KR20140112392A - Application access control method and electronic device implementing the same - Google Patents

Abstract

A method for controlling access in an electronic device according to various embodiments of the present disclosure includes the steps of determining whether an access control module in a first one of the areas configured in the electronic device Obtaining an unique identifier of the application in the second region; Determining whether the unique identifier is present in the access control list; And approving access to the resource if the unique identifier is present in the access control list.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an application access control method,

Various embodiments of the present disclosure are directed to methods of controlling access of an application to computing resources or computational resources and to electronic devices implementing the same.

Electronic devices such as smart phones, tablet PCs, and the like can be loaded with memories, processors, and operating systems (OSs) and can execute various applications accordingly. The electronic device may control access of the application to computing resources.

The electronic device may have a driver for controlling access to computing resources, e.g., storage. Such a driver may check whether such a deletion action is valid when a process attempting to access the storage (e.g., an attempt to delete all data stored in the storage) is executed. If the deletion action is valid (e.g., if the password entered by the user is a valid value), the driver may execute the deletion process. However, this access control method is not suitable as a driver's access control method because it is based on interaction with the user (for example, password input).

An electronic device can communicate with a server (e.g., a proxy server) as a client. These servers can control access to walled gardens (ie content or services that exist in a privately controlled environment). The client can request the server to access the service provided at the site existing in the world garden. The site can send the client a code to call a function that exists in the API (Application Programming Interface). If the code is valid, the client can call and execute the function of the API corresponding to the code. If the code is invalid, the client can abort the execution. However, these access control methods are too complex because they provide access control for the execution of functions by a privileged mode.

The electronic device may have software to protect the computer system from adverse effects caused by improper use of the configuration (e.g., application, operating system, etc.). Such software can determine whether an application has an implicit policy before loading and executing the application. If the application has a policy, the software can load and run the application. If an application requires access to a computing resource, the software may execute the code of the policy to determine whether the access is permitted. However, these access control methods provide an overly complex environment that causes a decrease in productivity.

Various embodiments of the present disclosure provide a method for safely and efficiently protecting computing resources by controlling access of an application to computing resources without interaction with a user and an electronic device implementing the method.

A method for controlling access in an electronic device according to various embodiments of the present disclosure includes the steps of determining whether an access control module in a first one of the areas configured in the electronic device Obtaining an unique identifier of the application in the second region; Determining whether the unique identifier is present in the access control list; And approving access to the resource if the unique identifier is present in the access control list.

According to various embodiments of the present disclosure, an electronic device includes a memory including a first area and a second area; And a processor for executing programs contained in the first area and the second area. The first area may comprise an access control module and the second area may comprise an application. Wherein the access control module obtains a unique identifier of the application in the second area in response to an access request for the resource of the application, determines whether the unique identifier is present in the access control list, May be configured to grant access to the resource if it is present in the access control list.

Various embodiments of the present disclosure can provide a method for safely and efficiently protecting computing resources by controlling an access of an application to computing resources without interaction with a user and an electronic device implementing the method.

1 illustrates a network environment including an electronic device, in accordance with various embodiments.
Figure 2 shows a block diagram of an electronic device according to various embodiments of the present disclosure.
3 is a flow chart illustrating a method of operating an electronic device according to various embodiments.
4 is a block diagram of a programming module in accordance with various embodiments.
5 is a flow chart illustrating an access control method according to various embodiments.

The present disclosure will be described below with reference to the accompanying drawings. The present disclosure is capable of various modifications and various embodiments, and specific embodiments are illustrated in the drawings and detailed description of the invention is set forth. It is to be understood, however, that this disclosure is not intended to be limited to the specific embodiments, but includes all changes and / or equivalents and alternatives falling within the spirit and scope of the disclosure. In connection with the description of the drawings, like reference numerals have been used for like elements.

   The use of the terms "comprises" or "comprising" may be used in the present disclosure to indicate the presence of a corresponding function, operation, or element, etc., and does not limit the presence of one or more other features, operations, or components. Also, in this disclosure, the terms "comprises" or "having ", and the like, specify that the presence of stated features, integers, But do not preclude the presence or addition of other features, numbers, steps, operations, components, parts, or combinations thereof.

  The "or" in the present disclosure includes any and all combinations of words listed together. For example, "A or B" may comprise A, comprise B, or both A and B.

   The expressions "first," " second, "" first," or "second, " and the like in the present disclosure may modify various elements of the disclosure, but do not limit the elements. For example, the representations do not limit the order and / or importance of the components. The representations may be used to distinguish one component from another. For example, both the first user equipment and the second user equipment are user equipment and represent different user equipment. For example, without departing from the scope of the present disclosure, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component.

   It is to be understood that when an element is referred to as being "connected" or "connected" to another element, it may be directly connected or connected to the other element, . On the other hand, when an element is referred to as being "directly connected" or "directly connected" to another element, it should be understood that there are no other elements in between.

   The terminology used in this disclosure is used only to describe a specific embodiment and is not intended to limit the disclosure. The singular expressions include plural expressions unless the context clearly dictates otherwise.

   Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. Terms such as those defined in commonly used dictionaries are to be interpreted as having a meaning consistent with the contextual meaning of the relevant art and are to be interpreted as either ideal or overly formal in the sense of the art unless explicitly defined in this disclosure Do not.

An electronic device according to the present disclosure may be implemented in a variety of environments, depending on what functions or operations are executed or run or compute, or depending on the reliability of the environment, . For example, an electronic device may include a trusted environment and a non-trusted environment.

An untrusted environment may include an application. Some applications may request the trusted environment to access application resources or system resources provided in a trusted environment. Where application resources can mean, for example, keys (e.g., security keys), sensitive data (e.g., data processed by a driver or an OS), or access to something. System resources may refer to memory, processors, buses, and the like.

The trusted environment may include a driver and an OS. In particular, a driver may be considered a particular module capable of performing certain functions that are not allowed to access untrusted environments. In addition, the driver and OS may be considered trusted and secure. The OS can perform authentication for an untrusted environment (e.g., application) that requested access and establish correspondences between the application and its UID (Unique IDentifier) according to the authentication result.

On the other hand, the trust environment can be referred to as a trusted world (trusted world). The trust environment can also be referred to as a semi-trusted environment. An untrusted environment may be referred to as a non-trusted world (non-trusted region) or a non-trusted area.

In a semi-trusted environment, the driver API security method can distinguish application access from driver functionality without significant impact on system performance. In addition, in a semi-trusted environment, the driver API security method is a special technique that provides the following properties: It is very efficient because its analysis (eg access authorization) depends on host OS authentication services. The method is relatively safe because it is based on hardware privilege levels. The method is very accurate because it passes through function access control. Without interaction with the user, a high level of hardware-based security is assured. At the same time in the same electronic device, the privacy of user data may be provided for different applications and / or different users.

An electronic device according to the present disclosure may be any device that supports a trusted environment. Further, the electronic device according to the present disclosure may be a device including a communication function. For example, the electronic device can be a smartphone, a tablet personal computer, a mobile phone, a videophone, an e-book reader, a desktop personal computer, a laptop Such as a laptop personal computer (PC), a netbook computer, a personal digital assistant (PDA), a portable multimedia player (PMP), an MP3 player, a mobile medical device, a camera, or a wearable device Such as a head-mounted-device (HMD) such as electronic glasses, an electronic garment, an electronic bracelet, an electronic necklace, an electronic app apparel, an electronic tattoo, or a smartwatch.

   According to some embodiments, the electronic device may be a smart home appliance with communication capabilities. [0003] Smart household appliances, such as electronic devices, are widely used in the fields of television, digital video disk (DVD) player, audio, refrigerator, air conditioner, vacuum cleaner, oven, microwave oven, washing machine, air cleaner, set- And may include at least one of a box (e.g., Samsung HomeSyncTM, Apple TVTM, or Google TVTM), game consoles, an electronic dictionary, an electronic key, a camcorder, or an electronic frame.

   According to some embodiments, the electronic device may be a variety of medical devices (e.g., magnetic resonance angiography (MRA), magnetic resonance imaging (MRI), computed tomography (CT) (global positioning system receiver), EDR (event data recorder), flight data recorder (FDR), automotive infotainment device, marine electronic equipment (eg marine navigation device and gyro compass), avionics, A security device, a head unit for a vehicle, an industrial or home robot, an ATM (automatic teller's machine) of a financial institution, or a POS (point of sale) of a shop.

According to some embodiments, the electronic device may be a piece of furniture or a structure / structure including a communication function, an electronic board, an electronic signature receiving device, a projector, (E.g., water, electricity, gas, or radio wave measuring instruments, etc.). An electronic device according to the present disclosure may be one or more of the various devices described above. Further, the electronic device according to the present expansion may be a flexible device. It should also be apparent to those skilled in the art that the electronic device according to the present disclosure is not limited to the above-described devices.

Hereinafter, an electronic device according to various embodiments will be described with reference to the accompanying drawings. The term user as used in various embodiments may refer to a person using an electronic device or a device using an electronic device (e.g., an artificial intelligence electronic device).

1 illustrates a network environment 100 including an electronic device 101, in accordance with various embodiments. Referring to FIG. 1, the electronic device 101 may include a bus 110, a processor 120, a memory 130, an input / output interface 140, a display 150, a communication interface 160, and an application control module 170.

The bus 110 may be a circuit that interconnects the components described above and communicates (e.g., control messages) between the components described above.

The processor 120 may be operatively coupled to other components (e.g., the memory 130, the input / output interface 140, the display 150, the communication interface 160, or the application control module 170) via the bus 110 Receives a command, decrypts the received command, and can execute an operation or data processing according to the decrypted command.

The memory 130 may be coupled to the processor 120 or other components such as the processor 120 or other components (e.g., the input / output interface 140, the display 150, the communication interface 160, or the application control module 170) Lt; RTI ID = 0.0 > and / or < / RTI > The memory 130 may include, for example, an operating system of the electronic device 101, such as a kernel 131, a middleware 132, an application programming interface (API) 133, or an application 134. Each of the above-described programming modules may be composed of software, firmware, hardware, or a combination of at least two of them.

The kernel 131 may include system resources (e.g., the bus 110, the processor 120, etc.) used to execute the operations or functions implemented in the other programming modules, e.g., the middleware 132, the API 133, Or the memory 130 and the like). In addition, the kernel 131 may provide an interface for accessing and controlling or managing resources of the electronic device 101 in the middleware 132, the API 133, or the application 134.

The kernel 131 may include a driver. The driver can receive commands from the kernel 131 and control input and output of peripheral devices (e.g., display, camera, Bluetooth, etc.) in response to commands. The driver may include, for example, a display driver, a camera driver, a Bluetooth driver, a memory driver, a USB driver, a keypad driver, a WiFi driver or an audio driver. Also, according to one embodiment, the driver may include an inter-process communication (IPC) driver.

The middleware 132 can act as an intermediary for the API 133 or the application 134 to communicate with the kernel 131 to exchange data. In addition, the middleware 132 may be configured to communicate with at least one of the applications 134, for example, system resources of the electronic device 101 (e.g., the bus 110, the processor 120, or the like) (E.g., scheduling or load balancing) of a work request using a method of assigning a priority that can be used to the job (e.g., the memory 130).

The API 133 is an interface for the application 134 to control the functions provided by the kernel 131 or the middleware 132 and includes at least one interface or function for file control, window control, image processing, (E.g., commands).

According to various embodiments, the application 134 may be an SMS / MMS application, an email application, a calendar application, an alarm application, a health care application (e.g., an application that measures momentum or blood glucose) Pressure, humidity, or temperature information, etc.), and the like. Additionally or alternatively, the application 134 may be an application related to the exchange of information between the electronic device 101 and an external electronic device (e.g., electronic device 104). The application associated with the information exchange may include, for example, a notification relay application for communicating specific information to the external electronic device, or a device management application for managing the external electronic device .

For example, the notification delivery application may send notification information generated by another application (e.g., SMS / MMS application, email application, healthcare application, or environment information application) of the electronic device 101 to an external electronic device ). ≪ / RTI > Additionally or alternatively, the notification delivery application may receive notification information from, for example, an external electronic device (e.g., electronic device 104) and provide it to the user. The device management application may provide a function (e.g., turn-on / turn-off) of at least some of the external electronic device (e.g., electronic device 104) in communication with the electronic device 101 (E.g., adjusting, turning off, or adjusting the brightness (or resolution) of the display), managing an application running on the external electronic device or services (e.g., call service or message service) )can do.

According to various embodiments, the application 134 may include an application designated according to attributes (e.g., the type of electronic device) of the external electronic device (e.g., electronic device 104). For example, if the external electronic device is an MP3 player, the application 134 may include an application related to music playback. Similarly, if the external electronic device is a mobile medical device, the application 134 may include applications related to health care. According to one embodiment, the application 134 may include at least one of an application specified in the electronic device 101 or an application received from an external electronic device (e.g., the server 106 or the electronic device 104).

The input / output interface 140 connects commands or data input from a user via an input / output device (e.g., a sensor, a keyboard or a touch screen) to the processor 120, the memory 130, the communication interface 160 , Or to the application control module 170. For example, the input / output interface 140 may provide the processor 120 with data on the user's touch input through the touch screen. The input / output interface 140 may transmit commands or data received from the processor 120, the memory 130, the communication interface 160, or the application control module 170 via the bus 110 to the input / output device Or display). For example, the input / output interface 140 can output voice data processed through the processor 120 to a user through a speaker.

The display 150 may display various information (e.g., multimedia data or text data) to the user.

The communication interface 160 can connect the communication between the electronic device 101 and an external device (e.g., the electronic device 104 or the server 106). For example, the communication interface 160 may be connected to the network 162 via wireless communication or wired communication to communicate with the external device. The wireless communication may include, for example, wireless fidelity, Bluetooth, near field communication (NFC), global positioning system (GPS) , WiBro or GSM, etc.). The wired communication may include at least one of, for example, a universal serial bus (USB), a high definition multimedia interface (HDMI), a recommended standard 232 (RS-232) or a plain old telephone service (POTS).

According to one embodiment, the network 162 may be a telecommunications network. The communication network may include at least one of a computer network, an internet, an internet of things, or a telephone network. (E.g., a transport layer protocol, a data link layer protocol, or a physical layer protocol) for communication between the electronic device 101 and the external device is controlled by the application 134, the application programming interface 133, the middleware 132, the kernel 131 Or the communication interface 160. [0035]

The application control module 170 processes at least some of the information obtained from other components (e.g., the processor 120, the memory 130, the input / output interface 140, or the communication interface 160, etc.) . For example, the application control module 170 recognizes the information of the connected component provided in the electronic device 101, stores the information of the connected component in the memory 130, executes the application 134 based on the information of the connected component .

2 shows a block diagram of an electronic device 200 in accordance with various embodiments. The electronic device 200 may constitute all or part of the electronic device 101 shown in Fig. 1, for example. 2, the electronic device 200 includes at least one application processor 210, a communication module 220, a subscriber identification module (SIM) card 224, a memory 230, a sensor module 240, an input device 250, a display 260, An interface 270, an audio module 280, a camera module 291, a power management module 295, a battery 296, an indicator 297, and a motor 298.

The AP 210 may control a plurality of hardware or software components connected to the AP 210 by operating an operating system or an application program, and may perform various data processing and calculations including multimedia data. The AP 210 may be implemented as a system on chip (SoC), for example. According to one embodiment, the AP 210 may further include a graphics processing unit (GPU) (not shown).

The communication module 220 (e.g., the communication interface 160) can send and receive data in communication between the electronic device 200 (e.g., the electronic device 101) and other electronic devices (e.g., electronic device 104 or server 106) Can be performed. According to one embodiment, the communication module 220 may include a cellular module 221, a Wifi module 223, a BT module 225, a GPS module 227, an NFC module 228, and a radio frequency (RF) module 229.

The cellular module 221 may provide voice calls, video calls, text services, or Internet services over a communication network (e.g., LTE, LTE-A, CDMA, WCDMA, UMTS, WiBro or GSM). In addition, the cellular module 221 can perform identification and authentication of electronic devices within the communication network using, for example, a subscriber identity module (e.g., a SIM card 224). According to one embodiment, the cellular module 221 may perform at least some of the functions that the AP 210 may provide. For example, the cellular module 221 may perform at least some of the multimedia control functions.

According to one embodiment, the cellular module 221 may include a communication processor (CP). Also, the cellular module 221 may be implemented as an SoC, for example. In FIG. 2, components such as the cellular module 221 (e.g., a communication processor), the memory 230, or the power management module 295 are illustrated as separate components from the AP 210. However, according to one embodiment, May include at least a portion of the above-described components (e.g., cellular module 221).

According to one embodiment, the AP 210 or the cellular module 221 (e.g., a communications processor) loads commands or data received from at least one of non-volatile memory or other components connected to each of them into a volatile memory for processing can do. In addition, the AP 210 or the cellular module 221 may store data generated by at least one of the other components or received from at least one of the other components in the non-volatile memory.

Each of the Wifi module 223, the BT module 225, the GPS module 227, and the NFC module 228 may include a processor for processing data transmitted and received through a corresponding module, for example. Although the cellular module 221, the Wifi module 223, the BT module 225, the GPS module 227, or the NFC module 228 are shown as separate blocks in FIG. 2, the cellular module 221, the Wifi module 223, the BT module 225, At least some (e.g., two or more) of modules 227 or NFC modules 228 may be included in one integrated chip (IC) or IC package. For example, at least some of the processors corresponding to the cellular module 221, the Wifi module 223, the BT module 225, the GPS module 227, or the NFC module 228, respectively (e.g., corresponding to the communication processor and Wifi module 223 corresponding to the cellular module 221) Wifi processor) can be implemented in a single SoC.

