CN117835240A - A custom ROM identification method, device, electronic device and medium - Google Patents
- Publication number: CN117835240A (application CN202311775855.7A)
- Authority: CN (China)
- Prior art keywords: information, software package, terminal, stored, verification
- Legal status: Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/068—Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/30—Security of mobile devices; Security of mobile applications
- H04W12/37—Managing security policies for mobile devices or for controlling mobile applications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/66—Trust-dependent, e.g. using trust scores or trust relationships
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The disclosure provides a customized ROM identification method, a customized ROM identification device, electronic equipment and a customized ROM identification medium, and relates to the technical field of network security, in particular to the technical field of equipment wind control and the technical field of equipment security assessment. The specific implementation scheme of the embodiment of the disclosure is as follows: the server receives verification information sent by a terminal to be identified, wherein the verification information comprises: device type information and operating system package information. Then the server searches software package information corresponding to the equipment type information from a preset information base; the information base comprises the corresponding relation between the device type information and the software package information of a plurality of terminals without customized ROM. And judging whether the software package information included in the verification information is the same as the searched software package information. If yes, determining that the terminal to be identified does not have the customized ROM; if not, determining that the terminal to be identified has the customized ROM. Thereby realizing a determination as to whether the terminal to be recognized has a custom ROM.
Description
Technical Field
The disclosure relates to the technical field of network security, in particular to the technical field of equipment wind control and equipment security assessment.
Background
Android is one of the most popular mobile operating systems worldwide and has a huge user population. Because the Android operating system is highly open, there are many easy ways to replace or add functions of the Android system.
Therefore, in order to give an Android terminal more functions or to repair existing vulnerabilities, many manufacturers or device enthusiasts add or modify system functions on the basis of the Android system to obtain a customized operating system, and then flash the Read Only Memory (ROM) of the Android terminal to write the customized operating system file into it, so that the terminal runs the customized operating system. Since the customized operating system file is stored in the ROM of the Android terminal after flashing, such a ROM may also be referred to as a customized ROM.
Disclosure of Invention
The present disclosure provides a custom ROM identification method, apparatus, electronic device, and medium.
In a first aspect of the embodiments of the present disclosure, there is provided a method for identifying a customized ROM, which is applied to a server, including:
receiving verification information sent by a terminal to be identified, wherein the verification information comprises: device type information and operating system package information;
Searching software package information corresponding to the equipment type information from a preset information base; the information base comprises the corresponding relation between the device type information and the software package information of a plurality of terminals without customized ROM;
judging whether the software package information included in the verification information is the same as the searched software package information;
if yes, determining that the terminal to be identified does not have a custom ROM;
if not, determining that the terminal to be identified has the customized ROM.
In a second aspect of the embodiments of the present disclosure, there is provided a method for identifying a customized ROM, which is applied to a terminal, including:
acquiring verification information, wherein the verification information comprises equipment type information and software package information of an operating system;
the verification information is sent to a server, so that the server searches software package information corresponding to the equipment type information from a preset information base, judges whether the software package information included in the verification information is identical to the searched software package information, if so, determines that the terminal does not have a custom ROM, and if not, determines that the terminal has the custom ROM, wherein the information base comprises the corresponding relation between the equipment type information and the software package information of a plurality of terminals not having the custom ROM.
In a third aspect of the embodiments of the present disclosure, there is provided a custom ROM identification device applied to a server, including:
the receiving module is used for receiving verification information sent by the terminal to be identified, and the verification information comprises: device type information and operating system package information;
the searching module is used for searching software package information corresponding to the equipment type information from a preset information base; the information base comprises the corresponding relation between the device type information and the software package information of a plurality of terminals without customized ROM;
the judging module is used for judging whether the software package information included in the verification information is the same as the searched software package information;
the determining module is used for determining that the terminal to be identified does not have the customized ROM if the judging result of the judging module is yes;
and the determining module is further used for determining that the terminal to be identified has the customized ROM if the judging result of the judging module is negative.
In a fourth aspect of the embodiments of the present disclosure, there is provided a custom ROM identification device applied to a terminal, including:
an acquisition module, used for acquiring verification information, wherein the verification information comprises equipment type information and software package information of an operating system;
The sending module is used for sending the verification information to a server, so that the server searches software package information corresponding to the equipment type information from a preset information base, judges whether the software package information included in the verification information is identical to the searched software package information, if so, determines that the terminal does not have a custom ROM, and if not, determines that the terminal has the custom ROM, wherein the information base comprises the corresponding relation between the equipment type information and the software package information of a plurality of terminals not having the custom ROM.
In a fifth aspect of embodiments of the present disclosure, there is provided an electronic device, including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of the first or second aspects.
A sixth aspect of embodiments of the present disclosure provides a non-transitory computer-readable storage medium storing computer instructions for causing the computer to perform the method according to any one of the first or second aspects.
A seventh aspect of the disclosed embodiments provides a computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of the first or second aspects.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the disclosure, nor is it intended to be used to limit the scope of the disclosure. Other features of the present disclosure will become apparent from the following specification.
Drawings
The drawings are for a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
FIG. 1 is a flow chart of a method of custom ROM identification provided by an embodiment of the present disclosure;
FIG. 2 is a flow chart of a method of building an information base provided by an embodiment of the present disclosure;
FIG. 3 is a flow chart of another method of custom ROM identification provided by an embodiment of the present disclosure;
FIG. 4 is a flow chart of another method of building an information base provided by an embodiment of the present disclosure;
FIG. 5 is an exemplary schematic diagram of a custom ROM identification process provided by an embodiment of the present disclosure;
FIG. 6 is a schematic diagram of a custom ROM identification device provided in an embodiment of the present disclosure;
FIG. 7 is a schematic diagram of another custom ROM identification device provided by an embodiment of the present disclosure;
Fig. 8 is a block diagram of an electronic device for implementing a custom ROM identification method of an embodiment of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below in conjunction with the accompanying drawings, which include various details of the embodiments of the present disclosure to facilitate understanding, and should be considered as merely exemplary. Accordingly, one of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
Although customizing the ROM of a terminal may enable the terminal to perform more functions to meet user-specific needs, a customized ROM also presents a certain risk to the terminal itself as well as to network communications. For example, a terminal with a custom ROM may install various applications without user authorization, which occupies the storage space of the terminal and brings the user no other benefit. For another example, a shopping platform may allow a new platform user to request a coupon, and a terminal with a custom ROM may obtain the coupon by faking the identity of a new platform user, thereby causing a loss to the shopping platform.
Terminals with custom ROM may affect network security, causing problems with data leakage, improper software propagation, and privacy violations.
In order to identify whether a terminal has a custom ROM, an embodiment of the present disclosure provides a custom ROM identification method, which is applied to a server, as shown in fig. 1, and includes the steps of:
s101, receiving verification information sent by a terminal to be identified.
Wherein the verification information includes: device type information and operating system package information.
For example, the device type information includes: manufacturer identification, device model number, Android system version number used, and/or ROM version number, etc. The manufacturer identification may be a manufacturer number or name.
The software package information of the operating system may represent the method information executed by the operating system; the software package information is stored in the ROM of the terminal.
In the embodiment of the present disclosure, the terminal to be identified may be any terminal that transmits verification information to the server. The terminal to be identified may carry the verification information in a service request sent to the server, or may send the verification information to the server before sending the service request, so that the terminal sends the service request only after the server has verified the verification information and determined that the terminal does not have a customized ROM. The service request may request that the server provide a specified service. Alternatively, the terminal to be identified may send the verification information to the server periodically, for example once a day; the embodiment of the present application does not specifically limit the timing at which the terminal to be identified sends the verification information.
S102, searching software package information corresponding to the equipment type information from a preset information base.
The information base comprises the corresponding relation between the device type information and the software package information of a plurality of terminals without customized ROM.
The terminal without the custom ROM is the terminal with the general ROM. Wherein the software package stored in the general ROM includes: a software package of an operating system issued by an official authority of a terminal manufacturer or a software package of an operating system issued by another official channel. Wherein the software package may also be referred to as a Java Archive (JAR) package, or a software development kit (Software Development Kit, SDK).
S103, judging whether the software package information included in the verification information is identical with the searched software package information. If yes, executing S104; if not, S105 is performed.
S104, determining that the terminal to be identified does not have the custom ROM.
If the software package information included in the verification information is the same as the found software package information, this indicates that the operating system software package stored in the ROM of the terminal is an officially issued software package, so it is determined that the terminal to be identified does not have a custom ROM.
S105, determining that the terminal to be identified has a custom ROM.
If the software package information included in the verification information differs from the found software package information, this indicates that the operating system software package stored in the ROM of the terminal is not an officially released software package, and thus it is determined that the terminal to be identified has a custom ROM.
In the embodiment of the present disclosure, the correspondence between the device type information and the software package information of terminals without a custom ROM is stored in the preset information base, so that the software package information corresponding in the information base to the device type information of the terminal to be identified is the software package information issued officially for terminals of that type. Therefore, whether the terminal to be identified has a custom ROM can be determined by comparing whether the found software package information is the same as the software package information of the terminal to be identified.
In an embodiment of the present disclosure, the software package information in the verification information includes: the total number of Java classes (Java class) included in all software packages of the operating system, and an encrypted value of each software package.
Before S101, the terminal to be identified may acquire each software package of the operating system through a preset script, for example from a local designated directory such as the "/system/framework" directory. The terminal then uses a preset jar tool to count the number of Java classes included in the jar files of each acquired software package, and uses a preset dexdump tool (a dex file viewing tool) to count the number of Java classes included in the dex files of each acquired software package. The number of Java classes in the jar files and the number of Java classes in the dex files are then summed to obtain the total number of Java classes.
Moreover, the terminal to be identified may calculate the encryption value over the content of each software package of the operating system using a preset digest algorithm, for example Message Digest Algorithm 5 (MD5), the Secure Hash Algorithm (SHA), or a Hash-based Message Authentication Code (HMAC), which are not particularly limited in the embodiments of the present disclosure.
On this basis, the determination by the server in S103 of whether the software package information included in the verification information is the same as the found software package information may be implemented as: judging whether the total number of Java classes included in the verification information is the same as the searched total number of Java classes, and judging whether the encryption value of each software package included in the verification information is the same as the searched encryption value of the corresponding software package.
If the judging results are the same, determining that the software package information included in the verification information is the same as the searched software package information.
If any judging result is different, determining that the software package information included in the verification information is different from the searched software package information.
Since the verification information includes encrypted values of a plurality of software packages, the server may determine, for each encrypted value included in the verification information, whether it is identical to any one of the searched encrypted values of the respective software packages. If the judgment result for every encrypted value is yes, the encrypted value of each software package included in the verification information is determined to be the same as the searched encrypted value of each software package.
If the total number of searched Java classes is the same as the total number of Java classes included in the verification information sent by the terminal to be identified, the number of classes in the operating system of the terminal to be identified is the same as the number of classes in the operating system of a terminal of the same type without a customized ROM, which reflects the number of methods executed by the operating system, so the terminal to be identified is determined not to have a customized ROM.
Otherwise, if the total number of found Java classes differs from the total number of Java classes included in the verification information sent by the terminal to be identified, this indicates that the number of classes in the operating system of the terminal to be identified differs from that of a terminal of the same type without a custom ROM; that is, compared with the officially issued operating system, the operating system of the terminal to be identified may contain additional methods or may have some methods deleted, so it is determined that the terminal to be identified has a custom ROM.
On the other hand, if the found encrypted value of each software package is the same as the encrypted value of each software package included in the verification information sent by the terminal to be identified, the content of the classes in the operating system of the terminal to be identified is the same as that of a terminal of the same type without a customized ROM, which reflects the methods executed by the operating system, so the terminal to be identified is determined not to have a customized ROM.
Otherwise, if the found encryption value of any software package differs from the encryption value of that software package included in the verification information sent by the terminal to be identified, the content of the classes in the operating system of the terminal to be identified differs from that of a terminal of the same type without a custom ROM; that is, compared with the officially issued operating system, modified classes may exist in the operating system of the terminal to be identified, so the terminal to be identified is determined to have a custom ROM.
Therefore, the embodiment of the disclosure can verify whether the terminal to be identified and a terminal without a customized ROM are the same in both the number and the content of the classes included in their operating systems, thereby verifying whether the operating system of the terminal to be identified has been modified and determining more accurately whether the terminal has a customized ROM. That is, the embodiment of the disclosure identifies whether the terminal has a customized ROM by using the hardware environment of the terminal.
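As an added example (not the patent's own code), the Python below builds the software package information of S101 from constructed in-memory jars (counting `.class` entries as `jar tf` would list them, reading the `class_defs_size` header field that dexdump reports, and taking a SHA-256 digest per package) and then applies the server-side comparison of S102 to S105 as refined above. The device type string, the package names and the two "modified ROM" variants are constructed assumptions.

```python
import hashlib
import io
import struct
import zipfile

# Constructed device type string (the patent's device type information:
# manufacturer, model, Android version, ROM version), not a real device.
DEVICE_TYPE = "vendorX/modelY/android14/rom1.0"


def make_dex(class_defs_size: int) -> bytes:
    """Constructed minimal dex: a 0x70-byte header whose class_defs_size
    field (offset 0x60) is set; that field is what dexdump reports."""
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\x00"                      # magic
    struct.pack_into("<I", header, 0x20, len(header))  # file_size
    struct.pack_into("<I", header, 0x24, 0x70)         # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)   # endian_tag
    struct.pack_into("<I", header, 0x60, class_defs_size)
    return bytes(header)


def make_jar(entries: dict) -> bytes:
    """Constructed jar (a zip) with fixed timestamps so its bytes are stable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, (1980, 1, 1, 0, 0, 0)), data)
    return buf.getvalue()


def count_dex_classes(dex: bytes) -> int:
    """Number of class_def_items, read from the dex header."""
    if len(dex) < 0x70 or dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    return struct.unpack_from("<I", dex, 0x60)[0]


def count_package_classes(jar: bytes) -> int:
    """Java classes in one package: .class entries (what `jar tf` lists)
    plus class_defs of any embedded classes*.dex, summed as in the text."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                total += 1
            elif name.endswith(".dex"):
                total += count_dex_classes(zf.read(name))
    return total


def build_package_info(packages: dict) -> dict:
    """Terminal side: total Java class count over all packages and one
    digest per package (SHA-256 here; the patent also allows MD5 or HMAC)."""
    return {
        "class_total": sum(count_package_classes(j) for j in packages.values()),
        "digests": {n: hashlib.sha256(j).hexdigest() for n, j in packages.items()},
    }


def verification_for(packages: dict, device_type: str = DEVICE_TYPE) -> dict:
    """The verification information a terminal would send in S101."""
    return {"device_type": device_type, "package_info": build_package_info(packages)}


def has_custom_rom(verification: dict, info_base: dict):
    """Server side, S102 to S105: the class total must match and every
    reported digest must equal one of the stored digests. Returns None
    when the device type has no entry in the information base."""
    expected = info_base.get(verification["device_type"])
    if expected is None:
        return None
    reported = verification["package_info"]
    if reported["class_total"] != expected["class_total"]:
        return True
    stored = set(expected["digests"].values())
    return not all(d in stored for d in reported["digests"].values())


CLASS_STUB = b"\xca\xfe\xba\xbe"  # constructed .class magic, not a real class

# Constructed "official" packages, standing in for /system/framework contents.
STOCK = {
    "framework.jar": make_jar({"classes.dex": make_dex(3)}),
    "services.jar": make_jar({"a/B.class": CLASS_STUB, "a/C.class": CLASS_STUB}),
}
# Information base entry built from a terminal without a custom ROM.
INFO_BASE = {DEVICE_TYPE: build_package_info(STOCK)}

# Constructed modified ROMs: one adds a class, one changes a class body
# while keeping the class count unchanged (caught by the digest check).
EXTRA_CLASS = dict(STOCK, **{"services.jar": make_jar(
    {"a/B.class": CLASS_STUB, "a/C.class": CLASS_STUB, "a/D.class": CLASS_STUB})})
CHANGED_CLASS = dict(STOCK, **{"services.jar": make_jar(
    {"a/B.class": CLASS_STUB, "a/C.class": CLASS_STUB + b"patched"})})

if __name__ == "__main__":
    for label, pkgs in (("stock", STOCK), ("extra class", EXTRA_CLASS),
                        ("changed class", CHANGED_CLASS)):
        print(label, "-> custom ROM:", has_custom_rom(verification_for(pkgs), INFO_BASE))
```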
In this embodiment of the present application, the verification information sent by the terminal to be identified in S101 further includes root of trust (Root Of Trust) information. The root of trust information is used to reflect the security of the key used by the terminal when it performs network communication.
Before S101, the terminal to be identified may use the Android key attestation (Key Attestation) function to acquire, from the KeyStore, the X.509 certificate chain of the key it uses for network communication, by calling the getCertificateChain() method of the KeyStore. Android key attestation can verify whether the terminal is in a secure operating environment, and can determine whether the key used by the terminal for communication is hardware-backed, the various attributes of the key, the restrictions on its use, and the like. The getCertificateChain() method requests the certificate chain; the X.509 certificate chain includes a plurality of certificates, the key used by the terminal to be identified for network communication, and extension data.
The terminal to be identified may then verify whether each certificate included in the X.509 certificate chain is valid, for example whether the current time is within the validity period of each certificate and whether the root certificate of the chain is trusted, using the methods provided by the X509Certificate object.
After the verification passes, the terminal to be identified may extract the extension data from the first element of the X.509 certificate chain using an Abstract Syntax Notation One (ASN.1) parser. The extension data includes Trusted Execution Environment (TEE) information of the terminal and a complete description of the authorization result of the Keymaster associated with the key; the structure of the extension data is the same as the authorization list structure used in the Android system and the Keymaster hardware abstraction layer (Keymaster HAL).
In a conventional key attestation scenario, in order to verify the security of a key included in an X.509 certificate chain, a terminal running Android 7.0 or higher generally uses the Google hardware-backed key attestation scheme to verify the extension data of the X.509 certificate chain in the hardware-backed keystore of the terminal. After the verification passes, the key is determined to be a secure key. The Application Program Interface (API) level of Android 7.0 is 24.
In the embodiment of the disclosure, after the terminal acquires the extension data, it need not verify the security of the key itself; instead, it sends the root of trust information included in the extension data to the server, so that the server verifies whether the terminal has a custom ROM.
Therefore, before searching the software package information corresponding to the device type information in the preset information base in S102, the server may further determine whether the key used by the terminal to be identified for network communication is safe, according to the root of trust information included in the verification information.
If yes, it is determined that the terminal to be identified does not have a custom ROM. If not, the above-mentioned step S102 is executed.
The root of trust information includes: device lock (deviceLocked) information and a verified boot state (verifiedBootState).
A deviceLocked value of true indicates that the boot loader of the terminal is in the locked state; the verification check function is then enabled when the terminal starts, which prevents an unsigned operating system file from being stored in the ROM and reflects that the terminal can currently only be flashed with a signed, officially published operating system file, so the terminal does not have a customized ROM. A deviceLocked value of false indicates that the boot loader of the terminal is in the unlocked state, which reflects that the terminal can currently be flashed with an operating system file that was not officially issued, that is, a customized operating system can be written into the ROM of the terminal, so the terminal may have a customized ROM.
verifiedBootState represents the security state the terminal verified at startup. A verifiedBootState of Verified means that a complete chain of trust from the boot loader to the verified disk partitions was established, and reflects that the boot loader of the terminal's operating system has not been modified. A verifiedBootState of Unverified reflects that the boot loader of the terminal's operating system has been modified.
The server may determine whether the deviceLocked information in the verification information sent by the terminal to be identified is true, and whether the verifiedBootState in the verification information is Verified. If both judgment results are yes, the key used by the terminal to be identified is determined to be safe; if either judgment result is no, the key used by the terminal to be identified is determined to be unsafe.
Optionally, the root of trust information may further include a verified boot key (verifiedBootKey). verifiedBootKey is a hash value of a key used by the terminal for network communication; the hash value may be calculated by the SHA-256 algorithm.
Therefore, before determining whether the key used by the terminal to be identified is safe, the server may also look up, in a correspondence between device type information and the verifiedBootKey of terminals without a customized ROM, the verifiedBootKey corresponding to the device type information in the verification information sent by the terminal to be identified, and judge whether the found verifiedBootKey is the same as the verifiedBootKey included in the verification information. If they are the same, the key used by the terminal to be identified is determined to be safe; if they are different, the key is determined to be unsafe.
When the deviceLocked information is true, the boot loader of the terminal to be identified is in the locked state, so the terminal has not been flashed with an operating system file that was not officially issued and does not have a custom ROM. When the verifiedBootState is Verified, the boot loader of the operating system of the terminal to be identified has not been modified, so the terminal does not have a custom ROM. Therefore, the embodiment of the disclosure verifies the security of the key used by the terminal by verifying the root of trust sent by the terminal to be identified, that is, by utilizing the hardware environment of the terminal. When the key is not secure, the terminal to be identified may have been flashed with an operating system file that was not officially issued, so it is determined to have a customized ROM without further searching the information base, which improves the efficiency of identifying customized ROMs. In addition, when the key is safe, verification can be continued by comparing against the information base, so that the hardware environment and the software environment of the terminal are combined and the accuracy of identifying customized ROMs is improved.
Since the embodiment of the present disclosure needs to be based on the information base in S102 described above when identifying whether the terminal to be identified has the custom ROM, the server may also construct the information base in advance before executing the identification procedure of fig. 1. The information base may be constructed in the manner shown in fig. 2:
S201, receiving information to be put in storage sent by each candidate terminal.
The information to be put in storage comprises: trusted root information, device type information and software package information of the operating system, where the trusted root information reflects the security of the key used when the terminal performs network communication.
The candidate terminal may be any terminal that transmits information to be put in storage to the server. The method for obtaining the information to be put in storage by the candidate terminal is the same as the method for obtaining the verification information by the terminal to be identified, and reference is made to the above description, and details are not repeated here.
S202, for each piece of information to be put in storage, determining whether the key used by the candidate terminal that sent it is secure according to the trusted root information included in it.
S203, screening the information to be put in storage sent by candidate terminals whose keys are secure, and constructing the information base based on the device type information and the operating system software package information contained in the screened information.
The server may deduplicate the screened information to be put in storage and then, for each piece retained after deduplication, use its device type information as the key and its operating system software package information as the value, storing them in the information base as key-value pairs.
Alternatively, the information base can be constructed based on the screened information to be stored by the method described below.
In this way the server verifies the security of the key used by each candidate terminal for network communication; when the key passes verification, the terminal is running in a secure environment and can be considered to have no custom ROM, so the information base can be constructed from the information to be put in storage sent by such candidate terminals, which improves the accuracy of the information base.
In the embodiment of the present disclosure, determining in S202 whether the key used by the candidate terminal that sent the information to be put in storage is secure, according to the trusted root information included in that information, may be implemented as follows: judge whether the deviceLocked information included in the information to be put in storage is true, and judge whether the verifiedBootState included in it is verified.
If both judgments are yes, the key used by the candidate terminal that sent the information to be put in storage is determined to be secure;
if either judgment is no, the key used by the candidate terminal that sent the information to be put in storage is determined to be insecure.
When deviceLocked is true, the bootloader of the terminal is locked, so the terminal cannot be flashed with an operating system image that was not issued officially, and therefore it does not have a custom ROM. When verifiedBootState is verified, the operating system loaded by the bootloader has not been modified, so the terminal does not have a custom ROM. Therefore, the embodiment of the disclosure screens out the information to be put in storage whose deviceLocked is true and whose verifiedBootState is verified and builds the information base on that information, which reduces the chance that information from devices with a custom ROM is stored in the information base and improves its accuracy.
Before determining in S202 that the key used by the candidate terminal that sent the information to be put in storage is secure, the server may further obtain the other information to be put in storage whose device type information is the same as that of this information, determine the first proportion of verifiedBootKeys in that other information that are the same as the verifiedBootKey included in this information, and judge whether the first proportion is greater than a first preset threshold. The first preset threshold may be set based on actual requirements, for example 30% or 50%.
For terminals that have the same device type information and no custom ROM, the verifiedBootKeys are generally identical, or each distinct verifiedBootKey accounts for a relatively large share. For example, among terminals with the same device type information and no custom ROM, 50% of the verifiedBootKeys may be 00000000 and 50% may be 10000000.
Therefore, if the first proportion is greater than the first preset threshold, the key used by the candidate terminal that sent the information to be put in storage can be determined to be secure, and the information base can be constructed based on the information to be put in storage sent by that candidate terminal.
Optionally, a verifiedBootKey whose first proportion is greater than the first preset threshold and the device type information included in the information to be put in storage to which it belongs may be recorded as a correspondence, so that a custom ROM can later be identified based on that correspondence.
However, among the verifiedBootKeys of terminals that have the same device type information and no custom ROM, a particular verifiedBootKey generally does not appear in an extremely small proportion. Therefore, if the first proportion is less than or equal to the first preset threshold, the key used by the candidate terminal that sent the information to be put in storage is determined to be insecure, that is, the candidate terminal most likely has a custom ROM, and the information base is not constructed based on the information to be put in storage it sent.
In this way, the embodiment of the disclosure can filter out the information to be put in storage sent by the candidate terminal whose verifiedBootKey is rarest among candidate terminals of the same type; since such a candidate terminal may have a custom ROM, the embodiment does not construct the information base from the information it sent, which improves the accuracy of the information base.
In the embodiment of the present disclosure, the method by which the server constructs the information base in S203, based on the device type information and operating system software package information included in the screened information to be put in storage, includes the following steps:
Step one, among the screened information to be put in storage, grouping together the pieces of information that contain the same device type information.
Since the device type information is made up of several pieces of information, the server may group together the information to be put in storage in which every piece of the device type information is the same.
Step two, for each group of information to be put in storage, counting the second proportion of each kind of software package information among the software package information included in the group.
Because the software package information comprises the total number of Java classes and the encryption value of each software package of the operating system, the server may treat software package information with the same total number of Java classes and the same encryption value for every software package as one kind, and count the ratio of the number of pieces of each kind to the number of pieces in the group as the second proportion of that kind.
Step three, adding to the information base, as a correspondence, the device type information contained in one piece of information to be put in storage in the group together with at least one kind of software package information whose second proportion is greater than a second preset threshold.
The second preset threshold may be set based on actual requirements, for example 30% or 50%.
For terminals with the same device type information and no custom ROM, the software package information is generally identical, or each kind of software package information accounts for a relatively large share. Therefore, in each group of information to be put in storage, the software package information whose second proportion is greater than the second preset threshold is the software package information of terminals without a custom ROM.
In addition, because the device type information of every piece in a group is the same, the device type information of any one piece in the group can be taken and added to the information base together with the at least one kind of software package information whose second proportion is greater than the second preset threshold, which improves the accuracy of the information base.
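The construction procedure from S201 to S203, as an added worked example in Python that is not part of the patent or of any vendor's implementation: records that fail the root-of-trust screen are dropped, then the per-device-type verifiedBootKey proportion filter (the first proportion) and the per-group software package proportion filter (the second proportion) are applied. The record layout, the threshold values and every sample record are constructed for illustration; the decision to compute the first proportion over the other records of the same type (so that a type with a single record is held back) is this example's reading of the text.

```python
"""Added example (not the patent's own code): building the information base
from constructed to-be-stored records, with the root-of-trust screen, the
first-proportion filter on verifiedBootKey and the second-proportion filter
on software package information."""
from collections import Counter, defaultdict

FIRST_THRESHOLD = 0.30   # first preset threshold; the text gives 30% or 50% as examples
SECOND_THRESHOLD = 0.30  # second preset threshold; same examples


def key_is_secure(root_of_trust):
    """S202: the key is secure only if the bootloader is locked and boot state is verified."""
    return (root_of_trust.get("deviceLocked") is True
            and root_of_trust.get("verifiedBootState") == "verified")


def package_key(pkg_info):
    """Hashable form of software package information: the total number of Java
    classes plus the (package name, encryption value) pairs in a fixed order."""
    return (pkg_info["java_class_total"],
            tuple(sorted(pkg_info["package_values"].items())))


def screen_records(records, first_threshold=FIRST_THRESHOLD):
    """Keep records whose key passes the root-of-trust check and whose
    verifiedBootKey also appears in more than first_threshold of the *other*
    records of the same device type. A type with a single record has nothing
    to corroborate it, so its first proportion is 0 and it is held back."""
    by_type = defaultdict(list)
    for r in records:
        if key_is_secure(r["root_of_trust"]):
            by_type[r["device_type"]].append(r)
    kept = []
    for group in by_type.values():
        counts = Counter(r["root_of_trust"]["verifiedBootKey"] for r in group)
        others = len(group) - 1
        for r in group:
            same_key_others = counts[r["root_of_trust"]["verifiedBootKey"]] - 1
            first_ratio = same_key_others / others if others else 0.0
            if first_ratio > first_threshold:
                kept.append(r)
    return kept


def build_information_base(records, first_threshold=FIRST_THRESHOLD,
                           second_threshold=SECOND_THRESHOLD):
    """S203: group screened records by device type, compute each distinct package
    information's share of its group (the second proportion) and record the
    device type with every package information above the threshold."""
    groups = defaultdict(list)
    for r in screen_records(records, first_threshold):
        groups[r["device_type"]].append(package_key(r["package_info"]))
    base = {}
    for dev_type, pkgs in groups.items():
        counts = Counter(pkgs)
        accepted = [p for p, n in counts.items() if n / len(pkgs) > second_threshold]
        if accepted:
            base[dev_type] = accepted
    return base


# Constructed sample data; the device type is a tuple because the text says it
# is made up of several pieces of information.
TYPE_A = ("BrandX", "ModelY", "14")
TYPE_B = ("BrandZ", "ModelQ", "13")
PKG_OFFICIAL = {"java_class_total": 125000,
                "package_values": {"framework.jar": "f1a2", "services.jar": "9c0d"}}
PKG_MODIFIED = {"java_class_total": 126310,
                "package_values": {"framework.jar": "77e0", "services.jar": "9c0d"}}
PKG_B = {"java_class_total": 98000, "package_values": {"framework.jar": "b0b1"}}


def record(dev_type, locked, state, boot_key, pkg):
    return {"device_type": dev_type, "package_info": pkg,
            "root_of_trust": {"deviceLocked": locked, "verifiedBootState": state,
                              "verifiedBootKey": boot_key}}


SAMPLE_RECORDS = [
    record(TYPE_A, True, "verified", "00000000", PKG_OFFICIAL),
    record(TYPE_A, True, "verified", "00000000", PKG_OFFICIAL),
    record(TYPE_A, True, "verified", "00000000", PKG_OFFICIAL),
    record(TYPE_A, True, "verified", "00000000", PKG_MODIFIED),   # passes screening, lost at the second proportion (1/4)
    record(TYPE_A, True, "verified", "deadbeef", PKG_MODIFIED),   # rare boot key: first proportion 0
    record(TYPE_A, False, "verified", "00000000", PKG_MODIFIED),  # unlocked bootloader: dropped in S202
    record(TYPE_B, True, "verified", "10000000", PKG_B),
    record(TYPE_B, True, "verified", "10000000", PKG_B),
]

if __name__ == "__main__":
    for dev_type, pkgs in build_information_base(SAMPLE_RECORDS).items():
        print(dev_type, "->", pkgs)
```

With the constructed records, only the official package information of TYPE_A and the single package information of TYPE_B reach the base; the unlocked record, the rare-key record and the minority package information are all filtered out before storage.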
Based on the same inventive concept, the embodiment of the present disclosure also provides a custom ROM identification method, which is applied to a terminal. As shown in fig. 3, the method includes:
S301, acquiring verification information. The verification information includes device type information and software package information of the operating system.
The manner in which the terminal obtains the verification information, and the specific information included in the verification information may refer to the above description, which is not repeated here.
S302, sending verification information to a server, so that the server searches software package information corresponding to the equipment type information from a preset information base, judges whether the software package information included in the verification information is identical to the searched software package information, if so, determines that the terminal does not have the custom ROM, and if not, determines that the terminal has the custom ROM. The information base comprises the corresponding relation between the device type information and the software package information of a plurality of terminals without customized ROM.
The specific judgment manner of the server based on the verification information can refer to the above description, and will not be repeated here.
In the embodiment of the disclosure, the correspondence between the device type information and the software package information of terminals without a custom ROM is stored in the preset information base, so the software package information corresponding to the device type information of a terminal in the information base is the software package information issued officially for terminals of that type. Therefore, whether the terminal to be identified has a custom ROM can be determined by comparing whether the found software package information is the same as the software package information of the terminal to be identified.
In the embodiment of the present disclosure, since the server needs to determine whether the terminal has the custom ROM based on the information base, before executing the flow shown in fig. 3, referring to fig. 4, the terminal may further send information to be put into storage to the server, so that the server builds the information base based on the information to be put into storage, and the specific process includes the following steps:
S401, acquiring the certificate chain of the key used by the terminal in network communication.
The certificate chain may be an X.509 certificate chain, and the manner in which the terminal obtains the X.509 certificate chain may refer to the above description, which is not repeated here.
S402, carrying out security verification on each certificate included in the certificate chain.
The manner in which the terminal performs security verification on each certificate included in the certificate chain may refer to the above description, and will not be described herein.
S403, if all certificates included in the certificate chain pass the security verification, obtaining the trusted root information from the certificate chain. Wherein the root of trust information is used to reflect the security of the key.
The terminal may obtain the extension information from the certificate chain and obtain the root of trust information from the extension information. The manner in which the terminal obtains the extension information may refer to the above description, and will not be described herein.
S404, sending information to be put in storage to a server. The information to be put in storage comprises: the trusted root information, the equipment type information of the terminal and the software package information are used for enabling the server to construct an information base based on the information to be put in storage.
The manner in which the server constructs the information base based on the information to be put in storage may refer to the above description, and will not be repeated here.
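Extracting the root of trust from the extension information, as an added example in Python that is not the patent's or any vendor's code: it assumes the extension follows Android's published key attestation schema, in which RootOfTrust is an ASN.1 SEQUENCE of verifiedBootKey (OCTET STRING), deviceLocked (BOOLEAN), verifiedBootState (ENUMERATED: Verified 0, SelfSigned 1, Unverified 2, Failed 3) and verifiedBootHash (OCTET STRING). Only that sequence is parsed here, not the surrounding KeyDescription or the certificate itself; the encoder exists solely to construct the sample DER bytes offline, which are not taken from a real device.

```python
"""Added example (not the patent's own code): strict DER parsing of a
RootOfTrust sequence into the deviceLocked / verifiedBootState /
verifiedBootKey fields that the terminal sends in S403."""

TAG_BOOLEAN, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 0x01, 0x04, 0x0A, 0x30
BOOT_STATES = {0: "verified", 1: "self_signed", 2: "unverified", 3: "failed"}


def der_length(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + der_length(len(value)) + value


def encode_root_of_trust(boot_key, locked, state, boot_hash):
    """Constructed sample encoder, used only to build test input offline."""
    return tlv(TAG_SEQUENCE,
               tlv(TAG_OCTET_STRING, boot_key)
               + tlv(TAG_BOOLEAN, b"\xff" if locked else b"\x00")
               + tlv(TAG_ENUMERATED, bytes([state]))
               + tlv(TAG_OCTET_STRING, boot_hash))


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def parse_root_of_trust(der):
    """Parse a RootOfTrust SEQUENCE. Unexpected tags, trailing bytes or a
    non-canonical BOOLEAN are rejected rather than guessed, so a malformed or
    re-ordered structure is never read as a locked, verified device."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        fields.append((t, v))
    expected = [TAG_OCTET_STRING, TAG_BOOLEAN, TAG_ENUMERATED, TAG_OCTET_STRING]
    if [t for t, _ in fields] != expected:
        raise ValueError("unexpected RootOfTrust layout")
    (_, key), (_, locked), (_, state), (_, vb_hash) = fields
    if locked not in (b"\x00", b"\xff"):
        raise ValueError("non-DER BOOLEAN")
    state_code = int.from_bytes(state, "big")
    return {
        "verifiedBootKey": key.hex(),
        "deviceLocked": locked == b"\xff",
        "verifiedBootState": BOOT_STATES.get(state_code, "unknown"),
        "verifiedBootHash": vb_hash.hex(),
    }


def is_well_formed(der):
    """True only if the bytes parse as a complete RootOfTrust."""
    try:
        parse_root_of_trust(der)
        return True
    except (ValueError, IndexError):
        return False


# Constructed samples: a locked device with verified boot, and an unlocked one.
SAMPLE_LOCKED = encode_root_of_trust(bytes(32), True, 0, bytes(32))
SAMPLE_UNLOCKED = encode_root_of_trust(bytes.fromhex("10" + "00" * 31), False, 2, bytes(32))

if __name__ == "__main__":
    print(parse_root_of_trust(SAMPLE_LOCKED))
    print(parse_root_of_trust(SAMPLE_UNLOCKED))
```

The parser fails closed: a truncated buffer, trailing bytes or a field in the wrong position raise instead of yielding a partially filled record, which matters because the server later treats deviceLocked true plus verifiedBootState verified as evidence of a secure key.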
By the method, the terminal can send the information to be put in storage to the server so that the server can identify whether the terminal has the customized ROM or not based on the trusted root information included in the information to be put in storage, so that the information base is constructed by using the equipment type information and the software package information sent by the terminal without the customized ROM, and the accuracy of the information base is improved.
Referring to fig. 5, the following describes a custom ROM identification procedure provided by an embodiment of the present disclosure in connection with an actual application scenario:
The server receives the information to be put in storage sent by each candidate terminal and, for each piece, determines whether the key used by the candidate terminal that sent it is secure according to the trusted root information it includes. The server then screens the information to be put in storage sent by candidate terminals whose keys are secure and constructs the information base from the device type information and operating system software package information included in each screened piece.
After receiving the verification information sent by terminal A, the server searches the information base for the software package information corresponding to the device type information included in the verification information. Assuming that the software package information in the verification information is the same as the found software package information, the server determines that terminal A does not have a custom ROM.
After receiving the verification information sent by terminal B, the server searches the information base for the software package information corresponding to the device type information included in the verification information. Assuming that the software package information in the verification information is the same as the found software package information, the server determines that terminal B does not have a custom ROM.
After receiving the verification information sent by terminal C, the server searches the information base for the software package information corresponding to the device type information included in the verification information. The software package information 1 included in the verification information and the found software package information 2 are as shown in Table one.
Table one
It can be seen that the total number of Java classes in software package information 1, included in the verification information sent by terminal C, differs from the total number of Java classes in the found software package information 2, so the server can determine that terminal C has a custom ROM.
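The identification flow for terminals A, C and a terminal with an insecure key, as an added example in Python that is neither the patent's nor any vendor's code. It follows the order described for the method: the root-of-trust pre-check (deviceLocked, verifiedBootState and, where a correspondence has been recorded for the device type, the verifiedBootKey) runs first, and only a terminal that passes it is compared against the information base by software package information, that is the total number of Java classes plus the encryption value of every package. INFO_BASE, KNOWN_BOOT_KEYS and the TERMINAL_* records are constructed; the 'unknown' verdict for a device type absent from the base is this example's assumption, as the text does not cover that case.

```python
"""Added example (not the patent's own code): server-side custom ROM
identification from constructed verification information."""

TYPE_A = ("BrandX", "ModelY", "14")

# Constructed information base: device type -> accepted package information,
# each stored as (total Java classes, sorted (package, encryption value) pairs).
INFO_BASE = {
    TYPE_A: [(125000, (("framework.jar", "f1a2"), ("services.jar", "9c0d")))],
}
# Constructed correspondence between device type and the verifiedBootKeys
# recorded for official terminals of that type during warehousing.
KNOWN_BOOT_KEYS = {TYPE_A: {"00000000", "10000000"}}


def check_root_of_trust(rot, device_type, known_keys=KNOWN_BOOT_KEYS):
    """Key security from the root of trust. Returns (secure, reason)."""
    if rot.get("deviceLocked") is not True:
        return False, "bootloader not locked"
    if rot.get("verifiedBootState") != "verified":
        return False, f"verifiedBootState is {rot.get('verifiedBootState')!r}"
    known = known_keys.get(device_type)
    if known is not None and rot.get("verifiedBootKey") not in known:
        return False, "verifiedBootKey differs from the one recorded for this device type"
    return True, "root of trust ok"


def compare_package_info(submitted, found):
    """Judging module logic: the class total and every encryption value must match."""
    if submitted["java_class_total"] != found[0]:
        return False, "total number of Java classes differs"
    if tuple(sorted(submitted["package_values"].items())) != found[1]:
        return False, "encryption value of a software package differs"
    return True, "software package information matches"


def identify(verification_info, info_base=INFO_BASE):
    """Return ('custom_rom' | 'no_custom_rom' | 'unknown', reason)."""
    dev_type = verification_info["device_type"]
    rot = verification_info.get("root_of_trust")
    if rot is not None:
        secure, why = check_root_of_trust(rot, dev_type)
        if not secure:
            # Insecure key: decided from the hardware environment alone, no base lookup.
            return "custom_rom", "key insecure: " + why
    candidates = info_base.get(dev_type)
    if not candidates:
        return "unknown", "no software package information recorded for this device type"
    reasons = []
    for found in candidates:      # the base may hold several accepted package infos per type
        same, why = compare_package_info(verification_info["package_info"], found)
        if same:
            return "no_custom_rom", why
        reasons.append(why)
    return "custom_rom", "; ".join(sorted(set(reasons)))


def terminal(dev_type, locked, state, boot_key, class_total, values):
    """Build a constructed verification record."""
    return {"device_type": dev_type,
            "root_of_trust": {"deviceLocked": locked, "verifiedBootState": state,
                              "verifiedBootKey": boot_key},
            "package_info": {"java_class_total": class_total, "package_values": values}}


OFFICIAL = {"framework.jar": "f1a2", "services.jar": "9c0d"}
TERMINAL_A = terminal(TYPE_A, True, "verified", "00000000", 125000, OFFICIAL)   # official packages
TERMINAL_C = terminal(TYPE_A, True, "verified", "00000000", 126310, OFFICIAL)   # class total differs
TERMINAL_D = terminal(TYPE_A, False, "verified", "00000000", 125000, OFFICIAL)  # unlocked bootloader
TERMINAL_F = terminal(TYPE_A, True, "verified", "deadbeef", 125000, OFFICIAL)   # unrecorded boot key
TERMINAL_E = terminal(("BrandZ", "ModelQ", "13"), True, "verified", "10000000", 98000, OFFICIAL)

if __name__ == "__main__":
    for name, t in [("A", TERMINAL_A), ("C", TERMINAL_C), ("D", TERMINAL_D)]:
        print(name, identify(t))
```

Terminal D and terminal F never reach the package comparison: their root of trust already decides the verdict, which is the efficiency gain the text describes for an insecure key.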
The usual ways to detect whether a terminal has a custom ROM are as follows:
1. Detecting whether the signature of a specified application program in the terminal matches the signature of the legitimate version; if so, the terminal is determined not to have a custom ROM; otherwise, it is determined to have a custom ROM.
2. Checking whether the hash value of the system disk partition matches a preset hash value; if so, the terminal is determined not to have a custom ROM; otherwise, it is determined to have a custom ROM.
3. Using an anti-malware engine to perform static and/or dynamic scanning of the application programs installed on the terminal. Static scanning checks whether the permissions requested by the application program are in a permission whitelist; dynamic scanning checks whether the application program communicates with a device in a blacklist. If the scan passes, the terminal is determined not to have a custom ROM; otherwise, it is determined to have a custom ROM.
4. Detecting whether the version and signature of the terminal's baseband firmware (modem firmware) are identical to those of the baseband firmware of a non-custom ROM; if so, the terminal is determined not to have a custom ROM; otherwise, it is determined to have a custom ROM.
5. Monitoring status information of the terminal such as network activity, central processing unit (CPU) usage and memory occupancy, and whether it communicates with devices in a blacklist. If abnormal status information is observed or communication with a blacklisted device is detected, the terminal is determined to have a custom ROM; otherwise, it is determined not to have a custom ROM.
However, since a custom ROM can modify the operating system of the terminal, the operating system can forge the behaviour information, log information and signature information of an application program, disk partition information and the like, and the application program may use a self-signed certificate instead of a standard certificate. The existing detection methods are therefore not accurate enough.
The embodiment of the disclosure does not inspect the application programs installed on the terminal but directly examines the software package information of the terminal's operating system, thereby directly verifying whether the operating system's software packages are the same as the officially issued ones, so that a deeply forged custom ROM can be identified more accurately.
In addition, since the Android ecosystem is highly diverse, with differing hardware and software configurations, custom ROMs come in many types and versions, and the current detection methods find it hard to cover them all. The information base of the embodiment of the disclosure can include the device type information and software package information of many types of terminals with non-custom ROMs, so that whether a terminal has a custom ROM can be detected by comparison against the information base, reducing detection difficulty and improving detection accuracy.
Furthermore, not all modifications to the ROM are malicious, and some device manufacturers or communities may develop and distribute official operating system packages to the terminals in order to provide additional functionality or improve device performance for the terminals. The embodiments of the present disclosure can store information of terminals in which various official operating systems are installed in an information base, thereby reducing the case where terminals in which official operating systems are installed are recognized as custom ROM.
In the technical scheme of the disclosure, the related equipment type information, software package information of an operating system, verification information and other processes such as collection, storage, use, processing, transmission, provision, disclosure and the like all conform to the regulations of related laws and regulations, and the public order is not violated.
Based on the same inventive concept, corresponding to the above method embodiment, the present application further provides a custom ROM identification device, applied to a server, as shown in fig. 6, where the device includes: a receiving module 601, a searching module 602, a judging module 603 and a determining module 604;
the receiving module 601 is configured to receive verification information sent by a terminal to be identified, where the verification information includes: device type information and operating system package information;
the searching module 602 is configured to search software package information corresponding to the device type information from a preset information base; the information base comprises the corresponding relation between the device type information and the software package information of a plurality of terminals without customized ROM;
a judging module 603, configured to judge whether the software package information included in the verification information is the same as the found software package information;
a determining module 604, configured to determine that the terminal to be identified does not have the custom ROM if the determination result of the determining module 603 is yes;
the determining module 604 is further configured to determine that the terminal to be identified has the custom ROM if the determination result of the determining module 603 is negative.
In some embodiments of the present disclosure, the software package information comprises the total number of Java classes included in each software package of the operating system and the encryption value of each software package; the judging module 603 is specifically configured to:
judge whether the total number of Java classes included in the verification information is the same as the found total number of Java classes, and judge whether the encryption value of each software package included in the verification information is the same as the encryption value of each found software package;
if both judgments are the same, determine that the software package information included in the verification information is the same as the found software package information;
if either judgment differs, determine that the software package information included in the verification information is different from the found software package information.
In some embodiments of the present disclosure, the authentication information further includes: the trusted root information is used for reflecting the security of a secret key used when the terminal performs network communication; the judging module 603 is further configured to:
before searching software package information corresponding to equipment type information from a preset information base, judging whether a secret key used when a terminal to be identified performs network communication is safe or not according to the credible root information included in the verification information;
if yes, determining that the terminal to be identified is not provided with the custom ROM;
if not, calling a searching module to execute the step of searching the software package information corresponding to the equipment type information from a preset information base.
In some embodiments of the present disclosure, the apparatus may further include a build module to:
receive information to be put in storage sent by each candidate terminal, where the information to be put in storage comprises trusted root information, device type information and software package information of the operating system, and the trusted root information reflects the security of the key used when the terminal performs network communication;
for each piece of information to be put in storage, determine whether the key used by the candidate terminal that sent it is secure according to the trusted root information it includes;
screen the information to be put in storage sent by candidate terminals whose keys are secure, and construct the information base based on the device type information and operating system software package information contained in each screened piece.
In some embodiments of the present disclosure, the root of trust information comprises the device lock information deviceLocked and the verified boot state verifiedBootState; the construction module is specifically configured to:
judge whether the deviceLocked information included in the information to be put in storage is true, and judge whether the verifiedBootState included in it is verified;
if both judgments are yes, determine that the key used by the candidate terminal that sent the information to be put in storage is secure;
if either judgment is no, determine that the key used by the candidate terminal that sent the information to be put in storage is insecure.
In some embodiments of the present disclosure, the root of trust information further comprises the verified boot key verifiedBootKey; the apparatus may further include:
an acquisition module, configured to acquire, before the key used by the candidate terminal that sent the information to be put in storage is determined to be secure, the other information to be put in storage whose device type information is the same as that included in this information;
the determining module 604 is further configured to determine the first proportion of verifiedBootKeys in the other information to be put in storage that are the same as the verifiedBootKey included in this information;
the judging module 603 is further configured to judge whether the first proportion is greater than a first preset threshold; if yes, call the construction module to execute the step of determining that the key used by the candidate terminal that sent the information to be put in storage is secure; if not, determine that the key used by that candidate terminal is insecure.
In some embodiments of the present disclosure, the construction module is specifically configured to:
among the screened information to be put in storage, group together the pieces that contain the same device type information;
for each group of information to be put in storage, count the second proportion of each kind of software package information among the software package information included in the group;
add to the information base, as a correspondence, the device type information contained in one piece of information to be put in storage in the group together with at least one kind of software package information whose second proportion is greater than a second preset threshold.
Based on the same inventive concept, corresponding to the above method embodiment, the present disclosure further provides a custom ROM identification device, applied to a terminal, as shown in fig. 7, including: an acquisition module 701 and a transmission module 702;
an obtaining module 701, configured to obtain verification information, where the verification information includes device type information and software package information of an operating system;
the sending module 702 is configured to send verification information to the server, so that the server searches software package information corresponding to the device type information from a preset information base, and determines whether the software package information included in the verification information is the same as the found software package information, if yes, it is determined that the terminal does not have a custom ROM, and if not, it is determined that the terminal has a custom ROM, where the information base includes correspondence between device type information and software package information of a plurality of terminals that do not have custom ROMs.
In some embodiments of the present disclosure, the apparatus may further include:
the acquiring module 701 is further configured to acquire a certificate chain of a key used when the terminal performs network communication;
The verification module is used for carrying out security verification on each certificate included in the certificate chain;
the obtaining module 701 is further configured to obtain trusted root information from the certificate chain if each certificate included in the certificate chain passes the security verification, where the trusted root information is used to reflect the security of the key;
the sending module 702 is further configured to send information to be put in storage to the server, where the information to be put in storage comprises the trusted root information, the device type information of the terminal and the software package information, so that the server constructs the information base based on the information to be put in storage.
According to embodiments of the present disclosure, the present disclosure also provides an electronic device, a readable storage medium and a computer program product.
Fig. 8 illustrates a schematic block diagram of an example electronic device 800 that may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 8, the electronic device 800 includes a computing unit 801 that can perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 802 or a computer program loaded from a storage unit 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data required for the operation of the electronic device 800 can also be stored. The computing unit 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
Various components in electronic device 800 are connected to I/O interface 805, including: an input unit 806 such as a keyboard, mouse, etc.; an output unit 807 such as various types of displays, speakers, and the like; a storage unit 808, such as a magnetic disk, optical disk, etc.; and a communication unit 809, such as a network card, modem, wireless communication transceiver, or the like. The communication unit 809 allows the electronic device 800 to exchange information/data with other devices through a computer network such as the internet and/or various telecommunication networks.
The computing unit 801 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 801 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 801 performs the respective methods and processes described above, such as a custom ROM identification method. For example, in some embodiments, the custom ROM identification method may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 808. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 800 via the ROM 802 and/or the communication unit 809. When a computer program is loaded into RAM 803 and executed by computing unit 801, one or more steps of the custom ROM identification method described above may be performed. Alternatively, in other embodiments, the computing unit 801 may be configured to perform the custom ROM identification method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs, where the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. This program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and pointing device (e.g., a mouse or trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel, sequentially, or in a different order, provided that the desired results of the disclosed aspects are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.
Claims (21)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311775855.7A CN117835240A (en) | 2023-12-21 | 2023-12-21 | A custom ROM identification method, device, electronic device and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311775855.7A CN117835240A (en) | 2023-12-21 | 2023-12-21 | A custom ROM identification method, device, electronic device and medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117835240A true CN117835240A (en) | 2024-04-05 |
Family
ID=90518195
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311775855.7A Pending CN117835240A (en) | 2023-12-21 | 2023-12-21 | A custom ROM identification method, device, electronic device and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117835240A (en) |
- 2023-12-21 CN CN202311775855.7A patent/CN117835240A/en active Pending
Similar Documents
| Publication | Title |
|---|---|
| CN109492378B (en) | Identity verification method based on equipment identification code, server and medium |
| KR101956486B1 (en) | Method and system for facilitating terminal identifiers |
| US20150113618A1 (en) | Verifying the security of a remote server |
| Al Rahat et al. | OAuthLint: An empirical study on OAuth bugs in Android applications |
| CN107133520B (en) | Trust measurement method and device for cloud computing platform |
| CN101512512A (en) | Software authorization using software reputation |
| CN111898124B (en) | Process access control method and device, storage medium and electronic equipment |
| CN108805571B (en) | Data protection method, platform, blockchain node, system and storage medium |
| CN113360868A (en) | Application program login method and device, computer equipment and storage medium |
| CN107196972B (en) | Authentication method and system, terminal and server |
| CN101562558A (en) | Method, system and device for terminal grade classification |
| CN112632573A (en) | Intelligent contract execution method, device and system, storage medium and electronic equipment |
| CN110943840B (en) | Signature verification method |
| CN112765588A (en) | Identity recognition method and device, electronic equipment and storage medium |
| CN115329315A (en) | Service authentication method, device, storage medium and electronic device |
| US20250097051A1 (en) | Remote Attestation Method, Apparatus, and System, Storage Medium, and Computer Program Product |
| US11423160B2 (en) | System for analysis and authorization for use of executable environment data in a computing system using hash outputs |
| CN117835240A (en) | A custom ROM identification method, device, electronic device and medium |
| KR102534012B1 (en) | System and method for authenticating security level of content provider |
| CN117370463A (en) | Block chain-based data storage method, device and storage medium |
| CN117596028A (en) | Identification method, identification device, electronic equipment and storage medium |
| CN118779924A (en) | Equipment safety assessment method, device, equipment and medium |
| CN113849802A (en) | Equipment authentication method and device, electronic equipment and storage medium |
| CN119622697B (en) | Terminal device verification method, device, electronic device and storage medium |
| CN113672994B (en) | Cooking equipment data management method, device and system based on blockchain |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |