CN110750781A - Method and device for application program safety control - Google Patents

Info

Publication number: CN110750781A
Authority: CN (China)
Prior art keywords: database, management platform, capabilities, centralized management, hash value
Legal status: Pending
Application number: CN201910991819.1A
Other languages: Chinese (zh)
Inventor: 徐冠群
Current Assignee: Suzhou Wave Intelligent Technology Co Ltd
Original Assignee: Suzhou Wave Intelligent Technology Co Ltd
Application filed by: Suzhou Wave Intelligent Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method and a device for application program security control. The method comprises the following steps: each client node identifies the locally installed application programs, calculates the hash value of each application program, stores the hash value in a local database and uploads it to the database of the centralized management platform; corresponding capabilities are allocated to all hash values in the database of the centralized management platform and/or the local database; in response to an application program running on the client node, the allocated capability is obtained from the local database or the database of the centralized management platform according to the hash value of the application program; the allocated capabilities are compared with the capabilities carried by the application; and in response to the allocated capabilities differing from the carried capabilities, the system API is called to overwrite the carried capabilities with the allocated capabilities and the application is run with the allocated capabilities. The method overcomes defects such as the complexity of the system's capability-setting commands and their unsuitability for batch management, and improves the security of the system.

Description

Method and device for application program safety control
Technical Field
The invention relates to the technical field of system security, and in particular to a method and a device for application program security control.
Background
In the traditional Linux privilege model, an application is executed either with root privileges or with ordinary user privileges. However, when an application is executed with root privileges, it obtains all root privileges, far more than it needs in order to run normally. The SUID mechanism that was introduced later does not fundamentally solve this problem; a program may still run with excessive privileges. When a program runs with excessive privileges, an attacker may attack the system through a system bug or the like, which creates a serious security risk.
Capabilities are a security feature provided by newer Linux kernels. After capabilities have been set on a program, the system reads the program's capabilities when it is executed, so that even when the program is executed by a non-root user, it holds the privileges corresponding to those capabilities.
The Linux system provides the setcap command to set the capabilities of a given application program, but the existing scheme has several defects:
(1) when the same program runs from different paths, its capabilities have to be set separately for each path;
(2) when the same program is executed on different computers, its capabilities have to be set separately on each of them, which is cumbersome when the number of computers is large;
(3) ordinary users often do not know which capabilities to set for a program; the newer Linux kernel provides 29 capabilities, which ordinary users and even administrators often find difficult to master;
(4) when the capabilities that have been set are too low and cause the program to malfunction, it is difficult to find out which capability is missing.
Therefore, building on the existing application security control methods, a more efficient and convenient capability-based method for application security control is needed, in particular one that provides optimized security control for the applications running on each node of a clustered system.
Disclosure of Invention
In one aspect, in view of the above object, the present invention provides a method for application security management and control, comprising the following steps:
each client node identifies the locally installed application programs, calculates the hash value of each application program, stores the hash value in a local database and uploads it to the database of the centralized management platform;
allocating corresponding capabilities to all hash values in the database of the centralized management platform and/or the local database;
in response to an application program running on the client node, obtaining the allocated capability from the local database or the database of the centralized management platform according to the hash value of the application program;
comparing the allocated capabilities with the capabilities carried by the application;
in response to the allocated capabilities differing from the carried capabilities, calling the system API to overwrite the carried capabilities with the allocated capabilities and running the application with the allocated capabilities.
In an embodiment of the method for application security management and control according to the invention, the method further comprises:
in response to a call request being intercepted because the capability required by the application program exceeds the allocated capability, recording the intercepted call in a local log and uploading the log to the centralized management platform to raise an alarm.
In an embodiment of the method for application security management and control according to the present invention, obtaining the allocated capability from the local database or the database of the centralized management platform according to the hash value of the application in response to the application running on the client node further comprises:
querying the local database according to the hash value of the application program to obtain a first capability;
in response to the first capability corresponding to the hash value in the local database being empty, querying the database of the centralized management platform according to the hash value of the application program to obtain a second capability, setting the first capability according to the second capability, and storing the first capability in the local database;
using the first capability as the allocated capability.
In an embodiment of the method for application security management and control of the present invention, allocating respective capabilities to all hash values in the database of the centralized management platform and/or the local database further comprises:
the centralized management platform initially assigning a preset capability to each hash value in its database.
In an embodiment of the method for application security management and control of the present invention, allocating respective capabilities to all hash values in the database of the centralized management platform and/or the local database further comprises:
a user modifying the allocated capability in the database of the centralized management platform through the visual Web interface of the centralized management platform, and the modification being synchronized to the corresponding local databases.
In another aspect, the invention also provides a device for application program security management and control, the device comprising:
at least one processor; and
a memory storing processor-executable program instructions that, when executed by the processor, perform the steps of:
each client node identifying the locally installed application programs, calculating the hash value of each application program, storing the hash value in a local database and uploading it to the database of the centralized management platform;
allocating corresponding capabilities to all hash values in the database of the centralized management platform and/or the local database;
in response to an application program running on the client node, obtaining the allocated capability from the local database or the database of the centralized management platform according to the hash value of the application program;
comparing the allocated capabilities with the capabilities carried by the application;
in response to the allocated capabilities differing from the carried capabilities, calling the system API to overwrite the carried capabilities with the allocated capabilities and running the application with the allocated capabilities.
In an embodiment of the device for application security management and control according to the invention, the program instructions, when executed by the processor, further perform the step of:
in response to a call request being intercepted because the capability required by the application program exceeds the allocated capability, recording the intercepted call in a local log and uploading the log to the centralized management platform to raise an alarm.
In an embodiment of the device for application security management and control according to the present invention, obtaining the allocated capability from the local database or the database of the centralized management platform according to the hash value of the application in response to the application running on the client node further comprises:
querying the local database according to the hash value of the application program to obtain a first capability;
in response to the first capability corresponding to the hash value in the local database being empty, querying the database of the centralized management platform according to the hash value of the application program to obtain a second capability, setting the first capability according to the second capability, and storing the first capability in the local database;
using the first capability as the allocated capability.
In an embodiment of the device for application security management and control according to the present invention, allocating respective capabilities to all hash values in the database of the centralized management platform and/or the local database further comprises:
the centralized management platform initially assigning a preset capability to each hash value in its database.
In an embodiment of the device for application security management and control according to the present invention, allocating respective capabilities to all hash values in the database of the centralized management platform and/or the local database further comprises:
a user modifying the allocated capability in the database of the centralized management platform through the visual Web interface of the centralized management platform, and the modification being synchronized to the corresponding local databases.
By adopting the above technical scheme, the invention has at least the following beneficial effects: it effectively supplements the system's traditional capability configuration and overcomes the defects that the system's capability-setting commands are cumbersome and unsuited to batch management in practice; control is based on the hash value, so the same capability setting applies to any program file with the same hash value regardless of its path, its name or the machine it resides on, which greatly improves usability; the allocated capability of an application program is compared with the capability it carries, and when the two do not match the application program is given the new capability by calling the system API, so that capability settings can be adjusted conveniently and specifically for different application programs; and a unified management method for capability settings is provided, so that the security management and control of application programs is carried out more effectively and the security of the system is improved.
The present invention provides aspects of embodiments, which should not be used to limit the scope of the present invention. Other embodiments are contemplated in accordance with the techniques described herein, as will be apparent to one of ordinary skill in the art upon study of the following figures and detailed description, and are intended to be included within the scope of the present application.
Embodiments of the invention are explained and described in more detail below with reference to the drawings, but they should not be construed as limiting the invention.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are required to be used in the description of the prior art and the embodiments will be briefly described below, parts in the drawings are not necessarily drawn to scale, and related elements may be omitted, or in some cases the scale may have been exaggerated in order to emphasize and clearly show the novel features described herein. In addition, the structural order may be arranged differently, as is known in the art.
Fig. 1 shows a schematic block diagram of an embodiment of a method of application security management according to the present invention.
Detailed Description
While the present invention may be embodied in various forms, there is shown in the drawings and will hereinafter be described some exemplary and non-limiting embodiments, with the understanding that the present disclosure is to be considered an exemplification of the invention and is not intended to limit the invention to the specific embodiments illustrated.
Fig. 1 shows a schematic block diagram of an embodiment of a method of application security management according to the present invention. In the embodiment shown in the figure, the method comprises at least the following steps:
S1: each client node identifies the locally installed application programs, calculates the hash value of each application program, stores the hash value in a local database and uploads it to the database of the centralized management platform;
S2: allocating corresponding capabilities to all hash values in the database of the centralized management platform and/or the local database;
S3: in response to an application program running on the client node, obtaining the allocated capability from the local database or the database of the centralized management platform according to the hash value of the application program;
S4: comparing the allocated capabilities with the capabilities carried by the application;
S5: in response to the allocated capabilities differing from the carried capabilities, calling the system API to overwrite the carried capabilities with the allocated capabilities and running the application with the allocated capabilities.
In order to overcome the disadvantages of the prior art, the invention provides a capability-based application security management method for a cluster environment. It is based on a clustered security management system comprising at least one centralized management platform and a plurality of clients. The centralized management platform is deployed independently, a client is deployed on each protected computer, and the components communicate with each other over a network. Further, the centralized management platform provides a management function in the form of Web pages and a database storage function; during deployment the client must be given the IP address of the centralized management platform, and after successful deployment it automatically registers with the centralized management platform.
On the basis of the centralized management platform and the clients, in step S1 each client node identifies the locally installed application programs, calculates the hash value of each application program, stores the hash value in the local database and uploads it to the database of the centralized management platform. That is, after the client has been installed successfully, it automatically scans all application files on the local node, calculates the hash value (for example the SHA1 value) of each application file, uploads the hash values to the centralized management platform and also keeps a copy locally. It should be noted that, within the scope of the present invention, the criterion for deciding that two applications are the same is the SHA1 hash value of the application file: for example, if two application files on different nodes, and/or in different paths on the same node, have the same hash value, they are considered the same application and can share the same capability. The centralized management platform receives the hash values of all program files uploaded by all clients and stores them in its database. Then, in step S2, corresponding capabilities are allocated to all hash values in the database of the centralized management platform and in the local databases. That is, in addition to the SHA1 value, the database holds the capabilities that the program with that SHA1 value should have. The capability can be allocated according to the factory default of the system, or configured by the user.
After the capabilities of the hash values have been configured, when an application program runs on the client node, step S3 obtains the allocated capability from the local database or the database of the centralized management platform according to the hash value of the application program. That is, when an application program runs, the client recognizes that it is running, calculates the hash value of the running application program, matches that hash value against the hash values in the database and, if a database record matches, reads the capability field of the record as the capability allocated to the application program. Then step S4 compares the allocated capability with the capability carried by the application, and if the two differ, step S5 calls the system API to overwrite the carried capability with the allocated capability and runs the application with the allocated capability. That is, if the capability field in the database is inconsistent with the capability actually carried by the local application file, the system API is called to overwrite the capability carried by the local application file with the capability field from the database, and the application program then continues to run with the overwritten capability.
In addition, if no matching hash value can be found in either the local database or the database of the centralized management platform, or a matching hash value is found but no capability has been allocated in the matching database record, no operation is performed and the application program continues to run. In this case the security management method according to the invention does not intervene in the running of the application at all.
Moreover, configuring capabilities is in fact optional: a user can select a subset of the applications and configure capabilities for them as needed, and only the configured applications are controlled.
Further embodiments of the present invention are described below. It should be noted that the numbering of the steps mentioned therein serves only to identify the steps unambiguously and, unless specifically indicated, does not limit the order of the steps described.
In a further embodiment of the method for application security management and control of the present invention, the method further comprises:
S6: in response to a call request being intercepted because the capability required by the application program exceeds the allocated capability, recording the intercepted call in a local log and uploading the log to the centralized management platform to raise an alarm.
Since the capabilities that an application program follows in the foregoing embodiments are configured, there may be cases where the capabilities the application program actually needs in order to perform its functions differ from those allocated to it, for example because a user who does not understand how the application program works has assigned unsuitable capabilities, or because the application program has been exploited by a hacker and contains malicious code. The present invention therefore proposes a monitoring policy for this situation: in step S6, if a call request is intercepted because the capability required by the application exceeds the capability it follows, the intercepted call is recorded in a local log and the log is uploaded to the centralized management platform to raise an alarm. The client monitors the calls made by the application program while it runs, and when it finds that a call by the application program exceeds what its capabilities permit and has been rejected by the system, it records the intercepted call in a log and uploads the log to the centralized management platform. From the log, the user or the operation and maintenance personnel can analyse whether the capability configuration of the application is below its requirements, or whether the program contains malicious code or has been exploited by a hacker. To support this, the centralized management platform is preset at the factory with a database that stores all system API calls and their corresponding capability requirements, so that it can give the user reasonable prompts and suggestions when the behaviour of a program is intercepted, for example: "Program a1 calls the system API: apiSample() is intercepted, the required capability of the API is C1."
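The alarm path of step S6 turned into code, as an added example that is not part of the patent: it parses a constructed intercept log, looks each rejected system API up in a small stand-in for the platform's preset API-to-capability table, and produces the prompt in the form quoted above together with a hint on whether the allocation was too low. The log format, the API names in the table and the program-keyed allocation are assumptions (a real deployment keys allocations by hash).

```python
import re
from typing import Dict, List, Optional, Set

# Constructed excerpt of the preset table the platform ships with (system API ->
# capability it needs); the call names and entries are assumptions for this example.
API_CAPABILITY: Dict[str, str] = {
    "bind(port<1024)": "cap_net_bind_service",
    "socket(SOCK_RAW)": "cap_net_raw",
    "mount()": "cap_sys_admin",
    "chown()": "cap_chown",
}

# Constructed local agent log: one line per call the kernel rejected with EPERM.
INTERCEPT_LOG = """\
2019-10-17T10:00:01 node7 EPERM program=a1 api=bind(port<1024)
2019-10-17T10:00:02 node7 EPERM program=a1 api=socket(SOCK_RAW)
2019-10-17T10:00:05 node7 EPERM program=a2 api=mount()
2019-10-17T10:00:06 node7 EPERM program=a2 api=chown()
2019-10-17T10:00:07 node7 EPERM program=a3 api=frobnicate()
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<node>\S+) EPERM program=(?P<prog>\S+) api=(?P<api>\S+)$")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the agent's intercept log; lines that do not match the format are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def analyse(events: List[Dict[str, str]],
            allocated: Dict[str, Set[str]]) -> List[Dict[str, Optional[str]]]:
    """For each intercepted call, name the capability the API needs (the hint the
    platform shows the user) and relate it to what was allocated to the program."""
    alerts: List[Dict[str, Optional[str]]] = []
    for ev in events:
        required = API_CAPABILITY.get(ev["api"])
        granted = allocated.get(ev["prog"], set())
        if required is None:
            verdict = "unknown API: no capability hint available, review manually"
        elif required in granted:
            verdict = ("allocated but still rejected: check that the allocation was "
                       "actually applied to the file the program ran from")
        else:
            verdict = ("not allocated: raise the allocation if this call is part of the "
                       "program's normal function, otherwise treat the program as suspect")
        alerts.append({
            "time": ev["ts"], "node": ev["node"], "program": ev["prog"],
            "required": required,
            "message": (f"Program {ev['prog']} calls the system API: {ev['api']} is "
                        f"intercepted, the required capability of the API is "
                        f"{required or 'unknown'}"),
            "verdict": verdict,
        })
    return alerts


def missing_by_program(alerts: List[Dict[str, Optional[str]]]) -> Dict[str, Set[str]]:
    """Distinct capabilities each program needed but was not allocated; this is what
    the operator inspects to decide between a too-low allocation and misuse."""
    out: Dict[str, Set[str]] = {}
    for a in alerts:
        if a["required"] and str(a["verdict"]).startswith("not allocated"):
            out.setdefault(str(a["program"]), set()).add(str(a["required"]))
    return out


if __name__ == "__main__":
    found = analyse(parse_log(INTERCEPT_LOG), {"a1": {"cap_net_bind_service"}, "a2": set()})
    for a in found:
        print(a["message"], "->", a["verdict"])
    print(missing_by_program(found))
```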
In one or more embodiments of the method for application security management and control of the present invention, step S3, obtaining the allocated capability from the local database or the database of the centralized management platform according to the hash value of the application in response to the application running on the client node, further comprises:
S31: querying the local database according to the hash value of the application program to obtain a first capability;
S32: in response to the first capability corresponding to the hash value in the local database being empty, querying the database of the centralized management platform according to the hash value of the application program to obtain a second capability, setting the first capability according to the second capability, and storing the first capability in the local database;
S33: using the first capability as the allocated capability.
In order to obtain the capabilities assigned to an application program on the basis of its hash value, in these embodiments step S31 first queries the local database for the first capability according to the hash value of the application program. If the first capability corresponding to the hash value in the local database is empty, that is, the local database has no relevant record, step S32 queries the database of the centralized management platform according to the hash value of the application program to obtain a second capability, sets the first capability according to the second capability, and stores the first capability so set in the local database. Finally, whether it was obtained directly from the local database or obtained from the database of the centralized management platform and set, step S33 uses the first capability as the allocated capability. In other words, in these embodiments the capability configuration of the local database is obtained from the centralized management platform when the application is first run, and subsequent runs of the application obtain the allocated capability directly from the local database. Note that in these embodiments the second capability is non-empty; if the second capability is also empty, no security restriction is considered to have been configured for the application.
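The client-side flow of steps S1 to S5, including the two-level lookup of steps S31 to S33 and the no-operation cases described above, as an added example that is not part of the patent. An in-memory SQLite table stands in for the local database and a dictionary for the platform database, the sample program bytes are constructed, and the actual override (libcap's cap_set_file, which setcap uses) is reported as an action rather than performed.

```python
import hashlib
import sqlite3
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed sample programs (not from the patent): the same bytes installed at two
# paths share one SHA1 and therefore, under this scheme, one capability allocation.
NETSVC_BYTES = b"#!/bin/sh\necho netsvc\n"
OTHER_BYTES = b"#!/bin/sh\necho other\n"
INSTALLED = {"/usr/local/bin/netsvc": NETSVC_BYTES, "/opt/tools/netsvc": NETSVC_BYTES,
             "/usr/bin/other": OTHER_BYTES}


def sha1_of(data: bytes) -> str:
    """The identity of an application is the SHA1 of its file contents (step S1)."""
    return hashlib.sha1(data).hexdigest()


def parse_caps(text: str) -> FrozenSet[Tuple[str, str]]:
    """Normalise a libcap-style string such as 'cap_net_raw,cap_net_bind_service=ep'
    into (capability, flags) pairs so that ordering does not affect the comparison."""
    pairs = set()
    for clause in text.split():
        names, _, flags = clause.partition("=")
        for name in names.split(","):
            if name:
                pairs.add((name.lower(), "".join(sorted(flags))))
    return frozenset(pairs)


class Platform:
    """Stand-in for the centralized management platform database: sha1 -> capability."""
    def __init__(self) -> None:
        self.db: Dict[str, Optional[str]] = {}
        self.nodes = []  # registered clients, so that edits can be pushed to them

    def register(self, node: "ClientNode", sha1: str) -> None:
        if node not in self.nodes:
            self.nodes.append(node)
        self.db.setdefault(sha1, None)  # None: nothing configured (S21 would preset one)

    def assign(self, sha1: str, caps: str) -> None:
        """S22: an administrator edits the allocation; it is synced to every local DB."""
        self.db[sha1] = caps
        for node in self.nodes:
            node.cache(sha1, caps)


class ClientNode:
    def __init__(self, platform: Platform) -> None:
        self.platform = platform
        self.local = sqlite3.connect(":memory:")
        self.local.execute("CREATE TABLE apps (sha1 TEXT PRIMARY KEY, caps TEXT)")

    def scan(self, files: Dict[str, bytes]) -> None:
        """S1: hash every installed program, keep a local copy, upload to the platform."""
        for data in files.values():
            digest = sha1_of(data)
            self.local.execute("INSERT OR IGNORE INTO apps VALUES (?, NULL)", (digest,))
            self.platform.register(self, digest)

    def cache(self, sha1: str, caps: str) -> None:
        self.local.execute("INSERT OR REPLACE INTO apps VALUES (?, ?)", (sha1, caps))

    def allocated_caps(self, sha1: str) -> Tuple[Optional[str], str]:
        """S31-S33: local database first, then the platform; returns (caps, source)."""
        row = self.local.execute("SELECT caps FROM apps WHERE sha1 = ?", (sha1,)).fetchone()
        if row and row[0] is not None:
            return row[0], "local"
        second = self.platform.db.get(sha1)
        if second is None:  # unknown hash or nothing configured: no intervention
            return None, "none"
        self.cache(sha1, second)  # S32: set the first capability from the second, store it
        return second, "platform"

    def on_exec(self, data: bytes, carried: str) -> Tuple[str, str]:
        """S3-S5: returns (action, capability string the program runs with). A real
        agent would apply 'override' with libcap's cap_set_file(), as setcap does."""
        allocated, _ = self.allocated_caps(sha1_of(data))
        if allocated is None:
            return "no-op", carried
        if parse_caps(allocated) == parse_caps(carried):
            return "unchanged", carried
        return "override", allocated


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    platform = Platform()
    node_a = ClientNode(platform)
    node_a.scan(INSTALLED)
    # least-privilege allocation for netsvc by hash, pushed to node A's local database
    platform.assign(sha1_of(NETSVC_BYTES), "cap_net_bind_service=ep")
    # node B joins later with no local allocation: its first run falls back to the
    # platform (S32) and caches the answer, the next lookup is served locally (S33)
    node_b = ClientNode(platform)
    node_b.scan({"/opt/tools/netsvc": NETSVC_BYTES})
    return {
        "a_over": node_a.on_exec(NETSVC_BYTES, "cap_net_raw,cap_net_bind_service=ep"),
        "a_same": node_a.on_exec(NETSVC_BYTES, "cap_net_bind_service=ep"),
        "a_noop": node_a.on_exec(OTHER_BYTES, ""),
        "b_first": node_b.on_exec(NETSVC_BYTES, ""),
        "b_again": node_b.allocated_caps(sha1_of(NETSVC_BYTES)),
    }
```

Calling demo() runs the whole scenario; the "b_first" and "b_again" entries show the platform fallback followed by the local hit.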
In some embodiments of the method for application security management and control of the present invention, step S2, allocating corresponding capabilities to all hash values in the database of the centralized management platform and/or the local database, further comprises:
S21: the centralized management platform initially assigns a preset capability to each hash value in its database.
For the convenience of the user, in some embodiments the centralized management platform records conventional capability allocation suggestions for different applications, and therefore in step S21 it initially allocates preset capabilities to the hash values in its database. Furthermore, when connected to the Internet, the centralized management platform can download recommended capability configurations for various application programs from a specific server for the user's reference.
In several embodiments of the method for application security management and control of the present invention, step S2, allocating corresponding capabilities to all hash values in the database of the centralized management platform and/or the local database, further comprises:
S22: a user modifies the allocated capability in the database of the centralized management platform through the visual Web interface of the centralized management platform, and the modification is synchronized to the corresponding local databases.
The centralized management platform provides a visual Web page that lets users configure the capabilities of different application programs more conveniently and quickly. Therefore, in these embodiments, in step S22 the user modifies the capabilities allocated in the database of the centralized management platform through its visual Web interface, and the modifications are synchronized to the corresponding local databases to ensure data consistency between the local databases and the centralized management platform.
On the other hand, the invention also provides a device for application program security management and control, wherein the device comprises: at least one processor; and a memory storing processor-executable program instructions that, when executed by the processor, perform the steps of:
s1: each client node identifies a locally installed application program, calculates the hash value of the application program, stores the hash value into a local database and uploads the hash value to a database of the centralized management platform;
s2: distributing corresponding capacity to all hash values in a database and/or a local database of the centralized management platform;
s3: responding to the application program running on the client node, and acquiring the distributed capacity from the local database or the database of the centralized management platform according to the hash value of the application program;
s4: comparing the allocated capabilities with capabilities carried by the application;
s5: in response to the assigned capabilities being different from the carried capabilities, the system API is called to override the carried capabilities with the assigned capabilities and the application is run in compliance with the assigned capabilities.
In a further embodiment of the apparatus for application program security management and control of the present invention, the program instructions, when executed by the processor, further perform the following step:
S6: in response to a call request being intercepted because the capability required by the application program exceeds the allocated capabilities, recording the intercepted call in a local log and uploading the log to the centralized management platform so that an alarm is raised.
In one or more embodiments of the apparatus for application program security management and control of the present invention, step S3, obtaining the allocated capabilities from the local database or the database of the centralized management platform according to the hash value of the application program in response to the application program running on the client node, further includes:
S31: querying the local database according to the hash value of the application program to obtain a first capability;
S32: in response to the first capability corresponding to the hash value in the local database being empty, querying the database of the centralized management platform according to the hash value of the application program to obtain a second capability, setting the first capability according to the second capability, and storing the first capability in the local database;
S33: taking the first capability as the allocated capability.
In some embodiments of the apparatus for application program security management and control of the present invention, step S2, assigning corresponding capabilities to all hash values in the database of the centralized management platform and/or the local database, further includes:
S21: the centralized management platform initially assigns a preset capability to each hash value in the database of the centralized management platform.
In several embodiments of the apparatus for application program security management and control of the present invention, step S2, assigning corresponding capabilities to all hash values in the database of the centralized management platform and/or the local database, further includes:
S22: a user modifies the allocated capabilities in the database of the centralized management platform through the visual Web interface of the centralized management platform, and the modification is synchronized to the corresponding local database.
The devices and apparatuses disclosed in the embodiments of the present invention may be various electronic terminal apparatuses, such as a mobile phone, a Personal Digital Assistant (PDA), a tablet computer (PAD), a smart television, and the like, or may be a large terminal apparatus, such as a server, and therefore the scope of protection disclosed in the embodiments of the present invention should not be limited to a specific type of device and apparatus. The client disclosed in the embodiment of the present invention may be applied to any one of the above electronic terminal devices in the form of electronic hardware, computer software, or a combination of both.
The computer-readable storage media (e.g., memory) described herein may be volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. By way of example, and not limitation, nonvolatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM), which can act as external cache memory. By way of example and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to comprise, without being limited to, these and other suitable types of memory.
By adopting the above technical solution, the invention has at least the following beneficial effects: it effectively supplements the traditional system capability configuration and overcomes the drawback that the system's capability-setting function relies on cumbersome commands and is poorly suited to batch management in practice; control is based on the hash value, so that a program with the same hash value receives the same capability setting regardless of its path, its name and the machine on which it resides, which greatly improves usability; the allocated capabilities of the application program are compared with the capabilities it carries, and when the two do not match, new capabilities are conferred on the application program by calling the system API, so that the capability settings of different application programs can be adjusted conveniently and in a targeted manner; and a unified management method for capability settings is provided, so that application programs can be controlled more effectively and the security of the system is improved.
It is to be understood that the features listed above for the different embodiments may be combined with each other to form further embodiments within the scope of the invention, where technically feasible. Furthermore, the specific examples and embodiments described herein are non-limiting, and various modifications of the structure, steps and sequence set forth above may be made without departing from the scope of the invention.
In this application, the use of the disjunctive is intended to include the conjunctive. The use of definite or indefinite articles is not intended to indicate cardinality. In particular, a reference to "the" object or "a" or "an" object is intended to denote one of a possible plurality of such objects. However, although elements of the disclosed embodiments of the invention may be described or claimed in the singular, the plural is contemplated unless limitation to the singular is explicitly stated. Furthermore, the conjunction "or" may be used to convey features that are present simultaneously rather than mutually exclusive alternatives. In other words, the conjunction "or" should be understood to include "and/or". The term "comprising" is inclusive and has the same scope as "including".
The above-described embodiments, particularly any "preferred" embodiments, are possible examples of implementations, and are presented merely for a clear understanding of the principles of the invention. Many variations and modifications may be made to the above-described embodiments without departing substantially from the spirit and principles of the technology described herein. All such modifications are intended to be included within the scope of this disclosure.

Claims (10)

1. A method for application security management, the method comprising:
each client node identifies a locally installed application program, calculates a hash value of the application program, stores the hash value in a local database and uploads the hash value to a database of a centralized management platform;
assigning corresponding capabilities to all hash values in the database of the centralized management platform and/or the local database;
in response to the application program running on the client node, obtaining the allocated capabilities from the local database or the database of the centralized management platform according to the hash value of the application program;
comparing the allocated capabilities with the capabilities carried by the application program;
in response to the allocated capabilities differing from the carried capabilities, calling a system API to override the carried capabilities with the allocated capabilities, and running the application program with the allocated capabilities.
2. The method of claim 1, further comprising:
in response to the application program requiring capabilities exceeding the allocated capabilities, intercepting the call request, recording the intercepted call in a local log, and uploading the log to the centralized management platform to raise an alarm.
3. The method of claim 1, wherein obtaining the allocated capabilities from the local database or the database of the centralized management platform according to the hash value of the application program in response to the application program running on the client node further comprises:
querying the local database according to the hash value of the application program to obtain a first capability;
in response to the first capability corresponding to the hash value in the local database being empty, querying the database of the centralized management platform according to the hash value of the application program to obtain a second capability, setting the first capability according to the second capability, and storing the first capability in the local database;
taking the first capability as the allocated capability.
4. The method of claim 1, wherein assigning corresponding capabilities to all hash values in the database of the centralized management platform and/or the local database further comprises:
the centralized management platform initially assigning a preset capability to each hash value in the database of the centralized management platform.
5. The method of claim 1, wherein assigning corresponding capabilities to all hash values in the database of the centralized management platform and/or the local database further comprises:
a user modifying the allocated capabilities in the database of the centralized management platform through a visual Web interface of the centralized management platform, and synchronizing the modification to the corresponding local database.
6. An apparatus for application security management, the apparatus comprising:
at least one processor; and
a memory storing processor-executable program instructions that, when executed by the processor, perform the steps of:
each client node identifies a locally installed application program, calculates a hash value of the application program, stores the hash value in a local database and uploads the hash value to a database of a centralized management platform;
assigning corresponding capabilities to all hash values in the database of the centralized management platform and/or the local database;
in response to the application program running on the client node, obtaining the allocated capabilities from the local database or the database of the centralized management platform according to the hash value of the application program;
comparing the allocated capabilities with the capabilities carried by the application program;
in response to the allocated capabilities differing from the carried capabilities, calling a system API to override the carried capabilities with the allocated capabilities, and running the application program with the allocated capabilities.
7. The apparatus of claim 6, wherein the program instructions, when executed by the processor, further perform the steps of:
in response to the application program requiring capabilities exceeding the allocated capabilities, intercepting the call request, recording the intercepted call in a local log, and uploading the log to the centralized management platform to raise an alarm.
8. The apparatus of claim 6, wherein obtaining the allocated capabilities from the local database or the database of the centralized management platform according to the hash value of the application program in response to the application program running on the client node further comprises:
querying the local database according to the hash value of the application program to obtain a first capability;
in response to the first capability corresponding to the hash value in the local database being empty, querying the database of the centralized management platform according to the hash value of the application program to obtain a second capability, setting the first capability according to the second capability, and storing the first capability in the local database;
taking the first capability as the allocated capability.
9. The apparatus of claim 6, wherein assigning corresponding capabilities to all hash values in the database of the centralized management platform and/or the local database further comprises:
the centralized management platform initially assigning a preset capability to each hash value in the database of the centralized management platform.
10. The apparatus of claim 6, wherein assigning corresponding capabilities to all hash values in the database of the centralized management platform and/or the local database further comprises:
a user modifying the allocated capabilities in the database of the centralized management platform through a visual Web interface of the centralized management platform, and synchronizing the modification to the corresponding local database.
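The procedure of steps S1 to S6, S21, S22 and S31 to S33 in the description, which claims 1 to 10 above restate, worked through as an added Python example; this is illustration written for this page, not code from the patent or from its applicant. It assumes that the capabilities "carried by the application" are Linux file capabilities in the syntax that getcap prints, that the "system API" used to override them is libcap's setcap (the block only builds the argument vector and does not execute it, since writing file capabilities needs privilege), that the hash of S1 is SHA-256 of the file contents, that the preset of S21 is "no capabilities", and that the local and central databases are in-memory dictionaries. The sample binary, node names, capability names and the policy change in demo() are constructed.

```python
import hashlib
import tempfile
import time

# Capability names in the spelling getcap/setcap use (a subset, enough for the example).
KNOWN_CAPS = {"cap_chown", "cap_net_admin", "cap_net_bind_service", "cap_net_raw", "cap_sys_admin"}
PRESET_CAPS = frozenset()  # S21 preset (assumption): no capabilities, i.e. default deny

def hash_binary(path):
    """S1: hash the executable's bytes (SHA-256 is an assumption; the text names no algorithm)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def parse_caps(text):
    """getcap-style string ('cap_net_bind_service,cap_net_raw=ep') -> set of names ('' -> empty set)."""
    names = text.strip().partition("=")[0]
    caps = frozenset(n.strip().lower() for n in names.split(",") if n.strip())
    if caps - KNOWN_CAPS:
        raise ValueError("unknown capability names: %s" % sorted(caps - KNOWN_CAPS))
    return caps

def setcap_argv(path, caps):
    """setcap argv that makes the file carry exactly `caps` (e+p); empty set -> 'setcap -r' (clear xattr)."""
    return ["setcap", "-r", path] if not caps else ["setcap", ",".join(sorted(caps)) + "=ep", path]

class CentralPlatform:
    def __init__(self):
        self.db = {}           # hash -> frozenset of capability names
        self.subscribers = {}  # hash -> client nodes that uploaded it (for the S22 sync)
        self.alerts = []       # S6: uploaded interception records raise alarms here

    def upload(self, digest, node):
        """S1 upload; S21 assigns the preset the first time a hash is seen."""
        self.db.setdefault(digest, PRESET_CAPS)
        self.subscribers.setdefault(digest, set()).add(node)

    def modify(self, digest, caps):
        """S22: an administrator changes the allocation (Web UI in the text); push it to each local database."""
        self.db[digest] = frozenset(caps)
        for node in self.subscribers.get(digest, ()):
            node.local_db[digest] = self.db[digest]

class ClientNode:
    def __init__(self, name, platform):
        self.name, self.platform = name, platform
        self.local_db = {}  # hash -> frozenset, or None while the hash is known but unallocated
        self.log = []

    def enroll(self, path):
        """S1: identify an installed program, store its hash locally and upload it."""
        digest = hash_binary(path)
        self.local_db.setdefault(digest, None)
        self.platform.upload(digest, self)
        return digest

    def allocated_caps(self, digest):
        """S31-S33: local database first; if empty, query the platform and cache the answer."""
        first = self.local_db.get(digest)
        if first is None:
            second = self.platform.db.get(digest)
            first = PRESET_CAPS if second is None else second  # unknown everywhere: default deny
            self.local_db[digest] = first
        return first

    def prepare_run(self, path, carried_caps_text):
        """S3-S5: compare allocated with carried; when they differ, return the overriding setcap call."""
        digest = hash_binary(path)
        allocated = self.allocated_caps(digest)
        override = None if allocated == parse_caps(carried_caps_text) else setcap_argv(path, allocated)
        return digest, allocated, override

    def on_call(self, digest, program, required_caps):
        """S6: a call that needs more than the allocated set is intercepted, logged and uploaded."""
        excess = frozenset(required_caps) - self.allocated_caps(digest)
        if not excess:
            return None
        record = {"ts": time.time(), "node": self.name, "program": program,
                  "hash": digest, "denied": sorted(excess)}
        self.log.append(record)
        self.platform.alerts.append(record)
        return record

def demo():
    """Constructed walk-through: two nodes, one sample binary, one policy change."""
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as f:
        f.write(b"\x7fELF constructed sample, not a real executable\n")
        path = f.name
    platform = CentralPlatform()
    node_a, node_b = ClientNode("node-a", platform), ClientNode("node-b", platform)
    digest = node_a.enroll(path)
    node_b.enroll(path)
    # The binary ships with cap_net_raw but the preset allocation is empty: setcap -r.
    _, _, first = node_a.prepare_run(path, "cap_net_raw=ep")
    # An administrator grants cap_net_bind_service; both local databases are updated by the sync.
    platform.modify(digest, {"cap_net_bind_service"})
    _, _, second = node_b.prepare_run(path, "")
    # At run time the program asks for cap_sys_admin, which exceeds the allocation.
    alarm = node_b.on_call(digest, path, {"cap_net_bind_service", "cap_sys_admin"})
    return {"digest": digest, "first": first, "second": second, "alarm": alarm, "alerts": len(platform.alerts)}
```

Two points the text leaves open are worth noting. setcap writes the security.capability extended attribute rather than the file contents, so the override of S5 does not change the hash of S1 and the policy stays keyed to the same digest. The local database of S31 is trusted as found, so anyone who can write to it, or to the synchronization channel of S22, can grant capabilities; integrity protection of that database is therefore part of the design. The on_call method only marks where the interception of S6 happens: on Linux a failed capability check surfaces to the calling process as EPERM, so a real deployment needs an audit, LSM or seccomp-style hook to observe it, which the page does not specify.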
CN201910991819.1A 2019-10-18 2019-10-18 Method and device for application program safety control Pending CN110750781A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910991819.1A CN110750781A (en) 2019-10-18 2019-10-18 Method and device for application program safety control

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910991819.1A CN110750781A (en) 2019-10-18 2019-10-18 Method and device for application program safety control

Publications (1)

Publication Number Publication Date
CN110750781A true CN110750781A (en) 2020-02-04

Family

ID=69278861

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910991819.1A Pending CN110750781A (en) 2019-10-18 2019-10-18 Method and device for application program safety control

Country Status (1)

Country Link
CN (1) CN110750781A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104462961A (en) * 2014-12-24 2015-03-25 北京奇虎科技有限公司 Mobile terminal and privacy permission optimizing method thereof
CN104484594A (en) * 2014-11-06 2015-04-01 中国科学院信息工程研究所 Linux system privilege distribution method based on capability mechanism
CN105653960A (en) * 2015-12-31 2016-06-08 北京元心科技有限公司 Linux capability distribution method and device
CN107871077A (en) * 2016-09-27 2018-04-03 阿里巴巴集团控股有限公司 Powers and functions management method, powers and functions management method and device for system service
EP3435601A1 (en) * 2017-07-25 2019-01-30 INFOCERT S.p.A. Certified messaging system, method and service

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
黄福玉: "《移动政务》", 28 February 2017 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200204