CN112214759A - Behavior authority distribution method and device for application program based on credible root measurement and related products - Google Patents

Info

Publication number: CN112214759A
Authority: CN (China)
Legal status: Pending
Application number: CN202011133552.1A
Other languages: Chinese (zh)
Inventors: 阮安邦, 陈凯, 魏明, 陈旭明, 翟东雪
Current Assignee: Beijing Octa Innovations Information Technology Co Ltd
Original Assignee: Beijing Octa Innovations Information Technology Co Ltd
Prior art keywords: application program, behavior data, trusted, application, value

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The embodiment of the application provides a behavior authority distribution method and device for an application program based on a root of trust measurement and a related product, wherein the behavior authority distribution method comprises the following steps: determining a plurality of trusted behavior data of the electronic equipment running each application program according to the trusted value of each application program in the application program white list to form a trusted behavior data rule base; collecting real-time behavior data of any application program running on the electronic equipment in real time; and determining the matching degree of the real-time behavior data and the credible behavior data so as to allocate the behavior authority to any application program according to the matching degree. According to the embodiment of the application, the tampered application program cannot call the API of the TEE environment, so that the safety of a single electronic device is guaranteed, and the safety of a data system applying the electronic device is finally guaranteed.

Description

Behavior authority distribution method and device for application program based on credible root measurement and related products
Technical Field
The present application relates to the field of blockchain technologies, and in particular, to a method and an apparatus for assigning behavior permissions of an application based on a root-of-trust metric, and a related product.
Background
The blockchain system is essentially an integrated application of technologies such as distributed data storage, point-to-point transmission, consensus mechanisms and encryption algorithms, and can realize on the internet the trust and value transfer that the traditional internet cannot. It is based on cryptographic principles rather than credit, enabling any parties that reach agreement to trade directly without the involvement of third-party intermediaries. In addition, a blockchain has almost no single point of failure, and data on the chain is stored on numerous machine nodes (also referred to as electronic devices) around the world, so that the data is "stable", "trusted" and "tamper-proof", which gives the data on the network a value that can be trusted.
A TEE (Trusted Execution Environment) is configured on the electronic device to provide various security services. However, since all electronic devices in the blockchain system are in a large internet environment, the application programs running on them are easily tampered with, and a tampered application program can then call the API interfaces of the TEE. A single electronic device is therefore no longer secure, which ultimately creates a serious security risk for the whole blockchain system.
Disclosure of Invention
Based on the above problems, embodiments of the present application provide a method, an apparatus, and a related product for assigning a behavior authority of an application based on a root-of-trust metric.
The embodiment of the application discloses the following technical scheme:
1. A behavior authority distribution method for an application program based on a root-of-trust metric, characterized by comprising the following steps:
determining a plurality of trusted behavior data of the electronic equipment running each application program according to the trusted value of each application program in the application program white list to form a trusted behavior data rule base;
collecting real-time behavior data of any application program running on the electronic equipment in real time;
and determining the matching degree of the real-time behavior data and the credible behavior data so as to allocate the behavior authority to any application program according to the matching degree.
2. The method of claim 1, wherein the determining a plurality of trusted behavior data of the electronic device running each application according to the trusted value of each application in the application white list to form a trusted behavior data rule base comprises:
and generating a credibility measurement log according to the calculated credibility value of each application program in the application program white list, wherein the credibility measurement log records the file called in the starting process of each application program and the corresponding credibility value.
3. The method for assigning behavioral authority of an application based on root-of-trust metric according to claim 2, wherein the determining a plurality of trusted behavior data of the electronic device running each application according to the trusted value of each application in the application white list to form a trusted behavior data rule base comprises:
analyzing the credibility measurement log to obtain files called in the starting process of each application program and corresponding credibility values;
and determining a plurality of trusted behavior data of the electronic equipment running each application program according to the file called in the starting process of each application program and the corresponding trusted value so as to form a trusted behavior data rule base.
4. The method of claim 1, wherein the determining a plurality of trusted behavior data of the electronic device running each application according to the trusted value of each application in the application white list to form a trusted behavior data rule base comprises:
and calculating the credibility value of each application program in the application program white list when the application program runs on the electronic equipment according to the set credibility calculation model.
5. The method for assigning behavioral authority of an application program based on root-of-trust metric according to claim 4, wherein the calculating the trust value of each application program in the application program white list when running on the electronic device according to the set trusted computing model comprises:
and calculating the credibility value of each application program in the application program white list when the application program runs on the electronic equipment according to the set static credibility measurement model.
6. The method for assigning behavioral authority of an application program based on root-of-trust metric according to claim 3, wherein the calculating the trust value of each application program in the white list of application programs when running on the electronic device according to the set static trust metric model comprises:
after the electronic equipment is powered on and started and before the application program of the electronic equipment is started, carrying out hash operation on the integrity data of the application program to obtain a hash value, and calculating the credible value of each application program in the application program white list when the application program runs on the electronic equipment according to the hash value.
7. The method for assigning behavioral authority of an application program based on root-of-trust metric according to claim 1, wherein the calculating the trust value of each application program in the application program white list when running on the electronic device according to the set trusted computing model comprises:
and calculating the credibility value of each application program in the application program white list when the application program runs on the electronic equipment in real time according to the set dynamic measurement credibility mechanism.
8. The method for assigning behavioral authority of an application program based on root-of-trust metric according to claim 7, wherein the calculating the trust value of each application program in the white list of application programs when running on the electronic device in real time according to the set dynamic metric trust mechanism comprises:
after each application program is started, carrying out hash operation on the integrity data of each application program to obtain an operating system hash value; carrying out Hash operation on the integrity data of the application programs on the electronic equipment to obtain Hash values of the application programs; and calculating the credible value of each application program in the application program white list when the application program runs on the electronic equipment according to the hash value of each application program.
9. The method for assigning behavioral authority of an application program based on root-of-trust metric according to any one of claims 1-8, wherein the determining the matching degree of the real-time behavior data and the trusted behavior data to assign the behavioral authority to the application program according to the matching degree comprises:
determining the matching degree of the real-time behavior data and the credible behavior data;
and if the matching degree is greater than the set matching degree threshold value, distributing a behavior permission which can call the TEE environment API interface for any application program.
10. A computer storage medium having stored thereon a computer software program that, when executed, performs the method for assigning behavioral rights of an application based on root-of-trust metrics of any of claims 1-9.
11. An electronic device, comprising a memory and a processor, wherein the memory stores a computer software program, and the processor executes the computer software program to perform the following steps:
determining a plurality of trusted behavior data of the electronic equipment running each application program according to the trusted value of each application program in the application program white list to form a trusted behavior data rule base;
collecting real-time behavior data of any application program running on the electronic equipment in real time;
and determining the matching degree of the real-time behavior data and the credible behavior data so as to allocate the behavior authority to any application program according to the matching degree.
12. The electronic device according to claim 11, wherein the processor, after calculating the trust value of each application program in the application program white list when running on the electronic device according to the set trusted computing model, further generates a trusted metric log according to the calculated trust value of each application program in the application program white list, where the trusted metric log records a file called during the starting process of each application program and a corresponding trust value.
13. The electronic device of claim 12, wherein the processor, when determining, according to the trusted value of each application in the application white list, a plurality of trusted behavior data of the electronic device running the each application to form a trusted behavior data rule base, parses the trusted metric log to obtain a file called in the starting process of the each application and a corresponding trusted value, and determines, according to the file called in the starting process of the each application and the corresponding trusted value, a plurality of trusted behavior data of the electronic device running the each application to form a trusted behavior data rule base.
14. The electronic device of claim 11, wherein the processor, before executing the determining of the plurality of trusted behavior data of the electronic device running each application program according to the trusted value of each application program in the application program white list to form the trusted behavior data rule base, further calculates the trusted value of each application program in the application program white list when running on the electronic device according to the set trusted calculation model.
15. The electronic device of claim 14, wherein the processor calculates the trust value of each application program in the application white list when running on the electronic device according to the set static trust metric model when calculating the trust value of each application program in the application white list when running on the electronic device according to the set trust calculation model.
16. The electronic device according to claim 15, wherein the processor performs a hash operation on the integrity data of the application program to obtain a hash value when calculating the trust value of each application program in the application program white list when running on the electronic device according to the set static trust metric model after the electronic device is powered on and started and before the application program is started, and calculates the trust value of each application program in the application program white list when running on the electronic device according to the hash value.
17. The electronic device of claim 11, wherein the processor calculates the trust value of each application program in the application white list when running on the electronic device in real time according to the set dynamic metric trust mechanism when calculating the trust value of each application program in the application white list when running on the electronic device according to the set trusted calculation model.
18. The electronic device according to claim 14, wherein when the processor calculates, in real time, a trust value of each application program in the application program white list when running on the electronic device according to the set dynamic metric trust mechanism, after each application program is started, the processor performs a hash operation on integrity data of each application program to obtain an operating system hash value; carrying out Hash operation on the integrity data of the application programs on the electronic equipment to obtain Hash values of the application programs; and calculating the credible value of each application program in the application program white list when the application program runs on the electronic equipment according to the hash value of each application program.
19. The electronic device of any one of claims 11-18, wherein the processor, when determining a degree of matching between the real-time behavior data and the trusted behavior data to assign a behavior right to the any application according to the degree of matching, comprises:
determining the matching degree of the real-time behavior data and the credible behavior data;
and if the matching degree is greater than the set matching degree threshold value, distributing a behavior permission which can call the TEE environment API interface for any application program.
20. An apparatus for managing an application based on a root of trust metric, comprising:
the rule base forming unit is used for determining a plurality of credible behavior data of the electronic equipment running each application program according to the credible value of each application program in the application program white list so as to form a credible behavior data rule base;
the behavior data acquisition unit is used for acquiring real-time behavior data of any application program running on the electronic equipment in real time;
and the behavior authority distribution unit is used for determining the matching degree of the real-time behavior data and the credible behavior data so as to distribute the behavior authority to any application program according to the matching degree.
21. A blockchain system comprising a plurality of electronic devices according to any of claims 11-19, each electronic device serving as a blockchain node in the blockchain system.
22. The blockchain system of claim 21, wherein the same application white list is configured for all electronic devices in the blockchain system; or a custom application white list is configured for each electronic device in the blockchain system.
In the technical scheme of the embodiment of the application, a plurality of trusted behavior data of the electronic equipment running each application program are determined according to the trusted value of each application program in the application program white list to form a trusted behavior data rule base; real-time behavior data of any application program running on the electronic equipment is collected in real time; and the matching degree of the real-time behavior data and the trusted behavior data is determined, and a behavior authority is allocated to the application program according to the matching degree. As a result, a tampered application program cannot call the API (application programming interface) of the TEE (Trusted Execution Environment), the safety of a single electronic device is ensured, and the safety of the data system that uses the electronic device is finally ensured.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic flowchart of a method for assigning a behavior authority of an application based on a root-of-trust metric according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of a method for assigning a behavior authority of an application based on a root-of-trust metric according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of a method for assigning a behavior authority of an application based on a root-of-trust metric according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
Fig. 5 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an apparatus for managing an application based on a root-of-trust metric according to an embodiment of the present application;
Fig. 7 is the blockchain system architecture of the present application;
Fig. 8 is a schematic diagram of a computer storage medium according to an embodiment of the present application.
Detailed Description
It is not necessary for any particular embodiment of the invention to achieve all of the above advantages at the same time.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flowchart of a method for assigning a behavior authority of an application based on a root-of-trust metric according to an embodiment of the present application; as shown in fig. 1, it includes:
S101, determining a plurality of trusted behavior data of electronic equipment running each application program according to the trusted value of each application program in an application program white list to form a trusted behavior data rule base;
In this embodiment, the running states of all application programs on the electronic device are monitored to obtain their historical running conditions, and a white list is established from those conditions: application programs whose running states have been consistently normal and that have not been tampered with are recorded in the white list. The white list can record the names, execution paths, library files called during running, executable files and the like of these application programs.
In this embodiment, the credibility of the application program is directly reflected by the credibility value, and of course, the credibility is only a relative representation and is not an absolute representation.
In this embodiment, the trusted behavior data includes a function call relationship when the application program on the white list runs, a library file call relationship, running state information of the executable file, and the like.
In this embodiment, there may be a plurality of trusted behavior data of the blockchain node of each application program, and these trusted behavior data may be stored in a key-value pair manner or a list manner, as long as a corresponding relationship between the application program and the trusted behavior data can be established.
In this embodiment, in the forming of the trusted behavior data rule base, the trusted behavior rule base may be formed in a list form or a tree form, as long as a corresponding relationship between each application program and trusted behavior data can be established, and trusted behavior data corresponding to different application programs can be distinguished from each other.
S102, collecting real-time behavior data of any application program running on the electronic equipment in real time;
In this embodiment, the real-time behavior data of the application program is stored in a real-time behavior log, and the real-time behavior data of any application program is collected by parsing that log. The real-time behavior data includes the function call relationships, the library file call relationships, and the running state information of the executable file when the application program runs.
S103, determining the matching degree of the real-time behavior data and the credible behavior data, and distributing behavior permission to any application program according to the matching degree.
In this embodiment, the matching degree may be determined by directly comparing the real-time behavior data with the trusted behavior data. Further, a graph structure can be generated from the real-time behavior data and from the trusted behavior data, and the matching degree can be determined by directly comparing the graph structures. The greater the matching degree, the higher the assigned behavior permission. In this embodiment, the behavior permission may define the level at which the application program may call other library files or executable files: the greater the behavior permission, the higher the level of library files or executable files that can be called, and the smaller the behavior permission, the lower that level.
Fig. 2 is a schematic flowchart of a method for assigning a behavior authority of an application based on a root-of-trust metric according to an embodiment of the present application; as shown in fig. 2, it includes:
S201, generating a trusted measurement log according to the calculated trusted value of each application program in the application program white list, wherein the trusted measurement log records the files called in the starting process of each application program and the corresponding trusted values.
S202, determining a plurality of trusted behavior data of the electronic equipment running each application program according to the trusted value of each application program in the application program white list to form a trusted behavior data rule base;
Optionally, in step S202, determining, according to the trusted value of each application program in the application program white list, a plurality of trusted behavior data of the electronic device running each application program to form a trusted behavior data rule base may include:
S212, parsing the trusted measurement log to obtain the files called in the starting process of each application program and the corresponding trusted values;
S222, determining a plurality of trusted behavior data of the electronic equipment running each application program according to the files called in the starting process of each application program and the corresponding trusted values to form a trusted behavior data rule base.
In the embodiment, the credible behavior data is determined based on the called file and the corresponding hash value, so that the determined credible behavior data is more comprehensive and accurate, and the formed credible behavior data rule base is more effective.
S203, collecting real-time behavior data of any application program running on the electronic equipment in real time;
S204, determining the matching degree of the real-time behavior data and the trusted behavior data, and allocating a behavior authority to any application program according to the matching degree.
In this embodiment, for steps S203 and S204, refer to the corresponding steps of the related embodiments.
Fig. 3 is a schematic flowchart of a method for assigning behavior permission of an application based on a root-of-trust metric according to an embodiment of the present application; as shown in fig. 3, it includes:
S301, calculating the trusted value of each application program in the application program white list when the application program runs on the electronic equipment according to the set trusted calculation model.
Optionally, when the trusted value of each application program in the application program white list when running on the electronic device is calculated according to the set trusted calculation model, the trusted value of each application program in the application program white list when running on the electronic device may be calculated according to the set static trusted measurement model.
Further, the calculating a trust value of each application program in the application program white list when running on the electronic device according to the set static trust metric model may include: after the electronic equipment is powered on and started and before the application program of the electronic equipment is started, carrying out hash operation on the integrity data of the application program to obtain a hash value, and calculating the credible value of each application program in the application program white list when the application program runs on the electronic equipment according to the hash value.
Alternatively, the calculating the trust value of each application program in the application program white list when running on the electronic device according to the set trusted computing model may include: and calculating the credibility value of each application program in the application program white list when the application program runs on the electronic equipment in real time according to the set dynamic measurement credibility mechanism.
Optionally, the calculating, in real time, a trust value of each application program in the application program white list when running on the electronic device according to the set dynamic metric trust mechanism includes: after each application program is started, carrying out hash operation on the integrity data of each application program to obtain an operating system hash value; carrying out Hash operation on the integrity data of the application programs on the electronic equipment to obtain Hash values of the application programs; and calculating the credible value of each application program in the application program white list when the application program runs on the electronic equipment according to the hash value of each application program.
In this embodiment, the integrity data may include executable files and library files, which are stored in the form of a dynamic list so that they can be dynamically updated. The executable files and library files may be associated with system boot, configuration parameters, and the like.
Specifically, the executable files and library files may be the files that have the greatest influence on the calculation of the trusted value. There may be multiple executable files and multiple library files; a trusted value is calculated for each of them to obtain multiple trusted values, and the multiple trusted values are statistically combined to obtain a final trusted value, which serves as the trusted value of the application program. The magnitude of the trusted value reflects whether the executable files and library files are operating in a normal manner.
Hash processing is performed to obtain a hash value, which is compared with the standard hash value obtained by hashing the executable file and the library file when they have not been tampered with or abnormally executed, and the distance between the trusted value and the standard hash value is identified; the closer the distance, the more reliable or trusted the corresponding application program.
Specifically, the measurement can be performed by taking the execution path of the executable file and the library file as a unit, that is, the executable file and the library file on the same execution path are hashed at the same time, which reduces the time consumed by the trust measurement and improves its efficiency.
For example, when calculating the trusted value, the trusted value may be obtained by bringing the information bases of the behavior metrics and the traces of the executable file and the library file into the behavior action function to perform an expansion process; the calculation of the trusted value may be implemented in hardware or in software.
S302, generating a credibility measurement log according to the calculated credibility value of each application program in the application program white list, wherein the credibility measurement log records the file called in the starting process of each application program and the corresponding credibility value.
S303, analyzing the credibility measurement log to obtain the files called in the starting process of each application program and the corresponding trusted values; determining a plurality of trusted behavior data of the electronic device running each application program according to the files called in the starting process of each application program and the corresponding trusted values, so as to form a trusted behavior data rule base;
S304, collecting real-time behavior data of any application program running on the electronic device in real time;
S305, determining the matching degree of the real-time behavior data and the trusted behavior data, and allocating a behavior permission to the application program according to the matching degree.
In this embodiment, the same steps as those in the embodiment of fig. 1 are not described herein again.
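The static measurement and steps S302 to S305 above, sketched as runnable Python. This is an added illustration, not code from the patent. The binary per-file trusted value (a cryptographic digest either equals its reference or it does not), the mean as the statistical combination, Jaccard similarity as the matching degree, the 0.9 threshold, the `TEE_API_CALL` permission name and all file paths are assumptions.

```python
import hashlib
from typing import NamedTuple

MATCH_THRESHOLD = 0.9          # assumed; the page only says "set matching degree threshold"
TEE_API_CALL = "TEE_API_CALL"  # hypothetical permission name

class LogEntry(NamedTuple):
    app: str
    path: str
    digest: str
    trusted_value: float

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def measure(whitelist, disk, reference):
    """Static measurement + S302: hash each start-up file of each app and log it."""
    log = []
    for app, paths in whitelist.items():
        for path in paths:
            digest = sha256_hex(disk[path])
            # Assumption: binary per-file value, exact digest match or nothing.
            value = 1.0 if digest == reference.get(path) else 0.0
            log.append(LogEntry(app, path, digest, value))
    return log

def app_trusted_values(log):
    """Combine per-file values into one value per app (mean is an assumed statistic)."""
    per_app = {}
    for entry in log:
        per_app.setdefault(entry.app, []).append(entry.trusted_value)
    return {app: sum(vals) / len(vals) for app, vals in per_app.items()}

def build_rule_base(log, min_trusted=1.0):
    """S303: parse the log; keep the start-up profile of each fully trusted app."""
    values = app_trusted_values(log)
    rules = {}
    for entry in log:
        if values[entry.app] >= min_trusted:
            rules.setdefault(entry.app, set()).add((entry.path, entry.digest))
    return {app: frozenset(profile) for app, profile in rules.items()}

def observe(paths, disk):
    """S304: real-time behaviour data = (path, digest) of every file the app loads."""
    return frozenset((p, sha256_hex(disk[p])) for p in paths)

def matching_degree(observed, rule_base):
    """S305: best Jaccard similarity between the observation and any trusted profile."""
    best = 0.0
    for profile in rule_base.values():
        union = observed | profile
        if union:
            best = max(best, len(observed & profile) / len(union))
    return best

def allocate_permissions(observed, rule_base, threshold=MATCH_THRESHOLD):
    """Grant the TEE API permission only if the degree is strictly above the threshold."""
    degree = matching_degree(observed, rule_base)
    return degree, ({TEE_API_CALL} if degree > threshold else set())

# --- Constructed sample data (not from the page) ---
GOLDEN = {
    "/opt/wallet/bin/wallet": b"wallet-v1",
    "/opt/wallet/lib/libsign.so": b"libsign-v1",
    "/opt/sync/bin/sync": b"sync-v1",
    "/opt/sync/lib/libnet.so": b"libnet-v1",
}
REFERENCE = {path: sha256_hex(data) for path, data in GOLDEN.items()}
WHITELIST = {
    "wallet": ["/opt/wallet/bin/wallet", "/opt/wallet/lib/libsign.so"],
    "sync": ["/opt/sync/bin/sync", "/opt/sync/lib/libnet.so"],
}

def demo():
    # At measurement time one of sync's libraries no longer matches its reference,
    # so sync's trusted value drops and its profile stays out of the rule base.
    disk = {**GOLDEN, "/opt/sync/lib/libnet.so": b"libnet-modified"}
    log = measure(WHITELIST, disk, REFERENCE)
    rule_base = build_rule_base(log)
    clean = observe(WHITELIST["wallet"], disk)
    # Later the wallet's signing library is replaced on disk.
    disk["/opt/wallet/lib/libsign.so"] = b"libsign-modified"
    tampered = observe(WHITELIST["wallet"], disk)
    return {
        "trusted_values": app_trusted_values(log),
        "rule_base_apps": sorted(rule_base),
        "clean": allocate_permissions(clean, rule_base),
        "tampered": allocate_permissions(tampered, rule_base),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The unmodified wallet matches its own profile completely and receives the permission; once one of its two files changes, the degree falls to one third and the permission is withheld.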
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application; as shown in fig. 4, the electronic device comprises a memory 401 and a processor 402, wherein the memory stores a computer software program, and the processor executes the computer software program to perform the following steps:
determining a plurality of trusted behavior data of the electronic equipment running each application program according to the trusted value of each application program in the application program white list to form a trusted behavior data rule base;
collecting real-time behavior data of any application program running on the electronic equipment in real time;
and determining the matching degree of the real-time behavior data and the credible behavior data so as to allocate the behavior authority to any application program according to the matching degree.
Optionally, in an embodiment of the present application, after calculating, according to a set trusted computing model, a trusted value of each application program in an application program white list when running on an electronic device, the processor further generates, according to the calculated trusted value of each application program in the application program white list, a trusted metric log, where the trusted metric log records a file called in a starting process of each application program and a corresponding trusted value.
Optionally, in an embodiment of the present application, when determining, by the processor, a plurality of pieces of trusted behavior data of the electronic device running each application according to a trusted value of each application in a white list of applications to form a trusted behavior data rule base, the processor analyzes the trusted metric log to obtain a file called in a starting process of each application and a corresponding trusted value, and determines, according to the file called in the starting process of each application and the corresponding trusted value, a plurality of pieces of trusted behavior data of the electronic device running each application to form the trusted behavior data rule base.
Optionally, in an embodiment of the application, before determining, by the processor, a plurality of trusted behavior data of the electronic device running each application according to the trusted value of each application in the application white list to form a trusted behavior data rule base, the trusted value of each application in the application white list when running on the electronic device is further calculated according to a set trusted calculation model.
Optionally, in an embodiment of the application, when the processor calculates the trust value of each application program in the application program white list when running on the electronic device according to the set trusted computing model, the processor calculates the trust value of each application program in the application program white list when running on the electronic device according to the set static trust metric model.
Optionally, in an embodiment of the present application, when calculating, according to the set static confidence metric model, a confidence value of each application program in the application program white list when running on the electronic device, after the electronic device is powered on and started and before the application program is started, the processor performs a hash operation on the integrity data of the application program to obtain a hash value, and calculates, according to the hash value, a confidence value of each application program in the application program white list when running on the electronic device.
Optionally, in an embodiment of the present application, when calculating the trust value of each application program in the application program white list when running on the electronic device according to the set trusted computing model, the processor calculates the trust value of each application program in the application program white list when running on the electronic device in real time according to the set dynamic metric trust mechanism.
Optionally, in an embodiment of the present application, when the processor calculates, in real time, a trusted value of each application program in an application program white list when running on the electronic device according to a set dynamic measurement trusted mechanism, after each application program is started, the processor performs a hash operation on integrity data of each application program to obtain an operating system hash value; carrying out Hash operation on the integrity data of the application programs on the electronic equipment to obtain Hash values of the application programs; and calculating the credible value of each application program in the application program white list when the application program runs on the electronic equipment according to the hash value of each application program.
Optionally, in an embodiment of the present application, when determining a matching degree between the real-time behavior data and the trusted behavior data, and allocating a behavior right to the any application according to the matching degree, the processor includes:
determining the matching degree of the real-time behavior data and the credible behavior data;
and if the matching degree is greater than the set matching degree threshold value, distributing a behavior permission which can call the TEE environment API interface for any application program.
Fig. 5 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application; as shown in fig. 5, the hardware structure of the electronic device may include: a processor 501, a communication interface 502, a computer-readable medium 503, and a communication bus 504;
the processor 501, the communication interface 502 and the computer readable medium 503 are communicated with each other through a communication bus 504;
optionally, the communication interface 502 may be an interface of a communication module, such as an interface of a GSM module;
the processor 501 may be specifically configured to run a computer software program stored on the memory, so as to perform all or part of the processing steps of any of the above method embodiments.
The processor 501 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The electronic device of the embodiments of the present application exists in various forms, including but not limited to:
(1) Mobile communication devices, which are characterized by mobile communication capabilities and are primarily targeted at providing voice and data communications. Such terminals include smart phones (e.g., iPhones), multimedia phones, feature phones, and low-end phones, among others.
(2) Ultra-mobile personal computer devices, which belong to the category of personal computers, have calculation and processing functions and generally also have mobile internet access. Such terminals include PDA, MID, and UMPC devices, such as iPads.
(3) Portable entertainment devices, which may display and play multimedia content. Such devices include audio and video players (e.g., iPods), handheld game consoles, electronic books, as well as smart toys and portable car navigation devices.
(4) The server is similar to a general computer architecture, but has higher requirements on processing capability, stability, reliability, safety, expandability, manageability and the like because of the need of providing highly reliable services.
(5) And other electronic devices with data interaction functions.
FIG. 6 is a schematic structural diagram of an apparatus for managing an application based on a root-of-trust metric according to an embodiment of the present application; as shown in fig. 6, it includes:
a rule base forming unit 601, configured to determine, according to a trusted value of each application in an application white list, multiple pieces of trusted behavior data of an electronic device running the each application, so as to form a trusted behavior data rule base;
a behavior data collecting unit 602, configured to collect real-time behavior data of any application running on the electronic device in real time;
a behavior permission allocation unit 603, configured to determine a matching degree between the real-time behavior data and the trusted behavior data, and to allocate a behavior permission to the any application program according to the matching degree.
FIG. 7 is a block chain system architecture of the present application; as shown in fig. 7, the blockchain system includes a plurality of electronic devices as described in any embodiment of the present application, each electronic device serves as a blockchain node 701 in the blockchain system, and the same application white list is configured for all the electronic devices in the blockchain system; or configuring an application self-defined white list for each electronic device in the blockchain system.
For the case where all electronic devices in the blockchain system are configured with the same application white list, the embodiments of fig. 1 to 7 may be used. For the case where each electronic device in the blockchain system is configured with an application custom white list, all electronic devices in the blockchain system perform consensus processing on all application custom white lists according to a set consensus algorithm; when the trusted behavior data rule base is established, the plurality of trusted behavior data of the electronic device running each application is determined based on the application trusted values agreed on by all electronic devices, so that a uniform trusted behavior data rule base is established inside the blockchain system and the efficiency of application management is improved.
Here, it should be noted that any application running on the electronic device may or may not be an application in the white list. Since an application in the white list is trusted, its behavior data is also trusted, so trusted behavior data can be obtained; when an application that is not in the white list runs, the matching degree between its real-time behavior data and the trusted behavior data can be quickly determined with reference to the trusted behavior data. If the application is in the white list, it may nevertheless have been tampered with; in that case there is still a matching degree between its real-time behavior data and each trusted behavior data in the trusted behavior rule base. If the application has not been tampered with, its real-time behavior data completely matches one trusted behavior data in the trusted behavior rule base, that is, the matching degree may be considered to be 100%.
FIG. 8 is a schematic diagram of a computer storage medium according to an embodiment of the present application; as shown in fig. 8, the computer storage medium stores a computer software program that executes any of the methods for assigning behavior authority of an application based on root-of-trust metric according to the present application, where the method for assigning behavior authority of an application based on root-of-trust metric mainly includes the following steps:
determining a plurality of trusted behavior data of the electronic equipment running each application program according to the trusted value of each application program in the application program white list to form a trusted behavior data rule base;
collecting real-time behavior data of any application program running on the electronic equipment in real time;
and determining the matching degree of the real-time behavior data and the credible behavior data so as to allocate the behavior authority to any application program according to the matching degree. In particular, according to an embodiment of the present disclosure, the computer program comprises program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section, and/or installed from a removable medium. The computer program, when executed by a processing unit (CPU), performs the above-described functions defined in the method of the present application. It should be noted that the computer readable medium described herein can be a computer readable signal medium or a computer storage medium or any combination of the two. A computer storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of computer storage media may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. 
Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It should be noted that the same and similar parts in the various embodiments in this specification may be referred to each other, and each embodiment is mainly described as different from the other embodiments. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, they are described in a relatively simple manner, and reference may be made to some of the descriptions of the method embodiments for related points. The above-described embodiments of the apparatus and system are merely illustrative, and the modules illustrated as separate components may or may not be physically separate, and the components suggested as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only one specific embodiment of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A behavior authority distribution method for an application program based on a credible root measurement is characterized by comprising the following steps:
determining a plurality of trusted behavior data of the electronic equipment running each application program according to the trusted value of each application program in the application program white list to form a trusted behavior data rule base;
collecting real-time behavior data of any application program running on the electronic equipment in real time;
and determining the matching degree of the real-time behavior data and the credible behavior data so as to allocate the behavior authority to any application program according to the matching degree.
2. The method of claim 1, wherein the determining a plurality of trusted behavior data of the electronic device running each application according to the trusted value of each application in the application white list to form a trusted behavior data rule base comprises:
and generating a credibility measurement log according to the calculated credibility value of each application program in the application program white list, wherein the credibility measurement log records the file called in the starting process of each application program and the corresponding credibility value.
3. The method of claim 2, wherein the determining a plurality of trusted behavior data of the electronic device running each application according to the trusted value of each application in the application white list to form a trusted behavior data rule base comprises:
analyzing the credibility measurement log to obtain files called in the starting process of each application program and corresponding credibility values;
and determining a plurality of trusted behavior data of the electronic equipment running each application program according to the file called in the starting process of each application program and the corresponding trusted value so as to form a trusted behavior data rule base.
4. The method of claim 1, wherein the determining a plurality of trusted behavior data of the electronic device running each application according to the trusted value of each application in the application white list to form a trusted behavior data rule base comprises:
and calculating the credibility value of each application program in the application program white list when the application program runs on the electronic equipment according to the set credibility calculation model.
5. The method for assigning behavioral authority of an application program based on root-of-trust metric according to claim 4, wherein the calculating the trust value of each application program in the application program white list when running on the electronic device according to the set trusted computing model comprises:
and calculating the credibility value of each application program in the application program white list when the application program runs on the electronic equipment according to the set static credibility measurement model.
6. The method for assigning behavioral authority of an application program based on root-of-trust metric according to claim 3, wherein the calculating the trust value of each application program in the white list of application programs when running on the electronic device according to the set static trust metric model comprises:
after the electronic equipment is powered on and started and before the application program of the electronic equipment is started, carrying out hash operation on the integrity data of the application program to obtain a hash value, and calculating the credible value of each application program in the application program white list when the application program runs on the electronic equipment according to the hash value.
7. The method for assigning behavioral authority of an application program based on root-of-trust metric according to claim 1, wherein the calculating the trust value of each application program in the application program white list when running on the electronic device according to the set trusted computing model comprises:
and calculating the credibility value of each application program in the application program white list when the application program runs on the electronic equipment in real time according to the set dynamic measurement credibility mechanism.
8. The method for assigning behavioral authority of an application program based on root-of-trust metric according to any one of claims 1-8, wherein the determining the matching degree of the real-time behavior data and the trusted behavior data to assign the behavioral authority to the application program according to the matching degree comprises:
determining the matching degree of the real-time behavior data and the credible behavior data;
and if the matching degree is greater than the set matching degree threshold value, distributing a behavior permission which can call the TEE environment API interface for any application program.
9. An electronic device, comprising a memory and a processor, wherein the memory stores a computer software program, and the processor executes the computer software program to perform the following steps:
determining a plurality of trusted behavior data of the electronic equipment running each application program according to the trusted value of each application program in the application program white list to form a trusted behavior data rule base;
collecting real-time behavior data of any application running on the electronic device in real time;
and determining the matching degree of the real-time behavior data and the credible behavior data so as to allocate the behavior authority to any application program according to the matching degree.
10. An apparatus for managing an application based on a root of trust metric, comprising:
the rule base forming unit is used for determining a plurality of credible behavior data of the electronic equipment running each application program according to the credible value of each application program in the application program white list so as to form a credible behavior data rule base;
the behavior data acquisition unit is used for acquiring real-time behavior data of any application program running on the electronic equipment in real time;
and the behavior authority distribution unit is used for determining the matching degree of the real-time behavior data and the credible behavior data so as to distribute the behavior authority to any application program according to the matching degree.
CN202011133552.1A 2020-10-21 2020-10-21 Behavior authority distribution method and device for application program based on credible root measurement and related products Pending CN112214759A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011133552.1A CN112214759A (en) 2020-10-21 2020-10-21 Behavior authority distribution method and device for application program based on credible root measurement and related products

Publications (1)

Publication Number Publication Date
CN112214759A true CN112214759A (en) 2021-01-12

Family

ID=74056405

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination