CN103605930A - Double file anti-divulging method and system based on HOOK and filtering driving - Google Patents
Double file anti-divulging method and system based on HOOK and filtering driving Download PDFInfo
- Publication number
- CN103605930A CN103605930A CN201310617088.7A CN201310617088A CN103605930A CN 103605930 A CN103605930 A CN 103605930A CN 201310617088 A CN201310617088 A CN 201310617088A CN 103605930 A CN103605930 A CN 103605930A
- Authority
- CN
- China
- Prior art keywords
- file
- hook
- module
- irp
- request
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2107—File encryption
Abstract
The invention relates to a double file anti-divulging method based on HOOK and filtering driving. An application layer control module sends filtering strategies to a HOOK module and a file filtering driving module, the HOOK module and the file filtering driving module carry out following anti-divulging processing according to the filtering strategies, namely, in the HOOK module, HOOK. DLL is loaded into a system operation course, the HOOK is used for intercepting all of system calling functions for a clipboard in an application layer, data copying in the application layer is monitored; IRP distributing functions are registered in the file filtering driving module, an IRP request sent to a file system by an IO manager is intercepted, and processing is carried out according to the filtering strategies. According to the method, file information is protected in the application layer and a driving layer in a double mode, divulging loopholes which can be possibly generated by each other are compensated mutually, safety, stability and reliability are achieved, extra hardware and software support is of no need, cost is low, and the method and system are suitable for being widely used by an individual, an enterprise and a public institution.
Description
Technical field
The present invention relates to anti-method and the transparent guard system of divulging a secret of a kind of computer file ciphering, be specifically related to the anti-method and system of divulging a secret of a kind of dualized file based on HOOK and filtration drive.
Background technology
At information security field, document protection is the emphasis, particularly document transparent encryption technology of research always, and its intention automatically completes the encryption and decryption to document under the prerequisite that does not change user operation habits.Realizing stable, efficient, safe document guard system is a difficult problem, but it is in network security, information protection field extensive application.These technological difficulties are not only transparent protection, the more important thing is and prevent that document from divulging a secret.The domestic and international method for the transparent protection of document mainly contains two kinds at present, and a kind of is the HOOK technology of tackling based on API, and another kind is the Driving technique based on IRP interception.HOOK technology, owing to realizing in application layer, causes inefficiency, and the mode of reentrying with file easily makes clear text file copy to take out of; Driving technique also can be divided into buffer memory and double buffering technology clearly, clear caching technology in efficiency lower than double buffering technology, double buffering technology is only present in the middle of theoretical research at present, stability and practicality are difficult to guarantee, there is file clean-up and the synchronous difficult problem of buffer memory in the double buffering technology based on hierarchical file system (Layer FSD) for example, clear caching technology is more reliable and more stable by contrast, and domestic a lot of business application are also to adopt this scheme, and the present invention also adopts clear buffering scheme.But to the transparent protection of file, be only inadequate, can make so transparent protection lose meaning and can affect system effectiveness, safety, stable anti-disclosure system should consider and driving the issuable situation block the outlet of divulging a secret of divulging a secret of layer and application layer, file security is put in the first place, prevent that as much as possible significant data from leaking, no matter Shi Dui enterprise is still individual, and it is all very serious that confidential information is leaked the consequence causing.
Current achievement in research realizes mainly for Windows file system both at home and abroad, even some are known as, adopts the price of double buffering technology realization also more expensive, can only be theoretical research system, and stability and practicality are difficult to guarantee.Based on Linux environment, realize the scheme of transparent encryption, this scheme needs more modification Linux File System Kernel source code and recompilates, and is not suitable for mainstream operation system.The scheme that mostly adopts Windows filter Driver on FSD mode to realize has all reduced document protection dynamics; more lay particular emphasis on transparent protection and fail the more accurately actual consideration problem of divulging a secret, during such as transparent protection, revise that process name, clear text file are not encrypted, suffix saves as or the situation of data Replica.Some schemes have more or less been blocked some of them approach, but are difficult to accomplish comprehensive and perfectly safe.Also there is no so far a kind of high-efficiency and economic, safety and stability, be suitable for the transparent anti-research approach of divulging a secret of the document of current mainstream operation system.
Summary of the invention
Technical matters to be solved by this invention is to provide the anti-method and system of divulging a secret of a kind of dualized file based on HOOK and filtration drive, and the method and system be protected file information safely and effectively.
The technical scheme that the present invention solves the problems of the technologies described above is as follows: a kind of anti-method of divulging a secret of dualized file based on HOOK and filtration drive, comprise the following steps,
S100: application layer control module is to service end transmitter owner identification authentication request;
S200: management end according to owner's ID authentication request of application layer control module configure with stores service end in encryption policy;
S300: service end is distributed to application layer control module by encryption policy;
S400: application layer control module sends to respectively HOOK module and filter Driver on FSD module by filtering policy, described HOOK module and filter Driver on FSD module are done respectively the following anti-processing of divulging a secret according to filtering policy:
In described HOOK module, HOOK.DLL is loaded in system operation process, in application layer, use all system call functions of HOOK interception to clipbook, and monitor the data Replica of application layer;
In filter Driver on FSD module, register IRP distribution function, interception IO manager mails to the IRP request of file system, and processes according to filtering policy.
On the basis of technique scheme, the present invention can also do following improvement.
Further, in application layer, use all system call functions of HOOK interception to clipbook, HOOK intercepts and captures the method for clipbook system call, comprises following sub-step,
S101: the mode with global hook in application layer control program loads HOOK.DLL in all processes of system, and in HOOK.DLL, the system call address of clipbook is replaced to self-defining function address, if there is clipbook data Replica, enter step S102, if there are clipbook data, paste, enter step S103;
S102: while there is clipbook data Replica, judge that duplicating process is whether in secret process white list, if, in the mode of atomic operation, DLL is shared to secret process replication data Boolean in data segment and be made as true, if not, in the mode of atomic operation, DLL is shared to secret process replication data Boolean in data segment and be made as false;
S103: when clipbook data occurring pasting, judge that stickup process is whether in secret process white list, if stickup is in secret process white list, and during DLL shares, secret process replication field is false, clipbook is emptied, otherwise, the API being fallen by HOOK accordingly called.
Further, described shear plate comprises standard clipbook and OLE clipbook, if stickup process is to occur in OLE clipbook, does not need to empty clipbook.
Further, the communication between process adopts shared drive, and uses the access of name kernel objects notification process.
Further, register IRP distribution function in described filter Driver on FSD module, interception IO manager mails to the IRP request of file system, and processes according to filtering policy, comprises following sub-step,
S201: when filter Driver on FSD module intercepts an IRP bag, detect IPR bag and whether meet filtercondition, if meet filtercondition, directly mail to file system driver, if do not meet filtercondition, according to IRP bag type, do following processing: " request of opening " enters step S202, " read request " enters step S203, " write request " enters step S204, " turn-off request " enters step S205, " cleaning request " enters step S206, and " inquiry request " enters step S207;
S202: when " request of opening " processed, obtain document flow context,
If file is not to open first, add reference count, concurrent toward lower floor's driving, continue structure read request, IRP bag is with non-reentry mode file reading encryption identification, determine whether encrypt file, and document flow context is set, if encrypt file, be made as deciphering while reading, while writing, encrypt, and be set to encrypted state
If file is to open first, be made as while writing and encrypt, clear text file is set to not be modified state, and is set to unencrypted state;
S203: when " read request " processed, if buffering read request or document flow context do not arrange decrypted state while reading, directly mailing to lower floor drives, again apply for the user buffering exchange that internal memory and IRP bag provides, until after having read by the contents decryption in the buffer zone of application and copy to Bing Xiang upper strata, original buffer zone and complete IRP;
S204: when " write request " processed, if buffer write requests, directly mailing to lower floor drives, if the unencryption file write request that right and wrong are newly-built, modification state is set concurrent toward lower floor's driving, data Replica in the user buffering that IRP is provided, in the internal memory of application again, and is encrypted and is mail to lower floor after buffer data and drive , lower floor to drive after IRP when setting is read decrypted state and written data state and completed IRP to upper strata;
S205: when " turn-off request " processed,
If file reference count is not 0, IRP is mail to lower floor and drive,
If file reference count is 0, deciphering while judging whether to read, if read time deciphering, writing in files encryption identification, deciphering when reading, segmentation file reading encrypt after the encryption identification that finally writes of writing in files, finally toward upper strata, complete IRP;
S206: when " cleaning request " processed, remove file cache;
S207: when " inquiry request " processed, the size of file is the valid data length without encryption identification, completes corresponding son request according to file size.
Further, the filtercondition in step S201 is: file do not write authority, volume context not, document flow context do not exist, current operation is catalogue file and current process and file type not in secret process white list.
The beneficial effect of the anti-method of divulging a secret of a kind of dualized file based on HOOK and filtration drive of the present invention is: in this technical program; the method adopting is in application layer and drive layer duplicate protection fileinfo; mutually make up the issuable leak of divulging a secret of folk prescription; safety and stability is reliable; and do not need extra hardware and software support; cost is very low, no matter be that individual or enterprises and institutions are all applicable to generally adopting.
Based on said method, the present invention also provides a kind of anti-disclosure system of transparent encryption and decryption, and this system is a kind of dualized file anti-disclosure system based on HOOK and filtration drive.
A dualized file anti-disclosure system based on HOOK and filtration drive, comprise service end, management end, be positioned at application layer application layer control module, be positioned at application layer HOOK module, be positioned at the filter Driver on FSD module that drives layer,
Described service end is used for providing authentication and distributes encryption policy;
Described management end is for configuring the encryption policy with stores service end;
Described application layer control module is used for gathering service end encryption policy, and encryption policy is sent to HOOK module and filter Driver on FSD module;
Described HOOK module for the encryption policy monitoring clipbook that passes over according to policy module and prevent secret process by data Replica to non-secret process;
Described filter Driver on FSD module mails to the IRP of file system driver for the encryption policy interception passing over according to policy module, complete the automatic encryption and decryption to file read-write content.
Further, described filter Driver on FSD module adopts rc4 to file read-write content-encrypt algorithm, according to read-write length and off-set value, guarantees byte-aligned, dynamically enciphered data content.
Further, described a kind of dualized file anti-disclosure system based on HOOK and filtration drive is based on windows platform.
Further, described tactful acquisition module writes shared drive buffer zone by policy information by rule, and by the synchronous shared drive of mutual exclusion lock buffer zone, HOOK module is from this buffer zone fetch policy information, and filter Driver on FSD is by communication port and application layer communication.
The beneficial effect of a kind of dualized file anti-disclosure system based on HOOK and filtration drive of the present invention is: the technical program provides a kind of safe, stable anti-disclosure system, driving layer and application layer to block the outlet of divulging a secret, file security is guaranteed.
Accompanying drawing explanation
Fig. 1 is the process flow diagram that filtration drive " read request " IRP of the anti-method of divulging a secret of a kind of dualized file based on HOOK and filtration drive of the present invention processes;
Fig. 2 is the process flow diagram that filtration drive " write request " IRP of the anti-method of divulging a secret of a kind of dualized file based on HOOK and filtration drive of the present invention processes;
Fig. 3 is the model of the anti-method of divulging a secret of a kind of dualized file based on HOOK and filtration drive of the present invention;
Fig. 4 is the block diagram of a kind of dualized file anti-disclosure system based on HOOK and filtration drive of the present invention.
Embodiment
Below in conjunction with accompanying drawing, principle of the present invention and feature are described, example, only for explaining the present invention, is not intended to limit scope of the present invention.
A kind of anti-method of divulging a secret of dualized file based on HOOK and filtration drive, first application layer control module sends application (being host identities authentication) to service end, then management end according to owner's ID authentication request of application layer control module configure with stores service end in encryption policy, then service end is issued application layer control module by information, if the information spinner encryption policy here, last application layer control module is omited strategy by mistake and is sent to HOOK module and driver module, described HOOK module and filter Driver on FSD module are done respectively the following anti-processing of divulging a secret according to filtering policy: in described HOOK module, HOOK.DLL is loaded in system operation process, in application layer, use all system call functions of HOOK interception to clipbook, and monitor the data Replica of application layer, in filter Driver on FSD module, register IRP distribution function, interception IO manager mails to the IRP request of file system, and processes according to filtering policy.It should be noted that HOOK module and driver module are to be loaded and started by application layer control module, but moved by system process, when not transmitting encryption policy, also can carry out filtration (just filtering policy is for empty), All Files can not encrypted.
In HOOK module:
The mode that HOOK.DLL dynamic base is injected with hook is loaded into system operation process, and interception is to clipbook all system call functions of (comprising standard clipbook and OLE clipbook), and the data of monitoring application layer copy.In application layer, use all system call functions of HOOK interception to clipbook, the method that HOOK intercepts and captures clipbook system call is: the mode with global hook in application layer control program loads HOOK.DLL in all processes of system, and in HOOK.DLL, the system call address of clipbook is replaced to self-defining function address; If there is clipbook data Replica, judge that duplicating process is whether in secret process white list, if, in the mode of atomic operation, DLL is shared to secret process replication data Boolean in data segment and be made as true, if not, in the mode of atomic operation, DLL is shared to secret process replication data Boolean in data segment and be made as false; If clipbook data occur pastes, judge that stickup process is whether in secret process white list, if pasting is in secret process white list, and during DLL shares, secret process replication field is false, clipbook is emptied, otherwise, call the API being fallen by HOOK accordingly, if occur in, in OLE clipbook, do not need to empty clipbook.For clipbook, data Replica is pasted to the situation of taking out of, the present invention proposes the mode that adopts APIHOOK in application layer, the API that soon shear plate action need will call replaces to the self-defining function of program and tackles appointment API, reaches the object of monitoring clipbook.The function that needs HOOK in the present embodiment is SetClipboardData, OleSetClipbroad, GetClipboardData, OleGetClipbroad, and wherein the first two is for copying the required API of calling, after two for pasting the required API that calls.In clipbook, copy data may have four kinds of situations, and secret process arrives non-secret process to non-secret process, non-secret process to secret process and non-secret process to secret process, secret process.Wherein only having secret process replication data is forbidden to non-secret process, and other situations can be allowed to.First HOOK.DLL is judged the whether secret process of current process and global variable g_bClassifyPs is set by the policy information reading in shared drive while loading, then the shared variable g_bCopyByClassifyPs in HOOK.DLL controls the whether secret process of duplicating process, and the operation calls InterlockedExchange of this variable is carried out with atomic way.When there is paste operation, by g_bClassifyPs and g_bCopyByClassifyPs, judge that whether data copy non-secret process to from secret process, if it is call EmptyClipboard function the content in clipbook is emptied, otherwise do not process.When processing HOOK function corresponding to OleGetClipboard, can clipbook not done to cleaning operation.
In filter Driver on FSD module:
In filtration drive, register IRP distribution function, interception IO manager mails to the IRP request of file system, and processes according to filtering policy.In filtration drive, register IRP distribution function, interception IO manager mails to the IRP request of file system, and the detailed process of processing according to filtering rule is: when filter Driver on FSD intercepts an IRP bag, detect packet and whether meet filtercondition, if meet filtercondition, directly mail to file system driver, if do not meet filtercondition, according to IRP type, optionally do following processing: open request, read request, write request, turn-off request, cleaning request, inquiry request.
Open request: obtain document flow context, if not opening first, add the driving of the concurrent past lower floor of reference count.Continue structure read request IRP with non-reentry mode file reading encryption identification, judge whether encrypt file and document flow context is set, if being made as, encrypt file while separating secret writing while reading, encrypts and is set to encrypted state, if new files is made as while writing, encrypt, clear text file is set to not be modified state and is set to unencrypted state.When processing " request of opening ", can first call corresponding pre-service routine, in this routine, first by calling FltGetVolumeContext judgement, roll up whether device object is the volume equipment of binding, then according to filename, catalogue or equipment are done to filtration treatment, can call FltGetFileNameInformation and obtain file name information.Then judge that current process whether in secret process white list, if there is no filters this IRP, filter IRP and represent that the file IRP that imports this volume device object into does not do the encryption process, directly mail to lower floor's driving.After filtration completes, be current file application documents flow context, if applied for before, increase the reference count in document flow context, according to plaintext, ciphertext or new files, associated documents flow context information is set.The judgement of plaintext ciphertext is manually constructed to the mode of IRP with IoAllocateIRP, directly toward file system driver, send request, file reading encryption identification, relatively the GUID in encryption identification and encryption GUID, if the same represent that this document is encrypt file.
Read request: if buffering read request or document flow context do not arrange decrypted state while reading, directly mailing to lower floor drives, again apply for the user buffering exchange that internal memory and IRP provide, until after having read by the contents decryption in the buffer zone of application and copy Bing Xiang upper strata, original buffer zone to and complete IRP.When processing " read request ", first call the pre-service function that microfiltration drives registration, as shown in Figure 1, whether the volume context that obtains operation by filtering object is the context that needs encryption, otherwise directly IRP being delivered to lower floor drives, then by callback data structure (IRP in similar old filtering model), obtain document flow context, according to callback data structure and flow context correlation parameter, judge whether this IRP needs to filter, because the buffering that micro-filter provides file system only has read right, direct decrypted buffer, so must oneself apply for having the buffer zone of access limit to replace original buffer zone, aftertreatment readjustment context is finally set, continue to transmit IO request, processing function after registration can be called like this, enter after aftertreatment routine, now it should be noted that filtering manager has carried out automatic conversion by buffering, in the MDL buffer zone that the data that user need to read provide at oneself, directly exchange buffering is decrypted, read how many deciphering how many, just obtained the clear data that need to read, finally by the clear data direct copying in exchange buffering in original user buffering, continue to transmit IRP request toward lower floor.
Write request: drive if buffer write requests directly mails to lower floor, if the newly-built unencryption file of right and wrong arranges modification state concurrent toward lower floor's driving.Data in the user buffering that IRP is provided copy to again in the internal memory of application, and encrypt and mail to lower floor after buffer data and drive , lower floor to drive after IRP when setting is read decrypted state and written data state and completed IRP to upper strata.When processing " write request ", filter manager and first call the pre-service routine of registration before, as shown in Figure 2, by PFLT_CALLBACK_DATA and PCFLT_RELATED_OBJECTS readjustment structure, obtain correlation parameter equally ineligible IRP is filtered, then directly toward lower floor, drive and transmit.In this routine, for revising to encrypt, done special processing, if meet the whether modification parameter that the unencryption file of other conditions is revised flow context, in IRP_MJ_CLOSE, it is processed separately, for new files and encrypt file data writing all do the encryption process; File is fairly simple for the encryption of write request, behind the same good MDL of application buffer zone, data in user buffering district are copied in new buffer zone and done the encryption process, being directly delivered to lower floor drives, the data of encrypting so have just been write disk file, discharge buffer zone and the related context of application in aftertreatment.
Turn-off request: if file reference count is not 0, IRP is mail to lower floor and drive, otherwise deciphering while judging whether to read, is writing in files encryption identification, otherwise segmentation file reading encrypt after writing in files finally write encryption identification.Last past upper strata completes IRP.In to " turn-off request " processing procedure, after being done to corresponding filter operation, IRP mainly processes encrypt file, with file newly-built and written data, these two kinds of files have all been done encryption to data when processing write requests, only need last writing in files encryption identification here.Finally a kind of is exactly that unencrypted clear text file is still revised file data, this file does not do the encryption process when write request, therefore needing own manually structure IRP bag to obtain file content in the mode of non-reentry encrypts again, the length that reads here will be alignd with sector-size minute and read in a looping fashion, and then construct write request IRP bag by the data writing in files of encrypting, last writing in files encryption identification.When writing encryption identification, write together the hash value of encryption key, this inquires about decruption key to check early stage encrypted document or the management of document outgoing by the deciphering outlet that facilitates management end program from database.
Cleaning request: remove file cache.
Inquiry request: when inquiry request is processed, the size of file is the valid data length without encryption identification, completes corresponding son request according to file size.
Wherein, described filtercondition is: file do not write authority, volume context not, document flow context do not exist, current operation is catalogue file and current process and file type not in secret process white list.In filtration drive, register IRP distribution function, interception IO manager mails to the IRP request of file system, and in the scheme of processing according to filtering rule, encryption for clear text file, structure while reading IRP reading of content length must and sector alignment, after reading of content is encrypted, structure writes IRP by enciphered data writing in files, to avoid IRP to reentry.In filtration drive, register IRP distribution function, interception IO manager mails to the IRP request of file system, and in the technical scheme of processing according to filtering rule, secret process white list is deposited in single-track link table, the inside comprises secret process name and file filter suffix.Communication between process adopts shared drive, and uses the access of name kernel objects notification process.
Application layer control module mails to the anti-application layer HOOK.DLL hook program of divulging a secret of ground floor file and the anti-filter drive program of divulging a secret of second layer file by filtering policy, realizes the double filtration at application layer and driving layer.
Wherein, HOOK in application layer HOOK.DLL hook program and the principle of work of the fileflt in filter drive program are as shown in Figure 3, HOOK.DLL is injected into after system process, can tackle the API of appointment, such as traditional hook transparent encryption can be tackled some file operation functions as CreateFile, ReadFile etc., the API that these API provide for operating system kernel storehouse kerner32.DLL, the present invention can not tackle these API, it only need to tackle the function that clipbook is relevant, as GetClipbroadData etc., after HOOK interception, make and after some is revised, can call the API being replaced and continue to call toward lower floor, ntDLL.DLL is the core A PI storehouse that approaches kernel mode most, after arriving inner nuclear layer, can construct corresponding IRP data packet delivery to specifying driving by IO manager.Such as if a file operation, can construct the IRP that corresponding file is relevant and pass to file system driver (accurately saying the device object of file system driver), because filter Driver on FSD has created filter plant object binding (in device stack the superiors) on file system driver device object, so can first process this IRP by driver corresponding to filter plant object, thereby reach the effect of IRP interception.In driving, IRP transfer mode Wei Xiang lower floor drives and transmits IRP and toward upper strata, drive the completion status of returning to lower floor.IRP has the situation (be different from IRP and no longer transmit situation toward lower floor) of synchronous and asynchronous downwards when completing and returning, some IRP may be directly toward the synchronous return state in upper strata after completing, the processing after need to not completing after lower floor has driven, after having driven, the asynchronous Ze Shi of completing lower floor again obtains the control of IRP, processing after carrying out some and completing, while processing such as read request, need to after reading data, lower floor's driving do the encryption process again, write request has not needed aftertreatment, microfiltration driving in the present invention will complete routine and be called aftertreatment.Disk drive is that the read-write operation to physical disk is mainly responsible in the driving of more bottom.Macroscopic view; Figure 3 shows that: in filtration drive of the file system driver upper strata of subscriber's main station Windows operating system interpolation and in conjunction with application layer HOOK technology; interception application program is at the API Calls of application layer and the IRP packet of driving layer; mode protected file private information with double protection; the control module of user's space can manually be generated strategy to mail to and be driven and HOOK module simultaneously, realizes flexibly the transparency protected of file.
Core I RP of the present invention filters and buffer memory exchange is processed as follows:
After obtaining IRP bag in pre-service routine, detect IRP information, if IRP is filter Driver on FSD, need to filter, directly mail to lower floor's driver, filtercondition is as follows:
(1) calling the encrypted volume equipment whether volume equipment that kernel routine FltGetVolumeContext judgement receives IRP was bound, is not to filter;
(2) call kernel routine FltGetStreamContext and judge whether document flow context exists, do not exist and filter;
(3) judge that current process whether in secret process white list, is not to filter, obtain current process and can realize by call macro PsGetCurrentProcess;
(4) calling kernel macro definition FLT_IS_FASTIO_OPERATION and judge whether quick IO, is to filter;
(5) according to IRP sign, judging whether buffer requests of IRP, is to filter;
(6) according to document flow context determination current file clear text file whether, be to filter;
(7) judge that whether file reads length is 0, is to filter, otherwise aligns with sector-size.
The read-write buffer zone providing due to IRP does not have write permission, so read-write IRP needs to apply for kernel buffers and its exchange, wherein the exchange step of read request is as follows:
1), call ExAllocatePoolWithTag and distribute nonpagepool piece newBuf;
2), to call IoAllocateMdl be newBuf application descriptor memory symbol, uses MmBuildMdlForNonPagedPool to set up descriptor memory symbol newMdl;
3), call ExAllocateFromNPagedLookasideList and distribute fixed memory block p2pCtx from kernel Ponds chained list, this is for passing to the readjustment structure of aftertreatment routine, then in IRP read buffer zone and MDL is set to newBuf and newMdl, calling FltSetCallbackDataDirty notice buffer memory is modified, and newBuf is saved in to the SwappedBuffer in p2pCtx, IRP is mail to lower floor and drive.
4) in, aftertreatment routine, the buffering of revising is automatically exchanged, and from p2pCtx->SwappedBuffer, reading out data is deciphered, and obtains the original buffer zone origBuf of IRP, data decryption is copied in origBuf, and notice upper strata has driven.
Based on said method, the present invention also provides a kind of anti-disclosure system of transparent encryption and decryption, and this system is a kind of dualized file anti-disclosure system based on HOOK and filtration drive.
A kind of dualized file anti-disclosure system based on HOOK and filtration drive, as shown in Figure 4, mainly comprise 3 submodules: the HOOK module of application layer, be positioned at the filter Driver on FSD module that drives layer, and the tactful acquisition module that is positioned at application layer, simultaneously, for this modular design, go out the inner anti-disclosure system that uses of applicable enterprises and institutions, newly increased management end (Manager) and service end (Server); Described management end is for configuration and storage encryption strategy; Management end configuration and storage encryption strategy, also provides strategy and certificate management between each group except being responsible for, and file decryption outlet function is also provided simultaneously.Described service end is used for each host information in dump subnet, and authenticates and distribute encryption policy for tactful acquisition module provides; Service end is responsible for each host information in dump subnet as the middleware program of communication, and authenticates and distribute encryption policy to client for client provides.Described tactful acquisition module is used for gathering encryption policy, and encryption policy information is sent to HOOK module and the filter Driver on FSD module of application layer.Described HOOK module for the encryption policy monitoring clipbook that passes over according to policy module and prevent secret process by data Replica to non-secret process.Described filter Driver on FSD module mails to the IRP of file system driver for the encryption policy interception passing over according to policy module, complete the automatic encryption and decryption to file read-write content.
The present invention is for the file transparent encrypting and deciphering system based on windows platform, and embodiment is described below:
Experiment one:
(1) experimental design
PC is configured to: CPU Core i5-2450M, 2600MHz (26x100), 4GB internal memory, Windows XP SP3 operating system, client operation main frame is installed Fileflt and is driven, service end does not need load driver program, and management end sets after grouping and corresponding strategy (experiment is made as notepad, Office Word, Office Excel and Office PPT trusted process and adds secret process white list) as group member distributes named policer and starts server processes.Client process derives the certificate file (the optional off-line type of client or online client host is authenticated, off-line type can be derived off-line data bag and not need server from management end) of own main frame from management end.Experiment adopts the mode of on-line authentication to import certificate running client.Experiment is tested system realization property and leak protection, comprises for the pressure of txt and Office document and encrypts, revises and encrypt, save as and copy situation and the deciphering outlet function that stickup may be divulged a secret.
(2) experimental result and assessment
Experiment one: start client-side program, respectively notepad and Office office document are done to following test:
1. new files data writing preserving with conventional suffix;
2. new files data writing saves as .dat(or other unconventional suffix);
3. open encrypt file and preserve and can normally open;
4. revising unencryption file preserves and again opens;
5. opening unencryption file does not revise directly and closes;
6. after opening file, data are copied to respectively and in browser and other secret processes, produce that can see normal replication;
7. encrypt file is copied to management end, can the deciphering outlet of use management end is checked declassified document.
The first round writes test file experiment after having tested and obtains one group of result, table 1 is the test result of secret process in first round test, for notepad and Office groupware effect, be identical, system is stable for the support of notepad and Office office software, according to table 1 result demonstration new files and amended clear text file, can force to encrypt, encrypt file can normally be accessed, and clear text file only checks not revise and can not force to encrypt, and test result is stable.Simultaneously 6. result show trusted process cannot copy data to untrusted process, other situations copy unrestrictedly, can effectively prevent the situation that shear plate data Replica is taken out of.7. result show encrypt file management end can be in need not load driver situation normal declassified document.
Table 1: file transparent encryption state under load driver condition
Experiment two:
Take the time of txt file as the different big or small File Opens of example analysis.Table 2 is performance evaluation during to File Open.System was tested for the different big or small File Open time of file, and test procedure be take txt file as example, has tested respectively 5MB and has read the time to the file between 30MB, and test data is as shown in table 2.Analysis shows transparency and encrypts driver and do not read and do not have a significant effect for file, and 20MB exists the processing consuming time of about 30ms left and right with interior file, do not affect user and use.
Table 2: different big or small File Open time performance tests
The foregoing is only preferred embodiment of the present invention, in order to limit the present invention, within the spirit and principles in the present invention not all, any modification of doing, be equal to replacement, improvement etc., within all should being included in protection scope of the present invention.
Claims (10)
1. the dualized file based on HOOK and filtration drive is prevented the method for divulging a secret, and it is characterized in that: comprise the following steps,
S100: application layer control module is to service end transmitter owner identification authentication request;
S200: management end according to owner's ID authentication request of application layer control module configure with stores service end in encryption policy;
S300: service end is distributed to application layer control module by encryption policy;
S400: application layer control module sends to respectively HOOK module and filter Driver on FSD module by filtering policy, described HOOK module and filter Driver on FSD module are done respectively the following anti-processing of divulging a secret according to filtering policy:
In described HOOK module, HOOK.DLL is loaded in system operation process, in application layer, use all system call functions of HOOK interception to clipbook, and monitor the data Replica of application layer;
In filter Driver on FSD module, register IRP distribution function, interception IO manager mails to the IRP request of file system, and processes according to filtering policy.
2. a kind of dualized file based on HOOK and filtration drive according to claim 1 is prevented the method for divulging a secret, it is characterized in that: in application layer, use all system call functions of HOOK interception to clipbook, HOOK intercepts and captures the method for clipbook system call, comprises following sub-step
S101: the mode with global hook in application layer control program loads HOOK.DLL in all processes of system, and in HOOK.DLL, the system call address of clipbook is replaced to self-defining function address, if there is clipbook data Replica, enter step S102, if there are clipbook data, paste, enter step S103;
S102: while there is shear plate data Replica, judge that duplicating process is whether in secret process white list, if, in the mode of atomic operation, DLL is shared to secret process replication data Boolean in data segment and be made as true, if not, in the mode of atomic operation, DLL is shared to secret process replication data Boolean in data segment and be made as false;
S103: when shear plate data occurring pasting, judge that stickup process is whether in secret process white list, if stickup is in secret process white list, and during DLL shares, secret process replication field is false, clipbook is emptied, otherwise, the API being fallen by HOOK accordingly called.
3. a kind of dualized file based on HOOK and filtration drive according to claim 2 is prevented the method for divulging a secret, it is characterized in that: described shear plate comprises standard clipbook and OLE clipbook, if stickup process is to occur in OLE clipbook, do not need to empty clipbook.
4. the anti-method of divulging a secret of a kind of dualized file based on HOOK and filtration drive according to claim 1 and 2, is characterized in that: the communication between process adopts shared drive, and uses the access of name kernel objects notification process.
5. a kind of dualized file based on HOOK and filtration drive according to claim 1 and 2 is prevented the method for divulging a secret, it is characterized in that: in described filter Driver on FSD module, register IRP distribution function, interception IO manager mails to the IRP request of file system, and process according to filtering policy, comprise following sub-step
S201: when filter Driver on FSD module intercepts an IRP bag, detect IPR bag and whether meet filtercondition, if meet filtercondition, directly mail to file system driver, if do not meet filtercondition, according to IRP bag type, do following processing: " request of opening " enters step S202, " read request " enters step S203, " write request " enters step S204, " turn-off request " enters step S205, " cleaning request " enters step S206, and " inquiry request " enters step S207;
S202: when " request of opening " processed, obtain document flow context,
If file is not to open first, add reference count, concurrent toward lower floor's driving, continue structure read request, IRP bag is with non-reentry mode file reading encryption identification, determine whether encrypt file, and document flow context is set, if encrypt file, be made as deciphering while reading, while writing, encrypt, and be set to encrypted state
If file is to open first, be made as while writing and encrypt, clear text file is set to not be modified state, and is set to unencrypted state;
S203: when " read request " processed, if buffering read request or document flow context do not arrange decrypted state while reading, directly mailing to lower floor drives, otherwise again apply for the user buffering exchange that internal memory and IRP bag provides, until after having read by the contents decryption in the buffer zone of application and copy to Bing Xiang upper strata, original buffer zone and complete IRP;
S204: when " write request " processed, if buffer write requests, directly mailing to lower floor drives, if the unencryption file write request that right and wrong are newly-built, modification state is set concurrent toward lower floor's driving, otherwise the data Replica in the user buffering that IRP is provided is in the internal memory of application again, and encrypts and mail to lower floor after buffer data and drive , lower floor to drive after IRP when setting is read decrypted state and written data state and completed IRP to upper strata;
S205: when " turn-off request " processed,
If file reference count is not 0, IRP is mail to lower floor and drive,
If file reference count is 0, deciphering while judging whether to read, if read time deciphering, writing in files encryption identification, deciphering when reading, segmentation file reading encrypt after the encryption identification that finally writes of writing in files, finally toward upper strata, complete IRP;
S206: when " cleaning request " processed, remove file cache;
S207: when " inquiry request " processed, the size of file is the valid data length without encryption identification, completes corresponding son request according to file size.
6. the anti-method of divulging a secret of a kind of dualized file based on HOOK and filtration drive according to claim 5, is characterized in that: the filtercondition in step S201 is: file do not write authority, volume context not, document flow context do not exist, current operation is catalogue file and current process and file type not in secret process white list.
7. the dualized file anti-disclosure system based on HOOK and filtration drive, is characterized in that: comprise service end, management end, be positioned at application layer application layer control module, be positioned at application layer HOOK module, be positioned at the filter Driver on FSD module that drives layer,
Described service end is used for providing authentication and distributes encryption policy;
Described management end is for configuring the encryption policy with stores service end;
Described application layer control module is used for gathering service end encryption policy, and encryption policy is sent to HOOK module and filter Driver on FSD module;
Described HOOK module for the encryption policy monitoring clipbook that passes over according to policy module and prevent secret process by data Replica to non-secret process;
Described filter Driver on FSD module mails to the IRP of file system driver for the encryption policy interception passing over according to policy module, complete the automatic encryption and decryption to file read-write content.
8. according to a kind of dualized file anti-disclosure system based on HOOK and filtration drive according to claim 7, it is characterized in that: described filter Driver on FSD module adopts rc4 to file read-write content-encrypt algorithm, according to read-write length and off-set value, guarantee byte-aligned, dynamically enciphered data content.
9. according to a kind of dualized file anti-disclosure system based on HOOK and filtration drive described in claim 7 or 8, it is characterized in that: described a kind of dualized file anti-disclosure system based on HOOK and filtration drive is based on windows platform.
10. according to a kind of dualized file anti-disclosure system based on HOOK and filtration drive described in claim 7 or 8, it is characterized in that: described tactful acquisition module writes shared drive buffer zone by policy information by rule, by the synchronous shared drive of mutual exclusion lock buffer zone, HOOK module is from this buffer zone fetch policy information, and filter Driver on FSD is by communication port and application layer communication.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310617088.7A CN103605930B (en) | 2013-11-27 | 2013-11-27 | A kind of dualized file based on HOOK and filtration drive prevents divulging a secret method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310617088.7A CN103605930B (en) | 2013-11-27 | 2013-11-27 | A kind of dualized file based on HOOK and filtration drive prevents divulging a secret method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103605930A true CN103605930A (en) | 2014-02-26 |
| CN103605930B CN103605930B (en) | 2016-04-13 |
Family
ID=50124151
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310617088.7A Active CN103605930B (en) | 2013-11-27 | 2013-11-27 | A kind of dualized file based on HOOK and filtration drive prevents divulging a secret method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103605930B (en) |
Cited By (49)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103995990A (en) * | 2014-05-14 | 2014-08-20 | 江苏敏捷科技股份有限公司 | Method for preventing electronic documents from divulging secrets |
| CN104021320A (en) * | 2014-06-20 | 2014-09-03 | 福建天晴数码有限公司 | Method, device and system for protecting copyrights of APK files |
| CN104346478A (en) * | 2014-11-25 | 2015-02-11 | 成都卫士通信息安全技术有限公司 | File transparent identification method based on application program file operation hook |
| CN104360991A (en) * | 2014-11-25 | 2015-02-18 | 成都卫士通信息安全技术有限公司 | Method of controlling clipboard based on transparent identifier of document |
| CN104680079A (en) * | 2015-02-04 | 2015-06-03 | 上海信息安全工程技术研究中心 | Electronic document security management system and electronic document security management method |
| CN104834835A (en) * | 2015-05-13 | 2015-08-12 | 武汉大学 | Universal digital rights protection method under Windows platform |
| CN105103159A (en) * | 2013-04-10 | 2015-11-25 | 国际商业机器公司 | Spooling system call data to facilitate data transformation |
| CN105224862A (en) * | 2015-09-25 | 2016-01-06 | 北京北信源软件股份有限公司 | A kind of hold-up interception method of office shear plate and device |
| CN105373727A (en) * | 2015-12-15 | 2016-03-02 | 福建实达电脑设备有限公司 | Virtual device redirection based device isolation method |
| CN105471956A (en) * | 2014-09-11 | 2016-04-06 | 中兴通讯股份有限公司 | User safety control method of social network, social application tool and terminal |
| CN105468992A (en) * | 2015-11-20 | 2016-04-06 | 贵州联科卫信科技有限公司 | Method related to limitation to content duplication of electronic medical record editor |
| CN105574443A (en) * | 2015-05-27 | 2016-05-11 | 上海宇尚信息科技有限公司 | Android system based encryption storage method |
| CN105787373A (en) * | 2016-05-17 | 2016-07-20 | 武汉大学 | Android terminal data leak-proof method in mobile office system |
| CN105956464A (en) * | 2016-04-25 | 2016-09-21 | 北京珊瑚灵御科技有限公司 | Android platform-based clipboard control system and method |
| CN106096458A (en) * | 2016-05-31 | 2016-11-09 | 浪潮电子信息产业股份有限公司 | A kind of method and device protecting security of system |
| CN106156622A (en) * | 2016-07-04 | 2016-11-23 | 北京金山安全软件有限公司 | Service process registration method and device and terminal equipment |
| CN106203130A (en) * | 2016-06-26 | 2016-12-07 | 厦门天锐科技股份有限公司 | A kind of transparent encipher-decipher method driving layer based on Intelligent Dynamic |
| CN106897636A (en) * | 2017-02-28 | 2017-06-27 | 郑州云海信息技术有限公司 | A kind of mobile memory medium method for managing security based on API HOOK |
| CN107247907A (en) * | 2017-04-28 | 2017-10-13 | 国电南瑞科技股份有限公司 | A kind of electric automobile interconnects Information Security Defending System |
| CN107480538A (en) * | 2017-06-30 | 2017-12-15 | 武汉斗鱼网络科技有限公司 | File encrypting method, device, computer-readable recording medium and equipment |
| CN107609408A (en) * | 2017-08-18 | 2018-01-19 | 成都索贝数码科技股份有限公司 | A kind of method based on filtration drive control file operation behavior |
| CN107657180A (en) * | 2016-07-26 | 2018-02-02 | 阿里巴巴集团控股有限公司 | A kind of information processing client, server and method |
| CN108304695A (en) * | 2018-01-30 | 2018-07-20 | 云易天成(北京)安全科技开发有限公司 | Anti-data-leakage control method, the system of object oriented file outgoing |
| CN108733989A (en) * | 2017-04-19 | 2018-11-02 | 湖南鼎源蓝剑信息科技有限公司 | A kind of communication protocol encryption method for Android applications |
| CN108829708A (en) * | 2018-05-02 | 2018-11-16 | 广州金山安全管理系统技术有限公司 | File security judgment method and device |
| CN109033872A (en) * | 2018-07-18 | 2018-12-18 | 郑州信大捷安信息技术股份有限公司 | A kind of secure operating environment building method of identity-based |
| CN109117664A (en) * | 2018-07-19 | 2019-01-01 | 北京明朝万达科技股份有限公司 | The access control method and device of application program |
| CN109409098A (en) * | 2017-10-24 | 2019-03-01 | 浙江华途信息安全技术股份有限公司 | The method and apparatus for preventing shear plate leaking data |
| CN109784041A (en) * | 2018-12-29 | 2019-05-21 | 360企业安全技术(珠海)有限公司 | Event-handling method and device and storage medium and electronic device |
| CN109800576A (en) * | 2018-12-29 | 2019-05-24 | 360企业安全技术(珠海)有限公司 | Monitoring method, device and the electronic device of unknown program exception request |
| CN110059004A (en) * | 2019-03-21 | 2019-07-26 | 深圳市腾讯信息技术有限公司 | A kind of method, apparatus, equipment and the medium of application test |
| CN111261200A (en) * | 2020-01-23 | 2020-06-09 | 奇安信科技集团股份有限公司 | Burning equipment control method and device based on kernel and electronic equipment |
| CN111539010A (en) * | 2020-06-16 | 2020-08-14 | 北京明朝万达科技股份有限公司 | Clipboard control method and device, electronic equipment and computer-readable storage medium |
| CN111858094A (en) * | 2020-07-14 | 2020-10-30 | 北京海泰方圆科技股份有限公司 | Data copying and pasting method and system and electronic equipment |
| CN112035832A (en) * | 2020-08-21 | 2020-12-04 | 郑州信大捷安信息技术股份有限公司 | Method and system for monitoring file activities |
| CN112052477A (en) * | 2020-08-31 | 2020-12-08 | 郑州信大捷安信息技术股份有限公司 | Isolation method and system based on portable operating system disk |
| CN112148296A (en) * | 2020-08-18 | 2020-12-29 | 华控清交信息科技(北京)有限公司 | Compiling and running method and device and compiling and running device |
| CN112463402A (en) * | 2020-11-03 | 2021-03-09 | 浙江华途信息安全技术股份有限公司 | Clipboard control method and system based on macOS operating system |
| CN112818341A (en) * | 2021-01-26 | 2021-05-18 | 山东方寸微电子科技有限公司 | External device control method and device based on operating system filter layer drive |
| CN112906000A (en) * | 2021-03-03 | 2021-06-04 | 深信服科技股份有限公司 | Program access method, device and equipment and readable storage medium |
| CN113328995A (en) * | 2021-05-06 | 2021-08-31 | 深圳市联软科技股份有限公司 | Flow proxy method and system for android |
| CN113688415A (en) * | 2021-10-27 | 2021-11-23 | 湖南新云网科技有限公司 | File management and control method, equipment and storage medium |
| CN113806714A (en) * | 2020-06-14 | 2021-12-17 | 武汉斗鱼鱼乐网络科技有限公司 | Safe transmission method and device for white list information of application program |
| CN113835769A (en) * | 2021-11-29 | 2021-12-24 | 深圳雷柏科技股份有限公司 | Method, device and related assembly for cross-computer control and file sharing of HID (human interface device) |
| CN113934697A (en) * | 2021-10-21 | 2022-01-14 | 中孚安全技术有限公司 | Method and system for improving IO performance based on kernel file filtering driver |
| CN115168300A (en) * | 2022-09-05 | 2022-10-11 | 山东正中信息技术股份有限公司 | Portable mobile working method and system based on file system filtering |
| CN116484396A (en) * | 2023-03-13 | 2023-07-25 | 数影星球(杭州)科技有限公司 | Method and system for encrypting clipboard content based on browser |
| CN117113423A (en) * | 2023-10-24 | 2023-11-24 | 中电科网络安全科技股份有限公司 | Transparent encryption method, device, equipment and storage medium for database |
| CN117113423B (en) * | 2023-10-24 | 2024-04-12 | 中电科网络安全科技股份有限公司 | Transparent encryption method, device, equipment and storage medium for database |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1983296A (en) * | 2005-12-12 | 2007-06-20 | 北京瑞星国际软件有限公司 | Method and device for preventing illegal programm from scavenging |
| CN101916349A (en) * | 2010-07-30 | 2010-12-15 | 中山大学 | File access control method based on filter driving, system and filer manager |
| CN102567659A (en) * | 2010-12-28 | 2012-07-11 | 河南省躬行信息科技有限公司 | File security active protection method based on double-drive linkage |
| CN103218575A (en) * | 2013-04-17 | 2013-07-24 | 武汉元昊科技有限公司 | Host file security monitoring method |
-
2013
- 2013-11-27 CN CN201310617088.7A patent/CN103605930B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1983296A (en) * | 2005-12-12 | 2007-06-20 | 北京瑞星国际软件有限公司 | Method and device for preventing illegal programm from scavenging |
| CN101916349A (en) * | 2010-07-30 | 2010-12-15 | 中山大学 | File access control method based on filter driving, system and filer manager |
| CN102567659A (en) * | 2010-12-28 | 2012-07-11 | 河南省躬行信息科技有限公司 | File security active protection method based on double-drive linkage |
| CN103218575A (en) * | 2013-04-17 | 2013-07-24 | 武汉元昊科技有限公司 | Host file security monitoring method |
Cited By (72)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105103159B (en) * | 2013-04-10 | 2018-06-26 | 国际商业机器公司 | The method, apparatus and computer storage media called for processing system |
| CN105103159A (en) * | 2013-04-10 | 2015-11-25 | 国际商业机器公司 | Spooling system call data to facilitate data transformation |
| CN103995990A (en) * | 2014-05-14 | 2014-08-20 | 江苏敏捷科技股份有限公司 | Method for preventing electronic documents from divulging secrets |
| CN104021320A (en) * | 2014-06-20 | 2014-09-03 | 福建天晴数码有限公司 | Method, device and system for protecting copyrights of APK files |
| CN105471956A (en) * | 2014-09-11 | 2016-04-06 | 中兴通讯股份有限公司 | User safety control method of social network, social application tool and terminal |
| CN104346478A (en) * | 2014-11-25 | 2015-02-11 | 成都卫士通信息安全技术有限公司 | File transparent identification method based on application program file operation hook |
| CN104360991A (en) * | 2014-11-25 | 2015-02-18 | 成都卫士通信息安全技术有限公司 | Method of controlling clipboard based on transparent identifier of document |
| CN104680079A (en) * | 2015-02-04 | 2015-06-03 | 上海信息安全工程技术研究中心 | Electronic document security management system and electronic document security management method |
| CN104834835A (en) * | 2015-05-13 | 2015-08-12 | 武汉大学 | Universal digital rights protection method under Windows platform |
| CN104834835B (en) * | 2015-05-13 | 2017-09-22 | 武汉大学 | A kind of general digital rights protection method under windows platform |
| CN105574443B (en) * | 2015-05-27 | 2018-10-30 | 上海宇尚信息科技有限公司 | A kind of encryption storage method based on android system |
| CN105574443A (en) * | 2015-05-27 | 2016-05-11 | 上海宇尚信息科技有限公司 | Android system based encryption storage method |
| CN105224862A (en) * | 2015-09-25 | 2016-01-06 | 北京北信源软件股份有限公司 | A kind of hold-up interception method of office shear plate and device |
| CN105224862B (en) * | 2015-09-25 | 2018-03-27 | 北京北信源软件股份有限公司 | A kind of hold-up interception method and device of office shear plates |
| CN105468992A (en) * | 2015-11-20 | 2016-04-06 | 贵州联科卫信科技有限公司 | Method related to limitation to content duplication of electronic medical record editor |
| CN105468992B (en) * | 2015-11-20 | 2018-05-11 | 贵州联科卫信科技有限公司 | A kind of method replicated on the limitation of electronic health record editing machine content |
| CN105373727B (en) * | 2015-12-15 | 2018-04-20 | 福建实达电脑设备有限公司 | The equipment blocking method redirected based on virtual unit |
| CN105373727A (en) * | 2015-12-15 | 2016-03-02 | 福建实达电脑设备有限公司 | Virtual device redirection based device isolation method |
| CN105956464A (en) * | 2016-04-25 | 2016-09-21 | 北京珊瑚灵御科技有限公司 | Android platform-based clipboard control system and method |
| CN105787373B (en) * | 2016-05-17 | 2018-08-21 | 武汉大学 | Android terminal data leakage prevention method in a kind of mobile office system |
| CN105787373A (en) * | 2016-05-17 | 2016-07-20 | 武汉大学 | Android terminal data leak-proof method in mobile office system |
| CN106096458A (en) * | 2016-05-31 | 2016-11-09 | 浪潮电子信息产业股份有限公司 | A kind of method and device protecting security of system |
| CN106203130B (en) * | 2016-06-26 | 2019-03-08 | 厦门天锐科技股份有限公司 | A kind of transparent encipher-decipher method based on Intelligent Dynamic driving layer |
| CN106203130A (en) * | 2016-06-26 | 2016-12-07 | 厦门天锐科技股份有限公司 | A kind of transparent encipher-decipher method driving layer based on Intelligent Dynamic |
| CN106156622A (en) * | 2016-07-04 | 2016-11-23 | 北京金山安全软件有限公司 | Service process registration method and device and terminal equipment |
| CN107657180A (en) * | 2016-07-26 | 2018-02-02 | 阿里巴巴集团控股有限公司 | A kind of information processing client, server and method |
| CN106897636A (en) * | 2017-02-28 | 2017-06-27 | 郑州云海信息技术有限公司 | A kind of mobile memory medium method for managing security based on API HOOK |
| CN108733989A (en) * | 2017-04-19 | 2018-11-02 | 湖南鼎源蓝剑信息科技有限公司 | A kind of communication protocol encryption method for Android applications |
| CN107247907A (en) * | 2017-04-28 | 2017-10-13 | 国电南瑞科技股份有限公司 | A kind of electric automobile interconnects Information Security Defending System |
| WO2018196383A1 (en) * | 2017-04-28 | 2018-11-01 | 国电南瑞科技股份有限公司 | Interconnected information security protection system for electric vehicles |
| CN107480538A (en) * | 2017-06-30 | 2017-12-15 | 武汉斗鱼网络科技有限公司 | File encrypting method, device, computer-readable recording medium and equipment |
| CN107609408B (en) * | 2017-08-18 | 2020-07-28 | 成都索贝数码科技股份有限公司 | Method for controlling file operation behavior based on filter driver |
| CN107609408A (en) * | 2017-08-18 | 2018-01-19 | 成都索贝数码科技股份有限公司 | A kind of method based on filtration drive control file operation behavior |
| CN109409098A (en) * | 2017-10-24 | 2019-03-01 | 浙江华途信息安全技术股份有限公司 | The method and apparatus for preventing shear plate leaking data |
| CN108304695A (en) * | 2018-01-30 | 2018-07-20 | 云易天成(北京)安全科技开发有限公司 | Anti-data-leakage control method, the system of object oriented file outgoing |
| CN108829708A (en) * | 2018-05-02 | 2018-11-16 | 广州金山安全管理系统技术有限公司 | File security judgment method and device |
| CN109033872A (en) * | 2018-07-18 | 2018-12-18 | 郑州信大捷安信息技术股份有限公司 | A kind of secure operating environment building method of identity-based |
| CN109117664A (en) * | 2018-07-19 | 2019-01-01 | 北京明朝万达科技股份有限公司 | The access control method and device of application program |
| CN109117664B (en) * | 2018-07-19 | 2020-11-10 | 北京明朝万达科技股份有限公司 | Access control method and device for application program |
| CN109800576B (en) * | 2018-12-29 | 2021-07-23 | 360企业安全技术(珠海)有限公司 | Monitoring method and device for unknown program exception request and electronic device |
| CN109784041A (en) * | 2018-12-29 | 2019-05-21 | 360企业安全技术(珠海)有限公司 | Event-handling method and device and storage medium and electronic device |
| CN109784041B (en) * | 2018-12-29 | 2020-10-16 | 360企业安全技术(珠海)有限公司 | Event processing method and device, storage medium and electronic device |
| CN109800576A (en) * | 2018-12-29 | 2019-05-24 | 360企业安全技术(珠海)有限公司 | Monitoring method, device and the electronic device of unknown program exception request |
| CN110059004A (en) * | 2019-03-21 | 2019-07-26 | 深圳市腾讯信息技术有限公司 | A kind of method, apparatus, equipment and the medium of application test |
| CN111261200A (en) * | 2020-01-23 | 2020-06-09 | 奇安信科技集团股份有限公司 | Burning equipment control method and device based on kernel and electronic equipment |
| CN111261200B (en) * | 2020-01-23 | 2021-08-20 | 奇安信科技集团股份有限公司 | Burning equipment control method and device based on kernel and electronic equipment |
| CN113806714A (en) * | 2020-06-14 | 2021-12-17 | 武汉斗鱼鱼乐网络科技有限公司 | Safe transmission method and device for white list information of application program |
| CN111539010A (en) * | 2020-06-16 | 2020-08-14 | 北京明朝万达科技股份有限公司 | Clipboard control method and device, electronic equipment and computer-readable storage medium |
| CN111539010B (en) * | 2020-06-16 | 2023-09-01 | 北京明朝万达科技股份有限公司 | Clipboard control method, device, electronic equipment and computer readable storage medium |
| CN111858094A (en) * | 2020-07-14 | 2020-10-30 | 北京海泰方圆科技股份有限公司 | Data copying and pasting method and system and electronic equipment |
| CN112148296A (en) * | 2020-08-18 | 2020-12-29 | 华控清交信息科技(北京)有限公司 | Compiling and running method and device and compiling and running device |
| CN112035832B (en) * | 2020-08-21 | 2022-02-11 | 郑州信大捷安信息技术股份有限公司 | Method and system for monitoring file activities |
| CN112035832A (en) * | 2020-08-21 | 2020-12-04 | 郑州信大捷安信息技术股份有限公司 | Method and system for monitoring file activities |
| CN112052477B (en) * | 2020-08-31 | 2022-03-25 | 郑州信大捷安信息技术股份有限公司 | Isolation method and system based on portable operating system disk |
| CN112052477A (en) * | 2020-08-31 | 2020-12-08 | 郑州信大捷安信息技术股份有限公司 | Isolation method and system based on portable operating system disk |
| CN112463402A (en) * | 2020-11-03 | 2021-03-09 | 浙江华途信息安全技术股份有限公司 | Clipboard control method and system based on macOS operating system |
| CN112818341A (en) * | 2021-01-26 | 2021-05-18 | 山东方寸微电子科技有限公司 | External device control method and device based on operating system filter layer drive |
| CN112906000A (en) * | 2021-03-03 | 2021-06-04 | 深信服科技股份有限公司 | Program access method, device and equipment and readable storage medium |
| CN112906000B (en) * | 2021-03-03 | 2024-02-23 | 深信服科技股份有限公司 | Program access method, device, equipment and readable storage medium |
| CN113328995B (en) * | 2021-05-06 | 2023-03-24 | 深圳市联软科技股份有限公司 | Flow proxy method and system for android |
| CN113328995A (en) * | 2021-05-06 | 2021-08-31 | 深圳市联软科技股份有限公司 | Flow proxy method and system for android |
| CN113934697B (en) * | 2021-10-21 | 2022-04-08 | 中孚安全技术有限公司 | Method and system for improving IO performance based on kernel file filtering driver |
| CN113934697A (en) * | 2021-10-21 | 2022-01-14 | 中孚安全技术有限公司 | Method and system for improving IO performance based on kernel file filtering driver |
| CN113688415A (en) * | 2021-10-27 | 2021-11-23 | 湖南新云网科技有限公司 | File management and control method, equipment and storage medium |
| CN113835769B (en) * | 2021-11-29 | 2022-02-22 | 深圳雷柏科技股份有限公司 | Method, device and related assembly for cross-computer control and file sharing of HID (human interface device) |
| CN113835769A (en) * | 2021-11-29 | 2021-12-24 | 深圳雷柏科技股份有限公司 | Method, device and related assembly for cross-computer control and file sharing of HID (human interface device) |
| CN115168300A (en) * | 2022-09-05 | 2022-10-11 | 山东正中信息技术股份有限公司 | Portable mobile working method and system based on file system filtering |
| CN115168300B (en) * | 2022-09-05 | 2022-12-09 | 山东正中信息技术股份有限公司 | Portable mobile working method and system based on file system filtering |
| CN116484396A (en) * | 2023-03-13 | 2023-07-25 | 数影星球(杭州)科技有限公司 | Method and system for encrypting clipboard content based on browser |
| CN116484396B (en) * | 2023-03-13 | 2023-10-31 | 数影星球(杭州)科技有限公司 | Method and system for encrypting clipboard content based on browser |
| CN117113423A (en) * | 2023-10-24 | 2023-11-24 | 中电科网络安全科技股份有限公司 | Transparent encryption method, device, equipment and storage medium for database |
| CN117113423B (en) * | 2023-10-24 | 2024-04-12 | 中电科网络安全科技股份有限公司 | Transparent encryption method, device, equipment and storage medium for database |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103605930B (en) | 2016-04-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103605930B (en) | A kind of dualized file based on HOOK and filtration drive prevents divulging a secret method and system | |
| CN101729550B (en) | Digital content safeguard system based on transparent encryption and decryption, and encryption and decryption method thereof | |
| US8850593B2 (en) | Data management using a virtual machine-data image | |
| US8990558B2 (en) | Securing information in a cloud computing system | |
| CN102394894B (en) | Network virtual disk file safety management method based on cloud computing | |
| CA2640804C (en) | Method and system for integrated securing and managing of virtual machines and virtual appliances | |
| CN100592313C (en) | Electric document anti-disclosure system and its implementing method | |
| US20210232546A1 (en) | Method and System for Managing and Securing Subsets of Data in a Large Distributed Data Store | |
| US9152813B2 (en) | Transparent real-time access to encrypted non-relational data | |
| US20220286448A1 (en) | Access to data stored in a cloud | |
| CN103530570A (en) | Electronic document safety management system and method | |
| US20090300712A1 (en) | System and method for dynamically enforcing security policies on electronic files | |
| US20070113078A1 (en) | System and method for encrypting data without regard to application | |
| WO2015050620A2 (en) | Method and system for backing up and restoring a virtual file system | |
| CN102708326A (en) | Protection method for confidential files | |
| CN201682524U (en) | Document transfer authority control system based on document filtering driver | |
| CN104834835B (en) | A kind of general digital rights protection method under windows platform | |
| CN107301544A (en) | A kind of safe Wallet System of block chain | |
| CN104077244A (en) | Process isolation and encryption mechanism based security disc model and generation method thereof | |
| CN104268484A (en) | Cloud environment data leakage prevention method based on virtual isolation mechanism | |
| CN105528553A (en) | A method and a device for secure sharing of data and a terminal | |
| WO2014150339A2 (en) | Method and system for enabling communications between unrelated applications | |
| US20210320947A1 (en) | Systems and methods for data privacy and security | |
| CN105072184A (en) | File sharing system suitable for medium-sized and small enterprises | |
| CN103413100A (en) | File security protection system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CP03 | Change of name, title or address |
Address after: 445000 Xueyuan Road, Enshi Tujia and Miao Autonomous Prefecture, Enshi, No. 39, China Patentee after: HUBEI MINZU University Address before: 445000 Enshi Tujia and Miao Autonomous Prefecture College No. 39, Hubei Province Patentee before: Hubei Institute For Nationalities |
|
| CP03 | Change of name, title or address | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20201127 Address after: Room 208, 2 / F, East Wing building, Zhongguancun Dongsheng science and Technology Park, No. a 18, Xueqing Road, Haidian District, Beijing 100089 Patentee after: GRABLAN (BEIJING) SOFTWARE ENGINEERING Co.,Ltd. Address before: 445000 Xueyuan Road, Enshi Tujia and Miao Autonomous Prefecture, Enshi, No. 39, China Patentee before: HUBEI MINZU University |
|
| TR01 | Transfer of patent right |