CN113225344B - Access control method, device, equipment and readable storage medium - Google Patents
Access control method, device, equipment and readable storage medium Download PDFInfo
- Publication number
- CN113225344B CN113225344B CN202110506793.4A CN202110506793A CN113225344B CN 113225344 B CN113225344 B CN 113225344B CN 202110506793 A CN202110506793 A CN 202110506793A CN 113225344 B CN113225344 B CN 113225344B
- Authority
- CN
- China
- Prior art keywords
- network
- authority
- application program
- protocol stack
- access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application discloses an access control method, an access control device, an access control equipment and a readable storage medium, wherein the method comprises the following steps: receiving a network access request sent by an application program; if the application program has the second authority, the network access request is sent to the network protocol stack with the first authority; judging whether the application program has network access authority or not by utilizing a network protocol stack; the first authority and the second authority are non-root mode authorities corresponding to hardware virtualization, and the first authority is higher than the second authority; if so, the application is allowed to access the network. The network protocol stack is isolated from the application program by using the hardware virtualization technology, so that the privilege level of the operation of the network protocol stack is higher than that of the application program, and the reliability and the safety of the network system are improved by using the control capability of the high privilege level on the access of the low privilege level resources.
Description
Technical Field
The present application relates to the field of security assurance technologies, and in particular, to an access control method, apparatus, device, and readable storage medium.
Background
At present, a method for realizing a high-performance (high throughput and low delay) network system is to bypass a kernel and directly construct a protocol stack in a user mode to process a network data message.
Specifically, the kernel is bypassed, the network data message is processed in the user mode, the physical network card is taken over in the user mode, and a network protocol stack is built for data message processing. The network protocol stack can realize high-performance network data packet processing by taking over the physical network card by bypassing the kernel, but the problems of reliability and safety can be caused by the separation of the protection of a kernel resource management mechanism. That is, after bypassing the kernel, the network system is no longer protected by the kernel resource management mechanism, the application program and the network protocol stack are located in the same memory address space, and bug (bug) of the application program easily causes crash of the entire network protocol stack.
In summary, how to effectively make the network protocol stack safe and reliable is a technical problem that needs to be solved by those skilled in the art.
Disclosure of Invention
The application aims to provide an access control method, a system, equipment and a readable storage medium, wherein a network protocol stack and an application program thereof are subjected to authority isolation by using a hardware virtualization technology, so that the operating privilege level of the network protocol stack is higher than that of the application program, and the reliability and the safety of a network system are improved by using the control capability of a high privilege level on low privilege level resource access.
In order to solve the technical problem, the application provides the following technical scheme:
in a first aspect, the present application provides an access control method, including:
receiving a network access request sent by an application program;
if the application program has a second authority, the network access request is sent to a network protocol stack with a first authority;
judging whether the application program has network access authority or not by utilizing the network protocol stack; the first permission and the second permission are non-root mode permissions corresponding to hardware virtualization, and the first permission is higher than the second permission;
if so, the application is allowed to access the network.
In an optional implementation manner, the receiving a network access request sent by an application program includes:
and receiving the network access request sent by each application program after the application program uses different network protocol stack instances to process the network data packet.
In an optional implementation manner, the receiving a network access request sent by an application program includes:
receiving the network access request generated by the application program and forwarded through a user mode network service interface; the user mode web service interface has the second authority.
In an alternative embodiment, allowing the application to access a network comprises:
and forwarding the network access request to a network card by utilizing the network protocol stack so as to enable the application program to access the network.
In an alternative embodiment, the method further comprises:
receiving an access request sent by the application program; wherein the access request is not the network access request;
and forwarding the access request to a Linux kernel.
In an optional embodiment, forwarding the access request to a Linux kernel includes:
switching the authority of the network protocol stack by using a hardware virtualization management module;
and after the network protocol stack has no first authority, forwarding the access request to the Linux kernel.
In an optional implementation manner, the hardware virtualization management module corresponds to an Intel VT, and the hardware virtualization management module has a highest root mode privilege, and before the receiving a network access request sent by an application program, the method further includes:
the hardware virtualization management module is utilized to endow the first authority to the network protocol stack and endow the second authority to an application program to be subjected to resource management by the network protocol stack;
the first authority corresponds to a non-root mode privilege level 0, and the second authority corresponds to a non-root mode privilege level 3.
In a second aspect, the present application provides an access control apparatus comprising:
the request receiving module is used for receiving a network access request sent by an application program;
the request forwarding module is used for sending the network access request to a network protocol stack with a first authority if the application program has a second authority;
the authority determining module is used for judging whether the application program has network access authority or not by utilizing the network protocol stack; the first authority and the second authority are non-root mode authorities corresponding to hardware virtualization, and the first authority is higher than the second authority;
and the access permission module is used for allowing the application program to access the network if the application program has the network access authority.
In a third aspect, the present application provides an electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the above access control method when executing the computer program.
In a fourth aspect, the present application provides a readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the above-described access control method.
By applying the method provided by the embodiment of the application, the network access request sent by the application program is received; if the application program has the second authority, the network access request is sent to the network protocol stack with the first authority; judging whether the application program has network access authority or not by utilizing a network protocol stack; the first authority and the second authority are non-root mode authorities corresponding to hardware virtualization, and the first authority is higher than the second authority; if so, the application is allowed to access the network.
After receiving the network access request, it may be determined whether the application sending the network access request has the second permission, and if so, it indicates that the network protocol stack may manage and control the resource access of the application. Therefore, the network protocol stack can be used for judging that the application program has the network access authority, so that the access of the application program to the network is controlled, namely the application program is allowed to access the network if the network access authority exists, and the application program is forbidden to access the network if the network access authority does not exist. The method has the advantages that the authority isolation is carried out on the network protocol stack and the application program of the network protocol stack by using a hardware virtualization technology, so that the privilege level of the operation of the network protocol stack is higher than that of the application program, and the reliability and the safety of a network system are improved by using the control capability of the high privilege level on the access of low privilege level resources.
That is, through the hardware virtualization technology, the network protocol stack can have a first authority in the non-root mode authorities corresponding to the hardware virtualization; the application program which needs to be managed by the network protocol stack can have a second authority in the non-root mode authorities corresponding to the hardware virtualization through a hardware virtualization technology; because the first authority is higher than the second authority, the network protocol stack can perform access control on the application program with the second authority, so that the application program is controlled, the safety and the reliability of the network protocol stack are guaranteed, and the stability of a network system is further guaranteed.
Accordingly, embodiments of the present application further provide an access control apparatus, a device, and a readable storage medium corresponding to the access control method, which have the above technical effects and are not described herein again.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments or related technologies of the present application, the drawings needed to be used in the description of the embodiments or related technologies are briefly introduced below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of an implementation of an access control method in an embodiment of the present application;
fig. 2 is a schematic flowchart of an access control method in an embodiment of the present application;
fig. 3 is a specific architecture diagram of a network system according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an access control device in an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device in an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device in an embodiment of the present application;
fig. 7 is a schematic view of an application scenario in an embodiment of the present application.
Detailed Description
In order that those skilled in the art will better understand the disclosure, the following detailed description will be given with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Referring to fig. 1, fig. 1 is a flowchart illustrating an access control method according to an embodiment of the present application. The method can be applied to a processor which can directly construct a network protocol stack in a user mode by bypassing a kernel to process the network data message so as to improve the processing efficiency of the network data message. Because the kernel is bypassed to process the network data message in the user mode, the physical network card is taken over in the user mode and a network protocol stack is built for data message processing, the method has the following defects: after the kernel is bypassed, the network system is not protected by the kernel resource management mechanism any more, the user program and the protocol stack are located in the same memory address space, bug of the user program easily causes crash of the whole protocol stack, and a malicious program can attack the protocol stack and other programs using the protocol stack by utilizing the weakness. In the application, the access control method can improve the safety and reliability of a network protocol stack. The method may be applied to a system comprising the steps of:
s101, receiving a network access request sent by an application program.
The application program may be specifically a program that needs to use a network protocol stack, and in this embodiment, it is not limited to what application the application program itself belongs to, and what functions the application program has.
The network access request is a request related to network setting, query, and the like, such as obtaining related resources through a network, or setting network permissions, and the like. Specifically, the request can be determined to be a network access request through the content carried by the request itself, or can be determined to be a network service request through receiving the interface type of the request.
The receiving of the network access request sent by the application program may specifically be: receiving a network access request generated by an application program and forwarded through a user mode network service interface; the user mode web service interface has a second privilege. Generally, an application calls a network service in a network protocol stack through a user-mode network service interface. Therefore, the user mode network service interface can be directly operated in the second permission corresponding mode, so that the network protocol stack can manage the user mode network service interface, and further can control and manage the network access request forwarded by the user mode network service interface.
And S102, if the application program has the second authority, sending the network access request to a network protocol stack with the first authority.
The network protocol stack may be embodied as NetStack, i.e. a high performance network protocol stack module.
Wherein, whether the application program has the second authority or not is determined, and whether the application program has the second authority or not can be determined by acquiring the running mode of the application program. For example, when the application program is found to run in the mode corresponding to the second authority, it may be determined that the application program has the second authority.
It should be noted that, if the application program does not have the second authority, it indicates that the network protocol stack having the first authority does not have the authority to manage the application program, and at this time, the access request sent by the application program may be directly sent to the network card providing the network service, so that the application program may access the network. Certainly, the application program does not have the second authority, and it may also be that the application program is omitted when the authority is set, or a requirement for accessing the network is generated due to a service change of the application program, but the second authority is not yet given to the application program, so that when the application program is determined to have no second authority, a corresponding alarm prompt may be output, so as to give the second authority to the application program in time, and enable the application program to receive the access control management of the network protocol stack.
The network protocol stack is a protocol stack that is directly built in a user mode by bypassing a kernel to process a network data packet, such as a network protocol stack in mTCP. The mTCP is a high-performance and high-extensible user-mode TCP protocol stack implementation scheme suitable for a multi-core system.
It should be noted that, in the present application, the first right and the second right both refer to non-root mode rights corresponding to hardware virtualization, and the first right is higher than the second right. In this embodiment, the privilege is higher, indicating that the high-privilege application/program has an application/program that manages the low privilege. For example, if the first program has a first right and the second program has a second right, the first program may control and manage the second program.
In this embodiment, it is not limited to which hardware virtualization technology is specifically adopted, and it is only required that after hardware virtualization is performed, a non-root mode different from a root mode is provided, where the non-root mode specifically includes a first authority and a second authority, and the first authority is higher than the second authority, and an application/program having the first authority may perform access control on an application/program having the second authority.
In particular, the network protocol stack having the first authority means that the network protocol stack operates in a mode corresponding to the first authority.
S103, judging whether the application program has the network access authority or not by utilizing the network protocol stack.
The first authority and the second authority are non-root mode authorities corresponding to hardware virtualization, and the first authority is higher than the second authority.
As can be seen from the above, if the application has the second authority, it indicates that the network protocol stack can perform control management on the application. Therefore, after the network access request is sent to the network protocol stack in the case that the application program is determined to have the second authority, the network protocol stack can be used for judging whether the application program has the specific situation of the network access authority or not, and therefore whether the application program is allowed to access the network or not can be determined.
The network access right can be confirmed based on the trusted list, and if the application program is in the trusted list, the application program is determined to have the network access right. Of course, the network access right may also be confirmed by other management modules, for example, sending a query request to the hardware virtualization management module, and determining whether the application program is given the network access right in a manner of receiving a query result, that is, whether a certain application program is allowed to access the network may be managed and controlled by the hardware virtualization management module.
After the specific judgment result is obtained, different processing operations can be executed according to the specific judgment result. Specifically, if the determination result is yes, step S104 is executed, and if the determination result is no, step S105 is executed.
And S104, allowing the application program to access the network.
After determining that the application has network access rights, the application may be allowed to access the network. Specifically, the access request may be directly sent to a network card providing the network service.
In one embodiment of the present application, the application is allowed to access the network, that is, the network protocol stack may be used to send the network access request to the network card. Therefore, the network card can respond to the network access request, and the application program can access the network. Therefore, the network protocol stack can be used for realizing high-efficiency network data packet processing by taking over the network card, meanwhile, the network protocol stack is prevented from being attacked due to application program bugs, and the stable operation of a network system can be further ensured.
For the purpose of accessing the network service by the application program, what kind of content and the like of the network service can refer to the specific implementation content and function of the network service, and the details are not repeated herein.
And S105, prohibiting the application program from accessing the network.
After determining that the application program has no network access right, the application program can be prohibited from accessing the network. Specifically, the prohibition of the application program from accessing the network may be implemented by not processing the network access request, or feeding back the request to the application program for invalidation, or the like.
By applying the method provided by the embodiment of the application, the network access request sent by the application program is received; if the application program has the second authority, the network access request is sent to the network protocol stack with the first authority; judging whether the application program has network access authority or not by utilizing a network protocol stack; the first authority and the second authority are non-root mode authorities corresponding to hardware virtualization, and the first authority is higher than the second authority; if so, the application is allowed to access the network.
After receiving the network access request, it may be determined whether the application sending the network access request has the second permission, and if so, it indicates that the network protocol stack may manage and control the resource access of the application. Therefore, the network protocol stack can be used for judging that the application program has the network access authority, so that the access of the application program to the network is controlled, namely the application program is allowed to access the network if the network access authority exists, and the application program is forbidden to access the network if the network access authority does not exist. The network protocol stack is isolated from the application program by using the hardware virtualization technology, so that the privilege level of the operation of the network protocol stack is higher than that of the application program, and the reliability and the safety of the network system are improved by using the control capability of the high privilege level on the access of the low privilege level resources.
That is, through the hardware virtualization technology, the network protocol stack can have a first authority in the non-root mode authorities corresponding to the hardware virtualization; the application program which needs to be managed by the network protocol stack can have a second authority in the non-root mode authorities corresponding to the hardware virtualization through a hardware virtualization technology; because the first authority is higher than the second authority, the network protocol stack can carry out access control on the application program with the second authority, thereby realizing the control of the application program, ensuring the safety and the reliability of the network protocol stack and further ensuring the stability of a network system.
It should be noted that, based on the above embodiments, the embodiments of the present application also provide corresponding improvements. In the preferred/improved embodiment, the same steps as those in the above embodiment or corresponding steps may be referred to each other, and corresponding advantageous effects may also be referred to each other, which are not described in detail in the preferred/improved embodiment herein.
In a specific embodiment of the present application, except for the network service-related interface, other system calls used by the application program are not affected, and the system call sent by the application program is forwarded to the Linux Kernel via the NetStack, so as to finally obtain corresponding normal processing, thereby ensuring normal operation of the application program. The specific implementation process comprises the following steps:
step one, receiving an access request sent by an application program; wherein the access request is not a network access request;
and step two, forwarding the access request to a Linux kernel.
For convenience of description, the above two steps will be described in combination.
Other access requests than the network access request sent by the application program are received. I.e. the access request does not request access to the network. At this point, the access request may be forwarded to the Linux kernel. The Linux kernel can process the access request.
Specifically, the access request is forwarded to the Linux kernel, and the specific implementation steps include:
step 1, switching the authority of a network protocol stack by using a hardware virtualization management module;
and 2, forwarding the access request to a Linux kernel after the network protocol stack has no first authority.
That is, in order to forward the access request to the Linux kernel, the authority mode of the network protocol stack needs to be switched, so as to avoid the management capability brought by the first authority of the network protocol stack, and perform wrong resource access control on the access request. Because the hardware virtualization management module can set the authority, the network protocol stack can be switched by the hardware virtualization module in a mode of sending an authority switching request to the hardware virtualization management module. After the hardware virtualization module receives the permission switching request, the network protocol stack can be switched from the first permission to other permissions, or the network protocol stack is only made to exit the first permission.
After the network protocol stack exits the first permission, the management control qualification of the application program is lost, and at the moment, the access request can be directly forwarded to the Linux kernel by using the network protocol stack according to a conventional processing mode.
That is, the program using other network service interfaces can be migrated to the NetStack platform more conveniently, and only the interfaces related to the network service need to be modified.
Specifically, in practical applications, the hardware virtualization management module corresponds to the Intel VT, and the hardware virtualization management module has the highest authority in the root mode, and before step S101 is executed to receive the network access request sent by the application program, the hardware virtualization management module may also be used to perform hardware virtualization setting on the relevant module, that is, to implement authority initialization.
Specifically, the hardware virtualization management module corresponds to the Intel VT, has the highest authority in the root mode, and assigns a first authority to the network protocol stack and a second authority to the application program to be resource managed by the network protocol stack by using the hardware virtualization management module before receiving the network access request sent by the application program; wherein the first authority corresponds to privilege level of non-root mode No. 0, and the second authority corresponds to privilege level of non-root mode No. 3
The Intel VT (Intel Virtualization Technology) refers to a hardware Virtualization Technology developed by Intel, and a set of hardware devices can be virtualized on a host machine by using the Intel VT for a virtual machine operating system.
For convenience of explanation, the following description is made with reference to fig. 2 and fig. 3, and fig. 2 is a schematic flow chart of an access control method in an embodiment of the present application; fig. 3 is a specific architecture diagram of a network system according to an embodiment of the present application.
In FIG. 2, the VT module corresponds to the Intel VT module; the VT management module corresponds to the hardware virtualization management module; the NetStack module is a high-performance network protocol stack module.
For the initialization of the VT management Module, the hardware related to the Intel VT needs to be initialized first, and the work is executed by the VT Manager Module (VT management Module). The VT management module runs in the privilege level 0 of the root mode and has the highest authority of the system, and other modules in the system, such as a high performance network protocol stack (NetStack) and a user mode network service interface library (LibNetStack), are all managed and controlled by the VT management module.
In particular, the management of the other modules by the VT management module is embodied in that the access rights of the other modules to the system resources are controlled by the VT management module, and the other modules can only access the system resources allowed by the VT management module. For example, the takeover of the physical network card by NetStack requires the permission of the VT management module, and the application cannot access system resources that are not authorized by the VT management module. That is, NetStack can determine whether to intercept a corresponding network access request based on whether the application has the web service right granted by the VT management module.
Since the VT management module needs to operate at the highest privilege level, in practical applications, it can be implemented as a kernel module of the Linux kernel.
In fig. 3, a User Program is an application (the application may be deployed on a User terminal shown in fig. 7, such as a PC terminal or a mobile terminal; of course, the application may also be deployed in a server shown in fig. 7), LibNetStack is a User mode network service interface, NetSTack is a high performance network protocol stack, Physical NIC is a Physical network card, VT Manager Module is a VT management Module (corresponding to a hardware virtualization management Module), and Linux Kernel is a Linux Kernel.
Root Mode Ring 0: root mode privilege level 0, the highest privilege level operating mode using an Intel VT technology processor, at which the host operating system operates in a typical virtualized environment configuration.
Non root Mode Ring 0: non-root mode privilege level 0, a higher privilege level operating mode using Intel VT technology processors, at which the guest (virtual machine) operating system operates in a typical virtualization environment configuration.
Non root Mode Ring 3: non-root mode privilege level 3, a low privilege level mode of operation using Intel VT technology processors, at which privilege level client applications run in typical virtualization environment configurations.
In addition, Root Mode Ring 3: root mode privilege level 3, a low privilege level mode of operation using an Intel VT technology processor, at which privilege level host applications run in a typical virtualization environment configuration. Applications that do not need to be accessed by the network protocol stack control can run at this privilege level in practice, but are not referred to in this figure.
The NetStack, i.e. a high-performance network protocol stack module, is similar to a typical user-state high-performance protocol stack mTCP, and adopts a design of taking over a physical network card to construct a protocol stack by bypassing a Linux Kernel, so that the NetStack has the advantages of high throughput and low delay of the typical high-performance network protocol stack.
Regarding the loading specification of the NetStack module, in the embodiment, the NetStack is different from the normal user mode protocol stack in that it runs at the privilege level of non-root mode No. 0 and is located at a different privilege level from the application program (running at the privilege level of non-root mode No. 3) using it. The CPU privilege level to run the NetStack protocol stack is higher than the application using it. Therefore, NetStack can limit the access of the application program to system resources (such as the memory used by NetStack itself), and the security risk that a malicious program can attack by using a protocol stack is reduced.
For application loading and running: an application program for performing network packet processing by using NetStack is loaded to a non-root mode privilege level 3 for running, and uses a network service provided by NetStack through an interface provided by a LibNetStack library (the network server can be deployed in a server shown in fig. 7, and the server can be specifically an entity server or a virtual server). Therefore, except for the network service related interface, other system calls used by the application program are not affected, the system calls sent by the application program are forwarded to the Linux Kernel through the NetStack, corresponding normal processing is finally obtained, and the normal operation of the application program is ensured. That is, programs using other network service interfaces can be migrated to the NetStack platform more conveniently, and only the interfaces related to the network service need to be modified.
That is to say, by using the Intel VT technology, the CPU privilege level isolation can be performed on the high-performance network protocol stack and its application program, so that the privilege level of the network protocol stack operation is higher than that of the application program, and the reliability and security of the network system are improved by using the control capability of the high privilege level to access the low privilege level resources.
In a specific embodiment of the present application, the receiving, by step S101, a network access request sent by an application program may include: and receiving a network access request sent by each application program after processing the network data packet by using different network protocol stack instances. For example, the applications can use different NetStack instances for network packet processing, and thus, the memory spaces of the applications are isolated from each other.
Specifically, NetStack memory isolation can be realized by an EPT mechanism with high guaranteed performance based on hardware, each NetStack instance (including applications served by the NetStack instance) uses different EPT tables for memory access, and by the EPT mechanism, memory isolation between NetStack instances can be realized.
The ept (extended Page tables) refers to a hardware mechanism provided by Intel in terms of virtualization of memory resources, and provides a memory virtualization capability for a system by adding a second-level memory address translation process, and belongs to a part of Intel VT.
That is to say, when a certain application program fails, the normal operation of other application programs is not affected. That is, the reliability of the network system can be effectively improved and the breakdown of the whole system caused by single point of failure can be avoided by receiving the network access request sent after each application program uses different network protocol stack instances to process the network data packet.
That is, in the embodiment, the Intel VT technology is used to isolate the high performance protocol stacks used by different network applications in the memory space, so as to avoid the breakdown of the whole system caused by a single point of failure generated by a single program, and improve the reliability and security of the network system.
Corresponding to the above method embodiments, the present application further provides an access control device, and the access control device described below and the access control method described above may be referred to in correspondence with each other.
Referring to fig. 4, the system includes the following modules:
a request receiving module 101, configured to receive a network access request sent by an application program;
the request forwarding module 102 is configured to send the network access request to a network protocol stack with a first right if the application has a second right;
the authority determining module 103 is configured to determine whether the application has a network access authority by using a network protocol stack; the first authority and the second authority are non-root mode authorities corresponding to hardware virtualization, and the first authority is higher than the second authority;
an access permission module 104 for permitting the application to access the network if the application has network access rights.
The device provided by the embodiment of the application is applied to receive the network access request sent by the application program; if the application program has the second authority, the network access request is sent to the network protocol stack with the first authority; judging whether the application program has network access authority or not by utilizing a network protocol stack; the first authority and the second authority are non-root mode authorities corresponding to hardware virtualization, and the first authority is higher than the second authority; if so, the application is allowed to access the network.
After receiving the network access request, it may be determined whether the application sending the network access request has the second permission, and if so, it indicates that the network protocol stack may manage and control the resource access of the application. Therefore, the network protocol stack can be used for judging that the application program has the network access authority, so that the access of the application program to the network is controlled, namely the application program is allowed to access the network if the network access authority exists, and the application program is forbidden to access the network if the network access authority does not exist. The network protocol stack is isolated from the application program by using the hardware virtualization technology, so that the privilege level of the operation of the network protocol stack is higher than that of the application program, and the reliability and the safety of the network system are improved by using the control capability of the high privilege level on the access of the low privilege level resources.
That is, through the hardware virtualization technology, the network protocol stack can have a first authority in the non-root mode authorities corresponding to the hardware virtualization; the application program which needs to be managed by the network protocol stack can have a second authority in the non-root mode authorities corresponding to the hardware virtualization through a hardware virtualization technology; because the first authority is higher than the second authority, the network protocol stack can carry out access control on the application program with the second authority, thereby realizing the control of the application program, ensuring the safety and the reliability of the network protocol stack and further ensuring the stability of a network system.
In a specific embodiment of the present application, the request receiving module is specifically configured to receive a network access request sent by each application program after processing a network data packet with different network protocol stack instances.
In a specific embodiment of the present application, the request receiving module is configured to receive a network access request generated by an application and forwarded through a user-mode web service interface; the user mode web service interface has a second privilege.
In an embodiment of the present application, the access permission module is specifically configured to forward the network access request to the network card by using a network protocol stack, so that the application program accesses the network.
In one embodiment of the present application, the method further includes:
the non-network access processing module is used for receiving an access request sent by an application program; wherein the access request is not a network access request; and forwarding the access request to the Linux kernel.
In a specific embodiment of the present application, the non-network access processing module is specifically configured to switch the authority of the network protocol stack by using the hardware virtualization management module; and after the network protocol stack has no first permission, forwarding the access request to the Linux kernel.
In a specific embodiment of the present application, the hardware virtualization management module corresponds to an Intel VT, and the hardware virtualization management module has the highest authority of the root mode, and further includes:
the authority endowing module is used for endowing a first authority to the network protocol stack and endowing a second authority to the application program to be subjected to resource management by the network protocol stack by using the hardware virtualization management module before receiving the network access request sent by the application program; the first authority corresponds to the privilege level of the non-root mode No. 0, and the second authority corresponds to the privilege level of the non-root mode No. 3.
Corresponding to the above method embodiment, the present application further provides an electronic device, and the electronic device described below and the access control method described above may be referred to in correspondence.
Referring to fig. 5, the electronic device includes:
a memory 332 for storing a computer program;
a processor 322 for implementing the steps of the access control method of the above-described method embodiments when executing the computer program.
Specifically, referring to fig. 6, fig. 6 is a schematic structural diagram of an electronic device provided in this embodiment, which may generate relatively large differences due to different configurations or performances, and may include one or more processors (CPUs) 322 (e.g., one or more processors) and a memory 332, where the memory 332 stores one or more computer applications 342 or data 344. Memory 332 may be, among other things, transient or persistent storage. The program stored in memory 332 may include one or more modules (not shown), each of which may include a sequence of instructions operating on a data processing device. Still further, the central processor 322 may be configured to communicate with the memory 332 to execute a series of instruction operations in the memory 332 on the electronic device 301.
The electronic device 301 may also include one or more power sources 326, one or more wired or wireless network interfaces 350, one or more input-output interfaces 358, and/or one or more operating systems 341.
The steps in the access control method described above may be implemented by the structure of the electronic device.
Corresponding to the above method embodiment, the present application embodiment further provides a readable storage medium, and a readable storage medium described below and an access control method described above may be referred to correspondingly.
A readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the access control method of the above-mentioned method embodiments.
The readable storage medium may be a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and various other readable storage media capable of storing program codes.
Those of skill would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
Claims (10)
1. An access control method, comprising:
receiving a network access request sent by an application program;
if the application program has a second authority, the network access request is sent to a network protocol stack with a first authority; the network protocol stack is a protocol stack which is directly constructed in a user mode by bypassing a kernel;
judging whether the application program has network access authority or not by utilizing the network protocol stack; the first permission and the second permission are non-root mode permissions corresponding to hardware virtualization, and the first permission is higher than the second permission;
if so, the application is allowed to access the network.
2. The access control method according to claim 1, wherein the receiving a network access request sent by an application program comprises:
and receiving the network access request sent by each application program after the application program uses different network protocol stack instances to process the network data packet.
3. The access control method according to claim 1, wherein the receiving a network access request sent by an application program comprises:
receiving the network access request generated by the application program and forwarded through a user mode network service interface; the user mode web service interface has the second authority.
4. The access control method of claim 1, wherein allowing the application to access a network comprises:
and forwarding the network access request to a network card by utilizing the network protocol stack so as to enable the application program to access the network.
5. The access control method according to any one of claims 1 to 4, characterized by further comprising:
receiving an access request sent by the application program; wherein the access request is not the network access request;
and forwarding the access request to a Linux kernel.
6. The access control method according to claim 5, wherein forwarding the access request to a Linux kernel comprises:
switching the authority of the network protocol stack by using a hardware virtualization management module;
and after the network protocol stack has no first authority, forwarding the access request to the Linux kernel.
7. The access control method according to claim 6, wherein the hardware virtualization management module corresponds to intel vt, and the hardware virtualization management module has the highest authority in root mode, and before the receiving the network access request sent by the application program, the method further comprises:
the hardware virtualization management module is utilized to endow the first authority to the network protocol stack and endow the second authority to an application program to be subjected to resource management by the network protocol stack;
the first authority corresponds to a non-root mode privilege level 0, and the second authority corresponds to a non-root mode privilege level 3.
8. An access control apparatus, comprising:
the request receiving module is used for receiving a network access request sent by an application program;
the request forwarding module is used for sending the network access request to a network protocol stack with a first authority if the application program has a second authority; the network protocol stack is a protocol stack which is directly constructed in a user mode by bypassing a kernel;
the authority determining module is used for judging whether the application program has network access authority or not by utilizing the network protocol stack; the first permission and the second permission are non-root mode permissions corresponding to hardware virtualization, and the first permission is higher than the second permission;
and the access permission module is used for allowing the application program to access the network if the application program has the network access authority.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the steps of the access control method according to any one of claims 1 to 7 when executing the computer program.
10. A readable storage medium, having stored thereon a computer program which, when being executed by a processor, carries out the steps of the access control method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110506793.4A CN113225344B (en) | 2021-05-10 | 2021-05-10 | Access control method, device, equipment and readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110506793.4A CN113225344B (en) | 2021-05-10 | 2021-05-10 | Access control method, device, equipment and readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113225344A CN113225344A (en) | 2021-08-06 |
| CN113225344B true CN113225344B (en) | 2022-09-30 |
Family
ID=77094290
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110506793.4A Active CN113225344B (en) | 2021-05-10 | 2021-05-10 | Access control method, device, equipment and readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113225344B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115525415B (en) * | 2022-10-19 | 2023-08-11 | 科东(广州)软件科技有限公司 | Data processing method, device, equipment and medium |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101465863A (en) * | 2009-01-14 | 2009-06-24 | 北京航空航天大学 | Method for implementing high-efficiency network I/O in kernel virtual machine circumstance |
| CN103155520A (en) * | 2010-08-06 | 2013-06-12 | 思杰***有限公司 | Systems and methods for a para-virtualized driver in a multi-core virtual packet engine device |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7664841B2 (en) * | 2005-12-07 | 2010-02-16 | International Business Machines Corporation | Selective activation of TCP/IP link and traffic |
| CN104424034A (en) * | 2013-09-04 | 2015-03-18 | 华为技术有限公司 | Hardware resource access method and hardware resource access device |
| CN108256298A (en) * | 2017-12-14 | 2018-07-06 | 大唐微电子技术有限公司 | A kind of resource access method and device |
| CN111737656B (en) * | 2019-05-30 | 2023-10-27 | 中国科学院计算技术研究所 | Application program-oriented privileged hardware resource access method and electronic equipment |
| CN112052439A (en) * | 2020-09-29 | 2020-12-08 | 北京智芯微电子科技有限公司 | Access right control method and device of embedded system and storage medium |
-
2021
- 2021-05-10 CN CN202110506793.4A patent/CN113225344B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101465863A (en) * | 2009-01-14 | 2009-06-24 | 北京航空航天大学 | Method for implementing high-efficiency network I/O in kernel virtual machine circumstance |
| CN103155520A (en) * | 2010-08-06 | 2013-06-12 | 思杰***有限公司 | Systems and methods for a para-virtualized driver in a multi-core virtual packet engine device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113225344A (en) | 2021-08-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11200080B1 (en) | Late load technique for deploying a virtualization layer underneath a running operating system | |
| CN109086100B (en) | High-security credible mobile terminal security system architecture and security service method | |
| US8910238B2 (en) | Hypervisor-based enterprise endpoint protection | |
| US10146936B1 (en) | Intrusion detection for storage resources provisioned to containers in multi-tenant environments | |
| EP3017392B1 (en) | Process evaluation for malware detection in virtual machines | |
| US10025924B1 (en) | Taskless containers for enhanced isolation of users and multi-tenant applications | |
| EP2940615B1 (en) | Method and apparatus for isolating management virtual machine | |
| US10255088B2 (en) | Modification of write-protected memory using code patching | |
| US10083129B2 (en) | Code loading hardening by hypervisor page table switching | |
| US20140053272A1 (en) | Multilevel Introspection of Nested Virtual Machines | |
| US10592434B2 (en) | Hypervisor-enforced self encrypting memory in computing fabric | |
| CN107707622B (en) | Method and device for accessing desktop cloud virtual machine and desktop cloud controller | |
| US8893306B2 (en) | Resource management and security system | |
| JP2018538633A (en) | Dual memory introspection to secure multiple network endpoints | |
| US8495750B2 (en) | Filesystem management and security system | |
| EP1830257A2 (en) | Input/output control apparatus, input/output control system, and input/output control method | |
| US10360386B2 (en) | Hardware enforcement of providing separate operating system environments for mobile devices | |
| CN113127077B (en) | Server-based microkernel operating system deployment method and operating system | |
| US20150370582A1 (en) | At least one user space resident interface between at least one user space resident virtual appliance and at least one virtual data plane | |
| CN108509251A (en) | A kind of safety virtualization system suitable for credible performing environment | |
| US20120198542A1 (en) | Shared Security Device | |
| US20220156103A1 (en) | Securing virtual machines in computer systems | |
| CN111078367A (en) | Request processing method and device, electronic equipment and storage medium | |
| CN113225344B (en) | Access control method, device, equipment and readable storage medium | |
| US11507408B1 (en) | Locked virtual machines for high availability workloads |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |