CN104573507A - Secure container and design method thereof - Google Patents
Secure container and design method thereof Download PDFInfo
- Publication number
- CN104573507A CN104573507A CN201510059684.7A CN201510059684A CN104573507A CN 104573507 A CN104573507 A CN 104573507A CN 201510059684 A CN201510059684 A CN 201510059684A CN 104573507 A CN104573507 A CN 104573507A
- Authority
- CN
- China
- Prior art keywords
- container
- program
- file
- safety
- resource
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a secure container and a design method thereof, belonging to the technical field of information safety. The secure container disclosed by the invention is characterized in that a secure area is constructed in an operation system; a set of processes is operated in the area by utilizing the three mechanisms including mandatory access control, resource isolation and trusted measurement; the set of processes is only capable of accessing resources in the area and is incapable of accessing resources outside the area; processes outside the area are also incapable of accessing resources in the area; and furthermore, the strategy of the area and application in the area need to be subjected to trusted measurement. Compared with the prior art, the secure container disclosed by the invention is capable of resisting various attacks in a network through the operation system level; therefore, the network information security problem is thoroughly solved; and the secure container and the design method thereof disclosed by the invention have good popularization and application value.
Description
Technical field
The present invention relates to field of information security technology, specifically a kind of safety container, and method for designing.
Background technology
Along with the development of Internet, network spreads all over the every nook and cranny of life, and internet, LAN (Local Area Network) have all become part and parcel in our life, and the safety problem of network comes out.In order to ensure the safety of network, expensive energy sets up network security system, mainly contains the security systems such as VPN, fire wall, Viral diagnosis.Nowadays, set up these security systems and play a significant role, but these security systems still could not solve Network Information Security Problem thoroughly.The safety problem of system was not concerned originally, left over a lot of hidden danger.Such as: although user installation anti-virus, but PC can infect virus, or can in wooden horse, be subject to the attack of hacker.
Summary of the invention
Technical assignment of the present invention is for above-mentioned the deficiencies in the prior art, provides a kind of method for designing of safety container.
Technical assignment of the present invention realizes in the following manner: a kind of safety container, be characterized in being structured in the safety zone in an operating system, forced symmetric centralization, resource isolation and credible tolerance three kinds of mechanism are utilized to make one group of process run in described region, this group process can only to the resource (CPU of one's respective area, internal memory etc.) conduct interviews, the resource outside one's respective area can not be accessed, process outside one's respective area can not access the resource in one's respective area, and the application in the strategy in this region and region all needs to carry out credible tolerance.
As preferably, the system resource dynamic adjustment that each container distributes.
Container program self preferably adopts forced symmetric centralization technology to protect, and makes other programs cannot destroy the operation of container program.
Described forced symmetric centralization refers to: the process in container can only access the resource distributing to this container, and the program of external container cannot be attacked this container.Described forced symmetric centralization refers to: the process in container can only access the resource distributing to this container, and the program of external container cannot be attacked this container.
Described resource isolation refers to: the program in container is isolated in different NameSpaces from the program outside container, does not interfere with each other each other.
Described credible tolerance refers to: when container is set up, and carries out baseline collection, when container starts each time, carry out trust authentication to container, program, file to program relevant in each container self configuration and container, file.
The method for designing of above-mentioned safety container comprises:
(1) file that the one or more application program or program that need protection will be accessed is added into safety container, generates a series of strategy by the access rights configuring these programs or file, and the resource needed for the appointment of this container;
(2) initialization container, automatic analysis the baseline value of the configuration of collection container, container Program;
(3) trust authentication is carried out to container, comprise identifying object and comprise file in container itself, container;
(4) create at container and generate its baseline value to during electrical condenser interpolation file, automatically upgrading the baseline value of container and file when revising security strategy, and automatically delete the baseline value of its correspondence when deleting container or deleted file;
(5) when container starts or container internal program starts, credible tolerance is carried out to container and program, if trust authentication failure, the operation of the operation of refusal container or program wherein, and to the report of user feedback tolerance, or still start container and program, but prompting current container is insincere;
(6) utilize Cgroup, NameSpace Kernel Technology that Linux kernel provides, container resource is managed, realize the isolation for resource in container.
In said method, when carrying out trust authentication to container, described container itself comprises container program, configuration file and security strategy; File in described container comprises script file, program file, and the file that program will be accessed.
Safety container of the present invention is divided into several steps such as container establishment, tactical management and Container Management when implementing:
(1) container is created
User is convenient to the title of image that manages for self-defined one of container.User operation creates safety container, fills in Container Name and describes the summary info of this container application.Automatically the baseline value of this container is generated after creating electrical condenser success.Select to expect to put into the file that the application program (one or more) of this container and program will be accessed; How containment system automatic analysis application program can access the file that its needs, and according to the appropriate access rights of analysis result configuring application program to file, thus automatically generates container strategy.Meanwhile, also can spanned file baseline value automatically.User selects initialization container, automatically loads security strategy, builds security domain, namely starts to build container relevant configuration.
(2) tactical management
When adding to operating container or deleting application program or file, container can re-create the baseline value of container, application program and file automatically.Program in default conditions container has permission to some extent to the resource access in container, if wish that the more fine-grained authority of configuration is to reduce container internal program by the risk of network attack, as read-only to some configuration file, then user can enter advanced configuration pattern, the manual strategy from amendment, interpolation, deletion container.Container program self according to risk algorithm, can process for user or points out user to configure automatically.For the dynamic management of resource, user can manage the adjustresources configuration (CPU of the container be in operation at any time, internal memory, the network bandwidth etc.), but adjustresources to just impacting in operating application program in container, can distribute may cause application crash as reduced physical memory.Complete container security strategy configuration, after resource distribution, can also derive or import these and be configured in text.In addition, can also pass through the Container Management instrument of Container Management interface or order line, the application program in Administrative Security container, mainly comprises the startup of program, stopping etc.
(3) Container Management
Enable safety container, after by credible tolerance authenticate, security strategy comes into force, and Resourse Distribute comes into force, and starts the default application in container simultaneously.If user is not when safety container is by trust authentication, still select to start safety container, then safety container carries out safe mode (process function limitation) or monitoring mode (recording nearly all process operation) automatically, and prompting user current container is insincere.When stopping the operation of safety container, now, the program in container generally also can be out of service.No matter safety container be in enable, out of service, to create etc. in state, user can delete safety container.When deleting (destruction) safety container, user can select stop container internal program or continue to allow program run.
Compared with prior art, safety container of the present invention uses forced symmetric centralization, resource isolation and credible tolerance three kinds of mechanism simultaneously, can resist for the various attacks network from operating system aspect, such as APT attack, Rootkit attack, and solve Network Information Security Problem thoroughly.Specifically, there is following characteristics:
(1) forced symmetric centralization.Namely, after container is set up, container self forms a security domain, and the process in container can only access the resource (CPU, internal memory etc.) distributing to this container, and the program of external container cannot be attacked this container.Program impression in container, less than the existence of the process in external container or other container, even if self is under attack, also can not has influence on other containers or spread to external container.
(2) resource isolation.Program in container is isolated in different NameSpaces from the program outside container, does not interfere with each other each other, as CPU, internal memory etc. can system resource once be assigned in different containers, the use of the program in different vessels to these resources is independent of each other.
(3) credible tolerance.When container is set up, baseline collection can be carried out to relevant program, file etc. in each container self configuration and container, when container starts each time, trust authentication is carried out to container, program, file etc., only have and can be run by the container of trust authentication, and the program in container is also only had and could be run by trust authentication.
(4) resource dynamic management.Can each container of dynamic conditioning system resource (CPU, internal memory etc.) of distributing.
(5) inherently safe is guaranteed.Container program self adopts forced symmetric centralization technology to protect, and other programs cannot destroy the operation of container program.
Accompanying drawing explanation
Accompanying drawing 1 is the schematic diagram of safety container of the present invention;
Accompanying drawing 2 is design framework figure of safety container of the present invention.
Embodiment
Safety container of the present invention and method for designing thereof are described in detail below with specific embodiment with reference to Figure of description.
Embodiment:
As shown in Figure 1, safety container of the present invention utilizes forced symmetric centralization, resource isolation and credible tolerance three kinds of mechanism, one group of process is made to operate in a region, this group process can only to the resource (CPU of one's respective area, internal memory etc.) conduct interviews, the resource outside one's respective area can not be accessed, process outside one's respective area can not access the resource in one's respective area, and credible verification is carried out to the application in the strategy in this region and region, make different responses according to check results, namely this region forms a safety container.
Safety container design framework of the present invention as shown in Figure 2; first the file that the one or more application program or program that need protection will be accessed is added into safety container; a series of strategy is generated by the access rights configuring these programs or file, and the resource (CPU, internal memory or network etc.) needed for the appointment of this container.During initialization container, automatic analysis the baseline value of the configuration of collection container, container Program.The credible tolerance of container and integrity detection mechanism carry out trust authentication, and identifying object comprises file in container itself (container program, configuration file, security strategy etc.), container (script file, program file, and the file that will access of program).The trust authentication of container forms the trust authentication of whole container together with the trust authentication of the file in container.Generate its baseline value when creating at container and add file to electrical condenser, automatically upgrade the baseline value of container and file when revising security strategy, and automatically delete the baseline value of its correspondence when deleting container or deleted file.When container startup, container internal program start, container and program are measured.If authentication failed, the operation of the operation of refusal container or program wherein, and to the report of user feedback tolerance, or still start container and program, but prompting current container is insincere.For the isolation of resource in container, employ Cgroup, NameSpace Kernel Technology that Linux kernel provides, container resource is managed.
Above-mentioned safety container is divided into the following steps when implementing: container establishment, tactical management, Container Management.
(1) container is created
User is convenient to the title of image that manages for self-defined one of container.User operation creates safety container, fills in Container Name and describes the summary info of this container application.Automatically the baseline value of this container is generated after creating electrical condenser success.Select to expect to put into the file that the application program (one or more) of this container and program will be accessed; How containment system automatic analysis application program can access the file that its needs, and according to the appropriate access rights of analysis result configuring application program to file, thus automatically generates container strategy.Meanwhile, also can spanned file baseline value automatically.User selects initialization container, automatically loads security strategy, builds security domain, namely starts to build container relevant configuration.
(2) tactical management
When adding to operating container or deleting application program or file, container can re-create the baseline value of container, application program and file automatically.Program in default conditions container has permission to some extent to the resource access in container, if wish that the more fine-grained authority of configuration is to reduce container internal program by the risk of network attack, as read-only to some configuration file, then user can enter advanced configuration pattern, the manual strategy from amendment, interpolation, deletion container.Container program self according to risk algorithm, can process for user or points out user to configure automatically.For the dynamic management of resource, user can manage the adjustresources configuration (CPU of the container be in operation at any time, internal memory, the network bandwidth etc.), but adjustresources to just impacting in operating application program in container, can distribute may cause application crash as reduced physical memory.Complete container security strategy configuration, after resource distribution, can also derive or import these and be configured in text.In addition, can also pass through the Container Management instrument of Container Management interface or order line, the application program in Administrative Security container, mainly comprises the startup of program, stopping etc.
(3) Container Management
Enable safety container, after by credible tolerance authenticate, security strategy comes into force, and Resourse Distribute comes into force, and starts the default application in container simultaneously.If user is not when safety container is by trust authentication, still select to start safety container, then safety container carries out safe mode (process function limitation) or monitoring mode (recording nearly all process operation) automatically, and prompting user current container is insincere.When stopping the operation of safety container, now, the program in container generally also can be out of service.No matter safety container be in enable, out of service, to create etc. in state, user can delete safety container.When deleting (destruction) safety container, user can select stop container internal program or continue to allow program run.
Claims (8)
1. a safety container, it is characterized in that: described safety container is be structured in the safety zone in an operating system, forced symmetric centralization, resource isolation and credible tolerance three kinds of mechanism are utilized to make one group of process operate in described region, this group process can only conduct interviews to the resource of one's respective area, the resource outside one's respective area can not be accessed, process outside one's respective area can not access the resource in one's respective area, and the application in the strategy in this region and region all needs to carry out credible tolerance.
2. safety container according to claim 1, is characterized in that, the system resource dynamic adjustment that each container distributes.
3. safety container according to claim 1 and 2, is characterized in that, container program self adopts forced symmetric centralization technology to protect.
4. safety container according to claim 3, is characterized in that, described forced symmetric centralization refers to: the process in container can only access the resource distributing to this container, and the program of external container cannot be attacked this container.
5. safety container according to claim 3, is characterized in that, described resource isolation refers to: the program in container is isolated in different NameSpaces from the program outside container, does not interfere with each other each other.
6. safety container according to claim 3, it is characterized in that, described credible tolerance refers to: when container is set up, and carries out baseline collection to program relevant in each container self configuration and container, file, when container starts each time, trust authentication is carried out to container, program, file.
7. the method for designing of safety container according to claim 1, is characterized in that comprising the following steps:
(1) file that the one or more application program or program that need protection will be accessed is added into safety container, generates a series of strategy by the access rights configuring these programs or file, and the resource needed for the appointment of this container;
(2) initialization container, automatic analysis the baseline value of the configuration of collection container, container Program;
(3) trust authentication is carried out to container, comprise identifying object and comprise file in container itself, container;
(4) create at container and generate its baseline value to during electrical condenser interpolation file, automatically upgrading the baseline value of container and file when revising security strategy, and automatically delete the baseline value of its correspondence when deleting container or deleted file;
(5) when container starts or container internal program starts, credible tolerance is carried out to container and program, if trust authentication failure, the operation of the operation of refusal container or program wherein, and to the report of user feedback tolerance, or still start container and program, but prompting current container is insincere;
(6) utilize Cgroup, NameSpace Kernel Technology that Linux kernel provides, container resource is managed, realize the isolation for resource in container.
8. the method for designing of safety container according to claim 7, when it is characterized in that carrying out trust authentication to container, described container itself comprises container program, configuration file and security strategy; File in described container comprises script file, program file, and the file that program will be accessed.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510059684.7A CN104573507A (en) | 2015-02-05 | 2015-02-05 | Secure container and design method thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510059684.7A CN104573507A (en) | 2015-02-05 | 2015-02-05 | Secure container and design method thereof |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN104573507A true CN104573507A (en) | 2015-04-29 |
Family
ID=53089546
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510059684.7A Pending CN104573507A (en) | 2015-02-05 | 2015-02-05 | Secure container and design method thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104573507A (en) |
Cited By (20)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104951708A (en) * | 2015-06-11 | 2015-09-30 | 浪潮电子信息产业股份有限公司 | File measurement and protection method and device |
| CN105069353A (en) * | 2015-08-11 | 2015-11-18 | 武汉大学 | Security reinforcement method for credible container based on Docker |
| CN105956493A (en) * | 2016-06-29 | 2016-09-21 | 乐视控股(北京)有限公司 | Mobile phone file protection method and mobile phone file protection device |
| CN106293875A (en) * | 2016-08-04 | 2017-01-04 | 中国联合网络通信集团有限公司 | The creation method of a kind of Docker container and the system of establishment |
| CN106471791A (en) * | 2015-04-07 | 2017-03-01 | 华为技术有限公司 | Method and apparatus for the PC cluster framework based on mobile device |
| CN106776067A (en) * | 2016-11-29 | 2017-05-31 | 北京元心科技有限公司 | Method and device for managing system resources in multi-container system |
| CN107480524A (en) * | 2017-08-18 | 2017-12-15 | 郑州云海信息技术有限公司 | A kind of security sandbox and its construction method |
| CN107851032A (en) * | 2016-06-08 | 2018-03-27 | 慧与发展有限责任合伙企业 | Service is performed in a reservoir |
| CN108182095A (en) * | 2018-01-16 | 2018-06-19 | 湖北省楚天云有限公司 | A kind of application dispositions method, device and equipment |
| CN109155782A (en) * | 2016-05-27 | 2019-01-04 | 华为技术有限公司 | Interprocess communication between container |
| CN110046505A (en) * | 2019-04-28 | 2019-07-23 | 联想(北京)有限公司 | Vessel safety reinforcement means, system and storage medium |
| CN110135127A (en) * | 2019-04-11 | 2019-08-16 | 北京亿赛通科技发展有限责任公司 | A kind of Document distribution formula baselined system and importing and distribution method based on sandbox |
| CN110651269A (en) * | 2017-05-22 | 2020-01-03 | 微软技术许可有限责任公司 | Isolated container event monitoring |
| CN111709023A (en) * | 2020-06-16 | 2020-09-25 | 全球能源互联网研究院有限公司 | Application isolation method and system based on trusted operating system |
| CN111711612A (en) * | 2020-05-25 | 2020-09-25 | 数篷科技(深圳)有限公司 | Communication control method, method and device for processing communication request |
| CN111722894A (en) * | 2019-03-21 | 2020-09-29 | 成都鼎桥通信技术有限公司 | Application processing method and device and electronic equipment |
| CN111949334A (en) * | 2020-10-16 | 2020-11-17 | 腾讯科技(深圳)有限公司 | Sandbox environment-based virtual application starting control method, device and equipment |
| CN114186280A (en) * | 2022-02-14 | 2022-03-15 | 统信软件技术有限公司 | File access method, computing device and readable storage medium |
| CN114546598A (en) * | 2022-02-25 | 2022-05-27 | 北京小佑网络科技有限公司 | Control method for processes, files and network access in container |
| US11880482B2 (en) | 2020-12-10 | 2024-01-23 | International Business Machines Corporation | Secure smart containers for controlling access to data |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102254123A (en) * | 2011-06-22 | 2011-11-23 | 北京椒图科技有限公司 | Method and device for enhancing security of application software |
| CN102314373A (en) * | 2011-07-07 | 2012-01-11 | 李鹏 | Method for realizing safe working environment based on virtualization technology |
| CN104331659A (en) * | 2014-10-30 | 2015-02-04 | 浪潮电子信息产业股份有限公司 | Design method for resource application isolation of key application host system |
-
2015
- 2015-02-05 CN CN201510059684.7A patent/CN104573507A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102254123A (en) * | 2011-06-22 | 2011-11-23 | 北京椒图科技有限公司 | Method and device for enhancing security of application software |
| CN102314373A (en) * | 2011-07-07 | 2012-01-11 | 李鹏 | Method for realizing safe working environment based on virtualization technology |
| CN104331659A (en) * | 2014-10-30 | 2015-02-04 | 浪潮电子信息产业股份有限公司 | Design method for resource application isolation of key application host system |
Cited By (31)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106471791A (en) * | 2015-04-07 | 2017-03-01 | 华为技术有限公司 | Method and apparatus for the PC cluster framework based on mobile device |
| CN104951708A (en) * | 2015-06-11 | 2015-09-30 | 浪潮电子信息产业股份有限公司 | File measurement and protection method and device |
| CN105069353A (en) * | 2015-08-11 | 2015-11-18 | 武汉大学 | Security reinforcement method for credible container based on Docker |
| CN105069353B (en) * | 2015-08-11 | 2017-10-24 | 武汉大学 | A kind of credible vessel safety reinforcement means based on Docker |
| CN109155782A (en) * | 2016-05-27 | 2019-01-04 | 华为技术有限公司 | Interprocess communication between container |
| CN107851032B (en) * | 2016-06-08 | 2021-04-02 | 慧与发展有限责任合伙企业 | Computing device, system and method for executing services in containers |
| US10929148B2 (en) | 2016-06-08 | 2021-02-23 | Hewlett Packard Enterprise Development Lp | Executing services in containers |
| CN107851032A (en) * | 2016-06-08 | 2018-03-27 | 慧与发展有限责任合伙企业 | Service is performed in a reservoir |
| CN105956493A (en) * | 2016-06-29 | 2016-09-21 | 乐视控股(北京)有限公司 | Mobile phone file protection method and mobile phone file protection device |
| CN106293875A (en) * | 2016-08-04 | 2017-01-04 | 中国联合网络通信集团有限公司 | The creation method of a kind of Docker container and the system of establishment |
| CN106776067A (en) * | 2016-11-29 | 2017-05-31 | 北京元心科技有限公司 | Method and device for managing system resources in multi-container system |
| CN106776067B (en) * | 2016-11-29 | 2020-10-23 | 北京元心科技有限公司 | Method and device for managing system resources in multi-container system |
| CN110651269A (en) * | 2017-05-22 | 2020-01-03 | 微软技术许可有限责任公司 | Isolated container event monitoring |
| CN110651269B (en) * | 2017-05-22 | 2023-09-05 | 微软技术许可有限责任公司 | Isolated container event monitoring |
| CN107480524A (en) * | 2017-08-18 | 2017-12-15 | 郑州云海信息技术有限公司 | A kind of security sandbox and its construction method |
| CN108182095A (en) * | 2018-01-16 | 2018-06-19 | 湖北省楚天云有限公司 | A kind of application dispositions method, device and equipment |
| CN111722894A (en) * | 2019-03-21 | 2020-09-29 | 成都鼎桥通信技术有限公司 | Application processing method and device and electronic equipment |
| CN111722894B (en) * | 2019-03-21 | 2023-04-18 | 成都鼎桥通信技术有限公司 | Application processing method and device and electronic equipment |
| CN110135127A (en) * | 2019-04-11 | 2019-08-16 | 北京亿赛通科技发展有限责任公司 | A kind of Document distribution formula baselined system and importing and distribution method based on sandbox |
| CN110046505A (en) * | 2019-04-28 | 2019-07-23 | 联想(北京)有限公司 | Vessel safety reinforcement means, system and storage medium |
| CN110046505B (en) * | 2019-04-28 | 2021-07-16 | 联想(北京)有限公司 | Container security reinforcement method, system and storage medium |
| CN111711612A (en) * | 2020-05-25 | 2020-09-25 | 数篷科技(深圳)有限公司 | Communication control method, method and device for processing communication request |
| CN111709023A (en) * | 2020-06-16 | 2020-09-25 | 全球能源互联网研究院有限公司 | Application isolation method and system based on trusted operating system |
| CN111709023B (en) * | 2020-06-16 | 2023-04-28 | 全球能源互联网研究院有限公司 | Application isolation method and system based on trusted operating system |
| CN111949334B (en) * | 2020-10-16 | 2021-06-18 | 腾讯科技(深圳)有限公司 | Sandbox environment-based virtual application starting control method, device and equipment |
| CN111949334A (en) * | 2020-10-16 | 2020-11-17 | 腾讯科技(深圳)有限公司 | Sandbox environment-based virtual application starting control method, device and equipment |
| US11880482B2 (en) | 2020-12-10 | 2024-01-23 | International Business Machines Corporation | Secure smart containers for controlling access to data |
| CN114186280A (en) * | 2022-02-14 | 2022-03-15 | 统信软件技术有限公司 | File access method, computing device and readable storage medium |
| CN114186280B (en) * | 2022-02-14 | 2022-05-20 | 统信软件技术有限公司 | File access method, computing device and readable storage medium |
| CN114546598A (en) * | 2022-02-25 | 2022-05-27 | 北京小佑网络科技有限公司 | Control method for processes, files and network access in container |
| CN114546598B (en) * | 2022-02-25 | 2022-10-21 | 北京小佑网络科技有限公司 | Control method for processes, files and network access in container |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104573507A (en) | Secure container and design method thereof | |
| US10419931B1 (en) | Security for network computing environment using centralized security system | |
| CN105468978B (en) | A kind of creditable calculation password platform suitable for electric system universal computing platform | |
| AU2019246773B2 (en) | Systems and methods of risk based rules for application control | |
| US7870613B2 (en) | Automating software security restrictions on applications | |
| CN104735091B (en) | A kind of user access control method and apparatus based on linux system | |
| CN104751050A (en) | Client application program management method | |
| CN104732147A (en) | Application program processing method | |
| US11797664B2 (en) | Computer device and method for controlling process components | |
| CN104601580A (en) | Policy container design method based on mandatory access control | |
| CN103890772A (en) | Sandboxing technology for webruntime system | |
| US11792194B2 (en) | Microsegmentation for serverless computing | |
| Hicks et al. | An architecture for enforcing end-to-end access control over web applications | |
| WO2019177563A1 (en) | Hardware security | |
| US20220201041A1 (en) | Administrative policy override in microsegmentation | |
| CN104732140A (en) | Program data processing method | |
| CN110188574A (en) | A kind of the webpage tamper resistant systems and its method of Docker container | |
| CN106936768B (en) | White list network control system and method based on trusted chip | |
| Larsen et al. | Cloudvaults: Integrating trust extensions into system integrity verification for cloud-based environments | |
| Durve et al. | Windows 10 security hardening using device guard whitelisting and applocker blacklisting | |
| Choudhary et al. | A study of threats, vulnerabilities and countermeasures: An iot perspective | |
| CN109376557B (en) | Information security management system | |
| JP2018142078A (en) | Information processing system and information processing method | |
| KR102430882B1 (en) | Method, apparatus and computer-readable medium for container work load executive control of event stream in cloud | |
| WO2016177051A1 (en) | Security authentication method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20150429 |