The RF module 229 can transmit and receive data, for example, transmit and receive RF signals. The RF module 229 may include, for example, a transceiver, a power amplifier module (PAM), a frequency filter, or a low noise amplifier (LNA). In addition, the RF module 229 may further include a component for transmitting and receiving electromagnetic waves in a free space in a wireless communication, for example, a conductor or a lead wire. 2, the cellular module 221, the Wifi module 223, the BT module 225, the GPS module 227, and the NFC module 228 share one RF module 229. However, according to one embodiment, the cellular module 221, the Wifi module 223 , The BT module 225, the GPS module 227, or the NFC module 228 can transmit and receive RF signals through separate RF modules.

The SIM cards 224_1 to N may be cards including a subscriber identity module, and may be inserted into slots 225_1 to N formed at specific positions of the electronic device. The SIM cards 224_1-N may include unique identification information (e.g., an integrated circuit card identifier (ICCID)) or subscriber information (e.g., international mobile subscriber identity (IMSI)).

The memory 230 (e.g., the memory 130) may include an internal memory 232 or an external memory 234. The built-in memory 232 may be a volatile memory such as a dynamic RAM (DRAM), a static random access memory (SRAM), a synchronous dynamic RAM (SDRAM), or a non-volatile memory , At least one of an OTPROM (one time programmable ROM), a PROM (programmable ROM), an EPROM (erasable and programmable ROM), an EEPROM (electrically erasable and programmable ROM), a mask ROM, a flash ROM, a NAND flash memory, . ≪ / RTI >

According to one embodiment, the internal memory 232 may be a solid state drive (SSD). The external memory 234 may be a flash drive such as a compact flash (CF), a secure digital (SD), a micro secure digital (SD), a mini secure digital (SD), an extreme digital And the like. The external memory 234 may be functionally connected to the electronic device 200 through various interfaces. According to one embodiment, the electronic device 200 may further include a storage device (or storage medium) such as a hard drive.

The sensor module 240 may measure a physical quantity or sense an operation state of the electronic device 200, and convert the measured or sensed information into an electrical signal. The sensor module 240 includes a gesture sensor 240A, a gyro sensor 240B, an air pressure sensor 240C, a magnetic sensor 240D, an acceleration sensor 240E, a grip sensor 240F, a proximity sensor 240G, a color sensor 240H blue sensor), a living body sensor 240I, a temperature / humidity sensor 240J, an illuminance sensor 240K, or an ultraviolet (UV) sensor 240M. Additionally or alternatively, the sensor module 240 may include an electronic sensor such as, for example, an E-nose sensor (not shown), an EMG sensor (not shown), an EEG sensor (not shown) an electrocardiogram sensor (not shown), an infra red sensor (not shown), an iris sensor (not shown), or a fingerprint sensor (not shown). The sensor module 240 may further include a control circuit for controlling at least one sensor included in the sensor module 240.

The input device 250 may include a touch panel 252, a (digital) pen sensor 254, a key 256, or an ultrasonic input device 258. The touch panel 252 can recognize a touch input by at least one of an electrostatic type, a pressure sensitive type, an infrared type, and an ultrasonic type. The touch panel 252 may further include a control circuit. In electrostatic mode, physical contact or proximity recognition is possible. The touch panel 252 may further include a tactile layer. In this case, the touch panel 252 can provide a tactile response to the user.

The (digital) pen sensor 254 can be implemented, for example, in the same or similar manner as receiving a touch input of a user or using a separate recognition sheet. The key 256 may include, for example, a physical button, an optical key or a keypad. The ultrasonic input device 258 is a device that can recognize data by sensing a sound wave from the electronic device 200 through a microphone (e.g., a microphone 288) through an input tool for generating an ultrasonic signal, and is capable of wireless recognition. According to one embodiment, the electronic device 200 may use the communication module 220 to receive user input from an external device (e.g., a computer or a server) connected thereto.

The display 260 (e.g., the display 150) may include a panel 262, a hologram device 264, or a projector 266. The panel 262 may be, for example, a liquid crystal display (LCD) or an active matrix organic light-emitting diode (AM-OLED). The panel 262 may be embodied, for example, as being flexible, transparent or wearable. The panel 262 may be formed of one module with the touch panel 252. The hologram device 264 can display stereoscopic images in the air using interference of light. The projector 266 can display an image by projecting light onto a screen. The screen may be located, for example, inside or outside the electronic device 200. According to one embodiment, the display 260 may further include control circuitry for controlling the panel 262, the hologram device 264, or the projector 266.

The interface 270 may include, for example, a high-definition multimedia interface (HDMI) 272, a universal serial bus (USB) 274, an optical interface 276, or a D-sub (D-subminiature) The interface 270 may, for example, be included in the communication interface 160 shown in FIG. Additionally or alternatively, the interface 270 may include, for example, a mobile high-definition link (MHL) interface, a secure digital (SD) card / multi-media card (MMC) interface, or an infrared data association can do.

The audio module 280 can convert sound and electric signals into both directions. At least some components of the audio module 280 may be included, for example, in the input / output interface 140 shown in FIG. The audio module 280 may process sound information input or output through, for example, a speaker 282, a receiver 284, an earphone 286, a microphone 288, or the like.

The camera module 291 may capture still images and moving images. The camera module 291 may include at least one image sensor (e.g., a front sensor or a rear sensor), a lens (not shown), an image signal processor ) Or a flash (not shown), such as an LED or xenon lamp.

The power management module 295 can manage the power of the electronic device 200. Although not shown, the power management module 295 may include, for example, a power management integrated circuit (PMIC), a charger integrated circuit ("IC"), or a battery or fuel gauge.

The PMIC can be mounted, for example, in an integrated circuit or a SoC semiconductor. The charging method can be classified into wired and wireless. The charging IC can charge the battery, and can prevent an overvoltage or an overcurrent from the charger. According to one embodiment, the charging IC may comprise a charging IC for at least one of a wired charging scheme or a wireless charging scheme. The wireless charging system may be, for example, a magnetic resonance system, a magnetic induction system or an electromagnetic wave system, and additional circuits for wireless charging may be added, such as a coil loop, a resonant circuit or a rectifier have.

The battery gauge can measure the remaining amount of the battery 296, the voltage during charging, the current or the temperature, for example. The battery 296 may store or generate electricity, and may supply power to the electronic device 200 using the stored or generated electricity. The battery 296 may include, for example, a rechargeable battery or a solar battery.

The indicator 297 may indicate a specific state of the electronic device 200 or a part thereof (e.g., the AP 210), for example, a boot state, a message state, or a charged state. The motor 298 may convert an electrical signal to mechanical vibration. Although not shown, the electronic device 200 may include a processing unit (e.g., GPU) for mobile TV support. The processing device for supporting the mobile TV can process media data conforming to standards such as digital multimedia broadcasting (DMB), digital video broadcasting (DVB), or media flow.

Each of the above-described components of the electronic device according to the present disclosure can be composed of one or more components, and the name of the component can be changed according to the type of the electronic device. The electronic device according to the present disclosure may be configured to include at least one of the above-described components, and some components may be omitted or further include other additional components. In addition, some of the components of the electronic device according to the present disclosure may be combined and configured as an entity, so that the functions of the corresponding components before being combined can be performed in the same manner.

The term "module" as used herein may mean a unit comprising, for example, one or a combination of two or more of hardware, software or firmware. A "module" may be interchangeably used with terms such as, for example, unit, logic, logical block, component or circuit. A "module" may be a minimum unit or a portion of an integrally constructed component. A "module" may be a minimum unit or a portion thereof that performs one or more functions. "Modules" may be implemented either mechanically or electronically. For example, a "module" in accordance with the present disclosure may be implemented as an application-specific integrated circuit (ASIC) chip, field-programmable gate arrays (FPGAs) or programmable logic arrays (FPGAs) logic device).

3 is a flow chart illustrating a method of operating an electronic device according to various embodiments.

Referring to FIG. 3, an application may invoke the functionality of a driver (e.g., a driver included in kernel 131). Accordingly, at operation 310, the driver may receive a request for a function from an application. At operation 320, the driver may obtain control of an application from an OS, such as kernel 131, for example. At operation 330, the driver may pass control rights to the function module. Here, the function module can be included in the driver. At operation 340, the functional module may launch an access control of the application. At operation 350, the functional module may determine whether access control is passed. If the result of the determination at operation 350 is that access control has passed, at function 360, the function module may execute the functionality required by the application. At this time, the function module can call the interface or function related to the function from the API, and execute the function using the called function. At operation 370, the functional module may return result data obtained as an execution result to the application. If the result of the determination at operation 350 indicates that access control has failed, at function 380, the functional module may notify the application of "denied access ".

4 is a block diagram of a programming module in accordance with various embodiments.

Referring to FIG. 4, the programming module 400 may be included (e.g., stored) in the electronic device 101 (e.g., memory 130) shown in FIG. At least some of the programming modules 400 may be comprised of software, firmware, hardware, or a combination of at least two of them. The programming module 400 may include an application 410, a driver 420, an access control list 430, and a UID (Unique Identifier) and Func # (function number) providing module 440. In the above programming module 400, the driver 420, the access control list 430, and the UID and Func # providing module 440 may be included in the trusted environment. The application 410 may be included in an untrusted environment. The application 410 may be a module that requests the driver 420 to access the functions provided by the driver 420, for example, the application 134.

The application 410 may send an access request of itself or another application to the driver 420. Here, the access request may include the number 412 of the function requested by the application 410. The driver 420 may forward the access request to the access control module 421. The access control module 421 may find a binary header 411 of the application 410 (or other application) in a memory (e.g., memory 130). The access control module 421 can catch the UID 411a of the application in the binary header 411. [ The access control module 421 can retrieve the number of the function corresponding to the UID 411a acquired in the access control list 430. [ The search results are accepted as access control results (eg, approve or deny access). The UID and Func # provision module 440 may manage (e.g., update, delete, add, edit, etc.) the access control list 430.

According to some embodiments, the access control list 430 may be included in an untrusted environment. If so, the UID and Func # provision module 440 may include a module for encrypting UID and Func #. The driver 420 or the access control module 421 may include a module for decrypting the encrypted UID and Func #.

5 is a flow chart illustrating an access control method according to various embodiments.

Referring to FIG. 5, at operation 510, an access control module (e.g., access control module 421) may obtain a UID from an access requesting application. In operation 520, access control module 421 may determine whether the acquired UID is present in an access control list (e.g., access control list 430). If the UID obtained as a result of the determination at operation 520 is not present in the access control list 430, then at operation 530, the access control module 421 may notify the application of "denied access ". If the UID obtained as a result of the determination at operation 520 is present in the access control list 430, then at operation 540, the access control module 421 determines that the Func # (e.g., Func # received from the application) The corresponding Func # list). If the determination result Func # at operation 540 is not present in the access control list, the access control module 421 may perform operation 530. [ If the determination result Func # at operation 550 is present in the access control list, the access control module 421 may approve the access.

According to various embodiments, at least a portion of a device (e.g., modules or functions thereof) or a method (e.g., operations) according to the present disclosure may be stored in a computer readable storage medium computer-readable storage media). The instructions, when executed by one or more processors (e.g., the processor 210), may cause the one or more processors to perform functions corresponding to the instructions. The computer readable storage medium may be, for example, the memory 220. At least some of the programming modules may be implemented (e.g., executed) by, for example, the processor 210. At least some of the programming modules may include, for example, modules, programs, routines, sets of instructions or processes, etc. to perform one or more functions.

According to some embodiments, a method for controlling access in an electronic device is a method in which an access control module in a first one of the areas configured in the electronic device responds to an access request for resources of an application existing in the second area Obtaining an unique identifier of the application in the second area; Determining whether the unique identifier is present in the access control list; And approving access to the resource if the unique identifier is present in the access control list. The method further comprising: receiving identification information about the resource from the application; and determining whether the identification information is present in the access control list, wherein the granting of access to the resource comprises: And the unique identifier and the identification information are present in the access control list. The identification information may include identification information of functions provided in the first area. The operation of acquiring the unique identifier of the application in the second area may include an operation of searching for a binary header of the application in a memory belonging to the second area and an operation of obtaining the unique identifier in the binary header . The resource may be included in an area that requires approval of access by the access control module. The area requiring the approval of the access may be the first area. The resource may be a function provided by a driver existing in the first area.

According to some embodiments, an electronic device includes a memory including a first area and a second area; And a processor for executing programs included in the first area and the second area. The first area may comprise an access control module and the second area may comprise an application. Wherein the access control module obtains a unique identifier of the application in the second area in response to an access request for the resource of the application, determines whether the unique identifier is present in the access control list, May be configured to grant access to the resource if it is present in the access control list. Wherein the access control module receives identification information about the resource from the application, determines whether the identification information is present in the access control list, and when the unique identifier and the identification information are present in the access control list And may be configured to grant access to the resource. The first area includes a driver and an operating system, and the identification information may include identification information of a function provided by the driver. The access control module may be configured to look up the binary header of the application in the second area and obtain the unique identifier from the binary header.

The computer-readable recording medium includes a magnetic medium such as a hard disk, a floppy disk and a magnetic tape, an optical recording medium such as a CD-ROM (Compact Disc Read Only Memory), a DVD (Digital Versatile Disc) A magneto-optical medium such as a floppy disk, and a program command such as a read only memory (ROM), a random access memory (RAM), a flash memory, Module) that is configured to store and perform the functions described herein. The program instructions may also include machine language code such as those generated by a compiler, as well as high-level language code that may be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of this disclosure, and vice versa.

A module or programming module according to the present disclosure may include at least one or more of the elements described above, some of which may be omitted, or may further include other additional elements. Operations performed by modules, programming modules, or other components in accordance with the present disclosure may be performed in a sequential, parallel, iterative, or heuristic manner. Also, some operations may be performed in a different order, omitted, or other operations may be added.

It is to be understood that both the foregoing description and the following detailed description are exemplary and explanatory only and are not intended to limit the scope of the present disclosure. Accordingly, the scope of the present disclosure should be construed as being included within the scope of the present disclosure in addition to the embodiments disclosed herein, all changes or modifications derived from the technical idea of the present disclosure.

101, 104: Electronic device 106: Server 110: Bus
120: processor 130: memory
131: Kernel 132: Middleware
133: Application Programming Interface (API)
134: Application 140: I / O interface
150: Display 160: Communication interface
162: network 170: application control module
200: electronic device 210: application processor
220: Communication module
224_1 to N: slots 225_1 to N: SIM card
230: memory 232: internal memory
234: External memory
240: Sensor module 250: Input device
260: Display module 270: Interface
280: audio module 291: camera module
295: Power management module 296: Battery
297 Indicator 298: Motor
400: Programming module 410: Application
411: Header 411a: UID
412: Func # 420: Driver
421: Access control module 430: Access control list
440: UID and Func # Providing Module

Claims (15)

A method of controlling access in an electronic device,
Wherein the access control module in the first area among the areas configured in the electronic device is operable in response to an access request for an application resource existing in the second area to acquire the unique identifier of the application in the second area ;
Determining whether the unique identifier is present in the access control list; And
And approving access to the resource if the unique identifier is present in the access control list. The method according to claim 1,
Receiving identification information on the resource from the application;
Further comprising: determining whether the identification information is present in the access control list,
Wherein the granting of access to the resource comprises:
Wherein the unique identifier and the identification information are present in the access control list. 3. The method of claim 2,
Wherein,
And identification information of a function provided in the first area. The method according to claim 1,
And acquiring the unique identifier of the application in the second area,
Searching for a binary header of the application in a memory belonging to the second area;
And obtaining the unique identifier in the binary header. The method according to claim 1,
The resource comprises:
Wherein the access control module is included in an area requiring acknowledgment of access. 6. The method of claim 5,
Wherein the area requiring approval of the access is the first area. 6. The method of claim 5,
The resource comprises:
And a function provided by a driver present in the first area. In an electronic device,
A memory including a first area and a second area;
And a processor for executing programs contained in the first area and the second area,
Wherein the first area comprises an access control module,
Wherein the second area comprises an application,
The access control module acquires a unique identifier of the application in the second area in response to a request for access to the resource of the application, determines whether the unique identifier is present in the access control list, Is configured to grant access to the resource if it is present in the access control list. 9. The method of claim 8,
The access control module,
Receiving from the application identification information for the resource, determining whether the identification information is present in the access control list, and if the unique identifier and the identification information are present in the access control list, An electronic device configured for approval. 10. The method of claim 9,
Wherein the first area includes a driver and an operating system,
Wherein,
And identification information of a function provided by the driver. 9. The method of claim 8,
The access control module,
And to retrieve the binary header of the application in the second region to obtain the unique identifier from the binary header. 9. The method of claim 8,
The resource comprises:
Wherein the access control module is included in the memory in an area requiring acknowledgment of access. 13. The method of claim 12,
And the area requiring the approval of the access is the first area. 13. The method of claim 12,
The resource comprises:
And a function provided by a driver existing in the first area. The access control module existing in the first area among the areas configured in the electronic device acquires the unique identifier of the application in the second area in response to an access request for the resource of the application existing in the second area;
Determining whether the unique identifier is present in the access control list; And
And granting access to the resource if the unique identifier is present in the access control list.

Images