CN103605930B - Dual-layer file leak-prevention method and system based on HOOK and a filter driver - Google Patents


Info

Publication number
CN103605930B
Authority
CN
China
Prior art keywords
file
hook
irp
module
application layer
Application number
CN201310617088.7A
Other languages
Chinese (zh)
Other versions
CN103605930A
Inventor
陈世强
金恺
邵楚育
Original Assignee
湖北民族学院
Application filed by 湖北民族学院
Priority to CN201310617088.7A
Publication of CN103605930A
Application granted
Publication of CN103605930B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

The present invention relates to a dual-layer file leak-prevention method based on HOOK and a filter driver. An application-layer control module sends a filtering policy to a HOOK module and to a file system filter driver module, and each module performs the following leak-prevention processing according to that policy. In the HOOK module, HOOK.DLL is loaded into the processes running in the system, HOOK interception is applied in the application layer to all system calls that access the clipboard, and application-layer data copying is monitored. In the file system filter driver module, IRP dispatch functions are registered, the IRP requests sent by the I/O manager to the file system are intercepted, and they are processed according to the filtering policy. The method protects file information twice, in the application layer and in the driver layer, so that each layer covers the leak paths the other alone might leave open; it is safe, stable and reliable, needs no additional hardware or software support, and has a very low cost, so it is suitable for general adoption by individuals as well as by enterprises and institutions.

Description

Dual-layer file leak-prevention method and system based on HOOK and a filter driver

Technical field

The present invention relates to a method and transparent protection system by which computer file encryption prevents leaks, and specifically to a dual-layer file leak-prevention method and system based on HOOK and a filter driver.

Background technology

In the information security field, document protection has always been a research focus, and document transparent encryption in particular: its aim is to encrypt and decrypt documents automatically without changing the user's working habits. Building a stable, efficient and secure document protection system is a hard problem, yet such systems are widely used in network security and information protection. The difficulty lies not only in transparent protection but, more importantly, in preventing documents from leaking. At present there are two main approaches to transparent document protection at home and abroad: HOOK technology based on API interception, and driver technology based on IRP interception. Because HOOK technology is implemented in the application layer it is inefficient, and it makes it easy for a plaintext copy of a file to be carried out by way of file re-entry. Driver technology can in turn be divided into the plaintext-cache and double-cache techniques. The plaintext-cache technique is less efficient than the double-cache technique, but at present the double-cache technique exists only in theoretical research and its stability and practicality are hard to guarantee; for example, the double-cache technique based on a layered file system (LayerFSD) suffers from file cleanup and cache synchronization difficulties. The plaintext-cache technique is by comparison more stable and reliable, many domestic commercial applications adopt it, and the present invention also adopts the plaintext-cache scheme. Transparent protection of files alone is not enough, however; it can lose its meaning and affect system efficiency. A secure and stable leak-prevention system should consider the leak scenarios that can arise both in the driver layer and in the application layer and block those outlets, putting file security first and preventing important data from leaking as far as possible, because for an enterprise and an individual alike the consequences of a confidential information leak are very serious.

Current research achievements at home and abroad are mainly implemented for the Windows file system; even some that are said to use double-cache technology are implemented at a high cost, can only be research systems, and their stability and practicality are hard to guarantee. Schemes that implement transparent encryption under Linux require modifying and recompiling the Linux file system kernel source code, and are unsuitable for mainstream operating systems. Most schemes implemented with a Windows file system filter driver reduce the strength of document protection: they emphasize transparent protection and fail to consider actual leak problems accurately, such as process-name modification during transparent protection, plaintext files left unencrypted, save-as to a different suffix, or data copying. Some schemes block some of these paths to a greater or lesser extent, but it is hard to be comprehensive and completely safe. To date there has been no efficient, economical, safe and stable transparent document leak-prevention scheme suited to current mainstream operating systems.

Summary of the invention

The technical problem to be solved by the present invention is to provide a dual-layer file leak-prevention method and system based on HOOK and a filter driver that can protect file information safely and effectively.

The technical scheme by which the present invention solves the above technical problem is as follows. A dual-layer file leak-prevention method based on HOOK and a filter driver comprises the following steps:

S100: the application-layer control module sends a host identity authentication request to the server;

S200: the management terminal configures and stores the encryption policy on the server according to the host identity authentication request from the application-layer control module;

S300: the server distributes the encryption policy to the application-layer control module;

S400: the application-layer control module sends the filtering policy to the HOOK module and to the file system filter driver module respectively, and each module performs the following leak-prevention processing according to the filtering policy:

In the HOOK module, HOOK.DLL is loaded into the processes running in the system, HOOK interception is applied in the application layer to all system calls that access the clipboard, and application-layer data copying is monitored;

In the file system filter driver module, IRP dispatch functions are registered, the IRP requests sent by the I/O manager to the file system are intercepted, and they are processed according to the filtering policy;

The method by which HOOK interception captures the clipboard system calls in the application layer comprises the following sub-steps:

S101: the application-layer control program loads HOOK.DLL into every process in the system as a global hook, and within HOOK.DLL the addresses of the clipboard system calls are replaced with the addresses of custom functions; if a clipboard copy occurs, go to step S102; if a clipboard paste occurs, go to step S103;

S102: when a clipboard copy occurs, determine whether the copying process is in the classified-process white list; if so, set the classified-process-copied-data Boolean in the shared data segment of the DLL to true by an atomic operation; if not, set it to false by an atomic operation;

S103: when a clipboard paste occurs, determine whether the pasting process is in the classified-process white list; if the pasting process is in the classified-process white list and the classified-process-copied field in the shared segment of the DLL is false, empty the clipboard; otherwise call the corresponding API that was hooked.

On the basis of the above technical scheme, the present invention can also be improved as follows.

Further, the clipboard comprises the standard clipboard and the OLE clipboard; if the paste occurs on the OLE clipboard, the clipboard need not be emptied.

Further, communication between processes uses shared memory, and named kernel objects are used to notify processes of access.

Further, registering IRP dispatch functions in the file system filter driver module, intercepting the IRP requests sent by the I/O manager to the file system, and processing them according to the filtering policy comprises the following sub-steps:

S201: when the file system filter driver module intercepts an IRP packet, it checks whether the IRP packet meets the filter condition; if it does, the packet is sent directly to the file system driver; if it does not, processing proceeds according to the IRP packet type: an "open request" goes to step S202, a "read request" to step S203, a "write request" to step S204, a "close request" to step S205, a "cleanup request" to step S206, and a "query request" to step S207;

S202: when processing an "open request", obtain the file stream context:

If the file is not being opened for the first time, increment the reference count and pass the request down to the lower-level driver; then construct a read request IRP that reads the file's encryption marker in a non-reentrant manner, determine whether the file is an encrypted file, and set the file stream context; if it is an encrypted file, set it to decrypt on read and encrypt on write, and mark it as encrypted;

If the file is being opened for the first time, set it to encrypt on write, mark the plaintext file as unmodified, and mark it as unencrypted;

S203: when processing a "read request", if it is a buffered read request or the file stream context is not set to decrypt on read, send it directly to the lower-level driver; otherwise allocate new memory and swap it with the user buffer supplied by the IRP, and once the read has completed, decrypt the contents of the allocated buffer, copy them back to the original buffer, and complete the IRP to the upper layer;

S204: when processing a "write request", if it is a buffered write request, send it directly to the lower-level driver; if it is a write request to a non-new, unencrypted file, set the modified state and pass it down to the lower-level driver; otherwise copy the data in the user buffer supplied by the IRP into newly allocated memory, encrypt the buffer contents, send the request to the lower-level driver, and after the lower-level driver has completed the IRP, set the decrypt-on-read state and the data-written state and complete the IRP to the upper layer;

S205: when processing a "close request":

If the file reference count is not 0, send the IRP to the lower-level driver;

If the file reference count is 0, determine whether the file is set to decrypt on read; if so, write the encryption marker to the file; if not, read the file in segments, encrypt them, write them back, and finally write the encryption marker; then complete the IRP to the upper layer;

S206: when processing a "cleanup request", clear the file cache;

S207: when processing a "query request", the file size reported is the valid data length excluding the encryption marker, and the corresponding sub-request is completed according to that file size.

Further, the filter condition in step S201 is met when any of the following holds: the file has no write permission; the volume context does not exist; the file stream context does not exist; the current operation is on a directory file; the current process and file type are not in the classified-process white list.

The beneficial effect of the dual-layer file leak-prevention method based on HOOK and a filter driver of the present invention is this: the method protects file information twice, in the application layer and in the driver layer, so that each layer covers the leak paths the other alone might leave open; it is safe, stable and reliable, needs no additional hardware or software support, and has a very low cost, so it is suitable for general adoption by individuals as well as by enterprises and institutions.

Based on the above method, the present invention also provides a transparent encryption/decryption leak-prevention system, namely a dual-layer file leak-prevention system based on HOOK and a filter driver.

A dual-layer file leak-prevention system based on HOOK and a filter driver comprises a server, a management terminal, an application-layer control module located in the application layer, a HOOK module located in the application layer, and a file system filter driver module located in the driver layer;

The server provides authentication and distributes the encryption policy;

The management terminal configures and stores the encryption policy on the server;

The application-layer control module collects the encryption policy from the server and sends it to the HOOK module and the file system filter driver module;

The HOOK module monitors the clipboard according to the encryption policy passed to it by the application-layer control module and prevents classified processes from copying data to non-classified processes;

The file system filter driver module intercepts the IRPs sent to the file system driver according to the encryption policy passed to it by the application-layer control module, and performs automatic encryption and decryption of the file content being read and written.

Further, the file system filter driver module uses RC4 as the encryption algorithm for file read/write content, ensures byte alignment, and encrypts the content dynamically according to the read/write length and offset.

Further, the dual-layer file leak-prevention system based on HOOK and a filter driver runs on the Windows platform.

Further, the application-layer control module periodically writes the encryption policy into a shared memory buffer and synchronizes that buffer with a mutex; the HOOK module reads the encryption policy from this buffer, and the file system filter driver communicates with the application layer through a communication port.

The beneficial effect of the dual-layer file leak-prevention system based on HOOK and a filter driver of the present invention is that the technical scheme provides a safe and stable leak-prevention system that blocks leak outlets in the driver layer and the application layer, so that file security is guaranteed.

Brief description of the drawings

Fig. 1 is a flow chart of the filter driver's "read request" IRP processing in the dual-layer file leak-prevention method based on HOOK and a filter driver of the present invention;

Fig. 2 is a flow chart of the filter driver's "write request" IRP processing in the dual-layer file leak-prevention method based on HOOK and a filter driver of the present invention;

Fig. 3 is the model of the dual-layer file leak-prevention method based on HOOK and a filter driver of the present invention;

Fig. 4 is a block diagram of the dual-layer file leak-prevention system based on HOOK and a filter driver of the present invention.

Embodiment

The principle and features of the present invention are described below with reference to the accompanying drawings; the examples serve only to explain the present invention and are not intended to limit its scope.

In the dual-layer file leak-prevention method based on HOOK and a filter driver, the application-layer control module first sends a request (i.e. host identity authentication) to the server; the management terminal then configures and stores the encryption policy on the server according to the host identity authentication request from the application-layer control module; the server then sends information, chiefly the encryption policy, to the application-layer control module; finally the application-layer control module sends the filtering policy to the HOOK module and the driver module, and each performs the following leak-prevention processing according to the filtering policy: in the HOOK module, HOOK.DLL is loaded into the processes running in the system, HOOK interception is applied in the application layer to all system calls that access the clipboard, and application-layer data copying is monitored; in the file system filter driver module, IRP dispatch functions are registered, the IRP requests sent by the I/O manager to the file system are intercepted, and they are processed according to the filtering policy. Note that the HOOK module and the driver module are loaded and started by the application-layer control module but run in system processes; they also perform filtering when no encryption policy has been delivered (the filtering policy is simply empty), in which case no file is encrypted.

In HOOK module:

The HOOK.DLL dynamic library is loaded into the processes running in the system by hook injection, intercepts all system calls that access the clipboard (both the standard clipboard and the OLE clipboard), and monitors application-layer data copying. The method by which HOOK intercepts the clipboard system calls in the application layer is: the application-layer control program loads HOOK.DLL into every process in the system as a global hook, and within HOOK.DLL the addresses of the clipboard system calls are replaced with the addresses of custom functions. If a clipboard copy occurs, determine whether the copying process is in the classified-process white list; if so, set the classified-process-copied-data Boolean in the shared data segment of the DLL to true by an atomic operation, otherwise set it to false by an atomic operation. If a clipboard paste occurs, determine whether the pasting process is in the classified-process white list; if the pasting process is in the classified-process white list and the classified-process-copied field in the shared segment of the DLL is false, empty the clipboard; otherwise call the corresponding hooked API; if the paste occurs on the OLE clipboard, the clipboard need not be emptied. For the case where data is copied and pasted out through the clipboard, the present invention proposes using API HOOK in the application layer: the APIs that a clipboard action needs to call are replaced with the program's own custom functions, which intercept the specified APIs and thereby monitor the clipboard. In this embodiment the functions to be hooked are SetClipboardData, OleSetClipboard, GetClipboardData and OleGetClipboard; the first two are the APIs called for a copy, and the latter two the APIs called for a paste. Copying data through the clipboard can occur in four situations: classified process to classified process, classified process to non-classified process, non-classified process to classified process, and non-classified process to non-classified process. Of these, only a classified process copying data to a non-classified process is forbidden; the other situations are allowed. When HOOK.DLL is loaded it first reads the encryption policy from shared memory to determine whether the current process is a classified process and sets the global variable g_bClassifyPs accordingly; whether the copying process is a classified process is then tracked by the shared variable g_bCopyByClassifyPs in HOOK.DLL, which is updated atomically by calling InterlockedExchange. When a paste occurs, g_bClassifyPs and g_bCopyByClassifyPs are used to determine whether data is being copied from a classified process to a non-classified process; if so, EmptyClipboard is called to empty the clipboard, otherwise nothing is done. The hook function corresponding to OleGetClipboard does not clear the clipboard.
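As an added example (not the patent's code), the following C model shows the copy/paste policy of HOOK.DLL as the four-case rule above describes it: the hooked set/get functions, the atomically updated copied-by-classified flag, and the OLE paste path that is never cleared. The white list, process names and in-memory clipboard are constructed stand-ins for the Windows APIs; g_bClassifyPs is recomputed per call here instead of being set once at DLL load.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed white list of classified process names (assumed values). */
static const char *const kClassifiedProcs[] = { "secedit.exe", "cadviewer.exe" };

/* Shared flag modelled on g_bCopyByClassifyPs: did the most recent copy come
 * from a classified process? Updated atomically, as the patent does with
 * InterlockedExchange; here the C11 atomic exchange plays that role. */
static atomic_bool g_bCopyByClassifyPs = false;

/* Constructed stand-in for the system clipboard (standard or OLE). */
typedef struct {
    char data[256];
    size_t len;
} clipboard_t;

static bool is_classified_process(const char *name) {
    for (size_t i = 0; i < sizeof kClassifiedProcs / sizeof *kClassifiedProcs; i++)
        if (strcmp(name, kClassifiedProcs[i]) == 0) return true;
    return false;
}

/* Hooked SetClipboardData / OleSetClipboard (step S102): the copy itself is
 * always allowed; only the identity of the copier is recorded. */
static void hooked_set_clipboard(clipboard_t *cb, const char *proc, const char *text) {
    size_t n = strlen(text);
    atomic_exchange(&g_bCopyByClassifyPs, is_classified_process(proc));
    if (n > sizeof cb->data - 1) n = sizeof cb->data - 1;
    memcpy(cb->data, text, n);
    cb->data[n] = '\0';
    cb->len = n;
}

/* Hooked GetClipboardData / OleGetClipboard: returns the number of bytes the
 * pasting process receives. 0 means the clipboard was emptied, which happens
 * only for classified -> non-classified on the standard clipboard; the OLE
 * path (is_ole) is left uncleared, as the text above states. */
static size_t hooked_get_clipboard(clipboard_t *cb, const char *proc, bool is_ole) {
    bool paster_classified = is_classified_process(proc);   /* g_bClassifyPs */
    bool from_classified = atomic_load(&g_bCopyByClassifyPs);
    if (from_classified && !paster_classified && !is_ole) {
        cb->len = 0;                                          /* EmptyClipboard() */
        cb->data[0] = '\0';
    }
    return cb->len;                 /* otherwise fall through to the real API */
}

/* Drive one copy/paste pair with constructed text and report the bytes pasted. */
static size_t simulate_transfer(const char *copier, const char *paster, bool is_ole) {
    clipboard_t cb = { {0}, 0 };
    hooked_set_clipboard(&cb, copier, "secret");
    return hooked_get_clipboard(&cb, paster, is_ole);
}
```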

In the file system filter driver module:

IRP dispatch functions are registered in the filter driver to intercept the IRP requests sent by the I/O manager to the file system and process them according to the filtering policy. In detail: when the file system filter driver intercepts an IRP packet, it checks whether the packet meets the filter condition; if it does, the packet is sent directly to the file system driver; if it does not, processing proceeds according to the IRP type: open request, read request, write request, close request, cleanup request, or query request.

Open request: obtain the file stream context; if this is not the first open, increment the reference count and pass the request down to the lower-level driver. Then construct a read request IRP that reads the file's encryption marker in a non-reentrant manner, determine whether the file is encrypted, and set the file stream context: an encrypted file is set to decrypt on read and encrypt on write and marked as encrypted; a new file is set to encrypt on write; a plaintext file is marked as unmodified and unencrypted. When processing an "open request", the corresponding pre-operation routine is called first. This routine first calls FltGetVolumeContext to determine whether the volume device object is a bound volume device, then filters directories and devices by file name, which can be obtained by calling FltGetFileNameInformation. It then checks whether the current process is in the classified-process white list; if not, this IRP is filtered, meaning that the file IRP arriving at this volume device object is not encrypted and is sent directly to the lower-level driver. After filtering, a file stream context is allocated for the current file; if one was allocated before, the reference count in the file stream context is incremented, and the file stream context information is set according to whether the file is plaintext, ciphertext or new. To distinguish plaintext from ciphertext, an IRP is constructed manually with IoAllocateIrp and sent directly to the file system driver to read the file's encryption marker; the GUID in the encryption marker is compared with the encryption GUID, and if they match the file is an encrypted file.

Read request: if it is a buffered read request or the file stream context is not set to decrypt on read, send it directly to the lower-level driver; otherwise allocate new memory and swap it with the user buffer supplied by the IRP, and once the read has completed, decrypt the contents of the allocated buffer, copy them to the original buffer, and complete the IRP to the upper layer. When processing a "read request", the pre-operation function registered by the minifilter is called first, as shown in Fig. 1. The volume context of the operation is obtained from the filter objects to determine whether it is a context that requires encryption; if not, the IRP is passed directly to the lower-level driver. The file stream context is then obtained from the callback data structure (the analogue of the IRP in the legacy filter model), and the callback data and stream-context parameters determine whether this IRP needs filtering. Because a minifilter has only read access to the buffer the file system provides and cannot decrypt it in place, it must allocate its own buffer with write access to replace the original one, set the post-operation callback context, and pass the I/O request on, so that the registered post-operation function will be called. On entering the post-operation routine, note that the filter manager has already converted the buffering automatically: the data read is in the MDL buffer the filter provided, and the swap buffer is decrypted directly, decrypting exactly as many bytes as were read, which yields the plaintext being read. Finally the plaintext in the swap buffer is copied straight into the original user buffer and the IRP request continues on its way.

Write request: a buffered write request is sent directly to the lower-level driver; a write to a non-new, unencrypted file has the modified state set and is passed down to the lower-level driver. Otherwise the data in the user buffer supplied by the IRP is copied into newly allocated memory, the buffer is encrypted and sent to the lower-level driver, and after the lower-level driver has completed the IRP, the decrypt-on-read state and the data-written state are set and the IRP is completed to the upper layer. When processing a "write request", the filter manager first calls the previously registered pre-operation routine, as shown in Fig. 2, which likewise obtains the relevant parameters through the PFLT_CALLBACK_DATA and PCFLT_RELATED_OBJECTS callback structures in order to filter ineligible IRPs, which are passed straight down to the lower-level driver. This routine gives special treatment to encryption on modification: an unencrypted file that meets the other conditions has the modified parameter of its stream context set and is handled separately in IRP_MJ_CLOSE, while writes to new files and to encrypted files are all encrypted. Encrypting a write request is fairly simple: after allocating an MDL buffer in the same way, the data in the user buffer is copied into the new buffer and encrypted there, then passed directly to the lower-level driver, so that the encrypted data is what gets written to the disk file; the allocated buffer and the related context are released in the post-operation routine.

Close request: if the file reference count is not 0, send the IRP to the lower-level driver; otherwise determine whether the file is set to decrypt on read: if so, write the encryption marker to the file; if not, read the file in segments, encrypt them, write them back, and finally write the encryption marker. Then complete the IRP to the upper layer. In processing a "close request", the encrypted file is handled mainly after the corresponding filter operations on the IRP; for a new file and for a file that has had data written, the data was already encrypted when the write requests were processed, so only the encryption marker needs to be written at the end. The remaining case is an unencrypted plaintext file whose data has been modified: that file was not encrypted at write time, so an IRP packet must be constructed manually to read the file content in a non-reentrant manner and encrypt it; the read length is aligned to the sector size and the file is read in a loop, a write request IRP is constructed to write the encrypted data to the file, and finally the encryption marker is written. When the encryption marker is written, the hash value of the encryption key is written with it, which later lets the management terminal's decryption/export program look up the decryption key in the database when examining earlier encrypted documents or managing document export.

Cleanup request: clear the file cache.

Query request: the file size reported is the valid data length excluding the encryption marker, and the corresponding sub-request is completed according to that file size.

The filter condition is met when any of the following holds: the file has no write permission; the volume context does not exist; the file stream context does not exist; the current operation is on a directory file; the current process and file type are not in the classified-process white list. In the scheme in which the filter driver registers IRP dispatch functions, intercepts the IRP requests sent by the I/O manager to the file system and processes them according to the filtering rules, the encryption of a plaintext file constructs a read IRP whose content length must be sector-aligned, encrypts the content read, and then constructs a write IRP to write the encrypted data to the file, so that IRP re-entry is avoided. In the same scheme, the classified-process white list is stored in a singly linked list that contains the classified process names and the file filter suffixes. Communication between processes uses shared memory, and named kernel objects are used to notify processes of access.
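The read, write, close and query handling above all depend on two details the text leaves abstract: applying RC4 at an arbitrary file offset so that any read/write length stays byte-aligned, and treating the encryption marker (GUID plus key hash) as part of the physical file but not of the logical size. The following C example, added here and not the patent's code, implements both; the marker's placement as a trailer, the GUID value and FNV-1a as the key hash are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SECTOR_SIZE 512u
#define GUID_LEN 16u

/* Constructed encryption GUID used as the marker tag (assumed value). */
static const uint8_t kEncGuid[GUID_LEN] = {
    0x3a, 0x7f, 0x11, 0xc2, 0x9d, 0x4e, 0x40, 0xb1,
    0x8a, 0x52, 0x6e, 0x0c, 0xd7, 0x21, 0x9b, 0x35 };

/* Encryption marker: GUID plus a hash of the key, stored as a trailer
 * (trailer layout and the FNV-1a 32-bit hash are assumptions). */
typedef struct { uint8_t guid[GUID_LEN]; uint32_t key_hash; } enc_marker_t;
#define MARKER_LEN (sizeof(enc_marker_t))

static uint32_t fnv1a32(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t k = 0; k < n; k++) { h ^= p[k]; h *= 16777619u; }
    return h;
}

typedef struct { uint8_t S[256]; uint8_t i, j; } rc4_t;

static void rc4_init(rc4_t *st, const uint8_t *key, size_t klen) {
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) st->S[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + st->S[k] + key[k % klen]);
        uint8_t t = st->S[k]; st->S[k] = st->S[j]; st->S[j] = t;
    }
    st->i = st->j = 0;
}

static uint8_t rc4_next(rc4_t *st) {
    st->i = (uint8_t)(st->i + 1);
    st->j = (uint8_t)(st->j + st->S[st->i]);
    uint8_t t = st->S[st->i]; st->S[st->i] = st->S[st->j]; st->S[st->j] = t;
    return st->S[(uint8_t)(st->S[st->i] + st->S[st->j])];
}

/* XOR buf with the keystream bytes that belong to file offset `offset`, so a
 * read or write of any length at any position lines up with the rest of the
 * file (the "dynamic encryption by length and offset" of the text). */
static void rc4_xor_at(const uint8_t *key, size_t klen, size_t offset,
                       uint8_t *buf, size_t len) {
    rc4_t st;
    rc4_init(&st, key, klen);
    for (size_t k = 0; k < offset; k++) rc4_next(&st);   /* discard up to offset */
    for (size_t k = 0; k < len; k++) buf[k] ^= rc4_next(&st);
}

/* Round a read length up to the sector size, as the close-request
 * re-encryption loop does for its manually constructed read IRPs. */
static size_t align_to_sector(size_t len) {
    return (len + SECTOR_SIZE - 1) / SECTOR_SIZE * SECTOR_SIZE;
}

/* Encrypt a plaintext file in place and append the marker; returns the new
 * physical length. `file` must have MARKER_LEN bytes of spare room. */
static size_t encrypt_file(uint8_t *file, size_t plain_len,
                           const uint8_t *key, size_t klen) {
    enc_marker_t m;
    rc4_xor_at(key, klen, 0, file, plain_len);
    memcpy(m.guid, kEncGuid, GUID_LEN);
    m.key_hash = fnv1a32(key, klen);            /* lets the management side find the key */
    memcpy(file + plain_len, &m, MARKER_LEN);
    return plain_len + MARKER_LEN;
}

/* Open-request check: compare the GUID in the marker with our GUID. */
static bool is_encrypted_file(const uint8_t *file, size_t phys_len) {
    enc_marker_t m;
    if (phys_len < MARKER_LEN) return false;
    memcpy(&m, file + phys_len - MARKER_LEN, MARKER_LEN);
    return memcmp(m.guid, kEncGuid, GUID_LEN) == 0;
}

/* Query-request view: valid data length excluding the marker. */
static size_t logical_size(const uint8_t *file, size_t phys_len) {
    return is_encrypted_file(file, phys_len) ? phys_len - MARKER_LEN : phys_len;
}

/* Read-request post-processing: copy what the lower driver returned into a
 * swap buffer and decrypt exactly as many bytes as were read, clamped to the
 * logical size so the marker is never handed up. Returns bytes delivered. */
static size_t read_decrypted(const uint8_t *file, size_t phys_len,
                             const uint8_t *key, size_t klen,
                             size_t offset, uint8_t *out, size_t len) {
    size_t lsize = logical_size(file, phys_len);
    if (offset >= lsize) return 0;
    if (len > lsize - offset) len = lsize - offset;
    memcpy(out, file + offset, len);
    if (is_encrypted_file(file, phys_len)) rc4_xor_at(key, klen, offset, out, len);
    return len;
}
```

Skipping the keystream from zero on every request is the simple form; a driver would cache the RC4 state per file to avoid O(offset) work on each I/O. The same key reused across files or across rewrites of the same offset reuses keystream, a property of stream ciphers the patent does not address.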

The application-layer control module sends the filtering policy to the application-layer HOOK.DLL hook program, which forms the first layer of file leak prevention, and to the filter driver program, which forms the second layer, so that double filtering is achieved in the application layer and the driver layer.

The working principle of the HOOK in the application-layer HOOK.DLL hook program and of fileflt in the filter driver program is shown in Fig. 3. Once HOOK.DLL is injected into system processes it can intercept the specified APIs; a traditional hook-based transparent encryption scheme, for example, intercepts file manipulation functions such as CreateFile and ReadFile, which are APIs provided by the operating system kernel library kernel32.DLL. The present invention does not intercept those APIs; it only needs to intercept the clipboard-related functions such as GetClipboardData. After HOOK interception, the replaced API can be called with some modification and continue down to the lower layer. ntdll.dll is the core API library closest to kernel mode; once a call reaches the kernel layer, the I/O manager constructs the corresponding IRP packet and delivers it to the specified driver. For a file operation, for instance, the corresponding file IRP is constructed and passed to the file system driver (strictly speaking, to the file system driver's device object). Because the file system filter driver has created a filter device object bound on top of the file system driver's device object (that is, at the top of the device stack), the driver corresponding to the filter device object processes this IRP first, which achieves IRP interception. Within drivers, an IRP is passed down to the lower-level driver and the completion status of the lower-level driver is returned upward. An IRP can complete and return synchronously or asynchronously (as distinct from the case in which the IRP is no longer passed down): some IRPs return their status straight to the upper layer on completion, that is, no processing is needed after the lower-level driver has completed them; asynchronous completion means regaining control of the IRP after the lower-level driver has completed it and performing some post-completion processing, as a read request requires, where the data must be decrypted after the lower-level driver has read it, whereas a write request needs no post-processing; in the minifilter of the present invention the completion routine is called post-processing. The disk driver, a driver at a lower level, is mainly responsible for the read and write operations on the physical disk. Macroscopically, Fig. 3 shows that a filter driver is added on top of the file system driver of the user host's Windows operating system and combined with application-layer HOOK technology, so that the application's API calls are intercepted in the application layer and the IRP packets in the driver layer, protecting confidential file information with double protection; the user-space control module can manually generate a policy and send it to the driver and the HOOK module at the same time, which achieves flexible transparent protection of files.

The core IRP filtering and buffer exchange of the present invention proceed as follows:

After obtaining the IRP packet in the pre-operation routine, the IRP information is examined. If the IRP is one that the file system filter driver must filter out, it is sent directly to the lower driver. The filter conditions are as follows:

(1) Call the kernel routine FltGetVolumeContext to determine whether the volume device that received the IRP is a bound encrypted volume; if it is not, filter.

(2) Call the kernel routine FltGetStreamContext to determine whether the file stream context exists; if it does not, filter.

(3) Determine whether the current process is in the secret-process whitelist; if it is not, filter. The current process is obtained by calling the macro PsGetCurrentProcess.

(4) Call the kernel macro FLT_IS_FASTIO_OPERATION to determine whether the operation is fast I/O; if it is, filter.

(5) Determine from the IRP flags whether the IRP is a buffered request; if it is, filter.

(6) Determine from the file stream context whether the current file is a plaintext file; if it is, filter.

(7) Determine whether the file read length is 0; if it is, filter; otherwise align the length with the sector size.

Because the read/write buffer provided by the IRP has no write permission, read and write IRPs require a kernel buffer to be allocated and exchanged with it. The exchange steps for a read request are as follows:

1) Call ExAllocatePoolWithTag to allocate a non-paged pool block newBuf;

2) Call IoAllocateMdl to request a memory descriptor for newBuf, and use MmBuildMdlForNonPagedPool to build the memory descriptor newMdl;

3) Call ExAllocateFromNPagedLookasideList to allocate a fixed-size memory block p2pCtx from the kernel lookaside list; this is the callback context structure passed to the post-operation routine. Then set the IRP's read buffer and MDL to newBuf and newMdl, call FltSetCallbackDataDirty to signal that the buffer has been modified, save newBuf in p2pCtx->SwappedBuffer, and send the IRP to the lower driver.

4) In the post-operation routine the modified buffer has already been exchanged automatically: read the data from p2pCtx->SwappedBuffer and decrypt it, obtain the IRP's original buffer origBuf, copy the decrypted data into origBuf, and notify the upper driver of completion.
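The pre-operation filter conditions (1) to (7) and the read-request buffer exchange in steps 1) to 4), modelled together as an added example that is not the patent's code: a user-mode C model in which the kernel calls (FltGetVolumeContext, FltGetStreamContext, PsGetCurrentProcess, FLT_IS_FASTIO_OPERATION, ExAllocatePoolWithTag and the MDL routines) are replaced by constructed struct fields and plain allocations, and the RC4 cipher of claim 7 is positioned at the file offset so that a read of any length and offset decrypts correctly. ReadIrp, needs_decrypt, aligned_length, filtered_read, the 512-byte sector size and the sample key and file are all constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define SECTOR_SIZE 512u
/* RC4 (the cipher claim 7 names) with the keystream positioned at a file offset, so a
 * file byte always meets the same keystream byte whatever the request size or offset. */
typedef struct { uint8_t s[256]; uint8_t i, j; } Rc4;
static void rc4_init(Rc4 *r, const uint8_t *key, size_t klen) {
    for (int k = 0; k < 256; k++) r->s[k] = (uint8_t)k;
    for (int k = 0, j = 0; k < 256; k++) {
        j = (j + r->s[k] + key[k % klen]) & 0xff;
        uint8_t t = r->s[k]; r->s[k] = r->s[j]; r->s[j] = t;
    }
    r->i = r->j = 0;
}
static uint8_t rc4_next(Rc4 *r) {
    r->i = (uint8_t)(r->i + 1); r->j = (uint8_t)(r->j + r->s[r->i]);
    uint8_t t = r->s[r->i]; r->s[r->i] = r->s[r->j]; r->s[r->j] = t;
    return r->s[(uint8_t)(r->s[r->i] + r->s[r->j])];
}
/* XOR buf[0..len) with keystream bytes [off, off+len); the same call encrypts and decrypts. */
void rc4_xor_at(const uint8_t *key, size_t klen, uint64_t off, uint8_t *buf, size_t len) {
    Rc4 r;
    rc4_init(&r, key, klen);
    for (uint64_t k = 0; k < off; k++) (void)rc4_next(&r);
    for (size_t k = 0; k < len; k++) buf[k] ^= rc4_next(&r);
}
/* What the pre-operation routine learns from FltGetVolumeContext, FltGetStreamContext,
 * PsGetCurrentProcess and FLT_IS_FASTIO_OPERATION, supplied here as constructed fields. */
typedef struct {
    bool volume_bound;        /* (1) volume carries an encryption context */
    bool stream_ctx_exists;   /* (2) file stream context exists */
    bool process_whitelisted; /* (3) current process is in the secret-process whitelist */
    bool fast_io;             /* (4) fast I/O operation */
    bool buffered;            /* (5) buffered (cached) request */
    bool plaintext_file;      /* (6) stream context marks the file as plaintext */
    uint64_t offset;          /* file offset of the read */
    uint32_t length;          /* (7) requested read length */
} ReadIrp;
/* Filter conditions (1)-(7): true = swap buffers and decrypt, false = pass straight down. */
bool needs_decrypt(const ReadIrp *irp) {
    if (!irp->volume_bound || !irp->stream_ctx_exists) return false;
    if (!irp->process_whitelisted || irp->fast_io || irp->buffered) return false;
    return !irp->plaintext_file && irp->length != 0;
}
/* Condition (7): the swapped buffer is rounded up to whole sectors. */
uint32_t aligned_length(uint32_t length) {
    return (length + SECTOR_SIZE - 1) / SECTOR_SIZE * SECTOR_SIZE;
}
typedef struct { const uint8_t *data; size_t size; } CipherFile; /* stands in for the disk */
/* Read path: pre-op buffer swap, lower driver, post-op decrypt and copy back.
 * Delivers up to irp->length bytes into origBuf (the IRP's own user buffer). */
size_t filtered_read(const CipherFile *f, const uint8_t *key, size_t klen,
                     const ReadIrp *irp, uint8_t *origBuf) {
    size_t avail = irp->offset < f->size ? f->size - irp->offset : 0;
    size_t n = avail < irp->length ? avail : irp->length;
    if (!needs_decrypt(irp)) {                       /* filtered: raw bytes, untouched */
        memcpy(origBuf, f->data + irp->offset, n);
        return n;
    }
    uint32_t alen = aligned_length(irp->length);
    uint8_t *newBuf = calloc(alen, 1);               /* ExAllocatePoolWithTag stand-in */
    size_t got = avail < alen ? avail : alen;
    memcpy(newBuf, f->data + irp->offset, got);      /* lower driver fills SwappedBuffer */
    rc4_xor_at(key, klen, irp->offset, newBuf, got); /* post-op: decrypt at the file offset */
    memcpy(origBuf, newBuf, n);                      /* copy decrypted data into origBuf */
    free(newBuf);
    return n;
}
/* Constructed demo: encrypt a sample file, then read it as a secret process (plaintext
 * comes back) and as an untrusted process (ciphertext comes back). Returns 1 if both hold. */
int demo(void) {
    static const uint8_t key[] = "constructed-demo-key";            /* constructed */
    uint8_t file[] = "The quick brown fox jumps over the lazy dog"; /* constructed */
    size_t klen = sizeof key - 1, fsize = sizeof file - 1;
    rc4_xor_at(key, klen, 0, file, fsize);                          /* write path: encrypt */
    CipherFile cf = { file, fsize };
    ReadIrp secret = { true, true, true, false, false, false, 4, 5 }, untrusted = secret;
    untrusted.process_whitelisted = false;
    uint8_t out[8] = {0};
    int ok = filtered_read(&cf, key, klen, &secret, out) == 5 && memcmp(out, "quick", 5) == 0;
    return ok && filtered_read(&cf, key, klen, &untrusted, out) == 5 && memcmp(out, "quick", 5) != 0;
}
```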

Based on the above method, the present invention also provides a transparent encryption/decryption anti-leakage system, namely a dual-layer file anti-leakage system based on HOOK and a filter driver.

As shown in Figure 4, the dual-layer file anti-leakage system based on HOOK and a filter driver mainly comprises three submodules: the HOOK module in the application layer, the file system filter driver module in the driver layer, and the application-layer control module in the application layer. To make the system suitable for use inside enterprises and institutions, a management end (Manager) and a service end (Server) are added to this modular design. The management end is used to configure and store the encryption policy; besides this it provides policy and certificate management for each group, and also provides a file decryption export function. The service end is used to store the information of each host in the subnet, to provide authentication for the application-layer control module and to distribute the encryption policy; as the middleware program for communication it stores each host's information and provides authentication and encryption policy distribution to the clients. The application-layer control module collects the encryption policy and sends it to the application-layer HOOK module and the file system filter driver module. The HOOK module monitors the clipboard according to the encryption policy passed by the application-layer control module and prevents secret processes from copying data to non-confidential processes. The file system filter driver module intercepts, according to the encryption policy passed by the application-layer control module, the IRPs sent to the file system driver and performs automatic encryption and decryption of file read/write content.

The present invention is applied to a file transparent encryption/decryption system on the Windows platform; embodiments are described below:

Experiment one:

(1) Experimental design

The PC configuration is: CPU Core i5-2450M, 2600 MHz (26x100), 4 GB memory, Windows XP SP3 operating system. The client runs on a host with the Fileflt driver installed; the service end does not need to load a driver program; the management end sets up groups and the corresponding policies (in the test, Notepad, Office Word, Office Excel and Office PPT are set as trusted processes and added to the secret-process whitelist), then distributes the named policy to the group members and starts the server process. The client process exports the certificate file of its own host from the management end (the client host may be authenticated online or offline; in offline mode an offline data package is exported from the management end and no server is needed). The experiment imports the certificate by online authentication and runs the client. The experiment tests the effectiveness of the system's protection and its leak paths, including forced encryption of txt and Office documents, modification of encrypted files, "save as", copy-and-paste situations that may leak data, and the decryption export function.

(2) Experimental results and assessment

Experiment one: start the client program and perform the following tests on Notepad and Office office documents respectively:

1. Create a new file, write data and save it with a conventional suffix;

2. Create a new file, write data and save it as .dat (or another unconventional suffix);

3. Open an encrypted file, save it, and check that it can still be opened normally;

4. Modify an unencrypted file, save it, and open it again;

5. Open an unencrypted file and close it directly without modification;

6. After opening a file, copy data into a browser and into other secret processes respectively, and observe whether normal copying is visible;

7. Copy an encrypted file to the management end, and check the decrypted document using the management end's decryption export.

After writing the test files, the first round of testing produced one set of results; Table 1 shows the test results for secret processes in the first round. The effect is the same for Notepad and the Office suite, and the system's support for Notepad and Office office software is stable. As the results in Table 1 show, new files and modified plaintext files are force-encrypted, encrypted files can be accessed normally, and plaintext files that are only viewed and not modified are not force-encrypted; the test results are stable. Result 6 shows that trusted processes cannot copy data to untrusted processes, while copying in all other cases is unrestricted, which effectively prevents clipboard data from being copied out. Result 7 shows that the management end can decrypt encrypted files normally without the driver loaded.

Table 1: File transparent encryption states with the driver loaded

Experiment two:

The file open time for files of different sizes was analysed for txt files; Table 2 gives the performance analysis of file opening. The system was tested on the time to open files of different sizes: the test procedure used txt files and measured the read time for files between 5 MB and 30 MB; the test data are shown in Table 2. The analysis shows that the transparent encryption driver has no significant effect on file reading; files under 20 MB incur an overhead of about 30 ms, which does not affect the user.

Table 2: File open time performance for different file sizes

The above are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within its scope of protection.

Claims (9)

1. A dual-layer file anti-leakage method based on HOOK and a filter driver, characterized in that it comprises the following steps:
S100: the application-layer control module sends a host identity authentication request to the service end;
S200: the management end configures and stores the encryption policy in the service end according to the host identity authentication request of the application-layer control module;
S300: the service end distributes the encryption policy to the application-layer control module;
S400: the application-layer control module sends the filtering policy to the HOOK module and the file system filter driver module respectively, and the HOOK module and the file system filter driver module each perform the following anti-leakage processing according to the filtering policy:
In the HOOK module, HOOK.DLL is loaded into the running processes of the system, all system calls to the clipboard are intercepted by the HOOK in the application layer, and data copying in the application layer is monitored;
In the file system filter driver module, IRP dispatch functions are registered, the IRP requests sent by the I/O manager to the file system are intercepted, and they are processed according to the filtering policy;
Intercepting all system calls to the clipboard by the HOOK in the application layer, that is, the method by which the HOOK captures clipboard system calls, comprises the following sub-steps:
S101: the application-layer control program loads HOOK.DLL into all processes of the system as a global hook, and in HOOK.DLL the system call addresses of the clipboard are replaced with the addresses of self-defined functions; if clipboard data is copied, go to step S102; if clipboard data is pasted, go to step S103;
S102: when clipboard data is copied, determine whether the copying process is in the secret-process whitelist; if it is, set the "secret process copied data" boolean in the shared data segment of the DLL to true by an atomic operation; if it is not, set that boolean to false by an atomic operation;
S103: when clipboard data is pasted, determine whether the pasting process is in the secret-process whitelist; if the pasting process is in the secret-process whitelist and the "secret process copied data" field in the DLL shared segment is false, empty the clipboard; otherwise, call the corresponding API that was hooked.
2. The dual-layer file anti-leakage method based on HOOK and a filter driver according to claim 1, characterized in that the clipboard comprises the standard clipboard and the OLE clipboard, and if the paste occurs on the OLE clipboard the clipboard does not need to be emptied.
3. The dual-layer file anti-leakage method based on HOOK and a filter driver according to claim 1, characterized in that communication between processes uses shared memory, and named kernel objects are used to notify processes of access.
4. The dual-layer file anti-leakage method based on HOOK and a filter driver according to claim 1, characterized in that, in the file system filter driver module, registering the IRP dispatch functions, intercepting the IRP requests sent by the I/O manager to the file system and processing them according to the filtering policy comprises the following sub-steps:
S201: when the file system filter driver module intercepts an IRP packet, check whether the IRP packet meets the filter conditions; if it does, send it directly to the file system driver; if it does not, process it according to the IRP packet type: an "open request" goes to step S202, a "read request" to step S203, a "write request" to step S204, a "close request" to step S205, a "cleanup request" to step S206 and a "query request" to step S207;
S202: when processing an "open request", obtain the file stream context;
if the file is not being opened for the first time, increment the reference count and send the request to the lower driver; continue by constructing a read request, reading the file's encryption identifier in non-reentrant mode with the IRP packet, determining whether the file is an encrypted file, and setting the file stream context: if it is an encrypted file, set decrypt-on-read and encrypt-on-write, and mark it as encrypted;
if the file is being opened for the first time, set encrypt-on-write, set the plaintext file to the unmodified state, and mark it as unencrypted;
S203: when processing a "read request", if it is a buffered read request or the file stream context does not have decrypt-on-read set, send it directly to the lower driver; otherwise allocate new memory and exchange it with the user buffer provided by the IRP, and after the read has completed decrypt the content of the allocated buffer, copy it to the original buffer, and complete the IRP to the upper layer;
S204: when processing a "write request", if it is a buffered write request, send it directly to the lower driver; if it is a write request to an unencrypted file that is not newly created, set the modified state and send it to the lower driver; otherwise copy the data in the user buffer provided by the IRP into newly allocated memory, encrypt the buffer data and send it to the lower driver, and after the lower driver has completed the IRP, set the decrypt-on-read state and the data-written state and complete the IRP to the upper layer;
S205: when processing a "close request",
if the file reference count is not 0, send the IRP to the lower driver;
if the file reference count is 0, determine whether decrypt-on-read is set; if it is, write the encryption identifier to the file; if it is not, read the file in segments, encrypt it, write it back, and finally write the encryption identifier to the file; then complete the IRP to the upper layer;
S206: when processing a "cleanup request", clear the file cache;
S207: when processing a "query request", the size of the file is the valid data length without the encryption identifier; complete the corresponding sub-request according to the file size.
5. The dual-layer file anti-leakage method based on HOOK and a filter driver according to claim 4, characterized in that the filter conditions in step S201 are: the file has no write permission, the volume context does not exist, the file stream context does not exist, the current operation is on a directory file, and the current process and file type are not in the secret-process whitelist.
6. A dual-layer file anti-leakage system based on HOOK and a filter driver, characterized in that it comprises a service end, a management end, an application-layer control module in the application layer, a HOOK module in the application layer, and a file system filter driver module in the driver layer;
the service end is used to provide authentication and distribute the encryption policy;
the management end is used to configure the encryption policy and store it in the service end;
the application-layer control module is used to collect the encryption policy of the service end and send it to the HOOK module and the file system filter driver module;
the HOOK module is used to monitor the clipboard according to the encryption policy passed by the application-layer control module and to prevent secret processes from copying data to non-confidential processes;
the file system filter driver module is used to intercept, according to the encryption policy passed by the application-layer control module, the IRPs sent to the file system driver, and to perform automatic encryption and decryption of file read/write content.
7. The dual-layer file anti-leakage system based on HOOK and a filter driver according to claim 6, characterized in that the file system filter driver module uses RC4 as the encryption algorithm for file read/write content, byte-aligned, and encrypts the content dynamically according to the read/write length and offset value.
8. The dual-layer file anti-leakage system based on HOOK and a filter driver according to claim 6 or 7, characterized in that the dual-layer file anti-leakage system based on HOOK and a filter driver is based on the Windows platform.
9. The dual-layer file anti-leakage system based on HOOK and a filter driver according to claim 6 or 7, characterized in that the application-layer control module periodically writes the encryption policy into a shared memory buffer, the shared memory buffer is synchronized with a mutex, the HOOK module reads the encryption policy from this buffer, and the file system filter driver communicates with the application layer through a communication port.
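The clipboard interception of the HOOK module (steps S101 to S103 of claim 1, and the HOOK part of Figure 3 in the description), modelled as an added example that is not the patent's code: a user-mode C model in which the Windows clipboard functions whose addresses HOOK.DLL replaces are constructed stand-ins in a function-pointer table, the current process is a constructed struct, and the paste decision follows the intent the description states (data copied by a secret process may not be pasted into a non-secret process). Process, ClipboardApi, install_clipboard_hooks and copy_paste are assumed names.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <string.h>

typedef struct { const char *name; bool secret; } Process;  /* secret = in the whitelist */

/* The clipboard entry points whose addresses HOOK.DLL overwrites in step S101. */
typedef struct {
    void (*SetClipboardData)(const char *text);
    const char *(*GetClipboardData)(void);
    void (*EmptyClipboard)(void);
} ClipboardApi;

/* Constructed stand-ins for the clipboard and for the original system functions. */
static char g_clipboard[256];
static void orig_SetClipboardData(const char *t) { strncpy(g_clipboard, t, sizeof g_clipboard - 1); }
static const char *orig_GetClipboardData(void) { return g_clipboard; }
static void orig_EmptyClipboard(void) { g_clipboard[0] = '\0'; }

static ClipboardApi g_api = { orig_SetClipboardData, orig_GetClipboardData, orig_EmptyClipboard };
static ClipboardApi g_orig;           /* saved originals that the hooks chain to */
static const Process *g_current;      /* process the DLL runs in (PsGetCurrentProcess stand-in) */
static atomic_bool g_secret_copied;   /* "secret process copied data" flag in the DLL shared segment */

/* S102: on copy, record atomically whether the copying process is a secret process. */
static void hooked_SetClipboardData(const char *text) {
    atomic_store(&g_secret_copied, g_current->secret);
    g_orig.SetClipboardData(text);
}

/* S103: on paste, data copied by a secret process must not reach a non-secret process,
 * so the clipboard is emptied first; every other case falls through to the original API. */
static const char *hooked_GetClipboardData(void) {
    if (!g_current->secret && atomic_load(&g_secret_copied)) g_orig.EmptyClipboard();
    return g_orig.GetClipboardData();
}

/* S101: replace the system-call addresses with the self-defined functions (idempotent). */
void install_clipboard_hooks(void) {
    if (g_api.SetClipboardData == hooked_SetClipboardData) return;
    g_orig = g_api;
    g_api.SetClipboardData = hooked_SetClipboardData;
    g_api.GetClipboardData = hooked_GetClipboardData;
}

/* Simulated copy in process `from` followed by a paste in process `to`; returns what `to` sees. */
const char *copy_paste(const Process *from, const char *text, const Process *to) {
    install_clipboard_hooks();
    g_current = from; g_api.SetClipboardData(text);
    g_current = to;   return g_api.GetClipboardData();
}
```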
Publications (2)

Publication Number Publication Date
CN103605930A CN103605930A (en) 2014-02-26
CN103605930B true CN103605930B (en) 2016-04-13