CN-122020632-A - Equipment security assessment method and device
Abstract
The application discloses a device security assessment method and device. The method comprises: collecting multidimensional data of a target device using a reconstructed kernel protocol stack, wherein the reconstructed kernel protocol stack is obtained by embedding three layers of capability (dynamic evaluation based on a root of trust, hardware-enhanced cryptographic encryption, and policy-based security management and control) into the original kernel protocol stack of the target device's operating system through hooking; and processing the multidimensional data of the target device with trusted firmware as the root of trust, combined with a preset security policy model, to obtain a security evaluation result for the target device. The application solves the technical problem that the application-layer security schemes adopted in the related art are easy to bypass.
Inventors
- TIAN JIANSHENG
- Duan Guna
- WANG LIANGLIANG
- WANG ANSHENG
- XUAN YANJIE
Assignees
- 北京可信华泰技术服务有限公司
- 北京可信华泰信息技术有限公司
Dates
- Publication Date: 20260512
- Application Date: 20251225
Claims (10)
- 1. A method for evaluating device security, comprising: collecting multidimensional data of a target device using a reconstructed kernel protocol stack, wherein the reconstructed kernel protocol stack is obtained by embedding three layers of capability (dynamic evaluation based on a root of trust, hardware-enhanced cryptographic encryption, and policy-based security management and control) into the original kernel protocol stack of the target device's operating system through hooking; and processing the multidimensional data of the target device with trusted firmware as the root of trust, combined with a preset security policy model, to obtain a security evaluation result for the target device.
- 2. The method of claim 1, wherein, before collecting the multidimensional data of the target device using the reconstructed kernel protocol stack, the method further comprises: acquiring the original kernel protocol stack of the operating system of the target device, wherein the original kernel protocol stack defines the set of operation functions for stream sockets in the IPv4 address family; and modifying the original kernel protocol stack through hooking to build a customized communication security enhancement system for stream-oriented communication behaviour in the IPv4 address family.
- 3. The method of claim 2, wherein, before acquiring the original kernel protocol stack of the operating system of the target device, the method further comprises: initializing the target device, creating a device node for the target device, and implementing the corresponding ioctl interface, wherein the ioctl interface receives and processes policy configuration and management instructions from user space.
- 4. The method of claim 2, wherein modifying the original kernel protocol stack through hooking comprises: reconstructing the inet_stream_connect interface of the socket operation layer structure in the original kernel protocol stack, that is, embedding policy checking and trust score verification logic before a TCP connection is initiated; reconstructing the inet_accept interface of the socket operation layer structure in the original kernel protocol stack, that is, implementing peer identity verification, security policy matching and trust score verification logic in the connection acceptance stage; reconstructing the inet_sendmsg interface of the socket operation layer structure in the original kernel protocol stack, wherein the inet_sendmsg interface integrates trust score verification logic and a self-synchronizing stream cipher algorithm into the data transmission process; reconstructing the inet_recvmsg interface of the socket operation layer structure in the original kernel protocol stack, wherein the inet_recvmsg interface integrates trust score verification logic and real-time decryption into the data receiving process and verifies the integrity and legitimacy of the communication data; reconstructing the inet_release interface of the socket operation layer structure in the original kernel protocol stack, wherein the related context resources are safely cleaned up when the connection is released; and creating and activating a kernel timer through the timer_setup and add_timer interfaces, so that the trust evaluation update task is triggered at fixed intervals.
- 5. The method according to any one of claims 1 to 4, further comprising encrypting data as follows: acquiring the conn_stream_hash linked list metadata of the socket operation layer structure in the reconstructed kernel protocol stack, wherein the user has set a key and an encryption stream key reference value; initializing an encryption context of the sm4_ecb algorithm with the user-set key; encrypting the encryption stream key reference value with the encryption context, thereby generating an encryption stream key; encrypting the data to be transmitted in a loop, 16 bytes at a time, until less than 16 bytes remain unprocessed, where each step XORs the 16 bytes of data to be processed with the encryption stream key, updates the encryption stream key reference value to the encrypted data, and recalculates the encryption stream key from the new encryption stream key reference value; and, when less than 16 bytes remain unprocessed, updating only the data part of the encryption stream key reference value and retaining its other parts.
- 6. The method according to any one of claims 1 to 4, further comprising decrypting data as follows: acquiring the conn_stream_hash linked list metadata of the socket operation layer structure in the reconstructed kernel protocol stack, wherein the user has set a key and a decryption stream key reference value; initializing a decryption context of the sm4_ecb algorithm with the user-set key; encrypting the decryption stream key reference value with the decryption context, thereby generating a decryption stream key; decrypting the received data in a loop, 16 bytes at a time, until less than 16 bytes remain unprocessed, where each step XORs the 16 bytes of data to be processed with the decryption stream key, updates the decryption stream key reference value to the decrypted data, and recalculates the decryption stream key from the new decryption stream key reference value; and, when less than 16 bytes remain unprocessed, updating only the data part of the decryption stream key reference value and retaining its other parts.
- 7. The method according to any one of claims 1 to 4, further comprising: receiving a configuration instruction; and configuring a communication policy according to the configuration instruction, wherein the communication policy comprises setting a privileged connection list, defining a timeout range for session establishment, and designating the legal connection rules under which communication is allowed.
- 8. An apparatus for evaluating device security, comprising: an acquisition unit, configured to collect multidimensional data of a target device using a reconstructed kernel protocol stack, wherein the reconstructed kernel protocol stack is obtained by embedding three layers of capability (dynamic evaluation based on a root of trust, hardware-enhanced cryptographic encryption, and policy-based security management and control) into the original kernel protocol stack of the target device's operating system through hooking; and an evaluation unit, configured to process the multidimensional data of the target device with trusted firmware as the root of trust, combined with a preset security policy model, to obtain a security evaluation result for the target device.
- 9. A computer-readable storage medium, characterized in that the storage medium comprises a stored program, wherein the program, when run, performs the method of any one of the preceding claims 1 to 7.
- 10. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that the processor performs the method of any one of the preceding claims 1 to 7 by means of the computer program.
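Claims 5 and 6 describe a cipher-feedback style stream: each 16-byte keystream block is the SM4-ECB encryption of a reference value, the reference value is then replaced by the ciphertext block (for a trailing partial block, only its data part is overwritten), and both the sending and the receiving side run the block cipher in the encrypt direction. The following is an added example, not code from the patent or its assignees, that implements that chain in user-space Python: it assumes a keyed SHA-256 stand-in in place of SM4-ECB so no SM4 library is needed, reads the reference update in claim 6 as the received ciphertext block (the reading under which the stream is self-synchronising, as the patent calls it), and uses constructed key, reference and message values. It also shows the property that name implies: a single corrupted ciphertext byte damages exactly two blocks and the stream then recovers on its own.

```python
import hashlib

BLOCK = 16  # the claims process data in 16-byte units, the SM4 block size

def stand_in_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Assumption: keyed SHA-256 stands in for SM4-ECB encryption of one block.
    # Only the forward (encrypt) direction is ever used, as in claims 5 and 6.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(key: bytes, ref: bytes, data: bytes):
    """Claim 5, sendmsg side: keystream = E_k(ref); c = p XOR keystream;
    ref becomes the ciphertext block. Returns (ciphertext, new_ref) so the
    caller can carry the chain state across successive sends."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        c = _xor(data[i:i + BLOCK], stand_in_block_encrypt(key, ref))
        out += c
        # Full block: ref is replaced outright. Trailing partial block: only
        # the data part of ref is overwritten, the remaining bytes are kept.
        ref = c + ref[len(c):]
    return bytes(out), ref

def stream_decrypt(key: bytes, ref: bytes, data: bytes):
    """Claim 6, recvmsg side: identical keystream derivation; ref is fed the
    received ciphertext block, which is what makes the stream self-synchronising."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out += _xor(c, stand_in_block_encrypt(key, ref))
        ref = c + ref[len(c):]
    return bytes(out), ref

def damaged_blocks(key: bytes, ref: bytes, plaintext: bytes, flip_at: int):
    """Flip one ciphertext byte, decrypt, and list the block indexes that come out
    wrong: the block holding the flipped byte and the one keyed from it, no more."""
    ct, _ = stream_encrypt(key, ref, plaintext)
    bad = bytearray(ct)
    bad[flip_at] ^= 0x01
    pt, _ = stream_decrypt(key, ref, bytes(bad))
    return [i // BLOCK for i in range(0, len(pt), BLOCK)
            if pt[i:i + BLOCK] != plaintext[i:i + BLOCK]]

# Constructed sample values, not taken from the patent.
KEY = b"constructed-key-"        # user-set key (16 bytes)
REF = bytes(range(BLOCK))        # user-set stream key reference value
MSG = b"trusted-stack sample payload spanning several blocks plus a short tail"
```

Because the reference value is carried between calls, encrypting a message in two sends split on a block boundary yields the same ciphertext as one send, which is what lets the sendmsg hook process arbitrary write sizes.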
Description
Technical Field
The application relates to the field of computer security, in particular to a device security assessment method and device.
Background
This section is intended to provide background or context for the matter recited in the claims or specification; its inclusion here is not an admission that it is prior art. With the rapid development of technologies such as the Internet of Things, industrial control systems and edge computing, large numbers of devices continuously exchange data and compute collaboratively over the network, which places higher requirements on communication security. Traditional network security schemes such as TLS/SSL and IPsec rely mainly on digital certificates and static identity authentication mechanisms: a session key is negotiated through asymmetric encryption and symmetric encryption then protects the data transmission. Although such schemes are effective to a degree for identity authentication and communication encryption, they have an obvious defect: an application-layer security scheme is easy to bypass, so security problems remain. No effective solution to the above problems has been proposed so far.
Disclosure of Invention
The embodiments of the application provide a device security assessment method and device, which at least solve the technical problem that application-layer security schemes in the related art are easy to bypass.
According to one aspect of the embodiments of the application, the method for evaluating device security comprises: collecting multidimensional data of a target device using a reconstructed kernel protocol stack, wherein the reconstructed kernel protocol stack is obtained by embedding three layers of capability (dynamic evaluation based on a root of trust, hardware-enhanced cryptographic encryption, and policy-based security management and control) into the original kernel protocol stack of the target device's operating system through hooking; and processing the multidimensional data of the target device with trusted firmware as the root of trust, combined with a preset security policy model, to obtain a security evaluation result for the target device. Optionally, before the multidimensional data of the target device is collected using the reconstructed kernel protocol stack, the method further comprises acquiring the original kernel protocol stack of the operating system of the target device, wherein the original kernel protocol stack defines the set of operation functions for stream sockets in the IPv4 address family, and modifying the original kernel protocol stack through hooking to build a customized communication security enhancement system for stream-oriented communication behaviour in the IPv4 address family. Optionally, before acquiring the original kernel protocol stack of the operating system of the target device, the method further comprises initializing the target device, creating a device node for the target device, and implementing the corresponding ioctl interface, wherein the ioctl interface receives and processes policy configuration and management instructions from user space.
Optionally, modifying the original kernel protocol stack through hooking comprises: reconstructing the inet_stream_connect interface of the socket operation layer structure in the original kernel protocol stack, embedding policy checking and trust score verification logic before a TCP connection is initiated; reconstructing the inet_accept interface of the socket operation layer structure in the original kernel protocol stack, implementing peer identity verification, security policy matching and trust score verification logic in the connection acceptance stage; reconstructing the inet_sendmsg interface of the socket operation layer structure in the original kernel protocol stack, integrating trust score verification logic and real-time encryption with a self-synchronizing stream cipher algorithm into the data sending process; reconstructing the inet_recvmsg interface of the socket operation layer structure in the original kernel protocol stack, integrating trust score verification logic and real-time decryption into the data receiving process and verifying the integrity and legitimacy of the communication data; reconstructing the inet_release interface of the socket operation layer structure in the original kernel protocol stack, safely cleaning up the related context resources when the connection is released; and creating and activating a kernel timer through the timer_setup interface, so that the trust evaluation update task is triggered at fixed intervals. Optionally, the method further comprises the steps of obtaining conn_stream_hash linked list metadata of a socket