CN-122020635-A - Sandbox development method, system, equipment and storage medium based on layered isolation

Abstract

The invention relates to the technical field of data security and privacy computation, in particular to a sandbox development method, system, equipment and storage medium based on layered isolation, which comprises the steps of obtaining original data, and constructing development configuration data based on the original data; the method comprises the steps of carrying out an instantiation of an initial sandbox based on development configuration data, constructing a sandbox model, loading a running environment in a trusted data space based on the sandbox model, constructing a physically isolated application sandbox, executing controlled data access based on the application sandbox, and configuring key decryption and field decryption in the application sandbox. The invention realizes the physical isolation operation of the development state and the operation state in the trusted data space, and avoids the mutual access of the data and the program in different stages, thereby ensuring that the safety boundary of each stage is not broken through.

Inventors

• LI YANG
• LUO QINGCAI
• ZHAO YIFEI
• QI GUANGPENG
• SHANG GUANGYONG

Assignees

• 浪潮云洲工业互联网有限公司

Dates

Publication Date

20260512

Application Date

20251210

Claims (10)

1. 1. The sandbox development method based on layered isolation is characterized by comprising the following steps of: Acquiring original data, and constructing development configuration data based on the original data; instantiating the initial sandbox based on development configuration data, and constructing a sandbox model; loading a running environment in a trusted data space based on a sandbox model, and constructing a physically isolated application sandbox; controlled data access is performed based on the application sandbox and key decryption and field decryption are configured within the application sandbox.
2. 2. The method of claim 1, wherein obtaining the raw data, constructing development configuration data based on the raw data, comprises: importing the original data into a trusted data space from a service database, extracting a field name, a field type, a field length and a data source identifier of the original data, and obtaining field data; Performing field authorization configuration on field data in a trusted data space, wherein the field authorization configuration comprises an allowed access field, an authorization time limit, a field sensitive attribute, an encryption identifier and an encryption algorithm type; determining a field needing encryption processing according to the encryption identification to obtain an encryption field; Based on the encryption identification and the encryption algorithm type, generating a random symmetric key ENCRYPTKEY, and encrypting ENCRYPTKEY by using a preset SM2 public key to obtain an encryption strategy; Generating an authorization identifier authId based on the encryption strategy and the field authorization configuration, and associating the encryption strategy with the authorization identifier authId to obtain a field access control rule; Development configuration data is derived based on the allowed access field, the encrypted identification, the encryption policy, and the field access control rules.
3. 3. The method of claim 2, wherein instantiating the initial sandbox based on the development configuration data, constructing the sandbox model, comprises: Constructing an initialization configuration environment according to the allowed access field, the encryption identifier, the encryption strategy and the field access control rule in the development configuration data; Distributing an isolation operation container for the initial sandbox, loading an allowed access field, shielding unauthorized fields, and enabling the encrypted fields to exist in a ciphertext form to obtain a sandbox instance; based on the sandbox instance, the allowed access field, the encrypted field and the field access control rule, coding, compiling and testing operations are executed in the isolated operation container, and a development operation result is obtained; Based on the development and operation results, the program files, model files, operation dependencies and operation parameters of the sandbox instance are encapsulated and bound with the authorization identifier authId to obtain the sandbox model associated with the authorization identifier authId.
4. 4. The method of claim 3, wherein building a physically isolated application sandbox based on the sandbox model to load the execution environment in the trusted data space comprises: Creating an application sandbox based on a sandbox model associated with the authorization identifier authId, wherein the application sandbox is deployed in a trusted data space in a physical isolation manner to obtain an application sandbox deployment environment; Loading a sandbox model based on an application sandbox deployment environment, wherein the loading process comprises a program file, a model file, an operation dependence and an operation parameter which are imported into the sandbox model, and a binding relation between the sandbox model and an authorization identifier authId is maintained in the loading process to obtain an operation loading configuration; constructing an operation environment of an application sandbox based on the operation loading configuration, wherein the operation environment comprises a program execution environment, a network isolation strategy and resource allocation parameters, and setting a unique call inlet for a sandbox model in the operation environment to obtain the operation environment configuration; Based on the running environment configuration, the application sandbox is physically isolated from the development sandbox, the sandbox instance and the development configuration data, so that the running environment configuration can independently run in the trusted data space, and the physically isolated application sandbox is obtained.
5. 5. The method of claim 4, wherein performing controlled data access based on the application sandbox and configuring key decryption and field decryption within the application sandbox comprises: receiving a data access request based on a physically isolated application sandbox, and inquiring a field access control rule according to an authorization identifier authId in the application sandbox to obtain an access control configuration; determining whether the target field is an encryption field based on the access control configuration, and reading an encryption policy associated with the authorization identifier authId for the encryption field, wherein the encryption policy comprises an encryption identifier, an encryption algorithm type and ENCRYPTKEY encrypted by an SM2 public key, so as to obtain decryption initialization information; Decrypting ENCRYPTKEY by using a preset SM2 private key in the application sandbox based on the decryption initialization information to obtain DECRYPTKEY, wherein DECRYPTKEY only exists in the application sandbox memory to obtain a key decryption result; Based on the key decryption result, performing field-level decryption on the encrypted field in the application sandbox according to the encryption algorithm type, wherein the performing process of field-level decryption does not write decryption data into a disk or transmit the decryption data to the outside of the application sandbox, so as to obtain a field decryption result; and based on the field decryption result, combining the field decryption result with the access result of the unencrypted field to form a controlled data access result, enabling the controlled data access result to be used in an isolation environment of the application sandbox, and preventing the controlled data access result from flowing back to the development sandbox or sandbox instance.
6. 6. The method of claim 5, further comprising the step of performing encryption comprising: performing field-level encryption on the original data corresponding to the encrypted field by adopting a symmetric encryption algorithm based on a field access control rule, wherein the symmetric encryption algorithm comprises SM4 or AES to obtain a field ciphertext; Carrying out asymmetric encryption on ENCRYPTKEY for symmetric encryption by using an SM2 public key based on field ciphertext to obtain a key encryption result; Writing the field ciphertext and the key encryption and decryption result into development configuration data and a sandbox example based on the key encryption result to obtain a development state ciphertext storage structure; Based on the development state ciphertext storage structure, only the field ciphertext and the encryption policy are allowed to be accessed in the development state, and the DECRYPTKEY or the field plaintext is not allowed to be accessed, so that the development state field access restriction configuration is obtained.
7. 7. The method of claim 5, further comprising the step of performing decryption, comprising: acquiring a key encryption result and a field ciphertext in the application sandbox according to the authorization identifier authId based on the development state ciphertext storage structure to obtain running state decryption preparation information; Decrypting ENCRYPTKEY by using a preset SM2 private key in the application sandbox based on the running state decryption preparation information to obtain DECRYPTKEY, and writing DECRYPTKEY into a session memory of the application sandbox to obtain running state key information; Performing field level decryption on the field ciphertext according to the corresponding symmetric encryption algorithm based on the running state key information to obtain a field decryption result; Based on the field decryption result, using field plaintext in an application sandbox for model reasoning, algorithm execution and business processing, and obtaining a controlled field use result without writing into a disk, recording a log and caching into a persistence space; And performing memory clearing on DECRYPTKEY and the field decryption result at the end of the session based on the controlled field use result to obtain a session clearing result.
8. 8. A sandbox development system based on hierarchical isolation, comprising: the configuration data construction module is used for acquiring the original data and constructing development configuration data based on the original data; The sandbox model building module is used for instantiating the initial sandbox based on development configuration data to build a sandbox model; the application sandbox construction module is used for loading a running environment in a trusted data space based on a sandbox model to construct a physically isolated application sandbox; and the decryption configuration module is used for executing controlled data access based on the application sandbox and configuring key decryption and field decryption in the application sandbox.
9. 9. An apparatus, comprising: a memory for storing a sandbox development program based on hierarchical isolation; A processor for implementing the steps of the sandbox development method based on hierarchical isolation as claimed in any one of claims 1 to 7 when executing the sandbox development program based on hierarchical isolation.
10. 10. A computer readable storage medium storing a computer program, characterized in that the readable storage medium has stored thereon a sandbox development program based on hierarchical isolation, which when executed by a processor implements the steps of the sandbox development method based on hierarchical isolation as claimed in any one of claims 1 to 7.

Description

Sandbox development method, system, equipment and storage medium based on layered isolation Technical Field The invention belongs to the technical field of data security and privacy computation, and particularly relates to a sandbox development method, system, equipment and storage medium based on layered isolation. Background With the continuous penetration of digital construction, industries such as finance, social security, medical treatment, government affairs, enterprises and the like accumulate a large amount of high-value data resources. If the data can be effectively shared, fused and utilized, sufficient data support is provided for risk control, business decision, intelligent service, innovation application and the like. However, in practical application, the data sharing generally has the problems of unclear responsibility, uncontrollable privacy, high inter-subject cooperation cost and the like, so that each unit prefers to store the data in a closed manner and is not willing to open to the outside under the condition of lacking security. The data is locked inside the respective institution for a long time, forming a typical "data island", severely limiting the release of the data value. In the prior art, the concept of a "data sandbox" has emerged in the industry. However, most of the existing data sandbox technologies serve inside a single organization, a trusted data flow link cannot be formed among a plurality of data providers, developers and operators, and a multi-main collaborative data sharing mechanism is lacking. In addition, most of the conventional sandboxes are of a single-layer structure, i.e., are configured, developed, tested and run simultaneously in the same environment. The structure has two obvious problems that firstly, a development environment is not effectively isolated from an operation environment, and once the development environment is subjected to misoperation, improper parameter configuration or security loopholes, the production state application can be directly influenced, secondly, a developer can still have the opportunity to touch part of real data in a sandbox, the risk of sensitive information leakage can not be fundamentally avoided, and the high-level data security requirement of 'usable invisible' can not be met. Meanwhile, the data protection mechanism of the existing sandbox technology is weak, and generally, data is encrypted integrally only by using a single algorithm, field level management and control cannot be realized, and fine authorization and dynamic access control cannot be performed on sensitive fields. The key management mechanism is not strict enough, the key security depends on single point storage, and once the key is revealed, the whole data set is exposed. In addition, most traditional sandboxes lack a trusted audit mechanism, record multi-dependent database logs of key steps such as data flow, authority application, application release, service call and the like, and the logs are easy to be tampered maliciously and difficult to be used as trusted evidence in a multi-subject environment, so that sufficient trust cannot be established for a data provider. Disclosure of Invention Aiming at the defects in the prior art, the invention provides a sandbox development method, system, equipment and storage medium based on layered isolation, so as to solve the technical problems. In a first aspect, the present invention provides a sandbox development method based on layered isolation, including: Acquiring original data, and constructing development configuration data based on the original data; instantiating the initial sandbox based on development configuration data, and constructing a sandbox model; loading a running environment in a trusted data space based on a sandbox model, and constructing a physically isolated application sandbox; controlled data access is performed based on the application sandbox and key decryption and field decryption are configured within the application sandbox. In an alternative embodiment, the obtaining of the raw data, the constructing of the development configuration data based on the raw data, includes: importing the original data into a trusted data space from a service database, extracting a field name, a field type, a field length and a data source identifier of the original data, and obtaining field data; Performing field authorization configuration on field data in a trusted data space, wherein the field authorization configuration comprises an allowed access field, an authorization time limit, a field sensitive attribute, an encryption identifier and an encryption algorithm type; determining a field needing encryption processing according to the encryption identification to obtain an encryption field; Based on the encryption identification and the encryption algorithm type, generating a random symmetric key ENCRYPTKEY, and encrypting ENCRYPTKEY by using a preset SM2 public key to obtain an encryption strat