CN113987468A - Security check method and security check device - Google Patents

Security check method and security check device

Info

Publication number
CN113987468A
Authority
CN
China
Prior art keywords
file
path
website server
white list
condition
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111229446.8A
Other languages
Chinese (zh)
Inventor
闫海林
张茜
苏建明
蒋家堂
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN202111229446.8A
Publication of CN113987468A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application provides a security check method and a security check device, relates to the field of information security, and aims to perform security checks at the points where sensitive information is acquired and propagated, so that leakage of sensitive information from a website server is prevented and the security of the website server is improved. The method is applied to a website server running a Linux operating system and comprises the following steps: when creation of a first process is detected, acquiring the parent process identifier of the first process; judging whether the parent process identifier is equal to the software process identifier in the website server; if the parent process identifier is equal to the software process identifier, acquiring the file path of the first process; judging whether the file path of the first process belongs to a first white list; and running the first process if the file path of the first process belongs to the first white list.

Description

Security check method and security check device
Technical Field
The present disclosure relates to the field of information security, and in particular, to a security inspection method and a security inspection apparatus.
Background
A web server refers to a computer that provides web services. The web server may run a Linux operating system and the web server software and application software may run in the operating system. The user can access the website server through application software such as a browser and the like to acquire data provided by the website.
For example, a website server open to the Internet can be accessed by any user. If files on the website server may be read by any user and the server may run application software of any kind, an attacker can exploit these weaknesses to steal sensitive information from the website server or take control of it, so that sensitive information leaks and the security of the website server is compromised.
Disclosure of Invention
The application provides a security check method and a security check device, which are used for performing security check in the process of acquiring and spreading sensitive information, are beneficial to preventing the sensitive information in a website server from being leaked, and improve the security of the website server.
In a first aspect, the present application provides a security check method, applied to a website server deployed with a Linux operating system, which includes: when creation of a first process is detected, acquiring the parent process identifier of the first process; judging whether the parent process identifier is equal to the software process identifier in the website server; if the parent process identifier is equal to the software process identifier, acquiring the file path of the first process; judging whether the file path of the first process belongs to a first white list; and running the first process if the file path of the first process belongs to the first white list.
According to the security check method provided by the embodiment of the application, the security check is performed on the first process at program run time: the first process is run when its parent process identifier equals the software process identifier in the website server and its file path belongs to the first white list. Checking the parent process identifier and the file path of the first process in this way prevents leakage of sensitive information from the website server and improves its security.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: the first process is run in the event that the parent process identification is not equal to the software process identification.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: and under the condition that the file path of the first process does not belong to the first white list, forbidding the first process to run.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: when a first request for opening a first file is detected, acquiring the authority requested by the first request; judging whether the permission requested by the first request comprises a reading permission or not; acquiring a path of a first file under the condition that the authority requested by the first request comprises a reading authority; judging whether the path of the first file belongs to a second white list or not; and opening the first file under the condition that the path of the first file belongs to the second white list.
According to the security check method provided by the embodiment of the application, a security check is performed when a file is opened: the first file is opened when the permission requested by the first request for opening it includes read permission and the path of the first file belongs to the second white list. Checking the permission requested by the first request and the path of the first file in this way prevents leakage of sensitive information from the website server and improves its security.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: in the event that the requested permission of the first request does not include a read permission, the first file is opened.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: and in the case that the path of the first file does not belong to the second white list, forbidding opening the first file.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: when a second request for sending the first message is detected, acquiring the content of the first message; judging whether the content of the first message belongs to a blacklist or not; and in the case that the content of the first message does not belong to the blacklist, sending the first message.
According to the security check method provided by the embodiment of the application, the security check is performed on the message sending, the first message is sent under the condition that the content of the first message does not belong to the blacklist, and the security check is performed on the content of the first message, so that the leakage of sensitive information in the website server is prevented, and the security of the website server is improved.
In a second aspect, the present application provides a security check apparatus, which includes an obtaining module, a judging module and a processing module. The obtaining module is configured to acquire the parent process identifier of a first process when creation of the first process is detected; the judging module is configured to judge whether the parent process identifier is equal to the software process identifier in the website server; the obtaining module is further configured to acquire the file path of the first process if the parent process identifier is equal to the software process identifier; the judging module is further configured to judge whether the file path of the first process belongs to a first white list; and the processing module is configured to run the first process if the file path of the first process belongs to the first white list.
With reference to the second aspect, in some implementations of the second aspect, the processing module is further configured to: the first process is run in the event that the parent process identification is not equal to the software process identification.
With reference to the second aspect, in some implementations of the second aspect, the processing module is further configured to: and under the condition that the file path of the first process does not belong to the first white list, forbidding the first process to run.
With reference to the second aspect, in some implementations of the second aspect, the obtaining module is further configured to: when a first request for opening a first file is detected, acquiring the authority requested by the first request; the judging module is further configured to: judging whether the permission requested by the first request comprises a reading permission or not; the acquisition module is further configured to: acquiring a path of a first file under the condition that the authority requested by the first request comprises a reading authority; the judging module is further configured to: judging whether the path of the first file belongs to a second white list or not; the processing module is further configured to: and opening the first file under the condition that the path of the first file belongs to the second white list.
With reference to the second aspect, in some implementations of the second aspect, the processing module is further configured to: in the event that the requested permission of the first request does not include a read permission, the first file is opened.
With reference to the second aspect, in some implementations of the second aspect, the processing module is further configured to: and in the case that the path of the first file does not belong to the second white list, forbidding opening the first file.
With reference to the second aspect, in some implementations of the second aspect, the obtaining module is further configured to: when a second request for sending the first message is detected, acquiring the content of the first message; the judging module is further used for judging whether the content of the first message belongs to a blacklist; the device further comprises a sending module, wherein the sending module is used for: and in the case that the content of the first message does not belong to the blacklist, sending the first message.
In a third aspect, the present application provides a security check device comprising a processor and a memory. The processor is configured to read instructions stored in the memory to perform the method of any one of the possible implementations of the first aspect.
Optionally, there are one or more processors and one or more memories.
Alternatively, the memory may be integrated with the processor, or provided separately from the processor.
In a specific implementation process, the memory may be a non-transient memory, such as a Read Only Memory (ROM), which may be integrated on the same chip as the processor, or may be separately disposed on different chips.
The security check apparatus in the third aspect may be a chip, and the processor may be implemented by hardware or software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory, which may be integrated with the processor, located external to the processor, or stand-alone.
In a fourth aspect, the present application provides a computer-readable medium storing a computer program (which may also be referred to as code, or instructions) which, when executed on a computer, causes the computer to perform the method of any of the possible implementations of any of the above aspects.
In a fifth aspect, the present application provides a computer program product comprising: computer program (also called code, or instructions), which when executed, causes a computer to perform the method of any of the possible implementations of the first aspect described above.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic flow chart of a security inspection method provided in an embodiment of the present application;
FIG. 2 is a schematic flow chart diagram of another security check method provided by an embodiment of the present application;
FIG. 3 is a schematic flow chart diagram of another security check method provided in the embodiments of the present application;
fig. 4 is a schematic block diagram of a security inspection apparatus according to an embodiment of the present application;
fig. 5 is a schematic block diagram of another security inspection apparatus provided in an embodiment of the present application.
With the above figures, there are shown specific embodiments of the present application, which will be described in more detail below. These drawings and written description are not intended to limit the scope of the inventive concepts in any manner, but rather to illustrate the inventive concepts to those skilled in the art by reference to specific embodiments.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
For the convenience of understanding the embodiments of the present application, the related terms in the embodiments of the present application will be described first.
1. Linux operating system
Linux (in full, GNU/Linux) is a general-purpose Unix-like operating system that is free to use and free to redistribute. It is based on the Portable Operating System Interface (POSIX) and supports multiple threads and multiple central processing units (CPUs).
The Linux operating system can run Unix tools, application software and network protocols, and supports 32-bit and 64-bit hardware. Linux inherits the network-centric design of Unix and is a stable, multi-user network operating system.
2. Linux Security Module
The Linux Security Module (LSM) framework is a security access-control framework provided by the Linux kernel. It supports "restrictive" access-control decisions (a hook can deny an operation that the kernel's ordinary permission checks would allow, but cannot grant one they deny), and a developer completes the relevant security verification by implementing the functions of predefined hook points.
Once developed, an LSM is compiled together with the kernel and runs in kernel mode. When a user process attempts an operation such as reading or writing a file, running a program or transmitting over the network, the corresponding hook function, if implemented, is called to perform the security check, decide whether the current request conforms to the security policy, and allow or reject it.
3. Website server
A website server (web server) is a server in an Internet data center that stores a website. It is mainly used to publish and run websites on the Internet and is part of the basic infrastructure of network applications.
The web server may have several features as follows:
1) the web server only provides "authorized" data to the user, i.e., the user cannot freely access any file data in the web server.
2) The website server only needs to run the programs required for the normal operation and the daily operation and maintenance of the website; not running any other program does not affect the normal operation of the server.
3) The website server only needs to read and write the specific directory when running.
4. Socket (socket)
A socket is an abstraction layer between the application layer and the transport layer. It abstracts the complex operations of the transmission control protocol/internet protocol (TCP/IP) stack into a few simple interfaces that application-layer processes call to communicate over the network.
5. Security baseline
A security baseline is a detailed description of how a computer is configured and managed. It establishes the trusted components of a computer and describes all of the configuration settings needed for the computer to operate securely.
Elements of the security baseline include:
1) service and application settings, such as: only the designated user has the right to start a service or run an application.
2) Configuration of operating system components, for example: all sample files of the Internet Information Services (IIS) themselves must be deleted from the computer.
3) Rights and rights assignments, such as: only the administrator has the right to change operating system files.
4) Management rules, for example: the administrator password on the computer is changed every 30 days.
The website server may run a Linux operating system and the website server software and application software may run in the operating system. The website server software may be weblogic software and the like, and the application software may be any software allowing access to the website server. For example, a user may access a website server through application software such as a browser to obtain data provided by a website.
For example, a website server open to the Internet can be accessed by any user. If files on the website server may be read arbitrarily and the server may run application software of any kind, an attacker can exploit these weaknesses to steal sensitive information from the website server or take control of it, so that sensitive information leaks, the security of the website server is compromised and the user experience suffers.
The sensitive information may include a key stored in the website server, network card and interface information of the Linux operating system, data of the Linux operating system during software running, and the like.
For example, an attacker crafts a piece of application software that carries a virus; when the website server runs this software, the attacker can obtain sensitive information from the website server through it, so that the sensitive information leaks.
Illustratively, files in the website server are allowed to be read arbitrarily, and an attacker can acquire sensitive information in the website server by reading the files in the website server, so that the sensitive information in the website server is leaked.
Currently, a website server may perform network traffic analysis based on a host-based intrusion detection system (HIDS), and block or alarm potential threats included in the network traffic.
Specifically, an agent (agent) may be deployed in the web server, and the agent may be configured to detect a security state of the web server, and may detect an abnormal operation behavior for a network traffic in an environment of the web server. After the agent is deployed in the website server, the agent needs to communicate with the system server, so that unified management is facilitated.
In this approach the agent focuses on detecting intrusion behaviour, so by the time an intrusion is detected in the network traffic of the website server environment the sensitive information may already have leaked. Moreover, in a large and complex website server environment every website server must have an agent deployed and connected to the system server, which means many deployment operations and may introduce the risk of access across a Virtual Local Area Network (VLAN).
In view of this, in the field of information security, embodiments of the present application provide a security inspection method and a security inspection apparatus, which perform security inspection in the process of acquiring and propagating sensitive information, so as to prevent leakage of the sensitive information in a web server and improve security of the web server.
Before describing the security inspection method and security inspection apparatus provided in the embodiments of the present application, the following description is made.
First, the first, second and various numerical numbers in the embodiments shown below are merely for convenience of description and are not intended to limit the scope of the embodiments of the present application. E.g., to distinguish between different whitelists, to distinguish between different messages, etc.
Second, "at least one" means one or more, "a plurality" means two or more. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone, wherein A and B can be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, and c, may represent: a, or b, or c, or a and b, or a and c, or b and c, or a, b and c, wherein a, b and c can be single or multiple.
Fig. 1 is a schematic flow chart of a security check method 100 according to an embodiment of the present application, where the method 100 may be applied to a website server deployed with a Linux operating system.
The web server may implement the method 100 based on the Linux security module described above.
For example, the website server may implement the method 100 through the task_alloc and bprm_set_creds hook functions of the LSM framework.
The method 100 may include the steps of:
S101, when creation of the first process is detected, acquiring the parent process identifier of the first process.
The first process is a process created when the website server runs a program. When the website server detects that the first process has been created, the parent process identifier of the first process can be obtained from the struct task_struct parameter of the task_alloc hook function.
It should be understood that each process has a unique process identifier (PID), represented as a non-negative integer.
A process may be created by another process; the creating process is the parent process and the created process is the child process. The first process is a child process.
The processes admitted as first processes may be limited to the minimum set of commands required for the website's normal operation, excluding non-essential commands that attackers frequently use (e.g., ifconfig).
S102, judging whether the father process identification is equal to the software process identification in the website server.
And the software process identification in the website server is the process identification of the website server software. If the website server software is weblogic, the software process identifier in the website server is the process identifier of weblogic.
One or more pieces of website server software may exist, and the embodiment of the present application is not limited to this.
When there are a plurality of web server software, the software process identification in the web server may be the process identification of the plurality of web server software.
The website server judges whether the parent process identifier is equal to the software process identifier in the website server, that is, whether the first process was created by a process of the website server software.
S103, acquiring a file path of the first process under the condition that the parent process identifier is equal to the software process identifier.
The first process is a process when the website server runs the program, and the file path of the first process is the program file path run by the website server.
If the parent process identifier is equal to the software process identifier, that is, if the first process was created by a process of the website server software, the website server may acquire the file path of the first process from the struct linux_binprm parameter of the bprm_set_creds hook function.
Optionally, the first process is run if the parent process identifier is not equal to the software process identifier.
If the parent process identifier is not equal to the software process identifier, that is, if the first process was not created by a process of the website server software, the first process is run.
S104, judging whether the file path of the first process belongs to a first white list.
The first white list includes a plurality of file paths. The file path in the first white list is preset. Illustratively, the file path in the first white list may be determined by an administrator of the web server or based on a security baseline.
The website server judges whether the file path of the first process belongs to a first white list, namely whether a plurality of file paths in the first white list comprise the file path of the first process.
When the plurality of file paths in the first white list include the file path of the first process, the website server may determine that the first process is unlikely to have a security vulnerability; when the plurality of file paths in the first white list do not include the file path of the first process, the website server may determine that the first process may have a security vulnerability.
S105, running the first process when the file path of the first process belongs to the first white list.
In the case that the file path of the first process belongs to the first white list, that is, the plurality of file paths in the first white list include the file path of the first process, the website server may run the first process.
Optionally, in a case that the file path of the first process does not belong to the first white list, the first process is prohibited from running.
In the case that the file path of the first process does not belong to the first white list, that is, the plurality of file paths in the first white list do not include the file path of the first process, the web server may prohibit the first process from running.
Optionally, the first white list may also be a first black list, and the website server may determine whether the file path of the first process belongs to the first black list, and prohibit the first process from running under the condition that the file path of the first process belongs to the first black list; and running the first process under the condition that the file path of the first process does not belong to the first blacklist.
According to the security check method provided by the embodiment of the application, the security check is performed on the first process at program run time: the first process is run when its parent process identifier equals the software process identifier in the website server and its file path belongs to the first white list. Checking the parent process identifier and the file path of the first process in this way prevents leakage of sensitive information from the website server and improves its security.
Fig. 2 is a schematic flow chart of another security check method 200 provided in an embodiment of the present application, where the method 200 may be applied to a website server deployed with a Linux operating system.
The web server may implement the method 200 based on the Linux security module described above.
For example, the website server may implement the method 200 through the file_permission hook function of the LSM framework.
The method 200 may include the steps of:
S201, when a first request to open a first file is detected, acquiring the permission requested by the first request.
The first request for opening the first file may be requested by a user using a web server, may be requested by an attacker, or may be requested by the process executed in the method 100, which is not limited in this embodiment of the application.
The files admitted as first files may be limited to the minimum set required for the website's normal operation and may exclude certain system files (e.g., proc).
The permission requested by the first request may include read permission, write permission and execute permission; the embodiment of the present application does not limit this.
When the website server detects a first request to open a first file, it may obtain the permission requested by the first request from the mask parameter of the file_permission hook function.
For example, the permission requested by the first request, as acquired by the website server, includes read permission and write permission.
S202, judging whether the authority requested by the first request comprises a reading authority.
S203, acquiring a path of the first file under the condition that the authority requested by the first request comprises the reading authority.
The path of the first file is the path under which the first file is stored in the website server, for example, D:\central data\persistent integration project\data and sharing.
When the permission requested by the first request includes the reading permission, the website server may acquire the path of the first file through the struct file argument of the file_permission hook function.
Optionally, in case the requested rights of the first request do not include read rights, the first file is opened.
Under the condition that the permission requested by the first request does not include the reading permission, the website server can judge that opening the first file is unlikely to leak its contents (the check targets reading, that is, leakage of sensitive information, rather than modification), and can open the first file.
And S204, judging whether the path of the first file belongs to a second white list.
The second white list includes a plurality of paths. The paths in the second whitelist are preset. Illustratively, the paths in the second white list may be determined by an administrator of the web server or based on a security baseline.
The website server judges whether the path of the first file belongs to a second white list, namely whether a plurality of paths in the second white list comprise the path of the first file.
When the plurality of paths in the second white list include the path of the first file, the website server may determine that the first file is less likely to have a security vulnerability; when the plurality of paths in the second white list do not include the path of the first file, the website server may determine that the first file has a security vulnerability.
S205, opening the first file under the condition that the path of the first file belongs to the second white list.
In the case where the path of the first file belongs to the second white list, i.e., the plurality of paths in the second white list include the path of the first file, the web server may open the first file.
Optionally, in a case that the path of the first file does not belong to the second white list, opening of the first file is prohibited.
In the case where the path of the first file does not belong to the second white list, i.e., the plurality of paths in the second white list does not include the path of the first file, the web server may prohibit the first file from being opened.
Optionally, the second white list may also be a second black list, and the website server may determine whether the path of the first file belongs to the second black list, and prohibit opening the first file when the path of the first file belongs to the second black list; and open the first file under the condition that the path of the first file does not belong to the second black list.
According to the security check method provided by the embodiment of the application, a security check is performed on the opening of a file: the first file is opened under the condition that the authority requested by the first request for opening the first file comprises the reading authority and the path of the first file belongs to the second white list. Because the security check covers both the authority requested by the first request and the path of the first file, leakage of sensitive information in the website server is prevented, and the security of the website server is improved.
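The decision of steps S201 to S205, as an added example that is not code from the patent: a user-space C model of what a file_permission hook does with its mask and path arguments. The MAY_READ/MAY_WRITE/MAY_EXEC values are the ones the Linux kernel passes to this hook; the whitelist entries, the function names, the dot-segment check and the sample requests are assumptions made for this example, and in a real module the path string would come from d_path() on the struct file argument rather than from a caller.

```c
/* Added example, not code from the patent: a user-space model of the
 * decision a file_permission LSM hook takes in method 200 (S201-S205).
 * MAY_* values are the kernel's; the whitelist, names and sample
 * requests are assumptions made for this example. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAY_EXEC  0x1
#define MAY_WRITE 0x2
#define MAY_READ  0x4

#define ALLOW 0
#define DENY  (-13)   /* -EACCES, what a real hook would return to deny */

/* Second whitelist (S204): directories the web server may read from.
 * Constructed for this example; every entry is absolute and ends in '/'. */
static const char *const second_white_list[] = {
    "/var/www/html/",
    "/etc/nginx/",
    "/usr/share/zoneinfo/",
};

/* Reject '.' or '..' path components. d_path() never emits them, but a
 * path taken from any other source must be checked before prefix matching. */
static bool has_dot_segment(const char *path)
{
    const char *p = path;
    while ((p = strchr(p, '/')) != NULL) {
        p++;
        if (p[0] == '.' && (p[1] == '/' || p[1] == '\0'))
            return true;
        if (p[0] == '.' && p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
            return true;
    }
    return false;
}

/* Prefix match. The trailing '/' on each entry stops
 * "/var/www/html-backup/db.sql" from matching "/var/www/html". */
static bool path_in_second_white_list(const char *path)
{
    size_t n = sizeof second_white_list / sizeof second_white_list[0];
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(second_white_list[i]);
        if (strncmp(path, second_white_list[i], len) == 0)
            return true;
    }
    return false;
}

/* One open request: `mask` is the hook's mask argument, `path` the string
 * d_path() would give for the struct file argument. */
int file_open_decision(int mask, const char *path)
{
    /* S202 and the optional branch of S203: no read requested, nothing can leak. */
    if (!(mask & MAY_READ))
        return ALLOW;

    /* S203: a usable path is absolute and free of dot segments. */
    if (path == NULL || path[0] != '/' || has_dot_segment(path))
        return DENY;

    /* S204/S205: reading is allowed only under a whitelisted directory. */
    return path_in_second_white_list(path) ? ALLOW : DENY;
}

int main(void)
{
    const struct { int mask; const char *path; } reqs[] = {
        { MAY_READ,             "/var/www/html/index.html" },
        { MAY_READ | MAY_WRITE, "/var/www/html/index.html" },
        { MAY_READ,             "/proc/self/maps" },
        { MAY_READ,             "/var/www/html-backup/db.sql" },
        { MAY_READ,             "/var/www/html/../../etc/shadow" },
        { MAY_WRITE,            "/tmp/upload.tmp" },
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("mask=%d %-34s -> %s\n", reqs[i].mask, reqs[i].path,
               file_open_decision(reqs[i].mask, reqs[i].path) == ALLOW ? "allow" : "deny");
    return 0;
}
```

The prefix match relies on every whitelist entry ending in a slash and on the path being canonical. The kernel's d_path() yields a canonical path, but a whitelist that compares strings from any other source is bypassed by `..` segments or by a sibling directory sharing the prefix, which is why the example checks both; note also that a write-only open passes without any path check, so this method guards reading, not tampering.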
Fig. 3 is a schematic flow chart of another security check method 300 provided in an embodiment of the present application, where the method 300 may be applied to a website server deployed with a Linux operating system.
The web server may implement the method 300 based on the Linux security module described above.
Illustratively, the website server may implement the method 300 through the socket_sendmsg hook function of the LSM.
The method 300 may include the steps of:
S301, when a second request for sending the first message is detected, the content of the first message is obtained.
The first message may be a socket message.
The second request for sending the first message may be requested by a user using a web server, may be requested by an attacker, and may also be requested by the method 100 or the method 200, which is not limited in this embodiment of the application.
When detecting the second request for sending the first message, the web server may obtain the content of the first message, for example, the content of the first message is a process identifier, a memory map, or a stack.
S302, whether the content of the first message belongs to a blacklist is judged.
The blacklist includes a plurality of information, such as process identifier, memory map, stack, and the like. The number of information in the blacklist is not limited in the embodiment of the application.
The information in the black list is preset. Illustratively, the information in the blacklist may be determined by an administrator of the website server or based on a security baseline.
The information in the black list may be changed dynamically, i.e. the information in the black list may be added or subtracted dynamically.
Illustratively, an administrator of the web server may add information in a blacklist to prevent further messaging.
Illustratively, based on the security baseline, the website server may reduce the information in the blacklist: when the website server determines, based on the security baseline, that an item in the blacklist is not sensitive, it may delete that item from the blacklist, keeping the blacklist as small as possible without opening a security hole.
The website server judges whether the content of the first message belongs to a blacklist, namely whether a plurality of information in the blacklist comprises the content of the first message.
When the plurality of information in the blacklist includes the content of the first message, the website server may determine that the first message has a security vulnerability; when the plurality of information in the blacklist does not include the content of the first message, the website server may determine that the first message is unlikely to have a security vulnerability.
S303, under the condition that the content of the first message does not belong to the blacklist, the first message is sent.
In the case where the content of the first message does not belong to the blacklist, i.e., the web server determines that the plurality of information in the blacklist does not include the content of the first message, the first message may be transmitted.
Optionally, in case the content of the first message belongs to a blacklist, sending of the first message is prohibited.
In the case where the content of the first message belongs to the blacklist, i.e. the web server determines that the plurality of information in the blacklist includes the content of the first message, the sending of the first message may be prohibited.
According to the security check method provided by the embodiment of the application, the security check is performed on the message sending, the first message is sent under the condition that the content of the first message does not belong to the blacklist, and the security check is performed on the content of the first message, so that the leakage of sensitive information in the website server is prevented, and the security of the website server is improved.
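The check of steps S301 to S303, as an added example that is not the patent's code: a user-space C model of the content test a socket_sendmsg hook applies to one outgoing payload. In the kernel the payload sits in the user-space iovecs of the struct msghdr the hook receives and has to be copied in before it can be scanned; here the bytes are passed directly. The blacklist markers (strings that occur in /proc/<pid>/maps and /proc/<pid>/status), the per-socket carry-over and the sample messages are assumptions made for this example.

```c
/* Added example, not code from the patent: a user-space model of the
 * content check a socket_sendmsg LSM hook applies in method 300 (S301-S303).
 * The blacklist markers, the per-socket carry-over and the sample payloads
 * are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

#define ALLOW 0
#define DENY  (-1)   /* a real hook would return -EPERM */

/* Blacklist (S302): byte patterns that identify the three kinds of information
 * the text names. Constructed: "[stack]" and "[heap]" appear in
 * /proc/<pid>/maps, "Pid:", "PPid:" and "VmStk:" in /proc/<pid>/status. */
static const char *const black_list[] = {
    "[stack]", "[heap]", "Pid:", "PPid:", "VmStk:",
};
#define LONGEST_PATTERN 7   /* strlen("[stack]") */

/* Per-socket state: the tail of the previous payload, one byte shorter than
 * the longest pattern, so a marker split across two calls is still seen and
 * a marker already reported cannot be reported again without new bytes. */
struct sock_state {
    char carry[LONGEST_PATTERN - 1];
    size_t carry_len;
};

static bool contains_pattern(const char *buf, size_t len, const char *pat)
{
    size_t plen = strlen(pat);
    if (plen > len)
        return false;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0)
            return true;
    return false;
}

/* Decision for one sendmsg call on the socket described by `st`.
 * buf/len is the payload of the first message, already copied from user space. */
int sendmsg_decision(struct sock_state *st, const char *buf, size_t len)
{
    size_t wlen = st->carry_len + len;
    char *window = malloc(wlen ? wlen : 1);
    if (window == NULL)
        return DENY;                     /* fail closed */
    memcpy(window, st->carry, st->carry_len);
    memcpy(window + st->carry_len, buf, len);

    bool hit = false;
    size_t n = sizeof black_list / sizeof black_list[0];
    for (size_t i = 0; i < n && !hit; i++)
        hit = contains_pattern(window, wlen, black_list[i]);

    /* Keep the tail for the next call, since the hook sees each call separately. */
    size_t keep = wlen < sizeof st->carry ? wlen : sizeof st->carry;
    memcpy(st->carry, window + wlen - keep, keep);
    st->carry_len = keep;

    free(window);
    return hit ? DENY : ALLOW;           /* S303, or the optional prohibit step */
}

int main(void)
{
    struct sock_state st = {0};
    const char *msgs[] = {
        "HTTP/1.1 200 OK\r\n\r\n<html>ok</html>",                 /* constructed, benign */
        "7ffd3c1e0000-7ffd3c201000 rw-p 00000000 00:00 0   [sta", /* maps line, first half */
        "ck]\n",                                                  /* second half */
    };
    for (size_t i = 0; i < sizeof msgs / sizeof msgs[0]; i++)
        printf("msg %zu -> %s\n", i,
               sendmsg_decision(&st, msgs[i], strlen(msgs[i])) == ALLOW ? "send" : "blocked");
    return 0;
}
```

A scan of each call in isolation misses a marker split across two sendmsg calls, so the example keeps the last six bytes of every payload per socket and scans them together with the next one. A blacklist of this kind matches only the literal form of the information: an encoded or compressed copy of the same memory map passes, which is the usual limit of content-based egress checks.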
The methods 100, 200, and 300 described above may all be performed by a web server. In one possible implementation, the website server may perform any one of the methods 100, 200 or 300, i.e., the website server may use the methods 100, 200 or 300 independently.
In another possible implementation, the web server may perform at least two of the methods 100, 200, or 300 described above. Illustratively, the website server may perform the above-described method 100 and method 200. Alternatively, the website server may perform the methods 100, 200, and 300 described above.
The sequence numbers of the above processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not be limited in any way to the implementation process of the embodiments of the present application.
The security inspection method provided by the embodiment of the present application is described in detail above with reference to fig. 1 to 3, and the security inspection apparatus provided by the embodiment of the present application is described in detail below with reference to fig. 4 and 5.
Fig. 4 illustrates a security inspection apparatus 400 according to an embodiment of the present application. The apparatus 400 comprises: an acquisition module 410, a determination module 420, and a processing module 430. Wherein the obtaining module 410 is configured to: when detecting that the first process is created, acquiring a parent process identifier of the first process; the determining module 420 is configured to: judging whether the father process identification is equal to the software process identification in the website server or not; the obtaining module 410 is further configured to: under the condition that the father process identification is equal to the software process identification, acquiring a file path of a first process; the determining module 420 is further configured to: judging whether a file path of a first process belongs to a first white list or not; the processing module 430 is configured to: and running the first process under the condition that the file path of the first process belongs to the first white list.
Optionally, the processing module 430 is further configured to: the first process is run in the event that the parent process identification is not equal to the software process identification.
Optionally, the processing module 430 is further configured to: and under the condition that the file path of the first process does not belong to the first white list, forbidding the first process to run.
Optionally, the obtaining module 410 is further configured to: when a first request for opening a first file is detected, acquiring the authority requested by the first request; the determining module 420 is further configured to: judging whether the permission requested by the first request comprises a reading permission or not; the obtaining module 410 is further configured to: acquiring a path of a first file under the condition that the authority requested by the first request comprises a reading authority; the determining module 420 is further configured to: judging whether the path of the first file belongs to a second white list or not; the processing module 430 is further configured to: and opening the first file under the condition that the path of the first file belongs to the second white list.
Optionally, the processing module 430 is further configured to: in the event that the requested permission of the first request does not include a read permission, the first file is opened.
Optionally, the processing module 430 is further configured to: and in the case that the path of the first file does not belong to the second white list, forbidding opening the first file.
Optionally, the obtaining module 410 is further configured to: when a second request for sending the first message is detected, acquiring the content of the first message; the determining module 420 is further configured to: judging whether the content of the first message belongs to a blacklist or not; the apparatus 400 further comprises a sending module, configured to: and in the case that the content of the first message does not belong to the blacklist, sending the first message.
It should be appreciated that the apparatus 400 herein is embodied in the form of functional modules. The term module herein may refer to an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (e.g., a shared, dedicated, or group processor) and memory that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that support the described functionality. In an optional example, as will be understood by those skilled in the art, the apparatus 400 may be specifically a website server in the foregoing embodiment, or the functions of the website server in the foregoing embodiment may be integrated in the apparatus 400, and the apparatus 400 may be configured to execute each process and/or step corresponding to the website server in the foregoing method embodiment, and in order to avoid repetition, details are not described herein again.
The apparatus 400 has functions of implementing corresponding steps executed by the web server in the method 100, the method 200 or the method 300; the above functions may be implemented by hardware, or may be implemented by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above. For example, the obtaining module may be a communication interface, such as a transceiver interface.
Fig. 5 illustrates a security inspection apparatus 500 according to an embodiment of the present application. The apparatus 500 comprises: a processor 510, a communication interface 520, and a memory 530. Wherein the processor 510, the communication interface 520 and the memory 530 are in communication with each other via an internal connection path, the memory 530 is configured to store instructions, and the processor 510 is configured to execute the instructions stored in the memory 530 to control the communication interface to transmit and/or receive signals.
The apparatus 500 is used for executing each flow and step of the security check method. Wherein the processor 510 is configured to: when detecting that the first process is created, acquiring a parent process identifier of the first process; judging whether the father process identification is equal to the software process identification in the website server or not; under the condition that the father process identification is equal to the software process identification, acquiring a file path of a first process; judging whether a file path of a first process belongs to a first white list or not; and running the first process under the condition that the file path of the first process belongs to the first white list.
It should be understood that the apparatus 500 may be used for executing the steps and/or processes corresponding to the website server in the above method embodiments. Optionally, the memory 530 may include a read-only memory and a random access memory, and provides instructions and data to the processor 510. A portion of memory 530 may also include non-volatile random access memory. For example, memory 530 may also store device type information. The processor 510 may be configured to execute the instructions stored in the memory 530, and when the processor 510 executes the instructions stored in the memory 530, the processor 510 is configured to perform the steps and/or processes of the method embodiments described above corresponding to the web server.
It should be understood that, in the embodiment of the present application, the processor 510 of the apparatus 500 may be a Central Processing Unit (CPU), and the processor 510 may also be other general processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software. The steps of a method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware processor, or may be implemented by a combination of hardware and software elements in a processor. The software elements may be located in RAM, flash, ROM, PROM, or EPROM, registers, or other storage media that are well known in the art. The storage medium is located in a memory, and a processor executes instructions in the memory, in combination with its hardware, to perform the steps of the above-described method. To avoid repetition, it is not described in detail here.
The present application provides a readable computer storage medium for storing a computer program for implementing the method corresponding to the website server in the above embodiments.
The present application provides a computer program product comprising a computer program (also referred to as code, or instructions) which, when run on a computer, can execute the method corresponding to the website server in the above embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A security check method, comprising:
when detecting that a first process is created, acquiring a parent process identifier of the first process;
judging whether the father process identification is equal to the software process identification in the website server or not;
under the condition that the parent process identification is equal to the software process identification, acquiring a file path of the first process;
judging whether the file path of the first process belongs to a first white list or not;
and running the first process under the condition that the file path of the first process belongs to the first white list.
2. The method of claim 1, further comprising:
and running the first process under the condition that the parent process identification is not equal to the software process identification.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
and under the condition that the file path of the first process does not belong to the first white list, forbidding the first process to run.
4. The method of claim 1, further comprising:
when a first request for opening a first file is detected, acquiring the authority requested by the first request;
judging whether the permission requested by the first request comprises a reading permission or not;
acquiring a path of the first file under the condition that the permission requested by the first request comprises a reading permission;
judging whether the path of the first file belongs to a second white list or not;
and opening the first file under the condition that the path of the first file belongs to the second white list.
5. The method of claim 4, further comprising:
opening the first file if the requested permission of the first request does not include a read permission.
6. The method according to claim 4 or 5, characterized in that the method further comprises:
and forbidding opening the first file under the condition that the path of the first file does not belong to the second white list.
7. The method of claim 1, further comprising:
when a second request for sending a first message is detected, acquiring the content of the first message;
judging whether the content of the first message belongs to a blacklist or not;
and sending the first message under the condition that the content of the first message does not belong to the blacklist.
8. A security inspection apparatus, comprising:
the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring a parent process identifier of a first process when the first process is detected to be established;
the judging module is used for judging whether the father process identifier is equal to the software process identifier in the website server or not;
the acquisition module is further configured to: under the condition that the parent process identification is equal to the software process identification, acquiring a file path of the first process;
the judging module is further configured to: judging whether the file path of the first process belongs to a first white list or not;
and the processing module is used for running the first process under the condition that the file path of the first process belongs to the first white list.
9. A security inspection apparatus, comprising: a processor coupled with a memory for storing a computer program that, when invoked by the processor, causes the apparatus to perform the method of any of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a computer program comprising instructions for implementing the method according to any one of claims 1 to 7.
11. A computer program product comprising computer program code which, when run on a computer, causes the computer to carry out the method according to any one of claims 1 to 7.
CN202111229446.8A 2021-10-21 2021-10-21 Security check method and security check device Pending CN113987468A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111229446.8A CN113987468A (en) 2021-10-21 2021-10-21 Security check method and security check device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111229446.8A CN113987468A (en) 2021-10-21 2021-10-21 Security check method and security check device

Publications (1)

Publication Number Publication Date
CN113987468A true CN113987468A (en) 2022-01-28

Family

ID=79740071

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111229446.8A Pending CN113987468A (en) 2021-10-21 2021-10-21 Security check method and security check device

Country Status (1)

Country Link
CN (1) CN113987468A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114816447A (en) * 2022-03-08 2022-07-29 北京圣博润高新技术股份有限公司 White list based dynamic deployment software installation method and device, electronic equipment and medium
CN114816447B (en) * 2022-03-08 2024-04-26 北京圣博润高新技术股份有限公司 White list-based dynamic deployment software installation method and device, electronic equipment and medium
CN115277680A (en) * 2022-07-29 2022-11-01 山石网科通信技术股份有限公司 File synchronization method for improving synchronization security
CN115277680B (en) * 2022-07-29 2024-04-19 山石网科通信技术股份有限公司 File synchronization method for improving synchronization security

Similar Documents

Publication Publication Date Title
Reardon et al. 50 ways to leak your data: An exploration of apps' circumvention of the android permissions system
Hussain et al. A security framework for mHealth apps on Android platform
Sharmeen et al. Malware threats and detection for industrial mobile-IoT networks
Bhat et al. A survey on various threats and current state of security in android platform
Shao et al. Kratos: Discovering Inconsistent Security Policy Enforcement in the Android Framework.
US11494484B2 (en) Leveraging instrumentation capabilities to enable monitoring services
EP1518158B1 (en) Trusted computer platform
Shabtai et al. Google android: A state-of-the-art review of security mechanisms
Jeon et al. A practical analysis of smartphone security
US7669242B2 (en) Agent presence monitor configured to execute in a secure environment
US9787681B2 (en) Systems and methods for enforcing access control policies on privileged accesses for mobile devices
US20220046051A1 (en) Techniques for protecting applications from unsecure network exposure
US10771477B2 (en) Mitigating communications and control attempts
KR20120084184A (en) A smartphone malicious code blocking method based on white list and the recording medium thereof
GB2540961B (en) Controlling configuration data storage
US20150150119A1 (en) Framework for fine-grain access control from high-level application permissions
CN113987468A (en) Security check method and security check device
Choi et al. Personal information leakage detection method using the inference-based access control model on the Android platform
KR20160039234A (en) Systems and methods for enhancing mobile security via aspect oriented programming
Zungur et al. Borderpatrol: Securing byod using fine-grained contextual information
Sohr et al. Software security aspects of Java-based mobile phones
Kulkarni et al. Open source android vulnerability detection tools: a survey
Zhang et al. Design and implementation of efficient integrity protection for open mobile platforms
Sharma et al. Smartphone security and forensic analysis
Blasco et al. Detection of app collusion potential using logic programming

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination