CN102542182A - Device and method for controlling mandatory access based on Windows platform - Google Patents
- Publication number: CN102542182A
- Authority: CN (China)
- Prior art keywords: file, windows, access control, kernel, security server
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a device and method for mandatory access control on the Windows platform. The device comprises a monitoring module that enforces access control over processes, files and the registry on Windows: it intercepts the access requests that a subject makes to an object and passes them to a core security server for a security decision. The core security server makes the permission decision according to the security rules of mandatory access control and returns the result to the monitoring module, thereby implementing mandatory access control. With this device and method, the access control decision of the Windows system does not depend on the subject; whether access is allowed is determined by the security policy, which compares the security identifiers of the subject and the object. The device is compatible with the discretionary access control mechanism built into Windows and provides a higher security level than the original mechanism.
Description
Technical field
The invention belongs to the field of secure operating systems and relates to a security hardening method for the Windows system, specifically to a mandatory access control system and control method based on the Windows platform that implements mandatory access control for the Windows system.
Background technology
Windows is one of the most widely used operating systems today, and its security has become a matter of concern and worry for users. The discretionary access control built into Windows is the core of its security assurance mechanism; it controls access to sensitive system resources through the key components of the security subsystem. The basic idea of discretionary access control is that a subject that owns an object can grant other subjects some of the access rights to that object. This mechanism gives the subject user great autonomy and flexibility, but the protection it provides is relatively low, so it cannot resist attacks such as Trojan horses. Statistics and analysis of the security products popular on the market show that products dedicated to Windows, such as firewalls and antivirus software, mostly run as user-level applications. They can defend the environment around the system, but do very little to improve the security of the system itself. Monitoring the Windows system from kernel mode is therefore of great significance.
Summary of the invention
The object of the invention is to provide a mandatory access control system based on the Windows platform that solves the security problems caused by the insufficient control and monitoring of the discretionary access control mechanism of the Windows operating system.
To solve these problems of the prior art, the technical scheme provided by the invention is:
A mandatory access control device based on the Windows platform, comprising a monitoring module for intercepting the requests by which Windows applications access Windows kernel objects through system calls, and a core security server for judging whether a request is legitimate; characterized in that the monitoring module and the core security server are both located in the Windows kernel layer; the monitoring module intercepts the access requests of operating system processes to kernel objects and passes them to the core security server for a policy decision; after the core security server has made the permission decision, the monitoring module decides, according to the security server's result, whether to permit the request to access the Windows kernel object: if allowed, the original system call is executed; if denied, it returns directly.
Preferably, the objects whose requests the monitoring module intercepts are selected from any one, or any combination of two or more, of the file objects, process objects, thread objects or registry objects that Windows applications access through system calls.
Preferably, the monitoring module comprises a process monitoring submodule, a file monitoring submodule and a registry monitoring submodule; the process monitoring submodule independently handles control of access to process objects or thread objects, while the file monitoring submodule and the registry monitoring submodule both need to call the process monitoring submodule to complete control of access to file objects and registry objects.
Preferably, the monitoring module is a kernel SSDT-HOOK module that uses kernel-level hook technology. The hook set of the process monitoring submodule monitors: create process, open process, terminate process, create thread, open thread, terminate thread. The hook set of the file monitoring submodule monitors: create or open file, open file, delete or rename file, set the extended attributes of a file. The hook set of the registry monitoring submodule monitors: create or open registry entry, open registry entry, delete registry entry, add or set registry key, delete registry key.
Preferably, the core security server manages the security context of kernel objects, handles the decision requests of the process mandatory access control system and returns the decision result.
Preferably, the core security server, following the DTE security model and depending on the object accessed, forms the binary files used for policy decisions on the different objects.
The present invention also provides a mandatory access control method based on the Windows platform, characterized in that the method is controlled by a monitoring module and a core security server located in the Windows kernel layer, and comprises the following steps:
(1) a Windows application sends an access request to a Windows kernel object through a system call;
(2) the monitoring module intercepts the access request of the Windows operating system process to the kernel object and passes it to the core security server for a policy decision;
(3) after the core security server has made the permission decision, the monitoring module decides, according to the security server's result, whether to permit the request to access the object: if allowed, the original system call is executed; if denied, it returns directly.
Preferably, when the kernel object accessed is a process object or thread object, the monitoring module adds a security identifier to the process object or thread object; the security identifier is set by reading the binary file that the core security server creates from the rules for process objects or thread objects.
Preferably, the monitoring module is a kernel SSDT-HOOK module that uses kernel-level hook technology and is used to monitor the accessed objects throughout their life cycle.
The overall framework of the mandatory access control device of the invention is shown in Fig. 1 and comprises the core security server and the monitoring module. The overall execution flow, shown in Fig. 2, has three steps:
(1) a user-level process sends an access request to the Windows kernel module through a system call;
(2) the monitoring module intercepts the access request of the operating system process to the kernel object and passes it to the core security server for a policy decision;
(3) after the core security server has made the permission decision, the monitoring module decides, according to the security server's result, whether to permit the request to access the object: if allowed, the original system call is executed; if denied, it returns directly.
The main task of the core security server is to manage the security context of kernel objects, handle the decision requests of the process mandatory access control system and return the decision result.
The monitoring module comprises three submodules: the process monitoring submodule, the file monitoring submodule and the registry monitoring submodule, which implement mandatory access control for process, file and registry access respectively. The process monitoring submodule handles control of process access independently, while the file monitoring submodule and the registry monitoring submodule need to call the process monitoring submodule to complete control of file and registry access. The implementation of the three submodules falls into two parts: managing the security identifiers of kernel objects, and setting HOOK functions to monitor kernel operation functions. The core security server forms the binary file used for policy decisions from the security identifiers of process objects or thread objects together with the security identifier assignment rules, the domain transition rules and other rules; it determines the content of the security identifier of registry objects according to the DTE security model.
I. Managing the security identifiers of kernel objects
A. Process object
(1) Determining the content of the security identifier
The security identifier is one of the main security features of an access control mechanism. Also called a security attribute, it describes the security of a system object. The content of the security identifier is decided by the policy of the DTE (Domain and Type Enforcement) model. The DTE model assigns subjects to different domains and objects to different types for access control; access from one domain to another domain, or from a domain to a type, requires a DTE policy decision. For a process object, the content of the security identifier is the content of the domain, represented by a non-negative integer.
Obtaining the policy or file that stores the security identifiers
The content of the security identifier is decided by the policy of the core security server (CSS), and the security identifiers of all subjects and objects are likewise obtained from a file provided by the CSS. The CSS writes the process security identifiers, the security identifier assignment rules, the domain transition rules and other rules into a binary policy file, policy.db, and provides it to the process mandatory access control system. When this file is needed, the process mandatory access control system loads the binary policy file policy.db to obtain the security identifier of process No. 0; thereafter the security identifier of each newly created process is generated automatically according to the rules in this policy file.
Description and determination of the security identifier storage scheme
In the process monitoring submodule, security identifiers need to be added to process objects and thread objects. In Windows, the thread is both the entity the system actually executes and a lightweight one, and all threads belonging to the same process share the same process context block, so a thread object can fully inherit the security identifier of the process it belongs to.
The security identifiers of processes are stored by maintaining a doubly linked list.
Each node of this doubly linked list is a custom data structure that stores the security identifier and the name of the corresponding process; this structure, which records the correspondence between security identifier and process, is linked into the list. The security identifier of a thread object is the one inherited from the process it belongs to.
Setting the security identifier
For a process object, the corresponding security identifier is set as soon as each process (system process or user process) has been created successfully. All later operations related to the process, such as opening a process, terminating a process, or any other operation in which the process is the subject, can then be controlled according to the policy of the mandatory access control mechanism. Setting the security identifier of a process means inserting a data structure containing the process, its security identifier and other information into a global doubly linked list. The security identifier of a thread object does not need to be set: all threads belonging to a process share the security identifier of that process.
Querying the security identifier
Because the security identifiers of processes are stored in a doubly linked list, querying the security identifier of a process becomes a query of the doubly linked list. The index of the query could be the process identifier (PID) or the name of the process. Because the PID is not fixed, the name of the process is chosen.
Querying the security identifier of a thread requires finding, in the thread's kernel data structure _ETHREAD, the pointer field to the _EPROCESS of the process the thread belongs to; the security identifier of the process, which is also the security identifier of the thread, can then be obtained from the _EPROCESS.
Deleting the security identifier
When the system closes a process, besides terminating all system resources the process owns, the security identifier of the process must also be released. Deleting the security identifier means traversing the doubly linked list by the index value (the name of the process) to find the node containing the security identifier of the process, and then performing the list deletion.
No operation on a thread affects the security identifier of the process it belongs to. After a process is terminated, all threads inside it are terminated at the same time and the resources they own are released.
Other issues (such as handling objects for which no security identifier has been set)
Windows applies no mandatory protection to the processes in the system, so a security identifier can be added to every process in the system. If a process was created before the process mandatory access control system started, its security identifier must be set when the process is referenced for the first time; the method is the same as setting the security identifier at creation.
File object
The security identifier of a file that requires mandatory access control is stored in the extended attributes of the file; support for the NTFS file system has been implemented so far.
Registry object
(1) Determining the content of the security identifier
The content of the security identifier of the registry is decided by the core security server (CSS). The CSS system that interacts with the process mandatory access control system uses the DTE security model, so the type of security identifier that the DTE model assigns to an object is determined by the concrete security policy. In this system, the security identifier of the registry differs from the integer security identifier of a process: it is a character string.
Obtaining the policy or file that stores the security identifiers
Because the content of the security identifiers of all subjects and objects is decided by the policy of the core security server (CSS), the security identifiers of all subjects and objects are also obtained from a file provided by the CSS. The method of obtaining this policy file is the same as for the process module. Once the policy file has been loaded for the first time, whenever a security identifier needs to be set on the registry, the registry module is called to read the policy file and set the corresponding security identifier on the registry.
Description and determination of the security identifier storage scheme
Setting a security identifier on a registry entry uses the internal structure of the operating system: a key value is created under the registry entry, within the hierarchy of its directory tree, as the storage space for the security identifier.
Setting the security identifier
For registry entries that can be accessed, the corresponding security identifiers are set by traversal before the monitoring system starts. For registry entries protected by the system, the security identifiers are kept and maintained in the core security server.
Querying the security identifier
A security identifier stored under a registry entry as a key value can be obtained by reading the key value through the API functions the kernel provides. A security identifier kept in the security server can only be obtained by sending a request.
Deleting the security identifier
When a registry entry is deleted, the entry itself and all the key values it contains (including the key value that stores the security identifier) are deleted.
II. Setting HOOK functions to monitor kernel operation functions
A. Selecting the functions to hook
The hook set must cover the whole life cycle of the kernel objects without affecting the stability of the system.
The hook set of the process monitoring submodule is: the create-process function, the open-process function, the terminate-process function, the create-thread function, the open-thread function and the terminate-thread function.
The hook set of the file monitoring submodule is: the create-or-open-file function, the open-file function, the delete-or-rename-file function, and the function that sets the extended attributes of a file.
The hook set of the registry monitoring submodule is: the create-or-open-registry-entry function, the open-registry-entry function, the delete-registry-entry function, the add-or-set-registry-key function and the delete-registry-key function.
Technology
The more stable kernel-level hook technique SSDT-HOOK is adopted; it is implemented by modifying or replacing the system function call addresses stored in the SSDT.
Description of drawings
The invention is further described below with reference to the drawings and the embodiment:
Fig. 1 is the system architecture diagram of the mandatory access control device based on the Windows platform according to the embodiment of the invention;
Fig. 2 is a schematic diagram of the operating flow of the mandatory access control device based on the Windows platform according to the embodiment of the invention;
Fig. 3 is a schematic diagram of the detailed control workflow of the mandatory access control device based on the Windows platform according to the embodiment of the invention.
Embodiment
The above scheme is further explained below with reference to a specific embodiment. It should be understood that the embodiment is intended to illustrate the invention and not to limit its scope. The implementation conditions used in the embodiment can be adjusted further according to the conditions of the specific manufacturer; implementation conditions that are not stated are generally those of a routine experiment.
Embodiment: implementing mandatory access control on Windows
The following embodiment implements the security hardening process on the Windows platform. As described above, its basic technical scheme comprises the monitoring module and the core security server; the framework of the control device is shown in Fig. 1.
The mandatory access control device based on the Windows platform is implemented as a driver. Once the driver has been loaded successfully, it becomes part of the Windows kernel, similar to the notion of a patch in a Linux system; the memory space in the kernel is shared by all processes, so the goal of monitoring all access to kernel objects can be achieved.
Monitoring of processes is introduced below using the create-process function as the example:
The process start-up module mainly hooks the two kernel functions that create processes, ZwCreateProcess and ZwCreateProcessEx, and replaces these two system calls with our custom functions HookedNtCreateProcess and HookedNtCreateProcessEx respectively. ZwCreateProcess and ZwCreateProcessEx differ only in the operating system versions on which they exist, and the implementation details are the same, so the detailed discussion below uses ZwCreateProcess as the example.
The function used to replace ZwCreateProcess is HookedNtCreateProcess. HookedNtCreateProcess accepts all the parameters of ZwCreateProcess as its own input parameters. The prototype of HookedNtCreateProcess is:
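```c
NTSTATUS
NTAPI
HookedNtCreateProcess(
    OUT PHANDLE            ProcessHandle,             /* pointer to the handle returned on success */
    IN  ACCESS_MASK        DesiredAccess,             /* requested access rights */
    IN  POBJECT_ATTRIBUTES ObjectAttributes,
    IN  HANDLE             InheritFromProcessHandle,  /* handle of the parent process (subject) */
    IN  BOOLEAN            InheritHandles,
    IN  HANDLE             SectionHandle OPTIONAL,    /* key information about the child process */
    IN  HANDLE             DebugPort OPTIONAL,
    IN  HANDLE             ExceptionPort OPTIONAL
);
```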
The first parameter is a pointer to the handle returned after the process has been created successfully; note that it is not the handle value itself. The second parameter represents the access rights and generally needs no processing. The fourth parameter is in fact the handle of the parent process of the process being created; this parameter is extremely important, because the security identifier of the subject can be obtained through it. The sixth parameter carries key information about the child process being created; through it we can obtain the full path of the object (that is, the executable file of the process), and the security identifier of the object can then be queried by that full path. The other parameters can be left untouched.
Having analysed the prototype of the function, we now describe its whole execution flow:
(1) In user mode, when an executable file is opened, the system automatically calls the application-layer API CreateProcess.
(2) After the CreateProcess call enters the kernel, the request is forwarded to the SSDT through the int 2e instruction or the SYSENTER instruction, in order to look up in the SSDT the kernel function ZwCreateProcess that corresponds to CreateProcess. At this point the process mandatory access control system first captures the address of ZwCreateProcess through the SSDT-Hook technique, saves this function address temporarily in a global variable OriginalNtCreateProcess, and then puts the address of the custom function HookedNtCreateProcess in the position of ZwCreateProcess in the SSDT. The system then automatically calls HookedNtCreateProcess.
Inside HookedNtCreateProcess the following steps are completed first:
First, the security identifier of the subject is obtained. The _EPROCESS pointer of the parent process is obtained from the fourth parameter of the function; this pointer is then used as the index to look up the security identifier of the parent process in the doubly linked list, and the result is stored in an integer sSid.
Second, the security identifier of the object is obtained. The full path of the executable file of the child process is obtained from the sixth parameter, and the security identifier of the executable file can be queried by that full path. Because the security identifier of a file is a character string of type STRING, two queries are needed. The first query obtains the size of the security identifier; space is then allocated dynamically to store it; the second query actually retrieves the security identifier and places it in the prepared space. At this point the security identifiers of both subject and object have been obtained.
A point to note at this step: if the process-creation system call were executed first and the security identifier of the child process queried only after the child had been created successfully, the child process would have to be terminated whenever the security server returned a denial. That scheme treats the process, rather than the executable file, as the object, and such after-the-fact handling is clearly inferior to a scheme that prevents in advance. The executable file is the first object that must be accessed to create a process; monitoring at that earlier point gains the initiative and prevents more effectively.
Finally, the security identifiers of subject and object are passed to the security server through the function call SEWindowsProcessCreate, and the security server returns a variable of type NTSTATUS as the result. If the result is a denial, ZwCreateProcess is not called and failure is returned directly. If the result is to allow, control passes to ZwCreateProcess(): the function is called through the global variable OriginalNtCreateProcess, which stores its address, to complete creation of the child process.
If creation of the child process in the previous step fails, the failure result is returned; if it succeeds, the domain transition of the child process must be performed. The domain transition calls the security server's interface function pfac_transition_sid; the input parameters are the security identifiers of the subject process and the object executable file, and the output parameter is the new security identifier of the child process.
Next, the security identifier of the newly created process must be stored in the doubly linked list for later use. The security identifier interface function SetProcessSid is called to set the security identifier of the child process.
To test whether the security identifier was set successfully, the query function QueryProcessSid is used to check that the security identifier was added correctly. At this point HookedNtCreateProcess has finished executing.
The detailed execution flow is shown in Fig. 3.
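The following user-mode C model is an added example, not code from the patent: it reproduces the security identifier list described earlier (set, query and delete by process name) and the order of checks in HookedNtCreateProcess described above. The function signatures, the policy rules, the file labels and the fail-closed handling of unlabeled subjects or objects are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STATUS_SUCCESS        0
#define STATUS_ACCESS_DENIED (-1)
#define NO_SID               (-1)

/* Node of the global doubly linked list: process name -> domain (integer SID). */
typedef struct ProcNode {
    char name[64];
    int domain;
    struct ProcNode *prev, *next;
} ProcNode;
static ProcNode *g_head;

static ProcNode *find_node(const char *name) {
    for (ProcNode *n = g_head; n; n = n->next)
        if (strcmp(n->name, name) == 0) return n;
    return NULL;
}

/* Models SetProcessSid (assumed signature): insert or update a process label. */
int set_process_sid(const char *name, int domain) {
    ProcNode *n = find_node(name);
    if (!n) {
        if (!(n = calloc(1, sizeof *n))) return STATUS_ACCESS_DENIED;
        strncpy(n->name, name, sizeof n->name - 1);
        n->next = g_head;
        if (g_head) g_head->prev = n;
        g_head = n;
    }
    n->domain = domain;
    return STATUS_SUCCESS;
}

/* Models QueryProcessSid: NO_SID when the process carries no label. */
int query_process_sid(const char *name) {
    ProcNode *n = find_node(name);
    return n ? n->domain : NO_SID;
}

/* Models label deletion at process exit: unlink the node and free it. */
void delete_process_sid(const char *name) {
    ProcNode *n = find_node(name);
    if (!n) return;
    if (n->prev) n->prev->next = n->next; else g_head = n->next;
    if (n->next) n->next->prev = n->prev;
    free(n);
}

/* Constructed file labels (string SIDs); the patent keeps these in extended attributes. */
static const struct { const char *path, *type; } g_files[] = {
    { "C:\\Apps\\browser.exe",          "browser_exec_t" },
    { "C:\\Windows\\System32\\cmd.exe", "shell_exec_t"   },
};
/* Constructed DTE rules: a domain may execute a type; the child enters child_domain. */
static const struct { int domain; const char *type; int child_domain; } g_rules[] = {
    { 1, "browser_exec_t", 2 },   /* user domain 1 may start the browser -> domain 2 */
    { 1, "shell_exec_t",   1 },   /* user domain 1 may start a shell, stays in 1     */
};

const char *query_file_sid(const char *path) {
    for (size_t i = 0; i < sizeof g_files / sizeof g_files[0]; i++)
        if (strcmp(g_files[i].path, path) == 0) return g_files[i].type;
    return NULL;
}

/* Models pfac_transition_sid: child domain for (subject, object), NO_SID if no rule. */
int transition_sid(int sdomain, const char *otype) {
    for (size_t i = 0; i < sizeof g_rules / sizeof g_rules[0]; i++)
        if (g_rules[i].domain == sdomain && strcmp(g_rules[i].type, otype) == 0)
            return g_rules[i].child_domain;
    return NO_SID;
}

/* Models SEWindowsProcessCreate: the security server's allow/deny answer. */
int se_process_create(int sdomain, const char *otype) {
    return transition_sid(sdomain, otype) == NO_SID ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
}

int g_original_calls;   /* counts how often the stand-in for the original call ran */
static int original_create_process(const char *child) {
    (void)child;
    g_original_calls++;
    return STATUS_SUCCESS;
}

/* Models HookedNtCreateProcess: decide first, run the original call only on allow. */
int hooked_create_process(const char *parent, const char *image, const char *child) {
    int ssid = query_process_sid(parent);        /* subject label from the list   */
    const char *osid = query_file_sid(image);    /* object label of the executable */
    if (ssid == NO_SID || !osid) return STATUS_ACCESS_DENIED;  /* assumption: fail closed */
    if (se_process_create(ssid, osid) != STATUS_SUCCESS) return STATUS_ACCESS_DENIED;
    if (original_create_process(child) != STATUS_SUCCESS) return STATUS_ACCESS_DENIED;
    if (set_process_sid(child, transition_sid(ssid, osid)) != STATUS_SUCCESS)
        return STATUS_ACCESS_DENIED;             /* domain transition result not stored */
    return query_process_sid(child) != NO_SID ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}

int main(void) {
    set_process_sid("explorer.exe", 1);
    printf("explorer -> browser: %d\n",
           hooked_create_process("explorer.exe", "C:\\Apps\\browser.exe", "browser.exe"));
    printf("browser  -> cmd:     %d\n",
           hooked_create_process("browser.exe", "C:\\Windows\\System32\\cmd.exe", "cmd.exe"));
    return 0;
}
```

The denied request never reaches the stand-in for the original call, which is the "prevent in advance" ordering the description argues for.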
The above example only illustrates the technical concept and features of the invention; its purpose is to let those familiar with this technology understand the content of the invention and implement it accordingly, and it does not limit the scope of protection of the invention. All equivalent transformations or modifications made according to the spirit of the invention fall within the scope of protection of the invention.
Claims (9)
1. A mandatory access control apparatus based on the Windows platform, comprising a monitoring module for intercepting requests by Windows applications to access Windows system kernel objects through system calls, and a core security server for judging whether a request is legitimate; characterized in that the monitoring module and the core security server are both arranged in the Windows system kernel layer; the monitoring module captures access requests from operating system processes to kernel objects and submits them to the core security server for a policy decision; after the core security server makes the permission decision, the monitoring module determines, according to the security server's result, whether to permit the request to access the Windows system kernel object: if allowed, the original system call is executed; if refused, it returns directly.
2. The mandatory access control apparatus based on the Windows platform according to claim 1, characterized in that the objects whose requests the monitoring module captures are selected from any one, or any combination of two or more, of the file objects, process objects, thread objects or registry objects that Windows applications access through system calls.
3. The mandatory access control apparatus based on the Windows platform according to claim 1, characterized in that the monitoring module comprises a process monitoring submodule, a file monitoring submodule and a registry monitoring submodule; the process monitoring submodule independently handles control of access to process objects or thread objects, while the file monitoring submodule and the registry monitoring submodule both need to call the process monitoring submodule to complete control of access to file objects and registry objects.
4. The mandatory access control apparatus based on the Windows platform according to claim 3, characterized in that the monitoring module is a kernel SSDT-HOOK module using kernel-level Hook technology; the Hook set of the process monitoring submodule is used to monitor creating a process, opening a process, terminating a process, creating a thread, opening a thread and terminating a thread; the Hook set of the file monitoring submodule is used to monitor creating or opening a file, opening a file, deleting or renaming a file, and setting the extended attributes of a file; the Hook set of the registry monitoring submodule is used to monitor creating or opening a registry entry, opening a registry entry, deleting a registry entry, adding or setting a registry key, and deleting a registry key.
5. The mandatory access control apparatus based on the Windows platform according to claim 1, characterized in that the core security server is used to manage the security contexts of kernel objects, handle the mandatory access control decision requests of processes, and return the decision results.
6. The mandatory access control apparatus based on the Windows platform according to claim 1, characterized in that the core security server, following the DTE security model and depending on the object accessed, forms binary files used for policy decisions on the different objects.
7. A mandatory access control method based on the Windows platform, characterized in that the method is controlled by a monitoring module and a core security server arranged in the Windows system kernel layer, the method comprising the following steps:
(1) a Windows application sends an access request to a Windows system kernel object through a system call;
(2) the monitoring module intercepts the access request from the Windows operating system process to the kernel object and submits it to the core security server for a policy decision;
(3) after the core security server makes the permission decision, the monitoring module determines, according to the security server's result, whether to permit the object access request: if allowed, the original system call is executed; if refused, it returns directly.
8. The method according to claim 7, characterized in that, when the kernel object accessed is a process object or thread object, the monitoring module adds a security identifier to the process object or thread object, the security identifier being set by reading the binary file that the core security server created according to the rules for process objects or thread objects.
9. The method according to claim 7, characterized in that the monitoring module is a kernel SSDT-HOOK module using kernel-level Hook technology and is used to monitor the accessed objects during their life cycle.
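The mediation flow of claims 1 and 7, with a per-object-class DTE policy in the spirit of claim 6, modelled in user space as an added example (not code from the patent). The domain names, type names, operation bits, status codes and the default-deny rule are assumptions, and the kernel-level interception is replaced by an ordinary function call.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model: every name below is hypothetical, not taken from the patent. */
enum obj_class { OBJ_FILE, OBJ_PROCESS, OBJ_REGISTRY };
enum { OP_READ = 1, OP_WRITE = 2, OP_DELETE = 4, OP_TERMINATE = 8 };
enum { STATUS_OK = 0, STATUS_DENIED = -1 };

struct rule { const char *domain; enum obj_class cls; const char *type; unsigned allowed; };

/* Constructed DTE policy: (subject domain, object class, object type) -> permitted ops. */
static const struct rule policy[] = {
    { "browser_d", OBJ_FILE,     "user_doc_t", OP_READ | OP_WRITE },
    { "browser_d", OBJ_FILE,     "system_t",   OP_READ },
    { "admin_d",   OBJ_REGISTRY, "autorun_t",  OP_READ | OP_WRITE | OP_DELETE },
    { "admin_d",   OBJ_PROCESS,  "service_t",  OP_TERMINATE },
};

/* Security server: pure decision function; assumed default deny when no rule matches. */
static int security_server_decide(const char *domain, enum obj_class cls,
                                  const char *type, unsigned requested)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct rule *r = &policy[i];
        if (r->cls == cls && !strcmp(r->domain, domain) && !strcmp(r->type, type))
            return requested != 0 && (requested & ~r->allowed) == 0; /* all bits granted */
    }
    return 0;
}

static int original_calls;  /* counts how often the stand-in original call ran */
static int original_call(void) { original_calls++; return STATUS_OK; }

/* Monitoring module: ask for a decision first, forward to the original call only on allow. */
int monitored_access(const char *domain, enum obj_class cls,
                     const char *type, unsigned requested)
{
    if (!security_server_decide(domain, cls, type, requested))
        return STATUS_DENIED;   /* refused: return directly, object untouched */
    return original_call();
}

int main(void)
{
    int ok = monitored_access("browser_d", OBJ_FILE, "user_doc_t", OP_READ) == STATUS_OK
          && monitored_access("browser_d", OBJ_FILE, "system_t", OP_WRITE) == STATUS_DENIED;
    return ok ? 0 : 1;
}
```

Keeping the decision function free of side effects means the policy can be unit-tested without any interception layer, and a request with any ungranted operation bit is refused as a whole rather than partially served.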
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2010105875815A CN102542182A (en) | 2010-12-15 | 2010-12-15 | Device and method for controlling mandatory access based on Windows platform |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102542182A true CN102542182A (en) | 2012-07-04 |
Family
ID=46349052
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2010105875815A Pending CN102542182A (en) | 2010-12-15 | 2010-12-15 | Device and method for controlling mandatory access based on Windows platform |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102542182A (en) |
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102904889A (en) * | 2012-10-12 | 2013-01-30 | 北京可信华泰信息技术有限公司 | Cross-platform-unified-management-supported mandatory access controlling system and method |
WO2014059885A1 (en) * | 2012-10-17 | 2014-04-24 | Tencent Technology (Shenzhen) Company Limited | Apparatus and method for preventing a virus file from illegally manipulating a device |
CN103778006A (en) * | 2014-02-12 | 2014-05-07 | 成都卫士通信息安全技术有限公司 | Method for controlling progress of operating system |
CN104133726A (en) * | 2014-08-13 | 2014-11-05 | 浪潮电子信息产业股份有限公司 | Process context mandatory access control method |
CN104394175A (en) * | 2014-12-17 | 2015-03-04 | 中国人民解放军国防科学技术大学 | Message access control method based on network marking |
CN104508676A (en) * | 2012-08-03 | 2015-04-08 | 阿尔卡特朗讯公司 | Mandatory protection control in virtual machines |
CN104881291A (en) * | 2015-06-03 | 2015-09-02 | 北京金山安全软件有限公司 | Control method and device of default browser and terminal |
CN106156610A (en) * | 2016-06-29 | 2016-11-23 | 北京金山安全软件有限公司 | Process path acquisition method and device and electronic equipment |
CN106156622A (en) * | 2016-07-04 | 2016-11-23 | 北京金山安全软件有限公司 | Service process registration method and device and terminal equipment |
CN106778208A (en) * | 2016-12-01 | 2017-05-31 | 深圳Tcl新技术有限公司 | The access processing method and device of application program |
CN106778298A (en) * | 2016-12-01 | 2017-05-31 | 电子科技大学 | A kind of forced access control method and device towards real time operating system |
CN107547520A (en) * | 2017-07-31 | 2018-01-05 | 中国科学院信息工程研究所 | Flask security modules, construction method and mobile Web system |
CN108287779A (en) * | 2018-01-24 | 2018-07-17 | 郑州云海信息技术有限公司 | A kind of Windows startup items monitoring method and system |
CN108536448A (en) * | 2018-03-21 | 2018-09-14 | 江苏长顺江波软件科技发展有限公司 | A method of modification windows operating systems SID |
WO2019051948A1 (en) * | 2017-09-15 | 2019-03-21 | 平安科技(深圳)有限公司 | Method, apparatus, server, and storage medium for processing monitoring data |
CN109740310A (en) * | 2018-12-29 | 2019-05-10 | 北京嘉楠捷思信息技术有限公司 | Kernel object access method and device for embedded operating system |
CN109831420A (en) * | 2018-05-04 | 2019-05-31 | 360企业安全技术(珠海)有限公司 | The determination method and device of kernel process permission |
CN110348234A (en) * | 2019-07-01 | 2019-10-18 | 电子科技大学 | Pressure access safety strategy implementation method and management method in MILS framework |
CN110472412A (en) * | 2019-08-21 | 2019-11-19 | 杭州安恒信息技术股份有限公司 | The program self-protection method and device monopolized based on kernel |
CN110532798A (en) * | 2019-07-26 | 2019-12-03 | 苏州浪潮智能科技有限公司 | A kind of file forced access control method and device |
CN111259348A (en) * | 2020-02-20 | 2020-06-09 | 国网信息通信产业集团有限公司 | Method and system for safely running executable file |
CN112597492A (en) * | 2020-12-24 | 2021-04-02 | 浙大网新科技股份有限公司 | Binary executable file change monitoring method based on Windows kernel |
WO2024078348A1 (en) * | 2022-10-13 | 2024-04-18 | 中科方德软件有限公司 | Method and apparatus for processing registry operation in application porting environment, and medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020166052A1 (en) * | 2001-05-04 | 2002-11-07 | Microsoft Corporation | System and methods for caching in connection with authorization in a computer system |
CN101729550A (en) * | 2009-11-09 | 2010-06-09 | 西北大学 | Digital content safeguard system based on transparent encryption and decryption method thereof |
- 2010
- 2010-12-15 CN CN2010105875815A patent/CN102542182A/en active Pending
Non-Patent Citations (1)
Title |
---|
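李奇 (Li Qi): "Research, Design and Implementation of a Windows Access Control Enforcement Framework" (Windows访问控制实施框架研究、设计与实现), China Master's Theses Full-text Database, Information Science and Technology series (《中国优秀硕士学位论文全文数据库信息科技辑》) * |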
Cited By (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104508676B (en) * | 2012-08-03 | 2017-12-01 | 阿尔卡特朗讯公司 | Mandatory protection control in virtual machine |
CN104508676A (en) * | 2012-08-03 | 2015-04-08 | 阿尔卡特朗讯公司 | Mandatory protection control in virtual machines |
CN102904889B (en) * | 2012-10-12 | 2016-09-07 | 北京可信华泰信息技术有限公司 | Support the forced symmetric centralization system and method for cross-platform unified management |
CN102904889A (en) * | 2012-10-12 | 2013-01-30 | 北京可信华泰信息技术有限公司 | Cross-platform-unified-management-supported mandatory access controlling system and method |
WO2014059885A1 (en) * | 2012-10-17 | 2014-04-24 | Tencent Technology (Shenzhen) Company Limited | Apparatus and method for preventing a virus file from illegally manipulating a device |
CN103778006A (en) * | 2014-02-12 | 2014-05-07 | 成都卫士通信息安全技术有限公司 | Method for controlling progress of operating system |
CN103778006B (en) * | 2014-02-12 | 2017-02-08 | 成都卫士通信息安全技术有限公司 | Method for controlling progress of operating system |
CN104133726A (en) * | 2014-08-13 | 2014-11-05 | 浪潮电子信息产业股份有限公司 | Process context mandatory access control method |
CN104394175A (en) * | 2014-12-17 | 2015-03-04 | 中国人民解放军国防科学技术大学 | Message access control method based on network marking |
CN104881291A (en) * | 2015-06-03 | 2015-09-02 | 北京金山安全软件有限公司 | Control method and device of default browser and terminal |
CN104881291B (en) * | 2015-06-03 | 2018-05-25 | 北京金山安全软件有限公司 | Control method and device of default browser and terminal |
CN106156610A (en) * | 2016-06-29 | 2016-11-23 | 北京金山安全软件有限公司 | Process path acquisition method and device and electronic equipment |
CN106156610B (en) * | 2016-06-29 | 2019-02-12 | 珠海豹趣科技有限公司 | A kind of process path acquisition methods, device and electronic equipment |
CN106156622A (en) * | 2016-07-04 | 2016-11-23 | 北京金山安全软件有限公司 | Service process registration method and device and terminal equipment |
CN106778298A (en) * | 2016-12-01 | 2017-05-31 | 电子科技大学 | A kind of forced access control method and device towards real time operating system |
CN106778208A (en) * | 2016-12-01 | 2017-05-31 | 深圳Tcl新技术有限公司 | The access processing method and device of application program |
CN107547520A (en) * | 2017-07-31 | 2018-01-05 | 中国科学院信息工程研究所 | Flask security modules, construction method and mobile Web system |
WO2019051948A1 (en) * | 2017-09-15 | 2019-03-21 | 平安科技(深圳)有限公司 | Method, apparatus, server, and storage medium for processing monitoring data |
CN108287779A (en) * | 2018-01-24 | 2018-07-17 | 郑州云海信息技术有限公司 | A kind of Windows startup items monitoring method and system |
CN108287779B (en) * | 2018-01-24 | 2021-07-27 | 郑州云海信息技术有限公司 | A kind of Windows startup item monitoring method and system |
CN108536448A (en) * | 2018-03-21 | 2018-09-14 | 江苏长顺江波软件科技发展有限公司 | A method of modification windows operating systems SID |
CN109831420A (en) * | 2018-05-04 | 2019-05-31 | 360企业安全技术(珠海)有限公司 | The determination method and device of kernel process permission |
CN109831420B (en) * | 2018-05-04 | 2021-10-22 | 360企业安全技术(珠海)有限公司 | Method and device for determining kernel process authority |
CN109740310A (en) * | 2018-12-29 | 2019-05-10 | 北京嘉楠捷思信息技术有限公司 | Kernel object access method and device for embedded operating system |
CN109740310B (en) * | 2018-12-29 | 2024-06-07 | 嘉楠明芯(北京)科技有限公司 | Kernel object access method and device for embedded operating system |
CN110348234A (en) * | 2019-07-01 | 2019-10-18 | 电子科技大学 | Pressure access safety strategy implementation method and management method in MILS framework |
CN110532798B (en) * | 2019-07-26 | 2021-07-27 | 苏州浪潮智能科技有限公司 | A kind of file mandatory access control method and device |
CN110532798A (en) * | 2019-07-26 | 2019-12-03 | 苏州浪潮智能科技有限公司 | A kind of file forced access control method and device |
CN110472412A (en) * | 2019-08-21 | 2019-11-19 | 杭州安恒信息技术股份有限公司 | The program self-protection method and device monopolized based on kernel |
CN111259348A (en) * | 2020-02-20 | 2020-06-09 | 国网信息通信产业集团有限公司 | Method and system for safely running executable file |
CN111259348B (en) * | 2020-02-20 | 2023-03-07 | 国网信息通信产业集团有限公司 | Method and system for safely running executable file |
CN112597492A (en) * | 2020-12-24 | 2021-04-02 | 浙大网新科技股份有限公司 | Binary executable file change monitoring method based on Windows kernel |
CN112597492B (en) * | 2020-12-24 | 2023-09-19 | 浙大网新科技股份有限公司 | Binary executable file modification monitoring method based on Windows kernel |
WO2024078348A1 (en) * | 2022-10-13 | 2024-04-18 | 中科方德软件有限公司 | Method and apparatus for processing registry operation in application porting environment, and medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102542182A (en) | Device and method for controlling mandatory access based on Windows platform | |
US8321932B2 (en) | Program-based authorization | |
TWI333614B (en) | Method, system, and program for processing a file request | |
US10417179B2 (en) | Method for managing files and apparatus using the same | |
US7386885B1 (en) | Constraint-based and attribute-based security system for controlling software component interaction | |
CN104732147A (en) | Application program processing method | |
US7580933B2 (en) | Resource handling for taking permissions | |
CN104751050A (en) | Client application program management method | |
JP2021535475A (en) | Access control policy placement methods, devices, systems and storage media | |
CN109923547B (en) | Program behavior monitoring device, distributed object generation management device, storage medium, and program behavior monitoring system | |
CN115917539A (en) | Method for securing system calls, method for enforcing associated security policies, and device for executing said methods | |
EP3779747B1 (en) | Methods and systems to identify a compromised device through active testing | |
JP2020502699A (en) | Architecture, method and apparatus for implementing collection and display of computer file metadata | |
US20200274753A1 (en) | Method for creating and managing permissions for accessing yang data in yang-based datastores | |
JP2004303242A (en) | Security attributes in trusted computing systems | |
US20230214248A1 (en) | Controlling Container Commands Issued In A Distributed Computing Environment | |
JP2008152519A (en) | Computer and its basic software | |
CN109784041B (en) | Event processing method and device, storage medium and electronic device | |
Lovat et al. | Data-centric multi-layer usage control enforcement: A social network example | |
KR101956725B1 (en) | A system for server access control using permitted execution files and dynamic library files | |
US11954203B2 (en) | Methods and systems for identifying a compromised device through its unmanaged profile | |
US11343258B2 (en) | Methods and systems for identifying a compromised device through its managed profile | |
US11645402B2 (en) | Methods and systems for identifying compromised devices from file tree structure | |
CN115270101A (en) | Application control method executed on the client side | |
CN107944297B (en) | A control method and device for accessing files |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20120704 |