CN116090013A - Dynamic configuration method and device for application file access credentials


Info

Publication number
CN116090013A
Authority
CN
China
Prior art keywords
target
file
application
instruction
access
Prior art date
Legal status
Pending
Application number
CN202310207342.XA
Other languages
Chinese (zh)
Inventor
龚强
杨海涛
史晓婧
赵洪岩
曾明
高原
谢坚
Current Assignee
Shenzhen Zhuyun Technology Co ltd
Original Assignee
Shenzhen Zhuyun Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The present invention relates to the field of application security management, and in particular to a method, an apparatus, a computer device, a storage medium and a computer program product for dynamically configuring an application file access credential. The method comprises the following steps: monitoring system instructions sent by a target application, where a system instruction points to a system file and the target file is configured within the system files; screening out, from the system instructions, the target system instruction that points to the target file, and obtaining a dynamic access credential returned by a password access system in response to the target system instruction, where the password access system manages the dynamic access credentials; accessing the target file based on the target system instruction and replacing the access credential in the target file with the dynamic access credential to obtain a reconstructed target file; and responding to the target system instruction sent by the target application with the reconstructed target file. The method eliminates the security risk of hard-coding privileged account information in configuration files and improves the security of application system files.

Description

Dynamic configuration method and device for application file access credentials
Technical Field
The present invention relates to the field of application security management technologies, and in particular, to a method, an apparatus, a computer device, a storage medium, and a computer program product for dynamically configuring an application file access credential.
Background
Privileged accounts refer to the various accounts with elevated rights distributed across an IT environment, such as the root account on UNIX, the Administrator account on Windows and database administration accounts, and may also include business application accounts. These accounts are typically used by IT and communications teams to set up IT infrastructure, install new hardware and software, run critical services and perform maintenance. In addition, privileged accounts may have access to the master keys of an organization's critical IT assets and the sensitive information stored in them, to the underlying system accounts of the IT infrastructure and to accounts embedded in applications, among others.
Hard coding refers to the software development practice of embedding data directly in the source code of a program or other executable object, as opposed to obtaining the data from outside or generating it at runtime. Hard-coded data can typically be modified only by editing the source code and recompiling the executable. Hard-coded data is therefore normally used for relatively invariant information such as physical constants, version numbers and static text. Because privileged accounts are likewise seldom changed, privileged account information is often stored in an application's configuration file, typically by hard coding. However, even though it is the last line of defence for the data, the privileged account password then stays unchanged for a long time; it is easily leaked and can then be used as a back door into the system, allowing an attacker to enter the application's internal network directly by technical means, which is a serious security risk.
Currently, to address the security risk of storing privileged account information statically in a configuration file for long periods, a privileged account management system is commonly deployed: the application dynamically obtains a password from the privileged account management system by calling an API and writes the new password into the configuration file.
However, the current method of configuring privileged account information has the following technical problem:
the passwords provided by the privileged account management system are still stored in the configuration file in hard-coded form, and the application still has to obtain the password by reading the configuration file, so security remains low.
Disclosure of Invention
Based on this, it is necessary to provide a method, device, computer device, computer-readable storage medium and computer program product for dynamically configuring application file access credentials that can eliminate the security risk of hard-coding privileged account information in the configuration file and improve the security of application system files.
In a first aspect, the present application provides a method for dynamically configuring an application file access credential. The method comprises the following steps:
monitoring system instructions sent by a target application, where a system instruction points to a system file and the target file is configured within the system files;
screening out, from the system instructions, the target system instruction that points to the target file, and obtaining a dynamic access credential returned by a password access system in response to the target system instruction, where the password access system is used to generate the dynamic access credential;
accessing the target file based on the target system instruction and replacing the access credential in the target file with the dynamic access credential to obtain a reconstructed target file, where the content of the reconstructed target file is a program memory variable that is returned dynamically;
and responding to the target system instruction sent by the target application with the reconstructed target file.
In one embodiment, before monitoring the system instructions sent by the target application, the method further includes:
creating an application management account for the target application in the password access system, authorizing the application management account, and generating the access credential;
and replacing the original hard-coded credential in the configuration file of the target application with the access credential.
In one embodiment, before obtaining the dynamic access credential returned by the password access system based on the target system instruction, the method further includes:
obtaining application verification information corresponding to the target application based on the target system instruction;
and verifying the application verification information against the application management account in the password access system.
In one embodiment, screening out the target system instruction that points to the target file and obtaining the dynamic access credential returned by the password access system based on the target system instruction, where the password access system is configured to generate the dynamic access credential, includes:
analyzing the system instruction to obtain the system function table pointer contained in the system kernel of the target application;
and modifying the address pointed to by the target function pointer corresponding to the target system instruction to the address of the credential-fetching function in the password access system.
In one embodiment, obtaining the dynamic access credential returned by the password access system based on the target system instruction includes:
calling the password access system through a standard application interface and/or a plug-in interface.
In one embodiment, the method further comprises:
executing a first system instruction other than the target system instruction, and returning a conventional system file to the target application in response to the first system instruction.
In a second aspect, the application further provides a device for dynamically configuring application file access credentials. The device comprises:
an instruction monitoring module for monitoring system instructions sent by a target application, where a system instruction points to a system file and a target file is configured within the system files;
a credential acquisition module for screening out, from the system instructions, the target system instruction that points to the target file, and obtaining a dynamic access credential returned by a password access system in response to the target system instruction, where the password access system is used to generate the dynamic access credential;
a credential replacement module for accessing the target file based on the target system instruction and replacing the access credential in the target file with the dynamic access credential to obtain a reconstructed target file, where the content of the reconstructed target file is a program memory variable that is returned dynamically;
and a dynamic response module for responding to the target system instruction sent by the target application with the reconstructed target file.
In one embodiment, the device further includes, before the instruction monitoring module:
an application authorization module for creating an application management account for the target application in the password access system, authorizing the application management account and generating the access credential;
and a hard-coded credential replacement module for replacing the original hard-coded credential in the configuration file of the target application with the access credential.
In one embodiment, the device further includes, before the credential acquisition module:
a verification information acquisition module for obtaining application verification information corresponding to the target application based on the target system instruction;
and a verification information checking module for verifying the application verification information against the application management account in the password access system.
In one embodiment, the credential acquisition module comprises:
a kernel function pointer module for analyzing the system instruction to obtain the system function table pointer contained in the system kernel of the target application;
and a function pointer redirection module for modifying the address pointed to by the target function pointer corresponding to the target system instruction to the address of the credential-fetching function in the password access system.
In one embodiment, the credential acquisition module comprises:
an interface calling module for calling the password access system through a standard application interface and/or a plug-in interface.
In one embodiment, the device further comprises:
a conventional instruction processing module for executing a first system instruction other than the target system instruction and returning a conventional system file to the target application in response to the first system instruction.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory and a processor, where the memory stores a computer program and the processor, when executing the computer program, implements the method for dynamically configuring an application file access credential according to any embodiment of the first aspect.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements a method for dynamically configuring application file access credentials according to any of the embodiments of the first aspect.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which when executed by a processor implements a method for dynamically configuring application file access credentials according to any of the embodiments of the first aspect.
The above method, device, computer device, storage medium and computer program product for dynamically configuring an application file access credential achieve the following beneficial effects through the technical features described in the claims:
After the application is started, the system instructions it sends to the system are monitored, so the target system instruction that needs to read the access credential can be identified and intercepted. After interception, the target system instruction is redirected to the password access system, a dynamic access credential is obtained from the password access system, the target file in the system files is accessed according to the target system instruction, the dynamic access credential is substituted into the target file, and the reconstructed target file is returned to the target application. The content of the reconstructed file is a dynamically returned program memory variable, so nothing on disk changes and the credential is better protected. As a result, the original access or start-up flow of the target application is unaffected, yet the hard-coded content in the system file is eliminated when the access credential is called and the dynamic access credential is used for access verification. The credential is thus supplied transparently to the party that needs it, the normal processing flow of the target application is preserved, and the security of the application system is improved.
Drawings
FIG. 1 is an application environment diagram of a dynamic configuration method for application file access credentials in one embodiment;
FIG. 2 is a schematic diagram of a first process of a dynamic configuration method of application file access credentials in one embodiment;
FIG. 3 is a schematic diagram of a cryptographic flow of a dynamic configuration method for application file access credentials in one embodiment;
FIG. 4 is a second flow diagram of a dynamic configuration method for application file access credentials in one embodiment;
FIG. 5 is a third flow diagram of a dynamic configuration method for application file access credentials in one embodiment;
FIG. 6 is a fourth flowchart of a method for dynamically configuring application file access credentials in one embodiment;
FIG. 7 is a fifth flowchart of a method for dynamically configuring access credentials of an application file according to one embodiment;
FIG. 8 is a sixth flowchart of a method for dynamically configuring access credentials of an application file according to one embodiment;
FIG. 9 is a block diagram of an apparatus for dynamically configuring application file access credentials in one embodiment;
FIG. 10 is an internal structure diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
Privileged accounts refer to the various accounts with elevated rights distributed across an IT environment, such as the root account on UNIX, the Administrator account on Windows and database administration accounts, and may also include business application accounts. These accounts are typically used by IT and communications teams to set up IT infrastructure, install new hardware and software, run critical services and perform maintenance. In addition, privileged accounts may have access to the master keys of an organization's critical IT assets and the sensitive information stored in them, to the underlying system accounts of the IT infrastructure and to accounts embedded in applications, among others. Because privileged accounts are seldom changed, privileged account information is typically stored in the application's configuration file in hard-coded form. However, even though it is the last line of defence for system data, the privileged account password then stays unchanged for a long time; it is easily leaked and can then be used as a back door into the system, allowing an attacker to enter the application's internal network directly by technical means, which is a serious security risk.
Currently, in the common process for storing privileged account information, the information is kept in a configuration file, and the application periodically obtains a newly generated password from the privileged account management system by calling an API and replaces the original password in the configuration file with it. However, the updated password is still stored in the configuration file in hard-coded form, and there is still a risk of password leakage during the update interval.
Against this background, the method for dynamically configuring application file access credentials provided in the embodiments of the present application may be applied in an application environment as shown in FIG. 1. The system monitoring server communicates with the application and with the system file server through the system file interface. The password access system provides access credential management and similar services; it can be integrated into the system monitoring server or placed in the cloud or on another network server. Specifically, the system monitoring server monitors the instructions sent by the web application to the system file server and performs the corresponding processing according to the monitoring result. The system monitoring server also communicates with the password access system in order to call its dynamic access credential service.
The system monitoring server and the system file server may each be implemented as an independent server or as a server cluster made up of several servers.
In one embodiment, as shown in FIG. 2, a method for dynamically configuring application file access credentials is provided. It is described as applied to the system monitoring server in FIG. 1 and includes the following steps:
Step 202: monitoring system instructions issued by a target application, where a system instruction points to a system file and the target file is configured within the system files.
The target application is the application currently monitored by the system monitoring server; it may be a single application or executable file, and may be a web application or a mobile application. A system instruction is operation code executed by the computer. Its basic structure is an opcode field plus an address code field: the opcode specifies the nature and function of the operation, and the address code gives the operand or the address of the operand, i.e. the memory address of the data to be processed. A system file may be a folder holding the main files of the application's operating system, and may also include the configuration file that sets parameters and initial settings for the application at start-up; in the handling of access credentials in this embodiment, access credential information is typically stored in the configuration file.
Specifically, when the target application starts it sends a system instruction to the system file server, which reads the configuration file of the target application stored there. While the target application runs it also sends system instructions to the system file server to access specified files and perform the corresponding operations. The system monitoring server monitors these system instructions. Specifically, hooking may be used to intercept the system instructions issued by the target application, so that each instruction is observed and, where necessary, intervened upon by the system monitoring server before it is dispatched. In this embodiment, intervention is needed in the process by which the target application calls its access credential. Therefore, the part of the system files on the system file server that stores the access credential is identified in advance and configured as the target file.
Step 204: and screening out a target system instruction pointing to the target file in the system instruction, and acquiring a dynamic access credential responded by a password access system based on the target system instruction, wherein the password access system is used for generating the dynamic access credential.
The access credential may refer to credential data that verifies the identity of the requester during access, and may be an account password or the like. The password access system may refer to a system for providing dynamic access credentials, and may be a PIM privileged account management system. Related functions of access credential management may be included in the access system, such as: account centralized management, password management, account automatic discovery, access management, providing password call services, flow control, monitoring, auditing and the like. Under the support of the password access system, the password access system can provide dynamically generated dynamic access credentials for the target application.
Specifically, as shown in fig. 3, the target file related to the access ticket is configured in the system file server in advance. The system monitoring server can screen out target system instructions which are sent by the target application and point to the target file. Under the intervention of HOOK technology, the target system instruction can be intercepted, and the target system instruction can be subjected to preset processing by the system monitoring server preferentially. After the interception of the system monitoring server, the system monitoring server can call the password access system, and a generation request of the dynamic access credential is sent to the password access system based on a target system instruction. After the password access system receives the generation request, the password access system can respond to the generation request and generate dynamic access credentials in real time, and the generated dynamic access credentials are returned to the system monitoring server.
Step 206: and accessing the target file based on the target system instruction, replacing the access certificate in the target file with the dynamic access certificate to obtain a replaced reconstructed target file, wherein the coded content of the reconstructed target file dynamically responds to the program memory variable.
Specifically, after the system monitoring server obtains the dynamic access credential returned by the password access system, the intervention processing required to be executed after the system monitoring server intercepts the target system instruction is completed, so that the target file pointed by the system monitoring server can be continuously read based on the target system instruction. In the reading process, a native access credential is stored in the target file, and the native access credential can be a dynamic access credential acquired by the target application in the last starting and running process, or can be an access credential stored in the system file by the target application in a hard coding mode. At this point, the target system instructions may replace the carried dynamic access credentials to the storage address of the access credentials that are native in the target file. And after the original access certificate is replaced, the reconstruction of the target file can be completed, and the reconstructed target file is obtained.
Step 208: and responding to the target system instruction sent by the target application by the reconstructed target file.
Specifically, in normal execution of the target system instructions, the system file server executes the target system instructions such that the system file server returns the reconstructed target file to the target application. At this time, the reconstructed target file carries a dynamic access credential corresponding to the current target system instruction, and the dynamic access credential supports authentication in current application access.
The method for dynamically configuring an application file access credential achieves the following beneficial effects:
After the application is started, the system instructions it sends to the system are monitored, so the target system instruction that needs to read the access credential can be identified and intercepted. After interception, the target system instruction is redirected to the password access system, a dynamic access credential is obtained from the password access system, the target file in the system files is accessed according to the target system instruction, the dynamic access credential is substituted into the target file, and the reconstructed target file is returned to the target application. As a result, the original access or start-up flow of the target application is unaffected, yet the hard-coded content in the system file is eliminated when the access credential is called and the dynamic access credential is used for access verification. The credential is thus supplied transparently to the party that needs it, the normal processing flow of the target application is preserved, and the security of the application system is improved.
In one embodiment, as shown in FIG. 4, before step 202 the method further includes:
Step 402: creating an application management account for the target application in the password access system, authorizing the application management account, and generating the access credential.
Specifically, after the system monitoring server detects a newly added target application, an application management account for it is created in the password access system. At creation, the application name, address, type, deployment method, version and so on of the target application are registered, and its basic functional information may also be profiled. The application management account is then authorized, generating an authorization ID. The authorization ID may correspond to a unified authorization, and hierarchical authorization with different permission levels may be managed according to specific rules.
Step 404: replacing the original hard-coded credential in the configuration file of the target application with the access credential.
Specifically, the original hard-coded credential in the configuration file of the target application is replaced directly with the access credential: the original user name in the configuration file is replaced with the authorization ID's username and the original password with the authorization ID's password. Taking Tomcat as an example, the replacement rule may be as follows:
open the conf folder in the Tomcat installation directory with Notepad or another editor, and replace the contents with: <user username="authorization id.username" password="authorization id.password" roles="manager-gui"/>.
In this embodiment, creating the application management account in the password access system lets application management accounts be managed uniformly, which helps the password access system respond efficiently to requests from many applications. Authorization is managed on top of the application management account, which improves the management efficiency of application management accounts and at the same time the security of the password access system. The hard-coded credential in the application is replaced as soon as the application is added, without waiting for the application to start or for an instruction to trigger it during execution, so the security risk of hard-coded privileged account information is removed as soon as the application joins the system, improving the timeliness of security management.
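The read-interception flow of steps 202 to 208, combined with the placeholder-style configuration file of step 404, as an added example in Python. It is not code from the patent or from Shenzhen Zhuyun Technology: a dictionary of callables stands in for the system function table, an in-memory dictionary stands in for the system file server, the password access system is a stub that issues a fresh random credential on every request, and the file paths, the application name and the placeholder spelling (authorization_id.username / authorization_id.password) are assumptions. The hook leaves the on-disk copy untouched, passes non-target files through unchanged (the "first system instruction" case) and refuses applications that have no application management account.

```python
"""Added example, not from the patent: a userland simulation of the monitoring
server's hook.  A dict of callables stands in for the kernel's system function
table; its read entry is redirected to a credential-aware reader that rebuilds
the target file in memory.  File contents, paths, application name and
placeholder spelling are constructed for this example."""
import secrets

# Constructed "system file server": path -> contents on disk.  The Tomcat users
# file already carries the step-404 placeholders instead of a hard-coded password.
DISK = {
    "/opt/tomcat/conf/tomcat-users.xml": (
        '<tomcat-users>\n'
        '  <user username="authorization_id.username" '
        'password="authorization_id.password" roles="manager-gui"/>\n'
        '</tomcat-users>\n'
    ),
    "/opt/tomcat/conf/server.xml": '<Server port="8005"/>\n',
}

# Files that hold access credentials and are therefore "target files" (step 202).
TARGET_FILES = {"/opt/tomcat/conf/tomcat-users.xml"}


class PasswordAccessSystem:
    """Stub for the password access system: one authorization username per
    registered application and a fresh password per request, plus an audit
    trail a defender can reconcile against the real system's logs."""

    def __init__(self):
        self.accounts = {}   # application name -> authorization username
        self.audit = []      # (application, path, username) per issued credential

    def create_application_account(self, app):
        """Step 402: register the application and authorize it."""
        self.accounts[app] = f"svc-{app}-{secrets.token_hex(4)}"

    def issue(self, app, path):
        """Step 204: generate a dynamic access credential for a known application."""
        if app not in self.accounts:
            raise PermissionError(f"{app} has no application management account")
        username = self.accounts[app]
        password = secrets.token_urlsafe(24)   # lives only in memory, never on disk
        self.audit.append((app, path, username))
        return username, password


PAS = PasswordAccessSystem()


def disk_read(app, path):
    """Conventional system function: return the file exactly as stored on disk."""
    return DISK[path]


# Simulated system function table; install_hook() redirects its read entry.
SYSTEM_FUNCTION_TABLE = {"read_file": disk_read}
_ORIGINAL_TABLE = dict(SYSTEM_FUNCTION_TABLE)


def credential_read(app, path):
    """Hooked reader (steps 204-208): non-target files pass straight through;
    a target file is rebuilt in memory with a dynamic credential."""
    if path not in TARGET_FILES:
        return _ORIGINAL_TABLE["read_file"](app, path)   # the "first system instruction"
    username, password = PAS.issue(app, path)
    original = _ORIGINAL_TABLE["read_file"](app, path)
    reconstructed = (original
                     .replace("authorization_id.username", username)
                     .replace("authorization_id.password", password))
    return reconstructed   # returned to the application; DISK is unchanged


def install_hook():
    """Redirect the table entry, as step 602/604 does with the function pointer."""
    SYSTEM_FUNCTION_TABLE["read_file"] = credential_read


def application_reads(app, path):
    """What the target application receives for a read instruction on `path`."""
    return SYSTEM_FUNCTION_TABLE["read_file"](app, path)


if __name__ == "__main__":
    PAS.create_application_account("tomcat")
    install_hook()
    print(application_reads("tomcat", "/opt/tomcat/conf/tomcat-users.xml"))
```

Running the block as a script prints the reconstructed tomcat-users.xml. Reading the same path twice yields two different passwords while DISK still contains only the placeholders, and PAS.audit records which application asked for which file, which is the record a defender would want to reconcile against the password access system's own logs.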
In one embodiment, as shown in fig. 5, before step 204, the method further includes:
Step 502: acquiring application verification information corresponding to the target application based on the target system instruction.
The application verification information refers to information used for identity verification between the application and the password access system.
Specifically, when the application management account of the target application is created, the application verification information bound to the target application may be created at the same time. The application verification information is used by the password access system to authenticate a request from the target application. To improve the security of the application verification information, a unique hash value may be generated based on the target application.
Step 504: verifying the application verification information through the application management account in the password access system.
Specifically, before the password access system returns the dynamic access credential to the system monitoring server, the system monitoring server sends the application verification information to the password access system, and the password access system verifies the application verification information through the application management account corresponding to the target application.
In this embodiment, before the password access system provides the dynamic access credential to the target application, identity verification and authentication of the target application are performed using the application verification information. This helps to improve the security of the system: the access credential is delivered only to an application that has been authenticated.
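The verification exchange of steps 502 and 504 as an added example that is not the patent's own code. The patent says only that the verification information is created together with the application management account and may be a unique hash generated from the target application; the concrete scheme here is an assumption: the password access system mints a per-application HMAC key when the account is created and records a SHA-256 hash of the application binary, and the system monitoring server authenticates each credential request with a tag over the application id, the binary hash, the requested target file, a nonce and a timestamp. The run at the end shows the checks a practitioner wants on the receiving side: constant-time tag comparison, and rejection of a replayed request, of a request from a modified binary, and of a request outside the clock-skew window. The class names, the sample binary bytes and the path are constructed.

```python
"""Application verification (steps 502/504) before a dynamic access credential is released.

Added example, not the patent's code. The HMAC key per application, the SHA-256
hash of the application binary, and the nonce/timestamp in the request are an
assumed realisation of the patent's "application verification information".
"""
import hashlib
import hmac
import secrets
import time

MAX_CLOCK_SKEW_S = 30


def _canonical(*fields: str) -> bytes:
    """Length-prefix every field so that field boundaries cannot be shifted."""
    out = b""
    for field in fields:
        enc = field.encode()
        out += len(enc).to_bytes(4, "big") + enc
    return out


def _tag(key, app_id, app_hash, target_file, nonce, ts) -> bytes:
    msg = _canonical(app_id, app_hash, target_file, nonce, str(ts))
    return hmac.new(key, msg, "sha256").digest()


class PasswordAccessSystem:
    """Retrieval side: application management accounts and their verification keys."""

    def __init__(self):
        self.accounts = {}       # app_id -> {"app_hash", "verify_key"}
        self.seen_nonces = set()

    def create_management_account(self, app_id: str, app_binary: bytes) -> bytes:
        """Bind the account to a hash of the application and mint its verification key.
        The key is delivered to the system monitoring server once, at enrolment."""
        verify_key = secrets.token_bytes(32)
        self.accounts[app_id] = {"app_hash": hashlib.sha256(app_binary).hexdigest(),
                                 "verify_key": verify_key}
        return verify_key

    def issue_dynamic_credential(self, req: dict, now=None) -> dict:
        """Step 504: verify the request against the management account, then release
        a short-lived credential that exists only in memory on both sides."""
        now = int(time.time()) if now is None else now
        acct = self.accounts.get(req["app_id"])
        if acct is None:
            raise PermissionError("unknown application")
        if abs(now - req["ts"]) > MAX_CLOCK_SKEW_S:
            raise PermissionError("stale request")
        if req["nonce"] in self.seen_nonces:
            raise PermissionError("replayed request")
        # Recompute with the hash recorded at enrolment, never with a value the requester claims.
        expected = _tag(acct["verify_key"], req["app_id"], acct["app_hash"],
                        req["target_file"], req["nonce"], req["ts"])
        if not hmac.compare_digest(expected, req["tag"]):   # constant-time compare
            raise PermissionError("application verification failed")
        self.seen_nonces.add(req["nonce"])
        return {"username": f"svc-{req['app_id']}",
                "password": secrets.token_urlsafe(24), "ttl_s": 300}


class SystemMonitoringServer:
    """Monitoring side: builds the verification information for a target system instruction."""

    def __init__(self, app_id: str, verify_key: bytes):
        self.app_id, self.verify_key = app_id, verify_key

    def build_request(self, app_binary: bytes, target_file: str, now=None) -> dict:
        # app_binary is what is on disk when the instruction is observed; a modified
        # binary hashes differently and the password access system refuses the request.
        ts = int(time.time()) if now is None else now
        nonce = secrets.token_hex(16)
        app_hash = hashlib.sha256(app_binary).hexdigest()
        return {"app_id": self.app_id, "target_file": target_file, "nonce": nonce, "ts": ts,
                "tag": _tag(self.verify_key, self.app_id, app_hash, target_file, nonce, ts)}


def _outcome(pas: PasswordAccessSystem, req: dict, now: int) -> str:
    try:
        pas.issue_dynamic_credential(req, now=now)
        return "accepted"
    except PermissionError as err:
        return f"rejected: {err}"


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed run: a legitimate request, then a replay, a tampered binary and a stale clock."""
    binary = b"\x7fELF constructed stand-in for the application binary"
    target = "/opt/tomcat/conf/tomcat-users.xml"      # constructed path
    pas = PasswordAccessSystem()
    sms = SystemMonitoringServer("tomcat-prod", pas.create_management_account("tomcat-prod", binary))
    req = sms.build_request(binary, target, now=now)
    return {
        "legit": pas.issue_dynamic_credential(req, now=now),
        "replay": _outcome(pas, req, now),
        "tampered": _outcome(pas, sms.build_request(binary + b"\x90", target, now=now), now),
        "stale": _outcome(pas, sms.build_request(binary, target, now=now - 600), now),
    }
```

Binding the requested target file into the tag matters as much as the key: a monitoring server that has been tricked into asking for a different file cannot reuse a tag computed for the expected one.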
In one embodiment, as shown in FIG. 6, step 204 includes:
Step 602: parsing the system instruction to obtain the system function table pointer included in the system kernel of the target application.
The system kernel refers to the collection of functional modules that run in kernel mode in an operating system and are responsible for managing the system. A system function is a function that implements a system service. The system function table is the table that lists all system functions. A function pointer stores the address of the system function it refers to.
Specifically, after the system instruction is intercepted, it is parsed to obtain the system function table pointer at the system kernel level.
Step 604: modifying the address pointed to by the target function pointer corresponding to the target system instruction to the address of the password retrieval function in the password access system.
Specifically, to redirect the target system instruction, the address held by the target function pointer in the system function table is modified to the address of the corresponding password retrieval function in the password access system. For example, the open and read function pointers in the system function table may be modified to point to the address of a new password retrieval function that has been authenticated by the password access system.
In this embodiment, communication between the application and the system file server is intercepted at the system kernel level and redirected by modifying the system function table pointer. This allows applications developed in different computer languages and using accounts of different privilege levels to be managed uniformly, improves the efficiency of interception and credential replacement, and further improves system security.
In one embodiment, as shown in FIG. 7, step 204 includes:
Step 702: calling the password access system through a standard application interface and/or a plug-in interface.
Specifically, the system monitoring server may call the password access system through a standard application interface or a plug-in interface.
In this embodiment, the password access system is connected to the system monitoring server through an application interface or a plug-in, so it is independent of the execution flow of the application and avoids interfering with the application's normal operation; the dynamic access credential can thus be provided without changing the application's source code.
In one embodiment, as shown in fig. 8, the method further comprises:
step 802: executing a first system instruction other than the target system instruction, and responding to a conventional system file to the target application based on the first system instruction.
Specifically, in the process of monitoring the system instructions, the first system instructions which are screened out and are irrelevant to the starting or calling access credentials can normally execute corresponding primitive functions based on the first system instructions, so that the target application can normally acquire the conventional system files requested by the first system instructions.
In this embodiment, the first system instruction is normally executed, which is conducive to improving the response efficiency of the instruction sent in the running process of the application program, so as to ensure the use experience of the application program in the process of improving the system security.
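Steps 602/604 (redirecting the open and read entries of the function table to a password retrieval function) and step 802 (passing every other instruction through unchanged), modelled in user space as an added example that is not the patent's code. A Python dict stands in for the kernel's system function table, so the example runs unprivileged; in the real embodiment the same redirection is done on kernel function pointers, which requires kernel-level privilege, is the mechanism kernel rootkits use, and is write-protected or detected by current kernels, so the component that installs the hook must itself be trusted and protected. The hook compares resolved paths rather than strings so that an alias of the target file is still intercepted, substitutes the dynamic credential into the reconstructed file only in memory, never rewrites the file on disk, and counts the calls it passes through. fetch_dynamic_credential is an assumed callback to the password access system; file contents and paths are constructed.

```python
"""User-space model of steps 602/604 and 802: redirect the open/read entries of a
function table to a credential retrieval hook; pass every other call through.

Added example, not the patent's code. A dict stands in for the kernel's system
function table, so this runs without privilege; fetch_dynamic_credential is an
assumed callback to the password access system.
"""
import os
import secrets
import tempfile

PLACEHOLDERS = (b"authorization id.username", b"authorization id.password")


def _sys_open(path, flags=os.O_RDONLY):
    return os.open(path, flags)


def _sys_read(fd, n=65536):
    return os.read(fd, n)


def _sys_close(fd):
    os.close(fd)


# The "function table": name -> implementation. The application only calls through it.
FUNCTION_TABLE = {"open": _sys_open, "read": _sys_read, "close": _sys_close}
_ORIGINAL = dict(FUNCTION_TABLE)      # saved pointers, needed to pass through and to unhook


class CredentialRetrievalHook:
    def __init__(self, target_file, fetch_dynamic_credential):
        self.target = os.path.realpath(target_file)   # compare resolved paths, not strings
        self.fetch = fetch_dynamic_credential
        self.reconstructed = {}    # fd -> bytes still to deliver; exists only in memory
        self.passthrough_calls = 0

    def open(self, path, flags=os.O_RDONLY):
        fd = _ORIGINAL["open"](path, flags)
        if os.path.realpath(path) != self.target:
            self.passthrough_calls += 1               # step 802: not a target instruction
            return fd
        raw = b"".join(iter(lambda: _ORIGINAL["read"](fd, 65536), b""))
        cred = self.fetch()                            # dynamic credential from the password access system
        content = raw.replace(PLACEHOLDERS[0], cred["username"].encode())
        content = content.replace(PLACEHOLDERS[1], cred["password"].encode())
        self.reconstructed[fd] = content               # the file on disk is never rewritten
        return fd

    def read(self, fd, n=65536):
        if fd in self.reconstructed:
            buf = self.reconstructed[fd]
            self.reconstructed[fd] = buf[n:]
            return buf[:n]
        self.passthrough_calls += 1
        return _ORIGINAL["read"](fd, n)

    def close(self, fd):
        self.reconstructed.pop(fd, None)               # credential leaves memory with the fd
        _ORIGINAL["close"](fd)


def install_hook(hook):
    """Step 604: point the table entries at the hook's functions."""
    for name in ("open", "read", "close"):
        FUNCTION_TABLE[name] = getattr(hook, name)


def uninstall_hook():
    FUNCTION_TABLE.update(_ORIGINAL)


def app_read(path) -> bytes:
    """What the target application does: ordinary open/read/close through the table."""
    fd = FUNCTION_TABLE["open"](path)
    try:
        return b"".join(iter(lambda: FUNCTION_TABLE["read"](fd), b""))
    finally:
        FUNCTION_TABLE["close"](fd)


def demo() -> dict:
    """Constructed run on temporary files: one target file, one ordinary file."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "tomcat-users.xml")
        other = os.path.join(d, "server.xml")
        on_disk = (b'<user username="authorization id.username" '
                   b'password="authorization id.password" roles="manager-gui"/>\n')
        with open(target, "wb") as f:
            f.write(on_disk)
        with open(other, "wb") as f:
            f.write(b'<Server port="8005"/>\n')

        hook = CredentialRetrievalHook(
            target, lambda: {"username": "svc-tomcat", "password": secrets.token_urlsafe(18)})
        install_hook(hook)
        try:
            seen_target = app_read(os.path.join(d, ".", "tomcat-users.xml"))  # alias path
            seen_other = app_read(other)
        finally:
            uninstall_hook()
        with open(target, "rb") as f:
            still_on_disk = f.read()
        return {"seen_target": seen_target, "seen_other": seen_other, "on_disk": still_on_disk,
                "passthrough": hook.passthrough_calls, "after_unhook": app_read(target)}
```

The point of the two counters in the run is the split the patent makes: the ordinary file is served by the original functions untouched (three passed-through calls: its open and two reads), while the target file is reconstructed for the application and left unchanged on disk, so the same placeholders are read back once the hook is removed.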
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown in sequence as indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the order of execution of the steps is not strictly limited, and the steps may be performed in other orders. Moreover, at least some of the steps in the flowcharts described above may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and whose order of execution is not necessarily sequential; they may be performed in turn or alternately with at least some of the other steps, sub-steps or stages.
Based on the same inventive concept, an embodiment of the application also provides a dynamic configuration apparatus for application file access credentials, for implementing the dynamic configuration method for application file access credentials described above. The implementation of the solution provided by the apparatus is similar to that described for the method, so for the specific limitations in the one or more apparatus embodiments below, reference may be made to the limitations of the dynamic configuration method for application file access credentials above, which are not repeated here.
In one embodiment, as shown in fig. 9, there is provided an application file access credential dynamic configuration apparatus, including:
an instruction monitoring module 902, configured to monitor a system instruction sent from a target application, where the system instruction is used for pointing to a system file, and the system file is configured with a target file;
a credential acquisition module 904, configured to screen out, from the system instructions, a target system instruction pointing to the target file, and to acquire a dynamic access credential returned by a password access system based on the target system instruction, where the password access system is configured to generate the dynamic access credential;
a credential replacing module 906, configured to access the target file based on the target system instruction and replace the access credential in the target file with the dynamic access credential, obtaining a reconstructed target file after replacement, where the encoded content of the reconstructed target file is supplied dynamically from a program memory variable;
a dynamic response module 908, configured to respond to the target system instruction sent by the target application with the reconstructed target file.
In one embodiment, the apparatus further includes, before the instruction monitoring module 902:
an application authorization module, configured to create an application management account of the target application in the password access system, authorize the application management account, and generate the access credential;
a hard-coded credential replacing module, configured to replace the original hard-coded credential in the configuration file of the target application with the access credential.
In one embodiment, the apparatus further includes, before the credential acquisition module 904:
a verification information acquisition module, configured to acquire application verification information corresponding to the target application based on the target system instruction;
a verification information verifying module, configured to verify the application verification information through the application management account in the password access system.
In one embodiment, the credential acquisition module 904 includes:
a kernel function pointer module, configured to parse the system instruction to obtain the system function table pointer included in the system kernel of the target application;
a function pointer redirection module, configured to modify the address pointed to by the target function pointer corresponding to the target system instruction to the address of the password retrieval function in the password access system.
In one embodiment, the credential acquisition module 904 includes:
an interface calling module, configured to call the password access system through a standard application interface and/or a plug-in interface.
In one embodiment, the apparatus further comprises:
a conventional instruction processing module, configured to execute a first system instruction other than the target system instruction, and to respond to the target application with the conventional system file based on the first system instruction.
The modules in the dynamic configuration apparatus for application file access credentials can be implemented in whole or in part by software, hardware, or a combination thereof. The above modules may be embedded in hardware or be independent of the processor in the computer device, or may be stored in software form in the memory of the computer device, so that the processor can call them and execute the operations corresponding to the above modules.
In one embodiment, a computer device is provided, which may be a server, and the internal structure of which may be as shown in fig. 10. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The database of the computer device is for storing data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements a method for dynamically configuring application file access credentials.
It will be appreciated by those skilled in the art that the structure shown in fig. 10 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In an embodiment, there is also provided a computer device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, carries out the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
It should be noted that, user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
Those skilled in the art will appreciate that all or part of the methods described above may be implemented by a computer program stored on a non-transitory computer-readable storage medium, which, when executed, may include the steps of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetoresistive random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM) or external cache memory, and the like. By way of illustration and not limitation, RAM may take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database and the like. The processors referred to in the embodiments provided herein may be general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, data processing logic units based on quantum computing, and the like, without being limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the present application. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (10)

1. A method for dynamically configuring access credentials of an application file, the method comprising:
monitoring a system instruction sent from a target application, wherein the system instruction is used for pointing to a system file, and the system file is configured with the target file;
screening out, from the system instruction, a target system instruction pointing to the target file, and acquiring a dynamic access credential returned by a password access system based on the target system instruction, wherein the password access system is used for generating the dynamic access credential;
accessing the target file based on the target system instruction, and replacing an access credential in the target file with the dynamic access credential to obtain a reconstructed target file after replacement, wherein the encoded content of the reconstructed target file is supplied dynamically from a program memory variable;
and responding to the target system instruction sent by the target application with the reconstructed target file.
2. The method of claim 1, wherein before the monitoring a system instruction sent from a target application, the system instruction being used for pointing to a system file and the system file being configured with the target file, the method further comprises:
creating an application management account of the target application in the password access system, authorizing the application management account, and generating the access credential;
and replacing the original hard-coded credential in the configuration file of the target application with the access credential.
3. The method of claim 2, wherein before the acquiring a dynamic access credential returned by a password access system based on the target system instruction, the method further comprises:
acquiring application verification information corresponding to the target application based on the target system instruction;
and verifying the application verification information through the application management account in the password access system.
4. The method of claim 1, wherein the screening out, from the system instruction, a target system instruction pointing to the target file, and acquiring a dynamic access credential returned by a password access system based on the target system instruction, the password access system being used for generating the dynamic access credential, comprises:
parsing the system instruction to obtain a system function table pointer included in a system kernel of the target application;
and modifying the address pointed to by the target function pointer corresponding to the target system instruction to the address of the password retrieval function in the password access system.
5. The method of claim 1, wherein the acquiring a dynamic access credential returned by a password access system based on the target system instruction comprises:
calling the password access system through a standard application interface and/or a plug-in interface.
6. The method of claim 1, further comprising:
executing a first system instruction other than the target system instruction, and responding to the target application with the conventional system file based on the first system instruction.
7. An application file access credential dynamic configuration apparatus, the apparatus comprising:
an instruction monitoring module, configured to monitor a system instruction sent from a target application, wherein the system instruction is used for pointing to a system file, and the system file is configured with a target file;
a credential acquisition module, configured to screen out, from the system instruction, a target system instruction pointing to the target file, and to acquire a dynamic access credential returned by a password access system based on the target system instruction, the password access system being used for generating the dynamic access credential;
a credential replacing module, configured to access the target file based on the target system instruction and replace the access credential in the target file with the dynamic access credential to obtain a reconstructed target file after replacement, wherein the encoded content of the reconstructed target file is supplied dynamically from a program memory variable;
and a dynamic response module, configured to respond to the target system instruction sent by the target application with the reconstructed target file.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 6.
CN202310207342.XA 2023-03-07 2023-03-07 Dynamic configuration method and device for application file access credentials Pending CN116090013A (en)


Publications (1)

Publication Number Publication Date
CN116090013A true CN116090013A (en) 2023-05-09

Family

ID=86202697


Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080196101A1 (en) * 2007-02-13 2008-08-14 Cyber-Ark Software Ltd. Methods and systems for solving problems with hard-coded credentials
US20100269156A1 (en) * 2008-12-28 2010-10-21 Hohlfeld Matthew W Apparatus and methods for providing authorized device access
CN102724568A (en) * 2011-03-28 2012-10-10 索尼公司 (Sony Corporation) Authentication certificates
US20170310659A1 (en) * 2016-04-25 2017-10-26 International Business Machines Corporation Protection of application passwords using a secure proxy
US20180343239A1 (en) * 2017-05-24 2018-11-29 Micro Focus Software Inc. Hard coded credential bypassing
CN110717176A (en) * 2019-09-23 2020-01-21 广州海颐信息安全技术有限公司 (Guangzhou Haiyi Information Security Technology Co., Ltd.) Method and device for changing application embedded privileged account on line
CN111563741A (en) * 2020-04-30 2020-08-21 中国银行股份有限公司 (Bank of China Limited) Transaction certificate generation method, device and system
CN113268743A (en) * 2021-06-25 2021-08-17 深圳谷探科技有限公司 (Shenzhen Gutan Technology Co., Ltd.) Method for improving safety of dynamic loop monitoring system


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张志华; 张?舒; 胡万里: "Research on security issues of password managers in the Android system" (Android系统中密码管理器安全问题研究), 保密科学技术 (Secrecy Science and Technology), no. 03 *
郭昊; 何小芸; 孙学洁; 陈红松; 刘周斌; 颉靖: "Research on security risk assessment of State Grid edge computing applications" (国家电网边缘计算应用安全风险评估研究), 计算机工程与科学 (Computer Engineering and Science), no. 09 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20230509