CN102663321B - Security enhancement system and method for software - Google Patents
Publication number: CN102663321B (application CN201210123531.0A)
Authority: CN (China)
Prior art keywords: software, access, security, main body, subject
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The invention discloses a security enhancement system for software, comprising: a configuration module, used to configure the security attributes of the software's subjects and objects; a filter module, used to filter the subjects' access to the objects according to a predetermined policy and the security attributes; and an access module, used to invoke the objects after they have been processed by the filter module. The invention conforms to the principle of least privilege, can ensure the possibility of enhancing software security, and has high generality. The invention also discloses a security enhancement method for software.
Description
Technical field
The invention relates to the field of computer network technology, and in particular to a security enhancement system and method for software.
Background
At present, Windows XP and IE are still the mainstream operating system and browser used by most Internet users. The security access control mechanism of Windows XP itself has inherent defects. When run as an ordinary user, many functions are unavailable or cannot even start, so most users run Windows XP with the highest administrator privileges; consequently, as soon as a vulnerability appears in the code or a plug-in of the browser or other software, the entire system can be taken over by a virus or Trojan. Moreover, user-mode security protection is essentially meaningless because it is easily defeated: user-mode hooks, for example, are easily restored or simply bypassed.
The traditional Windows security access control mechanism can be regarded as the ACL (Access Control List) access control of Windows XP itself. In the Windows security access control mechanism there are two kinds of entity: the subject, which holds an access token describing the permissions it has; and the object, which holds a security descriptor (SECURITY_DESCRIPTOR) describing which operations subjects may perform on it. Table 1 shows the structure of the access token (subject).
Table 1
Table 2 shows the structure of the security descriptor (object).
Table 2
Windows XP includes two forms of access control: discretionary access control and privileged access control.
(1) Discretionary access control: the owner of an object (such as a file) grants or denies other users access to the object. When users log on to a Windows system, they receive a set of security credentials (an access token). When they attempt to access an object, the system compares their security credentials with the discretionary access control list (DACL) on the object they want to access to determine whether the user is allowed to access it. The security attribute of the object, namely its security descriptor, can be freely configured by the owning user.
(2) Privileged access control:
A privilege is the right of an account to perform a particular system-related operation, such as shutting down the computer or changing the system time. Many operations a process performs while running cannot be authorized through object access control, because these operations do not deal with a specific object. Privilege information is stored in the subject's (process's) security credentials, the access token. Different privileges are defined, and enforced, by different components. For example, the debug privilege is checked by the process manager; it allows a process to bypass the security check (discretionary access control) when it uses the Windows API function OpenProcess to open a handle to another process.
In addition, although Microsoft's mandatory access control mechanism MIC (Mandatory Integrity Control) greatly strengthens Windows security, it is only available on Windows Vista and later, not on the far more widely deployed Windows XP.
In summary, the security mechanism of Windows XP itself has many limitations, chiefly the following two:
(1) Abuse of permissions
Windows user processes are usually interactive processes created by the user. After authentication succeeds, the LSA (Local Security Authority subsystem) generates a logon session and an access token for the user, and the logon process then starts a shell for the user, usually the Explorer.exe process. This process holds the user's token and performs all work under that user's identity. When the user calls the CreateProcess API to start a new process, the new process inherits the token from the Explorer.exe process.
Consequently, most user processes of the same user hold the same access token and therefore have identical access rights to the same object. Giving identical access rights to user processes whose functions are well defined and differ from one another commonly leads to abuse of permissions.
(2) Illegitimate elevation of permissions
The use of privileges and privileged processes can lead to illegitimate privilege elevation; as noted above, privileges can bypass discretionary access control. For example, the SeLoadDriverPrivilege privilege can be used to load a driver, and drivers run under the highly privileged System account, so privileges are elevated; the SeDebug privilege can be used to open any process in the system and inject a remote thread; and [text missing in the source] list to obtain access rights to the object.
Improper permission settings also lead to illegitimate elevation. Because third-party software vendors and users are not security experts, permission settings are often broadened, which likewise elevates privileges. With the SeTakeOwnership privilege one can take ownership of any protected object and then modify its discretionary access control. The root cause of the above defects is that, in the Windows access control mechanism, different processes of the same user hold the same access token, i.e. the same access rights. Under discretionary access control the object's security attributes are determined entirely by the object's owner, i.e. the object's access rights can be modified arbitrarily, yet users are often unable to set object security attributes accurately. In short, the current Windows access control mechanism does not follow the principle of least privilege. As for the mandatory access control mechanism MIC introduced with Windows Vista, although its security and usability are already strong, it only works on Vista and later systems, which is of no help to the majority of users still running Windows XP. Moreover, the scope of this mechanism is still too coarse, and it cannot be freely configured.
Summary of the invention
The purpose of the present invention is to solve at least one of the above technical defects.
The first object of the present invention is to provide a security enhancement system for software that conforms to the principle of least privilege, can ensure the possibility of enhancing software security, and has high generality. The second object of the present invention is to provide a security enhancement method for software.
To achieve the above objects, an embodiment of the first aspect of the present invention proposes a security enhancement system for software, comprising: a configuration module, used to configure the security attributes of the software's subjects and objects; a filter module, used to filter the subjects' access to the objects according to a predetermined policy and the security attributes; and an access module, used to invoke the objects after they have been processed by the filter module.
The security enhancement system for software according to the embodiment of the present invention can ensure the feasibility and security of the system; its architecture ensures portability; and it better conforms to the principle of least privilege, with permissions flowing from top to bottom under strict control. Moreover, while ensuring that the program continues to work normally, the invention still provides very good security control, with finer control granularity, stronger security and high generality.
An embodiment of the second aspect of the present invention provides a security enhancement method for software, comprising the following steps:
configuring the security attributes of the software's subjects and objects;
filtering the subjects' access to the objects according to a predetermined policy and the security attributes; and
invoking the filtered objects.
The security enhancement method for software according to the embodiment of the present invention can ensure the feasibility and security of the system; its architecture ensures portability; and it better conforms to the principle of least privilege, with permissions flowing from top to bottom under strict control. Moreover, while ensuring that the program continues to work normally, the invention still provides very good security control, with finer control granularity, stronger security and high generality.
Additional aspects and advantages of the invention will be set forth in part in the description that follows, and in part will be obvious from the description or may be learned by practice of the invention.
Description of drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of the embodiments in conjunction with the accompanying drawings, in which:
FIG. 1 is a schematic diagram of a security enhancement system for software according to an embodiment of the present invention;
FIG. 2 is an architecture diagram of a security enhancement system for software according to an embodiment of the present invention;
FIG. 3 is a flowchart of a security enhancement method for software according to an embodiment of the present invention;
FIG. 4 is an overall schematic diagram of a security enhancement method for software according to an embodiment of the present invention;
FIG. 5 is a flowchart of the software starting its main process for the first time according to an embodiment of the present invention;
FIG. 6 is a flowchart of starting the main process according to an embodiment of the present invention;
FIG. 7 is a flowchart of creating a restricted child process according to an embodiment of the present invention;
FIG. 8 is a flowchart of obtaining an access control notification according to an embodiment of the present invention;
FIG. 9 is a flowchart of capturing child process creation according to an embodiment of the present invention; and
FIG. 10 is a control flowchart of a controlled child process according to an embodiment of the present invention.
Detailed description
Embodiments of the present invention are described in detail below; examples of the embodiments are shown in the accompanying drawings, in which the same or similar reference numerals denote the same or similar elements, or elements with the same or similar functions, throughout. The embodiments described below with reference to the drawings are exemplary and serve only to explain the present invention; they are not to be construed as limiting it.
The following disclosure provides many different embodiments or examples for implementing different structures of the present invention. To simplify the disclosure, the components and arrangements of specific examples are described below. They are, of course, merely examples and are not intended to limit the invention. Furthermore, reference numerals and/or letters may be repeated in different examples; this repetition is for simplicity and clarity and does not in itself indicate a relationship between the various embodiments and/or arrangements discussed. In addition, examples of various specific processes and materials are provided, but a person of ordinary skill in the art will recognize the applicability of other processes and/or the use of other materials. Finally, a structure described below in which a first feature is "on" a second feature may include embodiments in which the first and second features are formed in direct contact, and may also include embodiments in which additional features are formed between the first and second features, so that the first and second features are not in direct contact.
In the description of the present invention, unless otherwise specified and limited, the terms "installed", "connected" and "coupled" are to be understood broadly: for example, as a mechanical or electrical connection, or as communication between the interiors of two elements, whether directly or indirectly through an intermediary. A person of ordinary skill in the art can understand the specific meaning of these terms in context.
These and other aspects of the embodiments of the present invention will become clear with reference to the following description and drawings. The description and drawings specifically disclose some particular implementations of the embodiments to illustrate some ways of carrying out their principles, but it should be understood that the scope of the embodiments is not limited thereby. On the contrary, the embodiments of the present invention include all changes, modifications and equivalents that fall within the spirit and scope of the appended claims.
A security enhancement system for software according to an embodiment of the present invention is described below with reference to FIG. 1 and FIG. 2. The security enhancement system provided by the embodiment appropriately combines mandatory integrity control, mandatory access control and discretionary access control, and introduces them into the software's security control process. In one example of the present invention, the software may be a browser or another application client.
As shown in FIG. 1, the security enhancement system 1000 for software provided by the embodiment comprises a configuration module 100, a filter module 200 and an access module 300. The system is applicable to operating systems such as Windows XP, Windows Vista and Windows 7.
The configuration module 100 is used to configure the security attributes of the software's subjects and objects. In one embodiment, the subjects include the software's main process and its threads, the restricted child processes and threads the software creates, the child processes and threads of the software that require elevated privileges, and other elevated child processes and threads. The objects include the entities the software needs to invoke.
In one example, an object is an entity that passively receives access; such entities may include files, registry keys, processes and other Windows kernel objects.
In a further embodiment, the security attribute of an object may be membership of an object whitelist, i.e. the configuration module 100 configures the object whitelist. Objects recorded on the whitelist are objects that may bypass the ACL-enhanced security check of the security enhancement system; a subject may freely access or create whitelisted objects. The object whitelist can be adjusted according to the subject's needs.
In an embodiment, the configuration module 100 can set the whitelist through DeviceIoControl commands that reload the configuration items, add new objects, or adjust the security attributes of objects. Objects on the whitelist are identified by their security attributes.
The filter module 200 is used to filter the subjects' access to the objects according to a predetermined policy and the security attributes. Specifically, the filter module 200 filters out processes whose process id does not match a subject. In one embodiment there may be several filter modules 200, each filtering a subject's access to a different kind of object. For example: an ObjectHook filter module (ObjectHookFilter), which filters the subject's access to ObjectHook; a registry filter module (RegFilter), which filters the subject's access to the registry; and a file filter module (FileFilter), which filters the subject's access to files. It will be understood that these filter module types are given only by way of example and do not limit the invention; the filter module 200 may also include other types of filter module to filter a subject's access to other objects.
The access module 300 is used to invoke the objects processed by the filter module 200, i.e. the objects the filter module 200 has filtered. Specifically, the interface of the access module 300 can be called by each filter module 200 to make the final decision on the subject's right to access the object, through a role level check and a scenario access permission check. According to that final decision, the subject's access to the object is either denied or allowed.
In one embodiment, if the object is on the whitelist, the access module 300 allows the subject's access to the object; otherwise it decides whether the subject may access the object according to the security attributes of the subject and the object. It will be understood that the configuration module 100 can adjust the object whitelist according to the subject's needs.
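The three-step method (configure security attributes, filter each access, invoke the filtered object) and the access module's decision rule just described can be modelled in user mode. The following is an added example written for this page, not code from the patent or from any product implementing it: subjects carry a role level, objects carry a minimum role level, a set of permitted access scenarios and a whitelist flag, one filter exists per object type, and the access module applies the whitelist bypass first, then the role level check, then the scenario check, queuing every decision as a notification for the subject's main process. The RoleLevel scale, the managers' method names, the "passthrough" result for processes and objects the system does not manage, and the sample subjects and rules are all assumptions made for this example.

```python
from collections import deque
from dataclasses import dataclass
from enum import IntEnum

class RoleLevel(IntEnum):   # assumed ordering: restricted child < main < elevated child
    RESTRICTED = 1
    MAIN = 2
    ELEVATED = 3

@dataclass(frozen=True)
class Subject:
    pid: int
    role: RoleLevel
    main_pid: int               # main process of the software this subject belongs to

@dataclass(frozen=True)
class ObjectAttr:
    kind: str                   # "file", "registry", "process", ...
    path: str                   # path or key prefix the rule covers
    min_role: RoleLevel         # lowest role level that may touch the object
    scenes: frozenset           # permitted access scenarios, e.g. {"read", "write"}
    whitelisted: bool = False   # whitelisted objects bypass the enhanced check

class SubjectManager:           # stores and queries subjects by process id
    def __init__(self):
        self._by_pid = {}
    def add(self, subject):
        self._by_pid[subject.pid] = subject
    def query(self, pid):
        return self._by_pid.get(pid)

class ObjectManager:
    """Stores object rules; lookup is longest-prefix and case-insensitive, so a
    rule on a directory or registry key covers everything beneath it."""
    def __init__(self):
        self._rules = []
    def add(self, obj):
        self._rules.append(obj)
    def query(self, kind, path):
        key = path.lower()
        hits = [o for o in self._rules if o.kind == kind and key.startswith(o.path.lower())]
        return max(hits, key=lambda o: len(o.path), default=None)

class AccessModule:
    """Final decision: whitelist bypass, then role level check, then scenario check.
    Every decision is queued as a notification for the subject's main process."""
    def __init__(self, subjects, objects):
        self.subjects, self.objects = subjects, objects
        self.notifications = {}   # main_pid -> deque of (pid, kind, path, scene, allowed)
    def decide(self, subject, obj, scene):
        if obj.whitelisted:
            allowed = True
        elif subject.role < obj.min_role:
            allowed = False
        else:
            allowed = scene in obj.scenes
        self.notifications.setdefault(subject.main_pid, deque()).append(
            (subject.pid, obj.kind, obj.path, scene, allowed))
        return allowed

class Filter:
    """One filter per object type (the page's FileFilter / RegFilter)."""
    def __init__(self, kind, access):
        self.kind, self.access = kind, access
    def filter(self, pid, path, scene):
        subject = self.access.subjects.query(pid)
        if subject is None:
            return "passthrough"   # not a managed process: Windows' own ACL applies
        obj = self.access.objects.query(self.kind, path)
        if obj is None:
            return "passthrough"   # assumption: unregistered objects fall back to the native ACL
        return "allow" if self.access.decide(subject, obj, scene) else "deny"

def build_demo():
    """Constructed configuration: a browser main process (pid 100), a restricted
    renderer child (pid 101), and a few file and registry rules."""
    subjects, objects = SubjectManager(), ObjectManager()
    subjects.add(Subject(100, RoleLevel.MAIN, 100))
    subjects.add(Subject(101, RoleLevel.RESTRICTED, 100))
    rw, ro = frozenset({"read", "write"}), frozenset({"read"})
    objects.add(ObjectAttr("file", "C:\\Browser\\cache\\", RoleLevel.RESTRICTED, rw))
    objects.add(ObjectAttr("file", "C:\\Windows\\System32\\", RoleLevel.ELEVATED, rw))
    objects.add(ObjectAttr("file", "C:\\Browser\\browser.exe", RoleLevel.ELEVATED, ro, whitelisted=True))
    objects.add(ObjectAttr("registry", "HKLM\\Software\\", RoleLevel.MAIN, ro))
    access = AccessModule(subjects, objects)
    return access, {k: Filter(k, access) for k in ("file", "registry")}

if __name__ == "__main__":
    access, filters = build_demo()
    print(filters["file"].filter(101, "C:\\Browser\\cache\\page.html", "write"))          # allow
    print(filters["file"].filter(101, "C:\\Windows\\System32\\drivers\\x.sys", "write"))  # deny
    print(filters["registry"].filter(100, "HKLM\\Software\\Vendor", "write"))             # deny
    print(filters["file"].filter(555, "C:\\other.txt", "read"))                           # passthrough
```

The renderer is allowed to write its own cache directory but denied System32, the main process may read but not write under HKLM\Software, and the whitelisted browser.exe is reachable regardless of role. Only decisions for managed subjects are queued, and each is keyed by the subject's main process, matching the page's statement that a main process sees only notifications for its own process group.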
As shown in FIG. 2, the security enhancement system 1000 for software provided by the embodiment further comprises a subject manager, an object manager, a configuration manager, a filter manager, an ACL manager, an access control asynchronous notification module and a Ring0 device control module. The subject manager manages subjects and the object manager manages objects; specifically, the subject manager can store, query, add and delete subjects, and the object manager can store, query, add and delete objects.
The filter manager is used to set the way in which Windows' access to objects is filtered; it can enable and stop a specified filter module (Filter) and supports dynamic addition of Filters. In one example, the filter manager may be a singleton.
The configuration module 100 re-adds objects by calling the object manager's interface. The configuration module 100 also provides a method for adding the software's main process as a subject when the software starts for the first time; this method can be called by the process corresponding to the filter module 200.
The interface of the access module 300 queries the security attributes of subjects and objects by calling the interfaces of the subject manager and the object manager.
The device control asynchronous notification module uses the Windows asynchronous overlapped I/O interface to send access control notifications to the software's main process, for example the browser's main process, which then retrieves them. Note that the main process of a piece of software can only obtain notifications for the process group associated with itself.
In one embodiment, the access control notifications may take the form of an asynchronous notification queue associated with the main process; in other words, each piece of software's main process has its own independent asynchronous notification queue.
The ACL manager provides the internally used function for creating object ACLs, and the operations for adding, deleting and querying ACEs (access control entries) and SIDs (security identifiers).
The Ring0 device control module implements most of the external system interfaces and is responsible for receiving control from the configuration module 100, filter module 200 and access module 300, for reloading the configuration, for fine-tuning the subject RoleLevel, and for adding objects. The configuration module 100, filter module 200 and access module 300 correspond to the Ring3 ACL enhancement function. Ring0 denotes kernel mode and Ring3 denotes user mode.
The functions of the modules of the security enhancement system 1000 for software according to the embodiment are described below with reference to FIG. 2.
A DeviceIoControl control code is sent to the Ring0 device control module. After receiving the "load configuration" control code, the Ring0 device control module calls the configuration module 100 to read the configuration from memory or from the registry. If the configuration is file-based, the configuration module 100 calls the data decryption and integrity check submodule to verify the configuration file, and the configuration file is read by that submodule.
In one embodiment, the data decryption and integrity check submodule may use the MD5 (Message Digest Algorithm 5) algorithm or the SHA-1 (Secure Hash Algorithm) algorithm.
In one embodiment, the configuration file read by the data decryption and integrity check submodule is an encrypted file containing the security information of the subjects and the security information of the objects.
After obtaining the configuration, the configuration module 100 calls the object manager interface to create the related objects, including creating the objects' security attributes; at present objects are stateless. The object manager calls the ACL manager's interface to initialize the objects' security attributes. The access module 300 queries related object security information through the object manager interface, and related subject security information through the subject manager interface. The filter manager calls the access module 300 to make the related decisions. The access module 300 generates access control asynchronous notifications by calling the access control asynchronous notification interface, and the Ring0 device control module obtains them from the access control asynchronous notification module.
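The "load configuration" step above (read the file, verify it with a digest, then create the objects and their security attributes) can be illustrated in user mode. The following is an added example written for this page, not the patent's own code: a constructed configuration file carries subject and object security information plus a trailing digest line; the loader recomputes the digest with SHA-1 (one of the two algorithms the description names), rejects the file on any mismatch or malformed entry, and only then returns the parsed rules for the object manager. The file layout, the field names, the role scale and the sample rules are assumptions made for this example, and because the description does not specify a cipher, the decryption step is not modelled.

```python
import hashlib
import json

ROLE_LEVELS = {"RESTRICTED": 1, "MAIN": 2, "ELEVATED": 3}   # assumed role scale
KINDS = {"file", "registry", "process"}
SCENES = {"read", "write", "create", "execute"}

class ConfigError(ValueError):
    pass

def split_digest(blob: bytes):
    """Assumed layout: JSON body, newline, 'sha1=<hex>' trailer."""
    body, sep, trailer = blob.rpartition(b"\n")
    if not sep or not trailer.startswith(b"sha1="):
        raise ConfigError("missing digest trailer")
    return body, trailer[5:].decode("ascii", errors="replace")

def verify_digest(body: bytes, expected_hex: str) -> bool:
    # SHA-1 is one of the two algorithms the description names for this step.
    return hashlib.sha1(body).hexdigest() == expected_hex.lower()

def parse_rules(body: bytes):
    """Turn the object entries into (kind, path, min_role, scenes, whitelist)
    tuples, rejecting the whole file on the first malformed entry."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ConfigError(f"configuration is not valid JSON: {exc}") from None
    rules = []
    for entry in doc.get("objects", []):
        kind, path, role = entry.get("kind"), entry.get("path"), entry.get("min_role")
        scenes = set(entry.get("scenes", []))
        if kind not in KINDS or not path or role not in ROLE_LEVELS or not scenes <= SCENES:
            raise ConfigError(f"bad object entry: {entry}")
        rules.append((kind, path, ROLE_LEVELS[role], frozenset(scenes),
                      bool(entry.get("whitelist", False))))
    return rules

def load_config(blob: bytes):
    """Either the digest matches and every entry is valid, or nothing is applied."""
    body, digest = split_digest(blob)
    if not verify_digest(body, digest):
        raise ConfigError("integrity check failed")
    return parse_rules(body)

def try_load(blob: bytes):
    """Rules on success, None if the file was rejected for any reason."""
    try:
        return load_config(blob)
    except ConfigError:
        return None

def make_config(doc: dict) -> bytes:
    """Produce a file in the assumed layout (what the configuration tool would write)."""
    body = json.dumps(doc, sort_keys=True).encode("utf-8")
    return body + b"\nsha1=" + hashlib.sha1(body).hexdigest().encode("ascii")

SAMPLE_DOC = {   # constructed sample: one subject and three object rules
    "subjects": [{"name": "browser.exe", "role": "MAIN"}],
    "objects": [
        {"kind": "file", "path": "C:\\Browser\\cache\\", "min_role": "RESTRICTED", "scenes": ["read", "write"]},
        {"kind": "registry", "path": "HKLM\\Software\\", "min_role": "MAIN", "scenes": ["read"]},
        {"kind": "file", "path": "C:\\Browser\\browser.exe", "min_role": "ELEVATED", "scenes": [], "whitelist": True},
    ],
}

def demo():
    """Returns (rules accepted from the intact file, whether a tampered copy was accepted)."""
    good = make_config(SAMPLE_DOC)
    tampered = bytearray(good)
    i = good.index(b"RESTRICTED")
    tampered[i:i + 10] = b"ELEVATED  "   # widen a rule without refreshing the trailer
    return len(try_load(good)), try_load(bytes(tampered)) is not None

if __name__ == "__main__":
    print(demo())   # (3, False)
```

The loader accepts the file as a whole or not at all: a single unknown role name or scene rejects every rule, so a partially applied policy never reaches the object manager. Note that a bare digest stored next to the data only detects corruption; anyone who can write the file can recompute the trailer, so the digest itself must be protected (signed, or kept somewhere the subjects cannot write) before this check can count as a defence against deliberate tampering.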
在本发明的一个实施例中,本发明实施例的用于软件的安全性增强系统1000还包括辅助功能模块,用于生成日志信息等其他辅助功能。In one embodiment of the present invention, the security enhancement system 1000 for software in the embodiment of the present invention further includes an auxiliary function module for generating log information and other auxiliary functions.
According to the security enhancement system for software of the embodiment of the present invention, a kernel driver is implemented that strengthens the Windows ACL security access check mechanism more finely and precisely. The present invention can be applied to browsers: it enhances the security of the browser in use without affecting normal use by the user, and cooperates with user-mode programs to establish a multi-layer, multi-dimensional defense system, improving the success rate of defending against damage by malicious programs, further reducing the risk of security vulnerabilities, and making up for the deficiencies of the original security mechanism. Specifically, the security enhancement system for software of the embodiment of the present invention has the following characteristics:
(1) It uses relatively mature security theories and systems (access control, mandatory integrity control) as its basis, ensuring the feasibility of the system.
(2) It takes the WRK (the Windows Research Kernel, an open-source Windows kernel) as its reference basis, ensuring the reliability and stability of the system.
(3) It adopts a loosely coupled design and data structures with low dependence on the system; each functional module has as single a function as possible and is reusable, so modules are easy to plug in and connect, which makes it possible to port the system to higher versions of Windows or to 64-bit Windows operating systems, ensuring portability.
(4) It takes full account of the high frequency of system resource access and adopts a series of techniques, such as HASHTABLE structures, cache lookaside pools, and efficient resource read-write lock synchronization, to ensure the high performance of the system.
(5) It conforms better to the principle of least privilege. Specifically, even the owner of a resource cannot change the security attributes of an object, which avoids the defects of the Windows security mechanism (abuse of permissions and illegitimate privilege escalation); only the main process of the software (the high-privilege process) can adjust the security attributes of subjects and objects. Permissions flow from top to bottom under strict control.
While ensuring that third-party child processes (such as Acrobat Reader, Flash Player, etc.) work normally, the third-party child processes can still be kept under control, preventing vulnerabilities in third-party child processes from being exploited maliciously. That is, the Ring0 ACL enhancement has finer control granularity and stronger security. This ensures the possibility of enhancing browser security.
(6) It is a security module applicable to a variety of clients and has high generality.
The security enhancement method for software of the embodiment of the present invention is described below with reference to FIG. 3 to FIG. 10. The security enhancement method for software of the embodiment of the present invention is applicable to operating systems such as Windows XP, Windows Vista, and Windows 7.
As shown in FIG. 3, the security enhancement method for software of the embodiment of the present invention includes the following steps:
S301: Configure the security attributes of the subjects and objects of the software.
In one embodiment of the present invention, the subjects include the main process and threads of the software, the restricted child processes and threads created by the software, the child processes and threads of the software that require elevated privileges, and other privilege-elevated child processes and threads. The objects include the objects that the software needs to call.
In the embodiment of the present invention, an object is an entity that passively accepts access. The entities that passively accept access may include files, the registry, processes, and other Windows kernel objects.
In yet another embodiment of the present invention, the security attribute of an object may be a whitelist of objects. The objects recorded on the whitelist are objects that may bypass the checks of the security enhancement method for software of the present invention; a subject may freely access or create objects in the whitelist.
In the embodiment of the present invention, the whitelist can be set by reloading the configuration items, adding new objects, or adjusting the security attributes of objects through DeviceIoControl commands. The objects in the whitelist are identified by the objects' security attributes.
S302: Filter the subjects' access to the objects according to a predetermined policy and the security attributes.
Specifically, filtering the subjects' access to the objects according to the predetermined policy and the security attributes includes filtering out processes whose process ID does not match any subject. Depending on the kind of object, the subjects' access to different objects can be filtered separately. For example, ObjectHook filtering filters the subjects' access to different object-manager objects; registry filtering filters the subjects' access to the registry; file filtering filters the subjects' access to files.
S303: Call the filtered objects.
Specifically, the final decision on a subject's access right to an object is made through a role level check and a scenario access permission check, and the object is called according to the final decision. As shown in FIG. 4, according to the final decision the subject's access to the object is either denied or allowed.
In one embodiment of the present invention, if the object is in the whitelist, the subject's access to the object is allowed; otherwise, whether the subject may access the object is decided according to the security attributes of the subject and the object. It will be understood that the whitelist of objects can be adjusted according to the needs of the subject.
The flow of the first startup of the software's main process is described below with reference to FIG. 5, taking a browser as the example software. The security enhancement flow of steps S301 to S303 in the above embodiment of the present invention is a kernel driver; therefore, when the software (for example, a browser) starts for the first time, the driver and the configuration items need to be loaded.
S501: The user logs in and the browser main process starts for the first time.
S502: Start the ACL enhancement Ring0 function.
S503: The browser main process adjusts the default security attributes of its own subject through DeviceIoControl.
S504: The browser main process reloads the configuration items through DeviceIoControl and initializes the security attributes of the objects.
In one embodiment of the present invention, initializing the security attributes of the objects includes initializing the global whitelist of objects.
S505: The browser main process adjusts the security attributes of the objects.
In one embodiment of the present invention, the browser main process adjusting the security attributes of the objects includes customizing the whitelist; specifically, the whitelist is adjusted according to the needs of the subject.
It should be noted that step S505 is optional. If the browser main process does not need to adjust the security attributes of the objects, this step is skipped.
After the software has been started for the first time, if the software is closed and started again, the above driver does not need to be loaded again, because the driver is resident and only needs to be loaded once. In that case the software's main process only needs to update the corresponding information in the driver. The flow of starting the software's main process is described below with reference to FIG. 6.
S601: The browser main process starts.
S602: The browser main process adjusts the default security attributes of its own subject through DeviceIoControl.
S603: The browser main process adjusts the security attributes of the child processes.
S604: The browser main process adjusts the security attributes of the objects.
In one embodiment of the present invention, the browser main process adjusting the security attributes of the objects includes customizing the whitelist; specifically, the whitelist is adjusted according to the needs of the subject.
It should be noted that steps S603 and S604 are optional. If the browser main process does not need to adjust the security attributes of the child processes and the objects, the corresponding steps are skipped.
The security enhancement flow of steps S301 to S303 in the above embodiment imposes restrictions per process, so the driver needs to be notified when a restricted child process is created. The flow of creating a restricted child process is described below with reference to FIG. 7.
S701: The browser main process sets, through DeviceIoControl, the default security attributes of the next subject child process to be created.
S702: The browser main process creates a restricted child process or a privilege-elevated child process.
S703: The browser main process adjusts the security attributes of the child process.
It should be noted that step S703 is optional. If the browser main process does not need to adjust the security attributes of the child process, this step is skipped.
Debugging and performance testing require obtaining access control notifications. The flow of obtaining access control notifications is described below with reference to FIG. 8.
S801: The browser main process starts an access control notification acquisition thread.
S802: The access control notification acquisition thread reads the access control notifications through asynchronous I/O.
S803: The browser main process displays the access control notifications.
In the above security enhancement kernel, child process creation can be captured automatically in order to decide whether to allow the creation and to set the default security attributes. The flow of capturing child process creation is described below with reference to FIG. 9.
S901: The Filter process captures the creation of a related child process.
S902: Look up the subject associated with the ID of the related child process. If one is found, perform the related cleanup work.
S903: According to the object whitelist and the security attributes of the subject and object, determine whether the child process may be created.
S904: If it may, the Filter process sets the security attributes of the current controlled child process according to the default security attributes of the next child process or the whitelist security attributes.
The control flow of a controlled child process is described below with reference to FIG. 10.
S1001: The browser subject (a controlled child process) accesses object resources while browsing the Web.
S1002: The Filter process captures the browser subject's open or create access to an object.
S1003: First look up the object whitelist; if the object is in the whitelist, allow the subject's access.
If the whitelisted object is a process, that object can still become a controlled child process after it is created.
S1004: If the object is not in the whitelist, determine whether the subject may access the object according to the security attributes of the subject and the object.
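The decision logic of steps S301 to S303, the child-process capture of steps S901 to S904 and the controlled-child flow of steps S1001 to S1004 can be modelled together in user-mode C. The following is an added example, not code from the patent: subjects are keyed by process ID and carry a role level and a set of permitted operations, objects carry a required level and a whitelist flag, and the decision applies the PID filter, the whitelist bypass, the scenario (operation) check and the role level check in that order. It also models the least-privilege rule of feature (5): only the high-level main process may adjust another subject's level. The level values, operation bits, struct and function names and the sample policy are assumptions made for illustration.

```c
/* Added example (not the patent's code): user-mode model of the subject/object
 * access decision and child-process registration the patent describes.
 * Names, levels and the sample policy are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { LEVEL_LOW = 1, LEVEL_MEDIUM = 2, LEVEL_HIGH = 3 } level_t;   /* role level */
typedef enum { OP_OPEN = 1u, OP_CREATE = 2u, OP_WRITE = 4u } op_t;          /* access scenario */

typedef struct { uint32_t pid; level_t level; uint32_t ops; int in_use; } subject_t;
typedef struct { const char *name; level_t required_level; int whitelisted; } object_t;

#define MAX_SUBJECTS 8
typedef struct {
    subject_t subjects[MAX_SUBJECTS];
    level_t  next_child_level;   /* default attributes for the next child, set via S701 */
    uint32_t next_child_ops;
} policy_t;

static subject_t *find_subject(policy_t *p, uint32_t pid) {
    for (int i = 0; i < MAX_SUBJECTS; i++)
        if (p->subjects[i].in_use && p->subjects[i].pid == pid) return &p->subjects[i];
    return NULL;
}

static int add_subject(policy_t *p, uint32_t pid, level_t level, uint32_t ops) {
    for (int i = 0; i < MAX_SUBJECTS; i++)
        if (!p->subjects[i].in_use) { p->subjects[i] = (subject_t){pid, level, ops, 1}; return 1; }
    return 0;   /* table full: fail closed */
}

/* S302 plus S1003/S1004: a request from a PID that matches no subject is filtered
 * out; a whitelisted object bypasses the checks; otherwise the scenario check and
 * the role level check must both pass. Returns 1 = allow, 0 = deny. */
int decide_access(policy_t *p, uint32_t pid, const object_t *obj, op_t op) {
    const subject_t *s = find_subject(p, pid);
    if (!s) return 0;
    if (obj->whitelisted) return 1;
    if ((s->ops & op) == 0) return 0;
    return s->level >= obj->required_level;
}

/* Feature (5): only a high-level subject (the main process) may adjust another
 * subject's level, and never above its own, so privilege flows top-down only. */
int set_subject_level(policy_t *p, uint32_t caller_pid, uint32_t target_pid, level_t level) {
    const subject_t *caller = find_subject(p, caller_pid);
    subject_t *target = find_subject(p, target_pid);
    if (!caller || !target || caller->level != LEVEL_HIGH || level > caller->level) return 0;
    target->level = level;
    return 1;
}

/* S901 to S904: the parent must be allowed to create the image object; a stale
 * subject left under the same (recycled) PID is cleaned up (S902); the child is
 * registered with the S701 defaults (S904). A whitelisted image is registered
 * too, so it still becomes a controlled child process. */
int on_child_create(policy_t *p, uint32_t parent_pid, uint32_t child_pid, const object_t *image) {
    if (!decide_access(p, parent_pid, image, OP_CREATE)) return 0;
    subject_t *stale = find_subject(p, child_pid);
    if (stale) stale->in_use = 0;
    return add_subject(p, child_pid, p->next_child_level, p->next_child_ops);
}

/* Constructed scenario: a high-level main process, one restricted child and
 * three objects. Returns how many of the 6 checks behaved as expected. */
int demo_scenarios(void) {
    policy_t p = {0};
    add_subject(&p, 100, LEVEL_HIGH, OP_OPEN | OP_CREATE | OP_WRITE);  /* browser main process */
    p.next_child_level = LEVEL_LOW; p.next_child_ops = OP_OPEN;         /* S701 defaults */
    object_t renderer_img = {"renderer.exe", LEVEL_MEDIUM, 0};
    object_t user_docs    = {"C:\\Users\\me\\Documents", LEVEL_MEDIUM, 0};
    object_t font_cache   = {"C:\\Windows\\Fonts", LEVEL_LOW, 1};       /* whitelisted */
    int ok = 0;
    ok += on_child_create(&p, 100, 200, &renderer_img) == 1;           /* main may spawn the child */
    ok += decide_access(&p, 200, &font_cache, OP_WRITE) == 1;         /* whitelist bypasses checks */
    ok += decide_access(&p, 200, &user_docs, OP_OPEN) == 0;           /* LOW < MEDIUM: denied */
    ok += decide_access(&p, 999, &font_cache, OP_OPEN) == 0;          /* unknown PID is filtered */
    ok += set_subject_level(&p, 200, 200, LEVEL_HIGH) == 0;           /* child cannot raise itself */
    ok += set_subject_level(&p, 100, 200, LEVEL_MEDIUM) == 1
          && decide_access(&p, 200, &user_docs, OP_OPEN) == 1;        /* main raises it: now allowed */
    return ok;
}

int main(void) {
    printf("%d of 6 scenario checks passed\n", demo_scenarios());
    return 0;
}
```

The order of checks matters for the defender: filtering unknown PIDs before consulting the whitelist means a process the main browser process never registered gets no access even to whitelisted objects, and the stale-entry cleanup in on_child_create is what prevents a recycled PID from inheriting a previous child's attributes.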
According to the security enhancement method for software of the embodiment of the present invention, a kernel driver is implemented that strengthens the Windows ACL security access check mechanism more finely and precisely. The present invention can be applied to browsers: it enhances the security of the browser in use without affecting normal use by the user, and cooperates with user-mode programs to establish a multi-layer, multi-dimensional defense system, improving the success rate of defending against damage by malicious programs, further reducing the risk of security vulnerabilities, and making up for the deficiencies of the original security mechanism. Specifically, the security enhancement method for software of the embodiment of the present invention has the following characteristics:
(1) It uses relatively mature security theories and systems (access control, mandatory integrity control) as its basis, ensuring the feasibility of the system.
(2) It takes the WRK (the Windows Research Kernel, an open-source Windows kernel) as its reference basis, ensuring the reliability and stability of the system.
(3) It adopts a loosely coupled design and data structures with low dependence on the system; each functional module has as single a function as possible and is reusable, so modules are easy to plug in and connect, which makes it possible to port the system to higher versions of Windows or to 64-bit Windows operating systems, ensuring portability.
(4) It takes full account of the high frequency of system resource access and adopts a series of techniques, such as HASHTABLE structures, cache lookaside pools, and efficient resource read-write lock synchronization, to ensure the high performance of the system.
(5) It conforms better to the principle of least privilege. Specifically, even the owner of a resource cannot change the security attributes of an object, which avoids the defects of the Windows security mechanism (abuse of permissions and illegitimate privilege escalation); only the main process of the software (the high-privilege process) can adjust the security attributes of subjects and objects. Permissions flow from top to bottom under strict control.
While ensuring that third-party child processes (such as Acrobat Reader, Flash Player, etc.) work normally, the third-party child processes can still be kept under control, preventing vulnerabilities in third-party child processes from being exploited maliciously. That is, the Ring0 ACL enhancement has finer control granularity and stronger security. This ensures the possibility of enhancing browser security.
(6) It is a security module applicable to a variety of clients and has high generality.
Any process or method description in a flowchart or otherwise described herein may be understood as representing a module, segment, or portion of code that includes one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present invention includes additional implementations in which functions may be executed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functions involved, as will be understood by those skilled in the art to which the embodiments of the present invention belong.
The logic and/or steps represented in the flowcharts or otherwise described herein may, for example, be considered an ordered list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus, or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, apparatus, or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any apparatus that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of computer-readable media include the following: an electrical connection having one or more wires (an electronic apparatus), a portable computer diskette (a magnetic apparatus), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber apparatus, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting, or otherwise processing it in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that the various parts of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented with any one or a combination of the following techniques known in the art: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), and so on.
Those of ordinary skill in the art will understand that all or part of the steps of the methods of the above embodiments may be completed by instructing related hardware through a program; the program may be stored in a computer-readable storage medium and, when executed, includes one of the steps of the method embodiments or a combination thereof.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, or each unit may exist physically on its own, or two or more units may be integrated in one module. The above integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk, or the like.
In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example", or "some examples" means that a specific feature, structure, material, or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials, or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described, those of ordinary skill in the art will understand that various changes, modifications, substitutions, and variations may be made to these embodiments without departing from the principle and spirit of the present invention; the scope of the present invention is defined by the appended claims and their equivalents.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210123531.0A CN102663321B (en) | 2012-04-24 | 2012-04-24 | For security enhancement system and the method for software |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210123531.0A CN102663321B (en) | 2012-04-24 | 2012-04-24 | For security enhancement system and the method for software |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102663321A CN102663321A (en) | 2012-09-12 |
CN102663321B true CN102663321B (en) | 2016-01-13 |
Family
ID=46772807
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210123531.0A Expired - Fee Related CN102663321B (en) | 2012-04-24 | 2012-04-24 | For security enhancement system and the method for software |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102663321B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104036166B (en) * | 2014-06-11 | 2017-12-15 | 中国人民解放军国防科学技术大学 | The user of forced symmetric centralization is supported to put forward power method |
CN109684824B (en) * | 2014-12-29 | 2021-09-03 | 北京奇虎科技有限公司 | Process permission configuration method and device |
KR101716690B1 (en) * | 2015-05-28 | 2017-03-15 | 삼성에스디에스 주식회사 | Unauthorized data access blocking method and computing apparatus having Unauthorized data access blocking function |
CN105072111A (en) * | 2015-08-07 | 2015-11-18 | 新浪网技术(中国)有限公司 | Method and device for java security verification in PaaS system |
CN111008041B (en) * | 2019-12-04 | 2022-03-11 | 北京百度网讯科技有限公司 | Command processing method and device for host, electronic equipment and storage medium |
CN114238950A (en) * | 2021-11-03 | 2022-03-25 | 惠州市德赛西威智能交通技术研究院有限公司 | Method and system for intelligently generating mandatory access control strategy and checking strategy |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006127497A (en) * | 2004-10-29 | 2006-05-18 | Microsoft Corp | Efficient white listing of user-modifiable file |
CN101256570A (en) * | 2008-02-22 | 2008-09-03 | 山东中创软件工程股份有限公司 | File protection technique based on Windows system files filtering drive |
CN102194074A (en) * | 2011-04-26 | 2011-09-21 | 北京思创银联科技股份有限公司 | Computer protection method based on process right |
CN102375956A (en) * | 2010-08-19 | 2012-03-14 | 北京市国路安信息技术有限公司 | Method of constructing Unix trusted platform based on Unix system call redirected mechanism |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8381297B2 (en) * | 2005-12-13 | 2013-02-19 | Yoggie Security Systems Ltd. | System and method for providing network security to mobile devices |
CN101778109A (en) * | 2010-01-13 | 2010-07-14 | 苏州国华科技有限公司 | Construction method for access control policy and system thereof |
CN101827091A (en) * | 2010-03-26 | 2010-09-08 | 浪潮电子信息产业股份有限公司 | Method for detecting Solaris system fault by utilizing mandatory access control |
CN101977111B (en) * | 2010-10-15 | 2012-08-15 | 北京工业大学 | Anti-spam method based on privacy protection |
- 2012-04-24 CN CN201210123531.0A patent/CN102663321B/en not_active Expired - Fee Related
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006127497A (en) * | 2004-10-29 | 2006-05-18 | Microsoft Corp | Efficient white listing of user-modifiable file |
CN101256570A (en) * | 2008-02-22 | 2008-09-03 | 山东中创软件工程股份有限公司 | File protection technique based on Windows system files filtering drive |
CN102375956A (en) * | 2010-08-19 | 2012-03-14 | 北京市国路安信息技术有限公司 | Method of constructing Unix trusted platform based on Unix system call redirected mechanism |
CN102194074A (en) * | 2011-04-26 | 2011-09-21 | 北京思创银联科技股份有限公司 | Computer protection method based on process right |
Also Published As
Publication number | Publication date |
---|---|
CN102663321A (en) | 2012-09-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3671508B1 (en) | Customizing operating system kernels with secure kernel modules | |
US9069941B2 (en) | Access authorization having embedded policies | |
US9594898B2 (en) | Methods and systems for controlling access to resources and privileges per process | |
CN102663321B (en) | For security enhancement system and the method for software | |
US7818781B2 (en) | Behavior blocking access control | |
RU2678496C2 (en) | Device policy manager | |
KR101242312B1 (en) | Running internet applications with low rights | |
KR100882348B1 (en) | Method and device for setting security policy for secure operating system | |
CN107643940A (en) | Container creation method, relevant device and computer-readable storage medium | |
US20160212115A1 (en) | System and Method for Providing Confidence Scores in a Persistent Framework | |
US11811829B2 (en) | Header modification for endpoint-based security | |
CN104036166B (en) | The user of forced symmetric centralization is supported to put forward power method | |
CN102930205A (en) | A monitoring unit and method | |
US9798561B2 (en) | Guarded virtual machines | |
KR20150045488A (en) | System control | |
US20070294530A1 (en) | Verification System and Method for Accessing Resources in a Computing Environment | |
CN105827645B (en) | Method, equipment and system for access control | |
CN106155753A (en) | Application program installation method, device and terminal | |
CN107566375B (en) | Access control method and device | |
CN103970540B (en) | Key Functions secure calling method and device | |
CN104281803A (en) | System permission management method and equipment | |
EP1643409A2 (en) | Application programming Interface for Access authorization | |
CN114861160A (en) | Method and device, device, and storage medium for enhancing authority of non-administrator account | |
KR100772455B1 (en) | Process classification / execution control apparatus and method for strengthening DC | |
CN118012522A (en) | Operating system privilege allocation method and device, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160113 |