TWI668633B - Method of authorization for computer tasks and server system with funtion of authorization for computer tasks - Google Patents


Info

Publication number
TWI668633B
Authority
TW
Taiwan
Prior art keywords
black
white list
computer
content
computer task
Prior art date
Application number
TW107123387A
Other languages
Chinese (zh)
Other versions
TW202006537A (en)
Inventor
蕭伯宇
林彥宇
許峰維
許罡毓
Original Assignee
英研智能移動股份有限公司
Priority date
2018-07-06
Filing date
2018-07-06
Application filed by 英研智能移動股份有限公司; priority claimed to application TW107123387A
Application granted
Published as TWI668633B and as TW202006537A

Landscapes

  • Storage Device Security (AREA)

Abstract

A computer task authorization method suitable for a computer, comprising: the computer performing a modification procedure on a blacklist/whitelist according to a control command, the modification procedure comprising performing a decryption procedure on the list to obtain its content, modifying the content of the list, and, after the content has been modified, performing an encryption procedure on the modified list. When a computer task is executed, another decryption procedure is performed on the modified list to read its content. The content read is used to determine whether the computer task is associated with a restricted option on the list. If so, the computer allows the computer task to execute; if not, the computer refuses to execute it.

Description

Computer task authorization method and server system with a computer task authorization function

The present invention relates to a computer task authorization method and to a server system with a computer task authorization function, and in particular to a computer task authorization method and server system that apply a blacklist/whitelist.

Generally speaking, to meet customers' particular requirements, manufacturers configure a server when designing and assembling it so as to restrict certain software and hardware functions. For example, an enterprise restricts some functions of the computers its employees use, both for ease of management and to avoid leaks of confidential company data: it may prohibit installing or running social-networking software, or limit network connections to specific routers inside the company and prohibit connecting to routers on external networks.

However, the settings that restrict software and hardware functions are pre-compiled and fixed at the initial stage; if a customer later needs to change those restrictions for some reason, doing so is difficult in practice. In other words, existing technology provides no complete management mechanism for this type of function, one that is confidential, easy to use and not freely modifiable by users. Furthermore, such a mechanism must also satisfy industrial MDM (mobile device management) requirements so that it can be modified remotely. Without a unified management scheme of this kind, as the number of adjustable options and functions grows, scattered code places a heavy burden on subsequent development and maintenance.

In view of this, the present invention proposes a computer task authorization method and a server system with a computer task authorization function. It consolidates the related restriction functions into a single blacklist/whitelist whose format suits the great majority of restriction conditions, stores that list in a storage space that is not easily read, encrypts it as a second layer of protection, and at the same time allows both the local end and the remote end to modify it dynamically.

According to the present invention, a computer task authorization method suitable for a computer includes the computer performing a modification procedure on a blacklist/whitelist according to a control command, wherein the modification procedure comprises performing a decryption procedure on the list to obtain its content, modifying the content, and, after the content has been modified, performing an encryption procedure on the modified list. Then, when a computer task is executed, another decryption procedure is performed on the modified list to read its content. The content read is used to determine whether the computer task being executed is associated with a restricted option on the list. If the task is determined not to be associated with a restricted option on the list, the computer allows the task to execute; if it is determined to be associated with a restricted option on the list, the computer refuses to execute it.

According to the present invention, a server system with a computer task authorization function includes a local server and a management server. The local server includes a storage space for storing a blacklist/whitelist, and the local server selectively provides a hardware function command to perform a modification procedure on the list. The management server is communicatively connected to the local server and selectively provides a remote command to perform another modification procedure on the list. When the local server executes a computer task, it performs a decryption procedure on the modified list to read its content and thereby determines whether the computer task being executed is associated with a restricted option on the list. If the task is determined not to be associated with a restricted option on the list, the local server allows it to execute; if the task is determined to be associated with a restricted option on the list, the local server refuses to execute it.

In the computer task authorization method and the server system with a computer task authorization function, the related restriction functions are consolidated into a single blacklist/whitelist suited to the great majority of restriction-condition formats; the list is stored in a storage space that is not easily read, encrypted as a second layer of protection, and can be modified dynamically from both the local end and the remote end.

The above description of this disclosure and the following description of the embodiments serve to demonstrate and explain the spirit and principles of the invention and to provide further explanation of the scope of its claims.

The detailed features and advantages of the present invention are described in detail in the embodiments below; that content is sufficient for anyone skilled in the relevant art to understand the technical content of the invention and to implement it, and from the content disclosed in this specification, the claims and the drawings, anyone skilled in the art can readily understand the related objects and advantages of the invention. The following embodiments further illustrate the viewpoints of the invention but in no way limit its scope.

Please refer to FIG. 1, a functional block diagram of a server system with a computer task authorization function according to an embodiment of the invention. As shown in FIG. 1, the server system 1 includes a local server 10 and a management server 12. The local server 10 has a storage space 101 for storing the blacklist/whitelist BK. In practice, the storage space 101 can be storage memory inside the local server 10 that holds data and that is not easily read. The local server 10 (for example, its internal processor) can selectively issue a hardware function command CMD1 (not shown) to perform a modification procedure on the list BK.

The management server 12 is communicatively connected to the local server 10, and the management server 12 (for example, its internal processor) can selectively issue a remote command CMD2 to perform another modification procedure on the list BK. In this embodiment, when the local server 10 is about to execute a computer task, it performs a decryption procedure on the modified list BK' to read its content and thereby determines whether the application to be executed is associated with a restricted option on BK'. In practice, if the local server 10 determines that the application is not associated with a restricted option, it allows the computer task to be executed or installed; conversely, if it determines that the computer task is associated with a restricted option, it refuses to execute the task. The computer task may be, for example, the installation of a particular social-networking or messaging application (APP), a connection task to a particular router, or a system-configuration task.

In one example, in the modification procedure performed according to the hardware function command CMD1, the local server 10 accesses the storage space 101 and performs a decryption procedure on the list BK to obtain its content. The local server 10 can then modify the content of BK. After the local server 10 has modified the content of BK (that is, after the list BK' has been produced), it performs an encryption procedure on the modified list BK'. In practice, the encryption procedure uses a high-security encryption algorithm, which improves the protection of the content of BK' and makes it difficult to tamper with.

In another example, in the modification procedure performed according to the remote command CMD2, the management server 12 issues the remote command CMD2 to the local server 10 over a remote connection, so that the local server 10 accesses the storage space 101 according to CMD2 and performs a decryption procedure on the list BK to obtain its content. As in the previous example, the local server 10 modifies the content of BK and, after doing so, performs an encryption procedure on the modified list BK'. In one embodiment, the management server 12 uses a mobile device management (MDM) mechanism to first deliver the remote command CMD2 to the agent program (APK) on the local server 10, and the computer's system controller 103 (that is, the blacklist/whitelist controller) then modifies the content of BK.

In implementation, the local server 10 can be regarded as the local computer, for example a computer that an enterprise assigns to an employee, and the management server 12 as the remote administrator computer, for example the computer at the enterprise's central control point. Specifically, when a user of the local server 10, such as an employee, wants to modify the list, the local server 10 can generate the hardware function command CMD1 and modify the list BK according to it. On the other hand, when a user of the management server 12, such as the administrator of the enterprise's computers, wants to modify the list, the management server 12 can send the remote command CMD2 to the local server 10 to modify BK. In other words, the server system proposed by the invention supports dynamic modification of the list through both the local path and the remote path.

In one application example, the local server 10 or the management server 12 adds at least one option to the content of the list BK, or removes at least one option from it, according to the hardware function command CMD1 or the remote command CMD2 respectively. In detail, the content of BK is preset and stored in the storage space 101. The content of BK may include multiple blacklist options (that is, restricted options) that serve as the basis for deciding whether execution of a computer task is prohibited. For example, the blacklist options of BK may by default carry a restriction option associated with a messaging application from a certain vendor (for example, the name of that application) or a restriction option for a router located outside the company network (for example, that router's name or its service set identifier, SSID).

That is, by default the local server 10 does not allow the installation task for that messaging application and prohibits the connection task to that router. However, a user of the local server 10 or of the management server 12 can change the preset content of BK according to actual needs and remove the option for that vendor's messaging application, or the option for the router outside the company network, from BK. The originally restricted application, or the connection function for that external router, is thereby no longer associated with a restricted option, and in that case the local server 10 can install and use the application or perform the connection task to reach the external router. In another example, a user of the local server 10 or of the management server 12 can likewise change the preset content of BK by adding a previously unrestricted application or function option to the blacklist options in order to restrict it.

In other words, the list BK mainly serves for performing computer-related operational tasks from the remote end, for example restricting the installation or removal of software programs (APPs), designating a particular Wi-Fi connection to be used, or allowing or disallowing customised special functions. In one embodiment, the system can further add functions such as GPS or network-positioning restrictions. In practice, if the list were modified by an unknown user so that the server executes a restricted (that is, "illegitimate") computer task, for example running the installer of a social-networking application with security concerns or performing a connection task to an unknown router, confidential documents inside the enterprise could leak and cause losses. To avoid this, in one embodiment a user of the local server 10 or of the management server 12 must be a privileged user holding a key in order to perform the list modification procedure described above. In other words, in this embodiment both the user of the local server 10 and the user of the management server 12 must obtain the corresponding key in advance to gain the specific privilege needed to modify the content of the list.

Please refer to FIG. 2, a flow chart of a computer task authorization method suitable for a computer according to an embodiment of the invention. The method can be applied to the server system 1 of the embodiment of FIG. 1. As shown in FIG. 2, in step S201 the computer (that is, the local server 10) performs a modification procedure on the list BK according to a control command. The modification procedure comprises sub-steps I to III. In sub-step I, the computer performs a decryption procedure on the list BK to obtain its content; in sub-step II, the computer modifies the content of BK; in sub-step III, after modifying the content of BK, the computer performs an encryption procedure on the modified list BK'.

Next, in step S202, when the computer is about to execute a computer task, it first performs another decryption procedure on the modified list BK' to read its content. In step S203, the computer uses the content read from BK' to determine whether the task to be executed is associated with a restricted option. If the task is determined not to be associated with a restricted option, the computer allows the task to execute in step S204. If the task is determined to be associated with a restricted option, the computer refuses to execute it in step S205. The computer task includes the installation of a particular social-networking or messaging application (APP), a connection task to a particular router, or a system-configuration task.

In one embodiment, the step of performing the modification procedure on the list BK according to the control command comprises performing that procedure according to the hardware function command CMD1 from the computer (that is, the local server 10) or according to the remote command CMD2 from the management server 12. In one embodiment, performing the modification procedure on BK according to the remote command CMD2 from the management server 12 comprises the management server 12 sending the remote command CMD2 to the system controller 103, and the system controller 103 then performing the modification procedure on BK according to CMD2. Specifically, the management server 12 can deliver the remote command CMD2 to the agent program (APK) of the computer (that is, the local server 10) through a mobile device management (MDM) mechanism, and the agent program then forwards CMD2 to the computer's system controller 103 (that is, the blacklist/whitelist controller) to modify the content of BK.

In one embodiment, modifying the content of the list BK comprises adding at least one option to the content of BK or removing at least one option that the content of BK contains. In practice, the content of BK contains options for the devices to be restricted, for example a router's name and its service set identifier (SSID). In actual use, the local server 10 looks up the list to check whether it contains an option associated with the computer task (for example a router connection task) and then filters out the restricted options, so that execution of the task is prohibited.
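The list lifecycle of steps S201 to S205 together with the add, remove and look-up operations described above, as an added worked example that is not part of the patent or of the assignee's product. It is written in Go and assumes a representation of BK as restricted options grouped by task kind; the names ListStore, Modify and Allowed, the kinds "install" and "connect", and the sample package names and SSIDs are constructed for the example. The patent specifies only a high-security encryption algorithm; this example uses AES-256-GCM, an authenticated mode, so that sub-step I and step S202 reject a list whose stored bytes have been altered instead of reading it, and a list that cannot be read makes the task check refuse.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"io"
)

// listContent is the plaintext of the blacklist/whitelist BK. Assumed
// layout: restricted options grouped by task kind, e.g. "install" holds
// package names and "connect" holds router SSIDs.
type listContent struct {
	Blocked map[string]map[string]bool `json:"blocked"`
}

// ListStore stands in for storage space 101: it holds only the sealed
// list, and every read or change goes through decrypt/encrypt.
type ListStore struct {
	aead   cipher.AEAD
	sealed []byte // nonce || ciphertext || GCM tag
}

// NewListStore seals the preset list with AES-256-GCM under a 32-byte key.
func NewListStore(key []byte, preset listContent) (*ListStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	s := &ListStore{aead: aead}
	return s, s.encrypt(preset)
}

// encrypt is the encryption procedure; a fresh random nonce is drawn each
// time the list is re-sealed so two versions of BK never share one.
func (s *ListStore) encrypt(c listContent) error {
	plain, err := json.Marshal(c)
	if err != nil {
		return err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	s.sealed = s.aead.Seal(nonce, nonce, plain, nil)
	return nil
}

// decrypt is the decryption procedure. Bytes altered at rest fail the GCM
// tag check, so a tampered list is rejected instead of being read.
func (s *ListStore) decrypt() (listContent, error) {
	c := listContent{}
	n := s.aead.NonceSize()
	plain, err := s.aead.Open(nil, s.sealed[:n], s.sealed[n:], nil)
	if err != nil {
		return c, fmt.Errorf("list integrity check failed: %w", err)
	}
	if err := json.Unmarshal(plain, &c); err != nil {
		return c, err
	}
	if c.Blocked == nil { // a preset with no entries marshals as null
		c.Blocked = map[string]map[string]bool{}
	}
	return c, nil
}

// Modify is step S201 with sub-steps I to III: decrypt, add or remove one
// restricted option of the given kind, then re-encrypt.
func (s *ListStore) Modify(op, kind, target string) error {
	c, err := s.decrypt()
	if err != nil {
		return err
	}
	switch op {
	case "add":
		if c.Blocked[kind] == nil {
			c.Blocked[kind] = map[string]bool{}
		}
		c.Blocked[kind][target] = true
	case "remove":
		delete(c.Blocked[kind], target) // no-op when the kind is absent
	default:
		return fmt.Errorf("unknown operation %q", op)
	}
	return s.encrypt(c)
}

// Allowed is steps S202 to S205: decrypt the current list and refuse the
// task when its target is a restricted option of its kind. A list that
// cannot be decrypted also yields refusal, so the check fails closed.
func (s *ListStore) Allowed(kind, target string) (bool, error) {
	c, err := s.decrypt()
	if err != nil {
		return false, err
	}
	return !c.Blocked[kind][target], nil // a nil inner map reads as false
}
```

The list key is passed in by the caller; the example says nothing about where it lives, and a deployment would hold it in a protected key store rather than next to the sealed list. Because every Modify re-seals under a new nonce, the ciphertext for the same content differs from one version to the next, which is what GCM requires for its confidentiality and integrity guarantees to hold.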

In one embodiment, the control command comes from a privileged user holding a key. Specifically, a user of the local server 10 or of the management server 12 must be a privileged user holding a key in order to perform the list modification procedure described above. In other words, in this embodiment both the user of the local server 10 and the user of the management server 12 must obtain the corresponding key in advance before being authenticated as a user with the specific privilege, and only then can they modify the content of the list.
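The key-holding privileged user of this embodiment and the two command paths of the previous ones (CMD1 from the local server, CMD2 from the management server via the MDM agent to the system controller 103), as an added example in Go that is not part of the patent. The patent does not say how the controller verifies that a command comes from a key holder; this example assumes a symmetric per-user key shared with the controller, an HMAC-SHA256 tag over the command fields, and a per-user sequence number (Seq) so that a command that was valid once cannot be applied a second time. The Command and Controller types, the field names and the sample users and targets are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Command is a list-modification request as it reaches the system
// controller 103: either hardware function command CMD1 issued on the local
// server, or remote command CMD2 relayed by the MDM agent. The field layout
// and the Seq counter are assumptions of this example.
type Command struct {
	Source string // "CMD1" (local path) or "CMD2" (remote path)
	User   string // the key-holding user who issued it
	Seq    uint64 // per-user counter; must increase, so a captured command cannot be re-applied
	Op     string // "add" or "remove"
	Kind   string // "install" or "connect"
	Target string // package name or router SSID
	Tag    string // hex HMAC-SHA256 over the fields above, computed by Sign
}

// Controller verifies that a command was issued by a privileged user who
// holds a key before recording it. Keys are kept in memory for the example;
// a deployment would load them from protected storage.
type Controller struct {
	keys    map[string][]byte
	lastSeq map[string]uint64
	Applied []string // accepted operations, in order
}

func NewController(keys map[string][]byte) *Controller {
	return &Controller{keys: keys, lastSeq: map[string]uint64{}}
}

// canonical is the exact byte string the tag covers. Fields are joined
// with "|", so Apply refuses any field that contains that separator.
func canonical(c Command) string {
	return strings.Join([]string{c.Source, c.User, strconv.FormatUint(c.Seq, 10), c.Op, c.Kind, c.Target}, "|")
}

func mac(c Command, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(canonical(c)))
	return m.Sum(nil)
}

// Sign is what the issuing side does with the key it holds: the local
// server for CMD1, the management server for CMD2.
func Sign(c Command, key []byte) Command {
	c.Tag = hex.EncodeToString(mac(c, key))
	return c
}

// Apply is the controller's check before any change to the list: the user
// must hold a key, the tag must verify under that key, the counter must
// advance, and the source and operation must be known.
func (ctl *Controller) Apply(c Command) error {
	if c.Source != "CMD1" && c.Source != "CMD2" {
		return fmt.Errorf("unknown command source %q", c.Source)
	}
	for _, f := range []string{c.User, c.Op, c.Kind, c.Target} {
		if strings.Contains(f, "|") {
			return errors.New("field contains the separator")
		}
	}
	key, ok := ctl.keys[c.User]
	if !ok {
		return errors.New("user holds no key: not a privileged user")
	}
	tag, err := hex.DecodeString(c.Tag)
	if err != nil || !hmac.Equal(tag, mac(c, key)) {
		return errors.New("command authentication failed")
	}
	if c.Seq <= ctl.lastSeq[c.User] {
		return errors.New("stale or replayed command")
	}
	if c.Op != "add" && c.Op != "remove" {
		return fmt.Errorf("unknown operation %q", c.Op)
	}
	ctl.lastSeq[c.User] = c.Seq
	ctl.Applied = append(ctl.Applied, fmt.Sprintf("%s %s %s via %s", c.Op, c.Kind, c.Target, c.Source))
	return nil
}

func main() {
	adminKey := []byte("admin-key-constructed-for-demo")
	ctl := NewController(map[string][]byte{"admin": adminKey})
	cmd := Sign(Command{Source: "CMD2", User: "admin", Seq: 1, Op: "add", Kind: "connect", Target: "Lobby-WiFi"}, adminKey)
	fmt.Println("genuine: ", ctl.Apply(cmd))
	fmt.Println("replayed:", ctl.Apply(cmd))
	cmd.Seq, cmd.Target = 2, "Other-WiFi" // edited after signing, so the tag no longer matches
	fmt.Println("edited:  ", ctl.Apply(cmd))
}
```

Apply verifies the tag before it looks at the counter or the operation, so an unsigned or edited command learns nothing beyond the rejection. Applied is the controller's record of accepted changes; in a full implementation each accepted entry would drive the decrypt, modify and re-encrypt of BK, which this example leaves to the caller.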

In summary, in the computer task authorization method and the server system with a computer task authorization function proposed by the present invention, the related restriction option functions are consolidated into a single blacklist/whitelist suited to the great majority of restriction-condition formats; the list is stored in a storage space that is not easily read and is encrypted as a second layer of protection, and both the local and the remote server are allowed to modify it dynamically. This provides a management mechanism for software- and hardware-related functions that is both highly secure and highly practical, and it overcomes the problem that the settings restricting software and hardware functions on conventional servers cannot be modified.

Although the present invention has been disclosed above by way of the foregoing embodiments, these are not intended to limit it. Changes and refinements made without departing from the spirit and scope of the invention fall within its scope of patent protection; for the scope of protection defined by the invention, please refer to the appended claims.

1‧‧‧server system

10‧‧‧local server

101‧‧‧storage space

103‧‧‧system controller

12‧‧‧management server

CMD2‧‧‧remote command

BK‧‧‧blacklist/whitelist

FIG. 1 is a functional block diagram of a server system with an application authorization function according to an embodiment of the invention. FIG. 2 is a flow chart of an application authorization method suitable for a computer according to an embodiment of the invention.

Claims (10)

一種電腦任務判行方法,適於一計算機,該電腦任務判行方法包含:以該計算機依據一控制指令對一黑白名單進行一修改程序,其中該修改程序包含:對該黑白名單進行一解密程序以取得該黑白名單的內容;對該黑白名單的內容進行修改;以及於修改該黑白名單的內容後,對修改後的該黑白名單進行一加密程序;當執行一電腦任務時,對修改後的該黑白名單進行另一解密程序以讀取該黑白名單的內容;以讀取到的該黑白名單的內容判斷所執行的該電腦任務是否關聯於該黑白名單上的一受限制選項; 若判斷該電腦任務不關聯該黑白名單上的該受限制選項,則該計算機允許執行該電腦任務;以及若判斷該電腦任務係關聯該黑白名單上的該受限制選項,則該計算機拒絕執行該電腦任務。A computer task determination method is suitable for a computer. The computer task determination method comprises: performing a modification procedure on a black and white list according to a control instruction by the computer, wherein the modification program comprises: performing a decryption procedure on the black and white list To obtain the content of the black and white list; modify the content of the black and white list; and after modifying the content of the black and white list, perform an encryption process on the modified black and white list; when performing a computer task, the modified The black and white list performs another decryption process to read the content of the black and white list; and judges whether the executed computer task is associated with a restricted option on the black and white list by reading the content of the black and white list; The computer task is not associated with the restricted option on the black and white list, the computer is allowed to perform the computer task; and if the computer task is determined to be associated with the restricted option on the black and white list, the computer refuses to perform the computer task. 如請求項1所述的適於該計算機的電腦任務判行方法,其中以該控制指令對該黑白名單進行該修改程序包含以來自該計算機的一硬體功能指令或來自一管理伺服器的一遠端指令對該黑白名單進行該修改程序。The computer task determination method suitable for the computer according to claim 1, wherein the modification program for the black and white list by the control instruction comprises a hardware function instruction from the computer or a slave from a management server. The remote command performs the modification procedure on the black and white list. 
The computer task authorization method suitable for the computer according to claim 2, wherein performing the modification procedure on the black and white list with the remote instruction from the management server comprises: sending, by the management server, the remote instruction to a system controller; and performing, by the system controller, the modification procedure on the black and white list according to the remote instruction.

The computer task authorization method suitable for the computer according to claim 1, wherein modifying the content of the black and white list comprises adding at least one option to the content of the black and white list or removing at least one option contained in the content of the black and white list.

The computer task authorization method suitable for the computer according to claim 1, wherein the control instruction comes from an authorized user holding a key.

A server system with a computer task authorization function, comprising: a local server comprising a storage space for storing a black and white list, the local server being used to selectively provide a hardware function instruction for performing a modification procedure on the black and white list; and a management server communicatively connected to the local server, the management server being used to selectively provide a remote instruction for performing another modification procedure on the black and white list; wherein, when the local server executes a computer task, the local server performs a decryption procedure on the modified black and white list to read the content of the black and white list and accordingly determines whether the executed computer task is associated with a restricted option on the black and white list; and wherein, if it is determined that the computer task is not associated with the restricted option on the black and white list, the local server allows the computer task to execute, and if it is determined that the computer task is associated with the restricted option on the black and white list, the local server refuses to execute the computer task.

The server system with the computer task authorization function according to claim 6, wherein in the modification procedure, the local server performs another decryption procedure on the black and white list to obtain the content of the black and white list so as to modify the content of the black and white list, and after modifying the content of the black and white list, the local server further performs an encryption procedure on the modified black and white list.

The server system with the computer task authorization function according to claim 6, wherein in the other modification procedure, the local server performs another decryption procedure on the black and white list according to the remote instruction from the management server to obtain the content of the black and white list so as to modify the content of the black and white list, and after modifying the content of the black and white list, the local server further performs an encryption procedure on the modified black and white list.

The server system with the computer task authorization function according to claim 6, wherein the local server or the management server is respectively used to add at least one option to the content of the black and white list or remove at least one option from the content of the black and white list according to the hardware function instruction or the remote instruction.

The server system with the computer task authorization function according to claim 6, wherein the user of the local server or the user of the management server is an authorized user holding a key.
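The decrypt-modify-encrypt flow and the task check that the claims describe, as an added Python example that is not part of the patent or the applicant's code; the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag, the option names and the representation of a task as the set of options it touches are constructed assumptions (a deployment would use AES-GCM or ChaCha20-Poly1305 instead).

```python
import hashlib
import hmac
import json
import os

# Keystream from HMAC-SHA256 in counter mode: an assumption made so the example
# runs on the standard library alone, not the patent's own cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def encrypt_list(key: bytes, options: set) -> bytes:
    """Encryption procedure: serialize the list, encrypt it, then authenticate it."""
    plain = json.dumps(sorted(options)).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_list(key: bytes, blob: bytes) -> set:
    """Decryption procedure: reject a tampered or wrong-key blob before reading it."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("black and white list failed authentication")
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return set(json.loads(plain))

def modify_list(key: bytes, blob: bytes, add=(), remove=()) -> bytes:
    """Modification procedure: decrypt, add or remove options, re-encrypt.
    Both the local hardware function instruction and the management server's
    remote instruction take this path, and both need the list key."""
    options = decrypt_list(key, blob)
    options |= set(add)
    options -= set(remove)
    return encrypt_list(key, options)

def authorize_task(key: bytes, blob: bytes, task_options) -> bool:
    """Task check: allow only when the task touches no restricted option."""
    return not (set(task_options) & decrypt_list(key, blob))

if __name__ == "__main__":
    key = os.urandom(32)                          # key held by the authorized user
    blob = encrypt_list(key, {"usb_storage"})     # constructed initial list
    blob = modify_list(key, blob, add=["remote_shell"], remove=["usb_storage"])
    print(authorize_task(key, blob, ["usb_storage"]))   # True
    print(authorize_task(key, blob, ["remote_shell"]))  # False
```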
TW107123387A 2018-07-06 2018-07-06 Method of authorization for computer tasks and server system with funtion of authorization for computer tasks TWI668633B (en)
Publications (2)

Publication Number Publication Date
TWI668633B true TWI668633B (en) 2019-08-11
TW202006537A TW202006537A (en) 2020-02-01