WO2014075504A1 - Security control method and apparatus for running an application - Google Patents

Security control method and apparatus for running an application

Info

Publication number
WO2014075504A1
WO2014075504A1 (PCT/CN2013/083621; CN2013083621W)
Authority
WO
WIPO (PCT)
Prior art keywords
application
attribute
file
feature
terminal
Prior art date
Application number
PCT/CN2013/083621
Other languages
English (en)
Chinese (zh)
Inventor
温铭
李宇
胡劲
张家柱
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京奇虎科技有限公司 and 奇智软件(北京)有限公司
Publication of WO2014075504A1

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow

Definitions

  • The present invention relates to the field of computer technology, and in particular to a security control method and apparatus for running an application.
  • The "cloud" is a metaphor for the Internet: it represents an abstraction of the Internet and its underlying infrastructure. Clouds can be roughly divided into public clouds and private clouds.
  • A public cloud usually refers to a cloud that a third-party vendor offers to external users through its own infrastructure.
  • A private cloud is placed in a private environment, such as the equipment room of an enterprise, government or other organization, or is built by an operator and leased to one organization as a whole; users outside the organization cannot access or use it.
  • A private cloud is built by a single organization and gives it the most effective control over data, security and quality of service.
  • A terminal that can access the private cloud and the private cloud server are on the same local area network; they can be connected by network devices such as switches and routers.
  • In the prior art, when the terminal needs to operate on a file it must obtain the corresponding policy from the private cloud. Specifically, when the terminal accesses a program it must request the private cloud to authenticate whether the program may be executed, and only after receiving the private cloud's authentication result does it run, or refuse to run, the program.
  • The problem with the above prior art is that if a network failure occurs in the local area network to which the private cloud belongs, or a virus outbreak leaves the terminal unable to connect to the private cloud, the terminal cannot determine whether any program may be executed, so none of the terminal's programs can run, affecting normal use of the terminal.
  • A security control method for running an application, including:
  • when the feature terminal is unable to connect to the feature server, the feature terminal obtains the identifier information of the application, where
  • the feature server is a server that performs security control on the feature terminal based on the intranet; and
  • the feature terminal loads and/or executes the application in accordance with the execution policy.
  • A security control device for running an application, comprising:
  • an identifier information obtaining module adapted to acquire the identifier information of the application when the feature terminal is unable to connect to the feature server, where the feature server is a server that performs security control on the feature terminal based on the intranet;
  • a first attribute obtaining module configured to extract, according to the identifier information, a first attribute of the application from a first attribute identification database preset by the feature terminal, where the first attribute includes a security classification of the application;
  • a second attribute obtaining module configured to extract, according to the first attribute, a second attribute of the application from a second attribute configuration file preset by the feature terminal, where the second attribute includes the execution policy of the application corresponding to the security classification; and
  • a loading module adapted to load and/or execute the application according to the execution policy.
  • A computer program comprising computer-readable code which, when run on a server, causes the server to perform the security control method for running an application according to any one of claims 1-10.
  • A computer-readable medium storing the computer program according to claim 21.
  • The first attribute identification database and the second attribute configuration file are preset on the terminal.
  • The terminal can therefore determine locally the execution policy corresponding to the application's security classification and then load the application according to that policy, so that when the terminal cannot connect to the private cloud it can still authenticate whether the application may execute, without affecting the user's access to the application.
  • The security classification of the application may take several different values, such as black file, white file and gray file.
  • The second attribute configuration file may include execution policies corresponding to several different security classifications. The user can reset the second attribute configuration file on the private cloud according to their own needs and then update the terminal's copy of it.
  • If the application's identifier is not found, its security classification may be set to gray file, and the corresponding execution policy is then looked up in the second attribute configuration file.
  • This execution policy avoids the problem of some programs becoming inaccessible while the first attribute identification database is still incomplete.
  • FIG. 1 is a flow chart schematically showing a method of security control for running an application according to an embodiment of the present invention
  • FIG. 2 is a block diagram schematically showing a security control device for running an application according to an embodiment of the present invention
  • Figure 3 schematically shows a block diagram of a server for performing the method according to the invention
  • Fig. 4 schematically shows a storage unit for holding or carrying program code implementing the method according to the invention.
  • Referring to FIG. 1, a flow chart of the steps of an embodiment of a security control method for running an application according to an embodiment of the present invention is shown; the method may include the following steps:
  • Step 101 The feature terminal acquires the identifier information of the application when the feature terminal is unable to connect to the feature server, where the feature server is a server that performs security control on the feature terminal based on the intranet.
  • the feature server is a server accessible by a specific terminal, that is, a private cloud, and the feature terminal that can access the private cloud and the private cloud server are in the same intranet.
  • the private cloud is set up in the private network.
  • security control can be performed on each terminal of the intranet.
  • the embodiment of the present invention is mainly used in the scenario that the terminal and the private cloud cannot be connected.
  • The terminal can send an HTTP request to the private cloud server. If the terminal cannot connect to the private cloud server, the request immediately returns a failure, and the terminal determines that it is unable to connect.
  • The application may be one the user requests: the user may request access to the application by clicking its shortcut or program file, and on receiving the click the terminal extracts the application's identifier information for further authentication.
  • The application program may also be every application program installed on the feature terminal.
  • When the feature terminal determines that it cannot connect to the feature server, it may extract the identifier information of all installed application programs and authenticate them locally.
  • The application program may also be one that, when installed on the feature terminal, needs to connect to the feature server.
  • When the terminal determines that it cannot connect to the feature server, it extracts the identifier information of that application program and performs the identification locally.
  • Step 101 may include: sub-step S11, the feature terminal extracts the application file corresponding to the application; sub-step S12, the feature terminal converts the application file into the corresponding identifier information by using a preset algorithm.
  • The identifier information of the application can thus be obtained by processing the application file. A terminal on the private cloud's intranet has many applications installed, and each has several files, among them the application file.
  • The application file is a file in PE (Portable Executable) format.
  • A PE file is a program file on the Microsoft Windows operating system; the common EXE, DLL, OCX, SYS and COM files are PE files, and each application has a corresponding PE file.
  • A PE file is composed of an MS-DOS executable stub, a file header, an optional header, data directories, section headers and sections. Among the fields of the file header, SizeOfOptionalHeader is simply the size of the IMAGE_OPTIONAL_HEADER; it can be used to verify the correctness of the PE file structure.
  • The keywords of each structure in the PE file header can be used as preset keywords to determine whether each file belonging to the application is an application file.
  • The application file can then be converted by a preset algorithm, and the converted result used as the identifier information of the application.
  • That is, the corresponding identifier is obtained by converting the PE file with the preset algorithm.
  • The preset algorithm may be MD5 (Message-Digest Algorithm 5). MD5 "compresses" information of any size into a fixed, opaque form: it converts a byte string of arbitrary length into a fixed-length string of hexadecimal digits, which is used here to check that the file is complete and unchanged.
  • Step 102: extract, according to the identifier information, a first attribute of the application from a first attribute identification database preset by the feature terminal, where the first attribute includes a security classification of the application.
  • The first attribute identification database is preset on the terminal and holds the correspondence between application identifiers and first attributes, so the first attribute can be extracted by the application's identifier; the first attribute may include a classification of the application's security.
  • The security classification may have three values: black file, gray file and white file. In the initial stage of building the first attribute identification database it may be incomplete; when the application's identifier is not present, the application's security classification may be set to gray file so as not to affect the user's use of the program, which avoids the problem of some programs being inaccessible while the database is incomplete. In a specific implementation the types and number of security classifications may be set as needed, and the present invention does not limit this.
  • The embodiment of the present invention may further include: if the identifier information of the application does not exist in the first attribute identification database, the identifier information of the application is recorded.
  • The recorded identifier information is then sent to the private cloud for authentication.
  • The embodiment of the present invention may further include: when the feature terminal is connected to the feature server, the recorded identifier information of the application is sent to the feature server for authentication.
  • The private cloud has an application management database, that is, a private black-and-white list library ("private library"), customized by the enterprise or organization that owns the private cloud, which holds the correspondence between each application's identifier and its first attribute.
  • After receiving the identifier information sent by the terminal, the private cloud server authenticates the application's first attribute against the private library and returns it to the terminal, which saves the correspondence between the application's first attribute and its identifier in the first attribute identification database.
  • The next time, the program's first attribute can be determined directly from the local first attribute identification database, making identification of the application more accurate.
  • Step 103: extract, according to the first attribute, a second attribute of the application from a second attribute configuration file preset by the feature terminal, where the second attribute includes the execution policy of the application corresponding to the security classification.
  • Client software may be installed on the feature terminal, and the second attribute configuration file may be built into the installation package of that client software.
  • The second attribute configuration file holds the correspondence between the first attribute and the second attribute of the application; the second attribute may include the execution policy corresponding to the security classification.
  • The security classification and execution policy may correspond, for example, as follows: for one security classification the corresponding execution policy is to load and execute the application; for another, the corresponding execution policy is to execute only part of the application's functions.
  • The correspondence between security classification and execution policy can be set flexibly according to the application environment and requirements.
  • The user can reset the second attribute configuration file on the feature server according to their own needs and then update the feature terminal's second attribute configuration file.
  • The method therefore further includes: updating the second attribute configuration file of the feature terminal according to the second attribute configuration file of the feature server.
  • Step 104: the feature terminal loads and/or executes the application according to the execution policy.
  • The execution policy specifies, for each security classification, the corresponding loading or execution mode. Once the feature terminal has identified the application's execution policy, it can decide according to that policy whether and how to load the application.
  • The application's security classification and the corresponding execution policy can thus be identified directly on the terminal, and the application loaded according to that policy, so that when the terminal cannot connect to the private cloud it can still authenticate whether the application may execute, without affecting the user's access to the application.
  • Referring to FIG. 2, a structural block diagram of an embodiment of a security control apparatus for running an application according to an embodiment of the present invention is shown; it may include the following modules:
  • an identifier information obtaining module 201, adapted to obtain the identifier information of the application when the feature terminal is unable to connect to the feature server;
  • a first attribute obtaining module 202, configured to extract, according to the identifier information, a first attribute of the application from a first attribute identification database preset by the feature terminal, where the first attribute includes a security classification of the application;
  • a second attribute obtaining module 203, configured to extract, according to the first attribute, a second attribute of the application from a second attribute configuration file preset by the feature terminal, where the second attribute includes the execution policy of the application corresponding to the security classification; and
  • a running module 204, adapted to have the feature terminal load and/or execute the application according to the execution policy.
  • The application may be an application for which access is requested, all applications installed on the feature terminal, or an application installed on the feature terminal that needs to connect to the feature server.
  • The first attribute identification database may hold the correspondence between the identifier information of the application and the first attribute.
  • The second attribute configuration file may hold the correspondence between the first attribute and the second attribute of the application.
  • The security classification may include black file, white file and gray file.
  • The first attribute obtaining module may include:
  • a gray file identification submodule, adapted to set the application's security classification to gray file if the identifier information of the application does not exist in the first attribute identification database.
  • For one security classification the corresponding execution policy is to load and execute the application;
  • for another, the corresponding execution policy is to execute only part of the application's functions.
  • The device may further include a recording module, configured to record the identifier information of the application if it does not exist in the first attribute identification database.
  • The device may further include:
  • an authentication module, configured to send the identifier information of the application to the feature server for authentication when the feature terminal is connected to the feature server.
  • The device may further include:
  • a saving module, configured to receive the first attribute of the application returned by the feature server and save the correspondence between the application's identifier information and the first attribute in the first attribute identification database.
  • The device may further include:
  • an update module, adapted to update the second attribute configuration file of the feature terminal according to the second attribute configuration file of the feature server.
  • The identifier information obtaining module may include: an application file extracting submodule, configured to extract, on the feature terminal, the application file corresponding to the application; and
  • a conversion submodule, adapted to convert the application file into the corresponding identifier information by using a preset algorithm.
  • The file header of the application file may include a preset keyword, and the preset algorithm may include a message digest algorithm.
  • The various component embodiments of the present invention may be implemented in hardware, in software modules running on one or more processors, or in a combination of the two. Those skilled in the art will appreciate that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the security control device for running an application according to an embodiment of the present invention.
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • Such a program implementing the present invention may be stored on a computer readable medium or may have the form of one or more signals. Such signals may be downloaded from the Internet website, or provided on a carrier signal, or in any other form.
  • FIG. 3 illustrates a server, such as an application server, that can implement a security control method for running an application in accordance with the present invention.
  • the server conventionally includes a processor 310 and a computer program product or computer readable medium in the form of a memory 320.
  • Memory 320 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk or ROM.
  • the memory 320 has a memory space 330 for program code 331 for performing any of the method steps described above.
  • storage space 330 for program code may include various program code 331 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such computer program products are typically portable or fixed storage units as described with reference to FIG. 4.
  • The storage unit may have storage segments, storage space and the like arranged similarly to the memory 320 in the server of FIG. 3.
  • the program code can be compressed, for example, in an appropriate form.
  • The storage unit includes computer-readable code 331', i.e. code that can be read by a processor such as 310, which, when executed by a server, causes the server to perform the various steps of the methods described above.
  • any reference signs placed between parentheses shall not be construed as a limitation.
  • The word "comprising" does not exclude the presence of elements or steps not listed in a claim.
  • the word “a” or “an” preceding a component does not exclude the presence of a plurality of such elements.
  • the invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means can be embodied by the same hardware item.
  • the use of the words first, second, and third does not indicate any order. These words can be interpreted as names.
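The flow of Steps 101 to 104 above, together with the recording, synchronisation and configuration-update behaviour described for the method and the device, as an added worked example in Python. This is not code from the patent, from 北京奇虎科技有限公司 or from any product; the names (`OfflineController`, `is_pe_file`, `identifier`, `build_sample_pe`), the policy strings and the default classification-to-policy table are this example's own assumptions, the latter chosen to match the page's black/white/gray naming. The page names MD5 as the preset algorithm, so MD5 is the default here, but MD5 is no longer collision-resistant: with a chosen-prefix collision an attacker can have one PE file whitelisted and ship a different one with the same identifier, so a deployment today should use SHA-256 (the `algo` parameter), integrity-protect the local database and configuration file, and authenticate the server's replies, which the page describes as plain HTTP. The sample PE image and the private library are constructed inline so the block runs offline.

```python
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# First attribute (security classification) and second attribute (execution policy).
BLACK, WHITE, GRAY = "black", "white", "gray"
DENY, ALLOW, PARTIAL = "do_not_load", "load_and_execute", "partial_functions"
NOT_APP = "not_an_application_file"
# Assumed default second-attribute table: the page names the three classes and two of
# the policies but leaves the full mapping to the deployment's configuration file.
DEFAULT_POLICY = {BLACK: DENY, WHITE: ALLOW, GRAY: PARTIAL}

Lookup = Callable[[List[str]], Dict[str, str]]  # private library: identifiers -> classes


def is_pe_file(data: bytes) -> bool:
    """Sub-step S11: use the PE header keywords (MZ stub, PE\\0\\0 signature,
    optional-header magic, SizeOfOptionalHeader) to decide whether a file is an
    application file; the size field must keep the section table inside the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if size_opt < 2 or opt_off + size_opt + 40 * nsections > len(data):
        return False
    (magic,) = struct.unpack_from("<H", data, opt_off)
    return magic in (0x10B, 0x20B)  # PE32 or PE32+


def identifier(data: bytes, algo: str = "md5") -> str:
    """Sub-step S12: digest of the whole application file (MD5 on the page)."""
    return hashlib.new(algo, data).hexdigest()


@dataclass
class OfflineController:
    """Steps 102-104 on the terminal, plus the record / sync / update behaviour."""
    classification_db: Dict[str, str]                 # first attribute identification database
    policy_config: Dict[str, str] = field(default_factory=lambda: dict(DEFAULT_POLICY))
    pending: List[str] = field(default_factory=list)   # identifiers not found locally

    def classify(self, ident: str) -> str:
        cls = self.classification_db.get(ident)
        if cls is None:
            # Not in the local database: treat as gray instead of blocking, and
            # record the identifier for authentication once the server is back.
            if ident not in self.pending:
                self.pending.append(ident)
            return GRAY
        return cls

    def policy_for(self, ident: str) -> str:
        # A class missing from the configuration file is a deployment error: fail closed.
        return self.policy_config.get(self.classify(ident), DENY)

    def authenticate_file(self, data: bytes, server_reachable: bool, lookup: Lookup) -> str:
        """Whole path for one file: PE check, identifier, local or server authentication."""
        if not is_pe_file(data):
            return NOT_APP
        ident = identifier(data)
        if server_reachable:  # normal path: ask the private cloud and cache its answer
            answers = lookup([ident])
            if ident in answers:
                self.classification_db[ident] = answers[ident]
            return self.policy_config.get(answers.get(ident, GRAY), DENY)
        return self.policy_for(ident)

    def sync(self, lookup: Lookup) -> int:
        """On reconnect: send the recorded identifiers, save the private library's answers."""
        if not self.pending:
            return 0
        answers = {i: c for i, c in lookup(list(self.pending)).items() if c in self.policy_config}
        self.classification_db.update(answers)
        self.pending = [i for i in self.pending if i not in answers]
        return len(answers)

    def update_policy_config(self, server_config: Dict[str, str]) -> None:
        """Replace the terminal's second attribute configuration file with the server's."""
        self.policy_config = dict(server_config)


def build_sample_pe(pe32plus: bool = False, payload: bytes = b"") -> bytes:
    """Constructed sample input: a structurally valid, non-runnable PE image."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the stub
    magic, size_opt, machine = (0x20B, 0xF0, 0x8664) if pe32plus else (0x10B, 0xE0, 0x14C)
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, magic)
    section = bytearray(40)
    section[:5] = b".text"
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + bytes(section) + payload
```

`authenticate_file` is the entry point: it applies the PE header check (sub-step S11), hashes the file (S12), and then either asks the simulated private library or, offline, falls back to the local database with gray as the default for unknown identifiers, recording them for `sync` once the server is reachable again. A truncated or non-PE file is reported as not an application file rather than hashed and looked up, and a classification absent from the configuration file is refused rather than mapped to a permissive default.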

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A security control method and apparatus for running an application. The method is as follows: when a feature terminal cannot connect to a feature server, it obtains the identifier information of an application, the feature server being a server that performs security control on the feature terminal based on an intranet; according to the identifier information, a first attribute of the application is extracted from a first attribute identification database preset by the feature terminal, the first attribute comprising a security classification of the application; according to the first attribute, a second attribute of the application is extracted from a second attribute configuration file preset by the feature terminal, the second attribute comprising the execution policy of the application corresponding to the security classification; and the feature terminal loads and/or executes the application according to the execution policy. With the present invention, a terminal's inability to connect to a private cloud does not affect the running of applications.
PCT/CN2013/083621 2012-11-14 2013-09-17 Security control method and apparatus for running an application WO2014075504A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2012104571648A CN102982275A (zh) 2012-11-14 2012-11-14 A security control method and apparatus for running an application
CN201210457164.8 2012-11-14

Publications (1)

Publication Number Publication Date
WO2014075504A1 true WO2014075504A1 (fr) 2014-05-22

Family

ID=47856279

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/083621 WO2014075504A1 (fr) 2012-11-14 2013-09-17 Security control method and apparatus for running an application

Country Status (2)

Country Link
CN (1) CN102982275A (fr)
WO (1) WO2014075504A1 (fr)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102982275A (zh) * 2012-11-14 2013-03-20 北京奇虎科技有限公司 A security control method and apparatus for running an application
CN103646207A (zh) * 2013-12-02 2014-03-19 北京奇虎科技有限公司 Method and apparatus for managing the security attributes of an application
CN104850775B (zh) * 2014-02-14 2019-06-28 北京奇安信科技有限公司 Method and apparatus for authenticating the security of an application
WO2015165057A1 (fr) * 2014-04-30 2015-11-05 华为技术有限公司 Method and device for a hard disk drive to execute application code
CN105630584A (zh) * 2015-06-16 2016-06-01 宇龙计算机通信科技(深圳)有限公司 Application running control method, *** and terminal
CN109558708B (zh) * 2018-11-30 2020-10-09 北京八分量信息科技有限公司 Application running control method, apparatus and *** based on secure multi-party computation

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050125494A1 (en) * 2003-12-04 2005-06-09 Tsubasa System Co., Ltd. System environment regulation violation detecting method for client device
CN1900941A (zh) * 2006-04-28 2007-01-24 傅玉生 Computer security protection method based on software identity authentication technology
CN102982275A (zh) * 2012-11-14 2013-03-20 北京奇虎科技有限公司 A security control method and apparatus for running an application

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7895651B2 (en) * 2005-07-29 2011-02-22 Bit 9, Inc. Content tracking in a network security system
CN101950339B (zh) * 2010-09-14 2012-01-25 上海置水软件技术有限公司 Computer security protection method and ***
CN102012992B (zh) * 2010-11-19 2012-11-21 奇智软件(北京)有限公司 Monitoring method and apparatus for real-time file protection
CN102034058B (zh) * 2010-11-25 2013-08-21 中国联合网络通信集团有限公司 Application software security control method and terminal
CN102195987B (zh) * 2011-05-31 2014-04-30 成都七巧软件有限责任公司 Distributed trusted authentication method and *** based on a software product library
CN102693388B (zh) * 2012-06-07 2014-03-19 腾讯科技(深圳)有限公司 Data security protection processing ***, method and storage medium
CN102737203B (zh) * 2012-07-13 2015-10-21 珠海市君天电子科技有限公司 Virus defense method and *** based on parent-child gene relationships between programs

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050125494A1 (en) * 2003-12-04 2005-06-09 Tsubasa System Co., Ltd. System environment regulation violation detecting method for client device
CN1900941A (zh) * 2006-04-28 2007-01-24 傅玉生 Computer security protection method based on software identity authentication technology
CN102982275A (zh) * 2012-11-14 2013-03-20 北京奇虎科技有限公司 A security control method and apparatus for running an application

Also Published As

Publication number Publication date
CN102982275A (zh) 2013-03-20 A security control method and apparatus for running an application


Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (ref. document number: 13855832; country of ref. document: EP; kind code: A1)
NENP Non-entry into the national phase (ref. country code: DE)
122 Ep: PCT application non-entry in European phase (ref. document number: 13855832; country of ref. document: EP; kind code: A1)