CN116126470A - Method, system and medium for managing script execution in container - Google Patents

Publication number
CN116126470A
Authority
CN
China
Legal status
Pending
Application number
CN202310028277.4A
Other languages
Chinese (zh)
Inventor
陈博翰
张洲
陈刚
王震
杨诏钧
Current Assignee
Kirin Software Co Ltd
Original Assignee
Kirin Software Co Ltd
Application filed by Kirin Software Co Ltd
Priority to CN202310028277.4A
Publication of CN116126470A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Abstract

The invention discloses a method, a system and a medium for managing script execution in a container. The method comprises: when a script file is created in the container, establishing for the script file an association with the parent process that created it; and, when execution of the script file in the container is detected, determining whether the executing program that executes the script file is the associated parent process, allowing the script file to be executed if so and prohibiting it otherwise. The method further comprises managing the script interpreter so that it is refused execution of script files created in the container. By binding each script file to its parent process, the invention can ensure the security of the container while reducing the impact on the business running in the container.

Description

Method, system and medium for managing script execution in container
Technical Field
The invention relates to the field of container security, in particular to a method, a system and a medium for managing script execution in a container.
Background
A container is a sandbox technology whose main purpose is to keep the application running inside it isolated from the outside and to make it easy to move that sandbox to other host machines. Essentially, a container is a special process: resources, files, devices, states and configurations are partitioned into a separate space by namespaces, control groups (cgroups) and root switching (chroot). Enterprises favor container technology because it uses few resources, deploys quickly and migrates easily. As container technology becomes more popular, container security becomes increasingly important. A program written in a scripting language does not need to be compiled; the script interpreter can interpret and execute a script file as long as it has read permission on that file. Because script files are mostly plain text, an attacker can easily encode and obfuscate a script's content so that it bypasses detection mechanisms as well as manual identification by a user. Attacks that use script files inside a container can damage the running environment in the container and, combined with vulnerabilities or misconfigurations, can even lead to container escape.
Although some script management methods exist at present, they all require corresponding processing of the script interpreter, such as adding a security mark to the script interpreter or recording the path of the script interpreter. However, the script interpreter used by a container is contained in the container image. To control the execution of script files in a container, the script interpreter inside the container therefore has to be processed; every time a container is created from a new image, the script interpreter in that image has to be processed again, and every time a new image is pulled, the path of the script interpreter has to be located manually. As the number of images in use grows, the existing methods struggle to control script execution in containers. In addition, the existing script execution control methods verify a label or a measurement value of the script to be executed and refuse execution when it does not match, which may affect the normal operation of the business in the container.
Disclosure of Invention
The technical problem to be solved by the invention: in view of the above problems in the prior art, the invention provides a method, a system and a medium for managing script execution in a container, which aim to ensure the security of the container while reducing the impact on the business running in the container.
In order to solve the technical problems, the invention adopts the following technical scheme:
A method of script execution management in a container, comprising:
S101, when a script file is created in a container, establishing for the script file an association with the parent process that created it;
S102, when execution of the script file in the container is detected, determining whether the executing program that executes the script file is the associated parent process; if so, allowing the script file to be executed, otherwise prohibiting the script file from being executed.
Optionally, when the association with the parent process that created the script file is established in step S101, the association information of the parent process is the absolute path of the parent process's file or a hash value of that absolute path.
Optionally, establishing the association with the parent process that created the script file in step S101 means recording the association information of the parent process into the extended attribute of the script file.
Optionally, recording the association information of the parent process into the extended attribute of the script file means recording the identity information of the parent process into the extended attribute of the script file and adding a non-executable mark to the script file.
Optionally, step S101 is preceded by a step of automatically adding security marks to the directories and files in the container image when the container image is pulled, and the types of mark added automatically include: a script interpreter mark for script interpreter files, and a parent process mark for all files other than the script interpreter.
Optionally, the step of automatically adding security marks to the directories and files in the container image when the image is pulled means that, after the container engine pulls the container image, the GraphDriver information of the downloaded image is obtained through the container inspection function to locate the corresponding directory, and the kernel function that adds security marks is then called to add the corresponding marks recursively to that directory.
Optionally, before the step of automatically adding the security marks to the directories and files in the container mirror image when the container mirror image is pulled, the method further comprises installing a container patch to modify the container engine, so that the container engine adds a function of automatically adding the security marks to the directories and files in the container mirror image when the container mirror image is pulled.
Optionally, the response processing in step S102 when execution of the script file in the container is detected includes:
S201, reading the security mark of the script file and the security mark of the executing program of the script file;
S202, checking the type of the security mark of the executing program; if it is a script interpreter mark, jumping to step S203, and if it is a parent process mark, jumping to step S204;
S203, checking the type of the security mark of the script file; if it is a non-executable mark, prohibiting the script file from being executed; otherwise, allowing the script file to be executed and exiting;
S204, checking the type of the security mark of the script file; if it is a non-executable mark, jumping to step S205; otherwise, allowing the script file to be executed and exiting;
S205, checking whether the identity information of the parent process carried in the security mark of the script file is consistent with the identity information of the executing program executing the script file; if so, allowing the script file to be executed, otherwise prohibiting the script file from being executed.
In addition, the invention also provides a system for controlling script execution in a container, which comprises a microprocessor and a memory which are connected with each other, wherein the microprocessor is programmed or configured to execute the method for controlling script execution in the container.
Furthermore, the present invention provides a computer-readable storage medium storing a computer program that is programmed or configured to be executed by a microprocessor to perform the method of script execution management within a container.
Compared with the prior art, the invention has the following advantages: when a script file is created in a container, an association with the parent process that created it is established for the script file; when execution of the script file in the container is detected, it is determined whether the executing program that executes the script file is the associated parent process, and the script file is allowed to execute if so and prohibited otherwise. Binding the script file to its parent process in this way ensures the security of the container while reducing the impact on the business running in the container.
Drawings
Fig. 1 is a schematic flow chart of a method according to an embodiment of the invention.
Fig. 2 is a complete flow chart of the method according to embodiment two of the invention.
Fig. 3 is a flow chart of response processing when a script file is executed in the second embodiment of the present invention.
Detailed Description
Embodiment one:
As shown in fig. 1, the method for managing script execution in a container of the present embodiment includes:
S101, when a script file is created in a container, establishing for the script file an association with the parent process that created it;
S102, when execution of the script file in the container is detected, determining whether the executing program that executes the script file is the associated parent process; if so, allowing the script file to be executed, otherwise prohibiting the script file from being executed.
It should be noted that, when the association with the parent process that created the script file is established in step S101, the association information of the parent process can be chosen as required; for example, the absolute path of the parent process's file or a hash value of that absolute path may be used. Since a hash value has characteristics such as strong confidentiality and fixed length, this embodiment preferably uses the hash value of the absolute path of the parent process's file, and a set of hash values is recorded in the extended attribute of the script file; the hash values are obtained by a kernel function performing a hash operation on the absolute path of the parent process.
In this embodiment, establishing the association with the parent process that created the script file in step S101 means recording the association information of the parent process into the extended attribute of the script file, which is relatively simple and direct. Alternatively, the association information of the parent process of each script file may be recorded in a dedicated database or file, which achieves the same purpose.
In this embodiment, recording the association information of the parent process into the extended attribute of the script file means recording the identity information of the parent process into the extended attribute of the script file.
Embodiment two:
This embodiment extends embodiment one in two ways: it extends the types of security mark, and it extends the processing performed when execution of a script file within the container is detected.
As shown in fig. 2, step S101 in the present embodiment is preceded by a step of automatically adding security marks to the directories and files in the container image when the image is pulled. Two types of mark are added at this point: a script interpreter mark for script interpreter files (such as bash, shell and the like), and a parent process mark for all other files in the image. A file generated by a process that carries the parent process mark is given a non-executable mark (here, recording the association information of the parent process into the extended attribute of the script file means recording the identity information of the parent process into a field of the extended attribute that is separate from the security mark, and adding the non-executable mark to the script file). The security marks used in this embodiment therefore comprise three types in total, as shown in table 1.
Table 1: Security mark types and their descriptions.
Security mark type | Description
Non-executable mark | Execution control mark; a file carrying this mark is non-executable by default
Script interpreter mark | Mark set on the various interpreters (avoids modifying source code packages)
Parent process mark | A file carrying this mark can execute the sub-files it generates
In this embodiment, the step of automatically adding security marks to the directories and files in the container image when the image is pulled works as follows: after the container engine pulls the container image, the GraphDriver information of the downloaded image is obtained through the container inspection function (docker inspect) to locate the corresponding directory, and the kernel function that adds security marks is then called to add the corresponding marks recursively to that directory.
In this embodiment, before the step of automatically adding the security marks to the directories and files in the container mirror image when the container mirror image is pulled, the method further includes installing a container patch to modify the container engine, so that the container engine adds a function of automatically adding the security marks to the directories and files in the container mirror image when the container mirror image is pulled.
Building on the script interpreter mark added to script interpreter files and the parent process mark added to all other files, this embodiment also extends the processing performed when execution of a script file in the container is detected. When a script file is executed by the script interpreter, the kernel checks the security marks of the executing program and of the script file; if the executing program carries the script interpreter mark, execution of a script file carrying the non-executable mark is refused. When a script file is executed by another process, the kernel likewise checks the security marks of the executing program and of the script file; if the executing program carries the parent process mark, execution of a script file carrying the non-executable mark is not refused outright. Instead, the kernel determines whether the hash value recorded in the extended attribute of the script file is consistent with the hash value of the absolute path of the executing program. If so, execution is allowed; otherwise, execution is denied. In this way the script file can only be executed by its parent process, and the security mark attribute of the script file is not changed after execution completes. Thus, when execution control is on, the only way a script within the container can be executed is through its parent process. Specifically, as shown in fig. 3, the response processing in step S102 of the present embodiment when execution of the script file in the container is detected includes:
S201, reading the security mark of the script file and the security mark of the executing program of the script file;
S202, checking the type of the security mark of the executing program; if it is a script interpreter mark, jumping to step S203, and if it is a parent process mark, jumping to step S204;
S203, checking the type of the security mark of the script file; if it is a non-executable mark, prohibiting the script file from being executed (that is, refusing to let the script interpreter execute a script file created in the container); otherwise, allowing the script file to be executed and exiting;
S204, checking the type of the security mark of the script file; if it is a non-executable mark, jumping to step S205; otherwise, allowing the script file to be executed and exiting;
S205, checking whether the identity information of the parent process carried in the security mark of the script file is consistent with the identity information (for example, the hash value in this embodiment) of the executing program executing the script file; if so, allowing the script file to be executed, otherwise prohibiting the script file from being executed.
Specifically, in this embodiment, the operating system of the experimental environment is Kylin Server V10 and the Docker version is 18.09. To verify the validity of script execution management, we wrote a simple test program, test, which has two functions: creating a script file and executing a script file. Adding marks to files in the container is done by installing a patch for the container engine, so that the engine adds the corresponding security marks to the files in an image when the image is pulled; this avoids the situation where script execution in the container cannot be managed because a newly pulled image has no security marks or the script interpreter in the container has not been modified. Recording the hash value adds the hash value to files generated by parent processes in the container, which ensures that the subsequent execution control is effective. File execution control uses the security marks and hash values added in the first two steps to control the execution of scripts in the container, so that the security of the container at run time is improved while the normal operation of the business in the container is ensured. First, Docker is installed on a physical machine running the Kylin Server V10 operating system, and the patch is installed for Docker. Then, a docker pull instruction is used to pull the centos container image; during the pull, Docker scans the files in the image and adds security marks according to file type.
For example: when the test program test generates a script file test_script, the kernel function records the hash value of the absolute path of test in the extended attribute of test_script. When test_script is then executed using the script interpreter bash, the kernel first verifies the security marks of the executing program and of the script file; because bash carries the script interpreter mark and test_script, having been generated by a program with the parent process mark, carries the non-executable mark, execution of test_script is refused. When the test program test executes test_script, the kernel again first checks the security marks of the executing program and of the script file: test carries the parent process mark and test_script carries the non-executable mark, but since the hash value recorded in the extended attribute of test_script is consistent with the hash value of the absolute path of test, the test process can execute test_script.
As a further example: a container holds program A, program B and the script interpreter bash, and program A generates script a1. When the image is pulled, program A and program B are given the parent process mark and the script interpreter bash is given the script interpreter mark. When program A generates script a1, a1 is given the non-executable mark. When program A executes a1, the mark of a1 is found to be the non-executable mark, so the kernel then checks whether the parent process information recorded in the security extended attribute of a1 (the process that generated it) is consistent with the program currently executing it; execution is allowed because the executing program is program A. Similarly, when program B executes a1, execution is refused because the parent process information recorded in the security extended attribute of a1 is inconsistent with the program currently executing it. When the script interpreter bash executes a1, the executing program is identified as a script interpreter and a1 carries the non-executable mark, so execution is refused directly without any further comparison. The executing program is checked for being a script interpreter because the control principle for script interpreters differs from that for general programs, which is why this embodiment adds a dedicated script interpreter mark to script interpreters.
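The create-time association (S101) and the execution-time decision (S201 to S205), modelled in user space on the program A / program B / interpreter scenario above. This is an added example, not code from the patent: the FNV-1a path hash, the file paths, the struct layout and the fail-closed handling of an executor without a mark are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* The three security mark types of Table 1, plus "no mark". */
enum mark { MARK_NONE, MARK_NON_EXECUTABLE, MARK_INTERPRETER, MARK_PARENT };
enum verdict { DENY = 0, ALLOW = 1 };

/* In-memory stand-in for the data the patent keeps in extended attributes. */
struct file_meta {
    const char *path;       /* absolute path inside the container (constructed) */
    enum mark mark;         /* security mark */
    uint64_t creator_hash;  /* hash of the creator's absolute path */
    int has_creator;        /* non-zero once creator_hash has been recorded */
};

/* Assumption: the patent only says "hash of the absolute path";
 * 64-bit FNV-1a is used here as a stand-in. */
static uint64_t path_hash(const char *path)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (const unsigned char *p = (const unsigned char *)path; *p; p++) {
        h ^= *p;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* S101: a file generated by a program carrying the parent process mark gets
 * the non-executable mark plus the creator's identity. The patent describes
 * this step only for creators that carry the parent process mark. */
void on_create(struct file_meta *script, const struct file_meta *creator)
{
    if (creator->mark != MARK_PARENT)
        return;
    script->mark = MARK_NON_EXECUTABLE;
    script->creator_hash = path_hash(creator->path);
    script->has_creator = 1;
}

/* S201-S205: decide whether `executor` may execute `script`. */
enum verdict on_exec(const struct file_meta *script,
                     const struct file_meta *executor)
{
    /* S201: both marks are available in the two structs. */
    switch (executor->mark) {                       /* S202 */
    case MARK_INTERPRETER:                          /* S203 */
        return script->mark == MARK_NON_EXECUTABLE ? DENY : ALLOW;
    case MARK_PARENT:                               /* S204 */
        if (script->mark != MARK_NON_EXECUTABLE)
            return ALLOW;
        /* S205: compare the recorded creator identity with the executor. */
        return (script->has_creator &&
                script->creator_hash == path_hash(executor->path))
                   ? ALLOW : DENY;
    default:
        /* Not covered by the patent text; assumption: fail closed. */
        return DENY;
    }
}

/* Scenario: script a1 is either generated at run time by program A, or
 * shipped in the image (where every non-interpreter file carries the
 * parent process mark). Returns the verdict for the given executor. */
enum verdict demo(const char *executor_path, enum mark executor_mark,
                  int created_at_runtime)
{
    struct file_meta prog_a = { "/usr/local/bin/progA", MARK_PARENT, 0, 0 };
    struct file_meta a1 = { "/opt/app/a1.sh", MARK_PARENT, 0, 0 };
    struct file_meta executor = { executor_path, executor_mark, 0, 0 };

    if (created_at_runtime)
        on_create(&a1, &prog_a);
    return on_exec(&a1, &executor);
}

int main(void)
{
    printf("A runs a1 (runtime):     %d\n",
           demo("/usr/local/bin/progA", MARK_PARENT, 1));
    printf("B runs a1 (runtime):     %d\n",
           demo("/usr/local/bin/progB", MARK_PARENT, 1));
    printf("bash runs a1 (runtime):  %d\n",
           demo("/bin/bash", MARK_INTERPRETER, 1));
    printf("bash runs a1 (in image): %d\n",
           demo("/bin/bash", MARK_INTERPRETER, 0));
    return 0;
}
```

The stored identity is a hash of the creator's absolute path, so the check binds a script to the location of its creator rather than to the creator's contents.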
In summary, the method for managing script execution in a container in this embodiment modifies the container engine so that it adds security marks to the files in the container when pulling the container image, which solves the problem that script execution in the container cannot be managed because a newly pulled image has no security marks or the script interpreter in the container has not been modified. Controlling script execution in the container by combining security marks with hash values improves the security of the container at run time while ensuring the normal operation of the service in the container. The method manages script execution in the container by verifying the security marks of the files in the container image and of the script interpreter in the container, and by comparing the hash value recorded in the extended attribute of the script file. Even when a script file's security mark does not permit execution, the script file can still be executed by the parent process that generated it, so the security of the container is ensured and the impact on the business running in the container is reduced. Meanwhile, because the container engine is modified to add the corresponding security marks automatically to the files in a container image when the image is pulled, the files in a container run from such a marked image also carry security marks, which solves the problem of adding security marks to the files in the container.
In addition, the embodiment also provides a system for controlling script execution in a container, which comprises a microprocessor and a memory which are connected with each other, wherein the microprocessor is programmed or configured to execute the method for controlling script execution in the container.
In addition, the present embodiment also provides a computer-readable storage medium storing a computer program that is programmed or configured to be executed by a microprocessor to perform the method of script execution management within the container.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-readable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks. 
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and the protection scope of the present invention is not limited to the above examples, and all technical solutions belonging to the concept of the present invention belong to the protection scope of the present invention. It should be noted that modifications and adaptations to the present invention may occur to one skilled in the art without departing from the principles of the present invention and are intended to be within the scope of the present invention.

Claims (10)

1. A method for controlling script execution in a container, comprising:
s101, when a script file is created in a container, establishing association with a parent process for creating the script file for the script file;
s102, when the script file in the container is monitored to be executed, judging whether an execution program for executing the script file is established as an associated parent process, if so, allowing the script file to be executed, otherwise, prohibiting the script file from being executed.
2. The method for controlling script execution in a container according to claim 1, wherein, when the association with the parent process that created the script file is established for the script file in step S101, the association information of the parent process is the absolute path of the file of the parent process or a hash value of the absolute path of the file of the parent process.
3. The method for controlling script execution in a container according to claim 1, wherein establishing for the script file the association with the parent process that created it in step S101 comprises recording association information of the parent process in an extended attribute of the script file, thereby forming the association with the parent process that created the script file.
4. The method for controlling script execution in a container according to claim 3, wherein recording the association information of the parent process in the extended attribute of the script file means recording the identity information of the parent process in the extended attribute of the script file and adding a non-executable mark to the script file.
5. The method for controlling script execution in a container according to claim 4, further comprising a step of automatically adding security marks to the directories and files in a container image when the container image is pulled, wherein automatically adding security marks comprises: adding a script interpreter mark to script interpreter files, and adding a parent process mark to all files other than the script interpreter.
6. The method for controlling script execution in a container according to claim 5, wherein the step of automatically adding security marks to the directories and files in the container image when the container image is pulled comprises: after the container engine pulls the container image for the container, obtaining the graph driver of the downloaded image through the container inspection function so as to obtain the corresponding directories, and then calling the function for adding security marks in the kernel to recursively add the corresponding security marks to the obtained directories.
7. The method for controlling script execution in a container according to claim 6, wherein, before the step of automatically adding security marks to the directories and files in the container image when the container image is pulled, the method further comprises installing a container patch to modify the container engine, so that the container engine gains the function of automatically adding security marks to the directories and files in the container image when the container image is pulled.
8. The method for controlling script execution in a container according to claim 5, wherein the processing performed in step S102 in response to detecting that a script file in the container is executed comprises:
S201, reading the security mark of the script file and the security mark of the program executing the script file;
S202, checking the type of the security mark of the program executing the script file; if it is a script interpreter mark, jumping to step S203, and if it is a parent process mark, jumping to step S204;
S203, checking the type of the security mark of the script file; if it is a non-executable mark, prohibiting the script file from being executed; otherwise, allowing the script file to be executed and exiting;
S204, checking the type of the security mark of the script file; if it is a non-executable mark, jumping to step S205; otherwise, allowing the script file to be executed and exiting;
S205, checking whether the identity information of the parent process carried in the security mark of the script file is consistent with the identity information of the program executing the script file; if so, allowing the script file to be executed, otherwise prohibiting the script file from being executed.
9. A system for controlling script execution in a container, comprising a microprocessor and a memory connected to each other, wherein the microprocessor is programmed or configured to perform the method for controlling script execution in a container of any of claims 1-8.
10. A computer readable storage medium having a computer program stored therein, wherein the computer program is to be programmed or configured by a microprocessor to perform the method for controlling script execution in a container of any of claims 1-8.
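The decision flow of claim 8 (S201 to S205), together with the marking step of S101 and claim 4, as an added example that is not code from the patent. The struct, enum and function names and the sample paths are assumptions; marks are modelled in memory rather than read from extended attributes, and the identity is the creator's absolute path, one of the two options in claim 2.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Mark kinds from claims 4, 5 and 8; the C names are this example's own. */
enum mark_type { MARK_PARENT_PROCESS, MARK_INTERPRETER, MARK_NON_EXECUTABLE };

struct file_obj {
    const char *path;      /* absolute path of the file */
    enum mark_type mark;   /* security mark, as it would be read from the xattr */
    const char *creator;   /* association info (claim 2): creator's path, or NULL */
};

/* S101 and claim 4: record the creator's identity and add the non-executable mark. */
struct file_obj on_script_created(const char *path, const struct file_obj *creator)
{
    struct file_obj script = { path, MARK_NON_EXECUTABLE, creator->path };
    return script;
}

/* S201-S205: returns true when execution is allowed. */
bool may_execute(const struct file_obj *script, const struct file_obj *exe)
{
    bool flagged = script->mark == MARK_NON_EXECUTABLE;  /* S201: marks already read */
    switch (exe->mark) {                                  /* S202 */
    case MARK_INTERPRETER:                                /* S203 */
        return !flagged;
    case MARK_PARENT_PROCESS:                             /* S204 */
        if (!flagged)
            return true;
        /* S205: identity in the script's mark must match the executing program */
        return script->creator && strcmp(script->creator, exe->path) == 0;
    default:
        return false;  /* case not covered by the claim: fail closed (assumption) */
    }
}

int main(void)
{
    /* Constructed sample files; all paths are hypothetical. */
    struct file_obj sh = { "/bin/sh", MARK_INTERPRETER, NULL };
    struct file_obj worker = { "/opt/app/worker", MARK_PARENT_PROCESS, NULL };
    struct file_obj other = { "/opt/app/other", MARK_PARENT_PROCESS, NULL };
    struct file_obj job = on_script_created("/tmp/job.sh", &worker);
    printf("sh runs job.sh:     %s\n", may_execute(&job, &sh) ? "allow" : "deny");
    printf("worker runs job.sh: %s\n", may_execute(&job, &worker) ? "allow" : "deny");
    printf("other runs job.sh:  %s\n", may_execute(&job, &other) ? "allow" : "deny");
    return 0;
}
```

A script that shipped in the image carries a parent process mark rather than the non-executable mark, so both S203 and S204 allow it regardless of which program runs it.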
CN202310028277.4A 2023-01-09 2023-01-09 Method, system and medium for managing script execution in container Pending CN116126470A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310028277.4A CN116126470A (en) 2023-01-09 2023-01-09 Method, system and medium for managing script execution in container

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310028277.4A CN116126470A (en) 2023-01-09 2023-01-09 Method, system and medium for managing script execution in container

Publications (1)

Publication Number Publication Date
CN116126470A (en) 2023-05-16

Family

ID=86296843

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310028277.4A Pending CN116126470A (en) 2023-01-09 2023-01-09 Method, system and medium for managing script execution in container

Country Status (1)

Country Link
CN (1) CN116126470A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116302210A (en) * 2023-05-17 2023-06-23 阿里云计算有限公司 Image file importing method and device, electronic equipment and storage medium
CN116302210B (en) * 2023-05-17 2023-08-04 阿里云计算有限公司 Image file importing method and device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
EP3528149B1 (en) Software repackaging prevention method and device
KR101740604B1 (en) Generic unpacking of applications for malware detection
RU2005110042A (en) EFFECTIVE CORRECTION OF PROGRAMS
US10474832B2 (en) Method for controlling file input-output in virtualization system
CN107066884A (en) A kind of compatible processing method of linux system software white list
CN116126470A (en) Method, system and medium for managing script execution in container
CN105335197A (en) Starting control method and device for application program in terminal
CN104252594A (en) Virus detection method and device
CN113256296A (en) Intelligent contract execution method, system, device and storage medium
CN114676419A (en) Method, system, equipment and medium for real-time early warning of tampering of application program file
CN113946854B (en) File access control method and device and computer readable storage medium
US20160078227A1 (en) Data processing system security device and security method
CN106529281A (en) Executable file processing method and device
CN110348180B (en) Application program starting control method and device
CN108647516B (en) Method and device for defending against illegal privilege escalation
US20110185353A1 (en) Mitigating Problems Arising From Incompatible Software
US20190102541A1 (en) Apparatus and method for defending against unauthorized modification of programs
US20240031166A1 (en) Web-side data signature method and apparatus and computer device
US11893113B2 (en) Return-oriented programming protection
CN110414230B (en) Virus checking and killing method and device, computer equipment and storage medium
CN112052439A (en) Access right control method and device of embedded system and storage medium
CN108183920A (en) A kind of industrial control system malicious code defending system and its defence method
JP7476140B2 (en) Information processing device, information processing method, and program
CN115080966B (en) Dynamic white list driving method and system
US20230137661A1 (en) Verification method and verification system for information and communication safety protection mechanism

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination