Summary of the invention
The technical problem to be solved by this invention is to provide a double-layer file anti-leakage method and system based on HOOK and a file system filter driver, a method and system that protect file information safely and effectively.
The technical scheme by which the present invention solves the above technical problem is as follows: a double-layer file anti-leakage method based on HOOK and a file system filter driver, comprising the following steps:
S100: the application layer control module sends a host identity authentication request to the server;
S200: the management terminal configures, according to the host identity authentication request of the application layer control module, the encryption policy stored in the server;
S300: the server distributes the encryption policy to the application layer control module;
S400: the application layer control module sends the filtering policy to the HOOK module and to the file system filter driver module respectively, and the HOOK module and the file system filter driver module each perform the following anti-leakage processing according to the filtering policy:
In the HOOK module, HOOK.DLL is loaded into the system's running processes; in the application layer, HOOK is used to intercept all system calls to the clipboard and to monitor data copying at the application layer;
In the file system filter driver module, an IRP dispatch function is registered, and the IRP requests sent by the IO manager to the file system are intercepted and processed according to the filtering policy.
On the basis of the above technical scheme, the present invention can also be improved as follows.
Further, when HOOK is used in the application layer to intercept all system calls to the clipboard, the method by which HOOK intercepts clipboard system calls comprises the following sub-steps:
S101: the application layer control program loads HOOK.DLL into all processes of the system as a global hook, and in HOOK.DLL the system call addresses of the clipboard are replaced with the addresses of custom functions; if a clipboard data copy occurs, go to step S102; if a clipboard data paste occurs, go to step S103;
S102: when a clipboard data copy occurs, judge whether the copying process is in the confidential-process whitelist; if so, set the confidential-process-copy Boolean in the DLL's shared data segment to true by an atomic operation; if not, set it to false by an atomic operation;
S103: when a clipboard data paste occurs, judge whether the pasting process is in the confidential-process whitelist; if the data was copied by a confidential process (the confidential-process-copy field in the DLL's shared data segment is set) and the pasting process is outside the whitelist, the clipboard is emptied; otherwise the corresponding original API that was hooked is called.
Further, the clipboard comprises the standard clipboard and the OLE clipboard; if the paste occurs on the OLE clipboard, the clipboard does not need to be emptied.
Further, inter-process communication uses shared memory, and named kernel objects are used to notify processes of access.
Further, registering an IRP dispatch function in the file system filter driver module, intercepting the IRP requests sent by the IO manager to the file system, and processing them according to the filtering policy comprises the following sub-steps:
S201: when the file system filter driver module intercepts an IRP packet, check whether the IRP packet meets the filter condition; if it does, send it directly to the file system driver; if not, process it according to the IRP packet type as follows: an "open request" goes to step S202, a "read request" to step S203, a "write request" to step S204, a "close request" to step S205, a "cleanup request" to step S206, and a "query request" to step S207;
S202: when processing an "open request", obtain the file stream context:
If the file is not being opened for the first time, increment the reference count and forward the IRP to the lower-level driver; otherwise construct a read-request IRP packet, read the file's encryption marker in a non-reentrant manner, determine whether it is an encrypted file, and set the file stream context: an encrypted file is set to decrypt-on-read and encrypt-on-write, and is marked as in the encrypted state;
If the file is being opened for the first time, it is set to encrypt-on-write; a plaintext file is set to the not-modified state and to the unencrypted state;
S203: when processing a "read request", if it is a buffered read request, or the file stream context does not have decrypt-on-read set, forward it directly to the lower-level driver; otherwise allocate new memory and exchange it with the user buffer supplied by the IRP packet; after the read completes, decrypt the contents of the allocated buffer, copy them into the original buffer, and complete the IRP toward the upper layer;
S204: when processing a "write request", if it is a buffered write request, forward it directly to the lower-level driver; if it is a write request to a non-new, unencrypted file, set the modified state and forward it to the lower-level driver; otherwise copy the data from the user buffer supplied by the IRP into newly allocated memory, encrypt the buffer data and send it to the lower-level driver; after the lower-level driver completes the IRP, set the decrypt-on-read state and the data-written state, and complete the IRP toward the upper layer;
S205: when processing a "close request":
If the file reference count is not 0, send the IRP to the lower-level driver;
If the file reference count is 0, judge whether decrypt-on-read is set: if it is, write the encryption marker to the file; if it is not, read the file in segments, encrypt and write it back, and finally write the encryption marker; finally complete the IRP toward the upper layer;
S206: when processing a "cleanup request", clear the file cache;
S207: when processing a "query request", the file size is the valid data length excluding the encryption marker, and the corresponding sub-request is completed according to that file size.
Further, the filter condition in step S201 is: the file has no write permission, there is no volume context, the file stream context does not exist, the current operation is on a directory file, or the current process and file type are not in the confidential-process whitelist.
The beneficial effect of the double-layer file anti-leakage method based on HOOK and a file system filter driver of the present invention is: in this technical scheme, file information is protected twice, at the application layer and at the driver layer, so that each layer covers the leakage gaps that the other alone might leave; it is safe, stable and reliable, requires no extra hardware or software support, and its cost is very low, so it is suitable for general adoption by individuals as well as by enterprises and institutions.
Based on the above method, the present invention also provides a transparent encryption and decryption anti-leakage system, which is a double-layer file anti-leakage system based on HOOK and a file system filter driver.
A double-layer file anti-leakage system based on HOOK and a file system filter driver comprises a server, a management terminal, an application layer control module located at the application layer, a HOOK module located at the application layer, and a file system filter driver module located at the driver layer;
The server provides authentication and distributes the encryption policy;
The management terminal configures the encryption policy stored in the server;
The application layer control module collects the encryption policy from the server and sends it to the HOOK module and the file system filter driver module;
The HOOK module monitors the clipboard according to the encryption policy passed from the policy module and prevents confidential processes from copying data to non-confidential processes;
The file system filter driver module intercepts, according to the encryption policy passed from the policy module, the IRPs sent to the file system driver, and completes the automatic encryption and decryption of file read and write content.
Further, the file system filter driver module uses the RC4 algorithm to encrypt file read and write content; according to the read/write length and offset value it keeps the data byte-aligned and encrypts the data content dynamically.
Further, the double-layer file anti-leakage system based on HOOK and a file system filter driver is based on the Windows platform.
Further, the policy acquisition module writes the policy information into a shared-memory buffer according to rules and synchronizes the shared-memory buffer with a mutex; the HOOK module reads the policy information from this buffer, and the file system filter driver communicates with the application layer through a communication port.
The beneficial effect of the double-layer file anti-leakage system based on HOOK and a file system filter driver of the present invention is: the technical scheme provides a safe and stable anti-leakage system that blocks the leakage outlets at both the driver layer and the application layer, so that file security is guaranteed.
Embodiment
The principles and features of the present invention are described below with reference to the accompanying drawings; the examples serve only to explain the present invention and are not intended to limit its scope.
In a double-layer file anti-leakage method based on HOOK and a file system filter driver, the application layer control module first sends a request (the host identity authentication) to the server; the management terminal then configures, according to the host identity authentication request of the application layer control module, the encryption policy stored in the server; the server then issues the information (here mainly the encryption policy) to the application layer control module; finally the application layer control module sends the policy to the HOOK module and the driver module, and the HOOK module and the file system filter driver module each perform the following anti-leakage processing according to the filtering policy: in the HOOK module, HOOK.DLL is loaded into the system's running processes, and in the application layer HOOK is used to intercept all system calls to the clipboard and to monitor data copying at the application layer; in the file system filter driver module, an IRP dispatch function is registered, the IRP requests sent by the IO manager to the file system are intercepted, and they are processed according to the filtering policy. Note that the HOOK module and the driver module are loaded and started by the application layer control module but run inside system processes; when no encryption policy has been delivered they still perform filtering (the filtering policy is simply empty), and no files are encrypted.
In HOOK module:
The HOOK.DLL dynamic library is loaded into the system's running processes by hook injection, intercepts all system calls to the clipboard (including both the standard clipboard and the OLE clipboard), and monitors data copying at the application layer. The method by which HOOK intercepts clipboard system calls is: the application layer control program loads HOOK.DLL into all processes of the system as a global hook, and in HOOK.DLL the clipboard system call addresses are replaced with the addresses of custom functions. If a clipboard data copy occurs, judge whether the copying process is in the confidential-process whitelist; if so, set the confidential-process-copy Boolean in the DLL's shared data segment to true by an atomic operation, otherwise set it to false by an atomic operation. If a clipboard data paste occurs, judge whether the pasting process is in the confidential-process whitelist; if the data was copied by a confidential process (the confidential-process-copy field in the DLL's shared data segment is set) and the pasting process is outside the whitelist, the clipboard is emptied; otherwise the corresponding hooked original API is called; if the paste occurs on the OLE clipboard, the clipboard need not be emptied. For the case where data is copied to the clipboard and pasted out, the present invention uses API HOOK at the application layer: the APIs that a clipboard action must call are replaced with the program's custom functions, which intercept the specified APIs and thereby monitor the clipboard. The functions hooked in this embodiment are SetClipboardData, OleSetClipboard, GetClipboardData and OleGetClipboard; the first two are the APIs a copy must call, and the last two are the APIs a paste must call. Copying data through the clipboard can occur in four situations: confidential process to non-confidential process, non-confidential process to non-confidential process, non-confidential process to confidential process, and confidential process to confidential process. Only the copying of data from a confidential process to a non-confidential process is forbidden; the other situations are allowed. When HOOK.DLL loads, it first reads the policy information from shared memory to decide whether the current process is a confidential process and sets the global variable g_bClassifyPs accordingly; the shared variable g_bCopyByClassifyPs in HOOK.DLL records whether the copying process was a confidential process, and this variable is manipulated atomically by calling InterlockedExchange. When a paste operation occurs, g_bClassifyPs and g_bCopyByClassifyPs are used to judge whether data is being copied from a confidential process to a non-confidential process; if so, the EmptyClipboard function is called to empty the clipboard contents, otherwise nothing is done. The HOOK function corresponding to OleGetClipboard does not clear the clipboard.
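The clipboard policy described in steps S101 to S103 and in the HOOK module embodiment above can be modelled in portable C. The following block is an added example, not the patent's HOOK.DLL code: the real hooks replace SetClipboardData / GetClipboardData / OleSetClipboard / OleGetClipboard inside every process, whereas here the "hooked" functions are ordinary functions acting on a simulated clipboard, C11 atomic_exchange stands in for InterlockedExchange, and the process names and whitelist are constructed sample data.

```c
/* Added example: a portable model of the HOOK.DLL clipboard decision logic.
 * Not the patent's code; process names and the whitelist are constructed. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Confidential-process whitelist as read from the policy (constructed). */
static const char *g_whitelist[] = { "notepad.exe", "winword.exe" };

/* Simulated clipboard contents; an empty string means "emptied". */
static char g_clipboard[256] = "";

/* Plays the role of g_bCopyByClassifyPs in the DLL's shared data segment:
 * true when the most recent copy came from a confidential process. */
static atomic_bool g_bCopyByClassifyPs = false;

/* Plays the role of g_bClassifyPs: is this process in the whitelist? */
bool is_classified_process(const char *proc)
{
    for (size_t i = 0; i < sizeof g_whitelist / sizeof *g_whitelist; i++)
        if (strcmp(proc, g_whitelist[i]) == 0)
            return true;
    return false;
}

/* Replacement for the copy APIs (SetClipboardData / OleSetClipboard):
 * record atomically who copied, then call through to the "original". */
void hooked_SetClipboardData(const char *proc, const char *data)
{
    atomic_exchange(&g_bCopyByClassifyPs, is_classified_process(proc));
    snprintf(g_clipboard, sizeof g_clipboard, "%s", data);
}

/* Replacement for the paste APIs.  ole == true models OleGetClipboard,
 * whose hook never empties the clipboard.  Returns what the paster sees. */
const char *hooked_GetClipboardData(const char *proc, bool ole)
{
    bool copied_by_classified = atomic_load(&g_bCopyByClassifyPs);
    if (!ole && copied_by_classified && !is_classified_process(proc))
        g_clipboard[0] = '\0';   /* EmptyClipboard(): confidential -> non-confidential */
    return g_clipboard;           /* all other cases: call the original API */
}

int main(void)
{
    hooked_SetClipboardData("winword.exe", "classified paragraph");
    printf("paste into chrome.exe  -> \"%s\"\n", hooked_GetClipboardData("chrome.exe", false));
    hooked_SetClipboardData("winword.exe", "classified paragraph");
    printf("paste into notepad.exe -> \"%s\"\n", hooked_GetClipboardData("notepad.exe", false));
    return 0;
}
```

The model makes the four-case matrix from the text explicit: only the confidential-to-non-confidential paste empties the clipboard, and the OLE paste path is exempt. A practitioner checking such a hook would also verify that the flag update and the paste check are both atomic, because the copying and pasting processes run concurrently and share the flag through the DLL data segment.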
In filter Driver on FSD module:
An IRP dispatch function is registered in the filter driver, and the IRP requests sent by the IO manager to the file system are intercepted and processed according to the filtering policy. The detailed procedure is: when the file system filter driver intercepts an IRP packet, it checks whether the packet meets the filter condition; if it does, the packet is sent directly to the file system driver; if not, the packet is processed according to its IRP type as an open request, read request, write request, close request, cleanup request or query request.
Open request: obtain the file stream context; if the file is not being opened for the first time, increment the reference count and forward the IRP to the lower-level driver. Otherwise construct a read-request IRP that reads the file's encryption marker in a non-reentrant manner, judge whether the file is encrypted, and set the file stream context: an encrypted file is set to decrypt-on-read and encrypt-on-write and marked encrypted; a new file is set to encrypt-on-write; a plaintext file is set to the not-modified state and marked unencrypted. When processing an "open request", the corresponding pre-operation routine is called first. In that routine, FltGetVolumeContext is called to judge whether the volume device object is a bound volume device, then directories or devices are filtered by file name, for which FltGetFileNameInformation can be called to obtain the file name information. Next it is judged whether the current process is in the confidential-process whitelist; if it is not, the IRP is filtered out. Filtering an IRP means that the file IRP arriving at this volume device object is not encrypted or decrypted but sent directly to the lower-level driver. After filtering, a file stream context is allocated for the current file; if one was allocated before, the reference count in the file stream context is incremented, and the file stream context information is set according to whether the file is plaintext, ciphertext or a new file. Plaintext and ciphertext are distinguished by manually constructing an IRP with IoAllocateIrp, sending the request directly to the file system driver to read the file's encryption marker, and comparing the GUID in the encryption marker with the encryption GUID; if they are the same, the file is an encrypted file.
Read request: if it is a buffered read request, or the file stream context does not have decrypt-on-read set, forward it directly to the lower-level driver; otherwise allocate new memory and exchange it with the user buffer supplied by the IRP; after the read completes, decrypt the contents of the allocated buffer, copy them into the original buffer, and complete the IRP toward the upper layer. When processing a "read request", the pre-operation function registered with the minifilter driver is called first, as shown in Figure 1: the volume context of the operation is obtained from the filter objects to see whether it is a context that needs encryption, and if not the IRP is passed directly to the lower-level driver; then the file stream context is obtained from the callback data structure (the counterpart of the IRP in the legacy filter model), and the callback data structure and the related parameters in the stream context are used to judge whether this IRP needs filtering. Because the buffer that the minifilter obtains from the file system is read-only and cannot be decrypted in place, the driver must allocate its own buffer with write access to replace the original buffer; it then sets the post-operation callback context and continues to pass the IO request down, so that the registered post-operation function is called. On entering the post-operation routine, note that the filter manager has already converted the buffer automatically: the data the user wants to read is in the MDL buffer the driver supplied, so the exchanged buffer is decrypted directly, as many bytes as were read, which yields the plaintext to be returned; finally the plaintext in the exchanged buffer is copied directly into the original user buffer and the IRP request continues to be passed along.
Write request: if it is a buffered write request, forward it directly to the lower-level driver; if it is a write to a non-new, unencrypted file, set the modified state and forward it to the lower-level driver. Otherwise copy the data from the user buffer supplied by the IRP into newly allocated memory, encrypt the buffer data and send it to the lower-level driver; after the lower-level driver completes the IRP, set the decrypt-on-read state and the data-written state, and complete the IRP toward the upper layer. When processing a "write request", the filter manager first calls the previously registered pre-operation routine, as shown in Figure 2; the related parameters are likewise obtained from the PFLT_CALLBACK_DATA and PCFLT_RELATED_OBJECTS callback structures, and ineligible IRPs are filtered out and passed directly to the lower-level driver. This routine treats modify-then-encrypt specially: if an unencrypted file that meets the other conditions is modified, the modified flag in the stream context is set and the file is handled separately in IRP_MJ_CLOSE; data written to new files and to encrypted files is encrypted. The encryption of a write request is fairly simple: after an MDL buffer is allocated in the same way, the data in the user buffer is copied into the new buffer and encrypted there, and the request is passed directly to the lower-level driver, so the encrypted data is what gets written to the disk file; the allocated buffer and related context are released in post-processing.
Close request: if the file reference count is not 0, send the IRP to the lower-level driver; otherwise judge whether decrypt-on-read is set: if it is, write the encryption marker to the file; if not, read the file in segments, encrypt and write it back, and finally write the encryption marker. Lastly complete the IRP toward the upper layer. In processing a "close request", after the corresponding filter operations are done on the IRP, the main work is handling encrypted files and files that are new or have had data written; for these two kinds of files the data was already encrypted when the write requests were processed, so only the encryption marker needs to be written at the end. The last kind is an unencrypted plaintext file whose data has been modified; such a file was not encrypted at write time, so the driver must construct IRP packets itself to obtain the file content in a non-reentrant manner and encrypt it. The length read here is aligned to the sector size and read in a loop; write-request IRP packets are then constructed to write the encrypted data into the file, and finally the encryption marker is written. Together with the encryption marker, a hash value of the encryption key is written, so that the management terminal's decryption exit can query the decryption key from the database by this hash, to inspect documents encrypted earlier or to manage outgoing documents.
Cleanup request: clear the file cache.
Query request: when processing a query request, the file size is the valid data length excluding the encryption marker, and the corresponding sub-request is completed according to that file size.
Here the filter condition is: the file has no write permission, there is no volume context, the file stream context does not exist, the current operation is on a directory file, or the current process and file type are not in the confidential-process whitelist. In the scheme where the IRP dispatch function is registered in the filter driver and the IRP requests sent by the IO manager to the file system are intercepted and processed according to the filtering rules, a plaintext file is encrypted by constructing a read IRP whose read length is sector-aligned, encrypting the content read, and then constructing a write IRP to write the encrypted data into the file, so as to avoid IRP reentry. In the same technical scheme, the confidential-process whitelist is stored in a singly linked list whose entries contain the confidential process name and the file filter suffix. Inter-process communication uses shared memory, and named kernel objects are used to notify processes of access.
The application layer control module sends the filtering policy to the first-layer file anti-leakage application layer HOOK.DLL hook program and to the second-layer file anti-leakage filter driver program, realizing double filtering at the application layer and the driver layer.
The working principle of the HOOK in the application layer HOOK.DLL hook program and of the fileflt in the filter driver program is shown in Figure 3. Once HOOK.DLL is injected into a system process it can intercept the specified APIs; for example, traditional hook-based transparent encryption intercepts file operation functions such as CreateFile and ReadFile, which are APIs provided by the operating system's kernel32.dll library. The present invention does not intercept those APIs; it only needs to intercept the clipboard-related functions such as GetClipboardData. After interception the hook makes some modifications and then calls the replaced API, which continues the call downward; ntdll.dll is the core API library closest to kernel mode, and once the call reaches the kernel layer the IO manager constructs the corresponding IRP packet and delivers it to the specified driver. For a file operation, for instance, the corresponding file IRP is constructed and passed to the file system driver (more precisely, to the file system driver's device object); because the file system filter driver has created a filter device object bound on top of the file system driver's device object (at the top of the device stack), the driver corresponding to the filter device object processes this IRP first, which achieves IRP interception. Within a driver, IRPs are passed downward to the lower-level driver and the completion status returned by the lower-level driver is passed upward. When an IRP completes and returns there are synchronous and asynchronous cases (distinct from the case where the IRP is no longer passed downward): some IRPs return their status synchronously to the upper layer directly after completion and need no further processing once the lower-level driver has finished, whereas in the asynchronous case the driver regains control of the IRP after the lower-level driver has finished and performs some post-completion processing;
for example, a read request needs its data decrypted after the lower-level driver has read it, while a write request needs no post-processing. In the minifilter driver of the present invention the completion routine is called post-processing. The disk driver is a lower-level driver mainly responsible for read and write operations on the physical disk. At the macro level, Figure 3 shows that a file system filter driver is added above the file system driver of the user host's Windows operating system and combined with application layer HOOK technology; the application program's API calls at the application layer and its IRP packets at the driver layer are both intercepted, protecting private file information with double protection; at the same time the user-space control module can manually generate a policy and send it to both the driver and the HOOK module, achieving flexible transparent protection of files.
The core IRP filtering and buffer exchange of the present invention are handled as follows:
After the IRP packet is obtained in the pre-operation routine, the IRP information is checked; if the IRP is one that the file system filter driver needs to filter out, it is sent directly to the lower-level driver. The filter conditions are as follows:
(1) call the kernel routine FltGetVolumeContext to judge whether the volume device that received the IRP is a bound encrypted volume device; if not, filter it out;
(2) call the kernel routine FltGetStreamContext to judge whether the file stream context exists; if not, filter it out;
(3) judge whether the current process is in the confidential-process whitelist; if not, filter it out; the current process can be obtained by calling the macro PsGetCurrentProcess;
(4) call the kernel macro FLT_IS_FASTIO_OPERATION to judge whether this is a fast IO operation; if so, filter it out;
(5) judge from the IRP flags whether the IRP is a buffered request; if so, filter it out;
(6) judge from the file stream context whether the current file is a plaintext file; if so, filter it out;
(7) judge whether the file read length is 0; if so, filter it out, otherwise align it to the sector size.
Because the read/write buffer supplied by the IRP has no write permission, a read/write IRP needs a kernel buffer to be allocated and exchanged with it. The exchange steps for a read request are as follows:
1) call ExAllocatePoolWithTag to allocate a non-paged pool block newBuf;
2) call IoAllocateMdl to allocate a memory descriptor for newBuf, and use MmBuildMdlForNonPagedPool to build the memory descriptor newMdl;
3) call ExAllocateFromNPagedLookasideList to allocate a fixed-size memory block p2pCtx from the kernel lookaside list; this is the callback structure passed to the post-operation routine. Then set the read buffer and MDL in the IRP to newBuf and newMdl, call FltSetCallbackDataDirty to notify that the callback data has been modified, save newBuf in the SwappedBuffer field of p2pCtx, and send the IRP to the lower-level driver;
4) in the post-operation routine, the modified buffer has been exchanged automatically; read the data from p2pCtx->SwappedBuffer and decrypt it, obtain the IRP's original buffer origBuf, copy the decrypted data into origBuf, and notify the upper-level driver that the request is complete.
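The data path described across the open, read, write, close and query handling above, the RC4-at-offset encryption of the system claims, and the buffer-exchange steps just listed can be modelled together in user-space C. The following block is an added example and not the patent's driver code: a byte array stands in for the disk and the lower-level driver, the RC4 keystream is positioned by the byte offset so that any read/write range can be processed, read lengths are rounded up to the sector size, and the encryption marker (the encryption GUID plus a hash of the key) is stored as a trailer behind the data. The trailer layout, the GUID, the key and the FNV-1a hash used for the key hash are all assumptions of this example.

```c
/* Added example: user-space model of the filter driver's encrypt-on-write /
 * decrypt-on-read path with buffer exchange.  Not the patent's code; the
 * GUID, key, hash and trailer layout are constructed assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SECTOR   512
#define MAX_FILE 8192

static const uint8_t ENC_GUID[16] = { 0x5a,0x1c,0x33,0x7e,0x9b,0x04,0x4d,0x12,
                                      0x8e,0x6f,0x2a,0xc1,0x55,0x90,0xd3,0x07 };
static const uint8_t KEY[] = "example-rc4-key";      /* constructed key */

struct enc_tag { uint8_t guid[16]; uint64_t key_hash; };   /* encryption marker */

static uint8_t disk[MAX_FILE + sizeof(struct enc_tag)];   /* simulated file on disk */
static size_t  disk_len;

/* FNV-1a stands in for the key hash written beside the marker. */
uint64_t key_hash(const uint8_t *k, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= k[i]; h *= 1099511628211ULL; }
    return h;
}

/* RC4 keystream XOR starting at stream position `off`: run the KSA, then
 * discard `off` keystream bytes so the cipher stays aligned to file offsets. */
void rc4_xor(const uint8_t *k, size_t klen, uint64_t off, uint8_t *buf, size_t n)
{
    uint8_t S[256]; unsigned i, j = 0;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + k[i % klen]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    i = j = 0;
    for (uint64_t p = 0; p < off + n; p++) {
        i = (i + 1) & 0xff; j = (j + S[i]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
        if (p >= off) buf[p - off] ^= S[(S[i] + S[j]) & 0xff];
    }
}

size_t align_sector(size_t n) { return (n + SECTOR - 1) / SECTOR * SECTOR; }

/* Open request: the file is encrypted if the trailer GUID equals ENC_GUID. */
int is_encrypted_file(void)
{
    return disk_len >= sizeof(struct enc_tag) &&
           memcmp(disk + disk_len - sizeof(struct enc_tag), ENC_GUID, 16) == 0;
}

/* Query request: valid data length excludes the encryption marker. */
size_t query_size(void)
{
    return is_encrypted_file() ? disk_len - sizeof(struct enc_tag) : disk_len;
}

/* Write request: copy the user buffer into a new buffer, encrypt it there,
 * and hand only ciphertext to the "lower driver" (the disk array). */
void write_request(size_t off, const uint8_t *user, size_t n)
{
    if (off + n > MAX_FILE) return;
    uint8_t *newBuf = malloc(n);
    memcpy(newBuf, user, n);
    rc4_xor(KEY, sizeof KEY - 1, off, newBuf, n);
    memcpy(disk + off, newBuf, n);
    if (off + n > disk_len) disk_len = off + n;
    free(newBuf);
}

/* Read request with buffer exchange: origBuf is treated as read-only, so a
 * sector-aligned newBuf receives ciphertext from the lower driver, is
 * decrypted in place, and the plaintext is copied back into origBuf. */
size_t read_request(size_t off, uint8_t *origBuf, size_t n)
{
    size_t logical = query_size();
    size_t want = align_sector(n), avail = logical > off ? logical - off : 0;
    size_t got = want < avail ? want : avail;
    uint8_t *newBuf = calloc(want, 1);                 /* ExAllocatePoolWithTag */
    memcpy(newBuf, disk + off, got);                   /* lower driver fills newBuf */
    rc4_xor(KEY, sizeof KEY - 1, off, newBuf, got);    /* decrypt-on-read */
    size_t ret = got < n ? got : n;
    memcpy(origBuf, newBuf, ret);                      /* copy into origBuf */
    free(newBuf);
    return ret;
}

/* Close request with reference count 0: append the encryption marker. */
void close_request(void)
{
    struct enc_tag tag;
    memcpy(tag.guid, ENC_GUID, 16);
    tag.key_hash = key_hash(KEY, sizeof KEY - 1);
    memcpy(disk + disk_len, &tag, sizeof tag);
    disk_len += sizeof tag;
}
```

Two design points are worth noting when reviewing a scheme of this shape. First, the query-size adjustment must be applied consistently to every path that reports or bounds file length, otherwise a read past the logical end would decrypt the marker bytes as if they were data. Second, because a stream cipher positioned purely by file offset produces the same keystream every time a given offset is rewritten, two versions of the same region encrypted under the same key reveal the XOR of their plaintexts to anyone holding both ciphertexts; a per-file nonce mixed into the key, or an authenticated mode, removes that property.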
Based on the above method, the present invention also provides a transparent encryption and decryption anti-leakage system, which is a double-layer file anti-leakage system based on HOOK and a file system filter driver.
A double-layer file anti-leakage system based on HOOK and a file system filter driver, as shown in Figure 4, mainly comprises three sub-modules: the HOOK module at the application layer, the file system filter driver module at the driver layer, and the policy acquisition module at the application layer. At the same time, to make this modular design suitable as an internal anti-leakage system for enterprises and institutions, a management terminal (Manager) and a server (Server) are added. The management terminal configures and stores the encryption policy; besides configuring and storing the encryption policy, it provides policy and certificate management between groups and also provides the file decryption exit function. The server stores the information of each host in the subnet and provides authentication and encryption-policy distribution for the policy acquisition module; as the communication middleware program, it is responsible for storing the information of each host in the subnet and for authenticating clients and distributing encryption policies to them. The policy acquisition module collects the encryption policy and sends the policy information to the HOOK module and the file system filter driver module. The HOOK module monitors the clipboard according to the encryption policy passed from the policy module and prevents confidential processes from copying data to non-confidential processes. The file system filter driver module intercepts, according to the encryption policy passed from the policy module, the IRPs sent to the file system driver, and completes the automatic encryption and decryption of file read and write content.
The present invention is a file transparent encryption and decryption system based on the Windows platform, and an embodiment is described below:
Experiment one:
(1) Experimental design
The PC configuration is: CPU Core i5-2450M, 2600MHz (26x100), 4GB memory, Windows XP SP3 operating system. The client host has the Fileflt driver installed; the server does not need to load the driver program; the management terminal, after setting up the grouping and the corresponding policy (in the experiment notepad, Office Word, Office Excel and Office PPT are set as trusted processes and added to the confidential-process whitelist), distributes the named policy to the group members and starts the server process. The client process exports the certificate file of its own host from the management terminal (the client host may be authenticated offline or online; the offline type exports an offline data package and does not need the server). The experiment uses online authentication to import the certificate and run the client. The experiment tests the system's realizability and leak protection, covering forced encryption of txt and Office documents, modify-and-encrypt, save-as, copy-and-paste situations that may leak, and the decryption exit function.
(2) Experimental results and assessment
Experiment one: start the client program and perform the following tests on notepad and Office documents respectively:
1. create a new file, write data and save it with a conventional suffix;
2. create a new file, write data and save it as .dat (or another unconventional suffix);
3. open an encrypted file, save it, and check that it still opens normally;
4. modify an unencrypted file, save it and reopen it;
5. open an unencrypted file and close it directly without modifying it;
6. after opening a file, copy data into a browser and into other confidential processes respectively and observe whether normal copying occurs;
7. copy an encrypted file to the management terminal and use the management terminal's decryption exit to inspect the decrypted file.
After the first round of tests, the test files were written out to obtain one set of results; Table 1 shows the test results for confidential processes in the first round. The effect for notepad and the Office suite is identical, and the system's support for notepad and Office software is stable. According to the results in Table 1, new files and modified plaintext files are forcibly encrypted, encrypted files can be accessed normally, and a plaintext file that is only viewed and not modified is not forcibly encrypted; the test results are stable. At the same time, result 6 shows that a trusted process cannot copy data to an untrusted process while copying in the other situations is unrestricted, which effectively prevents clipboard data from being copied out. Result 7 shows that the management terminal can decrypt an encrypted file normally without loading the driver.
Table 1: File transparent encryption state with the driver loaded
Experiment two:
The open time for files of different sizes is analysed using txt files as the example. Table 2 is the performance analysis of file opening. The system was tested for the open time of files of different sizes; the test program uses txt files as the example and measured the read time for files from 5MB to 30MB, and the test data are shown in Table 2. The analysis shows that the transparent encryption driver has no significant effect on file reading, and that files up to 20MB incur a processing overhead of only about 30ms, which does not affect the user.
Table 2: Open time performance tests for files of different sizes
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.