CN116360797A - DSL-based security baseline creation method, system, device and medium - Google Patents
DSL-based security baseline creation method, system, device and medium Download PDFInfo
- Publication number
- CN116360797A CN116360797A CN202310650068.3A CN202310650068A CN116360797A CN 116360797 A CN116360797 A CN 116360797A CN 202310650068 A CN202310650068 A CN 202310650068A CN 116360797 A CN116360797 A CN 116360797A
- Authority
- CN
- China
- Prior art keywords
- target
- basic
- dsl
- grammar tree
- language
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 58
- 230000014509 gene expression Effects 0.000 claims abstract description 82
- 238000013507 mapping Methods 0.000 claims description 15
- 238000012545 processing Methods 0.000 claims description 12
- 238000004590 computer program Methods 0.000 claims description 10
- 238000005457 optimization Methods 0.000 claims description 8
- 230000008707 rearrangement Effects 0.000 claims description 6
- 230000003993 interaction Effects 0.000 claims description 4
- 230000006870 function Effects 0.000 description 47
- 230000008569 process Effects 0.000 description 11
- 238000006243 chemical reaction Methods 0.000 description 4
- 238000004364 calculation method Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000009466 transformation Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000007796 conventional method Methods 0.000 description 1
- 125000004122 cyclic group Chemical group 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 239000013307 optical fiber Substances 0.000 description 1
- 230000008929 regeneration Effects 0.000 description 1
- 238000011069 regeneration method Methods 0.000 description 1
- 238000009877 rendering Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/42—Syntactic analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/30—Creation or generation of source code
- G06F8/31—Programming languages or programming paradigms
- G06F8/315—Object-oriented languages
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Devices For Executing Special Programs (AREA)
- Stored Programmes (AREA)
Abstract
The embodiment of the application provides a DSL-based security baseline creation method, a DSL-based security baseline creation system, DSL-based security baseline creation equipment and DSL-based security baseline creation medium. The method comprises the following steps: obtaining a basic expression, wherein the basic expression is written in DSL language; analyzing the basic expression to obtain a basic grammar tree, and converting the basic grammar tree into a target grammar tree corresponding to a target language; and obtaining a target source code based on the target grammar tree, and further obtaining a corresponding security baseline component. The user can obtain the target grammar tree by converting the basic grammar tree only by inputting the basic expression of DSL language, and further obtain the source code of the corresponding target language, thus obtaining the self-defined safety baseline assembly. The user can define his own security baseline through this language and implement the relevant security measures.
Description
Technical Field
The embodiments of the application belong to the technical field of computer security, in particular to a DSL-based security baseline creation method, a DSL-based security baseline creation system, DSL-based security baseline creation equipment and DSL-based security baseline creation medium.
Background
In modern IT environments, security has been an important issue. To ensure the security of computer systems and networks, enterprises need to use security baselines to specify security requirements and implement corresponding security measures. Conventional methods typically use wizard-type definition methods to create custom security baselines, which have some drawbacks in terms of flexibility and programmability. If a programming mode is adopted to self-define the safety base line, the difficulty is higher, and the cost is higher. Thus, a new approach is needed to balance flexibility and programmability.
Disclosure of Invention
In view of the above-mentioned shortcomings of the prior art, the present invention aims to provide a method, a system, a device and a medium for establishing a secure baseline based on DSL, which can solve the problem of high difficulty in establishing the secure baseline in the prior art.
In order to achieve the above purpose, the invention adopts the following technical scheme:
in one aspect, the present invention provides a DSL-based security baseline creation method, including:
obtaining a basic expression, wherein the basic expression is written in DSL language;
analyzing the basic expression to obtain a basic grammar tree, and converting the basic grammar tree into a target grammar tree corresponding to a target language;
and obtaining a target source code based on the target grammar tree, and further obtaining a corresponding security baseline component.
Further, the method for converting the basic grammar tree into the target grammar tree corresponding to the target language specifically includes:
acquiring all first node data on the basic grammar tree;
obtaining second node data corresponding to all the first node data based on the mapping set;
and obtaining the target grammar tree based on all the second node data.
Further, DSL administrative operations are included;
the DSL administrative operations include:
and carrying out data expansion on the mapping set based on the increase of the demand.
Further, after obtaining the basic syntax tree, the method further includes:
and carrying out optimization processing on the target grammar tree to obtain an optimized basic grammar tree, wherein the optimization processing comprises logic rearrangement on the basic grammar tree based on execution logic.
Further, the determining mode of the target language comprises a fixed mode and a dynamic adjusting mode;
the dynamic adjustment mode specifically comprises the following steps:
acquiring basic operation parameters of a target system;
the target language is matched based on the base operating parameters.
Further, the method further comprises the following steps:
and storing the security baseline component in an associated mode by taking the corresponding basic expression as a label, so that the corresponding security baseline component is directly output when the same basic expression is obtained later.
On the other hand, the invention provides a security baseline creation method, which is applied to a server and comprises the following steps:
receiving a basic expression sent by an intelligent terminal, wherein the basic expression is written by using DSL language;
analyzing the basic expression to obtain a basic grammar tree, and converting the basic grammar tree into a target grammar tree corresponding to a target language;
and obtaining a target source code based on the target grammar tree, and further obtaining a corresponding safety baseline component to feed back to a target terminal.
Further, the target terminal comprises the intelligent terminal and other appointed intelligent terminals.
In another aspect, the present invention provides a security baseline creation system, comprising:
the first interaction module is used for acquiring a basic expression, and the basic expression is written in DSL language;
the processing module is used for analyzing the basic expression to obtain a basic grammar tree and converting the basic grammar tree into a target grammar tree corresponding to a target language; and obtaining a target source code based on the target grammar tree, and further obtaining a corresponding security baseline component.
In another aspect, the present invention provides a security baseline creation system, comprising:
the intelligent terminal is used for sending a basic expression to the server, wherein the basic expression is written by DSL language; and receiving a security baseline component sent by the server;
the server side is used for acquiring a basic expression; analyzing the basic expression to obtain a basic grammar tree, and converting the basic grammar tree into a target grammar tree corresponding to a target language; obtaining a target source code based on the target grammar tree, further obtaining a corresponding safety baseline component and feeding back the safety baseline component to a target terminal; the target terminal comprises the intelligent terminal and other appointed intelligent terminals.
In another aspect, the present invention provides an electronic device, including:
a memory storing a computer program;
and the processor is used for realizing the safety baseline creation method based on DSL when executing the computer program.
In another aspect, the invention provides a computer readable medium storing a computer program which when executed by a processor implements a method of establishing a DSL-based security baseline according to the above.
Compared with the prior art, the DSL-based security baseline creation method, system, device and medium provided by the invention have the following beneficial effects: the user can obtain the target grammar tree by converting the basic grammar tree only by inputting the basic expression of DSL language, and further obtain the source code of the corresponding target language, thus obtaining the self-defined safety baseline assembly. The user can define his own security baseline through this language and implement the relevant security measures. When a user builds a security baseline, the user can flexibly develop and customize the security baseline component meeting the requirements of the user at low cost without mastering excessive professional computers and network security knowledge. The method has higher flexibility and programmability when the security base line is created, simplifies the writing and execution of common operation, has low cost and convenience, and is more convenient and easy to use than the traditional method.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. Some specific embodiments of the present application will be described in detail hereinafter by way of example and not by way of limitation with reference to the accompanying drawings. The same reference numbers in the drawings denote the same or similar parts or portions, and it will be understood by those skilled in the art that the drawings are not necessarily drawn to scale, in which:
fig. 1 is a flow chart of a DSL-based security baseline creation method provided by the present invention;
FIG. 2 is a flow chart of the conversion of a base syntax tree into a target syntax tree provided by the present invention;
FIG. 3 is a block diagram illustrating one embodiment of a secure baseline creation system provided by the present invention;
fig. 4 is a block diagram of another embodiment of a security baseline creation system provided by the present invention.
Detailed Description
In order to enable those skilled in the art to better understand the present application, the following description will make clear and complete descriptions of the technical solutions in the embodiments of the present application with reference to the accompanying drawings in the embodiments of the present application. It will be apparent that the described embodiments are merely some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process or method that comprises a list of steps does not include only those steps, but may include other steps not expressly listed or inherent to such process or method. Likewise, without further limitations, one or more devices or subsystems beginning with "comprising". A "neither does an element or structure or component have no further limitations, excluding the presence of other devices or other subsystems or other elements or other structures or other components or other devices or other subsystems or other elements or other structures or other components. The appearances of the phrases "in one embodiment," "in another embodiment," and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs.
Referring to fig. 1, the present invention provides a method for creating a security baseline based on DSL (Domain Specific Language ), comprising:
s1, acquiring a basic expression, wherein the basic expression is written by using DSL language; specifically, the DSL language is constructed based on conventional technical content in an application field, where the application field is a field where a computer needs to be applied to perform basic control, for example, a security baseline field, etc.
Further, in some embodiments, it is desirable to create a DSL language in advance that should be able to support a variety of common operations and functions, such as string operations, mathematical operations, and boolean operations, while also supporting a functional control structure. In this embodiment, the DSL language may be named alpha.
Further, the design elements of the DSL language include:
domain specificity: the target area of this DSL language is the creation and management of secure baselines. The DSL language provides specific operations and functions for the security baseline domain, and can support user-defined personalized security baseline policies.
Expression construction: the user may construct expressions from the operations and functions provided by the DSL language for defining rules for the security base line. The parsing process of the expression can generate an abstract syntax tree, then map the abstract syntax tree to an execution function and a control flow on a target system, and recompile the abstract syntax tree into a language code form required by executing a security baseline so as to execute the abstract syntax tree on an actually executed probe program.
Language extensibility: DSL languages provide some of the usual operations and functions, but also support user-defined functions and operations. Users can write their own functions and operations to extend the capabilities of the DSL language to achieve more customized secure baseline management requirements.
Code reusability: operations and functions in the DSL language may be encapsulated by the host language, with the actual logic being implemented by the functions written in the host language. Thus, the DSL language function can be realized, and meanwhile, the capability of a host language can be utilized, so that the code multiplexing property and maintainability are improved.
Meanwhile, the grammar design of the DSL language is biased to the expression and the functional programming style, and mainly comprises the following parts:
the expression: the core concept of DSL language consists of operands and operators. The operands may be constants, variables, function calls, and the like, and the operators include arithmetic, comparison, logical operators, and the like, capable of expressing a variety of conditions and logical relationships. The priority of the expression is determined by the operator, and the priority can be changed by brackets.
The variables: DSL language supports custom variables, the variable names may contain letters, numbers, and underlining, case sensitive.
Function: the DSL language incorporates a number of functions, such as read file, exec, map, match. The user can also customize functions, function names and parameters similar to conventional programming languages, supporting nested function calls. The format of function calls and regular expressions is similar to conventional programming languages.
Control flow: DSL language supports a variety of control structures such as if, for, while, etc. The control flow statements consist of conditional expressions and statement blocks.
Annotation: DSL languages support a single line of notes beginning with # and multiple lines of notes surrounding with- [ [ and- ]).
Character string: DSL language supports a variety of string representations such as single quotation marks, double quotation marks, reverse slash escape, etc.
S2, analyzing the basic expression to obtain a basic grammar tree, and converting the basic grammar tree into a target grammar tree corresponding to a target language; specifically, the basic expression is analyzed, and a corresponding analyzer and a lexical analyzer are adopted. In this embodiment, the basic syntax tree and the target syntax tree are both abstract syntax trees, and a common conversion manner in the art is adopted for the mutual conversion of the abstract syntax trees, so that a person skilled in the art can perform conversion according to actual requirements.
And S3, obtaining a target source code based on the target grammar tree, and further obtaining a corresponding security baseline component.
By using the DSL-based security baseline creation method provided by the invention, a user can obtain a target grammar tree by converting the basic grammar tree only by inputting the basic expression of DSL language, and further obtain source codes of the corresponding target language, thereby obtaining the customized security baseline assembly. The user can define his own security baseline through this language and implement the relevant security measures. When a user builds a security baseline, the user can flexibly develop and customize the security baseline component meeting the requirements of the user at low cost without mastering excessive professional computers and network security knowledge. The method has higher flexibility and programmability when the security base line is created, simplifies the writing and execution of common operation, has low cost and convenience, and is more convenient and easy to use than the traditional method.
That is, to implement DSL language functionality, common operations and functions are packaged into target language functions in a specific operation, so that the smart device can run the corresponding security baseline component. These functions should be able to implement the actual logic of the functions and operations defined in the DSL language. For example, the string manipulation function should be capable of string concatenation, string replacement, and the like.
Namely, the security baseline creation method provided by the invention has higher flexibility and expandability, and can meet the requirements in different scenes. Meanwhile, the method also improves the implementation efficiency of the safety base line and reduces the workload of manual writing.
Further, referring to fig. 2, in this embodiment, the converting the basic syntax tree into a target syntax tree corresponding to a target language specifically includes:
acquiring all first node data on the basic grammar tree;
obtaining second node data corresponding to all the first node data based on the mapping set; specifically, the mapping set is constructed based on a functional mapping relationship between DSL language and target language. A corresponding mapper module may further be generated to perform the corresponding procedure.
And obtaining the target grammar tree based on all the second node data.
Further, as a preferred solution, the present embodiment further includes DSL management operation;
the DSL administrative operations include:
and carrying out data expansion on the mapping set based on the increase of the demand. Thus, the accuracy of DSL language can be greatly increased, and the expansibility of DSL language is fully embodied. The user may write own personalized functions (e.g., built-in functions added to the DSL in the mapping set) and operate to extend the capabilities of the DSL language to achieve more customized security baseline management requirements.
In actual operation, a user communicates with a server through an intelligent terminal, and a personalized function and a corresponding mapping set are sent to the server. After receiving the corresponding mapping set and the personalized function, the server side stores the user independently and fuses the user into the corresponding DSL language function. Of course, the operation and maintenance personnel in the background can directly operate on the server. Of course, the personalized function can be updated in an online automatic update mode, an offline upgrade package update mode, a user-defined mode, a mode of pushing the user to a server, a mode of directly updating a database at the server and the like.
Further, considering that the basic expression written by the user is relatively coarse, if the basic expression is directly performed on the target syntax tree of the basic expression in this case, accurate target source codes may not be obtained, and in this embodiment, after obtaining the basic syntax tree, the method further includes:
and carrying out optimization processing on the target grammar tree to obtain an optimized basic grammar tree, wherein the optimization processing comprises logic rearrangement on the basic grammar tree based on execution logic. Specifically, the execution logic is the operation logic of the device when the code is operated, for example, a main function, an interface and the like are needed in the code, and after the normal logic rearrangement, the execution logic is easier to machine execution. After the rearranged basic grammar tree is converted into the source code, the obtained new basic expression is in a basic expression logic rearrangement form of the original simplified state, so that the new basic expression accords with the execution logic of the machine. The basic grammar tree in the state is used for obtaining a target grammar tree, and then the converted target source code accords with the machine realization logic.
Further, the optimizing process may further be:
and obtaining an optimized basic grammar tree based on the internal association set.
The following description will be given by taking a DSL language corresponding to the security baseline field, where the target language is the Lua language as an example:
in the present embodiment, the basic expression to be explained is as follows:
and(
read_glob_file("/etc/security/limits.d/*")
.map("\\*hard core 0".match)
) && "gpgcheck\\s*=\\s*1".match(
read_file("/etc/security/limits.conf")
) || linux_sysctl_list()["fs.suid_dumpable"] == 0
the whole expression means: searching the content matched with 'hard core 0' from all 'etc/security/limits.d/' files, at the same time search in the 'etc/security/limits. Conf' file content matching "gpgcheck = \\s = \s 1". If both searches succeed, or the value of the system parameter 'fs.subjdump' is equal to 0, the result of the whole expression is 'True', otherwise it is 'False'.
The following is a process for this basic expression:
1. and the intelligent equipment sends the basic expression to a server. The intelligent device can already realize target language functions of necessary functions, such as the key function calls of read_glob_file, read_file, match and the like in the above expression. The intelligent device (which may send the basic expression to the intelligent device or may be another intelligent device, that is, the corresponding generated security baseline component may be applied to another intelligent device) is an actuator of the security baseline component. The secure baseline component is generated and executed in the form of a plug-in. And after receiving the basic expression sent by the intelligent equipment, the server generates a security baseline component formed by the target language.
2. The server side parses the basic expression and generates a corresponding basic syntax tree, and for convenience of presentation, the structure of function call is simplified, and examples are as follows:
or
├─ and
│ ├─ map
│ │ ├─ read_glob_file
│ │ │ └─ "/etc/security/limits.d/*"
│ │ └─ method: match (of "\\*hard core 0")
│ └─ method: match (of "gpgcheck\\s*=\\s*1")
│ └─ read_file
│ └─ "/etc/security/limits.conf"
└─ equal
├─ index
│ ├─ linux_sysctl_list
│ └─ "fs.suid_dumpable"
└─ 0
(a) At the top level, we have an 'or' operator that performs a boolean or operation on the left and right calculations.
(b) On the left side there is an 'and' operator which performs a boolean and operation on the results on the left and right sides.
(c) To the left of the "and" operator is a "map" function. This function receives two parameters: the 'read_glob_file' function and the 'match' method.
The 'read_glob_file' function has one parameter, namely, file path mode: the function reads all files matching the schema and returns a list of file contents.
"match" is a method of string "\\hard core 0', which receives a parameter (here, the file content returned from" read_glob_file ") and matches using this string as a regular expression.
(d) To the right of the "and" operator is the invocation of the "match" method, which is a method of the string "gpgcheck \\s = \\s \1". This 'match' method is used as a parameter for the 'read_file' function. The 'read_file' function receives a parameter, namely the file path: "etc/security/limits. Conf", and returns the contents of the file.
(e) The right side of the 'or' operator is an equality comparison 'equal', the left side is an 'index' operation, and the right side is the number 0.
To the left of the "index" operator is a call to the "linux_sysctl_list" function, which returns a hashmap.
To the right of the "index" operator is "fs.subjdump", which is used as a key to the hashmap.
3. And rearranging the basic grammar tree based on the internal association set to obtain a state conforming to the execution logic of the equipment. The internal association set is an association set in the DSL language, and the obtained basic grammar tree is still an abstract grammar tree corresponding to the DSL language. For example, boolean operators map to homofunctions, cyclic processing functions such as maps to internal corresponding implementations, and function calls map to homonym functions of the host. In this embodiment, a specific internal association set is exemplified as follows, where the arrow is preceded by a representation in the expression and the arrow points to a representation in the host language:
&& -> and
|| -> or
map -> map
read_glob_file -> read_glob_file
match -> match
read_file -> read_file
linux_sysctl_list -> linux_sysctl_list
although the front and back of the partial association set look the same, it is actually a representation in a different language, with different implementations inside. The convenience and efficiency of maintaining the association set is improved by using the same identifier as much as possible. And rearranging the basic grammar tree by using the internal association set to obtain an optimized basic grammar tree (the basic grammar tree is not shown). The optimized base syntax tree rendering (i.e., back-translating into source code) yields the following code (the code at this time conforms to the device's execution logic):
and(map(read_glob_file("/etc/security/limits.d/"),
function (c)
return "\ hard core 0".match(c)
end)
) and "gpgcheck\s*=\s*1".match(
read_file("/etc/security/limits.conf")
) or linux_sysctl_list()["fs.suid_dumpable"] == 0
4. based on the mapping set, the optimized basic grammar tree is converted into a target grammar tree, and in the embodiment, the target grammar tree suitable for Lua is converted, so that a source code recompiled into Lua is finally obtained, and a corresponding safety baseline assembly is generated. The key point is that map is mapped into a structure realized based on for circulation, then the execution results of each individual statement are respectively stored into corresponding variables, and finally the results of each variable are corresponding to the original Boolean operation sequence to obtain a calculation result and return. Wherein the map-to-for-loop structure has a fixed correspondence and a fixed transformation operation, and the map operation can be mapped to the for-loop after the transformation is applied. The resulting AST (abstract syntax tree, corresponding to the present embodiment) of Lua may be rendered to obtain a result similar to the following example:
local function main()
local _f = function()
local _tbl_0 = read_glob_file("/etc/security/limits.d/")
local _accum_0 = true
for _index_0 = 1, #_tbl_0 do
local c = _tbl_0[_index_0]
local _tmp = "\ hard core 0".match(c)
_accum_ = _accum_ and _tmp
end
return _accum_0
end
local _v0 = "gpgcheck\s*=\s*1".match(
read_file("/etc/security/limits.conf")
)
local _v1 = linux_sysctl_list()["fs.suid_dumpable"] == 0
return _f() and _v0 or _v1
end
return main()
5. and sending the generated security baseline component to a designated intelligent terminal.
Further, as a preferred solution, in this embodiment, the determining manner of the target language includes a fixed manner and a dynamic adjustment manner; in particular, the implementation target language is preferably Lua language or WASM language, so as to be executed on the actually executed probe program. At compile time, the security and efficiency of the code need to be considered, avoiding possible loopholes and performance problems. By executing on the probe program, it can benefit from an already built baseline execution environment. Wherein the logic formed after compiling has both the computing power of the plug-in itself and the capabilities provided by the target device program.
Further, the target language is typically fixed, i.e., a fixed manner, which allows for simple programming and avoids operational and usage data disturbances.
The dynamic adjustment mode specifically comprises the following steps:
acquiring basic operation parameters of a target system;
the target language is matched based on the base operating parameters. The dynamic adjustment mode is to give a better security baseline component, such as an android system, and the security baseline component is correspondingly converted into Java language. At the moment, the mapping set corresponding to Java language can be used only when the target grammar tree is converted, and the expansion is convenient.
Further, as a preferred solution, the present embodiment further includes:
and storing the security baseline component in an associated mode by taking the corresponding basic expression as a label, so that the corresponding security baseline component is directly output when the same basic expression is obtained later. The corresponding safety baseline component can be quickly given in the subsequent operation, and regeneration is not needed each time.
Based on the same conception, the invention also provides a security baseline creation method which is applied to the server and comprises the following steps:
receiving a basic expression sent by an intelligent terminal, wherein the basic expression is written by using DSL language;
analyzing the basic expression to obtain a basic grammar tree, and converting the basic grammar tree into a target grammar tree corresponding to a target language;
and obtaining a target source code based on the target grammar tree, and further obtaining a corresponding safety baseline component to feed back to a target terminal.
In this embodiment, the target terminal includes the intelligent terminal and other specified intelligent terminals. The device information of the other specified intelligent terminals can be simultaneously sent to the server side along with the basic expression, or the target device confirmation instruction can be sent to the intelligent terminals according to the server side, and the corresponding device information can be sent to the server side.
Referring to fig. 3, based on the same concept, the present invention further provides a security baseline creation system, applied to a server, including:
the first interaction module is used for acquiring a basic expression, and the basic expression is written in DSL language;
the processing module is used for analyzing the basic expression to obtain a basic grammar tree and converting the basic grammar tree into a target grammar tree corresponding to a target language; and obtaining a target source code based on the target grammar tree, and further obtaining a corresponding security baseline component.
Further, the process is further configured to perform:
acquiring all first node data on the basic grammar tree;
obtaining second node data corresponding to all the first node data based on the mapping set;
and obtaining the target grammar tree based on all the second node data.
Further, the process is further configured to perform DSL administrative operations;
the DSL administrative operations include:
and carrying out data expansion on the mapping set based on the increase of the demand.
Further, the process is further configured to perform:
and carrying out optimization processing on the target grammar tree to obtain an optimized basic grammar tree, wherein the optimization processing comprises logic rearrangement on the basic grammar tree based on execution logic.
The determining mode of the target language comprises a fixed mode and a dynamic adjusting mode;
further, the process is further configured to perform:
acquiring basic operation parameters of a target system;
the target language is matched based on the base operating parameters.
Further, the process is further configured to perform:
and storing the security baseline component in an associated mode by taking the corresponding basic expression as a label, so that the corresponding security baseline component is directly output when the same basic expression is obtained later.
Referring to fig. 4, based on the same concept, the present invention further provides a security baseline creation system, including:
the intelligent terminal is used for sending a basic expression to the server, wherein the basic expression is written by DSL language; and receiving a security baseline component sent by the server;
the server side is used for acquiring a basic expression; analyzing the basic expression to obtain a basic grammar tree, and converting the basic grammar tree into a target grammar tree corresponding to a target language; obtaining a target source code based on the target grammar tree, further obtaining a corresponding safety baseline component and feeding back the safety baseline component to a target terminal; the target terminal comprises the intelligent terminal and other appointed intelligent terminals.
Further, the method for creating the security baseline executed by the intelligent terminal comprises the following steps:
transmitting a basic expression to a server, wherein the basic expression is formed based on DSL language;
receiving a security baseline component sent by the server;
the security baseline component generation process comprises the following steps:
analyzing the basic expression to obtain a basic grammar tree, and converting the basic grammar tree into a target grammar tree of a corresponding target language;
and obtaining a target source code based on the target grammar tree, and further obtaining the corresponding safety baseline component.
Further, the intelligent terminal includes:
the second interaction module is used for sending a basic expression to the server, and the basic expression is formed based on DSL language; and receiving the security baseline component sent by the server.
Of course, further, the intelligent terminal further comprises a basic module, and the basic module comprises a storage module, a communication module, a display module and the like.
Based on the same conception, the present invention also provides an electronic apparatus including:
a memory storing a computer program;
and the processor is used for realizing the safety baseline creation method based on DSL when executing the computer program.
Based on the same conception, the present invention also provides a computer readable medium storing a computer program which when executed by a processor implements a method for establishing a DSL-based security baseline according to the above.
More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit of the corresponding technical solutions from the scope of the technical solutions of the embodiments of the present application.
Claims (10)
1. A DSL-based security baseline creation method, comprising:
obtaining a basic expression, wherein the basic expression is written in DSL language;
analyzing the basic expression to obtain a basic grammar tree, and converting the basic grammar tree into a target grammar tree corresponding to a target language;
and obtaining a target source code based on the target grammar tree, and further obtaining a corresponding security baseline component.
2. The DSL-based security baseline creation method of claim 1, wherein the converting the base syntax tree into a target syntax tree corresponding to a target language specifically comprises:
acquiring all first node data on the basic grammar tree;
obtaining second node data corresponding to all the first node data based on the mapping set;
and obtaining the target grammar tree based on all the second node data.
3. The DSL-based security baseline creation method of claim 2 further comprising DSL management operations;
the DSL administrative operations include:
and carrying out data expansion on the mapping set based on the increase of the demand.
4. The DSL-based security baseline creation method of claim 1, further comprising, after obtaining the base syntax tree:
and carrying out optimization processing on the target grammar tree to obtain an optimized basic grammar tree, wherein the optimization processing comprises logic rearrangement on the basic grammar tree based on execution logic.
5. The DSL-based security baseline creation method of claim 1, wherein the determination means of the target language includes a fixed means and a dynamic adjustment means;
the dynamic adjustment mode specifically comprises the following steps:
acquiring basic operation parameters of a target system;
the target language is matched based on the base operating parameters.
6. The DSL-based security baseline creation method of claim 1 further comprising:
and storing the security baseline component in an associated mode by taking the corresponding basic expression as a label, so that the corresponding security baseline component is directly output when the same basic expression is obtained later.
7. A security baseline creation system, comprising:
the first interaction module is used for acquiring a basic expression, and the basic expression is written in DSL language;
the processing module is used for analyzing the basic expression to obtain a basic grammar tree and converting the basic grammar tree into a target grammar tree corresponding to a target language; and obtaining a target source code based on the target grammar tree, and further obtaining a corresponding security baseline component.
8. A security baseline creation system, comprising:
the intelligent terminal is used for sending a basic expression to the server, wherein the basic expression is written by DSL language; and receiving a security baseline component sent by the server;
the server side is used for acquiring a basic expression; analyzing the basic expression to obtain a basic grammar tree, and converting the basic grammar tree into a target grammar tree corresponding to a target language; obtaining a target source code based on the target grammar tree, further obtaining a corresponding safety baseline component and feeding back the safety baseline component to a target terminal; the target terminal comprises the intelligent terminal and other appointed intelligent terminals.
9. An electronic device, comprising:
a memory storing a computer program;
a processor, when executing the computer program, implements a DSL-based security baseline creation method according to any of claims 1-6.
10. A computer readable medium, characterized in that a computer program is stored, which computer program, when being executed by a processor, implements a DSL-based security baseline creation method according to any of claims 1-6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310650068.3A CN116360797B (en) | 2023-06-02 | 2023-06-02 | DSL-based security baseline creation method, system, device and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310650068.3A CN116360797B (en) | 2023-06-02 | 2023-06-02 | DSL-based security baseline creation method, system, device and medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116360797A true CN116360797A (en) | 2023-06-30 |
| CN116360797B CN116360797B (en) | 2023-10-27 |
Family
ID=86913472
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310650068.3A Active CN116360797B (en) | 2023-06-02 | 2023-06-02 | DSL-based security baseline creation method, system, device and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116360797B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109861976A (en) * | 2018-12-27 | 2019-06-07 | 广州天源信息科技股份有限公司 | Internet of things equipment protocol fitting method |
| CN111309752A (en) * | 2019-11-26 | 2020-06-19 | 上海金融期货信息技术有限公司 | Service flow data processing oriented domain specific language assembly and operation method thereof |
| CN112148343A (en) * | 2020-09-02 | 2020-12-29 | 广州市双照电子科技有限公司 | Rule issuing method and device and terminal equipment |
| CN112667240A (en) * | 2020-12-23 | 2021-04-16 | 平安普惠企业管理有限公司 | Program code conversion method and related device |
| CN113553238A (en) * | 2021-07-23 | 2021-10-26 | 浪潮云信息技术股份公司 | Cloud platform resource exception automatic processing system and method |
| CN115202648A (en) * | 2022-09-06 | 2022-10-18 | 浩鲸云计算科技股份有限公司 | Method for realizing low-code front-end view layer based on domain-specific language |
-
2023
- 2023-06-02 CN CN202310650068.3A patent/CN116360797B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109861976A (en) * | 2018-12-27 | 2019-06-07 | 广州天源信息科技股份有限公司 | Internet of things equipment protocol fitting method |
| CN111309752A (en) * | 2019-11-26 | 2020-06-19 | 上海金融期货信息技术有限公司 | Service flow data processing oriented domain specific language assembly and operation method thereof |
| CN112148343A (en) * | 2020-09-02 | 2020-12-29 | 广州市双照电子科技有限公司 | Rule issuing method and device and terminal equipment |
| CN112667240A (en) * | 2020-12-23 | 2021-04-16 | 平安普惠企业管理有限公司 | Program code conversion method and related device |
| CN113553238A (en) * | 2021-07-23 | 2021-10-26 | 浪潮云信息技术股份公司 | Cloud platform resource exception automatic processing system and method |
| CN115202648A (en) * | 2022-09-06 | 2022-10-18 | 浩鲸云计算科技股份有限公司 | Method for realizing low-code front-end view layer based on domain-specific language |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116360797B (en) | 2023-10-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8516458B2 (en) | System representation and handling techniques | |
| CA2246948C (en) | Method and means for encoding storing and retrieving hierarchical data processing information for a computer system | |
| US20030093420A1 (en) | Method and system for retrieving sharable information using a hierarchically dependent directory structure | |
| US6083282A (en) | Cross-project namespace compiler and method | |
| CN103164249A (en) | Extension mechanism for scripting language compiler | |
| JPH0383153A (en) | Message processing system and method | |
| CN111880777A (en) | Program information issuing method and device and electronic equipment | |
| CN115016793A (en) | Code generation method and device based on syntax tree, electronic equipment and storage medium | |
| Uhl et al. | An attribute grammar for the semantic analysis of Ada | |
| CN105260223B (en) | A kind of SCPI command definitions, the method for parsing, execution and test | |
| EP0520708B1 (en) | Method and apparatus for converting high level form abstract syntaxes into an intermediate form | |
| CN117033418A (en) | Statement rewriting method, system and device | |
| Fredriksson et al. | Seamless distributed computing from the geometry of interaction | |
| CN116360797B (en) | DSL-based security baseline creation method, system, device and medium | |
| CN101470607A (en) | Data normalization method | |
| US7487227B2 (en) | Scripting engine having a sequencer table and a plurality of secondary tables for network communication software | |
| Mezei et al. | The dynamic sensor data description and data format conversion language. | |
| CA2714189C (en) | System representation and handling techniques | |
| US7343597B1 (en) | Methods and apparatus for communication between an application and a device | |
| CN114090017A (en) | Method and device for analyzing programming language and nonvolatile storage medium | |
| CN110018816B (en) | Virtual machine control system based on C/C + + compiling system and control method thereof | |
| Tenma et al. | A system for generating language-oriented editors | |
| CN112241505A (en) | Page updating method, page updating device, medium and electronic equipment | |
| CN117555925B (en) | Database access code conversion method and device and electronic equipment | |
| CN116756727B (en) | Data authority control method and device, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |