CN111858114A - Equipment start exception handling method, device start control method, device and system
- Publication number: CN111858114A (application CN201910365274.3A)
- Authority: CN (China)
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0793—Remedial or corrective actions
- G06F11/0751—Error or fault detection not based on redundancy
Abstract
The invention discloses a device boot exception handling method and a device boot control method, apparatus and system. The method comprises the following steps: detecting a device boot exception during trusted measurement; identifying whether the device boot exception is caused by a predetermined cause; and, if so, controlling the device to handle the device boot exception in a manner corresponding to the predetermined cause, so as to ensure the security of the device's system and/or the device's normal processing of services.
    Description
Technical Field
      The invention relates to the field of secure computing, and in particular to a method, an apparatus and a system for handling device boot exceptions and for controlling device boot.
    Background
      As computer applications become more widespread and hardware attacks more rampant, the security (e.g., integrity assurance) of systems (also referred to here as platforms and systems) is receiving more and more attention. Measurement is a technical means of protecting the integrity of the platform and system: at some particular time, the target is measured to obtain some information about it (e.g., a hash value of a file), and that value is compared with a pre-recorded standard value to determine whether the integrity of the target has been compromised. Measurement is implemented on the basis of a trusted system, and at present there are two technologies related to the trusted system (also referred to as a platform and system), namely the Trusted Platform Control Module (TPCM) and the Trusted Platform Module (TPM). However, when a device boot exception is found while the platform and system integrity measurement is being computed, the measures taken by the two technologies are generally: either the boot is terminated, or an alarm is raised and the device is authorized to boot into a protection mode. This has the following disadvantages: for example, if the exception is due to a hacker attack and the device is booted in some protection mode, sensitive data may be leaked; if the exception is caused by configuration and booting is prohibited, service processing is affected. Therefore, in the related art, a device boot exception during trusted measurement cannot be handled according to its cause, which leaves the system insecure and affects normal service processing.
      In view of the above problems, no effective solution has been proposed.
    Disclosure of Invention
      Embodiments of the invention provide methods, apparatuses and a system for handling device boot exceptions and for controlling device boot, so as to solve at least the technical problem in the related art that, during trusted measurement, a device boot exception cannot be handled according to its cause, which leaves the system insecure and affects normal service processing.
      According to one aspect of the embodiments of the present invention, a device boot exception handling method is provided, including: detecting a device boot exception during trusted measurement; identifying whether the device boot exception is caused by a predetermined cause; and, if so, controlling the device to handle the device boot exception in a manner corresponding to the predetermined cause, so as to ensure the security of the device's system and/or the device's normal processing of services.
      According to another aspect of the embodiments of the present invention, a device boot control method is provided, including: measuring a device to be booted to obtain a measurement result; verifying whether the measurement result is normal; if the verification finds the measurement result abnormal, identifying whether the device boot exception is caused by a configuration anomaly of the system administrator; and, if the device boot exception is identified as caused by a configuration anomaly of the system administrator, controlling the device to boot normally after the system administrator's configuration has been updated to normal, and otherwise controlling the device to boot in an alarm protection mode or prohibiting it from booting.
      According to still another aspect of the embodiments of the present invention, a device boot control method is provided, including: a trusted measurement subject measures the device to be booted to obtain a measurement result; a trusted verification subject verifies whether the measurement result is normal; if the verification finds the measurement result abnormal, a trusted audit subject identifies whether the device boot exception is caused by a configuration anomaly of the system administrator; and, if the device boot exception is identified as caused by a configuration anomaly of the system administrator, a trusted control subject controls the device to boot normally after the system administrator's configuration has been updated to normal, and otherwise controls the device to boot in an alarm protection mode or prohibits it from booting.
      According to one aspect of the embodiments of the present invention, a device boot exception handling apparatus is provided, including: a detection module for detecting a device boot exception during trusted measurement; a first identification module for identifying whether the device boot exception is caused by a predetermined cause; and a first control module for controlling the device, if the identification result is yes, to handle the device boot exception in a manner corresponding to the predetermined cause, so as to ensure the security of the device's system and/or the device's normal processing of services.
      According to another aspect of the embodiments of the present invention, a device boot control apparatus is provided, including: a measurement module for measuring the device to be booted to obtain a measurement result; a verification module for verifying whether the measurement result is normal; a second identification module for identifying, if the verification finds the measurement result abnormal, whether the device boot exception is caused by a configuration anomaly of the system administrator; and a second control module for controlling the device, if the device boot exception is identified as caused by a configuration anomaly of the system administrator, to boot normally after the system administrator's configuration has been updated to normal, and otherwise controlling the device to boot in an alarm protection mode or prohibiting it from booting.
      According to still another aspect of the embodiments of the present invention, a device boot control system is provided, including a trusted measurement subject, a trusted verification subject, a trusted audit subject and a trusted control subject. The trusted measurement subject measures the device to be booted to obtain a measurement result; the trusted verification subject verifies whether the measurement result is normal; the trusted audit subject identifies, if the trusted verification subject finds the measurement result abnormal, whether the device boot exception is caused by a configuration anomaly of the system administrator; and the trusted control subject controls the device, if the trusted audit subject identifies the device boot exception as caused by a configuration anomaly of the system administrator, to boot normally after the system administrator's configuration has been updated to normal, and otherwise controls the device to boot in an alarm protection mode or prohibits it from booting.
      According to an aspect of the embodiments of the present invention, there is provided a storage medium storing a program, wherein the program, when executed by a processor, causes the processor to perform the method of any one of the above.
      According to an aspect of the embodiments of the present invention, there is provided a processor configured to execute a program, wherein the program is configured to cause the processor to perform the method according to any one of the above.
      According to an aspect of an embodiment of the present invention, there is provided a computer apparatus including: a memory and a processor, the memory storing a computer program; the processor is configured to execute the computer program stored in the memory, and the computer program causes the processor to perform any one of the above methods when the computer program runs.
      In the embodiments of the invention, a device boot exception is detected during trusted measurement; whether the device boot exception is caused by a predetermined cause is identified; and, if so, the device is controlled to handle the device boot exception in a manner corresponding to the predetermined cause, so as to ensure the security of the device's system and/or the device's normal processing of services. A device boot exception can thus be handled in a manner that corresponds to its predetermined cause, which achieves the technical effect of ensuring the security of the device's system and/or the device's normal processing of services, and solves the technical problem in the related art that, during trusted measurement, a device boot exception cannot be handled according to its cause, which leaves the system insecure and affects normal service processing.
    Drawings
      The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
      FIG. 1 is a diagram of a TPM device boot trust chain in the related art;
      FIG. 2 is a diagram of TPCM device boot trust chain transfer in the related art;
      FIG. 3 is a flowchart of a device boot exception handling method according to embodiment 1 of the present invention;
      FIG. 4 is a flowchart of device boot exception handling according to a preferred embodiment of the present invention;
      FIG. 5 is a flowchart of a device boot control method according to embodiment 2 of the present invention;
      FIG. 6 is a flowchart of a preferred device boot control method according to embodiment 2 of the present invention;
      FIG. 7 is a flowchart of a device abnormal boot control method according to a preferred embodiment of the present invention;
      FIG. 8 is a block diagram of a device boot exception handling apparatus according to embodiment 3 of the present invention;
      FIG. 9 is a block diagram of a device boot control apparatus according to embodiment 4 of the present invention;
      FIG. 10 is a block diagram of a device boot control system according to embodiment 5 of the present invention;
      FIG. 11 is a block diagram of a computer apparatus according to embodiment 6 of the present invention.
    Detailed Description
      In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
      It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. 
      First, some terms appearing in the description of the embodiments of the present application are explained as follows:
      System security: note that system security here is understood broadly, as the security of the entire execution environment, and may be understood as the security of the platform and the (specific) system. For example, it may mean that hardware and software platforms and systems such as the device's Basic Input Output System (BIOS), hardware firmware and operating system loader (OS Loader) are intact and legitimate. To describe the technical solution concretely, the following embodiments use "platform and system" as the example of the system.
      Trusted computing: Trusted Computing refers to the wide use, in computing and communication systems, of trusted computing platforms supported by hardware-based security modules, so as to improve the security of the whole system.
      Trusted Platform Module (TPM) / Trusted Platform Control Module (TPCM): security chips that provide integrity and authenticity assurance for evidence, typically strongly bound to a computing platform by physical means.
      Trusted measurement: at some particular time, the target is measured to obtain some information about it (e.g., a hash value of a file), and that value is compared with a pre-recorded standard value to determine whether the integrity of the target has been compromised.
      Measurement computation: the process of performing a measurement operation (e.g., a hash operation) on a measured object.
      Firmware: a program stored in hardware that cannot easily be changed; the term also refers to the underlying hardware in which such programs reside.
    Embodiment 1
      In the related art, there are at present two technologies related to a trusted system (also referred to as a platform and system), namely the Trusted Platform Control Module (TPCM) and the Trusted Platform Module (TPM). The TPM and TPCM boot measurement computations are described separately below.
      (1) TPM boot measurement computation
      The Trusted Platform Module (TPM) in the Trusted Computing Group (TCG) specification is the hardware root of trust of a trusted computing platform; the TPM is a security chip that provides protected secure storage and cryptographic operation capabilities. The TPM is physically attached to the computing platform and connected to the CPU via an external bus; on a PC platform, for example, it is fixed directly to the motherboard and connected via the LPC bus.
      The TCG specification defines trust (trusted) as follows: an entity always operates in a predictable manner toward a particular goal. The core mechanism of trusted computing is to construct a trusted computing environment through a chain of trust: whether the currently running entity is trusted is established on the basis of whether the system's previous running stage was trusted. FIG. 1 is a diagram of a TPM device boot trust chain in the related art. As shown in FIG. 1, on the basis of this trust relationship, if the system starts from an initial root of trust, trust can be maintained by passing it on at each transition of the platform's computing environment. Each level on the computing platform thus authenticates the next and each level trusts the next, forming a chain of trust, so that the computing environment is always trusted and can be trusted by a local user or a remote entity.
      In the TCG specification, the measurement value of each item is stored in storage, and the extended value of the measurement is stored in a TPM register PCRi, where PCRi New = HASH(PCRi Old value || value to add).
      (2) TPCM boot measurement computation
      FIG. 2 is a diagram of TPCM device boot trust chain transfer in the related art. As shown in FIG. 2, the TPCM boot measurement computation flow includes the following steps:
      1) power on the TPCM and self-check whether the TPCM firmware is legitimate; if it is, go to step 2), otherwise shut down or raise an alarm;
      2) verify the BMC and the BIOS; if the verification passes, go to step 3), otherwise shut down or raise an alarm;
      3) power on the motherboard;
      4) verify the integrity of the platform; if the verification passes, go to step 5), otherwise shut down or raise an alarm;
      5) verify the OS loader; if the verification passes, go to step 6), otherwise shut down or raise an alarm;
      6) verify the OS kernel; if the verification passes, go to step 7), otherwise shut down or raise an alarm;
      7) dynamically measure and verify the vTPCM;
      8) dynamically measure and verify the application system.
      However, when a device boot exception is found while the platform and system integrity measurement is being computed, the measures taken by the two technologies are generally: either the boot is terminated, or an alarm is raised and the device is authorized to boot into a protection mode. Handling the exception in this way means that the device boot exception is not handled according to its cause, which leaves the system insecure and affects normal service processing. This is because the cause of the boot exception is not identified; for example, it is not identified whether the exception was caused by a hacker attack or by a wrong configuration made by the system administrator. Two kinds of problems may result: (1) because the real cause of the exception cannot be identified, if the exception is caused by a hacker but the system administrator ignores it, then authorizing a normal boot leaves sensitive data unprotected, while authorizing an alarm or a protection-mode boot means service continuity cannot be guaranteed; (2) because the real cause of the exception cannot be identified, if the exception is caused by a configuration anomaly of the system administrator but the system administrator mistakenly believes it is caused by a hacker and prohibits the device from booting, the normal operation of the service is delayed.
      Based on this, an embodiment of a device boot exception handling method is provided. The method embodiment provided in embodiment 1 of the present application may be executed in a mobile terminal, a computer terminal, or a similar measurement computing device. FIG. 3 is a flowchart of a device boot exception handling method according to embodiment 1 of the present invention. As shown in FIG. 3, the flow includes the following steps:
      Step S302: during trusted measurement, a device boot exception is detected.
      As an alternative embodiment, the executing entity may be a trusted audit subject, which determines that a device boot exception has occurred and identifies its cause. The trusted audit subject may be a standalone trusted audit subject or a functional entity attached to another physical device, and can be chosen flexibly as required.
      As an optional embodiment, during trusted measurement the hardware and the software of the device are measured separately. During device boot, if the measurement result shows that the device is not normal, for example when the measured hardware and/or software of the device is abnormal, the device boot can be considered abnormal.
      As an alternative embodiment, a device boot exception may be detected in a number of ways. For example, detection may be by comparison: when the hardware of the device is measured and the measurement result is inconsistent with a predetermined measurement result, the hardware measurement result is determined to be abnormal, and a device boot exception is therefore determined to have occurred. The software of the device can be checked by the same kind of comparison, which is not repeated here.
      Step S304: whether the device boot exception is caused by a predetermined cause is identified.
      As an alternative embodiment, a device boot exception may have many possible causes, and different causes may exhibit different characteristics, so when the cause of a device boot exception is identified, it can be determined from the characteristics that the exception exhibits.
      As an alternative embodiment, since a device boot exception may have many causes, the search can start from one particular cause: for example, whether the exception is caused by a predetermined cause is identified from some of the characteristics it exhibits. Note that the predetermined cause may be a common cause, a cause that readily leads to device boot exceptions, or a cause with a particular characteristic. Identifying the most probable cause first, out of the many possible causes, can improve the speed and accuracy of identification to some extent.
      Step S306: if the identification result is yes, the device is controlled to handle the device boot exception in a manner corresponding to the predetermined cause, so as to ensure the security of the device's system and/or the device's normal processing of services.
      As an optional embodiment, once the cause of the device boot exception has been determined, the exception can be handled in the manner that corresponds to that specific cause. For example, it may be determined whether the cause allows the device to continue booting and, if so, which boot mode corresponds to that cause. Whatever handling is chosen, the security of the system in which the device is located and/or the device's normal processing of services must be ensured. Note that system security here includes the hardware in the system being secure, the software of the system being secure, data stored in the system not being leaked, and so on. Normal processing of services by the device may likewise take several forms, for example ensuring service continuity or ensuring that the service is not delayed.
      As an alternative embodiment, during trusted measurement, device boot exceptions most commonly fall into two cases: exceptions caused by a hacker attack on the device, and exceptions caused by a configuration anomaly of the system administrator. Either of these two causes can be used as the predetermined cause in the above embodiments, so that it is checked first when determining the cause of the device boot exception.
      As an alternative embodiment, the predetermined cause of the device boot exception is a configuration anomaly of the system administrator. In that case, whether the device boot exception is caused by the predetermined cause can be identified in various ways, for example as follows: obtaining the operation behavior log of the system administrator; auditing, from the operation behavior log, whether any operation behavior of the system administrator exists; and, if the audit finds that no operation behavior of the system administrator exists, determining that the device boot exception is caused by some cause other than the predetermined cause. This approach is explained below.
      As an alternative embodiment, the operation behavior log of the system administrator may be obtained in various ways. The operation behavior log of the system administrator records the operations or configuration performed on the system, including their details. For example, when the system administrator updates or modifies the measurement policy of a device, the corresponding operation behavior log records the specific version updated to, the specific parameters modified, and so on. The operation behavior log of the system administrator is therefore important, and to keep it secure, only an authorized entity should store, view or retrieve it.
      As an optional embodiment, the operation behavior log of the system administrator may be obtained through the trusted module. For example, it may be obtained as follows: receiving the operation behavior log of the system administrator, encrypted by the trusted module with the encryption key of a public-private symmetric key; and decrypting the encrypted log with the decryption key corresponding to the public-private symmetric key to obtain the operation behavior log of the system administrator. Before the encrypted log is received, mutual identity confirmation can be performed with the trusted module, and only when both sides confirm each other as trusted is reception of the operation behavior log encrypted by the trusted module allowed.
      As an optional embodiment, the trusted module may use any of several encryption schemes when it sends the operation behavior log with the encryption key; on the premise that the trusted module is a reliable provider of the system administrator's operation behavior log, the encryption mainly serves to further secure the transmission. To reinforce the reliability of transmission, an encryption scheme with a public-private symmetric key of a higher security level can be chosen; that is, the encryption key used by the trusted module and the decryption key used to decrypt the operation behavior log after it is received are symmetric, which gives a higher level of transmission security.
      As an optional embodiment, when whether the operation behavior of the system administrator exists is audited according to the operation behavior log, since the operation behavior in the system management may include multiple types, when the audit does not exist, the audit can be performed on whether the multiple types of operation behaviors exist respectively. For example, auditing whether there is an operational behavior of a system administrator from the operational behavior log may include at least one of: auditing whether a system administrator has a login behavior; whether an auditing system administrator has configuration action on a measurement strategy of the credibility measurement; and auditing whether a system administrator has a configuration behavior of a verification strategy of the credibility measurement or not and whether the system administrator has an updating behavior of the firmware of the credibility measurement or not. 
      As an optional embodiment, when auditing whether the system administrator has a login behavior, if no login behavior of the system administrator exists, it can be directly determined that no operation behavior of the system administrator exists; when auditing whether the system administrator has a configuration behavior for the measurement strategy of the credibility measurement, whether that behavior exists can be determined according to whether the operation behavior log contains a configuration record for configuring the measurement strategy of the credibility measurement; when auditing whether the system administrator has a configuration behavior for the verification strategy of the credibility measurement, whether that behavior exists can likewise be determined according to whether the operation behavior log contains a configuration record for configuring the verification strategy of the credibility measurement; when auditing whether the system administrator has an updating behavior for the firmware of the credibility measurement, whether that behavior exists can be determined according to whether the operation behavior log contains an update record for updating the firmware of the credibility measurement.
      As an alternative embodiment, after auditing whether the operation behavior of the system administrator exists according to the operation behavior log, in the case that the audit result is that no operation behavior of the system administrator exists, it is determined that the device start-up abnormality is caused by a reason other than the predetermined reason. That is, if the audit result indicates that there is no operation behavior of the system administrator, it can be directly excluded that the abnormal start of the device is caused by the predetermined reason mentioned above; the abnormal start of the device is caused by a reason other than the predetermined reason.
      As an optional embodiment, after auditing whether the operation behavior of the system administrator exists according to the operation behavior log, the validity of the measured object in the credibility measurement process is audited in the case that the identification result is that the operation behavior of the system administrator exists; the abnormal starting of the equipment is determined to be caused by the predetermined reason in the case that the audit result is that the measured object in the credibility measurement process is legal; and/or the device start-up anomaly is determined to be caused by a reason other than the predetermined reason in the case that the audit result is that the measured object in the credibility measurement process is illegal. When the validity of the measured object in the credibility measurement process is audited, whether the strategy and the firmware of the measured object are the same as the standby strategy and the standby firmware can be audited, and if the audit result is that they are the same, the abnormal starting of the equipment is determined to be caused by the predetermined reason. For example, when the legitimacy of the device is measured, whether the software and/or hardware of the device is the same as the pre-stored standby software and/or hardware can be audited, and if the audit result is that they are the same, the abnormal starting of the device is determined to be caused by the predetermined reason.
Therefore, in the case that the identification result is that the operation behavior of the system administrator exists, if the measured object in the credibility measurement process is legal, the device boot exception is determined to be caused by a configuration exception of the system administrator; and in the case that the identification result is that the operation behavior of the system administrator exists, if the measured object in the credibility measurement process is illegal, the device boot exception can be determined not to be caused by a configuration exception of the system administrator, that is, it has another cause.
      As an alternative embodiment, when the predetermined reason is a configuration abnormality of the system administrator, the reasons other than the predetermined reason may include a hacker attack. In the case where the device start-up abnormality is caused by a configuration abnormality of the system administrator, controlling the device to process the device start-up abnormality in a manner corresponding to the predetermined reason includes: controlling the device to start normally after the abnormal configuration is modified into the normal configuration. In the case that the device boot exception is caused by a hacker attack, in this optional embodiment, the method further includes: controlling the device to process the device boot exception in a manner corresponding to the hacker attack, which comprises: controlling the device to start in an alarm protection mode, or prohibiting the device from starting.
      Through the embodiment, in the process of credibility measurement, the starting abnormality of the equipment is detected; whether the device start-up anomaly is caused by a predetermined cause is identified; and if the identification result is yes, the device is controlled to process the device start exception in a manner corresponding to the predetermined reason, to ensure the safety of the system where the device is located and/or normal processing of the service by the device. This achieves the purpose that, when a device start exception occurs, it can be processed in a manner corresponding to its predetermined reason, achieves the technical effect of ensuring the safety of the system where the device is located and/or normal processing of the service by the device, and solves the technical problem in the related technology that, in the process of credibility measurement, the system is not safe because an abnormal device start cannot be correspondingly processed, so that the normal processing of the service is influenced.
      In this embodiment, a preferred embodiment of a method for processing an exception at device start is further provided. In this preferred embodiment, it may be assumed that the system at least includes: a trusted measurement subject, a trusted verification subject, a trusted audit subject, a trusted control subject, and a system administrator (these subjects may be implemented by different entities or by the same entity). Any action by the system administrator is logged, e.g., the latest policy configuration or updated firmware is documented; the operation behavior log of the system administrator, the configured strategy and the updated firmware are all securely protected and can only be accessed with authorization.
      In a preferred embodiment of the present invention, a method for identifying whether a device boot exception is caused by a hacker or by a configuration exception of a system administrator is specifically provided. Fig. 4 is a flowchart of device boot exception handling provided in accordance with the preferred embodiment of the present invention. As shown in Fig. 4, the flowchart includes the following steps:
      1. An abnormal start is discovered in the starting process of the equipment;
      2. The trusted audit subject audits the operation behavior log of the system administrator;
      3. The trusted audit subject audits whether the system administrator has operation behavior; for example, the following method can be adopted:
      a. the trusted audit subject and the trusted module (namely the TPM/TPCM) mutually identify each other;
      b. if the mutual identification passes, the trusted module signs the operation behavior log with its private key, encrypts it with the public key of the trusted audit subject, and feeds it back to the trusted audit subject; otherwise, the communication is terminated;
      c. the trusted audit subject decrypts the encrypted operation behavior log and verifies the signature to confirm that the operation behavior log really comes from the trusted module;
      d. the trusted audit subject audits whether there is relevant operation behavior, such as: has the system administrator logged in recently? Is there a configuration behavior for the measurement policy or the verification policy? Is there firmware update activity? And the like (note: the method of the operation behavior audit is not limited). If there is none, go to step 6; otherwise, go to step 4.
      4. The trusted audit subject audits the validity of the strategy and firmware of the measured object;
      5. Does the audit judge them to be legal? The audit can adopt the following method: if the strategy and firmware of the measured object are the same as the standby strategy and firmware, go to step 7; otherwise, go to step 6;
      6. The device boot exception is caused by a hacker attack;
      7. The device boot exception is caused by a configuration exception of the system administrator.
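The Fig. 4 flow above, sketched in Python as an added example (it is not code from the patent). HMAC-SHA256 stands in for the trusted module's private-key signature and the encryption leg is left out; the record fields, action names, the `since` recency cutoff and the choice to treat an unauthenticated log as an attack are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. The patent has the trusted module sign the log with a
# private key; HMAC-SHA256 is a stand-in so the example needs only the stdlib.
LOG_AUTH_KEY = b"constructed-demo-key"

# Log actions counted as administrator operation behavior (step 3d).
# These names are hypothetical; the patent does not define a log format.
ADMIN_ACTIONS = {"login", "configure_measurement_policy",
                 "configure_verification_policy", "update_firmware"}

HACKER_ATTACK = "hacker attack"                                # step 6
ADMIN_CONFIG = "system administrator configuration exception"  # step 7

# Constructed sample log, as the trusted module might hold it.
SAMPLE_LOG = [
    {"time": 1000, "actor": "admin", "action": "login"},
    {"time": 1010, "actor": "admin", "action": "configure_measurement_policy"},
]


def seal_log(records, key=LOG_AUTH_KEY):
    """Trusted-module side (step 3b): serialize the log and tag it."""
    body = json.dumps(records, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def open_log(body, tag, key=LOG_AUTH_KEY):
    """Audit side (step 3c): accept the log only if its tag verifies."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("operation behavior log failed authenticity check")
    return json.loads(body)


def admin_behaviors(records, since):
    """Step 3d: administrator actions recorded at or after `since`."""
    return sorted({r["action"] for r in records
                   if r.get("actor") == "admin"
                   and r.get("action") in ADMIN_ACTIONS
                   and r.get("time", 0) >= since})


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def classify_boot_exception(body, tag, measured, standby, since):
    """Steps 2-7. `measured` and `standby` map 'policy' and 'firmware' to bytes."""
    try:
        records = open_log(body, tag)
    except ValueError:
        # Assumption: a log that cannot be authenticated is handled as an attack.
        return HACKER_ATTACK
    if not admin_behaviors(records, since):
        return HACKER_ATTACK                      # step 3d -> step 6
    # Steps 4-5: the measured strategy and firmware must equal the standby copies.
    same = all(hmac.compare_digest(digest(measured[k]), digest(standby[k]))
               for k in ("policy", "firmware"))
    return ADMIN_CONFIG if same else HACKER_ATTACK
```

Note that a recent administrator login alone never yields the administrator verdict: the measured strategy and firmware must also match the standby copies.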
      In the preferred embodiment, the trusted audit subject is introduced to audit the operation behavior of the system administrator, so as to identify whether the device boot exception is caused by a hacker or by a configuration exception from the system administrator. The specific reason for the device boot exception can thus be determined, a processing mode corresponding to that reason can be provided for the device, and the device boot exception can be processed.
    Example 2
      There is also provided, in accordance with an embodiment of the present invention, a method embodiment of an apparatus startup control method. It should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system, such as by a set of computer-executable instructions, and that, although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different from the one here.
      The method embodiment provided in embodiment 2 of the present application may be executed in a mobile terminal, a computer terminal, or a similar trusted computing device. Fig. 5 is a flowchart of an apparatus start-up control method according to embodiment 2 of the present invention, and as shown in Fig. 5, the flowchart includes the steps of:
      Step S502, measuring the equipment to be started to obtain a measurement result;
      As an alternative embodiment, the executing subject of the above steps may be a computer terminal, for example, a user terminal such as a smart phone, a mobile phone, a tablet computer, a notebook computer, a smart watch, etc. The execution subject of the above steps may be a separate chip for executing the trusted metrics, or may be a network device such as a server for executing the trusted metrics function.
      As an alternative embodiment, when measuring the device to be started, the hardware and/or software of the device to be started may be measured. The hardware of the device may include physical firmware of the device, for example, the hardware may be a video card, a memory, a processor, or the like; the software of the device may include system software of the device and application software of the device, for example, the system software may be software when the system runs, and the application software may be software corresponding to some applications used by the device. Measuring the device therefore yields measurement results covering the aspects above.
      Step S504, verify whether the measurement result is normal;
      As an alternative embodiment, since measuring the device may produce measurement results for multiple aspects, when verifying whether the measurement result of the device is normal, if the measurement result of any one aspect is abnormal, it may be determined that the measurement result of the device is abnormal. The measurement result of the equipment is confirmed to be normal only when the measurement results of all aspects of the equipment are normal.
      Step S506, under the condition that the verification result is that the measurement result is abnormal, identifying whether the equipment starting abnormality is caused by the configuration abnormality of a system administrator;
      As an alternative embodiment, in the case that the verification result is that the measurement result is abnormal, the cause of the device start-up abnormality is identified, for example, whether the device start-up abnormality is caused by a configuration abnormality of a system administrator is identified. Because a configuration abnormality of the administrator is more common and easier to find than other, more complicated abnormalities, preferentially ruling out or confirming that the abnormality is caused by a configuration abnormality of the system administrator can improve the identification efficiency to a certain extent and achieves effective control over the starting of the equipment.
      Step S508, if the identification result is that the device start abnormality is caused by the configuration abnormality of the system administrator, the device is controlled to start normally after the configuration of the system administrator has been updated to normal; otherwise, the device is controlled to start in an alarm protection mode or is prohibited from starting.
      As an optional embodiment, in a case that the identification result is that the device start abnormality is caused by a configuration abnormality of a system administrator, a notification may be sent to the system administrator to perform reconfiguration, so that after the configuration is normal, the device is controlled to start normally. It should be noted that, when a notification is sent to the system administrator for reconfiguration, an account and a password for the system administrator's login may be set before the system administrator performs the reconfiguration; when the input account and password are both correct, the identity of the system administrator is determined to be legal, and the system administrator is allowed to perform the reconfiguration. Verifying the identity of the system administrator with an account and a password improves the safety of configuring the equipment to a certain extent.
      As an alternative embodiment, in the case where the identification result is that the device start-up abnormality is not caused by a configuration abnormality of a system administrator, the device is controlled to start in the alarm protection mode or is prohibited from starting. It should be noted that starting in the alarm protection mode referred to herein may mean raising an alarm to notify a system administrator and then starting in the protection mode. The protection mode is an untrusted environment, but sensitive data on the device is protected, for example, the device is started with the sensitive data encrypted.
      As an alternative embodiment, identifying whether a device boot exception is caused by a configuration exception of a system administrator may be performed in a variety of ways, for example, in the following manner: firstly, calling an operation behavior log of a system administrator through a trusted module; and then, identifying whether the equipment starting abnormity is caused by the configuration abnormity of a system administrator according to the operation behavior log.
      As an optional embodiment, when the operation behavior log of the system administrator is called through the trusted module, the operation behavior log of the system administrator is sent to the trusted module, the trusted module may encrypt the operation behavior log of the system administrator by using the encryption key of the public-private symmetric key to obtain an encrypted operation behavior log of the system administrator, and then the trusted module transmits the encrypted operation behavior log of the system administrator to the call requester. It should be noted that before the trusted module transmits the encrypted operation behavior log of the system administrator to the call requester, the trusted module and the call requester may perform mutual identity confirmation, and communicate to transmit the operation behavior log of the system administrator only after the identity confirmation. After the call requester receives the encrypted operation behavior log of the system administrator, it decrypts the encrypted operation behavior log by using the decryption key corresponding to the encryption key of the public-private symmetric key to obtain the required operation behavior log. Transmitting the log in this encrypted form further ensures transmission security, on the premise that the provider of the operation behavior log is reliable.
      As an alternative embodiment, when identifying according to the operation behavior log whether the device boot abnormality is caused by a configuration abnormality of the system administrator, since the operation behavior log includes a plurality of operation behaviors of the system administrator, the identification may be made according to whether operation behaviors of the system administrator exist in the operation behavior log, for example, according to whether each of the several types of operation behavior is present in the log. For example, identifying whether the device boot exception is caused by a configuration exception of a system administrator from the operation behavior log may include at least one of: identifying whether the system administrator has a login behavior according to the operation behavior log, and determining that the device boot exception is caused by a configuration exception of the system administrator when the identification result is that the login behavior exists; identifying whether the system administrator has a configuration behavior for the measurement strategy of the credibility measurement according to the operation behavior log, and determining that the device boot exception is caused by a configuration exception of the system administrator when the identification result is that the configuration behavior for the measurement strategy of the credibility measurement exists; identifying whether the system administrator has a configuration behavior for the verification strategy of the credibility measurement according to the operation behavior log, and determining that the device boot exception is caused by a configuration exception of the system administrator when the identification result is that the configuration behavior for the verification strategy of the credibility measurement exists; and identifying whether the system administrator has an updating behavior for the firmware of the credibility measurement according to the operation behavior log, and determining that the device boot exception is caused by a configuration exception of the system administrator when the identification result is that the updating behavior for the firmware of the credibility measurement exists.
      As an optional embodiment, after identifying whether the device start-up exception is caused by a configuration exception of a system administrator, the method further includes: in the case that the identification result is that the device start-up exception is not caused by a configuration exception of the system administrator, determining that the device start-up exception is caused by a hacker attack, and controlling the device to start in an alarm protection mode or prohibiting it from starting.
      In this embodiment, a preferred device start-up control method is further provided. Fig. 6 is a flowchart of the preferred device start-up control method according to embodiment 2 of the present invention. As shown in Fig. 6, the flowchart includes the following steps:
      Step S602, the trusted measurement subject measures the equipment to be started to obtain a measurement result;
      Step S604, the trusted verification subject verifies whether the measurement result is normal;
      Step S606, under the condition that the verification result is that the measurement result is abnormal, the trusted audit subject identifies whether the equipment starting abnormality is caused by the configuration abnormality of the system administrator;
      Step S608, if the identification result is that the device start abnormality is caused by the configuration abnormality of the system administrator, the trusted control subject controls the device to start normally after the configuration of the system administrator has been updated to normal; otherwise, the device is controlled to start in the alarm protection mode or is prohibited from starting.
      As an optional embodiment, the above-mentioned trusted measurement subject, trusted verification subject, trusted audit subject and trusted control subject may exist separately in different hardware or software entities, or at least one of them may be integrated into one entity; that is, each of the above-mentioned subjects may exist separately or in an integrated form, and the specific form is not limited.
      Through the embodiment and the preferred embodiment, under the condition that the verification result is that the measurement result is abnormal, whether the equipment starting abnormity is caused by the configuration abnormity of the system administrator is identified; under the condition that the identification result is that the equipment starting abnormity is caused by the configuration abnormity of the system administrator, the equipment is controlled to start normally after the configuration of the system administrator has been updated to normal; otherwise, the equipment is controlled to start in the alarm protection mode or is prohibited from starting. In this way, when an equipment starting abnormity occurs, it can be processed in a mode corresponding to that abnormity, which achieves the technical effect of ensuring the safety of the system where the equipment is located and/or normal processing of the service by the equipment, and solves the technical problem in the related technology that, in the credibility measurement process, the system is unsafe, or normal processing of the service is affected, because an abnormal equipment start cannot be correspondingly processed.
      In a preferred embodiment of the present invention, there is further provided an apparatus abnormal starting control method. Fig. 7 is a flowchart of the apparatus abnormal starting control method in the preferred embodiment of the present invention. As shown in Fig. 7, the flowchart includes the following steps:
      1. The equipment is started;
      2. The firmware of the trusted module performs a self-check;
      3. Does the trusted module pass the self-check? If yes, go to step 4; otherwise, go to step 12;
      4. The trusted measurement subject (e.g., a trusted module or CPU) measures the measured object (e.g., software and/or hardware of the device, etc.);
      5. Does the trusted verification subject verify that the device measurement is normal? If it is normal, go to step 11; otherwise, go to step 6;
      6. The trusted audit subject calls the trusted module to audit the operation behavior log of the administrator;
      7. Is the abnormal start identified as caused by the administrator? If not, go to step 12; otherwise, go to step 8;
      8. The trusted control subject raises an alarm and notifies the administrator to reconfigure;
      9. The administrator inputs an authorized password; if the authorized password is incorrect, go to step 12; otherwise, go to step 10;
      10. The administrator reconfigures the measurement strategy or updates the firmware of the measured object;
      11. The trusted control subject allows the equipment to start normally;
      12. The trusted control subject raises an alarm, and the equipment is started in the alarm protection mode or is prohibited from starting.
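The twelve steps of Fig. 7 as a runnable Python walk-through, added here as an illustration rather than taken from the patent. The function and parameter names, the PBKDF2 password check, the returned step trace and the handling of an audit that raises an error as step 12 are assumptions; the audit verdict of steps 6 and 7 is passed in as a callable.

```python
import hashlib
import hmac

NORMAL_BOOT = "normal boot"                                      # step 11
PROTECTED_OR_BLOCKED = "alarm: protected-mode boot or no boot"   # step 12


def hash_password(password, salt):
    """Stored form of the administrator's authorized password (assumed PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def measurement_normal(measured, reference):
    """Step 5: normal only if every measured aspect matches its reference."""
    if measured.keys() != reference.keys():
        return False
    return all(hmac.compare_digest(measured[k], reference[k]) for k in reference)


def control_boot(self_test_ok, measured, reference, caused_by_admin,
                 entered_password, salt, stored_hash, reconfigure):
    """Return (outcome, trace), where trace lists the Fig. 7 steps visited.

    measured / reference: component name -> hex digest (steps 4-5).
    caused_by_admin: callable giving the trusted audit subject's verdict.
    reconfigure: callable run once the administrator is authorized (step 10).
    """
    trace = [1, 2, 3]
    if not self_test_ok:                      # step 3: self-check failed
        return PROTECTED_OR_BLOCKED, trace + [12]
    trace += [4, 5]
    if measurement_normal(measured, reference):
        return NORMAL_BOOT, trace + [11]
    trace += [6, 7]
    try:
        admin_cause = bool(caused_by_admin())
    except Exception:
        admin_cause = False   # assumption: an audit that errors goes to step 12
    if not admin_cause:
        return PROTECTED_OR_BLOCKED, trace + [12]
    trace += [8, 9]
    entered = hash_password(entered_password, salt)
    if not hmac.compare_digest(entered, stored_hash):
        return PROTECTED_OR_BLOCKED, trace + [12]
    trace.append(10)
    reconfigure()
    return NORMAL_BOOT, trace + [11]
```

Every branch that is not an explicit pass ends at step 12, so the only routes to a normal boot are a clean measurement or an authorized administrator reconfiguration.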
      In the device abnormal start identification method and the device abnormal start control method provided in the above preferred embodiment, the trusted audit subject is introduced to audit the operation behavior of the system administrator, so as to identify whether the device start abnormality is caused by a hacker or by a configuration abnormality from the system administrator; then, according to the abnormal start identification result obtained by the trusted audit subject, the trusted control subject controls the equipment to enter the corresponding starting mode: if the abnormal start of the equipment is not the result of hacker action, the equipment is started normally to ensure service continuity; if the abnormal start of the device is the result of hacker action, the device is started in an alarm data protection mode or is prohibited from starting, so as to prevent sensitive information from being leaked.
      It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention. 
      Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
    Example 3
      According to an embodiment of the present invention, there is further provided a device boot exception handling apparatus for implementing the device boot exception handling method according to embodiment 1. Fig. 8 is a block diagram of a device boot exception handling apparatus according to embodiment 3 of the present invention. As shown in Fig. 8, the device boot exception handling apparatus includes: a detection module 82, a first identification module 84, and a first control module 86. The apparatus is described below.
      A detection module 82, configured to detect a device boot exception during the credibility measurement; a first identification module 84, connected to the detection module 82, for identifying whether the abnormal start-up of the device is caused by a predetermined reason; and a first control module 86, connected to the first identification module 84, configured to, if the identification result is yes, control the device to process the device start exception in a manner corresponding to the predetermined reason, so as to ensure the security of the system where the device is located and/or normal processing of the service by the device.
      It should be noted that the detection module 82, the first identification module 84 and the first control module 86 correspond to steps S302 to S306 in the above embodiment 1; the examples and application scenarios implemented by the modules are the same as those of the corresponding steps, but are not limited to what is disclosed in the above embodiment 1. It should be noted that the modules described above may be implemented in a computer terminal as part of an apparatus.
    Example 4
      According to an embodiment of the present invention, there is further provided an apparatus start-up control device for implementing the apparatus start-up control method of embodiment 2. Fig. 9 is a block diagram of an apparatus start-up control device according to embodiment 4 of the present invention. As shown in Fig. 9, the apparatus start-up control device includes: a measurement module 92, a verification module 94, a second identification module 96 and a second control module 98. The device is described below.
      A measurement module 92, configured to measure a device to be started, and obtain a measurement result; a verification module 94, connected to the measurement module 92, for verifying whether the measurement result is normal; a second identification module 96, connected to the verification module 94, for identifying whether the abnormal start-up of the device is caused by the abnormal configuration of the system administrator if the verification result is that the measurement result is abnormal; and a second control module 98, connected to the second identification module 96, for controlling the device to start normally after the configuration of the system administrator has been updated to normal when the identification result is that the device start abnormality is caused by the configuration abnormality of the system administrator, and otherwise controlling the device to start in the alarm protection mode or prohibiting it from starting.
      It should be noted that the measurement module 92, the verification module 94, the second identification module 96 and the second control module 98 correspond to steps S502 to S508 in embodiment 2; the examples and application scenarios implemented by the modules are the same as those of the corresponding steps, but are not limited to what is disclosed in embodiment 2. It should be noted that the modules described above may be implemented in a computer terminal as part of an apparatus.
    Example 5 
      According to an embodiment of the present invention, there is further provided an apparatus start-up control system for implementing the apparatus start-up control method of embodiment 2. Fig. 10 is a block diagram of an apparatus start-up control system according to embodiment 5 of the present invention. As shown in Fig. 10, the apparatus start-up control system includes: a trusted measurement subject 102, a trusted verification subject 104, a trusted audit subject 106, and a trusted control subject 108. The system is described below.
      A trusted measurement subject 102, configured to measure a device to be started, and obtain a measurement result; a trusted verification subject 104, connected to the trusted measurement subject 102, for verifying whether the measurement result is normal; a trusted audit subject 106, connected to the trusted verification subject 104, for identifying whether the device boot exception is caused by the configuration exception of the system administrator if the verification result of the trusted verification subject is that the measurement result is not normal; and a trusted control subject 108, connected to the trusted audit subject 106, for controlling the device to start normally after the configuration of the system administrator has been updated to normal when the identification result of the trusted audit subject is that the device start abnormality is caused by the configuration abnormality of the system administrator, and otherwise controlling the device to start in an alarm protection mode or prohibiting it from starting.
      It should be noted here that the above-mentioned trusted measurement subject 102, trusted verification subject 104, trusted audit subject 106 and trusted control subject 108 correspond to steps S602 to S608 in embodiment 2; the examples and application scenarios implemented by the modules are the same as those of the corresponding steps, but are not limited to what is disclosed in the above-mentioned embodiment 2. It should be noted that the modules described above may be implemented in a computer terminal as part of an apparatus.
    Example 6
      An embodiment of the present invention may provide a computer device. Fig. 11 is a block diagram of a computer device according to embodiment 6 of the present invention. As shown in fig. 11, the computer device 110 includes a memory 112 and a processor 114. The memory stores a computer program, and the processor is configured to execute the computer program stored in the memory; the computer program, when executed, performs the method of any of the above.
      The memory may be used to store software programs and modules, such as program instructions/modules corresponding to the security vulnerability detection method and apparatus in the embodiments of the present invention, and the processor executes various functional applications and data processing by operating the software programs and modules stored in the memory, that is, implements the data security processing method. The memory may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory may further include memory located remotely from the processor, which may be connected to a computer terminal or a network device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. 
      In an alternative embodiment, the processor may invoke the information stored in the memory and the application program via the transmission device to execute the program code of the following steps: detecting a device start-up anomaly during credibility measurement; identifying whether the device start-up anomaly is caused by a predetermined cause; and, if the identification result is yes, controlling the device to handle the device start-up anomaly in a manner corresponding to the predetermined cause, so as to ensure the system security of the device and/or the device's normal processing of services.
      Optionally, the processor may further execute the program code of the following steps: in the case where the predetermined cause is a configuration anomaly of a system administrator, identifying whether the device start-up anomaly is caused by the predetermined cause includes: acquiring an operation behavior log of the system administrator; auditing, according to the operation behavior log, whether an operation behavior of the system administrator exists; and, when the audit result is that no operation behavior of the system administrator exists, determining that the device start-up anomaly is caused by a cause other than the predetermined cause.
      Optionally, the processor may further execute the program code of the following steps: when the audit result is that an operation behavior of the system administrator exists, auditing the legality of the measured object in the credibility measurement process; when the audit result is that the measured object in the credibility measurement process is legal, determining that the device start-up anomaly is caused by the predetermined cause; and/or, when the audit result is that the measured object in the credibility measurement process is illegal, determining that the device start-up anomaly is caused by a cause other than the predetermined cause.
      Optionally, the processor may further execute the program code of the following steps: acquiring the operation behavior log of the system administrator includes: receiving the operation behavior log of the system administrator, encrypted by the trusted module using an encryption key of the public and private symmetric key; and decrypting the encrypted operation behavior log using the decryption key corresponding to the public-private symmetric key to obtain the operation behavior log of the system administrator.
      Optionally, the processor may further execute the program code of the following steps: auditing, according to the operation behavior log, whether an operation behavior of the system administrator exists includes at least one of the following: auditing whether the system administrator has a login behavior; auditing whether the system administrator has a configuration behavior on the measurement strategy of the credibility measurement; auditing whether the system administrator has a configuration behavior on the verification strategy of the credibility measurement; and auditing whether the system administrator has an update behavior on the firmware of the credibility measurement.
      Optionally, the processor may further execute the program code of the following steps: causes other than the predetermined cause include hacking.
      Optionally, the processor may further execute the program code of the following steps: controlling the device to handle the device start-up anomaly in a manner corresponding to the predetermined cause includes: controlling the device to start normally after the abnormal configuration has been modified to a normal configuration.
      Optionally, the processor may further execute the program code of the following steps: controlling the device to handle the device start-up anomaly in a manner corresponding to the hacking attack, which includes: controlling the device to start in an alarm protection mode or prohibiting the device from starting.
      In another alternative embodiment, the processor may invoke the information stored in the memory and the application program via the transmission device to execute the program code of the following steps: measuring the device to be started to obtain a measurement result; verifying whether the measurement result is normal; when the verification result is that the measurement result is abnormal, identifying whether the device start-up anomaly is caused by a configuration anomaly of the system administrator; and, when the identification result is that the device start-up anomaly is caused by a configuration anomaly of the system administrator, controlling the device to start normally after the system administrator's configuration has been updated to normal, and otherwise controlling the device to start in an alarm protection mode or prohibiting the device from starting.
      Optionally, the processor may further execute the program code of the following steps: identifying whether the device start-up anomaly is caused by a configuration anomaly of the system administrator includes: retrieving the operation behavior log of the system administrator through a trusted module; and identifying, according to the operation behavior log, whether the device start-up anomaly is caused by a configuration anomaly of the system administrator.
      Optionally, the processor may further execute the program code of the following steps: when the identification result is that the device start-up anomaly is caused by a configuration anomaly of a non-system administrator, determining that the device start-up anomaly is caused by a hacker attack, and controlling the device to start in an alarm protection mode or prohibiting the device from starting.
      In yet another alternative embodiment, the processor may invoke the information stored in the memory and the application program via the transmission device to execute the program code of the following steps: the trusted metrics body measures the device to be started to obtain a measurement result; the trusted verification body verifies whether the measurement result is normal; when the verification result is that the measurement result is abnormal, the trusted audit body identifies whether the device start-up anomaly is caused by a configuration anomaly of the system administrator; and, when the identification result is that the device start-up anomaly is caused by a configuration anomaly of the system administrator, the trusted control body controls the device to start normally after the system administrator's configuration has been updated to normal, and otherwise controls the device to start in an alarm protection mode or prohibits the device from starting.
      Optionally, the processor may further execute the program code of the following steps: at least one of the trusted metrics body, the trusted verification body, the trusted audit body and the trusted control body is integrated in one entity.
      With the above computer device, a device start-up anomaly can be handled in a manner corresponding to that anomaly. This achieves the technical effect of ensuring the system security of the device and/or the device's normal processing of services, and solves the technical problem in the related art that a device start-up anomaly occurring during credibility measurement cannot be handled correspondingly, which leaves the system insecure or affects normal service processing.
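The measure, verify, audit and control steps described above can be expressed as the following decision routine. This is an added example, not code from the patent: the operation names, the `sysadmin` actor, SHA-256 as the measurement, and treating a "legal" measured object as one on an allowlist are assumptions, and the administrator log is taken as already decrypted.

```python
"""Boot-anomaly triage following the measure/verify/audit/control steps (added example)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    NORMAL_BOOT = "normal boot"
    FIX_CONFIG_THEN_BOOT = "restore normal configuration, then normal boot"
    ALARM_OR_BLOCK = "start in alarm protection mode or prohibit start"


# The four administrator behaviours the audit looks for (identifiers are assumptions).
ADMIN_OPS = frozenset({
    "login",
    "configure_measurement_strategy",
    "configure_verification_strategy",
    "update_firmware",
})


@dataclass(frozen=True)
class LogEntry:
    actor: str  # who performed the operation
    op: str     # what was done


def measure(blob: bytes) -> str:
    """Measurement of one boot component (assumed here: its SHA-256 digest)."""
    return hashlib.sha256(blob).hexdigest()


def verify(measured: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Return the components whose measurement differs from the reference value."""
    return sorted(n for n, blob in measured.items() if baseline.get(n) != measure(blob))


def admin_behaviour_exists(log: list[LogEntry], admin: str = "sysadmin") -> bool:
    """First audit: does the log record any operation by the system administrator?"""
    return any(e.actor == admin and e.op in ADMIN_OPS for e in log)


def triage(measured, baseline, log, legal_objects) -> Action:
    """Decide how to start the device from the measurement and the audit result."""
    abnormal = verify(measured, baseline)
    if not abnormal:
        return Action.NORMAL_BOOT
    if not admin_behaviour_exists(log):
        # No administrator activity: cause other than the predetermined one.
        return Action.ALARM_OR_BLOCK
    # Second audit: legality of the measured objects (assumed: allowlist membership).
    if all(name in legal_objects for name in abnormal):
        return Action.FIX_CONFIG_THEN_BOOT  # administrator configuration anomaly
    return Action.ALARM_OR_BLOCK


# --- constructed sample data, not taken from the patent ---
CHAIN = {"bootloader": b"bootloader v1", "kernel": b"kernel v1"}
LEGAL = {"bootloader", "kernel"}
GOOD_BASELINE = {name: measure(blob) for name, blob in CHAIN.items()}
# The administrator stored a wrong reference value for the kernel.
STALE_BASELINE = {**GOOD_BASELINE, "kernel": measure(b"kernel v0")}
ADMIN_LOG = [
    LogEntry("sysadmin", "login"),
    LogEntry("sysadmin", "configure_verification_strategy"),
]

if __name__ == "__main__":
    cases = {
        "clean boot": (CHAIN, GOOD_BASELINE, [], LEGAL),
        "admin misconfiguration": (CHAIN, STALE_BASELINE, ADMIN_LOG, LEGAL),
        "mismatch, no admin activity": (CHAIN, STALE_BASELINE, [], LEGAL),
        "unknown object in chain": ({**CHAIN, "extra": b"?"}, GOOD_BASELINE, ADMIN_LOG, LEGAL),
    }
    for label, args in cases.items():
        print(f"{label}: {triage(*args).value}")
```

The decision is only as reliable as the administrator log, which the described method obtains in encrypted form from the trusted module.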
    Example 7
      The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store the program code executed by the methods provided in embodiments 1 and 2.
      Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
      Optionally, in an implementation manner of this embodiment, the storage medium is configured to store program code for performing the following steps: detecting a device start-up anomaly during credibility measurement; identifying whether the device start-up anomaly is caused by a predetermined cause; and, if the identification result is yes, controlling the device to handle the device start-up anomaly in a manner corresponding to the predetermined cause, so as to ensure the system security of the device and/or the device's normal processing of services.
      Optionally, the storage medium is further arranged to store program code for performing the steps of: in the case where the predetermined cause is a configuration anomaly of a system administrator, identifying whether the device start-up anomaly is caused by the predetermined cause includes: acquiring an operation behavior log of the system administrator; auditing, according to the operation behavior log, whether an operation behavior of the system administrator exists; and, when the audit result is that no operation behavior of the system administrator exists, determining that the device start-up anomaly is caused by a cause other than the predetermined cause.
      Optionally, the storage medium is further arranged to store program code for performing the steps of: when the audit result is that an operation behavior of the system administrator exists, auditing the legality of the measured object in the credibility measurement process; when the audit result is that the measured object in the credibility measurement process is legal, determining that the device start-up anomaly is caused by the predetermined cause; and/or, when the audit result is that the measured object in the credibility measurement process is illegal, determining that the device start-up anomaly is caused by a cause other than the predetermined cause.
      Optionally, the storage medium is further arranged to store program code for performing the steps of: acquiring the operation behavior log of the system administrator includes: receiving the operation behavior log of the system administrator, encrypted by the trusted module using an encryption key of the public and private symmetric key; and decrypting the encrypted operation behavior log using the decryption key corresponding to the public-private symmetric key to obtain the operation behavior log of the system administrator.
      Optionally, the storage medium is further arranged to store program code for performing the steps of: auditing, according to the operation behavior log, whether an operation behavior of the system administrator exists includes at least one of the following: auditing whether the system administrator has a login behavior; auditing whether the system administrator has a configuration behavior on the measurement strategy of the credibility measurement; auditing whether the system administrator has a configuration behavior on the verification strategy of the credibility measurement; and auditing whether the system administrator has an update behavior on the firmware of the credibility measurement.
      Optionally, the storage medium is further arranged to store program code for performing the steps of: causes other than the predetermined cause include hacking.
      Optionally, the storage medium is further arranged to store program code for performing the steps of: controlling the device to handle the device start-up anomaly in a manner corresponding to the predetermined cause includes: controlling the device to start normally after the abnormal configuration has been modified to a normal configuration.
      Optionally, the storage medium is further arranged to store program code for performing the steps of: controlling the device to handle the device start-up anomaly in a manner corresponding to the hacking attack, which includes: controlling the device to start in an alarm protection mode or prohibiting the device from starting.
      Optionally, in another implementation of this embodiment, the storage medium is configured to store program code for performing the following steps: measuring the device to be started to obtain a measurement result; verifying whether the measurement result is normal; when the verification result is that the measurement result is abnormal, identifying whether the device start-up anomaly is caused by a configuration anomaly of the system administrator; and, when the identification result is that the device start-up anomaly is caused by a configuration anomaly of the system administrator, controlling the device to start normally after the system administrator's configuration has been updated to normal, and otherwise controlling the device to start in an alarm protection mode or prohibiting the device from starting.
      Optionally, the storage medium is further arranged to store program code for performing the steps of: identifying whether the device start-up anomaly is caused by a configuration anomaly of the system administrator includes: retrieving the operation behavior log of the system administrator through a trusted module; and identifying, according to the operation behavior log, whether the device start-up anomaly is caused by a configuration anomaly of the system administrator.
      Optionally, the storage medium is further arranged to store program code for performing the steps of: when the identification result is that the device start-up anomaly is caused by a configuration anomaly of a non-system administrator, determining that the device start-up anomaly is caused by a hacker attack, and controlling the device to start in an alarm protection mode or prohibiting the device from starting.
      Optionally, in another implementation of this embodiment, the storage medium is configured to store program code for performing the following steps: the trusted metrics body measures the device to be started to obtain a measurement result; the trusted verification body verifies whether the measurement result is normal; when the verification result is that the measurement result is abnormal, the trusted audit body identifies whether the device start-up anomaly is caused by a configuration anomaly of the system administrator; and, when the identification result is that the device start-up anomaly is caused by a configuration anomaly of the system administrator, the trusted control body controls the device to start normally after the system administrator's configuration has been updated to normal, and otherwise controls the device to start in an alarm protection mode or prohibits the device from starting.
      Optionally, the storage medium is further arranged to store program code for performing the steps of: at least one of the trusted metrics body, the trusted verification body, the trusted audit body and the trusted control body is integrated in one entity.
      The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
      In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments. 
      In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is merely a division of a logic function, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
      The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
      In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit. 
      The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
      The foregoing is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various improvements and refinements without departing from the principle of the present invention, and these improvements and refinements should also be regarded as falling within the protection scope of the present invention.
    Claims (19)
1. A method for processing equipment starting exception is characterized by comprising the following steps:
      in the process of credibility measurement, detecting abnormal starting of equipment;
      identifying whether the device start-up anomaly is caused by a predetermined cause;
      and if the identification result is yes, controlling the equipment to process the equipment starting abnormity in a mode corresponding to the preset reason so as to ensure the system safety of the equipment and/or normal processing of the equipment on the service.
    2. The method of claim 1, wherein in the event that the predetermined cause is a configuration exception by a system administrator, identifying whether the device boot exception was caused by the predetermined cause comprises:
      acquiring an operation behavior log of a system administrator;
      auditing whether the operation behavior of the system administrator exists according to the operation behavior log;
      and in the case that the auditing result is that the operation behavior of the system administrator does not exist, determining that the equipment starting abnormity is caused by other reasons which are not the preset reasons.
    3. The method of claim 2, further comprising:
      when the auditing result is that the operation behavior of the system administrator exists, auditing the legality of the measured object in the credibility measurement process;
      determining that the device start-up anomaly is caused by the predetermined cause when the audit result is that the measured object in the credibility measurement process is legal; and/or determining that the device start-up anomaly is caused by a cause other than the predetermined cause when the audit result is that the measured object in the credibility measurement process is illegal.
    4. The method of claim 2, wherein obtaining the log of operational behavior of the system administrator comprises:
      receiving an operation behavior log of the system administrator, which is encrypted by a trusted module by adopting an encryption key of a public and private symmetric key;
      and decrypting the encrypted operation behavior log of the system administrator by adopting a decryption key corresponding to the public and private symmetric key to obtain the operation behavior log of the system administrator.
    5. The method of claim 2, wherein auditing whether the system administrator's operational behavior exists from the operational behavior log comprises at least one of:
      auditing whether the system administrator has a login behavior; auditing whether the system administrator has a configuration behavior on the measurement strategy of the credibility measurement; auditing whether the system administrator has a configuration behavior on the verification strategy of the credibility measurement; and auditing whether the system administrator has an update behavior on the firmware of the credibility measurement.
    6. A method according to any one of claims 2 to 5, wherein other causes than the predetermined cause include hacking.
    7. The method of claim 6, wherein controlling the device to handle device boot exceptions corresponding to the predetermined cause comprises:
      and controlling the equipment to be normally started after the abnormal configuration is modified into the normal configuration.
    8. The method of claim 6, further comprising: controlling the device to process the device boot exception in a manner corresponding to a hacking attack, wherein controlling the device to process the device boot exception in a manner corresponding to the hacking attack comprises: controlling the device to be enabled or disabled in an alarm protection mode.
    9. An apparatus start-up control method characterized by comprising:
      measuring equipment to be started to obtain a measurement result;
      verifying whether the measurement result is normal;
      if the verification result is that the measurement result is abnormal, identifying whether the equipment starting abnormality is caused by the configuration abnormality of a system administrator;
      and under the condition that the identification result is that the equipment starting abnormity is caused by the configuration abnormity of a system administrator, controlling the equipment to be normally started after the configuration of the system administrator is updated normally, and otherwise controlling the equipment to be started in an alarm protection mode or to be prohibited from being started. 
    10. The method of claim 9, wherein identifying whether the device boot exception was caused by a configuration exception by a system administrator comprises:
      calling an operation behavior log of the system administrator through a trusted module;
      and identifying whether the equipment starting abnormity is caused by the configuration abnormity of a system administrator according to the operation behavior log.
    11. The method of claim 9 or 10, further comprising:
      and under the condition that the identification result is that the equipment starting abnormity is caused by the configuration abnormity of a non-system administrator, determining that the equipment starting abnormity is caused by hacker attack, and controlling the equipment to start in an alarm protection mode or forbidding starting.
    12. An apparatus start-up control method characterized by comprising:
      the credible measurement main body measures the equipment to be started to obtain a measurement result;
      the credible verification subject verifies whether the measurement result is normal;
      under the condition that the verification result is that the measurement result is abnormal, the trusted audit subject identifies whether the equipment starting abnormality is caused by the configuration abnormality of a system administrator;
      and under the condition that the identification result is that the equipment starting abnormity is caused by the configuration abnormity of a system administrator, the trusted control body controls the equipment to be normally started after the configuration of the system administrator is updated normally, otherwise, the trusted control body controls the equipment to be started in an alarm protection mode or to be prohibited from being started. 
    13. The method of claim 12, wherein at least one of the trusted metrics principal, the trusted verification principal, the trusted auditing principal, and the trusted control principal is integrated into one entity.
    14. An apparatus boot exception handling apparatus, comprising:
      the detection module is used for detecting the abnormal starting of the equipment in the credibility measurement process;
      the first identification module is used for identifying whether the equipment starting abnormity is caused by a preset reason;
      and the first control module is used for controlling the equipment to process the equipment starting abnormity in a mode corresponding to the preset reason under the condition that the identification result is yes so as to ensure the system safety of the equipment and/or the normal processing of the equipment on the service.
    15. An apparatus start-up control device characterized by comprising:
      the measurement module is used for measuring the equipment to be started to obtain a measurement result;
      the verification module is used for verifying whether the measurement result is normal;
      the second identification module is used for identifying whether the equipment starting abnormity is caused by the configuration abnormity of a system administrator under the condition that the verification result is that the measurement result is abnormal;
      and the second control module is used for controlling the equipment to be normally started after the configuration of the system administrator is updated normally under the condition that the identification result is that the equipment starting abnormity is caused by the configuration abnormity of the system administrator, and otherwise, controlling the equipment to be started in an alarm protection mode or forbidding the equipment to be started.
    16. An equipment activation control system, comprising: a trusted metrics body, a trusted verification body, a trusted audit body, and a trusted control body, wherein,
      the credible measurement main body is used for measuring the equipment to be started to obtain a measurement result;
      the credible verification main body is used for verifying whether the measurement result is normal or not;
      the credible auditing main body is used for identifying whether the equipment starting abnormity is caused by the configuration abnormity of a system administrator under the condition that the verification result of the credible verifying main body is that the measurement result is abnormal;
      and the trusted control body is used for controlling the equipment to be normally started after the configuration of the system administrator is updated normally under the condition that the identification result of the trusted audit body is that the equipment starting abnormity is caused by the configuration abnormity of the system administrator, and otherwise, controlling the equipment to be started in an alarm protection mode or prohibited from being started. 
    17. A storage medium, characterized in that the storage medium stores a program, wherein the program, when executed by a processor, causes the processor to perform the method of any one of claims 1 to 13.
    18. A processor for running a program, wherein the program when run causes the processor to perform the method of any one of claims 1 to 13.
    19. A computer device, comprising: a memory and a processor, wherein,
      the memory stores a computer program;
      the processor for executing a computer program stored in the memory, the computer program when executed causing the processor to perform the method of any of claims 1 to 13.
    Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN201910365274.3A CN111858114B (en) | 2019-04-30 | 2019-04-30 | Device starting exception handling and device starting control method, device and system | 
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN201910365274.3A CN111858114B (en) | 2019-04-30 | 2019-04-30 | Device starting exception handling and device starting control method, device and system | 
Publications (2)
| Publication Number | Publication Date | 
|---|---|
| CN111858114A (en) | 2020-10-30 |
| CN111858114B (en) | 2024-06-14 |
Family
ID=72965848
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| CN201910365274.3A Active CN111858114B (en) | 2019-04-30 | 2019-04-30 | Device starting exception handling and device starting control method, device and system | 
Country Status (1)
| Country | Link | 
|---|---|
| CN (1) | CN111858114B (en) | 
Patent Citations (12)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| US20060107329A1 (en) * | 2004-11-15 | 2006-05-18 | Microsoft Corporation | Special PC mode entered upon detection of undesired state | 
| CN1859203A (en) * | 2006-03-15 | 2006-11-08 | 华为技术有限公司 | Locating method and its device for system repeatedly start fault | 
| US20070219748A1 (en) * | 2006-03-17 | 2007-09-20 | Fujitsu Limited | Computer apparatus, start-up controlling method, and storage medium | 
| WO2010102259A2 (en) * | 2009-03-06 | 2010-09-10 | Interdigital Patent Holdings, Inc. | Platform validation and management of wireless devices | 
| KR20110106579A (en) * | 2010-03-23 | 2011-09-29 | (주)이월리서치 | Fault management system for intelligent network switching device | 
| US20150067402A1 (en) * | 2013-08-30 | 2015-03-05 | International Business Machines Corporation | Providing a remote diagnosis for an information appliance via a secure connection | 
| US20180109538A1 (en) * | 2016-10-17 | 2018-04-19 | Mocana Corporation | System and method for policy based adaptive application capability management and device attestation | 
| CN106571954A (en) * | 2016-10-24 | 2017-04-19 | 上海斐讯数据通信技术有限公司 | Abnormal restart reason detecting method and device of AP equipment | 
| WO2018076169A1 (en) * | 2016-10-25 | 2018-05-03 | 华为技术有限公司 | Recovery method for power-on failure of terminal device, and terminal device | 
| CN109684155A (en) * | 2018-08-27 | 2019-04-26 | 平安科技(深圳)有限公司 | Monitor configuration method, device, equipment and readable storage medium storing program for executing | 
| CN109542724A (en) * | 2018-11-14 | 2019-03-29 | 北京达佳互联信息技术有限公司 | Application exception processing method, device, electronic equipment and storage medium | 
| CN109614799A (en) * | 2018-11-28 | 2019-04-12 | 北京可信华泰信息技术有限公司 | A kind of information weight mirror method | 
Non-Patent Citations (1)
| Title | 
|---|
| 游夏;马云;胡明星;: "安全可信的嵌入式系统架构", 数字技术与应用, no. 02, 5 February 2018 (2018-02-05), pages 196 - 198 * | 
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN117389657A (en) * | 2023-12-12 | 2024-01-12 | 荣耀终端有限公司 | Methods of starting up electronic equipment, electronic equipment and storage media | 
| CN117389657B (en) * | 2023-12-12 | 2024-05-10 | 荣耀终端有限公司 | Electronic device startup method, electronic device and storage medium | 
Also Published As
| Publication number | Publication date | 
|---|---|
| CN111858114B (en) | 2024-06-14 | 
Similar Documents
| Publication | Publication Date | Title | 
|---|---|---|
| KR101216306B1 (en) | | Updating configuration parameters in a mobile terminal |
| CN110737897B (en) | | Method and system for starting measurement based on trusted card |
| EP2693789B1 (en) | | Mobile terminal encryption method, hardware encryption device and mobile terminal |
| US20180019880A1 (en) | | System and method for verifying integrity of an electronic device |
| CN110245495B (en) | | BIOS checking method, configuration method, device and system |
| WO2008030659A2 (en) | | Component authentication for computer systems |
| US11222116B2 (en) | | Heartbeat signal verification |
| US11531769B2 (en) | | Information processing apparatus, information processing method, and computer program product |
| CN113626803A (en) | | BMC firmware protection method, system and device and readable storage medium |
| CN119004521B (en) | | Server firmware management method |
| US8533829B2 (en) | | Method for monitoring managed device |
| CN120162795A (en) | | Automotive MCU chip secure startup method and system based on national secret algorithm |
| CN119783115A (en) | | Secure startup method and device, storage medium and electronic device |
| CN111858114B (en) | | Device starting exception handling and device starting control method, device and system |
| CN113127873A (en) | | Credible measurement system of fortress machine and electronic equipment |
| CN111506897B (en) | | Data processing method and device |
| CN106778286A (en) | | A kind of system and method whether attacked for detection service device hardware |
| CN111625831A (en) | | Trusted security measurement method and device |
| US11615188B2 (en) | | Executing software |
| CN117852001A (en) | | Data transmission management method |
| CN117473466A (en) | | Interface protection method, device, nonvolatile storage medium and computer equipment |
| CN115879087B (en) | | A secure and reliable startup method and system for power terminals |
| Msgna et al. | | Secure application execution in mobile devices |
| CN110933028B (en) | | Message transmission method, device, network device and storage medium |
| CN108228219B (en) | | Method and device for verifying BIOS validity during in-band refreshing of BIOS |
Legal Events
| Date | Code | Title | Description | 
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |