Object memory credibility verification method and system in access control

Abstract

The embodiment of the invention provides an object memory credibility verification method and system in access control, and the method comprises the steps: obtaining an object memory in an access control process, and dividing the object memory into an object process memory and an IPC object shared memory; and performing credibility verification on the object process memory and the IPC object shared memory respectively. Accoridng to the object memory credibility verification method and system in access control, object memory data is divided into an object process memory serving as a subject service object and an IPC object shared memory serving as inter-process communication; and credibility verification is carried out on the two object memories respectively, so that credibility verification of the uncertain object data neglected by the existing scheme is realized, and dynamic credibility of the application program in the running process is ensured.

Description

technical field [0001] The invention relates to the technical field of information security, in particular to a method and system for authenticating object memory in access control. Background technique [0002] With the rapid development of the Internet, the application of computer networks has gradually penetrated into all aspects of people's lives, resulting in an increasingly strong demand for building trusted network systems. Especially with the maturity of "cloud computing" technology, which is designed with the concept of dynamic resource allocation and on-demand services, the attack methods and tools it faces are becoming more and more diversified, and cloud security issues have also become constraints to the development of this emerging technology. bottleneck. With the rise of trusted computing technology, trusted operating systems have gradually become a research hotspot. The establishment of credibility not only requires the consistency measurement of the operati...

AI Technical Summary

Problems solved by technology

However, the shortcomings of the solution are: 1. TPM is used as the trusted anchor point, and there is no support for the national secret algorithm package; 2. The verification system is too cumbersome and superficial, that is, only the owner identity and creation time of the relevant static objects are passed. Create an image file of a static object for credible verification

However, the disadvantages of this scheme are: 1. The credible verification is still carried out by means of identifying the identity of the subject and the object and encrypting the dynamic object information by the TPM, which has considerable limitations; The specific information of the dynamic object is classified and processed, and the credibility is not high

[0006] In the patent document with the patent publication number CN 106295319, a security protection scheme for the operating system is disclosed by controlling the trust status of the subject and the object, but the classification of the object is mainly for the static file category, ignoring the important Dynamic objects, that is, processes, inter-process communication, etc., the security protection capability is not outstanding

[0007] Patent Publication No. CN 109992992A proposes a method of allocating sensitive data including statically allocated .data and .bss segments of trusted applications, and dynamically allocated stack and heap segments to internal random memory protected by trusted chips. The security domain of the access memory, and load the code and non-sensitive data into the security domain of the dynamic random access memory to realize the trusted protection of application data, but this solution only proposes to use the so-called "security domain" to protect sensitive data. However, there is a lack of credible dynamic verification of relevant sensitive data. Once the "security domain" is breached by an attacker, the application data is not credible.

[0008] To sum up, the existing trusted operation schemes do not classify the types of objects when dealing with trusted verification of objects, and the proposed requirements for trusted verification of objects are all aimed at those who can only act as subjects. "static objects" of the recipient, such as files, directories, devices, etc.

However, there is a lack of trusted verification of dynamic objects such as processes and inter-process communication

The credibility of the object cannot be effectively guaranteed, therefore, the trusted operation of the upper-layer application cannot be guaranteed

Images