CN117056930A - File reinforcement method, device, equipment and medium based on mimicry system environment

Info

Publication number: CN117056930A
Application number: CN202210479908.XA
Authority: CN (China)
Original language: Chinese (zh)
Inventor: 陶涛
Assignee: Tencent Technology Shenzhen Co Ltd
Legal status: Pending

Classifications

    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/31 User authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Abstract

The application relates to the field of computers and provides a file reinforcement method, device, equipment and medium based on a mimicry system environment. The method comprises the following steps: based on the object information carried by a system login request, and once the target login object has been determined to be a legal login object, judging from the local configuration file associated with the target login object whether it is a restricted login object, and, if it is, authorizing it to log in to a mimicry system environment whose running environment is identical to that of the real system environment. Because the mimicry system environment and the real system environment are isolated from each other, the security of the real system environment is protected. Because the two system environments share the same running environment, the use cost and the maintenance cost of the system are reduced.

Description

File reinforcement method, device, equipment and medium based on mimicry system environment
Technical Field
The application relates to the field of computers, and provides a file reinforcement method, device, equipment and medium based on a mimicry system environment.
Background
With the development of the economy and the progress of technology, information technology is advancing at an unprecedented speed. However, rampant computer virus propagation and illegal network intrusion also pose a serious security threat to information networks. Because an information network relies on its underlying operating system, hardening and protecting that operating system further enhances the security of the information network.
Early approaches deploy a probe program that periodically scans whether system files in the operating system have changed and applies rule-based judgement to the changed files. However, the probe program can only prevent system files from being tampered with; it cannot protect the system files when the reinforced target operating system is subjected to other network attacks.
Therefore, to overcome the above drawbacks, the following approaches are commonly used to upgrade the reinforcement of the operating system on top of the deployed probe program:
One approach configures the rights of all processes and system resources in the operating system to be reinforced according to a Mandatory Access Control (MAC) policy.
The MAC policy lists the executable authority of every system file in detail, so a target login object can use the target operating system normally only if it is familiar with the MAC policy, which increases the use cost of the system.
Moreover, the MAC policy cannot restrict the rights of the login object itself. If a login object with high authority issues a malicious operation instruction, the target operating system still executes it, and the aim of improving the security of the operating system is not achieved.
Another approach modifies the kernel of the operating system to be reinforced and patches the upgrade into the kernel source code.
Because this involves modifying the kernel, the kernel and related drivers must be updated separately every time the target operating system is upgraded, which increases the maintenance cost of the system.
Disclosure of Invention
The embodiments of the application provide a file reinforcement method, device, equipment and medium based on a mimicry system environment, which address the low protection level, high use cost and high maintenance cost of a target operating system.
In a first aspect, an embodiment of the application provides a file reinforcement method based on a mimicry system environment, comprising:
acquiring a system login request sent by a target login object, the system login request carrying object information of the target login object;
performing login authentication of the target login object according to the object information carried by the system login request;
when the target login object is determined to be a legal login object, acquiring a local configuration file associated with the target login object to determine whether the target login object is a restricted login object; and
when the target login object is determined to be a restricted login object, authorizing the target login object to log in to a mimicry system environment whose running environment is the same as that of the real system environment.
In a second aspect, an embodiment of the application further provides a file reinforcement device based on a mimicry system environment, comprising:
a transmission unit, configured to acquire a system login request sent by a target login object, the system login request carrying object information of the target login object; and
a login authentication unit, configured to perform login authentication of the target login object according to the object information carried by the system login request;
to acquire, when the target login object is determined to be a legal login object, a local configuration file associated with the target login object in order to determine whether the target login object is a restricted login object; and
to authorize, when the target login object is determined to be a restricted login object, the target login object to log in to a mimicry system environment whose running environment is the same as that of the real system environment.
Optionally, the file reinforcement device further comprises a mimicry creation unit, configured, before the system login request sent by the target login object is acquired, to:
respond to a mimicry system environment creation instruction by creating, in the operating system to be reinforced, a mimicry system environment whose running environment is the same as that of the real system environment.
Optionally, the file reinforcement device further comprises a file modification unit, configured, after the mimicry system environment has been created, to:
respond to a file modification instruction by reading from the real system environment the local configuration file associated with each target login object, each target login object being an object for which an account has been created in the operating system to be reinforced; and
add an object type identifier to each local configuration file, thereby obtaining the reinforced target operating system; the object type identifier enables the target operating system to authorize a target login object to log in to the mimicry system environment once that object is determined to be a restricted login object.
Optionally, the file reinforcement device further comprises an instruction audit unit, configured, after the target login object has been authorized to log in to the mimicry system environment, to:
receive, through a privilege-elevation management component deployed in the real system environment, a privilege-elevation request sent by the target login object through a virtual remote-login client, the virtual remote-login client being deployed in the mimicry system environment; and
judge, through the privilege-elevation management component, the risk of the target operation instruction carried in the privilege-elevation request, the target operation instruction being an operation instruction that needs to run in the real system environment.
Optionally, the instruction audit unit is configured to:
match, through the privilege-elevation management component, the target operation instruction carried in the privilege-elevation request against each of a plurality of rule groups used to judge how dangerous the instruction is; and
determine, through the privilege-elevation management component, whether the target operation instruction is a dangerous operation instruction based on the matching results obtained.
Optionally, after the risk of the target operation instruction carried in the privilege-elevation request has been judged, the instruction audit unit is further configured to:
when the target operation instruction is determined to be a dangerous operation instruction, perform password authentication of the target login object; if the target login object enters the correct key within a specified time, the authentication is judged successful and the target operation instruction is allowed to run in the real system environment; and
when the target operation instruction is determined to be a normal operation instruction, allow it to run in the real system environment.
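One concrete form of the audit just described (matching the instruction against several rule groups, then requiring the key within a time window before a dangerous instruction may run in the real system environment), written as an added shell example that is not the patent's own code. The three rule groups, their glob patterns, the 30-second window and the demo key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the patent's own code: the audit a privilege-elevation
# management component applies to an operation instruction carried in a
# privilege-elevation request. Rule groups, patterns, AUTH_WINDOW and the
# stored key are all constructed for this illustration.

AUTH_WINDOW=30     # seconds the login object has to enter the key (assumed)
# constructed demo key; a deployment would defer to the system's own
# password store instead of keeping a hash in the script
STORED_KEY_HASH=$(printf '%s' 'constructed-demo-key' | sha256sum | cut -d' ' -f1)

# match_group GROUP CMD: succeed when CMD matches any pattern of GROUP.
# A deployment would load the groups from a rule file; these glob patterns
# only sketch the idea of grading an instruction by what it touches.
match_group() {
    case "$1" in
        destroy)   set -- "$2" '*rm -rf /' '*rm -rf / *' '*rm -rf /opt*' '*mkfs*' ;;
        account)   set -- "$2" '*useradd*' '*usermod*' '*passwd *' '*visudo*' ;;
        sensitive) set -- "$2" '*/etc/shadow*' '*/etc/sudoers*' '*/boot/*' ;;
        *)         return 1 ;;
    esac
    cmd=$1
    shift
    for pat in "$@"; do
        # unquoted $pat is deliberately used as a glob pattern
        case "$cmd" in $pat) return 0 ;; esac
    done
    return 1
}

# audit_instruction CMD: match CMD against every rule group and print the
# verdict: "normal", or "dangerous:<matched groups>" with return status 1.
audit_instruction() {
    hits=""
    for g in destroy account sensitive; do
        if match_group "$g" "$1"; then
            hits="$hits,$g"
        fi
    done
    if [ -n "$hits" ]; then
        echo "dangerous:${hits#,}"
        return 1
    fi
    echo normal
}

# gate_instruction CMD KEY ELAPSED: decide whether CMD may run in the real
# system environment. KEY is what the login object typed when challenged
# and ELAPSED the seconds it took. Prints "allow", "allow-after-auth" or
# "refuse (<verdict>)"; returns 1 on refuse.
gate_instruction() {
    if verdict=$(audit_instruction "$1"); then
        echo allow            # normal instruction: no challenge needed
        return 0
    fi
    supplied=$(printf '%s' "$2" | sha256sum | cut -d' ' -f1)
    if [ "$3" -le "$AUTH_WINDOW" ] && [ "$supplied" = "$STORED_KEY_HASH" ]; then
        echo allow-after-auth # correct key entered within the window
        return 0
    fi
    echo "refuse ($verdict)"  # wrong key or too slow: instruction is dropped
    return 1
}
```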
Optionally, before the privilege-elevation management component deployed in the real system environment receives the privilege-elevation request sent by the target login object through the virtual remote-login client, the instruction audit unit is further configured to:
interconnect, through the privilege-elevation management component deployed in the real system environment, with the virtual remote-login client when the target login object is detected accessing the associated port through the virtual remote-login client.
Optionally, the instruction audit unit is configured to:
acquire the object type identifier carried by the local configuration file;
when the object type identifier is a first object type identifier, determine that the target login object is a restricted login object; and
when the object type identifier is a second object type identifier, determine that the target login object is an unrestricted login object.
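The object type identifier check above, together with the per-object local configuration file that the file modification unit writes it into, as an added shell example that is not the patent's own code. The key=value file layout, the identifier values "restricted" and "unrestricted", the probe_port key and the $CONF_DIR location are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not the patent's own code: route an authenticated login to
# the mimicry or the real system environment from the object type identifier
# in the object's local configuration file. Layout and values are assumed.

CONF_DIR="${CONF_DIR:-$(mktemp -d)}"   # constructed sample files live here

# write_local_conf NAME TYPE PORT: create a constructed local configuration
# file for login object NAME carrying its object type identifier and the
# port the privilege-elevation management component should probe.
write_local_conf() {
    printf 'login_object=%s\nobject_type=%s\nprobe_port=%s\n' "$1" "$2" "$3" \
        > "$CONF_DIR/$1.conf"
}

# conf_value FILE KEY: print the first value stored under KEY in FILE.
conf_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# login_target NAME: print the environment an already-authenticated login
# object may enter: "mimicry" for the first identifier (restricted), "real"
# for the second (unrestricted). A missing file or an unknown identifier
# fails closed: print "deny" and return 1.
login_target() {
    f="$CONF_DIR/$1.conf"
    if [ ! -r "$f" ]; then
        echo deny
        return 1
    fi
    case "$(conf_value "$f" object_type)" in
        restricted)   echo mimicry ;;
        unrestricted) echo real ;;
        *)            echo deny; return 1 ;;
    esac
}

# probe_port NAME: the port, read from the local configuration file, that
# the privilege-elevation management component probes for NAME's virtual
# remote-login client.
probe_port() {
    conf_value "$CONF_DIR/$1.conf" probe_port
}

# Constructed sample objects: two valid identifiers and one malformed file.
write_local_conf alice restricted 40001
write_local_conf admin unrestricted 40002
write_local_conf eve "" 40003
```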
Optionally, before the mimicry creation instruction is acquired, the instruction audit unit is further configured to:
deploy the privilege-elevation management component in the real system environment; and
probe, through the privilege-elevation management component, the respective ports of the target login objects and wait to establish a communication connection with the virtual remote-login client deployed in the mimicry system environment, so that the successfully interconnected privilege-elevation management component receives the privilege-elevation request sent by a target login object through the virtual remote-login client and judges the risk of the target operation instruction carried in it, the target operation instruction being an operation instruction that needs to run in the real system environment.
Optionally, the instruction audit unit is configured to:
read, through the privilege-elevation management component, the local configuration file associated with each target login object; each time a local configuration file is read, the probe socket it carries is obtained and the port associated with that probe socket is probed.
Optionally, the instruction audit unit is configured to:
acquire a component installation package through an interface of the real system environment; and
deploy the privilege-elevation management component packaged in the component installation package in the real system environment.
In a third aspect, an embodiment of the application further provides a computer device comprising a processor and a memory, the memory storing program code which, when executed by the processor, causes the processor to perform the steps of any of the above file reinforcement methods based on a mimicry system environment.
In a fourth aspect, an embodiment of the application further provides a computer-readable storage medium comprising program code which, when run on a computer device, causes the computer device to perform the steps of any of the above file reinforcement methods based on a mimicry system environment.
In a fifth aspect, an embodiment of the application further provides a computer program product comprising computer instructions which, when executed by a processor, implement the steps of any of the above file reinforcement methods based on a mimicry system environment.
The application has the following beneficial effects:
The embodiments of the application provide a file reinforcement method, device, equipment and medium based on a mimicry system environment. The method comprises: acquiring a system login request sent by a target login object, the request carrying object information of the target login object; performing login authentication of the target login object according to that object information; when the target login object is determined to be a legal login object, acquiring the local configuration file associated with it to determine whether it is a restricted login object; and, when it is determined to be a restricted login object, authorizing it to log in to a mimicry system environment whose running environment is the same as that of the real system environment.
In the embodiments of the application, whether the target login object is a restricted login object is judged from the local configuration file associated with it, and a target login object identified as restricted is logged in to a mimicry system environment whose running environment is the same as that of the real system environment. Because the mimicry system environment and the real system environment are isolated from each other, a malicious operation instruction issued by a target login object logged in to the mimicry system environment can only damage the running environment of the mimicry system environment; the security of the real system environment is unaffected, and the protection level of the operating system is improved.
Moreover, because the internal running environments of the two system environments are the same, a target login object logged in to the mimicry system environment does not need to spend time relearning how to use the system, which reduces the use cost of the system. In addition, creating the mimicry system environment involves no kernel modification, which reduces the system maintenance cost.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a schematic diagram of an alternative embodiment of the present application applied to one of the application scenarios;
FIG. 2 is a schematic diagram of a target operating system according to an embodiment of the present application;
FIG. 3A is a schematic diagram of the logic for file reinforcement of an operating system to be reinforced according to an embodiment of the present application;
FIG. 3B is a flowchart illustrating a process for performing file reinforcement on an operating system to be reinforced according to an embodiment of the present application;
FIG. 3C is a schematic diagram of creating, restoring and closing a mimicry system environment according to an embodiment of the present application;
FIG. 4A is a flowchart of a file reinforcement method based on a mimicry system environment according to an embodiment of the present application;
FIG. 4B is a flowchart illustrating how the target operating system identifies whether a target login object is a restricted login object according to an embodiment of the present application;
FIG. 5 is a schematic flowchart of the interconnection between the privilege-elevation management component and the virtual remote-login client according to an embodiment of the present application;
FIG. 6 is a schematic flowchart of the instruction audit service applied to the target operation instruction carried in a privilege-elevation request according to an embodiment of the present application;
FIG. 7 is a schematic flowchart of file reinforcement applied to a Linux system according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a file reinforcement device based on a mimicry system environment according to an embodiment of the present application;
FIG. 9 is a schematic diagram of a computer device according to an embodiment of the present application;
FIG. 10 is a schematic diagram of a computing device according to an embodiment of the application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the technical solutions of the present application, but not all embodiments. All other embodiments, based on the embodiments described in the present document, which can be obtained by a person skilled in the art without any creative effort, are within the scope of protection of the technical solutions of the present application.
Some terms in the embodiments of the present application are explained below to facilitate understanding by those skilled in the art.
1. Mandatory access control (MAC):
MAC (Mandatory Access Control) arose from the confidentiality requirements of information security and from the requirement to protect systems against computer virus attacks. MAC prevents direct or indirect illegal intrusion through access restrictions that cannot be bypassed. Every subject and object in the system is assigned a fixed security attribute by the security administrator, and these attributes determine whether a subject may access a given object. The security attributes are mandatory: a login object or its processes cannot change the security attributes of themselves or of other subjects and objects.
In essence, MAC is a lattice-based, acyclic, unidirectional information-flow policy. Its two key access-control rules are no read-up and no write-down: information may flow only from a lower security level to a higher one, and any flow that violates this acyclic rule is prohibited.
Here a subject generally refers to a login object, or to a process or device that runs on behalf of a login object. The subject is the active initiator of an access operation and of the information flow, so that information flows between entities.
An object generally refers to a carrier or entity that receives information from other subjects or objects. A subject can itself become an accessed or controlled object, e.g. when one subject authorizes another; when a process controls several child processes, the controlled subject or child process is likewise a kind of object.
2. Linux kernel: the monolithic kernel of the open-source Unix-like operating system. The whole Linux operating system family is based on this kernel and is deployed on conventional computer platforms and on a variety of embedded platforms (such as routers, wireless access points and private branch exchanges). The Android operating system running on tablets, smartphones and smartwatches is likewise built on the services provided by the Linux kernel.
Technically, Linux is only a kernel conforming to the POSIX standard; it provides a set of application programming interfaces (APIs) through which programs interact with the kernel and the hardware.
3. Stacked file system (OverlayFS): a Linux file system service that combines the contents of several directories into a single directory according to an upper/lower layering.
The stacked file system uses two directories, one stacked over the other, and presents a single unified view to the outside. The two directories are commonly called "layers": the lower directory is called lowerdir and is read-only, the upper directory is called upperdir and is readable and writable, and the unified view presented to the outside is called the merged directory.
4. Jailkit: a toolset for the Linux operating system that can quickly create a restricted login object inside a chroot jail, allowing a login object without super-administrator authority to execute a limited set of operation instructions inside the chroot jail.
5. chroot: i.e. change root, a Linux operation instruction that changes the location of the system root directory referenced when a program executes.
The design concept of the embodiments of the application is briefly described below:
As set out in the Background, the probe program that periodically scans system files for changes can only prevent tampering; it cannot protect system files when the reinforced target operating system is subjected to other network attacks. Reinforcing the operating system with a Mandatory Access Control (MAC) policy requires the target login object to be familiar with that policy, which increases the use cost, and cannot stop a high-authority login object from having its malicious operation instructions executed. Reinforcing by modifying the kernel requires the kernel and related drivers to be updated separately at every system upgrade, which increases the maintenance cost.
In view of this, the embodiments of the application provide a file reinforcement method, device, equipment and medium based on a mimicry system environment. The method comprises: acquiring a system login request sent by a target login object, the request carrying object information of the target login object; performing login authentication of the target login object according to that object information; when the target login object is determined to be a legal login object, acquiring the local configuration file associated with it to determine whether it is a restricted login object; and, when it is determined to be a restricted login object, authorizing it to log in to a mimicry system environment whose running environment is the same as that of the real system environment.
In the embodiments of the application, whether the target login object is a restricted login object is judged from the local configuration file associated with it, and a target login object identified as restricted is logged in to a mimicry system environment whose running environment is the same as that of the real system environment.
Moreover, because the internal running environments of the two system environments are the same, a target login object logged in to the mimicry system environment does not need to spend time relearning how to use the system, which reduces the use cost. In addition, creating the mimicry system environment involves no kernel modification, which reduces the maintenance cost.
The preferred embodiments of the present application will be described below with reference to the accompanying drawings of the specification, it being understood that the preferred embodiments described herein are for illustration and explanation only, and not for limitation of the present application, and embodiments of the present application and features of the embodiments may be combined with each other without conflict.
The embodiments of the application can be applied to various scenarios, including but not limited to cloud technology, cloud security, artificial intelligence, intelligent transport, driver assistance, honeypot security, sandbox security, host reinforcement, tamper resistance, bastion-host security products and related implementation scenarios.
Fig. 1 shows a schematic diagram of one application scenario, where the application scenario includes two physical terminal devices 110 and one server 130, and the two physical terminal devices 110 and the server 130 establish a communication connection through a wired network or a wireless network.
The physical terminal device 110 in the embodiment of the present application is a computer device used by a user. Computer devices include, but are not limited to, cell phones, computers, intelligent voice interaction devices, intelligent appliances, vehicle terminals, aircraft, and the like.
The server 130 in the embodiment of the present application may be an independent physical server, may be a server cluster or a distributed system formed by a plurality of physical servers, or may be a cloud server that provides cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), and basic cloud computing services such as big data and artificial intelligence platforms, where the related embodiments may be applied to secure products and related implementation scenarios such as honeypot security, sandbox security, host reinforcement, tamper resistance, and fort machine.
The physical terminal device 110 responds to a request generation instruction triggered by the target login object, and generates a system login request of the target login object based on the object information such as an account number, a password and the like of the target login object input by the target login object in the access interface 120;
the physical terminal device 110 sends a system login request to the hardened target operating system, which is deployed on the server 130.
The target operating system performs login authentication identification on the target login object according to the object information of the target login object carried by the system login request. When the target login object is determined to be a legal login object, the target operating system determines, based on the local configuration file associated with the target login object, whether it is a restricted login object, and when it is, authorizes the target login object to log in to a mimicry system environment that has the same running environment as the real system environment.
As shown in FIG. 2, the target operating system includes a real system environment and a mimicry system environment that has the same running environment. The two system environments differ in that a directory created in the real system environment supports both read and write operations, whereas a directory created in the mimicry system environment supports only read operations and not write operations.
The real system environment at least comprises: a real login management component, a privilege escalation management component, a real database, a user-level real root directory (the /opt root directory), a plurality of real subfile directories mounted under the real /opt root directory, and a real remote login (telnet) client not shown in FIG. 2. Each real subfile directory stores system files such as the device files of application programs and other customized files.
The mimicry system environment at least comprises: a mimicry login management component, a virtual remote login (telnet) client, a mimicry database, a mimicry root file directory (the /opt directory) and a plurality of mimicry subfile directories mounted in the mimicry root file directory. Each mimicry subfile directory likewise stores system files such as the device files of application programs and other customized files.
Having described the structure of the target operating system, the specific implementation steps of file reinforcement for the operating system to be reinforced are introduced next.
Although several commonly used reinforcement schemes have improved protection, the following drawbacks remain:
In the reinforcement scheme based on a MAC policy, because the MAC policy lists the executable permissions of every system file in detail, the MAC policy is difficult to configure, and once the configuration is wrong the system may become unusable and fail to operate normally. Moreover, the target login object can use the target operating system normally only if it is familiar with the MAC policy, which raises the cost of using the system.
In the kernel-based reinforcement scheme, because modification operations are made to the kernel, the drivers related to the kernel must be recompiled against the modified kernel and each compiled driver redeployed on the server, so the reinforcement steps are very cumbersome, and services originally running on the system may be interrupted during reinforcement. In addition, each time the target operating system is upgraded, the kernel and related drivers must be updated separately, which increases the maintenance cost of the system.
In order to solve the problems of cumbersome reinforcement steps, long time consumption, high system use cost and poor compatibility in common reinforcement schemes, file reinforcement is performed on the operating system to be reinforced before the target operating system acquires a system login request sent by a target login object, yielding the target operating system. Referring to the logic diagram shown in FIG. 3A and the flowchart shown in FIG. 3B, the reinforcement process of the operating system to be reinforced is as follows.
S301: the operating system to be reinforced deploys a privilege escalation management component in the real system environment.
In the reinforcement scheme based on a MAC policy, the reinforced target operating system needs to audit every operation instruction invoked at the bottom layer, which consumes a great deal of system resources and seriously affects the processing performance of the target operating system. Moreover, since the target operating system cannot capture statically compiled operation instructions, or operation instructions that are not called through the system library, it cannot audit whether such operation instructions threaten the running environment of the target operating system.
Based on the system environment isolation provided by container isolation technology, a malicious operation instruction sent by a target login object logged in to the mimicry system environment can only damage the running environment of the mimicry system environment and cannot affect the security of the real system environment, so operation instructions run in the mimicry system environment do not need to be audited.
However, considering that a target login object logged in to the mimicry system environment may also have a business need to maintain the system, in order to protect the security of the real system environment, a privilege escalation management component is deployed in the real system environment. It provides an instruction audit service for target login objects logged in to the mimicry system environment: it audits each operation instruction that needs to run in the real system environment (such as adding, deleting or viewing system files in the real system environment) and judges whether the operation instruction threatens the running environment of the real system environment.
The specific deployment process is as follows: the component installation package is acquired through an interface of the real system environment, and the privilege escalation management component packaged in the component installation package is deployed in the real system environment.
S302: the operating system to be reinforced, through the privilege escalation management component, listens on the respective port of each target login object whose account has been created in the operating system to be reinforced, and waits to establish a communication connection with the virtual remote login client deployed in the mimicry system environment, so that once interconnected, the privilege escalation management component receives the privilege escalation request sent by the target login object through the virtual remote login client and performs risk judgment on the target operation instruction carried in the privilege escalation request, the target operation instruction being an operation instruction that needs to run in the real system environment.
The local configuration file associated with each target login object is read through the privilege escalation management component; each time a local configuration file is read, the detection socket it carries is obtained, and a socket interface (socket) service is then started based on that detection socket to listen on the port associated with it.
S303: the operating system to be reinforced responds to a mimicry system environment creation instruction by creating, within itself, a mimicry system environment that has the same running environment as the real system environment.
In response to a mimicry system environment creation instruction triggered by a system development object, mimicry processing is performed on the real system environment based on a stacked file system and container isolation technology, and a mimicry system environment with the same running environment as the real system environment is created in the operating system to be reinforced.
Container isolation technology includes mimicry mirroring (image) technology. Compared with the cumbersome reinforcement steps, long time consumption, high system use cost and poor compatibility of common reinforcement schemes, container isolation technology has the following advantages:
The first advantage is that the real system environment is isolated from the mimicry system environment. Therefore, when a target login object logs in to the mimicry system environment, a malicious operation instruction it sends can only damage the running environment of the mimicry system environment and cannot affect the security of the real system environment; this achieves a honeypot effect that protects the real system environment and raises the protection level of the operating system.
The second advantage is that the mimicry system environment has the same running environment as the real system environment. A target login object logged in to the mimicry system environment does not need to spend time relearning how to use the system, which reduces the cost of using the operating system. In addition, the kernel is not modified when the mimicry system environment is created, so the kernel and related drivers do not need special maintenance each time the target operating system is updated, which reduces the maintenance cost of the system.
The third advantage is that the implementation steps of container isolation technology are simple and quick, and services already running in the real system environment are not interrupted while the mimicry system environment is created. Moreover, container isolation technology is suitable for the real system environments of different application scenarios and is highly compatible.
One characteristic of a stacked file system is that the file contents of a plurality of directories can be merged into one directory. To make full use of this characteristic and reduce disk occupancy, a stacked file system is used as the file system of the mimicry system environment.
Next, referring to the logic diagram shown in FIG. 3C, the creation, closing and restoration processes of the mimicry system environment are described.
(1) The creation process of the mimicry system environment is as follows:
The operating system to be reinforced acquires an operation instruction triggered by the system development object; when parsing the operation instruction determines that it is a mimicry system environment creation instruction, the file system driver is loaded and a mimicry root file directory is created on a designated disk of the mimicry system environment. Then, based on the stacked file system, the plurality of real subfile directories mounted in the real root file directory are copied to the mimicry root file directory, and the system files in each real subfile directory are copied to the mimicry subfile directory of the same name, yielding the mimicry system environment.
The mimicry subfile directories at least comprise: the system's running-state directories (e.g. sys, proc), the system's key directories, the device file directory, and other customized directories.
It is precisely because the device file directory is created in the mimicry system environment, and the device files needed to run application programs are copied into it, that the various operation instructions sent by the target login object can be run in the mimicry system environment.
(2) The closing process of the mimicry system environment is as follows:
The operating system to be reinforced parses the operation instruction; when it determines that the operation instruction is a mimicry system environment closing instruction or a mimicry system environment restoration instruction, it traverses its proc process information directory to find the processes in an occupied state, then executes a process cleanup task that closes the currently occupying processes one by one and releases the system resources occupied by each process, and finally unmounts each mimicry subfile directory mounted in the mimicry root file directory.
(3) The restoration process of the mimicry system environment is as follows:
The operating system to be reinforced parses the operation instruction; when it determines that the operation instruction is a mimicry system environment restoration instruction, it executes the closing operation of the mimicry system environment, deletes the previously created mimicry root file directory, and re-executes the creation operation of the mimicry system environment.
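The three lifecycle operations above, as an added example that is not part of the patent: the mimicry root is populated by copying the real sub-directories, occupying processes are found by traversing the proc directory and comparing each process's root link with the mimicry root, and closing/restoring take injectable kill and unmount callbacks so the demo runs on a constructed layout in a temporary directory. The sub-directory list, the demo paths and the fake proc tree are constructed for this example.

```python
import os
import shutil
import signal
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Iterable, List

# Constructed selection of the sub-directories the patent names: running-state
# directories (sys, proc), key system directories and the device file directory.
MIMIC_SUBDIRS = ("sys", "proc", "dev", "etc", "bin")


def create_mimic_env(real_root: str, mimic_root: str,
                     subdirs: Iterable[str] = MIMIC_SUBDIRS) -> List[str]:
    """(1) Creation: make the mimicry root and copy each real sub-directory into
    a same-named mimicry sub-directory. Returns the mimicry paths created."""
    Path(mimic_root).mkdir(parents=True, exist_ok=True)
    created = []
    for name in subdirs:
        src, dst = Path(real_root) / name, Path(mimic_root) / name
        if src.is_dir():
            shutil.copytree(src, dst, symlinks=True, dirs_exist_ok=True)
        else:
            dst.mkdir(exist_ok=True)  # real directory absent: empty placeholder
        created.append(str(dst))
    return created


def processes_in_env(mimic_root: str, proc_dir: str = "/proc") -> List[int]:
    """Traverse the proc directory; a PID whose <proc_dir>/<pid>/root resolves
    to (or below) the mimicry root is a process still occupying the environment."""
    target = os.path.realpath(mimic_root)
    pids = []
    for entry in os.listdir(proc_dir):
        if not entry.isdigit():
            continue  # skip self, sys, meminfo, ...
        try:
            root = os.path.realpath(os.path.join(proc_dir, entry, "root"))
        except OSError:
            continue  # process already exited, or not permitted to inspect
        if root == target or root.startswith(target + os.sep):
            pids.append(int(entry))
    return sorted(pids)


def _default_unmount(path: str) -> None:
    subprocess.run(["umount", path], check=True)


def close_mimic_env(mimic_root: str, mounted_subdirs: Iterable[str],
                    proc_dir: str = "/proc",
                    kill: Callable[[int], None] = lambda pid: os.kill(pid, signal.SIGTERM),
                    unmount: Callable[[str], None] = _default_unmount) -> dict:
    """(2) Closing: end each occupying process one by one (releasing its
    resources), then unmount every mimicry sub-directory under the root."""
    killed = processes_in_env(mimic_root, proc_dir)
    for pid in killed:
        kill(pid)
    unmounted = []
    for path in mounted_subdirs:
        unmount(path)
        unmounted.append(path)
    return {"killed": killed, "unmounted": unmounted}


def restore_mimic_env(real_root: str, mimic_root: str,
                      mounted_subdirs: Iterable[str], **close_kw) -> dict:
    """(3) Restoration: close the environment, delete the old mimicry root,
    then run the creation operation again."""
    closed = close_mimic_env(mimic_root, mounted_subdirs, **close_kw)
    shutil.rmtree(mimic_root, ignore_errors=True)
    return {"closed": closed, "created": create_mimic_env(real_root, mimic_root)}


def demo() -> dict:
    """Run the lifecycle on a constructed layout in a temporary directory with a
    fake proc tree, so nothing real is killed or unmounted."""
    base = tempfile.mkdtemp()
    real, mimic, proc = (os.path.join(base, d) for d in ("real", "mimic", "proc"))
    os.makedirs(os.path.join(real, "etc"))
    Path(real, "etc", "app.conf").write_text("constructed sample config\n")
    created = create_mimic_env(real, mimic)
    # Fake proc: pid 4242 is chrooted into the mimicry root, pid 1 is not.
    for pid, root in (("4242", mimic), ("1", "/"), ("self", "/")):
        os.makedirs(os.path.join(proc, pid))
        os.symlink(root, os.path.join(proc, pid, "root"))
    killed, unmounted = [], []
    restore_mimic_env(real, mimic, [os.path.join(mimic, "proc")], proc_dir=proc,
                      kill=killed.append, unmount=unmounted.append)
    copied = Path(mimic, "etc", "app.conf").read_text()
    shutil.rmtree(base)
    return {"created": len(created), "killed": killed,
            "unmounted": len(unmounted), "copied": copied}
```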
S304: the operating system to be reinforced responds to a file modification instruction by reading the local configuration file associated with each target login object from the real system environment and adding an object type identifier to each local configuration file, yielding the reinforced target operating system; the object type identifier helps the target operating system authorize the target login object to log in to the mimicry system environment when the target login object is determined to be a restricted login object.
To protect the service login module of the target operating system from attack, conventional file reinforcement schemes often rely on a jump host, but cannot limit the permissions of the login object. For example, when a target login object with superuser (root) permission sends a malicious operation instruction, the target operating system still executes it, posing a security threat to the target operating system.
To solve this problem, the embodiment of the application, on the basis of verifying the validity of the target login object, adds an object type identifier to each local configuration file through the real login management component, so as to help the target operating system identify the object type of each target login object and determine whether each target login object is a restricted login object.
The specific file modification steps are as follows: each time the operating system to be reinforced reads the local configuration file associated with a target login object, it determines the object type of the target login object based on a preset object type list; when the target login object is a restricted login object, a first object type identifier is added to the associated local configuration file, and when the target login object is an unrestricted login object, a second object type identifier is added to the associated local configuration file.
Besides adding the object type identifier, the real login management component can also read each local configuration file to obtain information about the associated target login object such as its system permissions, password, directory location and the application program run after login, and perform running environment and configuration operations related to system security based on that information.
Having described the file reinforcement process, the specific implementation steps of the file reinforcement method based on the mimicry system environment are described with reference to the flowchart shown in FIG. 3A.
S401: the target operating system acquires a system login request sent by a target login object, the system login request carrying object information of the target login object.
The system login request is acquired through the real login management component of the target operating system; the request carries object information of the target login object such as an account and a password.
S402: the target operating system performs login authentication identification on the target login object according to the object information carried by the system login request.
The system login request is parsed through the real login management component of the target operating system to obtain the object information it carries, and this object information is matched against the object information of each target login object with an established account stored in the real database. If they match, the target login object is a legal login object and its object type is identified next; if they do not match, the target login object is an illegal login object and is refused login to any system environment of the target operating system.
S403: when the target login object is determined to be a legal login object, the target operating system acquires the local configuration file associated with the target login object to determine whether the target login object is a restricted login object.
To protect the service login module of the target operating system from attack, conventional file reinforcement schemes often rely on a jump host, but cannot limit the permissions of the login object. For example, when a target login object with superuser (root) permission sends a malicious operation instruction, the target operating system still executes it, posing a security threat to the target operating system.
To solve this problem, the embodiment of the application adds type identification of the target login object on the basis of verifying its validity, so as to determine whether the target login object is a restricted login object.
As shown in FIG. 4B, the process by which the target operating system identifies whether the target login object is a restricted login object is as follows.
S4031: an environment variable is read through the real login management component of the target operating system to acquire the account of the target login object;
S4032: the local configuration file associated with the target login object is acquired through the real login management component based on the account of the target login object;
S4033: the object type identifier carried by the local configuration file is obtained through the real login management component;
S4034: when the object type identifier is the first object type identifier, the target login object is determined to be a restricted login object; when the object type identifier is the second object type identifier, the target login object is determined to be an unrestricted login object.
S404: when the target operating system determines that the target login object is a restricted login object, it authorizes the target login object to log in to a mimicry system environment that has the same running environment as the real system environment.
When the target login object is an unrestricted login object, it is authorized to log in to the real system environment; when the target login object is a restricted login object, the jk_chrootsh command of the jailkit toolkit is executed through the real login management component of the target operating system, and the target login object is authorized to log in to the mimicry system environment.
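Step S304 together with steps S4031 to S404, as an added example that is not the patent's code: the configuration file format (one <account>.conf of key=value lines), the two identifier values, the salted PBKDF2 password records and the path of jailkit's jk_chrootsh used as the restricted login shell are assumptions of this example; accounts whose file carries neither identifier are refused, which is this example's own fail-closed choice.

```python
import hashlib
import hmac
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional, Set, Tuple

# Constructed identifier values; the patent only speaks of a first and a second one.
RESTRICTED_ID = "object_type=restricted"
UNRESTRICTED_ID = "object_type=unrestricted"
MIMIC_SHELL = "/usr/sbin/jk_chrootsh"  # assumed path of jailkit's chroot login shell
ACCOUNT_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # keeps the account out of path tricks


def add_object_type_identifier(config_text: str, account: str,
                               restricted_accounts: Set[str]) -> str:
    """S304: write the first identifier for accounts on the restricted list and
    the second for all others, replacing any identifier already present."""
    lines = [ln for ln in config_text.splitlines() if not ln.startswith("object_type=")]
    lines.append(RESTRICTED_ID if account in restricted_accounts else UNRESTRICTED_ID)
    return "\n".join(lines) + "\n"


def harden_config_dir(config_dir: str, restricted_accounts: Set[str]) -> Dict[str, str]:
    """Apply S304 to every <account>.conf in config_dir; returns account -> identifier."""
    applied = {}
    for path in sorted(Path(config_dir).glob("*.conf")):
        account = path.stem
        path.write_text(add_object_type_identifier(path.read_text(), account, restricted_accounts))
        applied[account] = RESTRICTED_ID if account in restricted_accounts else UNRESTRICTED_ID
    return applied


def object_type(config_text: str) -> Optional[str]:
    """S4033/S4034: read the identifier back; None when the file carries neither."""
    for ln in config_text.splitlines():
        if ln.strip() == RESTRICTED_ID:
            return "restricted"
        if ln.strip() == UNRESTRICTED_ID:
            return "unrestricted"
    return None


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Constructed real-database record: random salt plus PBKDF2-SHA256 digest."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def verify_credential(account: str, password: str,
                      real_db: Dict[str, Tuple[bytes, bytes]]) -> bool:
    """S402: match the request's object information against the real database."""
    record = real_db.get(account)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return hmac.compare_digest(candidate, digest)


def route_login(account: str, password: str, real_db: Dict[str, Tuple[bytes, bytes]],
                config_dir: str) -> Tuple[str, str]:
    """S402-S404: illegal login objects are refused; legal ones are routed by the
    identifier in their local configuration file. Returns (environment, shell)."""
    if not ACCOUNT_RE.fullmatch(account) or not verify_credential(account, password, real_db):
        return "deny", "illegal login object"
    try:
        kind = object_type((Path(config_dir) / f"{account}.conf").read_text())
    except OSError:
        kind = None
    if kind == "unrestricted":
        return "real", "/bin/bash"
    if kind == "restricted":
        return "mimic", MIMIC_SHELL  # jailed into the mimicry system environment
    return "deny", "no object type identifier"  # fail closed (this example's choice)


def demo() -> dict:
    """Constructed sample: two accounts, 'ops' listed as restricted, 'admin' not."""
    cfg = tempfile.mkdtemp()
    for acct in ("ops", "admin"):
        Path(cfg, f"{acct}.conf").write_text(f"home=/home/{acct}\nshell=/bin/bash\n")
    ids = harden_config_dir(cfg, {"ops"})
    db = {"ops": make_record("ops-pass"), "admin": make_record("admin-pass")}
    result = {
        "ids": ids,
        "ops": route_login("ops", "ops-pass", db, cfg),
        "admin": route_login("admin", "admin-pass", db, cfg),
        "wrong": route_login("ops", "guess", db, cfg),
        "unknown": route_login("ghost", "x", db, cfg),
    }
    shutil.rmtree(cfg)
    return result
```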
In the embodiment of the application, once a target login object with root permission is identified as a restricted login object, it can only log in to the mimicry system environment. Therefore, a malicious operation instruction it sends only damages the running environment of the mimicry system environment, which reduces the probability that the target login object affects the real system environment through misoperation or malicious operation and protects the security of the real system environment.
Moreover, since the mimicry system environment has the same running environment as the real system environment, a target login object logged in to it does not need to spend time relearning how to use the system, which reduces the cost of using the operating system.
In addition, the mimicry system environment is deceptive: a target login object is easily given the illusion of having logged in to the real system environment, which lowers the other party's vigilance. When a malicious operation instruction is issued, the running environment of the mimicry system environment is damaged and the identity of the malicious attacker is exposed, which prevents the target login object from adopting targeted means to break the protection strategy of the operating system upon realizing that it is not logged in to the real system environment.
After an authorized target login object logs in to the mimicry system environment that has the same running environment as the real system environment, risk judgment can be performed, through the privilege escalation management component deployed in the real system environment, on the operation instructions that need to run in the real system environment.
The privilege escalation management component and the virtual remote login client are the communication bridge between the two system environments. As shown in FIG. 5, the interconnection process between the privilege escalation management component and the virtual remote login client is as follows.
S501: the target operating system reads the local configuration file associated with each target login object through the privilege escalation management component; each time a local configuration file is read, the detection socket it carries is obtained, a socket service is started based on that detection socket, and the port associated with the detection socket is listened on.
S502: the target operating system waits, through the privilege escalation management component, to establish a communication connection with the virtual remote login client.
The virtual remote login client is deployed in the mimicry system environment in one of the following two ways:
In the first way, the component installation package is acquired through an interface of the mimicry system environment, and the virtual remote login client packaged in the component installation package is deployed in the mimicry system environment.
In the second way, a real remote login client is deployed in the real system environment, and when mimicry processing is performed on the real system environment, the virtual remote login client is deployed in the mimicry system environment automatically.
S503: the target operating system judges, through the privilege escalation management component, whether the target login object has accessed the locally designated port; if so, step 504 is executed, otherwise the process returns to step 502.
S504: the privilege escalation management component of the target operating system is interconnected with the virtual remote login client, and the command line interface (cli) application program on the privilege escalation management component is started, so that the privilege escalation management component exchanges data with the virtual remote login client through the command line interface application program.
In fact, for a target login object logged in to the mimicry system environment: when it is an ordinary login object with lower system permissions, it can run normal operation instructions within its permission range in the mimicry system environment; when it is a management-level login object with root permission, it can not only run various operation instructions in the mimicry system environment but also run operation and maintenance instructions such as developing, installing and running programs in the real system environment, and view, start or stop the services running in the real system environment.
However, to protect the security of the real system environment, after determining that the privilege escalation management component and the virtual remote login client have been interconnected successfully, the target operating system, as shown in FIG. 6, executes through the privilege escalation management component an instruction audit service on the target operation instruction carried in the privilege escalation request, so as to determine whether the target operation instruction may run in the real system environment.
S601: the target operating system sends the privilege escalation request of the target login object to the privilege escalation management component through the virtual remote login client.
S602: the target operating system receives, through the privilege escalation management component, the privilege escalation request sent by the target login object through the virtual remote login client.
S603: the target operating system performs risk judgment, through the privilege escalation management component, on the target operation instruction carried in the privilege escalation request and determines whether the target operation instruction belongs to the dangerous operation instructions; if so, step 605 is executed, otherwise step 604 is executed. The target operation instruction is an operation instruction that needs to run in the real system environment.
The specific judgment process is as follows: the target operating system, through the privilege escalation management component, matches the target operation instruction carried in the privilege escalation request against a plurality of groups of rules for judging the danger level of target operation instructions, and then determines from the matching result whether the target operation instruction belongs to the dangerous operation instructions.
Because the target operation instruction may consist of one operation instruction or of several operation instructions combined by logical relations such as "and", "or" and "not", the plurality of groups of rules, as shown in Table 1, include both rules with a single judgment condition and rules with several judgment conditions combined by logical relations such as "and", "or" and "not".
When performing risk judgment on the target operation instruction, the target operation instruction may be matched against each group of rules one by one, and when at least one group of rules is hit, the target operation instruction is judged to belong to the dangerous operation instructions. Alternatively, a regular (regular-expression) operation may be applied to the target operation instruction, and when the result hits at least one group of rules, the target operation instruction is judged to belong to the dangerous operation instructions.
TABLE 1
Sequence number    Rule content
1                  Viewing device files
2                  Viewing device files and writing operation instructions that attack the system
3                  Deleting system files stored in key directories of the Linux system
……                 ……
Before executing step 603, the target operating system may also check, through the privilege escalation management component, whether the format of the target operation instruction meets the requirements; if so, risk judgment is performed on the target operation instruction, otherwise a reminder message is sent to the virtual remote login client through the command line interface application program of the privilege escalation management component so that the virtual remote login client regenerates the privilege escalation request.
S604: when the target operating system determines, through the privilege escalation management component, that the target operation instruction belongs to the normal operation instructions, it allows the target operation instruction to run in the real system environment.
Normal operation instructions are operation instructions that call the systemctl service, or operation instructions on an instruction whitelist.
The systemctl service provides a set of operation instructions for service management; when the target login object calls an operation instruction that does not require root permission, a normal operation instruction is generated by entering a systemctl command line into the virtual remote login client.
Because the security of the systemctl service is high, performing password authentication on a target operation instruction based on the systemctl service adds little; omitting the password authentication step therefore does not affect the security of the real system environment, while saving system resources and reducing performance overhead.
The target operating system allows the target operation instruction to run in the real system environment and synchronously displays the corresponding instruction running process and instruction running result in the virtual remote login client of the mimicry system environment.
S605: when the target operating system determines, through the privilege escalation management component, that the target operation instruction belongs to the dangerous operation instructions, it performs password authentication on the target login object and judges whether the authentication succeeds; if so, step 606 is executed, otherwise step 607 is executed.
Dangerous operation instructions are operation instructions that call root permission. When the target login object calls an operation instruction requiring root permission, an administrator command line is entered into the virtual remote login client to generate a dangerous operation instruction.
The specific password authentication process is as follows: if the target login object enters the correct key within the specified time, authentication is judged to have succeeded; if the number of times the target login object enters a wrong key reaches the upper limit within the set time, authentication is judged to have failed.
S606: when the password authentication of the target login object succeeds, the target operating system allows the target operation instruction to run in the real system environment through the privilege escalation management component.
The target operating system allows the target operation instruction to run in the real system environment and synchronously displays the corresponding instruction running process and instruction running result in the virtual remote login client of the mimicry system environment.
S607: when the target operating system determines, through the privilege escalation management component, that the password authentication of the target login object has failed, it refuses to run the target operation instruction in the real system environment.
The target operating system refuses to run the target operation instruction in the real system environment, synchronously displays the failed instruction running result in the virtual remote login client of the mimicry system environment, and instructs the virtual remote login client to fall back to the initial command line interface.
In addition, the target operating system records the target operation instruction and sends an alarm message to the target login object informing the other party that the target operation instruction belongs to the dangerous operation instructions and may damage the running environment of the operating system, and asking for a new target operation instruction.
When the target operating system refuses to run the target operation instruction in the real system environment, the target operation instruction is allowed to run in the mimicry system environment. Because the mimicry system environment and the real system environment are isolated from each other, only the running environment of the mimicry system environment can be damaged, and the security of the real system environment is not affected.
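The audit flow S603 to S607 over the rule table and the password gate of S605, as an added example that is not the patent's code: rules are nested and/or/not trees whose leaves are regular expressions matched against the instruction, and password authentication is a pure function over timestamped key attempts so the time limit and retry cap can be checked offline. The rule patterns (modelled on Table 1), the whitelist and the timing values are constructed for this example.

```python
import hmac
import re
from typing import Callable, List, Sequence, Tuple, Union

Rule = Union[str, tuple]  # leaf: regex over the instruction; node: (op, *children)

# Constructed rule set modelled on Table 1. Leaves are regexes; nodes combine them
# with the "and", "or" and "not" relations the patent describes.
VIEW_DEVICE = r"\b(cat|less|more|head|tail|xxd|hexdump|strings)\b.*\s/dev/\S+"
WRITE_DEVICE = ("and", r"\bof=/dev/\S+", ("not", r"\bof=/dev/null\b"))
KEY_DIRS = ("or", r"\s/etc(/|\s|$)", r"\s/boot(/|\s|$)", r"\s/usr/lib(/|\s|$)", r"\s/lib(/|\s|$)")
RULES: List[Tuple[int, Rule]] = [
    (1, VIEW_DEVICE),                        # viewing device files
    (2, WRITE_DEVICE),                       # raw writes to device files (not /dev/null)
    (3, ("and", r"\brm\b", KEY_DIRS)),       # deleting files under key Linux directories
]
WHITELIST = {"uptime", "df -h", "free -m"}   # constructed instruction whitelist


def evaluate(rule: Rule, instruction: str) -> bool:
    """Evaluate one rule tree against the instruction text."""
    if isinstance(rule, str):
        return re.search(rule, instruction) is not None
    op, *children = rule
    if op == "and":
        return all(evaluate(c, instruction) for c in children)
    if op == "or":
        return any(evaluate(c, instruction) for c in children)
    if op == "not":
        return not evaluate(children[0], instruction)
    raise ValueError(f"unknown operator {op!r}")


def hit_rules(instruction: str, rules: Sequence[Tuple[int, Rule]] = RULES) -> List[int]:
    """Match against every group of rules; any hit makes the instruction dangerous."""
    return [num for num, rule in rules if evaluate(rule, instruction)]


def is_normal(instruction: str) -> bool:
    """S604: calls the systemctl service, or is on the instruction whitelist."""
    cmd = instruction.strip()
    return cmd == "systemctl" or cmd.startswith("systemctl ") or cmd in WHITELIST


def format_ok(instruction: str) -> bool:
    """Pre-check before S603: non-empty, a single line of printable characters."""
    return bool(instruction.strip()) and instruction.isprintable()


def password_authenticate(attempts: Sequence[Tuple[float, str]], expected_key: str,
                          started_at: float, time_limit: float = 60.0,
                          max_attempts: int = 3) -> bool:
    """S605: success if the correct key arrives within time_limit seconds of
    started_at and before max_attempts wrong keys; failure otherwise."""
    wrong = 0
    for ts, key in attempts:
        if ts - started_at > time_limit:
            return False
        if hmac.compare_digest(key.encode(), expected_key.encode()):
            return True
        wrong += 1
        if wrong >= max_attempts:
            return False
    return False


def audit(instruction: str, authenticate: Callable[[], bool]) -> dict:
    """S603-S607 for one privilege escalation request; `authenticate` is only
    invoked for dangerous instructions and must implement the S605 gate."""
    if not format_ok(instruction):
        return {"decision": "regenerate", "reason": "bad format"}
    if is_normal(instruction):
        return {"decision": "allow", "env": "real", "rules": [], "reason": "normal"}
    hits = hit_rules(instruction)
    if not hits:
        return {"decision": "allow", "env": "real", "rules": [], "reason": "no rule hit"}
    if authenticate():
        return {"decision": "allow", "env": "real", "rules": hits, "reason": "authenticated"}
    # S607: refused in the real environment, run in the mimicry environment instead,
    # recorded, and reported back to the login object with an alarm message.
    return {"decision": "deny", "env": "mimic", "rules": hits,
            "alarm": f"dangerous instruction (rules {hits}); enter a new instruction"}
```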
Taking a Linux system as an example, referring to a flow chart shown in fig. 7, the file reinforcement protection and application process of the Linux system are as follows.
S701: deploying an authority-raising management component in the real system environment of the Linux system to be reinforced, and waiting, through the authority-raising management component, to be interconnected with a virtual remote login client deployed in the mimicry system environment;
S702: the Linux system to be reinforced responds to a mimicry system environment creation instruction and creates, in the Linux operating system to be reinforced, a mimicry system environment with the same running environment as the real system environment;
S703: the Linux system to be reinforced responds to a file modification instruction, reads the local configuration file associated with each target login object from the real system environment, and adds an object type identifier to each local configuration file, obtaining the reinforced target Linux system;
S704: the real login management component of the target Linux system acquires a system login request sent by a target login object and judges, based on the object information carried by the system login request, whether the target login object is a legal login object; if so, step S706 is executed, otherwise step S705;
S705: refusing the target login object to log in to any system environment of the target Linux system;
S706: acquiring, through the real login management component, the local configuration file associated with the target login object and determining whether the target login object is a restricted login object; if so, step S708 is executed, otherwise step S707;
S707: authorizing, through the real login management component, the target login object to log in to the real system environment;
S708: authorizing, through the real login management component, the target login object to log in to the mimicry system environment;
S709: the target login object logged in to the mimicry system environment accesses a designated port of the real system environment through the virtual remote login client;
S710: the target Linux system, on detecting that the target login object accesses the local designated port, interconnects with the virtual remote login client through the authority-raising management component and starts the command line interface application program on the authority-raising management component;
S711: the target login object logged in to the mimicry system environment sends an authority-raising request through the virtual remote login client;
S712: receiving, through the authority-raising management component, the authority-raising request sent by the target login object through the virtual remote login client;
S713: judging, through the authority-raising management component, the risk of the target operation instruction carried in the authority-raising request and determining whether the target operation instruction belongs to the dangerous operation instructions; if so, step S715 is executed, otherwise step S714; the target operation instruction is an operation instruction that needs to run in the real system environment;
S714: through the authority-raising management component, when the target operation instruction is determined to belong to the normal operation instructions, allowing the target operation instruction to run in the real system environment;
S715: when the target operation instruction is determined to belong to the dangerous operation instructions, carrying out password authentication on the target login object through the authentication management component and judging whether the authentication is successful; if so, step S716 is executed, otherwise step S717;
S716: through the authority-raising management component, when the authentication of the target login object is determined to be successful, allowing the target operation instruction to run in the real system environment;
S717: through the authority-raising management component, when the authentication of the target login object is determined to have failed, refusing to run the target operation instruction in the real system environment.
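The following is an added illustration, not code from the patent or its applicant, of the decision logic in the password authentication process described above and in steps S704 to S717: routing a login by the object type identifier in the local configuration file, reading the detection-socket port from each file, matching an authority-raising request against several rule groups, and the time-limited, attempt-limited password check that decides whether a dangerous instruction runs in the real environment or falls back to the mimicry environment. The key=value configuration format, the identifier values `restricted`/`unrestricted`, the `probe_port` key, the rule groups and the limits (30 seconds, 3 wrong keys) are all assumptions made for the example; the patent only names a first and a second identifier and "a plurality of groups of rules".

```python
"""Added illustration (not the patent's code): login routing (S704-S708), risk
judgment on an authority-raising request (S713-S714) and time/attempt-limited
password authentication (S715-S717). Config format, identifier values, rule
groups and limits are assumptions for this example."""
import hmac
import re

# Assumed values for the "first" and "second" object type identifiers.
RESTRICTED = "restricted"      # first identifier: log in to the mimicry environment
UNRESTRICTED = "unrestricted"  # second identifier: log in to the real environment


def parse_local_config(text):
    """Parse a constructed key=value local configuration file into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def route_login(known_accounts, username, config_text):
    """S704-S708: unknown accounts are rejected (S705); restricted accounts go to
    the mimicry environment (S708); unrestricted accounts go to the real one (S707)."""
    if username not in known_accounts:
        return "reject"
    object_type = parse_local_config(config_text).get("object_type")
    if object_type == RESTRICTED:
        return "mimicry"
    if object_type == UNRESTRICTED:
        return "real"
    return "reject"  # missing or unknown identifier: fail closed rather than guess


def detection_ports(config_texts):
    """Port that each configuration file's 'detection socket' points at (S701, S710)."""
    return [int(parse_local_config(t)["probe_port"]) for t in config_texts]


# Assumed groups of rules for judging the degree of danger of an instruction.
RULE_GROUPS = {
    "destructive": [re.compile(r"\brm\s+-\w*r\w*\s+/+\s*$"),
                    re.compile(r"\bmkfs(\.\w+)?\b"),
                    re.compile(r"\bdd\b.*\bof=/dev/")],
    "privilege":   [re.compile(r"\bchmod\s+([4-7][0-7]{3}\b|[ugoa]*\+s\b)"),
                    re.compile(r"\bvisudo\b|/etc/sudoers")],
    "credentials": [re.compile(r"/etc/(passwd|shadow)\b")],
}


def classify_instruction(cmd):
    """S713: match the instruction against every rule group; any hit is 'dangerous'."""
    hits = [name for name, rules in RULE_GROUPS.items()
            if any(r.search(cmd) for r in rules)]
    return ("dangerous" if hits else "normal"), hits


def authenticate(expected_key, attempts, time_limit_s=30.0, max_wrong=3):
    """Password process from the description: success if the correct key arrives
    within time_limit_s; failure once max_wrong wrong keys arrive or time runs out.
    attempts is a list of (seconds since the prompt, key entered), in order."""
    wrong = 0
    for elapsed, key in attempts:
        if elapsed > time_limit_s:
            return False          # specified time exceeded
        if hmac.compare_digest(key.encode(), expected_key.encode()):
            return True
        wrong += 1
        if wrong >= max_wrong:
            return False          # upper limit of wrong keys reached
    return False


def handle_raise_request(cmd, expected_key, attempts):
    """S713-S717 plus the fallback in the description: a normal instruction runs in
    the real environment; a dangerous one runs there only after successful
    authentication, otherwise it is refused, recorded with an alarm, and run in the
    isolated mimicry environment instead."""
    risk, groups = classify_instruction(cmd)
    if risk == "normal" or authenticate(expected_key, attempts):
        return {"run_in": "real", "risk": risk, "groups": groups, "alarm": False}
    return {"run_in": "mimicry", "risk": risk, "groups": groups, "alarm": True}


if __name__ == "__main__":
    # Constructed local configuration file for one account.
    alice_cfg = "object_type=restricted\nprobe_port=7021\n"
    print(route_login({"alice", "bob"}, "alice", alice_cfg))
    print(handle_raise_request("rm -rf /", "s3cret", [(5.0, "s3cret")]))
```

Two design points the description leaves implicit are made explicit here: a configuration file with a missing or unrecognised identifier is treated as restricted-or-worse (the login is rejected) rather than being let into the real environment, and the password comparison uses a constant-time compare so that the retry limit is the only thing an observer can learn from.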
Based on the same inventive concept as the method embodiment, the embodiment of the application also provides a file reinforcement device based on a mimicry system environment. Referring to the schematic structure shown in fig. 8, a file reinforcement device 800 based on a mimicry system environment may include:
a transmission unit 801, configured to obtain a system login request sent by a target login object, where the system login request carries object information of the target login object;
a login authentication unit 802, configured to perform login authentication identification on a target login object according to object information carried by a system login request;
under the condition that the target login object is a legal login object, acquiring a local configuration file associated with the target login object to determine whether the target login object is a restricted login object;
and when the target login object is determined to be the restricted login object, authorizing the target login object to log in to a mimicry system environment with the same running environment as the real system environment.
Optionally, before acquiring the system login request sent by the target login object, the file reinforcement device 800 based on the mimicry system environment further includes a mimicry creation unit 803, where the mimicry creation unit 803 is configured to:
responding to the mimicry system environment creation instruction, and creating, in the operating system to be reinforced, a mimicry system environment with the same running environment as the real system environment.
Optionally, after creating the mimicry system environment having the same running environment as the real system environment, the file reinforcement device 800 further includes a file modification unit 804, where the file modification unit 804 is configured to:
respond to a file modification instruction and read the local configuration file associated with each target login object from the real system environment, wherein each target login object is an object for which an account has been created in the operating system to be reinforced;
adding object type identifiers in each local configuration file to obtain a reinforced target operating system; the object type identifier is used for helping the target operating system to authorize the target login object to login to the mimicry system environment when the target login object is determined to be the restricted login object.
Optionally, after the authorized target login object logs in to the mimicry system environment having the same running environment as the real system environment, the file reinforcement device 800 based on the mimicry system environment further includes an instruction audit unit 805, where the instruction audit unit 805 is configured to:
receiving, through an authority-raising management component deployed in the real system environment, an authority-raising request sent by the target login object through a virtual remote login client, wherein the virtual remote login client is deployed in the mimicry system environment;
and carrying out risk judgment on a target operation instruction carried in the right raising request through a right raising management component, wherein the target operation instruction is an operation instruction which needs to be operated in a real system environment.
Optionally, the instruction audit unit 805 is configured to:
matching, through the authority-raising management component, the target operation instruction carried in the authority-raising request against each of a plurality of groups of rules for judging the degree of danger of the target operation instruction;
and determining whether the target operation instruction belongs to the dangerous operation instruction or not based on the obtained matching results through the right raising management component.
Optionally, after performing risk judgment on the target operation instruction carried in the right-raising request, the instruction audit unit 805 is further configured to:
when the target operation instruction is determined to belong to the dangerous operation instruction, password authentication is carried out on the target login object, if the target login object inputs a correct key within a specified time, the authentication is judged to be successful, and the target operation instruction is allowed to run in a real system environment;
And allowing the target operation instruction to run in the real system environment when the target operation instruction is determined to belong to the normal operation instruction.
Optionally, before receiving, through the authority-raising management component deployed in the real system environment, the authority-raising request sent by the target login object through the virtual remote login client, the instruction audit unit 805 is further configured to:
interconnect, through the authority-raising management component deployed in the real system environment, with the virtual remote login client upon detecting that the target login object accesses the associated port through the virtual remote login client.
Optionally, the instruction audit unit 805 is configured to:
acquiring an object type identifier carried by a local configuration file;
when the object type identifier is a first object type identifier, determining that the target login object is a restricted login object;
and when the object type identifier is the second object type identifier, determining that the target login object is an unrestricted login object.
Optionally, before acquiring the mimicry creation instruction, the instruction audit unit 805 is further configured to:
deploying an authority-raising management component in the real system environment;
detecting, through the authority-raising management component, the port of each target login object, and waiting to establish a communication connection with the virtual remote login client deployed in the mimicry system environment, so that the successfully interconnected authority-raising management component receives the authority-raising requests sent by the target login objects through the virtual remote login client and judges the risk of the target operation instructions carried in the authority-raising requests, wherein the target operation instructions are operation instructions that need to run in the real system environment.
Optionally, the instruction audit unit 805 is configured to:
and reading local configuration files associated with each target login object through the right-lifting management component, wherein each time one local configuration file is read, a carried detection socket is obtained, and a port associated with the detection socket is detected.
Optionally, the instruction audit unit 805 is configured to:
acquiring a component installation package through an interface of a real system environment;
and deploying the right-raising management component packaged in the component installation package in a real system environment.
For convenience of description, the above parts are described as being functionally divided into modules (or units) respectively. Of course, the functions of each module (or unit) may be implemented in the same piece or pieces of software or hardware when implementing the present application.
Having described the method and apparatus for application of a hardened operating system according to an exemplary embodiment of the present application, a computer device according to another exemplary embodiment of the present application is described next.
Those skilled in the art will appreciate that the various aspects of the application may be implemented as a system, method, or program product. Accordingly, aspects of the application may be embodied in the following forms: an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.), or an embodiment combining hardware and software aspects, which may be referred to herein as a "circuit," "module," or "system."
Based on the same inventive concept as the above-mentioned method embodiment, a computer device is further provided in the embodiment of the present application, and referring to fig. 9, a computer device 900 may include at least a processor 901 and a memory 902. The memory 902 stores program code that, when executed by the processor 901, causes the processor 901 to perform any one of the steps of the file reinforcement method based on a mimicry system environment.
In some possible implementations, a computing device according to the application may include at least one processor and at least one memory. The memory stores program code that, when executed by the processor, causes the processor to perform the steps in the file reinforcement method based on a mimicry system environment according to the various exemplary embodiments of the present application described above in this specification. For example, the processor may perform the steps as shown in fig. 4A.
A computing device 1000 according to such an embodiment of the application is described below with reference to fig. 10. The computing device 1000 of fig. 10 is only one example and should not be taken as limiting the functionality and scope of use of embodiments of the present application.
As shown in fig. 10, the computing device 1000 is in the form of a general purpose computing device. Components of computing device 1000 may include, but are not limited to: the at least one processing unit 1001, the at least one memory unit 1002, a bus 1003 connecting the different system components (including the memory unit 1002 and the processing unit 1001).
Bus 1003 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, and a local bus using any of a variety of bus architectures.
The storage unit 1002 may include a readable medium in the form of volatile memory, such as Random Access Memory (RAM) 10021 and/or cache storage unit 10022, and may further include Read Only Memory (ROM) 10023.
The storage unit 1002 may also include a program/utility 10025 having a set (at least one) of program modules 10024, such program modules 10024 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
The computing device 1000 may also communicate with one or more external devices 1004 (e.g., keyboard, pointing device, etc.), one or more devices that enable a user to interact with the computing device 1000, and/or any devices (e.g., routers, modems, etc.) that enable the computing device 1000 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 1005. Moreover, computing device 1000 may also communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN) and/or a public network, for example, the Internet, through network adapter 1006. As shown, the network adapter 1006 communicates with other modules for the computing device 1000 over the bus 1003. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with computing device 1000, including, but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
Based on the same inventive concept as the above-described method embodiments, aspects of the application method of the hardened operating system provided by the present application may also be implemented in the form of a program product, which includes program code for causing a computer device to perform the steps in the file reinforcement method based on a mimicry system environment according to the various exemplary embodiments of the present application described above when the program product is run on the computer device; for example, the computer device may perform the steps as shown in fig. 4A.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include the following: an electrical connection having one or more wires, a portable disk, a hard disk, Random Access Memory (RAM), Read-Only Memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (15)

1. A file reinforcement method based on a mimicry system environment is characterized by comprising the following steps:
acquiring a system login request sent by a target login object, wherein the system login request carries object information of the target login object;
according to the object information carried by the system login request, carrying out login authentication identification on the target login object;
under the condition that the target login object is determined to be a legal login object, acquiring a local configuration file associated with the target login object to determine whether the target login object is a restricted login object or not;
and when the target login object is determined to be the restricted login object, authorizing the target login object to log in to a mimicry system environment with the same running environment as the real system environment.
2. The method of claim 1, comprising, prior to obtaining a system login request sent by a target login object:
responding to a mimicry system environment creation instruction, and creating, in the operating system to be reinforced, a mimicry system environment with the same running environment as the real system environment.
3. The method of claim 2, further comprising, after creating the mimicry system environment having the same running environment as the real system environment:
responding to a file modification instruction, and reading the local configuration file associated with each target login object from the real system environment, wherein each target login object is an object for which an account has been created in the operating system to be reinforced;
adding object type identifiers in each local configuration file to obtain the reinforced target operating system; the object type identifier is used for helping the target operating system to authorize the target login object to login to the mimicry system environment when the target login object is determined to be a restricted login object.
4. The method according to any one of claims 1 to 3, further comprising, after authorizing the target login object to log in to a mimicry system environment having the same running environment as the real system environment:
receiving an authority raising request sent by the target login object through a virtual remote client through an authority raising management component deployed in the real system environment, wherein the virtual remote client is deployed in the mimicry system environment;
and judging the risk of a target operation instruction carried in the right raising request through the right raising management component, wherein the target operation instruction is an operation instruction which needs to be operated in the real system environment.
5. The method of claim 4, wherein the judging, by the authority-raising management component, of the risk of the target operation instruction carried in the authority-raising request comprises:
the right-raising management component is used for respectively matching target operation instructions carried in the right-raising request with a plurality of groups of rules for judging the dangerous degree of the target operation instructions;
and determining whether the target operation instruction belongs to a dangerous operation instruction or not based on the obtained matching results by the right raising management component.
6. The method of claim 5, further comprising, after the risk determination is made for the target operation instruction carried in the claim request:
when the target operation instruction is determined to belong to a dangerous operation instruction, password authentication is carried out on the target login object, if the target login object inputs a correct key within a specified time, the authentication is judged to be successful, and the target operation instruction is allowed to run in the real system environment;
and allowing the target operation instruction to run in the real system environment when the target operation instruction is determined to belong to a normal operation instruction.
7. The method of claim 5, further comprising, before receiving, through the authority-raising management component deployed in the real system environment, the authority-raising request sent by the target login object through a virtual remote login client:
interconnecting, through the authority-raising management component deployed in the real system environment, with the virtual remote login client when it is detected that the target login object accesses the associated port through the virtual remote login client.
8. The method of claim 1, wherein the obtaining the local profile associated with the target login object to determine whether the target login object is a restricted login object comprises:
Acquiring an object type identifier carried by the local configuration file;
when the object type identifier is a first object type identifier, determining that the target login object is a restricted login object;
and when the object type identifier is a second object type identifier, determining that the target login object is an unrestricted login object.
9. The method of claim 3, prior to obtaining the mimicry creation instruction, further comprising:
deploying the right-raising management component in the real system environment;
detecting respective ports of the target login objects through the right-raising management assembly, waiting for establishing communication connection with a virtual remote login client deployed in the mimicry system environment, so that the right-raising management assembly which is successfully interconnected receives a right-raising request sent by the target login objects through the virtual remote login client, and judging the risk of a target operation instruction carried in the right-raising request, wherein the target operation instruction is an operation instruction which needs to be operated in the real system environment.
10. The method of claim 9, wherein the detecting, through the authority-raising management component, of the respective port of each target login object comprises:
And reading local configuration files associated with the target login objects through the right-raising management component, wherein each time one local configuration file is read, a carried detection socket is obtained, and a port associated with the detection socket is detected.
11. The method of claim 9, wherein the deploying of the authority-raising management component in the real system environment comprises:
acquiring a component installation package through an interface of the real system environment;
and deploying the right-raising management component encapsulated in the component installation package in the real system environment.
12. A file reinforcement device based on a mimicry system environment, comprising:
the transmission unit is used for acquiring a system login request sent by a target login object, wherein the system login request carries object information of the target login object;
the login authentication unit is used for carrying out login authentication identification on the target login object according to the object information carried by the system login request;
under the condition that the target login object is determined to be a legal login object, acquiring a local configuration file associated with the target login object to determine whether the target login object is a restricted login object or not;
and when the target login object is determined to be the restricted login object, authorizing the target login object to log in to a mimicry system environment with the same running environment as the real system environment.
13. A computer device comprising a processor and a memory, wherein the memory stores program code that, when executed by the processor, causes the processor to perform the steps of the method of any of claims 1 to 11.
14. A computer readable storage medium, characterized in that it comprises a program code for causing a computer device to perform the steps of the method according to any one of claims 1-11, when said program code is run on said computer device.
15. A computer program product comprising computer instructions which, when executed by a processor, implement the steps of the method of any one of claims 1 to 11.
CN202210479908.XA 2022-05-05 2022-05-05 File reinforcement method, device, equipment and medium based on mimicry system environment Pending CN117056930A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210479908.XA CN117056930A (en) 2022-05-05 2022-05-05 File reinforcement method, device, equipment and medium based on mimicry system environment

Publications (1)

Publication Number Publication Date
CN117056930A true CN117056930A (en) 2023-11-14

Family

ID=88661347


Country Status (1)

Country Link
CN (1) CN117056930A (en)

Similar Documents

Publication Publication Date Title
US9047468B2 (en) Migration of full-disk encrypted virtualized storage between blade servers
CN110661831B (en) Big data test field security initialization method based on trusted third party
CN101594360B (en) Local area network system and method for maintaining safety thereof
CN109379347B (en) Safety protection method and equipment
WO2002008870A2 (en) Distributive access controller
CN1981277A (en) Quarantine system
CN112231726B (en) Access control method and device based on trusted verification and computer equipment
US20220417273A1 (en) Anomalous action security assessor
CN114553540B (en) Zero trust-based Internet of things system, data access method, device and medium
US8826275B2 (en) System and method for self-aware virtual machine image deployment enforcement
US20230362263A1 (en) Automatically Executing Responsive Actions Upon Detecting an Incomplete Account Lineage Chain
CN104796432A (en) Data protection method and safety bastion host
US8713640B2 (en) System and method for logical separation of a server by using client virtualization
WO2017016231A1 (en) Policy management method, system and computer storage medium
WO2019037521A1 (en) Security detection method, device, system, and server
JP2005527905A (en) Tamper evident removable media for storing executable code
JP2023517531A (en) System and method for protecting folders from unauthorized file modification
US20080127352A1 (en) System and method for protecting a registry of a computer
KR102034934B1 (en) Securing the network access of local devices by using TPM
KR20210023161A (en) Data Storage Device with Variable Computer File System
CN117056930A (en) File reinforcement method, device, equipment and medium based on mimicry system environment
CN113179285B (en) High-performance password service method, device and system for video Internet of things
CN114329444A (en) System safety improving method and device
KR102201218B1 (en) Access control system and method to security engine of mobile terminal
CN113515779A (en) File integrity checking method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination