CN110990844A - Cloud data protection method based on kernel, cloud server and system - Google Patents


Info

Publication number
CN110990844A
Authority
CN
China
Prior art keywords
program
folder
identification number
permission
cloud server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911022164.3A
Other languages
Chinese (zh)
Other versions
CN110990844B (en)
Inventor
赵树升
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Dahua Technology Co Ltd
Original Assignee
Zhejiang Dahua Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Dahua Technology Co Ltd
Priority to CN201911022164.3A
Publication of CN110990844A
Application granted
Publication of CN110990844B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The application relates to a kernel-based cloud data protection method, a cloud server, a system, a computer device and a storage medium. The method comprises the following steps: a kernel program of the cloud server obtains a security policy and takes over the file operation function of the cloud server, wherein a permission array in the security policy is the permission correspondence between a process and a folder; a first process identification number of a first process is obtained, the permission array is queried, and it is judged whether the first process identification number exists in the permission array; if yes, it is judged whether the first folder is a folder which the first process identification number is allowed to access; and if yes, the file operation function allows the first process to operate the first folder. According to the method, the file operation permission can be separated from the administrator permission and tied only to the user, so that the protection of data on the cloud is enhanced and the security of data on the cloud is improved.

Description

Cloud data protection method based on kernel, cloud server and system
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, a cloud server, a system, a computer device, and a storage medium for protecting cloud data based on a kernel.
Background
With the development of network technology, cloud storage has appeared, and a large number of enterprises and individuals now use clouds to store data on a large scale, so the information security of data on the cloud is very important. In the related art, important files are protected from illegal access by permission control, and various encryption technologies are also applied to important files so that their plaintext cannot be obtained maliciously. However, the security protection methods for program loading and file reading and writing on a cloud server in the related art mainly guard against intrusion from outside the system, for example by authenticating the identity of a visitor; malicious behaviour from inside the cloud server system can still threaten data on the cloud. For example, once an intruder obtains administrator privileges, files on the cloud server can be accessed easily, and an administrator of the cloud server can also read and write all important files deployed on the cloud.
Aiming at the problem that the data on the cloud is illegally accessed by using the identity of a system or a device administrator in the related art, an effective solution is not provided at present.
Disclosure of Invention
The invention provides a cloud data protection method based on a kernel, a cloud server, a system, computer equipment and a storage medium, aiming at the problem that the data on the cloud is illegally accessed by using the identity of a system or equipment administrator in the related art, and at least solving the problem.
In order to achieve the purpose, the invention adopts the following cloud data protection method based on the kernel, which comprises the following steps:
a method for cloud data protection based on a kernel, the method comprising:
a kernel program on a cloud server acquires a security policy, wherein the security policy comprises a permission array, and the permission array indicates the permission corresponding relation between a process and a folder;
the kernel program takes over the file operation function of the cloud server;
obtaining a first process identification number of a first process, querying the permission array, and judging whether the first process identification number exists in the permission array; if the first process identification number exists in the permission array, judging whether a first folder is a folder which the first process identification number is allowed to access; and if the first folder is a folder which the first process identification number is allowed to access, the file operation function allowing the first process to operate the first folder.
In one embodiment, after the kernel program on the cloud server acquires the security policy, the method includes:
the kernel program takes over a process loading function of the cloud server;
acquiring program information of a first program to be started, comparing the program information with a white list in the security policy, and allowing the first program to be started by the process loading function if the program information is matched with information in the white list; and acquiring a second process identification number generated by the operation of the first program, and putting a folder which is accessed by the second process identification number and the second process identification number into an authority array according to the program information and the file authority set in the security policy.
In one embodiment, the placing the folder to which the second process identification number and the second process identification number have access right into the permission array according to the program information and the file permission set includes:
inquiring the file authority set according to the program information, and acquiring a folder which the first program allows to access and an operation which is allowed to be executed on the folder, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value;
and putting a second process identification number, the folder which the first program is allowed to access and the operation into a permission array.
In one embodiment, obtaining program information of a first program to be started, comparing the program information with the white list, and if the program information matches information in the white list, the process loading function allowing the first program to be started includes:
acquiring program information of a first program to be started, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value;
comparing the program information with the white list;
and if the program information is matched with the information in the white list, allowing the first program to be started by the process loading function.
According to another aspect of the present invention, there is also provided a cloud server, including:
the system comprises a policy module, a file processing module and a file management module, wherein the policy module is used for acquiring a security policy, and the security policy comprises a permission array, and the permission array indicates the permission corresponding relation between a process and a folder;
the takeover module is used for taking over a file operation function of the cloud server;
the first permission module is used for acquiring a first process identification number of a first process, inquiring a permission array, judging whether the first process identification number exists in the permission array, if so, judging whether a first folder is a folder which the first process identification number allows to access, and if so, allowing the first process to perform first operation on the first folder by the file operation function.
In one embodiment, the cloud server further comprises:
the takeover module is also used for taking over the process loading function of the cloud server;
the second authority module is used for acquiring program information of a first program to be started, comparing the program information with the white list, and allowing the first program to be started by the process loading function if the program information is matched with information in the white list in the security policy; acquiring a second process identification number generated by the operation of the first program, and putting a folder which is accessed by the second process identification number and the second process identification number into an authority array according to the program information and the file authority set in the security policy;
in one embodiment, the second permission module is further for:
inquiring the file authority set according to the program information, and acquiring a folder which the first program allows to access and an operation which is allowed to be executed on the folder, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value; and putting a second process identification number, the folder which the first program is allowed to access and the operation into a permission array.
In one embodiment, the second permission module is further for:
acquiring program information of a first program to be started, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value; comparing the program information with the white list; and if the program information is matched with the information in the white list, allowing the first program to be started by the process loading function.
According to another aspect of the present invention, there is also provided a kernel-based cloud data protection system, including a management machine (hypervisor) and a cloud server:
the management machine issues a security policy to the cloud server after the cloud server is started;
a kernel program on a cloud server acquires a security policy, wherein the security policy comprises a permission array, and the permission array indicates the permission corresponding relation between a process and a folder; the kernel program takes over the file operation function of the cloud server; the method comprises the steps of obtaining a first process identification number of a first process, inquiring a permission array, judging whether the first process identification number exists in the permission array, judging whether a first folder is a folder which the first process identification number allows to access if the first process identification number exists in the permission array, and allowing the first process to perform first operation on the first folder by a file operation function if the first folder is the folder which the first process identification number allows to access.
According to another aspect of the present invention, there is also provided a computer device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the above-mentioned kernel-based cloud data protection method when executing the computer program.
According to another aspect of the present invention, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the above-described kernel-based cloud data protection method.
According to the cloud data protection method based on the kernel, the cloud server, the system, the computer device and the storage medium, the security policy is obtained through the kernel program running on the kernel layer, and the file operation function of the cloud server is taken over, wherein the authority array in the security policy is the authority corresponding relation between the process and the folder, and as the execution path of the program of the kernel layer is related to the user executing the program, the authority corresponding relation between the process ID corresponding to the program and the folder also designates the authority corresponding relation between the user executing the program and the folder; therefore, whether the first process can operate the first folder or not can be judged according to the first process identification number and the permission array. According to the method, the file operation authority can be separated from the administrator authority and only related to the user, so that the protection of the data on the cloud is enhanced, and the safety of the data on the cloud is improved.
Drawings
Fig. 1 is a schematic view of an application scenario of a kernel-based cloud data protection method according to an embodiment of the present invention;
FIG. 2 is a first flowchart of a method for kernel-based cloud data protection according to an embodiment of the present invention;
FIG. 3 is a flowchart of a kernel-based cloud data protection method according to an embodiment of the present invention;
fig. 4 is a schematic diagram of a method of a cloud server for kernel-based cloud data protection according to an embodiment of the present invention;
fig. 5 is a first schematic diagram of a cloud server for kernel-based cloud data protection according to an embodiment of the present invention;
fig. 6 is a second schematic diagram of a cloud server for kernel-based cloud data protection according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Fig. 1 is a schematic view of an application scenario of a kernel-based cloud data protection method according to an embodiment of the present invention, and the method may be applied to the application environment shown in fig. 1. The cloud server 102 and the cloud management machine 104 communicate with each other through a network. The cloud server 102 is a program serving as a virtual computer: it runs on the operating system of the cloud-side management machine 104 and provides virtual hardware to a user operating system, where the virtual hardware includes a CPU, memory, a hard disk drive, a network interface and other devices. The user operating system runs in a window on the host operating system like any other program on the computer, yet from the perspective of the user operating system the cloud server 102 is a real physical computer; the management machine 104 is responsible for scheduling and managing the resources of all cloud servers 102 running on it. The management machine 104 may be implemented as a stand-alone server or as a server cluster composed of multiple servers.
In an embodiment, fig. 2 is a flowchart of a first method for protecting cloud data based on a kernel according to an embodiment of the present invention, and as shown in fig. 2, a method for protecting cloud data based on a kernel is provided, which is described by taking an example that the method is applied to the cloud server 102 in fig. 1, and includes the following steps:
step S210, a kernel program on the cloud server 102 acquires a security policy, wherein the security policy comprises a permission array, and the permission array indicates a permission correspondence between a process and a folder;
in this step S210, the cloud server 102 obtains a security policy from the management end 104, where the security policy includes a permission array, and the permission array describes an authorized process corresponding to the cloud server 102 and folder information authorized to be accessed. After the cloud server 102 is started, the kernel program deployed on the cloud server 102 acquires the policy from the management machine 104 to complete the set protection operation. The security policy is generated by a policy generator that associates the process with the protected folder.
Step S220, the kernel program takes over the file operation function of the cloud server;
the kernel program installed on the cloud server 102 modifies the kernel source code to take over the main file operation functions of the virtual machine, which include sys _ open (open file), sys _ create (new file), sys _ news (modify file attribute), sys _ rename (rename file), sys _ chdir (change current path), sys _ mkdir (create folder), sys _ unlinkat (delete file), sys _ rmdir (delete folder), so that the kernel program can complete the management and control of file operation from the kernel level.
Step S230, obtaining a first process identification number of the first process, querying the permission array, determining whether the permission array has the first process identification number, if so, determining whether the first folder is a folder that the first process identification number allows to access, and if so, allowing the first process to operate the first folder by the file operation function.
In step S230, when the first process wants to access a file in the protected first folder, the kernel program first queries whether the permission array contains the process identification number of the first process (for example its process ID); if not, the access is rejected directly. If it does, the kernel program queries whether the first folder is in the folder array that the process is authorized to access; if not, the operation is intercepted, and if so, the first process may access and operate on the files in the first folder.
In the above cloud data protection method based on the kernel, a security policy is obtained by a kernel program running on a kernel layer and takes over a file operation function of the cloud server 102, wherein a permission array in the security policy is a permission corresponding relationship between a process and a folder; in the kernel level, different users may generate different process identification numbers for the execution of the program, and the process identification numbers reflect whether the access is executed by the allowed user, so that, according to the first process identification number and the permission array, it may be determined whether the first process may operate the first folder. According to the method, the file operation authority can be separated from the administrator authority and only related to the user, so that the protection of the data on the cloud is enhanced, and the safety of the data on the cloud is improved.
In an embodiment, fig. 3 is a flowchart of a second method for protecting cloud data based on a kernel according to an embodiment of the present invention, as shown in fig. 3, after the kernel program on the cloud server 102 acquires the security policy, the method further includes:
step S310: the kernel program takes over the process loading function of the cloud server 102;
In step S310, the kernel program installed on the cloud server 102 modifies the kernel source code and takes over the process loading function sys_execute of the cloud server 102, thereby controlling program loading on the cloud server 102 from the kernel layer.
Step S320: acquiring program information of a first program to be started, comparing the program information with a white list in a security policy, and allowing the first program to be started by a process loading function if the program information is matched with the information in the white list; acquiring a second process identification number generated by the operation of the first program, and putting a folder which is accessed by the second process identification number and the second process identification number into an authority array according to the program information and the file authority set;
in step S320, when the first program is loaded on the cloud server 102, the kernel program may first obtain detailed information of the first program, compare the program information with the white list, and if the first program is not in the white list, the process loading function of the cloud server 102 rejects the start of the first program. Under the condition that the first program is in the program white list, the process loading function of the cloud server 102 allows the program to be started, then the first program is compared with the file permission set to obtain a folder array which is allowed to be accessed by the first program, and a second process identification number corresponding to a second process generated by the program operation and the corresponding folder array which is allowed to be accessed are inserted into the permission array, so that the permission array comprises the process identification number and a protected folder array which is authorized to be accessed by the process identification number.
The kernel-based cloud data protection method takes over the process loading function of the cloud server 102 through the kernel program and adds a step of filtering and intercepting programs using the white list in the security policy. At the same time, the permission array, which maps processes one by one to their accessible folders, is simplified into a file permission set that maps programs to their accessible folders: a program may generate many processes when running, so defining one by one every process that may access a certain folder is a large amount of work. The method in this embodiment therefore obtains the permission array in two steps: the white list decides whether a program may start, and after it starts its process number is obtained and the folder array it may access is taken from the file permission set, yielding the permission array used later to judge whether a process has the right to access a protected folder. The second process in this embodiment may be the same process as the first process or a different one, since program loading and file access may be independent processes. When the first process and the second process are the same process, the first process can find its process identification number in the permission array and access the protected folder corresponding to it. By adding the program start white list, this embodiment simplifies the generation of the permission array and further improves the security of cloud data.
In one embodiment, the placing the folder to which the second process identification number and the second process identification number have access right into the permission array according to the program information and the file permission set includes:
inquiring a file authority set according to program information, and acquiring a folder which a first program is allowed to access and an operation which is allowed to be executed on the folder, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value; and putting the second process identification number and the folder and operation which are allowed to be accessed by the first program into the permission array.
In this embodiment, the file permission set extracts only the program path name, the path name length, the file name length and the file name hash value from the program information, and adds a more detailed definition of the file access permission. In this way the access permission of a program can be determined from as little program information as possible, while the added permission description refines permission control so that different types of access permission can be set according to the properties of different files, further improving the security of cloud data.
In one embodiment, obtaining program information of a first program to be started, comparing the program information with a white list in a security policy, and if the program information matches information in the white list, the process loading function allowing the first program to be started includes:
acquiring program information of a first program to be started, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value; comparing the program information with a white list; if the program information matches information in the white list, the process load function allows the first program to start.
In this embodiment, the white list extracts only key information from the program information for comparison, so that the loading permission of a program is determined from as little program information as possible, the efficiency of blocking the loading of suspicious programs is improved, and the security of cloud data is further improved.
In a specific embodiment, fig. 4 is a schematic diagram of a method of a cloud server 102 for kernel-based cloud data protection according to a specific embodiment of the present invention. As shown in fig. 4, when the cloud server 102 is started, the kernel program deployed on the cloud server 102 acquires the security policy from the management machine 104 and completes the set protection operation. The security policy is generated by a script that associates programs with protected folders, the script detailing which process may access which folder.
The security policy describes, for each authorized program, a path name pnam, a path name length name_len, a right, a file name length flash and a hash value hash; according to this description, only if the program's path name matches pnam, its path name length equals name_len, its program file length equals flash and the hash of the program file name is hash does the program hold the right (read or write, etc.) on the protected file.
The white list in the security policy likewise describes a path name pnam, a path name length name_len, a file name length flash and a hash value hash for each program; only a program whose path name matches pnam, whose path name length equals name_len, whose program file length equals flash and whose program file name hash is hash is allowed to run on the cloud server 102.
The kernel program installed on the cloud server 102 takes over the process loading function sys_execute of the virtual machine and the main file operation functions of the virtual machine, namely sys_open (open file), sys_create (new file), sys_news (modify file attribute), sys_rename (rename file), sys_chdir (change current path), sys_mkdir (create folder), sys_unlinkat (delete file) and sys_rmdir (delete folder).
When a program is loaded, the kernel program first obtains the full path name of the program, then the file length and file content hash of the program; if this program information is not in the program white list, the process loading function refuses to start the program. If the program information matches an entry in the white list, the program is started, the program information is compared with the file permission set to obtain the folder array the program may access, and the process ID generated by the program together with that folder array is inserted into the permission array, so that the permission array holds process IDs and the protected folder arrays they are authorized to access.
If a program on the cloud server 102 wants to access a file, it is first determined whether the file is in a protected folder, and if not, the file can be directly accessed. Under the condition that the file is in the protected folder, the kernel program firstly inquires whether the process ID exists in the authority array, and if not, directly refuses; if so, the kernel program inquires whether the folder is in the folder array authorized to be accessed by the process ID, if not, the interception is carried out, and if so, the process can successfully access the file.
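The two kernel hooks described in steps S210 to S230 and S310 to S320 and again in the specific embodiment above, modelled in userspace as an added example (not the patent's code): a white-list match on the four program-information fields at load time, insertion of the new process ID into the permission array, and the per-operation check the taken-over file operation functions perform. The hash function (FNV-1a over the program file contents), the function names, the exit-time cleanup and all policy data and program images are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Operations the file permission set can grant on a protected folder. */
#define OP_READ  1u
#define OP_WRITE 2u
/* The four program-information fields a policy entry carries (the page's pnam, name_len,
 * flash, hash). FNV-1a over file contents is an assumption; the patent names no hash. */
struct prog_info {
    const char *pnam;   /* program path name */
    size_t name_len;    /* program path name length */
    size_t flash;       /* program file length */
    uint64_t hash;      /* hash of the program file */
};

/* File permission set: program -> protected folder -> allowed operations. */
struct fps_entry { struct prog_info prog; const char *folder; unsigned ops; };

/* Permission array: process ID -> protected folder -> allowed operations. */
struct perm_entry { int pid; const char *folder; unsigned ops; };
#define MAX_PERMS 32
static struct perm_entry perm_array[MAX_PERMS];
static int perm_count;

static uint64_t fnv1a(const char *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= (unsigned char)p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Constructed stand-ins for the bytes the kernel reads when loading a binary. */
static const char backup_image[] = "BACKUP-SERVICE-BINARY-v1";
static const char editor_image[] = "EDITOR-BINARY";

/* Constructed security policy as the management machine would issue it. */
static struct prog_info whitelist[2];
static struct fps_entry fps[2];
static const char *protected_folders[] = { "/srv/secret", "/srv/keys" };

/* Build the policy from the constructed images (a policy generator would do this offline). */
void load_policy(void) {
    size_t blen = sizeof backup_image - 1, elen = sizeof editor_image - 1;
    whitelist[0] = (struct prog_info){ "/usr/bin/backupd", 16, blen, fnv1a(backup_image, blen) };
    whitelist[1] = (struct prog_info){ "/usr/bin/editor", 15, elen, fnv1a(editor_image, elen) };
    fps[0] = (struct fps_entry){ whitelist[0], "/srv/secret", OP_READ | OP_WRITE };
    fps[1] = (struct fps_entry){ whitelist[0], "/srv/keys", OP_READ };
    /* editor may start, but has no file-permission-set entry: it gets no protected folder */
    perm_count = 0;
}

static int info_matches(const struct prog_info *a, const struct prog_info *b) {
    return strcmp(a->pnam, b->pnam) == 0 && a->name_len == b->name_len &&
           a->flash == b->flash && a->hash == b->hash;
}

/* Hook on the process-loading function (the page's sys_execute). Returns 1 if the program
 * may start, 0 if refused; on success the new PID and its folders enter the permission array. */
int on_exec(const char *path, const char *image, size_t image_len, int pid) {
    struct prog_info info = { path, strlen(path), image_len, fnv1a(image, image_len) };
    int allowed = 0;
    for (size_t i = 0; i < sizeof whitelist / sizeof whitelist[0]; i++)
        if (info_matches(&info, &whitelist[i])) { allowed = 1; break; }
    if (!allowed) return 0;
    for (size_t i = 0; i < sizeof fps / sizeof fps[0]; i++)
        if (info_matches(&info, &fps[i].prog) && perm_count < MAX_PERMS)
            perm_array[perm_count++] = (struct perm_entry){ pid, fps[i].folder, fps[i].ops };
    return 1;
}

/* True when path is folder itself or lies below it ("/srv/secrets" must not match "/srv/secret"). */
static int inside(const char *folder, const char *path) {
    size_t n = strlen(folder);
    return strncmp(folder, path, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Hook shared by the file operation functions (sys_open, sys_rename, ...). Returns 1 to allow,
 * 0 to intercept. Administrator identity plays no part: only the PID's array entry counts. */
int on_file_op(int pid, const char *path, unsigned op) {
    const char *folder = NULL;
    for (size_t i = 0; i < sizeof protected_folders / sizeof protected_folders[0]; i++)
        if (inside(protected_folders[i], path)) { folder = protected_folders[i]; break; }
    if (!folder) return 1;                 /* unprotected file: no check at all */
    for (int i = 0; i < perm_count; i++)   /* PID present? folder granted? operation granted? */
        if (perm_array[i].pid == pid && strcmp(perm_array[i].folder, folder) == 0)
            return (perm_array[i].ops & op) == op;
    return 0;                              /* PID not in array, or folder not granted to it */
}

/* Retire a PID's entries at exit so a reused PID inherits nothing (assumption: not on the page). */
void on_exit_pid(int pid) {
    int kept = 0;
    for (int i = 0; i < perm_count; i++)
        if (perm_array[i].pid != pid) perm_array[kept++] = perm_array[i];
    perm_count = kept;
}
```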
This embodiment ensures that files can be accessed only by authorized programs, usually service programs, and prevents files from being used illegally by intruders holding administrator rights, by ransomware or by malicious insiders, thereby ensuring the safety of important files on public clouds. The program white list can block ransomware-like operations and also prevent a suspicious module from killing the kernel security program after it runs; where necessary, the kernel program can also upgrade its self-protection to better resist attempts by suspicious modules to unload it.
In an embodiment, fig. 5 is a first schematic diagram of a cloud server 102 for kernel-based cloud data protection according to an embodiment of the present invention, as shown in fig. 5, the cloud server 102 includes:
the policy module 52 is configured to obtain a security policy, where the security policy includes a permission array, where the permission array indicates a permission correspondence between a process and a folder;
a takeover module 54, configured to take over a file operation function of the cloud server 102;
the first permission module 56 is configured to obtain a first process identification number of the first process, query the permission array, determine whether the permission array contains the first process identification number, if so determine whether the first folder is a folder that the first process identification number is allowed to access, and if so allow the file operation function to let the first process perform the first operation on the first folder.
In an embodiment, fig. 6 is a second schematic diagram of a cloud server for kernel-based cloud data protection according to an embodiment of the present invention, and as shown in fig. 6, the cloud server 102 further includes:
the takeover module 56 is further configured to take over a process loading function of the cloud server 102;
the cloud server 102 further includes a second permission module 62, configured to acquire program information of a first program to be started and compare it with the white list in the security policy; if the program information matches an entry in the white list, the process loading function allows the first program to start; the module then acquires the second process identification number generated when the first program runs and, according to the program information and the file permission set in the security policy, puts the second process identification number and the folders it is allowed to access into the permission array;
in one embodiment, the second permission module 52 is further configured to query the file permission set according to the program information to obtain the folders the first program is allowed to access and the operations allowed on each folder, where the program information includes: a program path name, a program path name length, a program file name length and a program file name hash value; and to put the second process identification number together with the folders and operations allowed to the first program into the permission array.
In one embodiment, the second permission module 52 is further configured to obtain program information of the first program to be started, where the program information includes: a program path name, a program path name length, a program file name length and a program file name hash value; to compare the program information with the white list; and, if the program information matches an entry in the white list, to let the process loading function start the first program.
The cloud server 102 for kernel-based cloud data protection acquires the security policy through the kernel program running in the kernel layer and takes over the file operation function of the cloud server 102. The file permission set in the security policy is the permission correspondence between programs and folders; because the execution path of a program in the kernel layer is tied to the user running it, the correspondence between a program's process identification number and folders also fixes the correspondence between the executing user and folders, so whether the first process may operate on the first folder can be judged from the first process identification number and the permission array. File operation permission is thereby separated from administrator permission and tied only to the user, which strengthens protection of data on the cloud and improves its security.
In one embodiment, a kernel-based cloud data protection system is provided, which includes a management machine 104 and a cloud server 102:
the management machine 104 issues a security policy to the cloud server 102 after the cloud server 102 is started;
a kernel program of the cloud server 102 acquires a security policy, wherein the security policy comprises a permission array, and the permission array indicates a permission corresponding relation between a process and a folder; the kernel program takes over the file operation function of the cloud server 102; the method comprises the steps of obtaining a first process identification number of a first process, inquiring a permission array, judging whether the first process identification number exists in the permission array, if so, judging whether a first folder is a folder which is allowed to be accessed by the first process identification number, and if so, allowing the first process to carry out first operation on the first folder by a file operation function.
In one embodiment, after the kernel program on the cloud server 102 acquires the security policy, the kernel program on the cloud server 102 takes over the process loading function of the cloud server 102; the cloud server 102 acquires program information of a first program to be started and compares it with the white list in the security policy; if the program information matches an entry in the white list, the process loading function allows the first program to start; the cloud server 102 then acquires the second process identification number generated when the first program runs and, according to the program information and the file permission set in the security policy, puts the second process identification number and the folders it is allowed to access into the permission array.
In one embodiment, the cloud server 102 queries the file permission set according to the program information and acquires the folders the first program is allowed to access and the operations allowed on each folder, where the program information includes: the program path name, the program path name length, the program file name length and the program file name hash value; and the second process identification number, the folders the first program is allowed to access and the operations are put into the permission array.
In one embodiment, the cloud server 102 obtains program information of a first program to be started, where the program information includes: the program path name, the program path name length, the program file name length and the program file name hash value; it compares the program information with the white list, and if the program information matches an entry in the white list, the process loading function allows the first program to start.
According to the cloud data protection system based on the kernel, the file operation authority can be separated from the administrator authority and only related to the user, so that the protection of the data on the cloud is enhanced, and the safety of the data on the cloud is improved.
In one embodiment, a computer device is provided, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
a kernel program on the cloud server 102 acquires a security policy, wherein the security policy comprises a permission array, and the permission array indicates a permission corresponding relation between a process and a folder; the kernel program takes over the file operation function of the cloud server 102; the method comprises the steps of obtaining a first process identification number of a first process, inquiring the permission array, judging whether the first process identification number exists in the permission array, judging whether a first folder is a folder which the first process identification number is allowed to access if the first process identification number exists in the permission array, and allowing the first process to operate on the first folder through the file operation function if the first folder is a folder which the first process identification number is allowed to access.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
the kernel program takes over the process loading function of the cloud server 102; acquiring program information of a first program to be started, comparing the program information with the white list in the security policy, and allowing the first program to be started by the process loading function if the program information matches information in the white list; and acquiring a second process identification number generated by the operation of the first program, and putting the second process identification number and the folders it is allowed to access into the permission array according to the program information and the file permission set in the security policy.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
inquiring a file authority set according to program information, and acquiring a folder which a first program is allowed to access and an operation which is allowed to be executed on the folder, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value; and putting the second process identification number and the folder and operation which are allowed to be accessed by the first program into the permission array.
In one embodiment, the processor, when executing the computer program, further performs the steps of:
acquiring program information of a first program to be started, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value; comparing the program information with a white list; if the program information matches information in the white list, the process load function allows the first program to start.
According to the computer equipment, the file operation authority can be separated from the administrator authority, and only the file operation authority is associated with the user, so that the protection of the data on the cloud is enhanced, and the safety of the data on the cloud is improved.
In one embodiment, a readable storage medium is provided having an executable program stored thereon, the executable program when executed by a processor implementing the steps of:
a kernel program on the cloud server 102 acquires a security policy, wherein the security policy comprises a permission array, and the permission array indicates a permission corresponding relation between a process and a folder;
the kernel program takes over the file operation function of the cloud server 102;
the method comprises the steps of obtaining a first process identification number of a first process, inquiring the permission array, judging whether the first process identification number exists in the permission array, judging whether a first folder is a folder which the first process identification number is allowed to access if the first process identification number exists in the permission array, and allowing the first process to operate on the first folder through the file operation function if the first folder is a folder which the first process identification number is allowed to access.
In one embodiment, the executable program when executed by the processor further performs the steps of:
the kernel program takes over the process loading function of the cloud server 102; acquiring program information of a first program to be started, comparing the program information with the white list in the security policy, and allowing the first program to be started by the process loading function if the program information matches information in the white list; and acquiring a second process identification number generated by the operation of the first program, and putting the second process identification number and the folders it is allowed to access into the permission array according to the program information and the file permission set in the security policy.
In one embodiment, the executable program when executed by the processor further performs the steps of:
inquiring a file authority set according to program information, and acquiring a folder which a first program is allowed to access and an operation which is allowed to be executed on the folder, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value; and putting the second process identification number and the folder and operation which are allowed to be accessed by the first program into the permission array.
In one embodiment, the executable program when executed by the processor further performs the steps of:
acquiring program information of a first program to be started, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value; comparing the program information with a white list; if the program information matches information in the white list, the process load function allows the first program to start.
The readable storage medium can strip file operation authority from administrator authority, and is only associated with a user, so that protection of data on the cloud is enhanced, and safety of the data on the cloud is improved.
It should be understood that, although the steps in the flowchart of fig. 3 are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and may be performed in other orders. Moreover, at least a portion of the steps in fig. 3 may include multiple sub-steps or multiple stages that are not necessarily performed at the same time but may be performed at different times, and the order of performance of these sub-steps or stages is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, a database, or another medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments express only several embodiments of the present application and are described in greater specificity and detail, but this should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (11)

1. A method for cloud data protection based on a kernel, the method comprising:
a kernel program on a cloud server acquires a security policy, wherein the security policy comprises a permission array, and the permission array indicates the permission corresponding relation between a process and a folder;
the kernel program takes over the file operation function of the cloud server;
the method comprises the steps of obtaining a first process identification number of a first process, inquiring a permission array, judging whether the first process identification number exists in the permission array, judging whether a first folder is a folder which is allowed to be accessed by the first process identification number if the first process identification number exists in the permission array, and allowing the first process to operate the first folder by the file operation function if the first folder is allowed to be accessed by the first process identification number.
2. The method of claim 1, wherein after the kernel program on the cloud server obtains the security policy, the method comprises:
the kernel program takes over a process loading function of the cloud server;
acquiring program information of a first program to be started, comparing the program information with a white list in the security policy, and allowing the first program to be started by the process loading function if the program information matches information in the white list; and acquiring a second process identification number generated by the operation of the first program, and putting the second process identification number and the folders it is allowed to access into the permission array according to the program information and the file permission set in the security policy.
3. The method of claim 2, wherein the putting the second process identification number and the folders it is allowed to access into the permission array according to the program information and the file permission set comprises:
inquiring the file authority set according to the program information, and acquiring a folder which the first program allows to access and an operation which is allowed to be executed on the folder, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value;
and putting a second process identification number, the folder which the first program is allowed to access and the operation into a permission array.
4. The method of claim 2, wherein the obtaining program information of a first program to be started, comparing the program information with a white list in the security policy, and if the program information matches information in the white list, the allowing the first program to be started by the process loading function comprises:
acquiring program information of a first program to be started, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value;
comparing the program information with the white list;
and if the program information is matched with the information in the white list, allowing the first program to be started by the process loading function.
5. A cloud server, the cloud server comprising:
the system comprises a policy module, a file processing module and a file management module, wherein the policy module is used for acquiring a security policy, and the security policy comprises a permission array, and the permission array indicates the permission corresponding relation between a process and a folder;
the takeover module is used for taking over a file operation function of the cloud server;
the first permission module is used for acquiring a first process identification number of a first process, inquiring a permission array, judging whether the first process identification number exists in the permission array, if so, judging whether a first folder is a folder which the first process identification number allows to access, and if so, allowing the first process to perform first operation on the first folder by the file operation function.
6. The cloud server of claim 5, wherein the cloud server further comprises:
the takeover module is also used for taking over the process loading function of the cloud server;
the second permission module is used for acquiring program information of a first program to be started, comparing the program information with the white list, and allowing the first program to be started by the process loading function if the program information matches information in the white list in the security policy; and acquiring a second process identification number generated by the operation of the first program, and putting the second process identification number and the folders it is allowed to access into the permission array according to the program information and the file permission set in the security policy.
7. The cloud server of claim 6, wherein the second permission module is further configured to:
inquiring the file authority set according to the program information, and acquiring a folder which the first program allows to access and an operation which is allowed to be executed on the folder, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value; and putting a second process identification number, the folder which the first program is allowed to access and the operation into a permission array.
8. The cloud server of claim 6, wherein the second permission module is further configured to:
acquiring program information of a first program to be started, wherein the program information comprises: a program path name, a program path name length, a program file name length and a program file name hash value; comparing the program information with the white list; and if the program information is matched with the information in the white list, allowing the first program to be started by the process loading function.
9. A cloud data protection system based on a kernel is characterized in that the system comprises a management machine and a cloud server:
the management machine issues a security policy to the cloud server after the cloud server is started;
a kernel program on the cloud server acquires the security policy, wherein the security policy comprises a permission array, and the permission array indicates the permission corresponding relation between a process and a folder; the kernel program takes over the file operation function of the cloud server; the method comprises the steps of obtaining a first process identification number of a first process, inquiring the permission array, judging whether the first process identification number exists in the permission array, judging whether a first folder is a folder which the first process identification number is allowed to access if the first process identification number exists in the permission array, and allowing the first process to perform a first operation on the first folder through the file operation function if the first folder is a folder which the first process identification number is allowed to access.
10. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method of any of claims 1 to 4 are implemented when the computer program is executed by the processor.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 4.
CN201911022164.3A 2019-10-25 2019-10-25 Cloud data protection method based on kernel, cloud server and system Active CN110990844B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911022164.3A CN110990844B (en) 2019-10-25 2019-10-25 Cloud data protection method based on kernel, cloud server and system

Publications (2)

Publication Number Publication Date
CN110990844A true CN110990844A (en) 2020-04-10
CN110990844B CN110990844B (en) 2022-04-08

Family

ID=70082358

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911022164.3A Active CN110990844B (en) 2019-10-25 2019-10-25 Cloud data protection method based on kernel, cloud server and system

Country Status (1)

Country Link
CN (1) CN110990844B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111859429A (en) * 2020-07-21 2020-10-30 北京四维益友软件有限公司 Processing method for protecting computer data
CN113918955A (en) * 2021-09-29 2022-01-11 杭州默安科技有限公司 Linux kernel vulnerability permission promotion detection blocking method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101788915A (en) * 2010-02-05 2010-07-28 北京工业大学 White list updating method based on trusted process tree
CN102034052A (en) * 2010-12-03 2011-04-27 北京工业大学 Operation system architecture based on separation of permissions and implementation method thereof
JP2012252492A (en) * 2011-06-02 2012-12-20 Ntt Data Corp Virtualization device, control method for virtualization device, and control program for virtualization device
CN106295355A (en) * 2016-08-11 2017-01-04 南京航空航天大学 A kind of active safety support method towards Linux server
CN109831420A (en) * 2018-05-04 2019-05-31 360企业安全技术(珠海)有限公司 The determination method and device of kernel process permission

Also Published As

Publication number Publication date
CN110990844B (en) 2022-04-08

Similar Documents

Publication Publication Date Title
US11611586B2 (en) Systems and methods for detecting a suspicious process in an operating system environment using a file honeypots
US11354446B2 (en) Peer integrity checking system
US11334562B2 (en) Blockchain based data management system and method thereof
US11170128B2 (en) Information security using blockchains
Gül et al. A survey on anti-forensics techniques
US11658978B2 (en) Authentication using blockchains
CN110990844B (en) Cloud data protection method based on kernel, cloud server and system
AU2021319159B2 (en) Advanced ransomware detection
CN113886835A (en) Method and device for preventing container from escaping, computer equipment and storage medium
US10339307B2 (en) Intrusion detection system in a device comprising a first operating system and a second operating system
Fu et al. Data correlation‐based analysis methods for automatic memory forensic
US20200159915A1 (en) Selective Import/Export Address Table Filtering
CN111324799B (en) Search request processing method and device
US20210042043A1 (en) Secure Data Processing
US10073975B2 (en) Application integrity verification in multi-tier architectures
US11750660B2 (en) Dynamically updating rules for detecting compromised devices
US20220255962A1 (en) Systems and methods for creation, management, and storage of honeyrecords
CN112947864B (en) Metadata storage method, apparatus, device and storage medium
KR102309695B1 (en) File-based deception technology for thwarting malicious users
US20240114034A1 (en) Generation of the Digital Fingerprints Library with Hierarchical Structure
CN116578968A (en) Method and device for providing safety protection for application program in power control system
US20220366035A1 (en) Execution control system, execution control method, and program
CN113468528A (en) Malicious device identification method and device, server and storage medium
CN117668861A (en) Object operation method and device, electronic equipment and computer readable storage medium
CN117009969A (en) Virus scanning method and object storage system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant