CN109117664B - Access control method and device for application program - Google Patents

Info

Publication number
CN109117664B
Authority
CN
China
Legal status
Active
Application number
CN201810798889.0A
Other languages
Chinese (zh)
Other versions
CN109117664A (en)
Inventor
王志刚
彭洪涛
王志海
喻波
曲恩纯
Current Assignee
Beijing Wondersoft Technology Co Ltd
Original Assignee
Beijing Wondersoft Technology Co Ltd
Application filed by Beijing Wondersoft Technology Co Ltd
Priority to CN201810798889.0A
Publication of CN109117664A
Application granted
Publication of CN109117664B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides an access control method and device for an application program. The method comprises the following steps: creating a virtual desktop; adding at least one application program from the original desktop to the virtual desktop; if any target application program in the virtual desktop is detected to have started, performing an Inline Hook on preset functions in a function library of Windows, where the preset functions comprise a preset network access function, a preset clipboard operation function and a preset registry processing function; intercepting a call request from the target application program to a preset function; determining, according to a pre-configured control strategy and the parameters in the call request, a target control strategy corresponding to those parameters and the preset function; if the target control strategy is to allow, calling the preset function in response to the call request; if the target control strategy is to reject, rejecting the call request according to a preset rejection strategy of the preset function; and if the target control strategy is to redirect the call request, redirecting the call request according to a preset redirection strategy of the preset function.

Description

Access control method and device for application program
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method and an apparatus for controlling access to an application.
Background
In recent years, with the outbreak of various leakage events, such events have posed great threats to national security and long-term development. The financial industry, which is closely tied to the national economy and people's livelihood, has even higher security protection requirements and needs to prevent the occurrence of secret leakage events in time.
Whichever industry needs to prevent leakage events, security access control can be performed on the application programs in employees' computers so that secrets cannot be leaked through the application programs on enterprise computers.
Therefore, a technical problem that urgently needs to be solved by those skilled in the art is how to carry out multi-aspect access control on the application programs of a terminal and ensure the security of the terminal's information.
Disclosure of Invention
The invention provides an access control method and device for an application program, and aims to solve the problem that the related art cannot carry out multi-aspect access control on the application programs of a terminal.
In order to solve the above problem, according to an aspect of the present invention, the present invention discloses an access control method for an application, applied to a terminal device, the method including:
creating a virtual desktop;
adding at least one application in an original desktop to the virtual desktop;
if any target application program in the virtual desktop is detected to be started, performing Inline Hook on a preset function in a function library of Windows, wherein the preset function comprises a preset network access function, a preset clipboard operation function and a preset registry processing function;
intercepting a call request of the target application program to the preset function;
determining a target control strategy corresponding to the parameter and the preset function according to a pre-configured control strategy and the parameter in the calling request;
if the target control strategy is allowed for the call request, calling the preset function in response to the call request;
if the target control strategy is to reject the call request, responding to the call request, rejecting the call request according to a preset rejection strategy of the preset function, and returning a rejection result;
if the target control strategy is to redirect the call request, redirecting the call request according to a preset redirection strategy of the preset function, and calling the preset function in response to the redirected call request.
Optionally, when the preset function includes a preset network access function, the parameter in the call request includes a target address field of a network address to be accessed;
the determining a target control strategy corresponding to the parameter and the preset function according to the pre-configured control strategy and the parameter in the call request includes:
and determining a target control strategy corresponding to the target address field according to the corresponding relation between different address fields and different control strategies preset and configured aiming at a preset network access function.
Optionally, when the preset function includes a preset clipboard operation function, the parameter in the call request includes a text to be pasted, a first desktop identifier to which a source file corresponding to the text to be pasted belongs, and a second desktop identifier to which a target file corresponding to the text to be pasted belongs;
the determining a target control strategy corresponding to the parameter and the preset function according to the pre-configured control strategy and the parameter in the call request includes:
judging whether the first desktop identifier and the second desktop identifier are the same;
if the two identifiers are the same, determining that the target control strategy is to allow the call request according to a control strategy preset and configured for the preset clipboard operation function;
if the two identifiers are different, determining that the target control strategy is to reject the call request according to a control strategy preset and configured for the preset clipboard operation function;
if the target control strategy is to reject the call request, responding to the call request, rejecting the call request according to a preset rejection strategy of the preset function, and returning a rejection result includes:
and if the target control strategy is to reject the call request, responding to the call request, performing preset modification on the text to be pasted in the call request according to a preset rejection strategy of the preset clipboard operation function, and returning a modification result, wherein the preset modification comprises character clearing or character arrangement disordering.
Optionally, the preset registry processing function includes a registry writing function, and when the preset function includes the registry writing function, the parameter in the call request includes an original path of an item to be written in an original registry, a target key of the item to be written, and a target value of the target key;
the determining a target control strategy corresponding to the parameter and the preset function according to the pre-configured control strategy and the parameter in the call request includes:
determining a target control strategy corresponding to the parameter and the preset registry writing function as redirection of the call request according to a control strategy pre-configured for the preset registry writing function and the parameter in the call request;
if the target control strategy is to redirect the call request, redirecting the call request according to a preset redirection strategy of the preset function, and calling the preset function in response to the redirected call request, including:
if the target control strategy is to redirect the call request, creating a redirection registry in the subkeys of the target key of the original registry according to the original path;
modifying the original path in the calling request into a redirection path of the item to be written in the redirection registry;
and calling the preset registry writing function in response to the redirected calling request, and writing the target value into the value of the target key of the redirection path in the redirection registry.
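The three control decisions described above (address-field lookup for network access, same-desktop comparison for the clipboard with the clear-or-scramble rejection strategy, and path re-rooting for registry writes), as an added example that is not code from the patent or from Wondersoft. It models only the policy step a hook detour would consult, not the Inline Hook itself; the dotted-decimal prefix notation for "address fields", the rules, the desktop identifiers, the redirect root and the in-memory registry are constructed assumptions.

```cpp
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <map>
#include <random>
#include <string>
#include <utility>
#include <vector>

// The three outcomes the patent's "target control strategy" can take.
enum class Decision { Allow, Reject, Redirect };

// ---- Network access: consulted by the connect / sendto / recvfrom detours ------------
// An "address field" is modelled as a dotted-decimal prefix (constructed notation):
// "10.0." covers 10.0.x.y. The longest matching prefix wins, so a narrower field
// overrides a wider one; addresses matching no field fall back to the default.
class NetworkPolicy {
public:
    void addRule(const std::string& addressField, Decision d) { rules_.emplace_back(addressField, d); }
    Decision decide(const std::string& ipv4) const {
        const std::pair<std::string, Decision>* best = nullptr;
        for (const auto& rule : rules_) {
            bool matches = ipv4.compare(0, rule.first.size(), rule.first) == 0;
            if (matches && (!best || rule.first.size() > best->first.size())) best = &rule;
        }
        return best ? best->second : defaultDecision_;
    }
private:
    std::vector<std::pair<std::string, Decision>> rules_;
    Decision defaultDecision_ = Decision::Reject;   // default-deny for unlisted fields
};

// ---- Clipboard: consulted by the SetClipboardData / GetClipboardData detours ----------
// A paste is allowed only when the source and target files belong to the same desktop.
Decision decideClipboard(uint32_t sourceDesktopId, uint32_t targetDesktopId) {
    return sourceDesktopId == targetDesktopId ? Decision::Allow : Decision::Reject;
}

// The patent's rejection strategy for the clipboard: instead of failing the call, the
// text to be pasted is neutralised by clearing it or scrambling its character order.
enum class ClipboardRejectMode { ClearCharacters, ShuffleCharacters };

std::string applyClipboardRejection(std::string text, ClipboardRejectMode mode, uint32_t seed) {
    if (mode == ClipboardRejectMode::ClearCharacters) return std::string();
    std::mt19937 rng(seed);                       // seeded only to keep the demo reproducible
    std::shuffle(text.begin(), text.end(), rng);
    return text;
}

// ---- Registry write: consulted by the detour on the registry writing function ----------
// Every write from a virtual-desktop application is redirected: the original key path is
// re-rooted under a redirection subtree, so the real key is never touched. The registry
// is simulated with an in-memory map and the redirect root is a constructed path.
struct SimulatedRegistry {
    std::map<std::string, std::map<std::string, std::string>> keys;  // key path -> (value name -> data)
};

const std::string kRedirectRoot = "HKCU\\Software\\VDesktopRedirect";

std::string redirectRegistryPath(const std::string& originalPath) {
    return kRedirectRoot + "\\" + originalPath;
}

// Performs the redirected write and returns the path actually written.
std::string redirectedRegistryWrite(SimulatedRegistry& reg, const std::string& originalPath,
                                    const std::string& targetKey, const std::string& targetValue) {
    const std::string redirectPath = redirectRegistryPath(originalPath);
    reg.keys[redirectPath][targetKey] = targetValue;   // creates the redirection key on first use
    return redirectPath;
}

int main() {
    NetworkPolicy net;
    net.addRule("10.", Decision::Allow);        // constructed: internal range allowed
    net.addRule("10.99.", Decision::Reject);    // constructed: one internal subnet blocked
    std::cout << "connect 10.1.2.3 -> "
              << (net.decide("10.1.2.3") == Decision::Allow ? "allow" : "reject") << '\n';
    std::cout << "paste across desktops -> "
              << (decideClipboard(1, 2) == Decision::Reject ? "reject (text scrambled)" : "allow") << '\n';
    SimulatedRegistry reg;
    std::cout << "write redirected to "
              << redirectedRegistryWrite(reg, "HKCU\\Software\\Contoso", "Run", "1") << '\n';
    return 0;
}
```

Note that the clipboard rejection returns a modified result rather than an error, exactly as the patent describes, so a monitoring layer that only counts failed calls will not see these rejections; count policy decisions instead.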
Optionally, after the at least one application program in the original desktop is added to the virtual desktop, the method further includes:
if the preset micro-filter driver detects a file operation request of any started target application program in the virtual desktop, judging the file operation type according to the file operation request;
if the file operation type is an open file, determining a target file name in the file operation request and an original directory of the target file in an original desktop;
redirecting the original directory in a storage space corresponding to the virtual desktop according to the structure of the original directory to obtain a redirected directory of the target file;
copying a target file with the target file name in the original directory of the original desktop to the redirection directory of the virtual desktop;
in response to a file operation request, opening the target file at the redirect directory having the target file name.
Optionally, if the preset micro-filter driver detects a file operation request of any one started target application program in the virtual desktop, after determining a file operation type according to the file operation request, the method further includes:
if the file operation type is file write operation, determining a target file name in the file operation request and an original directory of a target file in an original desktop;
redirecting the original directory in a storage space corresponding to the virtual desktop according to the structure of the original directory to obtain a redirected directory of the target file;
copying a target file in the original directory of the original desktop to the redirection directory of the virtual desktop;
responding to a file operation request, and performing write operation on a target file at the redirection directory;
and encrypting the target file after the write operation according to a preset encryption algorithm.
Optionally, if the preset micro-filter driver detects a file operation request of any one started target application program in the virtual desktop, after determining a file operation type according to the file operation request, the method further includes:
if the file operation type is file reading operation, determining a target file name in the file operation request and an original directory of a target file in an original desktop;
determining a redirection directory of the target file in the virtual desktop according to the original directory;
decrypting the target file with the target file name at the redirection directory according to a preset decryption algorithm;
and responding to the file operation request, performing read operation on the decrypted target file, and returning a read result.
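The open, write and read handling described in the three optional steps above, as an added example that is not code from the patent or from Wondersoft. It simulates in user mode the decisions the patent assigns to its micro-filter driver: the disk is an in-memory map, the store root is a constructed path, and presetEncrypt/presetDecrypt are labelled stand-ins because the patent does not name its preset algorithm. One assumption the patent leaves implicit is made explicit: the copy placed in the redirection directory on open is stored in the same encrypted form as written files, since the read path always decrypts before reading.

```cpp
#include <map>
#include <string>

using SimulatedDisk = std::map<std::string, std::string>;   // full path -> file content

// Constructed: the storage space that belongs to the virtual desktop.
const std::string kVirtualDesktopStore = "D:\\VDesktopStore";

// Mirror the original directory structure under the store, as the patent requires:
// "C:\Users\a\Docs" -> "D:\VDesktopStore\C\Users\a\Docs".
std::string redirectDirectory(const std::string& originalDir) {
    std::string relative = originalDir;
    size_t colon = relative.find(':');
    if (colon != std::string::npos) relative.erase(colon, 1);   // drop the drive colon
    return kVirtualDesktopStore + "\\" + relative;
}

std::string joinPath(const std::string& dir, const std::string& name) { return dir + "\\" + name; }

// Stand-in for the unnamed "preset encryption algorithm": a fixed-key byte transform that
// is reversible but NOT encryption. A real deployment needs an authenticated cipher with
// managed keys; this exists only so the redirect/encrypt/decrypt flow can be exercised.
std::string presetEncrypt(const std::string& plain) {
    std::string out = plain;
    for (size_t i = 0; i < out.size(); ++i)
        out[i] = static_cast<char>(out[i] ^ static_cast<char>(0x5A + (i % 7)));
    return out;
}
std::string presetDecrypt(const std::string& cipher) { return presetEncrypt(cipher); }  // involution

// Copy-on-first-touch: bring the original file into the redirection directory once,
// leaving the original desktop's copy untouched from then on.
void ensureRedirectedCopy(SimulatedDisk& disk, const std::string& originalDir, const std::string& name) {
    const std::string src = joinPath(originalDir, name);
    const std::string dst = joinPath(redirectDirectory(originalDir), name);
    if (disk.count(dst) == 0 && disk.count(src) != 0) disk[dst] = presetEncrypt(disk[src]);
}

// Open: the application receives the redirected path, never the original one.
std::string handleOpen(SimulatedDisk& disk, const std::string& originalDir, const std::string& name) {
    ensureRedirectedCopy(disk, originalDir, name);
    return joinPath(redirectDirectory(originalDir), name);
}

// Write: data lands in the redirection directory and is encrypted after the write.
void handleWrite(SimulatedDisk& disk, const std::string& originalDir,
                 const std::string& name, const std::string& data) {
    ensureRedirectedCopy(disk, originalDir, name);
    disk[joinPath(redirectDirectory(originalDir), name)] = presetEncrypt(data);
}

// Read: decrypt the redirected copy and return it; false if the application never touched the file.
bool handleRead(const SimulatedDisk& disk, const std::string& originalDir,
                const std::string& name, std::string& out) {
    auto it = disk.find(joinPath(redirectDirectory(originalDir), name));
    if (it == disk.end()) return false;
    out = presetDecrypt(it->second);
    return true;
}
```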
Optionally, the method further comprises:
and if the virtual desktop is closed, removing temporary data and/or redirection data generated in the virtual desktop according to a pre-configured data cleaning strategy.
Optionally, after the at least one application program in the original desktop is added to the virtual desktop, the method further includes:
if the access request of any application program is detected, judging whether the application program is a target application program in the virtual desktop or not;
if not, the access request is rejected.
According to another aspect of the present invention, the present invention also discloses an access control device for an application, which is applied to a terminal device, and the device includes:
the creating module is used for creating a virtual desktop;
the adding module is used for adding at least one application program in the original desktop to the virtual desktop;
the Hook module is used for carrying out Inline Hook on a preset function in a function library of Windows if any target application program in the virtual desktop is detected to be started, wherein the preset function comprises a preset network access function, a preset clipboard operation function and a preset registry processing function;
the intercepting module is used for intercepting a calling request of the target application program to the preset function;
the first determining module is used for determining a target control strategy corresponding to the parameter and the preset function according to a pre-configured control strategy and the parameter in the calling request;
the first response module is used for responding to the calling request to call the preset function if the target control strategy is allowed to the calling request;
the second response module is used for responding to the calling request, rejecting the calling request according to a preset rejection strategy of the preset function and returning a rejection result if the target control strategy is rejecting the calling request;
and the third response module is used for redirecting the calling request according to a preset redirection strategy of the preset function if the target control strategy is to redirect the calling request, and calling the preset function in response to the redirected calling request.
Optionally, the first determining module includes:
and the first determining submodule is used for determining a target control strategy corresponding to the target address field according to the corresponding relation between different address fields and different control strategies preset and configured aiming at the preset network access function when the preset function comprises a preset network access function, wherein the parameter in the calling request comprises the target address field of the network address to be accessed.
Optionally, the first determining module includes:
the judgment sub-module is used for judging whether the first desktop identifier and the second desktop identifier are the same or not when the preset function comprises a preset clipboard operation function, wherein parameters in the calling request comprise a text to be pasted, a first desktop identifier to which a source file corresponding to the text to be pasted belongs, and a second desktop identifier to which a target file corresponding to the text to be pasted belongs;
the second determining submodule is used for determining that the target control strategy is to allow the call request according to the control strategy preset and configured for the preset clipboard operation function if the two identifiers are the same;
a third determining sub-module, configured to determine, if the two are different, that the target control policy is a rejection to the call request according to a control policy preset and configured for a preset clipboard operation function;
the second response module comprises:
and the second response submodule is used for responding to the calling request, performing preset modification on the text to be pasted in the calling request according to a preset rejection strategy of the preset clipboard operation function and returning a modification result if the target control strategy is to reject the calling request, wherein the preset modification comprises character clearing or character arrangement disordering.
Optionally, the first determining module includes:
a fourth determining submodule, configured to, when the preset registry processing function includes a registry writing function, and the preset function includes the registry writing function, determine that a parameter in the call request includes an original path of an item to be written in an original registry, a target key of the item to be written, and a target value of the target key, and determine, according to a control policy preconfigured for the preset registry writing function and the parameter in the call request, that a target control policy corresponding to the parameter and the preset registry writing function is to redirect the call request;
the third response module comprises:
a creating submodule, configured to create a redirection registry in a sub-key of the target key of the original registry according to the original path if the target control policy is to redirect the call request;
a modification submodule, configured to modify the original path in the call request to a redirection path of the to-be-written item in the redirection registry;
and the third response submodule is used for responding to the redirected calling request to call the preset registry writing function and writing the target value into the value of the target key of the redirection path in the redirection registry.
Optionally, the apparatus further comprises:
the first judgment module is used for judging the file operation type according to the file operation request if the preset micro-filter driver detects the file operation request of any started target application program in the virtual desktop;
the second determining module is used for determining the name of the target file in the file operation request and an original directory of the target file in an original desktop if the file operation type is the open file;
the first redirection module is used for redirecting the original directory in a storage space corresponding to the virtual desktop according to the structure of the original directory to obtain a redirection directory of the target file;
a first copying module, configured to copy a target file with the target file name in the original directory of the original desktop to the redirection directory of the virtual desktop;
a fourth response module, configured to open the target file with the target file name at the redirection directory in response to the file operation request.
Optionally, the apparatus further comprises:
a third determining module, configured to determine, if the file operation type is a file write operation, a name of a target file in the file operation request and an original directory of the target file in an original desktop;
the second redirection module is used for redirecting the original directory in a storage space corresponding to the virtual desktop according to the structure of the original directory to obtain a redirected directory of the target file;
a second copying module, configured to copy a target file in the original directory of the original desktop to the redirection directory of the virtual desktop;
a fifth response module, configured to perform a write operation on the target file in the redirection directory in response to the file operation request;
and the encryption module is used for encrypting the target file after the write operation according to a preset encryption algorithm.
Optionally, the apparatus further comprises:
a fourth determining module, configured to determine, if the file operation type is a file read operation, a name of a target file in the file operation request and an original directory of the target file in an original desktop;
a fifth determining module, configured to determine, according to the original directory, a redirection directory of the target file in the virtual desktop;
the decryption module is used for decrypting the target file with the target file name at the redirection directory according to a preset decryption algorithm;
and the sixth response module is used for responding to the file operation request, performing read operation on the decrypted target file and returning a read result.
Optionally, the apparatus further comprises:
and the clearing module is used for clearing temporary data and/or redirection data generated in the virtual desktop according to a pre-configured data clearing strategy if the virtual desktop is closed.
Optionally, the apparatus further comprises:
the second judgment module is used for judging whether the application program is a target application program in the virtual desktop or not if the access request of any application program is detected;
and the rejecting module is used for rejecting the access request if the second judging module determines that the application program is not the target application program in the virtual desktop.
Compared with the prior art, the invention has the following advantages:
The embodiment of the present invention creates a virtual desktop, adds one or more application programs from the original desktop to the virtual desktop, and performs an Inline Hook operation on a preset network access function, a preset clipboard operation function and a preset registry processing function when any target application program in the virtual desktop is started. When the target application program calls any of the Inline Hooked functions, the embodiment can therefore intercept the call request and perform access control (permission, rejection or redirection) on it according to a pre-configured control policy, thereby controlling the application programs in the virtual desktop in several aspects, such as network, clipboard and registry, and ensuring the access security of information.
Drawings
FIG. 1 is a system architecture diagram of an embodiment of an access control system for an application of the present invention;
FIG. 2 is a flowchart illustrating the steps of an embodiment of a method for controlling access to an application program;
FIG. 3 is a block diagram of an embodiment of an access control system for an application according to the present invention.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Referring to fig. 1, a system architecture diagram of an embodiment of an access control system for an application of the present invention is shown.
The access control system for an application program of the embodiment of the invention is based on the Windows platform and is divided into three layers: a desktop management layer, an access control layer and a file encryption layer.
The desktop management layer is responsible for managing a desktop security environment (namely, a virtual desktop), and mainly performs desktop security environment creation, environment inspection before creation, desktop exit from a working environment, environment cleaning after exit, and the like.
The access control layer is used for performing behavior control on the application program started in the desktop according to the strategy configured in the desktop working environment;
and the file encryption layer is in charge of redirecting and encrypting data generated in the desktop working environment.
As shown in fig. 1, the desktop management layer is located at the uppermost layer of the overall architecture and is composed of a desktop management module, a desktop work environment creation module, a pre-creation environment detection module, a desktop work environment quitting module, and a post-quitting environment cleaning module.
The desktop management module is used for providing visual desktop management operation for a user, such as calling the desktop working environment creating module to create a desktop working environment, calling the desktop working environment quitting module to quit the desktop working environment, switching the desktop working environment and the like;
The desktop working environment creating module is used for calling the pre-creation environment detection module to check whether the current environment meets the conditions for creating a desktop working environment, calling the Windows API to create the desktop after the check passes, and starting the resource manager to enter the access control layer.
The desktop working environment quitting module is responsible for destroying the created desktop working environment and calling the post-quitting environment cleaning module to clean up information related to the desktop working environment, such as the redirection directory, files and registry.
And the environment cleaning module is used for cleaning the relevant information of the desktop working environment after quitting.
The access control layer is located in the middle layer of the overall architecture and is started from the layer above. It is responsible for monitoring the application programs started in the desktop working environment (namely the virtual desktop); it can call the network and clipboard control module and the registry redirection module to perform protection and control according to the configuration strategy of the desktop working environment, and it transmits the information about the applications started in the desktop working environment (specifically, the PID (process identifier) of the application program started in the virtual desktop, the identification information of the virtual desktop and the control strategy of the virtual desktop) to the file encryption and decryption layer.
The access control layer comprises an in-desktop application protection module, a network clipboard control module and a registry redirection module, wherein the in-desktop application protection module is used for loading the network clipboard control module and the registry redirection module into a process address space of an application program under the condition that the started application program exists in the virtual desktop.
The file encryption and decryption layer is positioned at the lowest layer of the whole framework, is the core of file redirection and encryption, and is responsible for processing the file read-write operation of the application program in the desktop working environment, executing redirection operation on the file write-in of the application program, and encrypting the written file to ensure the safety of data.
The file encryption and decryption layer comprises a file processing module, a file redirection module and an encryption and decryption service module.
The file processing module is used for receiving a file operation request of an application program in the virtual desktop from the application protection module in the desktop, and calling the file redirection module and the encryption and decryption service module to respond to the file operation request.
The file redirection module is responsible for redirecting file access (including reading and writing) of the application program to a specified position;
and the encryption and decryption module is responsible for encrypting the written file data by using a specified algorithm and decrypting the read file data by using the specified algorithm.
The specific functions of each module in the three-layer architecture of FIG. 1 are described in detail below with reference to the flowchart of steps of an embodiment of the method for controlling access to an application program of the present invention shown in FIG. 2. The method may be applied to a terminal device and may specifically include the following steps:
step 101, creating a virtual desktop;
As shown in FIG. 1, when a user chooses to create a virtual desktop on the Windows original desktop, the desktop management module may call the desktop working environment creating module to create the virtual desktop. Optionally, before creating it, the desktop working environment creating module may call the pre-creation environment detection module to detect whether the Windows environment meets the conditions for creating a virtual desktop.
The condition may be user-defined, for example that Windows is currently running preset software, or that the remaining memory exceeds a memory threshold.
The terminal device may be any device having a Windows operating system, such as a PC (personal computer), a notebook computer, a tablet computer, a mobile phone, and the like.
The original desktop is a self-contained original desktop of a Windows system, and is a known technology, and is not described herein again.
Then, when the Windows environment satisfies the conditions for creating the virtual desktop, the desktop working environment creating module may call the Windows API to create the virtual desktop; specifically, the virtual desktop may be created using the CreateDesktop function of the Windows system, the virtual desktop being a container.
Step 102, adding at least one application program in an original desktop to the virtual desktop;
the creating desktop working environment module can also add at least one application program on the original desktop to the created virtual desktop according to at least one application program selected by the user on the Windows original desktop for the created virtual desktop. Then access control can be performed on these applications on the virtual desktop.
That is, the applications in the virtual desktop are all selected from the applications installed in the original desktop.
Step 103, if any target application program in the virtual desktop is detected to be started, performing an Inline Hook on preset functions in the function libraries of Windows;
the preset functions comprise a preset network access function, a preset clipboard operation function and a preset registry processing function;
When any application program (referred to as the target APP) is started in the virtual desktop, the in-desktop application protection module injects the network and clipboard control module and the registry redirection module into the process address space of the target APP. The network and clipboard control module then performs an Inline Hook on the key functions of the Windows network function library (ws2_32.dll), i.e. the preset network access functions: the connect function (establishes a network connection), the sendto function (sends data to a specified destination) and the recvfrom function (receives data and captures the address of the sender); and on the key functions of the Windows clipboard function library, i.e. the preset clipboard operation functions: SetClipboardData (places data on the clipboard), GetClipboardData (fetches data from the clipboard), OleSetClipboard (places an IDataObject interface pointer on the clipboard) and OleGetClipboard (fetches an IDataObject interface pointer from the clipboard). Whenever the target APP calls one of the hooked functions, its network access or clipboard operation is intercepted. Likewise, the registry redirection module performs an Inline Hook on the key functions of the Windows registry function library, i.e. the preset registry processing functions such as ZwOpenKey, ZwCreateKey, ZwDeleteKey, ZwQueryKey and ZwEnumerateValueKey (exported by ntdll.dll in user mode), so that the registry operations of the target APP are intercepted when it calls them.
These registry processing functions are documented Windows native API functions and are not described in detail.
An Inline Hook is implemented inside the process of the target APP: the injected module overwrites the first instructions of each preset function (in the in-process copies of ws2_32.dll, user32.dll, ole32.dll and ntdll.dll) with a jump to a detour function of the control module, and keeps the displaced instructions in a trampoline so that the original function can still be called when the policy permits. The detour receives the same parameters as the original function, which is what makes the policy decision of step 105 and the parameter modification of step 108 possible. Because the hook lives in the user-mode address space of the hooked process, code that issues system calls directly, restores the original function bytes, or maps a fresh copy of ntdll.dll is not intercepted; this is a limitation of all user-mode hooking, and it is one reason why the file control of the later embodiments is placed in a kernel-mode micro-filter driver rather than in a hook.
Step 104, intercepting a call request of the target application program to the preset function;
when a target APP running in a virtual desktop calls a preset network access function or a preset clipboard operation function, a network and clipboard control module of the embodiment of the invention can intercept a call request of the target APP to the preset network access function or the preset clipboard operation function; when a target APP running in a virtual desktop calls a preset registry processing function, the registry redirection module of the embodiment of the present invention may intercept a call request of the target APP to the preset registry processing function.
Step 105, determining, according to the pre-configured control strategy and the parameter in the call request, the target control strategy corresponding to that parameter and the preset function;
the method of the embodiment of the present invention may configure a control policy for the target APP running in the virtual desktop in advance, for example, what kind of call request of the preset function is allowed (i.e., passed), what kind of call request of the preset function is rejected, and what kind of call request of the preset function is redirected. Therefore, the target control policy corresponding to the parameter and the called preset function in the pre-configured control policies needs to be determined according to the parameter in the call request.
Namely, the target control strategy is adopted to process the intercepted call request of the preset function.
Step 106, if the target control strategy is allowed to the call request, calling the preset function in response to the call request;
step 107, if the target control strategy is to reject the call request, responding to the call request, rejecting the call request according to a preset rejection strategy of the preset function, and returning a rejection result;
each preset function is pre-configured with a corresponding rejection strategy.
Step 108, if the target control strategy is to redirect the call request, redirecting the call request according to a preset redirection strategy of the preset function, and calling the preset function in response to the redirected call request.
Whenever one of the three kinds of preset function is pre-configured with a redirection control policy, that function is also pre-configured with a redirection strategy, so that its call request can be redirected according to that strategy. Redirecting the call request means modifying the parameters in the call request before the preset function is called, which achieves the redirection effect.
Thus, the embodiment of the present invention creates a virtual desktop, adds one or more application programs of the original desktop to it, and, when any target application program in the virtual desktop is started, performs an Inline Hook on the preset network access functions, preset clipboard operation functions and preset registry processing functions. When the target application program calls any of the hooked functions, the call request is intercepted and subjected to access control (permission, rejection or redirection) according to the pre-configured control policy, so that the application programs in the virtual desktop are access-controlled with respect to the network, the clipboard, the registry and so on, and the access security of information is ensured.
Optionally, in an embodiment, when the preset function includes a preset network access function, the parameter in the call request includes a target address field of a network address to be accessed;
That is, when the user performs a network access operation in the target APP running in the virtual desktop, for example requests the content of a link, step 104 intercepts the call request to the (previously Inline Hooked) connect function, whose parameter contains the IP address segment of the network address to be accessed.
Correspondingly, when step 105 is executed, the target control policy corresponding to the target address field may be determined according to the correspondence between different address fields and different control policies that are preset and configured for the preset network access function.
The preset network access function can comprise a plurality of key functions related to network access, and the embodiment of the invention can pre-configure the control strategy for each network access key function in advance.
For any one network access key function, different control strategies may apply depending on the parameters of the call.
Taking the connect function as an example, different control policies may be configured for different IP address segments of the network address. For example, when a connect call targets an address in IP address segment 1, the control policy is to allow access; when it targets IP address segment 2, the control policy is to refuse access; when it targets IP address segment 3, the control policy is redirected access (for example, the parameters in the call request are adjusted so that the redirected request can reach only part of the web content of IP address segment 3, or so that it reaches the web content of IP address segment 4 instead).
Thus, the embodiment of the invention can control the network access of the target APP running in the virtual desktop.
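As an added illustration of steps 104 to 108 applied to the connect function, the following C code (not part of the patent and not the applicant's implementation) models the policy lookup of step 105 as a table of IPv4 address segments in CIDR form and the three outcomes of steps 106 to 108. The rule table, the segments 10.0.0.0/8, 192.168.0.0/16 and 203.0.113.0/24, the redirect target 10.0.1.5:8080, the default-deny for destinations that match no rule, and the fake_connect stand-in for the original function are all assumptions made for this example; in a real deployment the detour is reached through the Inline Hook on connect in ws2_32.dll and calls the original function through its trampoline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The three control policy outcomes of steps 106 to 108. */
typedef enum { POLICY_ALLOW, POLICY_DENY, POLICY_REDIRECT } policy_t;

/* One row of the control policy pre-configured for the connect function: an
 * IPv4 address segment (CIDR) and the action for destinations inside it. For
 * POLICY_REDIRECT the destination is rewritten (the "parameter modification"
 * of step 108). The field layout is an assumption of this example. */
typedef struct {
    uint32_t net;            /* network address, host byte order */
    uint8_t  prefix;         /* CIDR prefix length, 0..32 */
    policy_t action;
    uint32_t redirect_ip;    /* used only for POLICY_REDIRECT */
    uint16_t redirect_port;
} net_rule_t;

/* Parse "a.b.c.d" into a host-order uint32. Returns 1 on success, 0 if malformed. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

static int in_cidr(uint32_t ip, uint32_t net, uint8_t prefix)
{
    uint32_t mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    return (ip & mask) == (net & mask);
}

/* Constructed sample policy, mirroring "IP address segment 1/2/3" of the text. */
static const net_rule_t sample_rules[] = {
    { 0x0A000000u, 8,  POLICY_ALLOW,    0,           0    },  /* 10.0.0.0/8 */
    { 0xC0A80000u, 16, POLICY_DENY,     0,           0    },  /* 192.168.0.0/16 */
    { 0xCB007100u, 24, POLICY_REDIRECT, 0x0A000105u, 8080 },  /* 203.0.113.0/24 -> 10.0.1.5:8080 */
};
#define SAMPLE_RULE_COUNT (sizeof sample_rules / sizeof sample_rules[0])

/* Step 105: the first matching rule wins. Unlisted destinations are denied;
 * that default is a design choice of this example, the text specifies none. */
static policy_t lookup_policy(const net_rule_t *rules, size_t n, uint32_t ip, const net_rule_t **hit)
{
    for (size_t i = 0; i < n; i++) {
        if (in_cidr(ip, rules[i].net, rules[i].prefix)) { *hit = &rules[i]; return rules[i].action; }
    }
    *hit = NULL;
    return POLICY_DENY;
}

/* Stand-in for the original connect that the hook's trampoline would reach. */
typedef int (*connect_fn)(uint32_t ip, uint16_t port);
static int fake_connect(uint32_t ip, uint16_t port) { (void)ip; (void)port; return 0; }

/* The detour an Inline Hook on connect would jump to. Applies the target
 * policy and reports the destination actually passed on (*final_ip/port) and
 * the return value the application sees (*rc; -1 is the rejection result). */
static policy_t hooked_connect(const net_rule_t *rules, size_t n, connect_fn orig,
                               uint32_t ip, uint16_t port,
                               uint32_t *final_ip, uint16_t *final_port, int *rc)
{
    const net_rule_t *hit;
    policy_t p = lookup_policy(rules, n, ip, &hit);
    *final_ip = ip;
    *final_port = port;
    if (p == POLICY_REDIRECT) {          /* step 108: rewrite parameters, then call through */
        *final_ip = hit->redirect_ip;
        *final_port = hit->redirect_port;
        *rc = orig(*final_ip, *final_port);
    } else if (p == POLICY_ALLOW) {      /* step 106: call through unchanged */
        *rc = orig(ip, port);
    } else {                             /* step 107: the original is never called */
        *rc = -1;
    }
    return p;
}

int main(void)
{
    const char *targets[] = { "10.1.2.3", "192.168.5.5", "203.0.113.9", "8.8.8.8" };
    const char *names[] = { "allow", "deny", "redirect" };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        uint32_t ip, fip; uint16_t fport; int rc;
        if (!parse_ipv4(targets[i], &ip)) continue;
        policy_t p = hooked_connect(sample_rules, SAMPLE_RULE_COUNT, fake_connect,
                                    ip, 443, &fip, &fport, &rc);
        printf("%-12s -> %-8s rc=%d final=%u.%u.%u.%u:%u\n", targets[i], names[p], rc,
               fip >> 24, (fip >> 16) & 255, (fip >> 8) & 255, fip & 255, fport);
    }
    return 0;
}
```

Two practical points follow from the model: a connect hook sees only the IP address and port, so "only part of the web content" of a segment (as the text puts it for the redirect case) cannot be decided at this layer and needs an additional hook or proxy that sees the request URL; and the same detour must also cover sendto, since UDP traffic never passes through connect.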
Optionally, when the preset function includes a preset clipboard operation function, the parameter in the call request includes a text to be pasted, a first desktop identifier to which a source file corresponding to the text to be pasted belongs, and a second desktop identifier to which a target file corresponding to the text to be pasted belongs;
that is to say, when a user performs a key operation of a clipboard on a target APP running in a virtual desktop, for example, copies a certain text content in the target APP and wants to paste to another desktop (which may be an original desktop or another virtual desktop), step 104 may intercept a call request for a clipboard paste function (which is Inline Hook in advance), where parameters in the call request include a text to be pasted, a first desktop identifier to which a source file corresponding to the text to be pasted belongs, and a second desktop identifier to which a target file corresponding to the text to be pasted belongs;
wherein, during copy and paste operation or cut and paste operation, the copied/cut text to be pasted belongs to a source file. For example, the target APP in this embodiment runs in the virtual desktop 1, and the user copies/cuts content in a certain file (i.e., a source file) in the target APP in the virtual desktop 1, and wants to paste the content into another virtual desktop 2 or another file (i.e., a target file) of the original desktop. The system call request for the paste operation includes not only the cut/copied text to be pasted, but also the desktop id of virtual desktop 1 and the desktop id of virtual desktop 2/original desktop.
The clipboard is public and its data is shared across desktops. By hooking the preset clipboard operation functions, the process from which the information to be pasted was copied onto the clipboard can be obtained, and therefore the data source and the related desktop control information are known, so that clipboard control among different virtual desktops can be achieved.
Accordingly, when step 105 is performed, it can be implemented as follows:
judging whether the first desktop identifier and the second desktop identifier are the same;
if the two desktop identifiers are the same, determining, according to the control strategy pre-configured for the preset clipboard operation function, that the target control strategy is to allow the call request;
If the two identifiers are the same, the user's copy-paste/cut-paste operation on the content of a file in the target APP in virtual desktop 1 is a clipboard operation within the same virtual desktop: the copied or cut content is to be pasted into a target file in virtual desktop 1, where the target file may be in the target APP or in another APP added to virtual desktop 1. The source and target files may also be the same file.
Then the control policy for the call request may be determined to have passed since the copy/cut-paste operation was within the same virtual desktop. The system may call the pre-defined clipboard operation function to perform the copy/cut and paste operations of the text within the same virtual desktop.
The preset clipboard operation functions may include several key functions related to clipboard operation. The control strategy pre-configured for these key functions is that a clipboard operation within the same virtual desktop is passed through unchanged, and a clipboard operation between different desktops is rejected.
If the two desktop identifiers differ, determining, according to the control strategy pre-configured for the preset clipboard operation function, that the target control strategy is to reject the call request;
If the two identifiers differ, the user's copy-paste/cut-paste operation on the content of a file in the target APP in virtual desktop 1 aims to paste the text into a target file in another desktop (the original desktop or another virtual desktop), where the target file may be in the target APP.
Then the control policy for the call request may be determined to be a rejection thereof, since the copy/cut-and-paste operation is an operation between different desktops.
Then, in step 107, if the target control policy is to reject the call request, in response to the call request, performing preset modification on the text to be pasted in the call request according to a preset rejection policy of the preset clipboard operation function, and returning a modification result, where the preset modification includes clearing characters or disordering an arrangement order of the characters.
When a call request of a key function of a clipboard related operation is rejected, the rejection mode may be to modify a text to be pasted in the call request, for example, to modify the text to be pasted in a mode of clearing the text to be pasted or disordering the character arrangement order, and then, in response to the call request, return the modified text to be pasted to the pasted position. In this way, in the other desktop, the pasted content is the content which has been modified, and the information in the virtual desktop is ensured to be safe.
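As an added illustration of the clipboard branch of steps 105 and 107 (example code, not part of the patent), the following C models the intercepted paste request as a text plus the two desktop identifiers, allows the paste when the identifiers match, and otherwise hands back a modified text in one of the two preset ways the text names: cleared, or with its characters disordered. The structure layout, the fixed-seed shuffle and the sample text "secret report" are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { CLIP_ALLOW, CLIP_DENY } clip_policy_t;
typedef enum { REJECT_CLEAR, REJECT_SHUFFLE } reject_mode_t;   /* the two preset modifications */

/* The parameters the text attributes to an intercepted paste request.
 * Field names are an assumption of this example. */
typedef struct {
    const char *text;        /* text to be pasted */
    uint32_t    src_desktop; /* first desktop identifier (desktop of the source file) */
    uint32_t    dst_desktop; /* second desktop identifier (desktop of the target file) */
} paste_request_t;

/* Step 105 for the clipboard: same desktop -> pass, different desktops -> reject. */
static clip_policy_t clipboard_policy(const paste_request_t *r)
{
    return r->src_desktop == r->dst_desktop ? CLIP_ALLOW : CLIP_DENY;
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out) memcpy(out, s, n);
    return out;
}

/* Fisher-Yates shuffle driven by a small LCG with a fixed seed, so that the
 * "disordered" output is reproducible. */
static void shuffle_bytes(char *buf, size_t n, uint32_t seed)
{
    if (n < 2) return;
    for (size_t i = n - 1; i > 0; i--) {
        seed = seed * 1103515245u + 12345u;
        size_t j = (seed >> 16) % (i + 1);
        char t = buf[i]; buf[i] = buf[j]; buf[j] = t;
    }
}

/* Detour logic for a hooked paste: returns a heap copy of what is handed to
 * the pasting application (caller frees) and reports the policy applied.
 * Allowed requests get the text verbatim (step 106); rejected ones get the
 * modified text of step 107, either cleared or shuffled. */
static char *hooked_paste(const paste_request_t *r, reject_mode_t mode, clip_policy_t *applied)
{
    *applied = clipboard_policy(r);
    if (*applied == CLIP_ALLOW) return dup_str(r->text);
    if (mode == REJECT_CLEAR) return dup_str("");
    char *out = dup_str(r->text);
    if (out) shuffle_bytes(out, strlen(out), 0x5EC1u);
    return out;
}

/* 1 if a and b contain the same characters with the same multiplicities. */
static int same_multiset(const char *a, const char *b)
{
    int count[256] = {0};
    for (; *a; a++) count[(unsigned char)*a]++;
    for (; *b; b++) count[(unsigned char)*b]--;
    for (int i = 0; i < 256; i++) if (count[i]) return 0;
    return 1;
}

int main(void)
{
    paste_request_t same  = { "secret report", 1, 1 };   /* constructed: paste within desktop 1 */
    paste_request_t cross = { "secret report", 1, 2 };   /* constructed: paste from desktop 1 into 2 */
    clip_policy_t p;
    char *a = hooked_paste(&same, REJECT_SHUFFLE, &p);
    char *b = hooked_paste(&cross, REJECT_SHUFFLE, &p);
    printf("same desktop : \"%s\"\ncross desktop: \"%s\"\n", a, b);
    free(a);
    free(b);
    return 0;
}
```

Of the two rejection modes, clearing is the safer choice: a shuffled text still reveals the length and the exact character multiset of the copied data (same_multiset above demonstrates that the shuffle preserves it), which is enough to leak short secrets.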
Optionally, the preset registry processing function includes a registry writing function, and when the preset function includes the registry writing function, the parameter in the call request includes an original path of an item to be written in an original registry, a target key of the item to be written, and a target value of the target key;
That is, when the user performs a registry write operation in the target APP running in the virtual desktop, step 104 intercepts the call request to the (previously Inline Hooked) registry write function, whose parameters include the original path of the item to be written in the original registry, the target key of that item, and the target value of the target key;
the structure of the registry is a tree directory formed by various items, wherein each item has one or more keys, and each key can be assigned with a value.
Then, since the target APP requests to write into the registry in the virtual desktop, the call request carries the original path of the item to be written this time in the original registry, which key (i.e. target key) of the item to be written this time, and the value written to the key, i.e. target value.
Correspondingly, when step 105 is executed, according to the control policy preconfigured for the preset registry writing function and the parameter in the call request, determining that the target control policy corresponding to the parameter and the preset registry writing function is to redirect the call request;
In order to keep the registry operations of different desktops independent of each other, the control policy pre-configured for the registry write function is to redirect its call request.
Accordingly, when step 108 is performed, it can be implemented as follows:
if the target control strategy is to redirect the call request, creating a redirection registry in the subkeys of the target key of the original registry according to the original path;
For illustration, take the directory structure of the original registry as a tree: each item in the original registry is a trunk of the tree, each key of the item is a leaf on that trunk, and the value of the key is the colour of the leaf. Suppose the current registry write operation modifies the colour of leaf 1 (the target key) on trunk 1 (the target item) to green (the target value). To prevent the APP in the virtual desktop from directly modifying the value of the target key of the target item in the original registry, a new tree is re-created according to the original path of leaf 1 in the whole tree structure (the new tree does not contain all the paths of the original registry; only the original path of leaf 1 is sketched out), and the root of the re-created tree is created on a sub-leaf (i.e. a subkey) of leaf 1. The re-created tree is the redirection registry. Thus the redirection registry also contains a trunk 1 (referred to as trunk 1') and a leaf 1 (referred to as leaf 1').
Modifying the original path in the calling request into a redirection path of the item to be written in the redirection registry;
For example, when the value of the color key in the Color item under the root directory is to be modified, the original path is: root directory, Color item, color key; and the redirection path is that same path re-created beneath the redirection root, which itself is a subkey of the color key of the original path, i.e.: root directory, Color item, color key, redirection root, Color item, color key.
And calling the preset registry writing function in response to the redirected calling request, and writing the target value into the value of the target key of the redirection path in the redirection registry.
Here, the target value is written into the value of the color key of the Color item that lies beneath the redirection root under the color key of the original path, i.e. into the redirection registry, while the value in the original item is left unchanged.
The embodiment of the invention starts from the practical requirements and application angles, and can carry out omnibearing access control on the application program in the newly-built desktop working environment by using the HOOK technology (controlling clipboard, network, registry and the like) based on the multi-desktop safety working environment of the windows platform.
Optionally, when the registry redirection module intercepts a read operation on the registry, if the key of the target item to be read exists in the redirection registry, it is read from there directly; if it does not exist, the key is read from the original registry and the directory in which it lies is sketched into the redirection registry, so that later reads and writes of that key are served from the redirection registry.
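As an added illustration of the registry redirection described above (the write redirection of steps 105 to 108 and the optional read fallback), the following C code (not part of the patent and not the applicant's implementation) models a registry as a flat list of (item path, key, value) entries, builds the redirection path in the form the text describes, writes only into the redirection registry, and on a read sketches a missing key from the original registry into the redirection registry. The in-memory model, the entry limits and the redirection root name "VDesk1Redirect" are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES   64
#define REDIRECT_ROOT "VDesk1Redirect"   /* hypothetical name of the re-created tree's root */

/* Flat model of a registry: one entry per (item path, key) pair. */
typedef struct { char path[256]; char key[64]; char value[128]; } reg_entry_t;
typedef struct { reg_entry_t e[MAX_ENTRIES]; size_t n; } registry_t;

static reg_entry_t *reg_find(registry_t *r, const char *path, const char *key)
{
    for (size_t i = 0; i < r->n; i++)
        if (strcmp(r->e[i].path, path) == 0 && strcmp(r->e[i].key, key) == 0) return &r->e[i];
    return NULL;
}

/* Create or overwrite (path, key) = value. Returns 0 when full or truncated. */
static int reg_set(registry_t *r, const char *path, const char *key, const char *value)
{
    reg_entry_t *e = reg_find(r, path, key);
    if (!e) {
        if (r->n == MAX_ENTRIES) return 0;
        e = &r->e[r->n];
        if (snprintf(e->path, sizeof e->path, "%s", path) >= (int)sizeof e->path) return 0;
        if (snprintf(e->key, sizeof e->key, "%s", key) >= (int)sizeof e->key) return 0;
        r->n++;
    }
    return snprintf(e->value, sizeof e->value, "%s", value) < (int)sizeof e->value;
}

/* The redirection path of the text: the re-created tree is rooted in a subkey
 * of the target key, and the original path is sketched out again beneath it:
 *   HKCU\Software\Color + key "color"
 *   -> HKCU\Software\Color\color\VDesk1Redirect\HKCU\Software\Color            */
static int build_redirect_path(const char *orig_path, const char *target_key, char *out, size_t outlen)
{
    int len = snprintf(out, outlen, "%s\\%s\\%s\\%s", orig_path, target_key, REDIRECT_ROOT, orig_path);
    return len > 0 && (size_t)len < outlen;
}

/* Step 108 for a hooked registry write: the value lands in the redirection
 * registry; the original item is never modified. */
static int hooked_reg_write(registry_t *r, const char *orig_path, const char *key, const char *value)
{
    char rp[512];
    if (!build_redirect_path(orig_path, key, rp, sizeof rp)) return 0;
    return reg_set(r, rp, key, value);
}

/* Hooked registry read with the copy-on-read fallback: serve from the
 * redirection registry if present, otherwise read the original and sketch the
 * key into the redirection registry. Returns NULL if the key exists nowhere. */
static const char *hooked_reg_read(registry_t *r, const char *orig_path, const char *key)
{
    char rp[512];
    if (!build_redirect_path(orig_path, key, rp, sizeof rp)) return NULL;
    reg_entry_t *e = reg_find(r, rp, key);
    if (e) return e->value;
    e = reg_find(r, orig_path, key);
    if (!e || !reg_set(r, rp, key, e->value)) return NULL;
    return reg_find(r, rp, key)->value;
}

int main(void)
{
    registry_t reg;
    memset(&reg, 0, sizeof reg);                        /* constructed "original registry" */
    reg_set(&reg, "HKCU\\Software\\Color", "color", "red");
    hooked_reg_write(&reg, "HKCU\\Software\\Color", "color", "green");
    printf("virtual desktop sees: %s\n", hooked_reg_read(&reg, "HKCU\\Software\\Color", "color"));
    printf("original item still:  %s\n", reg_find(&reg, "HKCU\\Software\\Color", "color")->value);
    return 0;
}
```

Note that the redirection registry is itself a subtree of the original registry, so its contents are visible to any process on the original desktop that enumerates below the target key; isolating it from such readers is a matter of key ACLs and is not addressed by the hook alone.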
Optionally, after step 102, the method according to the embodiment of the present invention may further include:
if the preset micro-filter driver detects a file operation request of any started target application program in the virtual desktop, judging the file operation type according to the file operation request;
The embodiment of the present invention develops the preset micro-filter driver on the file system minifilter framework of Microsoft, in which the driver is registered with the Filter Manager in advance. Any file operation request in the virtual desktop is read and written only after being filtered by the preset micro-filter driver.
Wherein the predetermined micro-filter driver is configured in the document processing module of FIG. 1.
If the user wants to open, read or write file data with a started target APP in the virtual desktop, the file operation request, after entering the kernel layer, is taken over by the file minifilter framework driver A of Microsoft (the Filter Manager, fltmgr.sys); the framework driver A then calls the micro-filter driver B registered with it to process the request, and driver B determines whether the file operation type of the request is opening a file, reading a file or writing file data.
The file operation request carries an identifier indicating the type of file operation (in the minifilter framework this is the major function code of the I/O request, such as IRP_MJ_CREATE, IRP_MJ_READ or IRP_MJ_WRITE). The micro-filter driver determines the file operation type of the request from this identifier.
If the file operation type is an open file, determining a target file name in the file operation request and an original directory of the target file in an original desktop;
if the file operation type is to open a file, that is, the target APP wants to open a file, the file operation request, that is, the file open request, will record the name of the file C (target file) to be opened and the original directory of the file C in the original desktop.
Redirecting the original directory in a storage space corresponding to the virtual desktop according to the structure of the original directory to obtain a redirected directory of the target file;
in this case, each time a virtual desktop is created, the embodiment of the present invention may allocate a separate empty storage space for the virtual desktop, and any file data generated by operating an application program in the virtual desktop is stored in the storage space.
In order to ensure the independence of operations on the same file between different desktops and avoid mutual interference, the embodiment of the present invention may redraw the structure in the storage space according to the structure of the file C in the original directory of the original desktop, so as to obtain the redirection directory of the file C in the virtual desktop.
Wherein the original directory and the redirected directory of the file C are completely identical in structure, but they are located in different storage spaces, respectively.
Copying a target file with the target file name in the original directory of the original desktop to the redirection directory of the virtual desktop;
since the redirected directory does not have specific file data yet, the target APP requests to open the file C, and therefore, the file C of the target file name needs to be read from the original directory of the original desktop, and the data of the file C needs to be copied to the redirected directory of the virtual desktop.
That is, the data of file C is actually stored at the redirection directory of the storage space.
In response to a file operation request, opening the target file at the redirect directory having the target file name.
Here, i.e., in response to a file open request, file C at the redirected directory in the storage space is opened, while file C under the original directory of the original desktop is not opened.
Therefore, the embodiment of the invention can realize access control on different application programs on different desktops, further can separate the sensitive application programs from the original desktop, realizes safe access of the application without increasing the cost, and prevents divulgence.
Optionally, if the preset micro-filter driver detects a file operation request of any one started target application program in the virtual desktop, after determining a file operation type according to the file operation request, the method according to the embodiment of the present invention may further include:
if the file operation type is file write operation, determining a target file name in the file operation request and an original directory of a target file in an original desktop;
if the file operation type is a file write operation, that is, the target APP wants to write a file, the file operation request, that is, the file write request, records the name of a file C (target file) to be written and the original directory of the file C in the original desktop.
Redirecting the original directory in a storage space corresponding to the virtual desktop according to the structure of the original directory to obtain a redirected directory of the target file;
the specific implementation of this step is similar to the specific description of the previous file opening embodiment, and is not described here again.
Copying a target file in the original directory of the original desktop to the redirection directory of the virtual desktop;
the specific implementation of this step is similar to the specific description of the previous file opening embodiment, and is not described here again.
Responding to a file operation request, and performing write operation on a target file at the redirection directory;
the target file at the redirection directory of the virtual desktop can be subjected to data writing operation in response to a file writing request, wherein the data to be written is carried in the file writing request.
And encrypting the target file after the write operation according to a preset encryption algorithm.
After the write operation, the file processing module may further call the encryption and decryption service module to encrypt and store the target file (i.e., the entire content of the file) after the write operation at the redirection directory according to a preset encryption algorithm.
In this way, the embodiment of the present invention can separately store the file data generated by the application program operation in the virtual desktop in the specific area, and deny the data access to the specific area by the application programs in other desktops except the virtual desktop.
It can be understood that, when multiple virtual desktops are created in the embodiment of the present invention, even if each virtual desktop operates the same application program, each file data generated by the operation is separately stored in the storage space corresponding to each virtual desktop, and the original data of the application program on the original desktop is not changed, and the data generated by different virtual desktops can only be accessed by the application programs in the respective virtual desktops, and application access of other desktops is denied, which ensures that the original data of the original desktop is not modified at will, and moreover, access control of mutually independent application programs can be performed on different virtual desktops.
Optionally, if the preset micro-filter driver detects a file operation request of any one started target application program in the virtual desktop, after determining a file operation type according to the file operation request, the method according to the embodiment of the present invention may further include:
if the file operation type is file reading operation, determining a target file name in the file operation request and an original directory of a target file in an original desktop;
If the file operation type is a file read operation, that is, the target APP wants to read a file, the file operation request, that is, the file read request, records the name of the file C (target file) in which the data to be read is located and the original directory of file C in the original desktop.
Determining a redirection directory of the target file in the virtual desktop according to the original directory;
Here it is assumed that the original directory of file C has already been redirected in the virtual desktop, so the redirection directory can be determined directly from the original directory.
If, in other embodiments, file C is not found by looking up the storage space of the virtual desktop, the redirection directory of the target file may be drawn as in the embodiment of the write operation on target file C, and target file C may be stored at the redirection directory in encrypted form;
for specific description, reference is made to the above file writing operation embodiments, which are not described herein again.
Decrypting the target file with the target file name at the redirection directory according to a preset decryption algorithm;
because the files in the redirection directory in the virtual desktop are stored in an encrypted manner, the target file C can be decrypted by the encryption and decryption service module according to a preset decryption algorithm, and the plaintext of the file C is obtained.
The decryption can be performed in memory, so that after this read the copy of file C in the redirection directory remains stored in encrypted form.
And responding to the file operation request, performing read operation on the decrypted target file, and returning a read result.
The decrypted target file can be read in response to the file reading request, and the read file data plaintext is returned to the upper layer target APP.
By means of the technical scheme of the embodiment of the present invention, when several virtual desktops are created and each of them runs the same application program, the file data generated by the operation in each virtual desktop is stored independently in the storage space corresponding to that virtual desktop, the original data of the application program on the original desktop is not changed, and the data generated in a virtual desktop can be accessed only by the application programs in that virtual desktop, while application access from other desktops is denied. This ensures that the original data of the original desktop is not modified at will, and that mutually independent access control of application programs can be executed on different virtual desktops.
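As an added illustration of the file redirection embodiments above (file open, file write and file read through the micro-filter driver), the following C code (not part of the patent and not the applicant's implementation) models, in user mode and on POSIX paths, what the driver does per request: it maps the original path onto the virtual desktop's private storage space while preserving the directory structure, copies the original there on first access, writes only to the redirected copy, stores that copy encrypted, and decrypts in memory on read so the copy on disk stays encrypted. It departs from the text in one deliberate way: the copy made on first access is encrypted at once, so that the store is uniformly encrypted and the read path never has to guess whether a copy is plaintext. The store layout, the helper names, and the repeating-key XOR stand-in for the unspecified "preset encryption algorithm" are assumptions of this example; the XOR is not a real cipher and is there only so the code runs without a crypto library.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* STAND-IN for the unspecified "preset encryption algorithm": repeating-key XOR
 * with a constant invented for the example. NOT a real cipher; a deployment
 * would use an authenticated cipher (e.g. AES-GCM) with a per-desktop key. */
static const unsigned char STORE_KEY[17] = "vdesk-demo-key!!";
static void xor_transform(unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) buf[i] ^= STORE_KEY[i % 16];
}

/* Map an original path onto the desktop's private store, preserving the
 * directory structure ("C:" is dropped and '\' becomes '/' so this runs on POSIX). */
static int redirect_path(const char *store, const char *orig, char *out, size_t outlen)
{
    if (orig[0] && orig[1] == ':') orig += 2;
    while (*orig == '/' || *orig == '\\') orig++;
    int w = snprintf(out, outlen, "%s/", store);
    if (w < 0 || (size_t)w >= outlen) return 0;
    size_t n = (size_t)w;
    for (; *orig; orig++) {
        if (n + 1 >= outlen) return 0;
        out[n++] = (*orig == '\\') ? '/' : *orig;
    }
    out[n] = '\0';
    return 1;
}

/* mkdir -p for every directory component above the file named by path. */
static int mkdir_parents(const char *path)
{
    char tmp[1024];
    if (snprintf(tmp, sizeof tmp, "%s", path) >= (int)sizeof tmp) return 0;
    for (char *p = tmp + 1; *p; p++) {
        if (*p != '/') continue;
        *p = '\0';
        if (mkdir(tmp, 0700) != 0 && errno != EEXIST) return 0;
        *p = '/';
    }
    return 1;
}

static long read_all(const char *path, unsigned char *buf, size_t cap)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap, f);
    fclose(f);
    return (long)n;
}

static int write_all(const char *path, const unsigned char *buf, size_t n)
{
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    int ok = fwrite(buf, 1, n, f) == n;
    return fclose(f) == 0 && ok;
}

/* Copy-on-first-access: if the redirected file does not exist yet, sketch the
 * directory structure in the store and copy the original there, encrypted at
 * rest. A missing original yields an empty redirected file (a new file). */
static int materialize(const char *store, const char *orig, char *rpath, size_t rlen)
{
    unsigned char buf[4096];
    struct stat st;
    if (!redirect_path(store, orig, rpath, rlen)) return 0;
    if (stat(rpath, &st) == 0) return 1;                /* already redirected */
    if (!mkdir_parents(rpath)) return 0;
    long n = read_all(orig, buf, sizeof buf);
    if (n < 0) n = 0;
    xor_transform(buf, (size_t)n);
    return write_all(rpath, buf, (size_t)n);
}

/* File write: replace the redirected copy and store it encrypted; the file in
 * the original directory is never touched. */
static int vd_write(const char *store, const char *orig, const unsigned char *data, size_t n)
{
    char rpath[1024];
    unsigned char buf[4096];
    if (n > sizeof buf || !materialize(store, orig, rpath, sizeof rpath)) return 0;
    memcpy(buf, data, n);
    xor_transform(buf, n);
    return write_all(rpath, buf, n);
}

/* File read: decrypt in memory only, so the copy in the store stays encrypted.
 * Returns the plaintext length, or -1 on error. */
static long vd_read(const char *store, const char *orig, unsigned char *out, size_t cap)
{
    char rpath[1024];
    if (!materialize(store, orig, rpath, sizeof rpath)) return -1;
    long n = read_all(rpath, out, cap);
    if (n > 0) xor_transform(out, (size_t)n);
    return n;
}
```

A typical sequence is vd_write(store, "C:\\Users\\demo\\notes.txt", data, len) followed by vd_read on the same original path, which returns the plaintext while read_all on the redirected path returns only the encrypted bytes and the file at the original path is unchanged. Two caveats carry over to a real driver: the whole-file encrypt-after-write of the text is costly for large files and is normally replaced by a sector-aligned scheme in the minifilter's read/write callbacks; and the store is only as secret as its key, which must not be derivable from anything on the same disk if the "hard disk separated from the virtual desktop" case in the summary is to hold.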
Optionally, the method according to the embodiment of the present invention may further include:
and if the virtual desktop is closed, removing temporary data and/or redirection data generated in the virtual desktop according to a pre-configured data cleaning strategy.
If the user closes the virtual desktop, the exit desktop operating environment module shown in fig. 1 may call the exit environment cleaning module to clean temporary data and/or redirection data generated in the virtual desktop according to a pre-configured data cleaning policy.
The temporary data may be any or all of file data generated by operations such as file opening, file reading, file writing, and the like, and the redirection data may be any of the redirection data in the above embodiments.
And specifically, which data is to be cleaned is determined according to a pre-configured data cleaning strategy. The embodiment of the invention can preset a data cleaning strategy of the currently created virtual desktop according to the user requirements, for example, only cleaning redirection data; or only temporary data, etc.
Optionally, after step 102, the method according to the embodiment of the present invention may further include:
if the access request of any application program is detected, judging whether the application program is a target application program in the virtual desktop or not;
in the created virtual desktop, if an access request of any application program is detected, it needs to first determine whether the application program is an application program in the virtual desktop, which is referred to as a target application program herein.
If not, the access request is rejected.
Therefore, after the virtual desktop is created, the embodiment of the invention can only accept the program access in the desktop in the virtual desktop, but deny the application access in other desktops, thereby achieving the access control of different applications in different virtual desktops.
The virtual desktops created in the above embodiments may be multiple, and their working principles are similar, which are not described herein again.
By means of the technical scheme of the embodiment of the invention, in a multi-desktop secure working environment on the Windows platform, the clipboard, network, registry and the like are controlled using hook technology, file data generated in the virtual desktop is redirected and encrypted or decrypted, and the working environment of the newly created virtual desktop is protected comprehensively.
After entering a given virtual desktop, the clipboard operations, registry processing and network operations of application programs in that virtual desktop are protected, generated file data is encrypted and stored in a specified area, and application access from outside the local virtual desktop environment is denied (for example, if the file redirection directory of the local virtual desktop is location 1 on drive C, programs in other virtual desktops cannot access that location).
In addition, the access range of the application programs in each virtual desktop can be set independently, and the data generated in each virtual desktop is isolated from and invisible to the others.
When any virtual desktop is exited, whether the data generated in it is retained (the registry, files in the redirection directory, and so on) can be decided according to a configuration made in advance.
The virtual desktop created by the embodiment of the invention can exercise comprehensive control over the clipboard, registry, network and file operations of an application program without changing how the user operates that application program. Even if the hard disk of the virtual desktop (on which the data in the virtual desktop is stored) is separated from the virtual desktop, the data on the hard disk is encrypted, so the data generated in the secure desktop working environment is protected and unauthorized access is prevented.
In addition, the virtual desktop provided by the embodiment of the invention allows different desktops to access different applications according to user requirements, and can separate sensitive applications from ordinary desktops, thereby achieving secure access to applications without additional cost and preventing leaks of confidential information.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the illustrated order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments of the present invention. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred and that no particular act is required to implement the invention.
Corresponding to the method provided by the foregoing embodiment of the present invention, referring to fig. 3, a block diagram of an embodiment of an access control apparatus for an application program according to the present invention is shown, which is applied to a terminal device, and specifically includes the following modules:
a creation module 31 for creating a virtual desktop;
an adding module 32, configured to add at least one application in the original desktop to the virtual desktop;
the Hook module 33 is configured to perform Inline Hook on a preset function in a function library of Windows if it is detected that any one target application program in the virtual desktop is started, where the preset function includes a preset network access function, a preset clipboard operation function, and a preset registry processing function;
an intercepting module 34, configured to intercept a call request of the target application program to the preset function;
a first determining module 35, configured to determine, according to a pre-configured control policy and a parameter in the call request, a target control policy corresponding to the parameter and the preset function;
a first response module 36, configured to, if the target control policy is allowed for the call request, call the preset function in response to the call request;
a second response module 37, configured to, if the target control policy is to reject the call request, respond to the call request by rejecting it according to a preset rejection policy of the preset function and returning a rejection result;
a third response module 38, configured to, if the target control policy is to redirect the call request, redirect the call request according to a preset redirection policy of the preset function, and call the preset function in response to the redirected call request.
Optionally, the first determining module 35 includes:
a first determining submodule, configured to determine, when the preset function comprises a preset network access function, a target control policy corresponding to the target address field according to a preset correspondence, configured for the preset network access function, between different address fields and different control policies, wherein the parameter in the call request comprises the target address field of the network address to be accessed.
Optionally, the first determining module 35 includes:
a judgment submodule, configured to determine, when the preset function comprises a preset clipboard operation function, whether the first desktop identifier and the second desktop identifier are the same, wherein the parameters in the call request comprise a text to be pasted, a first desktop identifier to which the source file corresponding to the text to be pasted belongs, and a second desktop identifier to which the target file corresponding to the text to be pasted belongs;
a second determining submodule, configured to determine, if the two identifiers are the same, that the target control policy is to allow the call request according to a control policy preset and configured for the preset clipboard operation function;
a third determining submodule, configured to determine, if the two identifiers are different, that the target control policy is to reject the call request according to a control policy preset and configured for the preset clipboard operation function;
the second response module 37 includes:
a second response submodule, configured to, if the target control policy is to reject the call request, respond to the call request by applying a preset modification to the text to be pasted in the call request according to the preset rejection policy of the preset clipboard operation function and returning the modification result, wherein the preset modification comprises clearing the characters or scrambling the character order.
Optionally, the first determining module 35 includes:
a fourth determining submodule, configured to, when the preset registry processing function comprises a registry writing function and the preset function comprises that registry writing function (in which case the parameters in the call request comprise an original path of an item to be written in the original registry, a target key of the item to be written, and a target value of the target key), determine, according to a control policy preconfigured for the preset registry writing function and the parameters in the call request, that the target control policy corresponding to the parameters and the preset registry writing function is to redirect the call request;
the third response module 38 includes:
a creating submodule, configured to create a redirection registry in a sub-key of the target key of the original registry according to the original path if the target control policy is to redirect the call request;
a modification submodule, configured to modify the original path in the call request to a redirection path of the to-be-written item in the redirection registry;
and the third response submodule is used for responding to the redirected calling request to call the preset registry writing function and writing the target value into the value of the target key of the redirection path in the redirection registry.
Optionally, the apparatus further comprises:
a first judgment module, configured to determine the file operation type from the file operation request if the preset micro-filter driver detects a file operation request from any started target application program in the virtual desktop;
a second determining module, configured to determine, if the file operation type is a file open operation, the name of the target file in the file operation request and the original directory of the target file in the original desktop;
a first redirection module, configured to redirect the original directory into a storage space corresponding to the virtual desktop according to the structure of the original directory, obtaining a redirection directory of the target file;
a first copying module, configured to copy the target file with the target file name from the original directory of the original desktop to the redirection directory of the virtual desktop;
a fourth response module, configured to open the target file with the target file name at the redirection directory in response to the file operation request.
Optionally, the apparatus further comprises:
a third determining module, configured to determine, if the file operation type is a file write operation, a name of a target file in the file operation request and an original directory of the target file in an original desktop;
the second redirection module is used for redirecting the original directory in a storage space corresponding to the virtual desktop according to the structure of the original directory to obtain a redirected directory of the target file;
a second copying module, configured to copy a target file in the original directory of the original desktop to the redirection directory of the virtual desktop;
a fifth response module, configured to perform a write operation on the target file in the redirection directory in response to the file operation request;
and the encryption module is used for encrypting the target file after the write operation according to a preset encryption algorithm.
Optionally, the apparatus further comprises:
a fourth determining module, configured to determine, if the file operation type is a file read operation, a name of a target file in the file operation request and an original directory of the target file in an original desktop;
a fifth determining module, configured to determine, according to the original directory, a redirection directory of the target file in the virtual desktop;
the decryption module is used for decrypting the target file with the target file name at the redirection directory according to a preset decryption algorithm;
and the sixth response module is used for responding to the file operation request, performing read operation on the decrypted target file and returning a read result.
Optionally, the apparatus further comprises:
and the clearing module is used for clearing temporary data and/or redirection data generated in the virtual desktop according to a pre-configured data clearing strategy if the virtual desktop is closed.
Optionally, the apparatus further comprises:
the second judgment module is used for judging whether the application program is a target application program in the virtual desktop or not if the access request of any application program is detected;
and the rejecting module is used for rejecting the access request if the second judging module determines that the application program is not the target application program in the virtual desktop.
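The decision logic that the modules above describe, written out as a standalone policy engine. This is an added illustration for this page, not the patent's or the assignee's code; the inline hook and micro-filter driver layers that would intercept the calls are left out, and the dotted-prefix form of an "address field", the per-desktop storage layout and the location of the redirection registry are assumptions.

```python
"""Standalone policy engine modelled on the control flow of the apparatus modules.

Added illustration for this page, not the patent's or the assignee's code.
The inline hook and micro-filter layers that intercept calls are left out; this
is only the decision logic such a hook or filter callback would consult.
Assumed (not given on the page): the dotted-prefix form of an "address field",
the per-desktop storage layout, and the location of the redirection registry.
"""
import random
from dataclasses import dataclass, field
from enum import Enum
from pathlib import PureWindowsPath

# Assumed root key under which each desktop's redirected registry items live.
REDIRECT_REG_ROOT = r"HKEY_CURRENT_USER\Software\VirtualDesktop"


class Policy(Enum):
    ALLOW = "allow"
    REJECT = "reject"
    REDIRECT = "redirect"


@dataclass
class Desktop:
    desktop_id: str
    storage_root: str                      # per-desktop storage space for redirected files
    members: frozenset = frozenset()       # target applications added to this desktop
    # Assumed encoding of "address field -> control policy": dotted IPv4 prefixes.
    network_rules: dict = field(default_factory=dict)


def network_policy(desktop, address):
    """Longest matching address-field prefix decides; an unmatched address is rejected."""
    best = None
    for prefix in desktop.network_rules:
        if address.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return desktop.network_rules[best] if best is not None else Policy.REJECT


def clipboard_policy(first_desktop_id, second_desktop_id):
    """Paste is allowed only when source and target file belong to the same desktop."""
    return Policy.ALLOW if first_desktop_id == second_desktop_id else Policy.REJECT


def reject_paste(text, mode="clear", rng=None):
    """Preset rejection for the clipboard function: clear the text or scramble its characters."""
    if mode == "clear":
        return ""
    chars = list(text)
    (rng or random.Random(0)).shuffle(chars)   # fixed seed keeps the example reproducible
    return "".join(chars)


def redirect_registry_path(desktop, original_path):
    """Registry writes are always redirected into this desktop's redirection registry."""
    return f"{REDIRECT_REG_ROOT}\\{desktop.desktop_id}\\{original_path}"


def redirect_directory(desktop, original_dir):
    """Mirror the original directory's structure under the desktop's storage space,
    e.g. C:\\Users\\a\\Docs -> <storage_root>\\<id>\\C\\Users\\a\\Docs (local drives assumed)."""
    p = PureWindowsPath(original_dir)
    parts = p.parts[1:] if p.drive else p.parts   # drop the "C:\" anchor component
    drive = p.drive.rstrip(":") or "nodrive"
    return str(PureWindowsPath(desktop.storage_root, desktop.desktop_id, drive, *parts))


def access_allowed(desktop, app_name):
    """Only target applications added to the desktop may access its resources."""
    return app_name in desktop.members


def handle_call(desktop, function, params):
    """Resolve one intercepted call to (target control policy, response)."""
    if function == "network_access":
        policy = network_policy(desktop, params["address"])
        return policy, (params["address"] if policy is Policy.ALLOW else None)
    if function == "clipboard_paste":
        policy = clipboard_policy(params["source_desktop"], params["target_desktop"])
        if policy is Policy.ALLOW:
            return policy, params["text"]
        return policy, reject_paste(params["text"], params.get("reject_mode", "clear"))
    if function == "registry_write":
        redirected = dict(params, path=redirect_registry_path(desktop, params["path"]))
        return Policy.REDIRECT, redirected
    raise ValueError(f"no preset policy for function {function!r}")


if __name__ == "__main__":
    # Constructed sample desktop and calls, purely for demonstration.
    vd = Desktop("vd1", r"D:\vdstore", frozenset({"word.exe"}),
                 {"10.0.": Policy.ALLOW, "10.0.5.": Policy.REJECT})
    print(handle_call(vd, "network_access", {"address": "10.0.1.7"}))
    print(handle_call(vd, "clipboard_paste", {"text": "secret", "source_desktop": "vd1",
                                              "target_desktop": "vd0", "reject_mode": "scramble"}))
    print(handle_call(vd, "registry_write", {"path": r"Software\App", "key": "Lang", "value": "en"}))
    print(redirect_directory(vd, r"C:\Users\alice\Documents"))
```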
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the embodiments of the invention.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The foregoing detailed description is directed to an access control method for an application and an access control device for an application according to the present invention, and the principles and embodiments of the present invention are described herein by using specific examples, which are only used to help understand the method and the core idea of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (14)

1. An access control method for an application program is applied to a terminal device, and the method comprises the following steps:
creating a virtual desktop, wherein creating the virtual desktop comprises using a CreateDesktop function;
adding at least one application in an original desktop to the virtual desktop;
if any target application program in the virtual desktop is detected to be started, performing Inline Hook on a preset function in a function library of Windows, wherein the preset function comprises a preset network access function, a preset clipboard operation function and a preset registry processing function;
intercepting a call request of the target application program to the preset function;
determining a target control strategy corresponding to the parameter and the preset function according to a pre-configured control strategy and the parameter in the calling request;
if the target control strategy is allowed for the call request, calling the preset function in response to the call request;
if the target control strategy is to reject the call request, responding to the call request, rejecting the call request according to a preset rejection strategy of the preset function, and returning a rejection result;
if the target control strategy is to redirect the call request, redirecting the call request according to a preset redirection strategy of the preset function, and calling the preset function in response to the redirected call request.
2. The method according to claim 1, wherein when the preset function comprises a preset network access function, the parameter in the call request comprises a target address field of a network address to be accessed;
the determining a target control strategy corresponding to the parameter and the preset function according to the pre-configured control strategy and the parameter in the call request includes:
and determining a target control strategy corresponding to the target address field according to the corresponding relation between different address fields and different control strategies preset and configured aiming at a preset network access function.
3. The method according to claim 1, wherein when the preset function includes a preset clipboard operation function, the parameters in the call request include a text to be pasted, a first desktop identifier to which a source file corresponding to the text to be pasted belongs, and a second desktop identifier to which a target file corresponding to the text to be pasted belongs;
the determining a target control strategy corresponding to the parameter and the preset function according to the pre-configured control strategy and the parameter in the call request includes:
judging whether the first desktop identifier and the second desktop identifier are the same;
if the two identifiers are the same, determining that the target control strategy is allowed for the call request according to a control strategy preset and configured for a preset clipboard operation function;
if the two identifiers are different, determining that the target control strategy is to reject the call request according to a control strategy preset and configured for a preset clipboard operation function;
if the target control strategy is to reject the call request, responding to the call request, rejecting the call request according to a preset rejection strategy of the preset function, and returning a rejection result, which comprises:
and if the target control strategy is to reject the call request, responding to the call request, performing preset modification on the text to be pasted in the call request according to a preset rejection strategy of the preset clipboard operation function, and returning a modification result, wherein the preset modification comprises character clearing or character arrangement disordering.
4. The method according to claim 1, wherein the preset registry processing function comprises a registry writing function, and when the preset function comprises the registry writing function, the parameters in the call request comprise an original path of an item to be written in an original registry, a target key of the item to be written, and a target value of the target key;
the determining a target control strategy corresponding to the parameter and the preset function according to the pre-configured control strategy and the parameter in the call request includes:
determining a target control strategy corresponding to the parameter and the preset registry writing function as redirection of the call request according to a control strategy pre-configured for the preset registry writing function and the parameter in the call request;
if the target control strategy is to redirect the call request, redirecting the call request according to a preset redirection strategy of the preset function, and calling the preset function in response to the redirected call request, including:
if the target control strategy is to redirect the call request, creating a redirection registry in the subkeys of the target key of the original registry according to the original path;
modifying the original path in the calling request into a redirection path of the item to be written in the redirection registry;
and calling the preset registry writing function in response to the redirected calling request, and writing the target value into the value of the target key of the redirection path in the redirection registry.
5. The method of claim 1, wherein after the at least one application in the original desktop is added to the virtual desktop, the method further comprises:
if the preset micro-filter driver detects a file operation request of any started target application program in the virtual desktop, judging the file operation type according to the file operation request;
if the file operation type is file write operation, determining a target file name in the file operation request and an original directory of a target file in an original desktop;
redirecting the original directory in a storage space corresponding to the virtual desktop according to the structure of the original directory to obtain a redirected directory of the target file;
copying a target file in the original directory of the original desktop to the redirection directory of the virtual desktop;
responding to a file operation request, and performing write operation on a target file at the redirection directory;
and encrypting the target file after the write operation according to a preset encryption algorithm.
6. The method according to claim 5, wherein if the preset micro-filter driver detects a file operation request of any one of the target application programs started in the virtual desktop, after determining a file operation type according to the file operation request, the method further comprises:
if the file operation type is file reading operation, determining a target file name in the file operation request and an original directory of a target file in an original desktop;
determining a redirection directory of the target file in the virtual desktop according to the original directory;
decrypting the target file with the target file name at the redirection directory according to a preset decryption algorithm;
and responding to the file operation request, performing read operation on the decrypted target file, and returning a read result.
7. The method of claim 1, further comprising:
if the virtual desktop is closed, removing temporary data and/or redirection data generated in the virtual desktop according to a pre-configured data cleaning strategy;
after at least one application program in the original desktop is added to the virtual desktop, if an access request of any application program is detected, whether the application program is a target application program in the virtual desktop is judged;
if not, the access request is rejected.
8. An access control device for an application program, applied to a terminal device, the device comprising:
the creating module is used for creating a virtual desktop, wherein the creating module is used for creating the virtual desktop by using a CreateDesktop function;
the adding module is used for adding at least one application program in the original desktop to the virtual desktop;
the Hook module is used for carrying out Inline Hook on a preset function in a function library of Windows if any target application program in the virtual desktop is detected to be started, wherein the preset function comprises a preset network access function, a preset clipboard operation function and a preset registry processing function;
the intercepting module is used for intercepting a calling request of the target application program to the preset function;
the first determining module is used for determining a target control strategy corresponding to the parameter and the preset function according to a pre-configured control strategy and the parameter in the calling request;
the first response module is used for responding to the calling request to call the preset function if the target control strategy is allowed to the calling request;
the second response module is used for responding to the calling request, rejecting the calling request according to a preset rejection strategy of the preset function and returning a rejection result if the target control strategy is rejecting the calling request;
and the third response module is used for redirecting the calling request according to a preset redirection strategy of the preset function if the target control strategy is to redirect the calling request, and calling the preset function in response to the redirected calling request.
9. The apparatus of claim 8, wherein the first determining module comprises:
and the first determining submodule is used for determining a target control strategy corresponding to the target address field according to the corresponding relation between different address fields and different control strategies preset and configured aiming at the preset network access function when the preset function comprises a preset network access function, wherein the parameter in the calling request comprises the target address field of the network address to be accessed.
10. The apparatus of claim 8,
the first determining module includes:
the judgment sub-module is used for judging whether the first desktop identifier and the second desktop identifier are the same or not when the preset function comprises a preset clipboard operation function, wherein parameters in the calling request comprise a text to be pasted, a first desktop identifier to which a source file corresponding to the text to be pasted belongs, and a second desktop identifier to which a target file corresponding to the text to be pasted belongs;
the second determining submodule is used for determining, if the two identifiers are the same, that the target control strategy is to allow the call request according to the control strategy preset and configured for the preset clipboard operation function;
a third determining sub-module, configured to determine, if the two are different, that the target control policy is a rejection to the call request according to a control policy preset and configured for a preset clipboard operation function;
the second response module comprises:
and the second response submodule is used for responding to the calling request, performing preset modification on the text to be pasted in the calling request according to a preset rejection strategy of the preset clipboard operation function and returning a modification result if the target control strategy is to reject the calling request, wherein the preset modification comprises character clearing or character arrangement disordering.
11. The apparatus of claim 8,
the first determining module includes:
a fourth determining submodule, configured to, when the preset registry processing function includes a registry writing function, and the preset function includes the registry writing function, determine that a parameter in the call request includes an original path of an item to be written in an original registry, a target key of the item to be written, and a target value of the target key, and determine, according to a control policy preconfigured for the preset registry writing function and the parameter in the call request, that a target control policy corresponding to the parameter and the preset registry writing function is to redirect the call request;
the third response module comprises:
a creating submodule, configured to create a redirection registry in a sub-key of the target key of the original registry according to the original path if the target control policy is to redirect the call request;
a modification submodule, configured to modify the original path in the call request to a redirection path of the to-be-written item in the redirection registry;
and the third response submodule is used for responding to the redirected calling request to call the preset registry writing function and writing the target value into the value of the target key of the redirection path in the redirection registry.
12. The apparatus of claim 8, further comprising:
the first judgment module is used for judging the file operation type according to the file operation request if the preset micro-filter driver detects the file operation request of any started target application program in the virtual desktop;
a third determining module, configured to determine, if the file operation type is a file write operation, a name of a target file in the file operation request and an original directory of the target file in an original desktop;
the second redirection module is used for redirecting the original directory in a storage space corresponding to the virtual desktop according to the structure of the original directory to obtain a redirected directory of the target file;
a second copying module, configured to copy a target file in the original directory of the original desktop to the redirection directory of the virtual desktop;
a fifth response module, configured to perform a write operation on the target file in the redirection directory in response to the file operation request;
and the encryption module is used for encrypting the target file after the write operation according to a preset encryption algorithm.
13. The apparatus of claim 12, further comprising:
a fourth determining module, configured to determine, if the file operation type is a file read operation, a name of a target file in the file operation request and an original directory of the target file in an original desktop;
a fifth determining module, configured to determine, according to the original directory, a redirection directory of the target file in the virtual desktop;
the decryption module is used for decrypting the target file with the target file name at the redirection directory according to a preset decryption algorithm;
and the sixth response module is used for responding to the file operation request, performing read operation on the decrypted target file and returning a read result.
14. The apparatus of claim 8, further comprising:
the clearing module is used for clearing temporary data and/or redirection data generated in the virtual desktop according to a pre-configured data clearing strategy if the virtual desktop is closed;
the second judgment module is used for judging whether the application program is a target application program in the virtual desktop or not if the access request of any application program is detected;
and the rejecting module is used for rejecting the access request if the second judging module determines that the application program is not the target application program in the virtual desktop.
CN201810798889.0A 2018-07-19 2018-07-19 Access control method and device for application program Active CN109117664B (en)

Publications (2)

Publication Number Publication Date
CN109117664A CN109117664A (en) 2019-01-01
CN109117664B true CN109117664B (en) 2020-11-10

Family

ID=64863041

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110096856B (en) * 2019-04-19 2022-02-11 奇安信科技集团股份有限公司 Access control method, system, electronic device and medium
CN110457925B (en) * 2019-08-12 2023-05-09 深圳市网心科技有限公司 Application data isolation method and device in internal and external storage, terminal and storage medium
CN113515389B (en) * 2020-04-09 2024-03-01 奇安信安全技术(珠海)有限公司 Method and device for calling intermediate interface, system, storage medium and electronic device
CN111539010B (en) * 2020-06-16 2023-09-01 北京明朝万达科技股份有限公司 Clipboard control method, device, electronic equipment and computer readable storage medium
CN112269986A (en) * 2020-10-29 2021-01-26 深信服科技股份有限公司 Process management method, device and storage medium
CN112685745B (en) * 2020-12-31 2023-11-21 北京梆梆安全科技有限公司 Firmware detection method, device, equipment and storage medium
CN112905260B (en) * 2021-02-07 2024-02-23 深信服科技股份有限公司 Application starting method and device, electronic equipment and storage medium
CN115543663B (en) * 2022-12-01 2023-08-01 北京志翔科技股份有限公司 Data processing method, device, electronic equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102314373A (en) * 2011-07-07 2012-01-11 李鹏 Method for realizing safe working environment based on virtualization technology
CN102821094A (en) * 2012-07-09 2012-12-12 深圳市深信服电子科技有限公司 Method and system for secure data processing in virtual desktop
CN103605930A (en) * 2013-11-27 2014-02-26 湖北民族学院 Double file anti-divulging method and system based on HOOK and filtering driving
CN103778384A (en) * 2014-02-24 2014-05-07 北京明朝万达科技有限公司 Identity authentication based virtual terminal safety environment protection method and system
CN104318179A (en) * 2014-10-30 2015-01-28 成都卫士通信息产业股份有限公司 File redirection technology based virtualized security desktop
EP3118768A1 (en) * 2015-07-17 2017-01-18 Backes SRT GmbH Method for forming a virtual environment in an operating system of a computer
CN106951775A (en) * 2016-01-06 2017-07-14 梁洪亮 A kind of safe-guard system based on operating system nucleus Intel Virtualization Technology

Also Published As

Publication number Publication date
CN109117664A (en) 2019-01-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant