CN113849819B - Method, device, computer equipment and storage medium for processing command line instruction - Google Patents
Method, device, computer equipment and storage medium for processing command line instruction Download PDFInfo
- Publication number
- CN113849819B CN113849819B CN202111120817.9A CN202111120817A CN113849819B CN 113849819 B CN113849819 B CN 113849819B CN 202111120817 A CN202111120817 A CN 202111120817A CN 113849819 B CN113849819 B CN 113849819B
- Authority
- CN
- China
- Prior art keywords
- instruction
- command line
- content container
- configuration file
- matching
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 33
- 238000012545 processing Methods 0.000 title claims description 22
- 238000004590 computer program Methods 0.000 claims description 28
- 238000004806 packaging method and process Methods 0.000 claims description 14
- 238000003672 processing method Methods 0.000 abstract description 9
- 238000010586 diagram Methods 0.000 description 6
- 230000008569 process Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 3
- 230000006399 behavior Effects 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 238000012423 maintenance Methods 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 230000001360 synchronised effect Effects 0.000 description 2
- 238000004422 calculation algorithm Methods 0.000 description 1
- 238000001914 filtration Methods 0.000 description 1
- 238000011990 functional testing Methods 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000013515 script Methods 0.000 description 1
- 238000007789 sealing Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Abstract
The application relates to a command line instruction processing method, a device, computer equipment and a storage medium. The method comprises the following steps: creating a protected content container; acquiring a command line instruction executable by a user from a configuration file, and loading the command line instruction into a content container; receiving an input current instruction, and matching and identifying the current instruction and a command line instruction in a content container; and carrying out information feedback according to the result of the matching identification. The method can protect the operating system and prevent information leakage by limiting the command line instructions executable by the user.
Description
Technical Field
The present invention relates to the field of command line processing technologies, and in particular, to a method, an apparatus, a computer device, and a storage medium for processing command line instructions.
Background
With the progress of technology in the current society, the network speed is faster and faster, and the mobile phone and the computer bring countless convenience and entertainment to users. And the back-end service of the application program of each mobile device and the computer corresponds to one or more servers for service deployment and application maintenance. Currently, most servers use a Unix operating system or Unix-like operating system. Although the operating systems of most servers support interfacing operations, such as centos, ubuntu, in order to reduce the overhead of system resources and facilitate batch operations, most servers use command lines and scripts to perform business operations and deployments, and their command line operations are almost indisputable.
In Unix operating systems or Unix-like operating systems, application services are operated and deployed in a command line mode, so that great potential safety hazards such as misoperation and information leakage are brought while operation is facilitated, and particularly, superadministrators such as a Unix-like operating system root, admin, superuser exist, almost all command line instructions can be executed, all files are operated, and the potential safety hazard is great.
Traditional ways to solve such safety hazards are: the access capability of the user is limited by not allowing the user to use certain functions, information or access specific system resources and the like, so that the aim of forced access control is fulfilled. For example, when using menu restrictions, the options provided to the user are commands that the user can execute. For example, if an administrator wishes for a user to execute only one program, that program is the only valid option on the menu. This way the functionality of the user is limited.
Therefore, conventionally, by configuring the Unix operating system or the mandatory access control tool in the Unix-like operating system, the behavior of the user can be limited, and the server is protected from being damaged by an attacker. However, the mandatory access control tool, the default policy, is not enough to protect the server operating system, and the configuration process of adding policies is rather complex, requiring a very high level of expertise.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a command line instruction processing method, apparatus, computer device, and storage medium that can achieve protection of an operating system by restricting command line instructions executable by a user without using a mandatory access control tool, and prevent information leakage.
A method of processing command line instructions, comprising: creating a protected content container; acquiring a command line instruction executable by a user from a configuration file, and loading the command line instruction into a content container; receiving an input current instruction, and matching and identifying the current instruction and a command line instruction in a content container; and carrying out information feedback according to the result of the matching identification.
In one embodiment, the content container is an enclave container implemented based on instruction set extension SGX.
In one embodiment, a method for processing a command line instruction further includes: in the tolerant mode, receiving a command line instruction through a trusted application program interface; storing the command line instructions to a configuration file; obtaining a command line instruction executable by a user from a configuration file comprises the following steps: user-executable command line instructions are obtained from the configuration file in the forced mode.
In one embodiment, storing command line instructions to a configuration file includes: storing the command line instructions into an instruction set of the content container; in the tolerant mode, encrypting the instruction set by using a packaging key in the content container, and storing the encrypted instruction set into a configuration file; obtaining user-executable command line instructions from a configuration file in a forced mode, including: loading the encrypted instruction set in the configuration file into a content container in a forced mode; decrypting the encrypted instruction set by using the content container packaging key, and obtaining the command line instruction in the instruction set after decrypting.
In one embodiment, matching and identifying the current instruction with the command line instruction in the content container includes: when the current instruction is monitored by the monitoring program of the content container, the current instruction is matched and identified with the command line instruction in the content container.
In one embodiment, the information feedback according to the result of the matching recognition includes: acquiring identification information generated by a content container according to a matching identification result; and carrying out information feedback based on the identification information.
In one embodiment, the information feedback based on the identification information includes: if the identification information represents that the current instruction is successfully matched with the command line instruction, information feedback for executing the current instruction is carried out; if the identification information indicates that the matching of the current instruction and the command line instruction fails, information feedback for prompting that the current instruction is illegal is carried out.
A command line instruction processing apparatus, comprising: a creation module for creating a protected content container; the loading module is used for acquiring a command line instruction executable by a user from the configuration file and loading the command line instruction into the content container; the identification module is used for receiving an input current instruction, and matching and identifying the current instruction and a command line instruction in the content container; and the feedback module is used for carrying out information feedback according to the result of the matching identification.
A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of any of the methods of the embodiments described above when the computer program is executed by the processor.
A computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method of any of the embodiments described above.
The processing method, the processing device, the computer equipment and the storage medium of the command line instruction create a protected content container; acquiring a command line instruction executable by a user from a configuration file, and loading the command line instruction into a content container; receiving an input current instruction, and matching and identifying the current instruction and a command line instruction in a content container; and carrying out information feedback according to the result of the matching identification. Therefore, the command line instruction is loaded into the protected content container, the current instruction and the command line instruction are subjected to matching identification operation in the protected content container, and the external program cannot access the protected content container, so that the external program cannot acquire the command line instruction and the matching rule of the current instruction and the command line instruction, the command line instruction is well protected, the user executable command can be limited, and the safety of an operating system is further ensured.
Drawings
FIG. 1 is an application environment diagram of a method of processing command line instructions in one embodiment;
FIG. 2 is a flow chart illustrating a method for processing command line instructions according to one embodiment;
FIG. 3 is a diagram of a management module for a server command line management binary executable according to one embodiment;
FIG. 4 is a diagram of a server command line management architecture for a server command line management binary executable in one embodiment;
FIG. 5 is a block diagram of a command line instruction processing apparatus in one embodiment;
fig. 6 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
In the existing mode of controlling server command line management by using a server command line management tool, access control is performed through a black-and-white list policy of user executable instructions. However, the server has a lot of users and a lot of services, and it is difficult to manually configure the complete black-and-white list instruction, so that the normal service instruction fails to execute.
The server command line management tool SCLM (Server Command Line Management) is used for realizing the purpose of limiting the executable commands of the user based on the one-to-one correspondence between the user and the server command line management binary program in the user space so as to achieve the purpose of protecting the operating system. However, if the server command line management binary program is in the user space, an attacker can infinitely try, and if the server command line management binary program has security holes such as buffer overflow or other application programs running in the current system have security holes, the attacker can modify the internal logic of the binary program in an attack mode such as buffer overflow, so as to break command line management restriction.
According to the command line instruction processing method, management of the command line of the server can be achieved without using a server command line management tool SCLM, so that the behavior of a user is limited, and the server is protected from being damaged by an attacker.
The method for processing the command line command can be applied to an application environment shown in fig. 1. The server cluster 102 is used to implement a command line instruction processing method of the present application. Specifically, server cluster 102 creates a protected content container, obtains user-executable command line instructions from a configuration file, and loads the command line instructions into the content container. The server cluster 102 receives the current instruction input by the terminal 104, performs matching identification on the current instruction and the command line instruction in the content container, and performs information feedback according to the matching identification result. The feedback information may be sent to the terminal 104 according to the result of the matching identification, so that the user can learn the processing result of the input current instruction in the terminal 104. The server cluster 102 may also employ a single server. The terminal 104 may be a notebook computer, desktop computer, cell phone, or the like.
In one embodiment, as shown in fig. 2, a method for processing command line instructions is provided, and the method is applied to the server cluster 102 in fig. 1 for illustration, and includes the following steps:
s202, creating a protected content container.
In this embodiment, the protected content container refers to a protected area divided in the address space of the application program. The protected content container provides confidentiality and integrity protection for the code and data within it from malware having special rights. The protected content container may be an enclave container implemented based on instruction set extension SGX, among others. Instruction set extension SGX is a new extension of Intel architecture, and a new set of instruction sets and memory access mechanisms are added to the original architecture. These extensions allow an application to implement a container called enclave. An enclave container refers to a protected execution environment that can provide Jiang Anquan isolation based on a cryptographic algorithm for sensitive and confidential data therein, preventing an untrusted entity from accessing a user's digital assets.
S204, acquiring a command line instruction executable by a user from the configuration file, and loading the command line instruction into the content container.
In this embodiment, command line instructions executable by the user are stored in the configuration file in advance. User-executable command line instructions refer to the commands by which a user can interact with the system to control the system for business operations and deployments. Wherein the user-executable command line instructions may be server command line instructions.
S206, receiving the input current instruction, and matching and identifying the current instruction and the command line instruction in the content container.
In this embodiment, an instruction matching rule is set in the content container, and program codes corresponding to the instruction matching operation are set. When an input current instruction is received, the current instruction is transmitted into the content container, program codes in the content container are started, and the program codes are executed so as to match and identify the current instruction and a command line instruction in the content container. The matching identification mode may be: comparing the current instruction with the command line instruction in the content container, and if the comparison result shows that the current instruction is the same as the command line instruction in the content container, determining that the matching identification result is successful. Otherwise, if the comparison result shows that the current instruction is not the same as the command line instruction in the content container, the result of the matching identification is determined to be the matching failure.
For example, the content container is an enclave container implemented based on instruction set extension SGX. The command line instruction is a server command line instruction. The method comprises the steps of setting a core code for executing a current instruction which is received and input in an enclaspe container and a core code for executing matching identification of the current instruction and a command line instruction in a content container, and placing the core codes of the two parts in the enclaspe container, so that even if privileged applications such as a virtual machine monitor Hypervisor, a basic input output system BIOS, an operating system and the like cannot randomly access the core codes of the two parts under the protection of an instruction set extension SGX enclaspe technology, the matching process of the command line instruction of a server is a black box for an attacker, the internal details cannot be detected, the security holes of other application programs cannot be detected, and the internal logic of a server command line management binary program cannot be modified, thereby limiting the commands executable by a user, and further ensuring the security of the operating system.
And S208, information feedback is carried out according to the result of the matching identification.
In this embodiment, the result of the matching recognition includes a matching failure and a matching success. A match failure refers to the current instruction failing to match a command line instruction in the content container. A successful match refers to the current instruction matching the command line instruction in the content container. When information feedback is carried out based on the result of matching identification, if matching fails, information representing the failure of matching is fed back, and if matching is successful, information representing the success of matching is fed back.
The processing method of the command line instruction creates a protected content container; acquiring a command line instruction executable by a user from a configuration file, and loading the command line instruction into a content container; receiving an input current instruction, and matching and identifying the current instruction and a command line instruction in a content container; and carrying out information feedback according to the result of the matching identification. Therefore, the command line instruction is loaded into the protected content container, the current instruction and the command line instruction are subjected to matching identification operation in the protected content container, and the external program cannot access the protected content container, so that the external program cannot acquire the command line instruction and the matching rule of the current instruction and the command line instruction, the command line instruction is well protected, the user executable command can be limited, and the safety of an operating system is further ensured.
In one embodiment, before the step of obtaining the command line instruction executable by the user from the configuration file, the method further includes: in the tolerant mode, receiving a command line instruction through a trusted application program interface; the command line instructions are stored to a configuration file. The step of obtaining the command line instruction executable by the user from the configuration file comprises the following steps: user-executable command line instructions are obtained from the configuration file in the forced mode.
In this embodiment, the tolerant mode represents a system kernel operation and does not actually restrict data access. The forced mode represents the system kernel in operation and limits access to data. The command line instruction acquisition operation is performed before the actual application is entered, that is, before the step of acquiring the command line instruction executable by the user from the configuration file is entered. Specifically, in the tolerant mode, command line instructions are received through the trusted application program interface and stored to the configuration file. In actual application, user-executable command line instructions are obtained from the configuration file in a forced mode. Therefore, the command line command which can be executed by the user can be automatically collected, and the problem of failure in executing the normal service command caused by incomplete configuration of the manual configuration black-and-white list command is solved.
In one embodiment, the step of storing the command line instruction in the configuration file includes: storing the command line instructions into an instruction set of the content container; in the tolerant mode, the instruction set is encrypted using the package key in the content container and the encrypted instruction set is stored to the configuration file. The step of obtaining the command line instruction executable by the user from the configuration file in the forced mode comprises the following steps: loading the encrypted instruction set in the configuration file into a content container in a forced mode; decrypting the encrypted instruction set by using the content container packaging key, and obtaining the command line instruction in the instruction set after decrypting.
In this embodiment, the command line instructions are encrypted before they are stored in the configuration file. Specifically, in the tolerant mode, the instruction set is encrypted using the package key in the content container and the encrypted instruction set is stored to the configuration file. When the command line command executable by the user is obtained, the command line command needs to be decrypted. Specifically, the encrypted instruction set in the configuration file is loaded to a content container in a forced mode, the encrypted instruction set is decrypted by using a content container packaging key, and a command line instruction in the instruction set is obtained after decryption. Thus, the security of the user-executable command line instructions can be further ensured.
In one embodiment, the step of matching and identifying the current instruction with the command line instruction in the content container includes: when the current instruction is monitored by the monitoring program of the content container, the current instruction is matched and identified with the command line instruction in the content container.
In this embodiment, a monitor program is provided in the content container, the monitor program being for monitoring whether an input current instruction is received. If yes, triggering the operation of matching and identifying the current instruction and the command line instruction in the content container. If the content container is in a monitoring state, after receiving the current instruction input by the user through the trusted API interface, traversing the instruction set of the content container, and returning a mark whether the current instruction can be executed. Therefore, the matching identification operation of the current instruction can be automatically performed.
In one embodiment, the step of feeding back information according to the result of the matching identification includes: acquiring identification information generated by a content container according to a matching identification result; and carrying out information feedback based on the identification information.
In one embodiment, the information feedback based on the identification information includes: if the identification information represents that the current instruction is successfully matched with the command line instruction, information feedback for executing the current instruction is carried out; if the identification information indicates that the matching of the current instruction and the command line instruction fails, information feedback for prompting that the current instruction is illegal is carried out.
In this embodiment, the content container generates identification information based on the result of the matching recognition. The identification information is used to characterize the result of the matching recognition. If the identification information is 0, the matching of the current instruction and the command line instruction in the content container is successful, and the current instruction can be executed. When the identification information is-1, the current instruction is failed to be matched with the command line instruction in the content container, and the current instruction cannot be executed. And executing the current instruction when the current instruction is determined to be successfully matched with the command line instruction based on the identification information. Otherwise, the current instruction is not legal. Thus, the current instruction may be automatically executed or may be prompted to be illegal.
For a method for processing command line instructions in the above embodiment, a specific implementation manner is given below:
the command line command is a server command line command, and a server command line management binary executable program is set for executing a processing method of the command line command. As shown in fig. 3, the server command line manages the binary executable program, and can be generally divided into four modules, namely an instruction loading module, an acquisition input module, an instruction learning and matching module and a result executing module. Wherein:
1. an instruction loading module: in the process of starting the program, an enclaspe is created, the program of the instruction learning and matching module is loaded into the enclaspe, the integrity and the legality of the program are checked, and the program of the instruction learning and matching module is started to be executed. The instruction loading module loads the command line instruction which is stored in the configuration file and configured in the configuration file and can be executed by the user into the enclaspe, decrypts the command line instruction by using the sealing key of the enclaspe, loads the command line instruction which is executed by the user after decryption into a black-and-white list set of the instruction, and completes the loading initialization work of the instruction set.
2. And an acquisition input module: the method can acquire the current instruction input by the user, analyze the current instruction into a form which can be identified by the instruction learning and matching module, and transmit the analyzed current instruction to the instruction learning and matching module.
3. Instruction learning and matching module: the server command line management tool is a core functional module of the server command line management tool and is divided into two working modes of a forgiving mode and a forced mode:
1) In the early stage, when operation and maintenance personnel and testers perform functional test and automatic test, the program is set to be in a tolerant mode, at the moment, the instruction learning and matching module is in a learning state, user instructions transmitted by the acquisition input module are received and acquired through the trusted API interface and recorded into an instruction set, the collection work of the instruction set is completed, the verification and filtration of the user instructions are not performed in the stage, and all the user instructions can be executed. The user instructions at this stage may be user-executable command line instructions.
2) And in the tolerant mode, updating the instruction set in the enclave, encrypting the updated instruction set by using a packaging key in the enclave, and then storing the encrypted instruction set in a configuration file to realize the encryption storage of the instruction set in the configuration file, wherein only the enclave has access.
3) And after the instruction learning and matching module receives the current instruction input by the user of the acquisition input module through the trusted API interface, traversing the instruction set, returning a mark of whether the current instruction can be executed or not to the result execution module, specifically returning 0 to indicate success, being executable, and returning-1 to indicate failure and being unable to be executed.
4) As shown in FIG. 4, the instruction learning and matching module is put into SGX leave protection, so that even though privileged applications such as Hypervisor, BIOS and an operating system cannot access the code of the instruction matching module at will, the instruction matching rule is modified, the matching process of the server command line instruction is a black box for an attacker, the internal details cannot be ascertained, and the internal logic of the server command line management binary program cannot be modified through security holes of other application programs, thereby limiting the commands executable by a user and further ensuring the security of the operating system.
4. The result execution module receives a current instruction input by a user of the input module and an execution mark returned by the instruction learning and matching module through an untrusted API interface, if the execution mark bit is 0, the current instruction input by the user is executed, and the instruction return result is displayed; if the execution flag bit is-1, the current instruction input by the user is not legal, and the input instruction is requested to be input again.
According to the command line command processing method, the user command is automatically collected through the program, and the problem that normal service command execution fails due to incomplete configuration of a manually configured black-and-white list command is solved. Meanwhile, a preset user-executable command line command can be loaded in a program starting stage, so that the requirement of manually controlling the user command is met. Meanwhile, the core code logic of the instruction learning and matching module is placed in the SGX enclaspe for protection, and the matching rule and the instruction set are invisible to the outside and only show as a black box with an instruction matching function to the outside, so that the server command line management program is well protected, and the purposes of protecting an operating system and preventing information leakage are achieved by limiting the executable commands of a user.
It should be understood that, although the steps in the flowchart are shown in sequence as indicated by the arrows, the steps are not necessarily performed in sequence as indicated by the arrows. The steps are not strictly limited to the order of execution unless explicitly recited herein, and the steps may be executed in other orders. Moreover, at least a portion of the steps in the flowcharts may include a plurality of sub-steps or stages that are not necessarily performed at the same time, but may be performed at different times, the order in which the sub-steps or stages are performed is not necessarily sequential, and may be performed in turn or alternately with at least a portion of the sub-steps or stages of other steps or other steps.
In one embodiment, as shown in FIG. 5, a command line instruction processing apparatus is provided that includes a creation module 502, a loading module 504, an identification module 506, and a feedback module 508. A creation module 502 for creating a protected content container; a loading module 504, configured to obtain a command line instruction executable by a user from the configuration file, and load the command line instruction into the content container; the identifying module 506 is configured to receive an input current instruction, and match and identify the current instruction with a command line instruction in the content container; and the feedback module 508 is used for carrying out information feedback according to the result of the matching identification.
In one embodiment, the content container is an enclave container implemented based on instruction set extension SGX.
In one embodiment, the processing device of command line instructions further includes a memory module configured to receive command line instructions through the trusted application program interface in the tolerant mode; the command line instructions are stored to a configuration file. Obtaining a command line instruction executable by a user from a configuration file comprises the following steps: user-executable command line instructions are obtained from the configuration file in the forced mode.
In one embodiment, storing command line instructions to a configuration file includes: storing the command line instructions into an instruction set of the content container; in the tolerant mode, the instruction set is encrypted using the package key in the content container and the encrypted instruction set is stored to the configuration file. Obtaining user-executable command line instructions from a configuration file in a forced mode, including: loading the encrypted instruction set in the configuration file into a content container in a forced mode; decrypting the encrypted instruction set by using the content container packaging key, and obtaining the command line instruction in the instruction set after decrypting.
In one embodiment, matching and identifying the current instruction with the command line instruction in the content container includes: when the current instruction is monitored by the monitoring program of the content container, the current instruction is matched and identified with the command line instruction in the content container.
In one embodiment, the information feedback according to the result of the matching recognition includes: acquiring identification information generated by a content container according to a matching identification result; and carrying out information feedback based on the identification information.
In one embodiment, the information feedback based on the identification information includes: if the identification information represents that the current instruction is successfully matched with the command line instruction, information feedback for executing the current instruction is carried out; if the identification information indicates that the matching of the current instruction and the command line instruction fails, information feedback for prompting that the current instruction is illegal is carried out.
For specific limitations on the processing means of command line instructions, reference may be made to the above limitations on the processing method of command line instructions, and no further description is given here. The various modules in the command line instruction processing apparatus described above may be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 6. The computer device includes a processor, a memory, a network interface, and a database connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The network interface of the computer device is used for being connected with an external terminal so as to receive the current instruction input by the terminal. The computer program, when executed by a processor, implements a method of processing command line instructions.
It will be appreciated by those skilled in the art that the structure shown in fig. 6 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the steps of when executing the computer program: creating a protected content container; acquiring a command line instruction executable by a user from a configuration file, and loading the command line instruction into a content container; receiving an input current instruction, and matching and identifying the current instruction and a command line instruction in a content container; and carrying out information feedback according to the result of the matching identification.
In one embodiment, the content container is an enclave container implemented based on instruction set extension SGX.
In one embodiment, the processor, when executing the computer program, performs the steps of: in the tolerant mode, receiving a command line instruction through a trusted application program interface; storing the command line instructions to a configuration file; when the processor executes the computer program to realize the steps of acquiring the command line instruction executable by the user from the configuration file, the following steps are specifically realized: user-executable command line instructions are obtained from the configuration file in the forced mode.
In one embodiment, when the processor executes the computer program to implement the above steps of storing command line instructions in a configuration file, the following steps are specifically implemented: storing the command line instructions into an instruction set of the content container; in the tolerant mode, encrypting the instruction set by using a packaging key in the content container, and storing the encrypted instruction set into a configuration file; when the processor executes the computer program to realize the step of acquiring the command line instruction executable by the user from the configuration file in the forced mode, the following steps are specifically realized: loading the encrypted instruction set in the configuration file into a content container in a forced mode; decrypting the encrypted instruction set by using the content container packaging key, and obtaining the command line instruction in the instruction set after decrypting.
In one embodiment, when the processor executes the computer program to implement the step of matching and identifying the current instruction with the command line instruction in the content container, the following steps are specifically implemented: when the current instruction is monitored by the monitoring program of the content container, the current instruction is matched and identified with the command line instruction in the content container.
In one embodiment, when the processor executes the computer program to implement the above step of feeding back information according to the result of the matching identification, the following steps are specifically implemented: acquiring identification information generated by a content container according to a matching identification result; and carrying out information feedback based on the identification information.
In one embodiment, when the processor executes the computer program to implement the above step of feeding back information based on the identification information, the following steps are specifically implemented: if the identification information represents that the current instruction is successfully matched with the command line instruction, information feedback for executing the current instruction is carried out; if the identification information indicates that the matching of the current instruction and the command line instruction fails, information feedback for prompting that the current instruction is illegal is carried out.
In one embodiment, a computer readable storage medium is provided having a computer program stored thereon, which when executed by a processor, performs the steps of: creating a protected content container; acquiring a command line instruction executable by a user from a configuration file, and loading the command line instruction into a content container; receiving an input current instruction, and matching and identifying the current instruction and a command line instruction in a content container; and carrying out information feedback according to the result of the matching identification.
In one embodiment, the content container is an enclave container implemented based on instruction set extension SGX.
In one embodiment, the computer program when executed by a processor performs the steps of: in the tolerant mode, receiving a command line instruction through a trusted application program interface; storing the command line instructions to a configuration file; when the computer program is executed by the processor to realize the steps of acquiring the command line instruction executable by the user from the configuration file, the following steps are specifically realized: user-executable command line instructions are obtained from the configuration file in the forced mode.
In one embodiment, when the computer program is executed by the processor to implement the steps of storing command line instructions into a configuration file, the following steps are specifically implemented: storing the command line instructions into an instruction set of the content container; in the tolerant mode, encrypting the instruction set by using a packaging key in the content container, and storing the encrypted instruction set into a configuration file; when the computer program is executed by the processor to realize the steps of acquiring the command line instruction executable by the user from the configuration file in the forced mode, the following steps are specifically realized: loading the encrypted instruction set in the configuration file into a content container in a forced mode; decrypting the encrypted instruction set by using the content container packaging key, and obtaining the command line instruction in the instruction set after decrypting.
In one embodiment, when the computer program is executed by the processor to implement the step of matching and identifying the current instruction in the content container with the command line instruction in the content container, the following steps are specifically implemented: when the current instruction is monitored by the monitoring program of the content container, the current instruction is matched and identified with the command line instruction in the content container.
In one embodiment, when the computer program is executed by the processor to implement the above step of feeding back information according to the result of the matching identification, the following steps are specifically implemented: acquiring identification information generated by a content container according to a matching identification result; and carrying out information feedback based on the identification information.
In one embodiment, when the computer program is executed by the processor to implement the above steps of feeding back information based on the identification information, the following steps are specifically implemented: if the identification information represents that the current instruction is successfully matched with the command line instruction, information feedback for executing the current instruction is carried out; if the identification information indicates that the matching of the current instruction and the command line instruction fails, information feedback for prompting that the current instruction is illegal is carried out.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous Link DRAM (SLDRAM), memory bus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the invention. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application is to be determined by the claims appended hereto.
Claims (8)
1. A method of processing command line instructions, the method comprising:
creating a protected content container;
in the tolerant mode, receiving a command line instruction through a trusted application program interface;
storing the command line instruction to a configuration file;
acquiring the command line instruction executable by a user from the configuration file, and loading the command line instruction into the content container;
receiving an input current instruction, and matching and identifying the current instruction and the command line instruction in the content container;
information feedback is carried out according to the matching recognition result;
the obtaining the command line instruction executable by the user from the configuration file includes:
acquiring the command line instruction executable by the user from the configuration file in a forced mode;
the storing the command line instruction to the configuration file includes:
storing the command line instructions into an instruction set of the content container;
encrypting the instruction set by using a packaging key in the content container in the tolerant mode, and storing the encrypted instruction set into the configuration file;
the step of obtaining the command line instruction executable by the user from the configuration file in the forced mode comprises the following steps:
loading the encrypted instruction set in the configuration file to the content container in a forced mode;
and decrypting the encrypted instruction set by using the content container packaging key, and obtaining the command line instruction in the instruction set after decryption.
2. The method of claim 1, wherein the content container is an enclave container implemented based on instruction set extension SGX.
3. The method of claim 1, wherein said matching the current instruction with the command line instruction in the content container comprises:
and when the current instruction is monitored by the monitoring program of the content container, matching and identifying the current instruction and the command line instruction in the content container.
4. The method according to claim 1, wherein the information feedback based on the result of the matching recognition comprises:
acquiring identification information generated by the content container according to the matching identification result;
and carrying out information feedback based on the identification information.
5. The method of claim 4, wherein the information feedback based on the identification information comprises:
if the identification information represents that the current instruction is successfully matched with the command line instruction, information feedback for executing the current instruction is carried out;
and if the identification information indicates that the matching of the current instruction and the command line instruction fails, information feedback for prompting that the current instruction is illegal is performed.
6. A command line instruction processing apparatus, the apparatus comprising:
a creation module for creating a protected content container;
the loading module is used for receiving a command line instruction through a trusted application program interface in a tolerant mode, storing the command line instruction into a configuration file, acquiring the command line instruction executable by a user from the configuration file, and loading the command line instruction into the content container;
the identification module is used for receiving an input current instruction, and carrying out matching identification on the current instruction and the command line instruction in the content container;
the feedback module is used for carrying out information feedback according to the matching recognition result;
the obtaining the command line instruction executable by the user from the configuration file includes:
acquiring the command line instruction executable by the user from the configuration file in a forced mode;
the storing the command line instruction to the configuration file includes:
storing the command line instructions into an instruction set of the content container;
encrypting the instruction set by using a packaging key in the content container in the tolerant mode, and storing the encrypted instruction set into the configuration file;
the step of obtaining the command line instruction executable by the user from the configuration file in the forced mode comprises the following steps:
loading the encrypted instruction set in the configuration file to the content container in a forced mode;
and decrypting the encrypted instruction set by using the content container packaging key, and obtaining the command line instruction in the instruction set after decryption.
7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method according to any one of claims 1 to 5 when the computer program is executed by the processor.
8. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method according to any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111120817.9A CN113849819B (en) | 2021-09-24 | 2021-09-24 | Method, device, computer equipment and storage medium for processing command line instruction |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111120817.9A CN113849819B (en) | 2021-09-24 | 2021-09-24 | Method, device, computer equipment and storage medium for processing command line instruction |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113849819A CN113849819A (en) | 2021-12-28 |
| CN113849819B true CN113849819B (en) | 2023-07-14 |
Family
ID=78979680
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111120817.9A Active CN113849819B (en) | 2021-09-24 | 2021-09-24 | Method, device, computer equipment and storage medium for processing command line instruction |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113849819B (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110245004A (en) * | 2019-06-13 | 2019-09-17 | 深圳前海微众银行股份有限公司 | Command executing method, device, equipment and computer readable storage medium |
| CN110874263A (en) * | 2019-11-06 | 2020-03-10 | 北京宝兰德软件股份有限公司 | Method and device for monitoring instances of docker container |
| CN111259412A (en) * | 2020-01-09 | 2020-06-09 | 远景智能国际私人投资有限公司 | Authority control method and device, computer equipment and storage medium |
| CN111680288A (en) * | 2020-06-10 | 2020-09-18 | 深圳前海微众银行股份有限公司 | Command execution method, device and equipment for container and storage medium |
-
2021
- 2021-09-24 CN CN202111120817.9A patent/CN113849819B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110245004A (en) * | 2019-06-13 | 2019-09-17 | 深圳前海微众银行股份有限公司 | Command executing method, device, equipment and computer readable storage medium |
| CN110874263A (en) * | 2019-11-06 | 2020-03-10 | 北京宝兰德软件股份有限公司 | Method and device for monitoring instances of docker container |
| CN111259412A (en) * | 2020-01-09 | 2020-06-09 | 远景智能国际私人投资有限公司 | Authority control method and device, computer equipment and storage medium |
| WO2021141543A1 (en) * | 2020-01-09 | 2021-07-15 | Envision Digital International Pte. Ltd. | Method and apparatus for authority control, computer device and storage medium |
| CN111680288A (en) * | 2020-06-10 | 2020-09-18 | 深圳前海微众银行股份有限公司 | Command execution method, device and equipment for container and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113849819A (en) | 2021-12-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11416605B2 (en) | Trusted execution environment instances licenses management | |
| EP2913956B1 (en) | Management control method and device for virtual machines | |
| AU2012337403B2 (en) | Cryptographic system and methodology for securing software cryptography | |
| US9424430B2 (en) | Method and system for defending security application in a user's computer | |
| KR101176646B1 (en) | System and method for protected operating system boot using state validation | |
| CN109918919A (en) | Authenticate the management of variable | |
| US20160275019A1 (en) | Method and apparatus for protecting dynamic libraries | |
| WO2011148224A1 (en) | Method and system of secure computing environment having auditable control of data movement | |
| Suciu et al. | Horizontal privilege escalation in trusted applications | |
| CN108985096B (en) | Security enhancement and security operation method and device for Android SQLite database | |
| US11704442B2 (en) | Instance handling of a trusted execution environment | |
| US11122079B1 (en) | Obfuscation for high-performance computing systems | |
| CN113849819B (en) | Method, device, computer equipment and storage medium for processing command line instruction | |
| CN110674525A (en) | Electronic equipment and file processing method thereof | |
| CN113127141B (en) | Container system management method and device, terminal equipment and storage medium | |
| US20230058046A1 (en) | Apparatus and Method for Protecting Shared Objects | |
| Jacob et al. | faultpm: Exposing amd ftpms’ deepest secrets | |
| CN113177222A (en) | Dynamic library processing method and device, electronic equipment and storage medium | |
| Renard | Practical iOS apps hacking | |
| CN111814137A (en) | Operation and maintenance method and system of terminal and storage medium | |
| CN111753263A (en) | Non-inductive encryption and decryption method based on macOS system | |
| CN111475844A (en) | Data sharing method, device, equipment and computer readable storage medium | |
| Sun et al. | An active android application repacking detection approach | |
| US20210224392A1 (en) | Tri-Level Secure Separation Kernel | |
| US11784978B2 (en) | Method for establishing remote work environment to ensure security of remote work user terminal and apparatus using the same |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |