Process access control method and device based on an access control list
Technical field
The present invention relates to the technical field of data security, and in particular to a process access control method and device based on an access control list.
Background technology
In the field of computer security there is the principle of least privilege: each module at a given abstraction layer of a computing environment, such as a process, a user or a program, may access only the information and resources that are necessary for its current task, so that data and functionality are protected from being destroyed by mistake or by malicious action.
Traditional access control technology based on user privileges or user groups cannot control which process accesses the data, and therefore lacks the ability to defend against attacks coming from a hijacked process or from a maliciously modified program.
Summary of the invention
The main object of the present invention is to provide a process access control method and device based on an access control list. Building on the access control list model of access control applied to programs, it defines for each program a black/white list of the data that program may access, and thereby achieves precise control of data access.
To achieve the above object, the present invention proposes a process access control method based on an access control list, comprising in sequence four processes: authorization S1, authentication S2, license S3 and audit S4:
Authorization S1: first read the access rule list R = {r_1, r_2, r_3, ..., r_n} set by the user. A rule r_k in the list describes the access license of a specific program P_k to controlled data D_k; rule r_k consists of T_k, D_k, P_k, P_Shell_k and P_Children_k. For each access rule r_k in the rule list R, compute the MD5 eigenvalue S of the corresponding program P_k, script runner P_Shell_k and subprogram P_Children_k, and build the eigenvalue list PS = {[P_1, S_1], [P_2, S_2], [P_3, S_3], ..., [P_n, S_n]};
Authentication S2: when a process X requests access to controlled data D_x, obtain its process information Info_x, which comprises PID_x and P_x. Using P_x from Info_x, search the eigenvalue list PS for P_x. If it is not present, P_x is not mentioned in the access rule list; deny access and return Auth_x = DENY. If it is present, return the eigenvalue S_x' recorded in the list and proceed to the next step. To control script-type programs and subprograms, the system keeps a cache list PC = {Info_1, Info_2, Info_3, ..., Info_n} of processes that have passed authentication. If X is a subprogram or script runner of another process Y, the authentication of X can be carried out within the handling flow of Y; when X passes authentication, its process information Info_x is stored in PC. Search PC for Info_x: if it exists, return that authentication passes; if it does not, proceed to the next step. Compute the MD5 eigenvalue S_x of P_x and compare it with S_x'. If S_x = S_x', authentication passes, Info_x is stored in the cache list PC, and the access proceeds to the license stage; otherwise return Auth_x = DENY and deny access;
License S3: search the access rule list R for a rule r_x containing [D_x, P_x]. When r_x exists and X needs a script runner P_Shell_x or subprogram P_Children_x, carry out the S2 authentication on P_Shell_x / P_Children_x. If that authentication passes, or X does not need P_Shell_x / P_Children_x, obtain the license type T_x in r_x and return the license result Auth_x = T_x; that is, if T_x = ALLOW access is licensed, and if T_x = DENY access is denied. If r_x does not exist, deny access and return Auth_x = DENY;
Audit S4: an access record is kept for every access by each process X; the record comprises Info_x, D_x and Auth_x.
Preferably, said T_k is a license type; the license type is ALLOW or DENY, indicating that r_k allows or denies access.
Preferably, said D_k defines the data to which r_k applies; P_k defines the program to which r_k applies; P_Shell_k, when P_k is a script, defines the script runner that runs P_k and to which r_k applies; P_Children_k, when P_k needs to call a subprogram, defines the subprogram to which r_k applies.
Preferably, said PID_x is the ID of X, and P_x is the program started by X.
The present invention also provides a process access control device based on an access control list, comprising:
Authorization unit: first reads the access rule list R = {r_1, r_2, r_3, ..., r_n} set by the user. A rule r_k in the list describes the access license of a specific program P_k to controlled data D_k; rule r_k consists of T_k, D_k, P_k, P_Shell_k and P_Children_k. For each access rule r_k in the rule list R, it computes the MD5 eigenvalue S of the corresponding program P_k, script runner P_Shell_k and subprogram P_Children_k, and builds the eigenvalue list PS = {[P_1, S_1], [P_2, S_2], [P_3, S_3], ..., [P_n, S_n]};
Authentication unit: when a process X requests access to controlled data D_x, obtains its process information Info_x, which comprises PID_x and P_x. Using P_x from Info_x, it searches the eigenvalue list PS for P_x. If it is not present, P_x is not mentioned in the access rule list; access is denied and Auth_x = DENY is returned. If it is present, the eigenvalue S_x' recorded in the list is returned and the unit proceeds to the next step. To control script-type programs and subprograms, the system keeps a cache list PC = {Info_1, Info_2, Info_3, ..., Info_n} of processes that have passed authentication. If X is a subprogram or script runner of another process Y, the authentication of X can be carried out within the handling flow of Y; when X passes authentication, its process information Info_x is stored in PC. The unit searches PC for Info_x: if it exists, it returns that authentication passes; if it does not, it proceeds to the next step. It computes the MD5 eigenvalue S_x of P_x and compares it with S_x'. If S_x = S_x', authentication passes, Info_x is stored in the cache list PC, and the access proceeds to the license stage; otherwise Auth_x = DENY is returned and access is denied;
License unit: searches the access rule list R for a rule r_x containing [D_x, P_x]. When r_x exists and X needs a script runner P_Shell_x or subprogram P_Children_x, it authenticates P_Shell_x / P_Children_x. If that authentication passes, or X does not need P_Shell_x / P_Children_x, it obtains the license type T_x in r_x and returns the license result Auth_x = T_x; that is, if T_x = ALLOW access is licensed, and if T_x = DENY access is denied. If r_x does not exist, access is denied and Auth_x = DENY is returned;
Audit unit: keeps an access record for every access by each process X; the record comprises Info_x, D_x and Auth_x.
Preferably, said T_k is a license type; the license type is ALLOW or DENY, indicating that r_k allows or denies access.
Preferably, said D_k defines the data to which r_k applies; P_k defines the program to which r_k applies; P_Shell_k, when P_k is a script, defines the script runner that runs P_k and to which r_k applies; P_Children_k, when P_k needs to call a subprogram, defines the subprogram to which r_k applies.
Preferably, said PID_x is the ID of X, and P_x is the program started by X.
The process access control method and device based on an access control list provided by the present invention build on the access control list (Access Control List, ACL) model of access control applied to programs: by defining for each program a black/white list of the data it may access, they achieve precise control of data access.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the authorization step in an embodiment of the present invention;
Fig. 2 is a schematic flow chart of the authentication step in an embodiment of the present invention;
Fig. 3 is a schematic flow chart of the processing of an access request in an embodiment of the present invention.
The achievement of the object, the functional features and the advantages of the present invention are further described below with reference to the drawings and in conjunction with the embodiments.
Detailed description of the invention
It should be understood that the specific embodiments described herein are intended only to explain the present invention and are not intended to limit it.
Referring to Fig. 1 to Fig. 3, an embodiment of the present invention provides a process access control method based on an access control list, comprising in sequence four processes: authorization S1, authentication S2, license S3 and audit S4.
Authorization S1: first read the access rule list R = {r_1, r_2, r_3, ..., r_n} set by the user. A rule r_k in the list describes the access license of a specific program P_k to controlled data D_k; rule r_k consists of T_k, D_k, P_k, P_Shell_k and P_Children_k. For each access rule r_k in the rule list R, compute the MD5 eigenvalue S of the corresponding program P_k, script runner P_Shell_k and subprogram P_Children_k, and build the eigenvalue list PS = {[P_1, S_1], [P_2, S_2], [P_3, S_3], ..., [P_n, S_n]}.
Authentication S2: when a process X requests access to controlled data D_x, obtain its process information Info_x, which comprises PID_x and P_x. Using P_x from Info_x, search the eigenvalue list PS for P_x. If it is not present, P_x is not mentioned in the access rule list; deny access and return Auth_x = DENY. If it is present, return the eigenvalue S_x' recorded in the list and proceed to the next step. To control script-type programs and subprograms, the system keeps a cache list PC = {Info_1, Info_2, Info_3, ..., Info_n} of processes that have passed authentication. If X is a subprogram or script runner of another process Y, the authentication of X can be carried out within the handling flow of Y; when X passes authentication, its process information Info_x is stored in PC. Search PC for Info_x: if it exists, return that authentication passes; if it does not, proceed to the next step. Compute the MD5 eigenvalue S_x of P_x and compare it with S_x'. If S_x = S_x', authentication passes, Info_x is stored in the cache list PC, and the access proceeds to the license stage; otherwise return Auth_x = DENY and deny access.
License S3: search the access rule list R for a rule r_x containing [D_x, P_x]. When r_x exists and X needs a script runner P_Shell_x or subprogram P_Children_x, carry out the S2 authentication on P_Shell_x / P_Children_x. If that authentication passes, or X does not need P_Shell_x / P_Children_x, obtain the license type T_x in r_x and return the license result Auth_x = T_x; that is, if T_x = ALLOW access is licensed, and if T_x = DENY access is denied. If r_x does not exist, deny access and return Auth_x = DENY.
Audit S4: an access record is kept for every access by each process X; the record comprises Info_x, D_x and Auth_x. Said T_k is a license type; the license type is ALLOW or DENY, indicating that r_k allows or denies access. Said D_k defines the data to which r_k applies; P_k defines the program to which r_k applies; P_Shell_k, when P_k is a script, defines the script runner that runs P_k and to which r_k applies; P_Children_k, when P_k needs to call a subprogram, defines the subprogram to which r_k applies. Said PID_x is the ID of X, and P_x is the program started by X.
In the present embodiment the access control list contains both rules that allow access and rules that deny access: the blacklist is defined as the set of deny rules in the access control list, and the white list as the set of allow rules. The process access control method based on an access control list provided by this embodiment of the present invention builds on the access control list (Access Control List, ACL) model of access control applied to programs; by defining for each program a black/white list of the data it may access, it achieves precise control of data access.
The embodiment of the present invention also provides a process access control device based on an access control list, comprising:
Authorization unit: first reads the access rule list R = {r_1, r_2, r_3, ..., r_n} set by the user. A rule r_k in the list describes the access license of a specific program P_k to controlled data D_k; rule r_k consists of T_k, D_k, P_k, P_Shell_k and P_Children_k. For each access rule r_k in the rule list R, it computes the MD5 eigenvalue S of the corresponding program P_k, script runner P_Shell_k and subprogram P_Children_k, and builds the eigenvalue list PS = {[P_1, S_1], [P_2, S_2], [P_3, S_3], ..., [P_n, S_n]};
Authentication unit: when a process X requests access to controlled data D_x, obtains its process information Info_x, which comprises PID_x and P_x. Using P_x from Info_x, it searches the eigenvalue list PS for P_x. If it is not present, P_x is not mentioned in the access rule list; access is denied and Auth_x = DENY is returned. If it is present, the eigenvalue S_x' recorded in the list is returned and the unit proceeds to the next step. To control script-type programs and subprograms, the system keeps a cache list PC = {Info_1, Info_2, Info_3, ..., Info_n} of processes that have passed authentication. If X is a subprogram or script runner of another process Y, the authentication of X can be carried out within the handling flow of Y; when X passes authentication, its process information Info_x is stored in PC. The unit searches PC for Info_x: if it exists, it returns that authentication passes; if it does not, it proceeds to the next step. It computes the MD5 eigenvalue S_x of P_x and compares it with S_x'. If S_x = S_x', authentication passes, Info_x is stored in the cache list PC, and the access proceeds to the license stage; otherwise Auth_x = DENY is returned and access is denied;
License unit: searches the access rule list R for a rule r_x containing [D_x, P_x]. When r_x exists and X needs a script runner P_Shell_x or subprogram P_Children_x, it authenticates P_Shell_x / P_Children_x. If that authentication passes, or X does not need P_Shell_x / P_Children_x, it obtains the license type T_x in r_x and returns the license result Auth_x = T_x; that is, if T_x = ALLOW access is licensed, and if T_x = DENY access is denied. If r_x does not exist, access is denied and Auth_x = DENY is returned;
Audit unit: keeps an access record for every access by each process X; the record comprises Info_x, D_x and Auth_x.
Wherein, said T_k is a license type; the license type is ALLOW or DENY, indicating that r_k allows or denies access. Said D_k defines the data to which r_k applies; P_k defines the program to which r_k applies; P_Shell_k, when P_k is a script, defines the script runner that runs P_k and to which r_k applies; P_Children_k, when P_k needs to call a subprogram, defines the subprogram to which r_k applies. Said PID_x is the ID of X, and P_x is the program started by X.
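As an added illustration, not part of the patent text, the four steps S1 to S4 of the method above and the corresponding units of the device can be carried out as follows. The program images, the rule list R and the PIDs are constructed sample data; a helper process's (PID, image) pair is passed in as the P_Shell_x / P_Children_x that X needs.

```python
import hashlib
ALLOW, DENY = "ALLOW", "DENY"
# Constructed program images standing in for the files named by P_k, P_Shell_k, P_Children_k.
IMAGES = {
    "backup.sh": b"#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n",
    "sh": b"<constructed sh binary>",
    "tar": b"<constructed tar binary>",
    "curl": b"<constructed curl binary>",
}
# Rules r_k = (T_k, D_k, P_k, P_Shell_k, P_Children_k); constructed sample rule list R.
RULES = [
    (ALLOW, "/srv/data", "backup.sh", "sh", "tar"),
    (DENY, "/srv/data", "curl", None, None),
]

def eigenvalue(image: bytes) -> str:
    # The page specifies MD5; MD5 collisions are practical, so a deployment would use hashlib.sha256 here.
    return hashlib.md5(image).hexdigest()

class ProcessAcl:
    def __init__(self, rules, images):
        # S1 authorization: eigenvalue list PS over every program any rule names.
        self.rules, self.images = rules, images
        self.PS = {p: eigenvalue(images[p]) for r in rules for p in r[2:] if p}
        self.PC = set()   # cache of authenticated Info_x = (PID_x, P_x)
        self.audit = []   # S4 audit records (Info_x, D_x, Auth_x)

    def authenticate(self, info, image):
        # S2 authentication: info = (PID_x, P_x); image = bytes X actually executes.
        if info[1] not in self.PS:   # P_x is named by no rule
            return False
        if info in self.PC:          # already authenticated, e.g. within parent Y
            return True
        if eigenvalue(image) != self.PS[info[1]]:   # S_x != S_x': image altered
            return False
        self.PC.add(info)
        return True

    def request(self, info, data, image, deps=None):
        # S3 license: deps maps each P_Shell_x / P_Children_x that X needs
        # to that helper process's (PID, image), authenticated here via S2.
        deps, auth = deps or {}, DENY
        if self.authenticate(info, image):
            rule = next((r for r in self.rules if r[1:3] == (data, info[1])), None)
            if rule and all(p in deps and self.authenticate((deps[p][0], p), deps[p][1])
                            for p in rule[3:] if p):
                auth = rule[0]   # Auth_x = T_x
        self.audit.append((info, data, auth))
        return auth
```

A request with a matching ALLOW rule, matching hashes and authenticated helpers returns ALLOW; an altered image, an unlisted program, a missing helper or a DENY rule all return DENY, and every request leaves an audit record.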
In summary, the access control list in the embodiments of the present invention contains both rules that allow access and rules that deny access; the blacklist is the set of deny rules in the access control list, and the white list is the set of allow rules. The process access control method and device based on an access control list provided by the embodiments of the present invention build on the access control list (Access Control List, ACL) model of access control applied to programs; by defining for each program a black/white list of the data it may access, they achieve precise control of data access.
The foregoing describes only preferred embodiments of the present invention and does not thereby limit the scope of its claims. Any equivalent structure or equivalent process transformation made using the contents of the description and drawings of the present invention, or any direct or indirect application in other related technical fields, is likewise included in the scope of patent protection of the present invention.