CN118013510A - Control method and device - Google Patents

Info

Publication number
CN118013510A
Authority
CN
China
Prior art keywords
target
application
memory
storage area
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410139362.2A
Other languages
Chinese (zh)
Inventor
孙健华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Lenovo Beijing Ltd
Priority to CN202410139362.2A
Publication of CN118013510A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a control method and a control device, wherein the method comprises the following steps: in response to obtaining a target access operation of a target application to a memory of an electronic device, controlling the memory to enter a first permission state, wherein a target storage area of the memory can only be accessed by the target application in the first permission state, and the target storage area is at least part of a storage space of the memory; and after the target application finishes the target access operation on the target storage area, controlling the memory to enter a second authority state, wherein the target storage area cannot be accessed or can be accessed by any application in the second authority state.

Description

Control method and device
Technical Field
The present application relates to, but is not limited to, the field of computer technologies, and in particular to a control method and apparatus.
Background
When an application accesses a memory space to perform a data reading operation, some malicious software may read actions of the application to obtain corresponding operation data, thereby bringing a great threat to information security of a user.
For example, for an application program that stores a user's user name and password information, even if the application program applies multiple layers of encryption to the password information, when the user logs in with the stored user name and password, the application program needs to fill the stored password into a password box in plaintext form, and thus may still be attacked by malware.
Therefore, how to protect the information security of the application program is a problem to be solved.
Disclosure of Invention
In view of this, the present application provides at least a control method and apparatus.
The technical scheme of the application is realized as follows:
In one aspect, the present application provides a control method, the method comprising:
In response to obtaining a target access operation of a target application to a memory of an electronic device, controlling the memory to enter a first permission state, wherein a target storage area of the memory can only be accessed by the target application in the first permission state, and the target storage area is at least part of a storage space of the memory;
And after the target application finishes the target access operation on the target storage area, controlling the memory to enter a second authority state, wherein the target storage area cannot be accessed or can be accessed by any application in the second authority state.
In some embodiments, the method further comprises:
And carrying out authority verification on the target application and/or the target access operation so as to execute the step of controlling the memory to enter a first authority state after the target application and/or the target access operation pass the corresponding authority verification.
In some embodiments, performing rights verification on the target application and/or the target access operation includes at least one of:
After carrying out hash processing on the identification information of the target application, comparing the identification information with target hash data in the firmware of the memory, and taking the obtained comparison result as an authority verification result of the target application;
performing validity verification and/or hash verification on the signature data of the target application to obtain a permission verification result of the target application;
Performing identification comparison on the operation behavior data of the target access operation, and taking the obtained identification comparison result as an authority verification result of the target access operation;
Carrying out hash verification and/or validity verification on the target application, and carrying out identification comparison on the operation behavior data of the target access operation after the target application passes the verification;
and performing identification comparison on the operation behavior data of the target access operation, and performing hash verification and/or validity verification on the target application after the operation behavior data are subjected to identification comparison.
In some embodiments, in response to obtaining a target access operation of a target application to a memory of an electronic device, controlling the memory to enter a first permission state includes:
determining a target storage area to be accessed from the memory based on the identification information of the target application and/or the operation behavior data of the target access operation;
and controlling the target storage area to enter a first permission state which only allows the target application to access based on the identification information and/or the operation behavior data.
In some embodiments, controlling the target storage area to enter a first permission state that only allows access to the target application based on the identification information and/or the operational behavior data includes at least one of:
In response to obtaining an operation in which a first application reads target login information from a memory of the electronic device, controlling a first storage area designated in the memory to enter a permission state which only allows the first application to access;
In response to obtaining an operation in which a second application reads target login information from a memory of the electronic device, controlling a second storage area in the memory that is matched with the second application to enter a permission state which only allows the second application to access;
In response to obtaining a target access operation of a third application and an associated application thereof to a memory of the electronic device, controlling a third storage area appointed in the memory to enter a permission state allowing the third application and the associated application thereof to access, wherein the associated application is an application passing through credibility verification;
And controlling a fourth storage area designated in the memory or a fifth storage area matched with the fourth application in the memory to enter a permission state only allowing the fourth application to access in response to the operation of obtaining the fourth application to access the target data from the memory of the electronic device or share the target data.
In some embodiments, after the target application completes the target access operation to the target storage area, controlling the memory to enter the second permission state includes:
And controlling the memory to perform erasure processing and/or initialization processing on the target storage area in response to the notice of completing the target access operation by the target application or in response to the detection of completing the read operation of the target data in the target storage area by the target application, so that the target storage area cannot be accessed or can be accessed by any application.
In some embodiments, the controlling the memory to perform the erasing process and/or the initializing process on the target storage area includes at least one of the following:
controlling the memory to execute an erasing operation or an initializing operation on the target storage area based on the attribute information of the target storage area;
And controlling the memory to erase and/or initialize the target storage area based on the identification information of the target application and/or the operation behavior data of the target access operation.
In some embodiments, the method further comprises:
And after the target application reads target login information from the target storage area and fills the target login information into a corresponding input box to perform login verification with a target server, updating target verification data aiming at the target application.
In some embodiments, the method further comprises:
storing the updated target verification data of the target application to at least one of the following locations:
Memory firmware of the electronic device;
A chip memory of a baseboard management controller of the electronic device;
A target device that communicates with the electronic device through a target communication interface.
In another aspect, the present application also provides a control device, including:
The first control module is used for controlling the memory to enter a first authority state in response to obtaining a target access operation of a target application to the memory of the electronic device, and in the first authority state, a target storage area of the memory can only be accessed by the target application, wherein the target storage area is at least part of a storage space of the memory;
And the second control module is used for controlling the memory to enter a second authority state after the target application finishes the target access operation on the target storage area, and the target storage area can not be accessed or can be accessed by any application in the second authority state.
In yet another aspect, the application provides a computer device comprising a memory and a processor, the memory storing a computer program executable on the processor, the processor implementing some or all of the steps of the above method when the program is executed.
In yet another aspect, the application provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs some or all of the steps of the above method.
In yet another aspect, the present application provides a computer program comprising computer readable code which, when run in a computer device, causes a processor in the computer device to perform some or all of the steps for carrying out the above method.
In yet another aspect, the application provides a computer program product comprising a non-transitory computer readable storage medium storing a computer program which, when read and executed by a computer, performs some or all of the steps of the above method.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the aspects of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
FIG. 1 is a schematic diagram of an implementation flow of a control method according to the present application;
FIG. 2 is a schematic diagram of an implementation flow of an embodiment of a control method according to the present application;
FIG. 3 is a timing diagram of an embodiment of a control method according to the present application;
FIG. 4 is a schematic diagram of a control device according to the present application;
FIG. 5 is a schematic diagram of a hardware entity of a computer device according to the present application.
Detailed Description
The technical solution of the present application will be further elaborated with reference to the accompanying drawings and examples, which should not be construed as limiting the application, but all other embodiments which can be obtained by one skilled in the art without making inventive efforts are within the scope of protection of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
The term "first/second/third" is merely to distinguish similar objects and does not represent a particular ordering of objects, it being understood that the "first/second/third" may be interchanged with a particular order or precedence, as allowed, to enable embodiments of the application described herein to be implemented in other than those illustrated or described herein.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing the application only and is not intended to be limiting of the application.
In the related art, in order to protect important data related to an application, for example, a login password of the application, various solutions have been proposed. In the following, two related solutions are described taking the example of protecting the login password security of an application:
In the first scheme, when an application accesses a physical memory space to decrypt a user password, a memory management unit (MMU) is used to confirm the application's access permission to the memory space, thereby protecting the application's access to that memory space. In this approach, however, the MMU allows tool software, such as the memory modifier Cheat Engine (CE), to modify access to the memory space by calling an application programming interface (API) provided by the system, thereby posing a threat to the data security of the application.
In the second scheme, the decryption private key corresponding to the user password is stored in a third-party server, and in order to ensure the storage security of the private key, the third-party server is usually a server outside an intranet or a local area network. According to the scheme, the server outside the intranet or the local area network is required to be accessed, so that the password security of the application running only in the intranet or the local area network cannot be effectively protected; meanwhile, after the secret key is obtained from the third party server, the password is still required to be decrypted locally and the plaintext information of the password is displayed, so that the security of the plaintext of the password is difficult to protect locally; in addition, a third party server of an external network is introduced, so that potential safety hazards of network transmission exist.
Based on this, the present application provides a control method that can be executed by a processor of a computer device. The computer device may be a device with data processing capability, such as a server, a notebook computer, a tablet computer, a desktop computer, a smart television, a set-top box, a mobile device (e.g., a mobile phone, a portable video player, a personal digital assistant, a dedicated messaging device, and a portable game device).
Fig. 1 is a schematic implementation flow chart of a control method provided by the present application, as shown in fig. 1, the method includes steps S101 to S102 as follows:
In step S101, in response to obtaining a target access operation of a target application to a memory of an electronic device, the memory is controlled to enter a first permission state, and in the first permission state, a target storage area of the memory can only be accessed by the target application, where the target storage area is at least part of a storage space of the memory.
Here, the target application is an application program running on the electronic device. In some embodiments, the target application may include a client application installed on the electronic device, and may also include a web browser, and a web application presented through the web browser.
The memory of the electronic device refers to the physical memory of the electronic device.
The target access operation refers to an operation that the target application executes using the memory space of the electronic device and that has a higher data security requirement. In some embodiments, the target access operation may include: decrypting a password using the memory space of the electronic device and filling the decrypted plaintext password into a password box of the target application, or accessing specified information using the memory space of the electronic device.
The permission status refers to the accessible permission status of the memory. In some embodiments, the permission status of the electronic device may include one of: a state in which access is prohibited, a state in which access by the processes of a specified application is allowed, and a state in which access by the processes of all applications is allowed.
The first permission state refers to that a target storage area of the memory only allows a process corresponding to the target application to access.
And under the condition that the target access operation of the target application to the memory of the electronic equipment is obtained, controlling the memory of the electronic equipment to enter a first authority state, so that the target storage area of the memory only allows the process corresponding to the target application to access, and prohibiting other applications from accessing. Thus, during the target access operation of the target application, the target storage area in the memory is in a single-process access state or a multi-process (i.e., a plurality of processes belonging to the target application) access state excluding other application accesses outside the target application, thereby improving the security of the data in the target storage area.
Step S102, after the target application completes the target access operation to the target storage area, controlling the memory to enter a second permission state, where the target storage area cannot be accessed or can be accessed by any application.
Here, the target application completing the target access operation on the target storage area means that the target data processing has been completed using the target storage area. The target data processing operation may include: completing the login operation of the target application; or completing the operation of decrypting the password into plaintext; or completing the operation of filling the plaintext password into a designated password box; or completing the access operation on the specified information, etc.
In some embodiments, when the target storage area is set to be used only for a target access operation (e.g., a decryption operation for a password) of at least one target application, the memory is in the second permission state after the target application completes the target access operation, at which time the target storage area cannot be accessed, i.e., the target storage area enters the disabled state.
In some embodiments, when the target storage area is only temporarily used for the specified target access operation of at least one target application, the memory is in the second permission state after the target application completes the target access operation on the target storage area; at this time, the target storage area is restored to a state in which it can be accessed by any application, or the target storage area is restored to the initialized state.
In the control method provided by the application, on one hand, the memory is controlled to enter the first authority state in response to the target access operation of the target application to the memory of the electronic device, and in the first authority state, the target storage area of the memory can only be accessed by the target application, namely, when the target application executes the target access operation, the target storage area only allows the single process or multiple processes of the target application to access, so that the processes of other applications can be prevented from reading data related to the target access operation of the target application, and the data security of the target application is improved.
In some embodiments, before executing the controlling of the memory in step S101 to enter the first permission state, the controlling method further includes the following step S103:
step S103, performing permission verification on the target application and/or the target access operation, so as to execute the step of controlling the memory to enter the first permission state after the target application and/or the target access operation passes the corresponding permission verification.
Here, the permission verification refers to verifying the use permission or the access permission of the target application and/or the target access operation to the target storage area in the memory.
In some embodiments, the authorization verification is performed on the target application, including verification on a hash value, signature data, or identification information corresponding to the target application, and the like. For example, whether the identification information corresponding to the target application is matched with at least one target identification information stored in advance is verified, and if the verification result indicates that the identification information corresponding to the target application is matched with the at least one target identification information, the target application is determined to pass the authority verification.
In some embodiments, verifying the rights of the target access operation refers to verifying the operational behavior data of the target access operation. For example, when the operation behavior data of the target access operation matches the operation behavior specified in advance, it is determined that the target access operation passes the authority verification.
In the above embodiment, by performing authority verification on the target application and/or the target access operation, and determining whether to control the memory to enter the first authority state based on the verification result, the range of the target application and/or the target access operation can be determined in advance, and the data security of the designated application and/or the access operation is improved.
In some embodiments, the verifying of the authority of the target application and/or the target access operation in the step S103 may be implemented by at least one of the following steps S1031 to S1034:
Step S1031, after hashing the identification information of the target application, comparing the result with the target hash data in the firmware of the memory, and taking the obtained comparison result as the permission verification result of the target application.
Here, the identification information of the target application refers to information for uniquely identifying the target application. The identification information of the target application may be generated based on installation information of the target application, library file information, password update information of the target application, and the like. The generation manner of the identification information of the target application is not particularly limited here.
The hash processing is performed on the identification information of the target application, namely, the constructed hash function is utilized to process the identification information of the target application so as to obtain a hash value corresponding to the identification information of the target application.
Here, the hash function that hashes the identification information of the target application is specified in advance, that is, the identification information is hashed according to a specified rule.
The target hash data stored in the memory firmware is the predetermined hash data of at least one application for which the memory is controlled to enter the first permission state when that application performs a target access operation on the memory of the electronic device.
In some embodiments, the target hash data may be hash data corresponding to an application pre-specified by the user. For example, the user selects at least one application in the setting item; responding to the checking operation of the user, and generating corresponding target hash data for each checked application; each target hash data is stored in memory firmware.
In some embodiments, the target hash data is determined based on the application type. For example, for a client application installed by a user and having a high security requirement, or a web application accessed by the user through a browser and having a high security requirement, for example, a financial application, corresponding target hash data may be automatically generated for such an application, and each generated target hash data may be stored in firmware in a memory.
In some embodiments, the identification information of the application specified by the user or determined based on the application type may be processed by using a pre-specified hash function to obtain the corresponding target hash data.
Here, in the case that the hash value corresponding to the identification information of the target application matches the target hash data in the memory firmware, it is determined that the permission verification result corresponding to the target application is a pass; otherwise, it is determined that the verification does not pass.
In the above embodiment, the target hash data for verifying the authority of the target application is stored in the firmware of the memory, so that the data protection of the target application by using the lower-layer memory firmware is realized, and the malicious attack of the software level can be reduced, thereby improving the data security of the target application.
Step S1032, carrying out validity verification and/or hash verification on the signature data of the target application to obtain the authority verification result of the target application.
Here, the signature data is the digital signature that the developer of an application applies to its software programs, application programs, and drivers using an application digital certificate, in order to prevent unauthorized parties from tampering with or destroying the application. Thus, the signature data of each application may also identify the corresponding application.
In some embodiments, validity verification is performed on the signature data of the target application, that is, it is verified whether the signature data of the target application matches at least one predetermined application for which the memory is controlled to enter the first permission state when that application performs the target access operation on the memory of the electronic device. If so, it is determined that the permission verification result corresponding to the target application is a pass; otherwise, it is determined that the verification does not pass.
In some embodiments, validity verification is performed on the signature data of the target application, that is, the signature data of the target application is verified, and in the case that it is determined that the target application has not been tampered with or destroyed, the permission verification result corresponding to the target application is determined to be a pass; otherwise, it is determined that the verification does not pass.
Hash verification is performed on the signature data of the target application, that is, the signature data of the target application is hashed to obtain a hash value, and it is determined based on the hash value whether the target application matches at least one predetermined application for which the memory is controlled to enter the first permission state when that application performs the target access operation on the memory of the electronic device. If so, it is determined that the permission verification result corresponding to the target application is a pass; otherwise, it is determined that the verification does not pass.
Step S1033, performing identification comparison on the operation behavior data of the target access operation, and taking the obtained identification comparison result as the permission verification result of the target access operation.
Here, the operation behavior data of the target access operation refers to the operation track, the interaction path, or the type and content of the operation behavior corresponding to the target access operation. When the operation behavior data of the target access operation matches the pre-stored target operation behavior data, the permission verification result of the target access operation is determined to be passed; otherwise, it is determined to be not passed.
For example, the pre-stored target operation track is: first, the application initiates a login operation; then, it applies for access rights to the memory space; then, it obtains the address of the target storage area; then, it decrypts the password in the target storage area using the private key; finally, the application reads the password plaintext and feeds the user name and the password plaintext back to the corresponding server for authentication at that server. Thus, when the track corresponding to the target access operation is the same as this track, the permission verification result of the target access operation is determined to be passed; otherwise, it is determined to be not passed.
For another example, when the operation behavior type of the target access operation is reading login information, the permission verification result of the target access operation is determined to be passed; otherwise, it is determined to be not passed.
Step S1034, performing hash verification and/or validity verification on the target application, and performing identification comparison on the operation behavior data of the target access operation after the target application passes the verification.
Here, for detailed description of hash verification and/or validity verification of the target application, reference may be made to the above description of step S1031 and step S1032, which are not repeated here.
For a detailed description of the identification comparison of the operation behavior data of the target access operation, refer to the description of step S1033, which is not repeated here.
In the above embodiment, hash verification and/or validity verification is performed on the target application first, and after that verification passes, the identification comparison of the operation behavior data of the target access operation is then performed, so that double verification is realized and the accuracy of the permission verification result is improved.
Step S1035, performing identification comparison on the operation behavior data of the target access operation, and performing hash verification and/or validity verification on the target application after the identification comparison of the operation behavior data passes.
Here, for a detailed description of the identification comparison of the operation behavior data of the target access operation, reference may be made to the above description of step S1033, which is not repeated here.
For a detailed description of hash verification and/or validity verification of the target application, reference may be made to the above description of step S1031 and step S1032, which are not repeated here.
In the above embodiment, the identification comparison of the operation behavior data of the target access operation is performed first, and after the comparison passes, hash verification and/or validity verification is then performed on the target application, so that double verification is realized and the accuracy of the permission verification result is improved.
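The double verification of steps S1034 and S1035 can be sketched as follows. This is an added example, not code from the patent: SHA-256, the length-prefixed field layout, the step labels and the sample firmware allowlist are all assumptions constructed for illustration, and signature validity verification is left out.

```python
import hashlib
import hmac

# Ordered operation track from the login example above.
# The step labels are constructed names, not identifiers from the patent.
EXPECTED_TRACK = (
    "initiate_login",
    "request_memory_access",
    "get_target_region_address",
    "decrypt_password_with_private_key",
    "read_plaintext_and_send_to_server",
)


def canonical_identity(name: str, version: str, cert_fingerprint: str) -> bytes:
    """Length-prefix each field so ("ab", "c") and ("a", "bc") never collide."""
    out = bytearray()
    for field in (name, version, cert_fingerprint):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def identity_hash(name: str, version: str, cert_fingerprint: str) -> bytes:
    """Hash of the identification information (SHA-256 is an assumption)."""
    return hashlib.sha256(canonical_identity(name, version, cert_fingerprint)).digest()


# Constructed stand-in for the target hash data pre-stored in memory firmware.
FIRMWARE_TARGET_HASHES = [
    identity_hash("ExampleBrowser", "1.0.0", "constructed-cert-fingerprint"),
]


def verify_application(app_hash: bytes, target_hashes) -> bool:
    """Hash verification: compare against every stored hash in constant time."""
    matched = False
    for target in target_hashes:
        matched |= hmac.compare_digest(app_hash, target)
    return matched


def verify_behavior(track, expected=EXPECTED_TRACK) -> bool:
    """Identification comparison: same steps, same order, nothing extra."""
    return tuple(track) == tuple(expected)


def authorize(app_hash, track, target_hashes, app_first=True):
    """Double verification. app_first=True follows the S1034 order,
    app_first=False the S1035 order. The second check only runs if the
    first passes. Returns (passed, name of the failed check or None)."""
    checks = [
        ("application", lambda: verify_application(app_hash, target_hashes)),
        ("behavior", lambda: verify_behavior(track)),
    ]
    if not app_first:
        checks.reverse()
    for name, check in checks:
        if not check():
            return False, name
    return True, None


if __name__ == "__main__":
    good = identity_hash("ExampleBrowser", "1.0.0", "constructed-cert-fingerprint")
    print(authorize(good, EXPECTED_TRACK, FIRMWARE_TARGET_HASHES))
```

Both orders give the same pass or fail result; they differ only in which check is reported and which work is skipped when a request fails.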
In some embodiments, in response to obtaining a target access operation of a target application to a memory of an electronic device, controlling the memory to enter a first permission state, that is, the step S101 may be implemented by the following steps S1011 to S1012:
Step S1011, determining a target storage area to be accessed from the memory based on the identification information of the target application and/or the operation behavior data of the target access operation.
Here, the identification information of the target application is information for uniquely identifying the target application. In some embodiments, the identification information of the target application includes at least one of: application name information, version information, and digital signature certificate information of the target application, and the like.
The operation behavior data of the target access operation refers to the data processing behavior pointed by the target access operation. In some embodiments, the operational behavior data includes one of: account login behavior, access information to specified data, data sharing behavior to specified data, and so forth.
In some embodiments, a mapping relationship of at least one application and/or at least one memory access operation to a storage area in at least one memory is pre-specified. In this way, after obtaining the target access operation of the target application to the memory of the electronic device, the target storage area to be accessed may be determined based on the mapping relationship, the identification information of the target application, and/or the operation behavior data of the target access operation.
Step S1012, controlling the target storage area to enter a first permission state allowing only the target application to access based on the identification information and/or the operation behavior data.
Here, after the target storage area is determined, the target storage area is controlled to enter a first permission state allowing only the target application to access, that is, the target storage area is set to a single-process access state or a multi-process access state of the target application during the target access operation, so as to reduce the risk of attack of target application data in the target storage area by other application processes.
In some embodiments, controlling the target storage area to enter the first permission state allowing only the target application to access based on the identification information and/or the operation behavior data, that is, the above step S1012, may be achieved by at least one of the following steps S1013 to S1016:
In step S1013, in response to obtaining the operation of the first application to read the target login information from the memory of the electronic device, the first storage area specified in the memory is controlled to enter the permission state allowing only the first application to access.
Here, the identification information of the target application indicates that the target application is the first application.
The operation behavior data of the target access operation indicates that the target access operation is to read target login information from a memory of the electronic device.
The target storage area is a first storage area designated in the memory.
The target login information includes password information for logging in the first application. In some embodiments, the target login information may be data (cookies) stored on the user's local terminal that is loaded locally and decrypted into plaintext in the first storage area. In some embodiments, the target login information may be password information that is obtained from the server and decrypted into plaintext in the first storage area.
The first application reads target login information from the memory of the electronic device, namely, the first application reads the decrypted password plaintext from the first storage area to perform application login.
In the above embodiment, the first storage area is set as a specified memory area that can enter the single-process access state or the multi-process access state of the target application, that is, only the first application is allowed access while the first application performs the specified operation.
In step S1014, in response to obtaining the operation of the second application to read the target login information from the memory of the electronic device, the second storage area in the memory, which is matched with the second application, is controlled to enter the permission state allowing only the second application to access.
Here, the identification information of the target application indicates that the target application is the second application.
The operation behavior data of the target access operation indicates that the target access operation is to read target login information from a memory of the electronic device.
The target storage area is a second storage area matched with the second application in the memory.
The target login information includes password information for logging in the second application. In some embodiments, the target login information may be cookies loaded locally and decrypted into plaintext in the second storage area, or a ciphertext obtained from the server and decrypted into plaintext in the second storage area.
The second application reads the target login information from the memory of the electronic device, that is, the second application reads the decrypted password plaintext from the second storage area to perform application login.
In the above embodiment, the mapping relationship between the second application and the second storage area is established, so that the second storage area is controlled to enter the permission state allowing only the second application to access only when the second application reads the target login information from the memory.
In some embodiments, the second application may comprise at least one fifth application, and the second storage area comprises at least one sixth storage area; thus, the above embodiment further comprises: pre-establishing a mapping relationship between each fifth application and each sixth storage area.
In step S1015, in response to obtaining the target access operation of the third application and the associated application to the memory of the electronic device, the third storage area specified in the memory is controlled to enter the permission state for allowing the third application and the associated application to access, where the associated application is an application that passes the trust verification.
Here, the identification information of the target application indicates that the target application is the third application and its associated applications.
The associated application of the third application refers to an application associated with a launch or run action of the third application. For example, in the third application, when the picture is opened, a picture reader or browser is automatically started to display the picture, and the picture reader or browser is the associated application of the third application.
The associated application of the third application is an application passing the credibility verification, so that when the third application accesses the third storage area, the malicious application is prevented from attacking the data of the third application related to the target access operation, and the data security is improved. In some embodiments, it may be determined whether the associated application passes the trust verification based on the trust verification between the third application and the associated application; the associated application may also be trusted based on other information related to the associated application, such as, for example, a storage address of an installation file of the associated application, an access path of the associated application, a signature certificate of the associated application, identification information of the associated application, and so on.
In the above embodiment, under the condition that the target access operation of the third application and the associated application to the memory is obtained, the third storage area designated in the memory is controlled to enter the permission state for allowing the access of the third application and the associated application, so that the access of the at least two associated applications to the designated memory area can be realized.
In step S1016, in response to obtaining the operation of the fourth application to access the target data from the memory of the electronic device or to share the target data, the fourth storage area specified in the memory or the fifth storage area matched with the fourth application in the memory is controlled to enter the permission state allowing only the fourth application to access.
Here, the identification information of the target application indicates that the target application is the fourth application.
The operational behavior data of the target access operation indicates that the target access operation is to access or analyze target data from a memory of the electronic device.
The target storage area is a fourth storage area in the memory or a fifth storage area matched with the fourth application.
In the above embodiment, when the fourth application accesses the target data from the memory of the electronic device or analyzes the target data, the fourth storage area specified in the memory or the fifth storage area matched with the fourth application in the memory may be determined as the target storage area, so that the target storage area may be flexibly selected based on the usage condition of the specified fourth storage area, or the target storage area may be determined based on the size of the target data to be accessed by the fourth application or the shared target data. For example: when the data amount of the target data or the shared target data is small, the fifth storage area matched with the fourth application can be determined to be the target storage area; when the data amount of the target data or the shared target data is large, the designated fourth storage area can be determined as the target storage area; wherein the storage capacity of the fourth storage area is larger than the storage capacity of the fifth storage area.
In some embodiments, after the target application completes the target access operation to the target storage area in the step S102, the controlling the memory to enter the second permission state may be implemented by the following step S1021:
In step S1021, in response to obtaining a notification that the target application completes the target access operation, or in response to monitoring that the target application completes a read operation of target data in the target storage area, the memory is controlled to perform an erase process and/or an initialization process on the target storage area, so that the target storage area cannot be accessed or can be accessed by any application.
Here, the target application completes the target access operation, for example, the target application completes the operation of reading the target login information, or the target application and its associated application complete the target access operation, or the target application completes the access or sharing operation to the target data.
In some embodiments, a notification from the driver that the target application completed the target access operation may be obtained; the read operation of the target application on the target storage area can be monitored to obtain the use condition of the target application on the target storage area.
Here, performing the erase processing on the target storage area means erasing data written in the target storage area. In some embodiments, only the data loaded into the target storage area that is relevant to the target access operation of the target application may be erased, e.g., the decrypted password plaintext loaded into the target storage area, or the access data of the target application to the target storage area. In some embodiments, all data in the target storage area may also be erased, i.e., the target storage area is formatted or the partition of the target storage area is deleted.
Initializing a target storage area means that the target storage area is restored to a pre-configured state, that is, only a designated application is allowed to access the target storage area when a target access operation is completed, or only an application that occupies the target storage area first is allowed to access the target storage area, or a partition to the target storage area is deleted.
Thus, after the erasure processing and/or the initialization processing is performed on the target memory area, if the target memory area is restored to a state that only the specified application is allowed to access when the target access operation is completed, the target memory area cannot be accessed without the target access operation of the specified application; if the target storage area is deleted or restored to allow only the application which is occupied first to access, the memory space where the target storage area is located can be accessed by any application.
In some embodiments, the controlling the memory in the step S1021 to perform the erasing process and/or the initializing process on the target storage area may be implemented by at least one of the following steps S1022 to S1023:
Step S1022, controlling the memory to perform an erasing operation or an initializing operation on the target storage area based on the attribute information of the target storage area.
Here, the attribute information of the target storage area includes a determination manner corresponding to the target storage area.
In some embodiments, the attribute information of the target storage area may include one of: a memory area reserved in the memory space based on the pre-specification; and determining the designated storage area based on the mapping relation between the pre-designated application and the storage area and the identification information of the target application. The reserved storage area can be accessed by any target application in a single process or multiple processes belonging to the same target application during the target access operation; the designated memory area allows only the target application having the mapping relationship to make a single-process or multi-process access of the target application during the target access operation.
Controlling the memory to execute an erasing operation or an initializing operation on the target storage area based on the attribute information of the target storage area means determining the type of operation executed on the target storage area based on the way in which the target storage area was determined. For example, in the case where the target storage area is a reserved storage area, an erasing operation is performed on the target storage area to erase data related to the target application within the target storage area; and when the target storage area is a designated storage area having a mapping relationship with the target application, an initialization operation is performed on the target storage area. For another example, in the case where the target storage area is a reserved storage area, an initialization operation is performed on the target storage area; and when the target storage area is a designated storage area having a mapping relationship with the target application, an erasing operation is performed on the target storage area to erase data related to the target application in the target storage area.
Step S1023, controlling the memory to erase and/or initialize the target storage area based on the identification information of the target application and/or the operation behavior data of the target access operation.
Here, controlling the memory to perform the erasing process and/or the initializing process on the target storage area based on the identification information of the target application means that the processing performed by the memory on the target storage area differs for different target applications. For example, when the identification information of the target application indicates that the target application is a browser, the memory is controlled to perform an erasing process on the target storage area; when the identification information of the target application indicates that the target application is a client application, the memory is controlled to perform initialization processing on the target storage area; and so on.
Controlling the memory to erase and/or initialize the target storage area based on the operation behavior data of the target access operation means controlling the memory to apply different processing to the target storage area according to the different operation behaviors of the target application. For example, when the operation behavior of the target application is a login operation, the memory is controlled to perform an erasing process on the target storage area; when the operation behavior of the target application is a consulting or sharing operation on the target data, the memory is controlled to perform initialization processing on the target storage area; and so on.
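The region life cycle of steps S1011, S1012, S1021 and S1022 can be modelled as a small state machine. This is an added sketch, not code from the patent: the class and state names are hypothetical, it follows the first variant described for step S1022 (a reserved area is erased, a designated area is initialized), and it assumes that initialization also clears the contents.

```python
class AccessDenied(Exception):
    """Raised when an application touches a region it may not access."""


class Region:
    def __init__(self, name, size, kind, mapped_app=None):
        self.name = name
        self.kind = kind              # attribute information: "reserved" or "designated"
        self.mapped_app = mapped_app  # pre-specified mapping, designated regions only
        self.buf = bytearray(size)
        self.owner = None
        # Second permission state before any access: a designated region is
        # inaccessible, a reserved region can be accessed by any application.
        self.state = "inaccessible" if kind == "designated" else "open"


class MemoryController:
    def __init__(self, regions):
        self.regions = list(regions)

    def select_region(self, app_id):
        """S1011: prefer the region mapped to the application, else a free reserved one."""
        for r in self.regions:
            if r.kind == "designated" and r.mapped_app == app_id:
                return r
        for r in self.regions:
            if r.kind == "reserved" and r.owner in (None, app_id):
                return r
        raise AccessDenied(f"no region available for {app_id}")

    def enter_first_state(self, app_id):
        """S1012: only app_id may access the region until complete() is called."""
        region = self.select_region(app_id)
        region.owner = app_id
        region.state = "first"
        return region

    def may_access(self, region, app_id):
        if region.state == "first":
            return region.owner == app_id
        return region.state == "open"

    def write(self, region, app_id, data, offset=0):
        if not self.may_access(region, app_id):
            raise AccessDenied(f"{app_id} may not write {region.name}")
        if offset < 0 or offset + len(data) > len(region.buf):
            raise ValueError("write outside region")
        region.buf[offset:offset + len(data)] = data

    def read(self, region, app_id, length, offset=0):
        if not self.may_access(region, app_id):
            raise AccessDenied(f"{app_id} may not read {region.name}")
        return bytes(region.buf[offset:offset + length])

    def complete(self, region, app_id):
        """S1021/S1022: clear the region and enter the second permission state."""
        if region.state != "first" or region.owner != app_id:
            raise AccessDenied("only the current owner can complete the operation")
        # Overwrite in place. Rebinding region.buf to a fresh bytearray would
        # leave the old plaintext reachable through any existing reference.
        region.buf[:] = bytes(len(region.buf))
        region.owner = None
        # Reserved area: erased, then accessible by any application again.
        # Designated area: initialized, inaccessible until its mapped
        # application starts a new target access operation.
        region.state = "inaccessible" if region.kind == "designated" else "open"
        return region.state


if __name__ == "__main__":
    mc = MemoryController([
        Region("reserved0", 32, "reserved"),
        Region("browser_area", 32, "designated", mapped_app="browser"),
    ])
    area = mc.enter_first_state("browser")
    mc.write(area, "browser", b"constructed-secret")  # constructed sample data
    print(mc.may_access(area, "other_app"), mc.complete(area, "browser"))
```

A Python model cannot guarantee that no copy of the plaintext survives, since `read` returns an immutable copy; the point of the sketch is the permission transitions and the in-place overwrite.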
In some embodiments, the control method provided by the present application further includes the following step S104:
Step S104, after the target application reads the target login information from the target storage area and fills the target login information into a corresponding input box to perform login verification with a target server, target verification data for the target application is updated.
Here, the target access operation of the target application to the memory of the electronic device is an operation that the target application reads target login information from the target storage area of the memory and fills the target login information into the corresponding input box. The target login information is a cipher text decrypted in the target storage area.
Updating the target verification data for the target application may include updating hash data corresponding to identification information of the target application, hash data corresponding to signature data of the target application, operation behavior data of the target access operation, and the like. Here, the detailed description of the hash data corresponding to the identification information of the target application, the hash data corresponding to the signature data of the target application, and the operation behavior data of the target access operation may refer to the descriptions in the above steps S1031 to S1034, and will not be repeated here.
In the above embodiment, by updating the target verification data of the target application, the reliability of the verification process of the target application can be improved, and further, the security of the target access operation of the target application to the target storage area can be improved.
In some embodiments, after the step S104, the following step S105 is further included:
Step S105, storing the updated target verification data of the target application to at least one of the following locations: memory firmware of the electronic device; a chip memory of a baseboard management controller of the electronic device; and the target device is communicated with the electronic device through a target communication interface.
Here, the target device may include a cloud server, an edge device, or other third party device.
Storing the target verification data in the memory firmware and in the chip memory of the baseboard management controller protects the target verification data of the target application at a lower layer, which further improves the security of the target verification data. Storing the target verification data on a target device outside the electronic device means that a malicious attack on the electronic device does not threaten the verification data, which also further improves the security of the target verification data.
An embodiment of automatically logging in a browser account by using the control method provided by the present application will be described in detail with reference to fig. 2. Referring to fig. 2, this embodiment includes the following steps S201 to S208:
Step S201, receiving a memory access request of a decryption password from a browser; after that, step S202 is performed;
Here, the memory access request includes identification information of the browser and a password. Meanwhile, the memory access request is encrypted information.
Step S202, judging whether to start a memory protection mechanism; if not, executing step S203; if yes, go to step S205;
Here, a key for decrypting the memory access request is obtained from the memory firmware, and the memory access request is decrypted using the key to obtain a decrypted memory access request; then, the identification information of the browser is hashed to obtain a hash value corresponding to the identification information; then, the hash value corresponding to the browser is compared with the target hash data pre-stored in the memory firmware. When the hash value corresponding to the browser matches the target hash data pre-stored in the memory firmware, it is determined that the memory protection mechanism is to be started; otherwise, the memory protection mechanism is not started.
Step S203, obtaining a secret key corresponding to the password from the local cookies, and decrypting the password by using the free memory space to obtain a password plaintext; after that, step S204 is performed;
Step S204, filling the password plaintext into a password frame of the browser, and sending the user name and the password plaintext to a corresponding server for authentication so as to complete login operation;
Step S205, starting a memory protection mechanism; after that, step S206 is performed;
Step S206, obtaining a key corresponding to the password from the memory firmware, and decrypting the password in the reserved memory space to obtain a password plaintext; after that, step S207 is performed;
Step S207, filling the password plaintext into a password frame of the browser, and sending the user name and the password plaintext to a corresponding server for authentication; after that, step S208 is performed;
Step S208, in response to completing the browser login operation, erasing the login information in the reserved memory space.
The following describes the interaction sequence of the above embodiment in detail by using the browser, the secure driver and the memory firmware as interaction bodies. As shown in fig. 3, the interaction sequence includes the following steps S301 to S315:
In step S301, the browser 310 determines the registered user name and the corresponding password in response to the user selection.
In step S302, the browser 310 sends an encrypted memory access request to the secure driver 320.
Here, the memory access request includes identification information of the browser and a password corresponding to the user name selected by the user.
Step S303, the secure driver 320 obtains the first key from the memory firmware 330; the memory access request is decrypted using the first key.
In step S304, the secure driver 320 hashes the browser identification information in the memory access request to obtain a hash value of the identification information.
Step S305, the secure driver 320 obtains pre-stored target hash data from the memory firmware 330; and verifying the hash value corresponding to the browser by utilizing the pre-stored target hash data.
In step S306, if the verification is passed, the secure driver 320 obtains the second key corresponding to the password from the memory firmware 330.
In step S307, the secure driver 320 decrypts the password in the reserved memory space by using the second key to obtain the plaintext of the password.
In step S308, the secure driver 320 fills the password plaintext into the password frame of the browser in the reserved memory space.
In step S309, the browser 310 sends the user name and the password plaintext to the corresponding server for authentication, so as to complete the login operation.
In step S311, the browser 310 transmits login completion information to the secure driver 320.
In step S312, the secure driver 320 regenerates the hash data, the identification information and the password for the browser in the reserved memory space, and encrypts the identification information and the password by using the public key.
In step S313, the secure driver 320 transmits the encrypted identification information and password to the browser.
Step S314, the secure driver 320 sends the encrypted identification information and the updated first key corresponding to the password to the memory firmware 330; the updated second key corresponding to the password is sent to the memory firmware 330.
In step S315, the secure driver 320 erases the data related to the browser login information in the reserved memory space.
According to the control method provided by the embodiment of the application, the reserved memory space only allows the corresponding process of the browser to access during the login of the browser, so that malicious application can be prevented from stealing the password plaintext information in the memory space; in addition, after the browser logs in, the identification information, the password information, the hash data, the secret key and the like aiming at the browser are regenerated, so that the safety of the browser login data can be further improved.
Based on the foregoing embodiments, the embodiments of the present application provide a control apparatus. The units included in the apparatus, and the modules included in the units, may be implemented by a processor in a computer device; of course, they may also be implemented by specific logic circuits. In an implementation, the processor may be a central processing unit (Central Processing Unit, CPU), a microprocessor (Microprocessor Unit, MPU), a digital signal processor (Digital Signal Processor, DSP), or a field programmable gate array (Field Programmable Gate Array, FPGA), or the like.
Fig. 4 is a schematic structural diagram of a control device according to an embodiment of the present application, and as shown in fig. 4, a control device 400 includes: a first control module 410 and a second control module 420, wherein:
a first control module 410, configured to control, in response to obtaining a target access operation of a target application to a memory of an electronic device, the memory to enter a first permission state, where a target storage area of the memory is only accessible to the target application, and the target storage area is at least part of a storage space of the memory;
a second control module 420, configured to control the memory to enter a second permission state after the target application completes the target access operation to the target storage area, where the target storage area cannot be accessed or can be accessed by any application in the second permission state.
In some embodiments, the apparatus 400 further comprises a verification module 430;
The verification module 430 is configured to perform permission verification on the target application and/or the target access operation, so that the first control module 410 performs the step of controlling the memory to enter the first permission state after the target application and/or the target access operation passes the corresponding permission verification.
In some embodiments, the verification module 430 is configured to perform at least one of:
hashing the identification information of the target application, comparing the hashed identification information with target hash data in the firmware of the memory, and taking the comparison result as the permission verification result of the target application;
performing validity verification and/or hash verification on the signature data of the target application to obtain a permission verification result of the target application;
performing identification comparison on the operation behavior data of the target access operation, and taking the comparison result as the permission verification result of the target access operation;
performing hash verification and/or validity verification on the target application, and performing identification comparison on the operation behavior data of the target access operation after the target application passes the verification;
performing identification comparison on the operation behavior data of the target access operation, and performing hash verification and/or validity verification on the target application after the operation behavior data has undergone identification comparison.
In some embodiments, the first control module 410 includes:
A determining module 411, configured to determine a target storage area to be accessed from the memory based on the identification information of the target application and/or the operation behavior data of the target access operation;
A first control sub-module 412 is configured to control the target storage area to enter a first permission state that only allows the target application to access, based on the identification information and/or the operation behavior data.
In some embodiments, the first control sub-module 412 is configured to perform at least one of:
in response to obtaining an operation in which a first application reads target login information from the memory of the electronic device, controlling a designated first storage area in the memory to enter a permission state that only allows the first application to access it;
in response to obtaining an operation in which a second application reads target login information from the memory of the electronic device, controlling a second storage area in the memory that is matched with the second application to enter a permission state that only allows the second application to access it;
in response to obtaining a target access operation of a third application and its associated application to the memory of the electronic device, controlling a designated third storage area in the memory to enter a permission state that allows the third application and its associated application to access it, where the associated application is an application that has passed credibility verification;
in response to obtaining an operation of a fourth application to access target data from the memory of the electronic device or to share the target data, controlling a designated fourth storage area in the memory, or a fifth storage area in the memory that is matched with the fourth application, to enter a permission state that only allows the fourth application to access it.
In some embodiments, the second control module 420 is configured to:
in response to a notification that the target application has completed the target access operation, or in response to detecting that the target application has completed a read operation on the target data in the target storage area, control the memory to perform erasure processing and/or initialization processing on the target storage area, so that the target storage area cannot be accessed or can be accessed by any application.
In some embodiments, the second control module 420 is configured to perform at least one of:
controlling the memory to perform an erase operation or an initialization operation on the target storage area based on the attribute information of the target storage area;
controlling the memory to erase and/or initialize the target storage area based on the identification information of the target application and/or the operation behavior data of the target access operation.
In some embodiments, the apparatus 400 further comprises:
an updating module 440, configured to update target verification data for the target application after the target application reads target login information from the target storage area and fills the target login information into a corresponding input box to perform login verification with a target server.
In some embodiments, the updating module 440 is further configured to store the updated target verification data of the target application to at least one of the following locations:
memory firmware of the electronic device;
a chip memory of a baseboard management controller of the electronic device;
a target device that communicates with the electronic device through a target communication interface.
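The following sketch is added here as an illustration and is not taken from the patent: it models the verification module 430 (identity hash compared against hash data held in firmware) and the control modules 410 and 420 as a small state machine. The class and function names, the use of SHA-256, the sample application identifiers, and the assumption that the storage area starts out inaccessible are all hypothetical.

```python
import hashlib
import hmac
from enum import Enum


class State(Enum):
    FIRST = "target storage area accessible only to the target application"
    SECOND = "target storage area inaccessible, or accessible to any application"


class AccessDenied(Exception):
    """A request failed verification or is not allowed in the current state."""


def hash_identity(app_id: str) -> str:
    """Hash an application's identification information (SHA-256 is an assumption)."""
    return hashlib.sha256(app_id.encode("utf-8")).hexdigest()


class StorageController:
    """Hypothetical model of modules 410, 420 and 430 guarding one storage area."""

    def __init__(self, firmware_hashes, login_info: bytes, open_after_release=False):
        self._firmware_hashes = tuple(firmware_hashes)  # "target hash data" in firmware
        self._region = bytearray(login_info)            # the target storage area
        self._open_after_release = open_after_release   # form taken by the second state
        self._released = False
        self._owner = None
        self.state = State.SECOND                       # assumed: sealed until first request

    def _verify(self, app_id: str) -> bool:
        digest = hash_identity(app_id)
        # Constant-time comparison against every stored hash, with no early exit.
        return any([hmac.compare_digest(digest, h) for h in self._firmware_hashes])

    def request_access(self, app_id: str) -> None:
        """Verification module 430, then first control module 410."""
        if self.state is State.FIRST:
            raise AccessDenied("target storage area is already held")
        if not self._verify(app_id):
            raise AccessDenied("identity hash not found in firmware")
        self._owner = app_id
        self.state = State.FIRST

    def read(self, app_id: str) -> bytes:
        if self.state is State.FIRST and app_id == self._owner:
            return bytes(self._region)
        if self.state is State.SECOND and self._released and self._open_after_release:
            return bytes(self._region)  # erased contents, open to any application
        raise AccessDenied("read not permitted in the current permission state")

    def complete(self, app_id: str) -> None:
        """Second control module 420: erase, then enter the second permission state."""
        if self.state is not State.FIRST or app_id != self._owner:
            raise AccessDenied("only the current holder can complete the operation")
        self._region[:] = bytes(len(self._region))  # overwrite in place with zeros
        self._owner = None
        self._released = True
        self.state = State.SECOND


def is_denied(call, *args) -> bool:
    try:
        call(*args)
    except AccessDenied:
        return True
    return False


def run_demo():
    trusted, other = "com.example.vault", "com.example.other"  # constructed identifiers
    ctrl = StorageController([hash_identity(trusted)], b"alice:s3cret")
    steps = [is_denied(ctrl.request_access, other)]   # unverified app is refused
    ctrl.request_access(trusted)
    steps.append(is_denied(ctrl.read, other))         # first state excludes other apps
    steps.append(ctrl.read(trusted))                  # the holder reads the login info
    ctrl.complete(trusted)
    steps.append(is_denied(ctrl.read, trusted))       # erased and inaccessible afterwards
    return steps
```

Passing `open_after_release=True` selects the other form of the second permission state, in which any application may read the area but sees only the erased contents.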
The description of the apparatus embodiments above is similar to that of the method embodiments above, with similar advantageous effects as the method embodiments. In some embodiments, the functions or modules included in the apparatus provided by the embodiments of the present disclosure may be used to perform the methods described in the embodiments of the methods, and for technical details that are not disclosed in the embodiments of the apparatus of the present disclosure, please refer to the description of the embodiments of the methods of the present disclosure for understanding.
It should be noted that, in the embodiments of the present application, if the control method is implemented in the form of a software functional module and sold or used as a separate product, it may also be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the embodiments of the present application, in essence or in the part that contributes to the related art, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a magnetic disk, an optical disk, or other various media capable of storing program code. Thus, embodiments of the application are not limited to any specific hardware, software, or firmware, or any combination of hardware, software, and firmware.
The embodiment of the application provides a computer device, which comprises a memory and a processor, wherein the memory stores a computer program capable of running on the processor, and the processor realizes part or all of the steps in the method when executing the program.
Embodiments of the present application provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs some or all of the steps of the above-described method. The computer readable storage medium may be transitory or non-transitory.
Embodiments of the present application provide a computer program comprising computer readable code which, when run in a computer device, causes a processor in the computer device to perform some or all of the steps for carrying out the above method.
Embodiments of the present application provide a computer program product comprising a non-transitory computer-readable storage medium storing a computer program which, when read and executed by a computer, performs some or all of the steps of the above-described method. The computer program product may be realized in particular by means of hardware, software or a combination thereof. In some embodiments, the computer program product is embodied as a computer storage medium, and in other embodiments, the computer program product is embodied as a software product, such as a software development kit (Software Development Kit, SDK), or the like.
It should be noted here that: the above description of various embodiments is intended to emphasize the differences between the various embodiments, the same or similar features being referred to each other. The above description of apparatus, storage medium, computer program and computer program product embodiments is similar to that of method embodiments described above, with similar advantageous effects as the method embodiments. For technical details not disclosed in the embodiments of the apparatus, the storage medium, the computer program and the computer program product of the present application, reference should be made to the description of the embodiments of the method of the present application.
It should be noted that Fig. 5 is a schematic diagram of a hardware entity of a computer device according to an embodiment of the present application. As shown in Fig. 5, the hardware entity of the computer device 500 includes a processor 501, a communication interface 502 and a memory 503, wherein:
The processor 501 generally controls the overall operation of the computer device 500.
The communication interface 502 may enable the computer device to communicate with other terminals or servers over a network.
The memory 503 is configured to store instructions and applications executable by the processor 501, and may also cache data (e.g., image data, audio data, voice communication data, and video communication data) to be processed or already processed by the processor 501 and the various modules in the computer device 500. It may be implemented by a flash memory (FLASH) or a random access memory (RAM). Data may be transferred between the processor 501, the communication interface 502 and the memory 503 via the bus 504.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in various embodiments of the present application, the sequence numbers of the steps/processes described above do not imply an order of execution; the execution order of each step/process should be determined by its function and inherent logic, and the sequence numbers should not constitute any limitation on the implementation process of the embodiments of the present application. The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The device embodiments described above are only illustrative; for example, the division of the units is only a division by logical function, and there may be other divisions in practice, such as: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling, or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between devices or units may be electrical, mechanical, or in other forms.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed across a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read Only Memory (ROM), a magnetic disk or an optical disk, or the like, which can store program codes.
Alternatively, the above-described integrated units of the application, if implemented in the form of software functional modules and sold or used as separate products, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the related art, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the methods described in the embodiments of the present application. The aforementioned storage medium includes: various media capable of storing program code, such as a removable storage device, a ROM, a magnetic disk, or an optical disk.
The foregoing is merely an embodiment of the present application, but the scope of the present application is not limited thereto. Any change or substitution that a person skilled in the art can readily conceive within the technical scope of the present application is intended to be covered by the scope of the present application.

Claims (10)

1. A control method, comprising:
in response to obtaining a target access operation of a target application to a memory of an electronic device, controlling the memory to enter a first permission state, wherein in the first permission state a target storage area of the memory can only be accessed by the target application, and the target storage area is at least part of a storage space of the memory;
after the target application completes the target access operation on the target storage area, controlling the memory to enter a second permission state, wherein in the second permission state the target storage area cannot be accessed or can be accessed by any application.
2. The method of claim 1, further comprising:
performing permission verification on the target application and/or the target access operation, so as to perform the step of controlling the memory to enter the first permission state after the target application and/or the target access operation passes the corresponding permission verification.
3. The method of claim 2, wherein performing permission verification on the target application and/or the target access operation comprises at least one of:
hashing the identification information of the target application, comparing the hashed identification information with target hash data in the firmware of the memory, and taking the comparison result as the permission verification result of the target application;
performing validity verification and/or hash verification on the signature data of the target application to obtain a permission verification result of the target application;
performing identification comparison on the operation behavior data of the target access operation, and taking the comparison result as the permission verification result of the target access operation;
performing hash verification and/or validity verification on the target application, and performing identification comparison on the operation behavior data of the target access operation after the target application passes the verification;
performing identification comparison on the operation behavior data of the target access operation, and performing hash verification and/or validity verification on the target application after the operation behavior data has undergone identification comparison.
4. A method according to any one of claims 1 to 3, wherein controlling the memory to enter the first permission state in response to obtaining a target access operation of the target application to the memory of the electronic device comprises:
determining a target storage area to be accessed from the memory based on the identification information of the target application and/or the operation behavior data of the target access operation;
controlling the target storage area to enter a first permission state that only allows the target application to access it, based on the identification information and/or the operation behavior data.
5. The method of claim 4, wherein controlling the target storage area to enter a first permission state that only allows the target application to access it, based on the identification information and/or the operation behavior data, comprises at least one of:
in response to obtaining an operation in which a first application reads target login information from the memory of the electronic device, controlling a designated first storage area in the memory to enter a permission state that only allows the first application to access it;
in response to obtaining an operation in which a second application reads target login information from the memory of the electronic device, controlling a second storage area in the memory that is matched with the second application to enter a permission state that only allows the second application to access it;
in response to obtaining a target access operation of a third application and its associated application to the memory of the electronic device, controlling a designated third storage area in the memory to enter a permission state that allows the third application and its associated application to access it, wherein the associated application is an application that has passed credibility verification;
in response to obtaining an operation of a fourth application to access target data from the memory of the electronic device or to share the target data, controlling a designated fourth storage area in the memory, or a fifth storage area in the memory that is matched with the fourth application, to enter a permission state that only allows the fourth application to access it.
6. The method of claim 1, wherein controlling the memory to enter the second permission state after the target application completes the target access operation to the target storage area comprises:
in response to a notification that the target application has completed the target access operation, or in response to detecting that the target application has completed a read operation on the target data in the target storage area, controlling the memory to perform erasure processing and/or initialization processing on the target storage area, so that the target storage area cannot be accessed or can be accessed by any application.
7. The method of claim 6, wherein controlling the memory to erase and/or initialize the target storage area comprises at least one of:
controlling the memory to perform an erase operation or an initialization operation on the target storage area based on the attribute information of the target storage area;
controlling the memory to erase and/or initialize the target storage area based on the identification information of the target application and/or the operation behavior data of the target access operation.
8. The method of claim 1 or 6, further comprising:
after the target application reads target login information from the target storage area and fills the target login information into a corresponding input box to perform login verification with a target server, updating target verification data for the target application.
9. The method of claim 8, further comprising:
storing the updated target verification data of the target application to at least one of the following locations:
memory firmware of the electronic device;
a chip memory of a baseboard management controller of the electronic device;
a target device that communicates with the electronic device through a target communication interface.
10. A control apparatus comprising:
a first control module, configured to control the memory to enter a first permission state in response to obtaining a target access operation of a target application to the memory of the electronic device, wherein in the first permission state a target storage area of the memory can only be accessed by the target application, and the target storage area is at least part of a storage space of the memory;
a second control module, configured to control the memory to enter a second permission state after the target application completes the target access operation on the target storage area, wherein in the second permission state the target storage area cannot be accessed or can be accessed by any application.
CN202410139362.2A 2024-01-31 2024-01-31 Control method and device Pending CN118013510A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410139362.2A CN118013510A (en) 2024-01-31 2024-01-31 Control method and device

Publications (1)

Publication Number Publication Date
CN118013510A true CN118013510A (en) 2024-05-10

Family

ID=90953205

Country Status (1)

Country Link
CN (1) CN118013510A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination