CN115495777A - Data protection method and device, storage medium and electronic equipment - Google Patents

Publication number
CN115495777A
Authority
CN
China
Prior art keywords
program
data
code
user
application program
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211100611.4A
Other languages
Chinese (zh)
Inventor
郑旻
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202211100611.4A
Publication of CN115495777A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The specification discloses a data protection method and apparatus, a storage medium and an electronic device. A tangent plane program is injected into a business application program through a tangent plane base that is pre-deployed in the business application program. While the business application program is running, when it is detected that the program is about to execute specified code, the tangent plane program is called to obtain code information of the specified code and to analyze that information, in order to judge whether executing the specified code would call the user's private data. If so, the tangent plane program executes a preset instruction to stop execution of the specified code. In this way the tangent plane program can monitor in real time whether the business application program is about to call the user's private data, and can stop the business application program from calling that data illegally, so that the user's private data is protected from leakage.

Description

Data protection method and device, storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a data protection method and apparatus, a storage medium, and an electronic device.
Background
With the rapid development of internet technology, the security of users' private data is receiving increasing attention in every field. In the internet industry, while a user is using various kinds of application software, the software may need to acquire data related to the user, for example the user's current location.
In the prior art, in order to prevent application software from acquiring a user's private data illegally while the user is using it, privacy compliance detection is performed on each piece of application software before it goes online, to judge whether the application software calls the user's private data illegally.
However, this approach cannot monitor in real time, while the user is actually using the application software, whether the software calls the user's private data.
Disclosure of Invention
The present specification provides a data protection method and apparatus, so as to reduce the cost of security protection while improving security protection through a security tangent plane.
The technical scheme adopted by the specification is as follows:
The present specification provides a safety protection method, including:
injecting a tangent plane program into a business application program through a tangent plane base that is pre-deployed in the business application program, and running the tangent plane program;
when it is detected, while the business application program is running, that specified code is about to be executed, calling the tangent plane program to acquire code information of the specified code;
performing data analysis on the code information through the tangent plane program to judge whether executing the specified code would call private data of a user;
if so, executing a preset instruction through the tangent plane program to stop execution of the specified code.
Optionally, injecting the tangent plane program into the business application program through the tangent plane base pre-deployed in the business application program specifically includes:
determining, from the data call interfaces contained in the business application program, an interface used to call private data, as a designated interface;
determining a tangent point according to the position, in the business application program, of the calling program that calls the designated interface;
injecting the tangent plane program at the tangent point through the pre-deployed tangent plane base.
Optionally, detecting that the business application program is about to execute the specified code while running includes:
if the code about to be executed contains a pre-deployed detection point, determining that the business application program is about to execute the specified code.
Optionally, before executing the preset instruction through the tangent plane program to stop execution of the specified code, the method further includes:
determining through the tangent plane program, from the data call interfaces contained in the business application program, a data call interface for which the user has granted data calling permission, as a target interface;
executing the preset instruction through the tangent plane program to stop execution of the specified code specifically includes:
when it is determined that executing the specified code would call the private data of the user, judging whether the data call interface that the specified code uses to call the private data of the user is the target interface;
if not, executing the preset instruction through the tangent plane program to stop execution of the specified code.
Optionally, the method further includes:
if it is determined that the data call interface that the specified code uses to call the private data of the user is the target interface, executing the specified code and generating a private data call record for the specified code.
This specification provides a data protection apparatus comprising:
an injection module, configured to inject the tangent plane program into the business application program through a tangent plane base pre-deployed in the business application program, and to run the tangent plane program;
a monitoring module, configured to call the tangent plane program to acquire code information of the specified code when it is detected, while the business application program is running, that the specified code is about to be executed;
a data protection module, configured to perform data analysis on the code information through the tangent plane program to judge whether executing the specified code would call the private data of the user, and if so, to execute a preset instruction through the tangent plane program to stop execution of the specified code.
Optionally, the data protection module is specifically configured to determine through the tangent plane program, from the data call interfaces contained in the business application program, a data call interface for which the user has granted data calling permission, as a target interface; when it is determined that executing the specified code would call the private data of the user, to judge whether the data call interface that the specified code uses to call the private data of the user is the target interface; and if not, to execute the preset instruction through the tangent plane program to stop execution of the specified code.
Optionally, the data protection module is specifically configured to execute the specified code and generate a private data call record for the specified code if it is determined that the data call interface that the specified code uses to call the private data of the user is the target interface.
The present specification provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above-described data protection method.
The present specification provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the above-mentioned data protection method when executing the program.
The technical scheme adopted by the specification can achieve the following beneficial effects:
In the data protection method provided in this specification, a tangent plane program is injected into a business application program through a tangent plane base pre-deployed in the business application program. While the business application program is running, when it is detected that the program is about to execute specified code, the tangent plane program is called to obtain code information of the specified code and to analyze that information, in order to judge whether executing the specified code would call the user's private data. If so, the tangent plane program executes a preset instruction to stop execution of the specified code.
As can be seen from this method, the tangent plane program can monitor in real time whether the business application program is about to call the user's private data, and can stop the business application program from calling that data illegally, so that the user's private data is prevented from being leaked.
Drawings
The accompanying drawings, which are included to provide a further understanding of the specification and are incorporated in and constitute a part of this specification, illustrate embodiments of the specification and together with the description serve to explain the specification; they do not limit the specification. In the drawings:
Fig. 1 is a schematic flow chart of a data protection method in the present specification;
Fig. 2 is a schematic diagram of a data protection device provided herein;
Fig. 3 is a schematic diagram of an electronic device corresponding to Fig. 1 provided in the present specification.
Detailed Description
To make the objects, technical solutions and advantages of the present specification clearer and more complete, the technical solutions of the present specification will be described in detail and completely with reference to the specific embodiments of the present specification and the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present disclosure, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present specification without any creative effort belong to the protection scope of the present specification.
With the rapid development of the internet, the use of the internet has become very popular, and most commonly, users use various Applications (APPs) on electronic devices.
For an APP on a mobile terminal, the APP generally needs to request permissions on the user's mobile terminal while the user is using it, in order to better implement its various service functions. Specifically, when the APP pushes a message to the user, accesses a photo on the mobile terminal, or uses the camera of the mobile terminal on which it is installed, it must request authorization from the user. After the user agrees, the APP can call the relevant application programming interface to acquire the relevant data. The acquired data generally concerns the user's personal privacy and is the user's private data.
In order to ensure the security of the user's private data, the APP is usually checked before it goes online, to determine whether it would call the user's private data illegally while the user is using it. Here, an APP calling the user's private data illegally can be understood as the APP still obtaining the relevant data when the user has not authorized the relevant application programming interface.
In the prior art, a method of statically scanning or dynamically scanning the program code of an APP is generally adopted to determine whether the APP may call the user's private data illegally.
In static scanning, before the APP is released, pseudo code of the APP is determined from the services the APP executes, and that pseudo code is checked for code related to illegally calling the user's private data. However, static scanning cannot truly reflect the operations a user actually performs when using the APP: even if the APP contains program code related to calling the user's private data, this does not prove that the APP will execute that call while the user is using it. The method is therefore inaccurate and prone to a large number of false alarms, and it cannot monitor the APP's calling behavior in real time while the user is using the APP.
In dynamic scanning, before the APP is released, a user's use of the APP is simulated, that is, the APP is run in simulation, and the APP is monitored for illegal calls to the user's private data. However, the scenarios that can be triggered in a test environment are limited, so the method cannot cover all the operating environments and service scenarios of online operation, and it cannot provide real-time monitoring either.
Based on this, the data protection method provided in this specification injects a tangent plane program into the business application program (the program code of the APP) by means of a security tangent plane, so as to monitor in real time whether the APP calls the user's private data illegally.
The security tangent plane mentioned above refers to a method that uses Aspect-oriented Programming (AOP) to dynamically add or modify, within the running logic of the business application program, a tangent plane program that implements a security tangent plane service, without modifying the business application program itself. In AOP terms, the security tangent plane is a security aspect. This decouples the program that implements the security tangent plane service from the business application program, thereby avoiding the development iteration problems caused by high coupling.
The tangent plane program (the aspect, in AOP terms) is an enhancement program that implements the security tangent plane service on top of the business running logic. Using aspect-oriented programming, the tangent plane program can be injected at the corresponding tangent point (the pointcut, in AOP terms) of the business application program, and it is triggered and executed as the business application program executes, thereby realizing the required security tangent plane service function.
When a business application program executes a service, it generally does so through calls between methods. Therefore, any method in the business application program can serve as the entry point of the tangent plane program, that is, the tangent point, and the tangent plane program is injected at the corresponding tangent point. When execution of the business application program reaches the tangent point, that is, when the method of the business application program corresponding to the tangent point is called, the tangent plane program injected at that tangent point is executed.
The code responsible for injecting the tangent plane program at the tangent point is generally highly reusable, so the program that implements this process is usually abstracted into one service module, namely the tangent plane base. The tangent plane base can obtain the tangent plane program to be deployed, and the tangent points in the business application program, from a third party providing the security tangent plane service, and inject the corresponding tangent plane program at the tangent points of the business application program after the application container is started.
The business application may be a business application that provides business services in a server of the business platform. The service may be a service provided by a server of the service platform to a user, such as an inquiry service, a payment service, and the like. The service may also be a service provided by a server of the service platform to another server, such as a settlement service.
As can be seen from the above description, in order to decouple the program of the security tangent plane service from the business application program, this specification uses aspect-oriented programming so that the two are interleaved during service execution yet remain parallel to each other and can be maintained independently. Therefore, separately from the service provider of the business application program, a third party providing the security tangent plane service can manage content related to that service through a management and control platform, for example configuring the management and control policy of the security tangent plane service, iterating versions of the tangent plane program, and configuring the deployment rules of the tangent plane program. Of course, the security tangent plane service may be provided either by a third party or by the service provider.
After the tangent plane program is injected into the tangent point of the service application program, the service application program can trigger the tangent plane program in the execution process so as to realize the corresponding safe tangent plane service function.
The technical solutions provided by the embodiments of the present description are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flow diagram of a data protection method in this specification, which specifically includes the following steps:
S100: Inject the tangent plane program into the business application program through the tangent plane base pre-deployed in the business application program, and run the tangent plane program.
The execution main body of the data protection method provided in this specification may be a terminal device, such as a mobile phone, a notebook computer, or the like, or may be a separate monitoring system as the execution main body, which is not limited in this specification. For convenience of description, the following description will be made only by taking the execution subject as a terminal device as an example.
First, the core idea of the data protection method provided in this specification is to inject, into the business program code of the APP to be monitored, a tangent plane program that adds detection of private-data calling logic. While the user is using the APP, if the tangent plane program is triggered, it can detect whether the call to the user's private data that the APP is about to make is compliant. If it is, the tangent plane program records the call; if it is not, the tangent plane program controls the call so that the APP cannot carry it out and therefore cannot call the user's private data.
In an embodiment of the present specification, after a user downloads an APP to a terminal device, the terminal device may deploy a tangent plane base in the business application program corresponding to the APP and inject the tangent plane program into the business application program through that tangent plane base. The tangent plane program is enhancement logic code that monitors in real time, while the APP is in use, whether code calling the user's private data is about to be executed.
Specifically, the business application program may determine, according to a preset injection rule, the tangent points within itself at which the tangent plane program is to be injected, and inject the tangent plane program at each tangent point through the tangent plane base.
In one embodiment of the present specification, the tangent plane base deployed in the business application program may determine each data call interface contained in the business application program and, from these, determine the data call interfaces used to call private data as designated interfaces. A tangent point is then determined according to the position, in the business application program, of the calling program that calls each designated interface, and the tangent plane program is injected into the business application program through the tangent plane base.
Therefore, after the tangent plane program has been injected into the business application program, when the user uses the APP again, the tangent plane program can monitor in real time whether the user's private data is called while the business application program executes its services.
S102: When it is detected, while the business application program is running, that the specified code is about to be executed, call the tangent plane program to obtain the code information of the specified code.
S104: Perform data analysis on the code information through the tangent plane program to judge whether executing the specified code would call the user's private data, and if so, execute S106.
In an embodiment of this specification, the tangent plane program need not be injected at every tangent point; instead, a single tangent plane program may be deployed. Each tangent point corresponds to specified code, and when the business application program runs to a tangent point, that tangent point is triggered. The tangent plane program can detect that the tangent point has been triggered, determine the code information of the specified code corresponding to the triggered tangent point, and analyze that code information to judge whether the triggered tangent point involves calling the user's private data, that is, whether executing the specified code would call the user's private data.
In an embodiment of this specification, the data analysis works as follows: the tangent plane program analyzes the code information to determine the code type to which it belongs, and judges whether that code type is a preset specified code type. If so, it is determined that executing the specified code would call the user's private data; if not, it is determined that executing the specified code would not call the user's private data.
The specified code type mentioned above may refer to code that has a data calling function. Therefore, when the code type to which the code information belongs is determined to be the specified code type, the data source of the data called when the specified code executes may be further determined (the data source indicates where the called data comes from). If the data source is one that records user private data, it is determined that the specified code will call the user's private data; otherwise, it is determined that the specified code will not call the user's private data.
S106: Execute a preset instruction through the tangent plane program to stop execution of the specified code.
In actual operation, if the user has granted calling permission for the private data being called, the business application program's call to the user's private data is not in fact an illegal call. If the user has not granted calling permission and the business application program still calls the user's private data, the call is illegal. The data protection method provided in this specification uses the tangent plane program to monitor for such illegal calls to the user's private data and to stop the business application program from carrying them out.
Based on the above, in this embodiment of the present specification, the tangent plane program may determine, from the data call interfaces contained in the business application program, the data call interfaces for which the user has granted data calling permission, as target interfaces. The tangent plane program can determine the return value corresponding to each data call interface through the operating system of the terminal device where the business application program is located, and thereby determine the authorization state of each data call interface. For each data call interface, when its return value is within a specified threshold, the data call interface is determined to be a target interface, which indicates that the user allows the business application program to call the user's private data through it.
When the specified code calls the user's private data, the tangent plane program can judge whether the data call interface used is a target interface. If so, the user allows the business application program to call the user's private data through that data call interface, and the tangent plane program lets the business application program continue executing the specified code and generates a private data call record for the specified code. The private data call record includes at least the identification information of the user, the identification information of the terminal device where the business application program is located, call stack information, the call time, and the service module that actually performed the call; other information may also be recorded according to actual service requirements, which is not limited in this specification.
If not, the user has prohibited the business application program from calling the user's private data through that data call interface, so the tangent plane program executes the preset instruction to stop the business application program from executing the specified code, and the business application program is prevented from calling the user's private data. When the tangent plane program determines that the data call interface used to call the user's private data is not a target interface, it can perform a return operation based on a return function, so that the business application program cannot execute the specified code or the subsequent calling program that calls the user's private data.
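The S100 to S106 flow above, as an added Python example that is not code from the patent: `AspectBase` plays the tangent plane base and `PrivacyAspect` the tangent plane program. All class names, the interface table, the permission return values and the identifiers are constructed assumptions.

```python
import time
import traceback
from dataclasses import dataclass
from functools import wraps

# Constructed sample data; every name and value below is hypothetical.
PRIVATE_SOURCES = {"location", "contacts"}  # data sources that hold user private data
GRANTED_VALUES = {1}                        # OS return values treated as "granted"
INTERFACES = {                              # code information per data call interface
    "read_location": {"code_type": "data_call", "data_source": "location", "module": "maps"},
    "read_contacts": {"code_type": "data_call", "data_source": "contacts", "module": "social"},
    "read_theme": {"code_type": "data_call", "data_source": "app_config", "module": "ui"},
}


@dataclass
class CallRecord:
    user_id: str
    device_id: str
    interface: str
    module: str
    call_time: float
    call_stack: list


class PrivacyAspect:
    """The tangent plane program: analyzes code information, then records or blocks."""
    def __init__(self, os_return_values, user_id, device_id):
        self.os_return_values = os_return_values  # stand-in for the OS permission query
        self.user_id, self.device_id = user_id, device_id
        self.records, self.blocked = [], []

    def calls_private_data(self, info):
        # Data analysis: code type first, then where the called data comes from.
        return info["code_type"] == "data_call" and info["data_source"] in PRIVATE_SOURCES

    def is_target_interface(self, name):
        # A target interface is one whose return value says the user granted access.
        return self.os_return_values.get(name, 0) in GRANTED_VALUES

    def around(self, name, info, proceed):
        if not self.calls_private_data(info):
            return proceed()
        if not self.is_target_interface(name):
            self.blocked.append(name)
            return None  # return operation: the specified code never runs
        self.records.append(CallRecord(
            self.user_id, self.device_id, name, info["module"],
            time.time(), traceback.format_stack(limit=4)))
        return proceed()


class AspectBase:
    """The tangent plane base: injects the aspect at each tangent point."""
    def __init__(self, aspect):
        self.aspect = aspect

    def inject(self, app, interfaces):
        for name, info in interfaces.items():
            setattr(app, name, self._weave(name, info, getattr(app, name)))

    def _weave(self, name, info, original):
        @wraps(original)
        def woven(*args, **kwargs):
            return self.aspect.around(name, info, lambda: original(*args, **kwargs))
        return woven


class BusinessApp:
    """Constructed business application; raw_calls lists the bodies that really ran."""
    def __init__(self):
        self.raw_calls = []

    def _run(self, name, value):
        self.raw_calls.append(name)
        return value

    def read_location(self):
        return self._run("read_location", (30.27, 120.15))

    def read_contacts(self):
        return self._run("read_contacts", ["alice", "bob"])

    def read_theme(self):
        return self._run("read_theme", "dark")


def demo():
    os_return_values = {"read_location": 1, "read_contacts": 0}  # contacts not granted
    aspect = PrivacyAspect(os_return_values, "user-001", "device-abc")
    app = BusinessApp()
    AspectBase(aspect).inject(app, INTERFACES)
    results = {name: getattr(app, name)() for name in INTERFACES}
    return results, aspect, app


if __name__ == "__main__":
    print(demo()[0])
```

The ungranted `read_contacts` call returns without its body running, while the granted `read_location` call proceeds and leaves a call record.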
In the data protection method shown in Fig. 1, the tangent plane program is injected into the business application program through the tangent plane base pre-deployed in the business application program. While the business application program is running, when it is detected that the program is about to execute the specified code, the tangent plane program is called to obtain code information of the specified code and to analyze that information, in order to judge whether executing the specified code would call the user's private data. If so, the tangent plane program executes a preset instruction to stop execution of the specified code.
As can be seen from this method, the tangent plane program can monitor in real time whether the business application program is about to call the user's private data, and can stop the business application program from calling that data illegally, so that the user's private data is prevented from being leaked.
Furthermore, each time the APP is started, the tangent plane program injected into the business application program of the APP can start together with the APP and record the business application program's current private data authorization state. Specifically, the tangent plane program can obtain the return value of each data call interface through the operating system on which the APP runs, determine the authorization state of each data call interface from its return value, and record that state. The tangent plane program can record the authorization state of each data call interface by taking a snapshot of the return value of each data call interface. To record the authorization state of each data call interface, the tangent plane program may record the identification information of the user, the identification information of the terminal device where the APP is located, and the return value of each data call interface; other information may also be included, which is not limited in this specification.
In this embodiment of the present specification, injecting a tangent plane program into a service application program may be implemented by installing a configuration file on a terminal device. Taking the terminal device as the mobile device as an example, the SDK for injecting the tangent plane program may be installed on the mobile device, and then the tangent plane program may be injected into the service application program through the SDK.
In this embodiment of the present specification, the number of the tangent plane programs injected into the service application program may be one or multiple, which is not limited in this specification. When the number of the section programs is multiple, the same section program can be respectively injected into each section point. When the number of the tangent plane programs is one, detection points may be deployed at the calling program corresponding to each data calling interface based on a preset deployment rule, so that when the service application program executes a code corresponding to the detection points, the tangent plane program may determine that the service application program is to execute an execution code, and perform the operations of steps S104 to S108.
Furthermore, the data protection method provided by the present specification can detect the private data of the user invoked by the service application program through the tangent plane program, and has traceability. In this embodiment of the present specification, the tangent plane program may monitor an authorized operation of a user on each data interface, and in an actual operation, before the business application program calls the private data of the user, the business application program may display an authorized page to the user to inquire whether the user authorizes the APP to use the data call interface to call the private data corresponding to the data call interface.
Responding to the permission operation executed by the user on the authorization page, indicating that the data call interface is authorized, recording the time of the user for executing the permission operation, the data call interface granted with the call authority, the user identification, the device identification of the terminal device where the APP is located and other information by the tangent plane program, storing the information to the local, determining that the data call interface is a target interface, and then allowing the service application program to execute subsequent operation and generating a call record if the service application program calls the privacy data of the user through the data call interface.
Responding to the refusing operation executed by the user on the authorization page, indicating that the data calling interface is not authorized, similarly, recording the time of the refusing operation executed by the user, the information of the data calling interface, the user identification, the equipment identification of the terminal equipment where the APP is located and the like by the tangent plane program, and storing the information to the local. And if the service application program calls the privacy data of the user through the data call interface, the section program can execute a preset instruction to stop the call behavior.
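The flow described above (start-up snapshot, grant and refusal records, and the allow-and-record or stop decision at a detection point) can be modelled as follows. This is an added example, not code from the patent or from any SDK: the class and function names are hypothetical, a Python decorator stands in for injection at a tangent point, and the "granted"/"denied" return values and sample data are constructed.

```python
import time
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable


class PrivacyCallBlocked(PermissionError):
    """Stands in for the 'preset instruction' that stops the specified code."""


@dataclass
class AspectProgram:
    """Hypothetical model of the tangent plane program."""
    user_id: str
    device_id: str
    designated: frozenset                              # interfaces that return private data
    clock: Callable[[], float] = time.time
    auth_state: dict = field(default_factory=dict)     # interface -> True/False
    auth_events: list = field(default_factory=list)    # snapshot + grant/deny history
    call_records: list = field(default_factory=list)   # allowed private-data calls
    blocked: list = field(default_factory=list)        # stopped call attempts

    def _event(self, kind, interface, **extra):
        return {"kind": kind, "time": self.clock(), "user": self.user_id,
                "device": self.device_id, "interface": interface, **extra}

    def snapshot(self, return_values):
        """At start-up, record each interface's return value as its authorization state."""
        for interface, value in return_values.items():
            self.auth_state[interface] = (value == "granted")  # assumed encoding
            self.auth_events.append(self._event("snapshot", interface, value=value))

    def on_user_decision(self, interface, granted):
        """Record the user's choice on the authorization page."""
        self.auth_state[interface] = granted
        self.auth_events.append(self._event("grant" if granted else "deny", interface))

    def detection_point(self, interface):
        """Wrap a calling program so the aspect runs before the specified code."""
        def decorate(fn):
            @wraps(fn)
            def wrapper(*args, **kwargs):
                code_info = {"caller": fn.__qualname__}
                if interface not in self.designated:
                    return fn(*args, **kwargs)       # no private data involved
                # Default deny: an interface with no recorded grant is not a target.
                if not self.auth_state.get(interface, False):
                    self.blocked.append(self._event("blocked", interface, **code_info))
                    raise PrivacyCallBlocked(f"{interface} is not a target interface")
                result = fn(*args, **kwargs)
                self.call_records.append(self._event("call", interface, **code_info))
                return result
            return wrapper
        return decorate


def build_demo():
    """Constructed sample app: two private interfaces and one non-private one."""
    aspect = AspectProgram("user-001", "device-001",
                           designated=frozenset({"location", "contacts"}),
                           clock=lambda: 1700000000.0)
    aspect.snapshot({"location": "granted", "contacts": "denied"})

    @aspect.detection_point("location")
    def read_location():
        return (30.27, 120.15)

    @aspect.detection_point("contacts")
    def read_contacts():
        return ["alice", "bob"]

    @aspect.detection_point("theme")
    def read_theme():
        return "dark"

    return aspect, read_contacts, read_location, read_theme


if __name__ == "__main__":
    aspect, read_contacts, read_location, read_theme = build_demo()
    print(read_location(), read_theme())
    try:
        read_contacts()
    except PrivacyCallBlocked as exc:
        print("stopped:", exc)
    print(aspect.blocked, aspect.call_records, sep="\n")
```

Every stopped attempt and every allowed call carries the user identifier, device identifier and time, which is what makes the calls traceable afterwards.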
Based on the same idea as the data protection method provided in one or more embodiments above, this specification further provides a corresponding data protection device, as shown in Fig. 2.
Fig. 2 is a schematic diagram of a data protection apparatus provided in this specification, which specifically includes:
an injection module 201, a monitoring module 202, and a data protection module 203, wherein:
the injection module 201 is configured to inject a tangent plane program into a business application program through a tangent plane base pre-deployed in the business application program, and to run the tangent plane program;
the monitoring module 202 is configured to call the tangent plane program to obtain code information of a specified code when it is monitored that the specified code is to be executed while the business application program is running;
the data protection module 203 is configured to perform data analysis on the code information through the tangent plane program to determine whether executing the specified code will call the private data of the user and, if so, to execute a preset instruction through the tangent plane program to stop executing the specified code.
Optionally, the injection module 201 is further configured to determine, from among data call interfaces included in the service application program, an interface used for calling private data as a designated interface; determining a tangent point according to the position of a calling program calling the specified interface in the service application program; injecting the tangent program into the tangent point through a pre-deployed tangent base.
Optionally, the monitoring module 202 is specifically configured to determine that the specified code is to be executed in the running process of the service application program if it is determined that the code to be executed includes a pre-deployed detection point.
Optionally, the data protection module 203 is further configured to determine, from the data call interfaces included in the service application program, a data call interface to which the user has granted data call permission as a target interface. The data protection module 203 is specifically configured to, when it is determined that executing the designated code will call the private data of the user, determine whether the data call interface used by the designated code to call the private data of the user is the target interface and, if not, execute a preset instruction through the tangent plane program to stop executing the designated code.
Optionally, the data protection module 203 is further configured to, if it is determined that a data call interface used by the designated code to call the private data of the user is the target interface, execute the designated code, and generate a private data call record of the designated code.
It should be noted that all actions of acquiring signals, information or data in the present application are performed under the premise of complying with the corresponding data protection regulation policy of the country of the location and obtaining the authorization given by the owner of the corresponding device.
The present specification also provides a computer-readable storage medium storing a computer program, which can be used to execute the security protection method provided in fig. 1.
This specification also provides a schematic block diagram of the electronic device shown in fig. 3. As shown in fig. 3, at the hardware level, the electronic device includes a processor, an internal bus, a network interface, a memory, and a non-volatile memory, and may also include hardware required for other services. The processor reads the corresponding computer program from the non-volatile memory into the memory and then runs the computer program to implement the security protection method described in fig. 1. Of course, besides the software implementation, the present specification does not exclude other implementations, such as logic devices or a combination of software and hardware, and the like, that is, the execution subject of the following processing flow is not limited to each logic unit, and may be hardware or logic devices.
In the 1990s, an improvement to a technology could be clearly distinguished as either an improvement in hardware (e.g., an improvement to a circuit structure such as a diode, transistor, or switch) or an improvement in software (an improvement to a process flow). However, as technology advances, many of today's process flow improvements can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement to a process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer programs a digital system onto a single PLD to "integrate" it, without asking a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, nowadays, instead of manually making integrated circuit chips, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code to be compiled must be written in a specific programming language called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) is among the most commonly used at present.
It will also be apparent to those skilled in the art that a hardware circuit implementing a logical method flow can readily be obtained merely by programming the method flow in one of the hardware description languages described above and programming it into an integrated circuit.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely as computer-readable program code, the same functionality can be achieved by logically programming the method steps so that the controller takes the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers, and the like. Such a controller may thus be considered a hardware component, and the means included in it for performing the various functions may also be considered structures within the hardware component. Indeed, the means for performing the functions may be regarded both as software modules implementing the method and as structures within the hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more pieces of software and/or hardware in the practice of this description.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM), and/or non-volatile memory such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus comprising the element.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
This description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the system embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and reference may be made to the partial description of the method embodiment for relevant points.
The above description is only an example of the present specification, and is not intended to limit the present specification. Various modifications and alterations to this description will become apparent to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of the present specification should be included in the scope of the claims of the present specification.

Claims (10)

1. A method of data protection, comprising:
injecting a tangent plane program into a business application program through a tangent plane base which is pre-deployed in the business application program, and running the tangent plane program;
when it is monitored that a specified code is to be executed in the running process of the business application program, calling the tangent plane program to acquire the code information of the specified code;
performing data analysis on the code information through the tangent plane program to judge whether private data of a user will be called when the specified code is executed;
if yes, executing a preset instruction through the tangent plane program to stop executing the specified code.
2. The method according to claim 1, wherein injecting the tangent plane program into the business application program through a tangent plane base pre-deployed in the business application program specifically comprises:
determining an interface for calling private data from all data calling interfaces contained in the service application program as a designated interface;
determining a tangent point according to the position of a calling program calling the designated interface in the service application program;
injecting the tangent program into the tangent point through a pre-deployed tangent base.
3. The method according to claim 1, wherein monitoring that the specified code is to be executed in the operation process of the business application program specifically comprises:
if the code to be executed contains a pre-deployed detection point, determining that it is monitored that the specified code is to be executed in the running process of the business application program.
4. The method of claim 1, before executing a preset instruction to stop executing the designated code by the tangent program, the method further comprising:
determining a data calling interface of the data calling authority granted by the user from all data calling interfaces contained in the service application program through the tangent plane program as a target interface;
executing a preset instruction through the tangent plane program to stop executing the specified code, specifically comprising:
when the specified code is determined to be executed to call the private data of the user, judging whether a data call interface used by the specified code to call the private data of the user is the target interface;
if not, executing a preset instruction through the tangent plane program to stop executing the designated code.
5. The method of claim 4, further comprising:
if it is determined that the data call interface used by the specified code to call the private data of the user is the target interface, executing the specified code and generating a private data call record of the specified code.
6. A data protection device, comprising:
an injection module, configured to inject a tangent plane program into a business application program through a tangent plane base which is pre-deployed in the business application program, and to run the tangent plane program;
a monitoring module, configured to call the tangent plane program to acquire code information of a specified code when it is monitored that the specified code is to be executed in the running process of the business application program;
a data protection module, configured to perform data analysis on the code information through the tangent plane program to judge whether the private data of a user will be called when the specified code is executed, and if yes, to execute a preset instruction through the tangent plane program to stop executing the specified code.
7. The apparatus according to claim 6, wherein the data protection module is specifically configured to determine, as a target interface, a data call interface to which the user grants a data call permission from among data call interfaces included in the service application program through the tangent plane program; when the specified code is determined to be executed to call the private data of the user, judging whether a data call interface used by the specified code to call the private data of the user is the target interface; if not, executing a preset instruction through the tangent plane program to stop executing the designated code.
8. The apparatus according to claim 6, wherein the data protection module is specifically configured to, if it is determined that the data call interface used by the designated code to call the private data of the user is the target interface, execute the designated code, and generate a private data call record of the designated code.
9. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method of any one of the preceding claims 1 to 5.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any of the preceding claims 1 to 5 when executing the program.
CN202211100611.4A 2022-09-08 2022-09-08 Data protection method and device, storage medium and electronic equipment Pending CN115495777A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211100611.4A CN115495777A (en) 2022-09-08 2022-09-08 Data protection method and device, storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211100611.4A CN115495777A (en) 2022-09-08 2022-09-08 Data protection method and device, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN115495777A true CN115495777A (en) 2022-12-20

Family

ID=84468118

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211100611.4A Pending CN115495777A (en) 2022-09-08 2022-09-08 Data protection method and device, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN115495777A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115904365A (en) * 2023-02-14 2023-04-04 支付宝(杭州)信息技术有限公司 Interface resource identification method, device, equipment and readable storage medium

Similar Documents

Publication Publication Date Title
KR102546601B1 (en) Method and apparatus for protecting kernel control-flow integrity using static binary instrumentaiton
Yang et al. IntentFuzzer: detecting capability leaks of android applications
WO2015124018A1 (en) Method and apparatus for application access based on intelligent terminal device
EP3089068A1 (en) Application program management method, device, terminal, and computer storage medium
CN108763951B (en) Data protection method and device
CN115378735B (en) Data processing method and device, storage medium and electronic equipment
CN110889691B (en) Information display method, device and equipment
CN103218552B (en) Based on method for managing security and the device of user behavior
CN115374481B (en) Data desensitization processing method and device, storage medium and electronic equipment
CN115185534A (en) Data desensitization method and device, readable storage medium and electronic equipment
CN110727941A (en) Private data protection method and device, terminal equipment and storage medium
CN114546639B (en) Service call processing method and device
CN115357940A (en) Data processing method and device, storage medium and electronic equipment
CN115185605A (en) Service execution method, device, storage medium and electronic equipment
CN115495777A (en) Data protection method and device, storage medium and electronic equipment
CN112948824B (en) Program communication method, device and equipment based on privacy protection
CN111460428A (en) Authority management method and device of android system and readable medium
CN114547569A (en) Account login processing method and device
CN115495343A (en) Safety maintenance method and device, storage medium and electronic equipment
JP6798669B2 (en) Methods and devices for hiding user information contained in applications
CN116956272A (en) Authority calling monitoring method and device and electronic equipment
Jain Android security: Permission based attacks
Gasparis et al. Figment: Fine-grained permission management for mobile apps
Paul et al. Achieving optional Android permissions without operating system modifications
CN112926049A (en) Information risk prevention and control method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination