CN102495988A - Domain-based access control method and system - Google Patents


Publication number
CN102495988A
Authority
CN
China
Prior art keywords
access control
territory
module
domain
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2011104266369A
Other languages
Chinese (zh)
Inventor
艾奇伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING NASE HENGXIN TECHNOLOGY CO LTD
Original Assignee
BEIJING NASE HENGXIN TECHNOLOGY CO LTD
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING NASE HENGXIN TECHNOLOGY CO LTD filed Critical BEIJING NASE HENGXIN TECHNOLOGY CO LTD
Priority to CN2011104266369A priority Critical patent/CN102495988A/en
Publication of CN102495988A publication Critical patent/CN102495988A/en
Pending legal-status Critical Current

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a domain-based access control method and system. The method comprises the following steps: according to the user's requirements for protecting the system, defining domains for the different applications, setting a domain label on the subjects and objects of each application in the system, and establishing a domain-based access control policy library; intercepting access requests from subjects to objects in the system; submitting each access request to the domain-based access control policy library for domain label detection; and judging whether the current operation is allowed, accepting the access request if it is and refusing it if it is not. The system comprises an interception filtering module, an access control judgment module, a domain information library module, a domain information management module and a security log query module. The interception filtering module intercepts and filters the data access requests of application programs in the system. The access control judgment module judges whether the subject domain label and the object domain label are the same and determines whether the access is allowed. The domain information library module stores the access control policy library. The domain information management module is used to modify the access control policy library and to query the security logs. The security log query module stores information about dangerous operations that violate the access control policy. The method and system effectively protect application programs and improve the security of both the applications and the operating system.

Description

Domain-based access control method and system
Technical field
The present invention relates to operating systems, and in particular to an access control method and system for an operating system.
Background art
Access control in existing operating systems generally includes the discretionary access control model (Discretionary Access Control), the mandatory access control model (Mandatory Access Control), role-based access control (Role-Based Access Control), the Bell-LaPadula model, and the Biba model, wherein:
Under the discretionary access control model (Discretionary Access Control), a subject can autonomously grant other subjects the access rights it holds over an object, or revoke rights it has granted from other subjects. Because part of the right to grant or revoke access is left to individual users, it is hard for the administrator to determine which users have access to which resources, which works against unified, global access control. In many organizations, users do not own the resources they can access; the organization itself is the real owner of the resources in the system. Organizations generally want the outcome of access control and authorization to be consistent with their internal rules and regulations, with access control implemented uniformly by an administrative authority rather than handled by users on their own.
The mandatory access control model (Mandatory Access Control) restricts a subject's access to an object according to the sensitivity level of the object and the clearance level of the subject; it is mostly used in multilevel military systems.
The Bell-LaPadula model uses the concepts of subject, object, access operation (read, write, read/write) and security level. When the subject and the object are at different security levels, the subject's access to the object is subject to certain restrictions. Once this model is implemented, it can ensure that information is not accessed by unauthorized subjects.
The Biba model was developed after the Bell-LaPadula model and is very similar to it; it addresses the integrity of application data. Bell-LaPadula uses security levels (top secret, secret, confidential, etc.) to ensure that sensitive information is accessed only by authorized individuals. The Biba model is not concerned with the confidentiality level of information, so its access control is based on integrity levels rather than security levels.
In the face of current application security problems, the above access control models cannot effectively address the security of applications. For example, role-based access control (Role-Based Access Control) mainly focuses on the separation of powers and duties among the different roles in the system. Under discretionary access control (Discretionary Access Control), a subject has full control over the programs and operations of the objects that belong to it; this is the access control model that current mainstream operating systems provide by default, and its security is very poor.
Summary of the invention
To remedy the deficiencies of the prior art, the present invention provides a domain-based access control (Domain-Based Access Control, DBAC) method and system. Applications are divided into different domains, each application's access to data outside its own domain is restricted, and the applications are isolated from one another. Within each application domain, the application's access rights to its data are set, and the application is given only the minimum operating permissions.
To achieve the above purpose, the domain-based access control method provided by the invention comprises the following steps:
1) according to the user's requirements for protecting the system, defining domains for the different applications, setting an access permission list, setting each application's domain label on the subjects and objects of that application in the system, and establishing a domain-based access control policy library;
2) intercepting access requests from subjects to objects in the system;
3) performing domain label detection on the subject requesting access;
4) judging whether the current operation is allowed; if it is, letting the current request through, otherwise refusing the request.
Wherein, setting each application's domain label on an object in step 1) further comprises: setting the access permissions of that object within its domain, so that a subject in the same domain may perform on the object only the operations that the in-domain permissions allow.
Wherein, the interception of access requests in step 2) is done by hooking, in the system call table, the kernel calls that operate on objects.
Wherein, performing domain label detection on the subject requesting access in step 3) means using the subject and object of the intercepted access request to query the access permission list of the access control policy library and, once they are found, comparing the labels of the subject and the object.
Wherein, step 4) further comprises the following steps:
if the requested object has no domain label, allowing the current operation;
if the domain labels of the subject and the object differ, refusing the current operation;
if the domain labels of the subject and the object are the same and the concrete operation is within the permissions allowed in the domain, allowing the current operation; otherwise refusing the current operation.
To achieve the above purpose, the invention also provides a domain-based access control system comprising an interception filtering module, an access control judgment module, a domain information library module and a domain information management module, characterized in that:
the interception filtering module is connected to the access control judgment module and is used to intercept and filter the access requests of application programs in the system to data;
the access control judgment module is connected to the interception filtering module and the domain information library module respectively, and is used to judge whether the subject and object domain labels are the same and to determine whether the access is allowed;
the domain information library module is connected to the access control judgment module and the domain information management module respectively, and is used to store the access control policy library;
the domain information management module is connected to the domain information library module and the security log query module respectively, and is used to modify the access control policy library.
Wherein, the access control system also comprises a security log query module, which is connected to the access control judgment module and the domain information management module respectively and is used to store information about dangerous operations that violate the access control policy.
Addressing the problems that currently exist in application security, the domain-based access control method and system of the invention isolate applications from one another by means of domains and establish a virtual secure running environment for each application, so that the applications do not affect one another. Even if an application has a vulnerability, the damage is confined to its own domain and cannot harm the operating system or other applications. Inside each domain, the access permissions of each object are set so that the application's subjects receive only the least privilege needed for normal operation; even if the application has a vulnerability, it cannot perform malicious operations beyond its normal behaviour. The method is highly applicable to, and easy to use with, application systems.
Other features and advantages of the invention are set forth in the description that follows and will in part be apparent from the description or be understood by practising the invention.
Brief description of the drawings
The accompanying drawings provide a further understanding of the invention and form part of the description. Together with the content and embodiments of the invention they serve to explain the invention and do not limit it. In the drawings:
Fig. 1 is a flow chart of the domain-based access control method according to the invention;
Fig. 2 is a block diagram of the domain-based access control system according to the invention.
Detailed description of embodiments
Preferred embodiments of the invention are described below with reference to the drawings. The embodiments described here serve only to illustrate and explain the invention and do not limit it.
Fig. 1 is a flow chart of the domain-based access control method according to the invention. The method is described in detail below with reference to Fig. 1:
First, in step 101, a DBAC policy library is established according to the user's requirements for protecting the system. The security administrator defines a series of domains for the different applications and sets an access permission list, then sets each application's domain label on the subjects and objects of that application in the system, establishing the domain-based access control policy library. When a domain label is set on an object, the access permissions of that object within its domain can also be set, so that a subject in the same domain may perform on the object only the operations that the in-domain permissions allow.
Let:
  • D = Domain: the running environment of an application;
  • S = Subject: a subject in the system (the initiator of an operation);
  • O = Object: an object in the system (the target of an operation);
  • P = Permissions: the operating permissions (which operations S may perform on O);
  • A = Action: the concrete operation that S performs on O in a given operation.
Create a domain to protect the web application, with the domain name web_d. Add the main process of the apache web server to the domain web_d, then add the data that the apache web server needs to access to the web_d domain and set reasonable access permissions.
The following access permissions are set: the object is the web page files of the web application; the access permission is r.
Once the above DBAC domain has been configured, the httpd process has read-only access to the web page files, and other subjects cannot access the web page files.
In step 102, a subject in the system sends an access request containing a concrete operation to an object. This operation is expressed as: A1: S1-O1
The access request contains: the subject (S): user UID + process PID; the object (O): the full name of the object; the operation (A): the requested operation.
In step 103, the access request from the subject to the object is intercepted.
Access requests are intercepted by hooking, in the system call table, the kernel calls that operate on objects.
The purpose of interception is to obtain the data of access requests from subjects to objects in the system and to stop the access operation when necessary.
In step 104, domain label detection is performed on the subject requesting access. If the object has no domain label, the flow goes to step 107; otherwise it continues with the next step.
Domain label detection works as follows: DBAC maintains an access permission list in the system kernel (implemented as an Adelson-Velskii-Landis tree, i.e. an AVL tree), in which each entry represents a subject or object for which a domain has been set. When an intercepted request is received, DBAC uses the subject and object of the request to query this access permission list and, once they are found, compares the labels of the subject and the object.
In step 105, it is judged whether the domain label of the subject is the same as the domain label of the target object. If the labels are the same, the next step is carried out; if they differ, the flow goes to step 108.
In step 106, it is judged whether the concrete operation of the subject's access request is included in the permissions allowed within the target object's domain. If it is, i.e. $[(D_{S1} = D_{O1}) \,\&\, (A_1 \in P_{O1})] \mid (D_{O1} = \mathrm{NULL})$, the next step is carried out; otherwise the flow goes to step 108, i.e. $(D_{S1} \neq D_{O1}) \,\&\, (D_{O1} \neq \mathrm{NULL})$.
In step 107, the operation is allowed and the subject performs the concrete operation on the object.
In step 108, the operation is refused and failure information is sent to the requesting subject.
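The decision procedure of steps 104 to 108 (the same rules as step 4 of the summary), written out as an added example that is not code from the patent. The db_d entries, the file paths, the use of a process name as the subject key (the patent uses UID + PID), the permission bit values and the sorted-array binary search standing in for the kernel AVL tree are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Permission bits for P and A (values are assumptions of this example). */
enum { P_READ = 1, P_WRITE = 2, P_EXEC = 4 };

typedef enum { DBAC_ALLOW = 0, DBAC_DENY = 1 } dbac_verdict;

/* One policy-library entry: a subject or object that carries a domain label. */
typedef struct {
    const char *name;   /* subject: process name (assumed key); object: full path */
    const char *domain; /* domain label D */
    unsigned perms;     /* P: operations allowed inside the domain (objects only) */
} dbac_entry;

/* Constructed sample policy. It must stay sorted by name (strcmp order) because
 * the lookup is a binary search; the patent keeps this list in an AVL tree. */
static const dbac_entry policy[] = {
    { "/var/lib/mysql/data.ibd",  "db_d",  P_READ | P_WRITE },
    { "/var/www/html/index.html", "web_d", P_READ },
    { "httpd",                    "web_d", 0 },
    { "mysqld",                   "db_d",  0 },
};

/* Security log: requests that violated the policy (ring buffer). */
typedef struct { const char *subject, *object; unsigned action; } dbac_denial;
#define DBAC_LOG_MAX 16
static dbac_denial deny_log[DBAC_LOG_MAX];
static size_t deny_count;

static int cmp_name(const void *key, const void *elem)
{
    return strcmp((const char *)key, ((const dbac_entry *)elem)->name);
}

/* Returns the entry of a labelled subject or object, or NULL if it has no label. */
static const dbac_entry *dbac_lookup(const char *name)
{
    return bsearch(name, policy, sizeof policy / sizeof policy[0],
                   sizeof policy[0], cmp_name);
}

/* Step 108: refuse, and record the violation for the administrator. */
static dbac_verdict dbac_deny(const char *s, const char *o, unsigned a)
{
    dbac_denial d = { s, o, a };
    deny_log[deny_count++ % DBAC_LOG_MAX] = d;
    return DBAC_DENY;
}

dbac_verdict dbac_check(const char *subject, const char *object, unsigned action)
{
    const dbac_entry *o = dbac_lookup(object);
    const dbac_entry *s;

    if (o == NULL)                 /* step 104: object has no label -> allow */
        return DBAC_ALLOW;
    s = dbac_lookup(subject);      /* an unlabelled subject never matches */
    if (s == NULL || strcmp(s->domain, o->domain) != 0)
        return dbac_deny(subject, object, action);        /* step 105 */
    if (action == 0 || (action & ~o->perms) != 0)
        return dbac_deny(subject, object, action);        /* step 106: A not in P */
    return DBAC_ALLOW;                                    /* step 107 */
}

int main(void)
{
    static const struct { const char *s, *o; unsigned a; } reqs[] = {
        { "httpd",  "/var/www/html/index.html", P_READ  },
        { "httpd",  "/var/www/html/index.html", P_WRITE },
        { "mysqld", "/var/www/html/index.html", P_READ  },
        { "httpd",  "/tmp/scratch",             P_WRITE },
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-7s %-26s action=%u -> %s\n", reqs[i].s, reqs[i].o, reqs[i].a,
               dbac_check(reqs[i].s, reqs[i].o, reqs[i].a) == DBAC_ALLOW
                   ? "allow" : "deny");
    for (size_t i = 0; i < deny_count && i < DBAC_LOG_MAX; i++)
        printf("log: %s -> %s (action=%u)\n", deny_log[i].subject,
               deny_log[i].object, deny_log[i].action);
    return 0;
}
```

Because step 104 allows every request to an unlabelled object, the protection covers only objects that have been given a domain label; anything left unlabelled is outside the DBAC check.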
Fig. 2 is a block diagram of the domain-based access control system according to the invention. As shown in Fig. 2, the domain-based access control system of the invention comprises an interception filtering module 201, an access control judgment module 202, a domain information library module 203, a security log query module 204 and a domain information management module 205.
The interception filtering module 201 is connected to the access control judgment module 202. It intercepts and filters the access requests of application programs in the system to data and sends the access request information to the access control judgment module 202. It receives the access request response message returned by the access control judgment module 202 and handles the access request according to that message: if the operation of the access request is allowed, the request is processed according to the normal processing flow of the operating system; if the operation is forbidden, failure information is returned to the application that initiated the access request.
The access control judgment module 202 is connected to the interception filtering module 201, the domain information library module 203 and the security log query module 204 respectively. It receives the access request information sent by the interception filtering module 201 and the domain labels and access permission list sent by the domain information library module 203, and judges whether the subject's and the object's domain labels are the same in order to determine whether the access is allowed: if the object has no domain label, the access is allowed; if the subject and object domain labels differ, the access is forbidden; if the subject and object domain labels are the same, the permissions allowed within the domain are used to determine whether the access is allowed. It sends the access request response message to the interception filtering module 201; the response message is either an allow-access response or a deny-access response. Information about dangerous operations that violate the DBAC policy is sent to the security log query module 204.
The domain information library module 203 is connected to the access control judgment module 202 and the domain information management module 205 respectively. It stores the DBAC policy library, which contains the domain division information and the access permission information of the objects in each domain, for example the domain labels and the access permission list. The administrator can modify the domain division information and the access permission information of the objects in each domain through the domain information management module 205.
The security log query module 204 is connected to the access control judgment module 202 and the domain information management module 205 respectively. It stores information about dangerous operations that violate the DBAC policy, which the administrator can query through the domain information management module 205.
The domain information management module 205 is connected to the domain information library module 203 and the security log query module 204 respectively. It gives the administrator an access interface to the whole DBAC system and is used to modify the DBAC policy library information (domain labels and access permission list) in the domain information library module 203 and to query the security logs in the security log query module 204.
The domain-based access control method and system of the invention isolate applications from one another by means of domains and establish a virtual secure running environment for each application, so that the applications do not affect one another. Even if an application has a vulnerability, the damage is confined to its own domain and cannot harm the operating system or other applications. Inside each domain, the access permissions of each object are set so that the application's subjects receive only the least privilege needed for normal operation; even if the application has a vulnerability, it cannot perform malicious operations beyond its normal behaviour. Because the security model is designed around the characteristics of application systems and the security problems that currently exist, it is highly applicable to, and easy to use with, application systems.
Those of ordinary skill in the art will appreciate that the above is merely the preferred embodiments of the invention and does not limit the invention. Although the invention has been described in detail with reference to the foregoing embodiments, a person skilled in the art can still modify the technical solutions recorded in those embodiments or replace some of their technical features with equivalents. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (9)

1. A domain-based access control method, comprising the following steps:
1) according to the user's requirements for protecting the system, defining domains for the different applications, setting an access permission list, setting each application's domain label on the subjects and objects of that application in the system, and establishing a domain-based access control policy library;
2) intercepting access requests from subjects to objects in the system;
3) performing domain label detection on the subject requesting access;
4) judging whether the current operation is allowed; if it is, letting the current request through, otherwise refusing the request.
2. The domain-based access control method according to claim 1, characterized in that setting each application's domain label on an object in step 1) further comprises: setting the access permissions of that object within its domain, so that a subject in the same domain may perform on the object only the operations that the in-domain permissions allow.
3. The domain-based access control method according to claim 1, characterized in that the interception of access requests in step 2) is done by hooking, in the system call table, the kernel calls that operate on objects.
4. The domain-based access control method according to claim 1, characterized in that performing domain label detection on the subject requesting access in step 3) means using the subject and object of the intercepted access request to query the access permission list of the access control policy library and detecting whether the subject and object of the access request have domain labels.
5. The domain-based access control method according to claim 1, characterized in that step 4) further comprises the following steps:
if the requested object has no domain label, allowing the current operation;
if the domain labels of the subject and the object differ, refusing the current operation;
if the domain labels of the subject and the object are the same and the concrete operation is within the permissions allowed in the domain, allowing the current operation; otherwise refusing the current operation.
6. A domain-based access control system comprising an interception filtering module, an access control judgment module, a domain information library module and a domain information management module, characterized in that:
the interception filtering module is connected to the access control judgment module and is used to intercept and filter the access requests of application programs in the system to data;
the access control judgment module is connected to the interception filtering module and the domain information library module respectively, and is used to judge whether the subject and object domain labels are the same and to determine whether the access is allowed;
the domain information library module is connected to the access control judgment module and the domain information management module respectively, and is used to store the access control policy library;
the domain information management module is connected to the domain information library module and is used to modify the access control policy library.
7. The domain-based access control system according to claim 6, characterized in that the access control system also comprises a security log query module, which is connected to the access control judgment module and the domain information management module respectively and is used to store information about dangerous operations that violate the access control policy.
8. The domain-based access control system according to claim 6, characterized in that the interception filtering module hooks, in the system call table, the kernel calls that operate on objects in order to obtain the data of access requests from subjects to objects in the system, and sends the access request information to the access control judgment module; it receives the access request response message sent by the access control judgment module and refuses or allows the subject's access request.
9. The domain-based access control system according to claim 6, characterized in that the access control judgment module receives the access request information sent by the interception filtering module, judges the access of the subject to the target object, and sends the access request response message to the interception filtering module; information about dangerous operations that violate the domain's access control policy is sent to the security log query module.
CN2011104266369A 2011-12-19 2011-12-19 Domain-based access control method and system Pending CN102495988A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011104266369A CN102495988A (en) 2011-12-19 2011-12-19 Domain-based access control method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2011104266369A CN102495988A (en) 2011-12-19 2011-12-19 Domain-based access control method and system

Publications (1)

Publication Number Publication Date
CN102495988A true CN102495988A (en) 2012-06-13

Family

ID=46187813

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2011104266369A Pending CN102495988A (en) 2011-12-19 2011-12-19 Domain-based access control method and system

Country Status (1)

Country Link
CN (1) CN102495988A (en)

CN112953950B (en) * 2021-03-02 2023-04-07 北京明略昭辉科技有限公司 Improved role-based access control method and system
CN112989429A (en) * 2021-05-18 2021-06-18 长扬科技(北京)有限公司 Method and device for controlling forced access
CN112989429B (en) * 2021-05-18 2021-08-17 长扬科技(北京)有限公司 Method and device for controlling forced access
CN113343282A (en) * 2021-07-29 2021-09-03 深圳市永达电子信息股份有限公司 File security monitoring method and system for mandatory access control and storage medium
CN115065529A (en) * 2022-06-13 2022-09-16 北京寰宇天穹信息技术有限公司 Access control method based on credible label fusing host and object key information
CN115065529B (en) * 2022-06-13 2023-11-03 北京寰宇天穹信息技术有限公司 Access control method based on trusted tag fusing key information of host and guest

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20120613