
CN119089500A - Safety control method and device, computer program product and electronic device - Google Patents


Info

Publication number
CN119089500A
Authority
CN
China
Prior art keywords
database
security
service request
plug
security plug
Prior art date
Legal status
Pending
Application number
CN202411205124.3A
Other languages
Chinese (zh)
Inventor
蒋帅
彭智
Current Assignee
Xi'an Tongxing Hengyao Information Technology Co ltd
Original Assignee
Jingdong Technology Information Technology Co Ltd


Classifications

All under G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING:

    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62)
    • G06F21/44: Program or device authentication (under G06F21/00 > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F21/604: Tools and structures for managing or administering access control systems (under G06F21/00 > G06F21/60 Protecting data)
    • G06F9/44526: Plug-ins; Add-ons (under G06F9/00 Arrangements for program control > G06F9/06 using stored programs > G06F9/44 Arrangements for executing specific programs > G06F9/445 Program loading or initiating > G06F9/44521 Dynamic linking or loading)
    • G06F9/544: Buffers; Shared memory; Pipes (under G06F9/00 > G06F9/06 > G06F9/46 Multiprogramming arrangements > G06F9/54 Interprogram communication)
    • G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices (under G06F2221/00 Indexing scheme relating to security arrangements > G06F2221/21)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure relates to the field of computer technology, and more particularly to a security control method and apparatus, a computer program product, and an electronic device. The security control method comprises: in response to the occurrence of a target event, loading a database security plug-in into shared memory on the server where the database is located, the database security plug-in being configured with a security rule file; obtaining a service request; parsing the service request; triggering the database security plug-in for the service request; checking the parse result of the service request against the security rule file of the database security plug-in; and controlling the service request according to the check result. The method and apparatus achieve finer-grained security control of the database without modifying the database itself, and avoid the performance loss that security control otherwise incurs.

Description

Security control method and device, computer program product and electronic equipment
Technical Field
The present disclosure relates to the field of computer technology, and more particularly, to a security control method, a security control apparatus, a computer program product, and an electronic device.
Background
A database's native privilege control system governs user access by granting and revoking privileges, at object granularity: a user either has or does not have a privilege on a given database object, and roles created this way can end up able to execute system commands, which is a security risk. If the database kernel source is modified to implement security control, the modified database cannot easily track new versions of the open-source database, so the control cannot be iterated quickly as requirements change. If security-control agent (proxy) software is used to protect the database, database performance is always reduced, and a failure of the agent software can make the database unreachable. There is therefore a need for a method that achieves finer-grained security control of a database without modifying the database, and with reduced performance loss.
It should be noted that the information in the Background section above is provided only to aid understanding of the background of the present disclosure, and may therefore include information that does not constitute prior art already known to those of ordinary skill in the art.
Disclosure of Invention
The disclosure aims to provide a security control method and apparatus, a computer program product and an electronic device that, at a minimum, achieve finer-grained security control of a database without modifying the database, and avoid the performance loss that security control otherwise incurs.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to one aspect of the disclosure, a security control method is provided which includes: in response to the occurrence of a target event, loading a database security plug-in into shared memory on the server where the database is located, the database security plug-in being configured with a security rule file; obtaining a service request; parsing the service request and triggering the database security plug-in for the service request, so that the parse result of the service request is checked against the security rule file of the database security plug-in; and controlling the service request according to the check result.
In an exemplary embodiment of the disclosure, loading the database security plug-in into the shared memory on the server where the database is located in response to the occurrence of the target event includes: when the database is started or a database connection is established, loading the database security plug-in into the shared memory according to the configuration path of the database security plug-in given in a database configuration file, where the database security plug-in has been deployed in advance on the server where the database is located.
In an exemplary embodiment of the disclosure, the security rule file includes a built-in rule file of the database security plug-in, and loading the database security plug-in into the shared memory on the server where the database is located includes loading the built-in rule file of the database security plug-in into the shared memory.
In an exemplary embodiment of the present disclosure, the method further includes detecting whether the database security plug-in has a configurable external rule file and, if so, loading the external rule file into the shared memory according to the configuration path of the external rule file.
In one exemplary embodiment of the present disclosure, the method further includes updating the external rule file in response to a configuration operation on the external rule file, and configuring the updated external rule file into the database security plug-in.
In an exemplary embodiment of the disclosure, parsing the service request and triggering the database security plug-in for the service request, so as to check the parse result of the service request against the security rule file of the database security plug-in, includes: checking the syntactic validity of the service request with a parser; if the syntax of the service request is valid, parsing the service request and generating a parse tree from the parse result; and performing a security check on the parse tree using the security rule file of the database security plug-in.
In an exemplary embodiment of the disclosure, loading the database security plug-in into the shared memory on the server where the database is located further includes performing a security verification of the database security plug-in itself, and loading the database security plug-in into the shared memory on the server where the database is located only if it passes the security verification.
In an exemplary embodiment of the disclosure, if the database security plug-in fails the security verification, a backup configuration file of the database security plug-in is obtained from the server, and the database security plug-in is loaded into the shared memory according to the backup configuration file.
According to one aspect of the disclosure, a security control device is provided, comprising a loading module, a security check module and a control module. The loading module is configured to load a database security plug-in into shared memory on the server where a database is located in response to the occurrence of a target event, the database security plug-in being configured with a security rule file; the security check module is configured to obtain a service request, parse the service request and trigger the database security plug-in for the service request, so that the parse result of the service request is checked against the security rule file of the database security plug-in; and the control module is configured to control the service request according to the check result.
According to one aspect of the present disclosure, there is provided a computer program product comprising a computer program which, when executed by a processor, implements the method of any of the above.
According to one aspect of the disclosure, there is provided an electronic device comprising a processor and a memory for storing executable instructions of the processor, wherein the processor is configured to perform the method of any one of the above via execution of the executable instructions.
According to the security control method of the exemplary embodiment of the disclosure, in response to the occurrence of a target event a database security plug-in is loaded into shared memory on the server where the database is located; a service request is obtained and parsed; the database security plug-in is triggered for the service request; the parse result of the service request is checked against the security rule file of the database security plug-in; and the service request is controlled according to the check result. First, compared with the database's native privilege control system, the method checks the parse result of the service request with the plug-in loaded into shared memory, so the security check operates at a finer granularity than object level, improving the accuracy of security control. Second, because the parse result is checked by a plug-in, the change to the open-source code base is small, plug-ins can be adapted to different database versions, and the plug-in can be combined with the native control system, so applicability is high. Third, because the rules live in the plug-in's security rule file, the service request is not parsed or audited by an external application or service, which reduces the performance loss caused by security control and avoids the injection risks that external security control introduces.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above, as well as additional purposes, features, and advantages of exemplary embodiments of the present disclosure will become readily apparent from the following detailed description when read in conjunction with the accompanying drawings. In the drawings, several embodiments of the present disclosure are shown by way of example and not by way of limitation.
Fig. 1 illustrates a system architecture diagram according to an exemplary embodiment of the present disclosure.
Fig. 2 shows a flowchart of a security control method according to an exemplary embodiment of the present disclosure.
FIG. 3 illustrates a flowchart of one implementation of loading an external rule file, according to an exemplary embodiment of the present disclosure.
FIG. 4 illustrates a flowchart of an implementation of updating the security rule file of a database security plug-in, according to an exemplary embodiment of the present disclosure.
Fig. 5 illustrates a flowchart of one implementation of checking the parse result of a service request according to an exemplary embodiment of the present disclosure.
FIG. 6 illustrates a flowchart of an implementation of security-verifying the database security plug-in according to an exemplary embodiment of the present disclosure.
Fig. 7 illustrates yet another system architecture diagram according to an exemplary embodiment of the present disclosure.
Fig. 8 shows a complete flowchart of a security control method according to an exemplary embodiment of the present disclosure.
Fig. 9 shows a schematic composition diagram of a security control device according to an exemplary embodiment of the present disclosure.
Fig. 10 shows a block diagram of an electronic device according to an exemplary embodiment of the present disclosure.
In the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
Detailed Description
Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many different forms and should not be construed as limited to the examples set forth herein, but rather, these examples are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the exemplary embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar structures, and thus detailed descriptions thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the disclosed aspects may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known structures, methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in software, in one or more modules combining software and hardware, or in different networks and/or processor devices and/or microcontroller devices.
Existing database security control approaches have the defects set out in the Background: the database's native privilege control system grants and revokes privileges at object granularity, a user either has or does not have a privilege on a database object, and roles created this way can end up able to execute system commands, which is a security risk; modifying the database kernel source to implement security control makes it hard to track new versions of the open-source database, so the control cannot be iterated quickly as requirements change; and protecting the database with security-control agent software always costs database performance, while a failure of the agent can make the database unreachable.
Fig. 1 shows a system architecture diagram of an exemplary embodiment of the present disclosure. As shown in fig. 1, the database security plug-in and its external configuration file (if any) are stored on the server where the database is located, so that the database security plug-in can be loaded into the shared memory of that database when the target event occurs.
The database security plug-in is a tool or application program for maintaining database security. As shown in fig. 1, in the exemplary embodiment the database security plug-in interacts with the parser: the database's parser parses a service request (such as an SQL (Structured Query Language) statement) and passes the parse result to the database security plug-in, which checks it. This check operates on the parse result of the service request, a finer granularity than object-level checks such as password verification or authentication when a database connection is established or a query is processed.
Referring to fig. 2, a flowchart of a security control method of an exemplary embodiment of the present disclosure is shown. As shown in fig. 2, the security control method includes steps S210 to S230, as follows:
In step S210, in response to the occurrence of the target event, the database security plug-in is loaded into the shared memory on the server where the database resides.
In an exemplary embodiment of the present disclosure, the target event is an event that triggers loading of the database security plug-in; it may be database start-up or the establishment of a database connection. Loading the plug-in into the server's shared memory when the database starts gives global security control: a plug-in loaded this way security-checks every service request. Loading the plug-in into shared memory when a database connection is established gives local (per-connection) security control.
As an example, in PostgreSQL each client connection is served by its own backend process, so when the plug-in is loaded at the time a connection between a client and the database is established, it takes effect only for the data interaction between that client and the database.
It should be appreciated that exemplary embodiments of the present disclosure may determine the type of the target event according to actual needs, without limitation.
The database security plug-in is configured with a security rule file: the rule file used to security-check a service request when the plug-in is triggered, containing the concrete rule content. For example, rules may be keyed on the SQL statement type, function names, condition clauses and so on: the security rule file may forbid a user from executing system commands, from reading server files, or from executing a DELETE statement that has no WHERE clause. Exemplary embodiments may configure the security rule file according to actual requirements, in order to check service requests at a finer granularity.
It should also be understood that checking the service request against the security rule file can implement either interception or privilege control of the request: based on the check result the request can be rejected outright, or some or all of the privileges involved in the request can be restricted, as configured for the actual requirements.
In step S220, a service request is obtained and parsed, and the database security plug-in is triggered for the service request, so that the parse result of the service request is checked against the security rule file of the database security plug-in.
In an exemplary embodiment of the present disclosure, the service request may be a request to read, store or delete data, and parsing the service request means decomposing the input request (e.g., an SQL statement) into syntactic elements and converting them into the database's internal data structures, from which an executable query plan is eventually generated; the security rule file of the database security plug-in performs its fine-grained check on this parse result.
In an alternative embodiment, the database security plug-in may be implemented as hook functions. A hook is a callback that, once enabled, is invoked when a particular event occurs: the hook is registered with the system through a system call so that it runs ahead of the program's normal processing and can inspect and modify the information being passed to the program. Whenever a matching message is emitted, the hook receives it before it reaches its destination, i.e. the hook gains control first; it may then process (change) the message, pass it on unchanged, or terminate its delivery. In the exemplary embodiment of the disclosure, the database security plug-in is implemented with hook functions, compiled into a binary file and deployed on the server where the database is located, so that after a service request is obtained and parsed, the parse result is security-checked before the request is passed on to its destination (such as the database's planner and executor), allowing the request to be intercepted or its privileges controlled.
In step S230, the service request is controlled according to the verification result.
In an exemplary embodiment of the present disclosure, based on the check result for the parse result of the service request, either the parse result is passed on for partial or full execution, or an error message is returned.
According to the security control method of the exemplary embodiment of the disclosure: first, compared with the database's native privilege control system, the method checks the parse result of the service request with the plug-in loaded into shared memory, so the security check operates at a finer granularity than object level, improving the accuracy of security control. Second, because the parse result is checked by a plug-in, the change to the open-source code base is small, plug-ins can be adapted to different database versions, and the plug-in can be combined with the native control system, so applicability is high. Third, because the rules live in the plug-in's security rule file, the service request is not parsed or audited by an external application or service, which reduces the performance loss caused by security control and avoids the injection risks that external security control introduces.
In an exemplary embodiment, loading the database security plug-in into the shared memory on the server where the database resides in response to the occurrence of the target event comprises:
When the database is started or a database connection is established, the database security plug-in is loaded into the shared memory according to the configuration path of the database security plug-in given in the database configuration file, the plug-in having been deployed in advance on the server where the database is located.
The loading of the database security plug-in is thus driven by database configuration: the plug-in's library name is placed in the database configuration file's library-loading setting, so that when the plug-in is triggered the corresponding file is loaded from that path.
Taking PostgreSQL as an example, the plug-in library name "security" is configured in the postgresql.conf file: "shared_preload_libraries = 'security'" loads the plug-in when the database starts, and "local_preload_libraries = 'security'" loads it when a database connection is established (these are PostgreSQL's actual parameter names; note that local_preload_libraries only loads libraries installed in the plugins subdirectory of the installation's library directory, which is what stops an ordinary user from pulling in arbitrary code, and that shared_preload_libraries only takes effect on a server restart). Which setting and which configuration file to use depends on the database type and the layout of its configuration file.
In some alternative embodiments, when the database connection is established the service request type is additionally determined from the service request, and whether the connecting client needs the database security plug-in loaded is decided according to that type, so that database security control is more targeted and flexible.
As an example, when client A establishes a connection with the database and the database configuration file indicates that client A's client type requires the database security plug-in, the plug-in is loaded into shared memory according to the configuration path in the database configuration file, so that client A's service requests are security-checked during its data interaction with the database. Conversely, if the database configuration file indicates that client B's client type does not require the plug-in, client B's service requests are passed on normally.
In an exemplary embodiment, the security rule file configured for the database security plug-in includes a built-in rule file, i.e. the plug-in's intrinsic rules; optionally, every service request must be security-checked against the built-in rule file.
Accordingly, loading the database security plug-in into the shared memory on the server where the database is located includes loading the plug-in's built-in rule file into the shared memory.
Specifically, whether the target event is database start-up or establishment of a database connection, the built-in rule file is loaded into shared memory; loading this mandatory built-in rule file guarantees a baseline of security for service requests.
The built-in rule file may be configured according to the database type, the types of service request the database receives, and so on, without particular limitation.
In an exemplary embodiment, an implementation of loading an external rule file is also provided in view of flexible adjustment of the database security plug-in. As shown in fig. 3, the implementation may include:
Step S310, detecting whether the configurable external rule file exists in the database security plug-in.
Step S320, if the external rule file exists, the external rule file is loaded to the shared memory according to the configuration path of the external rule file.
In addition to the plug-in's mandatory built-in rule file, the method detects whether the database security plug-in has a configurable external rule file. Optionally, the external rule file may be checked as a blacklist: for example, it may forbid the user from executing the system cat command through "COPY cmd_exec FROM PROGRAM 'cat';", so that the external rule file prevents users from viewing sensitive files on the server. (In PostgreSQL, COPY ... FROM PROGRAM is already limited to superusers and members of pg_execute_server_program; the value of such a rule is that it constrains even those privileged roles.) The checking method of the external rule file may also be chosen according to information such as the database type, without particular limitation.
Detecting whether the plug-in has a configurable external rule file can be done by checking whether a configuration path for the external rule file exists, for example "service_path = 'rule_txt'"; if it does, the external rule file is loaded into shared memory according to that path. Otherwise, the parse result of the service request is security-checked against the built-in rule file only.
Because the external rule file is configurable, its content can be adjusted at any time according to actual requirements, so the checks performed by the database security plug-in can be customised and iterated quickly.
Specifically, FIG. 4 illustrates a flow chart of an implementation of updating the security rule file (here, the external rule file) of a database security plug-in, which may include:
Step S410, updating the external rule file in response to a configuration operation for the external rule file.
Step S420, configuring the updated external rule file in the database security plug-in.
The user can modify, add to or delete the external rule file according to actual requirements to obtain an updated external rule file. This configuration operation does not require an external application or service to analyze or audit the request statement of the service request. Configuring the updated external rule file in the database security plug-in means configuring the configuration path of the external rule file, so that when the database security plug-in is triggered, the updated external rule file is loaded into the shared memory according to that path. This reduces the performance loss caused by security control, avoids the injection risk introduced by external security control in the related art, and provides high security.
In some alternative embodiments, when the updated external rule file is configured in the database security plug-in in the scenario where the plug-in is loaded when the database is started, the database needs to be restarted for the updated external rule file to take effect.
In some optional embodiments, in the scenario where the database security plug-in is loaded when the database connection is established, after the updated external rule file is configured in the database security plug-in, the updated external rule file can take effect by resetting the session, so that rule configuration is highly flexible and system performance consumption is reduced.
In an exemplary embodiment, an implementation is provided for verifying the parsing result of a service request. As shown in fig. 5, parsing the service request and triggering the database security plug-in according to the service request, so as to verify the parsing result of the service request through the security rule file of the database security plug-in, includes:
Step S510, verifying the syntactic validity of the service request through a parser.
The parser verifies the syntactic validity of the service request: it can check whether the syntactic structure of the request statement, the spelling of keywords and their usage are correct, and can identify potential errors for correction so as to ensure that the syntax of the service request is correct. The exemplary embodiments of the present disclosure are not limited to a specific manner of syntax checking.
Step S520, if the syntax of the service request is valid, parsing the service request and generating a parse tree according to the parsing result.
If the syntax of the service request is valid, the service request may be parsed by the parser, i.e. syntax parsing is performed. Parsing converts the sequence of lexical tokens into an abstract parse tree: the parser processes the tokens one by one according to a grammar specification (e.g. the SQL grammar specification) and constructs a parse tree with a hierarchical structure.
Step S530, performing a security check on the parse tree using the security rule file of the database security plug-in.
After the parse tree is obtained and the database security plug-in has been loaded into the shared memory, the security rule file can be used to perform the security check on the parse tree. The security rule file may be the built-in rule file and/or the external rule file; the corresponding rule file is loaded according to the actual situation.
The security rule file may include check contents keyed by SQL statement type, function name, conditional token and so on. For example, the rules may prohibit the user from executing system commands, prohibit the user from reading server files, prohibit executing a DELETE statement without a "where condition", and the like; the check contents are not particularly limited.
When the parse tree passes the security check, the corresponding service request can be executed and its result returned; otherwise, error information can be returned to intercept the service request or restrict part or all of its authority. Compared with the native authority control system of the database, which performs security control at the object level, the exemplary embodiment of the disclosure provides finer-grained security control.
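The rule check of steps S510 to S530, together with the built-in and external rule files of steps S310 and S320, is illustrated below by a small Python example. It is an added example, not code from the patent or from any product of the applicant; the statement shapes it accepts, the flat parse-tree layout, the rule-file syntax (`deny <kind> [<value>]`), the rule names, and the configuration key `service_path` (borrowed from the page's own example) are all assumptions of this example. The constructed external file denies the page's `COPY cmd_exec FROM PROGRAM 'cat';` statement and calls to the PostgreSQL function `pg_read_file` (the page names only the category, reading server files); the built-in rule denies DELETE without WHERE.

```python
import os
import re

# Leading keywords the toy parser accepts (S510 syntax check); assumption of this example.
STATEMENTS = {"SELECT", "INSERT", "UPDATE", "DELETE", "COPY"}
# Keywords that may precede "(" without being a function call.
NON_FUNCTION_KEYWORDS = {"SELECT", "FROM", "WHERE", "VALUES", "IN", "EXISTS", "AND", "OR", "NOT", "SET"}
# Rule kinds understood by both the built-in list and the external rule file.
RULE_KINDS = {"stmt", "func", "copy_program", "delete_without_where"}

# Built-in rule file, always loaded (S310): deny DELETE without a WHERE condition.
BUILTIN_RULES = [("delete_without_where", "")]

# Constructed external rule file in this example's own format: `deny <kind> [<value>]`.
EXAMPLE_RULE_FILE = """\
# blacklist, loaded only when the configured path exists (S320)
deny copy_program         # the page's example: COPY cmd_exec FROM PROGRAM 'cat';
deny func pg_read_file    # reading server files through a SQL function
"""

TOKEN_RE = re.compile(r"'[^']*'|\w+|[(),;*=<>.]|\S")


def parse(sql):
    """S510/S520: reject obviously invalid syntax, then build a small parse tree.

    The tree is a flat dict, far shallower than a real SQL parser's output, but it
    records the facts the rules inspect: statement type, called functions,
    presence of WHERE, and COPY ... PROGRAM.
    """
    tokens = TOKEN_RE.findall(sql)
    upper = [t.upper() for t in tokens]
    if not tokens or upper[0] not in STATEMENTS:
        raise SyntaxError("unknown or missing statement keyword")
    if upper.count("(") != upper.count(")"):
        raise SyntaxError("unbalanced parentheses")
    if upper[0] == "DELETE" and (len(upper) < 2 or upper[1] != "FROM"):
        raise SyntaxError("DELETE must be followed by FROM")
    if upper[0] == "COPY" and "FROM" not in upper and "TO" not in upper:
        raise SyntaxError("COPY needs a FROM or TO clause")
    functions = sorted({
        tokens[i].lower()
        for i in range(len(tokens) - 1)
        if tokens[i + 1] == "(" and re.fullmatch(r"\w+", tokens[i])
        and upper[i] not in NON_FUNCTION_KEYWORDS
    })
    return {
        "type": upper[0],
        "functions": functions,
        "has_where": "WHERE" in upper,
        "copy_program": upper[0] == "COPY" and "PROGRAM" in upper,
    }


def parse_rule_text(text):
    """Parse external rule text; a malformed line is an error, never silently skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() != "deny" or len(parts) not in (2, 3) or parts[1] not in RULE_KINDS:
            raise ValueError(f"external rule file line {lineno}: cannot parse {raw!r}")
        rules.append((parts[1], parts[2] if len(parts) == 3 else ""))
    return rules


def load_rules(config):
    """S310/S320: built-in rules always; external rules only if the configured path exists."""
    rules = list(BUILTIN_RULES)
    path = config.get("service_path")  # key name taken from the page's example
    if path and os.path.isfile(path):
        with open(path, encoding="utf-8") as fh:
            rules.extend(parse_rule_text(fh.read()))
    return rules


def check(tree, rules):
    """S530: evaluate every rule against the parse tree; return the rules that fire."""
    hits = []
    for kind, value in rules:
        if kind == "stmt" and tree["type"] == value.upper():
            hits.append((kind, value))
        elif kind == "func" and value.lower() in tree["functions"]:
            hits.append((kind, value))
        elif kind == "copy_program" and tree["copy_program"]:
            hits.append((kind, value))
        elif kind == "delete_without_where" and tree["type"] == "DELETE" and not tree["has_where"]:
            hits.append((kind, value))
    return hits


def control(sql, rules):
    """The control decision: ("execute", tree), ("reject", hits) or ("error", message)."""
    try:
        tree = parse(sql)
    except SyntaxError as exc:
        return ("error", str(exc))
    hits = check(tree, rules)
    return ("execute", tree) if not hits else ("reject", hits)
```

When `service_path` is absent or does not point to a file, `load_rules` returns the built-in rules only, which mirrors the page's fallback to the built-in rule file; a malformed rule line raises `ValueError`, so a damaged external file cannot silently disable a check. Writing `EXAMPLE_RULE_FILE` to a file named `rule_txt` and calling `control(sql, load_rules({"service_path": path}))` runs the whole S810 to S850 flow on one statement.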
In an exemplary embodiment, an implementation of verifying the database security plug-in itself is also provided: the plug-in form keeps the intrusion into the open-source code small, and the security threat introduced by loading the database security plug-in should also be avoided. As shown in fig. 6, loading the database security plug-in into the shared memory on the server where the database is located further includes:
Step S610, performing a security check on the database security plug-in.
Step S620, if the database security plug-in passes the security check, loading the database security plug-in into the shared memory on the server where the database is located.
The security check verifies whether the database security plug-in has been modified, for example by verifying whether the version of the database security plug-in at the configuration path in the database configuration file is consistent with the corresponding plug-in version number held by the server. As an example, when the database security plug-in is modified, its plug-in version number changes and no longer matches the plug-in version stored by the server; the plug-in version number is therefore obtained from the server and matched against the version of the database security plug-in, and a mismatch indicates that the database security plug-in has been modified.
Specifically, verification request information can be sent to the server to request the plug-in version number; the verification request information can be encrypted with a public key of the server, the verification response information of the server is obtained and decrypted using a private key of the database, and a request result is obtained that comprises at least the plug-in version number, so that the version of the database security plug-in is verified against the plug-in version number. The server can maintain a version number table of the database security plug-in and update the table whenever the database security plug-in is legitimately updated.
Performing the security check on the database security plug-in before it is loaded into the shared memory ensures the security and accuracy of the plug-in before the service request is verified, which further ensures the effectiveness of the security verification of the service request and realizes double protection.
Based on the foregoing exemplary embodiment, if the database security plug-in fails the security check, a backup configuration file of the database security plug-in is obtained from the server, and the database security plug-in is loaded into the shared memory according to the backup configuration file.
The request result returned by the server can also comprise a link address of the backup configuration file, so that the backup configuration file of the database security plug-in is obtained according to the link address and the plug-in is loaded into the shared memory according to it. When the server maintains the version number table of the database security plug-in, the link address of the backup configuration file can be maintained in the same table.
After the database security plug-in has been modified, the correct database security plug-in can still be loaded into the shared memory through the backup configuration file, so that the accuracy of the subsequent verification of the service request is ensured.
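The plug-in verification of steps S610 and S620 and the backup fallback of the embodiment above, as an added Python example that is not part of the patent or of any product of the applicant. Two substitutions are assumptions of this example: the page encrypts the request with the server's public key and decrypts the response with the database's private key, whereas this example authenticates both messages with an HMAC under a constructed pre-shared key (the Python standard library has no RSA); and the example also compares a SHA-256 digest of the plug-in bytes with the server's record in addition to the version number, which goes beyond the page's version-only comparison. The server table, plug-in name, version strings and backup link are constructed values.

```python
import hashlib
import hmac
import json
import secrets

# Constructed pre-shared key standing in for the page's public/private key pair.
VERIFY_KEY = b"constructed-verification-key"
PLUGIN_NAME = "db_security_plugin"  # constructed plug-in name


def make_server_table(plugin_bytes, version="1.4.2"):
    """Constructed server-side version number table; as on the page, the backup
    configuration file's link address is kept in the same table."""
    return {
        PLUGIN_NAME: {
            "version": version,
            "sha256": hashlib.sha256(plugin_bytes).hexdigest(),
            "backup_link": "https://plugin-backup.example/db_security_plugin.bak",
        }
    }


def _mac(body):
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(VERIFY_KEY, canonical, hashlib.sha256).hexdigest()


def _authentic(msg):
    return (isinstance(msg, dict) and "body" in msg and "mac" in msg
            and hmac.compare_digest(_mac(msg["body"]), msg["mac"]))


def server_handle(table, request):
    """Server side: answer a verification request with the plug-in version, digest
    and backup link (the page's request result); None if the request is not
    authentic or names an unknown plug-in."""
    if not _authentic(request):
        return None
    record = table.get(request["body"].get("plugin"))
    if record is None:
        return None
    body = dict(record, plugin=request["body"]["plugin"], nonce=request["body"]["nonce"])
    return {"body": body, "mac": _mac(body)}


def verify_plugin(table, local_version, local_bytes):
    """S610/S620 plus the fallback: ("load", None) when the local plug-in matches the
    server's record, ("load_backup", link) when it has been modified."""
    nonce = secrets.token_hex(8)  # ties the response to this request
    req_body = {"plugin": PLUGIN_NAME, "nonce": nonce}
    response = server_handle(table, {"body": req_body, "mac": _mac(req_body)})
    if response is None or not _authentic(response) or response["body"].get("nonce") != nonce:
        raise RuntimeError("verification response missing or not authentic")
    record = response["body"]
    version_ok = record["version"] == local_version
    # Digest comparison added on top of the page's version check: a modified
    # plug-in that kept its version string is still detected.
    digest_ok = hmac.compare_digest(record["sha256"], hashlib.sha256(local_bytes).hexdigest())
    if version_ok and digest_ok:
        return ("load", None)
    return ("load_backup", record["backup_link"])


if __name__ == "__main__":
    good = b"constructed plug-in bytes, release 1.4.2"
    table = make_server_table(good)
    print(verify_plugin(table, "1.4.2", good))
    print(verify_plugin(table, "1.4.2", good + b"\x00"))
    print(verify_plugin(table, "1.4.1", good))
```

The caller loads the plug-in from its configured path on `("load", None)` and fetches the backup configuration file from the returned link on `("load_backup", link)`; an unauthenticated or missing response is treated as a hard failure rather than as a pass, so a server that cannot be reached never results in an unverified plug-in being loaded.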
Fig. 7 illustrates yet another system architecture diagram of an exemplary embodiment of the present disclosure: the database security plug-in and the external configuration file (if any) may be stored on the server where the database resides, so that the database security plug-in is loaded into the shared memory on that server when the target event occurs. Fig. 8 is a complete flowchart of a security control method according to an exemplary embodiment of the present disclosure. With reference to figs. 7 and 8, the security control method is described below taking as an example the case in which the database security plug-in is loaded into the shared memory on the server where the database is located when a database connection is established.
Step S810, the client requests to establish a database connection with the database.
In response to establishment of the database connection, the database security plug-in is loaded into the shared memory on the server where the database is located, and the built-in rule file of the database security plug-in is loaded into the shared memory.
The database security plug-in can first be subjected to a security check; if it passes, it is loaded into the shared memory on the server where the database is located. If the database security plug-in fails the security check, the backup configuration file of the database security plug-in is obtained from the server, and the plug-in is loaded into the shared memory according to the backup configuration file.
Step S820, detecting whether the database security plug-in has a configurable external rule file.
If the external rule file exists, it is loaded into the shared memory according to its configuration path; otherwise, the process proceeds directly to step S830.
Step S830, verifying the syntactic validity of the service request through the parser.
If the syntax of the service request is valid, the process proceeds to step S840; otherwise, an error prompt message is returned.
Step S840, parsing the service request and generating a parse tree according to the parsing result.
Step S850, performing a security check on the parse tree using the security rule file of the database security plug-in.
The database security plug-in interacts with the parser: the parser of the database parses the service request and passes the parsing result to the database security plug-in for verification. When the parsing result passes the verification, it is sent on to the subsequent components (such as the planner and the executor) to execute the service request; otherwise, an error message is returned.
It should be noted that the specific contents of steps S810 to S850 have been described in the above exemplary embodiments and are not repeated here.
According to the security control method in the exemplary embodiment of the disclosure, in response to the occurrence of a target event, a database security plug-in is loaded into the shared memory on the server where the database is located; a service request is acquired and parsed; the database security plug-in is triggered according to the service request, and the parsing result of the service request is checked through the security rule file of the database security plug-in; and the service request is controlled according to the check result. On the one hand, compared with the native authority control system of a database, the parsing result of the service request can be verified by the database security plug-in loaded into the shared memory, so that the service request can be checked at a finer granularity and intercepted or have its authority limited; control is no longer restricted to the object level, and the accuracy of security control is improved. On the other hand, because the parsing result of the service request is checked in plug-in form, the intrusion into the open-source code is small, plug-ins of different versions can be adapted, the plug-in can be combined with the native control system, and applicability is high. Furthermore, by configuring the security rule file of the database security plug-in, the service request is analyzed or audited without depending on an external application or service, which reduces the performance loss caused by security control and avoids the injection-type attacks introduced by external security control.
In an exemplary embodiment of the present disclosure, a safety control device is also provided. Referring to fig. 9, the security control apparatus 900 may include a loading module 910, a security check module 920 and a control module 930. Specifically:
The loading module 910 is configured to load the database security plug-in into the shared memory on the server where the database is located in response to the occurrence of a target event, the database security plug-in being configured with a security rule file. The security check module 920 is configured to acquire a service request, parse the service request and trigger the database security plug-in according to the service request, so as to verify the parsing result of the service request through the security rule file of the database security plug-in. The control module 930 is configured to control the service request according to the verification result.
In an exemplary embodiment of the present disclosure, the loading module 910 is configured to load the database security plug-in into the shared memory, when the database is started or a database connection is established, according to the configuration path of the database security plug-in in the database configuration file, where the database security plug-in is configured in advance on the server where the database is located.
In one exemplary embodiment of the present disclosure, the security rule file comprises a built-in rule file of the database security plug-in, and the loading module 910 is configured to load the built-in rule file of the database security plug-in into the shared memory.
In an exemplary embodiment of the present disclosure, the loading module 910 is further configured to detect whether the database security plug-in has a configurable external rule file and, if so, to load the external rule file into the shared memory according to the configuration path of the external rule file.
In one exemplary embodiment of the present disclosure, the loading module 910 is further configured to update the external rule file in response to a configuration operation for the external rule file, and to configure the updated external rule file in the database security plug-in.
In an exemplary embodiment of the present disclosure, the security check module 920 is further configured to verify the syntactic validity of the service request through a parser, to parse the service request if its syntax is valid and generate a parse tree according to the parsing result, and to perform a security check on the parse tree using the security rule file of the database security plug-in.
In an exemplary embodiment of the present disclosure, the loading module 910 is further configured to perform a security check on the database security plug-in and, if the database security plug-in passes the security check, to load it into the shared memory on the server where the database is located.
In an exemplary embodiment of the present disclosure, the loading module 910 is further configured to obtain, if the database security plug-in fails the security check, a backup configuration file of the database security plug-in from the server, and to load the database security plug-in into the shared memory according to the backup configuration file.
Since the details of the respective functional modules of the safety control device of the exemplary embodiment of the present disclosure have been described in the exemplary embodiments of the safety control method above, a detailed description thereof is omitted here.
It should be noted that although several modules or units of the safety control device are mentioned in the above detailed description, this division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Exemplary embodiments of the present disclosure also provide a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the safety control method described above.
In one embodiment, the computer program product may be a tangible product comprising a computer program, such as a computer-readable storage medium having the computer program stored thereon. The readable storage medium may be a storage medium based on electric, magnetic, optical, electromagnetic, infrared or similar signals, including but not limited to Random Access Memory (RAM), Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory (Flash), mechanical hard disk (HDD), Solid State Disk (SSD), etc. By way of example, the computer program product may be embodied as a non-volatile storage medium, such as read-only memory or NAND flash memory (NAND FLASH), in which the computer program is stored.
In one embodiment, the computer program product may be an intangible product containing a computer program. By way of example, the computer program product may be embodied as a virtual digital product, such as a digital file, an executable file storing a computer program, an installation package, or the like.
The code of the computer program may be written in one or more programming languages, such as C, Java, C++, etc. The program code may execute entirely on the user's computing device, partly on the user's computing device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user's computing device through any kind of network, such as a Local Area Network (LAN) or Wide Area Network (WAN), or may be connected to an external computing device (e.g. via an Internet connection provided by an operator).
The computer program may be carried or transmitted by signals of electronic, magnetic, optical, electromagnetic, infrared, etc. The electronic device may convert a signal carrying the computer program into a digital signal, thereby running the computer program. When the computer program runs on an electronic device, its code is for causing the electronic device to execute (more specifically, the processor of the electronic device may be caused to execute) the method steps of the various exemplary embodiments of the present disclosure, as may be performed by the security control method described above.
In addition, in an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided. Those skilled in the art will appreciate that the various aspects of the present disclosure may be implemented as a system, method, or program product. Accordingly, aspects of the present disclosure may be embodied in the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, micro-code, etc.) or an embodiment combining hardware and software aspects, which may be referred to herein generally as a "circuit," "module," or "system."
An electronic device 1000 according to such an embodiment of the present disclosure is described below with reference to fig. 10. The electronic device 1000 shown in fig. 10 is merely an example and should not be construed as limiting the functionality and scope of use of the disclosed embodiments.
As shown in fig. 10, the electronic device 1000 is embodied in the form of a general-purpose computing device. The components of the electronic device 1000 may include, but are not limited to, at least one processing unit 1010, at least one memory unit 1020, a bus 1030 connecting the various system components (including the memory unit 1020 and the processing unit 1010), and a display unit 1040.
The memory unit 1020 stores program code that is executable by the processing unit 1010, such that the processing unit 1010 performs the steps according to the various exemplary embodiments of the present disclosure described in the "exemplary methods" section of this specification.
The memory unit 1020 may include readable media in the form of volatile memory units, such as Random Access Memory (RAM) 1021 and/or cache memory unit 1022, and may further include Read-Only Memory (ROM) 1023.
The memory unit 1020 may also include a program/utility 1024 having a set (at least one) of program modules 1025, such program modules 1025 including, but not limited to, an operating system, one or more application programs, other program modules and program data; each of these, or some combination of them, may include an implementation of a network environment.
Bus 1030 may represent one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 1000 can also communicate with one or more external devices 1100 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 1000, and/or with any device (e.g., router, modem, etc.) that enables the electronic device 1000 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 1050. Also, electronic device 1000 can communicate with one or more networks such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the Internet, through network adapter 1060. As shown, the network adapter 1060 communicates with other modules of the electronic device 1000 over the bus 1030. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with the electronic device 1000, including, but not limited to, microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
From the above description of embodiments, those skilled in the art will readily appreciate that the example embodiments described herein may be implemented in software, or in combination with the necessary hardware. Thus, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disk, a mobile hard disk, etc.) or on a network, and includes several instructions to cause a computing device (may be a personal computer, a server, a terminal device, or a network device, etc.) to perform the method according to the embodiments of the present disclosure.
Furthermore, the above-described figures are only schematic illustrations of processes included in the method according to the exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following its general principles and including such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with the true scope and spirit of the disclosure being indicated by the following claims.

Claims (11)

1. A safety control method, comprising: in response to the occurrence of a target event, loading a database security plug-in into a shared memory on a server where the database is located, wherein the database security plug-in is configured with a security rule file; obtaining a service request, parsing the service request, and triggering the database security plug-in according to the service request so as to verify the parsing result of the service request through the security rule file of the database security plug-in; and controlling the service request according to the verification result.
2. The method according to claim 1, wherein, in response to the occurrence of the target event, loading the database security plug-in into the shared memory on the server where the database is located comprises: when starting the database or establishing a database connection, loading the database security plug-in into the shared memory according to the configuration path of the database security plug-in in the database configuration file; wherein the database security plug-in is pre-configured on the server where the database is located.
3. The method according to claim 1, wherein the security rule file comprises a built-in rule file of the database security plug-in, and loading the database security plug-in into the shared memory on the server where the database is located comprises: loading the built-in rule file of the database security plug-in into the shared memory.
4. The method according to claim 3, further comprising: detecting whether the database security plug-in has a configurable external rule file; and if an external rule file exists, loading the external rule file into the shared memory according to the configuration path of the external rule file.
5. The method according to claim 4, further comprising: in response to a configuration operation on the external rule file, updating the external rule file; and configuring the updated external rule file in the database security plug-in.
6. The method according to claim 1, wherein parsing the service request and triggering the database security plug-in according to the service request so as to verify the parsing result of the service request through the security rule file of the database security plug-in comprises: verifying the syntactic validity of the service request through a parser; if the syntax of the service request is valid, parsing the service request and generating a parse tree according to the parsing result; and performing a security check on the parse tree using the security rule file of the database security plug-in.
7. The method according to any one of claims 1 to 6, wherein loading the database security plug-in into the shared memory on the server where the database is located further comprises: performing a security check on the database security plug-in; and if the database security plug-in passes the security check, loading the database security plug-in into the shared memory on the server where the database is located.
8. The method according to claim 7, wherein, if the database security plug-in fails the security check, a backup configuration file of the database security plug-in is obtained from the server; and the database security plug-in is loaded into the shared memory according to the backup configuration file.
9. A safety control device, comprising: a loading module, configured to load, in response to the occurrence of a target event, a database security plug-in into a shared memory on a server where the database is located, wherein the database security plug-in is configured with a security rule file; a security verification module, configured to obtain a service request, parse the service request, and trigger the database security plug-in according to the service request so as to verify the parsing result of the service request through the security rule file of the database security plug-in; and a control module, configured to control the service request according to the verification result.
10. A computer program product, comprising a computer program, wherein, when the computer program is executed by a processor, the method according to any one of claims 1 to 8 is implemented.
11. An electronic device, comprising: a processor; and a memory, configured to store executable instructions of the processor; wherein the processor is configured to perform the method according to any one of claims 1 to 8 by executing the executable instructions.
CN202411205124.3A 2024-08-29 2024-08-29 Safety control method and device, computer program product and electronic device Pending CN119089500A (en)


Publications (1)

Publication Number Publication Date
CN119089500A true CN119089500A (en) 2024-12-06

Family

ID=93698737

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411205124.3A Pending CN119089500A (en) 2024-08-29 2024-08-29 Safety control method and device, computer program product and electronic device

Country Status (1)

Country Link
CN (1) CN119089500A (en)

Similar Documents

Publication Publication Date Title
RU2568295C2 (en) System and method for temporary protection of operating system of hardware and software from vulnerable applications
US9569602B2 (en) Mechanism for enforcing user-specific and device-specific security constraints in an isolated execution environment on a device
KR101280048B1 (en) Anti-hack protection to restrict installation of operating systems and other software
US11620179B1 (en) Method, apparatus, device, storage medium and program product for log information processing
CN111143816A (en) Verification and authorization method and verification server
CN110333868B (en) Method and system for generating installation packages of sub-applications
US20130007470A1 (en) Secure hosted execution architecture
CN111475795A (en) Method and device for unified authentication and authorization facing to multiple applications
CN102804194A (en) Method, Apparatus, And Computer Program For Providing Application Security
US10853473B2 (en) Enforcing trusted application settings for shared code libraries
CN113239308B (en) A page access method, device, equipment and storage medium
CN111966422B (en) A localized plug-in service method, device, electronic device and storage medium
US11496304B2 (en) Information processing device, information processing method, and storage medium
US12248575B2 (en) System and method for monitoring delivery of messages passed between processes from different operating systems
US12141269B2 (en) System and method for building a security monitor
US20240323032A1 (en) Commit signing service
CN114048506A (en) Application control method, device, equipment and storage medium
CN119089500A (en) Safety control method and device, computer program product and electronic device
CN111222122A (en) Application authority management method and device and embedded equipment
CN119066635A (en) Data processing method, device, electronic device and storage medium
CN109857488B (en) Application program call control method and device, terminal and readable storage medium
US9519759B2 (en) Secure access to programming data
US20200401561A1 (en) Method, device, and computer program product for managing data object
US20250258921A1 (en) System and Method for Automated Whitelisting Prior to Installation
US12348522B2 (en) Extended security scheme for reducing the prevalence of broken object level authorization

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20250821

Address after: 710076 Shaanxi Province, Xi'an City, High-tech Development Zone, Tangu 8th Road, No. 156, Xi'an Software Park R&D Base Phase II, Building C2, Room 1302

Applicant after: Xi'an Tongxing Hengyao Information Technology Co.,Ltd.

Country or region after: China

Address before: 100176 6 6th Floor 601, No. 2 Building, 18 Kechuang 11th Street, Beijing Daxing District, Beijing Economic and Technological Development Zone

Applicant before: Jingdong Technology Information Technology Co.,Ltd.

Country or region before: China