
CN-121598433-B - Access control method and electronic equipment


Abstract

The invention discloses an access control method and electronic equipment in the technical field of digital information transmission. While a target access control subject is operated in response to an access control request, its hash chain is dynamically updated according to the access process, and the integrity of the subject is dynamically verified against a pre-stored hash value each time the hash chain is updated. If verification fails, the access process is frozen immediately to limit the impact, and the target access control subject is restored using the pre-stored hash value so that it can pass integrity verification. This solves the technical problems that the related art lacks integrity verification of the access subject, has difficulty detecting malicious tampering, and consequently has difficulty ensuring the security of the server's system resources; dynamic integrity verification of the target access control subject reduces the impact of malicious tampering on server resources and prevents external attacks during operation.

Inventors

  • Huo Wen
  • Su Zhiyuan

Assignees

  • 苏州元脑智能科技有限公司

Dates

Publication Date
2026-05-08
Application Date
2026-01-28

Claims (9)

  1. An access control method, comprising: in response to an access control request of a target access control subject, calculating a dynamic hash value of the current key region information of the target access control subject; generating a hash chain of the target access control subject based on the dynamic hash value and a pre-stored hash value of the target access control subject, or updating the hash chain based on the dynamic hash value, so as to detect, using the hash chain, whether the target access control subject meets a preset integrity condition; in response to the target access control subject not meeting the preset integrity condition, freezing the current access process of the target access control subject and restoring the key region information of the target access control subject using pre-backed-up reference key region information, so that the access control authority of the target access control subject is granted once it meets the preset integrity condition; the method further comprising: in response to the access control request, obtaining a target instruction sequence of the target access control subject, identifying annotation marks in the target instruction sequence that satisfy the preset integrity condition, extracting key functions from the target instruction sequence based on the annotation marks, storing positioning data of the key functions in a preset integrity metadata table, and embedding the preset integrity metadata table into an initial target access control subject generated from the target instruction sequence to obtain the target access control subject.
  2. The access control method according to claim 1, further comprising, before calculating the dynamic hash value of the current key region information of the target access control subject: detecting whether an operating system of a server has completed an initialization action; and, if the operating system is detected to have completed the initialization action, starting the target access control subject and loading the preset integrity metadata table into a kernel memory of the operating system.
  3. The access control method according to claim 2, further comprising, before calculating the dynamic hash value of the current key region information of the target access control subject: determining the number of key regions of the target access control subject based on the preset integrity metadata table; matching target memory in the kernel memory based on that number, forming in the target memory a correctness buffer that meets preset read-write conditions, and storing the preset integrity metadata table in the correctness buffer; and creating, based on the size of the correctness buffer, a continuity buffer that meets a preset size condition, so as to store the current key region information in the continuity buffer.
  4. The access control method according to claim 3, further comprising, before calculating the dynamic hash value of the current key region information of the target access control subject: obtaining initial reference key region information of the target access control subject based on the preset integrity metadata table; acquiring the file extended attributes of the target access control subject; detecting, based on the file extended attributes, whether the target access control subject meets a preset update condition; and, if the preset update condition is met, updating the initial reference key region information based on the file extended attributes to obtain the reference key region information.
  5. The access control method according to claim 3, further comprising, after obtaining the reference key region information: reading the key region information in the memory of the target access control subject; calculating an actual hash value of the target access control subject based on the key region information; calculating the pre-stored hash value using the reference key region information; detecting, using the actual hash value and the pre-stored hash value, whether the target access control subject meets a preset operation condition; and, if the preset operation condition is met, allowing the target access control subject to operate and calculating the dynamic hash value of the current key region information of the target access control subject.
  6. The access control method according to claim 3, wherein updating the hash chain of the target access control subject based on the dynamic hash value so as to detect, using the hash chain, whether the target access control subject meets the preset integrity condition comprises: operating the target access control subject and, whenever the execution flow of the target access control subject passes through any key point function, obtaining the identifier of that key point function; and storing the identifier in the continuity buffer, so as to update the hash chain of the target access control subject in combination with the identifiers already stored in the continuity buffer.
  7. The access control method according to claim 3, further comprising: associating the reference key region information with the identifier of the thread running the target access control subject; using the thread identifier and the pre-stored hash value as a label, storing the reference key region information in a memory of the server that meets preset security conditions, so as to generate a backup copy of the reference key region information; and, after the target access control subject exits, looking up the backup copy of the reference key region information in that memory using the label as an index, and deleting the backup copy and the label.
  8. The access control method according to claim 7, wherein restoring the key region information of the target access control subject using the pre-stored hash value comprises: when restoring the key region information of the target access control subject, querying the backup copy of the reference key region information in the memory using the label as an index; and recovering the key region information using the backup copy of the reference key region information.
  9. An electronic device, comprising: a memory for storing a computer program; and a processor for implementing the steps of the access control method according to any one of claims 1 to 8 when executing the computer program.
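The verification loop spread across claims 1, 5, 6, 7 and 8, as an added worked example in Python that is not the patent's own code: a pre-stored hash is computed over the reference key regions, the hash chain is extended with a key-point identifier and the current dynamic hash each time execution passes a key point, a mismatch freezes the access, and the backup copy stored under the (thread id, pre-stored hash) label is used to restore the regions. The choice of SHA-256, the dict-based key-region layout, the names `Subject`, `IntegrityMonitor` and `run_demo`, and the sample region bytes are all assumptions made for illustration; the patent specifies none of them.

```python
import hashlib
from dataclasses import dataclass

# Added example, not from the patent. SHA-256, the dict-based "key region"
# layout and every name below are assumptions chosen for illustration.


def chain_hash(*parts: bytes) -> bytes:
    """Hash the concatenation of parts (assumed hash function: SHA-256)."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(part)
    return digest.digest()


@dataclass
class Subject:
    """A target access control subject: its key regions plus the integrity
    metadata table that locates them (claim 1). Region bytes are constructed."""
    key_regions: dict   # region name -> bytes ("key region information")
    metadata: tuple     # ordered region names, standing in for positioning data

    def key_region_bytes(self) -> bytes:
        # Serialise regions in metadata order so the hash is deterministic.
        return b"".join(name.encode() + b"\0" + self.key_regions[name]
                        for name in self.metadata)


class IntegrityMonitor:
    """Hash-chain integrity check: pre-stored hash (claim 5), per-key-point
    chain update (claim 6), labelled backup and restore (claims 7 and 8)."""

    def __init__(self, subject: Subject, thread_id: int):
        self.subject = subject
        # Claim 5: pre-stored hash computed from the reference key region info.
        self.prestored_hash = chain_hash(subject.key_region_bytes())
        # Claim 7: (thread id, pre-stored hash) labels the backup copy kept in
        # a store that models the server's protected memory.
        self.label = (thread_id, self.prestored_hash)
        self.secure_store = {self.label: dict(subject.key_regions)}
        self.chain = []   # hash chain, one entry per verification step
        self.trace = []   # continuity buffer of key-point identifiers (claim 6)
        self.frozen = False

    def start(self) -> bool:
        """Claim 5: allow operation only if the actual hash matches the pre-stored one."""
        actual = chain_hash(self.subject.key_region_bytes())
        if actual != self.prestored_hash:
            return False
        # Claim 1: generate the chain from the dynamic and pre-stored hashes.
        self.chain = [chain_hash(self.prestored_hash, actual)]
        return True

    def pass_key_point(self, func_id: str) -> bool:
        """Claim 6: record the key-point identifier, extend the chain with the
        current dynamic hash, and freeze the access process if integrity fails."""
        if self.frozen:
            return False
        self.trace.append(func_id)
        dynamic = chain_hash(self.subject.key_region_bytes())
        self.chain.append(chain_hash(self.chain[-1], func_id.encode(), dynamic))
        if dynamic != self.prestored_hash:
            self.frozen = True
            return False
        return True

    def chain_consistent(self) -> bool:
        """Recompute the chain an auditor expects from the pre-stored hash and
        the recorded trace alone; a step that hashed tampered regions leaves a
        mismatch even after the regions have been restored."""
        expected = chain_hash(self.prestored_hash, self.prestored_hash)
        for func_id in self.trace:
            expected = chain_hash(expected, func_id.encode(), self.prestored_hash)
        return bool(self.chain) and expected == self.chain[-1]

    def restore(self) -> bool:
        """Claim 8: look up the backup copy by label and recover the key regions."""
        backup = self.secure_store.get(self.label)
        if backup is None:
            return False
        self.subject.key_regions = dict(backup)
        ok = chain_hash(self.subject.key_region_bytes()) == self.prestored_hash
        self.frozen = not ok   # unfreeze only if the restored regions verify
        return ok

    def exit(self) -> None:
        """Claim 7: on subject exit, delete the backup copy and its label."""
        self.secure_store.pop(self.label, None)


def run_demo() -> dict:
    """One access: clean key point, simulated tampering, freeze, restore, resume."""
    subject = Subject({".text": b"\x55\x48\x89\xe5\xc3", "policy": b"allow:read"},
                      (".text", "policy"))   # constructed sample regions
    mon = IntegrityMonitor(subject, thread_id=4242)
    started = mon.start()
    first_ok = mon.pass_key_point("open_file")
    consistent_before = mon.chain_consistent()
    subject.key_regions["policy"] = b"allow:write"   # simulated in-memory tampering
    tampered_ok = mon.pass_key_point("check_policy")
    frozen = mon.frozen
    restored = mon.restore()
    resumed = mon.pass_key_point("read_file")
    consistent_after = mon.chain_consistent()
    mon.exit()
    return {"started": started, "first_ok": first_ok,
            "consistent_before": consistent_before,
            "tamper_detected": not tampered_ok, "frozen": frozen,
            "restored": restored, "resumed": resumed,
            "consistent_after": consistent_after,
            "backup_deleted": mon.label not in mon.secure_store}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The live comparison in `pass_key_point` is what freezes the process, but `chain_consistent` shows why the chain itself matters for detection: the entry that hashed the tampered regions stays in the chain, so an auditor recomputing the expected chain from the pre-stored hash and the trace still sees the deviation after the restore has succeeded and execution has resumed.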

Description

Access control method and electronic equipment

Technical Field

The present invention relates to the field of digital information transmission technologies, and in particular to an access control method and an electronic device.

Background

In the related art, access control models such as DAC (Discretionary Access Control), RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control) generally perform a permission check when an access control request occurs. The decision of the access control model is based on static information such as user identity, role or environmental attribute, that is, it performs identity authentication and static permission allocation. It therefore lacks integrity verification of the access subject, has difficulty detecting malicious tampering, and consequently has difficulty ensuring the security of the server's system resources.

Disclosure of Invention

The invention provides an access control method and electronic equipment that at least solve the problems that the related art lacks integrity verification of the access subject, has difficulty detecting malicious tampering, and consequently has difficulty guaranteeing the security of the server's system resources.
The invention provides an access control method comprising the following steps: in response to an access control request of a target access control subject, calculating a dynamic hash value of the current key region information of the target access control subject; generating a hash chain of the target access control subject based on the dynamic hash value and a pre-stored hash value of the target access control subject, or updating the hash chain based on the dynamic hash value, so as to detect, using the hash chain, whether the target access control subject meets a preset integrity condition; and, in response to the target access control subject not meeting the preset integrity condition, freezing the current access process of the target access control subject and recovering the key region information of the target access control subject using pre-backed-up reference key region information, so that the access control authority of the target access control subject is granted once it meets the preset integrity condition.
The invention further provides an access control device comprising a calculation module, a detection module and a control module. The calculation module is used, in response to an access control request of a target access control subject, to calculate a dynamic hash value of the current key region information of the target access control subject. The detection module is used to generate a hash chain of the target access control subject based on the dynamic hash value and a pre-stored hash value of the target access control subject, or to update the hash chain based on the dynamic hash value, so as to detect, using the hash chain, whether the target access control subject meets a preset integrity condition. The control module is used, in response to the target access control subject not meeting the preset integrity condition, to freeze the current access process of the target access control subject and to recover the key region information of the target access control subject using the pre-backed-up reference key region information, so that the access control authority of the target access control subject is granted once it meets the preset integrity condition.

The invention also provides an electronic device comprising a memory for storing a computer program and a processor for implementing the steps of any one of the above access control methods when executing the computer program.

The present invention also provides a computer-readable storage medium having a computer program stored therein, wherein the computer program, when executed by a processor, implements the steps of any one of the above access control methods.

The invention also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of any one of the above access control methods.
According to the invention, the hash chain of the target access control subject is dynamically updated according to the access process while the subject is operated in response to the access control request, and the integrity of the subject is dynamically verified against the pre-stored hash value each time the hash chain is updated. This dynamic verification prevents malicious code from performing unauthorized operations under a legitimate identity, ensures that the program executes along the expected control flow, prevents an attacker from hijacking the control flow to change the program's behaviour, and the access process is frozen immediately in the case that verificatio