KR101651392B1 - Additional authentication execution system through execution specialized module and method thereof - Google Patents


Info

Publication number
KR101651392B1
Authority
KR
South Korea
Prior art keywords
execution
policy
access
name change
file system
Prior art date
Application number
KR1020160027478A
Other languages
Korean (ko)
Inventor
손주양
황인완
김윤성
Original Assignee
주식회사 시큐브
Priority date
Filing date
Publication date
Application filed by 주식회사 시큐브
Priority to KR1020160027478A
Application granted
Publication of KR101651392B1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/40 User authentication by quorum, i.e. whereby two or more security principals are required
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform to a system of files or objects, e.g. local or distributed file system or database
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3226 Verification using a predetermined code, e.g. password, passphrase or PIN
    • H04L 9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key
    • H04L 9/3263 Verification involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L 2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L 63/00
    • H04L 2463/082 Additional details applying multi-factor authentication

Abstract

The present invention relates to an additional authentication execution system comprising: an authentication server; a policy DB storing, for each user, execution control targets and an additional authentication method; a policy execution unit which operates in user mode, outputs the execution control target list of the logged-in user on the basis of the policy DB, performs additional authentication for the execution request or name change request selected by the user in cooperation with the authentication server using the additional authentication method assigned to that target, forwards the execution request or name change request to the kernel layer when the authentication result is permission, and rejects it otherwise; a file system access detection unit which, upon detecting an access to the file system from an application in user mode, obtains the execution request or name change request information of the attempted access; and a file system access control unit which allows access to the file system when the obtained execution request or name change request information does not exist in the policy DB, and, when it does exist in the policy DB, allows access to the file system only when the execution request or name change request was forwarded by the policy execution unit and blocks access when it was not. The present invention also relates to a method for performing this additional authentication process.
According to the present invention, since access to the controlled targets is permitted only through the execution-only module, a separate application that operates in user mode, a privileged user is prevented from accessing the file system by mistake, which makes it possible to operate the system more safely.

Description

{ADDITIONAL AUTHENTICATION EXECUTION SYSTEM THROUGH EXECUTION SPECIALIZED MODULE AND METHOD THEREOF}

The present invention relates to a system and method for performing additional authentication through an execution-only module, and more particularly to a system and method for performing additional authentication in which, in order to prevent unauthorized execution in the operating system, execution control targets can be executed only through an execution-only module that enforces additional authentication.

In the existing technology, authentication is performed at the connection (login) step of the operating system, and access control is then performed based on the subject information of the generated session. This technology can block illegal program execution by unauthorized subjects, but it has no mechanism to prevent the risk arising from mistakes by authorized subjects.

For example, if a user who is authorized to reboot the system enters the command to reboot the server system, the system is rebooted immediately because the use is authorized. In this case, another user who was connected to the server system at that time to perform an important task suffers a fatal problem: the important data being operated on is lost because of the reboot.

In addition, if the account is hijacked by malicious code such as a virus or a worm, unauthorized execution of major programs cannot be prevented.

Registered Patent No. 10-0344977 (System call control method and dynamic kernel change method of Unix operating system) comprises: (a) a user process requesting a system call; (b) determining, by looking up the system call vector table, whether the requested system call is an intercepted system call; (c) when the requested call is an intercepted system call, the alternative system call handler requesting the user's access right information for the system resource from the database via the communication interface; (d) the database retrieving the user's access rights to the system resource and providing the result to the alternative system call handler; and (e) if the user has access rights to the system resource, the alternative system call handler performing the original system call, and if the user does not have access rights, informing the user of the rejection.

Registration No. 10-0344977 thus discloses a method of intercepting a system call at the kernel level and allowing it to proceed only when the user has access rights to the system resource.

According to Patent Registration No. 10-0344977, as described above, the risk caused by a mistake of a permitted subject cannot be prevented, and when the account is taken over by malicious code such as a virus or a worm, the problem that illegal execution of the main programs cannot be prevented remains unsolved.

Registration No. 10-0344977 (System call control method and dynamic kernel change method of Unix operating system)

SUMMARY OF THE INVENTION The present invention has been made in order to solve the above-mentioned problems, and it is an object of the present invention to provide a system and method for performing additional authentication through an execution-only module, in which an execution control target is executed only after an additional authentication process has been performed through the dedicated module.

According to an aspect of the present invention, there is provided an additional authentication execution system comprising: an authentication server; a policy DB storing, for each user, execution control targets and an additional authentication method; a policy execution unit which operates in user mode, outputs the execution control target list of the logged-in user on the basis of the policy DB, performs additional authentication for the execution request or name change request selected by the user in cooperation with the authentication server using the additional authentication method assigned to that target, forwards the execution request or name change request to the kernel layer when the authentication result is permission, and rejects it otherwise; a file system access detection unit which, upon detecting an access to the file system from an application in user mode, obtains the execution request or name change request information of the attempted access; and a file system access control unit which allows access to the file system when the obtained execution request or name change request information does not exist in the policy DB, and, when it does exist in the policy DB, allows access to the file system only when the execution request or name change request was forwarded by the policy execution unit and blocks access when it was not.

The execution control targets include executable files executable by the operating system, services provided by the operating system, and functions of the operating system. The additional authentication methods include ARS (automatic response system), OTP (one-time password), PKI (public key infrastructure) and other authentication methods. The policy DB stores an execution control target list for each user, and may store an additional authentication method for each user or for each entry in a user's execution control target list.

When a plurality of the additional authentication methods are stored for an execution control target, the policy execution unit may perform the plurality of authentications sequentially in cooperation with the authentication server.

The policy execution unit may comprise: an execution-only module which retrieves from the policy DB and outputs the execution control target list executable by the logged-in user, and retrieves from the policy DB the policy corresponding to the execution request or name change request target selected by the user from that list; and an additional authentication module which receives from the execution-only module the policy corresponding to the selected execution request or name change request target, performs authentication in cooperation with the authentication server using the authentication method included in the policy, and determines whether to permit execution of the execution request or name change request target.

The execution-only module may be an application operating in user mode of a Windows-based operating system which, when executed by the logged-in user or through a separate command, displays through a separate user interface the list of execution control targets executable by the logged-in user, and, when the user selects one of the execution control targets output through the user interface, transmits the policy corresponding to the selected execution request or name change request target to the additional authentication module.

The execution-only module may alternatively be an application operating in user mode of a Unix-based operating system which, when executed by the logged-in user through a separate command, outputs through a user interface the execution control target list executable by the logged-in user, lets the user select one of the output execution control targets, and transmits the policy corresponding to the selected execution request or name change request target to the additional authentication module.

The file system access control unit may comprise: an execution control module which permits access to the file system when the execution request information received from the file system access detection unit does not exist in the policy DB, and, when it does exist in the policy DB, permits access to the file system when the execution request information has been delivered from the policy execution unit and blocks access when it has not; and a name change control module which permits access to the file system when the name change request information received from the file system access detection unit does not exist in the policy DB, and, when it does exist in the policy DB, permits access to the file system when the name change request information has been delivered from the policy execution unit and blocks access when it has not.

The execution control targets include executable files executable in the operating system, services provided by the operating system, and functions of the operating system. Executable files stored in the policy DB are automatically designated as name change control targets and stored in the policy DB, and the policy execution unit may also output the name change control targets when outputting the execution control target list of the logged-in user.

The file system access control unit may further comprise an access blocking information providing unit which, after access to the file system has been blocked, reports the access blocking information to user mode; and the system may further comprise a policy notification unit which operates in user mode, receives the access blocking information from the access blocking information providing unit, executes the application that retrieves from the policy DB and outputs the execution control target list executable by the logged-in user, and outputs a message indicating that the execution request or name change request must be made through that application.

According to another aspect of the present invention, there is provided a method comprising: a policy setting step of storing, in a policy DB, execution control targets and an additional authentication method for each user; an execution control target output step of retrieving from the policy DB and outputting the execution control target list of the logged-in user, and retrieving from the policy DB the policy corresponding to the execution request or name change request target selected by the user from that list; an additional authentication step of receiving the policy corresponding to the selected execution request or name change request target, performing authentication in cooperation with the authentication server using the additional authentication method included in the policy, forwarding the execution request or name change request to the kernel level when the authentication result is permission, and blocking it when the result is rejection; a file system access detection step of obtaining, upon detecting an access to the file system from an application in user mode, the execution request or name change request information of the attempted access; and a file system access control step of permitting access to the file system when the execution request or name change request information acquired in the file system access detection step is not present in the policy DB, and, when it is present in the policy DB, permitting access to the file system when the execution request or name change request has been delivered through the additional authentication step and blocking access when it has not.

The execution control targets include executable files executable by the operating system, services provided by the operating system, and functions of the operating system. The additional authentication methods include ARS (automatic response system), OTP (one-time password), PKI (public key infrastructure) and other authentication methods. The policy DB stores an execution control target list for each user, and may store an additional authentication method for each user or for each entry in a user's execution control target list.

When a plurality of the additional authentication methods are stored for an execution control target, the additional authentication step may perform the plurality of authentications sequentially in cooperation with the authentication server.

In the execution control target output step, when it is executed by the logged-in user or through a separate instruction, the execution control target list executable by the logged-in user is output through the user interface, and when the user selects one of the output execution control targets, the policy corresponding to the selected execution request or name change request target may be transmitted to the additional authentication step.

The execution control targets include executable files executable by the operating system, services provided by the operating system, and functions of the operating system; in the policy setting step, executable files stored in the policy DB are automatically designated as name change control targets and stored in the policy DB, and in the execution control target output step the name change control targets may also be output when the execution control target list of the logged-in user is output.

The method may further comprise, after the file system access control step, an access blocking information providing step of reporting the access blocking information to user mode after access to the file system has been blocked; and a policy notification step of executing the application that retrieves from the policy DB and outputs the list of execution control targets executable by the logged-in user, and then outputting a message indicating that the execution request or name change request must be made through that application.

According to the present invention having the above-described configuration, the following effects can be achieved.

First, since the present invention permits access to the main functions having a great influence on the operating system only through the execution-only module, a separate application operating in user mode, it is possible to prevent an authorized user from accidentally accessing the file system, which makes it possible to operate the system more safely.

Also, for executable files executable by the operating system, in order to prevent the user from changing the file name to another name and executing the file under the changed name, the executable files stored in the policy DB are automatically designated as name change control targets when the policy is set in the policy DB, which provides user convenience in policy setting.

BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram showing the configuration of an additional authentication execution system through an execution-only module according to an embodiment of the present invention.
FIG. 2 is a flowchart of a method for performing additional authentication through an execution-only module according to an embodiment of the present invention.
FIG. 3 is a flowchart illustrating in greater detail a method for performing additional authentication through an execution-only module according to an embodiment of the present invention.

The advantages and features of the present invention, and how to accomplish them, will become apparent by reference to the embodiments described in detail below with reference to the accompanying drawings.

However, the present invention is not limited to the embodiments described below, but may be embodied in various other forms.

The present embodiments are provided so that the disclosure of the present invention is thoroughly disclosed and that those skilled in the art will fully understand the scope of the present invention.

And the present invention is only defined by the scope of the claims.

Thus, in some embodiments, well known components, well known operations, and well-known techniques are not specifically described to avoid an undesirable interpretation of the present invention.

In addition, throughout the specification, like reference numerals refer to like elements, and the terms (mentioned) used herein are intended to illustrate the embodiments and not to limit the invention.

In this specification, the singular forms include plural forms unless the context clearly dictates otherwise, and the constituents and acts referred to as "comprising (or having)" do not exclude the presence or addition of one or more other constituents and acts.

Unless defined otherwise, all terms (including technical and scientific terms) used herein may be used in a sense commonly understood by one of ordinary skill in the art to which this invention belongs.

Also, commonly used predefined terms are not ideally or excessively interpreted unless they are defined.

Hereinafter, preferred embodiments of the present invention will be described with reference to the accompanying drawings.

Referring to FIGS. 1 to 3, an additional authentication execution system 100 through an execution-only module according to the present invention includes an authentication server 10, a policy DB 20, a policy execution unit 30, a file system access detection unit 40 and a file system access control unit 50. A policy notification unit 60 may further be included.

The policy execution unit 30 includes an execution-only module 31 and an additional authentication module 33. The file system access control unit 50 includes an execution control module 51 and a name change control module 53, and may further include an access blocking information providing unit 55.

The authentication server 10 performs additional authentication with the logged-in user in cooperation with the additional authentication module 33 of the policy execution unit 30. The additional authentication methods include ARS (automatic response system) authentication, OTP (one-time password) authentication using a one-time password, and PKI (public key infrastructure) digital signature authentication, in which the logged-in user signs a document with the private key and the authentication server 10 verifies the received document with the user's public key contained in the user's certificate, among others. These authentication methods are well known to those skilled in the art, so a detailed description thereof is omitted.

The policy DB 20 stores an execution control target list for each user and additional authentication methods such as ARS (automatic response system), OTP (one-time password), PKI (public key infrastructure) and other authentication methods. The other authentication methods include RFID card authentication using the user's name, employee number and card number information, fingerprint authentication using the user's fingerprint information, iris authentication using the user's iris information, face authentication recognizing the user's face, and voice authentication using the user's voice.

The policy DB 20 may store an additional authentication method for each user or for each user's execution control target list. The execution control target list may be different for each user, and the same authentication method may be assigned to all the execution control target list of the user, or different authentication methods may be assigned to each individual execution control target list of the user.

Execution control targets include executable files executable in the operating system, services provided by the operating system, and functions of the operating system. An executable file is a file with an extension such as exe or com. Services provided by the operating system include the user interface, communication services, resource management, process management, file management and memory management, and functions of the operating system include log-off, system shutdown and time change. These are merely examples, and the targets are not limited thereto. In short, execution control targets are important items that can affect the operating system.

The additional authentication method by the user's execution control target list includes at least one of an ARS (automatic response system), an OTP (one-time password), a PKI (public key infrastructure), and other authentication methods.

When a plurality of these additional authentication methods are stored for an execution control target in the policy DB 20, the policy execution unit 30 performs the plurality of authentications sequentially in cooperation with the authentication server 10. For example, if ARS and OTP are assigned as the additional authentication methods for the executable file 'a.exe' in the execution control target list of user 'Kim Cheol-su', ARS authentication and OTP authentication of 'Kim Cheol-su' are performed in sequence, and the authentication process is completed only when all of them succeed.
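The sequential additional authentication just described, written out as an added example (this is not code from the patent or from its assignee). The policy DB layout (user, then target, then an ordered list of methods), the AuthServer class, the ARS code and the HOTP seed are constructed for illustration; OTP is implemented as RFC 4226 HOTP because the patent names OTP but no algorithm, and the PKI factor is stood in for by an HMAC over a server challenge, where a real server would verify a signature against the user's certificate. The point the code makes is the one in the paragraph above: the methods run in the configured order, the first failure ends the process without consulting later factors, and the request is permitted only when every method succeeds.

```python
"""Sequential additional authentication for an execution control target.

Added example, not the patent's or its assignee's code.  Assumptions: the
policy DB is user -> target -> ordered list of methods; OTP is RFC 4226 HOTP;
the PKI factor is an HMAC stand-in for certificate signature verification.
All users, codes and keys are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed policy DB 20: user -> execution control target -> methods to run in order.
POLICY_DB: dict[str, dict[str, list[str]]] = {
    "kim.cheolsu": {
        "a.exe": ["ARS", "OTP"],
        "shutdown": ["OTP", "PKI"],
    },
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def pki_response(user_key: bytes, challenge: bytes) -> str:
    """Client side of the PKI stand-in: answer the server challenge with the user's key."""
    return hmac.new(user_key, challenge, hashlib.sha256).hexdigest()


@dataclass
class AuthServer:
    """Authentication server 10: one verifier per additional authentication method."""
    ars_codes: dict[str, str]        # code read out to the user on the ARS call
    otp_secrets: dict[str, bytes]    # HOTP seed per user
    pki_keys: dict[str, bytes]       # stand-in for the key in the user's certificate
    challenges: dict[str, bytes]     # outstanding PKI challenge per user
    otp_counters: dict[str, int] = field(default_factory=dict)
    otp_window: int = 3              # counters accepted ahead of the stored one

    def verify(self, user: str, method: str, response: str) -> bool:
        if method == "ARS":
            return hmac.compare_digest(self.ars_codes.get(user, ""), response)
        if method == "OTP":
            start = self.otp_counters.get(user, 0)
            for counter in range(start, start + self.otp_window):
                if hmac.compare_digest(hotp(self.otp_secrets[user], counter), response):
                    self.otp_counters[user] = counter + 1   # burn the code: no replay
                    return True
            return False
        if method == "PKI":
            expected = pki_response(self.pki_keys[user], self.challenges[user])
            return hmac.compare_digest(expected, response)
        raise ValueError(f"unknown additional authentication method: {method}")


@dataclass
class AuthResult:
    permitted: bool
    passed: list[str]
    failed_at: str | None


def list_targets(policy_db: dict, user: str) -> list[str]:
    """What the execution-only module 31 shows the logged-in user."""
    return sorted(policy_db.get(user, {}))


def additional_authentication(policy_db: dict, server: AuthServer, user: str,
                              target: str, responses: dict[str, str]) -> AuthResult:
    """Additional authentication module 33: run every configured method in order.

    Stops at the first failure, so later factors are never consulted (and an
    OTP offered for them is not burned).  Permission requires all to pass.
    """
    methods = policy_db.get(user, {}).get(target)
    if methods is None:
        # Not an execution control target for this user: such a request never
        # reaches this module; the kernel-side control lets it through directly.
        raise KeyError(f"{target!r} is not under execution control for {user!r}")
    passed: list[str] = []
    for method in methods:
        if not server.verify(user, method, responses.get(method, "")):
            return AuthResult(False, passed, method)
        passed.append(method)
    return AuthResult(True, passed, None)


def make_demo_server() -> AuthServer:
    """Constructed server state; the HOTP seed is the RFC 4226 test-vector seed."""
    return AuthServer(
        ars_codes={"kim.cheolsu": "4821"},
        otp_secrets={"kim.cheolsu": b"12345678901234567890"},
        pki_keys={"kim.cheolsu": b"constructed-user-key"},
        challenges={"kim.cheolsu": b"nonce-0001"},
    )


if __name__ == "__main__":
    srv = make_demo_server()
    print(list_targets(POLICY_DB, "kim.cheolsu"))
    print(additional_authentication(POLICY_DB, srv, "kim.cheolsu", "a.exe",
                                    {"ARS": "4821", "OTP": hotp(b"12345678901234567890", 0)}))
```

Because the OTP counter only advances on a successful match, a wrong ARS answer leaves the user's next OTP unburned, and a replayed OTP fails even when the ARS factor passes; both properties fall out of running the factors strictly in order.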

Execution control objects are controlled by a file name (for example, a.exe), not a full path.

In addition, a name change request for an executable file for which a policy is set is rejected. This prevents a circumvention method that would avoid the condition (the file name) by which an execution control target is judged. For example, when the executable file 'a.exe' among the execution control targets of the logged-in user 'Kim Cheol-su' is set as a policy in the policy DB 20, changing 'a.exe' to 'b.exe' is also covered by the policy, and the name change is not permitted unless additional authentication is performed. In other words, if the user types the command 'rename a.exe b.exe', it is rejected unless additional authentication is performed.

Also, for a file in which a policy is set, an attempt to change the name of the file (a.exe) in the current folder, such as 'rename a.exe b.exe', can be blocked. However, copying the file to another location and renaming the copy there cannot be blocked by the name change policy alone. In order to block such a detour, reading of the file (a.exe) in which the policy is set must also be blocked. Accordingly, if a user enters 'read a.exe' for a file (a.exe) with a policy set, access is denied unless additional authentication is performed.

In other words, the name change request described in the present invention includes not only a rename that changes the actual name, but also a read operation for copying the file before the name change. This makes it possible to block not only a name change of the file for which the policy is set, but also copying or moving it to another location.

The policy setting unit (not shown) automatically designates an executable file stored in the policy DB 20 as a name change control target and stores it in the policy DB 20, in order to prevent unauthorized changes to the file name of an executable file for which a policy is set. The policy execution unit 30 also outputs the name change control targets when outputting the execution control target list of the logged-in user from the policy DB 20.
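The kernel-side decision the execution control module and name change control module make, covering the name-by-basename matching, the rename and read (copy) detours and the auto-designation of executables as name change targets discussed in the preceding paragraphs, as an added example; it is not the patent's or its assignee's code. The model is an assumption chosen to make the logic concrete: the policy DB holds per-user target names, the policy execution unit hands the kernel a single-use record (user, operation, name) for each request whose additional authentication succeeded, the detection unit reports each attempt as (user, operation, path), and names are compared case-insensitively. Operation names, user names and paths are constructed.

```python
"""Kernel-side file system access control decision of the patent.

Added example, not the patent's or its assignee's code.  Assumed model: the
policy DB holds per-user execution control targets (names, not paths);
executables among them are automatically name change control targets; the
policy execution unit records each authenticated request once; the access
detection unit reports (user, operation, path).  Operation names and the
case-insensitive comparison are assumptions.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass, field

EXECUTE, RENAME, READ = "execute", "rename", "read"
NAME_CHANGE_OPS = {RENAME, READ}          # read-for-copy counts as a name change request
EXECUTABLE_EXTENSIONS = (".exe", ".com")


def control_name(path: str) -> str:
    """Control is by file name, not full path: drop any directory, either separator."""
    return posixpath.basename(path.replace("\\", "/")).lower()


@dataclass
class PolicyDB:
    """Policy DB 20: user -> execution control targets (executables, services, functions)."""
    targets: dict[str, set[str]]

    def execution_targets(self, user: str) -> set[str]:
        return {t.lower() for t in self.targets.get(user, set())}

    def name_change_targets(self, user: str) -> set[str]:
        # Policy setting auto-designates every controlled executable file as a
        # name change control target; services and functions are not files.
        return {t for t in self.execution_targets(user) if t.endswith(EXECUTABLE_EXTENSIONS)}


@dataclass
class PolicyExecutionUnit:
    """User-mode side: records the requests that passed additional authentication."""
    forwarded: set[tuple[str, str, str]] = field(default_factory=set)

    def forward(self, user: str, operation: str, target: str) -> None:
        self.forwarded.add((user, operation, target.lower()))

    def take(self, user: str, operation: str, name: str) -> bool:
        # Single use: one authenticated request authorizes exactly one access.
        try:
            self.forwarded.remove((user, operation, name))
            return True
        except KeyError:
            return False


@dataclass
class Decision:
    allowed: bool
    reason: str      # what the access blocking information providing unit reports


class FileSystemAccessControl:
    """Execution control module 51 and name change control module 53 together."""

    def __init__(self, db: PolicyDB, peu: PolicyExecutionUnit) -> None:
        self.db, self.peu = db, peu

    def decide(self, user: str, operation: str, path: str) -> Decision:
        name = control_name(path)
        if operation == EXECUTE:
            controlled = name in self.db.execution_targets(user)
        elif operation in NAME_CHANGE_OPS:
            controlled = name in self.db.name_change_targets(user)
        else:
            return Decision(True, f"{operation} is not an operation under control")
        if not controlled:
            return Decision(True, f"{name} is not in the policy DB for {user}")
        if self.peu.take(user, operation, name):
            return Decision(True, f"{operation} {name} forwarded by the policy execution unit")
        return Decision(False, f"{operation} {name} requires additional authentication "
                               "through the execution-only module")


def demo() -> list[tuple[str, bool]]:
    """Constructed scenario following the a.exe / rename / read discussion."""
    db = PolicyDB({"kim.cheolsu": {"a.exe", "shutdown"}})
    peu = PolicyExecutionUnit()
    fsac = FileSystemAccessControl(db, peu)
    out = []
    out.append(("direct execute", fsac.decide("kim.cheolsu", EXECUTE, r"C:\tools\a.exe").allowed))
    out.append(("execute uncontrolled", fsac.decide("kim.cheolsu", EXECUTE, r"C:\tools\b.exe").allowed))
    out.append(("rename detour", fsac.decide("kim.cheolsu", RENAME, "a.exe").allowed))
    out.append(("copy detour (read)", fsac.decide("kim.cheolsu", READ, "/srv/bin/A.EXE").allowed))
    out.append(("read uncontrolled", fsac.decide("kim.cheolsu", READ, "notes.txt").allowed))
    peu.forward("kim.cheolsu", EXECUTE, "a.exe")       # additional authentication succeeded
    out.append(("authenticated execute", fsac.decide("kim.cheolsu", EXECUTE, r"D:\other\a.exe").allowed))
    out.append(("second execute, record spent", fsac.decide("kim.cheolsu", EXECUTE, "a.exe").allowed))
    out.append(("other user, no policy", fsac.decide("lee", EXECUTE, "a.exe").allowed))
    return out


if __name__ == "__main__":
    for label, allowed in demo():
        print(f"{label:30} {'allow' if allowed else 'block'}")
```

Two consequences of matching on the file name alone are visible in the scenario: an authenticated request for a.exe is honoured wherever the file lives, which is why the rename and read paths also have to be controlled, and a file the policy does not name (b.exe, notes.txt) passes straight through without touching the policy execution unit, exactly as the patent describes for requests absent from the policy DB.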

The policy DB 20 may include additional information such as an account, natural person information (employee information, etc.), a connection IP address, a file execution permission time, and a file execution permission day. In addition to the additional authentication method, this additional information can be used to perform authentication.

The policy execution unit 30 operates in user mode and outputs the execution control target list of the logged-in user based on the policy DB 20. It receives the execution request or name change request selected by the user and performs authentication in cooperation with the authentication server 10 using the additional authentication method corresponding to that target; if the authentication result for the execution request or name change request is permission, the execution request or name change request is transmitted to the kernel layer.

The policy execution unit 30 includes an execution-only module 31 and an additional authentication module 33.

The execution-only module 31 retrieves from the policy DB 20 and outputs the execution control target list executable by the logged-in user, and retrieves from the policy DB 20 the policy corresponding to the execution request or name change request target selected by the user. In FIG. 1, ① shows the case in which 'a.exe' is selected and executed from the execution control target list executable by the logged-in user, and ② shows the case in which a name change request such as 'rename a.exe b.exe' or 'read a.exe' is executed. Other commands and services that may affect the operating system, such as 'shutdown' and 'reboot', may also be included. ① and ② can occur independently of each other.

Specifically, the execution-only module 31 is an application operating in user mode of a Windows-based operating system. When the execution-only module 31 is executed by the logged-in user, or through a separate command, it outputs, through a separate user interface such as a pop-up, the execution control target list that the logged-in user may execute. When the user selects one item from the execution control target list output through the user interface, the policy corresponding to the selected execution request or name change request target is transmitted to the additional authentication module 33.

The execution-only module 31 may also be an application operating in user mode of a Unix-based operating system. When executed by the logged-in user through a separate command, it outputs through a user interface the execution control target list that the logged-in user may execute; when the user inputs one of the items from the output list, the policy corresponding to the selected execution request or name change request target is transmitted to the additional authentication module 33. In Fig. 1, ① represents an execution request and ② represents a name change request; the two can occur independently of each other.

When the additional authentication module 33 receives from the execution-only module 31 the policy corresponding to the ① execution request or ② name change request target selected by the user, it performs authentication in cooperation with the authentication server 10 using the authentication method included in the policy, and thereby determines whether execution of the execution request or name change request target is permitted. If the authentication result is permission, the execution request or name change request is forwarded to the kernel layer; if the authentication result is rejection, execution is blocked. Since the method of performing authentication in cooperation with the authentication server 10 has been described in detail above, a detailed description is omitted here.

The file system access detection unit 40 monitors whether a user mode application attempts to access the file system and, when such an access is detected, obtains the execution request or name change request information of the attempted access and delivers it to the file system access control unit 50. It may be implemented as a file system minifilter driver.

The file system access control unit 50 permits access to the file system 70 if the execution request or name change request information acquired by the file system access detection unit 40 is not present in the policy DB 20. If the information is present in the policy DB 20, it permits access to the file system 70 only when the execution request or name change request information has been delivered from the policy execution unit 30, and blocks access to the file system 70 when it has not.

Specifically, the file system access control unit 50 includes an execution control module 51 and a name change control module 53.

The execution control module 51 permits access to the file system 70 if the execution request information received from the file system access detection unit 40 does not exist in the policy DB 20. If it does exist in the policy DB 20, the module permits access to the file system 70 when the execution request information has been transferred from the policy execution unit 30, and blocks access when it has not.

The name change control module 53 permits access to the file system 70 if the name change request information received from the file system access detection unit 40 does not exist in the policy DB 20. If it does exist in the policy DB 20, the module permits access to the file system 70 when the name change request information has been delivered from the policy execution unit 30, and blocks access to the file system 70 when it has not.

The access blocking information providing unit 55 notifies user mode of the access blocking information after the file system access control unit 50 has blocked access to the file system 70.

The policy notification unit 60 operates in user mode. When it receives the access blocking information from the access blocking information providing unit 55, it executes the application that inquires and outputs from the policy DB 20 the execution control target list that the logged-in user may execute, and then outputs a message to the effect that the execution request or name change request should be made through that application. Thus, even if the logged-in user has the authority to execute the executable file 'a.exe', access is blocked when 'a.exe' is executed without going through the execution-only module 31; the user then executes the execution-only module 31 and goes through the additional authentication process.

Referring to Figs. 1 to 3, the method for executing additional authentication through an execution-only module according to the present invention will now be described.

First, the policy setting unit (not shown) performs a policy setting step of storing the execution control object for each user and the additional authentication method in the policy DB 20 (S21, S311).

The policy setting unit (not shown) can automatically designate an executable file stored in the policy DB 20 as a name change control target and store it in the policy DB 20.

The execution control target includes an executable file executable in the operating system, a service provided by the operating system and a function of the operating system, and the additional authentication method includes an ARS (automatic response system), an OTP (one-time password), a PKI (public key infrastructure) and other authentication schemes.

The policy DB 20 stores an execution control target list for each user and can store an additional authentication method for each user or for each user's execution control target list.

The execution-only module 31 inquires and outputs the execution control target list of the logged-in user from the policy DB 20 (S312), and loads from the policy DB 20 the policy corresponding to the execution request selected by the user or to the name change request target (S313) (S22).

The execution-only module 31 can also output the name change control object when outputting the execution control object list of the logged-in user.

Specifically, when clicked by the logged-in user or executed through a separate command, the execution-only module 31 outputs through the user interface the execution control target list that the logged-in user may execute (S312). When the user selects one item from the output list, the execution-only module 31 loads from the policy DB 20 the policy corresponding to the selected execution request or name change request target and transfers it to the additional authentication module 33 (S313).

The additional authentication module 33 receives the policy corresponding to the execution request selected by the user or to the name change request target and performs authentication in cooperation with the authentication server 10 using the additional authentication method included in the policy (S314). If the authentication result (S315) is permission, the execution request or name change request is transmitted to the kernel level (S317); if the authentication result (S315) is rejection, execution is blocked (S316).

The additional authentication method for a user's execution control target list includes at least one of an ARS (automatic response system), an OTP (one-time password), a PKI (public key infrastructure) and other authentication methods; when a plurality of authentication methods is stored for an execution control target, the additional authentication module 33 can perform the plurality of authentications sequentially in cooperation with the authentication server 10.

The file system access detection unit 40 performs a file system access detection step of obtaining, when an access is detected, the execution request or name change request information of the user mode application's attempted access to the file system 70 (S24, S318).

The file system access control unit 50 determines whether the obtained execution request or name change request information exists in the policy DB 20 (S319); if it does not exist in the policy DB 20, access to the file system 70 is permitted (S320).

However, if it does exist in the policy DB 20, it is determined whether the execution request or name change request information was transmitted through the additional authentication module 33 that performs the additional authentication step S23 (S321).

As a result of the determination, if the information was transferred through the additional authentication module 33, access to the file system 70 is permitted (S322); if the execution request or name change request information was not transferred through the additional authentication module 33 (S23), access to the file system 70 is blocked (S323) (S25).

The access blocking information providing unit 55 performs an access blocking information providing step of notifying user mode of the access blocking information after access to the file system 70 has been blocked in the file system access control step S25 (S26, S324).

Finally, when the policy notification unit 60 receives the access blocking information from the access blocking information providing unit 55, it executes the application that inquires and outputs from the policy DB 20 the execution control target list that the logged-in user may execute, and performs a policy notification step (S27, S325) of outputting a message indicating that the execution request or name change request should be made through that application.
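The component description above and the step sequence S21 to S27 both come down to one access decision: a controlled execution or name change reaches the file system only if it was routed through the execution-only module and passed the additional authentication the policy requires. The following is an added Python simulation of that decision, not code from the patent or its assignee. The policy DB contents, the user 'alice', the credential values, the stub authentication server and the one-time "approved request" record that stands in for the request forwarded from the policy execution unit to the kernel layer are all assumptions made for this example.

```python
"""Simulation of the execution / name change access decision described above.

Assumptions (not from the patent): the policy DB below, the user 'alice',
the stub authentication server and the set of approved requests that stands
in for the request forwarded from the policy execution unit to the kernel.
"""
from dataclasses import dataclass

# Constructed policy DB 20: per-user execution control targets and the
# additional authentication method(s) required for each target.
POLICY_DB = {
    "alice": {
        "a.exe": ["OTP"],
        "shutdown": ["OTP", "PKI"],   # two methods -> performed in sequence
    },
}

# Constructed credentials the stub authentication server accepts.
VALID_FACTORS = {"alice": {"OTP": "123456", "PKI": "cert-ok"}}


def name_change_targets(user):
    """Every executable file in a user's policy is automatically a rename target."""
    return {t for t in POLICY_DB.get(user, {}) if t.endswith(".exe")}


@dataclass
class Request:
    user: str
    op: str       # "execute" or "rename"
    target: str   # file, service or OS function name


class AuthServer:
    """Stub for authentication server 10: verifies one factor at a time."""
    def verify(self, user, method, value):
        return VALID_FACTORS.get(user, {}).get(method) == value


class PolicyExecutionUnit:
    """User-mode unit 30: lists targets, runs the additional authentication
    and records the requests it forwards toward the kernel layer."""
    def __init__(self, auth_server):
        self.auth = auth_server
        self.approved = set()   # (user, op, target) forwarded to the kernel

    def execution_control_list(self, user):
        return sorted(set(POLICY_DB.get(user, {})) | name_change_targets(user))

    def submit(self, req, factors):
        methods = POLICY_DB.get(req.user, {}).get(req.target)
        if methods is None:
            return False   # not a controlled target for this user
        # Sequential additional authentication: every configured method must pass.
        for m in methods:
            if not self.auth.verify(req.user, m, factors.get(m)):
                return False   # rejected -> nothing is forwarded
        self.approved.add((req.user, req.op, req.target))
        return True


class FileSystemAccessControl:
    """Kernel-side unit 50 (minifilter role) plus the notification path."""
    def __init__(self, unit):
        self.unit = unit
        self.notifications = []

    def decide(self, req):
        if req.op == "rename":
            controlled = req.target in name_change_targets(req.user)
        else:
            controlled = req.target in POLICY_DB.get(req.user, {})
        if not controlled:
            return "allow"   # not in the policy DB -> not controlled
        key = (req.user, req.op, req.target)
        if key in self.unit.approved:
            self.unit.approved.discard(key)   # approval is consumed once
            return "allow"   # arrived through the execution-only module
        # Blocked: policy notification tells the user which path to use.
        self.notifications.append(
            f"{req.user}: '{req.op} {req.target}' blocked; run it through the "
            f"execution-only module (targets: "
            f"{', '.join(self.unit.execution_control_list(req.user))})")
        return "block"


def scenario():
    """Constructed walk-through returning each decision for inspection."""
    unit = PolicyExecutionUnit(AuthServer())
    fs = FileSystemAccessControl(unit)
    results = {}
    # a.exe executed directly, bypassing the module -> blocked and notified
    results["direct"] = fs.decide(Request("alice", "execute", "a.exe"))
    # wrong OTP through the module -> nothing forwarded, kernel still blocks
    r = Request("alice", "execute", "a.exe")
    results["bad_otp"] = (unit.submit(r, {"OTP": "000000"}), fs.decide(r))
    # correct OTP through the module -> allowed once
    r = Request("alice", "execute", "a.exe")
    results["good_otp"] = (unit.submit(r, {"OTP": "123456"}), fs.decide(r))
    # shutdown needs OTP and then PKI; one factor alone is rejected
    r = Request("alice", "execute", "shutdown")
    results["shutdown_partial"] = unit.submit(r, {"OTP": "123456"})
    results["shutdown_full"] = unit.submit(r, {"OTP": "123456", "PKI": "cert-ok"})
    # rename of a policy executable without the module -> blocked
    results["rename"] = fs.decide(Request("alice", "rename", "a.exe"))
    # a file absent from the policy DB is not controlled at all
    results["uncontrolled"] = fs.decide(Request("alice", "execute", "notepad.exe"))
    results["notified"] = len(fs.notifications)
    return results


if __name__ == "__main__":
    print(scenario())
```

The approval record is consumed on first use so that one authenticated request cannot be replayed as a second access; the patent text does not say how the kernel layer recognises a forwarded request, so that single-use record is this example's choice, not the patent's.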

As described above, according to the present invention, access is permitted only through the execution-only module, a separate application operating in user mode, so a privileged user is prevented from accessing the file system inadvertently and the system can be operated more safely.

It will be apparent to those skilled in the art that many other modifications and applications are possible within the scope of the basic technical idea of the present invention.

10 ... authentication server
20 ... policy DB
30 ... policy execution unit
31 ... execution-only module
33 ... additional authentication module
40 ... file system access detection unit
50 ... file system access control unit
51 ... execution control module
53 ... name change control module
55 ... access blocking information providing unit
60 ... policy notification unit
70 ... file system
100 ... additional authentication execution system through execution-only module

Claims (15)

1. A system for executing additional authentication through an execution-only module, comprising:
an authentication server;
a policy DB storing an execution control target and an additional authentication method for each user;
a policy execution unit which outputs the execution control target list of the logged-in user on the basis of the policy DB, performs authentication in cooperation with the authentication server when an execution request selected by the user from the execution control target list or a name change request is received, forwards the execution request or name change request when the authentication result is permission, and rejects the execution request or name change request otherwise;
a file system access detection unit which, upon detecting an access to the file system from an application in user mode, obtains the execution request or name change request information of the attempted access; and
a file system access control unit which permits access to the file system if the obtained execution request or name change request information does not exist in the policy DB and, if it exists in the policy DB, permits access to the file system when the execution request or name change request information is delivered from the policy execution unit and blocks access to the file system when it is not delivered from the policy execution unit,
wherein the execution control target includes an executable file executable by the operating system, a service provided by the operating system and a function of the operating system, and the additional authentication method includes an ARS (automatic response system), an OTP (one-time password), a PKI (public key infrastructure) and other authentication schemes, and
wherein the policy DB stores an execution control target list for each user and stores an additional authentication method for each user or for each execution control target in a user's list.

2. (deleted)

3. The system according to claim 1, wherein, when a plurality of the additional authentication methods are stored for an execution control target, the policy execution unit sequentially performs the plurality of authentications in cooperation with the authentication server.

4. A system for executing additional authentication through an execution-only module, comprising:
an authentication server;
a policy DB storing an execution control target and an additional authentication method for each user;
a policy execution unit which outputs the execution control target list of the logged-in user on the basis of the policy DB, performs authentication in cooperation with the authentication server when an execution request selected by the user from the execution control target list or a name change request is received, forwards the execution request or name change request when the authentication result is permission, and rejects the execution request or name change request otherwise;
a file system access detection unit which, upon detecting an access to the file system from an application in user mode, obtains the execution request or name change request information of the attempted access; and
a file system access control unit which permits access to the file system if the obtained execution request or name change request information does not exist in the policy DB and, if it exists in the policy DB, permits access to the file system when the execution request or name change request information is delivered from the policy execution unit and blocks access to the file system when it is not delivered from the policy execution unit,
wherein the policy execution unit comprises:
an execution-only module which inquires and outputs from the policy DB the execution control target list executable by the logged-in user and obtains from the policy DB the policy corresponding to the execution request selected by the user from that list or to the name change request target; and
an additional authentication module which, upon receiving from the execution-only module the policy corresponding to the selected execution request or name change request target, performs authentication in cooperation with the authentication server using the additional authentication method included in the policy and determines whether execution is permitted.

5. The system of claim 4, wherein the execution-only module is an application operating in user mode of a Windows-based operating system which, when executed by the logged-in user or through a separate command, displays through a separate user interface the execution control target list executable by the logged-in user and, when the user selects one item from the execution control target list output through the user interface, transmits the policy corresponding to the selected execution request or name change request target to the additional authentication module.

6. The system of claim 4, wherein the execution-only module is an application operating in user mode of a Unix-based operating system which, when executed by the logged-in user through a separate command, outputs through a user interface the execution control target list executable by the logged-in user and, when the user selects one item from the execution control target list output through the execution-only module, transmits the policy corresponding to the selected execution request or name change request target to the additional authentication module.

7. A system for executing additional authentication through an execution-only module, comprising:
an authentication server;
a policy DB storing an execution control target and an additional authentication method for each user;
a policy execution unit which outputs the execution control target list of the logged-in user on the basis of the policy DB, performs authentication in cooperation with the authentication server when an execution request selected by the user from the execution control target list or a name change request is received, forwards the execution request or name change request when the authentication result is permission, and rejects the execution request or name change request otherwise;
a file system access detection unit which, upon detecting an access to the file system from an application in user mode, obtains the execution request or name change request information of the attempted access; and
a file system access control unit which permits access to the file system if the obtained execution request or name change request information does not exist in the policy DB and, if it exists in the policy DB, permits access to the file system when the execution request or name change request information is delivered from the policy execution unit and blocks access to the file system when it is not delivered from the policy execution unit,
wherein the file system access control unit comprises:
an execution control module which permits access to the file system if the execution request information received from the file system access detection unit does not exist in the policy DB and, if it exists in the policy DB, permits access to the file system when the execution request information is transferred from the policy execution unit and blocks access to the file system when it is not; and
a name change control module which permits access to the file system if the name change request information received from the file system access detection unit does not exist in the policy DB and, if it exists in the policy DB, permits access to the file system when the name change request information is transferred from the policy execution unit and blocks access to the file system when it is not.

8. A system for executing additional authentication through an execution-only module, comprising:
an authentication server;
a policy DB storing an execution control target and an additional authentication method for each user;
a policy execution unit which outputs the execution control target list of the logged-in user on the basis of the policy DB, performs authentication in cooperation with the authentication server when an execution request selected by the user from the execution control target list or a name change request is received, forwards the execution request or name change request when the authentication result is permission, and rejects the execution request or name change request otherwise;
a file system access detection unit which, upon detecting an access to the file system from an application in user mode, obtains the execution request or name change request information of the attempted access; and
a file system access control unit which permits access to the file system if the obtained execution request or name change request information does not exist in the policy DB and, if it exists in the policy DB, permits access to the file system when the execution request or name change request information is delivered from the policy execution unit and blocks access to the file system when it is not delivered from the policy execution unit,
wherein the execution control target includes an executable file executable in the operating system, a service provided by the operating system and a function of the operating system,
an executable file stored in the policy DB is automatically designated as a name change control target and stored in the policy DB, and
the policy execution unit also outputs the name change control target when outputting the execution control target list of the logged-in user.

9. A system for executing additional authentication through an execution-only module, comprising:
an authentication server;
a policy DB storing an execution control target and an additional authentication method for each user;
a policy execution unit which outputs the execution control target list of the logged-in user on the basis of the policy DB, performs authentication in cooperation with the authentication server when an execution request selected by the user from the execution control target list or a name change request is received, forwards the execution request or name change request when the authentication result is permission, and rejects the execution request or name change request otherwise;
a file system access detection unit which, upon detecting an access to the file system from an application in user mode, obtains the execution request or name change request information of the attempted access; and
a file system access control unit which permits access to the file system if the obtained execution request or name change request information does not exist in the policy DB and, if it exists in the policy DB, permits access to the file system when the execution request or name change request information is delivered from the policy execution unit and blocks access to the file system when it is not delivered from the policy execution unit,
wherein the file system access control unit includes an access blocking information providing unit which notifies user mode of the access blocking information after access to the file system is blocked, and
the system further comprises a policy notification unit which, upon receiving the access blocking information from the access blocking information providing unit, executes an application that inquires and outputs from the policy DB the execution control target list executable by the logged-in user and outputs a message indicating that the execution request or name change request is to be made through that application.

10. A method for executing additional authentication through an execution-only module, comprising:
a policy setting step of storing an execution control target and an additional authentication method for each user in a policy DB;
an execution control target output step of outputting the execution control target list of the logged-in user and retrieving from the policy DB the policy corresponding to the execution request selected by the user from that list or to the name change request target;
an additional authentication step of receiving the policy corresponding to the selected execution request or name change request target, performing authentication in cooperation with the authentication server using the additional authentication method included in the policy, transmitting the execution request or name change request to the kernel level if the authentication result is permission, and blocking it if the result is rejection;
a file system access detection step of obtaining, upon detecting an access to the file system from an application in user mode, the execution request or name change request information of the attempted access; and
a file system access control step of permitting access to the file system if the execution request or name change request information acquired in the file system access detection step does not exist in the policy DB and, if it exists in the policy DB, permitting access to the file system when the execution request or name change request information was delivered through the additional authentication step and blocking access to the file system when it was not,
wherein the execution control target includes an executable file executable by the operating system, a service provided by the operating system and a function of the operating system, and the additional authentication method includes an ARS (automatic response system), an OTP (one-time password), a PKI (public key infrastructure) and other authentication schemes, and
wherein the policy DB stores an execution control target list for each user and stores an additional authentication method for each user or for each execution control target in a user's list.

11. (deleted)

12. The method of claim 10, wherein, when a plurality of the additional authentication methods are stored for an execution control target, the additional authentication step sequentially performs the plurality of authentications in cooperation with the authentication server.

13. A method for executing additional authentication through an execution-only module, comprising:
a policy setting step of storing an execution control target and an additional authentication method for each user in a policy DB;
an execution control target output step of outputting the execution control target list of the logged-in user and retrieving from the policy DB the policy corresponding to the execution request selected by the user from that list or to the name change request target;
an additional authentication step of receiving the policy corresponding to the selected execution request or name change request target, performing authentication in cooperation with the authentication server using the additional authentication method included in the policy, transmitting the execution request or name change request to the kernel level if the authentication result is permission, and blocking it if the result is rejection;
a file system access detection step of obtaining, upon detecting an access to the file system from an application in user mode, the execution request or name change request information of the attempted access; and
a file system access control step of permitting access to the file system if the execution request or name change request information acquired in the file system access detection step does not exist in the policy DB and, if it exists in the policy DB, permitting access to the file system when the execution request or name change request information was delivered through the additional authentication step and blocking access to the file system when it was not,
wherein the execution control target output step outputs through the user interface the execution control target list executable by the logged-in user when executed by the logged-in user or through a separate instruction and, when the user selects one item from the output list, transmits the policy corresponding to the selected execution request or name change request target to the additional authentication step.

14. A method for executing additional authentication through an execution-only module, comprising:
a policy setting step of storing an execution control target and an additional authentication method for each user in a policy DB;
an execution control target output step of outputting the execution control target list of the logged-in user and retrieving from the policy DB the policy corresponding to the execution request selected by the user from that list or to the name change request target;
an additional authentication step of receiving the policy corresponding to the selected execution request or name change request target, performing authentication in cooperation with the authentication server using the additional authentication method included in the policy, transmitting the execution request or name change request to the kernel level if the authentication result is permission, and blocking it if the result is rejection;
a file system access detection step of obtaining, upon detecting an access to the file system from an application in user mode, the execution request or name change request information of the attempted access; and
a file system access control step of permitting access to the file system if the execution request or name change request information acquired in the file system access detection step does not exist in the policy DB and, if it exists in the policy DB, permitting access to the file system when the execution request or name change request information was delivered through the additional authentication step and blocking access to the file system when it was not,
wherein the execution control target includes an executable file executable in the operating system, a service provided by the operating system and a function of the operating system,
the policy setting step automatically designates an executable file stored in the policy DB as a name change control target and stores it in the policy DB, and
the execution control target output step also outputs the name change control target when outputting the execution control target list of the logged-in user.

15. A method for executing additional authentication through an execution-only module, comprising:
a policy setting step of storing an execution control target and an additional authentication method for each user in a policy DB;
an execution control target output step of outputting the execution control target list of the logged-in user and retrieving from the policy DB the policy corresponding to the execution request selected by the user from that list or to the name change request target;
an additional authentication step of receiving the policy corresponding to the selected execution request or name change request target, performing authentication in cooperation with the authentication server using the additional authentication method included in the policy, transmitting the execution request or name change request to the kernel level if the authentication result is permission, and blocking it if the result is rejection;
a file system access detection step of obtaining, upon detecting an access to the file system from an application in user mode, the execution request or name change request information of the attempted access; and
a file system access control step of permitting access to the file system if the execution request or name change request information acquired in the file system access detection step does not exist in the policy DB and, if it exists in the policy DB, permitting access to the file system when the execution request or name change request information was delivered through the additional authentication step and blocking access to the file system when it was not,
and further comprising, after the file system access control step:
an access blocking information providing step of notifying user mode of the access blocking information after access to the file system is blocked; and
a policy notifying step of, upon receiving the access blocking information, executing an application that inquires and outputs from the policy DB the execution control target list executable by the logged-in user and outputting a message indicating that the execution request or name change request is to be made through that application.
KR1020160027478A, priority date 2016-03-08, filing date 2016-03-08: Additional authentication execution system through execution specialized module and method thereof; granted as KR101651392B1, published 2016-08-25. Family ID 56884904. Country status: KR (1), KR101651392B1.
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20200122014A (en) * 2019-04-17 2020-10-27 (주)나무소프트 Data security method based on program protection
KR102227558B1 (en) * 2019-04-17 2021-03-12 (주)나무소프트 Data security method based on program protection

Similar Documents

Publication Publication Date Title
JP6484255B2 (en) Host attestation, including trusted execution environment
US10375054B2 (en) Securing user-accessed applications in a distributed computing environment
EP3014847B1 (en) Secure hybrid file-sharing system
EP1745343B1 (en) A generic framework for runtime interception and execution control of interpreted languages
US9332019B2 (en) Establishment of a trust index to enable connections from unknown devices
US20120311696A1 (en) Override for Policy Enforcement System
US20120167167A1 (en) Enabling granular discretionary access control for data stored in a cloud computing environment
EP2267624A2 (en) A generic framework for runtime interception and execution control of interpreted languages
US10929568B2 (en) Application control
KR101565590B1 (en) A system for expanding the security kernel with system for privilege flow prevention based on white list
US9521032B1 (en) Server for authentication, authorization, and accounting
JP2017510013A (en) Techniques for providing network security with just-in-time provisioned accounts
US10951657B2 (en) Systems and methods for authenticating platform trust in a network function virtualization environment
KR101745843B1 (en) Methods and devices for protecting private data
US10671730B2 (en) Controlling configuration data storage
KR20130120893A (en) System and method for providing cloud computing service using virtual machine
US10909516B2 (en) Basic input/output system (BIOS) credential management
US11636219B2 (en) System, method, and apparatus for enhanced whitelisting
US8601544B1 (en) Computer system employing dual-band authentication using file operations by trusted and untrusted mechanisms
KR101651392B1 (en) Additional authentication execution system through execution specialized module and method thereof
EP3759629B1 (en) Method, entity and system for managing access to data through a late dynamic binding of its associated metadata
Birnstill et al. Building blocks for identity management and protection for smart environments and interactive assistance systems
JP2016207144A (en) Information processing apparatus, program, and authentication system
KR102357715B1 (en) Method to management operating system image for security and internet server using the methods
US20150154395A1 (en) Image output apparatus, image output system, and computer-readable recording medium

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant