CN117519896A - Design method and system based on mirror image security detection function - Google Patents


Publication number
CN117519896A
Authority
CN
China
Prior art keywords
image
mirror image
token
new
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311424245.2A
Other languages
Chinese (zh)
Inventor
兰雨晴
余丹
许浩然
王丹星
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Standard Intelligent Security Technology Co Ltd
Original Assignee
China Standard Intelligent Security Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45591 Monitoring or debugging support
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The invention provides a design method and a system based on a mirror image security detection function. The design method based on the mirror image security detection function comprises the following steps: determining a verification mode according to the mirror image security detection requirement; when a new mirror image is pulled from the mirror image library, sending an encrypted character as a token; decrypting the token, and matching the decrypted information against an official mirror image library to judge the security of the current new mirror image. The system comprises modules corresponding to the method steps.

Description

Design method and system based on mirror image security detection function
Technical Field
The invention provides a design method and a system based on a mirror image security detection function, and belongs to the technical field of mirror image security detection.
Background
When a user creates a Docker container, the container may be based on an unsafe Docker image, so that an attacker can easily take over the container and even the entire host. The started application runs as the root user, so once an attacker exploits a vulnerability and obtains shell access, the attacker can take over the host on which the Docker daemon runs; security problems also arise when an image is built on an unsafe base image.
Disclosure of Invention
The invention provides a design method and a system based on a mirror image security detection function, to solve the problem of the low security of Docker containers in the prior art. The technical scheme adopted is as follows:
the design method based on the mirror image security detection function comprises the following steps:
determining a verification mode according to the mirror image security detection requirement;
when a new mirror image is pulled from the mirror image library, sending an encrypted character as a token;
decrypting the token, and matching the decrypted information against an official mirror image library to judge the security of the current new mirror image.
Further, determining the verification mode according to the mirror image security detection requirement includes:
invoking the mirror image security detection requirement required by the current mirror image security detection;
and determining a verification mode of the image security detection according to the image security detection requirement required by the current image security detection.
Further, when a new image is pulled from the image library, sending the encrypted character as a token, including:
generating a unique token in the form of encrypted characters by using an encryption algorithm; wherein the token comprises mirror image metadata, a digital signature and a validity period;
associating the token with the mirror image related information in the mirror image library;
and sending the token to the user terminal.
Further, decrypting the token, and matching the decrypted information against an official mirror image library to judge the security of the current new mirror image, includes:
when a new mirror image is pulled from a mirror image library, a token corresponding to the new mirror image is sent to a server through a user terminal;
after receiving a token corresponding to the new mirror image sent by a user terminal, the server decrypts the token to obtain information data contained in the token as target information data, wherein the information data contained in the token comprises mirror image metadata, a digital signature and a validity period;
consistency comparison is carried out on the target information data and the data information corresponding to the new mirror image in an official mirror image library;
and when the target information data is consistent with the data information corresponding to the new image in the official image library, the current new image is indicated to have security.
Further, the design method based on the mirror image security detection function further comprises the following steps:
when the current new image is secure, the user terminal is allowed to download the current new image;
when the current new image is unsafe, the user terminal is not allowed to download the current new image, and the new image is marked;
and when the number of failed security verifications of the new image exceeds a preset threshold, freezing that new image and prohibiting it from being pulled and verified.
The design system based on the mirror image security detection function comprises:
the verification mode determining module is used for determining a verification mode according to the mirror image security detection requirement;
the mirror image pulling module is used for sending the encrypted character as a token when a new mirror image is pulled from the mirror image library;
and the token decryption module is used for decrypting the token, and matching the decrypted information against the official mirror image library to judge the security of the current new mirror image.
Further, the verification manner determining module includes:
the mirror image security detection requirement calling module is used for calling the mirror image security detection requirement required by the current mirror image security detection;
and the verification mode acquisition execution module is used for determining the verification mode of the image security detection according to the image security detection requirement required by the current image security detection.
Further, the mirror pull module includes:
the token generation module is used for generating a unique token in the form of encrypted characters by using an encryption algorithm; wherein the token comprises mirror image metadata, a digital signature and a validity period;
the image related information association module is used for associating the token with the image related information in the image library;
and the token sending module is used for sending the token to the user terminal.
Further, the token decryption module includes:
the new mirror image pulling execution module is used for sending a token corresponding to the new mirror image to the server through the user terminal when the new mirror image is pulled from the mirror image library;
the target information data acquisition module is used for decrypting the token after receiving the token corresponding to the new mirror image sent by the user terminal, and obtaining information data contained in the token as target information data, wherein the information data contained in the token comprises mirror image metadata, a digital signature and a validity period;
the consistency comparison module is used for carrying out consistency comparison on the target information data and the data information corresponding to the new mirror image in the official mirror image library;
and the security judging module is used for indicating that the current new image has security when the target information data is consistent with the data information corresponding to the new image in the official image library.
Further, the design system based on the mirror image security detection function further comprises:
the new image download allowing module is used for allowing the user terminal to download the current new image when the current new image is secure;
a new image download disallowing module, configured to disallow the user terminal from downloading the current new image and to mark the new image when the current new image is unsafe;
and the new image download prohibition module is used for freezing the new image when its number of failed security verifications exceeds the preset threshold, and prohibiting that new image from being pulled and verified.
The invention has the beneficial effects that:
To address security problems at the mirror image level, the design method and system based on the mirror image security detection function use a token-like verification mode: when a new mirror image is pulled from the mirror image library for the first time, an encrypted character string generated by the mirror image library is sent as a token, and if the token, once decrypted, can be matched against the official mirror image library, the mirror image is considered safe and reliable. When images are selected from the image library, verifying the correctness of the token to check image security improves the security of image pulls. In addition, a minimal base image or a trusted base image can be used wherever possible when building an image, which improves the security of the Docker container.
Drawings
FIG. 1 is a flow chart of the method of the present invention;
fig. 2 is a system block diagram of the system of the present invention.
Detailed Description
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings, it being understood that the preferred embodiments described herein are for illustration and explanation of the present invention only, and are not intended to limit the present invention.
The embodiment of the invention provides a design method based on a mirror image security detection function, as shown in fig. 1, the design method based on the mirror image security detection function comprises the following steps:
S1, determining a verification mode according to mirror image security detection requirements;
S2, when a new mirror image is pulled from the mirror image library, sending an encrypted character as a token;
S3, decrypting the token, and matching the decrypted information against an official mirror image library to judge the security of the current new mirror image.
The working principle of the technical scheme is as follows: determining a verification method (step S1): first, a verification method is determined according to specific mirror image security detection requirements. This may include any one or more authentication mechanisms to ensure the legitimacy and security of the image.
When the new mirror image is pulled, the encrypted character is sent as a token (step S2): when a user or system attempts to pull a new image from the image library, the system generates an encrypted character that is used as a token.
Decrypting the token (step S3): the token will then be decrypted to obtain the information contained therein. This may include some metadata or other information identifying the new image.
Matching the decrypted information against the official mirror image library: the decrypted information is matched against the data in the official mirror image library. This may include comparing the hash values of the images, digital signatures, author information, etc. By comparing this information, the system can verify whether the new image pulled is consistent with the images in the official image library.
Judging the security of the current new mirror image: finally, the system determines the security of the current new image. If the decrypted information matches the official image library and no anomalies or problems occur, the current new image may be considered secure. Conversely, if a mismatch or exception occurs, a security alarm may be triggered or the pull operation may be denied.
The technical scheme has the effects that: mirror image security verification: the above technical solution of the present embodiment may be used to verify whether the pulled new image is safe. By comparing the token with an official mirror library, the validity and integrity of the mirror can be checked.
The mirror image security is improved: the technical scheme of the embodiment is beneficial to improving the security of the pulling mirror image and reducing the risk. It may prevent a user or system from pulling an unverified, malicious or tampered image.
Meets the safety requirement: the security requirements of different environments and application scenes can be met by selecting a verification mode according to specific security requirements.
In general, the above-mentioned technical solution of the present embodiment provides a way to enhance the security of the container image, and by using a verification mechanism, the validity and integrity of the pulled image are ensured, which is helpful to reduce the security risk.
According to one embodiment of the invention, determining a verification mode according to mirror image security detection requirements comprises:
S101, calling the mirror image security detection requirement required by the current mirror image security detection;
S102, determining a verification mode of the image security detection according to the image security detection requirement required by the current image security detection.
The working principle of the technical scheme is as follows: invoking the image security detection requirement required for the current image security detection (step S101): first, the system will acquire or invoke the current mirror security detection requirements. These requirements may be established in a particular environment or in a particular application scenario, in accordance with security requirements, policies, regulations, and the like.
Determining a verification manner of the image security detection according to the image security detection requirement required by the current image security detection (step S102): the system will determine the appropriate authentication means based on the acquired security requirements. These verification means may include, but are not limited to:
Mirror image hash value verification: checking whether the hash value of the pulled image matches the hash value in the official image library.
Digital signature verification: the digital signature of the image is verified to ensure that it has not been tampered with.
Authentication based on access control list: only the official or authorized mirror image is allowed to be pulled.
Metadata-based verification: legitimacy is verified by comparing metadata (e.g., author, version, creation date, etc.) of the pulled image.
Security scanning verification: the images are scanned using an automated tool to detect known vulnerabilities or malware.
Periodic examination and verification: regular security reviews and updates are made to the pulled image.
The technical scheme has the effects that: Customized security verification: according to specific mirror image security requirements, the above technical solution of the present embodiment allows selecting the most suitable verification method. This helps ensure that certain security standards and policies are met.
The adaptability is improved: since the verification mode is dependent on the requirement, the method provides a mechanism for adapting to different situations. This can be used for a variety of different types of mirroring to meet different security requirements.
Risk reduction: selecting a verification style based on specific security requirements may help reduce potential risks associated with pulling the image. This helps to improve the overall security of the system.
In summary, the above technical solution of the present embodiment may customize the image verification manner according to specific requirements, so as to ensure that the pulled image meets specific security standards and requirements and improves security at the same time.
In one embodiment of the present invention, when a new image is pulled from an image library, sending an encrypted character as a token includes:
S201, generating a unique token in the form of encrypted characters by using an encryption algorithm; wherein the token comprises mirror image metadata, a digital signature and a validity period;
S202, associating the token with mirror image related information in a mirror image library;
S203, the token is sent to the user terminal.
The working principle of the technical scheme is as follows: generating a token using an encryption algorithm (step S201): first, the system will generate a unique token using an encryption algorithm. This token typically includes the following:
Mirror image metadata: information about the image, such as author, version, hash value, etc.
Digital signature: a digital signature for verifying the authenticity and integrity of the token.
Validity period: the validity period of the token ensures the security.
Associate token with mirror information (step S202): the generated token will be associated with the relevant information in the mirror library. This means that the mirror library will save these tokens for use in subsequent verification to ensure the security of the pulled mirror.
Send token to user terminal (step S203): the generated token will be sent to the user terminal so that the user can use it when pulling the image. The user will use this token for authentication when pulling the image.
The technical scheme has the effects that: safety: the technical scheme of the embodiment ensures the security of the token by generating the token by using an encryption algorithm and comprising the digital signature and the validity period. The uniqueness of the token and the digital signature may prevent tampering or counterfeiting.
Simplicity of verification: the generated token can be easily sent to the user terminal for the user to use when pulling the image. This simplifies the authentication process, enabling the user to easily verify the authenticity of the image.
Traceability: associating the token with the image information allows the system to track and verify the pulled image during subsequent authentication. This helps track and manage the use of the mirror library.
In summary, the above technical solution of the present embodiment generates a token by using encryption, associates it with image information, and sends it to a user terminal, which provides an effective way to ensure the security of the pulled image, and makes verification simpler and safer.
In one embodiment of the present invention, decrypting the token, and matching the decrypted information against an official mirror image library to determine the security of the current new mirror image, includes:
S301, when a new mirror image is pulled from a mirror image library, a token corresponding to the new mirror image is sent to a server through a user terminal;
S302, after receiving a token corresponding to the new mirror image sent by a user terminal, the server decrypts the token to obtain information data contained in the token as target information data, wherein the information data contained in the token comprises mirror image metadata, a digital signature and a validity period;
S303, carrying out consistency comparison on the target information data and data information corresponding to the new mirror image in an official mirror image library;
and S304, when the target information data is consistent with the data information corresponding to the new image in the official image library, the current new image is indicated to have security.
The working principle of the technical scheme is as follows: send token to server (step S301): when a new image is pulled from the image library, the user terminal sends a token corresponding to the new image to the server. This token is used to verify the security of the new image.
Decryption token (step S302): after receiving the token, the server decrypts the token to obtain the information data contained in the token. These information data include mirror image metadata, digital signatures, and expiration dates. The decrypted information data becomes target information data.
Consistency comparison (step S303): the server compares the target information data with the data information corresponding to the new mirror image in the official mirror image library in a consistency mode. This means that the server will verify that the target information data matches the data in the official mirror library. If so, the current new image is safe.
Judging security (step S304): when the target information data is consistent with the data information in the official mirror image library, the server judges that the current new mirror image is safe, and allows the user terminal to pull and use the mirror image.
The technical scheme has the effects that: Security verification: the above-described solution of the present embodiment provides an efficient verification mechanism for the security of new images by decrypting the token and comparing the data consistency with the official image library.
Risk is reduced: pulling the image is only allowed if the target information data is consistent with the data in the official image repository, thereby reducing the risk of an untrusted or unverified image.
The method is user-friendly: the technical scheme of the embodiment is simple and convenient to operate on the user terminal, and the server can execute the verification process in the background because the user only needs to send the token.
In summary, the above technical solution of the present embodiment provides an effective mechanism to determine the security of a new image by decrypting the token and comparing the data with the official image library, thereby reducing the potential security risk.
In one embodiment of the present invention, the design method based on the mirror image security detection function further includes:
Step 1, when the current new image is secure, allowing the user terminal to download the current new image;
Step 2, when the current new image is unsafe, the user terminal is not allowed to download the current new image, and the new image is marked;
Step 3, when the number of failed security verifications of the new mirror image exceeds a preset threshold, freezing that new mirror image and prohibiting it from being pulled and verified.
The working principle of the technical scheme is as follows: download allowed (step 1): when the current new image is determined to be safe after the security verification, the user terminal is allowed to download the current new image.
Inhibit downloading and marking (step 2): if the current new image is determined to be non-secure, the user terminal will be prohibited from downloading this image and the new image may be marked as non-secure.
Freeze unsafe mirror image (step 3): if the number of failed security verifications of a new image exceeds a preset number of times threshold, the new image will be frozen. This means that new images whose number of security verification failures exceeds a threshold are not allowed to be pulled and verified.
The technical scheme has the effects that: the safety is improved: the technical scheme of the embodiment can prevent unsafe images from being downloaded and used, thereby improving the safety of the system.
Marking the unsafe mirror image: by marking unsafe images, other users or administrators can easily identify and avoid using the images.
Abuse prevention: by freezing the mirror image with the number of security verification failures exceeding the threshold, possible misuse or malicious behavior is prevented.
In a word, the technical scheme of the embodiment improves the security control of the system on the new mirror image and reduces the risk of unsafe mirror images through a reasonable security verification control and marking mechanism, thereby enhancing the security of the whole system.
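The token flow of steps S201 to S203 and S301 to S304, together with the allow, deny-and-mark and freeze handling of steps 1 to 3, as an added Python example that is not part of the patent. The patent names no algorithm, so this example assumes an HMAC-SHA256 tag as the token's signature and leaves the payload unencrypted; `ImageRegistry`, its methods, `FREEZE_THRESHOLD` and all sample values are hypothetical and constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed value for the patent's "preset number of times threshold".
FREEZE_THRESHOLD = 3


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


class ImageRegistry:
    """Hypothetical registry-side issuer and verifier of pull tokens."""

    def __init__(self, key: bytes, official: dict):
        self._key = key
        self._official = official  # image name -> official metadata record
        self.failures = {}         # image name -> failed verification count
        self.flagged = set()       # images marked after a failed check (step 2)
        self.frozen = set()        # images barred from pull and verify (step 3)

    def _sign(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def issue_token(self, image, metadata, ttl=300, now=None):
        """S201: token carries image metadata, a signature and a validity period."""
        now = time.time() if now is None else now
        claims = {"image": image, "metadata": metadata, "exp": now + ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        return _b64(payload) + "." + _b64(self._sign(payload))

    def _check(self, image, token, now):
        """S302/S303: return None when the token is consistent, else a reason."""
        try:
            p64, s64 = token.split(".")
            payload, sig = _unb64(p64), _unb64(s64)
        except ValueError:  # wrong part count or invalid base64
            return "malformed"
        # Verify the signature before parsing anything inside the payload.
        if not hmac.compare_digest(sig, self._sign(payload)):
            return "bad-signature"
        claims = json.loads(payload)
        if claims["exp"] < now:
            return "expired"
        if claims["image"] != image:
            return "wrong-image"
        if claims["metadata"] != self._official.get(image):
            return "metadata-mismatch"
        return None

    def verify_pull(self, image, token, now=None):
        """S304 plus steps 1 to 3: allow, deny and mark, or refuse a frozen image."""
        now = time.time() if now is None else now
        if image in self.frozen:
            return "frozen"
        reason = self._check(image, token, now)
        if reason is None:
            return "allow"
        self.flagged.add(image)
        self.failures[image] = self.failures.get(image, 0) + 1
        if self.failures[image] > FREEZE_THRESHOLD:
            self.frozen.add(image)
        return "deny:" + reason


def demo():
    """Run constructed pulls and return the decision for each one."""
    record = {"author": "example-team", "version": "1.0",
              "digest": "sha256:" + "ab" * 32}          # constructed sample
    reg = ImageRegistry(b"constructed-demo-key", {"app:1.0": record})
    good = reg.issue_token("app:1.0", record, ttl=60, now=1000)
    # Token whose metadata no longer matches the official record.
    other = dict(record, digest="sha256:" + "00" * 32)
    mismatched = reg.issue_token("app:1.0", other, ttl=60, now=1000)

    results = [reg.verify_pull("app:1.0", good, now=1010)]
    results.append(reg.verify_pull("app:1.0", good, now=2000))
    results.append(reg.verify_pull("app:1.0", good[:-4] + "AAAA", now=1010))
    for _ in range(3):
        results.append(reg.verify_pull("app:1.0", mismatched, now=1010))
    results.append(reg.verify_pull("app:1.0", good, now=1010))
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Because failures are counted per image, a client that keeps submitting bad tokens freezes the image for everyone; counting per client as well, or requiring an administrator to confirm the freeze, keeps the threshold from becoming an availability problem.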
The embodiment of the invention provides a design system based on a mirror image security detection function, as shown in fig. 2, the design system based on the mirror image security detection function comprises:
the verification mode determining module is used for determining a verification mode according to the mirror image security detection requirement;
the mirror image pulling module is used for sending the encrypted character as a token when a new mirror image is pulled from the mirror image library;
and the token decryption module is used for decrypting the token, and matching the decrypted information against the official mirror image library to judge the security of the current new mirror image.
The working principle of the technical scheme is as follows: determining a verification mode: first, a verification method is determined according to specific mirror image security detection requirements. This may include any one or more authentication mechanisms to ensure the legitimacy and security of the image.
When the new mirror image is pulled, the encrypted character is sent as a token: when a user or system attempts to pull a new image from the image library, the system generates an encrypted character that is used as a token.
Decrypting the token: the token will then be decrypted to obtain the information contained therein. This may include some metadata or other information identifying the new image.
Matching the decrypted information against the official mirror image library: the decrypted information is matched against the data in the official mirror image library. This may include comparing the hash values of the images, digital signatures, author information, etc. By comparing this information, the system can verify whether the new image pulled is consistent with the images in the official image library.
Judging the security of the current new mirror image: finally, the system determines the security of the current new image. If the decrypted information matches the official image library and no anomalies or problems occur, the current new image may be considered secure. Conversely, if a mismatch or exception occurs, a security alarm may be triggered or the pull operation may be denied.
The technical scheme has the effects that: mirror image security verification: the above technical solution of the present embodiment may be used to verify whether the pulled new image is safe. By comparing the token with an official mirror library, the validity and integrity of the mirror can be checked.
The mirror image security is improved: the technical scheme of the embodiment is beneficial to improving the security of the pulling mirror image and reducing the risk. It may prevent a user or system from pulling an unverified, malicious or tampered image.
Meets the safety requirement: the security requirements of different environments and application scenes can be met by selecting a verification mode according to specific security requirements.
In general, the above-mentioned technical solution of the present embodiment provides a way to enhance the security of the container image, and by using a verification mechanism, the validity and integrity of the pulled image are ensured, which is helpful to reduce the security risk.
In one embodiment of the present invention, the verification manner determining module includes:
the mirror image security detection requirement calling module is used for calling the mirror image security detection requirement required by the current mirror image security detection;
and the verification mode acquisition execution module is used for determining the verification mode of the image security detection according to the image security detection requirement required by the current image security detection.
The working principle of this technical scheme is as follows. Invoking the mirror image security detection requirement for the current detection: first, the system acquires or invokes the current mirror image security detection requirements. These requirements may be established for a particular environment or application scenario, in accordance with security requirements, policies, regulations, and the like.
Determining the verification mode of mirror image security detection according to the requirement for the current detection: the system determines the appropriate verification mode based on the acquired security requirements. The verification modes may include, but are not limited to:
Mirror image hash value verification: checking whether the hash value of the pulled image matches the hash value in the official image library.
Digital signature verification: the digital signature of the image is verified to ensure that it has not been tampered with.
Access control list based verification: only official or authorized mirror images are allowed to be pulled.
Metadata-based verification: legitimacy is verified by comparing metadata (e.g., author, version, creation date, etc.) of the pulled image.
Security scanning verification: the images are scanned using an automated tool to detect known vulnerabilities or malware.
Periodic examination and verification: regular security reviews and updates are made to the pulled image.
The effects of this technical scheme are as follows. Customized security verification: according to the specific mirror image security requirements, the technical scheme of this embodiment allows the most suitable verification mode to be selected. This helps ensure that certain security standards and policies are met.
Adaptability is improved: since the verification mode depends on the requirement, the method provides a mechanism for adapting to different situations. It can be applied to a variety of different types of mirror image to meet different security requirements.
Risk reduction: selecting a verification mode based on specific security requirements may help reduce potential risks associated with pulling the image. This helps to improve the overall security of the system.
In summary, the technical scheme of this embodiment can customize the image verification mode according to specific requirements, ensuring that the pulled image meets specific security standards and requirements while improving security.
In one embodiment of the present invention, the mirror pull module includes:
the token generation module is used for generating a unique token, in the form of encrypted characters, by using an encryption algorithm; wherein the token comprises mirror image metadata, a digital signature and a validity period;
the image related information association module is used for associating the token with the image related information in the image library;
and the token sending module is used for sending the token to the user terminal.
The working principle of this technical scheme is as follows. Generating a token using an encryption algorithm: first, the system generates a unique token using an encryption algorithm. This token typically includes the following:
Mirror image metadata: information about the image, such as author, version, hash value, etc.
Digital signature: a digital signature for verifying the authenticity and integrity of the token.
Validity period: the validity period of the token, which ensures security.
Associating the token with the mirror image information: the generated token is associated with the relevant information in the mirror image library. This means that the mirror image library saves these tokens for use in subsequent verification, to ensure the security of the pulled mirror image.
Transmitting the token to the user terminal: the generated token will be sent to the user terminal so that the user can use it when pulling the image. The user will use this token for authentication when pulling the image.
The effects of this technical scheme are as follows. Security: the technical scheme of this embodiment ensures the security of the token by generating it with an encryption algorithm and including a digital signature and a validity period. The uniqueness of the token and the digital signature may prevent tampering or counterfeiting.
Simplicity of verification: the generated token can be easily sent to the user terminal for the user to use when pulling the image. This simplifies the authentication process, enabling the user to easily verify the authenticity of the image.
Traceability: associating the token with the image information allows the system to track and verify the pulled image during subsequent authentication. This helps track and manage the use of the mirror library.
In summary, the above technical solution of the present embodiment generates a token by using encryption, associates it with image information, and sends it to a user terminal, which provides an effective way to ensure the security of the pulled image, and makes verification simpler and safer.
In one embodiment of the present invention, the token decryption module includes:
the new mirror image pulling execution module is used for sending a token corresponding to the new mirror image to the server through the user terminal when the new mirror image is pulled from the mirror image library;
the target information data acquisition module is used for decrypting the token after receiving the token corresponding to the new mirror image sent by the user terminal, and obtaining information data contained in the token as target information data, wherein the information data contained in the token comprises mirror image metadata, a digital signature and a validity period;
the consistency comparison module is used for carrying out consistency comparison on the target information data and the data information corresponding to the new mirror image in the official mirror image library;
and the security judging module is used for indicating that the current new image has security when the target information data is consistent with the data information corresponding to the new image in the official image library.
The working principle of this technical scheme is as follows. Sending the token to the server: when a new image is pulled from the image library, the user terminal sends the token corresponding to the new image to the server. This token is used to verify the security of the new image.
Decrypting the token: after receiving the token, the server decrypts it to obtain the information data it contains. This information data includes the mirror image metadata, the digital signature and the validity period. The decrypted information data serves as the target information data.
Consistency comparison: the server compares the target information data for consistency with the data information corresponding to the new mirror image in the official mirror image library. This means that the server verifies that the target information data matches the data in the official mirror image library. If so, the current new image is safe.
Judging security: when the target information data is consistent with the data information in the official mirror image library, the server judges that the current new mirror image is safe, and allows the user terminal to pull and use the mirror image.
The effects of this technical scheme are as follows. Security verification: the technical scheme of this embodiment provides an efficient verification mechanism for the security of new images by decrypting the token and comparing the data for consistency with the official image library.
Risk is reduced: pulling the image is only allowed if the target information data is consistent with the data in the official image repository, thereby reducing the risk of an untrusted or unverified image.
User-friendly: the technical scheme of this embodiment is simple and convenient to operate on the user terminal, since the user only needs to send the token and the server can execute the verification process in the background.
In summary, the above technical solution of the present embodiment provides an effective mechanism to determine the security of a new image by decrypting the token and comparing the data with the official image library, thereby reducing the potential security risk.
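The token generation and the server-side decryption and consistency comparison described in the two embodiments above, as an added Go sketch that is not part of the patent. The patent names no algorithm or token layout, so AES-256-GCM, the JSON payload, the opaque `Signature` field (compared with the library record, not cryptographically verified) and all identifiers and sample values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

var ErrTampered = errors.New("token undecryptable: tampered or wrong key")
var ErrExpired = errors.New("token validity period has passed")
var ErrMismatch = errors.New("token data differs from official library record")

// Record: per-image data in the token and in the official library (Signature is opaque here).
type Record struct{ Name, Version, SHA256, Signature string }

type payload struct{ Rec Record; Expires int64 } // Expires: end of validity period, Unix seconds

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Issue seals record and expiry into a token; the random nonce makes each token unique.
func Issue(aead cipher.AEAD, rec Record, ttl time.Duration, now time.Time) (string, error) {
	plain, _ := json.Marshal(payload{rec, now.Add(ttl).Unix()})
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil)), nil
}

// Verify decrypts the token, then checks validity period and library consistency.
func Verify(aead cipher.AEAD, official map[string]Record, token string, now time.Time) error {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	n := aead.NonceSize()
	if err != nil || len(raw) < n {
		return ErrTampered
	}
	var p payload
	plain, err := aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil || json.Unmarshal(plain, &p) != nil {
		return ErrTampered
	}
	if now.Unix() > p.Expires {
		return ErrExpired
	}
	if rec, ok := official[p.Rec.Name]; !ok || rec != p.Rec {
		return ErrMismatch
	}
	return nil
}

func main() {
	key := make([]byte, 32) // demo key generated on the spot
	rand.Read(key)
	aead, _ := NewAEAD(key)
	rec := Record{"demo/app", "1.0", "sha256:constructed", "sig:constructed"} // constructed sample
	tok, _ := Issue(aead, rec, time.Hour, time.Now())
	fmt.Println("verify:", Verify(aead, map[string]Record{rec.Name: rec}, tok, time.Now()))
}
```

Because the consistency check runs against the library record at verification time, a token issued before the official hash value changed is rejected even though it decrypts correctly and is still within its validity period.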
In one embodiment of the present invention, the design system based on the mirror image security detection function further includes:
the new image download allowing module is used for allowing the user terminal to download the current new image when the current new image has security;
a new image downloading disallowing module, configured to disallow the user terminal from downloading the current new image and to mark the new image when the current new image is unsafe;
and the new image downloading prohibition module is used for freezing a new image when its number of failed security verifications exceeds the preset number of times threshold, and prohibiting that new image from being pulled and verified.
The working principle of this technical scheme is as follows. Allowing the download: when the current new image is determined to be safe after the security verification, the user terminal is allowed to download the current new image.
Prohibiting the download and marking: if the current new image is determined to be non-secure, the user terminal will be prohibited from downloading this image and the new image may be marked as non-secure.
Freeze unsafe mirror images: if the number of failed security verifications of a new image exceeds a preset number of times threshold, the new image will be frozen. This means that new images whose number of security verification failures exceeds a threshold are not allowed to be pulled and verified.
The effects of this technical scheme are as follows. Security is improved: the technical scheme of this embodiment can prevent unsafe images from being downloaded and used, thereby improving the security of the system.
Marking the unsafe mirror image: by marking unsafe images, other users or administrators can easily identify and avoid using the images.
Abuse prevention: by freezing the mirror image with the number of security verification failures exceeding the threshold, possible misuse or malicious behavior is prevented.
In summary, the technical scheme of this embodiment improves the system's security control over new mirror images and reduces the risk of unsafe mirror images through a reasonable security verification control and marking mechanism, thereby enhancing the security of the whole system.
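The allow, refuse-and-mark, and freeze outcomes described in this embodiment, as an added Go sketch that is not part of the patent. The `Gate` type, its methods and the `verify` callback are assumptions, and "exceeds the preset threshold" is read as strictly greater than.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

var ErrUnsafe = errors.New("verification failed: download refused, image marked")
var ErrFrozen = errors.New("image frozen: pull and verification prohibited")

type status struct {
	failures       int
	marked, frozen bool
}

// Gate applies the three outcomes per image: allow, refuse and mark, freeze.
type Gate struct {
	mu        sync.Mutex
	threshold int // preset threshold for the number of failed verifications
	images    map[string]*status
}

func NewGate(threshold int) *Gate {
	return &Gate{threshold: threshold, images: map[string]*status{}}
}

// Pull runs verify for the image unless it is frozen. A frozen image is
// refused before verify is called, so it can be neither pulled nor verified.
// The lock is held while verify runs, which keeps the failure count exact.
func (g *Gate) Pull(image string, verify func() error) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	st := g.images[image]
	if st == nil {
		st = &status{}
		g.images[image] = st
	}
	if st.frozen {
		return ErrFrozen
	}
	if verify() == nil {
		return nil // secure: download allowed
	}
	st.failures++
	st.marked = true
	if st.failures > g.threshold { // "exceeds" read as strictly greater
		st.frozen = true
	}
	return ErrUnsafe
}

// Flags exposes the marked and frozen state so that administrators and other
// users can identify unsafe images.
func (g *Gate) Flags(image string) (marked, frozen bool) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if st := g.images[image]; st != nil {
		return st.marked, st.frozen
	}
	return false, false
}

func main() {
	g := NewGate(2)
	fail := func() error { return errors.New("token mismatch") } // constructed failing check
	for i := 0; i < 4; i++ {
		fmt.Println(g.Pull("demo/app:1.0", fail)) // three refusals, then frozen
	}
}
```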
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (10)

1. The design method based on the mirror image security detection function is characterized by comprising the following steps:
determining a verification mode according to the mirror image security detection requirement;
when a new mirror image is pulled from the mirror image library, sending an encrypted character as a token;
decrypting the token, and matching the decrypted information against an official mirror image library to judge the security of the current new mirror image.
2. The design method based on the mirror image security detection function according to claim 1, wherein determining the verification mode according to the mirror image security detection requirement comprises:
invoking the mirror image security detection requirement required by the current mirror image security detection;
and determining a verification mode of the image security detection according to the image security detection requirement required by the current image security detection.
3. The method for designing a mirror image security detection function according to claim 1, wherein when a new mirror image is pulled from a mirror image library, sending an encrypted character as a token, comprises:
generating a unique token, in the form of encrypted characters, by using an encryption algorithm; wherein the token comprises mirror image metadata, a digital signature and a validity period;
associating the token with the mirror image related information in the mirror image library;
and sending the token to the user terminal.
4. The design method based on the mirror image security detection function according to claim 1, wherein decrypting the token, and matching the decrypted information against an official mirror image library to judge the security of the current new mirror image, comprises:
when a new mirror image is pulled from a mirror image library, a token corresponding to the new mirror image is sent to a server through a user terminal;
after receiving a token corresponding to the new mirror image sent by a user terminal, the server decrypts the token to obtain information data contained in the token as target information data, wherein the information data contained in the token comprises mirror image metadata, a digital signature and a validity period;
consistency comparison is carried out on the target information data and the data information corresponding to the new mirror image in an official mirror image library;
and when the target information data is consistent with the data information corresponding to the new image in the official image library, the current new image is indicated to have security.
5. The design method based on the mirror image security detection function according to claim 1, further comprising:
when the current new image has security, the user terminal is allowed to download the current new image;
when the current new image is unsafe, the user terminal is not allowed to download the current new image and the new image is marked;
and when the number of failed security verifications of a new image exceeds a preset number of times threshold, freezing that new image and prohibiting it from being pulled and verified.
6. The design system based on the mirror image security detection function is characterized by comprising:
the verification mode determining module is used for determining a verification mode according to the mirror image security detection requirement;
the mirror image pulling module is used for sending the encrypted character as a token when a new mirror image is pulled from the mirror image library;
and the token decryption module is used for decrypting the token, and matching the decrypted information against the official mirror image library to judge the security of the current new mirror image.
7. The design system based on the mirror image security detection function according to claim 6, wherein the verification manner determining module includes:
the mirror image security detection requirement calling module is used for calling the mirror image security detection requirement required by the current mirror image security detection;
and the verification mode acquisition execution module is used for determining the verification mode of the image security detection according to the image security detection requirement required by the current image security detection.
8. The mirror security detection function-based design system of claim 6, wherein the mirror pull module comprises:
the token generation module is used for generating a unique token, in the form of encrypted characters, by using an encryption algorithm; wherein the token comprises mirror image metadata, a digital signature and a validity period;
the image related information association module is used for associating the token with the image related information in the image library;
and the token sending module is used for sending the token to the user terminal.
9. The image security detection function-based design system of claim 6, wherein the token decryption module comprises:
the new mirror image pulling execution module is used for sending a token corresponding to the new mirror image to the server through the user terminal when the new mirror image is pulled from the mirror image library;
the target information data acquisition module is used for decrypting the token after receiving the token corresponding to the new mirror image sent by the user terminal, and obtaining information data contained in the token as target information data, wherein the information data contained in the token comprises mirror image metadata, a digital signature and a validity period;
the consistency comparison module is used for carrying out consistency comparison on the target information data and the data information corresponding to the new mirror image in the official mirror image library;
and the security judging module is used for indicating that the current new image has security when the target information data is consistent with the data information corresponding to the new image in the official image library.
10. The mirror image security detection function-based design system of claim 6, further comprising:
the new image download allowing module is used for allowing the user terminal to download the current new image when the current new image has security;
a new image downloading disallowing module, configured to disallow the user terminal from downloading the current new image and to mark the new image when the current new image is unsafe;
and the new image downloading prohibition module is used for freezing a new image when its number of failed security verifications exceeds the preset number of times threshold, and prohibiting that new image from being pulled and verified.
CN202311424245.2A 2023-10-31 2023-10-31 Design method and system based on mirror image security detection function Pending CN117519896A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311424245.2A CN117519896A (en) 2023-10-31 2023-10-31 Design method and system based on mirror image security detection function


Publications (1)

Publication Number Publication Date
CN117519896A true CN117519896A (en) 2024-02-06

Family

ID=89752258



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination