KR101651392B1 - Additional authentication execution system through execution specialized module and method thereof - Google Patents
- Publication number
- KR101651392B1 (application KR1020160027478A)
- Authority
- KR
- South Korea
- Prior art keywords
- execution
- policy
- access
- name change
- file system
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/40—User authentication by quorum, i.e. whereby two or more security principals are required
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3228—One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/082—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Signal Processing (AREA)
- Databases & Information Systems (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
The present invention relates to a system for performing additional authentication through an execution-only module. The system comprises: an authentication server; a policy DB storing, for each user, the execution control targets and the additional authentication method; a policy execution unit that outputs the logged-in user's execution control target list on the basis of the policy DB, performs authentication in cooperation with the authentication server for the execution request or name change request that the user selects from that list, forwards the execution request or name change request if the authentication result is permission, and rejects it otherwise; a file system access detection unit that, on detecting an access to the file system from an application in user mode, obtains the execution request or name change request information of the attempted access; and a file system access control unit that permits access to the file system if the obtained execution request or name change request information does not exist in the policy DB and, if it does exist in the policy DB, permits access to the file system when the execution request or name change request information has been forwarded from the policy execution unit and blocks access to the file system when it has not. The present invention also relates to a corresponding method for performing the additional authentication process.
According to the present invention, since access to the main functions is permitted only through the execution-only module, a separate application that operates in user mode, a privileged user is prevented from accessing the file system by mistake, so the system can be operated more safely.
Description
The present invention relates to a system and method for performing additional authentication through an execution-only module, and more particularly to a system and method in which an execution-only module enforces additional authentication, so that execution in the operating system is permitted only after that additional authentication has been performed, in order to prevent unauthorized execution.
In the existing technology, authentication is performed at the connection (login) step of the operating system, and access control is then performed on the basis of the subject information in the session that was created. This technology can block illegal program execution by unauthorized subjects, but there is no mechanism to prevent the risk arising from mistakes made by permitted subjects.
For example, if a user who is authorized to reboot the system enters the reboot command on the server system, the system reboots immediately because the use is authorized. A user who was connected to the server system at that moment to perform an important task then suffers a fatal problem: the important data that was being worked on is lost because of the reboot.
In addition, if an account is hijacked by malicious code such as a virus or a worm, unauthorized execution of major programs cannot be prevented.
Registered Patent No. 10-0344977 (System call control method and dynamic kernel change method of a Unix operating system) comprises: (a) a user process requesting a system call; (b) determining, by looking up the system call vector table, whether the requested system call is an intercepted system call; (c) when the requested call is an intercepted system call, the alternative system call handler requesting the user's access right information for the system resource from a database via a communication interface; (d) the database retrieving the user's access rights to the system resource and providing the result to the alternative system call handler; and (e) if the user has access rights to the system resource, the alternative system call handler performing the original system call, and if the user does not have access rights, informing the user of the rejection.
Registration No. 10-0344977 thus discloses a method of intercepting a system call at the kernel level and then allowing the user to use the system resource only if the user has access rights to it.
However, as described above, Patent Registration No. 10-0344977 cannot prevent the risk caused by a mistake of a permitted subject, nor can it solve the problem that, when an account is taken over by malicious code such as a virus or a worm, illegal execution of major programs cannot be prevented.
SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems, and it is an object of the present invention to provide a system and method for executing additional authentication through an execution-only module, in which execution is carried out only after the additional authentication process has been performed through the dedicated module.
According to an aspect of the present invention, there is provided a system comprising: an authentication server; a policy DB storing, for each user, the execution control targets and the additional authentication method; a policy execution unit that outputs the logged-in user's execution control target list on the basis of the policy DB, performs authentication in cooperation with the authentication server for the execution request or name change request that the user selects from that list, forwards the execution request or name change request if the authentication result is permission, and rejects it otherwise; a file system access detection unit that, on detecting an access to the file system from an application in user mode, obtains the execution request or name change request information of the attempted access; and a file system access control unit that permits access to the file system if the obtained execution request or name change request information does not exist in the policy DB and, if it does exist in the policy DB, permits access to the file system when the execution request or name change request information has been forwarded from the policy execution unit and blocks access to the file system when it has not.
The execution control targets include executable files that the operating system can execute, services provided by the operating system, and functions of the operating system. The additional authentication method includes ARS (automatic response system), OTP (one-time password), PKI (public key infrastructure) and other authentication methods. The policy DB stores an execution control target list for each user, and may store an additional authentication method per user or per execution control target of a user.
When a plurality of the additional authentication methods are stored for an execution control target, the policy execution unit may perform the plurality of authentications sequentially in cooperation with the authentication server.
The policy execution unit may comprise: an execution-only module that queries the policy DB for the execution control target list executable by the logged-in user, outputs it, and fetches from the policy DB the policy corresponding to the execution request or name change request target that the user selects from that list; and an additional authentication module that receives from the execution-only module the policy corresponding to the selected execution request or name change request target, performs authentication in cooperation with the authentication server using the authentication method included in the policy, and determines from the authentication result whether to permit execution.
The execution-only module may be an application operating in user mode of a Windows-based operating system; when run by the logged-in user or through a separate command, it displays through a separate user interface the list of execution control targets executable by the logged-in user, and when the user selects one of the listed targets, it transmits the policy corresponding to the selected execution request or name change request target to the additional authentication module.
The execution-only module may alternatively be an application operating in user mode of a Unix-based operating system; when run by the logged-in user through a separate command, it outputs through a user interface the list of execution control targets executable by the logged-in user, the user selects one of the listed targets, and the policy corresponding to the selected execution request or name change request target is transmitted to the additional authentication module.
The file system access control unit may comprise: an execution control module that permits access to the file system if the execution request information received from the file system access detection unit does not exist in the policy DB and, if it does exist in the policy DB, permits access to the file system when the execution request information has been delivered from the policy execution unit and blocks access when it has not; and a name change control module that permits access to the file system if the name change request information received from the file system access detection unit does not exist in the policy DB and, if it does exist in the policy DB, permits access to the file system when the name change request information has been delivered from the policy execution unit and blocks access when it has not.
The execution control targets include executable files that the operating system can execute, services provided by the operating system, and functions of the operating system. Executable files stored in the policy DB are automatically designated as name change control targets and stored as such in the policy DB, and the policy execution unit may also output the name change control targets when it outputs the execution control target list of the logged-in user.
The file system access control unit may further comprise an access blocking information providing unit that, after blocking access to the file system, reports the access blocking information to user mode; and a policy notification unit that operates in user mode, receives the access blocking information from the access blocking information providing unit, and outputs a message instructing the user to make the execution request or name change request through the application that queries the policy DB for, and outputs, the execution control target list executable by the logged-in user.
According to another aspect of the present invention, there is provided a method comprising: a policy setting step of storing, in a policy DB, the execution control targets and the additional authentication method for each user; an execution control target output step of querying the policy DB for the execution control target list executable by the logged-in user, outputting it, and retrieving from the policy DB the policy corresponding to the execution request or name change request target selected by the user from that list; an additional authentication step of receiving the policy corresponding to the selected execution request or name change request target, performing authentication in cooperation with the authentication server using the additional authentication method included in the policy, and, according to the result, forwarding the execution request or name change request to the kernel level if it is permitted and blocking it if it is rejected; a file system access detection step of obtaining, on detecting an access to the file system from an application in user mode, the execution request or name change request information of the attempted access; and a file system access control step of permitting access to the file system if the execution request or name change request information obtained in the file system access detection step does not exist in the policy DB and, if it does exist in the policy DB, permitting access to the file system when the execution request or name change request information has been delivered through the additional authentication step and blocking access when it has not.
The execution control targets include executable files that the operating system can execute, services provided by the operating system, and functions of the operating system. The additional authentication method includes ARS (automatic response system), OTP (one-time password), PKI (public key infrastructure) and other authentication methods. The policy DB stores an execution control target list for each user, and may store an additional authentication method per user or per execution control target of a user.
When a plurality of the additional authentication methods are stored for an execution control target, the additional authentication step may perform the plurality of authentications sequentially in cooperation with the authentication server.
In the execution control target output step, when the module is run by the logged-in user or through a separate instruction, the list of execution control targets executable by the logged-in user is output through the user interface, and when the user selects one of the listed targets, the policy corresponding to the selected execution request or name change request target may be transmitted to the additional authentication step.
The execution control targets include executable files that the operating system can execute, services provided by the operating system, and functions of the operating system; the policy setting step automatically designates the executable files stored in the policy DB as name change control targets and stores them as such in the policy DB, and the execution control target output step may also output the name change control targets when it outputs the execution control target list of the logged-in user.
The method may further comprise: an access blocking information providing step of reporting the access blocking information to user mode after access to the file system has been blocked in the file system access control step; and a policy notification step of outputting a message instructing the user to make the execution request or name change request through the application that queries the policy DB for, and outputs, the list of execution control targets executable by the logged-in user.
According to the present invention having the above-described configuration, the following effects can be achieved.
First, since the present invention permits access to the main functions that greatly affect the operating system only through the execution-only module, a separate application that operates in user mode, it can prevent an authorized user from accidentally accessing the file system, so the system can be operated more safely.
Also, to prevent a user from renaming an executable file that the operating system can execute and then running it under the changed name, when a policy is set in the policy DB the executable file stored in the policy DB is automatically designated as a name change control target as well, which also provides user convenience in policy setting.
FIG. 1 is a block diagram showing the configuration of an additional authentication execution system through an execution-only module according to an embodiment of the present invention.
FIG. 2 is a flowchart of a method for performing additional authentication through an execution-only module according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating in greater detail a method for performing an additional authentication through an execution-only module according to an embodiment of the present invention.
BRIEF DESCRIPTION OF THE DRAWINGS The advantages and features of the present invention, and how to accomplish them, will become apparent by reference to the embodiments described in detail below with reference to the accompanying drawings.
However, the present invention is not limited to the embodiments described below, but may be embodied in various other forms.
The present embodiments are provided so that the disclosure of the present invention is thoroughly disclosed and that those skilled in the art will fully understand the scope of the present invention.
And the present invention is only defined by the scope of the claims.
Thus, in some embodiments, well known components, well known operations, and well-known techniques are not specifically described to avoid an undesirable interpretation of the present invention.
In addition, throughout the specification, like reference numerals refer to like elements, and the terms (mentioned) used herein are intended to illustrate the embodiments and not to limit the invention.
In this specification, the singular forms include plural forms unless the context clearly dictates otherwise, and the constituents and acts referred to as "comprising (or having)" do not exclude the presence or addition of one or more other constituents and actions.
Unless defined otherwise, all terms (including technical and scientific terms) used herein may be used in a sense commonly understood by one of ordinary skill in the art to which this invention belongs.
Also, commonly used predefined terms are not ideally or excessively interpreted unless they are defined.
Hereinafter, preferred embodiments of the present invention will be described with reference to the accompanying drawings.
1 to 3, an additional
The
The
The
The
Execution control targets include executable files that the operating system can execute, services provided by the operating system, and functions of the operating system. An executable file is a file with an extension such as exe or com. Services provided by the operating system include the user interface, communication services, resource management, process management, file management and memory management, and functions of the operating system include log-off, system shutdown and time change. These are merely examples, and the targets are not limited to them. In short, execution control targets are important items that can affect the operating system.
The additional authentication method for a user's execution control target list includes at least one of ARS (automatic response system), OTP (one-time password), PKI (public key infrastructure) and other authentication methods.
When the execution control object of the
Execution control targets are identified by file name (for example, a.exe), not by full path.
In addition, a name change request for an executable file for which a policy is set is rejected. This prevents a circumvention technique that would evade the condition (the file name) by which an execution control target is judged. For example, when the execution file 'a.exe' among the execution control objects of the logged-in user 'Kim Cheol-su' is set as a policy in the
Blocking name changes alone covers an attempt such as 'rename a.exe b.exe' in the current folder for a file with a policy set. However, copying the file to another location and renaming the copy there cannot be blocked by the policy. To block this detour, reading of the file (a.exe) for which the policy is set must also be blocked. Therefore, if a user enters 'read a.exe' for a file (a.exe) with a policy set, access is denied unless additional authentication is performed.
In other words, the name change request in the present invention includes not only a rename that changes the actual name, but also the read operation used to copy the file before renaming it. This blocks not only renaming a file for which a policy is set, but also copying or moving it to another location.
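The decision logic that the description above spells out (a per-user policy DB, a user-mode policy execution unit that runs several additional authentication methods in sequence and forwards an approved request, a kernel-side file system access control that matches by file name only and treats rename and read of a policy-protected executable as name change requests, and the policy notification after a block) is modelled below as an added Python example. This is not the patent's code: the class names, the HOTP routine (RFC 4226, with its published test secret) standing in for the OTP authentication server, the simulated ARS approval, and the sample user and file names are all constructed for this illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

EXEC_EXTENSIONS = (".exe", ".com")    # executables identified by extension, as the description lists them
NAME_CHANGE_OPS = ("rename", "read")  # a rename, or the read that precedes copying the file elsewhere

def file_name(path: str) -> str:
    """Targets are controlled by file name (e.g. 'a.exe'), not full path; accepts '/' and '\\'."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, used here as a constructed stand-in for the OTP authentication server."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

class OtpAuthenticator:
    """Per-user HOTP counter; each code is accepted once (constructed for the example)."""
    def __init__(self, secret: bytes) -> None:
        self.secret, self.counters = secret, {}
    def __call__(self, user: str, code: str) -> bool:
        counter = self.counters.get(user, 0)
        ok = hmac.compare_digest(code, hotp(self.secret, counter))
        if ok:
            self.counters[user] = counter + 1     # an accepted code cannot be replayed
        return ok

@dataclass
class PolicyDB:
    # user -> {execution control target -> ordered list of additional authentication methods}
    targets: Dict[str, Dict[str, List[str]]] = field(default_factory=dict)
    def set_policy(self, user: str, target: str, methods: List[str]) -> None:
        self.targets.setdefault(user, {})[target.lower()] = list(methods)
    def lookup(self, user: str, op: str, path: str) -> Optional[List[str]]:
        """Auth methods required for this access, or None when the access is not controlled."""
        name = file_name(path)
        methods = self.targets.get(user, {}).get(name)
        if methods is None:
            return None
        if op == "execute":
            return methods
        # executables stored in the policy DB are automatically name-change control targets too
        if op in NAME_CHANGE_OPS and name.endswith(EXEC_EXTENSIONS):
            return methods
        return None

class FileSystemAccessControl:
    """Kernel-side role (modelled in user space here): decides each detected file system access."""
    def __init__(self, db: PolicyDB) -> None:
        self.db = db
        self.forwarded: Set[Tuple[str, str, str]] = set()  # approvals handed down by the policy execution unit
        self.blocked: List[Tuple[str, str, str]] = []      # access blocking information for user mode
    def forward(self, user: str, op: str, path: str) -> None:
        self.forwarded.add((user, op, file_name(path)))
    def on_access(self, user: str, op: str, path: str) -> str:
        if self.db.lookup(user, op, path) is None:
            return "allow"                                   # not an execution control target
        key = (user, op, file_name(path))
        if key in self.forwarded:
            self.forwarded.discard(key)                      # one approval covers exactly one access
            return "allow"
        self.blocked.append(key)
        return "block"

class PolicyExecutionUnit:
    """User-mode execution-only module plus additional authentication module."""
    def __init__(self, db: PolicyDB, control: FileSystemAccessControl,
                 authenticators: Dict[str, Callable[[str, str], bool]]) -> None:
        self.db, self.control, self.authenticators = db, control, authenticators
    def list_targets(self, user: str) -> List[str]:
        return sorted(self.db.targets.get(user, {}))
    def request(self, user: str, op: str, path: str, credentials: Dict[str, str]) -> str:
        methods = self.db.lookup(user, op, path)
        if methods is None:
            return "not-controlled"
        for method in methods:                               # several methods are run in sequence
            check = self.authenticators.get(method)
            if check is None or not check(user, credentials.get(method, "")):
                return "rejected"
        self.control.forward(user, op, path)                 # permission: hand the request down
        return "forwarded"

def policy_notification(control: FileSystemAccessControl) -> List[str]:
    """Policy notification unit: tell the user to repeat the request via the execution-only module."""
    return [f"{user}: {op} of '{name}' was blocked; run it through the execution-only module"
            for user, op, name in control.blocked]

def build_demo():
    """Constructed sample policy: user 'kim' needs OTP for a.exe, and OTP then ARS for b.exe."""
    db = PolicyDB()
    db.set_policy("kim", "a.exe", ["OTP"])
    db.set_policy("kim", "b.exe", ["OTP", "ARS"])
    control = FileSystemAccessControl(db)
    ars_approved = {"kim"}                                   # simulated phone-call (ARS) approval
    authenticators = {
        "OTP": OtpAuthenticator(b"12345678901234567890"),    # RFC 4226 test secret
        "ARS": lambda user, answer: user in ars_approved and answer == "approved",
    }
    return db, control, PolicyExecutionUnit(db, control, authenticators)
```

Two design choices are worth noting. An approval forwarded to the kernel side is consumed by exactly one access, so a later attempt on the same file without going through the execution-only module again is blocked, which is what keeps the "separate application" path the only way in. And because the policy DB matches on the bare file name, `rename` and `read` of a protected executable are controlled on every path, otherwise the copy-then-rename detour the description mentions would reintroduce the file under a name the policy does not know.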
The policy setting unit (not shown) automatically designates an execution file stored in the
The
The
The
The execution-only
Specifically, the execution-only
In addition, the execution-only
When the
The file system
The file system
Specifically, the file system
The
The name
The access blocking
The
Referring to FIGS. 1 to 3, a method for executing additional authentication through an execution-only module according to the present invention will now be described.
First, the policy setting unit (not shown) performs a policy setting step of storing, in the policy DB 20, the execution control targets and the additional authentication method for each user (S21, S311).
The policy setting unit (not shown) can automatically designate an executable file stored in the
The execution control targets include executable files that the operating system can execute, services provided by the operating system, and functions of the operating system, and the additional authentication method includes ARS (automatic response system), OTP (one-time password), PKI (public key infrastructure) and other authentication schemes.
The
The execution-only
The execution-only
Specifically, the execution-only
The
The additional authentication method by the user's execution control target list includes at least one of an ARS (automatic response system), an OTP (one-time password), a PKI (public key infrastructure), and other authentication methods, The
The file system
The file system
However, if it is in the
As a result of the determination, if the information is transferred through the
The access blocking
Finally, when the
As described above, according to the present invention, since access is permitted only through the execution-only module, a separate application that operates in user mode, a privileged user is prevented from accidentally accessing the file system, so the system can be operated more safely.
It will be apparent to those skilled in the art that many other modifications and applications are possible within the scope of the basic technical idea of the present invention.
10 ... authentication server
20 ... policy DB
30 ... policy execution unit
31 ... execution-only module
33 ... additional authentication module
40 ... file system access detection unit
50 ... file system access control unit
51 ... execution control module
53 ... name change control module
55 ... access blocking information providing unit
60 ... policy notification unit
70 ... file system
100 ... additional authentication execution system through an execution-only module
Claims (15)
A policy DB storing, for each user, the execution control targets and the additional authentication method;
A policy execution unit that outputs the logged-in user's execution control target list on the basis of the policy DB, performs authentication in cooperation with the authentication server for the execution request or name change request that the user selects from that list, forwards the execution request or name change request if the authentication result is permission, and rejects it otherwise;
A file system access detection unit that, on detecting an access to the file system from an application in user mode, obtains the execution request or name change request information of the attempted access; And
A file system access control unit that permits access to the file system if the obtained execution request or name change request information does not exist in the policy DB and, if it does exist in the policy DB, permits access to the file system when the execution request or name change request information has been delivered from the policy execution unit and blocks access to the file system when it has not,
Wherein the execution control targets include executable files that the operating system can execute, services provided by the operating system, and functions of the operating system, and the additional authentication method includes ARS (automatic response system), OTP (one-time password), PKI (public key infrastructure) and other authentication schemes,
Wherein the policy DB stores an execution control target list for each user and stores an additional authentication method per user or per execution control target of a user.
Wherein, when a plurality of the additional authentication methods are stored for an execution control target, the policy execution unit sequentially performs the plurality of authentications in cooperation with the authentication server.
An additional authentication execution system through an execution-only module, comprising:
a policy DB storing, for each user, execution control targets and an additional authentication method;
a policy execution unit that retrieves and outputs the execution control target list of the logged-in user from the policy DB, performs additional authentication in cooperation with an authentication server for an execution request or name change request selected from that list, forwards the execution request or name change request when the authentication result is permission, and rejects the execution request or name change request otherwise;
a file system access detection unit that, on detecting access to the file system from an application running in user mode, obtains the information of the execution request or name change request that attempted the access; and
a file system access control unit that permits access to the file system when the obtained execution request or name change request information does not exist in the policy DB, and, when it does exist, permits access to the file system only if the execution request or name change request information has been forwarded from the policy execution unit and blocks access to the file system if it has not,
wherein the policy execution unit comprises:
an execution-only module that retrieves from the policy DB and outputs the execution control target list executable by the logged-in user, and obtains from the policy DB the policy corresponding to the execution request or name change request target selected by the user from that list; and
an additional authentication module that, on receiving from the execution-only module the policy corresponding to the selected execution request or name change request target, performs authentication in cooperation with the authentication server by the additional authentication method included in the policy, and decides from the authentication result whether the execution request or name change request is permitted.
The additional authentication execution system through an execution-only module as set out above, wherein the execution-only module is an application operating in user mode of a Windows-based operating system which, when executed by the logged-in user or through a separate command, displays through a separate user interface the list of execution control targets executable by the logged-in user, and, when the user selects one of the listed execution control targets through that user interface, transmits the policy corresponding to the selected execution request or name change request target to the additional authentication module.
The additional authentication execution system through an execution-only module as set out above, wherein the execution-only module is an application operating in user mode of a Unix-based operating system which, when executed by the logged-in user through a separate command, outputs through a user interface the list of execution control targets executable by the logged-in user, and, when the user selects one of the listed execution control targets, transmits the policy corresponding to the selected execution request or name change request target to the additional authentication module.
The additional authentication execution system through an execution-only module as set out above, comprising the policy DB, the policy execution unit, the file system access detection unit and the file system access control unit, wherein the file system access control unit comprises:
an execution control module that permits access to the file system when the execution request information received from the file system access detection unit does not exist in the policy DB, and, when it does exist, permits access to the file system if the execution request information has been forwarded from the policy execution unit and blocks access to the file system if it has not; and
a name change control module that permits access to the file system when the name change request information received from the file system access detection unit does not exist in the policy DB, and, when it does exist, permits access to the file system if the name change request information has been forwarded from the policy execution unit and blocks access to the file system if it has not.
The additional authentication execution system through an execution-only module as set out above, comprising the policy DB, the policy execution unit, the file system access detection unit and the file system access control unit,
wherein the execution control target includes executable files that can be executed in the operating system, services provided by the operating system, and functions of the operating system;
wherein an executable file stored in the policy DB is automatically designated as a name change control target and stored in the policy DB as such; and
wherein the policy execution unit also outputs the name change control targets when it outputs the execution control target list of the logged-in user.
The additional authentication execution system through an execution-only module as set out above, comprising the policy DB, the policy execution unit, the file system access detection unit and the file system access control unit,
wherein the file system access control unit includes an access blocking information providing unit that notifies the access blocking information to user mode after access to the file system has been blocked; and
the system further comprises a policy notifying unit which, on receiving the access blocking information from the access blocking information providing unit, executes an application that retrieves from the policy DB and outputs the execution control target list executable by the logged-in user, and outputs a message indicating that the execution request or name change request is to be performed through that application.
A method of executing additional authentication through an execution-only module, comprising:
an execution control target output step of outputting the execution control target list of the logged-in user and retrieving from the policy DB the policy corresponding to the execution request or name change request target selected by the user from that list;
an additional authentication step of receiving the policy corresponding to the selected execution request or name change request target, performing authentication in cooperation with the authentication server by the additional authentication method included in the policy, forwarding the execution request or name change request to the kernel level when the authentication result is permission, and blocking it when the result is rejection;
a file system access detection step of obtaining, on detecting access to the file system from an application running in user mode, the information of the execution request or name change request that attempted the access; and
a file system access control step of permitting access to the file system when the execution request or name change request information obtained in the file system access detection step does not exist in the policy DB, and, when it does exist, permitting access to the file system if the execution request or name change request information has been forwarded through the additional authentication step and blocking access to the file system if it has not,
wherein the execution control target includes executable files that can be executed by the operating system, services provided by the operating system, and functions of the operating system, and the additional authentication method includes ARS (automatic response system), OTP (one-time password), PKI (public key infrastructure) and other authentication schemes;
wherein the policy DB stores an execution control target list for each user, and stores an additional authentication method either for each user or for each execution control target in a user's list; and
wherein, when a plurality of the additional authentication methods are stored for an execution control target, the additional authentication step performs the plurality of authentications one after another in cooperation with the authentication server.
The method of executing additional authentication through an execution-only module as set out above, comprising the execution control target output step, the additional authentication step, the file system access detection step and the file system access control step, wherein the execution control target output step, when performed by the logged-in user or through a separate instruction, outputs through the user interface the execution control target list executable by the logged-in user, and, when the user selects one of the listed execution control targets, passes the policy corresponding to the selected execution request or name change request target to the additional authentication step.
The method of executing additional authentication through an execution-only module as set out above, comprising the execution control target output step, the additional authentication step, the file system access detection step and the file system access control step,
wherein the execution control target includes executable files that can be executed in the operating system, services provided by the operating system, and functions of the operating system;
wherein the policy setting step automatically designates an executable file stored in the policy DB as a name change control target and stores it in the policy DB as such; and
wherein the execution control target output step also outputs the name change control targets when it outputs the execution control target list of the logged-in user.
The method of executing additional authentication through an execution-only module as set out above, comprising the execution control target output step, the additional authentication step, the file system access detection step and the file system access control step, and further comprising, after the file system access control step:
an access blocking information providing step of notifying the access blocking information to user mode after access to the file system has been blocked; and
a policy notifying step of, on receiving the access blocking information, executing an application that retrieves from the policy DB and outputs the execution control target list executable by the logged-in user, and outputting a message indicating that the execution request or name change request is to be performed through that application.
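The control flow that the system claims and the method claims above describe, written out as an added example for this page; it is not code from the patent or from its assignee. The class names, the one-shot approval record the policy execution unit hands to the kernel-side gate, the target kinds ("exe", "service", "function") and the per-method verifier callbacks standing in for the authentication server are all assumptions, and the user, policy entries and credentials are constructed sample data. The gate runs in user space here; in a real deployment the detection and control units would sit in a file system filter, with only the policy execution unit in user mode.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable

class Req(Enum):
    EXECUTE = "execute"
    RENAME = "rename"

@dataclass(frozen=True)
class Target:
    name: str  # executable path, OS service name or OS function name
    kind: str  # "exe", "service" or "function" (labels assumed here)

@dataclass
class PolicyDB:
    rules: dict[str, dict[Target, list[str]]]  # user -> {target -> auth methods, in order}

    def controlled(self, user: str, target: Target, req: Req) -> bool:
        # Every stored target is execution-controlled; a stored executable is
        # automatically a name-change (rename) control target as well.
        if target not in self.rules.get(user, {}):
            return False
        return req is Req.EXECUTE or target.kind == "exe"

class FileSystemAccessControl:
    """Kernel-level detection and control units, modelled here in user space."""
    def __init__(self, db: PolicyDB):
        self.db = db
        self._approved: set[tuple[str, str, Req]] = set()  # forwarded by the policy execution unit
        self.blocked: list[tuple[str, str, Req]] = []  # access blocking information

    def forward_approval(self, user: str, target: Target, req: Req) -> None:
        self._approved.add((user, target.name, req))

    def on_access(self, user: str, target: Target, req: Req) -> bool:
        if not self.db.controlled(user, target, req):
            return True  # not in the policy DB: passed through unchanged
        key = (user, target.name, req)
        if key in self._approved:
            self._approved.discard(key)  # one approval covers one request
            return True
        self.blocked.append(key)
        return False

class PolicyExecutionUnit:
    """User-mode execution-only module plus additional authentication module."""
    def __init__(self, db: PolicyDB, gate: FileSystemAccessControl,
                 auth_server: dict[str, Callable[[str, str], bool]]):
        self.db, self.gate, self.auth_server = db, gate, auth_server

    def list_targets(self, user: str) -> list[tuple[str, str]]:
        out = []
        for t in self.db.rules.get(user, {}):
            out.append((t.name, Req.EXECUTE.value))
            if t.kind == "exe":  # executables are listed as rename targets too
                out.append((t.name, Req.RENAME.value))
        return sorted(out)

    def request(self, user: str, target: Target, req: Req, creds: dict[str, str]) -> bool:
        if not self.db.controlled(user, target, req):
            return False  # nothing to approve for an unlisted target
        for method in self.db.rules[user][target]:  # sequential; first failure rejects
            if not self.auth_server[method](user, creds.get(method, "")):
                return False
        self.gate.forward_approval(user, target, req)  # hand the approval to the kernel gate
        return True

    def notice(self, user: str) -> str | None:
        if not self.gate.blocked:  # policy notifier: reacts to the latest block
            return None
        _, name, req = self.gate.blocked[-1]
        return (f"{req.value} of {name} was blocked; request it through the "
                f"execution-only module. Controlled: {self.list_targets(user)}")

def demo() -> dict[str, object]:
    # Constructed sample policy, verifiers and credentials, not from the patent.
    regedit = Target(r"C:\Windows\regedit.exe", "exe")
    spooler = Target("Spooler", "service")
    db = PolicyDB({"alice": {regedit: ["otp", "pki"], spooler: ["ars"]}})
    gate = FileSystemAccessControl(db)
    peu = PolicyExecutionUnit(db, gate, {
        "otp": lambda u, c: c == "482913",
        "pki": lambda u, c: c == "cert-ok",
        "ars": lambda u, c: c == "call-ok",
    })
    r: dict[str, object] = {}
    r["uncontrolled_exec"] = gate.on_access("alice", Target(r"C:\Windows\notepad.exe", "exe"), Req.EXECUTE)
    r["direct_exec"] = gate.on_access("alice", regedit, Req.EXECUTE)
    r["direct_rename"] = gate.on_access("alice", regedit, Req.RENAME)
    r["service_rename"] = gate.on_access("alice", spooler, Req.RENAME)
    r["bad_otp"] = peu.request("alice", regedit, Req.EXECUTE, {"otp": "000000", "pki": "cert-ok"})
    r["good_auth"] = peu.request("alice", regedit, Req.EXECUTE, {"otp": "482913", "pki": "cert-ok"})
    r["exec_after_approval"] = gate.on_access("alice", regedit, Req.EXECUTE)
    r["exec_replay"] = gate.on_access("alice", regedit, Req.EXECUTE)
    r["notice"] = peu.notice("alice")
    return r
```

Calling demo() walks through the cases the claims distinguish: an executable that is not in the policy DB passes through, a listed executable is blocked both for execution and for renaming until the execution-only module has completed every configured method in order, a listed service is rename-controlled only if it is an executable, and a forwarded approval covers a single request, so a second execution attempt is blocked again and the notifier points the user back to the execution-only module.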
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020160027478A KR101651392B1 (en) | 2016-03-08 | 2016-03-08 | Additional authentication execution system through execution specialized module and method thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020160027478A KR101651392B1 (en) | 2016-03-08 | 2016-03-08 | Additional authentication execution system through execution specialized module and method thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101651392B1 true KR101651392B1 (en) | 2016-08-25 |
Family
ID=56884904
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020160027478A KR101651392B1 (en) | 2016-03-08 | 2016-03-08 | Additional authentication execution system through execution specialized module and method thereof |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101651392B1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20200122014A (en) * | 2019-04-17 | 2020-10-27 | (주)나무소프트 | Data security method based on program protection |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100344977B1 (en) | 1999-11-22 | 2002-07-20 | 엘지정보통신주식회사 | Method for controlling a system call, and for changing kernel dynamically in an UNIX operating system |
KR20150144312A (en) * | 2014-04-15 | 2015-12-24 | (주)나무소프트 | Method and software product for controlling application program which access secure saving area |
Events
2016-03-08: application KR1020160027478A filed in KR; resulting patent KR101651392B1, status active (IP Right Grant)
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20200122014A (en) * | 2019-04-17 | 2020-10-27 | (주)나무소프트 | Data security method based on program protection |
KR102227558B1 (en) * | 2019-04-17 | 2021-03-12 | (주)나무소프트 | Data security method based on program protection |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6484255B2 (en) | Host attestation, including trusted execution environment | |
US10375054B2 (en) | Securing user-accessed applications in a distributed computing environment | |
EP3014847B1 (en) | Secure hybrid file-sharing system | |
EP1745343B1 (en) | A generic framework for runtime interception and execution control of interpreted languages | |
US9332019B2 (en) | Establishment of a trust index to enable connections from unknown devices | |
US20120311696A1 (en) | Override for Policy Enforcement System | |
US20120167167A1 (en) | Enabling granular discretionary access control for data stored in a cloud computing environment | |
EP2267624A2 (en) | A generic framework for runtime interception and execution control of interpreted languages | |
US10929568B2 (en) | Application control | |
KR101565590B1 (en) | A system for expanding the security kernel with system for privilege flow prevention based on white list | |
US9521032B1 (en) | Server for authentication, authorization, and accounting | |
JP2017510013A (en) | Techniques for providing network security with just-in-time provisioned accounts | |
US10951657B2 (en) | Systems and methods for authenticating platform trust in a network function virtualization environment | |
KR101745843B1 (en) | Methods and devices for protecting private data | |
US10671730B2 (en) | Controlling configuration data storage | |
KR20130120893A (en) | System and method for providing cloud computing service using virtual machine | |
US10909516B2 (en) | Basic input/output system (BIOS) credential management | |
US11636219B2 (en) | System, method, and apparatus for enhanced whitelisting | |
US8601544B1 (en) | Computer system employing dual-band authentication using file operations by trusted and untrusted mechanisms | |
KR101651392B1 (en) | Additional authentication execution system through execution specialized module and method thereof | |
EP3759629B1 (en) | Method, entity and system for managing access to data through a late dynamic binding of its associated metadata | |
Birnstill et al. | Building blocks for identity management and protection for smart environments and interactive assistance systems | |
JP2016207144A (en) | Information processing apparatus, program, and authentication system | |
KR102357715B1 (en) | Method to management operating system image for security and internet server using the methods | |
US20150154395A1 (en) | Image output apparatus, image output system, and computer-readable recording medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| E701 | Decision to grant or registration of patent right | |
| GRNT | Written decision to grant | |