CN110308955A - A kind of interface call method, system and equipment - Google Patents

A kind of interface call method, system and equipment

Publication number: CN110308955A
Authority: CN (China)
Prior art keywords: interface, program, application program, fingerprint data, call request
Legal status: Granted
Application number: CN201910484848.9A
Other languages: Chinese (zh)
Other versions: CN110308955B (en)
Inventor: 徐子腾
Current Assignee: Advanced New Technologies Co Ltd (also listed as Advantageous New Technologies Co Ltd)
Original Assignee: Alibaba Group Holding Ltd

Events:
Application filed by Alibaba Group Holding Ltd
Priority to CN201910484848.9A
Publication of CN110308955A
Application granted
Publication of CN110308955B
Legal status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/54: Monitoring users, programs or devices to maintain the integrity of platforms during program execution by adding security routines or objects to programs
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/448: Execution paradigms, e.g. implementations of programming paradigms
    • G06F9/4488: Object-oriented
    • G06F9/449: Object-oriented method invocation or resolution

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)

Abstract

This application discloses an interface call method, system and device. In the method of one embodiment of this specification, the flow is as follows: when there is an interface call request directed at a first interface, judge whether the interface call operation corresponding to that request is the first-ever interface call operation of the first interface; when it is the first-ever call of the first interface, bind the program fingerprint data of the application program that initiated the interface call request to the first interface. The first interface is configured so that it can only be called by an application program whose program fingerprint data match the fingerprint bound to it, the program fingerprint data can only match their corresponding application program, and within the whole life cycle of the first interface only the program fingerprint data of one application program can be bound.

Description

A kind of interface call method, system and equipment
Technical field
This specification relates to the field of computer technology, and in particular to an interface call method, system and device.
Background
In computer applications, an application program generally needs to call different interfaces during its operation in order to realize different functions. To ensure system security and prevent illegal programs from calling an interface, the common scheme is to authenticate the application program that requests the interface call before the call is made.
In the prior art, interface authentication usually uses one of the following schemes: username and password verification, token verification, or public/private key signature verification. However, whether it is a password, a token or a key pair, each can very likely be leaked, and once the interface call credential is leaked the interface can be called by an attacker through forged calls. An attacker can forge interface calls at very low cost.
Summary of the invention
In view of this, the embodiments of this specification provide an interface call method, system and device, used to solve the problem of illegal interface calls in the interface call process of the prior art.
The embodiments of this specification adopt the following technical solutions:
An embodiment of this specification provides an interface call method, the method comprising:
when there is an interface call request directed at a first interface, judging whether the interface call operation corresponding to the interface call request is the first-ever interface call operation of the first interface;
when the interface call operation corresponding to the interface call request is the first-ever interface call operation of the first interface, binding the program fingerprint data of the application program that initiated the interface call request to the first interface, where the first interface is configured so that it can only be called by an application program that matches the program fingerprint data bound to it, the program fingerprint data can only match their corresponding application program, and within the whole life cycle of the first interface only the program fingerprint data of one application program can be bound.
In one embodiment of this specification, binding the program fingerprint data of the application program that initiated the interface call request to the first interface comprises:
generating corresponding program fingerprint data according to the application program that initiated the interface call request;
saving the program fingerprint data in a legal-program fingerprint data storage directory corresponding to the first interface, where the legal-program fingerprint data storage directory can hold only one set of program fingerprint data.
In one embodiment of this specification, judging whether the interface call operation corresponding to the interface call request is the first-ever interface call operation of the first interface comprises judging whether program fingerprint data are already saved in the legal-program fingerprint data storage directory corresponding to the first interface.
In one embodiment of this specification, the method further comprises:
when the application program corresponding to the program fingerprint data is updated, deleting the program fingerprint data saved in the corresponding legal-program fingerprint data storage directory.
In one embodiment of this specification, the legal-program fingerprint data storage directory is located under the local file directory of the first interface.
In one embodiment of this specification, the program fingerprint data are data obtained by a cryptographic computation over the executable file and/or the program directory of the application program.
In one embodiment of this specification, the method further comprises obtaining the program fingerprint data of the application program, wherein, when the application program initiates an interface call request, the process PID of the application program is obtained by associating the process with its port information, and the program fingerprint data of the application program are obtained according to that process PID.
In one embodiment of this specification, the program fingerprint data include: a hash of the command-line content; the executable file's name, attributes, modification time and content hash; the working directory's name, attributes and modification time; a hash of the environment variables' content; and the names, attributes and modification times of the files the program has open.
An embodiment of this specification also provides an interface call system, the system comprising:
an interface call request monitoring module, used to judge, when there is an interface call request directed at a first interface, whether the interface call operation corresponding to the interface call request is the first-ever interface call operation of the first interface;
a legal-program registration module, used to bind, when the interface call operation corresponding to the interface call request is the first-ever interface call operation of the first interface, the program fingerprint data of the application program that initiated the interface call request to the first interface, where the first interface is configured so that it can only be called by an application program matching the program fingerprint data bound to it, the program fingerprint can only match its corresponding application program, and within the whole life cycle of the first interface only the program fingerprint data of one application program can be bound.
An embodiment of this specification also provides a device for processing client information on user equipment, the device comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein, when the computer program instructions are executed by the processor, the device is triggered to execute the method of the system described in the embodiments of this specification.
At least one of the above technical solutions adopted by the embodiments of this specification can achieve the following beneficial effects. According to the method of the embodiments, program fingerprint data are bound to the interface, so that the legitimacy check of an interface call does not verify an interface call credential but instead verifies whether the application program currently initiating the interface call matches the program fingerprint data bound to the interface. Compared with the prior art, because the method of the embodiments does not use interface call credentials, the security risk brought by the leakage of interface call credentials is avoided. Further, because only the program fingerprint data of one application program can be bound during the whole life cycle of the interface, legal programs can no longer be added, removed or modified once the interface's legal program has been registered, which fundamentally prevents an illegal program from being forged into a legal program. Further, because the binding of program fingerprint data is performed when the interface is first called, the deployment and registration flow of legal programs is greatly simplified. The method of the embodiments is simple to execute, highly secure, and can effectively prevent an interface from being called illegally.
Detailed description of the invention
The drawings described herein are used to provide a further understanding of the present application and constitute a part of it; the illustrative embodiments of the application and their description are used to explain the application and do not constitute an undue limitation on it. In the accompanying drawings:
Fig. 1 and Fig. 3 are flow charts of the operation method of the application program in embodiments of this specification;
Fig. 2, Fig. 4 and Fig. 6 are partial flow charts of the operation method of the application program in embodiments of this specification;
Fig. 5, Fig. 7 and Fig. 8 are application-scenario sequence diagrams according to embodiments of this specification;
Fig. 9 is a structural block diagram of the system in one embodiment of this specification.
Specific embodiment
To make the purposes, technical solutions and advantages of the application clearer, the technical solutions of the application are described clearly and completely below with reference to specific embodiments and the corresponding drawings. Obviously, the described embodiments are only some of the embodiments of the application, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the application, without creative effort, fall within the protection scope of the application.
In the prior art, interface authentication usually uses one of the following schemes: username and password verification, token verification, or public/private key signature verification. However, whether it is a password, a token or a key pair, each can very likely be leaked, and once the interface call credential is leaked the interface can be called by an attacker through forged calls. An attacker can forge interface calls at very low cost.
In view of the above problems, the embodiments of this specification propose an interface call method.
To arrive at the method of the embodiments, the inventor first analysed practical application scenarios. In some application scenarios, the system confirms whether the application program currently initiating an interface call request is legal by verifying an interface call credential. Therefore, once the interface call credential is leaked, the system cannot prevent the interface from being called illegally, because even an illegal program is identified as a legal application program as long as it holds a valid interface call credential.
In the above scenario, the essential reason that a leaked credential leads to illegal interface calls lies in the characteristics of the interface call credential itself. An interface call credential is an additional feature of an application program, used to mark that application program as a legal program. That is, when an application program possesses the feature "interface call credential", it is a legal program. This means the interface call credential can be combined with different application programs: it is generic. In addition, because an interface call is not a one-off behaviour, the interface call credential can be used repeatedly: it is reusable.
Because the interface call credential is generic and reusable, in theory anyone who obtains a complete interface call credential can combine it with any application program so that that application program passes the legitimacy verification. This means that once the interface call credential is leaked, it can be applied to the verification of an illegal program, letting the illegal program disguise itself as a legal program.
Based on the above analysis, the embodiments of this specification do not identify an application program as a legal program by attaching an interface call credential to it; instead, each application program is individually marked as a legal program. That is, rather than treating legal programs as one category, defined as the application programs that possess an "interface call credential", each legal program is treated as an independent individual and recorded separately. (Note that the embodiments of this specification impose no mandatory requirement on the format of the interface; the interface may provide a REST service, an RPC service, and so on.)
For example, in one application scenario, if application program A and application program B are the legal programs of interface C, then application program A and application program B are recorded. When some application program wishes to call interface C, the judgement is not whether the application program wishing to call interface C carries the mark of a valid application program (possesses an interface call credential), but whether the application program wishing to call interface C is application program A or application program B. If the application program wishing to call interface C is neither application program A nor application program B, then it is not a legal program of interface C.
Further, to improve the security of verification, in one embodiment of this specification the legal programs corresponding to an interface are confirmed by an interface call deployment system. That is, the legal programs registered for a given interface can only be added, removed and/or modified through the interface call deployment system. Also, the number (a predetermined number) of legal programs registered for the interface can only be determined by the interface call deployment system.
Further, to avoid the illegal addition, removal and/or modification of an interface's registered legal programs that a compromised interface call deployment system would bring about, in one embodiment of this specification the legal programs corresponding to an interface are set when the interface is first put into use, or before it is put into use, and once the interface is in use its corresponding legal programs cannot be changed.
Further, consider the case where an interface has multiple registered legal programs: in order to register those legal programs and to manage the correspondence between the interface and its legal programs, the legal programs registered for the interface must be managed (added, removed and/or modified) through the interface call deployment system. The existence of this management process increases the possibility of the system being compromised.
Therefore, in one embodiment of this specification, for any interface only one unique legal program can be registered during the whole life cycle of the interface. That is, once application program A is determined to be the legal program of interface B, interface B can only be called by application program A, and this legal program cannot be modified. In this way, even if the interface call deployment system is compromised, an illegal program cannot be disguised as a legal program by modifying the interface's legal program setting or by adding a legal program to the interface. This fundamentally prevents illegal interface calls from occurring.
Further, considering scenarios in which the various services are updated and call each other, in a large enterprise application environment it is very difficult to comb out the call relationships between services and the features of the legal programs. Therefore, in one embodiment of this specification, when an interface is called for the first time, the application program that calls the interface is registered as the legal program of that interface. The trusted call relationships between services can thus be combed out automatically and unambiguously. Specifically, because the application program that calls the interface for the first time is registered as the interface's legal program, the interface call deployment system no longer needs to actively assign legal programs to interfaces, which avoids the situation in which a compromised interface call deployment system registers an illegal program as an interface's legal program.
Further, in one embodiment of this specification, to prevent an illegal program from disguising itself as a legal program, the legal program is registered for an interface by binding the program fingerprint data of the legal program to the interface. One interface can bind the program fingerprint data of only one application program, and the program fingerprint data of an application program can only match that application program. When an application program initiates a call request for the interface, the program fingerprint data bound to the interface are retrieved and it is verified whether the application program currently initiating the interface call request matches those program fingerprint data. In this way, unless an illegal program can be made to impersonate the legal program completely, it cannot pass the interface call legitimacy verification. Since it is very hard for an attacker to forge a program identical to the legal program in order to call the interface, the security of interface calls is greatly enhanced.
In summary, in one embodiment of this specification, during the whole life cycle of a given interface only the program fingerprint data of one application program can be bound, and when the interface is called for the first time the program fingerprint data of the application program that calls it are bound to the interface.
According to the method of the embodiments of this specification, program fingerprint data are bound to the interface, so that the legitimacy check of an interface call does not verify an interface call credential but instead verifies whether the application program currently initiating the interface call matches the program fingerprint data bound to the interface. Compared with the prior art, because the method of the embodiments does not use interface call credentials, the security risk brought by the leakage of interface call credentials is avoided. Further, because only the program fingerprint data of one application program can be bound during the whole life cycle of the interface, legal programs can no longer be added, removed or modified once the interface's legal program has been registered, which fundamentally prevents an illegal program from being forged into a legal program. Further, because the binding of program fingerprint data is performed when the interface is first called, the deployment and registration flow of legal programs is greatly simplified. The method of the embodiments is simple to execute, highly secure, and can effectively prevent an interface from being called illegally.
The technical solutions provided by the embodiments of this specification are described in detail below with reference to the drawings.
In one embodiment of this specification, as shown in Fig. 1, the method comprises:
S100: monitoring whether an interface call request exists;
S110: when there is an interface call request directed at the first interface, judging whether the interface call operation corresponding to the interface call request is the first-ever interface call operation of the first interface;
S120: when the interface call operation corresponding to the interface call request is the first-ever interface call operation of the first interface, binding the program fingerprint data of the application program that initiated the interface call request to the first interface, where the first interface is configured so that it can only be called by an application program matching the program fingerprint data bound to it, the program fingerprint can only match its corresponding application program, and within the whole life cycle of the first interface only the program fingerprint data of one application program can be bound.
Further, in one embodiment of this specification, the method further comprises:
when the interface call operation corresponding to the interface call request is not the first-ever interface call operation of the first interface, judging whether the application program that initiated the interface call request matches the program fingerprint data bound to the first interface;
when the application program that initiated the interface call request matches the program fingerprint data bound to the first interface, letting the interface call request through;
when the application program that initiated the interface call request does not match the program fingerprint data bound to the first interface, intercepting the interface call request.
Further, in one embodiment of this specification, when the interface call operation corresponding to the interface call request is the first-ever interface call operation of the first interface, the interface call request is let through.
Further, in one embodiment of this specification, the interface and the program fingerprint data are bound by saving the program fingerprint data into a specified directory. Specifically, in one embodiment of this specification, binding program fingerprint data to the interface comprises:
generating corresponding program fingerprint data according to the application program that initiated the interface call request;
saving the program fingerprint data into the legal-program fingerprint data storage directory corresponding to the first interface, where that legal-program fingerprint data storage directory can hold only one set of program fingerprint data.
Further, in one embodiment of this specification, as shown in Fig. 2, when the interface call operation corresponding to the interface call request is not the first-ever interface call operation of the first interface, judging whether the application program that initiated the interface call request matches the program fingerprint data bound to the first interface comprises:
S210: reading the legal-program fingerprint data storage directory corresponding to the first interface and retrieving the program fingerprint data saved there;
S220: judging whether the application program that initiated the interface call request matches the program fingerprint data;
S221: when the application program that initiated the interface call request matches the program fingerprint data, letting the interface call request through;
S222: when the application program that initiated the interface call request does not match the program fingerprint data, intercepting the interface call request.
Further, in application scenarios where legal programs are registered by saving program fingerprint data, if program fingerprint data are saved in the legal-program fingerprint data storage directory corresponding to an interface, the interface has been bound to program fingerprint data, which means the interface must already have had its first call. Therefore, in one embodiment of this specification, whether an interface has already been called for the first time is judged by whether program fingerprint data are saved under its legal-program fingerprint data storage directory. Specifically, in one embodiment of this specification, judging whether the interface call operation corresponding to the interface call request is the first-ever interface call operation of the first interface is done by judging whether program fingerprint data are saved in the legal-program fingerprint data storage directory corresponding to the first interface.
Specifically, in one embodiment of this specification, as shown in Fig. 3, the method comprises:
S310: receiving an interface call request directed at the first interface;
S320: judging whether program fingerprint data are saved in the legal-program fingerprint data storage directory corresponding to the first interface;
S330: when no program fingerprint data are saved in the legal-program fingerprint data storage directory, generating program fingerprint data according to the application program that initiated the interface call request and saving them; and S351: letting the interface call request through;
S340: when program fingerprint data are saved in the legal-program fingerprint data storage directory, retrieving those program fingerprint data;
S350: judging whether the application program that initiated the interface call request matches the program fingerprint data;
S351: when the application program that initiated the interface call request matches the program fingerprint data, letting the interface call request through;
S352: when the application program that initiated the interface call request does not match the program fingerprint data, intercepting the interface call request.
Further, in some application scenarios an application program is updated. Because there are data differences between the application program before and after the update, the updated application program may no longer match the saved program fingerprint data. For this case, in one embodiment of this specification, when the application program is updated, the corresponding saved program fingerprint data are updated as well.
Specifically, in one embodiment of this specification, the method further comprises: when the application program corresponding to the program fingerprint data is updated, deleting the program fingerprint data saved in the corresponding legal-program fingerprint data storage directory. In this way, when the updated application program calls the interface for the first time, the program fingerprint data previously saved in the interface's legal-program fingerprint data storage directory have already been deleted, so under the method of this embodiment the interface is treated as having no bound program fingerprint data, that is, as being called for the first time; program fingerprint data are then generated from the updated application program and the new program fingerprint data are saved into the legal-program fingerprint data storage directory.
Specifically, in one embodiment of this specification, as shown in Fig. 4:
S410: when an application program is updated, identifying the interfaces whose legal program is that application program;
S420: deleting the program fingerprint data in the legal-program fingerprint data storage directory corresponding to each such interface;
S430: when the updated application program calls the interface for the first time, generating program fingerprint data according to the updated application program;
S440: saving the newly generated program fingerprint data into the legal-program fingerprint data storage directory.
Further, in one embodiment of this specification, taking an application scenario as an example, assume there is an interface B run by program B, and a program A that can call interface B (program A is the legal program of interface B); interface B allows only program A to call it. Interface B regards the program that calls it for the first time as its legal program and, for the whole life cycle of interface B, allows only this trusted program to call it. The update flow of program A is shown in Figure 5.
S510: the delivery system updates program A.
S511: program A reports back to the delivery system that the interface B it calls needs to be updated in sync.
S520: the delivery system updates program B and interface B.
S521: program B empties the local Key file of interface B.
After program A finishes updating (S531) and program B finishes updating (S532), program A calls interface B, and the program fingerprint data (Secret) of the updated program A are written into the Key file of interface B (the legal program fingerprint data storage directory).
Further, an attacker who has learned the legal-program verification logic of this embodiment might delete the program fingerprint data by hand and then, through a race condition, pre-empt the legal program in calling the interface, thereby bypassing legal-program verification. To prevent this, in one embodiment of this specification the saved program fingerprint data are placed under security monitoring, and abnormal modification and deletion operations are monitored.
Further, a local file is far harder to crack and tamper with through non-local operations than a network file is. Therefore, in one embodiment of this specification, the legal program fingerprint data storage directory corresponding to an interface is located under the interface's local file directory. In addition, because the program fingerprint data are stored in a local file rather than in memory, they are not lost when an attacker restarts the interface program by hand.
Further, in one embodiment of this specification, the path of the legal program fingerprint data storage directory within the local file directory is customizable, that is, the developer can customize the storage location and file name of the program fingerprint data. This considerably increases the difficulty for an attacker of locating the program fingerprint data, and so improves security.
Further, to ensure a correct correspondence between program fingerprint data and the legal program, and to prevent mismatches or the forgery of program fingerprint data or of the legal program, in one embodiment of this specification the program fingerprint data are program fingerprint information that has been passed through a cryptographic computation; specifically, the program fingerprint information includes the executable file and/or the program directory of the application program.
Because the program fingerprint information includes the executable file and/or program directory of the application program, it is difficult or even impossible for an attacker to forge a malicious program that passes the interface's authentication in place of the legal program: as soon as malicious code is injected into the legal program, the program fingerprint information necessarily changes.
Further, in one embodiment of this specification, as shown in Figure 6, when the interface call operation corresponding to the interface call request is not the first interface call operation of the first interface, judging whether the application program that initiated the interface call request matches the program fingerprint data bound to the first interface proceeds as follows:
S600: read the program fingerprint data from the legal program fingerprint data storage directory corresponding to the first interface;
S610: identify the program fingerprint information of the application program that initiated the interface call request;
S620: perform the cryptographic computation on the program fingerprint information of the application program that initiated the interface call request;
S630: compare the program fingerprint data with the result of the cryptographic computation over the program fingerprint information of the application program that initiated the interface call request, and check whether they are identical.
Further, in one embodiment of this specification, the program fingerprint data of an application program are obtained as follows: when the application program initiates an interface call request, the interface obtains the process PID of the application program by associating information such as the process and port, and then obtains the program fingerprint data of the application program from that process PID.
Specifically, in one embodiment of this specification, after the process PID of the application program has been obtained, the following features of the process are obtained under a Linux operating system:
1. Command line: /proc/pid/cmdline, the complete command line of the process;
2. Executable file: /proc/pid/exe, the path of the binary file executed by the process;
3. Working directory: /proc/pid/cwd, the current working directory of the process;
4. Environment variables: /proc/pid/environ, the environment variables of the process;
5. Opened files: /proc/pid/fd, information on the files the process has opened.
Further, in some application scenarios the process features obtained above are not yet sufficient to prove the uniqueness of the application program's identity. Therefore, in one embodiment of this specification, the following feature extraction is additionally performed on the features above:
1. Extract the content hash (hash value) of the command line. Extraction method: md5sum /proc/pid/cmdline
2. Extract the file name, attributes, modification time and content hash of the executable file. Extraction method: stat /proc/pid/exe, md5sum /proc/pid/exe
3. Extract the directory name, attributes and modification time of the working directory. Extraction method: stat /proc/pid/exe
4. Extract the content hash of the environment variables. Extraction method: md5sum /proc/pid/environ
5. Extract the file name, attributes, modification time and content hash of the opened file. Extraction method: stat /proc/pid/fd/0, md5sum /proc/pid/fd/0.
The feature extraction above yields the following 13 specific feature values:
1. command line hash
2. executable file name
3. executable file attributes
4. executable file modification time
5. executable file content hash
6. working directory name
7. working directory attributes
8. working directory modification time
9. environment variable content hash
10. opened file name
11. opened file attributes
12. opened file modification time
13. opened file content hash.
Further, in one embodiment of this specification, the 13 values above are encrypted with MD5 according to a fixed format. Specifically, in one embodiment of this specification, the values are concatenated into a string and MD5 is applied directly to the result; the output is the program fingerprint data of the application program.
Further, because the program fingerprint data require capturing process information such as the program's command line, executable file and opened files, in one embodiment of this specification the legal program and the interface must be deployed on the same server.
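The feature extraction and fingerprint computation described above, as an added example that is not code from the patent. It reads the five /proc entries the page lists (cmdline, exe, cwd, environ, fd/0), derives the 13 feature values in the page's order and MD5-hashes their concatenation, as the page specifies. Two choices are assumptions of this example rather than the page's: the working directory is read through /proc/pid/cwd, and the content of fd/0 is hashed only when it is a regular file, since reading a terminal or pipe would block. The `build_fake_proc` helper builds a constructed stand-in for /proc/<pid> so the example runs offline; against a live system `collect_features(pid)` reads the real /proc. MD5 is used because the page specifies it; a deployment would normally pick a collision-resistant hash such as SHA-256.

```python
import hashlib
import os
import stat
import tempfile


def _md5_of_file(path: str) -> str:
    """MD5 of a file's content (the page's `md5sum`)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _name_attr_mtime(link: str):
    """Link target, permission bits and mtime of the object a /proc link
    points at (the page's `stat`). os.stat follows the link to the target."""
    target = os.readlink(link)
    st = os.stat(link)
    return target, oct(stat.S_IMODE(st.st_mode)), str(st.st_mtime_ns)


def collect_features(pid: int, proc_root: str = "/proc") -> list:
    """Return the page's 13 feature values of process `pid`, in its order."""
    base = os.path.join(proc_root, str(pid))
    features = []
    # 1. command line content hash
    features.append(_md5_of_file(os.path.join(base, "cmdline")))
    # 2-5. executable file: name, attributes, modification time, content hash
    exe = os.path.join(base, "exe")
    features.extend(_name_attr_mtime(exe))
    features.append(_md5_of_file(exe))
    # 6-8. working directory: name, attributes, modification time (assumed: cwd link)
    features.extend(_name_attr_mtime(os.path.join(base, "cwd")))
    # 9. environment variable content hash
    features.append(_md5_of_file(os.path.join(base, "environ")))
    # 10-13. opened file fd/0: name, attributes, modification time, content hash
    fd0 = os.path.join(base, "fd", "0")
    features.extend(_name_attr_mtime(fd0))
    if stat.S_ISREG(os.stat(fd0).st_mode):
        features.append(_md5_of_file(fd0))
    else:
        # fd 0 is often a tty or pipe; reading it would block, so record that instead
        features.append("non-regular")
    return features


def program_fingerprint(features) -> str:
    """Concatenate the 13 values into one string and MD5 it, as the page describes."""
    if len(features) != 13:
        raise ValueError("expected 13 feature values")
    return hashlib.md5("|".join(features).encode()).hexdigest()


def build_fake_proc(pid: int = 4242) -> str:
    """Constructed stand-in for /proc/<pid> so the example runs offline.
    Returns the fake proc root; real use passes proc_root='/proc'."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    base = os.path.join(root, str(pid))
    os.makedirs(os.path.join(base, "fd"))
    bin_path = os.path.join(root, "program_a")          # constructed "binary"
    with open(bin_path, "wb") as f:
        f.write(b"\x7fELF fake program A binary")
    workdir = os.path.join(root, "srv")
    os.mkdir(workdir)
    stdin_path = os.path.join(root, "stdin.txt")        # constructed fd 0 target
    with open(stdin_path, "wb") as f:
        f.write(b"")
    with open(os.path.join(base, "cmdline"), "wb") as f:
        f.write(b"/srv/program_a\x00--serve\x00")
    with open(os.path.join(base, "environ"), "wb") as f:
        f.write(b"PATH=/usr/bin\x00HOME=/srv\x00")
    os.symlink(bin_path, os.path.join(base, "exe"))
    os.symlink(workdir, os.path.join(base, "cwd"))
    os.symlink(stdin_path, os.path.join(base, "fd", "0"))
    return root


def demo() -> tuple:
    """Fingerprint a constructed process twice, then alter its executable and
    fingerprint it again: the fingerprint is stable, and any change to the
    binary (an update, or injected code) changes it."""
    pid = 4242
    root = build_fake_proc(pid)
    before = program_fingerprint(collect_features(pid, root))
    again = program_fingerprint(collect_features(pid, root))
    with open(os.path.join(root, "program_a"), "ab") as f:
        f.write(b"\nextra bytes appended to the binary")
    after = program_fingerprint(collect_features(pid, root))
    return before, again, after


if __name__ == "__main__":
    print(demo())
```

Note that the fingerprint embeds the executable's modification time and the temporary path names, so its value differs from machine to machine; what a deployment relies on is that it is stable for an unchanged program and changes as soon as the binary, command line, environment or opened file changes.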
Specifically, in one embodiment of this specification, taking an application scenario as an example, assume there is an interface B run by program B, and a program A that can call interface B (program A is the legal program of interface B); interface B allows only program A to call it. Interface B regards the program that calls it for the first time as its legal program and, for the whole life cycle of interface B, allows only this trusted program to call it. The call flow for interface B is shown in Figure 7.
S710: program A initiates a request to call interface B for the first time.
S720: after interface B is called, it first identifies the fingerprint information of program A, obtaining information such as the executable file and program directory of program A, and runs a series of cryptographic algorithms over it to obtain the program fingerprint data (Secret) of program A.
Interface B then obtains the locally saved program fingerprint data, which are stored in the local Key file (the legal program fingerprint data storage directory).
S731: if the content of the local Key file is empty, interface B considers itself to be called for the first time and allows any program to call it;
S732: if the content of the local Key file is not empty, interface B compares the Secret of program A with the content of the local Key file, and allows the call only if the comparison succeeds.
Since this is the first call, the content of the local Key file is empty, and interface B now regards program A as its legal program.
S740: interface B writes the Secret of legal program A into the local Key file.
S750: interface B allows program A to call and returns the interface call result to program A.
At this point interface B has established that program A is the legal program permitted to call it, and has stored the encrypted identity credential of legal program A in the local Key file.
S760: program A initiates a second (n-th) request to call interface B.
S761: interface B identifies the fingerprint information of program A, obtaining information such as the executable file and program directory of program A, and runs the series of cryptographic algorithms to obtain the Secret of program A.
S762: interface B obtains the content of the local Key file; since it is not empty, interface B compares the Secret of program A with the content of the local Key file.
S763: the comparison shows that the Secret of program A is identical to the content of the local Key file.
S764: interface B allows program A to call and returns the interface call result to program A.
Further, in one embodiment of this specification, taking an application scenario as an example, assume there is an interface B run by program B, and a program A that can call interface B (program A is the legal program of interface B); interface B allows only program A to call it. Interface B regards the program that calls it for the first time as its legal program and, for the whole life cycle of interface B, allows only this trusted program to call it. Now assume an attacker has intruded into interface B and has written a program C to call interface B illegitimately. The flow of program C calling interface B is shown in Figure 8.
S810: program C initiates a request to call interface B.
S820: after interface B is called, it identifies the fingerprint information of program C, obtaining information such as the executable file and program directory of program C, and runs the series of cryptographic algorithms to obtain the Secret of program C.
Interface B obtains the content of the local Key file; if the Key file content is empty, interface B considers itself to be called for the first time and allows any program to call it.
S830: if the Key file content is not empty, interface B compares the Secret with the Key content and judges whether they are identical.
S831: the comparison shows that the Key file content differs from the Secret of program C.
S840: interface B does not allow program C to call and returns a call failure.
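The first-call binding, the comparison on later calls, the rejection of an unknown caller and the reset after a legal-program update (Figures 4, 5, 7 and 8 above), as an added example that is not code from the patent. `InterfaceGate` plays interface B; the Key file path and the fingerprint strings are constructed stand-ins, and in a deployment the fingerprint would come from the process-feature computation the page describes. Two hardenings are this example's assumptions, not the page's: the Key file is created with `O_EXCL`, so two programs racing on the first call cannot both become the legal program, and the interface keeps the value it bound or matched in memory so that an out-of-band deletion or edit of the Key file is flagged rather than silently treated as a fresh first call, which is the monitoring the page asks for.

```python
import hmac
import os
import tempfile


class InterfaceGate:
    """Legal-program check for one interface (interface B of the page).

    key_path is the interface's local Key file, i.e. the page's legal program
    fingerprint data storage directory; its location is a deployment choice.
    """

    def __init__(self, key_path: str):
        self.key_path = key_path
        # Fingerprint bound or matched earlier in this lifecycle. A legitimate
        # update clears it via on_legal_program_updated(); any other change of
        # the Key file while it is set is treated as tampering.
        self._expected = None

    def _stored(self) -> str:
        """Key file content, or '' when the file is absent (never bound)."""
        try:
            with open(self.key_path, "r") as f:
                return f.read()
        except FileNotFoundError:
            return ""

    def _bind(self, secret: str) -> bool:
        """Create the Key file exclusively: of two callers racing on the first
        call, only one can create the file and become the legal program."""
        try:
            fd = os.open(self.key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            return False
        with os.fdopen(fd, "w") as f:
            f.write(secret)
        return True

    def call(self, caller_secret: str):
        """Gate one interface call. Returns (allowed, reason)."""
        stored = self._stored()
        if self._expected is not None:
            # Bound earlier in this lifecycle: the file must still hold that
            # value. A missing or different value is an abnormal delete/modify.
            if not hmac.compare_digest(stored, self._expected):
                return False, "tampered"
        if stored == "":
            # First call (S731/S740): bind the caller for the whole lifecycle.
            if self._bind(caller_secret):
                self._expected = caller_secret
                return True, "bound"
            stored = self._stored()  # lost the race; compare with the winner
        if hmac.compare_digest(stored, caller_secret):
            self._expected = stored
            return True, "matched"   # S763/S764
        return False, "rejected"     # S831/S840

    def on_legal_program_updated(self):
        """S420/S521: the legal program was updated, so drop the stored
        fingerprint; the next caller is bound as the new legal program."""
        try:
            os.remove(self.key_path)
        except FileNotFoundError:
            pass
        self._expected = None


def scenario() -> list:
    """Walk through the page's flows with constructed fingerprint strings."""
    key = os.path.join(tempfile.mkdtemp(prefix="iface-b-"), "key")  # constructed path
    gate = InterfaceGate(key)
    out = []
    out.append(gate.call("secret-of-program-A"))   # S710-S750: first call, bound
    out.append(gate.call("secret-of-program-A"))   # S760-S764: n-th call, matched
    out.append(gate.call("secret-of-program-C"))   # S810-S840: other program, rejected
    gate.on_legal_program_updated()                # Figure 5: program A updated
    out.append(gate.call("secret-of-updated-A"))   # updated A rebinds
    os.remove(key)                                 # Key file deleted out of band
    out.append(gate.call("secret-of-program-C"))   # flagged, not rebound
    return out


if __name__ == "__main__":
    for allowed, reason in scenario():
        print(allowed, reason)
```

The in-memory `_expected` value does not survive a restart of the interface program; the Key file does, which is the page's reason for keeping the fingerprint in a local file rather than in memory. After a restart the binding is therefore still enforced, and the first successful match re-establishes the tamper baseline.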
Further, the embodiments of this specification also propose an interface calling system. As shown in Figure 9, the system includes:
an interface call request monitoring module 910, configured to judge, when there is an interface call request directed at a first interface, whether the interface call operation corresponding to the interface call request is the first interface call operation of the first interface;
a legal program registration module 920, configured to bind, when the interface call operation corresponding to the interface call request is the first interface call operation of the first interface, the program fingerprint data of the application program that initiated the interface call request to the first interface, wherein the first interface is configured to be callable only by an application program whose program fingerprint data match those bound to it, the program fingerprint data can match only their corresponding application program, and within the whole life cycle of the first interface the program fingerprint data of only one application program can be bound.
Further, based on the method of the invention, the invention also provides a device for processing information on a user equipment client. The device includes a memory for storing computer program instructions and a processor for executing the program instructions, wherein, when the computer program instructions are executed by the processor, the device is triggered to execute the method of the invention.
In the 1990s, an improvement to a technology could be clearly classified as a hardware improvement (for example, an improvement to a circuit structure such as a diode, transistor or switch) or a software improvement (an improvement to a method flow). With the development of technology, however, many of today's method-flow improvements can be regarded as direct improvements to hardware circuits: designers almost always obtain the corresponding hardware circuit by programming the improved method flow into hardware. It therefore cannot be said that an improvement to a method flow cannot be implemented by a hardware entity module. For example, a programmable logic device (PLD), such as a field programmable gate array (FPGA), is an integrated circuit whose logic function is determined by the user's programming of the device. The designer programs it to "integrate" a digital system onto a single PLD, without asking a chip manufacturer to design and make a dedicated integrated-circuit chip. Moreover, instead of making the chip by hand, this programming is now mostly done with "logic compiler" software, which resembles the compiler used in software development; the source code before compilation is likewise written in a specific programming language called a hardware description language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art will also understand that a hardware circuit implementing a logical method flow can readily be obtained simply by logic-programming the method flow in one of the above hardware description languages and programming it into an integrated circuit.
A controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (such as software or firmware) executable by the (micro)processor, or of logic gates, switches, an application specific integrated circuit (ASIC), a programmable logic controller or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicone Labs C8051F320; a memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art also know that, besides implementing the controller purely as computer-readable program code, the method steps can be logic-programmed so that the controller achieves the same functions in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be regarded as a hardware component, and the means it contains for realizing various functions may also be regarded as structures within the hardware component. Indeed, means for realizing various functions may be regarded both as software modules implementing the method and as structures within the hardware component.
The systems, apparatuses, modules or units described in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. A typical implementing device is a computer; specifically, the computer may be, for example, a personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media player, navigation device, e-mail device, game console, tablet computer, wearable device or any combination of these devices.
For convenience of description, the above apparatus is described by dividing it into units according to function. Of course, when implementing this application, the functions of the units may be realized in one or more pieces of software and/or hardware.
Those skilled in the art will understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, may be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that realize the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" and any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
This application may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform specific tasks or implement specific abstract data types. This application may also be practised in distributed computing environments, in which tasks are executed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in local and remote computer storage media, including storage devices.
The embodiments in this specification are described in a progressive manner; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the others. In particular, because the system embodiment is substantially similar to the method embodiment, it is described relatively simply, and the relevant parts may be found in the description of the method embodiment.
The above description presents only examples of this application and is not intended to limit it. Those skilled in the art may make various changes and variations to this application. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of this application shall be included within the scope of its claims.

Claims (10)

1. An interface call method, the method comprising:
when there is an interface call request directed at a first interface, judging whether the interface call operation corresponding to the interface call request is the first interface call operation of the first interface;
when the interface call operation corresponding to the interface call request is the first interface call operation of the first interface, binding the program fingerprint data of the application program that initiated the interface call request to the first interface, wherein the first interface is configured to be callable only by an application program whose program fingerprint data match those bound to it, the program fingerprint data can match only their corresponding application program, and within the whole life cycle of the first interface the program fingerprint data of only one application program can be bound.
2. The method according to claim 1, wherein binding the program fingerprint data of the application program that initiated the interface call request to the first interface comprises:
generating corresponding program fingerprint data from the application program that initiated the interface call request;
saving the program fingerprint data into a legal program fingerprint data storage directory corresponding to the first interface, the legal program fingerprint data storage directory being able to save only one set of the program fingerprint data.
3. The method according to claim 2, wherein judging whether the interface call operation corresponding to the interface call request is the first interface call operation of the first interface comprises judging whether program fingerprint data are saved in the legal program fingerprint data storage directory corresponding to the first interface.
4. The method according to claim 3, the method further comprising:
when the application program corresponding to the program fingerprint data is updated, deleting the program fingerprint data saved in the corresponding legal program fingerprint data storage directory.
5. The method according to any one of claims 2 to 4, wherein the legal program fingerprint data storage directory is located under the local file directory of the first interface.
6. The method according to any one of claims 1 to 5, wherein the program fingerprint data are data obtained by a cryptographic computation and comprise the executable file and/or program directory of the application program.
7. The method according to claim 6, the method further comprising obtaining the program fingerprint data of the application program, wherein, when the application program initiates an interface call request, the process PID of the application program is obtained by associating process and port information, and the program fingerprint data of the application program are obtained from the process PID.
8. The method according to claim 7, wherein the program fingerprint data comprise the command line content hash value, the executable file name, the executable file attributes, the executable file modification time, the executable file content hash value, the working directory name, the working directory attributes, the working directory modification time, the environment variable content hash value, the opened file name, the opened file attributes, the opened file modification time and the opened file content hash value.
9. An interface calling system, the system comprising:
an interface call request monitoring module, configured to judge, when there is an interface call request directed at a first interface, whether the interface call operation corresponding to the interface call request is the first interface call operation of the first interface;
a legal program registration module, configured to bind, when the interface call operation corresponding to the interface call request is the first interface call operation of the first interface, the program fingerprint data of the application program that initiated the interface call request to the first interface, wherein the first interface is configured to be callable only by an application program whose program fingerprint data match those bound to it, the program fingerprint data can match only their corresponding application program, and within the whole life cycle of the first interface the program fingerprint data of only one application program can be bound.
10. A device for processing information on a user equipment client, the device comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein, when the computer program instructions are executed by the processor, the device is triggered to execute the method according to any one of claims 1 to 8.
CN201910484848.9A 2019-06-05 2019-06-05 Interface calling method, system and equipment Active CN110308955B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910484848.9A CN110308955B (en) 2019-06-05 2019-06-05 Interface calling method, system and equipment

Publications (2)

Publication Number Publication Date
CN110308955A true CN110308955A (en) 2019-10-08
CN110308955B CN110308955B (en) 2023-03-31

Family

ID=68075180

Country Status (1)

Country Link
CN (1) CN110308955B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111083541A (en) * 2019-12-30 2020-04-28 深圳Tcl数字技术有限公司 Interface calling method and device, smart television and readable storage medium
CN112000949A (en) * 2020-08-26 2020-11-27 中国联合网络通信集团有限公司 Program package calling method, system, terminal device and computer readable storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070118534A1 (en) * 2005-11-18 2007-05-24 Database-Brothers, Inc. Auditing database end user activity in one to multi-tier web application and local environments
WO2013009385A2 (en) * 2011-07-08 2013-01-17 Uniloc Usa Device-bound certificate authentication
CN105718779A (en) * 2016-01-20 2016-06-29 广东欧珀移动通信有限公司 Application program login method and user terminal
CN105991287A (en) * 2015-02-26 2016-10-05 阿里巴巴集团控股有限公司 Signature data generation and fingerprint authentication request method and device
CN107621921A (en) * 2017-08-03 2018-01-23 广东小天才科技有限公司 A kind of application program launching method and mobile device
CN107707554A (en) * 2017-10-18 2018-02-16 维沃移动通信有限公司 A kind of login method and mobile terminal of application program account
WO2018166169A1 (en) * 2017-03-16 2018-09-20 广东欧珀移动通信有限公司 Fingerprint recognition method and related product
CN108566389A (en) * 2018-03-28 2018-09-21 中国工商银行股份有限公司 A kind of fingerprint identity validation method and device across application

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Y. Kurita et al.: "A fingerprint pointing device utilizing the deformation of the fingertip during the incipient slip", IEEE Transactions on Robotics *
Jiang Xu et al.: "A method for dynamic monitoring of Android applications", Journal of Northwestern Polytechnical University *
Chen Yulei: "Research and implementation of multi-biometric cryptography technology", China Master's Theses Full-text Database, Information Science and Technology series *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111083541A (en) * 2019-12-30 2020-04-28 Shenzhen TCL Digital Technology Co., Ltd. Interface calling method and device, smart television and readable storage medium
CN112000949A (en) * 2020-08-26 2020-11-27 China United Network Communications Group Co., Ltd. Program package calling method, system, terminal device and computer readable storage medium
CN112000949B (en) * 2020-08-26 2023-06-16 China United Network Communications Group Co., Ltd. Program package calling method, system, terminal device and computer readable storage medium

Also Published As

Publication number Publication date
CN110308955B (en) 2023-03-31

Similar Documents

Publication Publication Date Title
US11270306B2 (en) Asset management method and apparatus, and electronic device
KR102396739B1 (en) Asset management method and apparatus, and electronic device
RU2728524C1 (en) Method and device for consensus verification
JP7030981B2 (en) Asset management methods and equipment, and electronic devices
KR102327574B1 (en) Blockchain-based transaction processing method and device
US11321308B2 (en) Asset management method and apparatus, and electronic device
CN107483509A (en) Identity authentication method, server and readable storage medium
CN116049785A (en) Identity authentication method and system
CN106063185A (en) Methods and apparatus to securely share data
CN107911393A (en) Data security management system and method
US20220329446A1 (en) Enhanced asset management using an electronic ledger
US11265174B2 (en) Method, apparatus, and device for processing blockchain data
CN109492421A (en) Data processing method, electronic device and storage medium for security middleware based on the Android system
CN110308955A (en) Interface calling method, system and device
US20200244441A1 (en) One-time password with unpredictable moving factor
CN110602051B (en) Information processing method based on consensus protocol and related device
EP3975015B1 (en) Applet package sending method and device and computer readable medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20200925

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman, Cayman Islands

Applicant after: Advanced innovation technology Co., Ltd.

Address before: Fourth floor, P.O. Box 847, Capital Building, Grand Cayman, British Cayman Islands

Applicant before: Alibaba Group Holding Ltd.

TA01 Transfer of patent application right

Effective date of registration: 20200925

Address after: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman, Cayman Islands

Applicant after: Innovative advanced technology Co., Ltd.

Address before: Cayman Enterprise Centre, 27 Hospital Road, George Town, Grand Cayman, Cayman Islands

Applicant before: Advanced innovation technology Co., Ltd.

GR01 Patent grant