CN112115117B - Big data blockchain authority management method and system for covering data full life cycle - Google Patents

Publication number
CN112115117B
Authority
CN
China
Prior art keywords
intelligent contract
contract
consumption
authority
code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010809485.4A
Other languages
Chinese (zh)
Other versions
CN112115117A (en)
Inventor
蔡华谦
胡凌绚
朱晓旻
张舒汇
郭京申
舒俊宜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zhirong Yunhe Technology Co ltd
Original Assignee
Beijing Zhirong Yunhe Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Zhirong Yunhe Technology Co ltd
Priority to CN202010809485.4A
Publication of CN112115117A
Application granted
Publication of CN112115117B
Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20: Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21: Design, administration or maintenance of databases
    • G06F16/27: Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44: Program or device authentication
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiment of the invention provides a big data blockchain authority management method and a big data blockchain authority management system covering the full life cycle of data. Specifically, the method and the system: monitor the system tasks executed by intelligent contract code, based on an R-TBAC model; perform authority checking and authorization inside the intelligent contract, based on an autonomous access control mechanism, and thereby control calls inside the intelligent contract; control the running state of the intelligent contract code, based on the design and control of the contract's external authority, and thereby control the execution of tool class calling tasks; and control the running state of the intelligent contract code, based on a pre-designed shutdown mechanism, and thereby control the execution of node resource consumption tasks. In the authority management method and system provided by the embodiment of the invention, a shutdown mechanism and a contract authority design are added on the basis of the R-TBAC model, and autonomous access control is added inside the intelligent contract, so that big data blockchain authority management covers the whole life cycle of data.

Description

Big data blockchain authority management method and system for covering data full life cycle
Technical Field
The invention relates to the technical field of big data blockchains, in particular to a big data blockchain authority management method covering a full life cycle of data and a big data blockchain authority management system covering the full life cycle of the data.
Background
Access control refers to a policy that allows a particular authorized subject to access an object while preventing services from being provided to unauthorized subjects. That is, it manages the access rights behind a series of questions such as "who can access which data resource", "who can operate on the data resource" and "what operations can be performed".
In the application scenario of access control for a big data blockchain, an R-TBAC model based on role and task access control has been proposed, and trusted circulation of data in the big data blockchain is completed on the basis of this model. However, the model may suffer from the following drawbacks when applied to blockchain data circulation: similar to the halting problem in Ethereum (an open-source public blockchain platform with intelligent contract functionality), when node resources in the blockchain are accessed under the corresponding task authorities, uncontrolled consumption of node resources can cause security problems such as infinite loops; and the libraries called by tool classes cannot guarantee that every tool class is related to the transaction, so excessive node resources are occupied, which affects the transactions of other contracts on the node. Therefore, the prior art cannot truly cover the full life cycle of data in big data blockchain authority management. In addition, because existing big data blockchain access control lacks fine-grained authority design and control for the IO tool classes of intelligent contracts, it cannot adequately guarantee reasonable consumption of node resources or data security.
Disclosure of Invention
In view of the foregoing, embodiments of the present invention provide a large data blockchain authority management method and a large data blockchain authority management system that cover a full data lifecycle that overcome or at least partially solve the foregoing problems.
In order to solve the above problems, an embodiment of the present invention provides a big data blockchain authority management method for covering a full life cycle of data, the method including: performing authority management on access among system resources of the big data blockchain based on an R-TBAC model; monitoring system tasks executed by intelligent contract codes in the big data block chain, wherein the system tasks comprise consumption class tasks of node resources and calling class tasks of IO tool classes; based on an autonomous access control mechanism, adding a self-defined DAC authority template, and defining the inside of the intelligent contract code to complete the checking and authorization of the authority inside the intelligent contract, thereby controlling the call of a user role to the intelligent contract and the call of the intelligent contract to the intelligent contract; based on the external authority design of the intelligent contract code in advance, controlling the running state of the intelligent contract code, and further controlling the execution of the calling class task of the IO tool class; based on a pre-designed shutdown mechanism, the running state of the intelligent contract code is controlled through different control instructions, and further the execution of the consumption task of the node resource is controlled.
Optionally, the system task performed by the smart contract code includes: updating and/or modifying the data resources and/or the node resources in the system.
Optionally, the customized DAC authority template includes: the access control policy part, and the import part by which specific data-use contract code imports it.
Optionally, controlling the running state of the intelligent contract code based on the external authority designed for it in advance, and thereby controlling the execution of the calling class task of the IO tool class, includes: when the intelligent contract provider writes the contract, the provider authorizes the related tools according to the content of the intelligent contract or the transaction it serves; an authorized intelligent contract can run normally, and the user of the intelligent contract can choose to open or close the authorized permission set of the intelligent contract according to the current transaction state.
Optionally, the pre-designed shutdown mechanism includes: during the operation of the smart contract code, if execution does not end within the original program or the existing consumption, the operation of the smart contract code will be forcibly stopped.
Optionally, controlling the running state of the intelligent contract code through different control instructions based on a pre-designed shutdown mechanism, and thereby controlling the execution of the consumption task of the node resource, includes: if the transaction fee (Fee) is exhausted while the intelligent contract code is running, stopping the running of the intelligent contract code; if the transaction fee (Fee) is exhausted after the running of the intelligent contract code has completed, the consumption task of the node resource is executed successfully; and if the transaction fee (Fee) is exhausted before the running of the intelligent contract code has completed, the execution of the consumption task of the node resource fails.
Optionally, the control instruction includes: wait instruction, shutdown instruction, no-operation instruction.
Optionally, before controlling the running state of the smart contract code through different control instructions based on a pre-designed shutdown mechanism, the method further includes: acquiring and counting all the consumption data required when the intelligent contract code runs normally, calculating an estimated consumption result for the contract run, and then controlling the contract running state through the shutdown mechanism according to the estimated consumption result. The consumption data includes: method calls, the number of executions of conditional statements, and operand stack instructions.
Optionally, acquiring and counting all the consumption data required when the intelligent contract code runs normally, and calculating an estimated consumption result for the contract run, includes: using a runtime code monitoring and control method based on structural reflection, in which instrumentation is dynamically inserted at conditional statements to obtain the runtime execution counts of jump branches and loop statements; at the same time, the operand stack instructions and the number of method calls are counted from the runtime data, and the estimated consumption result is calculated from the runtime consumption data by a ProgrammPointCount module.
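A fee-metered run showing the shutdown rule and the consumption estimate described in the preceding paragraphs, written as an added JavaScript sketch and not taken from the patent. The `probe` calls stand in for the dynamically inserted instrumentation; the unit costs, the function names and the two sample contracts are assumptions.

```javascript
// Assumed unit cost per kind of counted event (method call, conditional
// branch, loop back-edge, operand-stack instruction).
const COST = { call: 3, branch: 1, loop: 1, stack: 1 };

class FeeExhausted extends Error {}

// Run `contract` with a fixed fee. Every probe deducts its cost first; a probe
// that cannot be paid stops the contract, so a loop can never outlive its fee.
function runWithFee(contract, fee, input) {
  let remaining = fee;
  const counts = { call: 0, branch: 0, loop: 0, stack: 0 };
  const probe = (kind) => {
    if (remaining < COST[kind]) throw new FeeExhausted(kind);
    remaining -= COST[kind];
    counts[kind] += 1;
  };
  try {
    const result = contract(probe, input);
    // Fee may be exactly zero here: exhausted after completion is a success.
    return { status: 'success', result, remaining, counts };
  } catch (e) {
    if (!(e instanceof FeeExhausted)) throw e;
    // Exhausted before completion: the consumption task fails.
    return { status: 'failed', result: null, remaining, counts };
  }
}

// Estimate consumption from a normal run under a hard cap, so that the
// estimate itself cannot spin forever. Returns null if the cap is hit.
function estimateFee(contract, input, cap) {
  const r = runWithFee(contract, cap, input);
  return r.status === 'success' ? cap - r.remaining : null;
}

// Constructed sample contract: sum 1..n, with a probe at each counted point.
function sumTo(probe, n) {
  probe('call');
  let total = 0;
  for (let i = 1; ; i++) {
    probe('branch');            // loop condition
    if (i > n) break;
    probe('stack');             // the addition
    total += i;
    probe('loop');              // back-edge
  }
  return total;
}

// Constructed sample contract: an infinite loop, the case the shutdown
// mechanism exists to stop.
function spin(probe) {
  probe('call');
  while (true) {
    probe('branch');
    probe('loop');
  }
}

console.log(estimateFee(sumTo, 3, 1000));
console.log(runWithFee(sumTo, 12, 3).status);
console.log(runWithFee(spin, 50).status);
```
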
The embodiment of the invention also provides a big data blockchain authority management system covering the whole life cycle of data, which specifically comprises: the master control module is used for performing authority management on the access among the system resources of the big data block chain based on the R-TBAC model; the task monitoring module is used for monitoring system tasks executed by the intelligent contract codes in the big data blockchain, wherein the system tasks comprise consumption class tasks of node resources and calling class tasks of IO tool classes; the contract internal control module is used for adding a self-defined DAC authority template based on an autonomous access control mechanism, and defining the inside of the intelligent contract code to complete the examination and authorization of the intelligent contract internal authority, thereby controlling the call of a user role to the intelligent contract and the call of the intelligent contract to the intelligent contract; the tool class task control module is used for controlling the running state of the intelligent contract code based on the external authority design of the intelligent contract code in advance, and further controlling the execution of the calling class task of the IO tool class; and the shutdown control module is used for controlling the running state of the intelligent contract code through different control instructions based on a pre-designed shutdown mechanism so as to control the execution of the consumption task of the node resource.
According to the technical scheme, the embodiment of the invention provides a trusted mechanism authority management method and a trusted mechanism authority management system for a big data blockchain, which take the current situation of access control in the big data blockchain into consideration, and based on authority management of access among system resources of the big data blockchain by using an R-TBAC model, a shutdown mechanism is designed aiming at a contract language, and a shutdown operation is carried out on consumption tasks of node resources so as to avoid meaningless consumption of the node resources and contract operation dead cycles; meanwhile, aiming at specific categories of tool classes, corresponding contract authorities are designed, unnecessary occupation of calling class tasks of IO tool classes on nodes is reduced, node load pressure is reduced, and malicious consumption is prevented; and the DAC access control mechanism based on the custom authority template realizes the call of the user role to the intelligent contract and the call of the intelligent contract to the intelligent contract through the intelligent contract code, so that the data security of the user calling the intelligent contract is further ensured. Through the combination of the means, the coverage of the large data blockchain authority management on the whole life cycle of the data can be truly realized, and the trusted circulation of the large data blockchain data resources is completed.
Drawings
FIG. 1 is a technical architecture diagram of a big data blockchain system;
FIG. 2 is a flow chart of steps of a trusted mechanism authority management method for big data blockchains provided by the present invention;
FIG. 3 is a schematic diagram of a partitioning of large data blockchain system resources according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an autonomous access control model structure abstracted as an Access Control List (ACL) provided by an embodiment of the present invention;
FIG. 5 is a schematic diagram of an autonomous access control model abstract as an Access Control Matrix (ACM) according to an embodiment of the present invention;
FIG. 6 is a flow chart of smart contract usage after adding an external rights design to a smart contract code, provided by an embodiment of the present invention;
FIG. 7 is a UML class diagram for controlling authority design of an IO tool class according to an embodiment of the present invention;
FIG. 8 is a schematic flow chart of a shutdown operation provided by an embodiment of the present invention;
FIG. 9 is a particular flow diagram of a control flow graph program (CFG) provided by an embodiment of the present invention;
FIG. 10 is a UML class diagram for access control based on a shutdown mechanism provided by an embodiment of the present invention;
FIG. 11 is a block diagram of a trusted mechanism authority management system for big data blockchains in accordance with the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The big data blockchain is based on the big data field, and the functions of safe and reliable sharing, flowing, opening, fusion rendering and the like of the data asset are guaranteed through the big data intelligent trusted operating system by combining the thought of the blockchain.
FIG. 1 illustrates a technical architecture diagram of a big data blockchain system, wherein the operation of a trusted computing layer is based on a trusted intelligent contract engine technology, the trusted computing of random multi-node mutual verification is realized through a customized intelligent contract language, and an interface of a trusted storage layer is supported to be called to store contract execution process information to the trusted storage layer. Meanwhile, based on a self-defined programming language and a framework, a writing description and a remote call interface are provided for an upper layer, trusted computing and certification can be realized by writing a program according to the framework, and a third party library call module of a contract development environment, an operation environment and other programming languages is provided around an intelligent contract language by the trusted computing layer.
With the explosive growth of data, the data acquisition mode, the role of acquiring the data and the application scene in the big data blockchain respectively show respective diversity, and the problem is that the difficulty of multidimensional data management and access control becomes larger and larger.
The earliest concept of access control originated from the protection technology in the multi-layer security approach of the US registration information, which is tag display and authorization protection of sensitive information in objects. In subsequent developments, it has brought good regularity and security to resource management and security in systems, and has become an indispensable part of the security measures in today's computer systems.
In the current scene application of the big data blockchain, an R-TBAC model based on role and task access control is proposed, and the trusted circulation of the data in the big data blockchain is completed based on the model. According to the embodiment provided by the invention, based on the R-TBAC model, the fine authority management and control design of shutdown control and tool class call is carried out on the execution of system tasks in the R-TBAC model, and a customized autonomous access control mechanism is added to the call between the intelligent contract and the user role and between the intelligent contract and the intelligent contract, so that the authority management of the big data blockchain covering the whole life cycle of data is truly realized.
Example 1
FIG. 2 is a flowchart illustrating steps of a big data blockchain rights management method covering a full life cycle of data according to the present invention. As shown in fig. 2, the method provided in this embodiment is applied to a big data blockchain, and the specific method includes the following steps:
Step S101, performing authority management on access among system resources of the big data blockchain based on an R-TBAC model.
As shown in fig. 3, in the embodiment of the present invention, based on a highly customized R-TBAC model, different access control mechanisms may be used for different system resources, and based on an operation relationship between the system resources, a mapping set of a corresponding rights relationship is established, so as to implement efficient and safe access rights management.
The R-TBAC model (Role-Task-Based Access Control) consists of two modules, RBAC (Role-Based Access Control) and TBAC (Task-Based Access Control), and can realize both role-based access control and task-based access control.
Access control by the RBAC module in the R-TBAC model is mainly oriented to user roles and governs the management and invocation of node resources. Access control by the TBAC module in the R-TBAC model is mainly oriented to the tasks in use: authority management is performed by judging, according to the system's tasks and task states, whether a subject or object under access control has the access authority.
Step S102, monitoring system tasks which are executed by intelligent contract codes in the big data blockchain, wherein the system tasks comprise consumption class tasks of node resources and calling class tasks of IO tool classes.
In the embodiment of the invention, the system tasks of the big data blockchain include: updating and/or modifying the data resources and/or the node resources in the system.
According to the management mechanism of the R-TBAC model, the system task of the big data blockchain is monitored by a TBAC module in the R-TBAC model, and likewise, the authority management of access control is also carried out by the TBAC module.
In the embodiment of the present invention, the calling tasks of the IO tool class need not include the tool classes of the intelligent contract's native functions; that is, the tool classes of native functions can be accessed without authorization from the TBAC module.
In the embodiment of the invention, intelligent contracts on the big data blockchain are written in Turing-complete YJS (yet another js) code, a contract language with JavaScript-like syntax, whose interpretation and execution engine is deeply customized on the basis of Nashorn (supported in Java 8+).
Examples of the YJS code, including contract class names, contract methods, contract execution, output, return, are shown in part in the embodiments of the present invention as follows.
Step S103, based on an autonomous access control mechanism, adding a self-defined DAC authority template, and defining the inside of the intelligent contract code to complete the checking and authorization of the authority inside the intelligent contract, thereby controlling the calling of the user role to the intelligent contract and the calling of the intelligent contract to the intelligent contract.
The execution mechanism of the big data blockchain is that each user in the node network can issue and call intelligent contracts after passing identity authentication and admission, for example through the simplest anonymous call or through a call that uses a signature. The subject calling a contract may be a user or another contract, and if the call is made by a contract, the associated signature is carried. Because the usage scenarios of intelligent contracts are flexibly defined for data users and data providers, the embodiment of the invention provides a customized DAC autonomous access control mechanism in which the calling of the intelligent contract is controlled through the intelligent contract code, further completing the authority management coverage in the big data blockchain.
Fig. 4 shows a schematic diagram of an autonomous access control model abstracted as an Access Control List (ACL). The Access Control List (ACL) is a table marking the authority levels of the various resources. As shown in fig. 5, the list is centred on object resources (files): each object has an independent table (ACL 1) that maps to specific authorities, and once the access control list is in place, a specific operation (read, write, etc.) requested by a subject on an object must be verified against the ACL.
Fig. 5 shows a schematic diagram of an autonomous access control model structure abstracted as an Access Control Matrix (ACM), as provided in an embodiment of the present invention; the Access Control Matrix (ACM) is used more frequently than the access control list. As shown in fig. 6, when a matrix is used to represent access control, each row in the matrix represents a subject (authorized user), each column represents an object (file), and the intersection of a row and a column represents the authority of that subject over the specific resource owned by the object, including owner (Own), read (R), write (Write), and execute (X). When a subject requests access to an object, the corresponding row and column in the access control matrix and their intersection are checked to judge whether the subject holds the authority in question: if the row and column exist and the access is authorized at the intersection, the access can proceed; otherwise it is refused.
In embodiments of the present invention, an Access Control Matrix (ACM) is preferred for model autonomous access control within the smart contract.
In a preferred embodiment provided by the present invention, the customized DAC autonomous access control mechanism includes: the access control policy part, and the import part by which specific data-use contract code imports it.
The specific data-use contract code performs the import in a Java-like manner: other classes or files in the project can be imported through a single-type import.
The reusable access control policy provides specific functions and state variables; table 1 gives the explanation of each function/state variable.
TABLE 1
Referring to table 1, in an embodiment of the present invention, the functions and state variables of the reusable access control policy include: the initialization function init(requester), which initializes the state variables related to access control, so a contract that uses the policy needs to call this function when it is initialized; the authority check checkPermission(requester), which checks whether the user has the associated authority; the authority application apply(requester), which applies for the related authority; the authorization approval accept(request, pubkey), which approves the related authority; global.owner, which stores the contract user information, namely the public key of the contract user; the list of users applying for authority, global.applyiist, which is used when applying for authority; and the authorized user list global.
According to their functional relation to the contract, contract users are divided into the contract initiator, the contract executor and the contract terminator. Taking the contract initiator as an example, the autonomous access control flow by which the contract initiator decides whether other parties have permission to call is as follows:
1) When the contract is started, the init method of the access control policy is called, and the public key of the contract starter is recorded in the state variable Global.
2) An apply function may be used in the data use contract to initiate a request for a rights application;
3) The accept function can only be called by a contract initiator, and the public key of the allowed visitor can be added into the state variable Global accept List of the intelligent contract after the call is successful;
4) When an access-controlled method is called, the checkPermission method is called, in which the global. Accpetlist is checked and whether the user has access is returned.
The DAC authority template is not particularly limited in the embodiment of the invention, and can be completely customized by the user. An example of the YJS code of the autonomous access control template part of the DAC provided by the embodiment of the invention is shown below, to further illustrate the DAC authority template in the steps of the method.
The DAC authority template is used in contract code: DAC autonomous access control is applied at the code layer to check and authorize the contract's internal authority, which ensures data security and strong isolation for users calling the intelligent contract. Based on the DAC authority template, the type of authority to load, or the role, is specified while the contract is written; as in the coin-issuing contract shown above, the authority template is added directly to the code for autonomous access control, because only the owner is allowed to issue coins. As on blockchain platforms such as Ethereum, the "request" variable in an intelligent contract call is a built-in variable, namely the public key of the caller; the developer can also specify by annotation whether anonymous calls are allowed. Finer-grained access control can be realized with more complex access control rules: by adding the request variable to the code, the authority can be checked (checkPermission), the accepted public key can be obtained, and the corresponding value returned. In addition to the reusable access control policy part, the contract needs an import in the specific data-use contract code to bring in other YJS files in the same YJS project, for example "import 'naivedac.yjs'".
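The four-step flow above (init, apply, accept, checkPermission) wrapped around a coin-issuing contract, as an added illustration in plain JavaScript rather than the patent's own YJS listing. The names `applyList` and `acceptList`, the rule that the owner always passes `checkPermission`, and the `pk-*` keys are assumptions of this sketch; in a real engine the caller key is a built-in value bound to a verified signature, not a function argument.

```javascript
// Reusable DAC policy part (hypothetical rendering of the template).
function createNaiveDAC() {
  const state = { owner: null, applyList: [], acceptList: [] };
  return {
    state,
    // 1) Called once when the contract starts: record the starter's key.
    init(requester) {
      if (state.owner !== null) throw new Error('already initialised');
      if (typeof requester !== 'string') throw new Error('anonymous init refused');
      state.owner = requester;
    },
    // 2) Any identified caller may queue an application.
    apply(requester) {
      if (typeof requester !== 'string') throw new Error('anonymous apply refused');
      const known = state.applyList.includes(requester) ||
                    state.acceptList.includes(requester);
      if (!known) state.applyList.push(requester);
    },
    // 3) Only the contract starter may approve, and only a pending key.
    accept(requester, pubkey) {
      if (requester !== state.owner) throw new Error('only the starter may accept');
      const i = state.applyList.indexOf(pubkey);
      if (i === -1) throw new Error('no pending application for this key');
      state.applyList.splice(i, 1);
      state.acceptList.push(pubkey);
    },
    // 4) Gate for every access-controlled method.
    checkPermission(requester) {
      return typeof requester === 'string' &&
        (requester === state.owner || state.acceptList.includes(requester));
    },
  };
}

// Data-use contract that imports the policy: a minimal coin ledger.
function createCoinContract(starterKey) {
  const dac = createNaiveDAC();
  dac.init(starterKey);
  const balances = new Map();
  return {
    apply: (requester) => dac.apply(requester),
    accept: (requester, pubkey) => dac.accept(requester, pubkey),
    // Issuing is restricted to the owner, stricter than checkPermission.
    issue(requester, to, amount) {
      if (requester !== dac.state.owner) throw new Error('permission denied: issue');
      if (!Number.isInteger(amount) || amount <= 0) throw new Error('bad amount');
      balances.set(to, (balances.get(to) || 0) + amount);
      return balances.get(to);
    },
    // Reading balances requires an accepted key.
    balanceOf(requester, account) {
      if (!dac.checkPermission(requester)) throw new Error('permission denied: balanceOf');
      return balances.get(account) || 0;
    },
  };
}

// Returns the call's value, or 'denied' if the contract refused it.
function attempt(fn) {
  try { return fn(); } catch (e) { return 'denied'; }
}

// Constructed walk-through with three made-up public keys.
function dacDemo() {
  const OWNER = 'pk-owner', ALICE = 'pk-alice', MALLORY = 'pk-mallory';
  const coin = createCoinContract(OWNER);
  const out = {};
  out.issued = coin.issue(OWNER, ALICE, 100);
  out.foreignIssue = attempt(() => coin.issue(MALLORY, MALLORY, 1000000));
  out.beforeAccept = attempt(() => coin.balanceOf(ALICE, ALICE));
  coin.apply(ALICE);
  out.selfAccept = attempt(() => coin.accept(ALICE, ALICE));
  out.unsolicited = attempt(() => coin.accept(OWNER, MALLORY));
  coin.accept(OWNER, ALICE);
  out.afterAccept = coin.balanceOf(ALICE, ALICE);
  out.anonymous = attempt(() => coin.balanceOf(undefined, ALICE));
  return out;
}

console.log(dacDemo());
```
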
Step S104, based on the external authority design of the intelligent contract code in advance, the running state of the intelligent contract code is controlled, and further execution of the calling class task of the IO tool class is controlled.
FIG. 6 illustrates a flow chart of smart contract usage after adding an external rights design to the smart contract code in accordance with an embodiment of the present invention. In the embodiment of the invention, when the intelligent contract provider writes the contract through the online IDE, the provider authorizes the related tools according to the content of the intelligent contract or the transaction it serves; an authorized intelligent contract can run normally, and if the authorization is missing or wrong, the contract is returned to the contract provider to be rewritten. The intelligent contracts and the current contract authorities are deployed and displayed by a contract administrator, and users of the intelligent contracts can choose whether to open or close the permission set of the authorized intelligent contracts according to the current transaction state. If a tool is not authorized, an error is prompted to the contract user when the intelligent contract runs and the call to the unauthorized tool is stopped, while the other, authorized tools can be used normally. If the contract user wants to use an unauthorized tool class, an application must be made to the contract provider, who uploads new contract code if they agree; otherwise the contract user cannot use the tool class.
With the intelligent contract authority design provided by the embodiment of the invention, simple system tasks such as insertion can be performed within the contract code without calling tool classes, which reduces unnecessary occupation of node resources and reduces the influence on the transactions of other contracts on the node.
The external rights of the intelligent contract code control the use of tool classes. Table 2 shows the specific classification of intelligent contract rights according to the categories of the specific tools; with reference to table 2, rights can be designed and managed more efficiently according to these categories. In line with this description of intelligent contract authority, in the intelligent contract IDE interface the contract provider selects and grants authorities when writing the contract, and only the current contract authorities and the process of applying for authority need to be displayed to the contract user.
TABLE 2
Table 3 shows a data structure table of the YJS language Intelligent contract rights. Referring to table 3, the present embodiment divides the data structure of the smart contract rights by the rights flags for the tool classes of the contract.
TABLE 3
The embodiment uses an Enum (enumeration) data structure to implement the smart contract permissions according to their categories. The contract language YJS has different annotations over such data structures; for example, the branch field in logType records the execution of the conditional statements in all methods, so as to obtain the runtime branches taken by conditional statements during dynamic execution. Likewise, access control is defined and applied for the current contract by adding the @Permission annotation, which uses the enum data structure. If the contract code references different tool classes that use and consume blockchain node resources, the annotation for the relevant permissions must be added above the code, declaring in advance, one by one, the tool classes that are used.
Fig. 7 shows a UML class diagram for controlling authority design of an IO tool class according to an embodiment of the present invention. As shown in fig. 7, the authority assignment is performed by the desktop engine module, the dynamic analysis and the authority display are performed by the contract process module, the contract node module obtains the authority, and finally the interface authority module completes the analysis of the tool class so as to realize the authority design management and control of the specific IO tool class.
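The external permission flow of step S104, as an added JavaScript example (not code from the patent): a gate reads the tool classes declared above the contract code, refuses calls to undeclared or closed tool classes, and lets the remaining calls proceed. The annotation syntax `@Permission("A,B")`, the tool-class names and all function names are assumptions, since Tables 2 and 3 are not reproduced on this page.

```javascript
class ToolPermissionError extends Error {
  constructor(message) { super(message); this.name = 'ToolPermissionError'; }
}

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Collect the tool classes declared above the contract code.
// Assumed syntax @Permission("A,B"): the page names the annotation, not its format.
function declaredPermissions(source) {
  const declared = new Set();
  for (const m of source.matchAll(/@Permission\(\s*"([^"]*)"\s*\)/g)) {
    for (const raw of m[1].split(',')) {
      const name = raw.trim();
      if (name) declared.add(name);
    }
  }
  return declared;
}

// Build the gate that every tool-class call of one contract goes through.
function createToolGate(source, toolClasses) {
  const granted = declaredPermissions(source); // fixed by the provider's code
  for (const name of granted) {
    // A wrong authorisation sends the contract back to the provider.
    if (!own(toolClasses, name)) throw new Error(`unknown tool class in annotation: ${name}`);
  }
  const open = new Set(granted); // the user may close and reopen granted entries
  const denied = [];             // refused calls, kept for the contract log
  return {
    denied,
    setOpen(name, isOpen) {
      if (!granted.has(name)) {
        throw new ToolPermissionError(`${name} is not authorised; the provider must upload new contract code`);
      }
      if (isOpen) open.add(name); else open.delete(name);
    },
    call(name, method, ...args) {
      if (!open.has(name)) {
        denied.push(`${name}.${method}`);
        throw new ToolPermissionError(`tool class ${name} is not authorised for this contract`);
      }
      const tool = toolClasses[name];
      if (!own(tool, method) || typeof tool[method] !== 'function') {
        throw new TypeError(`${name}.${method} is not a tool method`);
      }
      return tool[method](...args);
    },
  };
}

// Constructed stand-ins for node tool classes (hypothetical names).
const TOOLS = {
  Http: { get: url => `GET ${url}` },
  File: { read: path => `contents of ${path}` },
  Sql: { query: q => `rows for ${q}` },
};

// Constructed contract source that declares two of the three tool classes.
const CONTRACT_SOURCE = `@Permission("Http,File")
contract Report { export function main(arg) { /* ... */ } }`;

// Run a list of tool calls; a refused call is reported and the rest continue.
function runCalls(gate, calls) {
  return calls.map(([name, method, arg]) => {
    try {
      return { ok: true, value: gate.call(name, method, arg) };
    } catch (err) {
      if (!(err instanceof ToolPermissionError)) throw err;
      return { ok: false, error: err.message };
    }
  });
}
```

The `denied` list gives the node operator a record of which undeclared tool classes a contract tried to reach.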
Step S105, based on a pre-designed shutdown mechanism, controls the running state of the intelligent contract code through different control instructions, thereby controlling the execution of the consumption task of the node resource.
The control instructions include: wait instructions, shutdown instructions, no-op instructions, etc.
The shutdown instruction stops the execution of the smart contract; one shutdown instruction can be set when the user's current contract instance is executed. The wait instruction is used when multiple users execute the contract and stopping is not allowed: user programs that have not yet executed the contract are placed in a waiting state. Besides keeping the smart contract running under the control of the wait instruction, a small loop program containing only a few instructions can be executed. The no-op instruction causes the smart contract to perform no actual operation while the request is not being executed.
The set of access permissions in the TBAC model is not static; it changes with the context in which the system is running. In the TBAC model, permission management is carried out in the form of workflows, a workflow being a single business process formed by combining several related work tasks in order to fulfil a requirement. The TBAC model in effect addresses information protection permissions for each workflow. In a working environment, each step of processing data and operations is closely tied to the previous step, and so is the task-based access control process; permission management in the TBAC model is therefore tied to context information. In addition, the TBAC model can apply different permission mechanisms not only to different workflows but also to the same workflow, so TBAC manages permissions on a per-instance basis.
TBAC is a time-sensitive model: tasks are time-limited, so each authorized user's access is also time-limited, and a user holds the corresponding access permission only while executing the task, which keeps the user's operating permissions in correspondence and in step with the task. The activated authority AS is symbolized by the authorization step P, and the life cycle in question is the life cycle of the authorization step under the activated authority AS. Before the authorization step is activated, its protection state and permissions have no effect. If and only if the relevant permission operation value is activated by the authorization step can the subject be granted the permissions it applied for; at that moment the permission's life cycle starts to be timed, and the authorized task can be executed at will within the time the life cycle allows. When the life cycle ends, everything reverts to the earlier unauthorized state, that is, the ability to operate on the previously authorized information is lost.
However, because TBAC controls node resources through Turing-complete smart contract code, the halting problem arises: it is impossible to detect whether the process of a contract instance is in an infinite loop, which leads to unavoidable malicious consumption of system resources, occupied system memory and similar problems.
To solve this problem and ensure that the big data blockchain can operate normally under autonomous conditions, the invention provides a shutdown mechanism for the running of smart contract code: during the running of the smart contract code, if execution does not finish within the original program or the existing consumption, the smart contract code is forcibly stopped.
FIG. 8 is a schematic flow chart of the shutdown operation provided by the embodiment of the present invention. Referring to FIG. 8, the shutdown operation proceeds as follows. First, the CountFee module, combined with dynamic analysis, estimates the consumption of the contract and gives an estimated consumption value. Second, through the Feelimit module, the maximum fee (Fee) the user will pay for executing the contract is set according to the estimate, generally at a value higher than the estimate, and the contract is then executed. Third, the ProgrammPointCount module deducts fees according to the charging standard. Fourth, it is judged whether the remaining fee is sufficient: if it is, the run ends, the fee consumed in the run is deducted, and the remaining balance of Fee is returned to the user; if the Fee given has been exhausted during execution, the contract is shut down, that is, execution of the contract stops and rolls back to the pre-deduction state. Fifth, the shutdown mechanism ends.
In an embodiment of the present invention, the shutdown mechanism further includes: if the transaction fee (Fee) is exhausted while the smart contract code is running, the running of the smart contract code is stopped; if the transaction fee is exhausted after the smart contract code has finished running, the node-resource consumption task has executed successfully; and if the transaction fee is exhausted before the smart contract code has finished running, the node-resource consumption task fails.
In the embodiment of the invention, the estimated consumption result in the contract operation process is obtained by acquiring and counting all consumption data required under the condition of normal operation of the intelligent contract code, and the contract operation state is controlled according to the estimated consumption result. The consumption data, i.e. the system data that the shutdown mechanism needs to monitor, includes: method calls, number of executions of conditional statements, and instructions of the operand stack. The shutdown mechanism sets corresponding consumption values through different types of the consumption data and is used for calculating consumption results.
Table 4 shows the complete classification of all consumption data and the corresponding interpretation.
TABLE 4
Table 5 shows the classification, description, and corresponding consumption values of the consumption data using an Enum enumeration type data structure provided by an embodiment of the present invention.
TABLE 5
Classification    Consumption value    Description
BdgetMethod       60                   Operand stack storage
BdsetMethod       50                   Operand stack loading
BDcallFuntion     40                   Calling other methods
BDcallUtil        30                   Calling tool class method
BDcall            10                   Calling native methods
BDJump            20                   Jump statement
BDInsn            1                    General statement
In the embodiment of the invention, all consumption data required under normal operation of the smart contract code is acquired and counted as follows: the contract code is first converted into bytecode, and the contract's bytecode blocks are then traversed with the bytecode manipulation tool ASM to obtain a control flow graph (Control Flow Graph, CFG).
Fig. 9 shows a specific flowchart of the control flow graph (CFG) procedure provided by an embodiment of the present invention. The control flow graph is an abstract data structure used in compilers and maintained internally by the compiler. A program's execution is made up of basic blocks; every case is traversed to generate a graph of blocks and edges that represents the possible flow and changes of all basic blocks during program execution, and the bytecode manipulation tool ASM is used to traverse each statement of each basic block.
In the embodiment of the invention, a structural-reflection-based method for monitoring and controlling code at runtime can be used: conditional statements are dynamically instrumented to obtain the number of times jump branches and loop statements execute at runtime, and the runtime data is also used to count operand stack instructions and method calls. As a result, the error against the actual consumption during contract execution is smaller and the estimated consumption result is more accurate. In the embodiment, the consumption result is calculated from the runtime data by the ProgrammPointCount module.
In the embodiment of the invention, the contract user can estimate the contract's consumption before running it and then, based on the estimated cost and within what the user can afford, give the maximum consumption value for the contract execution. A value higher than the predicted consumption is typically given so that the contract runs smoothly. If execution succeeds, the value consumed by executing the contract is deducted from the contract user's account, and the remainder is returned to the contract user by the original route. If the contract user gives a value lower than the value the contract actually consumes, the program is stopped as soon as the value given by the contract provider is used up; the failed run is restored to the state before the operation, but the value already consumed by the operations performed is not returned.
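The fee-metered shutdown described above, as an added JavaScript example (not code from the patent): basic blocks are charged with the Table 5 consumption values, and a run is halted and rolled back once the fee limit cannot cover the next block. The per-block charging, the `cfg` shape, the function names and both sample contracts are assumptions constructed for illustration.

```javascript
// Consumption values per category, copied from Table 5 of the description.
const COST = Object.freeze({
  BdgetMethod: 60,   // operand stack storage
  BdsetMethod: 50,   // operand stack loading
  BDcallFuntion: 40, // calling other methods
  BDcallUtil: 30,    // calling a tool-class method
  BDcall: 10,        // calling native methods
  BDJump: 20,        // jump statement
  BDInsn: 1,         // general statement
});

// Fee for one pass through a basic block (sum of its categories).
function blockCost(block) {
  let sum = 0;
  for (const op of block.ops) {
    if (!Object.prototype.hasOwnProperty.call(COST, op)) {
      throw new Error(`unknown consumption category: ${op}`);
    }
    sum += COST[op];
  }
  return sum;
}

// Pre-run estimate: block cost times the visit count expected for each block.
// expectedVisits stands in for the branch and loop counts from dynamic analysis.
function estimateFee(cfg, expectedVisits) {
  let total = 0;
  for (const [name, block] of Object.entries(cfg.blocks)) {
    total += blockCost(block) * (expectedVisits[name] || 0);
  }
  return total;
}

// Execute a contract under a fee limit. Assumptions of this sketch: fees are
// charged per basic block before it runs, and state is plain JSON data.
function runMetered(cfg, initialState, feeLimit) {
  if (!Number.isInteger(feeLimit) || feeLimit < 0) {
    throw new RangeError('feeLimit must be a non-negative integer');
  }
  const state = JSON.parse(JSON.stringify(initialState)); // working copy
  let remaining = feeLimit;
  let current = cfg.entry;
  while (current !== null) {
    const block = cfg.blocks[current];
    if (!block) throw new Error(`unknown basic block: ${current}`);
    const cost = blockCost(block);
    if (cost > remaining) {
      // Shutdown: the working copy is discarded (rollback) and the fee already
      // consumed is kept. Returning the unspent remainder is an assumption.
      return { status: 'halted', haltedAt: current, state: initialState,
               charged: feeLimit - remaining, refunded: remaining };
    }
    remaining -= cost;
    block.effect(state);
    current = block.next(state);
  }
  return { status: 'completed', haltedAt: null, state,
           charged: feeLimit - remaining, refunded: remaining };
}

// Constructed sample contract: pay one unit to each payee, then finish.
const payout = {
  entry: 'init',
  blocks: {
    init: { ops: ['BdsetMethod', 'BDInsn'], effect: s => { s.i = 0; }, next: () => 'check' },
    check: { ops: ['BdgetMethod', 'BDJump'], effect: () => {},
             next: s => (s.i < s.payees.length ? 'pay' : null) },
    pay: { ops: ['BDcallUtil', 'BDInsn', 'BDJump'],
           effect: s => { s.paid.push(s.payees[s.i]); s.balance -= 1; s.i += 1; },
           next: () => 'check' },
  },
};

// Constructed dead loop: the jump always targets the same block.
const deadLoop = {
  entry: 'spin',
  blocks: {
    spin: { ops: ['BDInsn', 'BDJump'], effect: s => { s.n += 1; }, next: () => 'spin' },
  },
};

const start = { payees: ['a', 'b', 'c'], paid: [], balance: 10 };
const estimate = estimateFee(payout, { init: 1, check: 4, pay: 3 });
console.log(estimate, runMetered(payout, start, estimate + 76).status);
console.log(runMetered(payout, start, 300));
console.log(runMetered(deadLoop, { n: 0 }, 1000));
```

The dead-loop contract never returns on its own; the fee limit is the only thing that bounds how long it can occupy the node.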
In addition, because smart contracts in the big data blockchain are the main way in which data resources are acquired and used, in the embodiment of the invention each function call needs a corresponding record, and the user who provides the smart contract also needs to accurately understand and specify the smart contract's code calls and branch information, so that a whole-system failure caused by an infinite loop endlessly consuming resources is avoided. A trace mark is required for each function call in order to obtain more detailed runtime information about the smart contract code.
Fig. 10 illustrates a UML class diagram for access control based on the shutdown mechanism according to an embodiment of the present invention. Referring to fig. 10, in the embodiment the program counting module implements the trace interface method to obtain runtime information between the modules of a program, and inherits the log method of the contract process. A counting function is then run between the contract modules of each contract process, the inter-module runtime information is output to the console as contract logs, and each consumption value during contract execution is estimated. Before the contract is used, the estimation module can also estimate each consumption value: it completes the estimate of the whole contract's consumption by traversing the basic blocks and function methods, and the estimated consumption value is then shown to the user in the console. In this process, the runtime information of each contract can be counted and displayed in real time, and the contract provider can control the conditions under which the contract runs according to this information.
In the method embodiment provided by the invention, in view of the current state of access control in big data blockchains, permission management for access among the system resources of the big data blockchain is performed with the R-TBAC model. On that basis, a shutdown mechanism is designed for the contract language, and shutdown operations are applied to node-resource consumption tasks so as to avoid meaningless consumption of node resources and infinite loops in contract execution. In addition, contract permissions are designed for the specific categories of tool classes, which reduces the unnecessary occupation of nodes by call-type tasks on IO tool classes and lowers node load. Finally, a DAC access control mechanism based on custom authority templates governs, through the smart contract code, calls from user roles to smart contracts and calls between smart contracts, further ensuring data security for users who call smart contracts. Combining these means, big data blockchain permission management truly covers the full life cycle of the data and achieves trusted circulation of big data blockchain data resources.
Example two
FIG. 11 is a block diagram illustrating a large data blockchain rights management system that covers a full lifecycle of data in accordance with the present invention. As shown in fig. 11, the system provided in this embodiment is applied to a big data blockchain, and the specific system includes:
The master control module 201 is used for performing authority management on the access among the system resources of the big data blockchain based on the R-TBAC model.
The monitoring module 202 is configured to monitor system tasks in the big data blockchain, where the system tasks are executed through intelligent contract codes, and the system tasks include a consumption task for node resources and a call task for IO tools.
The contract internal control module 203 is configured to add a customized DAC authority template based on an autonomous access control mechanism, and define inside the intelligent contract code to complete checking and authorization of the authority inside the intelligent contract, thereby controlling the call of the user role to the intelligent contract and the call of the intelligent contract to the intelligent contract.
The tool class task control module 204 controls the running state of the intelligent contract code based on the external authority design of the intelligent contract code in advance, and further controls the execution of the calling class task of the IO tool class.
The shutdown control module 205 is configured to control, based on a pre-designed shutdown mechanism, an operation state of the intelligent contract code through different control instructions, thereby controlling execution of the consumption task of the node resource.
In the system provided by the embodiment of the invention, in view of the current state of access control in big data blockchains, permission management for access among the system resources of the big data blockchain is performed with the R-TBAC model. On that basis, a shutdown mechanism is designed for the contract language, and shutdown operations are applied to node-resource consumption tasks so as to avoid meaningless consumption of node resources and infinite loops in contract execution. In addition, contract permissions are designed for the specific categories of tool classes, which reduces the unnecessary occupation of nodes by call-type tasks on IO tool classes and lowers node load. Finally, a DAC access control mechanism based on custom authority templates governs, through the smart contract code, calls from user roles to smart contracts and calls between smart contracts, further ensuring data security for users who call smart contracts. Combining these means, big data blockchain permission management truly covers the full life cycle of the data and achieves trusted circulation of big data blockchain data resources.
In this specification, the embodiments are described progressively; each embodiment focuses on its differences from the others, and for identical or similar parts the embodiments may be referred to one another.
It will be apparent to those skilled in the art that embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the invention may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or terminal device comprising the element.
The big data blockchain authority management method and system covering the full life cycle of data provided by the present invention have been described in detail above. Specific examples are used herein to explain the principles and embodiments of the invention, and the description of the embodiments is only intended to help in understanding the method of the invention and its core idea. At the same time, those skilled in the art may, following the ideas of the invention, make changes to the specific embodiments and the scope of application; in view of the above, the contents of this description should not be construed as limiting the invention.

Claims (10)

1. A big data blockchain rights management method covering a full lifecycle of data, the method comprising:
performing authority management on access among system resources of the big data blockchain based on an R-TBAC model;
monitoring system tasks executed by intelligent contract codes in the big data block chain, wherein the system tasks comprise consumption class tasks of node resources and calling class tasks of IO tool classes;
based on an autonomous access control mechanism, adding a self-defined DAC authority template, and defining the inside of the intelligent contract code to complete the checking and authorization of the authority inside the intelligent contract, thereby controlling the call of a user role to the intelligent contract and the call of the intelligent contract to the intelligent contract;
based on the external authority design of the intelligent contract code in advance, controlling the running state of the intelligent contract code, and further controlling the execution of the calling class task of the IO tool class;
based on a pre-designed shutdown mechanism, the running state of the intelligent contract code is controlled through different control instructions, and further the execution of the consumption task of the node resource is controlled.
2. The method of claim 1, wherein the system tasks performed by smart contract code comprise: updating and/or modifying the data resources and/or the node resources in the system.
3. The method of claim 1, wherein the custom DAC authority template comprises: an access control policy part, and an import part that performs the import when the contract code uses specific data.
4. The method of claim 1, wherein controlling the running state of the smart contract code, and thus the execution of the call class task of the IO tool class, based on the external rights design for the smart contract code in advance, comprises:
when the smart contract provider writes the contract, the relevant tools are authorized according to the content of the smart contract or the transaction of the smart contract, so that the authorized smart contract can run normally, and the user of the smart contract can choose to open or close the authorized smart contract permission set according to the current transaction state.
5. The method of claim 1, wherein the pre-designed shutdown mechanism comprises:
during the operation of the smart contract code, if execution does not end within the original program or the existing consumption, the operation of the smart contract code will be forcibly stopped.
6. The method of claim 5, wherein controlling the running state of the smart contract code, and thus the execution of the consumption class task of the node resource, by different control instructions based on a pre-designed shutdown mechanism comprises:
if the transaction fee (Fee) is exhausted while the smart contract code is running, stopping the running of the smart contract code; if the transaction fee (Fee) is exhausted after the smart contract code has finished running, the consumption task of the node resource is successfully executed; and if the transaction fee (Fee) is exhausted before the smart contract code has finished running, the execution of the consumption task of the node resource fails.
7. The method of claim 5 or 6, wherein the control instruction comprises: wait instruction, shutdown instruction, no-operation instruction.
8. The method of claim 1, wherein prior to controlling the operating state of the smart contract code via different control instructions based on a pre-designed shutdown mechanism, further comprising:
acquiring and counting all consumption data required under the condition of normal operation of the intelligent contract code, calculating an estimated consumption result in the contract operation process, and further controlling the contract operation state based on the shutdown mechanism according to the estimated consumption result; the consumption data includes: method calls, number of executions of conditional statements, and instructions of the operand stack.
9. The method of claim 8, wherein obtaining and counting all consumption data required for normal operation of the smart contract code, calculating estimated consumption results during operation of the contract, comprises:
using a structural-reflection-based method for monitoring and controlling code at runtime, dynamically instrumenting conditional statements to obtain the number of times jump branches and loop statements execute at runtime, while using the runtime consumption data to count operand stack instructions and method calls, and calculating the estimated consumption result from the runtime consumption data through a ProgrammPointCount module.
10. A big data blockchain rights management system that covers a full lifecycle of data, the system comprising:
the master control module is used for performing authority management on the access among the system resources of the big data block chain based on the R-TBAC model;
the monitoring module is used for monitoring system tasks executed by the intelligent contract codes in the big data blockchain, wherein the system tasks comprise consumption class tasks of node resources and calling class tasks of IO tool classes;
the contract internal control module is used for adding a self-defined DAC authority template based on an autonomous access control mechanism, and defining the inside of the intelligent contract code to complete the examination and authorization of the intelligent contract internal authority, thereby controlling the call of a user role to the intelligent contract and the call of the intelligent contract to the intelligent contract;
The tool class task control module is used for controlling the running state of the intelligent contract code based on the external authority design of the intelligent contract code in advance, and further controlling the execution of the calling class task of the IO tool class;
and the shutdown control module is used for controlling the running state of the intelligent contract code through different control instructions based on a pre-designed shutdown mechanism so as to control the execution of the consumption task of the node resource.
CN202010809485.4A 2020-08-12 2020-08-12 Big data blockchain authority management method and system for covering data full life cycle Active CN112115117B (en)


Publications (2)

Publication Number Publication Date
CN112115117A CN112115117A (en) 2020-12-22
CN112115117B true CN112115117B (en) 2024-02-23

Family

ID=73805256

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010809485.4A Active CN112115117B (en) 2020-08-12 2020-08-12 Big data blockchain authority management method and system for covering data full life cycle

Country Status (1)

Country Link
CN (1) CN112115117B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114153529B (en) * 2021-05-13 2022-07-19 北京天德科技有限公司 Intelligent contract system based on state machine synchronization and control
CN113515764B (en) * 2021-06-24 2021-11-30 南京可信区块链与算法经济研究院有限公司 Data management and control method
CN113835972B (en) * 2021-11-26 2022-03-08 南京金宁汇科技有限公司 ASM-based alliance chain intelligent contract resource consumption detection method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109493042A (en) * 2018-10-24 2019-03-19 南京邮电大学 A kind of intelligent contract possessing access control function is credible to deposit card method and system
CN109522735A (en) * 2018-11-29 2019-03-26 上海中信信息发展股份有限公司 A kind of data permission verification method and device based on intelligent contract
CN111131229A (en) * 2019-12-26 2020-05-08 湖南天河国云科技有限公司 Block chain-based industrial internet trusted control method, device and system

Also Published As

Publication number Publication date
CN112115117A (en) 2020-12-22

Similar Documents

Publication Publication Date Title
US10986080B1 (en) Permission management method and system for trustworthiness mechanism of big-data blockchain
CN112115117B (en) Big data blockchain authority management method and system for covering data full life cycle
Beyer et al. Benchmarking and resource measurement
Hamlen et al. Computability classes for enforcement mechanisms
Guo et al. Assertion guided symbolic execution of multithreaded programs
TWI650650B (en) Third party application execution method and system
Chong et al. Code-level model checking in the software development workflow
US20120101929A1 (en) Parallel processing development environment and associated methods
Holt et al. Disciplined inconsistency with consistency types
CN102902834A (en) Verification method and verification system of SOC (System on Chip)
Rocha et al. Hybrid static-runtime information flow and declassification enforcement
CN110968437A (en) Method, device, equipment and medium for parallel execution of single contract based on Java intelligent contract
Dietrich et al. Global optimization of fixed-priority real-time systems by RTOS-aware control-flow analysis
Dietrich et al. Cross-Kernel Control-Flow--Graph Analysis for Event-Driven Real-Time Systems
Rindell et al. Aligning security objectives with agile software development
Hussein et al. Security-policy monitoring and enforcement with JavaMOP
US8086455B2 (en) Model development authoring, generation and execution based on data and processor dependencies
Hunt et al. Just forget it–the semantics and enforcement of information erasure
Abdulla et al. Optimal stateless model checking for causal consistency
Parizek et al. Identifying future field accesses in exhaustive state space traversal
Ehlers Self-adaptive performance monitoring for component-based software systems
Demetrovics et al. Intersections of isotone clones on a finite set
US8458790B2 (en) Defending smart cards against attacks by redundant processing
CN111045891B (en) Monitoring method, device, equipment and storage medium based on java multithreading
Kanade Event-Based Concurrency: Applications, Abstractions, and Analyses

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant