
CN100465983C - Method for controlling file access in an operating system according to the user's action history

Info

Publication number: CN100465983C
Authority: CN (China)
Application number: CNB200610053551XA
Other versions: CN1936915A (earlier publication of the same application)
Original language: Chinese (zh)
Inventor: 毛德操
Assignee (original and current): ZHEJIANG ZHEDA WANGXIN SCI-TECH Co Ltd
Legal status: Active (granted)
Prior art keywords: ace, acl, file, access, program
Classification: Storage Device Security

Abstract

The method comprises: setting up an access control list (ACL) for each file that needs protection; placing in the ACL, for each program to be guarded against, an access control entry (ACE) whose attribute is "has executed", whose access rights are specified in the ACE, and whose accessor ID is set to the file name of that program; and, when a process requests access to a file, having the operating system walk the ACEs of the file's ACL in order. For an ACE with the attribute "has executed", the operating system determines whether the current process, or one of its ancestors, is executing the program named in the ACE by consulting the program name recorded in each process control block. The advantage is that the ACL mechanism takes the user's behaviour history into account and so prevents a malicious user from improperly reaching a target file over the network, raising the security of the operating system.

Description

Method for controlling file access in an operating system according to user behaviour history
Technical field
The present invention relates to a user access control method for a computer operating system, and in particular to a method of controlling file access in an operating system according to the user's behaviour history.
Background technology
Protection of access to files, directories and other system resources in the file system (for example the "registry") is a basic security mechanism of a computer operating system. Without such protection anyone could modify, add, delete or execute any file in the system at will, and an attacker could plant viruses, worms, trojans and other malicious code freely; the system would then have no security to speak of.
Unix took measures against this some thirty years ago. Users are divided into three classes: the file owner (its creator), users in the owner's group, and other users. Access to a file is divided into three basic operations, read, write and execute, and for each file or directory the owner specifies which operations each class of user may perform on it: the "access rights" to that file. This information follows each file like a shadow, is stored in the file's directory entry, and cannot easily be changed. Which class a given user belongs to is determined at "login" (from the user name and password). If, for example, a user with bad intentions wants to secretly modify an executable so that it carries a virus, the operating system may refuse because that user is neither the owner nor a member of the owner's group. This Unix scheme was effective under the conditions of the time, and later operating systems, including Windows, essentially followed it.
As computer use spread, dividing users into three classes came to seem coarse. In a bank, for example, even users in the owner's group may need different rights from one another; there may be many different groups that each need their own rights, and sometimes rights must be granted to specific individuals. The three-class scheme was therefore extended: each file, directory or other resource gets an "access control list" that spells out which groups and which individuals have which rights (read/write/execute and others), or which groups and individuals are denied which kinds of access; whoever is not on the list is denied access, or is allowed only to read. This list is the ACL, "Access Control List". In operating systems that adopt this technique the ACL is stored as part of the file; as long as the file exists, so does its ACL. An ACL is variable in size and consists mainly of a sequence of "access control entries" (ACEs); each ACE states the rights of one group or person to the file and is in effect a rule saying whether access is allowed.
On the surface this only improves the security of the file; in fact it also improves the security of the whole system, in particular against intrusion by malicious code such as viruses. Viruses, trojans and other malicious code generally need to write some information to the disk of the invaded system, into its file system, or to modify existing files, in order to "take root". If the security of the file system (files, directories and so on) is held firmly, then even if the system is temporarily compromised no lasting consequences remain, and that raises the security of the whole system. In practice, of course, this must be combined with other security measures.
IBM's Unix variant AIX (used mainly in banks and the like) implemented ACLs long ago, and other operating systems gradually followed. Today both Windows and Linux support ACLs, that is, both provide the ACL mechanism. In recent years researchers at institutions such as the University of Southern California have further improved ACLs by allowing access rights to carry conditions; for example, a rule may allow someone to read and write a file during working hours but only to read it outside that window. Such an ACL is called an "extended ACL", or EACL.
A traditional ACL considers only who is attempting to access the file, that is, the user, and not which software the access goes through, though that is often just as important. A bank account, for example, should perhaps be accessed only through a particular application approved by the administrator; anything else is suspicious and should be refused (and reported or logged). Traditional ACLs cannot express this; EACLs can. Which application is used to access a file (or directory, registry entry and so on, collectively "objects" below) is a behavioural characteristic of the user, whereas who the user is and which groups the user belongs to are identity characteristics. EACLs thus introduce behavioural characteristics into the ACL mechanism, which clearly helps to improve system security.
But "through which software the access is made" is only one moment and one fragment of behaviour, and judging safety from a single fragment is not enough. As with a person, one should not only look at what they are doing now but also at what they did before, ideally their whole history, before making a reliable judgement. Take the bank account again: the user may indeed be going through the prescribed software, but if further investigation shows that the software was started remotely over the network, that is very suspicious and can basically be treated as abnormal (assuming the bank's system does not allow staff to operate remotely over the network), and access should certainly be refused (and reported and logged). So how can one know that the software was started remotely over the network?
In a computer operating system the subject of behaviour is the process. Generally a process is one run of an application. In the operating system kernel each running process is represented by a "process control block" (PCB), which records a great deal of information about the process, including which program it is running. The EACL criterion above, through which application the access is made, is obtained from the PCB. A process may in turn create new processes, its "child processes", and have them execute other programs. The operating system then allocates a PCB for the child and records in it which process is the "parent". Ideally (if the parent is still alive) one can therefore go from any process, via its PCB, to its parent's PCB, then to the parent's parent, and so on, and find all of its direct-line "ancestors". Looking at all PCBs together, one can also draw the "family tree" of all processes, generally an inverted "process tree" rooted at the system's first process.
Returning to the bank account: suppose the process requesting to read or write the file is running the prescribed software, but its parent process is telnetd, the remote "login" daemon. That is suspicious and should be refused, because it means the user first logged in remotely via telnet and only then started the prescribed software; it should have been started locally, so why was it started remotely? The suspicious point was found precisely by examining the parent of the accessing process. By the same reasoning one can "look back three generations" or even further. Note that parent-child and grandparent-grandchild relations between processes look on the surface like the "ancestry" of a process, but in fact they reflect behaviour, in particular the user's behaviour. Take telnetd: which software it starts is controlled by the remote user. So tracing a process's "lineage" from the process itself upwards in fact reflects the user's macroscopic course of operation, planned or not; in short, it is the user's behaviour history.
It follows that adding this kind of investigation of the user's behaviour history to the ACL mechanism of the operating system is very beneficial to its security. Yet none of the current operating systems, whether Windows or Linux, takes the user's behaviour history, that is, the "lineage" of the accessing process, into account in its ACL mechanism.
That the operating system's protection of objects such as files does not consider or investigate the user's behaviour history is thus a defect of the prior art, and it lowers the security of the system to a degree.
Summary of the invention
Against this defect of the prior art, the invention provides a method of controlling file access in an operating system according to the user's behaviour history. Its distinguishing feature is that investigation of the user's behaviour history is added to the "access control list" (ACL) mechanism of the computer operating system's file system, improving the security of the operating system.
The invention solves the problem of the original scheme described above. The method of controlling file access in an operating system according to user behaviour history is an extension and improvement of the original ACL mechanism.
An "access control list" (ACL) essentially consists of a set of "access control entries" (ACEs), each of which is a rule. A typical ACE has three fields, representing three things:
1. ACE attribute: what the rule is based on, for example a user, a group of users, and so on.
2. Accessor ID: when the attribute is "user", this is the user number; when it is "group", it is the number of the group the accessor belongs to.
3. Access rights: when the accessor's identity and other features match the first two fields, the kinds of access (operations) permitted on the file governed by this ACL, usually read, write and execute, possibly also delete, rename and so on. This field is usually a bitmap. Besides the "allowed operations" bitmap some ACLs also use a "forbidden operations" bitmap.
For example, if an ACE has attribute "group", ID 201 and access rights "read + execute", the rule means: unless something else is specified (for example for certain particular users), every user in group 201 may read or execute the target file. If an accessor matches no ACE in a file's ACL, access to that file is not allowed. Traditional ACLs generally have only the two attributes "user" and "group".
To control file access according to the user's behaviour history, a new kind of ACE with the attribute "has executed" is added, whose ID is a program name rather than a user identity. For example, an ACE with attribute "has executed", ID "telnetd" and access rights 0 expresses the rule: if, in the user's (whoever it is) behaviour history, telnetd has been executed, that is, one of the steps was telnetd, then access to the target file is not allowed. How does one know whether telnetd has been executed? Starting from the current process (the accessing process), trace back step by step and examine the "program name" or "command line" field of each PCB in the chain to see whether the program it executes is telnetd. As soon as the current process or one of its "ancestors" is executing telnetd, the ACE matches, and an access-rights field of 0 means access is denied. Otherwise, if none of them executed telnetd, go on to check the next ACE in the ACL. The ACL of a file may in general contain hundreds or even thousands of ACEs, that is, hundreds or thousands of rules.
Thus as long as the system administrator sets ACLs for important files, and in particular sets rules with ACE attribute "has executed", others can be prevented from accessing those files over the network. Suppose, for example, that on a computer five programs (service processes) such as telnetd, firefox, foxmail, netmeeting and snmpd may be reached remotely over the network; then each of those five programs gets its own rule of attribute "has executed" that disallows access (or allows only reading) to the important files. Of course every file should have its own ACL. Note that network software which does no harm under normal circumstances may still become a source of trouble, because the program may contain a buffer-overflow vulnerability; if an attacker finds and exploits it, the program may be turned into a malicious one. So all network software that "deals with the outside" should be guarded against.
Note that "file" here also covers directories: disallowing writes to a directory means disallowing the creation of files in it. Generally a malicious user, after breaking into a system, will want to write malicious code into some directory. If that road is blocked, the malicious code has nowhere to settle.
Normal network connections may also need to access local files: when a file is downloaded it must be written into the local file system, and sometimes a local file must be sent out over the network as an e-mail attachment. For this purpose a few directories (folders) can be set aside in the file system for exactly that use, with their ACLs set very loosely, while other directories are strictly guarded. Such details of practical use do not materially affect the invention.
With these two elements, the extension of the ACL and the investigation (and comparison) of the "lineage" of the accessing process, file access can be controlled according to the user's behaviour history. The method is as follows:
● A new kind of access control entry (ACE) is added to the existing "access control list" (ACL) mechanism. Its attribute is "has executed" and its content comprises an accessor ID and a specification of access rights; when the attribute is "has executed", the ID field of the ACE holds a program-name string. If the user requesting access to the target file has once executed this program, that is, the current process requesting access derives from this program, then the access rights specified in this ACE apply.
● The system administrator (or user) configures an ACL for each file that needs protection and uses ACEs of attribute "has executed" to prevent child processes derived from particular programs from improperly accessing the target file. Each program to be guarded against gets one ACE of attribute "has executed" in the ACL, with the specific access rights specified in the ACE and the accessor ID set to the program's name (program file name).
● When a target file is to be accessed, the ACL mechanism checks the ACEs of its "access control list" one by one from the beginning and proceeds as follows:
1. Check the next ACE in the ACL. If there is no next ACE, deny access or grant the default rights (for example read-only), and finish processing the ACL.
2. If this ACE's attribute is not "has executed", handle it in the original ACL way: if the condition matches, reach a conclusion and finish processing the ACL; otherwise go back to 1 and check the next ACE.
3. If the ACE attribute is "has executed", the program-name string in the ID field of this ACE becomes the comparison target, and comparison starts from the PCB of the current process, that is, the accessing process.
4. Compare the "program name" or "command line" field of the PCB; if it matches, reach a conclusion and finish processing the ACL. Some operating systems' PCBs provide the "program name", others the "command line". The "command line" carries more information: as long as the program-name string given in the ACE appears in the "command line", the process may be executing the program in question. Generally, if the PCB provides only the "program name", the operating system offers a means of obtaining the full "command line"; Linux, for example, does.
5. Otherwise examine the parent-process field of the current process and obtain the parent's process number. If the parent's process number equals that of the first process, the limit of tracing the accessing process's "lineage" has been reached; go to 7.
6. Use the parent's process number to find its PCB, go to 4, and continue comparing.
7. The limit of the accessing process's "lineage" has been reached without finding that the program file named in this ACE was executed; go to 1 and check the next ACE in the ACL.
Further, as a supplementary means of intrusion detection, controlling file access according to behaviour history allows attempted unauthorized accesses to be recorded as warnings, or even raised as real-time alarms. For example, if a process is found attempting to access a file holding sensitive information, and that process derives from telnetd or from a web browser process, the unauthorized access is refused and at the same time an alarm is raised, since this is very likely caused by a network intrusion.
The beneficial effect of the invention is this: by adding an ACE with attribute "has executed" to the existing "access control list" (ACL) mechanism, investigation of the user's behaviour history is brought into the ACL mechanism. The system administrator need only set ACLs for important files, and in particular set rules with ACE attribute "has executed", to prevent processes derived from programs that need guarding, such as telnetd, from improperly accessing the target file, and thereby to prevent malicious users from improperly accessing the target file over the network. The effect is improved security of the operating system.
Description of drawings
Figure 1 is a schematic diagram of the "process tree" in an operating system according to the invention.
Embodiment
The invention is further described below with reference to the drawing and the embodiments:
Each box in figure 1 represents a process control block, that is, a process. Process 1 is the system's first process and the ancestor of all other processes; on Linux, process 1 runs init. Process 6878 in the figure runs evince, a document program comparable to Microsoft Word. An arrow points from that box to process 6872, showing that its "parent process" is process 6872, and so on for the other boxes. Process 6872 runs firefox, a web browser. So process 6878 was derived (created) by process 6872, the web browser process. Suppose we have a file that must be kept secret and must not be accessible from the network at all; then its ACL should contain an ACE with attribute "has executed", program name firefox, and access rights forbidding any access. Its meaning: firefox, or any process directly or indirectly derived from firefox, is forbidden to access this file.
So when process 6878, the evince process, attempts to open the file in "read" or "write" mode, software implementing the invention compares the program name firefox given in the ACE with the program name of process 6878 (evince); they differ, so it moves up to the parent, process 6872. This comparison matches, showing that the access rights specified by this ACE take effect, so access is denied and an alarm may be raised.
Had the comparison with process 6872 also failed, tracing would continue up to process 1. If nothing matches, this ACE does not take effect, and the next ACE in the ACL is examined.
A "process tree" may contain many processes, but tracing back from a particular process involves only its "direct-line" relatives.
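As an added example, not part of the patent and not code from any operating system, the following user-space C program models steps 1 to 7 of the method together with the firefox/evince case of figure 1. The PCB table, the PIDs, the ACL, user 1000 and the read/write bit values (r=4, w=2) are all constructed for the example; the ACE structure follows the patent's Linux embodiment.

```c
#include <stdio.h>
#include <string.h>

/* ACE attributes from the patent's Linux embodiment (subset used here) */
#define ACL_USER      0x02
#define ACL_GROUP     0x08
#define ACL_OTHER     0x20
#define ACL_EXECUTED  0x80   /* new attribute: "has executed" */

/* e_perm bits: assumed layout for the example */
#define ACL_READ  0x4
#define ACL_WRITE 0x2

#define PROG_LEN 16          /* program-name length fixed by the patent */

struct posix_acl_entry {
    short          e_tag;
    unsigned short e_perm;
    union { unsigned int e_id; char prog[PROG_LEN]; } u;
};

/* Minimal process control block: only the fields the check reads. */
struct pcb {
    int  pid;
    int  ppid;
    char comm[PROG_LEN];     /* program name, like task->comm on Linux */
};

/* Constructed process table mirroring figure 1 (1 -> 6872 firefox -> 6878
 * evince), plus a local shell lineage for contrast. */
static const struct pcb procs[] = {
    { 1,    0,    "init"    },
    { 6872, 1,    "firefox" },
    { 6878, 6872, "evince"  },
    { 4410, 1,    "bash"    },
    { 4411, 4410, "evince"  },
};

static const struct pcb *find_pcb(int pid)
{
    for (size_t i = 0; i < sizeof procs / sizeof procs[0]; i++)
        if (procs[i].pid == pid)
            return &procs[i];
    return NULL;
}

/* Steps 3-7: starting at the accessing process, compare the program name of
 * each direct-line ancestor with prog; a parent of PID 1 ends the trace. */
static int lineage_executed(int pid, const char *prog)
{
    const struct pcb *p = find_pcb(pid);
    while (p) {
        if (strncmp(p->comm, prog, PROG_LEN) == 0)
            return 1;
        if (p->ppid == 1 || p->pid == 1)   /* limit of the lineage (step 5) */
            return 0;
        p = find_pcb(p->ppid);
    }
    return 0;
}

/* Steps 1-2 around the lineage walk: ACEs are checked in order and the
 * first matching ACE decides. Returns 1 to allow, 0 to deny. */
static int acl_check(const struct posix_acl_entry *acl, size_t n, int pid,
                     unsigned uid, unsigned gid, unsigned short wanted)
{
    for (size_t i = 0; i < n; i++) {
        const struct posix_acl_entry *a = &acl[i];
        int match = 0;
        switch (a->e_tag) {
        case ACL_EXECUTED: match = lineage_executed(pid, a->u.prog); break;
        case ACL_USER:     match = (a->u.e_id == uid); break;
        case ACL_GROUP:    match = (a->u.e_id == gid); break;
        case ACL_OTHER:    match = 1; break;
        default:           break;   /* other tags not modelled here */
        }
        if (match)
            return (a->e_perm & wanted) == wanted;
    }
    return 0;   /* no ACE matched: deny (step 1 with a deny default) */
}

/* Constructed ACL for a secret file: anything descended from firefox or
 * telnetd is denied outright; user 1000 may read and write; others nothing. */
static const struct posix_acl_entry secret_acl[] = {
    { ACL_EXECUTED, 0,                    { .prog = "firefox" } },
    { ACL_EXECUTED, 0,                    { .prog = "telnetd" } },
    { ACL_USER,     ACL_READ | ACL_WRITE, { .e_id = 1000 } },
    { ACL_OTHER,    0,                    { .e_id = 0 } },
};

int check_secret(int pid, unsigned uid, unsigned gid, unsigned short wanted)
{
    return acl_check(secret_acl, sizeof secret_acl / sizeof secret_acl[0],
                     pid, uid, gid, wanted);
}

int main(void)
{
    printf("evince under firefox (6878) read: %s\n",
           check_secret(6878, 1000, 1000, ACL_READ) ? "allow" : "deny");
    printf("evince under bash (4411) read:    %s\n",
           check_secret(4411, 1000, 1000, ACL_READ) ? "allow" : "deny");
    return 0;
}
```

Two caveats the model makes visible: the name comparison is only as trustworthy as the PCB field it reads (on Linux task->comm is 15 characters and a process can change its own comm with prctl(PR_SET_NAME), which is one reason the patent prefers the full command line), and the walk stops at whatever the parent field says, so a process whose real parent has exited and which has been reparented to init shows a shorter lineage than the one the user actually produced.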
The mainstream operating systems today are Windows and Linux, so the implementation of the invention is illustrated with Linux below, with notes on the technical particulars of implementing it on Windows.
The method can also be implemented in other operating systems where needed, and the concrete implementation (such as the definition of program code and data structures) does not affect the essence of the invention.
Embodiment 1: implementation in the Linux operating system
Linux supports many different file systems, but the implementation of the ACL mechanism differs little among them, so ext2 is used as the example for explaining this method.
1. Extension of the ACL:
In the source of Linux version 2.6.14, the ACE data structure is defined as:
struct posix_acl_entry {
    short          e_tag;
    unsigned short e_perm;
    unsigned int   e_id;
};
Here e_tag is the ACE attribute; e_id is the accessor ID, that is, the value associated with the attribute (for attribute "user", the user number); e_perm is the bitmap of allowed access rights.
An ACL is essentially an array of ACEs, an array of posix_acl_entry structures:
struct posix_acl {
    atomic_t               a_refcount;
    unsigned int           a_count;
    struct posix_acl_entry a_entries[0];
};
The array a_entries[0] means that the array is of variable size; the field a_count gives the number of entries.
The original ACE attributes are:
#define ACL_USER_OBJ  (0x01)
#define ACL_USER      (0x02)
#define ACL_GROUP_OBJ (0x04)
#define ACL_GROUP     (0x08)
#define ACL_MASK      (0x10)
#define ACL_OTHER     (0x20)
To implement the method, a new attribute "has executed" is added with one more definition:
#define ACL_EXECUTED  (0x80)
Originally e_id held a user number or group number, for which a 32-bit integer suffices. Now it must also hold a program name, for which 32 bits is clearly not enough, so the ACE definition is changed to make e_id a union that can be either a 32-bit integer or a character array holding the program name:
struct posix_acl_entry {
    short          e_tag;
    unsigned short e_perm;
    union {
        unsigned int e_id;
        char         prog[16];
    } u;
};
Sixteen characters generally suffice as the length of a program name. A better approach is in fact not to change the data structure at all, but to treat the 32-bit e_id as a string pointer and append a string array (a two-dimensional character array) after the original ACL; such implementation details do not affect the essence of the method.
As for e_perm, the bitmap of allowed access rights, it normally covers read, write and execute, but one can also add "ask, then read", "ask, then write", "ask, then execute" and so on: a window pops up on the display first, telling the user which process is attempting which operation on which file, and the user chooses whether to allow it.
2. Setting the rules:
Linux provides several system calls for setting and handling ACLs, used to read or write the ACL of a target file from user space. getxattr() reads and setxattr() writes; lgetxattr(), fgetxattr(), lsetxattr() and fsetxattr() have the same basic function and differ only in the conditions under which they are used.
The operand of getxattr() and setxattr() is the whole ACL. Taking setxattr() as the example, the application prepares the whole ACL in a user-space buffer (in the extended-attribute format that the kernel converts into a posix_acl data structure) and then calls setxattr().
The corresponding kernel entry point is sys_setxattr(). Although the ACL is read and written as a whole, the kernel still touches individual ACEs, because integer storage comes in "big-endian" and "little-endian" variants, so the format stored on disk differs from the format used in the program and the kernel must convert between them. Three kernel functions are involved in this conversion: posix_acl_from_xattr(), posix_acl_valid() and ext2_acl_to_disk(). ext2_acl_to_disk() is used below to illustrate the modification needed to implement the invention.
static void *ext2_acl_to_disk(const struct posix_acl *acl, size_t *size)
{
    ......
    for (n = 0; n < acl->a_count; n++) {
        ext2_acl_entry *entry = (ext2_acl_entry *)e;
        entry->e_tag = cpu_to_le16(acl->a_entries[n].e_tag);
        entry->e_perm = cpu_to_le16(acl->a_entries[n].e_perm);
        switch (acl->a_entries[n].e_tag) {
        case ACL_USER:
        case ACL_GROUP:
            entry->e_id = cpu_to_le32(acl->a_entries[n].e_id);
            e += sizeof(ext2_acl_entry);
            break;
        ......
        default:
            goto fail;
        }
    }
    return (char *)ext_acl;
}
This is the key part of ext2_acl_to_disk(). The pointer acl points to an ACL data structure, that is, its buffer; the pointer entry points to an ACE in another ACL buffer; the purpose of the whole routine is to produce a copy with identical content in a different format.
The for loop works through each ACE of the ACL. First the ACE attribute and the permission bitmap, two 16-bit integers, are converted with cpu_to_le16(); this is the same for all ACEs. Then, if the ACE attribute is ACL_USER or ACL_GROUP, the value of e_id is converted with cpu_to_le32(), since e_id is then a 32-bit integer. Several things must change here:
● at first, because the definition of ACE data structure changes, the every place that will quote the e_id field all will make corresponding changes in the program, entry-for example〉e_id should transform entry-into〉u.e_id, acl-〉a_entries[n] .e_id should transform acl-into〉a_entries[n] .u.e_id, and so on.
● do not relate to the ACE attribute ACL_EXECUTED that increases newly in the case statement in the program, so should add.
● when attribute was ACL_EXECUTED, e_id was a character array, so do not need format conversion.But the character array can not be as integer assignment, and need do duplicating of character array.
So, need " the default: " front in the superincumbent code to insert following code:
        case ACL_EXECUTED:
            strncpy(entry->u.prog, acl->a_entries[n].u.prog, 16);
            e += sizeof(ext2_acl_entry);
            break;
In this way, for an ACE whose tag is "once executed", the character array holding the program name is copied across. The copy length is 16, the size fixed earlier. Note that strncpy() does not append a terminating NUL when the name fills all 16 bytes, so every later comparison of the name must be bounded to 16 bytes as well (strncmp() rather than strcmp()).
The other two functions are modified in the same way.
As for user space, that is, assembling an ACL data structure through user interaction, this is straightforward and any moderately experienced programmer can implement it. The interaction can be menu-driven, form-based or command-line, or use a web page. Once the ACL of a file has been assembled, it is installed in the kernel with the setxattr() system call.
Although the relevant system calls are defined for whole ACLs, adding or modifying an individual ACE is easy to build on top of them. For example, to add an ACE of type "once executed" to an ACL:
1. Fetch the target file's ACL from the kernel with the getxattr() system call;
2. Obtain the ACE type and program name from the user, via keyboard, form, web page or similar;
3. Search the ACL for an ACE with the same type and the same program name;
4. If one exists, tell the user and ask whether the access rights should be changed to the new value;
5. If not, stop without writing the ACL back;
6. If so, modify the existing ACE;
7. If none exists, extend the ACL and append an ACE built from the user's input;
8. Finally write the whole ACL back to the kernel with setxattr().
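The following is an added example, not the patent's or the kernel's own code. It models in user space the two pieces described above: the add-or-update step for a single "once executed" ACE (steps 3 to 7 of the procedure) and the host-to-little-endian serialisation that the patched ext2_acl_to_disk() performs, including the inserted ACL_EXECUTED case. The tag values, the union layout, the 16-byte name limit and the per-entry on-disk sizes are assumptions chosen for illustration; the real ext2 layout also has short entries without an id field, which this model omits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tag values: ACL_USER and ACL_GROUP mirror the POSIX values; ACL_EXECUTED
 * is the hypothetical new tag for "once executed". */
#define ACL_USER      0x02
#define ACL_GROUP     0x08
#define ACL_EXECUTED  0x40
#define PROG_LEN      16          /* fixed program-name length from the text */
#define ACL_MAX       16          /* capacity of the in-memory list (assumed) */

/* In-memory ACE: e_id and the program name share a union, as the text
 * describes for the modified structure. */
struct acl_entry {
    uint16_t e_tag;
    uint16_t e_perm;              /* permission bitmap: r=4, w=2, x=1 */
    union {
        uint32_t e_id;            /* uid or gid for ACL_USER / ACL_GROUP */
        char     prog[PROG_LEN];  /* program name for ACL_EXECUTED */
    } u;
};

struct acl {
    int a_count;
    struct acl_entry a_entries[ACL_MAX];
};

/* Steps 3 to 7 of the user-space procedure: look for an existing "once
 * executed" ACE with the same program name; update its rights if found,
 * otherwise extend the list by one entry.
 * Returns 1 when an existing ACE was modified, 0 when one was appended,
 * -1 when the list is full. */
int add_or_update_executed_ace(struct acl *acl, const char *prog, uint16_t perm)
{
    for (int n = 0; n < acl->a_count; n++) {
        struct acl_entry *e = &acl->a_entries[n];
        if (e->e_tag == ACL_EXECUTED &&
            strncmp(e->u.prog, prog, PROG_LEN) == 0) {   /* bounded compare */
            e->e_perm = perm;
            return 1;
        }
    }
    if (acl->a_count >= ACL_MAX)
        return -1;
    struct acl_entry *e = &acl->a_entries[acl->a_count++];
    memset(e, 0, sizeof *e);
    e->e_tag  = ACL_EXECUTED;
    e->e_perm = perm;
    strncpy(e->u.prog, prog, PROG_LEN);  /* a 16-byte name gets no NUL */
    return 0;
}

/* Explicit little-endian stores, doing what cpu_to_le16()/cpu_to_le32()
 * do in the kernel: the on-disk form is fixed LE, memory is host order. */
static void put_le16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v & 0xff);
    p[1] = (uint8_t)(v >> 8);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = (uint8_t)((v >> (8 * i)) & 0xff);
}

/* Serialise the list the way the patched ext2_acl_to_disk() does: a
 * 4-byte version header, then per entry tag and perm (2 bytes each)
 * followed by either a 4-byte id or the 16-byte program name copied
 * verbatim.  Entry sizes are an assumption of this example.
 * Returns the number of bytes written, or -1 on an unknown tag or an
 * insufficient buffer. */
int acl_to_disk(const struct acl *acl, uint8_t *out, size_t outlen)
{
    size_t off = 4;
    if (outlen < off)
        return -1;
    put_le32(out, 1);                     /* version 1, as EXT2_ACL_VERSION */
    for (int n = 0; n < acl->a_count; n++) {
        const struct acl_entry *e = &acl->a_entries[n];
        size_t need = (e->e_tag == ACL_EXECUTED) ? 4 + PROG_LEN : 8;
        if (off + need > outlen)
            return -1;
        put_le16(out + off,     e->e_tag);
        put_le16(out + off + 2, e->e_perm);
        switch (e->e_tag) {
        case ACL_USER:
        case ACL_GROUP:
            put_le32(out + off + 4, e->u.e_id);          /* integer: byte-swapped */
            break;
        case ACL_EXECUTED:                               /* the inserted case */
            memcpy(out + off + 4, e->u.prog, PROG_LEN);  /* bytes: copied as-is */
            break;
        default:
            return -1;                                   /* "goto fail" in the kernel */
        }
        off += need;
    }
    return (int)off;
}

int main(void)
{
    struct acl acl = { 0 };
    uint8_t disk[128];

    add_or_update_executed_ace(&acl, "telnetd", 4);  /* read only for telnet sessions */
    add_or_update_executed_ace(&acl, "telnetd", 0);  /* second call updates, not appends */
    int n = acl_to_disk(&acl, disk, sizeof disk);
    printf("%d ACE(s), %d bytes on disk, first tag byte 0x%02x\n",
           acl.a_count, n, disk[4]);
    return 0;
}
```

The bounded strncmp() in the lookup is what keeps the unterminated 16-byte name case safe; a strcmp() there would read past the array.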
3. Applying the rules:
In the Linux 2.6.14 code there is a function permission() which is called first whenever a file or directory is to be opened, to check whether the current process may open the target in the requested mode (read, write, execute and so on). permission() in turn calls the check function supplied by the file system that holds the target; for the ext2 file system this is ext2_permission(). That calls ext2_check_acl(), which is the function that actually inspects the ACL. Since ext2 currently implements conventional POSIX access control, it finally calls posix_acl_permission(), which compares the ACEs in the ACL one by one. Its pseudocode:
posix_acl_permission()
{
    for each ACE in the ACL
    {
        if the ACE tag is ACL_USER:
            if the user of the current process is the user named in the ACE,
            and the requested access mode is within what the ACE allows, then allow;
        if the ACE tag is ACL_GROUP:
            if the user of the current process belongs to the group named in the ACE,
            and the requested access mode is within what the ACE allows, then allow;
        if the ACE tag is ...:
            ......
    }
    otherwise deny;
}
Note that all of these functions live in the Linux kernel.
To implement the invention in the ext2 file system, it is enough to add one condition to posix_acl_permission():
    if the ACE tag is ACL_EXECUTED:
        if the current process has once executed the program named in the ACE,
        and the requested access mode is within what the ACE allows, then allow;
To decide whether the current process has once executed the program named in the ACE, one can write a function once_executed() that returns "yes" or "no" according to the result of its check; its pseudocode:
boolean once_executed(...)
{
    take the current process as the target process and find its process control block (PCB);
    while (the target process is not the original idle process)
    {
        compare the program name in the PCB with the program name in the ACE;
        if they match, return "yes";
        otherwise
        {
            take the parent process's process number from the PCB;
            find the parent's PCB by that process number and make the parent the target process;
        }
    }
    return "no";
}
This function starts from the current process and traces back, step by step, up to the system's "first ancestor"; the chain of processes obtained this way is the origin of the current process. If the program named in the ACE (for example telnet) is the one running at some step of the chain, then that program has once been executed: in other words, the current process is either executing that program itself or was derived from it, directly or indirectly. Two limits of this walk are worth keeping in mind: when a parent exits before its child, Linux reparents the orphan to init, so the chain seen from the orphan no longer contains the original ancestor; and the program name kept in the PCB is a 16-byte field that a process can change with prctl(PR_SET_NAME), so the comparison must be bounded to that length and is only as trustworthy as the process that set it.
Note that the algorithm above compares the program name in the process control block, because the Linux PCB records only the program name. But Linux also provides a means of obtaining a process's complete command line, the function proc_pid_cmdline(), with which the command line of any given process can be obtained. If the comparison uses the command line, one searches the command line for the program name specified in the ACE. As noted earlier, comparing against the command line is more reliable, with the caveat that the command line is read from the process's own address space, which the process can overwrite, so it should not be treated as tamper-proof either.
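The following is an added example, not the patent's or the kernel's own code. It models in user space the amended posix_acl_permission() check together with once_executed(), walking a constructed process table by PCB program name and, as a variant, by full command line, and it includes the orphaned-process case described above. The process table, the uid values, the telnetd scenario, the ACL and the tag values are all constructed for illustration; one design choice not spelled out in the text is also made explicit in the comments, namely that a matching "once executed" entry decides before any user entry is consulted.

```c
#include <stdio.h>
#include <string.h>

#define ACL_USER     0x02
#define ACL_EXECUTED 0x40     /* hypothetical new tag */
#define MAY_READ     4
#define MAY_WRITE    2
#define COMM_LEN     16       /* same 16-byte limit as the PCB's program name */

struct ace { int tag; int perm; int uid; char prog[COMM_LEN]; };

/* Constructed process control blocks.  pid 0 is the idle process; ppid
 * is the real creator, as in Linux; comm is the PCB program name and
 * cmdline the full command line that proc_pid_cmdline() would return. */
struct pcb { int pid; int ppid; int uid; char comm[COMM_LEN]; const char *cmdline; };

static const struct pcb ptable[] = {
    { 0, 0,    0, "swapper", "" },
    { 1, 0,    0, "init",    "/sbin/init" },
    { 2, 1,    0, "inetd",   "/usr/sbin/inetd" },
    { 3, 2,    0, "telnetd", "/usr/sbin/telnetd" },
    { 4, 3, 1000, "bash",    "-bash" },              /* shell of a telnet session */
    { 5, 4, 1000, "cat",     "cat /etc/secret" },    /* run inside that session */
    { 6, 1, 1000, "bash",    "-bash" },              /* local console login */
    { 7, 6, 1000, "cat",     "cat /etc/secret" },
    { 8, 1, 1000, "cat",     "cat /etc/secret" },    /* orphan: its telnet shell exited, reparented to init */
};
#define NPROC (sizeof ptable / sizeof ptable[0])

static const struct pcb *find_pcb(int pid)
{
    for (size_t i = 0; i < NPROC; i++)
        if (ptable[i].pid == pid)
            return &ptable[i];
    return NULL;
}

/* once_executed(): walk the parent chain from pid up to the idle process
 * and report whether any process on it has prog as its PCB program name. */
int once_executed(int pid, const char *prog)
{
    const struct pcb *p = find_pcb(pid);
    while (p != NULL && p->pid != 0) {
        if (strncmp(p->comm, prog, COMM_LEN) == 0)
            return 1;
        p = find_pcb(p->ppid);
    }
    return 0;
}

/* Command-line variant the text recommends: look for prog anywhere in
 * each ancestor's command line rather than in the 16-byte name. */
int once_executed_cmdline(int pid, const char *prog)
{
    const struct pcb *p = find_pcb(pid);
    while (p != NULL && p->pid != 0) {
        if (strstr(p->cmdline, prog) != NULL)
            return 1;
        p = find_pcb(p->ppid);
    }
    return 0;
}

/* The check, modelled on posix_acl_permission() with the added
 * ACL_EXECUTED condition.  Design assumption of this example: the first
 * ACE whose condition matches decides, and "once executed" entries are
 * examined before user entries, so a process descended from the named
 * program gets only that ACE's rights even when an ACL_USER entry would
 * grant more.  Returns 1 = allow, 0 = deny. */
int acl_permission(const struct ace *acl, int n, int pid, int want)
{
    const struct pcb *cur = find_pcb(pid);
    if (cur == NULL)
        return 0;
    for (int i = 0; i < n; i++)
        if (acl[i].tag == ACL_EXECUTED && once_executed(pid, acl[i].prog))
            return (want & ~acl[i].perm) == 0;
    for (int i = 0; i < n; i++)
        if (acl[i].tag == ACL_USER && acl[i].uid == cur->uid)
            return (want & ~acl[i].perm) == 0;
    return 0;   /* no matching entry: deny */
}

/* Constructed ACL for /etc/secret: anything descended from telnetd may
 * only read; uid 1000 may otherwise read and write. */
static const struct ace sample_acl[] = {
    { ACL_EXECUTED, MAY_READ,             0,    "telnetd" },
    { ACL_USER,     MAY_READ | MAY_WRITE, 1000, "" },
};
#define SAMPLE_ACL_LEN ((int)(sizeof sample_acl / sizeof sample_acl[0]))

int main(void)
{
    printf("telnet cat write: %d\n", acl_permission(sample_acl, SAMPLE_ACL_LEN, 5, MAY_WRITE));
    printf("telnet cat read:  %d\n", acl_permission(sample_acl, SAMPLE_ACL_LEN, 5, MAY_READ));
    printf("local cat write:  %d\n", acl_permission(sample_acl, SAMPLE_ACL_LEN, 7, MAY_WRITE));
    printf("orphan cat write: %d\n", acl_permission(sample_acl, SAMPLE_ACL_LEN, 8, MAY_WRITE));
    return 0;
}
```

The orphan (pid 8) is the failure mode to notice: once its telnet-spawned shell has exited, the walk ends at init without ever meeting telnetd, and the user entry grants write access again. An implementation that relies on this walk therefore needs the reparenting case handled, for instance by recording the "once executed" fact in the PCB at exec time and inheriting it on fork, rather than recomputing it from a chain that can be cut.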
The above has described how to implement the invention for the ext2 file system in the Linux operating system.
For other file systems the functions and code involved may differ, but their logic is the same in essence, so this does not affect the essence of the invention.
Embodiment two: implementation in the Windows operating system
The method of the invention also applies to Windows; its implementation can follow the Linux embodiment above.
In Windows each user has an access token (Token), and every process belonging to that user uses that token; each protected "object" has a "security descriptor", of which the ACL is one part. Giving each user a token is not, in fact, an especially novel notion, because the token carries only identity-related information such as the user name and group membership, and nothing related to behavior or history. Its advantage is merely that the user name, for example, can be a character string rather than only a numeric user ID as in Linux. Although Linux has no notion of a "token", the corresponding information is recorded in each process's control block, which amounts to the same thing. The Windows ACL is called a DACL (there is also a SACL, used for other purposes); the DACL data structures are of course defined differently from those in Linux, but the basic principle and procedure are the same, and at the level of "method" there is no difference.
But two exceptional factors must be considered.
First, in the Linux operating system the "parent process" recorded in the process control block is the process's real parent, its creator. Under this condition, tracing back from a process yields the process creation chain, which truly reflects the user's behavior history (up to that process), or, put differently, the user's plan. But the "parent process" recorded in a Windows process control block is different: it is a "foster parent", from which the process inherits resources (for example opened files) but which did not necessarily create it, because in Windows one process can create a child process on behalf of another. Thus an untrustworthy process (program) A can create a child process B, let it do the harm, and declare B to be a child of some other, reputable process C; B's process control block then records C as its parent. Tracing back from B, A never appears in B's lineage, and that lineage, which is really the user's behavior history, has been "laundered".
To overcome this, a new field, say "creator process", is added to the Windows process control block. Then, when a new process is created, besides recording the designated "parent process" in the "parent process" field, the creator, that is the current process, is recorded in the "creator process" field.
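The following is an added example, not the patent's or Windows's own code. It shows, on a constructed process table that records both the declared parent and the proposed "creator process" field, how the ancestry walk over the parent field misses the process that actually created the child while the walk over the creator field finds it. The process ids, image names and the A/B/C scenario are invented for illustration; the hop limit is an addition of this example, not something the text calls for.

```c
#include <stdio.h>
#include <string.h>

/* Constructed Windows-style process records: parent is the declared
 * parent whose handles the process inherits (what the PCB keeps today),
 * creator is the proposed new field recording who actually called the
 * create routine.  Pids and image names are invented. */
struct wpcb { int pid; int parent; int creator; const char *image; };

static const struct wpcb wtable[] = {
    {   0,   0,   0, "Idle" },
    {   4,   0,   0, "System" },
    { 400,   4,   4, "winlogon.exe" },
    { 500, 400, 400, "explorer.exe" },   /* reputable process C */
    { 600, 500, 500, "dropper.exe" },    /* untrusted process A */
    { 700, 500, 600, "cmd.exe" },        /* B: created by A, declared child of C */
};
#define NWPROC (sizeof wtable / sizeof wtable[0])

enum { BY_PARENT = 0, BY_CREATOR = 1 };

static const struct wpcb *find_wpcb(int pid)
{
    for (size_t i = 0; i < NWPROC; i++)
        if (wtable[i].pid == pid)
            return &wtable[i];
    return NULL;
}

/* Walk the lineage of pid following either the declared parent or the
 * creator field, and report whether any process on it runs image.
 * The hop limit guards against a corrupted or cyclic table. */
int ancestor_ran(int pid, const char *image, int how)
{
    const struct wpcb *p = find_wpcb(pid);
    int hops = 0;
    while (p != NULL && p->pid != 0 && hops++ < 64) {
        if (strcmp(p->image, image) == 0)
            return 1;
        p = find_wpcb(how == BY_CREATOR ? p->creator : p->parent);
    }
    return 0;
}

int main(void)
{
    printf("dropper in parent chain of cmd.exe:  %d\n", ancestor_ran(700, "dropper.exe", BY_PARENT));
    printf("dropper in creator chain of cmd.exe: %d\n", ancestor_ran(700, "dropper.exe", BY_CREATOR));
    return 0;
}
```

Walking the parent field from cmd.exe reaches explorer.exe, winlogon.exe and System and never sees dropper.exe; walking the creator field reaches dropper.exe in one hop, which is exactly the "laundering" the extra field is meant to defeat.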
Second, the Windows operating system extends the concept of "file" to "objects", which include files, processes and threads, so the targets protected by the "access control list" mechanism are extended as well. But unlike files, processes and threads have no relatively stable entry in some file-system directory; they change dynamically, so a process's ACL is passed to it as a parameter when the process is created. The programmer must therefore prepare an ACL for the created process when writing the code, and the same holds for threads.
Everything else follows the implementation in the Linux operating system.
Because Microsoft does not publish the source code of its Windows operating system, in practice only Microsoft itself could implement the method in Windows; but this does not affect the invention as a method, namely controlling file access and object access according to the user's macroscopic behavior history.
Likewise, for other operating systems the implementation of (file) access control lists and of process management differs more or less, but their logic is the same in essence, so this does not affect the essence of the invention, which controls file access according to the user's macroscopic behavior history.
Note that the effect of the invention is only to improve the security of the operating system to a certain extent. In the field of system security no single method solves the problem once and for all, and no single method solves it alone. Every method and measure that can increase system security is therefore meaningful and valuable, and in practice the various useful methods and measures should be used together.

Claims (5)

1. A method of controlling file access according to the user's behavior history in a computer operating system, characterized in that:
1.1) an access control entry (ACE) whose type is "once executed" is added to the "access control list" (ACL) mechanism; the content of the ACE comprises a program name and a specification of access rights, meaning that if the user requesting access to the target file has once executed that program, so that the current process requesting access to the target file is derived from that program, the access rights specified in that ACE apply;
1.2) the system administrator sets an ACL for each file that needs protection; for each program to be guarded against, an ACE is placed in the ACL, and the concrete access rights are specified in the ACE;
1.3) when a process requests access to a file, the operating system examines in turn each ACE, that is each access control entry, in the file's "access control list" (ACL); access control entries whose type is not "once executed" are handled in the ACL mechanism's original way;
1.4) for an access control entry whose type is "once executed", the operating system determines, by examining the program name given in the "process control block" (PCB) of the current process, whether the current process is executing the program specified by that ACE; if so, the current process's access to the file is controlled by the access rights specified in that ACE, and access beyond those rights is refused;
1.5) for an access control entry whose type is "once executed", the operating system determines, by examining the program name given in the "process control block" (PCB) of the current process, whether the current process is executing the program specified by that ACE; if not, it traces back from the current process, examining step by step the parent of each process involved according to the "parent process" field in the "process control block" (PCB), and determines from the program name given in that process's "process control block" (PCB) whether that process is executing the program specified by the ACE; if so, the current process's access to the file is controlled by the access rights specified in that ACE, and access beyond those rights is refused.
2. The method of controlling file access according to the user's behavior history in a computer operating system according to claim 1, characterized in that:
2.1) a "creator process" field representing the actual creator is established in the process control block (PCB) of the Windows operating system, to record the process that created this process;
2.2) for an access control entry whose type is "once executed", the operating system determines, by examining the program name given in the "process control block" (PCB) of the current process, whether the current process is executing the program specified by that ACE; if not, it traces back from the current process, examining step by step the creator of each process involved according to the "creator process" field in the "process control block" (PCB), and determines from the program name given in that process's "process control block" (PCB) whether that process is executing the program specified by the ACE; if so, the current process's access to the file is controlled by the access rights specified in that ACE, and access beyond those rights is refused.
3. The method of controlling file access according to the user's behavior history in a computer operating system according to claim 1, characterized in that the "command line" given in the "process control block" (PCB) is used to determine whether a process is executing the program specified by the ACE.
4. The method of controlling file access according to the user's behavior history in a computer operating system according to claim 1, characterized in that the "command line" of a process is obtained by means provided by the operating system, and whether a process is executing the program specified by the ACE is determined from that "command line".
5. The method of controlling file access according to the user's behavior history in a computer operating system according to claim 1, characterized in that, when an unauthorized access attempt is refused, the unauthorized access is recorded as intrusion alarm information.
Application CNB200610053551XA, priority date 2006-09-15, filing date 2006-09-15: Method for controlling file access in operation system according to user's action history. Status: active. Granted as CN100465983C.

Publications (2)
CN1936915A, published 2007-03-28
CN100465983C, published 2009-03-04

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant