CN103942488B - Method, device and secure browser for defense using sandbox technology - Google Patents


Publication number
CN103942488B
Authority
CN
China
Prior art keywords
target object
sandbox
operated
target
file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410058386.1A
Other languages
Chinese (zh)
Other versions
CN103942488A (en)
Inventor
范纪鍠
潘剑锋
孙晓骏
路健华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qizhi Business Consulting Co ltd
Beijing Qihoo Technology Co Ltd
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201410058386.1A
Priority claimed from CN201110100859.6A (CN102184356B)
Publication of CN103942488A
Publication of CN103942488B


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The invention provides a method, a device and a secure browser for defense using sandbox technology, to solve the problems of prior-art sandbox technology in which the user makes the selection. The method includes: before an operation is performed on a target object, triggering the following defense step: for the target object to be operated on, automatically judging whether the execution of the target object needs to be imported into a sandbox; if so, completing the execution of the target object inside the sandbox; if not, completing the execution of the target object outside the sandbox. The invention can automatically judge, before the user performs an operation on a target object, whether the execution of the target object needs to be imported into the sandbox, helping the user determine which risky programs need to run in the sandbox.

Description

Method, device and secure browser for defense using sandbox technology
This patent application is a divisional application of the Chinese invention patent application filed on April 21, 2011, with application number 201110100859.6, entitled "Method, device and secure browser for defense using sandbox technology".
Technical field
The invention relates to the field of computer security technology, and in particular to a method and a device for defense using sandbox technology, and to a secure browser.
Background
In the field of computer security, a sandbox is an isolated execution mechanism for programs whose purpose is to restrict the privileges of untrusted processes. Sandbox technology is often used to execute untested or untrusted client programs. To prevent an untrusted program from disrupting the operation of other programs, sandbox technology provides virtualized disk, memory and network resources to the untrusted client program, and this virtualization is transparent to the client program. Because the resources in the sandbox are virtualized (or indirected), the malicious behavior of an untrusted program in the sandbox is usually confined to the sandbox, which protects the original state of the system.
Specifically, sandbox technology can place a program into a sandbox to run, so that all files and registry entries the program creates, modifies or deletes are virtualized and redirected. In other words, all operations are virtual and the real files and registry are not altered, which ensures that a virus cannot modify critical parts of the system and damage it.
Current sandbox technology offers two kinds of sandbox. One is the dedicated sandbox: for example, Chrome (a browser) uses sandbox technology to run its rendering engine or Flash in a sandbox to keep the browser safe. The other is the general-purpose sandbox: for example, Sandboxie (another browser) provides the user with a sandbox and lets the user choose which software programs to run in it.
Compared with the dedicated sandbox, the general-purpose sandbox in which the user makes the selection gives the user more flexibility and is very convenient to use. However, letting the user choose has the following problems:
First, the user must judge alone which programs are risky and need to run in the sandbox; a user who does not understand the characteristics of a program may choose wrongly;
Second, the sandbox may be used by mistake; for example, placing an editing program that is currently editing a file into the sandbox causes the file to be lost;
Third, letting the user choose is not easy to use: the operation is complicated and does not match the user's operating habits.
Summary of the invention
The technical problem to be solved by the invention is to provide a method, a device and a secure browser for defense using sandbox technology, to solve the problems of prior-art sandbox technology in which the user makes the selection.
To solve the above problems, the invention discloses a method for defense using sandbox technology, including:
Before an operation is performed on a target object, triggering the following defense step:
For the target object to be operated on, automatically judging whether the execution of the target object needs to be imported into a sandbox; if so, completing the execution of the target object inside the sandbox; if not, completing the execution of the target object outside the sandbox.
When the automatic judgment finds that the execution of the target object needs to be imported into the sandbox:
If the target object is a target program, the target program is imported into the sandbox and runs to completion inside the sandbox;
If the target object is a target file, the associated program that executes the target file is imported into the sandbox, and the target file is run by the associated program inside the sandbox;
If the target object is information entered by the user, the associated program that receives the user input is imported into the sandbox, and the associated program is run inside the sandbox according to the user input; the information entered by the user includes a URL and/or a keyword.
Triggering the defense step before an operation is performed on the target object includes:
If the target object is a target program, the defense step is triggered after the target program has been downloaded to the client and before the client runs it; and/or the defense step is triggered before the target program is downloaded;
If the target object is a target file, the defense step is triggered after the target file, or the associated program that executes the target file, has been downloaded to the client and before the client runs the target file; and/or the defense step is triggered before the target file is downloaded or before the associated program that executes the target file is executed online;
If the target object is information entered by the user, the defense step is triggered when the user enters the information.
Preferably, the automatic judgment includes: judging whether the target object to be operated on matches a preset matching rule; if it matches, the execution of the target object needs to be imported into the sandbox; if it does not match, it does not need to be imported into the sandbox.
Preferably, before judging whether the target object to be operated on matches a preset matching rule, the method further includes: creating a process used for automatically judging the execution of the target object; judging whether the parent process of that process is in the sandbox; if so, the execution of the target object needs to be imported into the sandbox; if not, continuing to judge whether the target object matches a preset matching rule.
Preferably, before judging whether the target object to be operated on matches a preset matching rule, the method further includes: judging whether the user has chosen to import the execution of the target object into the sandbox; if so, the execution of the target object needs to be imported into the sandbox; if not, continuing to judge whether the target object matches a preset matching rule.
Preferably, before judging whether the target object to be operated on matches a preset matching rule, the method further includes: judging whether the target object is in a whitelist; if it is not in the whitelist, the target object is an unknown object, and the method continues to judge whether it matches a preset matching rule; if it is in the whitelist, it does not need to be imported into the sandbox.
Preferably, before judging whether the target object to be operated on matches a preset matching rule, the method further includes: judging whether the target object is in a blacklist; if it is in the blacklist, the execution of the target object needs to be imported into the sandbox; if it is not in the blacklist, continuing to judge whether the target object matches a preset matching rule.
Preferably, judging whether the target object to be operated on matches a preset matching rule includes: querying a preset database and comparing the target object with the preset rules in the database; if it is found in the database, it matches the matching rule; if it is not found, it does not match the matching rule.
Preferably, when the target object to be operated on is a target program and/or a target file, judging whether it matches a preset matching rule includes: judging whether the relevant information of the target object matches a preset matching rule; and/or judging whether the relevant information of the source program of the target object matches a preset matching rule.
The relevant information of the target object includes the file path of the target object, and/or encryption data, and/or file attributes, and/or an icon feature value, and/or a file feature value, and/or the download source; the relevant information of the source program includes the file path of the source program, and/or encryption data, and/or file attributes, and/or an icon feature value, and/or a file feature value, and/or the download source.
Preferably, when the target object to be operated on is information entered by the user, judging whether it matches a preset matching rule includes: judging whether the information entered by the user matches a preset matching rule.
Preferably, at the request of the client, the server automatically judges whether the execution of the target object to be operated on needs to be imported into the sandbox; and/or the client automatically judges whether the execution of the target object to be operated on needs to be imported into the sandbox.
Preferably, if the execution of the target object to be operated on needs to be imported into the sandbox, then before the import the method further includes: popping up a prompt window asking the user whether to import it into the sandbox.
The invention also provides a device for defense using sandbox technology, including:
A judgment trigger module, for triggering the automatic judgment module before an operation is performed on a target object;
An automatic judgment module, for automatically judging, for the target object to be operated on, whether the execution of the target object needs to be imported into a sandbox; if so, the execution of the target object is completed inside the sandbox; if not, the execution of the target object is completed outside the sandbox.
When the automatic judgment finds that the execution of the target object needs to be imported into the sandbox:
If the target object is a target program, the automatic judgment module imports the target program into the sandbox, and the target program runs to completion inside the sandbox;
If the target object is a target file, the automatic judgment module imports the associated program that executes the target file into the sandbox, and the target file is run by the associated program inside the sandbox;
If the target object is information entered by the user, the automatic judgment module imports the associated program that receives the user input into the sandbox, and the associated program is run inside the sandbox according to the user input; the information entered by the user includes a URL and/or a keyword.
If the target object is a target program, the judgment trigger module triggers the automatic judgment module after the target program has been downloaded to the client and before the client runs it; and/or triggers the automatic judgment module before the target program is downloaded;
If the target object is a target file, the judgment trigger module triggers the automatic judgment module after the target file, or the associated program that executes the target file, has been downloaded to the client and before the client runs the target file; and/or triggers the automatic judgment module before the target file is downloaded or before the associated program that executes the target file is executed online;
If the target object is information entered by the user, the judgment trigger module triggers the automatic judgment module when the user enters the information.
Preferably, the automatic judgment module includes: a rule judgment submodule, for judging whether the target object to be operated on matches a preset matching rule; if it matches, the execution of the target object needs to be imported into the sandbox; if it does not match, it does not need to be imported into the sandbox.
Preferably, the automatic judgment module further includes: a parent process judgment submodule, for judging, after the process used for automatically judging the execution of the target object has been created, whether the parent process of that process is in the sandbox; if so, the execution of the target object to be operated on needs to be imported into the sandbox; if not, the rule judgment submodule is triggered to continue judging whether the target object matches a preset matching rule.
Preferably, the automatic judgment module further includes: a user selection judgment submodule, for judging whether the user has chosen to import the execution of the target object to be operated on into the sandbox; if so, the execution of the target object needs to be imported into the sandbox; if not, the rule judgment submodule is triggered to continue judging whether the target object matches a preset matching rule.
Preferably, the automatic judgment module further includes: a whitelist judgment submodule, for judging whether the target object to be operated on is in a whitelist; if it is not in the whitelist, the target object is an unknown object, and the rule judgment submodule is triggered to continue judging whether it matches a preset matching rule; if it is in the whitelist, it does not need to be imported into the sandbox.
Preferably, the automatic judgment module further includes: a blacklist judgment submodule, for judging whether the target object to be operated on is in a blacklist; if it is in the blacklist, the execution of the target object needs to be imported into the sandbox; if it is not in the blacklist, the rule judgment submodule is triggered to continue judging whether the target object matches a preset matching rule.
Preferably, when the target object to be operated on is a target program and/or a target file, the rule judgment submodule judges whether the relevant information of the target object matches a preset matching rule; and/or judges whether the relevant information of the source program of the target object matches a preset matching rule;
The relevant information of the target object includes the file path of the target object, and/or encryption data, and/or file attributes, and/or an icon feature value, and/or a file feature value, and/or the download source; the relevant information of the source program includes the file path of the source program, and/or encryption data, and/or file attributes, and/or an icon feature value, and/or a file feature value, and/or the download source;
When the target object to be operated on is information entered by the user, the rule judgment submodule judges whether the information entered by the user matches a preset matching rule.
Preferably, the device further includes: a prompt module, for popping up a prompt window, when the execution of the target object to be operated on needs to be imported into the sandbox and before the import, asking the user whether to import it into the sandbox.
The invention also provides a secure browser, including the device for defense using sandbox technology described above.
Compared with the prior art, the invention has the following advantages:
First, the invention provides an intelligent judgment method that can automatically judge, before the user performs an operation on a target object, whether the execution of the target object needs to be imported into the sandbox, which yields the following benefits:
First, it helps the user determine which risky programs need to run in the sandbox, so the user does not have to judge alone;
Second, it avoids the loss of user data caused by placing safe, risk-free programs into the sandbox;
Third, it requires no participation from the user, so it does not interfere with the user's operation and is easy to use.
Second, the target object of the invention can be not only a target program but also a target file or information entered by the user. The invention can therefore automatically judge not only software programs but also whether files such as pictures are safe to execute, and it can also automatically judge information such as URLs and keywords entered by the user; for example, if the URL or keyword belongs to a certain movie website, a new browser is opened in the sandbox to browse that website.
Brief description of the drawings
Fig. 1 is a flowchart of a method for defense using sandbox technology according to an embodiment of the invention;
Fig. 2 is a flowchart of a method for defense using sandbox technology according to a preferred embodiment of the invention;
Fig. 3 is a structural diagram of a device for defense using sandbox technology according to a preferred embodiment of the invention.
Detailed description of the embodiments
To make the above objects, features and advantages of the invention clearer and easier to understand, the invention is described in further detail below with reference to the drawings and specific embodiments.
For systems that use sandbox technology, the invention provides an intelligent judgment method that can automatically judge, before the user performs an operation on a target object, whether the execution of the target object needs to be imported into the sandbox, thereby helping the user determine which risky programs need to run in the sandbox.
This is described in detail below through embodiments.
Referring to Fig. 1, a flowchart of a method for defense using sandbox technology according to an embodiment of the invention is shown.
Step 101: before an operation is performed on a target object, trigger the following defense steps;
Step 102: for the target object to be operated on, automatically judge whether the execution of the target object needs to be imported into the sandbox;
If so, perform step 103; if not, perform step 104.
Step 103: if it needs to be imported into the sandbox, complete the execution of the target object inside the sandbox.
Step 104: if it does not need to be imported into the sandbox, complete the execution of the target object outside the sandbox.
That is, the target object is executed according to the normal processing flow.
Preferably, if the execution of the target object to be operated on needs to be imported into the sandbox, a prompt window can also be popped up before the import to ask the user whether to import it into the sandbox, so that the user can choose freely based on the result of the automatic judgment.
In the above embodiment, the target object includes but is not limited to a target program, a target file and information entered by the user. Each is described in detail below.
(1) Target program
The target program is usually an executable file, such as an e-book, an online player or a serial number generator.
The user can trigger the execution of step 102 in several ways, including but not limited to: after the target program has been downloaded to the client and before the client runs it, for example by double-clicking it or choosing "Open" from the right-click menu, step 102 can be triggered to make the automatic judgment, preventing a malicious program from damaging the system when it runs; and/or triggering before the target program is downloaded, so that defense takes place before a malicious program is downloaded to the client. In addition, for target programs that can run online, defensive protection can also be triggered before they run. In short, the automatic judgment can be made before any operation on the target program, to protect the security of the system.
For a target program judged to need execution in the sandbox, completing the execution of the target program in the sandbox means: the target program is imported into the sandbox and runs to completion inside the sandbox. For example, a pornographic player from a certain website is put into the sandbox and run there.
(2) Target file
The target file is usually a non-executable file such as a picture, and executing such a target file requires an associated program. For example, a picture is viewed by starting a picture viewer, and the picture viewer is the associated program of the picture file.
For a target file judged to need execution in the sandbox, completing the execution of the target file in the sandbox means: the associated program that executes the target file is imported into the sandbox, and the target file is run by the associated program inside the sandbox. For example, for an untrusted picture file, the picture viewer can be imported into the sandbox to open the picture.
For a target file, the user can likewise trigger the execution of step 102 in several ways, including but not limited to: triggering after the target file, or the associated program that executes the target file, has been downloaded to the client and before the client runs the target file; and/or triggering before the target file is downloaded or before the associated program that executes the target file is executed online. In short, the automatic judgment can be made before any operation on the target file, to protect the security of the system.
(3) Information entered by the user
The information entered by the user includes URLs, keywords and similar information entered by the user.
If the target object is information entered by the user, step 102 is usually triggered when the user enters the information to carry out the security defense, that is, to judge whether the URL, keyword or other information entered by the user is safe and trusted; if it is not trusted, step 103 is performed.
For user input judged to need execution in the sandbox, completing the execution of the user input in the sandbox means: the associated program that receives the user input is imported into the sandbox, and the associated program is run inside the sandbox according to the user input. For example, for a suspicious URL, a new browser is opened in the sandbox to connect to the website corresponding to the URL; the browser program is the associated program that receives the URL input.
Combining (1), (2) and (3) above, whatever target object the user is about to operate on, the method shown in Fig. 1 can automatically judge whether its execution needs to be imported into the sandbox. The automatic judgment methods provided by the embodiments of the invention include but are not limited to: judging whether the target object to be operated on matches a preset matching rule; if it matches, the execution of the target object needs to be imported into the sandbox; if it does not match, it does not need to be imported into the sandbox.
Specifically, the judgment can be: querying a preset database and comparing the target object to be operated on with the preset rules in the database; if it is found in the database, it matches the matching rule; if it is not found, it does not match the matching rule. The database stores the various judgment rules, or directly stores the features of objects that match the matching rules; if the target object to be operated on is found in the database, the execution of that target object needs to be imported into the sandbox.
The matching rules differ for different target objects:
1) When the target object to be operated on is a target program and/or a target file, judging whether it matches a preset matching rule includes: judging whether the relevant information of the target object matches a preset matching rule; and/or judging whether the relevant information of the source program of the target object matches a preset matching rule.
The relevant information of the target object includes:
The file path of the target object, and/or
Encryption data (such as MD5), and/or
File attributes (such as product name, version information, signature publisher, file size), and/or
Icon feature value (such as an icon hash value), and/or
File feature value (such as a file hash value), and/or
Download source (such as which website it was downloaded from);
Correspondingly, the relevant information of the source program includes:
The file path of the source program, and/or
Encryption data (such as MD5), and/or
File attributes (such as product name, version information, signature publisher, file size), and/or
Icon feature value (such as an icon hash value), and/or
File feature value (such as a file hash value), and/or
Download source (such as which website it was downloaded from).
Based on the relevant information of the target object and of the source program described above, the matching rules can be:
Example 1: for a pornographic player on a website, the matching rule is as follows:
The source program is: a browser program or the resource manager (Explorer);
File name of the target: contains "Japanese AV" or "erotica" ...;
File icon of the target: is a specific player icon;
File size of the target: may be limited to a range, such as 1MB~10MB;
File description of the target: such as "xxxx adult player" or "xxxx special player".
A player that matches the above rule is judged to be a pornographic player.
Example 2: for an unknown risky e-book, the matching rule is as follows:
Target file name: contains the keyword "e-book";
Feature value of the target file icon: contains the features of an e-book icon.
An e-book that matches the above rule is judged to be a risky e-book.
Example 3: for an unknown risky serial number generator, the matching rule is as follows:
Target file name: contains the keyword "serial number generator" or "keygen" or "cracker" or "shredder";
Feature value of the target file icon: contains the features of a serial number generator icon.
A serial number generator that matches the above rule can be judged to be a risky serial number generator.
Besides the matching rules listed above, there can be many other rules, such as fuzzy matching or full-text matching, matching the file name first, and so on, depending on the specific application; they are not enumerated here.
2) When the target object to be operated on is information entered by the user, judging whether it matches a preset matching rule includes: judging whether the information entered by the user matches a preset matching rule.
For example, judging whether the URL entered by the user is the URL of certain pornographic websites, or judging whether the keyword entered by the user contains information such as "Japanese AV" or "erotica". From the information entered by the user, it is possible to judge in advance whether the website the user will browse next, or the web page the user will search for, needs to be put into the sandbox.
Based on the matching rules listed above, preferably, before the automatic judgment against those matching rules is made for the target object, the following automatic judgments can be made first:
1) Before judging whether the target object to be operated on matches a preset matching rule:
Create a process used for automatically judging the execution of the target object;
Judge whether the parent process of that process is in the sandbox; if so, the execution of the target object to be operated on needs to be imported into the sandbox; if not, continue to judge whether the target object matches a preset matching rule.
That is, if the process used for automatically judging the execution of the target object has a parent process, the process used for the automatic judgment is called a child process. If the parent process has been imported into the sandbox, the parent process is untrusted, so the child process it invokes is also untrusted and should likewise be imported into the sandbox for execution.
2) Before judging whether the target object to be operated on matches a preset matching rule:
Judge whether the user has chosen to import the execution of the target object to be operated on into the sandbox; if so, the execution of the target object needs to be imported into the sandbox; if not, continue to judge whether the target object matches a preset matching rule.
That is, the user can take part in choosing whether to use the sandbox; if the user actively chooses the sandbox, the automatic judgment against the matching rules is not needed.
3) Before judging whether the target object to be operated on matches a preset matching rule:
Judge whether the target object to be operated on is in the whitelist; if it is not in the whitelist, the target object is an unknown object, and the method continues to judge whether it matches a preset matching rule; if it is in the whitelist, it does not need to be imported into the sandbox.
The whitelist lists relatively safe target objects; a target object in the whitelist can be executed directly without being imported into the sandbox. If the target object to be operated on is in the whitelist, the automatic judgment against the matching rules can be skipped. If it is not in the whitelist, the target object is an unknown object and further automatic judgment is needed.
4) Before judging whether the target object to be operated on matches a preset matching rule:
Judge whether the target object to be operated on is in the blacklist; if it is in the blacklist, the execution of the target object needs to be imported into the sandbox; if it is not in the blacklist, continue to judge whether the target object matches a preset matching rule.
Certain incredible destination object is listed in the blacklist, if destination object to be operated is in the black name Dan Zhong, then be introduced directly into sandbox execution;But if not in blacklist, the destination object to be operated can not be excluded certain Safety, therefore also need to proceed the judgement of matched rule.
In actual applications, if destination object to be operated is in blacklist, it is also possible to directly intercepted without putting Enter sandbox, these can be selected by user.
Above-mentioned 1)To 4)Individually can be used before the judgement of matched rule, it is also possible to combine in matched rule Used before judgement.
Based on the above, in practical applications the embodiments of the present invention also provide the following two implementations:
First, at the client's request, the server automatically judges whether the execution of the target object to be operated on needs to be directed into the sandbox;
Specifically, the server stores the various rules for automatic judgment. If the target program or target file to be operated on has already been downloaded to the client, then when the user clicks to execute it the client can send a judgment request to the server, and the server makes the automatic judgment. Alternatively, before the target program or target file is downloaded from the server, the server judges from the client's download request whether the download should be directed into the sandbox. Alternatively, when the user enters a web address or keyword, the server makes the automatic judgment based on the user's input.
Second, the client automatically judges whether the execution of the target object to be operated on needs to be directed into the sandbox.
In this case the client stores the various rules for automatic judgment and updates them from the server periodically; the client can make the automatic judgment before the user operates on the target object.
In summary, the above embodiments provide an intelligent judgment method that, before the user performs an operation on a target object, automatically judges whether the execution of the target object needs to be directed into the sandbox, which yields the following advantages:
First, it helps the user determine which risky programs need to be run in the sandbox, without the user having to judge for themselves;
Second, it avoids the loss of user data caused by running safe, risk-free programs in the sandbox;
Third, no user participation is needed, so the user's operation is not affected and ease of use is high.
Based on the above, the present invention also provides the preferred embodiment shown in Fig. 2.
Referring to Fig. 2, a flow chart of a method of defending using sandbox technology according to a preferred embodiment of the present invention is shown.
The target object is taken to be a target program as an example; the cases where the target object is a target file or information input by the user are similar and are not described in detail.
The complete flow for judging whether a target program to be operated on automatically enters the sandbox is as follows:
Step 201: create the process;
Step 202: judge whether the parent process is in the sandbox;
If the parent process is in the sandbox, jump to step 208;
If the parent process is not in the sandbox, continue with step 203.
Step 203: judge whether the user has chosen to direct the execution of the target program to be operated on into the sandbox;
If the user has chosen to direct the execution of the target program into the sandbox, jump to step 208;
If the user has not chosen to direct the execution of the target program into the sandbox, continue with step 204.
Step 204: judge whether the target program to be operated on is on the whitelist;
If it is on the whitelist, jump to step 209;
If it is not on the whitelist, it is an unknown program; continue with step 205.
Step 205: judge whether the target object to be operated on is on the blacklist;
If it is on the blacklist, jump to step 208;
If it is not on the blacklist, continue with step 206.
Step 206: judge whether the target program is a program of a specific type;
Whether it is a program of a specific type is determined according to the various matching rules;
If it is, continue with step 207;
If it is not, jump to step 209.
Step 207: pop up a reminder window telling the user that the target program is to be directed into the sandbox for execution;
If the user chooses to direct it into the sandbox, the target program is added to the sandbox run list.
Step 208: begin redirecting the target program's operations on files and the registry, such as writes, deletions and modifications, into the sandbox; the judgment flow ends.
Step 209: run the target program in the normal environment (non-sandbox mode); the judgment flow ends.
Note that the order of steps 203 to 205 may be changed, but all of them must come before step 206.
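The judgment flow of steps 201 to 209, written out as an added Python example (not code from the patent). The `Target` and `Policy` types, the SHA-256 list keys with their constructed values, and the rule that a declined prompt in step 207 leaves the program in the normal environment are assumptions; the file-name keywords are the ones listed in the description.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Optional, Tuple


class Verdict(Enum):
    SANDBOX = "sandbox"  # step 208: file/registry operations redirected into the sandbox
    NORMAL = "normal"    # step 209: run in the normal, non-sandbox environment


@dataclass(frozen=True)
class Target:
    path: str                         # file path of the target program
    sha256: str                       # assumed key for list lookups
    parent_in_sandbox: bool = False   # input to step 202
    user_chose_sandbox: bool = False  # input to step 203


@dataclass(frozen=True)
class Policy:
    whitelist: FrozenSet[str]
    blacklist: FrozenSet[str]
    # File-name keywords from the matching rule given in the description.
    name_keywords: Tuple[str, ...] = (
        "serial number generator", "keygen", "cracker", "shredder")


def matching_rule(target: Target, policy: Policy) -> Optional[str]:
    """Step 206: return the keyword matched by the file name, or None."""
    name = target.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return next((kw for kw in policy.name_keywords if kw in name), None)


def decide(target: Target, policy: Policy,
           confirm: Callable[[Target, str], bool]) -> Tuple[Verdict, str]:
    """Return the verdict and the step that produced it."""
    if target.parent_in_sandbox:                       # step 202
        return Verdict.SANDBOX, "202: parent process is in the sandbox"
    if target.user_chose_sandbox:                      # step 203
        return Verdict.SANDBOX, "203: user chose the sandbox"
    if target.sha256 in policy.whitelist:              # step 204
        return Verdict.NORMAL, "204: on the whitelist"
    if target.sha256 in policy.blacklist:              # step 205
        return Verdict.SANDBOX, "205: on the blacklist"
    keyword = matching_rule(target, policy)            # step 206
    if keyword is None:
        return Verdict.NORMAL, "206: no matching rule applies"
    if confirm(target, keyword):                       # step 207
        return Verdict.SANDBOX, "207: matched %r, user confirmed" % keyword
    # Assumption: the patent does not say what happens when the user declines.
    return Verdict.NORMAL, "207: matched %r, user declined" % keyword


# Constructed sample data: placeholder digests, not real file hashes.
KNOWN_GOOD = "a" * 64
KNOWN_BAD = "b" * 64
UNKNOWN = "c" * 64
POLICY = Policy(whitelist=frozenset({KNOWN_GOOD}),
                blacklist=frozenset({KNOWN_BAD}))


def always_yes(target: Target, keyword: str) -> bool:
    """Stand-in for the step 207 reminder window with the user accepting."""
    return True


if __name__ == "__main__":
    samples = [
        Target(r"C:\Tools\editor.exe", KNOWN_GOOD, parent_in_sandbox=True),
        Target(r"C:\Tools\editor.exe", KNOWN_GOOD),
        Target(r"C:\Temp\setup.exe", KNOWN_BAD),
        Target(r"C:\Downloads\Office_KeyGen_2011.exe", UNKNOWN),
        Target(r"C:\Downloads\notes.exe", UNKNOWN),
    ]
    for sample in samples:
        verdict, reason = decide(sample, POLICY, always_yes)
        print(sample.path, "->", verdict.value, "(" + reason + ")")
```

Because step 202 comes before step 204, a whitelisted program launched by a sandboxed parent is still sandboxed, while a whitelist hit skips the file-name rules entirely.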
It should be noted that for foregoing each method embodiment, in order to be briefly described, therefore it is all expressed as a series of Combination of actions, but those skilled in the art should know, the present invention not by described by sequence of movement limited because According to the present invention, some steps can sequentially or simultaneously be carried out using other.Secondly, those skilled in the art should also know Know, embodiment described in this description belongs to preferred embodiment, involved action and module is not necessarily of the invention It is necessary.
Based on the above, the present invention also provides a corresponding device embodiment, as shown in Fig. 3.
Referring to Fig. 3, a structural diagram of a device for defending using sandbox technology according to a preferred embodiment of the present invention is shown.
The device may include the following modules:
Judgment trigger module 31, configured to trigger the automatic judgment module 32 before an operation is performed on a target object;
Automatic judgment module 32, configured to automatically judge, for the target object to be operated on, whether the execution of the target object needs to be directed into the sandbox; if so, the execution of the target object is completed in the sandbox; if not, the execution of the target object is completed outside the sandbox.
The target object includes, but is not limited to: a target program, a target file, or information input by the user.
When the automatic judgment finds that the execution of the target object needs to be directed into the sandbox:
If the target object is a target program, the automatic judgment module 32 directs the target program into the sandbox, and the target program is run in the sandbox;
If the target object is a target file, the automatic judgment module 32 directs the associated program that executes the target file into the sandbox, and the target file is run by the associated program in the sandbox;
If the target object is information input by the user, the automatic judgment module 32 directs the associated program that receives the user input into the sandbox, and the associated program is run in the sandbox according to the user input; the information input by the user includes a web address and/or a keyword.
Further, if the target object is a target program, the judgment trigger module 31 triggers the automatic judgment module 32 after the target program has been downloaded to the client and before the client runs it; and/or triggers the automatic judgment module 32 before the target program is downloaded;
If the target object is a target file, the judgment trigger module 31 triggers the automatic judgment module 32 after the target file, or the associated program that executes it, has been downloaded to the client and before the client runs the target file; and/or triggers the automatic judgment module 32 before the target file is downloaded or the associated program that executes the target file is executed online;
If the target object is information input by the user, the judgment trigger module 31 triggers the automatic judgment module 32 when the user inputs the information.
Further, the automatic judgment module 32 may include:
Rule judgment submodule 321, configured to judge whether the target object to be operated on meets a preset matching rule; if it does, the execution of the target object needs to be directed into the sandbox; if it does not, the sandbox is not needed.
Further, when the target object to be operated on is a target program and/or a target file, the rule judgment submodule 321 judges whether the related information of the target object meets a preset matching rule; and/or judges whether the related information of the target object's source program meets a preset matching rule;
The related information of the target object includes the target object's file path, and/or encrypted data, and/or file attributes, and/or icon feature value, and/or file feature value, and/or download source; the related information of the source program includes the source program's file path, and/or encrypted data, and/or file attributes, and/or icon feature value, and/or file feature value, and/or download source;
When the target object to be operated on is information input by the user, the rule judgment submodule 321 judges whether the information input by the user meets a preset matching rule.
Preferably, the automatic judgment module 32 may also include:
Parent process judgment submodule 322, configured to judge, after the process used to automatically judge the execution of the target object has been created, whether the parent process of that process is in the sandbox; if so, the execution of the target object to be operated on needs to be directed into the sandbox; if not, the rule judgment submodule is triggered to continue judging whether the target object meets a preset matching rule.
Preferably, the automatic judgment module 32 may also include:
User selection judgment submodule 323, configured to judge whether the user has chosen to direct the execution of the target object to be operated on into the sandbox; if so, the execution of the target object needs to be directed into the sandbox; if not, the rule judgment submodule is triggered to continue judging whether the target object meets a preset matching rule.
Preferably, the automatic judgment module 32 may also include:
Whitelist judgment submodule 324, configured to judge whether the target object to be operated on is on the whitelist; if it is not, the target object is an unknown object, and the rule judgment submodule is triggered to continue judging whether the target object meets a preset matching rule; if it is on the whitelist, the sandbox is not needed.
Preferably, the automatic judgment module 32 may also include:
Blacklist judgment submodule 325, configured to judge whether the target object to be operated on is on the blacklist; if it is, the execution of the target object needs to be directed into the sandbox; if it is not, the rule judgment submodule is triggered to continue judging whether the target object meets a preset matching rule.
Preferably, the device may also include:
Reminder module 33, configured to pop up a reminder window asking the user whether to use the sandbox, when the execution of the target object to be operated on needs to be directed into the sandbox and before it is directed there.
Because the device embodiment is substantially similar to the method embodiment, its description is relatively brief; for the relevant details, refer to the description of the method embodiment.
The above device for defending using sandbox technology can be deployed on the server or on the client. Before the user performs an operation on a target object, it automatically judges whether the execution of the target object needs to be directed into the sandbox. This helps the user determine which risky programs need to be run in the sandbox and avoids the loss of user data caused by running safe, risk-free programs in the sandbox; and because no user participation is needed, the user's operation is not affected and ease of use is high.
Based on the above device for defending using sandbox technology, the embodiments of the present invention also provide a secure browser. The browser includes the device for defending using sandbox technology described in the Fig. 3 embodiment above, and can use the method of Fig. 1 or Fig. 2 to automatically judge whether the execution of the target object to be operated on needs to be directed into the sandbox. For details, see the related content of Fig. 1, Fig. 2 and Fig. 3 above, which is not repeated here.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and for the parts that are the same or similar the embodiments can be referred to one another.
Finally, it should also be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations.
In addition, "and/or" above covers both an "and" relationship and an "or" relationship: if option A and option B are in an "and" relationship, an embodiment may include both option A and option B; if option A and option B are in an "or" relationship, an embodiment may include option A alone or option B alone.
The method, device and secure browser for defending using sandbox technology provided by the present invention have been described in detail above. Specific examples are used herein to explain the principles and implementations of the invention, and the description of the above embodiments is intended only to help in understanding the method of the invention and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the invention, make changes to the specific implementations and the scope of application. In summary, the content of this specification should not be construed as limiting the invention.

Claims (15)

1. A method of defending using sandbox technology, characterized by comprising:
Before an operation is performed on a target object, triggering the following defence step:
For the target object to be operated on, automatically judging whether the execution of the target object needs to be directed into a sandbox; if so, completing the execution of the target object in the sandbox; if not, completing the execution of the target object outside the sandbox;
The automatic judgment comprises: judging whether the target object to be operated on meets a preset matching rule; if it does, the execution of the target object needs to be directed into the sandbox; if it does not, the sandbox is not needed;
Before judging whether the target object to be operated on meets a preset matching rule, the method further comprises:
Creating the process used to automatically judge the execution of the target object; judging whether the parent process of that process is in the sandbox; if so, the execution of the target object to be operated on needs to be directed into the sandbox; if not, continuing to judge whether the target object meets a preset matching rule;
Judging whether the target object to be operated on is on a whitelist; if it is not, the target object is an unknown object, and continuing to judge whether the target object meets a preset matching rule; if it is on the whitelist, the sandbox is not needed;
Judging whether the target object to be operated on is on a blacklist; if it is, the execution of the target object needs to be directed into the sandbox; if it is not, continuing to judge whether the target object meets a preset matching rule.
2. The method according to claim 1, characterized in that, when the automatic judgment finds that the execution of the target object needs to be directed into the sandbox:
If the target object is a target program, the target program is directed into the sandbox, and the target program is run in the sandbox;
If the target object is a target file, the associated program that executes the target file is directed into the sandbox, and the target file is run by the associated program in the sandbox;
If the target object is information input by the user, the associated program that receives the user input is directed into the sandbox, and the associated program is run in the sandbox according to the user input; the information input by the user includes a web address and/or a keyword.
3. The method according to claim 2, characterized in that triggering the defence step before an operation is performed on the target object comprises:
If the target object is a target program, triggering the defence step after the target program has been downloaded to the client and before the client runs the target program; and/or triggering the defence step before the target program is downloaded;
If the target object is a target file, triggering the defence step after the target file, or the associated program that executes it, has been downloaded to the client and before the client runs the target file; and/or triggering the defence step before the target file is downloaded or the associated program that executes the target file is executed online;
If the target object is information input by the user, triggering the defence step when the user inputs the information.
4. The method according to claim 1, characterized in that judging whether the target object to be operated on meets a preset matching rule comprises:
Querying a preset database and comparing the target object to be operated on with the preset rules in the database; if a match is found in the database, the matching rule is met; if no match is found, the matching rule is not met.
5. The method according to claim 1, characterized in that, when the target object to be operated on is a target program and/or a target file, judging whether the target object meets a preset matching rule comprises:
Judging whether the related information of the target object meets a preset matching rule;
And/or judging whether the related information of the target object's source program meets a preset matching rule.
6. The method according to claim 5, characterized in that:
The related information of the target object includes the target object's file path, and/or encrypted data, and/or file attributes, and/or icon feature value, and/or file feature value, and/or download source;
The related information of the source program includes the source program's file path, and/or encrypted data, and/or file attributes, and/or icon feature value, and/or file feature value, and/or download source.
7. The method according to claim 1, characterized in that, when the target object to be operated on is information input by the user, judging whether the target object meets a preset matching rule comprises:
Judging whether the information input by the user meets a preset matching rule.
8. The method according to any one of claims 1 to 3, characterized in that:
At the client's request, the server automatically judges whether the execution of the target object to be operated on needs to be directed into the sandbox;
And/or the client automatically judges whether the execution of the target object to be operated on needs to be directed into the sandbox.
9. The method according to any one of claims 1 to 3, characterized in that, if the execution of the target object to be operated on needs to be directed into the sandbox, then before it is directed into the sandbox the method further comprises:
Popping up a reminder window asking the user whether to use the sandbox.
10. A device for defending using sandbox technology, characterized by comprising:
A judgment trigger module, configured to trigger an automatic judgment module before an operation is performed on a target object;
The automatic judgment module, configured to automatically judge, for the target object to be operated on, whether the execution of the target object needs to be directed into a sandbox; if so, the execution of the target object is completed in the sandbox; if not, the execution of the target object is completed outside the sandbox;
The automatic judgment module comprises: a rule judgment submodule, configured to judge whether the target object to be operated on meets a preset matching rule; if it does, the execution of the target object needs to be directed into the sandbox; if it does not, the sandbox is not needed;
The automatic judgment module further comprises: a parent process judgment submodule, configured to judge, after the process used to automatically judge the execution of the target object has been created, whether the parent process of that process is in the sandbox; if so, the execution of the target object to be operated on needs to be directed into the sandbox; if not, the rule judgment submodule is triggered to continue judging whether the target object meets a preset matching rule; a whitelist judgment submodule, configured to judge whether the target object to be operated on is on a whitelist; if it is not, the target object is an unknown object, and the rule judgment submodule is triggered to continue judging whether the target object meets a preset matching rule; if it is on the whitelist, the sandbox is not needed; and a blacklist judgment submodule, configured to judge whether the target object to be operated on is on a blacklist; if it is, the execution of the target object needs to be directed into the sandbox; if it is not, the rule judgment submodule is triggered to continue judging whether the target object meets a preset matching rule.
11. The device according to claim 10, characterized in that, when the automatic judgment finds that the execution of the target object needs to be directed into the sandbox:
If the target object is a target program, the automatic judgment module directs the target program into the sandbox, and the target program is run in the sandbox;
If the target object is a target file, the automatic judgment module directs the associated program that executes the target file into the sandbox, and the target file is run by the associated program in the sandbox;
If the target object is information input by the user, the automatic judgment module directs the associated program that receives the user input into the sandbox, and the associated program is run in the sandbox according to the user input; the information input by the user includes a web address and/or a keyword.
12. The device according to claim 11, characterized in that:
If the target object is a target program, the judgment trigger module triggers the automatic judgment module after the target program has been downloaded to the client and before the client runs the target program; and/or triggers the automatic judgment module before the target program is downloaded;
If the target object is a target file, the judgment trigger module triggers the automatic judgment module after the target file, or the associated program that executes it, has been downloaded to the client and before the client runs the target file; and/or triggers the automatic judgment module before the target file is downloaded or the associated program that executes the target file is executed online;
If the target object is information input by the user, the judgment trigger module triggers the automatic judgment module when the user inputs the information.
13. The device according to claim 10, characterized in that the automatic judgment module further comprises:
A user selection judgment submodule, configured to judge whether the user has chosen to direct the execution of the target object to be operated on into the sandbox; if so, the execution of the target object needs to be directed into the sandbox; if not, the rule judgment submodule is triggered to continue judging whether the target object meets a preset matching rule.
14. The device according to claim 10, characterized in that:
When the target object to be operated on is a target program and/or a target file, the rule judgment submodule judges whether the related information of the target object meets a preset matching rule; and/or judges whether the related information of the target object's source program meets a preset matching rule;
The related information of the target object includes the target object's file path, and/or encrypted data, and/or file attributes, and/or icon feature value, and/or file feature value, and/or download source; the related information of the source program includes the source program's file path, and/or encrypted data, and/or file attributes, and/or icon feature value, and/or file feature value, and/or download source;
When the target object to be operated on is information input by the user, the rule judgment submodule judges whether the information input by the user meets a preset matching rule.
15. The device according to any one of claims 10 to 12, characterized by further comprising:
A reminder module, configured to pop up a reminder window asking the user whether to use the sandbox, when the execution of the target object to be operated on needs to be directed into the sandbox and before it is directed there.
CN201410058386.1A 2011-04-21 2011-04-21 Method, device and the secure browser being on the defensive using sandbox technology Active CN103942488B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410058386.1A CN103942488B (en) 2011-04-21 2011-04-21 Method, device and the secure browser being on the defensive using sandbox technology

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410058386.1A CN103942488B (en) 2011-04-21 2011-04-21 Method, device and the secure browser being on the defensive using sandbox technology
CN201110100859.6A CN102184356B (en) 2011-04-21 2011-04-21 Method, device and safety browser by utilizing sandbox technology to defend

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201110100859.6A Division CN102184356B (en) 2011-04-21 2011-04-21 Method, device and safety browser by utilizing sandbox technology to defend

Publications (2)

Publication Number Publication Date
CN103942488A CN103942488A (en) 2014-07-23
CN103942488B true CN103942488B (en) 2017-06-23

Family

ID=51190155

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410058386.1A Active CN103942488B (en) 2011-04-21 2011-04-21 Method, device and the secure browser being on the defensive using sandbox technology

Country Status (1)

Country Link
CN (1) CN103942488B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104375494B (en) * 2014-12-02 2017-02-22 北京奇虎科技有限公司 Security sandbox construction method and security sandbox construction device
CN104834868A (en) * 2015-04-28 2015-08-12 一铂有限公司 Electronic data protection method, device and terminal equipment
CN107451482B (en) * 2017-08-01 2020-06-05 北京数字时代科技有限公司 Copyright protection method and system for mobile APP
CN108985050A (en) * 2018-06-29 2018-12-11 北京奇虎科技有限公司 shortcut processing method, device and equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
CN1961272A (en) * 2004-06-29 2007-05-09 英特尔公司 Method of improving computer security through sandboxing

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7120698B2 (en) * 2001-09-20 2006-10-10 Sun Microsystems, Inc. Access control for an e-commerce application
US8745361B2 (en) * 2008-12-02 2014-06-03 Microsoft Corporation Sandboxed execution of plug-ins

Also Published As

Publication number Publication date
CN103942488A (en) 2014-07-23

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee after: Beijing Qizhi Business Consulting Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi Software (Beijing) Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20220402

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: 360 Digital Security Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Beijing Qizhi Business Consulting Co.,Ltd.