CN113703880B - Application program starting method and device, electronic equipment and readable storage medium - Google Patents

Publication number: CN113703880B
Application number: CN202111235230.2A
Authority: CN (China)
Original language: Chinese (zh)
Other versions: CN113703880A
Inventor: 曹京奇
Assignee (current and original): Beijing Baidu Netcom Science and Technology Co Ltd
Legal status: Active
Prior art keywords: request, enclave, program, rpc, preset

Classifications (CPC)

    • G06F9/449 Object-oriented method invocation or resolution
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F8/315 Object-oriented languages
    • G06F8/54 Link editing before load time
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files

Abstract

The disclosure provides a starting method and device of an application program, electronic equipment and a readable storage medium, and relates to the technical field of computers, in particular to the field of system security or trusted computing. The specific scheme is as follows: starting an enclave loading program, wherein the enclave loading program is generated based on a preset Ocall method; and loading and starting the enclave program through the enclave loading program, wherein the enclave program is generated based on a preset Ecall method and a preset standard library, and a system calling method in the preset standard library is linked to the Ocall method. In the scheme, the Ocall method and the Ecall method are preset, so that the Ocall method and the Ecall method are prevented from being repeatedly developed, the development workload is reduced, and the development efficiency of the enclave program is improved.

Description

Application program starting method and device, electronic equipment and readable storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method and an apparatus for starting an application program, an electronic device, and a readable storage medium.
Background
Trusted computing (TC) is a computing platform supported by hardware-based security modules that are widely deployed in computing and communication systems. Trusted computing processes data strictly according to preset processing logic, which guarantees the privacy and security of the data.
Currently, a typical application of Trusted computing technology is to build a Trusted Execution Environment (TEE) based on CPU hardware, and obtain Trusted computing power in the TEE.
A program running in a TEE is called an enclave program. An enclave program cannot make system calls (syscalls) from inside the enclave, so it has to exchange data with the outside world through external call (Ocall) and enclave call (Ecall) methods. A large number of Ocall and Ecall methods therefore has to be developed whenever an enclave program is developed, which means a large development effort and reduces the development efficiency of the enclave program.
Disclosure of Invention
In order to solve at least one of the above drawbacks, the present disclosure provides an application program starting method, an application program starting device, an electronic device, and a readable storage medium.
According to a first aspect of the present disclosure, there is provided a method for starting an application, the method including:
starting an enclave loading program, wherein the enclave loading program is generated based on a preset Ocall method;
and loading and starting the enclave program through the enclave loading program, wherein the enclave program is generated based on a preset Ecall method and a preset standard library, and a system calling method in the preset standard library is linked to the Ocall method.
According to a second aspect of the present disclosure, there is provided an apparatus for starting an application, the apparatus including:
the loading program starting module is used for starting an enclave loading program, wherein the enclave loading program is generated based on a preset Ocall method;
the enclave program starting module is used for loading and starting the enclave program through an enclave loading program, wherein the enclave program is generated based on a preset Ecall method and a preset standard library, and a system calling method in the preset standard library is linked to an Ocall method.
According to a third aspect of the present disclosure, there is provided an electronic apparatus comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor, the instructions being executable by the at least one processor to enable the at least one processor to perform the method for launching the application program.
According to a fourth aspect of the present disclosure, there is provided a non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute the startup method of the above application program.
According to a fifth aspect of the present disclosure, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the method of launching an application program as described above.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present disclosure, nor do they limit the scope of the present disclosure. Other features of the present disclosure will become apparent from the following description.
Drawings
The drawings are included to provide a better understanding of the present solution and are not to be construed as limiting the present disclosure. Wherein:
fig. 1 is a schematic flowchart of a method for starting an application according to an embodiment of the present disclosure;
FIG. 2 is a schematic structural diagram of an RPC frame provided by an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a network packet of a customized transport protocol provided in an embodiment of the present disclosure;
FIG. 4 is a schematic structural diagram of an application program starting device provided in accordance with the present disclosure;
fig. 5 is a block diagram of an electronic device for implementing a method for starting an application program according to an embodiment of the present disclosure.
Detailed Description
Exemplary embodiments of the present disclosure are described below with reference to the accompanying drawings, in which various details of the embodiments of the disclosure are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the present disclosure. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
With the development and increasing opening of internet technology, the security requirement for private data is also higher and higher. In some application scenarios, to ensure the security of the private data, the private data often exists in the form of individual data islands. Different private data may have a data cooperative computing requirement, and in order to ensure the security of the private data during cooperative computing, a trusted computing technology is generally adopted to perform the cooperative computing of the private data.
Trusted computing (TC) is a computing platform supported by hardware-based security modules that are widely deployed in computing and communication systems. Trusted computing computes on private data strictly according to preset processing logic, which ensures the privacy and security of the private data.
Currently, a typical application of trusted computing technology is to build a Trusted Execution Environment (TEE) on CPU hardware and obtain trusted computing power inside the TEE. Typical implementations of TEE technology include Intel Software Guard Extensions (Intel SGX) and ARM TrustZone. In the general server field, Intel SGX is the more widely used of the two.
A program running in a TEE is called an enclave program. An enclave program cannot make system calls (syscalls) from inside the enclave, so it has to exchange data with the outside world through external call (Ocall) and enclave call (Ecall) methods. A large number of Ocall and Ecall methods therefore has to be developed whenever an enclave program is developed, which means a large development effort and reduces the development efficiency of the enclave program.
An enclave program based on Intel SGX is usually developed in C/C++, and because the C/C++ development threshold is high, the development difficulty of the enclave program is high.
The application program starting method and device, the electronic device and the readable storage medium provided by the embodiments of the application program aim to solve at least one of the above technical problems in the prior art.
Fig. 1 shows a flowchart of a method for starting an application program according to an embodiment of the present disclosure, and as shown in fig. 1, the method mainly includes:
step S110: starting an enclave loading program, wherein the enclave loading program is generated based on a preset Ocall method;
step S120: and loading and starting the enclave program through the enclave loading program, wherein the enclave program is generated based on a preset Ecall method and a preset standard library, and a system calling method in the preset standard library is linked to the Ocall method.
The enclave loader bootstraps the loading and starting of the enclave program and, at the same time, provides the implementation of the Ocall method.
The Ocall method is linked to the system call method in the preset standard library, so the enclave program performs system calls by calling the Ocall method.
The preset standard library can be obtained by modifying the standard library of a programming language: specifically, the system call method at the bottom layer of the standard library is linked to the Ocall method, so that a system call is carried out by calling the Ocall method.
The Ecall method serves as the entry point of the enclave program and is used to start it.
In the related art, a large number of methods of Ocall and Ecall are required to be developed respectively aiming at multiple functions of enclave programs, so that the development amount is large. In the embodiment of the disclosure, because the Ocall method and the Ecall method are preset, a developer can perform data interaction with the outside through the preset Ocall method and the Ecall method on the service function to be realized, and the Ocall method and the Ecall method do not need to be repeatedly developed, so that the development workload is reduced.
In the embodiment of the disclosure, after the enclave loading program is started, a program path of the enclave program may be introduced, and then the enclave program is loaded and started through the enclave loading program.
According to the method provided by the embodiment of the disclosure, an enclave loading program is generated based on an Ocall method by presetting an Ocall method and an Ecall method, the enclave program is generated based on the Ecall method and a preset standard library, so that after the enclave loading program is started, the enclave program is loaded and started through the enclave loading program, and based on the scheme, the Ocall method and the Ecall method are preset, so that the Ocall method and the Ecall method are prevented from being repeatedly developed, the development workload is reduced, and the development efficiency of the enclave program is ensured.
In an optional implementation manner of the present disclosure, the enclave loader is generated based on a preset Ocall method, and the enclave loader is generated by the following method:
compiling a first code corresponding to the Ocall method to generate a first target file;
compiling a second code corresponding to the enclave loading program to generate a second target file;
and linking the first target file and the second target file to generate an enclave loading program.
In the embodiment of the disclosure, the first code is a code for implementing a preset Ocall method, the second code is a program code for implementing an enclave loader, and the enclave loader can be generated by compiling the first code into a first target file, compiling the second code into a second target file, and then linking the first target file and the second target file.
In an optional embodiment of the present disclosure, an enclave program is generated based on a preset Ecall method and a preset standard library, and the enclave program is generated by the following method:
compiling a third code corresponding to the Ecall method to generate a third target file;
compiling the fourth code to generate a fourth target file, wherein the fourth code comprises a user code and a fifth code corresponding to a preset standard library;
and linking the third target file and the fourth target file to generate an enclave program.
In the embodiment of the present disclosure, the third code is the code implementing the preset Ecall method. The user code is code such as business logic methods developed by the user, and implements a specific business function. The fifth code is the code implementing the preset standard library. The third code is compiled into a third object file, the user code and the code corresponding to the preset standard library (i.e., the fifth code) are compiled into a fourth object file, and the enclave program is then generated by linking the third object file and the fourth object file.
Based on the scheme, a developer can develop an enclave program only aiming at user codes, and a service function required to be realized can perform data interaction with the outside through a preset Ocall method and an Ecall method without repeatedly developing the Ocall method, so that the development workload is reduced.
In an optional manner of the present disclosure, the user code is implemented in the Go programming language (golang), and the preset standard library is constructed from the golang standard library.
In the embodiment of the disclosure, the user code can be written in golang, which has a lower development threshold than languages such as C/C++, so the development difficulty is reduced. Correspondingly, the preset standard library can be obtained by modifying the golang standard library, namely by linking the system call method at the bottom layer of the golang standard library to the Ocall method.
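The following is an added example, not code from the patent or from Baidu, that models in Go how a syscall wrapper in the "preset standard library" can be linked to an Ocall supplied by the enclave loader. The names ocallWrite, SetOcallWrite, Write and hostWrite are hypothetical; the patent does not specify the linking mechanism, and a function variable stands in for it here. The example also shows the check a practitioner wants at that boundary: values an Ocall returns come from the untrusted side, so a byte count larger than the buffer is rejected rather than trusted.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example (hypothetical names). The syscall wrapper inside the enclave
// does not trap into the kernel; it forwards to an Ocall implementation that
// the enclave loader installs before starting the enclave program.

// OcallWrite is the shape of the Ocall the loader provides for write(2).
type OcallWrite func(fd int, p []byte) (n int, errno int)

// ocallWrite is the link point; nil until the loader installs it.
var ocallWrite OcallWrite

var ErrNoOcall = errors.New("write: no Ocall linked for syscall")

// SetOcallWrite is called by the loader (outside the enclave) to link the
// preset standard library's write to the loader's Ocall implementation.
func SetOcallWrite(f OcallWrite) { ocallWrite = f }

// Write has the shape of syscall.Write in the standard library but delegates
// to the Ocall. Results of an Ocall come from the untrusted host, so they are
// validated before the enclave acts on them.
func Write(fd int, p []byte) (int, error) {
	if ocallWrite == nil {
		return 0, ErrNoOcall
	}
	n, errno := ocallWrite(fd, p)
	if errno != 0 {
		return 0, fmt.Errorf("write: ocall errno %d", errno)
	}
	// A hostile host could claim more bytes were written than were passed;
	// reject the count instead of propagating it to user code.
	if n < 0 || n > len(p) {
		return 0, fmt.Errorf("write: ocall returned count %d for a %d-byte buffer", n, len(p))
	}
	return n, nil
}

// hostWrite is a constructed loader-side Ocall implementation that records
// what the enclave asked for instead of touching a real file descriptor.
type hostWrite struct {
	written map[int][]byte
}

func newHostWrite() *hostWrite { return &hostWrite{written: map[int][]byte{}} }

// Ocall is the loader's implementation of the write Ocall.
func (h *hostWrite) Ocall(fd int, p []byte) (int, int) {
	if fd < 0 {
		return 0, 9 // EBADF
	}
	h.written[fd] = append(h.written[fd], p...)
	return len(p), 0
}

func main() {
	h := newHostWrite()
	SetOcallWrite(h.Ocall) // the loader links the Ocall, then starts the enclave program
	n, err := Write(1, []byte("hello from the enclave\n"))
	fmt.Println(n, err, string(h.written[1]))
}
```

Before the loader has installed the Ocall, Write fails closed with ErrNoOcall rather than silently dropping data; this is the state the enclave program is in if it is started by anything other than the matching loader.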
In an optional manner of the present disclosure, the fourth code further includes a sixth code corresponding to a Remote Procedure Call Protocol (RPC) framework.
In the embodiment of the disclosure, the communication between the enclave program and the outside world can be realized based on the RPC framework, and the sixth code corresponding to the RPC framework, the user code and the fifth code corresponding to the preset standard library can be compiled together to obtain the fourth target file.
In the embodiment of the present disclosure, the sixth code corresponding to the RPC frame may be written by golang. The method is suitable for developing the enclave program of the Client-Server mode, and the enclave program can be developed quickly and at low cost based on the RPC framework.
As one example, the RPC framework may include a logical network layer, a service layer, and a business layer. The logical network layer listens for RPC requests, parses them, and forwards the parsed requests to the service layer. Because the enclave program sits in the trusted zone there is no network layer in the true sense, which is why this layer is called a logical network layer.
The service layer receives the RPC requests submitted by the logical network layer, routes each request to the business logic method developed by the user according to the method name in the request information, and completes the specific task. The business logic methods developed by the user are registered with the service layer under their method names.
The business layer consists of the business logic methods developed by the user, which ultimately carry out the user's computation. These methods have to be registered with the service layer before they can be invoked.
In an optional mode of the present disclosure, the method further includes:
receiving an RPC request;
and verifying the RPC request based on a verification mode corresponding to the request type of the RPC request.
In the embodiment of the disclosure, a corresponding verification mode can be preconfigured for the request type of the RPC request, so that the verification of the request can be realized by adopting the corresponding verification mode for different request types, and the method is suitable for the use requirement in an actual scene.
As one example, the request types may include requests initiated from outside the enclave and requests initiated from inside an enclave. A request initiated from outside the enclave is one sent from outside the enclave to the inside of the enclave. A request initiated from inside an enclave is one sent by one enclave program to another enclave program.
In an optional manner of the present disclosure, receiving an RPC request includes:
and receiving the RPC request through an RPC interface corresponding to the request type of the RPC request.
In the embodiment of the present disclosure, a separate RPC interface may be preset for each request type. For example, two RPC interfaces are provided: one receives requests initiated from outside the enclave, the other receives requests initiated from inside an enclave.
The logical network layer listens on the two RPC interfaces separately.
In an optional manner of the present disclosure, if the request type of the RPC request is a request initiated by an enclave outside, the RPC request is verified based on a verification manner corresponding to the request type of the RPC request, including:
and enabling a request initiator of the RPC request to authenticate the enclave program.
In the embodiment of the present disclosure, when the request type of the RPC request is a request initiated from outside the enclave, a Transport Layer Security (TLS) channel may be established so that the request initiator can authenticate the enclave program. For example, the certificate of the enclave program may be verified through the digital certificate registry (RA).
In an optional manner of the present disclosure, if the request type of the RPC request is a request initiated by enclave internally, the RPC request is verified based on a verification manner corresponding to the request type of the RPC request, including:
and performing identity authentication on the request initiator of the RPC request, and performing identity authentication on the enclave program by the request initiator of the RPC request.
In the embodiment of the present disclosure, the request type of the RPC request is a request initiated from inside an enclave, that is, a request sent from one enclave program to another enclave program.
As an example, the enclave program in this example is the receiving party of the RPC request. This enclave program (i.e., the one that receives the RPC request) authenticates the initiator of the RPC request, and the initiator of the RPC request authenticates this enclave program.
Specifically, a TLS channel may be established and the identities of the request initiator and the request receiver verified over it. For example, the certificate of the request initiator and the certificate of the request receiver may each be verified through the RA.
As an example, fig. 2 shows a schematic structural diagram of the RPC framework provided by the embodiment of the present disclosure. As shown in fig. 2, an enclave program deployed in a trusted zone is denoted the first enclave program; it exchanges data with the outside through the Ecall method and the Ocall method. The RPC framework of the first enclave program includes a logical network layer, a service layer, and a business layer. Client is a client that can send requests to the enclave program, i.e., requests initiated from outside the enclave. Client Port is the user interface, i.e., the RPC interface that receives requests initiated from outside the enclave. Another Node is an enclave program deployed in another trusted zone, denoted the second enclave program, which can send requests to the first enclave program, i.e., requests initiated from inside an enclave. PeerPort is the node interface, i.e., the RPC interface that receives requests initiated from inside an enclave.
Listener & Conn: the logical network layer listens on the two RPC interfaces separately and parses the requests it receives.
Service & Handler: the methods corresponding to the user's business logic are registered with the service layer so that requests can be processed.
TLS + RA: a TLS channel is established and the certificate of the request receiver is verified through the RA.
TLS + double RA: a TLS channel is established and the certificate of the request initiator and the certificate of the request receiver are each verified through the RA.
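The following is an added example, not code from the patent or from Baidu, that sketches in Go the two parts of the framework described above: the service layer that routes requests by method name to business methods registered by name, and the per-interface verification mode (server-authenticated TLS on the client port, mutual TLS on the peer port). All identifiers are hypothetical. The "RA" check is represented by a caller-supplied callback, and trust in the peer's certificate is delegated entirely to that callback, because the page does not say how the RA verification is carried out or whether a CA chain is also checked.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// Added example with hypothetical names; models the service layer and the
// per-interface TLS mode of the RPC framework described on the page.

// RequestType says which RPC interface a request arrived on.
type RequestType int

const (
	FromOutsideEnclave RequestType = iota // client port: "TLS + RA"
	FromInsideEnclave                     // peer port:   "TLS + double RA"
)

// Handler is a business-logic method developed by the user.
type Handler func(params []byte) ([]byte, error)

// Service is the service layer: a registry of handlers keyed by method name.
type Service struct {
	handlers map[string]Handler
}

func NewService() *Service { return &Service{handlers: map[string]Handler{}} }

// Register binds a business method to its RPC method name. Duplicates are
// rejected so a later registration cannot silently shadow an earlier one.
func (s *Service) Register(method string, h Handler) error {
	if h == nil {
		return fmt.Errorf("service: nil handler for %q", method)
	}
	if _, dup := s.handlers[method]; dup {
		return fmt.Errorf("service: method %q already registered", method)
	}
	s.handlers[method] = h
	return nil
}

// Route dispatches a parsed request to the handler named in its header.
func (s *Service) Route(method string, params []byte) ([]byte, error) {
	h, ok := s.handlers[method]
	if !ok {
		return nil, fmt.Errorf("service: unknown method %q", method)
	}
	return h(params)
}

// RACheck verifies a peer's raw certificate chain (the page's "RA" step).
type RACheck func(rawCerts [][]byte) error

// TLSConfigFor returns the listener TLS settings for one RPC interface.
// Client port: only the enclave presents a certificate, so the requester can
// authenticate the enclave; nothing is demanded from the requester.
// Peer port: mutual TLS; the requesting enclave must present a certificate,
// which is checked with the RA callback (assumption: the callback is the
// whole trust decision, so no CA chain is required).
func TLSConfigFor(rt RequestType, enclaveCert tls.Certificate, ra RACheck) (*tls.Config, error) {
	if ra == nil {
		return nil, errors.New("tls: an RA check must be supplied")
	}
	cfg := &tls.Config{
		Certificates: []tls.Certificate{enclaveCert},
		MinVersion:   tls.VersionTLS12,
	}
	switch rt {
	case FromOutsideEnclave:
		cfg.ClientAuth = tls.NoClientCert
	case FromInsideEnclave:
		cfg.ClientAuth = tls.RequireAnyClientCert
		cfg.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			return ra(rawCerts)
		}
	default:
		return nil, fmt.Errorf("tls: unknown request type %d", rt)
	}
	return cfg, nil
}

func main() {
	svc := NewService()
	_ = svc.Register("Echo", func(p []byte) ([]byte, error) { return p, nil })
	out, err := svc.Route("Echo", []byte("ping"))
	fmt.Println(string(out), err)
	peer, _ := TLSConfigFor(FromInsideEnclave, tls.Certificate{}, func([][]byte) error { return nil })
	fmt.Println("peer port demands a client certificate:", peer.ClientAuth == tls.RequireAnyClientCert)
}
```

The point of keeping two separate configurations is that the peer port never falls back to the weaker client-port mode: a request arriving on PeerPort without a certificate that passes the RA callback is refused at the handshake, before the logical network layer parses anything.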
In an optional mode of the disclosure, a network data packet of the RPC request includes a header and a body, and if a data size of a request parameter of the RPC request is smaller than a preset value, the request parameter is located in the header; and if the data volume of the request parameter of the RPC request is not less than the preset value, the request parameter is located in the body.
Some existing protocols may cause additional data transmission if applied directly to the current scenario, and some protocols may not support streaming, so that large data files cannot be transmitted or a huge performance loss is caused. In order to reduce the performance loss caused by the transmission protocol to the enclave program and improve the flexibility of the RPC request as much as possible, in the embodiment of the disclosure, a custom transmission protocol may be used for data transmission.
In the custom transmission protocol, the position of the request parameter in the network data packet may be specified according to the difference of the data amount of the request parameter in the network data packet, specifically, the request parameter with a larger data amount may be written into the body, and the request parameter with a smaller data amount may be written into the header. By specifying the writing position of the request parameter, the user-defined transmission protocol can support the transmission of the request parameter with large data volume and the transmission of the request parameter with small data volume.
In the embodiment of the disclosure, the preset value can be set according to actual needs, and when the data volume of the request parameter is smaller than the preset value, the data volume of the request parameter can be considered to be smaller; when the data volume of the request parameter is not less than the preset value, the data volume of the request parameter can be considered to be larger.
As an example, fig. 3 shows the structure of a network packet of the custom transport protocol provided by an embodiment of the present disclosure. As shown in fig. 3, the network packet may consist of three parts: a header length, a header, and a body.
Header length: marks the length of the header; this part may be fixed at 4 bytes.
Header: contains fields such as method, payload, error, and body length (body len). The method field indicates the request method, the payload records request parameters of small data size, the error field reports an error, and body len gives the length of the body. The header is of variable length.
Body: records request parameters of large data size, such as large files. The body is of variable length.
Based on the same principle as the method shown in fig. 1, fig. 4 shows a schematic structural diagram of a starting apparatus of an application program provided by an embodiment of the present disclosure, and as shown in fig. 4, the starting apparatus 40 of the application program may include:
the loader starting module 410 is used for starting an enclave loader, wherein the enclave loader is generated based on a preset Ocall method;
and the enclave program starting module 420 is used for loading and starting the enclave program through an enclave loading program, the enclave program is generated based on a preset Ecall method and a preset standard library, and a system calling method in the preset standard library is linked to the Ocall method.
According to the device provided by the embodiment of the disclosure, an enclave loading program is generated based on an Ocall method by presetting an Ocall method and an Ecall method, the enclave program is generated based on the Ecall method and a preset standard library, so that after the enclave loading program is started, the enclave program is loaded and started through the enclave loading program, and based on the scheme, the Ocall method and the Ecall method are preset, so that the Ocall method and the Ecall method are prevented from being repeatedly developed, the development workload is reduced, and the development efficiency of the enclave program is ensured.
Optionally, generating an enclave loader based on a preset Ocall method, by:
compiling a first code corresponding to the Ocall method to generate a first target file;
compiling a second code corresponding to the enclave loading program to generate a second target file;
and linking the first target file and the second target file to generate an enclave loading program.
Optionally, the enclave program is generated based on a preset Ecall method and a preset standard library, and the method includes:
compiling a third code corresponding to the Ecall method to generate a third target file;
compiling the fourth code to generate a fourth target file, wherein the fourth code comprises a user code and a fifth code corresponding to a preset standard library;
and linking the third target file and the fourth target file to generate an enclave program.
Optionally, the user code is implemented by golang, and the preset standard library is constructed based on the standard library of golang.
Optionally, the fourth code further includes a sixth code corresponding to the RPC framework.
Optionally, the apparatus further comprises:
a request verification module, configured to receive an RPC request and to verify the RPC request based on a verification mode corresponding to the request type of the RPC request.
Optionally, when receiving the RPC request, the request verification module is specifically configured to:
receive the RPC request through an RPC interface corresponding to the request type of the RPC request.
Optionally, if the request type of the RPC request is a request initiated from outside the enclave, the request verification module, when verifying the RPC request based on the verification mode corresponding to its request type, is specifically configured to:
enable the request initiator of the RPC request to authenticate the enclave program.
Optionally, if the request type of the RPC request is a request initiated inside an enclave, the request verification module, when verifying the RPC request based on the verification mode corresponding to its request type, is specifically configured to:
authenticate the identity of the request initiator of the RPC request, and have the request initiator of the RPC request authenticate the enclave program in turn.
Optionally, the network data packet of the RPC request includes a header and a body; if the data size of the request parameter of the RPC request is smaller than a preset value, the request parameter is placed in the header, and if the data size of the request parameter is not smaller than the preset value, the request parameter is placed in the body.
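The two verification modes (one-way for a request from outside the enclave, mutual for a request initiated inside an enclave) and the header/body placement rule described above, as an added example written for this page in Go, the language the user code is said to use; it is not the patent's or Baidu's implementation, and the packet framing, the preset value of 64 bytes, the request-type codes and the authentication hooks are all assumptions.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// RequestType travels in the header so the receiver can pick the verification mode.
type RequestType uint8
const (
	FromOutsideEnclave RequestType = 1 // request initiated outside the enclave
	FromInsideEnclave  RequestType = 2 // request initiated inside an enclave
)
// HeaderParamLimit is the preset value: a parameter smaller than it goes in the
// header, otherwise in the body. The number itself is an assumption of this example.
const HeaderParamLimit = 64
// Packet is a constructed framing, not the patent's own:
// header = [type:1][in_header:1][param_len:2 big-endian][params if in_header]
type Packet struct{ Header, Body []byte }

// Encode builds the packet, placing the parameter according to the size rule.
func Encode(t RequestType, params []byte) (Packet, error) {
	if len(params) > 0xFFFF {
		return Packet{}, fmt.Errorf("parameter of %d bytes exceeds the 16-bit length field", len(params))
	}
	hdr := make([]byte, 4, 4+len(params))
	hdr[0] = byte(t)
	binary.BigEndian.PutUint16(hdr[2:], uint16(len(params)))
	if len(params) < HeaderParamLimit {
		hdr[1] = 1
		return Packet{Header: append(hdr, params...)}, nil
	}
	return Packet{Header: hdr, Body: append([]byte(nil), params...)}, nil
}

// Decode reads the type, locates the parameter, and rejects a length mismatch.
func Decode(p Packet) (RequestType, []byte, error) {
	if len(p.Header) < 4 {
		return 0, nil, fmt.Errorf("header too short: %d bytes", len(p.Header))
	}
	t := RequestType(p.Header[0])
	if t != FromOutsideEnclave && t != FromInsideEnclave {
		return 0, nil, fmt.Errorf("unknown request type %d", t)
	}
	params := p.Body
	if p.Header[1] == 1 {
		params = p.Header[4:]
	}
	if n := int(binary.BigEndian.Uint16(p.Header[2:])); n != len(params) {
		return 0, nil, fmt.Errorf("declared %d parameter bytes, got %d", n, len(params))
	}
	return t, params, nil
}

// Check names one authentication step of a verification mode.
type Check int
const (
	InitiatorVerifiesEnclave Check = iota // the initiator authenticates the enclave program
	EnclaveVerifiesInitiator              // the enclave program authenticates the initiator
)
// ChecksFor maps the request type to its mode: one-way for external, mutual for in-enclave.
func ChecksFor(t RequestType) []Check {
	if t == FromInsideEnclave {
		return []Check{EnclaveVerifiesInitiator, InitiatorVerifiesEnclave}
	}
	return []Check{InitiatorVerifiesEnclave}
}
// VerifyRequest runs every check of the matching mode through the supplied hooks (hypothetical
// stand-ins for attestation and credential checks); a missing or failing check rejects the request.
func VerifyRequest(p Packet, hooks map[Check]func() error) ([]byte, error) {
	t, params, err := Decode(p)
	if err != nil {
		return nil, err
	}
	for _, c := range ChecksFor(t) {
		fn, ok := hooks[c]
		if !ok {
			return nil, fmt.Errorf("check %d required but not configured", c)
		}
		if err := fn(); err != nil {
			return nil, fmt.Errorf("check %d failed: %w", c, err)
		}
	}
	return params, nil
}
```

Note that a parameter whose size equals the preset value goes to the body, matching the "not smaller than" wording, and that an in-enclave request is refused when no initiator check is configured rather than silently downgraded to one-way verification.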
It is understood that the modules of the application program starting device in this embodiment of the present disclosure have the functions of implementing the corresponding steps of the application program starting method in the embodiment shown in fig. 1. These functions can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the functions described above. The modules can be software and/or hardware, and each module can be implemented independently or by integrating several modules. For the functional description of each module of the application program starting device, reference may be made to the corresponding description of the application program starting method in the embodiment shown in fig. 1, which is not repeated here.
In the technical solution of this disclosure, the collection, storage, use, processing, transmission, provision, disclosure and other handling of the personal information of the users involved all comply with the provisions of the relevant laws and regulations and do not violate public order and good morals.
The present disclosure also provides an electronic device, a readable storage medium, and a computer program product according to embodiments of the present disclosure.
The electronic device includes: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to execute the starting method of the application program provided by the embodiment of the disclosure.
Compared with the prior art, the electronic device presets an Ocall method and an Ecall method, generates the enclave loading program based on the Ocall method and the enclave program based on the Ecall method and the preset standard library, so that after the enclave loading program is started it loads and starts the enclave program; because the Ocall method and the Ecall method are preset, they do not have to be developed repeatedly, which reduces the development workload and ensures the development efficiency of the enclave program.
The readable storage medium is a non-transitory computer readable storage medium storing computer instructions for causing a computer to execute the method for starting an application program according to the embodiment of the present disclosure.
Compared with the prior art, the readable storage medium presets an Ocall method and an Ecall method, generates the enclave loading program based on the Ocall method and the enclave program based on the Ecall method and the preset standard library, so that after the enclave loading program is started it loads and starts the enclave program; because the Ocall method and the Ecall method are preset, they do not have to be developed repeatedly, which reduces the development workload and ensures the development efficiency of the enclave program.
The computer program product comprises a computer program which, when executed by a processor, implements the method for launching an application program as provided by embodiments of the present disclosure.
Compared with the prior art, the computer program product presets an Ocall method and an Ecall method, generates the enclave loading program based on the Ocall method and the enclave program based on the Ecall method and the preset standard library, so that after the enclave loading program is started it loads and starts the enclave program; because the Ocall method and the Ecall method are preset, they do not have to be developed repeatedly, which reduces the development workload and ensures the development efficiency of the enclave program.
Fig. 5 illustrates a schematic block diagram of an example electronic device 2000, which may be used to implement embodiments of the present disclosure. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular phones, smart phones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be examples only, and are not meant to limit implementations of the disclosure described and/or claimed herein.
As shown in fig. 5, the device 2000 includes a computing unit 2010, which may perform various appropriate actions and processes in accordance with a computer program stored in a Read Only Memory (ROM) 2020, or a computer program loaded from a storage unit 2080 into a Random Access Memory (RAM) 2030. In the RAM 2030, various programs and data required for the operation of the device 2000 can also be stored. The computing unit 2010, ROM 2020, and RAM 2030 are coupled to each other via bus 2040. An input/output (I/O) interface 2050 is also connected to bus 2040.
Various components in device 2000 are connected to I/O interface 2050, including: an input unit 2060 such as a keyboard, a mouse, or the like; an output unit 2070 such as various types of displays, speakers, and the like; a storage unit 2080 such as a magnetic disk, an optical disk, and the like; and a communication unit 2090, such as a network card, modem, wireless communication transceiver, etc. The communication unit 2090 allows the device 2000 to exchange information/data with other devices over a computer network, such as the internet, and/or various telecommunication networks.
Computing unit 2010 may be a variety of general purpose and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 2010 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. The computing unit 2010 executes the application program starting method provided in the embodiment of the present disclosure. For example, in some embodiments, the application program starting method provided in the embodiments of the present disclosure may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as the storage unit 2080. In some embodiments, some or all of the computer program may be loaded onto and/or installed onto the device 2000 via the ROM 2020 and/or the communication unit 2090. When the computer program is loaded into RAM 2030 and executed by computing unit 2010, one or more steps of the application program starting method provided in the embodiments of the present disclosure may be performed. Alternatively, in other embodiments, the computing unit 2010 may be configured in any other suitable manner (e.g., by way of firmware) to perform the application program starting method provided in the disclosed embodiments.
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for implementing the methods of the present disclosure may be written in any combination of one or more programming languages. These program codes may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the program codes, when executed by the processor or controller, cause the functions/operations specified in the flowchart and/or block diagram to be performed. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), Wide Area Networks (WANs), and the Internet.
The computer system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server combined with a blockchain.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present disclosure may be executed in parallel or sequentially or in different orders, and are not limited herein as long as the desired results of the technical solutions disclosed in the present disclosure can be achieved.
The above detailed description should not be construed as limiting the scope of the disclosure. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (17)

1. A starting method of an application program comprises the following steps:
starting an enclave loading program, wherein the enclave loading program is generated based on a preset external call Ocall method;
loading and starting an enclave program through the enclave loading program, wherein the enclave program is generated based on a preset enclave call Ecall method and a preset standard library, and a system call method in the preset standard library is linked to the Ocall method;
the enclave program being generated based on the preset Ecall method and the preset standard library in the following manner:
compiling a third code corresponding to the Ecall method to generate a third target file;
compiling a fourth code to generate a fourth target file, wherein the fourth code comprises a user code and a fifth code corresponding to a preset standard library;
and linking the third target file and the fourth target file to generate the enclave program.
2. The method as claimed in claim 1, wherein the enclave loader is generated based on a preset Ocall method by:
compiling a first code corresponding to the Ocall method to generate a first target file;
compiling a second code corresponding to the enclave loading program to generate a second target file;
and linking the first target file and the second target file to generate the enclave loading program.
3. Method according to claim 1 or 2, wherein said user code is implemented by the GO programming language golang, said preset standard library being built on the basis of the standard library of golang.
4. The method of claim 3, wherein the fourth code further comprises sixth code corresponding to a remote procedure call protocol (RPC) framework.
5. The method of claim 4, further comprising:
receiving an RPC request;
and verifying the RPC request based on a verification mode corresponding to the request type of the RPC request.
6. The method of claim 5, wherein receiving the RPC request comprises:
and receiving the RPC request through an RPC interface corresponding to the request type of the RPC request.
7. The method of claim 5 or 6, wherein if the request type of the RPC request is a request initiated from outside the enclave, the verifying the RPC request based on a verification manner corresponding to the request type of the RPC request comprises:
and enabling a request initiator of the RPC request to authenticate the enclave program.
8. The method of claim 5 or 6, wherein if the request type of the RPC request is a request initiated inside the enclave, the verifying the RPC request based on a verification manner corresponding to the request type of the RPC request comprises:
and performing identity authentication on the request initiator of the RPC request, and performing identity authentication on the enclave program by the request initiator of the RPC request.
9. The method of claim 5 or 6, wherein the network data packet of the RPC request comprises a header and a body, and if the data volume of the request parameter of the RPC request is smaller than a preset value, the request parameter is located in the header; and if the data volume of the request parameter of the RPC request is not less than a preset value, the request parameter is located in the body.
10. An apparatus for starting an application program, comprising:
a loader starting module, configured to start an enclave loader, wherein the enclave loader is generated based on a preset Ocall method;
an enclave program starting module, configured to load and start the enclave program through the enclave loading program, wherein the enclave program is generated based on a preset Ecall method and a preset standard library, and a system call method in the preset standard library is linked to the Ocall method;
the enclave program being generated based on the preset Ecall method and the preset standard library in the following manner:
compiling a third code corresponding to the Ecall method to generate a third target file;
compiling a fourth code to generate a fourth target file, wherein the fourth code comprises a user code and a fifth code corresponding to a preset standard library;
and linking the third target file and the fourth target file to generate the enclave program.
11. The apparatus of claim 10, wherein the enclave loader is generated based on a preset Ocall method by:
compiling a first code corresponding to the Ocall method to generate a first target file;
compiling a second code corresponding to the enclave loading program to generate a second target file;
and linking the first target file and the second target file to generate the enclave loading program.
12. The apparatus of claim 10 or 11, wherein the fourth code further comprises a sixth code corresponding to an RPC framework.
13. The apparatus of claim 12, further comprising:
and the request verification module is used for receiving the RPC request and verifying the RPC request based on a verification mode corresponding to the request type of the RPC request.
14. The apparatus of claim 13, wherein if the RPC request is a request initiated from outside the enclave, the request verification module, when verifying the RPC request based on a verification manner corresponding to the RPC request, is specifically configured to perform:
and enabling a request initiator of the RPC request to authenticate the enclave program.
15. The apparatus of claim 13, wherein if the RPC request is a request initiated inside the enclave, the request verification module, when verifying the RPC request based on a verification manner corresponding to the RPC request, is specifically configured to perform:
and performing identity authentication on the request initiator of the RPC request, and performing identity authentication on the enclave program by the request initiator of the RPC request.
16. An electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-9.
17. A non-transitory computer readable storage medium having stored thereon computer instructions for causing the computer to perform the method of any one of claims 1-9.
CN202111235230.2A 2021-10-22 2021-10-22 Application program starting method and device, electronic equipment and readable storage medium Active CN113703880B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111235230.2A CN113703880B (en) 2021-10-22 2021-10-22 Application program starting method and device, electronic equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN113703880A CN113703880A (en) 2021-11-26
CN113703880B true CN113703880B (en) 2022-02-22

Family

ID=78646814

Country Status (1)

Country Link
CN (1) CN113703880B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108108162A (en) * 2016-11-24 2018-06-01 腾讯科技(深圳)有限公司 Application programming interface generation method and device
CN113138797A (en) * 2020-01-20 2021-07-20 上海交通大学 Intel SGX-oriented program automatic transplanting system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9087200B2 (en) * 2009-12-22 2015-07-21 Intel Corporation Method and apparatus to provide secure application execution
US9058494B2 (en) * 2013-03-15 2015-06-16 Intel Corporation Method, apparatus, system, and computer readable medium to provide secure operation
CN110674474B (en) * 2019-09-19 2021-07-20 大唐高鸿信安(浙江)信息科技有限公司 Operation control method and device for application program
CN111858004A (en) * 2020-07-21 2020-10-30 中国人民解放军国防科技大学 TEE expansion-based real-time application dynamic loading method and system for computer security world

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Intel SGX Developer Reference (Part 4); Honglala; CSDN; 20200421; pp. 1-40 *
Those Things About Computers (5): Linking, Static Linking, Dynamic Linking; 楚权的世界; Baidu http://chuquan.me/2018/06/03/linking-static-linking -dynamic-linking/; 20180613; pp. 1-13 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant