CN114254331B - Security protection method and device for terminal equipment, electronic equipment and storage medium - Google Patents
- Publication number: CN114254331B (application number CN202111602671.1A)
- Authority: CN (China)
- Prior art keywords: detected, attribute information, terminal equipment, file, audio
- Prior art date
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
- G06F21/55—Detecting local intrusion or implementing counter-measures
Abstract
Embodiments of the invention relate to the field of computer security, and in particular to a security protection method and apparatus for a terminal device, an electronic device, and a storage medium. The security protection method for the terminal device comprises: after the terminal device enters UEFI mode, acquiring a detection instruction triggered by a user, where the detection instruction includes at least one of a detection instruction for the UEFI firmware, a detection instruction for the EFI boot program, and a detection instruction for system critical locations; parsing the detection instruction to determine the object to be detected, where the object to be detected comprises at least one of the UEFI firmware, the EFI boot program, and the system critical locations; and performing threat detection on the files currently in the object to be detected on the terminal device. The technical solution provided by the invention can improve the security protection capability of the terminal device.
Description
Technical Field
Embodiments of the invention relate to the field of computer security, and in particular to a security protection method and apparatus for a terminal device, an electronic device, and a storage medium.
Background
As network attack techniques continue to develop, attacks on the operating system of a terminal device that exploit firmware vulnerabilities, bootkits and similar techniques have appeared, and such attacks tend to be stealthy.
In the related art, security protection of a terminal device relies mainly on antivirus software of various kinds installed in the operating system. Because antivirus software runs on top of the operating system, it is application-layer software, and application-layer software has a comparatively low level of control (privilege) over the platform.
Firmware-based attacks, however, typically act before the operating system boots. That is, when a terminal device is hit by such an attack, some critical data (for example, system files) may already have been tampered with (for example, injected with malicious code) before the operating system starts, so an operating-system-resident scanner is inspecting a platform that is already compromised.
Disclosure of Invention
To improve the security protection capability of a terminal device, embodiments of the invention provide a security protection method and apparatus for a terminal device, an electronic device, and a storage medium.
In a first aspect, an embodiment of the invention provides a security protection method for a terminal device, comprising:
after the terminal device enters UEFI mode, acquiring a detection instruction triggered by a user, where the detection instruction includes at least one of a detection instruction for the UEFI firmware, a detection instruction for the EFI boot program, and a detection instruction for system critical locations;
parsing the detection instruction to determine the object to be detected, where the object to be detected comprises at least one of the UEFI firmware, the EFI boot program, and the system critical locations; and
performing threat detection on the files currently in the object to be detected on the terminal device.
In one possible design, performing threat detection on the files currently in the object to be detected on the terminal device comprises:
acquiring the files that were in the object to be detected after the terminal device last started (the baseline);
extracting first data attribute information characterizing the files currently in the object to be detected, and second data attribute information characterizing the files that were in the object to be detected after the last start; and
performing threat detection on the current files based on the first data attribute information and the second data attribute information.
In one possible design, performing threat detection on the current files based on the first data attribute information and the second data attribute information comprises:
converting the first data attribute information and the second data attribute information, respectively, into first audio attribute information and second audio attribute information; and
performing threat detection on the current files based on the first audio attribute information and the second audio attribute information.
In one possible design, the first data attribute information and the second data attribute information each include at least one of:
data type, data size, creation time, last modification time, last open time, version information, and signature information;
and/or
the first audio attribute information and the second audio attribute information each include at least one of:
musical instrument type, cycle time, tempo, spatial distance, direction change frequency, and sound effect.
In one possible design, performing threat detection on the current files based on the first audio attribute information and the second audio attribute information comprises:
rendering the first audio attribute information and the second audio attribute information, respectively, with an audio encoder to obtain first audio data and second audio data;
playing the first audio data and the second audio data with an audio decoder; and
performing threat detection on the current files based on the playback result.
In one possible design, performing threat detection on the files currently in the object to be detected comprises:
acquiring a first hash value carried by a file currently in the object to be detected;
computing a hash of that file to obtain a second hash value; and
performing threat detection on the file based on the first hash value and the second hash value.
In one possible design, performing threat detection on the files currently in the object to be detected comprises:
acquiring a digital signature carried by a file currently in the object to be detected, the digital signature having been obtained by encrypting the hash value of the file with the signing key;
decrypting the digital signature with a preset key (the verification key corresponding to the signing key) to obtain a first hash value;
computing a hash of the file to obtain a second hash value; and
performing threat detection on the file based on the first hash value and the second hash value.
In a second aspect, an embodiment of the invention further provides a security protection apparatus for a terminal device, comprising:
an acquisition module for acquiring a detection instruction triggered by a user after the terminal device enters UEFI mode, where the detection instruction includes at least one of a detection instruction for the UEFI firmware, a detection instruction for the EFI boot program, and a detection instruction for system critical locations;
a parsing module for parsing the detection instruction and determining the object to be detected, where the object to be detected comprises at least one of the UEFI firmware, the EFI boot program, and the system critical locations; and
a detection module for performing threat detection on the files currently in the object to be detected on the terminal device.
In a third aspect, an embodiment of the invention further provides an electronic device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, implements the method of any embodiment of this specification.
In a fourth aspect, embodiments of the invention further provide a computer-readable storage medium storing a computer program which, when executed in a computer, causes the computer to perform the method of any embodiment of this specification.
Embodiments of the invention provide a security protection method and apparatus for a terminal device, an electronic device, and a storage medium, which acquire a detection instruction triggered by the user after the terminal device enters UEFI mode, then parse the instruction and determine the object to be detected, so that threat detection can be performed on the files currently in that object. The security protection method runs before the operating system is loaded: once the terminal device has entered UEFI mode it already has the rights and the capability to access its devices, so threat detection can be carried out on critical data and firmware-based attacks on the operating system can be averted, improving the security protection capability of the terminal device.
Drawings
To illustrate the embodiments of the invention more clearly, the drawings required for describing the embodiments are briefly introduced below. The drawings described here show some embodiments of the invention; other drawings may be derived from them by a person skilled in the art without inventive effort.
Fig. 1 is a flowchart of a security protection method for a terminal device according to an embodiment of the invention;
Fig. 2 is a flowchart of another security protection method for a terminal device according to an embodiment of the invention;
Fig. 3 is a flowchart of a further security protection method for a terminal device according to an embodiment of the invention;
Fig. 4 is a hardware architecture diagram of an electronic device according to an embodiment of the invention;
Fig. 5 is a structural diagram of a security protection apparatus for a terminal device according to an embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions of the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the invention; all other embodiments obtained by a person skilled in the art from these embodiments without inventive effort fall within the scope of protection of the invention.
As described above, in the related art the security protection of a terminal device relies mainly on antivirus software of various kinds installed in the operating system. Because antivirus software runs on top of the operating system it is application-layer software, and application-layer software has a comparatively low level of control over the platform.
Firmware is software that runs at the lowest layer of a computer and executes before the operating system boots. Malicious code in firmware is therefore generally not discoverable by antivirus software and security tools running inside the operating system. Firmware runs with extremely high privilege: it can tamper with or destroy hardware, the file system, the operating system and specific software, and so has very strong attack capability.
Firmware is an indispensable component of a computer and the bridge between the basic hardware and the system software. The Basic Input/Output System (BIOS) is one of the most important pieces of firmware on a computer. After power-on, the firmware checks the state of the CPU registers, the timing chip, the programmable interrupt controller and the DMA controller, and initializes and configures the motherboard chipset, dynamic memory, graphics card and the registers of related peripherals. Once these devices are operating normally, the firmware is responsible for booting the operating system.
From power-on until the operating system is loaded, the firmware holds the highest system privilege. A security vulnerability in the firmware, or an implanted Trojan, therefore poses a serious threat to the computer. For example, a backdoor added to the firmware (one form of firmware-based attack), such as one that abuses System Management Mode (SMM), can covertly exfiltrate the computer's data without being detected by the operating system.
During development the inventors found that firmware-based attacks typically act before the operating system is booted. That is, when a terminal device is attacked in this way, some critical data (for example, system files) may already have been tampered with (for example, injected with malicious code) before the operating system starts. If the operating system has been tampered with before boot, any threat detection performed after the operating system boots is no longer meaningful.
To address this technical problem, the inventors contemplate performing threat detection on certain critical data before the operating system starts. To achieve this they rely on the mechanism by which the terminal device loads some of its necessary drivers once it enters UEFI mode: after entering UEFI mode the terminal device already has the rights and the capability to access its devices, so threat detection can be performed on critical data, firmware-based attacks on the operating system can be averted, and the security protection capability of the terminal device is improved.
Specific implementations of the above concept are described below.
Referring to Fig. 1, an embodiment of the invention provides a security protection method for a terminal device, comprising:
Step 100: after the terminal device enters UEFI mode, acquiring a detection instruction triggered by a user, where the detection instruction includes at least one of a detection instruction for the UEFI firmware, a detection instruction for the EFI boot program, and a detection instruction for system critical locations;
Step 102: parsing the detection instruction to determine the object to be detected, where the object to be detected comprises at least one of the UEFI firmware, the EFI boot program, and the system critical locations;
Step 104: performing threat detection on the files currently in the object to be detected on the terminal device.
In this embodiment, after the terminal device enters UEFI mode the detection instruction triggered by the user is acquired and parsed to determine the object to be detected, so that threat detection can be performed on the files currently in that object. The security protection method runs before the operating system is loaded: once the terminal device has entered UEFI mode it already has the rights and the capability to access its devices, so threat detection can be carried out on critical data, firmware-based attacks on the operating system can be averted, and the security protection capability of the terminal device is improved.
It should be noted that the operation of the firmware is divided into four phases: a hardware initialization phase, a driver execution phase, a boot device selection phase and an operating system runtime phase (in UEFI Platform Initialization terms, SEC/PEI, DXE, BDS and RT respectively):
(1) Hardware initialization phase
Firmware components implemented in assembly language execute. They perform the security verification of the hardware platform and of the initial firmware boot code, initialize the system cache, and prepare the storage needed for subsequent hardware initialization; the processor, memory, chipset and other chips and devices are initialized at the same time.
The hardware initialization phase is the first phase the firmware runs and is the foundation for ensuring that the computer's hardware and firmware are complete and trustworthy. If malicious code runs in the firmware in this phase, it can defeat the hardware and firmware security checks of this phase and break the secure operating environment of the whole computer.
(2) Driver execution phase
Device drivers execute, and the protocols relating to devices, buses, services and so on are installed and initialized. The driver execution phase provides the protocol/service interfaces used by later operations, for calls from the firmware itself and from the operating system and application software.
The driver execution phase is the core phase of firmware operation: it loads hardware drivers and applications. If hardware containing a firmware Trojan module is connected to the host, the Trojan module is loaded at the firmware layer in this phase. In this phase the firmware can load and execute a file system driver, identify and parse the hard disk partitions and file system, implant an operating-system Trojan into the operating system, and arrange for it to start with the operating system.
(3) Boot device selection phase
According to configuration rules preset in the system or the user's current choice, the device carrying the operating system (for example a USB device, hard disk, optical disk or network) is located and the operating system is loaded.
The boot device selection phase provides the UEFI shell runtime environment, UEFI drivers and operating system loading. Consequently it also exposes attack surface: the operating system loading process can be hijacked here.
(4) Operating system runtime phase
The firmware formally hands control of the machine to the operating system. At this point some firmware services/protocols remain available.
If malicious code in the firmware can execute in this phase, antivirus software in the operating system will not perceive it.
The analysis of the firmware's operation shows that firmware security requires, first, integrity verification of the firmware in the hardware initialization phase and, second, verification of the loaded hardware and firmware drivers in the driver execution phase, refusing to load unverified firmware drivers. These two measures can, to some extent, prevent firmware Trojans from being loaded and executed.
The embodiments of the invention focus on a security protection method in the boot device selection phase. As described above, after the terminal device enters UEFI mode some of its necessary drivers are already loaded, so threat detection can be performed on critical data at that point. To implement this, the software code executing the security protection method can be integrated into the motherboard ROM, so that the method does not depend on the operating system. The detection code then runs with, and is only as trustworthy as, the firmware that loads it: the firmware integrity verification in the hardware initialization phase described above remains the prerequisite for trusting its results.
The manner in which the individual steps shown in Fig. 1 are performed is described below.
For step 100:
After the terminal device enters UEFI mode, the user can trigger a detection instruction for certain critical data by clicking a corresponding interface button with the mouse. For example, after the relevant button is clicked the terminal device displays a user interaction interface containing an interface button for UEFI firmware detection, an interface button for EFI boot program detection, and an interface button for system critical location detection. The user may then click one or more of these buttons in succession according to actual need, triggering threat detection of the corresponding object to be detected.
For step 102:
After the detection instruction triggered by the user is obtained, it is parsed to determine the object to be detected, i.e. at least one of the UEFI firmware, the EFI boot program, and the system critical locations.
For step 104:
The files of the UEFI firmware include UEFI applications and UEFI drivers; the files of the EFI boot program may be, for example, the loader supplied by the operating system; and the system critical locations may be, for example, the files of the operating system kernel, the system directory on the C drive, the user directories, and so on. In some embodiments, step 104 may use a local virus library, a virus detection model or other detection tools stored on the terminal device to perform threat detection on the files of the object to be detected, with detection mechanisms based, for example, on file hash values or malicious code signatures; these detection methods are not described further here.
Detection schemes based on file hash values come in the following two forms.
First scheme:
acquiring a first hash value carried by a file currently in the object to be detected;
computing a hash of that file with a preset hash algorithm to obtain a second hash value; and
performing threat detection on the file based on the first hash value and the second hash value.
Second scheme:
acquiring a digital signature carried by a file currently in the object to be detected, the digital signature having been obtained by encrypting the hash value of the file with the signing key;
decrypting the digital signature with a preset key (the verification key corresponding to the signing key) to obtain a first hash value;
computing a hash of the file with a preset hash algorithm to obtain a second hash value; and
performing threat detection on the file based on the first hash value and the second hash value.
Specifically, if the first hash value equals the second hash value, the file currently in the object to be detected is considered not to have been tampered with; otherwise it has been tampered with. The comparison must use the same hash algorithm that produced the reference value, and the reference itself must be trustworthy: a hash that travels with the file can be recomputed and replaced by whoever modifies the file.
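The two schemes side by side, as an added example that is not part of the patent: a constructed boot image carries either its own SHA-256 hash (first scheme) or a signature over that hash (second scheme), and each check is then run against a version of the image with an implant appended. The signature uses a toy RSA key built from two Mersenne primes so that the block runs stand-alone; the key, the trailer layout and the sample image are assumptions, and production code would use an established library with proper padding (on real UEFI systems this role is played by the Authenticode signatures on EFI images that Secure Boot verifies against its signature database).

```python
"""Step 104 hash-based checks: carried hash (scheme 1) versus carried signature (scheme 2).
Added example; not code from the patent. The RSA key is a toy built from two
Mersenne primes so the block runs offline; real code uses a library and padding."""
import hashlib
import hmac

DIGEST_LEN = 32                      # SHA-256 output, used by both schemes

# Toy RSA key (assumption for this example): p = 2**127-1 and q = 2**521-1 are
# primes, so n ~ 2**648 exceeds any 256-bit digest. The private exponent D
# belongs to the signer only; the device holds just the "preset" public (E, N).
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_LEN = (N.bit_length() + 7) // 8   # signature size in bytes


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- scheme 1: the file carries its own hash as a trailer ----
def pack_with_hash(body: bytes) -> bytes:
    return body + digest(body)


def check_carried_hash(blob: bytes) -> bool:
    """First hash = trailer carried by the file; second hash = recomputed over the body."""
    body, first = blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]
    second = digest(body)
    return hmac.compare_digest(first, second)


# ---- scheme 2: the file carries a signature over its hash ----
def sign(body: bytes) -> bytes:
    """Signer side: 'encrypt' the hash with the private exponent (textbook RSA, no padding)."""
    h = int.from_bytes(digest(body), "big")
    return pow(h, D, N).to_bytes(SIG_LEN, "big")


def pack_with_signature(body: bytes) -> bytes:
    return body + sign(body)


def check_signature(blob: bytes) -> bool:
    """Device side: 'decrypt' the signature with the preset public key to recover the first hash."""
    body, sig = blob[:-SIG_LEN], blob[-SIG_LEN:]
    first = pow(int.from_bytes(sig, "big"), E, N)
    second = int.from_bytes(digest(body), "big")
    return first == second


def demonstrate() -> dict:
    """Constructed sample: a boot image, then the same image with an implant appended."""
    original = b"EFI boot loader image (constructed sample)"
    implanted = original + b" + implant"
    clean_hash_blob = pack_with_hash(original)
    clean_sig_blob = pack_with_signature(original)
    # Attacker rewrites the body and simply re-embeds a fresh hash.
    forged_hash_blob = pack_with_hash(implanted)
    # Attacker rewrites the body but, lacking D, can only keep the old signature.
    forged_sig_blob = implanted + clean_sig_blob[-SIG_LEN:]
    return {
        "hash_clean": check_carried_hash(clean_hash_blob),    # True
        "hash_forged": check_carried_hash(forged_hash_blob),  # True: tampering not detected
        "sig_clean": check_signature(clean_sig_blob),         # True
        "sig_forged": check_signature(forged_sig_blob),       # False: tampering detected
    }


if __name__ == "__main__":
    for name, ok in demonstrate().items():
        print(f"{name:12} {'intact' if ok else 'TAMPERED'}")
```

The forged-hash case passes because the attacker controls both the body and the trailer; the forged-signature case fails because the trailer would now have to be produced with D, which the device never stores. If the preset verification key can be replaced from compromised firmware, the second scheme collapses to the first, so the preset key itself has to sit in protected storage.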
Compared with the first scheme, the second scheme gives stronger assurance: because the digital signature is produced from the file's hash with a key the attacker does not hold, tampering cannot be concealed by re-embedding a fresh hash, so whether the file has been tampered with can be judged more reliably. The property gained is integrity and authenticity rather than confidentiality. In some implementations, step 104 may also perform threat detection as follows:
Step S1: acquiring the files that were in the object to be detected after the terminal device last started;
Step S2: extracting first data attribute information characterizing the files currently in the object to be detected and second data attribute information characterizing the files that were in the object to be detected after the terminal device last started; and
Step S3: performing threat detection on the current files based on the first data attribute information and the second data attribute information.
Compared with acquiring the complete content of the data as in the related art, the method of this embodiment completes the preparation for security protection by acquiring only the data attribute information, which improves the efficiency of the security protection. The trade-off is that attribute comparison only sees changes that alter an attribute: a modification that preserves the file size and restores the timestamps is invisible to it, whereas a hash comparison would still catch it.
The data attribute information may be extracted, for example, with regular expressions or with another static-vector analysis method; the extraction method is not limited here, provided the data attribute information can be extracted.
In some embodiments, the first data attribute information and the second data attribute information each include at least one of:
data type, data size, creation time, last modification time, last open time, version information, and signature information.
For example, the data type may be ".exe", ".docx", ".dat", and so on, and the signature information indicates whether the original data carries a digital signature.
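Steps S1 to S3 over a constructed directory tree, as an added example that is not the patent's code: a baseline snapshot of the data attributes is written to a JSON file (the files "after the last start"), several files are then altered, and the current snapshot is compared with the baseline. File names, the signature marker, timestamps and the set of ignored attributes are assumptions for the example. The last case deliberately preserves the size and restores the timestamps to show the limit of attribute comparison.

```python
"""Attribute-snapshot threat detection (steps S1-S3). Added example, not the patent's code."""
import json
import os
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for "signature information": a trailer marker on signed files.
SIGNATURE_MARKER = b"--CONSTRUCTED-SIGNATURE--"
BASELINE_TS = 1_000_000_000   # fixed timestamp given to the "last boot" baseline files
ATTRS = ("data_type", "data_size", "creation_time",
         "last_modification_time", "last_open_time", "signature_info")
# last_open_time changes whenever the scanner itself reads a file, and on POSIX
# st_ctime is the inode change time rather than creation time, so both are
# excluded from the comparison by default.
DEFAULT_IGNORE = ("last_open_time", "creation_time")


def extract_attributes(path: Path) -> dict:
    """Data attribute information of one file (stat first, so the read does not disturb atime)."""
    st = path.stat()
    return {
        "data_type": path.suffix.lower(),
        "data_size": st.st_size,
        "creation_time": int(st.st_ctime),
        "last_modification_time": int(st.st_mtime),
        "last_open_time": int(st.st_atime),
        "signature_info": path.read_bytes().endswith(SIGNATURE_MARKER),
    }


def snapshot(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): extract_attributes(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_snapshot(snap: dict, dest: Path) -> None:
    dest.write_text(json.dumps(snap, indent=1))


def load_snapshot(src: Path) -> dict:
    return json.loads(src.read_text())


def compare_snapshots(baseline: dict, current: dict, ignore=DEFAULT_IGNORE) -> dict:
    """Return {relative_path: {"status": new|missing|modified, "changed": [attributes]}}."""
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            findings[name] = {"status": "missing", "changed": []}
        elif name not in baseline:
            findings[name] = {"status": "new", "changed": []}
        else:
            changed = [a for a in ATTRS if a not in ignore
                       and baseline[name][a] != current[name][a]]
            if changed:
                findings[name] = {"status": "modified", "changed": changed}
    return findings


def _write(root: Path, rel: str, data: bytes, ts=None) -> Path:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)
    if ts is not None:
        os.utime(p, (ts, ts))       # pin atime and mtime
    return p


def demonstrate() -> dict:
    """Constructed tree: baseline 'after last boot', then four tampering cases."""
    root = Path(tempfile.mkdtemp(prefix="uefi-snap-"))
    fd, snap_file = tempfile.mkstemp(suffix=".json")
    os.close(fd)
    try:
        files = {  # constructed sample files, not real system content
            "EFI/BOOT/bootx64.efi": b"boot loader image 1.0 " + SIGNATURE_MARKER,
            "system/kernel.bin": b"kernel image",
            "system/config.dat": b"debug=0",
            "system/old-driver.sys": b"legacy driver",
        }
        for rel, data in files.items():
            _write(root, rel, data, BASELINE_TS)
        save_snapshot(snapshot(root), Path(snap_file))             # "after last boot"

        _write(root, "system/config.dat", b"debug=1")              # same size, new mtime
        _write(root, "system/kernel.bin", b"kernel image + implant")  # size grows
        _write(root, "system/implant.sys", b"dropped driver")      # new file
        (root / "system/old-driver.sys").unlink()                  # removed
        # Stealth case: same-size overwrite that keeps the trailer and restores the
        # timestamps (timestomping); attribute comparison cannot see it.
        _write(root, "EFI/BOOT/bootx64.efi",
               b"boot loader image EVL " + SIGNATURE_MARKER, BASELINE_TS)

        return compare_snapshots(load_snapshot(Path(snap_file)), snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)
        os.unlink(snap_file)


if __name__ == "__main__":
    for name, f in demonstrate().items():
        print(f"{f['status']:8} {name} {f['changed']}")
```

Two practical points the run shows: the scanner's own reads update the last open time, so that attribute has to be excluded, and st_ctime means creation time only on Windows (on POSIX it is the inode change time, which cannot be set directly from user space and would in fact betray the timestomped file); a deployment has to decide per platform which timestamps it trusts.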
In other embodiments, step 104 may perform threat detection by converting the files of the object to be detected into audio data.
The threat detection method that converts files of the object to be detected into audio data is described in detail below.
In some embodiments, step S3 may include:
Step S31: converting the first data attribute information and the second data attribute information, respectively, into first audio attribute information and second audio attribute information; and
Step S32: performing threat detection on the current files based on the first audio attribute information and the second audio attribute information.
In this embodiment no dedicated detection tool is needed: the files currently in the object to be detected and the files that were in the object after the last start are converted into audio, so the data can be checked indirectly by checking the audio, which improves the convenience of threat detection. The files that were in the object to be detected after the last start are treated as the untampered reference.
The data conversion can be understood as a preset data mapping rule; for example, the rule maps data attribute information to audio attribute information, so that the audio data subsequently obtained can be played with the audio decoder of the terminal device, facilitating the comparison of the two sets of files.
In some implementations, the first audio attribute information and the second audio attribute information each include at least one of:
musical instrument type, cycle time, tempo, spatial distance, direction change frequency, and sound effect.
For example, the mapping rule may map data type to musical instrument type, data size to cycle time, creation time to tempo, last modification time to spatial distance, last open time to direction change frequency, version information to harmony, and signature information to sound effect. The specific data conversion rule is not limited, provided the data conversion can be completed.
In general, the drivers loaded in the boot device selection phase are mainly those for USB devices, hard disks, optical disks, the network, and so on. The threat detection method of this embodiment, however, requires the sound card driver, so the relevant load entries in the motherboard ROM can be modified in advance so that the sound card driver is also loaded during the boot device selection phase.
In some embodiments, step S32 may include:
rendering the first audio attribute information and the second audio attribute information, respectively, with an audio encoder to obtain first audio data and second audio data;
playing the first audio data and the second audio data with an audio decoder; and
performing threat detection on the current files based on the playback result.
In this embodiment, whereas the related art requires a dedicated detection tool, the terminal device already has an audio encoder, so the rendering of the audio data can be completed with that existing hardware, the audio data can conveniently be played (decoded) with the terminal device's audio decoder, and the user can perform threat detection on the current files based on the playback result, which helps improve the convenience of security protection of the terminal device.
The solution provided by an embodiment of the invention for comparing two audio data items is described below.
In general, tampering with data by an attacker changes two data attributes, the data size and the last modification time, while the other data attributes are unaffected. Even where other attributes are affected, the audio attributes obtained by mapping them are easily distinguished: for example, if the musical instrument types of the two audio data items differ, the human ear readily hears the difference during playback, so the comparison of the two sets of files is easily completed.
However, when the data sizes of the two files differ only slightly and the other data attributes are identical, the cycle times of the two corresponding audio data items also differ only slightly. When they are played with the audio decoder, the human ear can hardly distinguish them, so the comparison of the two files is hard to complete.
To solve this problem, the audio decoder can be used to judge whether the spectra of the two audio data items differ, so that the comparison of the two sets of files can be completed quickly.
In some embodiments, step S32 may include:
respectively rendering the first audio attribute information and the second audio attribute information by using an audio encoder to obtain first audio data and second audio data;
judging whether the frequency spectrums of the first audio data and the second audio data are different or not by utilizing an audio decoder;
If not, outputting a result that the file in the object to be detected of the current terminal equipment is not tampered by using the audio decoder;
If yes, outputting, by using the audio decoder, a result that the file in the object to be detected of the current terminal equipment has been tampered with.
In this embodiment, the audio decoder of the terminal device itself is used to analyze the spectrums of the two audio data, so that it can be quickly determined whether there is a difference between the spectrums of the two audio data, and the audio decoder can be further used to output the result of whether the file in the object to be detected of the current terminal device is tampered.
However, humans have a natural distrust of machines and prefer to trust their own senses and judgment. To improve the user experience, it can be considered to further play the audio data to assist the user's judgment when a result that the file in the object to be detected of the current terminal device has been tampered with is output. However, if the rendered audio data are simply played as they are, the human ear obviously cannot distinguish them when the difference is small. Therefore, it can further be considered to amplify the difference in the audio attribute information, so that the user can more easily distinguish between the two pieces of audio attribute information, and the user experience is improved.
In some embodiments, after outputting a result that a file in an object to be detected of the current terminal device has been tampered with using the audio decoder, further comprising:
determining, with an audio decoder, audio attribute information in which a difference exists in frequency spectrums of the first audio data and the second audio data;
Judging whether the audio attribute information with the difference is target audio attribute information or not; wherein the target audio attribute information includes a period time and a spatial distance;
If not, then execute: playing the first audio data and the second audio data by using an audio decoder; based on the playing result, further carrying out threat detection on the file in the object to be detected of the current terminal equipment;
If yes, then execute: amplifying the target audio attribute information in the first audio data and the target audio attribute information in the second audio data respectively to obtain third audio data and fourth audio data; playing the third audio data and the fourth audio data by using an audio decoder; and further detecting the threat to the file in the object to be detected of the current terminal equipment based on the playing result.
In this embodiment, the third audio data and the fourth audio data are obtained by amplifying the audio attribute information that is determined to differ and is target audio attribute information, so that the user can be assisted in checking the files of the two objects to be detected according to the playing results of the third audio data and the fourth audio data, and the user experience is improved.
For example, taking data size as the data attribute information, the corresponding audio attribute information is cycle time. Suppose the analysis by the audio decoder finds that the cycle times of the two audio data differ slightly: the total duration of each of the original two audio data is 10s, and their cycle times are 5s and 5.1s respectively, a difference the human ear can hardly distinguish by hearing. For this purpose, the total duration of the two audio data is amplified (so the cycle time is amplified as well), for instance to 100s (i.e. by a factor of 10). The difference then appears as 50s versus 51s, which the human ear can detect.
In conclusion, by making use of the fact that UEFI firmware starts before the operating system, files are detected before the operating system starts, so the difficult problem of firmware vulnerabilities and BootKit-type virus files bypassing traditional antivirus software can be avoided, and the security protection capability before the operating system is loaded can be effectively supplemented, effectively complementing traditional protection schemes.
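As an added example that is not code from the patent, the following models the comparison and amplification flow of steps 310 to 324 on attribute values, using the cycle-time figures from the worked example above (10s total, 5s versus 5.1s, factor 10). The concrete mapping functions from data attributes to audio attributes, the audibility thresholds, and the use of a plain attribute comparison in place of the audio decoder's spectrum comparison are assumptions made for this example.

```python
"""Added example, not the patent's own code: the comparison and
amplification flow of steps 310 to 324 on attribute values.

Assumptions not fixed by the patent: the mapping functions from data
attributes to audio attributes, the audibility thresholds, and a plain
attribute comparison standing in for the decoder's spectrum comparison.
Durations are integers in milliseconds.
"""
import math
from dataclasses import dataclass

# Attributes the patent names as "target" audio attributes: the ones that
# get amplified when they differ (steps 320 and 324).
TARGET_ATTRIBUTES = ("cycle_time_ms", "spatial_distance_m")

# Assumed smallest difference a listener can notice, per target attribute.
# The patent's example treats 0.1 s as inaudible and 1 s as audible.
MIN_AUDIBLE_DIFF = {"cycle_time_ms": 1000, "spatial_distance_m": 1}

# Assumed mapping of data type to musical instrument type.
INSTRUMENT_BY_TYPE = {"efi": "piano", "firmware": "organ"}

# Assumed reference size: a file of this size maps to a cycle time equal
# to half the total duration.
REFERENCE_SIZE = 2_000_000


@dataclass(frozen=True)
class DataAttributes:
    """Data attribute information of one file (constructed values)."""
    data_type: str      # e.g. "efi" for an EFI boot program
    data_size: int      # bytes
    last_modified: int  # seconds since the Unix epoch


def to_audio_attributes(d: DataAttributes, total_duration_ms: int = 10_000) -> dict:
    """Data conversion (step 308). Data size -> cycle time is the pairing the
    patent gives; the other two pairings are assumptions for this example."""
    return {
        "total_duration_ms": total_duration_ms,
        "instrument": INSTRUMENT_BY_TYPE.get(d.data_type, "sine"),
        "cycle_time_ms": total_duration_ms * d.data_size // REFERENCE_SIZE,
        # Assumed: the day of last modification sets the spatial distance.
        "spatial_distance_m": (d.last_modified // 86_400) % 1000,
    }


def differing_attributes(first: dict, second: dict) -> set:
    """Stand-in for the decoder's spectrum comparison (steps 312 and 318):
    returns the audio attributes whose values differ."""
    return {k for k in first if first[k] != second[k]}


def amplification_factor(attr: str, a: int, b: int) -> int:
    """Smallest integer factor that makes the difference in `attr` audible."""
    diff = abs(a - b)
    if diff == 0 or diff >= MIN_AUDIBLE_DIFF[attr]:
        return 1
    return math.ceil(MIN_AUDIBLE_DIFF[attr] / diff)


def amplify(audio: dict, factor: int) -> dict:
    """Step 324: scale the total duration and the target attributes."""
    out = dict(audio)
    for k in ("total_duration_ms",) + TARGET_ATTRIBUTES:
        out[k] = audio[k] * factor
    return out


def verify(current: DataAttributes, last_boot: DataAttributes) -> dict:
    """Steps 310 to 324: returns the verdict, the differing attributes, the
    amplification factor and the two audio data to play."""
    first = to_audio_attributes(current)
    second = to_audio_attributes(last_boot)
    diff = differing_attributes(first, second)
    if not diff:
        # Step 314: spectra match, the file is treated as not tampered.
        return {"verdict": "not_tampered", "differing": diff,
                "factor": 1, "play": (first, second)}
    target_diff = [k for k in TARGET_ATTRIBUTES if k in diff]
    if not target_diff:
        # Step 322: a non-target attribute (e.g. instrument) differs, which
        # the ear tells apart on its own, so play the audio unchanged.
        return {"verdict": "tampered", "differing": diff,
                "factor": 1, "play": (first, second)}
    # Step 324: amplify until every differing target attribute is audible.
    factor = max(amplification_factor(k, first[k], second[k]) for k in target_diff)
    return {"verdict": "tampered", "differing": diff, "factor": factor,
            "play": (amplify(first, factor), amplify(second, factor))}


if __name__ == "__main__":
    # Constructed values: the current EFI boot program grew by 20,000 bytes
    # since the last boot while every other attribute stayed the same.
    now = DataAttributes("efi", 1_020_000, 1_640_304_000)
    previous = DataAttributes("efi", 1_000_000, 1_640_304_000)
    result = verify(now, previous)
    print(result["verdict"], result["factor"],
          [a["cycle_time_ms"] for a in result["play"]])  # tampered 10 [51000, 50000]
```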
Fig. 2 shows a flow chart of a method of securing a terminal device according to another embodiment. Referring to fig. 2, the method includes:
Step 200: after the terminal equipment enters a UEFI mode, acquiring a detection instruction triggered by a user;
Step 202: analyzing the detection instruction to determine an object to be detected;
Step 204: acquiring a file in an object to be detected after the terminal equipment is started last time;
Step 206: extracting first data attribute information for representing a file in an object to be detected of the current terminal equipment and second data attribute information for representing the file in the object to be detected after the terminal equipment is started last time;
Step 208: respectively carrying out data conversion on the first data attribute information and the second data attribute information to obtain first audio attribute information and second audio attribute information;
Step 210: respectively rendering the first audio attribute information and the second audio attribute information by using an audio encoder to obtain first audio data and second audio data;
Step 212: playing the first audio data and the second audio data by using an audio decoder;
Step 214: and carrying out threat detection on the file in the object to be detected of the current terminal equipment based on the playing result.
Fig. 3 shows a flow chart of a method of securing a terminal device according to yet another embodiment. Referring to fig. 3, the method includes:
Step 300: after the terminal equipment enters a UEFI mode, acquiring a detection instruction triggered by a user;
Step 302: analyzing the detection instruction to determine an object to be detected;
Step 304: acquiring a file in an object to be detected after the terminal equipment is started last time;
Step 306: extracting first data attribute information of a file for representing a first object to be detected and second data attribute information of a file for representing a second object to be detected;
Step 308: respectively carrying out data conversion on the first data attribute information and the second data attribute information to obtain first audio attribute information and second audio attribute information;
Step 310: respectively rendering the first audio attribute information and the second audio attribute information by using an audio encoder to obtain first audio data and second audio data;
Step 312: judging whether the frequency spectrums of the first audio data and the second audio data are different or not by utilizing an audio decoder; if not, go to step 314, if yes, go to step 316;
Step 314: outputting a verification result of the same file of the first object to be detected and the file of the second object to be detected by using an audio decoder;
Step 316: outputting a verification result of the difference between the file of the first object to be detected and the file of the second object to be detected by using an audio decoder;
Step 318: determining, with an audio decoder, audio attribute information in which a difference exists in frequency spectrums of the first audio data and the second audio data;
Step 320: judging whether the audio attribute information with the difference is target audio attribute information or not; if not, go to step 322, if yes, go to step 324;
Step 322: playing the first audio data and the second audio data by using an audio decoder; based on the playing result, further checking the file of the first object to be detected and the file of the second object to be detected;
Step 324: amplifying the target audio attribute information in the first audio data and the target audio attribute information in the second audio data respectively to obtain third audio data and fourth audio data; playing the third audio data and the fourth audio data by using an audio decoder; and further checking the file of the first object to be detected and the file of the second object to be detected based on the playing result.
As shown in fig. 4 and fig. 5, the embodiment of the invention provides a security protection apparatus for a terminal device. The apparatus embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. In terms of hardware, fig. 4 shows a hardware architecture diagram of the electronic device in which the security protection apparatus for a terminal device provided in an embodiment of the present invention is located; in addition to the processor, memory, network interface and nonvolatile memory shown in fig. 4, the electronic device in which the apparatus is located may generally include other hardware, such as a forwarding chip responsible for processing packets. As shown in fig. 5, the apparatus in the logical sense is formed by the CPU of the electronic device in which it is located reading the corresponding computer program from the nonvolatile memory into memory and running it.
As shown in fig. 5, a security protection apparatus for a terminal device provided in this embodiment includes:
The acquiring module 500 is configured to acquire a detection instruction triggered by a user after the terminal device enters a UEFI mode; wherein the detection instructions include at least one of detection instructions for UEFI firmware, detection instructions for EFI boot programs, and detection instructions for system critical locations;
the analyzing module 502 is configured to analyze the detection instruction and determine an object to be detected; the object to be detected comprises at least one of UEFI firmware, EFI bootstrap program and a system key position;
And the detection module 504 is configured to perform threat detection on a file in the object to be detected of the current terminal device.
In an embodiment of the present invention, the acquiring module 500 may be used to perform step 100 in the above method embodiment, the analyzing module 502 may be used to perform step 102, and the detection module 504 may be used to perform step 104.
In one embodiment of the present invention, the detection module 504 is configured to perform the following operations:
Acquiring a file in an object to be detected after the terminal equipment is started last time;
Extracting first data attribute information for representing a file in an object to be detected of the current terminal equipment and second data attribute information for representing the file in the object to be detected after the terminal equipment is started last time;
Threat detection is performed on files in the object to be detected of the current terminal equipment based on the first data attribute information and the second data attribute information.
In one embodiment of the present invention, the detection module 504 is configured to, when performing threat detection on a file in an object to be detected of the current terminal device based on the first data attribute information and the second data attribute information, perform the following operations:
Respectively carrying out data conversion on the first data attribute information and the second data attribute information to obtain first audio attribute information and second audio attribute information;
and performing threat detection on the file in the object to be detected of the current terminal equipment based on the first audio attribute information and the second audio attribute information.
In one embodiment of the present invention, the first data attribute information and the second data attribute information each include at least one of:
Data type, data size, creation time, last modification time, last opening time, version information and signature information;
and/or
The first audio attribute information and the second audio attribute information each include at least one of:
musical instrument type, cycle time, tempo, spatial distance, direction change frequency, and sound effect.
In one embodiment of the present invention, the detection module 504 is configured to, when performing threat detection on a file in an object to be detected of a current terminal device based on the first audio attribute information and the second audio attribute information, perform the following operations:
respectively rendering the first audio attribute information and the second audio attribute information by using an audio encoder to obtain first audio data and second audio data;
playing the first audio data and the second audio data by using an audio decoder;
and carrying out threat detection on the file in the object to be detected of the current terminal equipment based on the playing result.
In one embodiment of the present invention, the detection module 504 is configured to, when performing threat detection on a file in an object to be detected of a current terminal device based on the first audio attribute information and the second audio attribute information, perform the following operations:
respectively rendering the first audio attribute information and the second audio attribute information by using an audio encoder to obtain first audio data and second audio data;
judging whether the frequency spectrums of the first audio data and the second audio data are different or not by utilizing an audio decoder;
If not, outputting a result that the file in the object to be detected of the current terminal equipment is not tampered by using the audio decoder;
If yes, outputting, by using the audio decoder, a result that the file in the object to be detected of the current terminal equipment has been tampered with.
In one embodiment of the present invention, the detection module 504 is further configured to, when performing threat detection on a file in an object to be detected of the current terminal device based on the first audio attribute information and the second audio attribute information, perform the following operations:
determining, with an audio decoder, audio attribute information in which a difference exists in frequency spectrums of the first audio data and the second audio data;
Judging whether the audio attribute information with the difference is target audio attribute information or not; wherein the target audio attribute information includes a period time and a spatial distance;
If not, then execute: playing the first audio data and the second audio data by using an audio decoder; based on the playing result, further carrying out threat detection on the file in the object to be detected of the current terminal equipment;
If yes, then execute: amplifying the target audio attribute information in the first audio data and the target audio attribute information in the second audio data respectively to obtain third audio data and fourth audio data; playing the third audio data and the fourth audio data by using an audio decoder; and further detecting the threat to the file in the object to be detected of the current terminal equipment based on the playing result.
In one embodiment of the present invention, the detection module 504 is configured to perform the following operations:
acquiring a first hash value carried by a file in an object to be detected of current terminal equipment;
Carrying out hash calculation on the file in the object to be detected of the current terminal equipment to obtain a second hash value;
And threat detection is carried out on the file in the object to be detected of the current terminal equipment based on the first hash value and the second hash value.
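As an added example that is not code from the patent, the following shows the hash-based branch of the detection module: the hash value the file carries (first hash value) is compared with one recomputed over the file's contents (second hash value). The container format, in which the file body is followed by a 32-byte SHA-256 trailer attached by the publisher, is constructed for this example and is not specified by the patent.

```python
"""Added example, not the patent's own code: hash-based threat detection
comparing a carried hash with a recomputed one.

Assumed container format (constructed for this example): file body
followed by a 32-byte SHA-256 digest trailer attached by the publisher.
"""
import hashlib
import hmac

TRAILER_LEN = hashlib.sha256().digest_size  # 32 bytes


def attach_hash(body: bytes) -> bytes:
    """Build the constructed container: body followed by sha256(body)."""
    return body + hashlib.sha256(body).digest()


def carried_hash(blob: bytes) -> bytes:
    """First hash value: the digest carried in the file's trailer."""
    if len(blob) <= TRAILER_LEN:
        raise ValueError("file too short to carry a hash trailer")
    return blob[-TRAILER_LEN:]


def computed_hash(blob: bytes) -> bytes:
    """Second hash value: recomputed over the body, trailer excluded."""
    return hashlib.sha256(blob[:-TRAILER_LEN]).digest()


def detect(blob: bytes) -> str:
    """Return 'not_tampered', 'tampered' or 'malformed'.

    A file without a complete trailer is reported separately rather than
    silently counted as tampered, so the caller can tell a wrong file
    format or truncation apart from a genuine hash mismatch."""
    try:
        first = carried_hash(blob)
    except ValueError:
        return "malformed"
    second = computed_hash(blob)
    # Constant-time comparison: the outcome must not depend on which byte
    # differs. A carried hash only detects modification by someone who
    # cannot rewrite the trailer as well; binding the hash to a key is what
    # the digital-signature variant (claim 5) adds on top of this check.
    return "not_tampered" if hmac.compare_digest(first, second) else "tampered"


if __name__ == "__main__":
    # Constructed sample: a small stand-in for an EFI boot program image.
    image = attach_hash(b"MZ\x90\x00 constructed EFI image bytes")
    print(detect(image))            # not_tampered
    patched = bytearray(image)
    patched[4] ^= 0x01              # flip one bit in the body
    print(detect(bytes(patched)))   # tampered
```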
It will be appreciated that the structure illustrated in the embodiments of the present invention does not constitute a specific limitation on the security protection apparatus for a terminal device. In other embodiments of the invention, the security protection apparatus for a terminal device may include more or fewer components than shown, may combine certain components, may split certain components, or may have a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The content of information interaction and execution process between the modules in the device is based on the same conception as the embodiment of the method of the present invention, and specific content can be referred to the description in the embodiment of the method of the present invention, which is not repeated here.
The embodiment of the invention also provides electronic equipment, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the safety protection method of the terminal equipment in any embodiment of the invention when executing the computer program.
The embodiment of the invention also provides a computer readable storage medium, and the computer readable storage medium stores a computer program, and when the computer program is executed by a processor, the processor is caused to execute the security protection method of the terminal equipment in any embodiment of the invention.
Specifically, a system or apparatus may be provided with a storage medium on which software program code realizing the functions of any of the above embodiments is stored, and a computer (or CPU or MPU) of the system or apparatus may be caused to read out and execute the program code stored in the storage medium.
In this case, the program code itself read from the storage medium may realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code form part of the present invention.
Examples of storage media for providing program code include floppy disks, hard disks, magneto-optical disks, optical disks (e.g., CD-ROMs, CD-R, CD-RWs, DVD-ROMs, DVD-RAMs, DVD-RWs, DVD+RWs), magnetic tapes, nonvolatile memory cards, and ROMs. Alternatively, the program code may be downloaded from a server computer by a communication network.
Further, it should be apparent that the functions of any of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform part or all of the actual operations based on the instructions of the program code.
Further, it is understood that the program code read out from the storage medium may be written into a memory provided in an expansion board inserted into a computer or into a memory provided in an expansion module connected to the computer, and a CPU or the like mounted on the expansion board or the expansion module may then be caused to perform part or all of the actual operations based on the instructions of the program code, thereby realizing the functions of any of the above embodiments.
In summary, the present invention provides a method, an apparatus, an electronic device, and a storage medium for protecting security of a terminal device, and the present invention has at least the following beneficial effects:
1. In one embodiment of the invention, after the terminal device enters the UEFI mode, a detection instruction triggered by a user is acquired, and the detection instruction is then analyzed to determine an object to be detected, so that threat detection can be performed on a file in the object to be detected of the current terminal device. Because this security protection method is carried out before the operating system is loaded, that is, after the terminal device has entered the UEFI mode and has device access rights and capabilities, threat detection can be performed on some key data, and attacks of this kind in which firmware is used to attack the operating system can be avoided, so that the security protection capability of the terminal device is improved.
2. In one embodiment of the invention, the threat detection is carried out without adopting a special detection tool, and only the files in the object to be detected of the current terminal equipment and the files in the object to be detected after the terminal equipment is started last time are converted into the audio, so that the data can be indirectly checked by utilizing the mode of checking the audio, and the threat detection convenience is improved. The file in the object to be detected after the terminal equipment is started last time is regarded as an untampered file.
3. Whereas the related art needs to use a special detection tool, the terminal device is provided with an audio encoder, so that rendering of the audio data (i.e. obtaining the audio data) can be completed using the terminal device's own hardware (i.e. the audio encoder); the audio data can then be conveniently played (i.e. decoded) using the audio decoder of the terminal device, and a user can perform threat detection on a file in the object to be detected of the current terminal device based on the playing result, which helps to improve the convenience of security protection of the terminal device.
4. In one embodiment of the invention, the frequency spectrums of the two audio data are analyzed by utilizing the audio decoder of the terminal equipment, so that whether the frequency spectrums of the two audio data have differences can be rapidly judged, and the result of whether the file in the object to be detected of the current terminal equipment is tampered can be further output by means of the audio decoder.
5. In one embodiment of the invention, the third audio data and the fourth audio data are obtained by amplifying the audio attribute information which is determined to be different and is the target audio attribute information, so that a user can assist in the verification of the files of the two objects to be detected according to the playing results of the third audio data and the fourth audio data, and the use experience of the user is improved.
It is noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware related to program instructions, and the foregoing program may be stored in a computer readable storage medium, where the program, when executed, performs steps including the above method embodiments; and the aforementioned storage medium includes: various media in which program code may be stored, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (8)
1. A method for protecting security of a terminal device, comprising:
after the terminal equipment enters a UEFI mode, acquiring a detection instruction triggered by a user; wherein the detection instructions include at least one of detection instructions for UEFI firmware, detection instructions for EFI boot programs, and detection instructions for system critical locations;
Analyzing the detection instruction to determine an object to be detected; wherein the object to be detected comprises at least one of UEFI firmware, EFI boot program, and system critical location;
threat detection is carried out on files in the object to be detected of the terminal equipment at present;
the threat detection for the file in the object to be detected of the terminal equipment comprises the following steps:
Acquiring a file in an object to be detected after the terminal equipment is started last time;
Extracting first data attribute information for representing a file in an object to be detected of the terminal equipment and second data attribute information for representing a file in the object to be detected after the terminal equipment is started last time;
Threat detection is carried out on files in the object to be detected of the terminal equipment currently based on the first data attribute information and the second data attribute information;
The threat detection for the file in the object to be detected of the terminal equipment currently based on the first data attribute information and the second data attribute information comprises the following steps:
Respectively carrying out data conversion on the first data attribute information and the second data attribute information to obtain first audio attribute information and second audio attribute information;
And detecting the threat to the file in the object to be detected of the terminal equipment at present based on the first audio attribute information and the second audio attribute information.
2. The method of claim 1, wherein the first data attribute information and the second data attribute information each comprise at least one of:
Data type, data size, creation time, last modification time, last opening time, version information and signature information;
and/or
The first audio attribute information and the second audio attribute information each include at least one of:
musical instrument type, cycle time, tempo, spatial distance, direction change frequency, and sound effect.
3. The method according to claim 1 or 2, wherein threat detection of a file in an object to be detected of the terminal device at present based on the first audio attribute information and the second audio attribute information comprises:
respectively rendering the first audio attribute information and the second audio attribute information by using an audio encoder to obtain first audio data and second audio data;
Playing the first audio data and the second audio data with an audio decoder;
and based on the playing result, threat detection is carried out on the file in the object to be detected of the terminal equipment at present.
4. The method according to claim 1, wherein the threat detection of the file in the object to be detected of the terminal device at present comprises:
Acquiring a first hash value carried by a file in an object to be detected of the terminal equipment at present;
carrying out hash calculation on a file in an object to be detected of the terminal equipment to obtain a second hash value;
And detecting the threat to the file in the object to be detected of the terminal equipment at present based on the first hash value and the second hash value.
5. The method according to claim 1, wherein the threat detection of the file in the object to be detected of the terminal device at present comprises:
acquiring a digital signature carried by a file in an object to be detected of the terminal equipment at present; the digital signature is obtained by encrypting the hash value of the file;
decrypting the digital signature by using a preset secret key to obtain a first hash value;
carrying out hash calculation on a file in an object to be detected of the terminal equipment to obtain a second hash value;
And detecting the threat to the file in the object to be detected of the terminal equipment at present based on the first hash value and the second hash value.
6. A security protection apparatus for a terminal device, based on the method according to any of claims 1-5, comprising:
The acquisition module is used for acquiring a detection instruction triggered by a user after the terminal equipment enters a UEFI mode; wherein the detection instructions include at least one of detection instructions for UEFI firmware, detection instructions for EFI boot programs, and detection instructions for system critical locations;
The analysis module is used for analyzing the detection instruction and determining an object to be detected; wherein the object to be detected comprises at least one of UEFI firmware, EFI boot program, and system critical location;
and the detection module is used for detecting the threat to the file in the object to be detected of the terminal equipment at present.
7. An electronic device comprising a memory and a processor, the memory having stored therein a computer program, the processor implementing the method of any of claims 1-5 when the computer program is executed.
8. A computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of any of claims 1-5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111602671.1A CN114254331B (en) | 2021-12-24 | 2021-12-24 | Security protection method and device for terminal equipment, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111602671.1A CN114254331B (en) | 2021-12-24 | 2021-12-24 | Security protection method and device for terminal equipment, electronic equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114254331A CN114254331A (en) | 2022-03-29 |
| CN114254331B true CN114254331B (en) | 2024-09-24 |
Family
ID=80797607
Family Applications (1)
| Application Number | Status | Publication Number | Title | Priority Date | Filing Date |
|---|---|---|---|---|---|
| CN202111602671.1A | Active | CN114254331B (en) | Security protection method and device for terminal equipment, electronic equipment and storage medium | 2021-12-24 | 2021-12-24 |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114254331B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114756863B (en) * | 2022-03-31 | 2025-01-03 | 安天科技集团股份有限公司 | File tampering detection method, device, electronic equipment and storage medium |
| CN115146281B (en) * | 2022-06-29 | 2026-03-27 | 苏州元脑智能科技有限公司 | A server boot protection method, device, electronic device, and storage medium |
| CN119903516B (en) * | 2025-03-14 | 2025-10-17 | 北京邮电大学 | Malware detection method, device, electronic device and storage medium |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7325145B1 (en) * | 2000-02-18 | 2008-01-29 | Microsoft Corporation | Verifying the presence of an original data storage medium |
| WO2021251950A1 (en) * | 2020-06-08 | 2021-12-16 | Hewlett-Packard Development Company, L.P. | Secure boot up of computing devices |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113779652B (en) * | 2020-06-09 | 2025-05-30 | 华为技术有限公司 | Data integrity protection method and device |
Timeline
- 2021-12-24: CN application CN202111602671.1A filed (patent CN114254331B, status Active)
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |