CN116204858A - Access control method and related equipment - Google Patents

Access control method and related equipment

Info

Publication number
CN116204858A
Authority
CN
China
Prior art keywords
application
application process
strategy
kernel
policy
Prior art date
Legal status
Pending
Application number
CN202111446740.4A
Other languages
Chinese (zh)
Inventor
曹建龙
方锐
周广宇
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Events
Application filed by Huawei Technologies Co Ltd
Priority to CN202111446740.4A
Priority to PCT/CN2022/134254 (WO2023098579A1)
Publication of CN116204858A

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/31 User authentication
              • G06F21/44 Program or device authentication
            • G06F21/60 Protecting data
              • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/46 Multiprogramming arrangements
                • G06F9/54 Interprogram communication
                  • G06F9/544 Buffers; Shared memory; Pipes
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
              • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the present application disclose an access control method for reducing the policy access and policy query overhead of access control. The method comprises the following steps: the kernel maps the memory address where a target application policy set is located into the user address space of an object application process, wherein the target application policy set indicates the access permission of a subject application process to an object on the object application process, and the object comprises a service and/or a resource; the object application process, based on an access permission query requirement for a first object, determines the first application policy between the subject application process and the first object from the target application policy set mapped into its user address space; and the object application process determines the access permission of the subject application process to the first object according to the first application policy.

Description

Access control method and related equipment
Technical Field
Embodiments of the present application relate to the field of computers, and in particular to an access control method and related devices.
Background
Access control techniques distinguish the access rights of different applications to an object. The policy is stored on a trusted base so that it cannot be tampered with; when an application requests access to an object, the trusted base is queried for the policy to determine whether the application is allowed to access that object.
However, the trusted base generally runs in kernel space while the application runs in user space, so every policy query requires a context switch, which makes the policy access and policy query overhead of access control high.
Disclosure of Invention
The embodiments of the present application provide an access control method and related equipment for reducing the policy access and policy query overhead of access control.
In a first aspect, an embodiment of the present application provides an access control method, including: the kernel maps the memory address where a target application policy set is located into the user address space of an object application process, wherein the target application policy set indicates the access permission of a subject application process to an object on the object application process, and the object comprises a service and/or a resource; the object application process, based on an access permission query requirement for a first service, determines the first application policy between the subject application process and the first service from the target application policy set mapped into its user address space; and the object application process determines the access permission of the subject application process to the first service according to the first application policy.
In the embodiments of the present application, what is accessed on the application process is called the object, and the process that holds the object is therefore called the object application process (also referred to as the guest application process).
In the embodiments of the present application, the kernel maps the memory address where the target application policy set is located into the user address space of the object application process, so the object application process can query the application policies of the relevant objects through the mapping of the policy set in its user address space and thereby determine the access permission. Determining the access permission (that is, performing access control) needs no context switch between the object application process and the kernel, so the policy access and policy query overhead of access control is reduced.
In an alternative embodiment, the kernel maps the memory address where the target application policy set is located into the user address space of the object application process through the binary loader of the kernel.
In an alternative embodiment, the kernel maps the target application policy set to a memory address and writes that memory address into the auxiliary vector of the executable file of the object application process.
In the embodiments of the present application, passing the mapped address through the auxiliary vector is simpler and cheaper than passing it through a mechanism with a higher performance cost such as a system call.
In an alternative embodiment, the auxiliary vector is located at the top of the stack of the object application process.
In an alternative embodiment, the executable file of the object application process includes a service mask corresponding to the target application policy set. Before the kernel maps the memory address of the target application policy set into the user address space of the object application process, the kernel parses the policy source file to obtain a source policy set, and then determines the target application policy set from the source policy set according to the service mask; the target application policy set is used for protecting the objects on the object application process.
In the embodiments of the present application, the kernel selects the target application policy set for the object application process from the source policy set by the service mask, so the policy set is filtered: application policies irrelevant to the object application process are not mapped, which reduces the user address space occupied in the object application process and the central processing unit (CPU) resources consumed by the mapping.
In an alternative embodiment, the executable file further comprises a signature of the executable file; the kernel verifies the validity of the signature, and only if the signature is valid does it determine the target application policy set from the source policy set according to the service mask.
In the embodiments of the present application, verifying the signature checks the validity of the executable file and of the service mask it carries, so the service mask cannot be tampered with. This guarantees the integrity and accuracy of the application policies mapped into the user address space of the object application process (an untampered mask means that all application policies related to the object application process are mapped), so the object application process can query every application policy that concerns it.
In an alternative embodiment, the service mask corresponding to the target application policy set identifies the target application policy set within the source policy set.
In an alternative embodiment, the executable file of the object application process includes a service mask corresponding to the target application policy set; the kernel determines, according to the service mask, the part of the policy source file corresponding to the target application policy set; the kernel then maps the memory address of the target application policy set into the user address space of the object application process; and the object application process parses that part of the policy source file into the memory address to obtain the target application policy set.
In the embodiments of the present application, the policy source file is parsed by the object application process in user space, so the kernel does not need to parse it, which lowers the kernel's performance cost and improves its running efficiency.
In an alternative embodiment, the kernel randomizes the addresses of the user address space of the object application process before mapping the memory address where the target application policy set resides into that address space.
In the embodiments of the present application, randomizing the addresses of the object application process before mapping reduces the risk that the address of the application policy set is disclosed, and avoids conflicts between the mapped address of the application policy set and address space reserved by the user.
In a second aspect, an embodiment of the present application provides an access control method, including: the kernel maps the memory address of the policy source file into the address space of an access control management process; the access control management process parses the policy source file to obtain a source policy set; the access control management process loads a target application policy set from the source policy set into a shared memory space of an object application process, the target application policy set being used for determining the access rights to the objects on the object application process; and the object application process maps the target application policy set into its user address space.
In the embodiments of the present application, the policy source file is parsed by the access control management process rather than by the kernel, which lowers the kernel's performance cost and improves its running efficiency.
In an optional embodiment, the access control management process parses a configuration file of the object application process to obtain a target identifier of the target application policy set in the source policy set, determines the target application policy set from the source policy set according to the target identifier, and loads the target application policy set into the shared memory corresponding to the object application process.
In the embodiments of the present application, the access control management process selects the target application policy set for the object application process from the source policy set according to the configuration file, so the policy set is filtered and application policies irrelevant to the object application process are not mapped for it, which reduces the user address space occupied in the object application process and the CPU resources consumed by the mapping. In addition, one access control management process parses one policy source file and can serve the application policy mapping of multiple object application processes, so the policy source file is parsed fewer times and CPU resource usage is reduced.
In an alternative embodiment, the access control management process parses the service mask in the configuration file of the object application process to obtain the target identifier of the target application policy set in the source policy set.
In an alternative embodiment, the access control management process identifies the shared memory corresponding to the object application process by a unique identifier of the object application process (for example, its process identification (PID), application name, etc.).
In a third aspect, embodiments of the present application provide a computing device comprising a processor and a memory, the processor being coupled with the memory; the memory is used for storing a program, and the processor is configured to execute the program in the memory so that the processor performs the access control method of the first aspect or the second aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium storing a computer program which, when executed, implements the method of the first or second aspect.
In a fifth aspect, embodiments of the present application provide a computer program product comprising computer program code which, when executed, causes the method of the first or second aspect to be performed.
In a sixth aspect, the present application provides a chip or chip system comprising a processor for implementing the method of the first or second aspect. In one possible design the chip or chip system further comprises a memory for holding program instructions and/or data. The chip system may consist of chips only, or of chips together with other discrete devices.
In a seventh aspect, embodiments of the present application provide a server that includes the chip of the sixth aspect.
For the advantageous effects of the third to seventh aspects, refer to the first or second aspect; they are not repeated here.
Drawings
FIG. 1a is an architecture diagram of an access control method according to an embodiment of the present application;
FIG. 1b is another architecture diagram of an access control method according to an embodiment of the present application;
FIG. 1c is another architecture diagram of an access control method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an access control method according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of an access control method according to an embodiment of the present application;
FIG. 4 is another flow chart of an access control method according to an embodiment of the present application;
FIG. 5 is a schematic diagram of an executable file in an access control method according to an embodiment of the present application;
FIG. 6 is another schematic diagram of an access control method according to an embodiment of the present application;
FIG. 7 is another flow chart of an access control method according to an embodiment of the present application;
FIG. 8 is another schematic diagram of an access control method according to an embodiment of the present application;
FIG. 9a is another schematic flow chart of an access control method according to an embodiment of the present application;
FIG. 9b is another schematic diagram of an access control method according to an embodiment of the present application;
FIG. 10 is a schematic diagram of an access control method according to an embodiment of the present application;
FIG. 11 is a schematic diagram of a computing device according to an embodiment of the present application;
FIG. 12 is a schematic structural diagram of a chip according to an embodiment of the present application.
Detailed Description
The embodiments of the present application provide an access control method for reducing the performance overhead of the kernel and improving its running efficiency.
Referring to fig. 1a, fig. 1a is a schematic diagram of an access control method according to an embodiment of the present application. As shown in fig. 1a, the architecture includes a subject application process, an object application process and a kernel.
The subject application process and the object application process run in user space. The object application process holds an object, and the kernel holds a policy repository that includes policy repository 1 (also called the target application policy set in the embodiments of the present application); policy repository 1 contains the first application policy between the subject application process and the object.
In the embodiments of the present application, a policy consists of a subject, an object and a behavior. The subject is the executor of the access action, which in these embodiments is the subject application process; the object is what is accessed, which in these embodiments is a service and/or a resource; the behavior indicates whether the subject is allowed to access the object.
The application process that holds the object is accordingly called the object application process (also referred to as the guest application process).
The kernel maps policy repository 1 into the user address space of the object application process. The object application process protects the object; when the subject application process needs to access the object, the first application policy must be queried, and the object application process can query it through the mapping of policy repository 1 in its user address space.
Referring to fig. 1b, fig. 1b is another architecture diagram of an access control method according to an embodiment of the present application. As shown in fig. 1b, the architecture includes a subject application process, an object application process and a kernel.
The kernel determines, from the policy source file (encoded policy of interest, ePOI), the part of the policy source file corresponding to the object application process (parsing that part yields the target application policy set), and maps the target application policy set into the user address space of the object application process. The object application process parses that part of the policy source file and loads the parsed policy set into its user address space, obtaining its target application policy set (that is, policy repository 1).
The target application policy set protects the objects on the object application process; when the subject application process needs to access an object on the object application process, the first application policy must be queried, and the object application process can query it through the mapping of the target application policy set (policy repository 1) in its user address space.
Referring to fig. 1c, fig. 1c is another architecture diagram of an access control method according to an embodiment of the present application. As shown in fig. 1c, the architecture includes a subject application process, a plurality of object application processes, an access control management process and a kernel.
The subject application process, the object application processes and the access control management process run in user space. Each object application process holds an object, and the kernel holds a policy repository comprising policy repository 1, policy repository 2, ..., policy repository n. Policy repository 1 contains the policies related to object 1 on object application process 1 and is also called the target application policy set of that process; the other policy repositories follow by analogy and are not described in detail.
The kernel maps the policy repository to the access control management process, and the access control management process maps the part of the policy repository related to each object application process into the user address space of that process (for example, policy repository 1 into the user address space of object application process 1). Object application process 1 protects object 1; when the subject application process needs to access object 1, the first application policy must be queried, and object application process 1 can query it through the mapping of policy repository 1 in its user address space. The roles of the other object application processes follow by analogy and are not described in detail.
In the architectures of fig. 1a, 1b and 1c, and in other embodiments of the present application, the object application process initiates the policy query and may therefore also be called a policy enforcement point (PEP); since it also performs the policy query, it may also be called a policy decision point (PDP).
Based on the architecture of any one of fig. 1a, 1b and 1c, an embodiment of the present application provides an access control method, shown schematically in fig. 2. As shown in fig. 2, the policy mapping module in the kernel maps the application policy set associated with the object (on the object application process) into the user address space of the object application process. If the subject application process needs to access the object on the object application process, the policy query module (PDP) on the object application process, based on the access permission query requirement for that object, can query the application policy set through its mapping in the user address space, thereby determining the first application policy between the subject application process and the object, and then determines the access permission of the subject application process to the object according to the first application policy.
With this access control method, when the object application process (PDP) needs to query the access permission of the subject application process to an object, it only needs to look up the corresponding policy in the application policies mapped into its user address space: no kernel participation and no context switch is needed, so the policy access and policy query overhead of access control is reduced.
Referring to fig. 3, fig. 3 illustrates an access control method provided in an embodiment of the present application, where the method includes:
301. The kernel maps the memory address where a target application policy set is located into the user address space of an object application process, wherein the target application policy set indicates the access permission of a subject application process to an object on the object application process, and the object comprises a service and/or a resource.
In the embodiments of the present application, the kernel may determine the memory address where the target application policy set is located and, before the object application process starts, map that memory address into the user address space of the object application process.
Optionally, the kernel may communicate the mapped address through the auxiliary vector. Specifically, before the object application process is started, the kernel may write the memory address to which the target application policy set is mapped into the auxiliary vector of the executable file of the object application process. When the object application process starts, the mapped address of the target application policy set (that is, the storage address of the application policies on the object application process) can be obtained from the auxiliary vector.
302. The object application process, based on the access permission query requirement of the subject application process for a first object, determines the first application policy between the subject application process and the first object from the target application policy set in its user address space.
If the subject application process needs to access the first object on the object application process, the object application process needs to query the access permission for the first object; based on that query requirement, it searches the target application policy set in its user address space and thereby determines the first application policy between the subject application process and the first object.
303. The object application process determines the access permission of the subject application process to the first object according to the first application policy.
The subject of the first application policy is the subject application process accessing the first object, and its object is the first object on the object application process, so the object application process can determine the access permission of the subject application process to the first object from the behavior of the first application policy. If the behavior of the first application policy is "accessible", the subject application process may access the first object.
Optionally, the target application policy set may originate from parsing of a policy source file. Depending on where the policy source file is parsed, the embodiments of the present application include the following cases: 1. the policy source file is parsed by the kernel; 2. the policy source file is parsed by the access control management process.
Each case is explained below.
1. The policy source file is parsed by the kernel.
Fig. 4 is a schematic diagram of an access control method provided in an embodiment of the present application, where a method for parsing a policy source file by a kernel is shown in fig. 4, and the method may be implemented based on the architecture shown in fig. 1a, and the method includes:
1. the kernel reads the policy source file.
2. The kernel parses the policy source file.
The kernel analyzes the strategy source file to obtain a source strategy set, wherein the source strategy set comprises strategies between all subjects and all objects. Wherein the object may be a resource and/or a service; the location where the object is located may be an object application process.
When the object of the policy is an object on an object application process running on the user process space, the policy is referred to as an application policy. The embodiment of the application is used for avoiding context switching in the process of inquiring the access authority by the object application process, so that the application strategy is focused on, and is called an interested strategy (policy of interest, POI), and a strategy source file is called an encoded POI (ePOI).
The number of POIs is one or more, so in embodiments of the present application, POIs are also referred to as application policy sets.
3. The kernel verifies the signature.
Before starting the guest application process, the kernel can confirm the legitimacy of the executable file of the guest application process by verifying the signature so as to ensure that the executable file is not tampered. If the kernel verifies that the signature is legal, the subsequent steps are executed.
4. The kernel extracts policies by service mask.
The executable file includes the service mask of the guest application process. The service mask identifies the identifier (ID) of the POI in the source policy set, and the kernel determines the POI from the source policy set parsed in step 1 according to the service mask, thereby screening the application policies. In the present embodiment, this step is also referred to as policy extraction.
Alternatively, the service mask may be a 32-bit integer that identifies the ID of the POI in the source policy set, for example by matching against the ID. Note that 32 bits is just one example of the width of the service mask; it may be wider or narrower, such as 16 bits or 64 bits, without limitation.
As shown in fig. 5, before the object application process leaves the factory, the original equipment manufacturer (OEM) may package the service mask, the signature (i.e., the signature verified in step 3 of this embodiment) and the source executable file of the object application process to form the executable file of the object application process. Alternatively, the service mask and signature information may be described in the header of the executable file.
Optionally, in addition to determining the service mask before the process leaves the factory, if an object on the object application process is added after leaving the factory, the service mask may be modified afterwards. In this case the service mask should be modified by a trusted agent (e.g., the kernel) to ensure that it remains accurate.
5. The kernel prepares an address space mapping policy.
The kernel prepares a process address space for the guest application process, and maps the memory address of the POI to the process address space.
6. The kernel assigns the auxiliary vector as a policy mapped address.
The kernel stores the mapping address information in the auxiliary vector, thereby delivering the mapping address of the application policy to the guest application process. Specifically, the auxiliary vector is part of the executable file, and when the executable file is resolved, the auxiliary vector is resolved to a designated address. The kernel therefore sets the auxiliary vector entry to the mapping address of the POI, so that the mapping address information is transferred through the auxiliary vector.
For example, as shown in fig. 6, an AT_POLICY vector may be added to the C language standard library (C standard library, libc) and used to write to a reserved memory location in the user address space.
Optionally, when the AT_POLICY vector is created in the auxiliary vector table of the guest application process, a vector array is reserved at the top of the stack of the guest application process. This vector array is the auxiliary vector; each element (vector) in the array corresponds to one application policy, and the AT_POLICY vector is one element of the array, indicating the address of the mapping location of the application policy in user process space.
When the kernel creates the guest application process, the mapping address of the application policy in the POI can be assigned to AT_POLICY. When the application process queries a policy, the mapping address of the target application policy set (POI) can be obtained from the [AT_POLICY] position of the auxiliary vector at the top of the stack.
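The auxiliary-vector hand-off described in steps 5 and 6 can be illustrated with a small simulation. This is an added example, not code from the patent or from any libc: AT_NULL and AT_PAGESZ are real auxv keys, while AT_POLICY and its numeric value 0x4E are hypothetical placeholders chosen for this illustration. The "kernel side" function inserts the POI mapping address before the terminator, and the "user side" function scans the vector the way a process would at start-up; on Linux the program also walks its own real auxv (which sits just past the environment pointer array) to show that a stock kernel carries no such key.

```c
/* Added example (not the patent's code): passing a policy mapping address
 * through an ELF-style auxiliary vector.  AUX_NULL/AUX_PAGESZ mirror real
 * auxv keys; AUX_POLICY (0x4E) is a hypothetical key for this example. */
#include <stddef.h>
#include <stdio.h>

struct auxv_entry { unsigned long a_type; unsigned long a_val; };

#define AUX_NULL   0UL     /* real: terminates the vector */
#define AUX_PAGESZ 6UL     /* real: system page size */
#define AUX_POLICY 0x4EUL  /* hypothetical: POI mapping address */

/* Kernel side (simulated): insert {AUX_POLICY, addr} before the terminator,
 * or overwrite an existing entry.  Returns 0 on success, -1 if no slot. */
int auxv_set_policy(struct auxv_entry *auxv, size_t slots, unsigned long addr)
{
    size_t i = 0;
    while (i < slots && auxv[i].a_type != AUX_NULL) {
        if (auxv[i].a_type == AUX_POLICY) {
            auxv[i].a_val = addr;
            return 0;
        }
        i++;
    }
    if (i + 1 >= slots)            /* need room for the entry and the terminator */
        return -1;
    auxv[i].a_type = AUX_POLICY;
    auxv[i].a_val  = addr;
    auxv[i + 1].a_type = AUX_NULL;
    auxv[i + 1].a_val  = 0;
    return 0;
}

/* User side: scan the vector for a key.  Returns 1 and sets *val if found. */
int auxv_get(const struct auxv_entry *auxv, unsigned long type, unsigned long *val)
{
    for (; auxv->a_type != AUX_NULL; auxv++) {
        if (auxv->a_type == type) {
            *val = auxv->a_val;
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed vector, as a loader might leave it above the stack. */
    struct auxv_entry table[8] = {
        { AUX_PAGESZ, 4096 },
        { AUX_NULL, 0 },
    };
    unsigned long addr = 0;

    auxv_set_policy(table, 8, 0x7f0000001000UL);   /* constructed address */
    if (auxv_get(table, AUX_POLICY, &addr))
        printf("POI mapped at 0x%lx\n", addr);

#ifdef __linux__
    /* The real auxv follows the NULL that ends the envp array.  A stock
     * kernel supplies AT_PAGESZ but no policy key. */
    extern char **environ;
    char **p = environ;
    while (*p) p++;
    const struct auxv_entry *real = (const struct auxv_entry *)(p + 1);
    unsigned long pagesz = 0;
    int have_pagesz = auxv_get(real, AUX_PAGESZ, &pagesz);
    printf("real AT_PAGESZ=%lu, AT_POLICY present=%d\n",
           have_pagesz ? pagesz : 0UL, auxv_get(real, AUX_POLICY, &addr));
#endif
    return 0;
}
```

The lookup is a plain linear scan with no system call, which is the property the patent relies on: once the kernel has written the entry, the process reads the address from its own stack without a privilege switch.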
7. The kernel returns the user address space.
After the kernel finishes the steps 1 to 6, the mapping from the POI memory address to the auxiliary vector on the user address space of the guest application process is finished, so that the user address space can be returned to facilitate the application process to start, and the subsequent steps are executed.
8. The guest application process is started.
In the embodiment of the application, after the guest application process is started, the query of the application process on the access authority of the object can be realized.
9. The object application process obtains the policy mapping address through the auxiliary vector.
Based on its requirement to query the access right to the first object, the object application process obtains the mapping address through the auxiliary vector and, via that address, queries the application policy whose object is the first object on the object application process.
In the embodiment of the application, the policy source file is parsed by the kernel and stored in the kernel, so parsing is fast and efficient. In addition, the kernel completes parsing and mapping before the application process starts, and the policy can be queried immediately after the process starts, which improves policy query efficiency.
2. The policy source file is parsed by the guest application process.
In the method in which the kernel parses the policy source file, the parsing occupies kernel resources. The embodiment of the application can therefore move the parsing of the policy source file to the object application process in user space, which reduces the performance overhead of the kernel and improves its running efficiency.
Fig. 7 is a schematic flow chart of an access control method according to an embodiment of the present application, where the method may be implemented by using the architecture shown in fig. 1b, and as shown in fig. 7, the method includes:
1. The kernel reads the policy source file ePOI.
2. The kernel verifies the signature.
When the guest application process needs to be started, the kernel can confirm the legitimacy of the executable file of the guest application process by verifying the signature so as to ensure that the executable file is not tampered. If the kernel verifies that the signature is legal, the subsequent steps are executed.
3. The kernel extracts the part of the policy source file corresponding to the object application process according to the service mask.
The executable file includes the service mask of the guest application process. The service mask identifies the identifier (ID) of the POI in the source policy set, and the kernel determines, according to the service mask, the part of the policy source file ePOI that corresponds to the POI, thereby screening the application policies. In the present embodiment, this step is also referred to as policy extraction.
The description of the service mask is referred to step 4 in fig. 4, and will not be repeated here.
4. The kernel prepares an address space map ePOI.
The kernel prepares an address space for the guest application process and maps the memory address of the POI to the address space of the guest application process.
5. The kernel assigns the auxiliary vector as a policy mapped address.
The kernel stores the mapping address information into the auxiliary vector, thereby delivering the mapping address information of the application policy to the guest application process. The specific process is described with reference to step 6 in fig. 4, and will not be described here again.
6. The kernel returns the user address space.
7. The guest application process is started.
Step 6 and step 7 refer to the descriptions of step 7 and step 8 in fig. 4, and are not described herein.
8. The object application process obtains the policy mapping address through the auxiliary vector.
The guest application process obtains the mapping address from the auxiliary vector based on the subject application process's access-right query requirement for the first object, and determines the location of the application policy from the mapping address.
9. The object application process parses the policy (ePOI -> POI).
The object application process parses the part of the policy source file corresponding to its POI, as determined in step 3, to obtain the POI. Because the kernel has prepared an address space in step 4 and mapped that part of the policy source file into it, the guest application process can locate its POI through the mapping of step 4, parse it and load it into its own process address space. (What is mapped in step 4 is the source policy file; the guest application process therefore finds the source file through the mapping address, parses it into its own user address space, and answers policy queries from the policies parsed from that file.)
In the embodiment of the application, the policy source file is parsed by the object application process, and the kernel is not required to parse it, so the performance overhead of the kernel is reduced and its running efficiency is improved.
3. The policy source file is parsed by an access control management process.
After step 9 of the method shown in fig. 7 is executed, the application policy can be queried, but every object application process must parse the ePOI into its POI before it can query policies. As shown in fig. 8, both guest application process 1 and guest application process 2 must parse the ePOI into a POI before their subsequent POI query operations, and this ePOI parsing slows down the start-up of each guest application process.
To avoid each object application process having to parse the ePOI, the embodiment of the application provides a method in which the ePOI is parsed once in an access control management process to obtain the source policy set, and the application policy set required by each object application process is mapped, through shared memory, into the user address space of the corresponding object application process in another user-mode process, realizing the mapping from the POI to the corresponding object application process. Thus guest application processes in several user-mode contexts can query policies after the ePOI has been parsed only once.
In the embodiment of the application, the access control management process parses and manages all application access control policies.
Fig. 9a is a schematic flow chart of an access control method according to an embodiment of the present application, which may be implemented based on the architecture shown in fig. 1 c. As shown in fig. 9a, the specific steps of the method are as follows:
1. The kernel reads the policy source file ePOI.
2. The kernel verifies the signature.
The kernel verifies the signature of the source executable file of the guest application process; this source executable file does not include a service mask, and the purpose of verifying the signature is to confirm the legitimacy of the access control management process.
3. The kernel maps the policy source file ePOI to the access control management process.
The kernel prepares an address space for access control management processes and maps a policy source file ePOI thereto. The ePOI mapped here is a policy source file containing information of all policies.
4. The kernel transmits the mapping address information of the ePOI to the access control management process through the auxiliary vector.
The kernel stores the mapping address information of the ePOI into the auxiliary vector, thereby transferring the mapping address information of the ePOI to the access control management process. The description of the auxiliary vector is referred to in step 6 of fig. 4, and will not be repeated here.
5. The kernel returns the user address space.
6. The access control management process is started.
7. The access control management process obtains the mapping address of the ePOI through the auxiliary vector.
8. The access control management process analyzes the ePOI to obtain a source policy set.
The access control management process parses the ePOI to obtain the source policy set, which is parsed into the process space of the access control management process; referring to fig. 9b, step 9 in fig. 9a corresponds to step (1) in fig. 9b.
9. The access control management process determines the respective POI of each object application process (one per object application process) according to the service ID of that object application process.
Optionally, after the guest application process is started, the access control management process may obtain the configuration file of the guest application process and parse the service mask in it, obtaining the policy ID (also referred to herein as the target identifier, or service ID) of the target application policy set (POI) in the source policy set. The access control management process may then determine the target application policy set (POI) from the source policy set based on the target identifier.
In the embodiment of the application, the policy ID of the object application process's POI in the source policy set may be obtained not only by parsing the service mask in the configuration file but also by other means, such as inter-process communication (IPC), without limitation.
10. The access control management process loads the POI into the shared memory space of the corresponding object application process.
Once the access control management process has determined the target application policy set (POI), it can load the memory address of the target application policy set into the shared memory corresponding to the object application process, so that the target application policy set (POI) is mapped into that shared memory. Alternatively, this step may be performed by a policy resolver in the access control management process; see step (2) in fig. 9b.
The shared memory space between the access control management process and each object application process is specified by a different shared memory file, whose name corresponds to the object application process; the name may be the app name or another unique identifier of the object application process, which is not limited herein.
11. The object application process maps the corresponding shared memory file.
The object application process finds the corresponding shared memory file according to its own app name (or other unique identifier) and maps the POI in that shared memory file into its user process space. The POI of the guest application process is stored in the shared memory file. This step corresponds to step (3) in fig. 9b.
In the embodiment of the application, all policies are parsed in user mode by one access control management process, and the application policies of several object application processes are mapped from it, so that no policy parsing is needed when each object application process starts, and the complexity of the system is reduced.
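Steps 10 and 11 of fig. 9a, publishing a POI into a per-application shared memory file and mapping it read-only in the object application process, can be demonstrated with ordinary POSIX file mapping. This is an added example, not code from the patent: the file layout (a small header with a magic value and entry count followed by policy records), the path pattern `/tmp/poi-<app name>` and the app-name validation are all assumptions made here. The object side validates the header and bounds before trusting the mapping, and the name check keeps a supplied app name from escaping the shared-memory directory.

```c
/* Added example (not from the patent): a management process publishes a POI
 * into a per-app shared memory file; the object process maps it read-only and
 * validates it before use.  File layout, /tmp/poi-<app> path and the name
 * alphabet are assumptions for this illustration. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define POI_MAGIC 0x494F5031u   /* constructed "POI1" marker */

struct policy     { uint32_t subject_id, object_id, perms; };
struct poi_header { uint32_t magic; uint32_t count; };
struct poi_view   { const struct policy *entries; uint32_t count; void *base; size_t size; };

/* Only a conservative app-name alphabet is accepted, so the name cannot
 * contain '/' or ".." and always stays under the /tmp/poi- prefix. */
static int shm_path(const char *app, char *buf, size_t len)
{
    size_t n = strlen(app);
    if (n == 0 || n > 64) return -1;
    for (size_t i = 0; i < n; i++) {
        char c = app[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '_';
        if (!ok) return -1;
    }
    return snprintf(buf, len, "/tmp/poi-%s", app) < (int)len ? 0 : -1;
}

/* Management-process side (step 10): write header + entries into the file.
 * Mode 0644: only the publisher can write, object processes only read. */
int publish_poi(const char *app, const struct policy *pols, uint32_t count)
{
    char path[128];
    if (shm_path(app, path, sizeof path) < 0) return -1;
    size_t size = sizeof(struct poi_header) + (size_t)count * sizeof *pols;
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    if (ftruncate(fd, (off_t)size) < 0) { close(fd); return -1; }
    void *m = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    if (m == MAP_FAILED) return -1;
    struct poi_header hdr = { POI_MAGIC, count };
    memcpy(m, &hdr, sizeof hdr);
    memcpy((char *)m + sizeof hdr, pols, (size_t)count * sizeof *pols);
    munmap(m, size);
    return 0;
}

/* Object-process side (step 11): map read-only and validate the header and
 * declared length against the file size before exposing any entry. */
int map_poi(const char *app, struct poi_view *v)
{
    char path[128];
    struct stat st;
    if (shm_path(app, path, sizeof path) < 0) return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || (size_t)st.st_size < sizeof(struct poi_header)) { close(fd); return -1; }
    size_t size = (size_t)st.st_size;
    void *m = mmap(NULL, size, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    if (m == MAP_FAILED) return -1;
    const struct poi_header *h = m;
    size_t need = sizeof *h + (size_t)h->count * sizeof(struct policy);
    if (h->magic != POI_MAGIC || need > size) { munmap(m, size); return -1; }
    v->base = m; v->size = size;
    v->entries = (const struct policy *)(h + 1);
    v->count = h->count;
    return 0;
}

void unmap_poi(struct poi_view *v)
{
    if (v->base) munmap(v->base, v->size);
    v->base = NULL; v->entries = NULL; v->count = 0;
}

/* Query over the mapped view, default deny for unknown pairs. */
int poi_allows(const struct poi_view *v, uint32_t subj, uint32_t obj, uint32_t perm)
{
    for (uint32_t i = 0; i < v->count; i++)
        if (v->entries[i].subject_id == subj && v->entries[i].object_id == obj)
            return (v->entries[i].perms & perm) == perm;
    return 0;
}

int main(void)
{
    struct policy pols[2] = { { 100, 1, 0x1 }, { 100, 2, 0x3 } };  /* constructed */
    struct poi_view v;
    if (publish_poi("demo_app", pols, 2) == 0 && map_poi("demo_app", &v) == 0) {
        printf("mapped %u policies; 100->2 write: %s\n", v.count,
               poi_allows(&v, 100, 2, 0x2) ? "allow" : "deny");
        unmap_poi(&v);
    }
    return 0;
}
```

Because the object process maps the file with PROT_READ only, it cannot alter its own policy set through the mapping; write access rests with whoever owns the published file, which in the patent's design is the access control management process.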
As shown in fig. 10, an embodiment of the present application provides a policy query framework. The guest application process is started by the system process; after entering the kernel, the kernel loads the executable file of the guest application process with a binary loader. A header analyzer in the kernel inspects the header tag of the executable file to see whether a security marker for verifying identity is present. The signature analyzer checks the identity; if it is legitimate, the policy held in the kernel is mapped to a random location in the process address space, and the address information is transmitted to the object application process through the auxiliary vector. After the guest application process is started, it can query the memory quickly and obtain the access policy.
Optionally, if the kernel is a trusted computing base (trusted computing base, TCB), the policy loading component is used to load and map the policy to the user address space of the guest application process.
Compared with the prior art, the access control method provided by the embodiment of the application has the following advantages:
1. In existing access control technology, access isolation between the kernel and user-mode applications is realized through privilege isolation, so every policy query requires a privilege switch, i.e., a context switch.
The method of the embodiment of the application can query the policy without a privilege switch. In addition, the mapping in the embodiment of the application is performed by the kernel, which belongs to the trusted base, so the trustworthiness of the policy mapping is ensured.
2. In one prior art approach, context switches are reduced by having a policy management service (policy manager server, PMS) running in user space store the application policies related to the guest application process; however, this approach requires inter-process communication (IPC) with the PMS before each query, so the IPC performance loss cannot be avoided.
The method of the embodiment of the application does not need IPC with a PMS: the policy is mapped directly into the address space of the guest application process, and no new privileged process is needed.
3. In the prior art, the kernel needs to protect shared resources with an atomic lock, and performance drops under a symmetric multi-processing (SMP) architecture.
According to the method, each object application process is provided locally with a mapping of the application policies it needs, so the kernel does not need to protect shared resources with an atomic lock, and performance under SMP is improved.
The access control method provided by the embodiment of the application is described above, and the device provided by the embodiment of the application is described below.
Referring to fig. 11, an embodiment of the present application provides a computing device 1100 including a processor 1101 and a memory 1102; the processor 1101 is coupled to the memory 1102; the memory 1102 is used for storing programs; the processor 1101 is configured to execute a program in the memory 1102, so that the processor 1101 performs the access control method described in fig. 2 to 10.
Referring to fig. 12, an embodiment of the present application provides a chip 1200, where the chip 1200 includes at least one processor 1201 and a communication interface 1202, the communication interface 1202 and the at least one processor 1201 are interconnected by a line, and the at least one processor 1201 is configured to execute a computer program or instructions to perform an access control method corresponding to any of the foregoing embodiments of fig. 2 to 10.
The communication interface 1202 in the chip may be an input/output interface, a pin, a circuit, or the like.
In one possible implementation, the chip 1200 described above in the present application further includes at least one memory 1203, in which instructions are stored. The memory 1203 may be a memory unit inside the chip, for example a register or a cache, or may be a memory unit of the chip (for example a read-only memory or a random access memory).
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.

Claims (14)

1. An access control method, comprising:
the method comprises the steps that a kernel maps a memory address where a target application policy set is located to a user address space of a guest application process, wherein the target application policy set indicates the access rights of a subject application process to objects on the guest application process, and the objects comprise a service and/or a resource;
the object application process, based on an access-right query requirement for a first object, determines a first application policy between the subject application process and the first object according to the target application policy set mapped to the user address space;
and the object application process determines the access right of the subject application process to the first object according to the first application policy.
2. The method of claim 1, wherein the kernel maps the memory address where the target application policy set is located to a user address space of the guest application process, comprising:
and the kernel writes the memory address to which the target application policy set is mapped into an auxiliary vector in an executable file of the object application process.
3. The method according to claim 1 or 2, wherein the executable file of the guest application process comprises a service mask corresponding to the target application policy set;
Before the kernel maps the memory address where the target application policy set is located to the user address space of the guest application process, the method further includes:
the kernel parses the policy source file to obtain a source policy set;
and the kernel determines the target application policy set from the source policy set according to the service mask, wherein the target application policy set is used for protecting the objects on the object application process.
4. The method of claim 3, wherein the executable file further comprises a signature of the executable file;
the kernel determining the target application policy set from the source policy set according to the service mask, including:
the kernel verifies the validity of the signature;
and if the signature is legal, the kernel determines the target application policy set from the source policy set according to the service mask.
5. The method of claim 3 or 4, wherein a service mask corresponding to the target set of application policies is used to identify the target set of application policies in the source set of policies.
6. The method according to claim 1 or 2, wherein the executable file of the guest application process comprises a service mask corresponding to the target application policy set;
Before the kernel maps the memory address where the target application policy set is located to the user address space of the guest application process, the method further includes:
the kernel determines, according to the service mask, the partial policy source file corresponding to the target application policy set from the policy source file;
the method further comprises the steps of:
and the object application process parses the partial policy source file at the memory address to obtain the target application policy set.
7. The method of any of claims 1 to 6, wherein before the kernel maps the memory address where the target application policy set is located to the user address space of the guest application process, the method further comprises:
the kernel randomizes the addresses of the user address space of the guest application process.
8. An access control method, the method comprising:
the kernel maps the memory address of the policy source file to the address space of an access control management process;
the access control management process parses the policy source file to obtain a source policy set;
the access control management process loads a target application policy set in the source policy set into a shared memory space of the object application process; the target application policy set is used for determining the access rights to objects on the object application process;
The guest application process maps the set of target application policies to a user address space of the guest application process.
9. The method of claim 8, wherein the access control management process loads a memory address of a target application policy set in the source policy set into a shared space corresponding to a guest application process, comprising:
the access control management process analyzes the configuration file of the object application process to obtain a target identifier of the target application policy set in the source policy set;
the access control management process determines the target application policy set from the source policy set according to the target identifier;
and the access control management process loads the target application policy set into the shared memory corresponding to the object application process.
10. A computing device comprising a processor and a memory; the processor is coupled with the memory;
the memory is used for storing programs;
the processor configured to execute a program in the memory, so that the processor performs the access control method according to any one of claims 1 to 9.
11. A computer readable storage medium for storing a computer program which, when run on a computer, causes the computer to perform the method of any one of claims 1 to 9.
12. A computer program product, the computer program product comprising: computer program code;
the computer program code, when executed, implements the method of any of claims 1 to 9.
13. A chip comprising at least one processor and an interface;
the interface is used for providing program instructions or data for the at least one processor;
the at least one processor is configured to execute the program instructions to implement the method of any one of claims 1 to 9.
14. A server comprising the chip of claim 13.
CN202111446740.4A 2021-11-30 2021-11-30 Access control method and related equipment Pending CN116204858A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111446740.4A CN116204858A (en) 2021-11-30 2021-11-30 Access control method and related equipment
PCT/CN2022/134254 WO2023098579A1 (en) 2021-11-30 2022-11-25 Access control method and related device


Publications (1)

Publication Number Publication Date
CN116204858A true CN116204858A (en) 2023-06-02


Country Status (2)

Country Link
CN (1) CN116204858A (en)
WO (1) WO2023098579A1 (en)


Also Published As

Publication number Publication date
WO2023098579A1 (en) 2023-06-08


Legal Events

Date Code Title Description
PB01 Publication