CN104320409A - Method for controlling access to cloud disk on basis of Hook technology - Google Patents

Info

Publication number: CN104320409A
Authority: CN (China)
Prior art keywords: access control, cloud disk, cloud, drive, trusted
Legal status: Granted (currently Active)
Application number: CN201410628420.4A
Other languages: Chinese (zh)
Other versions: CN104320409B (en)
Inventors: 何文森, 李雪兵, 孙付
Current assignee: China Electronics Technology Network Security Technology Co., Ltd.
Original assignee: Chengdu Westone Information Industry Inc.
Priority date: 2014-11-10 (priority to CN201410628420.4A)
Filing date: 2014-11-10 (application filed by Chengdu Westone Information Industry Inc.)
Publication of CN104320409A: 2015-01-28
Application granted; publication of CN104320409B: 2018-11-02

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00  Network arrangements or protocols for supporting network services or applications
    • H04L 67/01  Protocols
    • H04L 67/10  Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097  Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60  Protecting data
    • G06F 21/62  Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218  Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention discloses a method for controlling access to a cloud disk on the basis of Hook technology. An access control policy configuration module collects the cloud disk access control policies configured by an administrator and issues them to the access control protection module on each client; after the cloud disk client mounts, a cloud disk mount drive notification module informs the access control protection module of the mounted drive letter; the access control protection module then controls file operations carried out in the corresponding cloud disk drive according to the received access control policies and drive letter. Files in the designated cloud disk drive are protected through Hook technology: read, copy, move and rename operations are protected by configuring trusted processes together with trusted extensions, which solves the problem of cloud terminal files landing on the local machine; at the same time, operations in the cloud disk drive are logged so that post-hoc audit can be carried out conveniently.

Description

Cloud disk access control method based on Hook technology
Technical field
The invention belongs to the field of secure cloud storage and specifically relates to a cloud disk access control method based on Hook technology.
Background technology
A Hook is a platform of the Windows message-handling mechanism. It is in fact a program segment that processes messages and is attached to the system through a system call. Whenever a particular message is sent, the hook program captures it before it reaches the target window, i.e. the hook function obtains control first. At that point the hook function may process (change) the message, may leave it unprocessed and pass it on, or may force delivery to end.
Hook principle: each Hook has an associated pointer list, called the hook chain, which is maintained by the system. The pointers in this list point to application-defined callback functions, the hook subroutines, i.e. the individual handlers of that hook. When a message associated with the specified hook type occurs, the system passes the message to the hook subroutine. Some hook subroutines only monitor the message; others modify it, or stop its progress so that it never reaches the next hook subroutine or the target window. The most recently installed hook is placed at the head of the chain and the earliest-installed hook at the tail, so the hook added last obtains control first.
Windows does not require that hook subroutines be removed in the reverse of the order in which they were installed. Whenever a hook is removed, Windows releases the memory it occupied and updates the whole hook chain. If a program installed a hook but exits before removing it, the system removes the hook on its behalf.
A hook subroutine is an application-defined callback function (CALLBACK function); it cannot be a member function of a class and can only be an ordinary C function. It is used to monitor events of a particular type in the system; these events may be associated with a particular thread or with all threads in the system.
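The hook-chain behaviour described above (the newest hook runs first, each hook may observe, modify or stop a message, and hooks may be removed in any order), shown as an added, portable C simulation. This is example code written for this page, not code from the patent or from Windows: the Message type, the hook names and the three sample hooks are constructed for the illustration, and the real Windows calls (SetWindowsHookEx, CallNextHookEx, UnhookWindowsHookEx) are replaced by the install_hook, dispatch and unhook functions defined here.

```c
#include <stdio.h>
#include <stdlib.h>

/* A constructed message type standing in for the Windows message a hook sees. */
typedef struct { int code; int payload; } Message;

/* A hook procedure: returns 1 to pass the message on, 0 to stop it here. */
typedef int (*HookProc)(Message *msg);

typedef struct Hook {
    const char *name;
    HookProc proc;
    struct Hook *next;
} Hook;

/* The hook chain of the text; here a singly linked list owned by this module. */
static Hook *chain_head = NULL;

/* Installing puts the new hook at the head, so the newest hook gets control first. */
Hook *install_hook(const char *name, HookProc proc) {
    Hook *h = malloc(sizeof *h);
    if (!h) return NULL;
    h->name = name;
    h->proc = proc;
    h->next = chain_head;
    chain_head = h;
    return h;
}

/* Unlink and free a hook wherever it sits: removal order need not mirror install order. */
void unhook(Hook *target) {
    Hook **pp = &chain_head;
    while (*pp && *pp != target) pp = &(*pp)->next;
    if (*pp) { *pp = target->next; free(target); }
}

int chain_length(void) {
    int n = 0;
    for (Hook *h = chain_head; h; h = h->next) n++;
    return n;
}

/* Walk the chain from the head; a hook that returns 0 stops delivery.
 * Returns 1 if the message reached the target window, storing the payload it saw in *seen. */
int dispatch(Message *msg, int *seen) {
    for (Hook *h = chain_head; h; h = h->next)
        if (!h->proc(msg)) return 0;
    *seen = msg->payload;
    return 1;
}

static int monitor_hook(Message *msg) { (void)msg; return 1; }          /* observes only */
static int modify_hook(Message *msg) { msg->payload *= 2; return 1; }   /* changes, then passes on */
static int block_hook(Message *msg) { return msg->code != 0xDEAD; }     /* swallows one message code */

/* Install monitor, then modify, then block; block is newest and therefore runs first.
 * Returns what the target window saw, or -1 if a hook stopped the message. */
int run_scenario(int code, int payload) {
    Hook *m = install_hook("monitor", monitor_hook);
    Hook *d = install_hook("modify", modify_hook);
    Hook *b = install_hook("block", block_hook);
    Message msg = { code, payload };
    int seen = -1;
    int delivered = dispatch(&msg, &seen);
    unhook(d); unhook(b); unhook(m);   /* middle one first: any order works */
    return delivered ? seen : -1;
}

int main(void) {
    printf("normal message: target saw %d\n", run_scenario(1, 21));
    printf("blocked message: target saw %d\n", run_scenario(0xDEAD, 21));
    return 0;
}
```

The point for a defender is the ordering rule: whichever component installs its hook last sits at the head of the chain and can decide what every earlier hook (and the target) gets to see, which is why a protection module of the kind the patent describes has to be loaded after, not before, the processes it guards.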
Summary of the invention
To overcome the above shortcomings of the prior art, the invention provides a cloud disk access control method based on Hook technology. Files in a designated cloud disk drive are protected through Hook technology; read, copy, move and rename operations on those files are protected through the combined configuration of trusted processes and trusted extensions, which solves the problem of cloud disk terminal files landing on the local machine; at the same time, all operations in the cloud disk drive are logged, which facilitates post-hoc audit.
The technical solution adopted by the invention to solve this problem is a cloud disk access control method based on Hook technology comprising an access control policy configuration module, a cloud disk mount drive notification module and an access control protection module, wherein:
The access control policy configuration module is responsible for collecting the cloud disk access control policy configured by the administrator and issuing it to the access control protection module in each client;
After the cloud disk client mounts, the cloud disk mount drive notification module notifies the access control protection module of the mounted drive letter;
The access control protection module controls the file operations carried out in the corresponding cloud disk drive according to the received cloud disk access control policy and drive letter;
The cloud disk access control policy comprises: whether default PE executable files are allowed to bypass monitoring, and whether trusted processes are allowed to copy freely; the configuration of trusted processes, such that only trusted processes are allowed to read and write cloud disk data; and the configuration of special extensions, such that trusted processes are allowed, in special circumstances, to copy files with those extensions out of the cloud disk;
The control the access control protection module implements over file operations in the cloud disk drive comprises: intercepting and parsing create, copy, move, delete and rename operations on the cloud disk drive, then judging whether the process performing the operation is a trusted process; if not, the operation is refused; if so, a further judgment is made. For create and delete operations by a trusted process, the corresponding cloud disk interface is called. For copy and move operations by a trusted process, it is further determined whether the file extension is a trusted extension: if not, the operation is refused; if so, the corresponding cloud disk interface is called. For rename operations by a trusted process, only renaming a trusted extension to an untrusted extension is allowed; otherwise the operation is refused.
Compared with the prior art, the beneficial effects of the invention are:
1) Only operations on the cloud disk drive mounted in the client system are intercepted and monitored; operations on the system's other drives are not affected;
2) Only trusted processes are allowed to operate on cloud disk files, which prevents Trojan programs from copying or moving cloud disk data to the local machine or the network;
3) Even a trusted process cannot copy data out of the cloud disk unless a trusted suffix has been configured;
4) The policy is configurable, convenient and flexible;
5) Policy management is centralized: a single configuration by the administrator is propagated to all clients;
6) Important documents are protected, preventing lawbreakers from stealing enterprise or state secrets;
7) Access logs are recorded, which facilitates post-hoc audit.
Embodiment
A cloud disk access control method based on Hook technology comprises an access control policy configuration module, a cloud disk mount drive notification module and an access control protection module, wherein:
The access control policy configuration module is responsible for collecting and issuing the trusted process policy and the trusted extension policy. It receives the cloud disk access control policy configured by the administrator and issues it to each client. Specifically, the administrator configures whether default PE executable files are exempt from monitoring and whether trusted processes may copy freely; configures the trusted processes, so that only trusted processes may read and write cloud disk data; and configures special extensions, so that trusted processes may, in special circumstances, copy files with those extensions out of the cloud disk. Once policy configuration is complete, the module automatically distributes the policy to the access control protection module in each client.
The cloud disk mount drive notification module tells the access control protection module which cloud disk drive needs protection. After the cloud disk client mounts, it must notify the access control protection module of the mounted drive letter.
The access control protection module uses Hook technology to control the file operations carried out in the cloud disk drive, preventing illegitimate processes from editing or copying data out of the cloud disk and so keeping cloud disk data from landing on the local machine. It receives the mounted drive letter sent by the cloud disk mount drive notification module and the policy information issued by the access control policy configuration module. It intercepts and parses create, copy, move, delete and similar operations on the cloud disk drive, then judges whether the process performing the operation is a trusted process: if not, the operation is refused; if so, a further judgment is made. For create and delete operations by a trusted process, the corresponding cloud disk interface is called. For copy and move operations by a trusted process, it is further determined whether the file extension is trusted: if not, the operation is refused; if so, the corresponding cloud disk interface is called. For rename operations by a trusted process, only renaming a trusted extension to an untrusted extension is allowed; otherwise the operation is refused.
The operating principle of the invention is as follows:
The access control protection module is told which drive to monitor through inter-process communication based on shared memory; it controls only the notified drive and does not affect read and write access to the drives the operating system itself provides.
Access control of the cloud disk drive is implemented with Hook technology and covers the control of file creation, copying, deletion and moving. The CreateRemoteThread function is called to create a remote thread that implants the Hook DLL into each process; the Hook is "attached" to the entry point of each API function that needs modification, taking over that process's file operations.
The details of the access control comprise:
1) Policy: only trusted processes may freely read and write cloud disk data on the virtual disk; apart from the files the policy allows, such a process is not allowed to copy or move other cloud disk files to the local domain; operations within the local domain, such as "save as", are not controlled for now;
2) Default control for trusted processes: PE-format files may be copied or moved to the local domain, and the action is logged;
3) Per-trusted-process control policy: files with the specified extensions may be copied or moved to the local domain, and the action is logged;
4) A program started from within the cloud disk is treated the same as the trusted program;
5) A file with an untrusted extension may not be renamed to a trusted extension, which prevents the file from being copied or moved to the local domain after renaming.
Implementation of the invention:
1 Server side
1.1 The administrator logs in to the access control policy configuration application and configures the trusted processes and the extensions those processes may operate on. After configuration is complete, the policy is automatically distributed to the access control module.
2 Client side
2.1 The access control module starts and receives the policy distributed by the server;
2.2 The cloud disk client starts and notifies the access control module of the mounted drive letter;
2.3 When a process attempts to read or write cloud disk data, the access control module judges whether the process is a trusted process: if not, the operation is refused; if so, a further judgment is made. For create and delete operations by a trusted process, the corresponding cloud disk interface is called. For copy and move operations by a trusted process, it is further determined whether the file extension is trusted: if not, the operation is refused; if so, the corresponding cloud disk interface is called. For rename operations by a trusted process, only renaming a trusted extension to an untrusted extension is allowed; otherwise the operation is refused.
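The decision logic that steps 2.1 to 2.3 and the access-control details above describe, as an added C example; it is not code from the patent and contains no hooking or injection. The policy evaluation is written as a pure function (decide) so that it can be tested on its own, and every decision produces an audit line (decide_and_log) in the spirit of beneficial effect 7. The Policy struct, the SAMPLE_POLICY values, the process names and the file paths are all constructed for the example; the PE exemption is approximated by extension (a real hook would inspect the file header), and the rename rule implements detail 5 (an untrusted extension may not become a trusted one), with a comment marking where the stricter wording of claim 3 would tighten it.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

typedef enum { OP_CREATE, OP_DELETE, OP_READ, OP_COPY, OP_MOVE, OP_RENAME } FileOp;
typedef enum { DENY = 0, ALLOW = 1 } Verdict;

#define MAX_ITEMS 8
typedef struct {
    char drive;                          /* cloud disk drive letter reported by the notification module */
    int  pe_exempt;                      /* "default PE executables need no monitoring" */
    const char *trusted_procs[MAX_ITEMS];
    int  n_procs;                        /* image names of trusted processes */
    const char *trusted_exts[MAX_ITEMS];
    int  n_exts;                         /* extensions a trusted process may take out of the cloud disk */
} Policy;

/* Case-insensitive equality: Windows file and image names are case-insensitive. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

static const char *basename_of(const char *path) {
    const char *s = strrchr(path, '\\');
    return s ? s + 1 : path;
}

static const char *extension(const char *path) {
    const char *dot = strrchr(basename_of(path), '.');
    return dot ? dot + 1 : "";
}

static int on_cloud_drive(const Policy *p, const char *path) {
    return path && path[0] && path[1] == ':' && toupper((unsigned char)path[0]) == p->drive;
}

/* Detail 4: a program started from the cloud disk is treated like the trusted program. */
static int is_trusted_proc(const Policy *p, const char *proc_path) {
    if (on_cloud_drive(p, proc_path)) return 1;
    for (int i = 0; i < p->n_procs; i++)
        if (ieq(basename_of(proc_path), p->trusted_procs[i])) return 1;
    return 0;
}

/* Simplification: PE is recognised by extension here; a real hook would check the MZ/PE header. */
static int is_trusted_ext(const Policy *p, const char *ext) {
    if (p->pe_exempt && (ieq(ext, "exe") || ieq(ext, "dll"))) return 1;
    for (int i = 0; i < p->n_exts; i++)
        if (ieq(ext, p->trusted_exts[i])) return 1;
    return 0;
}

/* One intercepted operation: src is the file acted on, dst the target path for copy/move/rename (else NULL). */
Verdict decide(const Policy *p, const char *proc_path, FileOp op, const char *src, const char *dst) {
    if (!on_cloud_drive(p, src)) return ALLOW;        /* beneficial effect 1: other drives are not controlled */
    if (!is_trusted_proc(p, proc_path)) return DENY;  /* untrusted process: refuse outright */
    switch (op) {
    case OP_CREATE: case OP_DELETE: case OP_READ:
        return ALLOW;                                 /* trusted process: call the cloud disk interface */
    case OP_COPY: case OP_MOVE:
        if (on_cloud_drive(p, dst)) return ALLOW;     /* stays inside the cloud disk */
        return is_trusted_ext(p, extension(src)) ? ALLOW : DENY;
    case OP_RENAME:
        if (!dst) return DENY;
        /* detail 5: an untrusted extension may not become a trusted one (it could then be copied out);
           claim 3 is stricter and would also deny here whenever the new extension is trusted */
        if (!is_trusted_ext(p, extension(src)) && is_trusted_ext(p, extension(dst))) return DENY;
        return ALLOW;
    }
    return DENY;
}

/* Every decision is written as an audit line; returns the verdict so callers can chain it. */
Verdict decide_and_log(const Policy *p, const char *proc_path, FileOp op,
                       const char *src, const char *dst, char *log, size_t log_len) {
    static const char *names[] = { "create", "delete", "read", "copy", "move", "rename" };
    Verdict v = decide(p, proc_path, op, src, dst);
    snprintf(log, log_len, "AUDIT proc=%s op=%s src=%s dst=%s verdict=%s",
             proc_path, names[op], src, dst ? dst : "-", v == ALLOW ? "allow" : "deny");
    return v;
}

/* Constructed sample policy: cloud disk on Z:, Word and Excel trusted, only PDF may be taken out. */
const Policy SAMPLE_POLICY = { 'Z', 1, { "winword.exe", "excel.exe" }, 2, { "pdf" }, 1 };

int main(void) {
    char line[256];
    decide_and_log(&SAMPLE_POLICY, "C:\\Users\\alice\\dropper.exe", OP_READ, "Z:\\plan.docx", NULL, line, sizeof line);
    puts(line);
    decide_and_log(&SAMPLE_POLICY, "C:\\Office\\winword.exe", OP_COPY, "Z:\\plan.docx", "C:\\tmp\\plan.docx", line, sizeof line);
    puts(line);
    decide_and_log(&SAMPLE_POLICY, "C:\\Office\\winword.exe", OP_COPY, "Z:\\plan.pdf", "C:\\tmp\\plan.pdf", line, sizeof line);
    puts(line);
    return 0;
}
```

Two properties of the scheme are visible in the function: trust is decided by process image name (and, per detail 4, by launch location), so the policy is only as strong as the integrity of those names, and the PE exemption means any trusted process may move executables out by default, which is a setting worth reviewing before deployment.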

Claims (3)

1. A cloud disk access control method based on Hook technology, characterized in that it comprises an access control policy configuration module, a cloud disk mount drive notification module and an access control protection module, wherein:
The access control policy configuration module is responsible for collecting the cloud disk access control policy configured by the administrator and issuing it to the access control protection module in each client;
After the cloud disk client mounts, the cloud disk mount drive notification module notifies the access control protection module of the mounted drive letter;
The access control protection module controls the file operations carried out in the corresponding cloud disk drive according to the received cloud disk access control policy and drive letter.
2. The cloud disk access control method based on Hook technology according to claim 1, characterized in that the cloud disk access control policy comprises: whether default PE executable files are allowed to bypass monitoring, and whether trusted processes are allowed to copy freely; the configuration of trusted processes, such that only trusted processes are allowed to read and write cloud disk data; and the configuration of special extensions, such that trusted processes are allowed, in special circumstances, to copy files with those extensions out of the cloud disk.
3. The cloud disk access control method based on Hook technology according to claim 2, characterized in that the control the access control protection module implements over file operations in the cloud disk drive comprises: intercepting and parsing create, copy, move, delete and rename operations on the cloud disk drive, then judging whether the process performing the operation is a trusted process; if not, the operation is refused; if so, a further judgment is made. For create and delete operations by a trusted process, the corresponding cloud disk interface is called. For copy and move operations by a trusted process, it is further determined whether the file extension is a trusted extension: if not, the operation is refused; if so, the corresponding cloud disk interface is called. For rename operations by a trusted process, only renaming a trusted extension to an untrusted extension is allowed; otherwise the operation is refused.

Priority Applications (1)

Application number | Publication | Priority date | Filing date | Title
CN201410628420.4A | CN104320409B (en) | 2014-11-10 | 2014-11-10 | Cloud disk access control method based on Hook technologies

Publications (2)

Publication number | Publication date
CN104320409A (en) | 2015-01-28
CN104320409B (en) | 2018-11-02

Family

ID=52375579

Family Applications (1)

Application number | Status | Publication | Priority date | Filing date | Title
CN201410628420.4A | Active | CN104320409B (en) | 2014-11-10 | 2014-11-10 | Cloud disk access control method based on Hook technologies

Country Status (1)

Country | Link
CN (1) | CN104320409B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN105550593A * | 2015-12-11 | 2016-05-04 | 北京奇虎科技有限公司 | Cloud disk file monitoring method and device based on local area network
CN107547658A * | 2017-09-27 | 2018-01-05 | 国云科技股份有限公司 | Method for a centralized cloud storage platform to automatically allocate and connect cloud disks
WO2021124465A1 * | 2019-12-17 | 2021-06-24 | 富士通株式会社 | Information processing system, information processing terminal, and data access control program
CN114816646A * | 2022-06-30 | 2022-07-29 | 天津联想协同科技有限公司 | Shortcut operation method, device, terminal and storage medium suitable for network disk drive letter
CN114816646B * | 2022-06-30 | 2022-11-11 | 天津联想协同科技有限公司 | Shortcut operation method, device, terminal and storage medium suitable for network disk drive letter
CN115150189A * | 2022-07-28 | 2022-10-04 | 深圳市瑞云科技有限公司 | Method for automatically intercepting outgoing files based on enterprise private cloud disk
CN115150189B * | 2022-07-28 | 2023-11-07 | 深圳市瑞云科技有限公司 | Method for automatically intercepting outgoing files based on enterprise private cloud disk

Citations (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
US7035850B2 * | 2000-03-22 | 2006-04-25 | Hitachi, Ltd. | Access control system
CN103632080A * | 2013-11-06 | 2014-03-12 | 国家电网公司 | Mobile data application safety protection system and method based on USBKey
CN103761482A * | 2014-01-23 | 2014-04-30 | 珠海市君天电子科技有限公司 | Method and device for detecting virus programs
CN104077244A * | 2014-07-20 | 2014-10-01 | 湖南蓝途方鼎科技有限公司 | Security disk model based on process isolation and encryption mechanism, and generation method thereof

Also Published As

Publication number Publication date
CN104320409B (en) 2018-11-02

Legal Events

Code | Title | Description
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
CP03 | Change of name, title or address
    Address after: No. 333, Yunhua Road, Chengdu hi-tech Zone, China (Sichuan) Pilot Free Trade Zone, Chengdu, Sichuan 610041
    Patentee after: China Electronics Technology Network Security Technology Co., Ltd.
    Address before: No. 333, Yunhua Road, high-tech Zone, Chengdu, Sichuan 610041
    Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc.