CN100465980C - Method for improving operating system safety through incompatibility of process behavior - Google Patents
- Publication number: CN100465980C
- Authority
- CN
- China
- Prior art keywords
- incompatibility
- behavior
- file
- acl
- critical
- Prior art date
- Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Active
Landscapes
- Storage Device Security (AREA)
Abstract
This invention relates to a method for improving operating-system security through the incompatibility of process behaviors. The main steps are: 1.1) define a group of critical behaviors among which incompatibility, such as mutual exclusion, may exist; 1.2) each process holds its incompatibility rules recorded in a defined form; 1.3) each process records, in a defined form, the critical behaviors that have already occurred; 1.4) before a critical behavior occurs it must pass a taboo check, in which a judgment is made according to the incompatibility rules and the critical behaviors that have already occurred. If a critical behavior incompatible with it has already occurred, such as a mutually exclusive behavior, the requested critical behavior is regarded as a taboo behavior and is not permitted to occur. The beneficial effect of the invention is that incompatibility of process behaviors is introduced into the computer operating system, so that the behaviors a process has already performed control its follow-up behaviors, improving the security of the computer system.
Description
Technical field
The present invention relates to a method for improving the security of a computer operating system, specifically a method for improving operating-system security through the incompatibility of process behaviors.
Background technology
The security of an operating system is embodied mainly in the security of its file system. To ensure that specific files and directories are not subject to improper access (for example malicious or accidental reading, writing, modification, creation or execution), the operating-system field developed a mechanism called the "access control list" (ACL): each file or directory (or other resource) is equipped with a list that spells out which access rights (read, write, execute and others) are granted to which users or groups, or which kinds of access are denied; anyone not on the list may not access the object at all, or may only read it. This list is the ACL. ACL improved operating-system security to a certain extent and has long been applied in settings such as banks; the prevailing operating systems today, Windows and Unix/Linux, all support ACL. However, ACL basically controls access to specific files only according to the identity of the user, and an identity can be forged, or obtained by exploiting loopholes, under certain conditions. In attacks on computer systems, for example, the attacker always tries to obtain the identity of the "superuser", and once that identity is obtained nothing stands in the way. So, particularly with the development of network technology and applications, ACL increasingly fails to meet the security requirements of systems.
For this reason, people began to study how to improve ACL and strengthen its function, and the result was a mechanism and technology based on "security policy". The so-called "policy" here means, in effect, "rules". Particularly worth mentioning in this respect is the work of the U.S. National Security Agency (NSA) and of the Flask project team at an American university. On the basis of their work, around the end of the 1990s and the beginning of this century, an extension and improvement of the Linux operating system was formed, called SELinux, meaning "security-enhanced Linux". From version 2.6 of Linux, SELinux has been part of the Linux kernel. Windows has in fact also implemented a similar mechanism in its enterprise editions. With the security-policy mechanism in place, access control of the file system has to a certain extent been extended to control of process behavior; for example, a process executing a certain program may create subprocesses only from certain executable files (programs), and so on. Nevertheless, this security-policy mechanism still controls process behavior statically: it does not control a process's behavior in one respect according to its existing behavior in another.
Thus, in the protection mechanism of the operating system, the behavior history of the user with respect to objects such as files is neither considered nor examined. This is a defect of the prior art, and it reduces system security to a certain extent.
In pharmacy there is a concept called "incompatibility": if a patient has taken a certain medicine, he may not be allowed to take another one (or several others). This is, in fact, controlling the follow-up behavior of an actor in one respect according to its existing behavior in another. Introducing the concept of "incompatibility" into the security-policy mechanism of an operating system, for the control of process behavior, is therefore of great practical significance. For example, connecting to the network can be defined as incompatible with access to sensitive files. Then, if process P has established a network connection and subsequently requests to read a file F carrying sensitive information, the request should be refused; but for the same process, if no network connection has been established, reading file F is allowed. Conversely, if process P has first read file F and then requests to establish a network connection, that should equally be stopped: the two are mutually exclusive and cannot both be had. Incompatibility is thus, in effect, a statement of and requirement for mutual exclusion. In short, within the same process, if behavior A is incompatible with behavior B, then the execution of either is conditioned on the other never having been carried out.
People in fact also practice incompatibility in social life: for example, a person engaged in secret work may not emigrate or travel abroad, and a person with "overseas relations" may also be unsuited to secret work, and so on.
Incompatibility is in fact "mutual exclusion" (mutually exclusive), for example making network connection mutually exclusive with access to files under a certain directory. Then, even if a piece of spyware has obtained execution and has obtained the identity of the "superuser", it still cannot succeed in sending the files under that directory out over a network connection. The security of the operating system is obviously improved as a result.
The content and characteristics of the present invention are: incorporating an examination of process behavior history into the security mechanism, including ACL, and controlling the behavior of processes through predetermined incompatibilities, thereby achieving the purpose of improving system security.
In this specification, "operation" is synonymous with "behavior", and "incompatibility" with "mutual exclusion"; the terms are used interchangeably.
Summary of the invention
Against the defects of the prior art, the invention provides a method of imposing incompatibility on the behaviors of a process in a computer operating system, so that different behaviors are made mutually exclusive according to predetermined rules; its effect is improved security of the computer operating system.
The method of the present invention for improving operating-system security through the incompatibility of process behaviors has the following key steps:
1.1) Define a group of critical behaviors among which incompatibility may exist, i.e. which may be required to be mutually exclusive;
1.2) Each process holds incompatibility rules recorded in a definite form;
1.3) Each process records, in a certain form, the critical behaviors that have already taken place;
1.4) A critical behavior must pass a taboo check before it takes place: a judgment is made according to the current process's incompatibility rules and the critical behaviors that have already taken place. If any critical behavior that has already taken place forms an incompatibility with it, i.e. a mutually exclusive critical behavior has occurred, the requested critical behavior is regarded as a taboo behavior and is not allowed to take place.
The above group of "critical behaviors" among which incompatibility may exist, i.e. which may be required to be mutually exclusive, includes but is not limited to file operations, network operations, inter-process communication, creation of subprocesses and so on. File operations may be further subdivided by concrete operation type into opening a file in read mode, opening a file in write mode, opening a file in execute mode, mapping a file, reading a file, writing a file, executing a file, changing file attributes, and so on. Only operations completed through system calls can be defined as critical behaviors, and incompatibility can only arise between critical behaviors. The specific choice of critical behaviors depends on the concrete operating system, because the mechanisms and related system calls provided by different operating systems differ; but the critical behaviors should include the following operations:
File operations: opening a file (including a directory) for reading, opening a file (or directory) for writing, opening a file for execution; may also include actually reading a file, writing a file, executing a file and mapping a file.
Network operations: creating/opening a socket, waiting for a peer's connection request (listen), requesting a connection to a peer (connect), accepting a peer's connection request (accept), and so on.
Inter-process communication: the mechanisms for transferring bulk information between processes, including: creating a pipe; creating/connecting to/using a named pipe; creating/connecting to/using a local (Unix-domain) socket; creating/using a message queue; creating/using shared memory; creating/using LPC in Windows; cross-process memory access in Windows; and so on.
Process management: creating a subprocess, executing a certain executable file.
System management: shutdown, reboot, dynamically installing a kernel module, changing the incompatibility rules.
However, the specific choice of critical behaviors does not change the essence of the present invention, which is to impose incompatibility on process behaviors so that different behaviors are made mutually exclusive according to predetermined rules.
The method of the present invention for improving operating-system security through the incompatibility of process behaviors can be further improved and supplemented as follows.
1. Extend the ACL mechanism so that a concrete ACE, when it permits the target file to be opened in a specified mode, provides two kinds of information:
Taboo behavior description block: the other behaviors that form an incompatibility with opening this file in the specified mode.
Incompatibility description block: for an executable file, the initial incompatibilities followed by the process that executes this file.
2. Equip each process with an "incompatibility description block" for critical behaviors, an "existing behavior record block" recording the critical behaviors that have already occurred, and a "taboo behavior description block". Their roles are as follows:
Incompatibility description block:
Contains a number of incompatibility description entries; each entry gives two groups of mutually exclusive critical operations (operations within the same group are not mutually exclusive; each group has at least one operation), forming one incompatibility pair.
Existing behavior record block:
Records, by type, the critical operations that this process has already performed.
Taboo behavior description block:
Records, by type, the known taboos, i.e. the critical operations that are forbidden from taking place. For critical operations other than opening a file, the taboo behaviors can be deduced from the incompatibilities and the critical operations that have already taken place. For file-open operations, the block is dynamically extended according to the taboo behavior description block provided by the target file's ACL.
3. The initial contents of each process's critical-behavior incompatibility description block may come from the following sources, and may be adjusted dynamically:
a) a database storing security policy,
b) parameters given when the process is created,
c) the system-default critical-behavior incompatibility description block,
d) a certain "access control entry" (ACE) in the "access control list" (ACL) of the software (executable file) being run,
e) the incompatibility description block inherited from the parent process,
f) a merge of the incompatibility description block from the parent process and the one from the ACL.
4. For a critical-behavior request during operation, if it belongs to the taboo behaviors it is simply not allowed to take place.
5. For a file-open request during operation, if the corresponding ACE in the target file's ACL permits the open, but a taboo behavior described in that ACE's taboo behavior description block has already taken place, the open is not allowed.
6. During operation, if permission is obtained to open a certain file, the current process's taboo behavior description block is adjusted according to the taboo description in the corresponding ACE of the target file's ACL. For example, suppose that file operations and network operations were not originally mutually exclusive in the current process's incompatibility description block, but the process opened a file that requires mutual exclusion with network operations; then network operations are added to the current process's taboo behavior description block, and network operations are forbidden from then on.
7. For a critical behavior that actually takes place (other than opening a file), its occurrence is recorded in the current process's "existing behavior record block", the critical operations that must be forbidden from then on are deduced from the incompatibility description block, and the current process's taboo behavior description block is adjusted accordingly.
8. In the above, the information provided by ACLs and ACEs, i.e. what is stored in each ACL and ACE, can also be stored centrally in a security policy database and provided by that database (by querying it) when needed.
Further, when a critical behavior requested by the current process is forbidden because of incompatibility, the attempted behavior can also be recorded as a warning message, or even raised as an alarm in real time, so that violation of incompatibility serves as an auxiliary means of intrusion detection. For example, if a certain process attempts to access a file carrying sensitive information, and this behavior has been forbidden because of incompatibility, then on the one hand its request is refused and on the other hand an alarm is raised, because this is very likely caused by an intrusion.
It should also be explained that both ACL and the security policy database are file security mechanisms provided by the operating system, and the "tables" in a relational database are generally stored in the form of files, so ACL and the security policy database naturally also become database security mechanisms. Although the method of the present invention can also be independent of ACL and the security policy database, combining it with ACL or the security policy database is obviously the better and more effective choice. And since it is combined with ACL or the security policy database, the method of the present invention naturally also improves database security.
The beneficial effect of the present invention is that the incompatibility of process behaviors is introduced into the computer operating system, and the follow-up behaviors of a process are controlled according to its existing behaviors, improving the security of the computer operating system.
Embodiment
The invention is further described below in conjunction with embodiments:
The mainstream operating systems at present are Windows and Linux, so the following uses Linux as the example to illustrate the implementation of the present invention, and points out the technical peculiarities of implementing it in the Windows operating system.
However, whenever needed, the method of the invention can also be implemented in other operating systems, and the concrete implementation details (such as the definition of program code and data structures) do not affect the essence of the invention.
Embodiment 1: implementation in the Linux operating system
As mentioned above, the initial contents of the incompatibility description block may come from the security policy database or from the ACL of the executable file, and further side information all comes from the ACL of the concrete file. However, depending on the specific implementation, it is also possible for all the information to come from the security policy database, or all from ACLs. The difference is just that the security policy database is centralized while ACLs are distributed. Generally speaking, organizing and storing the rules relevant to each concrete file together with that file is an ACL, whereas organizing and storing them centrally makes a security policy database. For the method of the present invention, this is a difference of specific implementation; the two are not substantially different and do not differ much in difficulty (the security policy database is, if anything, simpler). This embodiment adopts the approach in which the initial contents of the incompatibility description block come from the ACL.
On the other hand, the incompatibility description block, existing behavior record block and taboo behavior description block can also be realized in different ways, one of which is the bitmap approach. In the bitmap approach, each kind of critical behavior corresponds to one flag bit, and whether a behavior is incompatible, has taken place, or is forbidden is expressed by the state (1 or 0) of the corresponding flag bit. Generally speaking, a flag bit can only represent a kind or class of behavior rather than a concrete behavior, and cannot represent the concrete object of the behavior. For example, "network operation" is a class of behavior: such behavior may be carried out many times, and the object (IP address) may differ each time. In practice there is no need to distinguish multiple operations on the same object; not distinguishing the concrete operand may cause the net to be cast too wide, but for the sake of security that is better than letting a possible attack slip through. Moreover, refining the bitmap further down to the operand is not difficult (as will be touched on below).
Described below is an embodiment based on ACL and adopting the bitmap approach.
The Linux operating system supports many different file systems, but the implementation of the ACL mechanism does not differ much among them, so the following uses the ext2 file system as the example for implementing this method.
1. Critical behavior type definition:
First define the critical operations (behaviors). This embodiment represents any set of critical operations (for example the set of forbidden operations, the set of operations already performed, and so on) as a bitmap, with each concrete operation represented by one flag bit. If a certain flag bit in a bitmap is 1, the operation is present in that set; otherwise it is not. An incompatibility is then a pair of sets, i.e. mutual exclusion between two groups of operations.
So the definition of critical operations appears as the definition of flag bits:
#define OP_FORK_CREATE_PROC 0x00000001 /* fork() or create a process */
#define OP_CREATE_PIPE      0x00000002 /* create an ordinary pipe */
#define OP_NAMED_PIPE       0x00000004 /* create/open a named pipe */
#define OP_MMAP             0x00000008 /* create/open a shared memory region */
#define OP_MSG              0x00000010 /* create a message queue */
/* 0x00000020 to 0x00000080 reserved for Windows-specific operations */
#define OP_SOCKET           0x00000100 /* create/open a socket */
#define OP_CONNECT          0x00000200 /* connect to a peer */
#define OP_LISTEN           0x00000400 /* wait for a peer's connection request */
#define OP_ACCEPT           0x00000800 /* accept a peer's connection request */
#define OP_RECV             0x00001000 /* receive a message */
#define OP_SEND             0x00002000 /* send a message */
/* 0x00004000 and 0x00008000 reserved for other network operations */
#define OP_FILE_OPEN        0x00010000 /* create/open a file (or directory) */
#define OP_FILE_READ        0x00020000 /* read a file */
#define OP_FILE_WRITE       0x00040000 /* write a file */
#define OP_FILE_DELETE      0x00080000 /* delete a file */
#define OP_FILE_MOVE        0x00100000 /* move a file */
#define OP_FILE_MAPO        0x00200000 /* map a file */
#define OP_FILE_EXEC        0x00400000 /* execute a file (including scripts) */
#define OP_FILE_ACL         0x00800000 /* set an ACL */
#define OP_REG_QUERY        0x01000000 /* query the registry */
#define OP_REG_UPDATE       0x02000000 /* change the registry */
/* 0x04000000 reserved for other registry operations */
#define OP_RULE_SETUP       0x08000000 /* set the taboo rules */
#define OP_SHUTDOWN         0x10000000 /* shut down */
#define OP_REBOOT           0x20000000 /* reboot */
#define OP_INSMOD           0x40000000 /* dynamically install a kernel module */
/* 0x80000000 reserved for peripheral operations, e.g. accessing a USB flash drive */
These flag-bit definitions are based on a 32-bit bitmap, so at most 32 kinds of critical operation can be defined. Fewer than 32 are actually defined here, and some flag bits are reserved for future expansion. If 32 are not enough, a 64-bit bitmap can be adopted.
The file-operation flag bits here apply to file operations as a whole and act as a "master switch": for example, if flag bit OP_FILE_OPEN in the taboo behavior description bitmap is 1, it means that from then on no file at all may be opened; if it is 0, the ACL of the target file must be checked further.
Critical-operation flag bits can be combined as required, for example:
#define OP_NETWORK (OP_SOCKET|OP_CONNECT|OP_LISTEN|OP_ACCEPT|OP_RECV|OP_SEND)
Thus the constant OP_NETWORK, equal to 0x00003f00, represents all network operations.
As mentioned before, which critical operations (behaviors) are defined, and how, are concrete implementation details; what is given here is just an example.
2. Data structures:
With the critical-behavior types defined, several data structures also need to be defined.
The first is the "critical-behavior description entry", used for the "taboo operation description entry" inside each ACE of an ACL, and for the "forbidden operation description block" and "existing behavior record block" of each process.
struct critical_op_entry {
    unsigned int map;
};
As can be seen, this is in fact just an operation bitmap, whose flag bits are defined above.
Used inside an ACE, this data structure is the "taboo operation description entry". Mutual exclusion or incompatibility is of course bilateral at the least, but the taboo operation description entry describes only one side, the side that is excluded (which may be several operations). The other side is implied: it is the access right (in the specified mode) to the target file, or the file access already carried out.
Besides its use in ACLs, the critical-operation description entry is also used for a concrete process's "forbidden operation description block" and "existing behavior record block". For example, flag bit OP_MMAP being 1 in the "existing behavior record block" means that this process has created or opened a shared memory region (and so has this means of communication with other processes). If this process then wants to open a certain file, and the file's ACL shows mutual exclusion with shared memory, the request is refused. On the other hand, OP_MMAP being 1 in the "forbidden operation description block" means that creating or opening a shared memory region is forbidden, because an operation that forms an incompatibility with it has already taken place.
It should be pointed out here that a general critical behavior is recorded with a flag bit in the "existing behavior record block" as soon as it has taken place once, but the access to (opening of) a concrete file is not recorded there; only the operations forbidden as a result are added to the "forbidden operation description block". The purpose of this is to simplify the data structure and processing of the "existing behavior record block".
The second data structure is the "incompatibility description entry", which describes both sides of a mutual exclusion in full:
struct exclusive_entry {
    unsigned int map1;
    unsigned int map2;
};
map1 and map2 here are operation bitmaps representing the two sides of the mutual exclusion. The physical meaning is: any operation in bitmap map1 (flag bit 1) is mutually exclusive with any operation in map2 (flag bit 1), i.e. they form an incompatibility. For example, suppose map1 is (OP_FILE_WRITE|OP_REG_UPDATE) and map2 is (OP_SOCKET|OP_FORK_CREATE_PROC); this means that as soon as a network operation has taken place or a subprocess has been created, writing to (any) file and modifying the registry (meaning the files under /etc in Linux) are both no longer allowed. That is, these two groups of operations form an incompatibility. Note, however, that operations within the same bitmap do not form an incompatibility; for example writing a file and modifying the registry, both in map1, are not mutually exclusive. Also, neither map1 nor map2 may be empty: each must have at least one flag bit set to 1. An "incompatibility description entry" is thus one incompatibility rule.
The "incompatibility description entry" is the element from which the "incompatibility description block" is built; the latter can contain several "incompatibility description entries", i.e. several incompatibility rules.
The third data structure is the "incompatibility description block", which can consist of several incompatibility description entries and is used to record all the incompatibilities of a process.
struct exclusive_desc {
    int total_size;
    int current_size;
    struct exclusive_entry entries[0];
};
total_size gives the size of the whole description block; current_size gives how many valid description entries are currently in the block; the physical size of the array entries[] depends on total_size.
The "incompatibility description block" has two uses:
● describing the incompatibilities of a process; in this case it exists in memory, belongs to the concrete process, and becomes one of the process's attributes.
● residing in the ACL of an executable file, as the initial incompatibilities of the process created to execute that file. As mentioned before, the ACL is stored on disk together with its host file.
Thus, when a subprocess is created to execute a certain executable file, the corresponding "incompatibility description block" in that file's ACL becomes the initial incompatibility description block of the subprocess. And when an existing process directly executes a certain executable file without creating a subprocess, the corresponding "incompatibility description block" in that file's ACL replaces its original incompatibility description block. Of course, if the implementer considers "merging" better than "replacement", that is also fine; it is a variation of detail.
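The following is an added example, not code from the patent, showing steps 1.4, 4 and 7 of the method run against the map1/map2 rule given above: a per-process incompatibility description block, existing behavior record block and taboo behavior description block as bitmaps, a taboo check before each critical operation, and deduction of the newly forbidden operations after each one. It assumes a fixed-capacity description block in place of the flexible array, and uses only a subset of the flag bits.

```c
#include <stdio.h>
#include <string.h>

/* Critical-operation flag bits, as defined in the embodiment (subset used here). */
#define OP_FORK_CREATE_PROC 0x00000001u
#define OP_SOCKET           0x00000100u
#define OP_CONNECT          0x00000200u
#define OP_FILE_WRITE       0x00040000u
#define OP_REG_UPDATE       0x02000000u

/* One incompatibility rule: every op in map1 is mutually exclusive with every op in map2. */
struct exclusive_entry {
    unsigned int map1;
    unsigned int map2;
};

/* Incompatibility description block. The patent sizes entries[] by total_size;
   a fixed capacity is assumed here to keep the example self-contained. */
#define MAX_RULES 8
struct exclusive_desc {
    int current_size;                           /* number of valid rules */
    struct exclusive_entry entries[MAX_RULES];
};

/* Per-process state: the three blocks the method attaches to each process. */
struct proc_state {
    struct exclusive_desc desc;   /* incompatibility description block */
    unsigned int done;            /* existing behavior record block (bitmap) */
    unsigned int forbidden;       /* taboo behavior description block (bitmap) */
};

/* Taboo check (steps 1.4 and 4): an op is refused if it is in the forbidden set. */
static int op_is_taboo(const struct proc_state *p, unsigned int op)
{
    return (p->forbidden & op) != 0;
}

/* Step 7: from the rules and the ops already performed, deduce the ops now forbidden.
   If any op on one side of a rule has happened, the whole other side becomes taboo.
   The forbidden set only grows, so ORing into it is sufficient. */
static void derive_forbidden(struct proc_state *p)
{
    for (int i = 0; i < p->desc.current_size; i++) {
        const struct exclusive_entry *e = &p->desc.entries[i];
        if (p->done & e->map1)
            p->forbidden |= e->map2;
        if (p->done & e->map2)
            p->forbidden |= e->map1;
    }
}

/* A process requests a critical op: check, then record it and update the taboo set.
   Returns 1 if permitted, 0 if refused. */
int request_op(struct proc_state *p, unsigned int op)
{
    if (op_is_taboo(p, op))
        return 0;
    p->done |= op;
    derive_forbidden(p);
    return 1;
}

/* Runs a sequence of requested ops on a fresh process under the rule from the text:
   (write file | update registry) versus (socket | create process).
   Returns a bitmask in which bit i is set when ops[i] was permitted. */
unsigned int run_sequence(const unsigned int *ops, int n)
{
    struct proc_state p;
    memset(&p, 0, sizeof p);
    p.desc.entries[0].map1 = OP_FILE_WRITE | OP_REG_UPDATE;
    p.desc.entries[0].map2 = OP_SOCKET | OP_FORK_CREATE_PROC;
    p.desc.current_size = 1;

    unsigned int permitted = 0;
    for (int i = 0; i < n; i++)
        if (request_op(&p, ops[i]))
            permitted |= 1u << i;
    return permitted;
}

int main(void)
{
    /* Constructed scenario: network first, then attempts to write a file and the registry. */
    const unsigned int seq[] = { OP_SOCKET, OP_CONNECT, OP_FILE_WRITE,
                                 OP_REG_UPDATE, OP_FORK_CREATE_PROC };
    unsigned int r = run_sequence(seq, 5);   /* 0x13: ops 0, 1 and 4 permitted */
    for (int i = 0; i < 5; i++)
        printf("op %d (0x%08x): %s\n", i, seq[i],
               ((r >> i) & 1u) ? "permitted" : "refused");
    return 0;
}
```

OP_CONNECT is permitted because it appears in no rule; OP_FORK_CREATE_PROC is permitted because it sits on the same side as the socket already opened, and only the other side of a rule becomes taboo.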
3. Extension of the ACL:
Each file may have an ACL, or may not; the absence of an ACL simply means that no special access control has been added to the file. If present, the ACL is always stored on disk together with its "host" file.
In the code of Linux version 2.6.14, the ACL data structure is defined as:
struct posix_acl {
    atomic_t a_refcount;
    unsigned int a_count;
    struct posix_acl_entry a_entries[0];
};
The array a_entries[0] is of variable size; the field a_count gives its actual number of elements. Each element is a posix_acl_entry structure, i.e. an ACE, so an ACL is a group of ACEs. Each ACE describes the access rights to its host file for a specific subject (a user or user group).
The original data structure definition of an ACE is:
struct posix_acl_entry {
    short e_tag;
    unsigned short e_perm;
    unsigned int e_id;
};
e_tag here is the attribute of this ACE, which determines the meaning of e_id. For example, when e_tag is ACL_USER, e_id is a user id; when e_tag is ACL_GROUP, e_id is a group id. In short, e_id is the subject id, i.e. the identity of the accessor, and e_perm is the bitmap of permitted access rights. In versions that use a "security identifier" (SID) to represent the identity of the current process, e_id can also be the SID of the current process, and for this purpose a "tag" ACL_SID should be added for e_tag.
To incorporate incompatibility information into the ACE, a taboo operation description entry and a pointer to an incompatibility description block can be added to this data structure, giving:
struct posix_acl_entry {
    short e_tag;
    unsigned short e_perm;
    unsigned int e_id;
    struct exclusive_entry e_exclusive;
    unsigned int e_desc_offset; /* for executable only */
};
Its meaning and effect: the subject specified by e_tag and e_id (a member of a certain group, or a specific user) is granted the access rights described by e_perm, but these form an incompatibility with the operations described by the mutual-exclusion description entry e_exclusive. In other words: if the access rights described by e_perm (for example read or write) have been used on this file, the operations described by e_exclusive can no longer be carried out; and if one or several of those operations was carried out beforehand, the rights granted by e_perm are revoked. Obviously this is not simple conditional access. The other member, e_desc_offset, is used only for executable files and is meaningless for ordinary files.
The ACE of an executable file is special, because two kinds of taboo with different meanings must be described. The first is the taboo that the process which starts execution of the target file, i.e. the parent process, is thereby subjected to; the other is the incompatibility of the subprocess that actually executes the target file. The description of an incompatibility is bilateral, and there may be more than one group. For example, an executable file may have two groups of taboos: network operations versus process creation, and file writing versus registry modification; these two groups cannot be merged, because process creation is not mutually exclusive with file writing or registry modification. So, for the execution of an executable file, an incompatibility description block (not just one incompatibility description entry) must be provided, and the size of the description block cannot be fixed in advance. This description block can obviously only be placed outside the ACE array, and in that case the position of the corresponding incompatibility description block is described by the member e_desc_offset above, i.e. as a displacement relative to the start of the ACL. Of course, an ordinary (non-executable) file has no incompatibility description block, and then e_desc_offset is 0.
Because of the introduction of incompatibility, the ACL of a file (or directory) may hold more than one ACE for the same user (or group), each ACE stating the permission rule for one or several access modes and the corresponding taboos. For example, one ACE may concern permission to read and another permission to execute; since the taboos differ in the two cases, they are divided into two ACEs. As mentioned before, although these ACEs concern operations such as reading, writing and executing a file, the ACL check is generally placed at the time the file is opened, because an attempt to write a file opened in read mode is forbidden by the operating system anyway; the kernel already provides that guarantee.
Here the description of taboo behaviors is in bitmap form, which can only express whether a certain behavior (operation) is taboo, not the concrete object of the operation. For example, flag bit OP_SOCKET being 1 means that network communication is excluded, without describing the concrete communication peer (for example an IP address). Likewise, flag bit OP_FILE_OPEN being 1 means that all file opens are excluded, without describing the concrete files.
If the bitmap in e_exclusive were replaced by an index with the character of a pointer, pointing to a "taboo list" resembling an ACL that gives the further detail in tabular form, that would also work. For example, the format of ACL and ACE could be imitated to define such data structures:
struct forbidden_list {
    unsigned short l_index;      /* index number, matching the index given in the ACE */
    unsigned short l_length;     /* length of the whole taboo list */
    unsigned int   l_offset[32]; /* one entry per flag bit: displacement of the detail entry, 0 = not taboo */
};
This is the head of the taboo list. l_index is an index number, consistent with the index number given in the ACE, and l_length gives the length of the whole taboo list. The array l_offset[32] logically plays the same role as the earlier bitmap, but in effect behaves like an array of pointers. Each element of the array corresponds to one flag bit in the bitmap, with the bit's position in the bitmap as the subscript: where OP_SOCKET was originally defined as 0x00000100, for instance, it is now defined as 8. Thus, if network operation is to be excluded, the entry with subscript OP_SOCKET holds the position of the corresponding detail entry, i.e. its displacement from the start of the taboo list (a displacement of 0 means the operation is not on the taboo list, equivalent to a flag bit of 0). The data structure of a detail entry is:
struct forbidden_item {
    unsigned short i_op;    /* code of the prohibited operation, e.g. OP_SOCKET */
    unsigned short i_perm;  /* INCLUDE or EXCEPT, plus a flag for the type of i_id[] contents */
    unsigned short i_num;   /* actual number of entries in i_id[] */
    unsigned int   i_id[1]; /* object identifiers: IP addresses, string pointers or i-node numbers */
};
Here i_op is the code of the prohibited operation, for example OP_SOCKET. The second field, i_perm, states whether the details listed after it are to be taken as "INCLUDE" or "EXCEPT". For example, when the prohibited operation is OP_SOCKET, the array i_id[] that follows holds a list of IP addresses. With i_perm = INCLUDE the meaning is "forbid network operations to these IP addresses; others are allowed"; with i_perm = EXCEPT the meaning is "everything except these IP addresses is forbidden". Obviously the content of i_id[] differs from one critical behaviour to another, and i_num gives the actual size of the array.
Taboos on file operations are described in the same way, except that the elements of i_id[] are string pointers to actual file or directory names. Alternatively, i_id[] can hold the i-node numbers of the files or directories; correspondingly, a flag bit in i_perm can indicate whether the contents of i_id[] are string pointers or i-node numbers.
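The taboo list above is only sketched on the page, so the following is an added example (not code from the patent) showing how the header and its detail entries can be laid out in one buffer and consulted with the INCLUDE/EXCEPT semantics just described. The struct layouts and field names are the page's; the index value chosen for OP_FILE_OPEN, the encoding of INCLUDE/EXCEPT in i_perm, the buffer capacity, the IPv4-in-host-order representation of peers and the function names are assumptions of this example. The peer addresses are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OP_FILE_OPEN 0       /* assumed index for the file-open flag bit */
#define OP_SOCKET    8       /* index form of the 0x00000100 flag, as on the page */
#define PERM_INCLUDE 0       /* i_id[] lists the objects that are forbidden */
#define PERM_EXCEPT  1       /* i_id[] lists the only objects still permitted */
#define LIST_CAP     512     /* assumed capacity of one taboo list buffer */

struct forbidden_list {
    unsigned short l_index;      /* matches the index number in the ACE */
    unsigned short l_length;     /* bytes used by the whole list, header included */
    unsigned int   l_offset[32]; /* per operation: displacement of its item, 0 = not taboo */
};

struct forbidden_item {
    unsigned short i_op;     /* prohibited operation code */
    unsigned short i_perm;   /* PERM_INCLUDE or PERM_EXCEPT */
    unsigned short i_num;    /* entries actually present in i_id[] */
    unsigned int   i_id[1];  /* here: IPv4 addresses in host byte order */
};

/* The list is one contiguous buffer: header at offset 0, items appended behind it. */
void list_init(unsigned char *buf, unsigned short index) {
    struct forbidden_list hdr = { .l_index = index, .l_length = sizeof hdr };
    memset(buf, 0, LIST_CAP);
    memcpy(buf, &hdr, sizeof hdr);
}

/* Append a detail item for `op`; returns 0 on success, -1 if it does not fit. */
int list_add(unsigned char *buf, unsigned short op, unsigned short perm,
             const unsigned int *ids, unsigned short num) {
    struct forbidden_list hdr;
    memcpy(&hdr, buf, sizeof hdr);
    size_t head = offsetof(struct forbidden_item, i_id);
    size_t item_len = head + (size_t)num * sizeof(unsigned int);
    if (op >= 32 || hdr.l_length + item_len > LIST_CAP) return -1;
    struct forbidden_item it = { .i_op = op, .i_perm = perm, .i_num = num };
    unsigned char *dst = buf + hdr.l_length;
    memcpy(dst, &it, head);
    memcpy(dst + head, ids, (size_t)num * sizeof(unsigned int));
    hdr.l_offset[op] = hdr.l_length;           /* displacement from the list start */
    hdr.l_length = (unsigned short)(hdr.l_length + item_len);
    memcpy(buf, &hdr, sizeof hdr);
    return 0;
}

/* Is `op` on object `id` forbidden?  Displacement 0 means the operation is not on
 * the taboo list at all, the equivalent of a cleared flag bit in the bitmap form. */
int list_forbids(const unsigned char *buf, unsigned short op, unsigned int id) {
    struct forbidden_list hdr;
    memcpy(&hdr, buf, sizeof hdr);
    if (op >= 32 || hdr.l_offset[op] == 0) return 0;
    const unsigned char *p = buf + hdr.l_offset[op];
    size_t head = offsetof(struct forbidden_item, i_id);
    struct forbidden_item it;
    memcpy(&it, p, head);
    int listed = 0;
    for (unsigned short k = 0; k < it.i_num && !listed; k++) {
        unsigned int v;
        memcpy(&v, p + head + (size_t)k * sizeof v, sizeof v);
        listed = (v == id);
    }
    return it.i_perm == PERM_INCLUDE ? listed : !listed;   /* INCLUDE vs EXCEPT */
}

unsigned int ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Build the page's OP_SOCKET example with two constructed peers (10.0.0.5, 10.0.0.6)
 * under `perm`, then ask whether `op` on object `id` is forbidden (1 = forbidden). */
int verdict(unsigned short perm, unsigned short op, unsigned int id) {
    static unsigned char buf[LIST_CAP];
    unsigned int peers[2] = { ip4(10, 0, 0, 5), ip4(10, 0, 0, 6) };
    list_init(buf, 7);
    if (list_add(buf, OP_SOCKET, perm, peers, 2) != 0) return -1;
    return list_forbids(buf, op, id);
}

int main(void) {
    printf("INCLUDE, 10.0.0.5: %d\n", verdict(PERM_INCLUDE, OP_SOCKET, ip4(10, 0, 0, 5)));
    printf("EXCEPT,  10.0.0.5: %d\n", verdict(PERM_EXCEPT, OP_SOCKET, ip4(10, 0, 0, 5)));
    printf("file open, unlisted: %d\n", verdict(PERM_INCLUDE, OP_FILE_OPEN, 42));
    return 0;
}
```

All reads and writes go through memcpy so the variable-length items need no particular alignment inside the buffer; the check is a linear scan of one item, so the per-operation cost is bounded by i_num rather than by the size of the whole list.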
4. Algorithm
Because this embodiment uses bitmaps, the three description blocks mentioned above are simply bitmaps. Thus each process has three data structures that are essentially bitmaps:
Incompatibility description block: its body is an array of incompatibility description entries; each element, i.e. each description entry, contains a pair of bitmaps describing two groups of operations that are mutually incompatible. The array is of variable size, the minimum being 0, meaning no incompatibility. The initial incompatibility, if any, comes from the ACL of the executable program file. The size of the array may change while the process runs (generally it only grows and never shrinks).
Existing-behaviour bitmap: the record of the behaviours the process has already performed. It is empty at the start; during execution, whenever a critical behaviour occurs, the corresponding flag bit in this bitmap is set to 1. At the same time, the operations that must now be forbidden are worked out from the incompatibility description and added to the taboo-behaviour bitmap, i.e. the relevant flag bits there are set to 1. File operations are the exception: an operation on a concrete file need not be recorded in the existing-behaviour bitmap; only the taboo defined in the file's ACL is added to the taboo-behaviour bitmap.
Taboo-behaviour bitmap: shows the operations that are currently forbidden to this process. Its content has two sources: one part is computed from the incompatibility description and the existing-behaviour bitmap, the other comes from the ACLs of the target files the process accesses (opens). During execution, the content of the taboo-behaviour bitmap may accumulate gradually.
Correspondingly, three pointers are added to the process control block (PCB) data structure, pointing to these three data structures.
Because bitmaps are used, checking a flag bit is a very simple operation. For instance, to check whether a certain key operation is forbidden, AND the constant representing the corresponding flag bit (for example OP_MMAP) with the taboo-behaviour bitmap: a result of 0 means the bit is 0, i.e. not forbidden, and a non-zero result means the bit is 1, i.e. forbidden. Merging two bitmaps is equally simple: to merge bitmap S into bitmap D, OR the two together and replace the original content of D with the result.
The following functions/procedures are critical to implementing the invention:
Key-operation application: before a key operation is carried out, an application must first be made through this function; the operation may proceed only if it returns "allow", and the taboo-operation bitmap and existing-behaviour bitmap of the current process must be adjusted accordingly.
Check ACL: before a file is opened, the ACL of the target file must be checked to see whether opening in the requested mode is allowed, and the taboo-operation bitmap of the current process must be adjusted accordingly. If an executable file is opened in "execute" mode, the ACL may also provide an initial incompatibility description block.
Create child process: create a child process and let it execute the specified executable file; this is one of the more complex key operations.
Execute target file: the current process itself executes the specified executable file; also one of the more complex key operations.
Open file: opening a file is the most important key operation; in fact, earlier security measures have basically all been centred on opening files. It is also one of the more complex key operations.
Other key operations: by comparison, key operations other than creating a child process, executing a target file and opening a file are fairly simple.
These functions/procedures form the main body of this embodiment; the remaining details and auxiliary operations need not be described.
The algorithmic descriptions of these procedures follow:
Key-operation application (input parameters: process control block, operation type,
    ACL of the target file, requested open mode,
    blank incompatibility description block;
    returns: "allow" or "deny")
/* Notes:
 * the ACL of the target file and the open mode are meaningful only when the operation type is open-file;
 * the blank incompatibility description block is meaningful only when the open mode includes execute.
 */
1. Using the three pointers in the PCB, locate the current process's incompatibility description block, existing-behaviour description block and taboo-behaviour description block;
2. Check the taboo-behaviour description block to see whether the requested operation is already taboo; if so, return "deny";
3. If the requested operation is open-file:
3.1) call Check ACL() with the PCB, the ACL of the target file, the requested open mode, the current process's taboo-behaviour description block and the blank incompatibility description block as parameters. The purpose is to examine the target file's ACL and see whether opening in the requested access mode is allowed; if not, return "deny" and finish;
3.2) does the relevant ACE in the target file's ACL specify a behaviour taboo (that is, behaviours that are incompatible with opening the target file)?
3.3) if so, check the current process's existing-behaviour description block to see whether an operation incompatible with (opening the target file in the given mode) has already occurred;
3.4) if one has occurred, return "deny" and finish;
3.5) if not, merge the behaviour taboo specified in the ACE into the current process's taboo-behaviour description block;
3.6) return "allow" and finish;
/* Note: if the open mode includes execute, the blank incompatibility description block now holds the initial incompatibility description block taken from the ACL */
4. If the requested operation is not open-file:
4.1) write the information that this kind of operation is about to occur into the existing-behaviour description block;
4.2) find in the incompatibility description block all operations that are incompatible with this operation, and merge them into the current process's taboo-behaviour description block;
4.3) return "allow" and finish.
Check ACL (input parameters: process control block, ACL of the target file, requested open mode,
    taboo-behaviour description block, blank incompatibility description block;
    returns: "allow" or "deny")
/* Note: the blank incompatibility description block is meaningful only when the open mode includes execute. */
For each ACE in the ACL, carry out the following steps in a loop, until advancing to the next ACE or returning:
1. Check whether the subject the ACE applies to (user number, group number, SID, etc.) matches what is recorded in the PCB;
2. If it does not match, advance to the next ACE; if no ACE matches, return the default result (usually "deny", but it may also be "allow", depending on system settings) and finish;
3. If it matches:
3.1) compare the requested open mode with the rule in the ACE;
3.2) if the rule in the ACE does not allow it, return "deny" and finish;
3.3) check whether there is a taboo description; if so, merge it into the taboo-behaviour description block passed as a parameter;
3.4) does the open mode include "execute"? If not, return "allow" and finish;
4. If the open mode includes "execute", check whether the ACE provides an incompatibility description block for the child process;
4.1) if there is no incompatibility description block, return "allow" (the blank block passed as a parameter stays blank) and finish;
4.2) if there is one, locate it at the position indicated by the ACE and copy it into the blank block passed as a parameter (after the child process is created, the incompatibility description block pointer in the child's PCB is set to point to this block);
4.3) return "allow" and finish.
Create child process (input parameters: path and file name of the target file) /* the child process executes the target file */
1. Obtain the ACL of the target file from its path and file name;
2. Allocate a blank incompatibility description block for the child process;
3. Call key-operation application() with the current process's PCB, operation type = open-file, the ACL of the target file, open mode = read, map and execute, and the child's incompatibility description block as parameters;
4. If the result is "deny", return an error and finish;
5. Otherwise call the conventional create-child-process operation;
6. Make the incompatibility description block pointer in the child's PCB point to the block allocated in step 2; this is the initial incompatibility description block that the ACL provides for the child (step 3 copied the initial block supplied by the ACL into it);
6a. Depending on system settings, the parent's incompatibility description block may instead be copied into the child's block, so that the child inherits the parent's description block (the initial block supplied by the ACL is then overwritten);
6b. Depending on system settings, the parent's incompatibility description block may be merged into the initial block that the ACL provides for the child;
7. Allocate for the child a blank existing-behaviour record block and a blank taboo-behaviour description block, and make the corresponding pointers in the child's PCB point to these two structures;
8. Return the result of step 5 and finish.
Execute target file (input parameters: path and file name of the target file) /* the current process executes the target file itself */
1. Obtain the ACL of the target file from its path and file name;
2. Allocate a blank incompatibility description block;
3. Call key-operation application() with the current process's PCB, operation type = open-file, the ACL of the target file, open mode = read, map and execute, and the blank incompatibility description block as parameters;
4. If the result is "deny", return an error and finish;
5. Otherwise call the conventional execute-target-file operation;
6. Point the incompatibility description block pointer in the PCB at the block allocated in step 2; this is the initial incompatibility description block that the ACL provides for the process executing this file;
6a. Depending on system settings, the original incompatibility description block may be merged into the initial block provided by the ACL;
7. Clear the current process's taboo-behaviour description block and existing-behaviour record block to blank;
8. Return the result of step 5 and finish.
Open file (input parameters: path and file name of the target file, open mode) /* the open mode does not include execute */
1. Obtain the ACL of the target file from its path and file name;
2. Call key-operation application() with the current process's PCB, operation type = open-file, the ACL of the target file, the open mode, and NULL (meaning there is no blank incompatibility description block) as parameters;
3. If the result is "deny", return an error and finish;
4. Otherwise call the conventional open-file operation;
5. Return the result of step 4 and finish.
Other key operations (input parameter: operation type)
1. Call key-operation application() with the current process's PCB, the operation type, NULL (no ACL), 0 (the open mode is meaningless) and NULL (no blank incompatibility description block) as parameters;
2. If the result is "deny", return an error and finish;
3. Otherwise call the conventional key operation;
4. Return the result of step 3 and finish.
/* Note: if this operation is involved in an incompatibility, all operation types mutually exclusive with it are merged into the current process's taboo-behaviour description block */
To aid understanding, the implementation of the invention is illustrated here through several hypothetical scenarios.
Suppose there is a process with process number 1001, executing the executable file some-work. The ACL of some-work and of its directory specifies no incompatibility, so the process's initial incompatibility description block and taboo-behaviour description block are blank.
While running, the process first requests to open the file file1 in read mode. The ACL of file1 shows that process 1001 (by the rights of the user it belongs to) may open the file in read mode, but with an incompatibility: specifically, network operation is excluded. Since process 1001 has not yet opened or established any network socket, it is allowed to open the file, but the socket flag bit in the taboo-behaviour description block is set to 1, indicating that this kind of operation is no longer allowed because of the incompatibility.
Some time later, process 1001 requests to open a network socket. Because the socket flag in the taboo-behaviour description block is 1, socket operations are excluded, so the request is refused. In this way the content of file1 is prevented from leaking over the network. Why not allow the socket to be opened and then restrict the concrete file read and write operations instead? That would also work, and would equally be a realization of the incompatibility method of this invention, but checking incompatibility on every file read and write affects efficiency considerably, whereas placing the check at file open keeps the cost small. Moreover, once a file is open, access to it need not go through system calls such as read and write: the file can be mapped into a memory region with mmap() and then accessed like memory. That path could also be closed by specifying file mapping and network operation as mutually exclusive, but placing the incompatibility check at file open is clearly simpler and more natural, and checking the ACL at open time is also more convenient. This difference of detail does not affect the essence of the method.
Now turn it around: suppose process 1001 requested to open a network socket before opening file1. The taboo-behaviour description block is still blank at that point, with the socket flag at 0, so the socket is allowed. But socket operations are critical behaviours, so the corresponding flag in the existing-behaviour record block is set to 1. Some time later, process 1001 requests to open file1. According to file1's ACL, process 1001 may open the file, but with an incompatibility, one of whose taboos is network operation. Since the socket flag in the existing-behaviour record block is 1, a socket has already been opened, so opening file1 is refused. Again, the content of file1 is prevented from leaking over the network.
Suppose further that the ACL of the executable some-work specifies a behaviour incompatibility for the child process, namely mutual exclusion between network operation and child-process creation. Then in the initial incompatibility description block of the some-work process, the socket flag is 1 on one side and the create-child-process flag is 1 on the other. Suppose the process first requests to open a socket: the socket flag in the taboo-behaviour description block is 0 at this point, so the request is allowed. But the socket flag in the existing-behaviour record block is set to 1, and at the same time it is inferred from the incompatibility description block that child-process creation is now prohibited (because it is mutually exclusive with network operation), so the create-child-process flag in the taboo-behaviour description block is also set to 1. Later, when the process requests to create a child process, the request is refused because that flag is 1. Conversely, if the order were reversed, creating a child process first and opening a socket afterwards, creating the child would be allowed and opening the socket refused; the procedure is identical, only the flags handled differ.
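To make the bitmap algorithm of section 4 and the scenarios above concrete, here is an added example (not code from the patent) that implements the three per-process bitmaps, the key-operation application steps for file opens (steps 2, 3.1 to 3.6) and for other operations (steps 2, 4.1 to 4.3), and then runs the three scenarios for process 1001 and some-work. The flag value for OP_SOCKET is the one quoted on the page; the other flag values, the open-mode bits, the structure and function names, and the reduction of an ACE to its e_perm and e_exclusive fields (the subject match of Check ACL step 1 is assumed to have already succeeded) are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define OP_FILE_OPEN   0x00000001u   /* assumed flag value */
#define OP_SOCKET      0x00000100u   /* value given on the page */
#define OP_CREATE_PROC 0x00000200u   /* assumed flag value */
#define OP_MMAP        0x00000400u   /* assumed flag value */

#define MODE_READ  0x1u              /* open modes compared against e_perm */
#define MODE_WRITE 0x2u
#define MODE_EXEC  0x4u

#define ALLOW 1
#define DENY  0

/* One incompatibility description entry: every op in `a` excludes every op in `b`. */
struct incompat_entry { uint32_t a, b; };
#define MAX_ENTRIES 8
struct incompat_block { unsigned n; struct incompat_entry e[MAX_ENTRIES]; };

/* The parts of the PCB the algorithm needs: the three blocks, all bitmaps here. */
struct pcb {
    struct incompat_block incompat; /* incompatibility description block */
    uint32_t done;                  /* existing-behaviour bitmap */
    uint32_t forbidden;             /* taboo-behaviour bitmap */
};

/* A file ACE reduced to the two fields the algorithm consults. */
struct ace { uint32_t e_perm; uint32_t e_exclusive; };

/* Step 4.2: every operation the description block makes incompatible with `op`. */
static uint32_t excluded_by(const struct incompat_block *b, uint32_t op) {
    uint32_t r = 0;
    for (unsigned i = 0; i < b->n; i++) {
        if (b->e[i].a & op) r |= b->e[i].b;
        if (b->e[i].b & op) r |= b->e[i].a;
    }
    return r;
}

/* Key-operation application for an operation other than open-file (steps 2, 4.1, 4.2). */
int request_op(struct pcb *p, uint32_t op) {
    if (p->forbidden & op) return DENY;                 /* step 2: already taboo */
    p->done |= op;                                      /* 4.1: record the behaviour */
    p->forbidden |= excluded_by(&p->incompat, op);      /* 4.2: merge its exclusions */
    return ALLOW;
}

/* Key-operation application for open-file under ACE `a` (steps 2, 3.1 to 3.6).
 * As section 4 states, the open itself is not recorded in the existing-behaviour bitmap. */
int request_open(struct pcb *p, const struct ace *a, uint32_t mode) {
    if (p->forbidden & OP_FILE_OPEN) return DENY;        /* step 2 */
    if ((a->e_perm & mode) != mode) return DENY;         /* 3.1: mode not granted */
    if (a->e_exclusive == 0) return ALLOW;               /* 3.2: no taboo in the ACE */
    if (p->done & a->e_exclusive) return DENY;           /* 3.3/3.4: exclusive op already happened */
    p->forbidden |= a->e_exclusive;                      /* 3.5: merge the taboo */
    return ALLOW;                                        /* 3.6 */
}

/* Scenario 1: read file1 (read allowed, network excluded), then request a socket. */
int scenario_read_then_socket(void) {
    struct pcb p = {0};
    struct ace file1 = { .e_perm = MODE_READ, .e_exclusive = OP_SOCKET };
    if (request_open(&p, &file1, MODE_READ) != ALLOW) return -1;
    return request_op(&p, OP_SOCKET);
}

/* Scenario 2: the socket comes first, then the attempt to open file1. */
int scenario_socket_then_read(void) {
    struct pcb p = {0};
    struct ace file1 = { .e_perm = MODE_READ, .e_exclusive = OP_SOCKET };
    if (request_op(&p, OP_SOCKET) != ALLOW) return -1;
    return request_open(&p, &file1, MODE_READ);
}

/* Scenario 3: some-work's ACL makes socket and child creation mutually exclusive;
 * whichever comes first is allowed and the other is refused. */
int scenario_socket_vs_fork(int fork_first) {
    struct pcb p = {0};
    p.incompat.n = 1;
    p.incompat.e[0] = (struct incompat_entry){ OP_SOCKET, OP_CREATE_PROC };
    uint32_t first = fork_first ? OP_CREATE_PROC : OP_SOCKET;
    uint32_t second = fork_first ? OP_SOCKET : OP_CREATE_PROC;
    if (request_op(&p, first) != ALLOW) return -1;
    return request_op(&p, second);
}

/* Control case: an operation no rule mentions stays allowed after the socket. */
int scenario_unrelated_op(void) {
    struct pcb p = {0};
    p.incompat.n = 1;
    p.incompat.e[0] = (struct incompat_entry){ OP_SOCKET, OP_CREATE_PROC };
    request_op(&p, OP_SOCKET);
    return request_op(&p, OP_MMAP);
}

int main(void) {
    printf("read then socket: %d\n", scenario_read_then_socket());
    printf("socket then read: %d\n", scenario_socket_then_read());
    printf("socket then fork: %d, fork then socket: %d\n",
           scenario_socket_vs_fork(0), scenario_socket_vs_fork(1));
    printf("socket then mmap: %d\n", scenario_unrelated_op());
    return 0;
}
```

The check in request_op is the AND described in section 4, and the merges in request_op and request_open are the OR; both run in constant time regardless of how many rules have accumulated, which is the efficiency argument the page makes for checking at open time rather than on every read and write.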
5. Setting the rules
Linux provides system calls for setting and processing ACLs, used to read and write the ACL of a target file from user space. These system calls can be used to set the incompatibility description block and the taboo-behaviour bitmap within an ACL.
In addition, the incompatibility description block and the other data structures of a specific process can be obtained and modified through the ioctl() system call or through a node mounted under the /proc directory; for the specifics, the way filtering policy is set in the firewall software iptables can be consulted. A programmer with device-driver development experience will not find this difficult.
As for the user-space side, i.e. forming an ACL (data structure) through human-machine interaction, that is simple, and any moderately experienced programmer can do it easily. The interaction may be menu-driven, tabular, command-line, or through a Web page. Once the ACL of a file has been formed, it can be set into the kernel with the system call setxattr() or ioctl().
6. Implementation and use of the algorithm
In the Linux 2.6.14 kernel source there is a function permission(), which is called whenever a file or directory is to be opened, to check whether the current process may open the target in the requested mode (read/write/execute, and so on). permission() in turn calls the check function that the file system holding the target provides for this purpose; for the ext2 file system this is ext2_permission(), which calls ext2_check_acl(), the function that actually examines the ACL. Also, every system call has a corresponding dedicated function in the Linux kernel source; for example the system call connect() has the kernel function sys_connect(). The calls to procedures such as "key-operation application" described above can be inserted into these functions. A programmer with kernel development ability will have no difficulty with this.
Since every system call has a corresponding function in the kernel and also a corresponding entry point in the user-space C library, the invention can likewise be implemented in the user space of each process; in that case a data structure (similar to the PEB in Windows) has to be set up in user space as an extension of the process control block.
The embodiment described above is based on ACLs. If a security policy database is used instead, that is in effect the ACLs of all files stored centrally in one database. As another embodiment, a relational database with only two tables can be set up: a "user permission table" and a "group permission table". The structure of the former is:
File name (full path plus file name),
User name,
Access rights,
Taboo operation description,
Initial incompatibility description block for the child process.
The structure of the other table is basically identical, except that the user name is replaced by a group name.
When a file needs to be accessed (generally, when it is opened), the "user permission table" is first queried by target file name and user name to obtain the corresponding access rights, taboo operation description and initial incompatibility description block for the child process. If nothing is found in the "user permission table", the "group permission table" is queried next. If nothing is found in either table, nothing has been specified for this case, and it is handled in the default way according to system configuration (for example, access is denied).
For ordinary non-executable files, the initial incompatibility description block for the child process in the database is of course blank.
If the operating system uses "security identifiers", i.e. an SID mechanism, the two tables can also be merged into one, queried by target file name and SID.
The rest is the same as in the ACL-based embodiment described earlier. Clearly, for a programmer with operating-system development ability, implementing such a simple database presents no difficulty, and open-source code such as MySQL is available for use.
Embodiment 2: implementation in the Windows operating system
The method of the invention also applies to Windows; the Linux embodiment above can serve as a reference for the implementation.
In Windows each user has a "token", and every process belonging to that user uses this token. Every protected "object" has a "security descriptor", of which the ACL is one part. Giving each user a token is in fact not a particularly novel concept, because the information in the token is only identity-related, such as the user name and the groups the user belongs to, and not information related to behaviour or history. Its advantage is merely that, for example, the user name can be a character string rather than only a numeric user number as in Linux. Although Linux has no notion of a "token", the relevant information is recorded in the control block of each process, which in effect is the same thing. The Windows ACL is called a DACL (there is also a SACL, used for a different purpose); the definition of the DACL data structure and so on certainly differs from Linux, but the basic principle and procedure are the same, and there is no difference at the level of the "method".
Because Microsoft does not publish the source code of its Windows operating system, in practice only Microsoft itself could implement the method of the invention there, but this does not affect the invention as a method, namely the essence of controlling process behaviour according to incompatibility.
Likewise, in other operating systems the realization of (file) access control lists and of process management mechanisms differs to a greater or lesser degree, but their logic and essence are the same, so this does not affect the essence of the invention, controlling process behaviour according to incompatibility.
Note
The effect of the invention is to improve the security of the operating system to a certain extent. In the field of system security there is no method that solves the problem once and for all, nor any method that alone can guarantee security. Therefore every method and measure that increases system security is meaningful and valuable, and in actual use the various beneficial methods and measures should be applied in combination.
Claims (8)
1, a kind of incompatibility of passing through the process behavior improves the method for safety of computer operating system, it is characterized in that:
1.1) may there be incompatibility in one group of definition, promptly may requires the critical behavior of mutual exclusion;
1.2) each process all has the incompatibility rule by definite form record;
1.3) each process all notes the critical behavior that had taken place by certain form;
1.4) critical behavior must be through the taboo inspection before generation, judge with the critical behavior that had taken place according to incompatibility rule when the thing process, if have with its formation incompatibility in the critical behavior that had taken place, be that the critical behavior of mutual exclusion takes place, this critical behavior promptly is considered as the taboo behavior and does not allow its generation.
2, the incompatibility of passing through the process behavior according to claim 1 improves the method for safety of computer operating system, it is characterized in that:
2.1) control list, be that ACL mechanism combines with file access;
2.2) will be because of having opened specific file and caused that the critical behavior of being prohibited is documented among the access control list ACL of this document by given pattern;
2.3) critical behavior must check through taboo before generation, as belong to as described in 2.2 because of opened the critical behavior that specific file prohibited by given pattern and just do not allow it to take place.
3. The method for improving computer operating system security through the incompatibility of process behavior according to claims 1 and 2, characterized in that: a child process inherits its incompatibility rules from its parent process as the child process's initial incompatibility rules.
4. The method for improving computer operating system security through the incompatibility of process behavior according to claim 2, characterized in that: the access control list (ACL) of an executable file provides the initial incompatibility rules for a child process when it executes that file.
5. The method for improving computer operating system security through the incompatibility of process behavior according to claim 4, characterized in that: the child process takes the initial incompatibility rules provided by the access control list (ACL) of the executable file together with the incompatibility rules inherited from its parent process as its initial incompatibility rules.
6. The method for improving computer operating system security through the incompatibility of process behavior according to claims 1 and 2, characterized in that: the incompatibility rules, the record of critical behaviors that have occurred, and the description of prohibited critical behaviors are implemented in bitmap form.
7. The method for improving computer operating system security through the incompatibility of process behavior according to claims 1 and 2, characterized in that: the incompatibility rules, the record of critical behaviors that have occurred, and the description of prohibited critical behaviors are implemented in tabular form.
8. The method for improving computer operating system security through the incompatibility of process behavior according to claims 1 and 2, characterized in that: when a prohibited critical behavior is refused, the request to perform that critical behavior is recorded in a predetermined manner as intrusion alarm information.
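The following Python model is an added illustration of the mechanism in claims 2 through 8; it is not code from the patent or its applicant. It treats the occurred-behavior record as a bitmap (claim 6) and the incompatibility rules as a table of (trigger, forbidden) pairs (claim 7), runs the taboo check before every critical behavior (claim 2.3), arms extra prohibitions from a file's ACL when that file is opened in a given mode (claim 2.2), copies rules from parent to child (claim 3), merges an executable's ACL-provided rules with inherited ones on exec (claims 4 and 5), and logs refused requests as alarm records (claim 8). The behavior names, file paths, the `FileAcl` layout and the sample policy in `demo()` are all constructed assumptions; the patent does not specify them.

```python
"""Simulation of process-behavior incompatibility checks (added example, not the patent's code)."""
from dataclasses import dataclass, field
from enum import IntFlag
from typing import Dict, List, Tuple


class Behavior(IntFlag):
    """Critical behaviors, one bit each, so a set of them is a bitmap (claim 6).
    The names are assumptions; the patent only speaks of 'critical behaviors'."""
    NONE = 0                 # empty trigger: a rule with this trigger is always active
    OPEN_FILE = 1
    CONNECT_NETWORK = 2
    WRITE_SYSTEM_DIR = 4
    EXEC_PROGRAM = 8


# One incompatibility rule in tabular form (claim 7): once any behavior in
# `trigger` has occurred, every behavior in `forbidden` is taboo.
Rule = Tuple[Behavior, Behavior]


def mutually_exclusive(a: Behavior, b: Behavior) -> List[Rule]:
    """Both directions of a mutual-exclusion rule: a forbids b and b forbids a."""
    return [(a, b), (b, a)]


@dataclass
class FileAcl:
    """Per-file ACL extended with incompatibility data (claims 2 and 4). Assumed layout."""
    forbid_after_open: Dict[str, Behavior] = field(default_factory=dict)  # open mode -> taboo set
    initial_rules: List[Rule] = field(default_factory=list)               # handed out on exec


@dataclass
class Process:
    pid: int
    rules: List[Rule] = field(default_factory=list)
    occurred: Behavior = Behavior.NONE   # bitmap of critical behaviors already performed

    def forbidden(self) -> Behavior:
        """Taboo set derived from the rule table and the occurred bitmap."""
        mask = Behavior.NONE
        for trigger, forbid in self.rules:
            if trigger == Behavior.NONE or (self.occurred & trigger):
                mask |= forbid
        return mask

    def attempt(self, behavior: Behavior, alarms: List[str]) -> bool:
        """Taboo check before the behavior happens (claim 2.3); True if it may proceed."""
        if behavior & self.forbidden():
            # A refused request is kept as intrusion-alarm information (claim 8).
            alarms.append(f"pid={self.pid} denied={behavior.name} occurred={int(self.occurred):#06b}")
            return False
        self.occurred |= behavior        # record the behavior in the bitmap
        return True


def open_file(proc: Process, path: str, mode: str, acls: Dict[str, FileAcl], alarms: List[str]) -> bool:
    """Opening is itself critical; on success the prohibitions stored in the
    file's ACL for that mode become active for the rest of the process's life (claim 2.2)."""
    if not proc.attempt(Behavior.OPEN_FILE, alarms):
        return False
    forbid = acls.get(path, FileAcl()).forbid_after_open.get(mode, Behavior.NONE)
    if forbid:
        proc.rules.append((Behavior.NONE, forbid))   # unconditional from now on
    return True


def fork(parent: Process, pid: int) -> Process:
    """Child starts with a copy of the parent's rules (claim 3) and an empty bitmap."""
    return Process(pid=pid, rules=list(parent.rules))


def exec_file(proc: Process, path: str, acls: Dict[str, FileAcl], alarms: List[str]) -> bool:
    """Executing a file merges the executable's initial rules with the inherited ones (claims 4, 5)."""
    if not proc.attempt(Behavior.EXEC_PROGRAM, alarms):
        return False
    proc.rules.extend(acls.get(path, FileAcl()).initial_rules)
    return True


def demo() -> Dict[str, object]:
    """Constructed scenario: a process that has written to system directories may not
    reach the network and vice versa; reading a secret file cuts off the network."""
    acls = {   # constructed sample ACLs, not real files
        "/secret/key.pem": FileAcl(forbid_after_open={"r": Behavior.CONNECT_NETWORK}),
        "/bin/installer": FileAcl(initial_rules=[(Behavior.NONE, Behavior.CONNECT_NETWORK)]),
    }
    alarms: List[str] = []
    parent = Process(pid=1, rules=mutually_exclusive(Behavior.CONNECT_NETWORK, Behavior.WRITE_SYSTEM_DIR))
    results = [
        parent.attempt(Behavior.WRITE_SYSTEM_DIR, alarms),   # allowed: nothing has occurred yet
        parent.attempt(Behavior.CONNECT_NETWORK, alarms),    # denied: excluded by the earlier write
    ]
    child = fork(parent, pid=2)
    results += [
        child.attempt(Behavior.CONNECT_NETWORK, alarms),             # allowed: fresh bitmap, same rules
        open_file(child, "/secret/key.pem", "r", acls, alarms),      # allowed; arms the ACL prohibition
        child.attempt(Behavior.CONNECT_NETWORK, alarms),             # denied: secret file was opened
        child.attempt(Behavior.WRITE_SYSTEM_DIR, alarms),            # denied: network already used
    ]
    tool = fork(parent, pid=3)
    results += [
        exec_file(tool, "/bin/installer", acls, alarms),     # allowed; adds the executable's rule
        tool.attempt(Behavior.CONNECT_NETWORK, alarms),      # denied by the executable's initial rule
        tool.attempt(Behavior.WRITE_SYSTEM_DIR, alarms),     # allowed: no trigger has occurred
    ]
    return {"results": results, "alarms": alarms, "child_rules": len(child.rules)}


if __name__ == "__main__":
    for line in demo()["alarms"]:
        print(line)
```

The check is deliberately placed before the behavior is recorded, so a refused behavior never enters the bitmap and cannot itself trigger further prohibitions; the alarm list is the only trace it leaves, which is what a monitoring component would consume.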
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2006101544658A CN100465980C (en) | 2006-10-30 | 2006-10-30 | Method for improving operation system safety through incompatiblity of process behavour |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2006101544658A CN100465980C (en) | 2006-10-30 | 2006-10-30 | Method for improving operation system safety through incompatiblity of process behavour |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1945590A CN1945590A (en) | 2007-04-11 |
CN100465980C true CN100465980C (en) | 2009-03-04 |
Family
ID=38044989
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2006101544658A Active CN100465980C (en) | 2006-10-30 | 2006-10-30 | Method for improving operation system safety through incompatiblity of process behavour |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100465980C (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109284608B (en) * | 2017-07-19 | 2022-10-18 | 阿里巴巴集团控股有限公司 | Method, device and equipment for identifying ransomware, and security processing method |
CN110428315B (en) * | 2019-07-15 | 2022-03-22 | 中国人民银行清算总中心 | Data transmission method and device in asynchronous calling process of summary check subsystem |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050010765A1 (en) * | 2003-06-06 | 2005-01-13 | Microsoft Corporation | Method and framework for integrating a plurality of network policies |
CN1766845A (en) * | 2005-11-30 | 2006-05-03 | 吴晓栋 | Method for realizing high security and recoverable file system |
Timeline:
- 2006-10-30: CN application CNB2006101544658A, patent CN100465980C, status Active
Non-Patent Citations (4)
Title |
---|
An implementation approach to security enhancement based on the LINUX operating system. 王亚辉, 衷克定, 于鷃. Computer Applications and Software, Vol. 22, No. 4. 2005 * |
Design and implementation of a packet-filtering firewall. 苏静, 刘跃军. Journal of Anyang Normal University, Vol. 2003. 2003 * |
Also Published As
Publication number | Publication date |
---|---|
CN1945590A (en) | 2007-04-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20170906. Address after: Hangzhou City, Zhejiang province Xihu District 310030 Park Road, No. 18, Insigma Software Park building 15 floor A. Patentee after: Insigma Technology Co., Ltd. Address before: 310007, Zhejiang Province, Hangzhou World Trade Center office building C block 12, Zhejiang University Network New Technology Co., Ltd., Zhejiang. Patentee before: Mao Decao |