CN116910744B - Variable access management method, device, computer equipment and storage medium - Google Patents


Info

Publication number
CN116910744B
Authority
CN
China
Prior art keywords
variable
determining
preset
behavior
access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310922022.2A
Other languages
Chinese (zh)
Other versions
CN116910744A (en)
Inventor
赵兴
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hexin Technology Co ltd
Shanghai Hexin Digital Technology Co ltd
Original Assignee
Hexin Technology Co ltd
Shanghai Hexin Digital Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hexin Technology Co ltd, Shanghai Hexin Digital Technology Co ltd
Priority to CN202310922022.2A (CN116910744B)
Priority to CN202410280769.7A (CN118171265A)
Publication of CN116910744A
Application granted
Publication of CN116910744B
Legal status: Active (current)
Anticipated expiration


Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6281Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Stored Programmes (AREA)

Abstract

The invention relates to the field of Internet technology and discloses a variable access management method, a device, computer equipment and a storage medium.

Description

Variable access management method, device, computer equipment and storage medium
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a variable access management method, a variable access management device, a computer device, and a storage medium.
Background
Firmware stores system settings and user settings in variables. These variables are exposed through a settings interface in the petitboot interface, where users or administrators can set them themselves, and a modification interface is also provided to the OS. As a result, irregular software can change system settings by modifying the variables without the user being aware, which makes the system prone to failure and leaves it poorly protected.
Disclosure of Invention
In view of the above, the present invention provides a variable access management method, apparatus, computer device and storage medium, so as to solve the problem that the system is prone to failure because irregular software changes system settings by modifying variables without the user's knowledge.
In a first aspect, the present invention provides a variable access management method, the method including: in response to monitoring that a process is modifying a system variable that has a preset permission, determining, based on the behavior logs of all processes, whether the behavior of the process meets a preset condition, where the preset condition is the preset requirement on process behavior for modifying the system variable; and in response to determining that the behavior of the process meets the preset condition, allowing the process to modify the system variable.
In the variable access management method provided by the invention, processes are monitored for access to and modification of system variables that have a preset permission. When such an access is detected, the behavior logs of all processes, recorded in advance, are consulted to decide whether the process meets the requirement, and only if it does is the process allowed to access and modify the variable. Because the check happens before the modification, the safety and functional integrity of the system are preserved, and because the decision is made automatically, access to and modification of variables by processes is managed without manual intervention, which makes the system more flexible.
In an alternative embodiment, the behavior logs of all processes are obtained by tracking and recording the behavior of all processes in the micro-service system, and include at least one of: the installation time and installation platform of the software that the process belongs to, and whether the process's modification of the system variable is a user operation. Determining that the behavior of the process meets the preset condition then includes: in response to determining that the installation time of the software is within a preset time range, determining whether the software's installation platform meets the preset installation-platform requirement; in response to determining that the installation platform meets that requirement, determining whether the process's modification of the system variable is a user operation; and in response to determining that the modification is a user operation, determining that the behavior of the process meets the preset condition.
In this way, whether a process may modify a variable is decided from the software installation time, the installation platform and the manner in which the process accesses and modifies the variable. Considering several factors together improves the accuracy of the decision, so modification of variables by irregular software can be prevented precisely.
In an optional implementation, determining that the behavior of the process meets the preset condition further includes: in response to determining that the installation time of the software is not within the preset time range, determining whether the process's access and modification of the system variable is a user operation; and in response to determining that it is a user operation, determining that the behavior of the process meets the preset condition.
In an optional implementation, the behavior log of the process further records whether the process's modification of the system variable is a shortcut-key operation, and determining that the behavior of the process meets the preset condition further includes: in response to determining that the process's access and modification of the system variable is not a user operation, determining whether it is a shortcut-key operation; and in response to determining that it is a shortcut-key operation, determining that the behavior of the process meets the preset condition.
In an optional implementation, determining that the behavior of the process does not meet the preset condition includes: in response to determining that the process's access and modification of the system variable is not a shortcut-key operation, determining that the behavior does not meet the preset condition; in response to determining that the software installation platform does not meet the preset installation-platform requirement, determining that the behavior does not meet the preset condition; and, in response to determining that the behavior does not meet the preset condition, intercepting the process's access and modification of the system variable.
When a process is judged not to meet the preset condition, the invention intercepts it, which prevents irregular software and the like from changing system variables and causing the system to fail, and so keeps the system safe.
In an alternative embodiment, the method further comprises: copying all variables in the system as first variables in the starting process of the host; copying all variables in the system as second variables in the starting process of the entering system; judging whether the first variable and the second variable are different; in response to determining that the first variable and the second variable are distinct, the first variable is overridden over the variables in the current system.
The invention copies all variables when the host is started, copies all the variables at the moment when the system is started, judges whether the two variables are different, and if so, covers the variables in the current system by the variables when the host is started, thereby avoiding that some processes modify the system variables under the condition of unknowing when the system is loaded and ensuring the normal operation of the system.
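The snapshot, compare and restore sequence just described, carried through as an added example in C; this is not the patent's code, and the store layout, the function names and the constructed variable values are assumptions made for the example. The host-start copy is the authority: at OS entry a second copy is taken, the two are compared by name and value, and any difference causes the first copy to be written back over the live store.

```c
/* Added example, not the patent's code: snapshot the variable store at host
 * start, snapshot it again at OS entry, and restore the first copy if the
 * two differ. Names and the constructed values are assumptions. */
#include <stdio.h>
#include <string.h>

#define MAX_VARS 16

typedef struct { char name[24]; char value[32]; } var_entry;
typedef struct { var_entry v[MAX_VARS]; int count; } var_store;

/* Find a variable by name; NULL when absent. */
const var_entry *find_var(const var_store *s, const char *name)
{
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->v[i].name, name) == 0)
            return &s->v[i];
    return NULL;
}

/* Create or overwrite a variable (stands in for the firmware's setter). */
void set_var(var_store *s, const char *name, const char *value)
{
    var_entry *e = (var_entry *)find_var(s, name); /* s is writable here */
    if (e == NULL) {
        if (s->count == MAX_VARS)
            return; /* constructed store is full; real code would report it */
        e = &s->v[s->count++];
        snprintf(e->name, sizeof e->name, "%s", name);
    }
    snprintf(e->value, sizeof e->value, "%s", value);
}

/* Whole-store copy: the page's "first variables" and "second variables". */
void snapshot_vars(const var_store *live, var_store *copy) { *copy = *live; }

/* Count variables that changed value, disappeared or appeared between copies. */
int diff_vars(const var_store *first, const var_store *second)
{
    int changed = 0;
    for (int i = 0; i < first->count; i++) {
        const var_entry *e = find_var(second, first->v[i].name);
        if (e == NULL || strcmp(e->value, first->v[i].value) != 0)
            changed++;
    }
    for (int i = 0; i < second->count; i++)
        if (find_var(first, second->v[i].name) == NULL)
            changed++;
    return changed;
}

/* Check at OS entry: take the second copy and, if it differs from the
 * host-start copy, write the host-start copy back over the live store.
 * Returns the number of differences found (0 means nothing was restored). */
int restore_if_changed(var_store *live, const var_store *first)
{
    var_store second;
    snapshot_vars(live, &second);
    int changed = diff_vars(first, &second);
    if (changed > 0)
        *live = *first;
    return changed;
}

static var_store g_live, g_first; /* static so results can be inspected after the demo */

/* Constructed scenario: two variables at host start; while the system is
 * loading, one is rewritten and a new one appears; OS entry restores. */
int demo_boot_check(void)
{
    memset(&g_live, 0, sizeof g_live);
    set_var(&g_live, "bootargs", "console=hvc0 quiet");
    set_var(&g_live, "bconsole", "hvc0");
    snapshot_vars(&g_live, &g_first);                    /* host start */

    set_var(&g_live, "bootargs", "console=ttyS0 quiet"); /* changed while loading */
    set_var(&g_live, "extra_flag", "1");                 /* added while loading */

    return restore_if_changed(&g_live, &g_first);        /* OS entry: 2 differences */
}

/* Re-running the check on the restored store finds nothing to do. */
int demo_recheck(void) { return restore_if_changed(&g_live, &g_first); }

const char *current_bootargs(void)
{
    const var_entry *e = find_var(&g_live, "bootargs");
    return e ? e->value : "";
}
int current_var_count(void) { return g_live.count; }

int main(void)
{
    int n = demo_boot_check();
    printf("%d difference(s); bootargs=\"%s\", %d variables, recheck=%d\n",
           n, current_bootargs(), current_var_count(), demo_recheck());
    return 0;
}
```

Two points the page leaves open and the example does not settle: where the first copy is kept so that an OS-side process cannot rewrite it together with the live store, and how a legitimate change made by an administrator between the two snapshots is told apart from tampering, since the restore undoes both alike.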
In an alternative embodiment, the method further includes: monitoring the running state of all processes, the running state of a process being determined from its running behavior recorded by the micro-service tracking system; in response to monitoring that a first process has run stably for a preset time threshold, raising the trust level of the first process; and in response to determining that the trust level of the first process has reached a preset level threshold, allowing the first process to access and modify system variables directly.
When a process keeps running stably for the preset time threshold, its trust level is raised, and once the trust level reaches the preset level threshold the process is allowed to access and modify system variables directly. This saves the time otherwise spent deciding whether the process meets the requirement for modifying system variables, and makes system-variable access management more flexible.
In a second aspect, the present invention provides a variable access management apparatus, comprising: a process judging module, configured to, in response to monitoring that a process is accessing and modifying a system variable with a preset permission, determine, based on the pre-recorded behavior logs of all processes, whether the behavior of the process meets a preset condition, where the preset condition is the preset requirement on process behavior for modifying the system variable; and a process access module, configured to allow the process to modify the system variable in response to determining that the behavior of the process meets the preset condition.
In a third aspect, the present invention provides a computer device comprising a memory and a processor in communicative connection with each other, the memory storing computer instructions and the processor executing the computer instructions so as to perform the variable access management method of the first aspect or any of its corresponding implementations.
In a fourth aspect, the present invention provides a computer-readable storage medium storing computer instructions for causing a computer to perform the variable access management method of the first aspect or any of its corresponding implementations.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing them are briefly introduced below. The drawings described below show only some embodiments of the invention; a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flow diagram of a variable access management method according to an embodiment of the present invention;
FIG. 2 is a flow diagram of another variable access management method according to an embodiment of the present invention;
FIG. 3 is a flow chart corresponding to a variable access management method according to an embodiment of the present invention;
FIG. 4 is a flow diagram of yet another variable access management method according to an embodiment of the present invention;
FIG. 5 is a block diagram of a variable access management apparatus according to an embodiment of the present invention;
fig. 6 is a schematic diagram of a hardware structure of a computer device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described below clearly and completely with reference to the accompanying drawings. The described embodiments are some, but not all, of the embodiments of the invention. All other embodiments obtained by a person skilled in the art from these embodiments without inventive effort fall within the scope of the invention.
Firmware stores system settings and user settings in variables. The variables have a settings interface in the petitboot interface, where users or administrators can set them themselves, and a modification interface is also provided to the OS (Operating System). As a result, irregular software can change system settings by modifying the variables without the user's knowledge; for example, bootloader parameters set in the petitboot interface and handed over through the kexec (kernel execution) call can be tampered with by malicious software, which makes the system prone to failure and weakens its security.
The embodiment of the invention provides a variable access management method that monitors whether a process accesses and modifies a system variable with a preset permission. When such an access is detected, the pre-recorded behavior logs of all processes are used to decide whether the process meets the requirement, and only then is the process allowed to access and modify the variable. Because the decision is made before the modification takes place, the safety and functional integrity of the system are preserved, and because the management is automatic, the system is more flexible.
An embodiment of a variable access management method is provided according to the invention. Note that the steps shown in the flowcharts of the drawings may be performed in a computer system, for example as a set of computer-executable instructions, and that although a logical order is shown in the flowcharts, in some cases the steps may be performed in an order other than the one shown or described here.
In this embodiment, a variable access management method is provided that may be used in the computer device mentioned above. FIG. 1 is a flowchart of a variable access management method according to an embodiment of the invention; as shown in FIG. 1, the flow includes the following steps:
Step S101: in response to monitoring that a process is modifying a system variable with a preset permission, determine, based on the pre-recorded behavior logs of all processes, whether the behavior of the process meets a preset condition.
The preset condition is the preset requirement on process behavior for modifying the system variable.
In this embodiment, permission settings are added to system variables in advance. For example, a system variable may be accessible but not modifiable inside a module and neither accessible nor modifiable outside the module; the permission ACESS_PERFORMANCE_LEVEL may be set for a performance-level variable, and, for Boot Control (the output console used by the OS), the bconsole variable that supports it may be set to ACESS_BOOT_CONSOLE; to carry this, an Access_control field may be added to the variable's structure:
Once permissions have been set on the system variables, any attempt by any process to access and modify any system variable can be monitored.
During system operation the behavior of all processes can be recorded and stored in advance. The record may include, for example, the installation platform of the software that the process belongs to and the number of times the process has been closed; these are only examples and the embodiment is not limited to them. The preset condition is a behavior condition, set by the user in advance, under which variable access and modification is permitted in the system. For example, the download platform of the software must be an official download platform such as the application store of the system, or the number of times the process has been closed must be below a preset threshold: a close count above the threshold indicates that the user did not use the process while the system was running, or that the user noticed the process behaving abnormally and closed it actively. Again, these are only examples.
When a process is monitored accessing and modifying a system variable, whether the behavior of the process meets the preset behavior requirement is judged from the pre-recorded behavior log for that process.
Step S102: in response to determining that the behavior of the process meets the preset condition, allow the process to modify the system variable.
If the behavior of the process is judged to meet the requirement, for example if the software installation platform is an official download platform, or if the number of times the process has been closed is below the threshold, the process is allowed to access and modify the system variable.
In the variable access management method of this embodiment, access to and modification of system variables with a preset permission is monitored; when such an access is detected, the pre-recorded behavior logs of all processes are used to decide whether the process meets the requirement, and the process is allowed to access and modify the variable only if it does. Checking before the modification preserves the safety and functional integrity of the system.
In this embodiment, a variable access management method is provided that may be used in the computer device mentioned above. FIG. 2 is a flowchart of another variable access management method according to an embodiment of the invention; as shown in FIG. 2, the flow includes the following steps:
Step S201: in response to monitoring that a process is modifying a system variable with a preset permission, determine, based on the pre-recorded behavior logs of all processes, whether the behavior of the process meets a preset condition.
The preset condition is the preset requirement on process behavior for modifying the system variable.
The behavior logs of all processes are obtained by tracking and recording the behavior of all processes in the system through the micro-service, and the behavior log of a process may include the installation time and installation platform of the process's software, and whether the process's access and modification of system variables is a user operation.
In a specific embodiment, a run-time service is started, and system and process behavior is tracked and learned through a system_study_service (system learning service). For example, a structure app_info (application information) is defined to hold the relevant attributes of the APPs, such as which APPs are installed and which of them were installed through OS preload (the normal software installation platform of the OS); a structure user_op is defined to record the active behavior of the USER, such as modifications of system variables made by the user or administrator through the manual operating-system interface, saved as a log; and a structure KEY_OP is defined to record modifications of system variables made by the user through shortcut-key operation of the system, also saved as a log. Together these form the Variable array of related structures, which is checked through variable_Access_control when a process is detected accessing and modifying the system, using the run_operation command.
Specifically, step S201 includes:
Step S2011: in response to determining that the installation time of the software that the process belongs to is within the preset time range, determine whether the software's installation platform meets the preset installation-platform requirement.
When the installation time of the software is within the preset time range, the software belongs to a newly installed APP. The time range may be set according to actual needs; for example, software installed within the last 24 hours counts as newly installed. When such a process attempts to access and modify a system variable, it is first determined whether the installation time of its software is within the preset time range.
If the installation time is within the preset time range, indicating a newly installed APP, it is further determined whether the software installation platform meets the preset installation-platform requirement; in the specific embodiment, the installation platform must be the OS preload platform.
Step S2012: in response to determining that the software installation platform meets the preset installation-platform requirement, determine whether the process's modification of the system variable is a user operation.
If the installation platform meets the requirement, it must further be determined whether the process's access and modification of the system variable is a USER operation; in the specific embodiment this is done by checking the user_op array.
Step S2013: in response to determining that the process's modification of the system variable is a user operation, determine that the behavior of the process meets the preset condition.
Users and administrators are trusted: if the process's access and modification of the system variable is judged to be a user operation, the behavior of the process meets the requirement and the process may be allowed to access and modify the system variable.
In this way, whether a process may modify a variable is decided from the software installation time, the installation platform and the manner in which the process accesses and modifies the variable. Considering several factors together improves the accuracy of the decision, so modification of variables by irregular software can be prevented precisely.
Further, in step S2011, determining that the behavior of the process meets the preset condition also includes:
Step a1: in response to determining that the installation time of the software is not within the preset time range, determine whether the process's access and modification of the system variable is a user operation.
If the installation time is not within the preset time range, the software is not a newly installed APP, so its installation platform need not be checked, and it is determined directly whether the process's access and modification of the system variable is an active operation of the user.
Step a2: in response to determining that the access and modification is a user operation, determine that the behavior of the process meets the preset condition.
If the process's access and modification of the system variable is a user operation, the behavior of the process is judged to meet the requirement and the process is allowed to access and modify the system variable.
Further, in step a2, the behavior log of the process also records whether the process's modification of the system variable is a shortcut-key operation, and determining that the behavior meets the preset condition also includes:
Step b1: in response to determining that the process's access and modification of the system variable is not a user operation, determine whether it is a shortcut-key operation.
In the specific embodiment, the LSK_OP array is checked to determine whether the process's access and modification of the system variable is a shortcut-key operation.
Step b2: in response to determining that the access and modification is a shortcut-key operation, determine that the behavior of the process meets the preset condition.
If the process's modification of the system variable is judged not to be a user operation, it must further be determined whether it is a shortcut-key operation; if it is, the behavior of the process meets the preset condition and the process is allowed to access and modify the system variable.
Further, in step S2012, determining that the behavior of the process does not meet the preset condition includes:
Step c1: in response to determining that the process's access to the system variable is not a shortcut-key operation, determine that the behavior of the process does not meet the preset condition.
If the process's access to the system variable is neither a user operation nor a shortcut-key operation, the behavior of the process does not meet the preset condition, and the process's access and modification of the system variable is intercepted.
Step c2: in response to determining that the software installation platform does not meet the preset installation-platform requirement, determine that the behavior of the process does not meet the preset condition.
Step c3: in response to determining that the behavior of the process does not meet the preset condition, intercept the process's access and modification of the system variable.
If the software installation platform is judged not to meet the preset installation-platform requirement, it can be determined directly that the behavior of the process does not meet the preset condition, and the process's access and modification of the system variable is intercepted. The complete flow is shown in FIG. 3.
When a process is judged not to meet the preset condition, the invention intercepts it, which prevents irregular software and the like from changing system variables and causing the system to fail, and so keeps the system safe.
Step S202, in response to determining that the behavior corresponding to the process meets the preset condition, allowing the process to modify the system variable. Please refer to step S102 in the embodiment shown in fig. 1 in detail, which is not described herein.
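The decision tree of steps S2011/S2012 and a/b/c above, written out as one function so that every branch (installation time in or out of range, installation platform, user operation, shortcut key operation, interception) can be exercised on a behavior-log record. This is an added example and not code from the patent; the layout of a log record, the fields of the policy object, and the modelling of the LSK_OP array as a set of (pid, variable) pairs are all assumptions, since the page does not define them.

```python
# Added example (not the patent's own code): the allow/intercept decision of
# steps S2011/S2012 and a/b/c as one function over a behaviour-log record.
# Everything the page does not name is an assumption: the record layout, the
# Policy fields, and modelling LSK_OP as a set of (pid, variable) pairs.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"          # step S202: the process may modify the variable
    INTERCEPT = "intercept"  # step c3: the access modification is intercepted


@dataclass(frozen=True)
class BehaviorRecord:
    """One pre-recorded behaviour-log entry (constructed layout)."""
    pid: int
    variable: str              # the system variable the process is writing
    install_time: datetime     # when the software the process belongs to was installed
    install_platform: str      # where that software was installed from
    is_user_operation: bool    # the write was triggered by the user


@dataclass(frozen=True)
class Policy:
    """The 'preset' values of the method (constructed)."""
    time_range: tuple[datetime, datetime]   # preset installation time range
    allowed_platforms: frozenset[str]       # preset installation platform requirement
    lsk_op: frozenset[tuple[int, str]]      # LSK_OP: (pid, variable) pairs that are shortcut-key ops


def evaluate(rec: BehaviorRecord, pol: Policy) -> tuple[Decision, str]:
    """Return the decision and the step of the method that produced it."""
    start, end = pol.time_range
    if start <= rec.install_time <= end:
        # Installed inside the preset window: the platform must also be acceptable
        # (step c2). Outside the window the method goes straight to the
        # user-operation check, so the platform is not examined at all.
        if rec.install_platform not in pol.allowed_platforms:
            return Decision.INTERCEPT, "c2: installation platform not permitted"
    if rec.is_user_operation:
        return Decision.ALLOW, "user operation"
    # step b1: not a user operation, so consult the LSK_OP array
    if (rec.pid, rec.variable) in pol.lsk_op:
        return Decision.ALLOW, "b2: shortcut key operation"
    return Decision.INTERCEPT, "c1: neither user operation nor shortcut key operation"


def decide_all(records: list[BehaviorRecord], pol: Policy) -> list[tuple[int, Decision, str]]:
    """Evaluate every record and keep the pid next to the verdict."""
    return [(r.pid, *evaluate(r, pol)) for r in records]


# Constructed sample data: one record per branch of the decision tree.
SAMPLE_POLICY = Policy(
    time_range=(datetime(2023, 1, 1), datetime(2023, 12, 31)),
    allowed_platforms=frozenset({"vendor-repo"}),
    lsk_op=frozenset({(300, "boot-order")}),
)
SAMPLE_RECORDS = [
    BehaviorRecord(100, "boot-order", datetime(2023, 7, 1), "vendor-repo", True),        # allow: user op
    BehaviorRecord(200, "boot-order", datetime(2023, 7, 1), "unknown-download", True),   # intercept: platform
    BehaviorRecord(300, "boot-order", datetime(2022, 5, 1), "unknown-download", False),  # allow: in LSK_OP
    BehaviorRecord(400, "boot-order", datetime(2023, 7, 1), "vendor-repo", False),       # intercept: c1
]

if __name__ == "__main__":
    for pid, decision, why in decide_all(SAMPLE_RECORDS, SAMPLE_POLICY):
        print(f"pid {pid}: {decision.value:9s} ({why})")
```

The record for pid 300 is worth noticing: because its installation time lies outside the preset range, the method never examines its installation platform, and the write is allowed purely on the strength of the LSK_OP entry. Anyone setting the preset time range should decide deliberately whether that is the intended behaviour.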
In this embodiment, another variable access management method is provided, which may be used in the above-mentioned computer device. Fig. 4 is a flowchart of the variable access management method according to an embodiment of the present invention; as shown in fig. 4, the flow includes the following steps:
Step S301, in response to monitoring that a process modifies a system variable with preset authority, judging, based on the pre-recorded behavior logs of all processes, whether the behavior corresponding to the process meets the preset condition. Please refer to step S201 in the embodiment shown in fig. 2 for details, which are not repeated here.
Step S302, in response to determining that the behavior corresponding to the process meets the preset condition, allowing the process to modify the system variable. Please refer to step S202 in the embodiment shown in fig. 2 for details, which are not repeated here.
Step S303, copying all variables in the system as first variables during the host startup process; copying all variables in the system as second variables during the process of entering system startup; judging whether the first variables and the second variables differ; and in response to determining that the first variables and the second variables differ, overwriting the variables in the current system with the first variables.
In a specific embodiment, all variables are backed up in the hostboot stage and used as the normal variables (normal_variable). The system startup process may be the entry into the petitboot stage, where all variables are backed up again as maybe_modification_variable. Whether the two copies differ is then judged; if they differ, non-normal software may have modified the system variables during system operation, and normal_variable is used to overwrite the variables of the current system. This is only an example.
The invention copies all variables when the host starts, copies all variables again at the moment the system starts, judges whether the two copies differ, and if so overwrites the variables in the current system with the copy taken when the host started. This prevents processes from modifying system variables unnoticed while the system is loading and ensures normal operation of the system.
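The two-snapshot check of step S303, as an added example rather than code from the patent: the hostboot copy and the petitboot-stage copy are compared, the differences are reported, and the current variable store is overwritten wholesale with the hostboot copy. Variables are modelled as a name-to-bytes mapping and the reader callable stands in for whatever interface the firmware actually exposes; both are assumptions, as is the tampering scenario, which is constructed for the demonstration.

```python
# Added example (not the patent's own code): the two-snapshot check of step
# S303. Variables are modelled as a name -> bytes mapping; read_all_variables
# stands in for whatever interface the firmware exposes and is a hypothetical
# callable here.
from __future__ import annotations

import hashlib
from typing import Callable, Dict, Mapping, Optional, Tuple

Variables = Dict[str, bytes]
Change = Tuple[Optional[bytes], Optional[bytes]]   # (value at hostboot, value later); None = absent


def snapshot(read_all_variables: Callable[[], Mapping[str, bytes]]) -> Variables:
    """Copy every variable so that later writes cannot alias the backup."""
    return {name: bytes(value) for name, value in read_all_variables().items()}


def digest(vars_: Mapping[str, bytes]) -> str:
    """Order-independent fingerprint; a cheap first comparison of two copies."""
    h = hashlib.sha256()
    for name in sorted(vars_):
        h.update(name.encode() + b"\0" + vars_[name] + b"\0")
    return h.hexdigest()


def diff(first: Mapping[str, bytes], second: Mapping[str, bytes]) -> Dict[str, Change]:
    """Names whose value differs between the two copies, with both values."""
    changed: Dict[str, Change] = {}
    for name in first.keys() | second.keys():
        a, b = first.get(name), second.get(name)
        if a != b:
            changed[name] = (a, b)
    return changed


def check_and_restore(normal_variable: Variables,
                      maybe_modification_variable: Variables,
                      current: Variables) -> Dict[str, Change]:
    """Step S303: compare the hostboot copy with the copy taken on entering
    petitboot; if they differ, overwrite the current system's variables in
    place with the hostboot copy. Returns the differences so they can be logged."""
    if digest(normal_variable) == digest(maybe_modification_variable):
        return {}
    changed = diff(normal_variable, maybe_modification_variable)
    # Wholesale overwrite, as the method describes: values changed since
    # hostboot go back, and names that did not exist at hostboot disappear.
    current.clear()
    current.update(normal_variable)
    return changed


# Constructed scenario: a variable store, the hostboot backup, then a write by
# software that should not touch the store before petitboot reads it.
STORE: Variables = {"boot-order": b"disk0,net0", "console": b"hvc0"}
NORMAL_VARIABLE = snapshot(lambda: STORE)                 # taken in the hostboot stage
STORE["boot-order"] = b"net0,disk0"                       # tampered while the system was loading
STORE["rogue-flag"] = b"1"
MAYBE_MODIFICATION_VARIABLE = snapshot(lambda: STORE)     # taken on entering petitboot
CHANGED = check_and_restore(NORMAL_VARIABLE, MAYBE_MODIFICATION_VARIABLE, STORE)

if __name__ == "__main__":
    for name, (before, after) in sorted(CHANGED.items()):
        print(f"{name}: hostboot={before!r} petitboot={after!r} -> restored")
    print("store now equals hostboot copy:", STORE == NORMAL_VARIABLE)
```

Two consequences of the method follow directly from this shape. First, the overwrite is unconditional once any difference is found, so a legitimate change made between the two stages is discarded along with the suspect one; the returned differences are what an operator needs in order to tell the two apart afterwards. Second, the check is only as trustworthy as the storage holding the hostboot copy, since the comparison is against that copy and nothing else.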
Step S304, monitoring the running states of all processes, where the running state of a process is determined according to the running behavior of the process in the micro-service tracking system; in response to monitoring that a first process runs stably within a preset time threshold, raising the trust level of the first process; and in response to determining that the trust level of the first process reaches a preset level threshold, allowing the first process to directly access and modify the system variable.
In this embodiment of the present application, the preset time threshold and the preset level threshold may each be set according to actual requirements; for example, the process level may have 5 levels. If a process is determined to have run continuously and stably within the preset time threshold, its level is raised, and once it reaches a certain level it may directly access and modify the system variable without the condition judgment of the foregoing embodiment. In a specific embodiment, for example, process a first runs at level 4 and keeps running stably for 10 hours, so its level is raised to 5; process a is then managed by the system management service and may directly access and modify the system variable. This is only an example.
In the invention, when a process runs continuously and stably within the preset time threshold, its trust level is raised, and when the trust level reaches the preset level threshold the process is allowed to directly access and modify the system variable. This saves the time spent judging whether the process meets the requirements for modifying the system variable and improves the flexibility of system variable access management.
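The trust-level promotion of step S304, as an added example and not code from the patent. The page says only that the running state comes from the micro-service tracking system, so each observation carries an assumed health flag; times are seconds from a monotonic clock; and since the page describes no demotion, an unhealthy observation merely restarts the stability window. The two-process scenario (process a stable for 10 hours, process b interrupted part-way) is constructed.

```python
# Added example (not the patent's own code): the trust-level promotion of step
# S304. What counts as "stable" is taken from a per-observation health flag
# (assumed; the page only says it comes from the micro-service tracking
# system). Times are seconds from a monotonic clock. The page describes no
# demotion, so an unhealthy observation only restarts the stability window.
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ProcessTrust:
    pid: int
    level: int
    stable_since: Optional[float] = None   # start of the current uninterrupted stable run


class TrustLedger:
    def __init__(self, time_threshold_s: float, level_threshold: int, max_level: int = 5):
        self.time_threshold_s = time_threshold_s   # preset time threshold
        self.level_threshold = level_threshold     # preset level threshold
        self.max_level = max_level                 # 5 levels, as in the page's example
        self._procs: Dict[int, ProcessTrust] = {}

    def register(self, pid: int, initial_level: int) -> None:
        self._procs[pid] = ProcessTrust(pid, initial_level)

    def observe(self, pid: int, now: float, healthy: bool) -> int:
        """Feed one running-state observation; returns the level afterwards."""
        p = self._procs[pid]
        if not healthy:
            p.stable_since = None           # the run was interrupted: start counting again
            return p.level
        if p.stable_since is None:
            p.stable_since = now
        elif now - p.stable_since >= self.time_threshold_s and p.level < self.max_level:
            p.level += 1                    # ran stably through the whole window
            p.stable_since = now            # the next promotion needs a fresh window
        return p.level

    def level(self, pid: int) -> int:
        return self._procs[pid].level

    def may_bypass_check(self, pid: int) -> bool:
        """True once the process may modify system variables without the
        per-access condition judgement of step S201."""
        return self._procs[pid].level >= self.level_threshold


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: process a starts at level 4 and stays healthy for
    10 hours; process b starts at level 4 but is interrupted in hour 6."""
    hour = 3600.0
    ledger = TrustLedger(time_threshold_s=10 * hour, level_threshold=5)
    ledger.register(1, initial_level=4)   # process a
    ledger.register(2, initial_level=4)   # process b
    for t in range(0, 11):                # one observation per hour, t = 0 .. 10
        ledger.observe(1, t * hour, healthy=True)
        ledger.observe(2, t * hour, healthy=(t != 6))
    return {
        "a_level": ledger.level(1), "a_bypass": ledger.may_bypass_check(1),
        "b_level": ledger.level(2), "b_bypass": ledger.may_bypass_check(2),
    }


if __name__ == "__main__":
    print(run_scenario())
```

A caller places `may_bypass_check` in front of the per-access judgement: when it returns True the write goes straight through, otherwise the behavior-log conditions of step S201 are evaluated as before. Because nothing in the method lowers a level once earned, the level threshold and the time threshold together decide how long a process has to behave before it is exempted from that judgement for good.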
The embodiment also provides a variable access management apparatus, which is used to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
The present embodiment provides a variable access management apparatus, as shown in fig. 5, including:
a process judging module 501, configured to, in response to monitoring that a process accesses a system variable with a preset permission, judge, based on the pre-recorded behavior logs of all processes, whether the behavior corresponding to the process meets a preset condition, where the preset condition is a preset process behavior requirement for modifying the system variable;
and a process access module 502, configured to allow the process to modify the system variable in response to determining that the behavior corresponding to the process meets the preset condition.
In some alternative embodiments, the process judging module 501 includes: a first judging unit, configured to judge, in response to determining that the installation time of the software corresponding to the process is within the preset time range, whether the software installation platform corresponding to the process meets the preset installation platform requirement; a second judging unit, configured to judge, in response to determining that the software installation platform corresponding to the process meets the preset installation platform requirement, whether the modification of the system variable by the process is a user operation; and a third judging unit, configured to determine, in response to determining that the modification of the system variable by the process is a user operation, that the behavior corresponding to the process meets the preset condition.
In some optional embodiments, the process installation platform determining unit includes: a second process access operation judging subunit, configured to judge, in response to determining that the installation time of the software corresponding to the process is not within the preset time range, whether the access modification of the system variable by the process is a user operation; and a second process behavior determination subunit, configured to determine, in response to determining that the access modification of the system variable by the process is a user operation, that the behavior corresponding to the process meets the preset condition.
In some alternative embodiments, the second process behavior determination subunit includes: a third process access operation judging subunit, configured to judge, in response to determining that the access modification of the system variable by the process is not a user operation, whether the access modification belongs to a shortcut key operation; and a third process behavior determination subunit, configured to determine, in response to determining that the access modification of the system variable by the process belongs to a shortcut key operation, that the behavior corresponding to the process meets the preset condition.
In some alternative embodiments, the process access operation determination unit includes: a fourth process behavior determination subunit, configured to determine, in response to determining that the access modification of the system variable by the process does not belong to a shortcut key operation, that the behavior corresponding to the process does not meet the preset condition; a fifth process behavior determination subunit, configured to determine, in response to determining that the software installation platform corresponding to the process does not meet the preset installation platform requirement, that the behavior corresponding to the process does not meet the preset condition; and an access interception subunit, configured to intercept the access modification of the system variable by the process in response to determining that the behavior corresponding to the process does not meet the preset condition.
In some alternative embodiments, the variable access management apparatus further includes: a first variable copying module, configured to copy all variables in the system as first variables during the host startup process; a second variable copying module, configured to copy all variables in the system as second variables during the process of entering system startup; a variable comparison module, configured to judge whether the first variables and the second variables differ; and a variable overwriting module, configured to overwrite the variables in the current system with the first variables in response to determining that the first variables and the second variables differ.
In some alternative embodiments, the variable access management apparatus further includes: a running state monitoring module, configured to monitor the running states of all processes, where the running state of a process is determined according to the running behavior of the process in the micro-service tracking system; a process level raising module, configured to raise the trust level of a first process in response to monitoring that the first process runs stably within a preset time threshold; and a process access module, configured to allow the first process to directly access and modify the system variable in response to determining that the trust level of the first process reaches a preset level threshold.
Further functional descriptions of the above modules and units are the same as those of the corresponding embodiments above and are not repeated here.
The variable access management apparatus in this embodiment is presented in the form of functional units, where a unit refers to an ASIC (Application Specific Integrated Circuit), a processor and memory executing one or more software or firmware programs, and/or other devices that can provide the functionality described above.
The embodiment of the invention also provides a computer device, which is provided with the variable access management apparatus described above; see fig. 6.
Referring to fig. 6, fig. 6 is a schematic structural diagram of a computer device according to an alternative embodiment of the present invention. As shown in fig. 6, the computer device includes one or more processors 10, a memory 20, and interfaces for connecting the various components, including high-speed interfaces and low-speed interfaces. The various components are communicatively coupled to each other using different buses and may be mounted on a common motherboard or in other manners as desired. The processor may process instructions executing within the computer device, including instructions stored in or on the memory to display graphical information of a GUI on an external input/output device, such as a display device coupled to the interface. In some alternative embodiments, multiple processors and/or multiple buses may be used, if desired, along with multiple memories. Also, multiple computer devices may be connected, each providing a portion of the necessary operations (e.g., as a server array, a set of blade servers, or a multiprocessor system). One processor 10 is illustrated in fig. 6.
The processor 10 may be a central processor, a network processor, or a combination thereof. The processor 10 may further include a hardware chip, among others. The hardware chip may be an application specific integrated circuit, a programmable logic device, or a combination thereof. The programmable logic device may be a complex programmable logic device, a field programmable gate array, a general-purpose array logic, or any combination thereof.
The memory 20 stores instructions executable by the at least one processor 10, so that the at least one processor 10 performs the method of the embodiments described above.
The memory 20 may include a storage program area that may store an operating system, at least one application program required for functions, and a storage data area; the storage data area may store data created according to the use of the computer device, etc. In addition, the memory 20 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some alternative embodiments, memory 20 may optionally include memory located remotely from processor 10, which may be connected to the computer device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Memory 20 may include volatile memory, such as random access memory; the memory may also include non-volatile memory, such as flash memory, hard disk, or solid state disk; the memory 20 may also comprise a combination of the above types of memories.
The computer device also includes a communication interface 30 for the computer device to communicate with other devices or communication networks.
The embodiments of the present invention also provide a computer-readable storage medium. The method according to the embodiments of the present invention described above may be implemented in hardware, in firmware, or as computer code that is recorded on a storage medium, or that is originally stored on a remote storage medium or a non-transitory machine-readable storage medium and is downloaded through a network to be stored in a local storage medium, so that the method described herein may be executed, from software stored on such a storage medium, by a general-purpose computer, a special-purpose processor, or programmable or special-purpose hardware. The storage medium may be a magnetic disk, an optical disk, a read-only memory, a random access memory, a flash memory, a hard disk, a solid state disk or the like; further, the storage medium may also comprise a combination of the kinds of memory described above. It will be appreciated that a computer, processor, microprocessor controller or programmable hardware includes a storage element that can store or receive software or computer code which, when accessed and executed by the computer, processor or hardware, implements the methods illustrated by the above embodiments.
Although the embodiments of the present invention have been described with reference to the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (9)

1. A method of variable access management, the method comprising:
in response to monitoring that a process modifies a system variable with preset permission, judging, based on the behavior logs of all processes, whether the behavior corresponding to the process meets a preset condition, wherein the preset condition is a preset process behavior requirement for modifying the system variable;
allowing the process to modify the system variable in response to determining that the behavior corresponding to the process satisfies the preset condition;
the method further comprises the steps of:
monitoring the running states of all processes, wherein the running state of a process is determined according to the running behavior of the process in the micro-service tracking system;
in response to monitoring that a first process runs stably within a preset time threshold, raising the trust level of the first process;
in response to determining that the trust level of the first process reaches a preset level threshold, allowing the first process to directly access and modify the system variable.
2. The variable access management method according to claim 1, wherein the behavior logs of all processes are obtained by tracking and recording behaviors of all processes in a micro-service system, the behavior logs of all processes including at least one of:
the installation time and the installation platform of the software corresponding to the process, and whether the modification of the process to the system variable is user operation or not;
the determining that the behavior corresponding to the process meets the preset condition comprises:
in response to determining that the installation time of the software corresponding to the process is within a preset time range, judging whether a software installation platform corresponding to the process meets the requirement of the preset installation platform;
responding to the fact that the software installation platform corresponding to the process meets the requirement of the preset installation platform, and judging whether the modification of the system variable by the process is user operation or not;
and in response to determining that the modification of the system variable by the process is user operation, determining that the behavior corresponding to the process meets the preset condition.
3. The variable access management method according to claim 2, wherein the determining that the behavior corresponding to the process satisfies the preset condition further includes:
in response to determining that the installation time of the software corresponding to the process is not within the preset time range, judging whether the access modification of the process to the system variable is user operation or not;
and in response to determining that the access modification of the process to the system variable is a user operation, determining that the behavior corresponding to the process meets a preset condition.
4. A variable access management method according to claim 2 or 3, wherein the behavior log of the process further includes whether modification of a system variable by the process belongs to a shortcut key operation, and the determining that the behavior corresponding to the process satisfies a preset condition further includes:
responsive to determining that the access modification of the process to the system variable is not a user operation, determining whether the access modification of the process to the system variable belongs to a shortcut key operation;
and in response to determining that the access modification of the process to the system variable belongs to the shortcut key operation, determining that the behavior corresponding to the process meets the preset condition.
5. The variable access management method according to claim 2, wherein the determining that the behavior corresponding to the process does not satisfy the preset condition includes:
in response to determining that the access modification of the process to the system variable does not belong to the shortcut key operation, determining that the behavior corresponding to the process does not meet a preset condition;
in response to determining that the software installation platform corresponding to the process does not meet the requirement of the preset installation platform, determining that the behavior corresponding to the process does not meet the preset condition;
and intercepting access modification of the process to the system variable in response to determining that the behavior corresponding to the process does not meet the preset condition.
6. The variable access management method according to claim 1, characterized in that the method further comprises:
copying all variables in the system as first variables in the starting process of the host;
copying all variables in the system as second variables in the starting process of the entering system;
judging whether the first variable and the second variable are different;
in response to determining that the first variable and the second variable differ, overwriting the variables in the current system with the first variable.
7. A variable access management apparatus, the apparatus comprising:
a process judging module, configured to, in response to monitoring that a process accesses and modifies a system variable with preset permission, judge, based on the pre-recorded behavior logs of all processes, whether the behavior corresponding to the process meets a preset condition, wherein the preset condition is a preset process behavior requirement for modifying the system variable;
a process access module, which is used for allowing the process to modify the system variable in response to determining that the behavior corresponding to the process meets the preset condition;
a running state monitoring module, configured to monitor the running states of all processes, wherein the running state of a process is determined according to the running behavior of the process in the micro-service tracking system;
a process level raising module, configured to raise the trust level of a first process in response to monitoring that the first process runs stably within a preset time threshold;
and a process access module, configured to allow the first process to directly access and modify the system variable in response to determining that the trust level of the first process reaches a preset level threshold.
8. A computer device, comprising:
a memory and a processor, the memory and the processor being communicatively connected to each other, the memory having stored therein computer instructions, the processor executing the computer instructions to perform the variable access management method of any one of claims 1 to 6.
9. A computer-readable storage medium having stored thereon computer instructions for causing a computer to execute the variable access management method of any one of claims 1 to 6.
CN202310922022.2A 2023-07-25 2023-07-25 Variable access management method, device, computer equipment and storage medium Active CN116910744B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202310922022.2A CN116910744B (en) 2023-07-25 2023-07-25 Variable access management method, device, computer equipment and storage medium
CN202410280769.7A CN118171265A (en) 2023-07-25 2023-07-25 Variable access management method, device, computer equipment and storage medium

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202410280769.7A Division CN118171265A (en) 2023-07-25 2023-07-25 Variable access management method, device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN116910744A CN116910744A (en) 2023-10-20
CN116910744B true CN116910744B (en) 2024-04-12

Family

ID=88366552

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202310922022.2A Active CN116910744B (en) 2023-07-25 2023-07-25 Variable access management method, device, computer equipment and storage medium
CN202410280769.7A Pending CN118171265A (en) 2023-07-25 2023-07-25 Variable access management method, device, computer equipment and storage medium

Country Status (1)

Country Link
CN (2) CN116910744B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101231682A (en) * 2007-01-26 2008-07-30 李贵林 Computer information safe method
CN106022117A (en) * 2016-05-18 2016-10-12 北京金山安全软件有限公司 Method and device for preventing system environment variable from being modified and electronic equipment
CN114329452A (en) * 2021-12-31 2022-04-12 深信服科技股份有限公司 Abnormal behavior detection method and device and related equipment
CN115016944A (en) * 2022-06-30 2022-09-06 龙芯中科技术股份有限公司 Process access method and device and electronic equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230026664A1 (en) * 2020-01-31 2023-01-26 Hewlett-Packard Development Company, L.P. Access filter for bios variables

Also Published As

Publication number Publication date
CN116910744A (en) 2023-10-20
CN118171265A (en) 2024-06-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant