WO2023098579A1 - Access control method and related device - Google Patents

Access control method and related device

Info

Publication number
WO2023098579A1
Authority
WO
WIPO (PCT)
Prior art keywords
policy
application
policy set
application process
kernel
Application number
PCT/CN2022/134254
Other languages
French (fr)
Chinese (zh)
Inventor
曹建龙
方锐
周广宇
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2023098579A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/44 Program or device authentication
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/544 Buffers; Shared memory; Pipes
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • The embodiments of the present application relate to the field of computers, and in particular to an access control method and related equipment.
  • Access control technology distinguishes the access rights of different applications to objects. It stores policies on a trusted base so that the policies cannot be tampered with; when an application requests access to an object, whether the application has permission to access the object is determined by querying the policies in the trusted base.
  • Because the trusted base usually runs in kernel space while the application runs in user space, a context switch is required whenever an application queries a policy, so policy access and policy query during access control carry a high overhead.
  • Embodiments of the present application provide an access control method and related equipment for reducing the policy access and policy query overhead during access control.
  • The embodiment of the present application provides an access control method, including: the kernel maps the memory address where the target application policy set is located into the user address space of the object application process, where the target application policy set is used to indicate the access rights of the subject application process to objects on the object application process, and the objects include services and/or resources; based on a query requirement for the access rights of the subject application process to a first service, the object application process determines, from the target application policy set mapped into its user address space, a first application policy between the subject application process and the first service; and the object application process determines the access authority of the subject application process to the first service according to the first application policy.
  • The object on the object application process is also referred to as the guest, so the object application process is also referred to as the guest application process.
  • The kernel maps the memory address where the target application policy set is located into the user address space of the object application process, so that the object application process can query the application policy of the relevant object and determine the access rights (that is, perform access control).
  • Context switching between the object application process and the kernel is therefore not required, which reduces the policy access and policy query overhead during access control.
  • The kernel maps the memory address where the target application policy set is located into the user address space of the object application process through the kernel's binary loader.
  • The kernel writes the memory address to which the target application policy set is mapped into the auxiliary vector in the executable file of the object application process.
  • The mapping address information is transmitted through the auxiliary vector, which is relatively simple and has a low performance overhead.
  • The auxiliary vector is located at the top of the stack of the object application process.
  • The executable file of the object application process includes a service mask corresponding to the target application policy set. Before the kernel maps the memory address where the target application policy set is located into the user address space of the object application process, the kernel parses the policy source file to obtain a source policy set; the kernel then determines the target application policy set from the source policy set according to the service mask, where the target application policy set is used to protect objects on the object application process.
  • By determining the target application policy set corresponding to the object application process from the source policy set through the service mask, the kernel screens the policy set and does not map application policies unrelated to the object application process, which reduces the occupation of the user address space of the object application process and the central processing unit (CPU) resources occupied during mapping.
  • The executable file also includes a signature over the executable file. The kernel verifies the validity of the signature, and only if the signature is legal does the kernel determine the target application policy set from the source policy set according to the service mask.
  • The validity of the service mask and of the executable file is verified through the signature, which ensures that the service mask has not been tampered with and therefore that the application policies mapped into the user address space of the object application process are complete and accurate (if the mask is not tampered with, all application policies related to the object application process are mapped), so the object application process can query all application policies related to it.
  • The service mask corresponding to the target application policy set is used to identify the target application policy set within the source policy set.
  • The executable file of the object application process includes a service mask corresponding to the target application policy set; the kernel determines the partial policy source file corresponding to the target application policy set from the policy source file according to the service mask, and then maps the memory address where the target application policy set is located into the user address space of the object application process; the object application process parses the partial policy source file at that memory address to obtain the target application policy set.
  • In this case the policy source file is parsed by the object application process in user space, so the kernel does not need to parse the policy source file, which reduces the performance overhead of the kernel and improves its operating efficiency.
  • Before the kernel maps the memory address where the target application policy set is located into the user address space of the object application process, the kernel randomizes an address in the user address space of the object application process.
  • Randomizing the address in the object application process before mapping reduces the risk that the address where the application policy set is located is leaked, and also avoids conflicts between the address to which the application policy set is mapped and address space reserved by the user.
  • The embodiment of the present application further provides an access control method, including: the kernel maps the memory address of the policy source file into the address space of the access control management process; the access control management process parses the policy source file to obtain the source policy set; the access control management process loads the target application policy set from the source policy set into the shared memory space of the object application process, where the target application policy set is used to determine the access rights to objects on the object application process; and the policy set is mapped into the user address space of the object application process.
  • The policy source file is parsed by the access control management process, and the kernel is not required to parse it, which reduces the performance overhead of the kernel and improves its operating efficiency.
  • The access control management process parses the configuration file of the object application process to obtain the target ID of the target application policy set in the source policy set; it determines the target application policy set from the source policy set according to the target ID; and it loads the target application policy set into the shared memory corresponding to the object application process.
  • The access control management process determines the target application policy set corresponding to the object application process from the source policy set according to the configuration file, thereby screening the policy set so that only the relevant application policies are applied, which reduces the occupation of the user address space of the object application process and the CPU resources occupied during mapping.
  • One access control management process parses the policy source file once to implement application policy mapping for multiple object application processes, which reduces the number of times the policy source file is parsed and the CPU resources occupied.
  • The access control management process parses the service mask in the configuration file of the object application process to obtain the target identifier of the target application policy set in the source policy set.
  • The application management process identifies the shared memory corresponding to the object application process through a unique identifier of the object application process (for example, the process identification (PID) or the application name).
  • An embodiment of the present application provides a computing device including a processor and a memory, where the processor is coupled to the memory, the memory stores a program, and the processor executes the program in the memory so that the processor performs the access control method described in the first aspect or the second aspect.
  • The embodiment of the present application provides a computer-readable storage medium storing a computer program; when the computer program is executed, the method described in the first aspect or the second aspect above is realized.
  • The embodiment of the present application provides a computer program product, which includes computer program code; when the computer program code is executed, the method described in the first aspect or the second aspect above is executed.
  • The present application provides a chip or a chip system, where the chip or chip system includes a processor configured to implement the method in the first aspect or the second aspect above.
  • The chip or chip system further includes a memory for storing program instructions and/or data.
  • The system-on-a-chip may consist of chips, or may include chips and other discrete devices.
  • An embodiment of the present application provides a server, where the server includes the chip described in the sixth aspect.
  • FIG. 1a is an architecture diagram of the access control method provided by the embodiment of the present application.
  • FIG. 1b is another architecture diagram of the access control method provided by the embodiment of the present application.
  • FIG. 1c is another architecture diagram of the access control method provided by the embodiment of the present application.
  • FIG. 2 is a schematic diagram of an access control method provided in an embodiment of the present application.
  • FIG. 3 is a schematic flow chart of an access control method provided in an embodiment of the present application.
  • FIG. 4 is another schematic flowchart of the access control method provided by the embodiment of the present application.
  • FIG. 5 is a schematic diagram of an executable file of the access control method provided by the embodiment of the present application.
  • FIG. 6 is another schematic diagram of the access control method provided by the embodiment of the present application.
  • FIG. 7 is another schematic flowchart of the access control method provided by the embodiment of the present application.
  • FIG. 8 is another schematic diagram of the access control method provided by the embodiment of the present application.
  • FIG. 9a is another schematic flowchart of the access control method provided by the embodiment of the present application.
  • FIG. 9b is another schematic diagram of the access control method provided by the embodiment of the present application.
  • FIG. 10 is a structural diagram of an access control method provided by an embodiment of the present application.
  • FIG. 11 is a schematic structural diagram of a computing device provided by an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of a chip provided by an embodiment of the present application.
  • The embodiment of the present application provides an access control method for reducing the performance overhead of the kernel and improving its operating efficiency.
  • FIG. 1a is a structural diagram of an access control method provided by an embodiment of the present application.
  • The architecture includes a subject application process, an object application process and a kernel.
  • The subject application process and the object application process run in user space.
  • The object application process includes objects (also referred to as guests), and the kernel holds a policy library.
  • The policy library includes a policy library 1 (also referred to as the target application policy set in this embodiment of the application), and policy library 1 includes the first application policy between the subject application process and the objects.
  • A policy includes a subject, an object and an action.
  • The subject represents the executor of the access action, which in the embodiment of this application is the subject application process;
  • the object represents what is to be accessed, which in the embodiment of the application includes services and/or resources;
  • the action (behavior) represents whether the subject can access the object.
  • The object application process is also referred to as the guest application process; since the application process includes the object, it is called the object application process.
  • The kernel is used to map policy library 1 into the user address space of the object application process.
  • The object application process is used to protect the object. When the subject application process needs to access the object, the first application policy needs to be queried, and the object application process can query the first application policy through the mapping of policy library 1 in its user address space.
  • FIG. 1b is another architecture diagram of the access control method provided by the embodiment of the present application.
  • The architecture includes a subject application process, an object application process and a kernel.
  • The kernel is used to determine, from the policy source file (encoded policies of interest, ePOI), the part of the policy source file corresponding to the object application process (this part of the policy source file, once parsed, is the target application policy set), and to map the target application policy set into the user address space of the guest application process.
  • The object application process is used to parse that part of the policy source file and load the parsed policy set into its user address space, thereby obtaining the target application policy set (namely policy library 1) of the object application process.
  • The target application policy set is used to protect the objects (guests) on the object application process.
  • When the subject application process needs to access an object on the object application process, the first application policy needs to be queried, and it is queried through the mapping of the target application policy set (that is, policy library 1).
  • FIG. 1c is another architecture diagram of the access control method provided by the embodiment of the present application.
  • The architecture includes a subject application process, multiple object application processes, an access control management process and a kernel.
  • Each object application process includes objects, and the kernel holds a policy library, which includes policy library 1, policy library 2, ..., policy library n.
  • Policy library 1 includes the policies related to object 1 on object application process 1 and is also called the target application policy set; the other policy libraries follow by analogy and are not repeated here.
  • The kernel is used to map the policy library into the access control management process.
  • The access control management process is used to map the part of the policy library related to an object application process into the user address space of the corresponding object application process (for example, policy library 1 is mapped into the user address space of guest application process 1).
  • Object application process 1 is used to protect object 1.
  • When the subject application process needs to access object 1, the first application policy needs to be queried, and object application process 1 can query the first application policy through the mapping of policy library 1 in its user address space.
  • The functions of the other object application processes can be deduced by analogy and are not repeated here.
  • The object application process can also be called a policy enforcement point (PEP); since the object application process can be used to perform policy queries, it can also be called a policy decision point (PDP).
  • FIG. 2 is a schematic diagram of the access control method.
  • The policy mapping module in the kernel maps the application policy set related to the objects on the object application process into the user address space of the object application process.
  • Based on the access authority query requirement for the object, the policy query module (PDP) on the object application process can query the application policy set through its mapping in the user address space, thereby determining the first application policy between the subject application process and the object and determining the access authority of the subject application process to the object according to the first application policy.
  • FIG. 3 illustrates the access control method provided by the embodiment of the present application, taking the object application process as an example.
  • The method includes:
  • The kernel maps the memory address where the target application policy set is located into the user address space of the object application process, where the target application policy set is used to indicate the access rights of the subject application process to objects on the object application process, and the objects include services and/or resources.
  • The kernel can determine the memory address where the target application policy set is located and, before the object application process starts, map that memory address into the user address space of the object application process.
  • The kernel can communicate the mapped address through the auxiliary vector. Specifically, before the object application process is started, the kernel may write the memory address to which the target application policy set is mapped into the auxiliary vector of the executable file of the object application process.
  • The auxiliary vector can be used to record the mapping address of the target application policy set (that is, the address in the object application process at which application policies are stored).
  • Based on the access permission query requirement of the subject application process for the first object, the object application process determines the first application policy between the subject application process and the first object according to the target application policy set in its user address space.
  • When the object application process needs to query the access rights of the first object, it searches the target application policy set in its user address space according to that requirement, so as to determine the first application policy between the subject application process and the first object.
  • The object application process determines the access right of the subject application process to the first object according to the first application policy.
  • In the first application policy, the subject is the subject application process that accesses the first object, and the object is the first object on the object application process.
  • The object application process can determine the access permission of the subject application process to the first object according to the behavior of the first application policy: if the behavior of the first application policy is access, the subject application process can access the first object.
  • The target application policy set may be derived from parsing policy source files.
  • The embodiments of the present application may include the following situations: 1. the policy source file is parsed by the kernel; 2. the policy source file is parsed by the application management process.
  • Situation 1: the policy source file is parsed by the kernel.
  • FIG. 4 is a schematic diagram of the access control method provided by the embodiment of the present application.
  • The method by which the kernel parses the policy source file is shown in FIG. 4.
  • This method can be implemented based on the architecture shown in FIG. 1a, and includes:
  • The kernel reads the policy source file.
  • The kernel parses the policy source file to obtain a source policy set, which includes the policies between all subjects and all objects.
  • An object may be a resource and/or a service, and the location of the object may be the object application process.
  • When the object of a policy is an object running on the object application process in user process space, the policy is called an application policy.
  • Since the embodiment of the present application is intended to avoid the context switch when querying access rights on the object application process, it focuses on application policies; an application policy is therefore called a policy of interest (POI), and the policy source file is called encoded POIs (ePOIs).
  • There are one or more POIs, so in this embodiment of the application the POIs are also referred to as an application policy set.
  • The kernel can verify the validity of the executable file of the object application process by verifying its signature, so as to ensure that the executable file has not been tampered with; the subsequent steps are performed only if the kernel verifies that the signature is valid.
  • The kernel extracts policies according to the service mask.
  • The executable file includes the service mask of the guest application process.
  • The service mask is used to identify the identifiers (IDs) of the POIs in the source policy set.
  • The kernel can determine the POIs from the source policy set parsed in step 1 according to the service mask, thereby screening the application policies. In this embodiment of the application, this step is also called extracting a policy.
  • The service mask may be a 32-bit integer, and it may identify the IDs of the POIs in the source policy set by means of an OR operation, ID matching, and the like. Note that 32 bits is only an example of the width of the service mask; the service mask may have more or fewer bits, such as 16 bits or 64 bits, which is not limited here.
  • The equipment manufacturer (OEM) can package the service mask, the signature (that is, the signature in step 3 of this embodiment) and the source executable file of the object application process to form the executable file of the object application process.
  • The service mask and signature information may be described in the header of the executable file.
  • In addition to determining the service mask before the device leaves the factory, the service mask can also be modified after the device leaves the factory if new objects are added to the object application process.
  • The service mask can be modified by a trusted subject (such as the kernel) to ensure the accuracy of the service mask.
  • The kernel prepares the address space and maps the policy.
  • The kernel prepares a process address space for the object application process and at the same time maps the memory address of the POIs into that process address space.
  • The kernel assigns the policy mapping address to the auxiliary vector.
  • The kernel stores the mapping address information in the auxiliary vector, so as to transfer the mapping address information of the application policy to the object application process.
  • The auxiliary vector is part of the executable file, and during parsing of the executable file the auxiliary vector is resolved to the agreed address. Therefore the kernel assigns the mapping address of the POIs to the auxiliary vector, so that the mapping address information can be transferred through the auxiliary vector.
  • An AT_POLICY vector may be added to the C standard library (libc); this vector is used to write to a memory location reserved in the user address space.
  • When the auxiliary vector table of the object application process is created, the AT_POLICY vector can reserve a vector array on the top of the stack of the object application process.
  • The vector array is the auxiliary vector; each element (vector) in the vector array corresponds to an application policy, the AT_POLICY vector is one element of this array, and the AT_POLICY vector is used to indicate the address of the mapping location of the application policy in the user process space.
  • When the kernel creates the object application process, it can assign the mapping address of the application policy in the POIs to AT_POLICY.
  • When the application process queries a policy, it can obtain the mapping address of the target application policy set (POIs) from the [AT_POLICY] position of the auxiliary vector on the top of the stack.
  • The kernel returns to the user address space.
  • Once the kernel has completed steps 1 to 6 above, it has completed the mapping of the POI memory address into the auxiliary vector in the user address space of the object application process, so it can return to the user address space so that the application process can start and perform the subsequent steps.
  • The application process can then query the access rights of the object.
  • The object application process obtains the policy mapping address through the auxiliary vector.
  • Based on the access permission query requirement of the subject application process for the first object, the object application process can obtain the mapping address through the auxiliary vector and, through that mapping address, query the application policy whose subject is the subject application process and whose object is the first object.
  • In this situation the parsing of the policy source file is implemented by the kernel. Since the policy source file itself is stored in the kernel, parsing is fast and efficient. Moreover, the kernel's parsing and mapping are completed before the application process is started, and policies can be queried immediately after the application process starts, which improves the efficiency of policy queries.
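The kernel-side extraction by service mask, the hand-off of the mapping address through the AT_POLICY auxiliary-vector entry, and the user-space policy query described above, modelled as an added C example that is not part of the patent or of any code by its applicant. The policy names, the auxv type numbers and the default-deny rule for pairs with no policy are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A policy is the patent's (subject, object, action) triple; id is the policy's
 * number in the source set, referenced by the service mask as a bit position.
 * All names and numbers below are constructed for this example. */
typedef enum { ACT_DENY = 0, ACT_ALLOW = 1 } action_t;

typedef struct {
    uint32_t    id;       /* bit number in the 32-bit service mask */
    const char *subject;  /* subject application process */
    const char *object;   /* service or resource on the object application process */
    action_t    action;
} policy_t;

/* Policies of interest (POI) as laid out in the region the kernel maps into
 * the object application process: one slot per service-mask bit. */
#define MAX_POI 32
typedef struct {
    size_t   count;
    policy_t policies[MAX_POI];
} policy_set_t;

/* Source policy set, i.e. the parsed policy source file (ePOI); ids are unique. */
static const policy_t SOURCE_POLICIES[] = {
    {0, "camera_app",  "svc.photo.capture", ACT_ALLOW},
    {1, "camera_app",  "svc.audio.record",  ACT_DENY },
    {2, "browser_app", "svc.photo.capture", ACT_DENY },
    {5, "map_app",     "res.location.fine", ACT_ALLOW},
    {7, "browser_app", "res.location.fine", ACT_DENY },
};
#define SOURCE_COUNT (sizeof SOURCE_POLICIES / sizeof SOURCE_POLICIES[0])

/* Policy extraction (FIG. 4, service-mask step): keep only policies whose id
 * bit is set in the executable's service mask. Returns the POI count. */
size_t extract_poi(uint32_t service_mask, policy_set_t *out) {
    out->count = 0;
    for (size_t i = 0; i < SOURCE_COUNT && out->count < MAX_POI; i++) {
        const policy_t *p = &SOURCE_POLICIES[i];
        if (p->id < 32 && (service_mask & (UINT32_C(1) << p->id)))
            out->policies[out->count++] = *p;
    }
    return out->count;
}

/* How many policies a given mask selects. */
size_t poi_count(uint32_t service_mask) {
    policy_set_t tmp;
    return extract_poi(service_mask, &tmp);
}

/* Auxiliary vector model: (type, value) pairs terminated by AT_NULL, as the
 * ELF loader lays them out above the stack. The patent names an AT_POLICY
 * entry but not its number; the type numbers here are placeholders. */
#define AT_NULL_TYPE   0
#define AT_POLICY_TYPE 0x7f00
typedef struct { uint64_t a_type; uint64_t a_val; } auxv_entry_t;

static uint64_t lookup_auxv(const auxv_entry_t *auxv, uint64_t type) {
    for (; auxv->a_type != AT_NULL_TYPE; auxv++)
        if (auxv->a_type == type)
            return auxv->a_val;
    return 0;  /* absent: nothing was mapped for this process */
}

/* PDP query on the mapped set: the first policy matching (subject, object). */
const policy_t *find_policy(const policy_set_t *set, const char *subject,
                            const char *object) {
    for (size_t i = 0; i < set->count; i++)
        if (strcmp(set->policies[i].subject, subject) == 0 &&
            strcmp(set->policies[i].object, object) == 0)
            return &set->policies[i];
    return NULL;
}

/* Only an explicit ACT_ALLOW grants access; a pair with no policy in the mapped
 * set (masked out or never defined) is denied. Default deny is assumed here. */
bool access_allowed(const policy_set_t *set, const char *subject,
                    const char *object) {
    const policy_t *p = find_policy(set, subject, object);
    return p != NULL && p->action == ACT_ALLOW;
}

/* End to end: the "kernel" side extracts the POI for the service mask and
 * publishes the region's address under AT_POLICY; the "process" side recovers
 * it from the auxiliary vector and decides. 1 = allow, 0 = deny, -1 = unmapped. */
int decide_via_auxv(uint32_t service_mask, const char *subject,
                    const char *object) {
    static policy_set_t mapped;  /* stands in for the mapped memory region */
    extract_poi(service_mask, &mapped);
    auxv_entry_t auxv[] = {
        {0x7e00, 4096},  /* some unrelated entry, placeholder type */
        {AT_POLICY_TYPE, (uint64_t)(uintptr_t)&mapped},
        {AT_NULL_TYPE, 0},
    };
    const policy_set_t *set =
        (const policy_set_t *)(uintptr_t)lookup_auxv(auxv, AT_POLICY_TYPE);
    if (set == NULL)
        return -1;
    return access_allowed(set, subject, object) ? 1 : 0;
}
```

With the mask 0x23 (bits 0, 1 and 5) only the camera and map policies are mapped, so the browser's pair is absent from the set and is denied even though the source set holds a policy for it.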
  • the policy source file is parsed by the object application process.
  • the embodiment of the present application can transplant the action of parsing the policy source files to the object application process on the user space, so as to reduce the cost of the kernel. Performance overhead, improve the operating efficiency of the kernel.
  • FIG. 7 is a schematic flow diagram of an access control method provided in the embodiment of the present application. The method can be implemented through the architecture shown in FIG. 1b. As shown in FIG. 7, the method includes:
  • the kernel reads the policy source file ePOI.
  • the kernel verifies the signature.
  • the kernel can verify the validity of the executable file of the object application process by verifying the signature, so as to ensure that the executable file has not been tampered with. If the kernel verifies that the signature is valid, the subsequent steps are performed.
  • the kernel extracts part of the policy source files corresponding to the object application process according to the service mask.
  • the executable file includes the service mask of the guest application process.
  • the service mask is used to identify the identifier (identifier, ID) of the POI in the source policy set.
  • the kernel can determine the part of the policy source file corresponding to the POI in the policy source file ePOI according to the service mask, so as to realize the screening of the application policy. In this embodiment of the application, this step is also called extracting a policy.
  • For the description of the service mask, refer to step 4 in FIG. 4, which will not be repeated here.
  • the kernel prepares the address space for mapping ePOI.
  • the kernel prepares an address space for the object application process, and at the same time maps the memory address of the POI to the address space of the object application process.
  • the kernel assigns the auxiliary vector as the policy map address.
  • the kernel stores the mapping address information into the auxiliary vector, so as to transfer the mapping address information of the application policy to the object application process.
  • the kernel returns to the user address space.
  • Step 6 and Step 7 refer to the description of Step 7 and Step 8 in FIG. 4 , which will not be repeated here.
  • the object application process obtains the policy mapping address through the auxiliary vector.
  • the object application process can obtain the mapping address from the auxiliary vector based on the query requirements of the subject application process for the access right of the first object, and determine the location of the application policy through the mapping address.
  • the object application process parses the part of the policy source file in the ePOI corresponding to the POI determined in step 3, and obtains the POI. Since the kernel has prepared an address space in step 4 for mapping this part of the policy source file, the object application process can find that part of the source file through the mapping address from step 4, parse it into its own user address space, and then query the policy from the parsed policy set when a policy query is needed.
  • the policy source file is parsed through the object application process, and the kernel is not required to parse the policy source file, which reduces the performance overhead of the kernel and improves the operating efficiency of the kernel.
  • the policy source file is parsed by the access control management process.
  • the application policy can only be queried after step 9 is executed, and each object application process needs to parse the ePOI into a POI before performing policy query.
  • both the object application process 1 and the object application process 2 need to parse the ePOI to the POI before performing the subsequent POI query operation, and the ePOI parsing will slow down the startup speed of each object application process.
  • this application implements a method that performs one ePOI parsing in the access control management process to obtain the source policy set, and then maps the application policy set required by each object application process, through shared memory, into the user address space of the corresponding object application process in user mode, thereby realizing the mapping from the POI to the corresponding object application process. Therefore, multiple object application processes in user mode only need the ePOI to be parsed once, while all object application processes can still query policies.
  • the access control management process is used to analyze and manage all application access control policies.
  • Fig. 9a is a schematic flowchart of an access control method provided by an embodiment of the present application, and the method can be implemented based on the architecture shown in Fig. 1c. As shown in Figure 9a, the specific steps of the method are as follows:
  • the kernel reads the policy source file ePOI.
  • the kernel verifies the signature.
  • the kernel verifies the signature of the source executable file of the object application process.
  • the source executable file does not include the service mask.
  • the function of signature verification is to verify the legitimacy of the access control management process.
  • the kernel maps the policy source file ePOI to the access control management process.
  • the kernel prepares the address space of the access control management process, and maps the policy source file ePOI into it.
  • the ePOI mapped here is a policy source file, which contains information about all policies.
  • the kernel transmits the mapping address information of the ePOI to the access control management process through the auxiliary vector.
  • the kernel stores the mapping address information of the ePOI into the auxiliary vector, thereby delivering the mapping address information of the ePOI to the access control management process.
  • For the auxiliary vector, refer to the description of step 6 in FIG. 4, which will not be repeated here.
  • the kernel returns to the user address space.
  • the access control management process obtains the mapping address of the ePOI through the auxiliary vector.
  • the access control management process parses the ePOI to obtain the source policy set.
  • the access control management process parses the ePOI to obtain the source policy set, and parses the source policy set into the process space of the access management process; please refer to Figure 9b, step 9 in Figure 9a corresponds to step 1 in Figure 9b.
  • the access control management process determines the respective POIs of the object application processes (each object application process corresponds to one) according to the service IDs of the object application processes.
  • the access control management process can obtain the configuration file of the object application process, parse the service mask in that configuration file, and thereby obtain the target application policy set (POI) in the source policy set.
  • the policy ID is also referred to herein as the target ID or service ID.
  • the access control management process can determine the target application policy set (POI) from the source policy set according to the target identifier.
  • in addition to obtaining the policy ID of the POI of the object application process in the source policy set by parsing the service mask in the configuration file, the policy ID can also be obtained by other means, such as inter-process communication (IPC); there is no limit here.
  • the access control management process loads the POI into the shared memory space of the corresponding object application process.
  • After the access control management process determines the target application policy set (POI), it can load the target application policy set into the shared memory corresponding to the object application process, thereby mapping the target application policy set (POI) into the shared memory corresponding to that object application process.
  • this step may be performed by a policy parser on the access control management process, see step 2 in FIG. 9b.
  • the shared memory space between the access control management process and each object application process is specified by a different shared memory file, and the shared memory file name corresponds to each object application process; it can be the app name or another unique identifier of each object application process, and there is no restriction here.
  • the object application process finds the corresponding shared memory file according to its app name (or other unique identifier), and maps the POI in the shared memory file into the user process space of the object application process. The POI of the object application process is saved in the shared memory file. This step corresponds to step 3 in Figure 9b.
  • an access control management process is used to parse all policies in user mode and to map the application policies of multiple object application processes, which avoids each object application process having to parse policies at startup and reduces system complexity.
  • the embodiment of the present application provides a policy query framework.
  • the object application process is started by the system process, and after entering the kernel, the kernel uses a binary loader to load the executable file of the object application process.
  • the header analyzer in the kernel analyzes the header mark of the executable file to see if there is a security marker for identity verification.
  • the signature analyzer verifies the identity. If the identity is legal, the policy in the kernel is randomly mapped to the process address space, and the address information is passed to the object application process through the auxiliary vector. After the object application process is started, the memory can be quickly queried to obtain the access policy.
  • the kernel is a trusted computing base (trusted computing base, TCB)
  • the access control method provided by the embodiment of the present application has the following advantages:
  • the method in this embodiment of the application can query policies without privilege switching.
  • the mapping in the embodiment of the present application is implemented by the kernel, and the kernel belongs to the trusted base, which ensures the credibility of the policy mapping.
  • the policy manager server (PMS) running in user space stores the application policies related to the object application process in order to reduce context switching, but this method can only be realized through inter-process communication (IPC) with the PMS, and the IPC performance loss cannot be avoided.
  • the method of the embodiment of the present application does not require IPC to communicate with the PMS, the policy can be directly mapped to the address space of the object application process, and no new privileged process is required.
  • the kernel needs to protect shared resources through atomic locks, and the performance is degraded under a symmetric multi-processing architecture (symmetric multi-processor, SMP).
  • each object application process has a mapping of the required application strategy locally, and the kernel does not need to protect shared resources through atomic locks, and the performance under SMP is improved.
  • an embodiment of the present application provides a computing device 1100, including a processor 1101 and a memory 1102; the processor 1101 is coupled to the memory 1102; the memory 1102 is used to store a program; the processor 1101 is used to execute the program, which enables the processor 1101 to perform the access control methods described in FIG. 2 to FIG. 10.
  • the embodiment of the present application provides a chip 1200; the chip 1200 includes at least one processor 1201 and a communication interface 1202; the communication interface 1202 and the at least one processor 1201 are interconnected by lines; and the at least one processor 1201 is used to run a computer program or instructions to implement the access control method corresponding to any one of the above embodiments in FIG. 2 to FIG. 10.
  • the communication interface 1202 in the chip may be an input/output interface, a pin or a circuit, and the like.
  • the chip 1200 described above in this application further includes at least one memory 1203 , and instructions are stored in the at least one memory 1203 .
  • the memory 1203 may be a storage unit inside the chip, such as a register, a cache, etc., or a storage unit of the chip (eg, a read-only memory, a random access memory, etc.).
  • the disclosed system, device and method can be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the units is only a logical function division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or may be integrated into another system, or some features may be ignored or not implemented.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units, that is, they may be located in one place, or may be distributed to multiple network units. Part or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, each unit may exist separately physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated units can be implemented in the form of hardware or in the form of software functional units.
  • if the integrated unit is realized in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions that make a computer device (which may be a personal computer, a server, or a network device, etc.) execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage medium includes: a USB flash drive, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or other media that can store program code.

Abstract

Disclosed in embodiments of the present application is an access control method, for use in reducing policy access and policy query overhead during access control. The method in the embodiments of the present application comprises: a kernel maps into a user address space of an object application process a memory address where a target application policy set is located, the target application policy set being used for indicating an access permission of a subject application process on an object of the object application process, wherein the object comprises a service and/or a resource; the object application process determines a first application policy between the subject application process and a first object on the basis of an access permission query requirement for the first object and according to the target application policy set mapped in the user address space; and the object application process determines an access permission of the subject application process on the first object according to the first application policy.

Description

An access control method and related device
This application claims priority to the Chinese patent application No. CN202111446740.4, entitled "An access control method and related device", filed with the State Intellectual Property Office of China on November 30, 2021, the entire contents of which are incorporated herein by reference.
Technical field
The embodiments of the present application relate to the computer field, and in particular to an access control method and related device.
Background
Access control technology is used to distinguish the access rights of different applications to objects. Access control technology stores policies on a trusted base to ensure that the policies cannot be tampered with. When an application requests access to an object, whether the application has permission to access the object is determined by querying the policies in the trusted base.
However, since the trusted base usually runs in kernel space while applications run in user space, a context switch is required when an application queries a policy, which results in high policy access and policy query overhead during access control.
Summary of the invention
Embodiments of the present application provide an access control method and related device, which are used to reduce policy access and policy query overhead during access control.
In a first aspect, an embodiment of the present application provides an access control method, including: a kernel maps the memory address where a target application policy set is located into the user address space of an object application process, the target application policy set being used to indicate the access rights of a subject application process to objects on the object application process, where the objects include services and/or resources; the object application process, based on an access permission query requirement for a first service, determines a first application policy between the subject application process and the first service according to the target application policy set mapped into the user address space; and the object application process determines the access permission of the subject application process to the first service according to the first application policy.
In the embodiments of the present application, an object on the object application process is also called the object (客体) of access control, which is why that process is called the object application process.
In the embodiments of the present application, the kernel maps the memory address where the target application policy set is located into the user address space of the object application process, so that the object application process can query the application policy for the relevant object from the mapping of the policy set in its user address space and thereby determine the access permission. In the process of determining the access permission (that is, access control), no context switch between the object application process and the kernel is needed, which reduces the policy access and policy query overhead during access control.
In an optional implementation, the kernel maps the memory address where the target application policy set is located into the user address space of the object application process through the kernel's binary loader.
In an optional implementation, the kernel writes the memory address to which the target application policy set is mapped into the auxiliary vector in the executable file of the object application process.
In the embodiments of the present application, the mapped address is passed through the auxiliary vector. Compared with methods with high performance overhead such as system calls, passing the mapping address information through the auxiliary vector is simpler and has low performance overhead.
In an optional implementation, the auxiliary vector is located at the top of the stack of the object application process.
In an optional implementation, the executable file of the object application process includes a service mask corresponding to the target application policy set; before the kernel maps the memory address where the target application policy set is located into the user address space of the object application process, the kernel parses the policy source file to obtain a source policy set; the kernel then determines the target application policy set from the source policy set according to the service mask, where the target application policy set is used to protect the objects on the object application process.
In the embodiments of the present application, the kernel determines the target application policy set corresponding to the object application process from the source policy set through the service mask, which filters the policy set so that application policies unrelated to the object application process are not mapped. This reduces the occupation of the user address space of the object application process and also reduces the central processing unit (CPU) resources consumed during mapping.
In an optional implementation, the executable file further includes a signature of the executable file; the kernel verifies the validity of the signature; if the signature is valid, the kernel determines the target application policy set from the source policy set according to the service mask.
In the embodiments of the present application, the validity of the service mask and the executable file is verified through the signature, which ensures that the service mask has not been tampered with and thereby ensures the integrity and accuracy of the application policies mapped into the user address space of the object application process (if the mask has not been tampered with, all application policies related to the object application process are guaranteed to be mapped), so that the object application process can query all application policies related to it.
In an optional implementation, the service mask corresponding to the target application policy set is used to identify the target application policy set within the source policy set.
In an optional implementation, the executable file of the object application process includes a service mask corresponding to the target application policy set; the kernel determines, according to the service mask, the part of the policy source file corresponding to the target application policy set; the kernel then maps the memory address where the target application policy set is located into the user address space of the object application process; and the object application process parses that part of the policy source file to that memory address to obtain the target application policy set.
In the embodiments of the present application, the policy source file is parsed by the object application process in user space, so the kernel does not need to parse the policy source file, which reduces the performance overhead of the kernel and improves the operating efficiency of the kernel.
In an optional implementation, before the kernel maps the memory address where the target application policy set is located into the user address space of the object application process, the kernel randomizes the addresses of the user address space of the object application process.
In the embodiments of the present application, randomizing the addresses of the object application process before mapping reduces the risk that the address where the application policy set is located is leaked, and also avoids conflicts between the address to which the application policy set is mapped and address space reserved by the user.
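The first-aspect flow above (kernel parses the policy source file into the source policy set, selects the target application policy set with the service mask, publishes its mapping address through the auxiliary vector, and the object application process then answers access queries from the mapping without entering the kernel), as an added C model that is not the patent's own code. The ePOI text format, the encoding of the service mask as a bitmask over service IDs, the AT_POLICY auxv tag and the SAMPLE_EPOI contents are all assumptions constructed for the example; the kernel's address-space preparation and mapping are stood in for by ordinary process memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One application policy: the subject application's permission bits on one
 * object (service or resource) of the object application with this service_id. */
enum { PERM_READ = 1, PERM_WRITE = 2, PERM_EXEC = 4 };
struct policy { uint32_t service_id; char subject[24], object[24]; uint32_t perms; };
#define MAX_POLICIES 32
struct policy_set { size_t count; struct policy entries[MAX_POLICIES]; };

/* Auxiliary vector entry laid out like the ELF auxv on the initial stack. AT_NULL and
 * AT_PAGESZ are real ELF tags; AT_POLICY is a hypothetical tag (assumption) carrying the
 * POI mapping address. The service mask is modelled as a bitmask over service IDs. */
struct auxv_entry { uint64_t a_type, a_val; };
#define AT_NULL   0
#define AT_PAGESZ 6
#define AT_POLICY 0x1000
#define SERVICE_BIT(id) (1u << (id))

/* Constructed policy source file (ePOI): one "service_id subject object rwx" per line. */
static const char SAMPLE_EPOI[] =
    "1 camera_app  cam_stream rw\n"
    "2 music_app   audio_out  w\n"
    "1 gallery_app cam_stream r\n";

/* Kernel side (step 1): parse the ePOI into the source policy set.
 * Returns the number of policies parsed, or -1 on a malformed line. */
int parse_epoi(const char *text, struct policy_set *src)
{
    const char *line = text;
    src->count = 0;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[96], perm_str[8];
        unsigned id;
        if (len >= sizeof buf || src->count == MAX_POLICIES) return -1;
        memcpy(buf, line, len); buf[len] = '\0';
        struct policy *p = &src->entries[src->count];
        if (sscanf(buf, "%u %23s %23s %7s", &id, p->subject, p->object, perm_str) != 4)
            return -1;
        p->service_id = id; p->perms = 0;
        for (const char *c = perm_str; *c; c++) {
            if (*c == 'r') p->perms |= PERM_READ;
            else if (*c == 'w') p->perms |= PERM_WRITE;
            else if (*c == 'x') p->perms |= PERM_EXEC;
            else return -1;
        }
        src->count++;
        line = nl ? nl + 1 : line + len;
    }
    return (int)src->count;
}

/* Kernel side (step 3): keep only the policies selected by the object application's
 * service mask; the result is the target application policy set (POI). */
size_t extract_poi(const struct policy_set *src, uint32_t mask, struct policy_set *poi)
{
    poi->count = 0;
    for (size_t i = 0; i < src->count; i++)
        if (mask & SERVICE_BIT(src->entries[i].service_id))
            poi->entries[poi->count++] = src->entries[i];
    return poi->count;
}

/* Object application side (step 8): walk the auxv to the AT_POLICY entry. */
const struct policy_set *poi_from_auxv(const struct auxv_entry *auxv)
{
    for (; auxv->a_type != AT_NULL; auxv++)
        if (auxv->a_type == AT_POLICY)
            return (const struct policy_set *)(uintptr_t)auxv->a_val;
    return NULL;
}

/* Object application side (step 9): find the first application policy for (subject, object)
 * in the mapped POI without entering the kernel. Returns the permission bits, or -1 if none. */
int query_permission(const struct policy_set *poi, const char *subject, const char *object)
{
    if (!poi) return -1;                       /* no mapping: deny by default */
    for (size_t i = 0; i < poi->count; i++)
        if (!strcmp(poi->entries[i].subject, subject) && !strcmp(poi->entries[i].object, object))
            return (int)poi->entries[i].perms;
    return -1;
}

/* Whole flow for one object application process started with the given service mask.
 * Kernel steps 4 to 6 (prepare and randomize the address space, map the POI, fill the
 * auxv) are stood in for by ordinary process memory. */
int effective_perms(const char *epoi, uint32_t mask, const char *subject, const char *object)
{
    static struct policy_set src, poi;   /* stand in for kernel memory and the mapped page */
    struct auxv_entry auxv[3] = { { AT_PAGESZ, 4096 }, { AT_POLICY, 0 }, { AT_NULL, 0 } };
    if (parse_epoi(epoi, &src) < 0) return -1;
    extract_poi(&src, mask, &poi);
    auxv[1].a_val = (uint64_t)(uintptr_t)&poi;   /* kernel step 6: publish the mapping address */
    return query_permission(poi_from_auxv(auxv), subject, object);
}
```

With SERVICE_BIT(1) as the mask, camera_app's query on cam_stream returns 3 (read and write), while music_app's policy is never mapped into that process and its query returns -1.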
In a second aspect, an embodiment of the present application provides an access control method, including: a kernel maps the memory address of a policy source file into the address space of an access control management process; the access control management process parses the policy source file to obtain a source policy set; the access control management process loads a target application policy set from the source policy set into the shared memory space of an object application process, where the target application policy set is used to determine the access rights to objects on the object application process; and the object application process maps the target application policy set into its user address space.
In the embodiments of the present application, the policy source file is parsed by the access control management process, so the kernel does not need to parse the policy source file, which reduces the performance overhead of the kernel and improves the operating efficiency of the kernel.
In an optional implementation, the access control management process parses the configuration file of the object application process to obtain the target identifier of the target application policy set within the source policy set; the access control management process determines the target application policy set from the source policy set according to the target identifier; and the access control management process loads the target application policy set into the shared memory corresponding to the object application process.
In the embodiments of the present application, the access control management process determines the target application policy set corresponding to the object application process from the source policy set according to the configuration file, which filters the policy set so that, for each object application process, application policies unrelated to it are not mapped. This reduces the occupation of the user address space of the object application process and also reduces the CPU resources consumed during mapping. Moreover, one access control management process parsing the policy source file once can map the application policies of multiple object application processes, which reduces the number of times the policy source file is parsed and reduces CPU resource consumption.
In an optional implementation, the access control management process parses the service mask in the configuration file of the object application process to obtain the target identifier of the target application policy set within the source policy set.
In an optional implementation, the application management process identifies the shared memory corresponding to the object application process through a unique identifier of the object application process (for example, a process identifier (PID) or an application name (app name)).
In a third aspect, an embodiment of the present application provides a computing device, including a processor and a memory; the processor is coupled to the memory; the memory is used to store a program; and the processor is used to execute the program in the memory, so that the processor performs the access control method described in the first aspect or the second aspect.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium that stores a computer program; when the computer program is run, the method described in the first aspect or the second aspect is implemented.
In a fifth aspect, an embodiment of the present application provides a computer program product, including computer program code; when the computer program code is run, the method described in the first aspect or the second aspect is performed.
In a sixth aspect, the present application provides a chip or chip system, including a processor configured to implement the method of the first aspect or the second aspect. In a possible design, the chip or chip system further includes a memory for storing program instructions and/or data. The chip system may consist of chips, or may include chips and other discrete devices.
In a seventh aspect, an embodiment of the present application provides a server, which includes the chip described in the sixth aspect.
For the beneficial effects of the third to seventh aspects of the embodiments of the present application, refer to the first aspect or the second aspect; details are not repeated here.
Description of drawings
Fig. 1a is an architecture diagram of the access control method provided by an embodiment of this application;
Fig. 1b is another architecture diagram of the access control method provided by an embodiment of this application;
Fig. 1c is another architecture diagram of the access control method provided by an embodiment of this application;
Fig. 2 is a schematic diagram of the access control method provided by an embodiment of this application;
Fig. 3 is a schematic flowchart of the access control method provided by an embodiment of this application;
Fig. 4 is another schematic flowchart of the access control method provided by an embodiment of this application;
Fig. 5 is a schematic diagram of an executable file used in the access control method provided by an embodiment of this application;
Fig. 6 is another schematic diagram of the access control method provided by an embodiment of this application;
Fig. 7 is another schematic flowchart of the access control method provided by an embodiment of this application;
Fig. 8 is another schematic diagram of the access control method provided by an embodiment of this application;
Fig. 9a is another schematic flowchart of the access control method provided by an embodiment of this application;
Fig. 9b is another schematic diagram of the access control method provided by an embodiment of this application;
Fig. 10 is an architecture diagram of the access control method provided by an embodiment of this application;
Fig. 11 is a schematic structural diagram of a computing device provided by an embodiment of this application;
Fig. 12 is a schematic structural diagram of a chip provided by an embodiment of this application.
Detailed description
Embodiments of this application provide an access control method that reduces the performance overhead of the kernel and improves the kernel's running efficiency.
Refer to Fig. 1a, which is an architecture diagram of the access control method provided by an embodiment of this application. As shown in Fig. 1a, the architecture includes a subject application process, an object application process and a kernel.
The subject application process and the object application process run in user space. The object application process contains objects; the kernel holds a policy library, which includes policy library 1 (also called the target application policy set in the embodiments of this application), and policy library 1 includes the first application policy between the subject application process and the object.
In the embodiments of this application, a policy consists of a subject, an object and a behaviour. The subject is the entity that performs the access action, which in these embodiments is the subject application process; the object is what is accessed, which in these embodiments includes services and/or resources; the behaviour indicates whether the subject may access the object.
In the embodiments of this application, the application process that contains the object is called the object application process.
The kernel maps policy library 1 into the user address space of the object application process. The object application process protects the object: when the subject application process needs to access the object, the first application policy must be queried, and the object application process can query it through the mapping of policy library 1 in its user address space.
Refer to Fig. 1b, which is another architecture diagram of the access control method provided by an embodiment of this application. As shown in Fig. 1b, the architecture includes a subject application process, an object application process and a kernel.
The kernel determines, from the policy source file (encoded policy of interest, ePOI), the part of the policy source file that corresponds to the object application process (this part, once parsed, is the target application policy set), and maps it into the user address space of the object application process. The object application process parses this part of the policy source file and loads the resulting policy set into its user address space, obtaining the target application policy set (policy library 1) of that object application process.
The target application policy set protects the objects on the object application process. When the subject application process needs to access an object on the object application process, the first application policy must be queried; the object application process can query it through the mapping of the target application policy set (policy library 1) in its user address space.
Refer to Fig. 1c, which is another architecture diagram of the access control method provided by an embodiment of this application. As shown in Fig. 1c, the architecture includes a subject application process, multiple object application processes, an access control management process and a kernel.
The subject application process, the object application processes and the access control management process run in user space. The object application processes contain objects; the kernel holds a policy library comprising policy library 1, policy library 2, ..., policy library n. Policy library 1 includes the policies related to object 1 on object application process 1 and is also called the target application policy set; the other policy libraries follow by analogy and are not described again.
The kernel maps the policy library into the access control management process, and the access control management process maps the part of the policy library related to each object application process into that process's user address space (for example, policy library 1 is mapped into the user address space of object application process 1). Object application process 1 protects object 1; when the subject application process needs to access object 1, the first application policy must be queried, and object application process 1 can query it through the mapping of policy library 1 in its user address space. The other object application processes work in the same way and are not described again.
In the architectures of Figs. 1a, 1b and 1c, and in the other embodiments of this application, the object application process may also be called the policy enforcement point (PEP) because it can initiate a policy query, and may also be called the policy decision point (PDP) because it can perform the policy query.
Based on any of the architectures of Figs. 1a, 1b and 1c, embodiments of this application provide an access control method, shown schematically in Fig. 2. As shown in Fig. 2, the policy mapping module in the kernel maps the application policy set related to the objects (on the object application process) into the user address space of the object application process. If the subject application process needs to access an object on the object application process, the policy query module (PDP) on the object application process can, based on the access-permission query requirement for that object, query the application policy set through its mapping in the user address space, determine the first application policy between the subject application process and the object, and determine from that first application policy the subject application process's access permission for the object.
With the access control method of these embodiments, when the object application process (PDP) needs to query the subject application process's access permission for an object, the PDP only has to query the corresponding policy in the application policy set mapped into its user address space; the kernel does not take part, so no context switch is needed, which reduces the policy access and policy query overhead of access control.
Refer to Fig. 3, which illustrates the access control method provided by the embodiments of this application using an object application process as the example. The method includes:
301. The kernel maps the memory address of the target application policy set into the user address space of the object application process; the target application policy set indicates the subject application process's access permission for objects on the object application process, where the objects include services and/or resources.
In the embodiments of this application, the kernel can determine the memory address of the target application policy set and, before the object application process starts, map that memory address into the user address space of the object application process.
Optionally, the kernel can communicate the mapped address through the auxiliary vector. Specifically, before the object application process starts, the kernel writes the memory address to which the target application policy set is mapped into the auxiliary vector of the object application process's executable file. When the object application process starts, the auxiliary vector thus records the mapping address of the target application policy set (the address in the object application process at which the application policies are stored).
302. Based on the subject application process's access-permission query requirement for a first object, the object application process determines the first application policy between the subject application process and the first object from the target application policy set in its user address space.
If the subject application process needs to access the first object on the object application process, the object application process must query the access permission for the first object; based on that query requirement, it searches the target application policy set in its user address space and determines the first application policy between the subject application process and the first object.
303. The object application process determines, from the first application policy, the subject application process's access permission for the first object.
In the first application policy, the subject is the subject application process that accesses the first object and the object is the first object on the object application process; the object application process determines the subject application process's access permission for the first object from the behaviour of the first application policy. If the behaviour of the first application policy is "may access", the subject application process may access the first object.
Optionally, the target application policy set may be obtained by parsing a policy source file. Depending on where the policy source file is parsed, the embodiments of this application can include the following cases: 1. the policy source file is parsed by the kernel; 2. the policy source file is parsed by the application management process.
These are described in turn:
1. The policy source file is parsed by the kernel.
Fig. 4 is a schematic diagram of the access control method provided by an embodiment of this application, showing the method in which the kernel parses the policy source file. This method can be implemented on the architecture of Fig. 1a and includes:
1. The kernel reads the policy source file.
2. The kernel parses the policy source file.
The kernel parses the policy source file to obtain the source policy set, which includes the policies between all subjects and all objects. An object may be a resource and/or a service, and the object may be located on an object application process.
When the object of a policy is an object on an object application process running in user space, the policy is called an application policy. The embodiments of this application aim to avoid the context switch that occurs when an object application process queries access permissions, so they focus on application policies; an application policy is therefore called a policy of interest (POI), and the policy source file is called an encoded POI (ePOI).
There may be one or more POIs, so in the embodiments of this application the POIs are also called an application policy set.
3. The kernel verifies the signature.
Before starting the object application process, the kernel can verify the signature to confirm the validity of the object application process's executable file and ensure that it has not been tampered with. If the kernel finds the signature valid, the subsequent steps are performed.
4. The kernel extracts policies according to the service mask.
The executable file includes the service mask of the object application process. The service mask identifies the identifier (ID) of the POI in the source policy set; the kernel can use the service mask to determine the POI within the source policy set parsed in step 1, thereby filtering the application policies. In the embodiments of this application this step is also called extracting the policy.
Optionally, the service mask may be a 32-bit integer, and it may identify the ID of the POI in the source policy set by XOR, by ID matching, or by similar means. Note that 32 bits is only an example of the service mask width; the service mask may have more or fewer bits, for example 16 or 64 bits, and this is not limited here.
As shown in Fig. 5, before the object application process is shipped, the enterprise manager (Oracle Enterprise Manager, OEM) can package the service mask, the signature (the signature of step 3 of this embodiment) and the source executable file of the object application process into the object application process's executable file. Optionally, the service mask and the signature information may be described in the header of the executable file.
Optionally, in addition to determining the service mask before shipping, the service mask may also be modified after shipping if new objects are added to the object application process. In that case the service mask can be modified by a trusted subject (such as the kernel) to ensure that the service mask stays accurate.
5. The kernel prepares the address space and maps the policies.
The kernel prepares the process address space for the object application process and, at the same time, maps the memory address of the POI into that process address space.
6. The kernel assigns the policy mapping address to the auxiliary vector.
The kernel stores the mapping address information in the auxiliary vector, thereby passing the mapping address of the application policies to the object application process. Specifically, the auxiliary vector is part of the executable file, and when the executable file is parsed the auxiliary vector is resolved to the agreed address mentioned above. The kernel therefore assigns the mapping address of the POI to the auxiliary vector, so that the mapping address information is passed through the auxiliary vector.
For example, as shown in Fig. 6, an AT_POLICY vector may be added to the C standard library (Libc); this vector is used to write to a memory location reserved in the user address space.
Optionally, when the auxiliary vector table of the object application process is created, a vector array may be reserved at the top of the object application process's stack. This vector array is the auxiliary vector; each element (vector) of the array corresponds to one application policy; an AT_POLICY vector is one element of this array; and the AT_POLICY vector indicates the address in user process space at which the application policy is mapped.
When creating the object application process, the kernel can assign the mapping address of the application policies in the POI to AT_POLICY. When the application process queries a policy, it can obtain the mapping address of the target application policy set (POI) at the [AT_POLICY] position of the auxiliary vector on the top of the stack.
7. The kernel returns to user address space.
After completing steps 1 to 6, the kernel has mapped the POI memory address to the auxiliary vector in the user address space of the object application process, so it can return to user address space for the application process to start and perform the subsequent steps.
8. The object application process starts.
In the embodiments of this application, once the object application process has started, the application process can query access permissions for objects.
9. The object application process obtains the policy mapping address through the auxiliary vector.
Based on the subject application process's access-permission query requirement for the first object, the object application process obtains the mapping address through the auxiliary vector and, through the mapping address, queries the application policy whose subject is that subject application process and whose object is the first object.
In this embodiment the policy source file is parsed by the kernel; since the policy source file itself is stored in the kernel, parsing is fast and efficient. Moreover, kernel parsing and mapping are completed before the application process starts, so the application process can query policies immediately after starting, which improves the efficiency of policy queries.
2. The policy source file is parsed by the object application process.
In the method above in which the kernel parses the policy source file, parsing consumes kernel resources. The embodiments of this application can therefore move the parsing of the policy source file to the object application process in user space, reducing the kernel's performance overhead and improving its running efficiency.
Fig. 7 is a schematic flowchart of the access control method provided by an embodiment of this application. The method can be implemented on the architecture of Fig. 1b and, as shown in Fig. 7, includes:
1. The kernel reads the policy source file ePOI.
2. The kernel verifies the signature.
When the object application process needs to be started, the kernel can verify the signature to confirm the validity of the object application process's executable file and ensure that it has not been tampered with. If the kernel finds the signature valid, the subsequent steps are performed.
3. The kernel extracts, according to the service mask, the part of the policy source file corresponding to the object application process.
The executable file includes the service mask of the object application process. The service mask identifies the identifier (ID) of the POI in the source policy set; the kernel can use the service mask to determine the part of the policy source file ePOI that corresponds to the POI, thereby filtering the application policies. In the embodiments of this application this step is also called extracting the policy.
For the description of the service mask, refer to step 4 of Fig. 4; it is not repeated here.
4. The kernel prepares the address space and maps the ePOI.
The kernel prepares the address space for the object application process and, at the same time, maps the memory address of the POI into the object application process's address space.
5. The kernel assigns the policy mapping address to the auxiliary vector.
The kernel stores the mapping address information in the auxiliary vector, thereby passing the mapping address of the application policies to the object application process. For the specific procedure, refer to the description of step 6 of Fig. 4; it is not repeated here.
6. The kernel returns to user address space.
7. The object application process starts.
For steps 6 and 7, refer to the description of steps 7 and 8 of Fig. 4; they are not repeated here.
8. The object application process obtains the policy mapping address through the auxiliary vector.
Based on the subject application process's access-permission query requirement for the first object, the object application process obtains the mapping address from the auxiliary vector and uses the mapping address to locate the application policies.
9. The object application process parses the policy: ePOI → POI.
The object application process parses the part of the ePOI corresponding to the POI, as determined in step 3, to obtain the POI. Because in step 4 the kernel has already prepared an address space for mapping that part of the policy source file, the object application process can find the application's POI through the step-4 mapping and parse and load it into its process address space (what step 4 maps is the source policy file, so the object application process finds the source file through this mapping address, parses it into its own user address space, and then serves policy queries from the parsed policies).
In this embodiment the policy source file is parsed by the object application process, so the kernel does not need to parse it, which reduces the kernel's performance overhead and improves its running efficiency.
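As an added example that is not part of the patent, the C program below models the three pieces these procedures share: kernel-side extraction of the POI from the source policy set by service mask (Fig. 4 step 4, Fig. 7 step 3), handing the mapped address to the process through an AT_POLICY auxiliary-vector entry (Fig. 4 step 6, Fig. 7 step 5), and the user-space PDP query of Fig. 3 steps 302 and 303 that needs no kernel involvement. The policy layout, the numeric AT_POLICY entry type, the bit-per-service-ID reading of the 32-bit mask, the default-deny result and all policy entries are constructed assumptions, not values fixed by the patent.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a policy in the patent's terms: subject, object, behaviour. */
typedef enum { ACT_DENY = 0, ACT_ALLOW = 1 } action_t;

typedef struct {
    uint32_t subject;  /* subject application process identifier */
    uint32_t object;   /* service/resource (object) ID; 0..31 for a 32-bit mask */
    action_t action;   /* behaviour: may the subject access the object? */
} policy_t;

/* Auxiliary-vector entry. AT_POLICY_TYPE is a placeholder number standing in
 * for the patent's AT_POLICY entry; it is not a real Linux auxv type value. */
#define AT_NULL_TYPE   0
#define AT_POLICY_TYPE 1000
typedef struct { uint64_t a_type; uint64_t a_val; } auxv_entry_t;

/* Target application policy set (POI) as mapped into the object process. */
typedef struct { const policy_t *entries; size_t count; } policy_set_t;
#define MAX_POI 16

/* "Extract policy by service mask" (assumption: bit i of the mask set means
 * object ID i belongs to this object application process). Copies the matching
 * policies into out and returns how many were kept. */
size_t extract_poi(const policy_t *src, size_t n, uint32_t service_mask,
                   policy_t *out, size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < cap; i++) {
        if (src[i].object < 32 && (service_mask & (1u << src[i].object)))
            out[kept++] = src[i];
    }
    return kept;
}

/* Kernel side (simulated): store the POI mapping address in the auxv entry. */
void auxv_set_policy(auxv_entry_t *auxv, size_t n, const policy_set_t *poi)
{
    for (size_t i = 0; i < n; i++) {
        if (auxv[i].a_type == AT_POLICY_TYPE) {
            auxv[i].a_val = (uint64_t)(uintptr_t)poi;
            return;
        }
    }
}

/* User side: read the mapping address back from the auxv (like getauxval). */
const policy_set_t *auxv_get_policy(const auxv_entry_t *auxv)
{
    for (size_t i = 0; auxv[i].a_type != AT_NULL_TYPE; i++) {
        if (auxv[i].a_type == AT_POLICY_TYPE)
            return (const policy_set_t *)(uintptr_t)auxv[i].a_val;
    }
    return NULL;
}

/* PDP query done entirely in user space: no syscall, no context switch.
 * Returns the behaviour of the first application policy for (subject, object);
 * a missing mapping or no matching policy yields deny (assumption). */
action_t query_policy(const policy_set_t *poi, uint32_t subject, uint32_t object)
{
    if (poi == NULL) return ACT_DENY;
    for (size_t i = 0; i < poi->count; i++) {
        if (poi->entries[i].subject == subject && poi->entries[i].object == object)
            return poi->entries[i].action;
    }
    return ACT_DENY;
}

/* Constructed source policy set, i.e. what parsing the ePOI would yield. */
static const policy_t SOURCE_POLICIES[] = {
    { 100, 3, ACT_ALLOW },   /* subject 100 may use service 3 */
    { 100, 7, ACT_DENY  },   /* subject 100 may not use service 7 */
    { 200, 3, ACT_DENY  },
    { 200, 9, ACT_ALLOW },   /* service 9 lives on a different object process */
};
#define SOURCE_COUNT (sizeof(SOURCE_POLICIES) / sizeof(SOURCE_POLICIES[0]))

/* Service mask of the example object process: it hosts services 3 and 7. */
#define DEMO_SERVICE_MASK ((1u << 3) | (1u << 7))

/* Number of policies the kernel would extract for this object process. */
size_t demo_poi_count(void)
{
    policy_t buf[MAX_POI];
    return extract_poi(SOURCE_POLICIES, SOURCE_COUNT, DEMO_SERVICE_MASK, buf, MAX_POI);
}

/* End-to-end walk-through: extract, publish via auxv, then query from user space. */
action_t demo_decision(uint32_t subject, uint32_t object)
{
    static policy_t poi_buf[MAX_POI];
    static policy_set_t poi;
    static auxv_entry_t auxv[] = { { AT_POLICY_TYPE, 0 }, { AT_NULL_TYPE, 0 } };
    poi.entries = poi_buf;
    poi.count = extract_poi(SOURCE_POLICIES, SOURCE_COUNT, DEMO_SERVICE_MASK,
                            poi_buf, MAX_POI);                 /* Fig. 4 step 4 */
    auxv_set_policy(auxv, 2, &poi);                            /* Fig. 4 step 6 */
    const policy_set_t *mapped = auxv_get_policy(auxv);        /* Fig. 4 step 9 */
    return query_policy(mapped, subject, object);              /* Fig. 3 302-303 */
}

int main(void)
{
    printf("POI size: %zu\n", demo_poi_count());
    printf("subject 100 -> service 3: %s\n", demo_decision(100, 3) ? "allow" : "deny");
    printf("subject 200 -> service 9: %s\n", demo_decision(200, 9) ? "allow" : "deny");
    return 0;
}
```

Service 9 is refused even though the source set allows it, because its policy was never part of this process's POI; this is the filtering the service mask performs.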
三、策略源文件由访问控制管理进程解析。3. The policy source file is parsed by the access control management process.
图7所示的方法,在步骤9执行之后,才能查询到应用策略,每个客体应用进程都需要将ePOI解析成POI之后才能进行策略查询。如图8所示,客体应用进程1和客体应用进程2都需要在解析ePOI至POI后,才能进行后续的POI查询操作,ePOI的解析会减慢每个客体应用进程的启动速度。In the method shown in FIG. 7 , the application policy can only be queried after step 9 is executed, and each object application process needs to parse the ePOI into a POI before performing policy query. As shown in Fig. 8, both the object application process 1 and the object application process 2 need to parse the ePOI to the POI before performing the subsequent POI query operation, and the ePOI parsing will slow down the startup speed of each object application process.
为了避免每个客体应用进程都需要解析ePOI,本申请实施例了一种方法,在访问控制管理进程进行一次ePOI解析,得到源策略集合,再通过共享内存将各客体应用进程需要的应用策略集合映射至其他的用户态的对应客体应用进程的用户地址空间上,实现POI到对应客体应用进程的映射。从而使得多个用户态的客体应用进程,只需要进行一次ePOI的解析,即可保证所有的客体应用进程都能查询策略。In order to prevent each object application process from needing to parse the ePOI, this application implements a method that performs an ePOI parsing in the access control management process to obtain the source policy set, and then collects the application policy sets required by each object application process through shared memory Mapping to the user address space of the corresponding object application process in other user states to realize the mapping from the POI to the corresponding object application process. Therefore, multiple object application processes in the user mode only need to analyze the ePOI once, so as to ensure that all object application processes can query policies.
在本申请实施例中,访问控制管理进程用于进行对所有应用访问控制策略的解析和管理。In this embodiment of the application, the access control management process is used to analyze and manage all application access control policies.
Fig. 9a is a schematic flowchart of an access control method provided by an embodiment of this application; the method can be implemented on the architecture shown in Fig. 1c. As shown in Fig. 9a, the steps of the method are as follows:
1. The kernel reads the policy source file ePOI.
2. The kernel verifies the signature.
The kernel verifies the signature of the source executable file of the object application process; the source executable file does not contain a service mask. The purpose of the signature check is to verify the legitimacy of the access control management process.
3. The kernel maps the policy source file ePOI into the access control management process.
The kernel sets up the address space of the access control management process and maps the policy source file ePOI into it. The ePOI mapped here is the policy source file, which contains the information of all policies.
4. The kernel passes the mapping address of the ePOI to the access control management process through the auxiliary vector.
The kernel stores the ePOI mapping address in the auxiliary vector and thereby passes it to the access control management process. For the auxiliary vector, see the description of step 6 in Fig. 4, which is not repeated here.
5. The kernel returns to user address space.
6. The access control management process starts.
7. The access control management process obtains the ePOI mapping address from the auxiliary vector.
8. The access control management process parses the ePOI to obtain the source policy set.
The access control management process parses the ePOI to obtain the source policy set and places the parsed source policy set in the process space of the access control management process; see Fig. 9b, where step 9 of Fig. 9a corresponds to step ① of Fig. 9b.
9. The access control management process determines each object application process's own POI (one per object application process) according to the object application process's service ID.
Optionally, after an object application process starts, the access control management process can obtain the object application process's configuration file and parse the service mask in it to obtain the policy ID of the target application policy set (POI) within the source policy set (also called the target identifier or service ID in this document). With the target identifier, the access control management process can determine the target application policy set (POI) from the source policy set.
In this embodiment, besides parsing the service mask in the configuration file, the policy ID of the object application process's POI within the source policy set can also be obtained in other ways, for example through inter-process communication (IPC); no limitation is imposed here.
10. The access control management process loads the POI into the shared memory space of the corresponding object application process.
Once the access control management process has determined the target application policy set (POI), it loads the memory address of the target application policy set into the shared memory corresponding to the object application process, thereby mapping the target application policy set (POI) into that shared memory. Optionally, this step can be performed by a policy parser in the access control management process; see step ② in Fig. 9b.
The shared memory space between the access control management process and each object application process is designated by a separate shared memory file, whose name corresponds to that object application process; it can be the object application process's app name or another unique identifier, and is not limited here.
11. The object application process maps its corresponding shared memory file.
Each object application process finds its corresponding shared memory file by its app name (or other unique identifier) and maps the POI in that file into its own user process space; the shared memory file holds that object application process's POI. This step corresponds to step ③ in Fig. 9b.
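The Fig. 9a procedure, as an added worked example in C that is not part of the patent or of any Huawei implementation: the "management process" selects an object app's POI out of an already parsed source policy set by service mask, publishes it with a header into a shared region, and the "object app" validates that region once and then queries it with plain memory reads. The policy record layout, the POI header, the FNV-1a checksum (standing in for the signature the page's kernel verifies), the sample rules, and the use of an anonymous MAP_SHARED mapping plus fork() in place of the per-app shared memory file are all assumptions of this example. It also illustrates claim 1 (the object app determining the first application policy from the mapped set) and claim 8 (the management process loading the set into per-app shared memory).

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* One rule of the source policy set: subject -> object on this app, with permission bits.
 * service_id (0..31) is the service of the object app the rule protects, so a service
 * mask can select the rules one app needs out of the whole set (layout is constructed). */
struct policy { uint32_t subject_id, service_id, object_id, perms; };
enum { PERM_READ = 1, PERM_WRITE = 2, PERM_CALL = 4 };

/* Header of a published POI region. The FNV-1a checksum only stands in for the
 * signature that the page's kernel verifies before mapping. */
#define POI_MAGIC 0x31494f50u
struct poi_header { uint32_t magic, count, service_mask, checksum; };

/* Constructed source policy set, i.e. what one parse of the ePOI would yield. */
static const struct policy SOURCE_SET[] = {
    {100, 0, 1, PERM_READ},
    {100, 1, 2, PERM_READ | PERM_WRITE},
    {200, 1, 2, PERM_CALL},
    {300, 2, 3, PERM_READ},
    {200, 3, 4, PERM_WRITE},
};
#define SOURCE_COUNT (sizeof SOURCE_SET / sizeof SOURCE_SET[0])

static uint32_t fnv1a(const void *data, size_t len) {
    const unsigned char *p = data;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Management-process side: select the target set (POI) from src by service mask and
 * write header + entries into region. Returns bytes used, or 0 on error. */
size_t poi_publish(const struct policy *src, size_t n, uint32_t mask,
                   void *region, size_t region_len) {
    if (region_len < sizeof(struct poi_header)) return 0;
    struct poi_header *hdr = region;
    struct policy *out = (struct policy *)(hdr + 1);
    size_t cap = (region_len - sizeof *hdr) / sizeof *out;
    uint32_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (src[i].service_id > 31 || !(mask & (1u << src[i].service_id))) continue;
        if (count == cap) return 0;
        out[count++] = src[i];
    }
    hdr->magic = POI_MAGIC;
    hdr->count = count;
    hdr->service_mask = mask;
    hdr->checksum = fnv1a(out, count * sizeof *out);
    return sizeof *hdr + count * sizeof *out;
}

/* Object-app side: check magic, bounds and checksum before trusting the mapping. */
int poi_validate(const void *region, size_t region_len) {
    const struct poi_header *hdr = region;
    if (region_len < sizeof *hdr || hdr->magic != POI_MAGIC) return 0;
    size_t body = (size_t)hdr->count * sizeof(struct policy);
    if (body > region_len - sizeof *hdr) return 0;
    return fnv1a(hdr + 1, body) == hdr->checksum;
}

/* Object-app side query: plain reads of a read-only mapping, no lock and no syscall.
 * Returns the union of the matching rules' permission bits; no rule means 0 (deny). */
uint32_t poi_lookup(const void *region, uint32_t subject, uint32_t object) {
    const struct poi_header *hdr = region;
    const struct policy *p = (const struct policy *)(hdr + 1);
    uint32_t perms = 0;
    for (uint32_t i = 0; i < hdr->count; i++)
        if (p[i].subject_id == subject && p[i].object_id == object) perms |= p[i].perms;
    return perms;
}

/* Both sides together. An anonymous MAP_SHARED region plus fork() stands in for the
 * per-app shared memory file: the parent plays the management process, the child plays
 * the object app (read-only view, validate, query). Returns the child's perms or -1. */
int demo_shared_lookup(uint32_t mask, uint32_t subject, uint32_t object) {
    const size_t len = 4096;
    void *region = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    int result = -1, status = 0;
    if (poi_publish(SOURCE_SET, SOURCE_COUNT, mask, region, len) != 0) {
        pid_t pid = fork();
        if (pid == 0) {
            if (mprotect(region, len, PROT_READ) != 0 || !poi_validate(region, len)) _exit(255);
            _exit((int)(poi_lookup(region, subject, object) & 0xff));
        }
        if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status) &&
            WEXITSTATUS(status) != 255)
            result = WEXITSTATUS(status);
    }
    munmap(region, len);
    return result;
}

/* A modified published set must fail validation before any lookup is served from it. */
int demo_tamper_detected(void) {
    uint32_t buf[64];
    if (poi_publish(SOURCE_SET, SOURCE_COUNT, 1u << 1, buf, sizeof buf) == 0) return 0;
    int ok_before = poi_validate(buf, sizeof buf);
    ((unsigned char *)buf)[sizeof(struct poi_header)] ^= 1; /* flip one bit of the first rule */
    return ok_before && !poi_validate(buf, sizeof buf);
}
```

The part that matters is the child's path in demo_shared_lookup: after mprotect(PROT_READ) it validates once, and every later poi_lookup is a read of its own address space with no syscall, no IPC and no lock, which is exactly the cost the page's comparison with a PMS and with kernel-side locking is about. A rule that the service mask filtered out is simply absent, so the app denies what it was never told about; and because the region is read-only in the app, a compromised app cannot grant itself permissions by editing its own copy, although in this simplified form a process with write access to the shared region (here the parent) could still change the set, which is why the page has the kernel, not user space, perform the mapping and verify the signature.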
In this embodiment, a single access control management process parses all policies in user mode and maps the application policies of multiple object application processes, so no object application process has to parse policies at startup, which reduces system complexity.
As shown in Fig. 10, an embodiment of this application provides a policy query framework. An object application process is started by the system process; after entering the kernel, the kernel uses the binary loader to load the object application process's executable file. A header analyzer in the kernel inspects the header marks of the executable for a security marker used for identity verification. The signature analyzer verifies the identity; if the identity is legitimate, the policy held by the kernel is mapped at a randomized address into the process address space, and the address information is passed to the object application process through the auxiliary vector. Once the object application process has started, it can query the mapped memory directly and obtain the access policy quickly.
Optionally, if the kernel is the trusted computing base (TCB), a policy loading component is used to load the policy and map it into the object application process's user address space. This guarantees trusted loading and policy security, avoids the kernel context switch on every policy query, and reduces the kernel's performance overhead.
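Steps 4 and 7 of Fig. 9a and the Fig. 10 framework rely on the auxiliary vector to tell a freshly started process where the kernel put a mapping. As an added example, not from the patent, the following C code walks an auxv table for a hypothetical AT_POLICY_MAP tag (no real kernel defines it; the table and the address in it are constructed) and then uses getauxval() on the one real instance of the same mechanism that Linux already has, AT_SYSINFO_EHDR, the address of the kernel-mapped vDSO page, checking that the mapped memory starts with an ELF header before trusting it, in the spirit of the header analyzer described above.

```c
#include <link.h>      /* ElfW(), Elf*_auxv_t, AT_* tags */
#include <string.h>
#include <sys/auxv.h>  /* getauxval() */

/* Hypothetical auxv tag for the policy-set mapping; no real kernel defines it. */
#define AT_POLICY_MAP 0x5000UL

/* Walk an AT_NULL-terminated auxv table, as the loader leaves it above envp on the
 * initial stack, and return the value stored for `type`; 0 if the entry is absent. */
unsigned long auxv_find(const ElfW(auxv_t) *av, unsigned long type) {
    for (; av->a_type != AT_NULL; av++)
        if ((unsigned long)av->a_type == type) return av->a_un.a_val;
    return 0;
}

/* Constructed auxv: what a kernel implementing step 4 could hand to the access control
 * management process (the address value is made up). */
static const ElfW(auxv_t) SAMPLE_AUXV[] = {
    { AT_PAGESZ,     { 4096 } },
    { AT_POLICY_MAP, { 0x7f3a12340000UL } },
    { AT_NULL,       { 0 } },
};

unsigned long sample_policy_map_addr(void) {
    return auxv_find(SAMPLE_AUXV, AT_POLICY_MAP);
}

/* The same handoff Linux already performs for the vDSO: the kernel maps a page into
 * every process and reports its address as AT_SYSINFO_EHDR. Before using such a
 * mapping, check that it carries what you expect, here an ELF header.
 * Returns 1 if the entry is present and the page is ELF, 0 if the kernel provided
 * no entry, and -1 if the entry is present but the content is not ELF (do not trust it). */
int auxv_mapping_is_elf(unsigned long type) {
    unsigned long addr = getauxval(type);
    if (addr == 0) return 0;
    return memcmp((const void *)addr, ELFMAG, SELFMAG) == 0 ? 1 : -1;
}
```

getauxval() of a tag the kernel did not supply returns 0 (with errno set to ENOENT), so a process started by a kernel without the policy mapping can detect that and fall back to a slower query path rather than dereferencing a bogus address.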
Compared with the prior art, the access control method provided by the embodiments of this application has the following advantages:
1. In existing access control technology, the kernel is isolated from user-mode applications by privilege separation, so every policy query requires a privilege switch, i.e. a context switch.
The method of this embodiment queries policies without a privilege switch. Moreover, the mapping in this embodiment is established by the kernel, which is part of the trusted computing base, so the policy mapping is trustworthy.
2. In one prior-art approach, a policy manager server (PMS) running in user space stores the application policies related to object application processes, which reduces context switches; but this approach relies on inter-process communication (IPC) with the PMS, so the IPC performance cost cannot be avoided.
The method of this embodiment needs no IPC with a PMS: the policy is mapped directly into the object application process's address space, and no additional privileged process is required.
3. In the prior art, the kernel has to protect shared resources with atomic locks, which degrades performance on symmetric multi-processing (SMP) architectures.
In the method of this embodiment, each object application process holds a local mapping of the application policies it needs, so the kernel does not need to protect shared resources with atomic locks, and performance under SMP improves.
The access control method provided by the embodiments of this application has been described above; the devices provided by the embodiments are described below.
Referring to Fig. 11, an embodiment of this application provides a computing device 1100 comprising a processor 1101 and a memory 1102; the processor 1101 is coupled to the memory 1102; the memory 1102 is used to store a program; the processor 1101 is used to execute the program in the memory 1102, so that the processor 1101 performs the access control methods described in Figs. 2 to 10.
Referring to Fig. 12, an embodiment of this application provides a chip 1200 comprising at least one processor 1201 and a communication interface 1202; the communication interface 1202 and the at least one processor 1201 are interconnected by lines, and the at least one processor 1201 is used to run a computer program or instructions to perform the access control method of any of the embodiments of Figs. 2 to 10.
The communication interface 1202 of the chip may be an input/output interface, a pin, a circuit or the like.
In a possible implementation, the chip 1200 described above further comprises at least one memory 1203 in which instructions are stored. The memory 1203 may be a storage unit inside the chip, such as a register or a cache, or a storage unit of the chip (for example a read-only memory or a random access memory).
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above can be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided by this application, it should be understood that the disclosed systems, devices and methods can be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation; for example, multiple units or components can be combined or integrated into another system, or some features can be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.

Claims (14)

  1. An access control method, characterized in that it comprises:
    a kernel mapping the memory address at which a target application policy set is located into the user address space of an object application process, the target application policy set indicating a subject application process's access rights to objects on the object application process, wherein the objects include services and/or resources;
    the object application process, on the basis of a need to query the access right to a first object, determining a first application policy between the subject application process and the first object according to the target application policy set mapped into the user address space;
    the object application process determining, according to the first application policy, the subject application process's access right to the first object.
  2. The method according to claim 1, characterized in that the kernel mapping the memory address at which the target application policy set is located into the user address space of the object application process comprises:
    the kernel writing the memory address to which the target application policy set is mapped into the auxiliary vector of the object application process's executable file.
  3. The method according to claim 1 or 2, characterized in that the executable file of the object application process includes a service mask corresponding to the target application policy set;
    before the kernel maps the memory address at which the target application policy set is located into the user address space of the object application process, the method further comprises:
    the kernel parsing a policy source file to obtain a source policy set;
    the kernel determining the target application policy set from the source policy set according to the service mask, the target application policy set being used to protect the objects on the object application process.
  4. The method according to claim 3, characterized in that the executable file further includes a signature over the executable file;
    the kernel determining the target application policy set from the source policy set according to the service mask comprises:
    the kernel verifying the validity of the signature;
    if the signature is valid, the kernel determining the target application policy set from the source policy set according to the service mask.
  5. The method according to claim 3 or 4, characterized in that the service mask corresponding to the target application policy set is used to identify the target application policy set within the source policy set.
  6. The method according to claim 1 or 2, characterized in that the executable file of the object application process includes a service mask corresponding to the target application policy set;
    before the kernel maps the memory address at which the target application policy set is located into the user address space of the object application process, the method further comprises:
    the kernel determining, according to the service mask, the part of the policy source file that corresponds to the target application policy set;
    the method further comprising:
    the object application process parsing that part of the policy source file at the memory address to obtain the target application policy set.
  7. The method according to any one of claims 1 to 6, characterized in that before the kernel maps the memory address at which the target application policy set is located into the user address space of the object application process, the method further comprises:
    the kernel randomizing the addresses of the user address space of the object application process.
  8. An access control method, characterized in that the method comprises:
    a kernel mapping the memory address of a policy source file into the address space of an access control management process;
    the access control management process parsing the policy source file to obtain a source policy set;
    the access control management process loading a target application policy set from the source policy set into the shared memory space of an object application process, the target application policy set being used to determine access rights to objects on the object application process;
    the object application process mapping the target application policy set into the user address space of the object application process.
  9. The method according to claim 8, characterized in that the access control management process loading the memory address of the target application policy set from the source policy set into the shared space corresponding to the object application process comprises:
    the access control management process parsing the configuration file of the object application process to obtain a target identifier of the target application policy set within the source policy set;
    the access control management process determining the target application policy set from the source policy set according to the target identifier;
    the access control management process loading the target application policy set into the shared memory corresponding to the object application process.
  10. A computing device, characterized in that it comprises a processor and a memory, the processor being coupled to the memory;
    the memory being used to store a program;
    the processor being used to execute the program in the memory, so that the processor performs the access control method according to any one of claims 1 to 9.
  11. A computer-readable storage medium, characterized in that the computer-readable storage medium is used to store a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 9.
  12. A computer program product, characterized in that the computer program product comprises computer program code;
    when the computer program code is run, the method according to any one of claims 1 to 9 is implemented.
  13. A chip, characterized in that it comprises at least one processor and an interface;
    the interface being used to provide program instructions or data to the at least one processor;
    the at least one processor being used to execute the program instructions to implement the method according to any one of claims 1 to 9.
  14. A server, characterized in that it comprises the chip according to claim 13.
PCT/CN2022/134254 2021-11-30 2022-11-25 Access control method and related device WO2023098579A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111446740.4 2021-11-30
CN202111446740.4A CN116204858A (en) 2021-11-30 2021-11-30 Access control method and related equipment

Publications (1)

Publication Number Publication Date
WO2023098579A1 true WO2023098579A1 (en) 2023-06-08

Family

ID=86515174

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/134254 WO2023098579A1 (en) 2021-11-30 2022-11-25 Access control method and related device

Country Status (2)

Country Link
CN (1) CN116204858A (en)
WO (1) WO2023098579A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103971067A (en) * 2014-05-30 2014-08-06 中国人民解放军国防科学技术大学 Operating system nucleus universal access control method supporting entities inside and outside nucleus
CN104112089A (en) * 2014-07-17 2014-10-22 中国人民解放军国防科学技术大学 Multi-strategy integration based mandatory access control method
CN104885092A (en) * 2012-11-13 2015-09-02 奥克兰服务有限公司 Security system and method for operating systems
CN105701416A (en) * 2016-01-11 2016-06-22 华为技术有限公司 Mandatory access control method and device as well as physical host
CN109992983A (en) * 2019-04-15 2019-07-09 苏州浪潮智能科技有限公司 A kind of forced access control method, device, equipment and readable storage medium storing program for executing

Also Published As

Publication number Publication date
CN116204858A (en) 2023-06-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22900383

Country of ref document: EP

Kind code of ref document: A1