An endpoint management method and apparatus
By creating target endpoints in the seL4 operating system and monitoring their status in real time, the security risks in endpoint management are resolved, achieving high security, stability, and flexibility, while optimizing performance and data confidentiality.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents (China)
- Current Assignee / Owner
- ZHONGDIAN DATA IND CO LTD
- Filing Date
- 2024-11-26
- Publication Date
- 2026-06-12
AI Technical Summary
Traditional endpoint management poses security risks in the seL4 operating system. Unauthorized processes may access and modify endpoint data, leading to system instability and reduced security.
The target endpoint is created using an endpoint processing strategy, associated with a new thread and following the principle of least privilege. The status is monitored in real time using access control lists and endpoint tables, security alerts are triggered and measures are taken, and communication activity is recorded to ensure legitimate process communication.
It improves the security and stability of the seL4 system, optimizes performance, provides flexibility and the possibility of formal verification, simplifies system maintenance and updates, and ensures data confidentiality.
Figure CN119918069B_ABST (abstract drawing)
Description
Technical Field
[0001] This application relates to the field of computer operating system technology, and in particular to an endpoint management method and apparatus.
Background Technology
[0002] seL4 is a high-performance, highly secure microkernel operating system that provides an endpoint-based IPC mechanism, allowing processes to send messages and permissions to each other. However, in traditional implementations, the lack of fine-grained endpoint management poses potential security risks.
[0003] In view of this, how to provide an endpoint management method to ensure that only legitimate and authorized processes can communicate effectively has become an urgent technical problem to be solved.
Summary of the Invention
[0004] This application provides an endpoint management method, an endpoint management device, an electronic device, and a computer storage medium to address the problem of preventing unauthorized processes from accessing and modifying endpoint data, thereby ensuring system security and stability.
[0005] In a first aspect of this application, an endpoint management method is provided, characterized by comprising: creating at least one target endpoint capable of inter-thread communication for a new thread based on a preset endpoint processing strategy, associating the new thread with each endpoint, and starting the new thread to execute a target task, wherein the new thread follows the principle of least privilege, carries a set of minimum privileges required to complete the target task, and each endpoint has a corresponding owner list and access control list for restricting access to each endpoint; the preset endpoint processing strategy includes an endpoint creation strategy and an endpoint destruction strategy; during the execution of the target task by each endpoint, the status of each endpoint is monitored in real time using an endpoint table, and a security alarm is triggered and corresponding measures are taken when the status of an endpoint is in an abnormal communication state; the communication activities of each endpoint during the execution of the target task are recorded, and endpoints between seL4 microkernel processes are managed through analysis and auditing.
[0006] In a second aspect of this application, an endpoint management device is provided, characterized in that it includes:
[0007] The association module is configured to create at least one target endpoint that enables inter-thread communication for a new thread based on a preset endpoint processing strategy, associate the new thread with each endpoint, and start the new thread to execute the target task. Each endpoint has a corresponding owner list and access control list to restrict access to each endpoint. The preset endpoint processing strategy includes an endpoint creation strategy and an endpoint destruction strategy.
[0008] The monitoring module is configured to monitor the status of each endpoint in real time using an endpoint table during the execution of the target task at each endpoint, and to trigger a security alarm and take corresponding measures if an endpoint exhibits abnormal communication behavior.
[0009] The management module is configured to record the communication activities of each endpoint during the execution of the target task, and manage the endpoints between seL4 microkernel processes through analysis and auditing.
[0010] In a third aspect of this application, a computing device is provided, comprising:
[0011] Memory and processor;
[0012] The memory is used to store computer-executable instructions, and the processor is used to execute the computer-executable instructions, which, when executed by the processor, implement the steps of the endpoint management method described above.
[0013] According to a fourth aspect of the present application, a computer-readable storage medium is provided that stores computer-executable instructions that, when executed by a processor, implement the steps of the endpoint management method described above.
[0014] This application provides an endpoint management method, comprising: First, based on a preset endpoint processing strategy, creating at least one target endpoint capable of inter-thread communication for a new thread, associating the new thread with each endpoint, and starting the new thread to execute a target task. The new thread follows the principle of least privilege, carrying a set of minimum privileges required to complete the target task. Each endpoint has a corresponding owner list and access control list to restrict access to each endpoint. The preset endpoint processing strategy includes an endpoint creation strategy and an endpoint destruction strategy. Then, during the execution of the target task by each endpoint, the status of each endpoint is monitored in real time using an endpoint table. If an endpoint exhibits abnormal communication behavior, a security alarm is triggered, and corresponding measures are taken. Finally, the communication activities of each endpoint during the execution of the target task are recorded, and endpoint management between seL4 microkernel processes is performed through analysis and auditing.
[0015] The endpoint management method provided in this application has the following advantages:
[0016] Enhanced Security: By implementing granular access control and ownership management of endpoints, this invention significantly improves the security of IPC in the seL4 system. Access Control Lists (ACLs) ensure that only authorized processes can communicate with endpoints, effectively preventing unauthorized access and potential security threats.
[0017] Performance Optimization: The seL4 microkernel is designed with a focus on balancing performance and security. This invention enhances security and helps maintain high system performance by optimizing endpoint management. This is because optimized endpoint management reduces unnecessary security checks and data transfers, thereby mitigating the impact of performance bottlenecks.
[0018] Formal Verification: seL4 emphasizes the formal verification of its IPC mechanism, meaning that the endpoint management method of this invention can be verified for its correctness and security through formal methods. This verification process helps ensure the stability and reliability of the system.
[0019] Flexibility and scalability: The endpoint management method of this invention provides a flexible framework that can be adjusted according to different application scenarios and security requirements. This flexibility enables the system to adapt to constantly changing security environments and technical requirements.
[0020] Easy to maintain and update: By introducing endpoint status monitoring and communication auditing, this invention makes system maintenance and updates much easier. Any abnormal behavior can be detected and handled promptly, and the recording of communication logs facilitates post-event analysis and auditing.
[0021] In summary, this application optimizes the management of endpoint structures and authority structures, ensuring that only legitimate and authorized processes can communicate effectively. This not only enhances the security of IPC in the seL4 system but also provides the possibility of formal verification while maintaining high system performance, increases system flexibility and scalability, makes system maintenance and updates easier, and ensures data confidentiality.
[0022] The above description is merely an overview of the technical solution of this application. In order to better understand the technical means of this application and to implement it in accordance with the contents of the specification, and to make the above and other objects, features and advantages of this application more obvious and understandable, specific embodiments of this application are given below.
Description of the Drawings
[0023] Various other advantages and benefits will become apparent to those skilled in the art upon reading the following detailed description of preferred embodiments. The accompanying drawings are for illustrative purposes only and are not intended to limit the scope of this application. Furthermore, the same reference numerals denote the same parts throughout the drawings. In the drawings:
[0024] Figure 1 is a schematic diagram of the structure of an endpoint management system provided in an embodiment of this application;
[0025] Figure 2 is a flowchart illustrating an endpoint management method provided in an embodiment of this application;
[0026] Figure 3 is a schematic diagram of the structure of an endpoint management device provided in an embodiment of this application;
[0027] Figure 4 is a structural block diagram of a computing device provided in an embodiment of this application.
Detailed Implementation
[0028] Exemplary embodiments of the present disclosure will now be described in more detail with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
[0029] Referring to Figure 1, which is a schematic diagram of the structure of an endpoint management system provided in an embodiment of this application. As shown in Figure 1, this endpoint management system involves several key components that work closely together to achieve highly secure and flexible inter-process communication (IPC).
[0030] Specifically, the endpoint management system is based on the seL4 microkernel. The core components of the system's component architecture include: kernel (Kernel) 101, endpoint (Endpoint) 102, capability space (CSpace) 103, thread (Thread) 104, IPC framework (IPC Framework) 105, frame (Frame) 106, and scheduler (Scheduler) 107.
[0031] The seL4 kernel 101 is the core of the system, responsible for managing hardware resources, scheduling threads, handling interrupts, and providing basic system services. The kernel itself is very small, containing only the most basic functions to reduce the attack surface. It operates by interacting with user space through a message-passing mechanism to ensure system stability and security.
[0032] Endpoint 102 is the basic unit of IPC, used for message passing between threads. Each endpoint has a unique identifier and can be in different states (such as idle, connected, waiting, etc.). How it works: Threads send and receive messages through endpoints, and the kernel is responsible for maintaining the endpoint states and message queues.
[0033] Capability Space (CSpace) 103: Each thread has its own capability space, which contains all the capabilities that thread can access. A capability is an unforgeable credential used to access specific objects (such as endpoints, frames, threads, etc.). How it works: Capability spaces use access control to ensure that only threads with the corresponding capabilities can access specific resources, thereby achieving strong isolation and security.
[0034] Thread 104 is the basic unit of execution in the system. Each thread has its own register state, stack, and capability space. How it functions: Threads communicate with other threads through endpoints, and the kernel is responsible for scheduling thread execution.
[0035] IPC Framework 105 is a mechanism in seL4 used to implement efficient IPC, supporting multiple communication modes and protocols. How it works: The IPC framework uses endpoints and message passing mechanisms to achieve inter-thread communication, ensuring both security and efficiency.
[0036] Frame 106 is a memory area used to store data, which can be shared or exclusively used by multiple threads. How it works: Frames are managed through capability spaces; only threads with the corresponding capabilities can access the data within a frame.
[0037] Scheduler 107 manages the threads in the system and determines which thread should receive CPU time. Its function is to allocate CPU time based on thread priority and status, ensuring system fairness and responsiveness.
[0038] In this embodiment, the components function as follows: between the kernel and endpoints, the kernel is responsible for creating, destroying, and managing endpoints, maintaining their state and message queues; between endpoints and threads, threads send and receive messages through endpoints to achieve inter-process communication; between capability space and endpoints / frames, capability space contains access capabilities to endpoints and frames, ensuring that only threads with the corresponding capabilities can access these resources; between the IPC framework and endpoints, the IPC framework uses endpoints as the basic unit of communication, achieving inter-thread communication through message passing; between the scheduler and threads, the scheduler allocates CPU time based on thread priority and state to ensure system fairness and responsiveness.
[0039] In summary, highly secure and flexible inter-process communication is achieved through the close collaboration of a series of key components. These components include the kernel, endpoints, capability spaces, threads, IPC framework, frames, and the scheduler. They achieve security and efficiency through capability-based access control and messaging mechanisms. Simultaneously, security mechanisms such as the principle of least privilege and formal verification are followed to ensure the overall security and reliability of the system.
[0040] Referring to Figure 2, which is a flowchart illustrating an endpoint management method provided in an embodiment of this application. As shown in Figure 2, the specific steps include:
[0041] Step S202: Based on a preset endpoint processing strategy, create at least one target endpoint for the new thread that enables inter-thread communication, associate the new thread with each endpoint, and start the new thread to execute the target task. The new thread follows the principle of least privilege, carrying a set of minimum privileges required to complete the target task. Each endpoint has a corresponding owner list and access control list to restrict access to each endpoint. The preset endpoint processing strategy includes an endpoint creation strategy and an endpoint destruction strategy.
[0042] Step S204: During the execution of the target task at each endpoint, the status of each endpoint is monitored in real time using an endpoint table. If an endpoint exhibits abnormal communication behavior, a security alarm is triggered and corresponding measures are taken.
[0043] Step S206: Record the communication activities of each endpoint during the execution of the target task, and manage the endpoints between seL4 microkernel processes through analysis and auditing.
[0044] It should be noted that the principle of least privilege here means that seL4 adheres to this principle, i.e., each thread possesses only the minimum set of privileges required to complete its task. This helps reduce potential security risks.
[0045] Access Control Lists (ACLs) here: Through capability spaces and ACLs, seL4 implements fine-grained access control and strong isolation. Only threads with the corresponding capabilities can access specific resources, thereby preventing unauthorized access and potential security threats.
[0046] This application provides an endpoint management method to enhance the security of inter-process communication in a seL4 microkernel system. By optimizing the management of endpoint structures and authority structures, it ensures that only legitimate and authorized processes can conduct effective communication. Specifically, it includes the following steps: endpoint creation and destruction, endpoint access control, endpoint ownership transfer, endpoint status monitoring, endpoint encrypted communication, and endpoint communication auditing.
[0047] This application defines a strict endpoint creation and destruction policy to ensure that each newly created endpoint has a clear owner and access control list (ACL) and is destroyed in a timely manner when the endpoint is no longer needed.
[0048] In this embodiment of the application, based on a preset endpoint creation strategy, at least one target endpoint capable of inter-thread communication is created for a new thread, including:
[0049] When creating a new thread, a corresponding thread control block and virtual address space are allocated to the new thread, and the thread state in the thread control block is initialized. The thread control block carries the thread state and thread attributes corresponding to the new thread, and the thread state carries the thread priority and scheduling policy. The virtual address space carries the thread code, thread data and thread stack corresponding to the new thread.
[0050] Based on the thread control block and the virtual address space corresponding to the new thread, at least one endpoint is created, and each endpoint corresponds to an access control list, wherein the new thread, being listed in the access control list of each of its endpoints, receives or sends messages through that endpoint.
[0051] In practical applications, endpoint creation involves the following steps. First, create a thread control block (TCB): in seL4, each thread has a TCB, which contains the thread's state and attributes; when a new thread needs to be created, a TCB must first be allocated for that thread. Second, allocate an address space: allocate a virtual address space (VAS) for the new thread; this address space will contain the thread's code, data, and stack. Third, create IPC endpoints: in seL4, inter-process communication (IPC) is implemented through endpoints; an endpoint is an object used to send and receive messages, and to enable inter-thread communication, one or more endpoints need to be created for the new thread. Fourth, set the thread state: initialize the thread state in the TCB, including thread priority, scheduling policy, etc. Fifth, associate endpoints with the thread: associate the created endpoints with the new thread so that the thread can communicate with other threads through these endpoints. Finally, start the thread: after completing the above steps, the new thread can be started and begin executing its tasks.
[0052] Based on the preset endpoint destruction strategy, creating at least one target endpoint capable of inter-thread communication for a new thread further includes: when the thread corresponding to the target task terminates, reclaiming its thread control block and automatically destroying each endpoint corresponding to the new thread.
[0053] It also includes: when the thread executing the target task is a burst thread, manually destroying, before that thread terminates, the target endpoints corresponding to the burst thread, wherein, before each endpoint is manually destroyed, it is determined that the target endpoint has completed its message sending and receiving tasks as well as its interactions with other endpoints.
[0054] In practical applications, endpoint destruction can be achieved in two ways: automatic destruction and manual destruction. Automatic destruction occurs when a thread terminates: its TCB (thread control block) is reclaimed, and all endpoints associated with that thread are automatically destroyed. This is the primary endpoint destruction strategy in seL4, ensuring timely resource release. Manual destruction occurs in certain situations where a thread may need to manually destroy its endpoints before termination. This can be achieved by calling relevant system calls or APIs, but it is generally not recommended because the automatic destruction mechanism is already efficient and safe enough.
[0055] Furthermore, this application embodiment also considers security during destruction: before destroying the endpoint, seL4 ensures that there are no incomplete message transmissions or other activities related to the endpoint. This is achieved by checking the endpoint's state and related data structures to ensure the security of the destruction operation.
[0056] In another embodiment of this application, the method further includes: when the ownership of the target endpoint is transferred in the new thread corresponding to the target task, a verification strategy is used to perform permission checks, state checks, and consistency checks on the thread executing the target task. The permission check involves checking the capability set of the thread corresponding to the target task to determine if it has the right to modify the state information and owner information of each endpoint on the thread. The state check involves checking the current state of each endpoint on the thread corresponding to the target task to determine if all endpoints on the thread are in an unused state. The consistency check involves using a synchronization mechanism to check the system data structure.
[0057] In practical applications, endpoint verification specifically includes the following three aspects: First, permission checks: Before transferring endpoint ownership, the system must verify that the thread initiating the transfer has sufficient permissions to perform the operation. This typically involves checking the thread's capability set to ensure it has the right to modify the endpoint's state and owner information. Second, state checks: The system also needs to check the endpoint's current state to ensure it is in a state where transfer is safe. For example, if the endpoint is being used (e.g., during message transmission), it may be necessary to wait for the current operation to complete before transferring ownership. Third, consistency checks: When updating system data structures, it must be ensured that all related changes are atomic and do not lead to data inconsistencies or race conditions. This may require the use of locks or other synchronization mechanisms to protect critical data structures.
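The following is an added illustration, not part of this application and not code from the seL4 project, of how the creation strategy, the owner and access control list, the three ownership-transfer checks, and the destruction strategy described in paragraphs [0047] to [0057] can be modelled at user level. Every name in it (thread_create, ep_create, ep_check_send, ep_transfer_owner, ep_destroy, thread_terminate, the capability bits and the status bits) is an assumption of this example; the seL4 kernel object API is not used, and the owner list is reduced to a single owner thread id.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_THREADS   8
#define MAX_ENDPOINTS 8

/* Capability bits a thread may carry. A thread is created with only the
 * subset its target task needs (least privilege). Assumed layout. */
enum { CAP_EP_SEND = 1u << 0, CAP_EP_RECV = 1u << 1, CAP_EP_MANAGE = 1u << 2 };

/* Status bits stored in each endpoint-table entry. Assumed layout. */
enum { EP_ST_IN_USE = 1u << 0, EP_ST_BUSY = 1u << 1 };

typedef struct { bool alive; uint32_t caps; } thread_t;
typedef struct {
    uint32_t status;   /* status bits */
    int      owner;    /* owner list, modelled as a single owner thread id */
    uint32_t acl_send; /* ACL: bitmask of thread ids allowed to send */
    uint32_t acl_recv; /* ACL: bitmask of thread ids allowed to receive */
} endpoint_t;

static thread_t   threads[MAX_THREADS];
static endpoint_t eps[MAX_ENDPOINTS];
static bool       table_locked;   /* stand-in for the lock guarding the table */

static bool thread_ok(int t) { return t >= 0 && t < MAX_THREADS && threads[t].alive; }
static bool ep_ok(int e)     { return e >= 0 && e < MAX_ENDPOINTS && (eps[e].status & EP_ST_IN_USE); }

/* Allocate a thread carrying exactly the capability set passed in. */
int thread_create(uint32_t caps) {
    for (int t = 0; t < MAX_THREADS; t++)
        if (!threads[t].alive) { threads[t].alive = true; threads[t].caps = caps; return t; }
    return -1;
}

/* Creation strategy: every new endpoint gets a clear owner and an ACL. */
int ep_create(int owner, uint32_t acl_send, uint32_t acl_recv) {
    if (!thread_ok(owner)) return -1;
    for (int e = 0; e < MAX_ENDPOINTS; e++) {
        if (eps[e].status & EP_ST_IN_USE) continue;
        eps[e].status   = EP_ST_IN_USE;
        eps[e].owner    = owner;
        eps[e].acl_send = acl_send | (1u << owner);   /* the owner may always use it */
        eps[e].acl_recv = acl_recv | (1u << owner);
        return e;
    }
    return -1;
}

/* Access check before a send: 0 = allowed, -1 endpoint does not exist,
 * -2 thread lacks the send capability, -3 thread is not in the ACL. */
int ep_check_send(int t, int e) {
    if (!ep_ok(e) || !thread_ok(t)) return -1;
    if (!(threads[t].caps & CAP_EP_SEND)) return -2;
    if (!(eps[e].acl_send & (1u << t))) return -3;
    return 0;
}

/* Mark or clear an in-flight message transfer on the endpoint. */
void ep_set_busy(int e, bool busy) {
    if (ep_ok(e)) eps[e].status = busy ? (eps[e].status | EP_ST_BUSY) : (eps[e].status & ~EP_ST_BUSY);
}

/* Ownership transfer with the permission, state and consistency checks.
 * 0 = ok, -1 bad ids, -2 permission check failed, -3 state check failed
 * (transfer in flight), -4 consistency check failed (table being updated). */
int ep_transfer_owner(int from, int to, int e) {
    if (!ep_ok(e) || !thread_ok(from) || !thread_ok(to)) return -1;
    if (eps[e].owner != from || !(threads[from].caps & CAP_EP_MANAGE)) return -2;
    if (eps[e].status & EP_ST_BUSY) return -3;
    if (table_locked) return -4;
    table_locked = true;                 /* all related changes happen atomically */
    eps[e].owner     = to;
    eps[e].acl_send |= 1u << to;
    eps[e].acl_recv |= 1u << to;
    table_locked = false;
    return 0;
}

/* Destruction is refused while a message transfer is still in flight. */
int ep_destroy(int e) {
    if (!ep_ok(e)) return -1;
    if (eps[e].status & EP_ST_BUSY) return -2;
    eps[e].status = 0; eps[e].owner = -1; eps[e].acl_send = eps[e].acl_recv = 0;
    return 0;
}

/* Automatic destruction strategy: reclaiming a terminated thread's TCB
 * destroys every endpoint it owns. Returns the number destroyed. */
int thread_terminate(int t) {
    if (!thread_ok(t)) return -1;
    int n = 0;
    for (int e = 0; e < MAX_ENDPOINTS; e++)
        if (ep_ok(e) && eps[e].owner == t && ep_destroy(e) == 0) n++;
    threads[t].alive = false; threads[t].caps = 0;
    return n;
}

int main(void) {
    int a = thread_create(CAP_EP_SEND | CAP_EP_RECV | CAP_EP_MANAGE);
    int b = thread_create(CAP_EP_SEND);             /* least privilege: send only */
    int e = ep_create(a, 1u << b, 0);
    printf("b may send: %d, transfer a->b: %d, destroyed when b exits: %d\n",
           ep_check_send(b, e), ep_transfer_owner(a, b, e), thread_terminate(b));
    return 0;
}
```

The send check fails differently for a thread that lacks the capability and for one that holds it but is absent from the ACL, which is the distinction between the capability space and the endpoint's own ACL that the text draws; the busy bit makes both transfer and destruction wait, as paragraphs [0055] and [0057] require.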
[0058] During the execution of the target task at each endpoint, the status of each endpoint is monitored in real time using an endpoint table, including: using an endpoint table to track the status of each endpoint, wherein the endpoint table carries an entry corresponding to each endpoint, the entry carries a set of status bits, and the status bits carry the status information of each endpoint; and periodically checking the endpoint table to update the status information of each endpoint.
[0059] In practical applications, the specific implementation method for endpoint status monitoring is as follows: monitor the endpoint status in real time, and any abnormal communication behavior will trigger a security alarm and take corresponding measures.
[0060] Specifically, methods for real-time monitoring of endpoint status include: using endpoint tables, status bits, periodic checks, event-driven mechanisms, and strict permissions and access controls to achieve real-time monitoring of endpoint status.
[0061] More specifically, the endpoint table: The endpoint table is used to track the status of all endpoints in the system. Each endpoint has a corresponding entry in the table, which contains the endpoint's status information, such as whether it is in use, the ID of the other endpoint it is connected to, permissions, etc.
[0062] Status bits: Each entry in the endpoint table contains a set of status bits to indicate different endpoint states, such as idle, busy, waiting to close, etc. These status bits provide the system with real-time information about the current state of the endpoint.
[0063] Periodic checks: Periodically check the endpoint table to update the endpoint status, ensuring that the system is aware of the current status of the endpoints in a timely manner, especially for long-running or resource-intensive tasks.
[0064] Event-driven: Supports event-driven monitoring mechanisms. When the state of an endpoint changes (e.g., from idle to busy), the system triggers an event and notifies the relevant monitoring module or handler.
[0065] Access permissions: Access to endpoint tables is controlled. Only threads or processes with appropriate permissions can access or modify endpoint tables. This helps prevent unauthorized access and potential security risks.
[0066] Capability System: Employs a capability-based access control model where each process has its own capability space (CSpace). The capability space contains references to all resources (including endpoints) that the process can access. This ensures that only legitimate operations can access or modify the state of endpoints.
[0067] Debugging Interface: Provides a debugging interface that allows developers or system administrators to view and modify the endpoint status in real time. The interface can include command-line tools, a graphical interface, or an API.
[0068] Log recording: To facilitate post-event analysis and troubleshooting, the history of endpoint state changes is recorded. These logs can provide valuable information about system behavior and performance.
[0069] When the endpoint exhibits abnormal communication behavior, a security alert is triggered, and corresponding measures are taken, including: triggering a security alert and generating an error report, which is then logged, whereby the abnormal communication behavior corresponds to exception types such as permission violations, endpoint non-existence, deadlock, memory leaks, and security vulnerability exploitation; taking corresponding measures based on the exception type and severity of the abnormal communication behavior; employing spatial isolation and communication isolation to strongly isolate the endpoint corresponding to the abnormal communication behavior in the thread; taking resource reclamation and cleanup measures in response to resource leaks or failure to release resources properly due to the abnormal communication behavior; and sending the abnormal communication behavior to the user terminal and executing the corresponding instructions sent by the user terminal.
[0070] It should be noted that here, permission violation refers to an event that occurs when a thread attempts to access an endpoint it does not have permission to access.
[0071] Endpoint not found: If a thread attempts to access an endpoint that has been destroyed or never created, this may result in an endpoint not found exception. Message queue overflow: In some implementations, if an endpoint's message queue is full and another thread attempts to send more messages to that queue, this may result in a message queue overflow exception.
[0072] Deadlock here: Although not very common, in complex IPC scenarios, a deadlock may occur if multiple threads are waiting for each other to release resources (such as endpoints). In this case, the system will be unable to continue execution until the deadlock is resolved.
[0073] Memory leaks can occur if endpoints or their associated resources (such as message queues, buffers, etc.) are not properly released when they are no longer needed. Over time, this can deplete the system's available memory and affect system stability.
[0074] Security vulnerability exploitation here: Despite the high level of security offered by seL4, potential vulnerabilities still exist. If these vulnerabilities are exploited, attackers could attempt to manipulate the state or behavior of endpoints to bypass security mechanisms or perform malicious actions.
[0075] Response measures for abnormal behavior include: error reporting and logging, anomaly handling mechanisms, security isolation, resource reclamation and cleanup, user notification and intervention, and self-repair and recovery.
[0076] Specifically, error reporting and logging: When abnormal behavior is detected at an endpoint, the seL4 microkernel generates an error report and logs the relevant information. These logs can be used for post-incident analysis to help developers or system administrators understand the cause and context of the anomaly.
[0077] Exception Handling Mechanism: The seL4 microkernel has a robust exception handling mechanism capable of capturing and handling various exceptional situations. For abnormal endpoint behavior, the kernel will take appropriate measures based on the type and severity of the exception. For example, for exceptions such as permission violations or endpoint non-existence, the kernel may terminate the relevant operation and return an error code to the caller.
[0078] Security Isolation: The seL4 microkernel uses spatial and communication isolation to achieve strong isolation between processes. This isolation mechanism prevents abnormal behavior of one process from affecting other processes. When abnormal behavior is detected at an endpoint, the kernel ensures that the exception is confined to the relevant process and does not propagate to other processes or system components.
[0079] Resource reclamation and cleanup: If abnormal endpoint behavior leads to resource leaks or failure to release resources properly, the seL4 microkernel will take resource reclamation and cleanup measures. This may include closing endpoints that are no longer needed, releasing associated message queues or buffers, etc. Through these measures, the kernel can ensure system stability and the rational use of resources.
[0080] User Notifications and Interventions: In certain situations, the seL4 microkernel may send notifications to users informing them of abnormal endpoint behavior. This helps users stay informed about the system's operational status and take intervention measures when necessary. For example, a user might receive an error message indicating that an endpoint has a permission issue or has been closed.
[0081] Self-healing and recovery: In some simple abnormal situations, the seL4 microkernel may attempt self-healing and recovery. For example, if an endpoint becomes unable to communicate due to a temporary network problem, the kernel may automatically re-establish the connection after the problem is resolved. However, for more complex abnormal situations, self-healing may not be a viable option, requiring intervention from the user or system administrator.
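As an added illustration of paragraphs [0058] to [0081], and not code from this application or from the seL4 project, the following models an endpoint table whose entries carry status bits, an event-driven check on every send attempt that classifies the permission-violation, endpoint-not-found and message-queue-overflow exceptions and applies a measure (an alarm record plus communication isolation of the offending thread), and a periodic check that reclaims endpoints waiting to close. All names, the status-bit layout, the queue capacity and the severity values are assumptions of this example; deadlock and memory-leak detection need other signals and are only listed in the enumeration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define N_EP        4
#define QUEUE_CAP   2      /* per-endpoint message queue capacity (constructed) */
#define MAX_ALARMS  16
#define GRACE_TICKS 1      /* ticks an endpoint stays in WAIT_CLOSE before reclamation */

/* Status bits of an endpoint-table entry (assumed layout). */
enum { ST_IN_USE = 1u << 0, ST_BUSY = 1u << 1, ST_WAIT_CLOSE = 1u << 2 };

/* Exception types, after the list in the text. Only the first three can be
 * classified from a single IPC event in this model. */
typedef enum { EXC_NONE, EXC_PERMISSION, EXC_NOT_FOUND, EXC_QUEUE_OVERFLOW,
               EXC_DEADLOCK, EXC_MEMORY_LEAK } exc_t;

typedef struct {
    uint32_t status;      /* status bits */
    uint32_t acl_send;    /* bitmask of thread ids allowed to send */
    int      queued;      /* messages waiting in the endpoint's queue */
    int      close_tick;  /* tick at which WAIT_CLOSE was entered */
} ep_entry_t;

typedef struct { int tick; int sender; int ep; } ipc_event_t;              /* one send attempt */
typedef struct { exc_t type; int severity; int ep; int sender; } alarm_t;  /* error report */

static ep_entry_t table[N_EP];
static alarm_t    alarms[MAX_ALARMS];
static int        n_alarms;
static uint32_t   isolated;   /* threads placed under communication isolation */

void monitor_reset(void) { memset(table, 0, sizeof table); n_alarms = 0; isolated = 0; }
void ep_open(int e, uint32_t acl_send) { table[e] = (ep_entry_t){ ST_IN_USE, acl_send, 0, 0 }; }
int      alarm_count(void)      { return n_alarms; }
bool     thread_isolated(int t) { return (isolated >> t) & 1u; }
int      ep_queued(int e)       { return table[e].queued; }
uint32_t ep_status(int e)       { return table[e].status; }

/* Error reporting and logging: keep the record and print it. */
static void raise_alarm(exc_t type, int severity, const ipc_event_t *ev) {
    if (n_alarms < MAX_ALARMS) alarms[n_alarms++] = (alarm_t){ type, severity, ev->ep, ev->sender };
    printf("ALARM tick=%d type=%d severity=%d ep=%d sender=%d\n",
           ev->tick, (int)type, severity, ev->ep, ev->sender);
}

/* Event-driven path: classify one send attempt, update the status bits on
 * success, or raise an alarm and apply the measure for the exception type. */
exc_t monitor_send(const ipc_event_t *ev) {
    if (ev->ep < 0 || ev->ep >= N_EP || !(table[ev->ep].status & ST_IN_USE)) {
        raise_alarm(EXC_NOT_FOUND, 1, ev);       /* operation refused, caller gets an error */
        return EXC_NOT_FOUND;
    }
    ep_entry_t *ep = &table[ev->ep];
    if (thread_isolated(ev->sender) || !(ep->acl_send & (1u << ev->sender))) {
        raise_alarm(EXC_PERMISSION, 2, ev);
        isolated |= 1u << ev->sender;            /* communication isolation of the offender */
        return EXC_PERMISSION;
    }
    if (ep->queued >= QUEUE_CAP) {
        raise_alarm(EXC_QUEUE_OVERFLOW, 1, ev);  /* message dropped, sender told to back off */
        return EXC_QUEUE_OVERFLOW;
    }
    ep->queued++;
    ep->status |= ST_BUSY;                       /* idle -> busy transition */
    return EXC_NONE;
}

/* Receiver drains one message; returns the number still queued. */
int ep_recv(int e) {
    if (table[e].queued > 0 && --table[e].queued == 0) table[e].status &= ~ST_BUSY;
    return table[e].queued;
}

/* The owner asks for the endpoint to be closed once its queue has drained. */
void ep_request_close(int e, int tick) { table[e].status |= ST_WAIT_CLOSE; table[e].close_tick = tick; }

/* Periodic check: sweep the table and reclaim endpoints whose close request
 * is older than GRACE_TICKS and whose queue is empty. Returns how many. */
int periodic_check(int now) {
    int reclaimed = 0;
    for (int e = 0; e < N_EP; e++) {
        ep_entry_t *ep = &table[e];
        if ((ep->status & ST_WAIT_CLOSE) && ep->queued == 0 && now - ep->close_tick >= GRACE_TICKS) {
            memset(ep, 0, sizeof *ep);           /* resource reclamation and cleanup */
            reclaimed++;
        }
    }
    return reclaimed;
}

int main(void) {
    monitor_reset();
    ep_open(0, (1u << 1) | (1u << 2));           /* constructed: threads 1 and 2 may send */
    ipc_event_t ok = {1, 1, 0}, bad = {2, 5, 0}, gone = {3, 1, 3};
    printf("ok=%d bad=%d gone=%d alarms=%d isolated(5)=%d\n", (int)monitor_send(&ok),
           (int)monitor_send(&bad), (int)monitor_send(&gone), alarm_count(), thread_isolated(5));
    return 0;
}
```

Isolation here is deliberately sticky: once a thread has tried to reach an endpoint it was not allowed to, it stays refused even on an endpoint whose ACL does list it, which is the strong-isolation response the text describes for a permission violation; a real deployment would pair this with the user notification and intervention path rather than leaving the thread isolated forever.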
[0082] In another embodiment of this application, the method further includes: encrypting sensitive data using an encryption algorithm.
[0083] In practical applications, the specific implementation method of endpoint encrypted communication is as follows: for the transmission of sensitive information, encryption algorithms are used to encrypt the data to ensure that even if the data is intercepted, it cannot be interpreted by unauthorized processes.
[0084] Encrypted communication at endpoints is layered on capability-based access control. Each thread has its own capability space (CSpace), which holds the capabilities for every resource the thread may access. When a thread needs to communicate with other threads, it uses the IPC (Inter-Process Communication) mechanism to send or receive messages through endpoints, and the kernel only lets a thread invoke an endpoint for which its CSpace holds a capability carrying the required rights. Capabilities therefore provide isolation, not confidentiality: they decide who may invoke the endpoint, while the message payload itself is copied by the kernel in plaintext. Encrypting sensitive data is a separate step performed by the sending thread before the IPC call and reversed by the receiver, so that a thread which obtains the data by some other path (a shared buffer, a leaked capability, a compromised intermediary) still cannot interpret it. Together the two mechanisms prevent unauthorized access and limit the impact of any leak.
[0085] In practical applications, the specific implementation method for endpoint communication auditing is to record all communication activities conducted through the endpoint, including time, participating processes, and the amount of data transmitted, for subsequent analysis and auditing.
[0086] The above methods can effectively enhance the security of inter-process communication in the seL4 microkernel system and protect the system from potential security threats.
[0087] The methods provided in the embodiments of this application can bring a series of advantages and beneficial effects, including but not limited to the following:
[0088] Enhanced Security: By implementing granular access control and ownership management of endpoints, this invention significantly improves the security of IPC in the seL4 system. Access Control Lists (ACLs) ensure that only authorized processes can communicate with endpoints, effectively preventing unauthorized access and potential security threats.
[0089] Performance Optimization: The seL4 microkernel is designed with a focus on balancing performance and security. This invention enhances security and helps maintain high system performance by optimizing endpoint management. This is because optimized endpoint management reduces unnecessary security checks and data transfers, thereby mitigating the impact of performance bottlenecks.
[0090] Formal Verification: seL4 is built around the formal verification of its kernel, including its IPC mechanism, so an endpoint management method built on it can in principle be subjected to the same kind of correctness and security proofs. The kernel's existing proofs do not extend automatically to user-level management code added on top of it, however; the endpoint manager's own properties (for example, that an ACL decision matches the capabilities actually distributed) must be specified and verified separately. Such verification helps ensure the stability and reliability of the system;
[0091] Flexibility and scalability: The endpoint management method of this invention provides a flexible framework that can be adjusted according to different application scenarios and security requirements. This flexibility enables the system to adapt to constantly changing security environments and technical requirements;
[0092] Easy to maintain and update: By introducing endpoint status monitoring and communication auditing, this invention makes system maintenance and updates much easier. Any abnormal behavior can be detected and handled promptly, and the recording of communication logs facilitates post-event analysis and auditing.
[0093] Data confidentiality: For the transmission of sensitive information, this invention uses encryption algorithms to encrypt the data, ensuring data confidentiality and preventing information leakage even if the data is intercepted;
[0094] In summary, this invention not only enhances the security of IPC in the seL4 system, but also provides the possibility of formal verification while maintaining high system performance, increases system flexibility and scalability, and makes system maintenance and updates easier, while ensuring data confidentiality. These advantages and benefits make this invention of significant application value and broad market potential in the operating system field.
[0095] Corresponding to the above method embodiments, this specification also provides an embodiment of an endpoint management device. Figure 3 is a schematic diagram of an endpoint management device provided in an embodiment of this application. As shown in Figure 3, the device includes:
[0096] The association module 302 is configured to create at least one target endpoint that enables inter-thread communication for a new thread based on a preset endpoint processing strategy, associate the new thread with each endpoint, and start the new thread to execute the target task. Each endpoint has a corresponding owner list and access control list to restrict access to each endpoint. The preset endpoint processing strategy includes an endpoint creation strategy and an endpoint destruction strategy.
[0097] The monitoring module 304 is configured to monitor the status of each endpoint in real time using an endpoint table during the execution of the target task at each endpoint, and to trigger a security alarm and take corresponding measures if the status of an endpoint indicates abnormal communication behavior.
[0098] Management module 306 is configured to record the communication activities of each endpoint during the execution of the target task, and manage the endpoints between seL4 microkernel processes through analysis and auditing.
[0099] In one optional embodiment, the association module 302 is further configured as follows:
[0100] When creating a new thread, a corresponding thread control block and virtual address space are allocated to the new thread, and the thread state in the thread control block is initialized. The thread control block carries the thread state and thread attributes corresponding to the new thread, and the thread state carries the thread priority and scheduling policy. The virtual address space carries the thread code, thread data and thread stack corresponding to the new thread.
[0101] Based on the thread control block and the virtual address space of the new thread, at least one endpoint is created, and each endpoint has a corresponding access control list that records which threads may send messages to or receive messages from that endpoint.
[0102] In one optional embodiment, the association module 302 is further configured as follows:
[0103] When the thread corresponding to the target task terminates, its thread control block is reclaimed and each endpoint belonging to the new thread is destroyed automatically. In seL4 an endpoint object is freed when the capabilities referring to it are deleted, for example by revoking the original capability or retyping the Untyped memory that backs it; deleting a TCB does not by itself free the endpoints that thread used, so this automatic destruction is carried out by the manager that holds those capabilities.
[0104] In one optional embodiment, the association module 302 is further configured as follows:
[0105] When the new thread executing the target task is a short-lived (burst) thread, the target endpoints corresponding to that burst thread are destroyed explicitly before the thread terminates. Before each endpoint is destroyed explicitly, it is confirmed that the target endpoint has completed its message sending and receiving tasks and its interactions with other endpoints.
[0106] In one optional embodiment, the device is further configured to:
[0107] The verification module is configured to perform permission checks, state checks, and consistency checks on the thread executing the target task when the ownership of the target endpoint is transferred in the new thread corresponding to the target task, using a verification strategy. Specifically, the permission check determines the thread's right to modify the state and owner information of each endpoint on the thread by examining the thread's capability set; the state check determines that all endpoints on the thread are in an unused state by checking the current state of each endpoint on the thread; and the consistency check uses a synchronization mechanism to check the system data structure.
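The association and verification modules above (creation with a least-privilege ACL, automatic and explicit destruction, and the ownership transfer with its permission, state and consistency checks) as one added example in C. This is editorial illustration, not code from the patent or from seL4. seL4 itself has no ACLs, owner lists or endpoint table, so the example models them in a user-level table: the MAX_EP/MAX_THREADS sizes, the R_SEND/R_RECV/R_GRANT right bits, the single-entry owner list, the return codes and the generation counter standing in for the "synchronization mechanism" are all assumptions. In a real seL4 system ep_create would correspond to retyping Untyped memory into an Endpoint and seL4_CNode_Mint of a capability carrying only the needed rights into the thread's CSpace, and ep_destroy/ep_reclaim_thread to seL4_CNode_Revoke and seL4_CNode_Delete of those capabilities.

```c
/* Added illustrative model, not seL4 kernel code and not the libsel4 API. seL4 has
 * no ACLs, owner lists or endpoint table: access to a real endpoint is decided by
 * which CSpaces hold a capability to it, and the object is freed when those
 * capabilities are deleted. Thread ids, right bits and return codes are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_EP      8
#define MAX_THREADS 8
#define R_SEND  (1u << 0)   /* right bits, modelled on seL4 cap rights */
#define R_RECV  (1u << 1)
#define R_GRANT (1u << 2)   /* needed to change the owner or destroy the endpoint */

enum ep_state { EP_FREE = 0, EP_IDLE, EP_BUSY };

struct endpoint {
    enum ep_state state;
    int owner;                  /* owning thread id (one-entry owner list) */
    uint8_t acl[MAX_THREADS];   /* access control list: right bits per thread */
    int pending_msgs;           /* queued but undelivered messages */
};

static struct {
    struct endpoint ep[MAX_EP];
    unsigned generation;        /* bumped on every mutation; read by the consistency check */
} T;

/* Creation strategy: take a free slot, grant only the rights the task needs. */
int ep_create(int thread, uint8_t rights)
{
    if (thread < 0 || thread >= MAX_THREADS || rights == 0) return -1;
    for (int i = 0; i < MAX_EP; i++) {
        if (T.ep[i].state != EP_FREE) continue;
        memset(&T.ep[i], 0, sizeof T.ep[i]);
        T.ep[i].state = EP_IDLE;
        T.ep[i].owner = thread;
        T.ep[i].acl[thread] = rights;   /* least privilege: nothing beyond `rights` */
        T.generation++;
        return i;
    }
    return -1;                          /* table full */
}

/* ACL check run on every send/receive and before any management operation. */
int ep_check(int ep, int thread, uint8_t need)
{
    if (ep < 0 || ep >= MAX_EP || thread < 0 || thread >= MAX_THREADS) return 0;
    return T.ep[ep].state != EP_FREE && (T.ep[ep].acl[thread] & need) == need;
}

/* Ownership transfer with the three checks. 0 = ok, -1 permission, -2 state, -3 consistency. */
int ep_transfer_owner(int ep, int from, int to)
{
    unsigned gen = T.generation;
    if (to < 0 || to >= MAX_THREADS || !ep_check(ep, from, R_GRANT) || T.ep[ep].owner != from)
        return -1;                      /* permission: `from` must own it and hold R_GRANT */
    if (T.ep[ep].state != EP_IDLE || T.ep[ep].pending_msgs != 0)
        return -2;                      /* state: endpoint must be unused */
    if (T.ep[ep].acl[from] == 0 || gen != T.generation)
        return -3;                      /* consistency: ACL agrees with owner, table unchanged meanwhile */
    T.ep[ep].acl[to]  |= T.ep[ep].acl[from];
    T.ep[ep].acl[from] = 0;             /* old owner keeps nothing */
    T.ep[ep].owner = to;
    T.generation++;
    return 0;
}

/* Destruction strategy, explicit path (short-lived "burst" threads): refuse while
 * a message is still queued or the endpoint is mid-operation. */
int ep_destroy(int ep, int thread)
{
    if (!ep_check(ep, thread, R_GRANT) || T.ep[ep].owner != thread) return -1;
    if (T.ep[ep].state != EP_IDLE || T.ep[ep].pending_msgs != 0)  return -2;
    memset(&T.ep[ep], 0, sizeof T.ep[ep]);   /* slot returns to EP_FREE */
    T.generation++;
    return 0;
}

/* Destruction strategy, automatic path: the thread has terminated, so every
 * endpoint it owns is reclaimed whatever its state. Returns the count freed. */
int ep_reclaim_thread(int thread)
{
    int n = 0;
    for (int i = 0; i < MAX_EP; i++) {
        if (T.ep[i].state == EP_FREE || T.ep[i].owner != thread) continue;
        memset(&T.ep[i], 0, sizeof T.ep[i]);
        n++;
    }
    if (n) T.generation++;
    return n;
}

int main(void)
{
    int e = ep_create(1, R_SEND | R_RECV | R_GRANT);
    printf("ep %d: thread 2 may send? %d\n", e, ep_check(e, 2, R_SEND));
    printf("transfer 1->2: %d\n", ep_transfer_owner(e, 1, 2));
    printf("destroy by 1: %d\n", ep_destroy(e, 1));
    printf("destroy by 2: %d\n", ep_destroy(e, 2));
    return 0;
}
```

The consistency check compares a generation counter read on entry with its current value, a single-threaded stand-in for the seqlock or lock that the synchronization mechanism would provide in a concurrent manager. ep_reclaim_thread is the automatic path and frees endpoints regardless of state, because their owner no longer exists; ep_destroy is the explicit burst-thread path and refuses while anything is pending, which is the pre-destruction check the embodiment calls for.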
[0108] In one optional embodiment, the monitoring module 304 is further configured to:
[0109] An endpoint table is used to track the endpoint status corresponding to each endpoint. The endpoint table carries an entry corresponding to each endpoint, and the entry carries a set of status bits, which carry the status information of each endpoint.
[0110] The endpoint table is periodically checked to update the status information of each endpoint.
[0111] In one optional embodiment, the monitoring module 304 is further configured to:
[0112] If the endpoint is in an abnormal communication state, a security alert is triggered and an error report is generated and recorded in the log. The abnormal communication behavior includes the following types of abnormalities: permission violation, endpoint non-existence, deadlock, memory leak, and security vulnerability exploitation.
[0113] Based on the abnormal type and severity of the abnormal communication behavior, take appropriate measures;
[0114] Strong isolation is achieved by using spatial isolation and communication isolation to isolate the endpoints corresponding to abnormal communication behaviors in the thread;
[0115] In response to the abnormal communication behavior indicating resource leakage or failure to release resources normally, resource reclamation and cleanup measures are taken.
[0116] The abnormal communication behavior is sent to the user terminal, and the corresponding instructions sent by the user terminal are executed.
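The monitoring module's status bits, periodic table check, five anomaly types and type-dependent measures, together with the management module's audit record of each communication (time, participating threads, bytes transmitted), as one added example in C. It is editorial illustration, not code from the patent or from seL4. The event layout, the status bits, the 512-byte message bound used to flag a suspected exploitation attempt, the type-to-measure mapping and the sample table loaded by load_sample are all constructed for this example; the "user notification" measure is represented only by the verdict written to the audit log.

```c
/* Added illustrative example, not seL4 kernel code: a user-level monitor that keeps
 * status bits per endpoint-table entry, runs constructed IPC events through the
 * endpoint's ACL, classifies abnormal behaviour into the five types named above,
 * picks a measure by type, and appends an audit record for every activity. The
 * event layout, status bits, size bound and type-to-measure mapping are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_EP        4
#define MAX_THREADS   4
#define MAX_MSG_BYTES 512       /* assumed bound; a larger payload is treated as an exploit attempt */
#define AUDIT_CAP     64
#define ST_ALLOC    (1u << 0)   /* entry in use */
#define ST_WAITING  (1u << 1)   /* owner is blocked on the endpoint in waits_on */
#define ST_ABNORMAL (1u << 2)   /* an anomaly has been recorded against this entry */

struct ep_entry {
    uint8_t status;
    int owner, owner_alive, waits_on, queued_bytes;
    uint8_t can_send[MAX_THREADS];   /* ACL: 1 if that thread may send here */
};
enum anomaly { OK = 0, PERM_VIOLATION, NO_SUCH_EP, DEADLOCK, MEM_LEAK, EXPLOIT_ATTEMPT };
enum measure { NONE = 0, LOG_ONLY, ISOLATE, RECLAIM, NOTIFY_USER };
struct ipc_event { uint32_t t; int src, ep, bytes; };
struct audit_rec { uint32_t t; int src, ep, bytes; enum anomaly a; enum measure m; };

static struct ep_entry table[MAX_EP];
static struct audit_rec audit[AUDIT_CAP];
static int audit_len;

enum measure measure_for(enum anomaly a)
{
    switch (a) {
    case PERM_VIOLATION: case EXPLOIT_ATTEMPT: return ISOLATE;      /* cut the sender off */
    case MEM_LEAK:                             return RECLAIM;      /* free what the dead owner left */
    case DEADLOCK:                             return NOTIFY_USER;  /* needs an operator decision */
    case NO_SUCH_EP:                           return LOG_ONLY;
    default:                                   return NONE;
    }
}

/* Audit the activity (time, sender, endpoint, bytes, verdict), mark the entry, apply the measure. */
static enum anomaly handle(const struct ipc_event *e, enum anomaly a)
{
    enum measure m = measure_for(a);
    if (audit_len < AUDIT_CAP)
        audit[audit_len++] = (struct audit_rec){ e->t, e->src, e->ep, e->bytes, a, m };
    if (a == OK || a == NO_SUCH_EP) return a;          /* no entry to mark */
    table[e->ep].status |= ST_ABNORMAL;
    if (m == ISOLATE && e->src >= 0 && e->src < MAX_THREADS)
        table[e->ep].can_send[e->src] = 0;              /* communication isolation: revoke send right */
    else if (m == RECLAIM)
        table[e->ep] = (struct ep_entry){ 0 };          /* reclamation: drop queue, free entry */
    return a;
}

/* Real-time path: classify one send attempt against the table. */
enum anomaly monitor_event(const struct ipc_event *e)
{
    if (e->ep < 0 || e->ep >= MAX_EP || !(table[e->ep].status & ST_ALLOC))
        return handle(e, NO_SUCH_EP);
    if (e->src < 0 || e->src >= MAX_THREADS || !table[e->ep].can_send[e->src])
        return handle(e, PERM_VIOLATION);
    if (e->bytes > MAX_MSG_BYTES)
        return handle(e, EXPLOIT_ATTEMPT);
    table[e->ep].queued_bytes += e->bytes;
    return handle(e, OK);
}

/* Periodic path: leaks (owner gone, data queued) and deadlocks (wait-for cycle). */
int scan_table(uint32_t now)
{
    int found = 0;
    for (int i = 0; i < MAX_EP; i++) {
        if (!(table[i].status & ST_ALLOC)) continue;
        int j = (table[i].status & ST_WAITING) ? table[i].waits_on : -1;
        for (int hop = 0; hop < MAX_EP && j >= 0 && j < MAX_EP && j != i; hop++)
            j = (table[j].status & ST_WAITING) ? table[j].waits_on : -1;  /* follow the wait-for chain */
        enum anomaly a = (!table[i].owner_alive && table[i].queued_bytes > 0) ? MEM_LEAK
                       : (j == i) ? DEADLOCK : OK;
        if (a == OK) continue;
        struct ipc_event e = { now, table[i].owner, i, table[i].queued_bytes };
        handle(&e, a);
        found++;
    }
    return found;
}

void load_sample(void)   /* constructed sample table, not data from a real system */
{
    memset(table, 0, sizeof table);
    audit_len = 0;
    table[0] = (struct ep_entry){ ST_ALLOC, 1, 1, -1, 0,  { 0, 1, 1, 0 } }; /* owner 1; threads 1,2 may send */
    table[1] = (struct ep_entry){ ST_ALLOC, 2, 1, -1, 0,  { 0, 0, 1, 0 } }; /* owner 2; only thread 2 may send */
    table[2] = (struct ep_entry){ ST_ALLOC, 3, 0, -1, 64, { 0, 0, 0, 1 } }; /* owner 3 exited, 64 bytes queued */
}

int main(void)
{
    load_sample();
    struct ipc_event ev[] = { {1, 2, 0, 16}, {2, 3, 0, 16}, {3, 1, 3, 8}, {4, 2, 1, 4096} };
    for (size_t i = 0; i < 4; i++)
        printf("t=%u src=%d ep=%d -> anomaly %d\n", (unsigned)ev[i].t, ev[i].src, ev[i].ep, monitor_event(&ev[i]));
    printf("periodic scan found %d anomalies\n", scan_table(5));
    return 0;
}
```

The real-time path covers permission violations, non-existent endpoints and suspected exploitation, which are visible on the single event; deadlocks and leaks only show up in the periodic walk of the table, which is why the embodiment keeps both. Isolation is implemented as revoking the offending sender's right on that one endpoint rather than tearing the endpoint down, so legitimate peers keep working; in a real seL4 system that revocation would be a capability deletion.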
[0117] In one optional embodiment, the device is further configured to:
[0118] The encryption module is configured to use encryption algorithms to encrypt sensitive data.
[0119] The apparatus provided in the embodiments of this application can bring a series of advantages and beneficial effects, including but not limited to the following:
[0120] Enhanced Security: By implementing granular access control and ownership management of endpoints, this invention significantly improves the security of IPC in the seL4 system. Access Control Lists (ACLs) ensure that only authorized processes can communicate with endpoints, effectively preventing unauthorized access and potential security threats.
[0121] Performance Optimization: The seL4 microkernel is designed with a focus on balancing performance and security. This invention enhances security and helps maintain high system performance by optimizing endpoint management. This is because optimized endpoint management reduces unnecessary security checks and data transfers, thereby mitigating the impact of performance bottlenecks.
[0122] Formal Verification: seL4 is built around the formal verification of its kernel, including its IPC mechanism, so an endpoint management method built on it can in principle be subjected to the same kind of correctness and security proofs. The kernel's existing proofs do not extend automatically to user-level management code added on top of it, however; the endpoint manager's own properties (for example, that an ACL decision matches the capabilities actually distributed) must be specified and verified separately. Such verification helps ensure the stability and reliability of the system;
[0123] Flexibility and scalability: The endpoint management method of this invention provides a flexible framework that can be adjusted according to different application scenarios and security requirements. This flexibility enables the system to adapt to constantly changing security environments and technical requirements;
[0124] Easy to maintain and update: By introducing endpoint status monitoring and communication auditing, this invention makes system maintenance and updates much easier. Any abnormal behavior can be detected and handled promptly, and the recording of communication logs facilitates post-event analysis and auditing.
[0125] Data confidentiality: For the transmission of sensitive information, this invention uses encryption algorithms to encrypt the data, ensuring data confidentiality and preventing information leakage even if the data is intercepted;
[0126] In summary, this invention not only enhances the security of IPC in the seL4 system, but also provides the possibility of formal verification while maintaining high system performance, increases system flexibility and scalability, and makes system maintenance and updates easier, while ensuring data confidentiality. These advantages and benefits make this invention of significant application value and broad market potential in the operating system field.
[0127] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on describing the differences from other embodiments. In particular, the endpoint management device is basically similar to the endpoint management method embodiments, so the description is relatively simple; relevant parts can be referred to the descriptions of the endpoint management method embodiments.
[0128] Figure 4 is a structural block diagram of a computing device provided in an embodiment of this application. The components of the computing device 400 include, but are not limited to, a memory 410 and a processor 420. The processor 420 is connected to the memory 410 via a bus 430, and a database 450 is used to store data.
[0129] The computing device 400 also includes an access device 440, which enables the computing device 400 to communicate via one or more networks 460. Examples of these networks include Public Switched Telephone Network (PSTN), Local Area Network (LAN), Wide Area Network (WAN), Personal Area Network (PAN), or combinations of communication networks such as the Internet. The access device 440 may include one or more of any type of wired or wireless network interface (e.g., a network interface controller (NIC)), such as an IEEE 802.11 Wireless Local Area Network (WLAN) wireless interface, a Wi-MAX (Worldwide Interoperability for Microwave Access) interface, an Ethernet interface, a Universal Serial Bus (USB) interface, a cellular network interface, a Bluetooth interface, or a Near Field Communication (NFC) interface.
[0130] In one embodiment of this specification, the aforementioned components of the computing device 400 and other components not shown in Figure 4 can also be connected to each other, for example, via a bus. It should be understood that the block diagram of the computing device shown in Figure 4 is for illustrative purposes only and is not intended to limit the scope of this specification. Those skilled in the art can add or replace other components as needed.
[0131] Computing device 400 can be any type of stationary or mobile computing device, including mobile computers or mobile computing devices (e.g., tablet computers, personal digital assistants, laptop computers, notebook computers, netbooks, etc.), mobile phones (e.g., smartphones), wearable computing devices (e.g., smartwatches, smart glasses, etc.) or other types of mobile devices, or stationary computing devices such as desktop computers or personal computers (PCs). Computing device 400 can also be a mobile or stationary server.
[0132] The processor 420 is configured to execute the following computer-executable instructions, which, when executed by the processor, implement the steps of the endpoint management method described above.
[0133] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on describing the differences from other embodiments. In particular, the computing device embodiments are basically similar to the endpoint management method embodiments, so the description is relatively simple; relevant parts can be referred to the descriptions of the endpoint management method embodiments.
[0134] An embodiment of this specification also provides a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the steps of the endpoint management method described above.
[0135] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on its differences from other embodiments. In particular, the computer-readable storage medium embodiments are relatively simple in description because they are fundamentally similar to the endpoint management method embodiments; relevant parts can be referred to in the description of the endpoint management method embodiments.
[0136] An embodiment of this specification also provides a computer program, wherein when the computer program is executed in a computer, it causes the computer to perform the steps of the above-described endpoint management method.
[0137] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on describing the differences from other embodiments. In particular, the computer program embodiments are basically similar to the endpoint management method embodiments, so the description is relatively simple; relevant parts can be referred to the descriptions of the endpoint management method embodiments.
[0138] The foregoing has described specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in a different order than that shown in the embodiments and may still achieve the desired result. Furthermore, the processes depicted in the drawings do not necessarily require the specific or sequential order shown to achieve the desired result. In some embodiments, multitasking and parallel processing are possible or may be advantageous.
[0139] The computer instructions include computer program code, which may be in the form of source code, object code, executable file, or some intermediate form. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording media, USB flash drive, portable hard drive, magnetic disk, optical disk, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signals, telecommunication signals, and software distribution media, etc. It should be noted that the content included in the computer-readable medium may be appropriately added to or subtracted according to the requirements of legislation and patent practice in the jurisdiction. For example, in some jurisdictions, according to legislation and patent practice, computer-readable media may not include electrical carrier signals and telecommunication signals.
[0140] It should be noted that the above description describes specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recorded in the claims can be performed in a different order than that shown in the embodiments and still achieve the desired results. Furthermore, the processes depicted in the drawings do not necessarily require a specific or sequential order to achieve the desired results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous. Secondly, those skilled in the art should also understand that the embodiments described in the specification are preferred embodiments, and the actions and modules involved are not necessarily essential to the embodiments of this specification.
[0141] In the above embodiments, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions of other embodiments.
[0142] The preferred embodiments disclosed above are merely illustrative of this specification. The optional embodiments do not exhaustively describe all details, nor do they limit the invention to the specific implementations described. Clearly, many modifications and variations can be made based on the embodiments described herein. These embodiments are selected and specifically described in this specification to better explain the principles and practical applications of the embodiments, thereby enabling those skilled in the art to better understand and utilize this specification. This specification is limited only by the claims and their full scope and equivalents.
Claims
1. An endpoint management method, characterized in that it comprises: based on a preset endpoint processing strategy, creating at least one target endpoint capable of inter-thread communication for a new thread, associating the new thread with each endpoint, and starting the new thread to execute the target task, wherein the new thread follows the principle of least privilege and carries the minimum set of privileges required to complete the target task, each endpoint has a corresponding owner list and access control list restricting access to that endpoint, and the preset endpoint processing strategy includes an endpoint creation strategy and an endpoint destruction strategy; during the execution of the target task at each endpoint, monitoring the status of each endpoint in real time using an endpoint table and, if the status of an endpoint indicates abnormal communication behavior, triggering a security alarm and taking corresponding measures; recording the communication activities of each endpoint during the execution of the target task, and managing the endpoints between seL4 microkernel processes through analysis and auditing; wherein creating at least one target endpoint capable of inter-thread communication for the new thread based on the preset endpoint processing strategy includes: when the thread corresponding to the target task terminates, reclaiming the thread control block and automatically destroying each endpoint corresponding to the new thread; and when the thread executing the target task is a short-lived (burst) thread, explicitly destroying the target endpoints corresponding to that burst thread before the thread terminates, wherein before a target endpoint is explicitly destroyed it is determined that the target endpoint has completed its message sending and receiving tasks and its interaction tasks with other endpoints, and before destroying an endpoint, seL4 ensures that there are no outstanding message transmissions or other activities associated with that endpoint by checking the endpoint's state and related data structures.
2. The method according to claim 1, characterized in that creating at least one target endpoint capable of inter-thread communication for the new thread based on the preset endpoint processing strategy includes: when creating the new thread, allocating a corresponding thread control block and virtual address space to the new thread and initializing the thread state in the thread control block, wherein the thread control block carries the thread state and thread attributes of the new thread, and the thread state carries the thread priority and scheduling policy; and, based on the thread control block and the virtual address space of the new thread, creating at least one endpoint, wherein each endpoint has a corresponding access control list that records which threads may send messages to or receive messages from that endpoint.
3. The method according to claim 1, characterized in that the method further includes: when ownership of the target endpoint is transferred in the new thread corresponding to the target task, using a verification strategy to perform a permission check, a state check, and a consistency check on the thread executing the target task, wherein the permission check examines the capability set of the thread corresponding to the target task to determine whether it has the right to modify the state information and owner information of each endpoint on the thread; the state check examines the current state of each endpoint on the thread corresponding to the target task to determine whether each endpoint on the thread is in an unused state; and the consistency check uses a synchronization mechanism to check the system data structures.
4. The method according to claim 1, characterized in that monitoring the status of each endpoint in real time using an endpoint table during the execution of the target task at each endpoint includes: using an endpoint table to track the status of each endpoint, wherein the endpoint table carries an entry for each endpoint and each entry carries a set of status bits holding the status information of that endpoint; and periodically checking the endpoint table to update the status information of each endpoint.
5. The method according to claim 1, characterized in that, if an endpoint exhibits abnormal communication behavior, triggering a security alert and taking corresponding measures includes: if the endpoint is in an abnormal communication state, triggering a security alert, generating an error report and recording it in the log, wherein the abnormal communication behavior includes the following types of abnormality: permission violation, endpoint non-existence, deadlock, memory leak, and security vulnerability exploitation; taking appropriate measures based on the type and severity of the abnormal communication behavior; achieving strong isolation by using spatial isolation and communication isolation to isolate the endpoints in the thread that correspond to the abnormal communication behavior; in response to the abnormal communication behavior indicating resource leakage or failure to release resources normally, taking resource reclamation and cleanup measures; and sending the abnormal communication behavior to the user terminal and executing the corresponding instructions sent by the user terminal.
6. The method according to claim 1, characterized in that the method further includes: encrypting sensitive data using an encryption algorithm.
7. An endpoint management device, characterized in that it comprises: an association module configured to create at least one target endpoint capable of inter-thread communication for a new thread based on a preset endpoint processing strategy, associate the new thread with each endpoint, and start the new thread to execute the target task, wherein each endpoint has a corresponding owner list and access control list restricting access to that endpoint, and the preset endpoint processing strategy includes an endpoint creation strategy and an endpoint destruction strategy; a monitoring module configured to monitor the status of each endpoint in real time using an endpoint table during the execution of the target task at each endpoint, and to trigger a security alarm and take corresponding measures if the status of an endpoint indicates abnormal communication behavior; and a management module configured to record the communication activities of each endpoint during the execution of the target task and to manage the endpoints between seL4 microkernel processes through analysis and auditing; wherein creating at least one target endpoint capable of inter-thread communication for the new thread based on the preset endpoint processing strategy includes: when the thread corresponding to the target task terminates, reclaiming the thread control block and automatically destroying each endpoint corresponding to the new thread; and when the thread executing the target task is a short-lived (burst) thread, explicitly destroying the target endpoints corresponding to that burst thread before the thread terminates, wherein before a target endpoint is explicitly destroyed it is determined that the target endpoint has completed its message sending and receiving tasks and its interaction tasks with other endpoints, and before destroying an endpoint, seL4 ensures that there are no outstanding message transmissions or other activities associated with that endpoint by checking the endpoint's state and related data structures.
8. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a program for information transmission which, when executed by a processor, implements the steps of the method according to any one of claims 1 to 6.