A secure access control method, apparatus and readable storage medium

By installing a customized operating system and a pre-built interface layer in the cloud terminal, combined with a PCI security board at the hardware layer, the security risks of the cloud terminal are addressed, and the system security and data security of the cloud terminal are improved.

CN115758425B · Active · Publication Date: 2026-06-26 · ZHONGKE FANGDE SOFTWARE CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: ZHONGKE FANGDE SOFTWARE CO LTD
Filing Date: 2022-11-30
Publication Date: 2026-06-26

AI Technical Summary

Technical Problem

In existing cloud desktop technologies, the security risks of cloud terminals are overlooked, affecting the information security of both the cloud terminals themselves and the remotely accessed cloud hosts.

Method used

A customized operating system is installed in the cloud terminal, unnecessary functional modules are removed, only the pre-built functional modules necessary for the normal operation of the cloud thin client are retained, and a pre-built interface layer is added between the operating system layer and the application layer. The pre-built interface layer isolates the cloud thin client from the operating system, and data access control is carried out in conjunction with the PCI security board at the hardware layer.

Benefits of technology

It improves the system security and data security of cloud terminals, realizes the lightweighting and automation of cloud terminals, and further protects the data security of remotely accessed cloud hosts.

✦ Generated by Eureka AI based on patent content.


Abstract

Embodiments of the present application provide a secure access control method, device and readable storage medium. The method comprises: receiving a resource access request sent by a target application program, the resource access request being used to request access to a target system resource in the cloud terminal, wherein the target application program is an application program that has been authorized to run in the cloud terminal, the resource access request is triggered by calling a target interface provided by a preset interface layer, and the target interface is used to implement the operation of a target function module among the preset function modules; determining whether the resource access request has access rights to the target system resource; and, if it is determined that the resource access request has access rights to the target system resource, accessing the target system resource by calling the target function module. The present application can effectively improve the system security and data security of the cloud terminal, thereby further protecting the data security of the remotely accessed cloud host.

Description

Technical Field

[0001] This application relates to the field of computer technology, and in particular to a secure access control method, apparatus, and readable storage medium.

Background Technology

[0002] With the rapid development of cloud computing, cloud desktop technology has been continuously developed and improved. Using cloud computing technology, traditional PCs (Personal Computers) are replaced by cloud terminals. The cloud terminal is only used for displaying information and receiving user input; computing and storage capabilities are centralized in the backend cloud host, which provides a virtual desktop for the cloud terminal. This virtual desktop is called a cloud desktop. In this new model, users can log in to a remote personal virtual desktop through the cloud terminal, achieving the same experience as a PC, thereby achieving centralized management, unified operation and maintenance, and cost savings.

[0003] Current cloud desktop technologies focus more on secure access control to cloud hosts, while neglecting the potential security risks of cloud terminals. The security risks of cloud terminals not only affect the information security of the cloud terminals themselves, but may also impact the data security of remotely accessed cloud hosts.

Summary of the Invention

[0004] This application provides a secure access control method, apparatus, and readable storage medium, which can improve the system security and data security of cloud terminals.

[0005] To address the aforementioned issues, this application discloses a secure access control method applied to a cloud terminal. The cloud terminal is equipped with a customized operating system, which includes pre-installed functional modules. The method includes:

[0006] The system receives a resource access request sent by a target application, the resource access request being used to request access to target system resources in the cloud terminal; wherein, the target application is an application that is authorized to run in the cloud terminal; the resource access request is triggered by calling a target interface provided by a preset interface layer; the target interface is used to implement the operation of the target function module in the preset function module;

[0007] Determine whether the resource access request has the necessary access permissions to the target system resource;

[0008] If it is determined that the resource access request has access rights to the target system resource, then the target system resource is accessed by invoking the target functional module.

[0009] On the other hand, this application discloses a secure access control device applied to a cloud terminal, wherein the cloud terminal is equipped with a customized operating system, the customized operating system includes pre-built functional modules, and the device includes:

[0010] A request receiving module is used to receive a resource access request sent by a target application, the resource access request being used to request access to target system resources in the cloud terminal; wherein, the target application is an application that is authorized to run in the cloud terminal; the resource access request is triggered by calling a target interface provided by a preset interface layer; the target interface is used to implement the operation of the target function module in the preset function module;

[0011] The permission determination module is used to determine whether the resource access request has the necessary access permissions to the target system resource;

[0012] The operation execution module is used to access the target system resource by calling the target function module if it is determined that the resource access request has access rights to the target system resource.

[0013] In another aspect, embodiments of this application disclose an apparatus for secure access control, including a memory and one or more programs, wherein one or more programs are stored in the memory and configured to be executed by one or more processors, and the one or more programs include instructions for performing one or more of the secure access control methods described above.

[0014] In another aspect, embodiments of this application disclose a readable storage medium storing instructions that, when executed by one or more processors of the device, cause the device to perform one or more of the aforementioned secure access control methods.

[0015] The embodiments of this application have the following advantages:

[0016] This application provides a secure access control method for cloud terminals. The cloud terminal is equipped with a customized operating system, that is, an operating system from which unnecessary functional modules have been removed, retaining only the pre-installed functional modules necessary for the normal operation of the cloud thin client. This allows for lightweighting and automation of the cloud terminal while improving system security. Furthermore, this application adds a pre-installed interface layer between the operating system layer and the application layer of the cloud terminal. This pre-installed interface layer isolates the cloud thin client from the operating system while still allowing it to run the necessary functions, and the pre-installed interfaces, provided through re-encapsulation, further protect the system security of the cloud terminal. Moreover, this application integrates a PCI (Peripheral Component Interconnect) security card at the hardware layer, achieving hardware-level data access control. In summary, the three-layer protection system of this application (hardware layer, operating system layer, and pre-installed interface layer) effectively improves the system and data security of the cloud terminal, thereby further protecting the data security of remotely accessed cloud hosts.

Description of the Drawings

[0017] To more clearly illustrate the technical solutions of the embodiments of this application, the drawings used in the description of the embodiments of this application will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0018] Figure 1 is a flowchart illustrating the steps of an embodiment of a secure access control method according to this application;

[0019] Figure 2 is a schematic diagram of the logical architecture of a cloud terminal according to this application;

[0020] Figure 3 is a schematic diagram of a data access interaction according to this application;

[0021] Figure 4 is a structural block diagram of an embodiment of a secure access control device according to this application;

[0022] Figure 5 is a block diagram of a device 800 for secure access control according to this application.

Detailed Description

[0023] The technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0024] The terms "first," "second," etc., used in the specification and claims of this application are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that embodiments of this application can be implemented in orders other than those illustrated or described herein, and the objects distinguished by "first," "second," etc., are generally of the same class and are not limited in number; for example, a first object can be one or more. Furthermore, the term "and/or" in the specification and claims is used to describe the relationship between related objects, indicating that three relationships can exist. For example, A and/or B can represent: A alone, A and B simultaneously, and B alone. The character "/" generally indicates that the preceding and following related objects are in an "or" relationship. In the embodiments of this application, the term "multiple" refers to two or more, and other quantifiers are similar.

[0025] Referring to Figure 1, which illustrates a flowchart of an embodiment of a secure access control method according to this application, the method can be applied to a cloud terminal equipped with a customized operating system. The customized operating system includes pre-built functional modules, and the method may include the following steps:

[0026] Step 101: Receive a resource access request sent by the target application, the resource access request being used to request access to target system resources in the cloud terminal; wherein, the target application is an application that is authorized to run in the cloud terminal; the resource access request is triggered by calling the target interface provided by the preset interface layer; the target interface is used to implement the operation of the target function module in the preset function module;

[0027] Step 102: Determine whether the resource access request has access permissions to the target system resource;

[0028] Step 103: If it is determined that the resource access request has access rights to the target system resource, then the target system resource is accessed by calling the target functional module.

[0029] The secure access control method provided in this application can be applied to cloud terminals in a cloud desktop system. The cloud desktop system mainly includes cloud terminals, a network, and a cloud host (also called a cloud server). The cloud terminal can be a thin client or any other device connected to the network, such as a cloud phone or cloud computer, etc. The cloud terminal is equipped with an access client (also called a cloud client or cloud thin client) for connecting to the cloud host via the network and accessing the cloud desktop provided by the cloud host.

[0030] A custom operating system refers to a new operating system that is rebuilt based on actual business needs, by classifying the various modules of the operating system, identifying the necessary modules that meet the business needs, and then reconstructing the operating system based on the selected necessary modules.

[0031] Pre-built function modules are the necessary modules included in the customized operating system.

[0032] In this embodiment of the application, the cloud terminal is equipped with a customized operating system. The customized operating system can be an operating system based on the general Linux operating system, with unnecessary functional modules removed and only the pre-built functional modules necessary for the normal operation of the cloud thin terminal retained. This can achieve the lightweighting and automation of the cloud terminal while improving system security.

[0033] In practical implementation, unnecessary modules that need to be removed and pre-installed functional modules that need to be retained can be determined based on actual business needs. For example, the unnecessary modules may include the operating system desktop environment. The operating system desktop environment is the graphical desktop of the upper-layer GUI (Graphical User Interface) of the operating system. The operating system desktop environment is not a necessary module for the normal operation of the cloud thin client; it not only consumes a large amount of hardware computing resources but also poses security risks. Therefore, the operating system desktop environment is removed from the customized operating system in this application embodiment.

[0034] It should be noted that the embodiments of this application do not limit the types of pre-built functional modules included in the customized operating system. In an optional embodiment of this application, the pre-built functional modules may include, but are not limited to, at least one of the following: network module, audio/video module, graphical interface module, security module, character set related module, and time zone management module.

[0035] In practical implementation, the applications running on the cloud terminal mainly include cloud thin clients. As a remote login program for the cloud desktop, the cloud thin client does not require many complex functions; it only needs to provide the basic functional modules necessary for its operation. Too many complex functional modules would not only consume more computing and storage resources but also potentially introduce more security vulnerabilities. Based on the essential functions required by the cloud thin client, the customized operating system in this embodiment may include the following pre-built functional modules: a network module, an audio/video module, a graphical interface module, a security module, a character set-related module, and a time zone management module.

[0036] The network module can retain only the modules required for wired networks, and remove all modules other than wired communication (such as wireless communication); and retain the protocols required for communication with cloud hosts (such as the SPICE protocol) and the underlying protocols on which the protocol depends, while removing other application layer protocols.

[0037] The audio and video module can retain audio and video-related modules required by the application (such as cloud thin client), such as audio and video protocols, hardware drivers and implementation frameworks, as well as graphics and image rendering functions and operation assistance modules required by the application.

[0038] The graphical interface module can retain the graphical runtime framework corresponding to the application while removing the operating system desktop environment.

[0039] The security module is a lightweight, general-purpose access control framework. Appropriate security modules can be selected and loaded into the kernel based on actual needs. Applications do not have permission to modify the security module.

[0040] The character set related module can retain only the Chinese and English languages and fonts, as well as commonly used character sets.

[0041] The time zone management module is used to manage the system's running time as well as the current date and time.

[0042] Of course, the customized operating system also includes basic runtime dependencies, such as background process management modules. After determining the pre-built functional modules that need to be retained, the operating system kernel is configured to compile only the retained pre-built functional modules, omitting those that need to be removed. After compilation, the basic runtime dependencies of these pre-built functional modules are added to the retained modules to obtain the customized operating system.

[0043] It should be noted that the operating system in this application embodiment refers to the Linux operating system. This application embodiment does not limit the type of Linux operating system. For example, the Linux operating system may include, but is not limited to, any one of Debian, Ubuntu, CentOS (Community Enterprise Operating System), UOS (Tongxin Desktop Operating System), Kylin Operating System, Fangde Operating System, etc.

[0044] In this embodiment, the cloud terminal architecture can be logically divided into four layers, from bottom to top: hardware layer, operating system layer, pre-built interface layer, and application layer. Refer to Figure 2, which shows a logical architecture diagram of a cloud terminal according to this application.

[0045] The hardware layer includes the CPU, memory, hard drive, network devices, input/output devices, etc. Furthermore, the hardware layer can integrate a PCI security card with hardware management capabilities.

[0046] The operating system layer includes the Linux kernel, which abstracts and schedules access to hardware resources, ensuring the safe use of system resources by various processes. System programs and user programs run in user mode; programs outside the kernel need to go through system calls to enter the operating system kernel. The operating system layer contains a customized operating system, which only includes basic pre-built functional modules.

[0047] The pre-defined interface layer provides pre-defined interfaces. Each pre-defined interface is used to call a corresponding pre-defined functional module in the operating system layer, and that functional module in turn calls the kernel's system call interface to execute the corresponding kernel operations. In this embodiment, the operating system's original system call interface is encapsulated to obtain the pre-defined interfaces, which can be APIs (Application Programming Interfaces). In this embodiment, the pre-defined interface layer is referred to as the OS-API interface layer. The OS-API interface layer can be used to isolate the application layer from the operating system layer. The application layer can only call the pre-defined functional modules in the operating system layer through the pre-defined interfaces provided by the OS-API interface layer, thereby effectively preventing applications from directly accessing the operating system and thus protecting system security.

[0048] The application layer includes applications (such as cloud thin clients) for accessing cloud desktops. Multiple cloud thin clients from different vendors can be installed on the cloud terminal.

[0049] This application embodiment adds an OS-API interface layer between the operating system layer and the application layer of the cloud terminal. Through this OS-API interface layer, the cloud thin client is isolated from the operating system, and the functions required by the cloud thin client are provided through a re-encapsulated pre-built interface. Specifically, the OS-API interface layer can provide an external dynamic library and corresponding header files, making it convenient for upper-layer applications (such as cloud thin clients) to call the operating system's pre-built function modules to perform corresponding operations.

[0050] In this embodiment, the cloud terminal can adapt to any application, while the access of each application running on the cloud terminal is restricted. All access requests that require calling the operating system, such as network settings, sound settings, display settings, and security settings, must be implemented by calling the pre-built interfaces provided by the OS-API layer. Functional modules for which no pre-built interface is provided are not given corresponding access permissions. The operating system layer does not directly interact with the application layer. Furthermore, by adding the OS-API layer, this embodiment not only achieves unified management of interfaces but also keeps the specific implementation of the underlying operating system calls from being exposed even when the cloud client is exposed, thereby preventing the leakage of operating system permissions.

[0051] Referring to Figure 3, which shows a schematic diagram of data access and interaction between the application layer, the preset interface layer, and the operating system layer in an embodiment of this application. As shown in Figure 3, taking as an example a customized operating system whose pre-built functional modules include a network module, security module, audio/video module, and system information module, when an upper-layer application (such as a cloud thin client) needs to perform any of the following operations: network settings, security settings, audio/video settings, and information queries, these operations all require access to system resources. Therefore, network settings, security settings, audio/video settings, and information queries all need to be implemented by calling the pre-built interfaces in the OS-API interface layer. For example, the OS-API interface layer provides the following pre-built interfaces: network interface, security interface, audio/video interface, and query interface. The network interface is used to call the network module in the operating system layer to perform network settings operations. The security interface is used to call the security module in the operating system layer to perform security settings operations. The audio/video interface is used to call the audio/video module in the operating system layer to perform audio/video settings operations. The query interface is used to call the system information module in the operating system layer to perform information queries.

[0052] It is understandable that the pre-built functional modules and pre-built interfaces shown in Figure 3 are merely one application example of this application. This application does not limit the types of pre-built functional modules included in the customized operating system or the types of pre-built interfaces included in the interface layer.

[0053] For example, the preset function module may further include a software package installation module, and the preset interface may include a preset software installation interface, which is used to call the software package installation module to perform software installation operations.

[0054] In one optional embodiment of this application, the implementation of the pre-defined interface may include calling a code-level function or calling a system operation instruction. The pre-defined interface only exposes input parameters externally; the specific implementation is processed internally, and the caller cannot obtain the internal implementation. Calling a code-level function refers to calling an API function. Calling a system operation instruction refers to calling the `system(shell_string)` instruction, which encapsulates shell instructions and only exposes input parameters externally.
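To make the encapsulation in [0054] concrete, here is an added example written for this page (not code from the patent or its assignee): a hypothetical pre-built network interface, `osapi_net_set_ipv4()`, that exposes only its input parameters, validates them, and passes them to the network module as separate argument-vector elements rather than interpolating them into a `system()` shell string, so a caller's parameters can never alter the encapsulated command. It assumes the network module applies addresses with the iproute2 `ip addr add` command; the function names and error codes are invented for the example.

```c
/* Added example (not the patent's own code): a pre-built OS-API interface that
 * exposes only input parameters and keeps its implementation internal.
 * Assumptions: the network module is driven by the iproute2 "ip" command, and
 * the interface configures one IPv4 address on one wired interface. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define OSAPI_OK         0
#define OSAPI_EINVAL    -1   /* a parameter was rejected by the interface */
#define OSAPI_EEXEC     -2   /* the network module could not be invoked   */
#define OSAPI_MAX_ARGS   8
#define OSAPI_MAX_IFACE 15   /* IFNAMSIZ - 1 on Linux */

/* Interface names: 1..15 characters of [A-Za-z0-9_.-]. Anything else, including
 * whitespace, shell metacharacters and path separators, is refused. */
static int osapi_valid_iface(const char *iface)
{
    size_t n = iface ? strlen(iface) : 0;
    if (n == 0 || n > OSAPI_MAX_IFACE)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)iface[i];
        if (!isalnum(c) && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* IPv4 address in dotted-quad form; inet_pton() rejects anything else. */
static int osapi_valid_ipv4(const char *addr)
{
    struct in_addr tmp;
    return addr != NULL && inet_pton(AF_INET, addr, &tmp) == 1;
}

/* Validate the parameters and build the argument vector for the internal
 * network module. Each parameter becomes its own argv element, so there is
 * no shell parsing step between the caller's input and the command. */
int osapi_net_build_argv(const char *iface, const char *addr, int prefix,
                         char *cidr, size_t cidrlen,
                         const char *argv[OSAPI_MAX_ARGS])
{
    if (!osapi_valid_iface(iface) || !osapi_valid_ipv4(addr) ||
        prefix < 0 || prefix > 32)
        return OSAPI_EINVAL;
    if (snprintf(cidr, cidrlen, "%s/%d", addr, prefix) >= (int)cidrlen)
        return OSAPI_EINVAL;
    int i = 0;
    argv[i++] = "ip";
    argv[i++] = "addr";
    argv[i++] = "add";
    argv[i++] = cidr;
    argv[i++] = "dev";
    argv[i++] = iface;
    argv[i] = NULL;
    return OSAPI_OK;
}

/* The pre-built interface itself: the caller supplies parameters only and
 * receives a status code; how the address is applied stays internal. */
int osapi_net_set_ipv4(const char *iface, const char *addr, int prefix)
{
    char cidr[32];
    const char *argv[OSAPI_MAX_ARGS];
    int rc = osapi_net_build_argv(iface, addr, prefix, cidr, sizeof cidr, argv);
    if (rc != OSAPI_OK)
        return rc;
    pid_t pid = fork();
    if (pid < 0)
        return OSAPI_EEXEC;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);  /* no shell involved */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return OSAPI_EEXEC;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? OSAPI_OK
                                                           : OSAPI_EEXEC;
}
```

Applying the address requires the privileges the network module itself runs with; the builder can be exercised on its own to confirm that malformed parameters are refused before anything is executed.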

[0055] In practical implementation, the cloud terminal can receive resource access requests sent by the target application through a pre-defined interface layer (OS-API interface layer). These resource access requests are used to request access to target system resources within the cloud terminal. For example, assuming the target application is a cloud thin client, and a user wants to perform network settings operations through the thin client, this network settings operation requires access to the target system resource (such as a network configuration file) on the cloud terminal. This resource access request is triggered by calling the target interface (such as a network interface) provided by the pre-defined interface layer. This target interface is used to implement the operations of the target functional module (such as the network module) within the pre-defined functional modules.

[0056] In this embodiment, the target application is an application that is authorized to run on the cloud terminal. As an aspect of the security access control in this application, only authorized applications can run on the cloud terminal. For example, if a thin client is an authorized application on the cloud terminal, then the thin client can run normally on the cloud terminal. For unauthorized applications, such as a web browser, the web browser cannot run on the cloud terminal.

[0057] It should be noted that this application embodiment does not limit the specific method of application authorization. For example, applications installed on the cloud terminal can be authorized and allowed to run through preset access control policies at the operating system level.

[0058] To further ensure the system security of the cloud terminal, this embodiment of the application, after receiving a resource access request sent by the target application at the OS-API interface layer, further determines whether the resource access request has access rights to the target system resource; only when it is determined that the resource access request has access rights to the target system resource, does it access the target system resource by calling the target functional module.

[0059] For example, suppose the target application is a cloud thin client. A user wants to perform network settings operations through the cloud thin client, which requires access to a target system resource (e.g., a network configuration file) on the cloud client. This resource access request is triggered by calling a target interface (such as a network interface) provided by a pre-defined interface layer. This target interface is used to implement the operations of a target functional module (such as a network module) within a pre-defined functional module. At this point, the cloud client's operating system authenticates the resource access request to determine if it has the necessary access permissions to the target system resource (such as the network configuration file). If authentication is successful, meaning the resource access request has the necessary access permissions to the target system resource (such as the network configuration file), then the operation of calling the target functional module (such as the network module) to access the target system resource (such as the network configuration file) can be executed.

[0060] In one optional embodiment of this application, the method may further include: if it is determined that the resource access request does not have the necessary access permissions to the target system resource, then the operation of calling the target functional module is refused.

[0061] In the example above, if the operating system fails to authenticate, that is, if it is determined that the resource access request does not have the access permission to the target system resource (such as a network configuration file), then the operation of calling the target functional module (such as a network module) will be refused.

[0062] This application embodiment sets access control policies for system resources in the cloud terminal. When a target application wants to access the target system resource, in addition to calling the preset interface provided by the preset interface layer, it also needs to have the corresponding access permissions in the access control policy in order to access the target system resource.

[0063] In this embodiment, system resources may include files, directories, network ports, and other resources within the system. The files may include, but are not limited to, system configuration files, client configuration files, client information, and client logs. This embodiment further protects sensitive information in the cloud client by setting access control policies for system resources.

[0064] In an optional embodiment of this application, the method may further include: setting security information tags for resources and processes in the cloud terminal according to a preset first access control policy, wherein the first access control policy is used to specify whether there are operation permission rules for the security information tags of the processes and the security information tags of the resources.

[0065] Step 102, determining whether the resource access request has access rights to the target system resource, may include: determining whether there is a first operation permission rule in the first access control policy, wherein the first operation permission rule refers to the existence of an operation permission rule for the security information tag of the process calling the target functional module on the security information tag of the target system resource; if it is determined that the first operation permission rule exists, then it is determined that the resource access request has access rights to the target system resource.

[0066] In practice, system resources are read and modified through processes. If a process runs as the root user, it can operate on any system resource without restriction. If the root user is compromised, or if the root user makes a mistake during operation, it could have a significant impact on the system. For example, if root user privileges are maliciously obtained, the user's identity information, login address information, and data files uploaded to the cloud server via USB flash drive could be intercepted. Furthermore, some client configuration information could be arbitrarily modified, leading to serious data leaks.

[0067] To further protect system security, this application embodiment sets security information tags for resources and processes in the cloud terminal according to a preset first access control policy. The first access control policy specifies whether there are operation permission rules for the security information tags of processes and resources. Security information tags can control the access permissions of processes to specific categories of system resources. For example, by default, all processes can be prohibited from accessing system resources; however, when it is necessary to grant access to specific system resources to specific processes, operation permission rules for the security information tags of that process and the security information tags of that system resource can be added to the first access control policy.

[0068] Furthermore, embodiments of this application can also classify system resources in the cloud terminal to obtain at least one resource category, thereby enabling processes to have different access permissions to system resources of different resource categories.

[0069] For example, taking system resources as system files, this application embodiment can classify all files within the operating system and specify different access control policies based on different file categories. For instance, files within the operating system can be divided into file categories such as configuration files, library files, and executable files. According to a preset first access control policy, security information tags are set for files and processes of different file categories to control the access permissions of processes to files of specific categories.

[0070] The first access control policy can be configured according to actual needs. Furthermore, the first access control policy can be implemented with a mandatory access control (MAC) mechanism, such as SELinux. A mandatory access control mechanism manages and controls the permissions of subjects in the operating system to access objects and perform operations, and the kernel applies it in addition to the ordinary discretionary (owner and mode) checks. Restricting permissions in this way counters attacks in which the attacker has obtained operating system administrator privileges, since administrator identity alone no longer confers access to a resource, reducing the possibility of risks occurring.

[0071] In this embodiment, the subject can refer to a process, and the object can refer to a system resource. The object is the target accessed by the subject. Objects may include, but are not limited to, files, directories, file systems, network ports, and devices.

[0072] The operations performed by a subject accessing an object in this embodiment may include, but are not limited to, reading, writing, creating, querying, unmounting, and mounting. For example, when the object is a file, the operations performed by a subject accessing the object may include, but are not limited to, a process accessing the file to perform at least one of reading, writing, and creating operations; as another example, when the object is a file system, the operations performed by a subject accessing the object may include, but are not limited to, a process accessing the file system to perform at least one of mounting and unmounting operations.

[0073] SELinux controls which subjects (processes) can access which objects (system resources) by defining security policies (such as the first access control policy in this application). Both subjects and objects carry their own security information labels (also called security contexts). System calls triggered by applications (such as reading a file) are checked by SELinux in the kernel against the security policy. If the policy allows the operation, execution continues; otherwise the system call fails and the application receives an error (typically EACCES), and the denial is recorded as an AVC message in the audit log, which is where an administrator looks first when diagnosing a blocked access.

[0074] SELinux security policies consist of a series of rules. These rules define which categories of subjects can access which categories of objects, that is, which process security information tags hold permission rules on which resource security information tags, and only users with specific permissions are authorized to modify the policy. For example, the first access control policy can govern whether each pre-defined interface in the pre-defined interface layer may call the pre-defined function modules in the operating system layer to access system resources.

[0075] This embodiment controls the access permissions of processes to system resources through the first access control policy. Even if a process is running as the root user, if there is no operation permission rule for the security information label of the target system resource that the process wants to access, the process cannot access the target system resource, which further protects the security of system resources. This holds only while the mandatory access control mechanism is in enforcing mode and the process runs in a confined domain; a process in an unconfined domain, or a system switched to permissive mode, is not restricted by the rules, so the customized operating system should lock both settings down.

[0076] In an optional embodiment of this application, the method may further include: classifying the operating system users of the cloud terminal into roles to obtain at least one user role; and setting security information tags for resources and user roles in the cloud terminal according to a preset second access control policy, wherein the second access control policy is used to specify whether there are operation permission rules for the security information tags of the user roles and the security information tags of the resources.

[0077] Step 102, determining whether the resource access request has access rights to the target system resource, may include: determining whether there is a second operation permission rule in the second access control policy, wherein the second operation permission rule refers to the existence of an operation permission rule for the security information tag of the currently logged-in user role on the security information tag of the target system resource; if it is determined that the second operation permission rule exists, then it is determined that the resource access request has access rights to the target system resource.

[0078] To further enhance the system security of cloud terminals, this application embodiment not only controls access permissions for processes to system resources but also controls access permissions for users to system resources. Specifically, this application embodiment divides the operating system users of the cloud terminal into roles, resulting in at least one user role. According to a preset second access control policy, security information tags are set for resources and user roles in the cloud terminal. The second access control policy specifies whether there are operation permission rules for the security information tags of resources corresponding to the security information tags of user roles. This application embodiment implements refined and hierarchical management of user roles in the operating system, allowing different user roles to correspond to different access control policies, associating roles with users, thereby achieving access control for users. For example, the second access control policy can be used to grant user role A permission to set network IP addresses, and user role B permission to view client logs, etc.

[0079] It should be noted that the second access control policy can also be a mandatory access control policy, such as one expressed with SELinux, whose security contexts carry a user and a role field alongside the type, so that role-based restrictions can be written in the same policy framework. For the second access control policy, the subject refers to a user role and the object to a system resource. The second access control policy is defined to control which subjects (user roles) can access which objects (system resources).

[0080] Furthermore, in specific implementations, the first access control policy and the second access control policy can be used in combination, combining user role-based access control with mandatory access control. In one example, a cloud thin client performs a modification operation on a network configuration file by calling a network interface. The operation of calling the network module to modify the network configuration file is executed only if all three of the following hold according to the first and second access control policies: the currently logged-in user role has access to the network configuration file; the cloud thin client process has permission to call the network interface; and the process calling the network module also has access to the network configuration file. If any one of the three checks fails, the operation is refused.
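As an added illustration of the combined check in the network configuration example just described, and of the first (process tag) and second (user role tag) policies introduced in [0067] to [0079], the following Python model is a toy reference monitor written for this page; it is not code from the patent and not SELinux itself. The label names (thin_client_t, shell_t, config_t, lib_t, exec_t, net_iface, netadmin_r, viewer_r), the path prefixes used to classify files, and the two rule tables are all assumptions chosen for illustration.

```python
"""Toy reference monitor for the two label-based policies described above.

Constructed example, not code from the patent: the label names, rule tables
and the network-configuration scenario are assumptions chosen to illustrate
the decision logic. A real deployment would compile equivalent rules into a
SELinux policy inside the customized operating system.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# A rule key is (subject tag, object tag, object class); the value is the set of
# permitted operations. Anything absent from the table is denied (default deny).
RuleKey = Tuple[str, str, str]


@dataclass(frozen=True)
class Policy:
    """Default-deny allow table keyed on security information tags."""
    allows: Dict[RuleKey, FrozenSet[str]]

    def permits(self, subject_tag: str, object_tag: str, object_class: str, op: str) -> bool:
        return op in self.allows.get((subject_tag, object_tag, object_class), frozenset())


@dataclass(frozen=True)
class Process:
    pid: int
    uid: int        # 0 is root; deliberately NOT consulted by the monitor
    domain: str     # security information tag of the process (assumed name)


@dataclass(frozen=True)
class Session:
    user: str
    role: str       # security information tag of the logged-in user role (assumed name)


def label_resource(path: str) -> str:
    """Tag a file by the resource category it falls in (assumed categories and prefixes)."""
    if path.startswith("/etc/"):
        return "config_t"
    if path.startswith("/usr/lib/"):
        return "lib_t"
    if path.startswith("/usr/bin/"):
        return "exec_t"
    return "default_t"


# First access control policy: process tag -> resource tag or interface tag.
FIRST_POLICY = Policy({
    ("thin_client_t", "net_iface", "interface"): frozenset({"call"}),
    ("thin_client_t", "config_t", "file"):       frozenset({"read", "write"}),
    ("thin_client_t", "lib_t", "file"):          frozenset({"read"}),
    ("thin_client_t", "exec_t", "file"):         frozenset({"read", "execute"}),
})

# Second access control policy: user-role tag -> resource tag.
SECOND_POLICY = Policy({
    ("netadmin_r", "config_t", "file"): frozenset({"read", "write"}),
    ("viewer_r",   "config_t", "file"): frozenset({"read"}),
})


def authorize(proc: Process, sess: Session, interface_tag: str, path: str, op: str) -> Tuple[bool, str]:
    """Combined check from the network-configuration example: the role must be
    allowed on the resource, the process must be allowed to call the interface,
    and the process must be allowed on the resource. All three must hold."""
    obj = label_resource(path)
    if not SECOND_POLICY.permits(sess.role, obj, "file", op):
        return False, f"role {sess.role} has no {op} rule on {obj}"
    if not FIRST_POLICY.permits(proc.domain, interface_tag, "interface", "call"):
        return False, f"process {proc.domain} may not call interface {interface_tag}"
    if not FIRST_POLICY.permits(proc.domain, obj, "file", op):
        return False, f"process {proc.domain} has no {op} rule on {obj}"
    return True, "allowed"


if __name__ == "__main__":
    client = Process(pid=1234, uid=0, domain="thin_client_t")   # root, but confined
    for sess in (Session("alice", "netadmin_r"), Session("bob", "viewer_r")):
        print(sess.user, authorize(client, sess, "net_iface", "/etc/network/interfaces", "write"))
    root_shell = Process(pid=999, uid=0, domain="shell_t")        # root with no rules: denied
    print("root shell", authorize(root_shell, Session("alice", "netadmin_r"),
                                  "net_iface", "/etc/network/interfaces", "write"))
```

Running it shows the same request succeeding for netadmin_r and failing for viewer_r, and failing for a root shell whose domain has no rules: uid 0 is carried on the process but never consulted, which is the point of [0075]. In SELinux proper the process domain, user, and role are fields of a single security context; splitting them into two tables here only mirrors the two policies the text describes.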

[0081] This application embodiment grants different user roles to operating system users, and different permissions to different user roles. Combined with mandatory access control policies, it controls the access permissions of processes to specific categories of system resources. This achieves isolation between user processes and the operating system, further ensuring the system security of cloud terminals.

[0082] In one optional embodiment of this application, the cloud terminal may be configured with a PCI security card, and the method may further include: controlling the opening or closing of a specified peripheral interface of the cloud terminal through the PCI security card.

[0083] A PCI security card is a hardware card carrying security policies that is inserted into the motherboard of the cloud terminal via a PCI interface. It can manage all peripherals involved in data input and output, such as network cards, USB ports (and therefore USB flash drives), serial ports, and optical drives, and can open or close specific peripheral interfaces of the cloud terminal.

[0084] For example, in this embodiment the PCI security card closes specified peripheral interfaces of the cloud terminal, such as the USB, serial, optical drive, and printer interfaces, and opens only the mouse, keyboard, and monitor interfaces. This prevents data in the cloud terminal from being transmitted out through the peripheral interfaces, thereby protecting the data security of the cloud terminal. Because the control is applied at the hardware layer, it complements rather than relies on the operating system's own device policy.

[0085] In one optional embodiment of this application, the method may further include:

[0086] Step S11: Monitor in real time whether the cloud terminal is connected to the external network;

[0087] Step S12: If the cloud terminal is detected to be connected to the external network, an alarm message is sent to the preset server and the network card interface of the cloud terminal is turned off.

[0088] This application embodiment monitors in real time whether the cloud terminal is connected to the external network. If the cloud terminal is detected to be connected to the external network, an alarm can be triggered immediately and the network can be disconnected, so that data cannot continue to be transmitted, thereby achieving data access control based on the hardware level.

[0089] For example, a preset monitoring program can run in the background of the cloud terminal to monitor in real time whether the cloud terminal is connected to the external network. Specifically, the monitoring program periodically reads the probe address from the system configuration file and communicates with the probe address via ICMP (Internet Control Message Protocol). If the communication succeeds, the cloud terminal is connected to the external network: the program then sends an alarm message to the preset server, controls the network card interface of the cloud terminal to be closed via the PCI security card to prevent data transmission, and proceeds to the next round of detection. The alarm is sent before the interface is closed so that it can still leave the terminal. Note that a failed ICMP exchange does not prove isolation, since ICMP may be filtered on the path, so the probe detects an open leakage path rather than guaranteeing its absence.
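The following Python sketch, added here and not taken from the patent, implements the detection round just described: read the probe address from the configuration, probe it with ICMP, and on success raise the alarm and then close the network interface. Assumptions: the configuration is key=value text with a probe_address key, the probe shells out to the system ping binary with Linux flags, and the alarm and PCI card actions are injected callables (no real card or server is driven here; the config text in the example is constructed).

```python
"""Constructed example of the background monitor sketched above; not the
patent's code. Assumptions: the probe address is stored as 'probe_address=...'
in a key=value configuration file, and the alarm and NIC-shutdown actions are
injected as callables so the logic can be exercised without a PCI security card.
"""
import subprocess
import time
from typing import Callable, List, Optional


def read_probe_address(config_text: str, key: str = "probe_address") -> Optional[str]:
    """Extract the probe address from key=value lines; '#' comments and blanks are ignored."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        k, v = (part.strip() for part in line.split("=", 1))
        if k == key and v:
            return v
    return None


def icmp_reachable(address: str, timeout_s: int = 1) -> bool:
    """One ICMP echo through the system ping binary (Linux flags; no raw socket needed).
    A reply proves the external path is open. No reply does NOT prove isolation,
    because ICMP may be filtered on the path, so this is a detector, not a guarantee."""
    try:
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), address],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=timeout_s + 2,
        )
        return result.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def check_once(config_text: str,
               probe: Callable[[str], bool],
               send_alarm: Callable[[str], None],
               close_nic: Callable[[], None]) -> str:
    """One detection round. Returns a short verdict string for logging and testing."""
    address = read_probe_address(config_text)
    if address is None:
        return "no-probe-address"
    if not probe(address):
        return "isolated"
    # Order matters: the alarm must leave the terminal before the interface
    # is closed, otherwise the PCI card cuts off the very path the alarm uses.
    send_alarm(address)
    close_nic()
    return "external-detected"


def monitor(config_path: str, interval_s: float, rounds: Optional[int] = None,
            probe: Callable[[str], bool] = icmp_reachable,
            send_alarm: Callable[[str], None] = print,
            close_nic: Callable[[], None] = lambda: None) -> List[str]:
    """Periodic loop from the paragraph above: re-read the config, probe, act, repeat."""
    verdicts: List[str] = []
    n = 0
    while rounds is None or n < rounds:
        with open(config_path, encoding="utf-8") as fh:
            verdicts.append(check_once(fh.read(), probe, send_alarm, close_nic))
        n += 1
        if rounds is None or n < rounds:
            time.sleep(interval_s)
    return verdicts


if __name__ == "__main__":
    # Constructed configuration; 198.51.100.7 is a documentation address.
    sample_cfg = "# constructed config\nprobe_address = 198.51.100.7\n"
    print(check_once(sample_cfg, icmp_reachable,
                     lambda a: print("ALARM: external path to", a),
                     lambda: print("PCI card: network interface closed")))
```

Once close_nic has run, every later round reports isolated because the probe itself can no longer reach the address; a real deployment would therefore also want a heartbeat to the preset server over the permitted internal path, so the server can tell "interface closed after detection" from "terminal offline".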

[0090] In summary, this application provides a secure access control method for cloud terminals. The cloud terminal is equipped with a customized operating system, which refers to an operating system that has unnecessary functional modules removed, retaining only the pre-built functional modules necessary for the normal operation of the thin cloud client. This allows for lightweighting and automation of the cloud terminal while improving system security. Furthermore, this application adds a pre-built interface layer between the operating system layer and the application layer of the cloud terminal. This pre-built interface layer isolates the thin cloud client from the operating system, allowing it to run the functions required by the thin cloud client. Providing these functions through a re-encapsulated pre-built interface further protects the system security of the cloud terminal. Moreover, this application integrates a PCI security card at the hardware layer, achieving hardware-level data access control. In conclusion, this application's three-layer protection system—based on the hardware layer, operating system layer, and pre-built interface layer—effectively improves the system and data security of the cloud terminal, thereby further protecting the data security of remotely accessed cloud hosts.

[0091] It should be noted that, for the sake of simplicity, the method embodiments are all described as a series of actions. However, those skilled in the art should understand that the embodiments of this application are not limited to the described order of actions, because according to the embodiments of this application, some steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of this application.

[0092] Referring to Figure 4, which illustrates a structural block diagram of an embodiment of a secure access control device according to this application. The device can be applied to a cloud terminal, which is equipped with a customized operating system. The customized operating system includes pre-installed functional modules, and the device may include:

[0093] The request receiving module 401 is used to receive a resource access request sent by a target application, the resource access request being used to request access to target system resources in the cloud terminal; wherein, the target application is an application that is authorized to run in the cloud terminal; the resource access request is triggered by calling a target interface provided by a preset interface layer; the target interface is used to implement the operation of the target function module in the preset function module;

[0094] The permission determination module 402 is used to determine whether the resource access request has the access permission to the target system resource;

[0095] The operation execution module 403 is used to access the target system resource by calling the target function module if it is determined that the resource access request has access rights to the target system resource.

[0096] Optionally, the device further includes:

[0097] The operation rejection module is used to refuse to execute the operation of calling the target function module if it is determined that the resource access request does not have the access permission of the target system resource.

[0098] Optionally, the device further includes:

[0099] The first setting module is used to set security information tags for resources and processes in the cloud terminal according to a preset first access control policy. The first access control policy is used to specify whether there are operation permission rules for the security information tags of the processes and the security information tags of the resources.

[0100] The permission determination module includes:

[0101] The first matching submodule is used to determine whether there is a first operation permission rule in the first access control policy. The first operation permission rule refers to the existence of an operation permission rule for the security information tag of the process calling the target functional module and the security information tag of the target system resource.

[0102] The first determining submodule is used to determine, if it is determined that the first operation permission rule exists, that the resource access request has access permissions to the target system resource.

[0103] Optionally, the device further includes:

[0104] The role classification module is used to classify the operating system users of the cloud terminal into roles, thereby obtaining at least one user role;

[0105] The second setting module is used to set security information tags for resources and user roles in the cloud terminal according to a preset second access control policy. The second access control policy is used to specify whether there are operation permission rules for the security information tags of user roles and the security information tags of resources.

[0106] The permission determination module includes:

[0107] The second matching submodule is used to determine whether there is a second operation permission rule in the second access control policy. The second operation permission rule refers to the existence of an operation permission rule for the security information tag of the currently logged-in user role to the security information tag of the target system resource.

[0108] The second determining submodule is used to determine, if it is determined that the second operation permission rule exists, that the resource access request has access permissions to the target system resource.

[0109] Optionally, the device further includes:

[0110] The real-time monitoring module is used to monitor whether the cloud terminal is connected to the external network in real time;

[0111] The network disconnection alarm module is used to send an alarm message to a preset server and shut down the network card interface of the cloud terminal if it detects that the cloud terminal is connected to the external network.

[0112] Optionally, the cloud terminal is equipped with a PCI security card, and the device further includes:

[0113] The interface control module is used to control the opening or closing of a specified peripheral interface of the cloud terminal through the PCI security card.

[0114] Optionally, the preset function modules include at least one of a network module, an audio/video module, a graphical interface module, a security module, a character set related module, and a time zone management module.

[0115] In summary, this application provides a secure access control device for cloud terminals. The cloud terminal is equipped with a customized operating system, which refers to an operating system that has unnecessary functional modules removed, retaining only the pre-installed functional modules necessary for the normal operation of the thin cloud client. This allows for lightweighting and automation of the cloud terminal while improving system security. Furthermore, this application adds a pre-installed interface layer between the operating system layer and the application layer of the cloud terminal. This pre-installed interface layer isolates the thin cloud client from the operating system, allowing it to run the functions required by the thin cloud client. Providing these functions through a re-encapsulated pre-installed interface further protects the system security of the cloud terminal. Moreover, this application integrates a PCI security card at the hardware layer, achieving hardware-level data access control. In conclusion, this application's three-layer protection system—hardware layer, operating system layer, and pre-installed interface layer—effectively improves the system and data security of the cloud terminal, thereby further protecting the data security of remotely accessed cloud hosts.

[0116] As the device embodiment is basically similar to the method embodiment, the description is relatively simple, and relevant parts can be found in the description of the method embodiment.

[0117] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. The same or similar parts between the various embodiments can be referred to each other.

[0118] Regarding the apparatus in the above embodiments, the specific manner in which each module performs its operation has been described in detail in the embodiments related to the method, and will not be elaborated upon here.

[0119] This application provides an apparatus for secure access control, including a memory and one or more programs, wherein the programs are stored in the memory and configured to be executed by one or more processors, and the programs include instructions for performing the secure access control methods described in one or more of the above embodiments.

[0120] Figure 5 is a block diagram illustrating an apparatus 800 for secure access control according to an exemplary embodiment. For example, apparatus 800 may be a mobile phone, computer, digital broadcasting terminal, messaging device, game console, tablet device, medical device, fitness equipment, personal digital assistant, etc.

[0121] Referring to Figure 5, the device 800 may include one or more of the following components: a processing component 802, a memory 804, a power supply component 806, a multimedia component 808, an audio component 810, an input/output (I/O) interface 812, a sensor component 814, and a communication component 816.

[0122] Processing component 802 typically controls the overall operation of device 800, such as operations associated with display, telephone calls, data communication, camera operation, and recording operations. Processing component 802 may include one or more processors 820 to execute instructions to perform all or part of the steps of the methods described above. Furthermore, processing component 802 may include one or more modules to facilitate interaction between processing component 802 and other components. For example, processing component 802 may include a multimedia module to facilitate interaction between multimedia component 808 and processing component 802.

[0123] Memory 804 is configured to store various types of data to support the operation of device 800. Examples of this data include instructions for any application or method operating on device 800, contact data, phonebook data, messages, pictures, videos, etc. Memory 804 can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic storage, flash memory, magnetic disk, or optical disk.

[0124] Power supply component 806 provides power to various components of device 800. Power supply component 806 may include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power to device 800.

[0125] Multimedia component 808 includes a screen that provides an output interface between the device 800 and the user. In some embodiments, the screen may include a liquid crystal display (LCD) and a touch panel (TP). If the screen includes a touch panel, the screen may be implemented as a touchscreen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, swipes, and gestures on the touch panel. The touch sensors may sense not only the boundaries of the touch or swipe action but also the duration and pressure associated with the touch or swipe operation. In some embodiments, multimedia component 808 includes a front-facing camera and/or a rear-facing camera. When the device 800 is in an operating mode, such as a shooting mode or a video mode, the front-facing camera and/or the rear-facing camera may receive external multimedia data. Each front-facing camera and rear-facing camera may be a fixed optical lens system or have focal length and optical zoom capabilities.

[0126] Audio component 810 is configured to output and/or input audio signals. For example, audio component 810 includes a microphone (MIC) configured to receive external audio signals when device 800 is in an operating mode, such as call mode, recording mode, and voice information processing mode. The received audio signals may be further stored in memory 804 or transmitted via communication component 816. In some embodiments, audio component 810 also includes a speaker for outputting audio signals.

[0127] I/O interface 812 provides an interface between processing component 802 and peripheral interface modules, such as keyboards, click wheels, buttons, etc. These buttons may include, but are not limited to, home buttons, volume buttons, power buttons, and lock buttons.

[0128] Sensor assembly 814 includes one or more sensors for providing status assessments of various aspects of device 800. For example, sensor assembly 814 can detect the on/off state of device 800, the relative positioning of components such as the display and keypad of device 800, and can also detect changes in the position of device 800 or a component of device 800, the presence or absence of user contact with device 800, the orientation or acceleration/deceleration of device 800, and temperature changes of device 800. Sensor assembly 814 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact. Sensor assembly 814 may also include a light sensor, such as a CMOS or CCD image sensor, for use in imaging applications. In some embodiments, sensor assembly 814 may also include an accelerometer, a gyroscope, a magnetometer, a pressure sensor, or a temperature sensor.

[0129] Communication component 816 is configured to facilitate wired or wireless communication between device 800 and other devices. Device 800 can access wireless networks based on communication standards, such as WiFi, 2G, or 3G, or combinations thereof. In one exemplary embodiment, communication component 816 receives broadcast signals or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, communication component 816 also includes a near-field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.

[0130] In an exemplary embodiment, the apparatus 800 may be implemented by one or more application-specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic components to perform the methods described above.

[0131] In an exemplary embodiment, a non-transitory computer-readable storage medium including instructions is also provided, such as a memory 804 including instructions, which can be executed by a processor 820 of the device 800 to perform the above-described method. For example, the non-transitory computer-readable storage medium may be a ROM, random access memory (RAM), CD-ROM, magnetic tape, floppy disk, or optical data storage device, etc.

[0132] A non-transitory computer-readable storage medium is provided which, when the instructions in the storage medium are executed by a processor of a device (server or terminal), enables the device to perform the secure access control method shown in Figure 1.

[0133] A non-transitory computer-readable storage medium is provided wherein, when the instructions in the storage medium are executed by a processor of a device (server or terminal), the device is able to perform the secure access control method of the embodiments corresponding to Figure 1. The description of that method is already provided above and will not be repeated here, and the beneficial effects of using the same method will likewise not be repeated. For technical details not disclosed in the computer program products or computer program embodiments related to this application, please refer to the description of the method embodiments of this application.

[0134] Furthermore, it should be noted that this application also provides a computer program product or computer program, which may include computer instructions, which may be stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the secure access control method of the embodiments corresponding to Figure 1. The description of that method is already provided above and will not be repeated here, and the beneficial effects of using the same method will likewise not be repeated. For technical details not disclosed in the computer program products or computer program embodiments related to this application, please refer to the description of the method embodiments of this application.

[0135] Other embodiments of this application will readily occur to those skilled in the art upon consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of this application that follow the general principles of this application and include common knowledge or customary techniques in the art not disclosed herein. The specification and examples are to be considered exemplary only, and the true scope and spirit of this application are indicated by the following claims.

[0136] It should be understood that this application is not limited to the precise structure described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope. The scope of this application is limited only by the appended claims.

[0137] The above description is only a preferred embodiment of this application and is not intended to limit this application. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this application should be included within the protection scope of this application.

[0138] The above provides a detailed description of a secure access control method, a secure access control device, and a readable storage medium provided in this application. Specific examples have been used to illustrate the principles and implementation methods of this application. The descriptions of the above embodiments are only for the purpose of helping to understand the method and its core ideas. At the same time, for those skilled in the art, there will be changes in the specific implementation methods and application scope based on the ideas of this application. Therefore, the content of this specification should not be construed as a limitation of this application.

Claims

1. A secure access control method, characterized in that it is applied to cloud terminals, the cloud terminals being equipped with a customized operating system, the customized operating system including pre-built functional modules, and the cloud terminal being equipped with a PCI security card through which the opening or closing of designated peripheral interfaces of the cloud terminal is controlled; the method includes: receiving a resource access request sent by a target application, the resource access request being used to request access to target system resources in the cloud terminal; wherein the target application is an application authorized to run in the cloud terminal; the target application includes a cloud thin client; the resource access request is triggered by calling a target interface provided by a preset interface layer; the target interface is used to implement the operation of the target function module in the preset function modules; the preset interface layer is located between the operating system layer and the application layer and is used to isolate the application layer from the operating system layer; the application layer includes a cloud thin client for accessing the cloud desktop; determining whether the resource access request has access rights to the target system resource, wherein the access rights are determined by judging whether there are operation permission rules between the security information tags of the resources and of the processes in the cloud terminal, and/or by judging whether there are operation permission rules between the security information tags of the resources and of the user roles in the cloud terminal, the security information tags being preset according to the preset access control policy; and if it is determined that the resource access request has access rights to the target system resource, accessing the target system resource by invoking the target functional module.

2. The method according to claim 1, characterized in that the method further includes: if it is determined that the resource access request does not have access permission for the target system resource, refusing the operation of calling the target functional module.

3. The method according to claim 1, characterized in that the method further includes: according to a preset first access control policy, setting security information tags for the resources and processes in the cloud terminal respectively, the first access control policy being used to specify whether operation permission rules exist between the security information tags of the processes and the security information tags of the resources; and determining whether the resource access request has access rights to the target system resource includes: determining whether a first operation permission rule exists in the first access control policy, the first operation permission rule being an operation permission rule of the security information tag of the process that calls the target functional module on the security information tag of the target system resource; and if the first operation permission rule is determined to exist, determining that the resource access request has access permission to the target system resource.

4. The method according to claim 1, characterized in that the method further includes: assigning roles to the operating system users of the cloud terminal to obtain at least one user role; according to a preset second access control policy, setting security information tags for the resources and user roles in the cloud terminal respectively, the second access control policy being used to specify whether operation permission rules exist between the security information tags of the user roles and the security information tags of the resources; and determining whether the resource access request has access rights to the target system resource includes: determining whether a second operation permission rule exists in the second access control policy, the second operation permission rule being an operation permission rule of the security information tag of the currently logged-in user role on the security information tag of the target system resource; and if the second operation permission rule is determined to exist, determining that the resource access request has access permission to the target system resource.
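The tag-based decision of claims 1 to 4 (process tag and/or user-role tag checked against the resource tag, with the refusal of claim 2) as an added illustration; this is not code from the patent, and the policy tables, tag names and the choice that either rule suffices for a grant are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple

# A policy maps (subject tag, resource tag) -> set of permitted operations.
# "Subject" is a process tag (first policy) or a user-role tag (second policy).
Policy = Dict[Tuple[str, str], FrozenSet[str]]

# Constructed sample policies; tag names are assumptions, not from the patent.
PROCESS_POLICY: Policy = {
    ("proc:thin_client", "res:display"): frozenset({"read", "write"}),
    ("proc:thin_client", "res:network"): frozenset({"read", "write"}),
}
ROLE_POLICY: Policy = {
    ("role:operator", "res:audio"): frozenset({"read"}),
}


@dataclass(frozen=True)
class AccessRequest:
    process_tag: str    # security information tag of the calling process
    role_tag: str       # security information tag of the logged-in user role
    resource_tag: str   # security information tag of the target system resource
    operation: str      # requested operation on that resource


class AccessController:
    def __init__(self, process_policy: Policy, role_policy: Policy) -> None:
        self.process_policy = process_policy
        self.role_policy = role_policy

    def first_rule_exists(self, req: AccessRequest) -> bool:
        """Claim 3: does the process tag hold an operation rule on the resource tag?"""
        allowed = self.process_policy.get((req.process_tag, req.resource_tag), frozenset())
        return req.operation in allowed

    def second_rule_exists(self, req: AccessRequest) -> bool:
        """Claim 4: does the current user-role tag hold a rule on the resource tag?"""
        allowed = self.role_policy.get((req.role_tag, req.resource_tag), frozenset())
        return req.operation in allowed

    def has_access(self, req: AccessRequest) -> bool:
        # Assumption: a grant from either policy is sufficient ("and/or" in claim 1).
        return self.first_rule_exists(req) or self.second_rule_exists(req)


def interface_layer_call(ctrl: AccessController, req: AccessRequest,
                         module: Callable[[AccessRequest], str]) -> Tuple[str, object]:
    """The preset interface layer: the functional module runs only on a positive decision."""
    if ctrl.has_access(req):
        return ("granted", module(req))
    return ("refused", None)  # claim 2: the module call is refused
```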

5. The method according to claim 1, characterized in that the method further includes: monitoring in real time whether the cloud terminal is connected to an external network; and if the cloud terminal is detected to be connected to an external network, sending an alarm message to a preset server and turning off the network card interface of the cloud terminal.

6. The method according to claim 1, characterized in that the preset functional modules include at least one of the following: a network module, an audio and video module, a graphical interface module, a security module, a character set related module, and a time zone management module.

7. A secure access control device, characterized in that it is applied to a cloud terminal, the cloud terminal being equipped with a customized operating system, the customized operating system including pre-built functional modules; the cloud terminal is equipped with a PCI security card, which controls the opening or closing of designated peripheral interfaces of the cloud terminal; the device includes: a request receiving module, used to receive a resource access request sent by a target application, the resource access request being used to request access to a target system resource in the cloud terminal; wherein the target application is an application authorized to run in the cloud terminal; the target application includes a cloud thin client; the resource access request is triggered by calling a target interface provided by a preset interface layer; the target interface is used to implement the operation of the target function module among the preset function modules; the preset interface layer is located between the operating system layer and the application layer, and is used to isolate the application layer from the operating system layer; the application layer includes a cloud thin client for accessing the cloud desktop; a permission determination module, used to determine whether the resource access request has access permission to the target system resource; the access permission is determined by judging whether operation permission rules exist between the security information tags of the resources and processes in the cloud terminal, and/or the access permission is determined by judging whether operation permission rules exist between the security information tags of the resources and user roles in the cloud terminal; the security information tags are preset according to a preset access control policy; and an operation execution module, used to access the target system resource by calling the target function module if it is determined that the resource access request has access rights to the target system resource.

8. A device for secure access control, characterized in that it includes a memory and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by one or more processors, and the one or more programs contain instructions for performing the secure access control method as described in any one of claims 1 to 7.

9. A readable storage medium having instructions stored thereon that, when executed by one or more processors of the device, cause the device to perform the secure access control method as described in any one of claims 1 to 6.