CN104102857A - Executable file full-life-cycle safety management system used under WINDOWS system - Google Patents


Info

Publication number: CN104102857A
Authority: CN (China)
Prior art keywords: file, program, rule, control module, access
Legal status: Granted
Application number: CN201410340330.5A
Other languages: Chinese (zh)
Other versions: CN104102857B (en)
Inventors: 邢希双, 王超
Current assignee: Inspur Electronic Information Industry Co Ltd
Original assignee: Inspur Electronic Information Industry Co Ltd
Priority date: 2014-07-17
Filing date: 2014-07-17
Publication date: 2014-10-15

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
            • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
            • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
        • G06F21/60 Protecting data
            • G06F21/604 Tools and structures for managing or administering access control systems
            • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                • G06F21/6218 Protecting access to data via a platform to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides an executable file full-life-cycle safety management system used under a WINDOWS system. File access control, program start intervention control and inter-process behaviour intervention control are combined by using the file filter control interface, the program start notification interface and the process access behaviour callback interface provided by the Windows operating system, so that the security of executable files over their full life cycle can be comprehensively improved under the Windows operating system. The executable file full-life-cycle safety management system comprises a file system access control module (1), a program start control module (2), a program run control module (3) and a rule configuration application program module (4). A flexible rule configuration mechanism is provided to improve the usability of the system: all kernel driver modules read a preset set of access control rules when initialized, and the required access control rules can be added, deleted and updated at will while the system is running.

Description

Executable file full-life-cycle safety management system under a WINDOWS system
Technical field
The present invention relates to the field of computer operating system security, and specifically to an executable file full-life-cycle safety management system under a WINDOWS system.
Background technology
With the development of new technologies such as cloud computing and big data, the security requirements placed on operating system resources keep rising. Executable files are the most important resources in an operating system: they are either the pillar processes that keep the operating system running continuously or the core programs of the upper-layer business system, so effectively ensuring the security of executable files throughout their whole life cycle has become a technical problem in urgent need of a solution. Traditional solutions either control at the static file level, in which case the running program is easily injected into or destroyed; or control at the dynamic process level, in which case the image file of an executable program that is not running is easily deleted or tampered with, so that when the program is run again it either no longer exists or its behaviour is unpredictable; or they do not intervene in the transition from static executable file to dynamic process, so that programs replaced or tampered with by human or other means can be run without difficulty.
The executable file full-life-cycle safety management system under a WINDOWS system proposed by the present invention can noticeably improve the security of executable files: by combining file access control, program start control and program run control, it effectively ensures that executable files execute according to the logic the developer intended.
Summary of the invention
The object of the present invention is to provide an executable file full-life-cycle safety management system under a WINDOWS system.
The object of the invention is achieved as follows. By using the file filter control interface, the program start notification interface and the inter-process access behaviour callback interface provided by the Windows operating system, file access control, program start intervention control and inter-process behaviour intervention control are combined, which comprehensively strengthens the security of executable files under the Windows operating system over their full life cycle. The system comprises: (1) a file system access control module; (2) a program start control module; (3) a program run control module; (4) a rule configuration application program module, wherein:
(1) file system access control module: implemented as a file system filter kernel driver. According to the executable files involved in the application programs and the system of the current operating system, access rules are configured flexibly, including rules for specific files and fuzzy rules containing wildcards; all access rules are stored in this module's rule linked list. The file system filter kernel driver perceives file access operations, including execute, rewrite, delete, rename, move and overwrite, and queries the file access control linked list, so that any illegal access to or tampering with an executable file is prevented. If the system is configured so that files of a certain type may not be executed in the current operating system, then when a file of that type is opened with execute permission the file system filter driver obtains the file's path name, queries the file access control linked list and refuses the open directly, so that an executable file of that type cannot change from the stopped state to the started state;
(2) program start control module: implemented as a kernel driver. According to the executable files involved in the application programs and the system of the current operating system, access rules are configured flexibly, including rules for specific files and fuzzy rules containing wildcards; all access rules are stored in this module's rule linked list. At the same time the module registers for the Windows operating system's process creation notification, so that whenever a new process is created in the operating system, the operating system notifies the program start control module. When notified, the program start control module obtains the image file path name of the process about to be created and queries the process creation control linked list; any illegal process creation or run is blocked directly by this module, so that the corresponding executable file cannot change from the started state to the running state;
(3) program run control module: implemented as a kernel driver. According to the executable files involved in the application programs and the system of the current operating system, access rules are configured flexibly, including rules for specific files and fuzzy rules containing wildcards; all access rules are stored in this module's rule linked list. The program run control module perceives inter-process access operations, including writing to the address space memory of a process, creating a remote thread, setting process information, terminating or suspending a process, and duplicating a process handle, and queries the process access control linked list, so that any illegal injection into or destruction of a running process is prevented. If a certain program or service is extremely important in the current operating system and would cause greater harm once stopped, a no-terminate rule may be configured for that program or service; when the program run control module perceives an action that would terminate that program or service, it obtains the path name of the corresponding executable file, queries the process access control linked list and refuses the action directly, so that the corresponding executable file cannot change from the running state to the stopped state;
(4) rule configuration application program module: implemented as a Windows application program. It is responsible for installing the file system access control module, the program start control module and the program run control module, for receiving commands to configure the rules of the three modules, and for unloading the three modules from the current operating system.
The beneficial effect of the present invention is that the method manages the life cycle of the static executable file in the file system, of the program start-up process, and of the dynamic process in memory: by using the file filter control interface, the program start notification interface and the inter-process access behaviour callback interface provided by the Windows operating system, file access control, program start intervention control and inter-process behaviour intervention control are combined, comprehensively strengthening the security of executable files over their full life cycle under the Windows operating system.
With regard to usability, the present invention proposes a flexible rule configuration mechanism: all kernel driver modules read the preset access control rules at initialization, and the required access control rules can be added, deleted and updated at will during operation.
Brief description of the drawings
Fig. 1 is a schematic diagram of the executable file full-life-cycle state transition principle;
Fig. 2 is a structural diagram of the executable file full-life-cycle safety management modules;
Fig. 3 is a flow chart of the rule configuration application program.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings.
An executable file full-life-cycle safety management system under a WINDOWS system adds kernel security modules to an existing Windows operating system in order to intervene in the operating system's file access operations, process start-up and inter-process behaviour control, thereby improving the security of the whole life cycle of executable files. Its principle is shown in Figure 1 and its system composition in Figure 2; the system comprises (1) a kernel-mode file access control module; (2) a kernel-mode program start control module; (3) a kernel-mode program run control module; (4) a user-mode rule configuration application program.
The kernel-mode file access control module (1) is loaded into the operating system kernel by the user-mode rule configuration application program (see Figure 3). After loading succeeds, the user-mode rule configuration application program immediately establishes a communication connection with the kernel-mode file access control module, and all later additions, deletions and updates of file access control rules are performed over this connection (see Figure 2).
The kernel-mode program start control module (2) is loaded into the operating system kernel by the user-mode rule configuration application program (see Figure 3). After loading succeeds, the user-mode rule configuration application program immediately establishes a communication connection with the kernel-mode program start control module, and all later additions, deletions and updates of program start control rules are performed over this connection (see Figure 2).
The kernel-mode program run control module (3) is loaded into the operating system kernel by the user-mode rule configuration application program (see Figure 3). After loading succeeds, the user-mode rule configuration application program immediately establishes a communication connection with the kernel-mode program run control module, and all later additions, deletions and updates of program run control rules are performed over this connection (see Figure 2).
The user-mode rule configuration application program (4) is the operational hub and the unified data entry point of executable file full-life-cycle safety management under the whole Windows system. When it starts, it first loads the three kernel modules described above, then obtains the initial rules of the three modules from the initial configuration file and submits each of the three sets of initial rules to the corresponding kernel module, so that the initial rules of file full-life-cycle safety management take effect. Once this processing is finished the user-mode rule configuration application program has started up and waits for user commands. When it receives a user command, it judges whether the received command is the exit command: if so, it unloads the three kernel modules and then stops running itself; if not, the command must be a rule configuration command, so it obtains the type and content of the input rule from the command parameters and submits the rule content to the corresponding kernel module, so that the corresponding kernel protection takes effect.
Apart from the technical features described in this specification, everything is known technology to those skilled in the art.
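As an added illustration that is not code from the patent or from Inspur, the following user-mode C program models the data structure all three kernel modules query: a per-module linked list of rules, each a specific path or wildcard pattern with the set of operations refused for it, plus the lookup a callback performs and the add/update the configuration program sends at run time. The paths, rule contents and the `demo_verdicts` function are constructed for this example; in the system described above the same lookup would run inside the file system filter driver, the process creation notify routine and the process access callback.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { /* access operations the three kernel-mode modules perceive, as bit flags */
    OP_EXECUTE = 1, OP_WRITE = 2, OP_DELETE = 4, OP_RENAME = 8, OP_MOVE = 16,
    OP_OVERWRITE = 32,                  /* (1) file system access control module */
    OP_CREATE_PROCESS = 64,             /* (2) program start control module */
    OP_WRITE_MEMORY = 128, OP_CREATE_REMOTE_THREAD = 256, OP_SET_PROCESS_INFO = 512,
    OP_TERMINATE = 1024, OP_SUSPEND = 2048, OP_DUP_HANDLE = 4096 /* (3) run control */
};

/* One rule: a path or wildcard pattern plus the operations refused for matching paths; each module keeps its own singly linked list. */
struct rule { char pattern[260]; unsigned deny_ops; struct rule *next; };

/* Add a rule, or update the denied operations of a pattern already in the list
 * (the add/update the user-mode configuration program sends over its channel). */
void rule_add(struct rule **head, const char *pattern, unsigned deny_ops)
{
    for (struct rule *r = *head; r; r = r->next)
        if (strcmp(r->pattern, pattern) == 0) { r->deny_ops = deny_ops; return; }
    struct rule *r = calloc(1, sizeof *r);
    if (!r) return;
    snprintf(r->pattern, sizeof r->pattern, "%s", pattern);
    r->deny_ops = deny_ops;
    r->next = *head;
    *head = r;
}

/* Case-insensitive wildcard match: '*' matches any run of characters and
 * '?' exactly one; Windows paths compare without regard to case. */
bool path_match(const char *pat, const char *s)
{
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (!*pat) return true;
            for (; *s; s++)
                if (path_match(pat, s)) return true;
            return false;
        }
        if (!*s || (*pat != '?' && tolower((unsigned char)*pat) != tolower((unsigned char)*s)))
            return false;
        pat++, s++;
    }
    return *s == '\0';
}

/* The query every kernel callback makes: refuse the operation if any rule
 * matching the path denies it, otherwise let the operation proceed. */
bool access_allowed(const struct rule *head, const char *path, unsigned op)
{
    for (const struct rule *r = head; r; r = r->next)
        if ((r->deny_ops & op) && path_match(r->pattern, path)) return false;
    return true;
}

/* Constructed scenario: one rule per module, one access per life-cycle
 * transition. Returns a bitmask in which a set bit means "refused". */
unsigned demo_verdicts(void)
{
    struct rule *fs = NULL, *start = NULL, *run = NULL;
    const char *scr = "C:\\Users\\bob\\Downloads\\x.SCR";
    const char *agent = "C:\\Program Files\\Guard\\agent.exe";
    unsigned refused = 0;
    rule_add(&fs, "C:\\Users\\*\\Downloads\\*.scr", OP_EXECUTE);
    rule_add(&start, "D:\\untrusted\\*.exe", OP_CREATE_PROCESS);
    rule_add(&run, agent, OP_WRITE_MEMORY | OP_CREATE_REMOTE_THREAD | OP_TERMINATE | OP_SUSPEND);
    /* stopped -> started: opening a forbidden file type with execute access */
    if (!access_allowed(fs, scr, OP_EXECUTE)) refused |= 1;
    if (!access_allowed(fs, scr, OP_WRITE)) refused |= 2;          /* writes not denied */
    /* started -> running: creating a process from an untrusted image */
    if (!access_allowed(start, "D:\\untrusted\\tool.exe", OP_CREATE_PROCESS)) refused |= 4;
    /* running -> stopped: terminating a service under a no-terminate rule */
    if (!access_allowed(run, agent, OP_TERMINATE)) refused |= 8;
    if (!access_allowed(run, agent, OP_DUP_HANDLE)) refused |= 16;  /* not in the denied set */
    /* the configuration program updates the rule at run time; termination now passes */
    rule_add(&run, agent, OP_WRITE_MEMORY | OP_CREATE_REMOTE_THREAD);
    if (!access_allowed(run, agent, OP_TERMINATE)) refused |= 32;
    free(fs); free(start); free(run);
    return refused; /* 1 | 4 | 8 == 13 */
}
int main(void) { printf("refusal mask %u (expect 13)\n", demo_verdicts()); return 0; }
```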

Claims (1)

1. An executable file full-life-cycle safety management system under a WINDOWS system, characterized in that, by using the file filter control interface, the program start notification interface and the inter-process access behaviour callback interface provided by the Windows operating system, file access control, program start intervention control and inter-process behaviour intervention control are combined so as to comprehensively strengthen the security of executable files under the Windows operating system over their full life cycle, the system comprising: (1) a file system access control module; (2) a program start control module; (3) a program run control module; (4) a rule configuration application program module, wherein:
(1) the file system access control module is implemented as a file system filter kernel driver; according to the executable files involved in the application programs and the system of the current operating system, access rules are configured flexibly, including rules for specific files and fuzzy rules containing wildcards, and all access rules are stored in this module's rule linked list; the file system filter kernel driver perceives file access operations, including execute, rewrite, delete, rename, move and overwrite, and queries the file access control linked list, so that any illegal access to or tampering with an executable file is prevented; if the system is configured so that files of a certain type may not be executed in the current operating system, then when a file of that type is opened with execute permission the file system filter driver obtains the file's path name, queries the file access control linked list and refuses the open directly, so that an executable file of that type cannot change from the stopped state to the started state;
(2) the program start control module is implemented as a kernel driver; according to the executable files involved in the application programs and the system of the current operating system, access rules are configured flexibly, including rules for specific files and fuzzy rules containing wildcards, and all access rules are stored in this module's rule linked list; at the same time the module registers for the Windows operating system's process creation notification, so that whenever a new process is created in the operating system, the operating system notifies the program start control module; when notified, the program start control module obtains the image file path name of the process about to be created and queries the process creation control linked list, and any illegal process creation or run is blocked directly by this module, so that the corresponding executable file cannot change from the started state to the running state;
(3) the program run control module is implemented as a kernel driver; according to the executable files involved in the application programs and the system of the current operating system, access rules are configured flexibly, including rules for specific files and fuzzy rules containing wildcards, and all access rules are stored in this module's rule linked list; the program run control module perceives inter-process access operations, including writing to the address space memory of a process, creating a remote thread, setting process information, terminating or suspending a process, and duplicating a process handle, and queries the process access control linked list, so that any illegal injection into or destruction of a running process is prevented; if a certain program or service is extremely important in the current operating system and would cause greater harm once stopped, a no-terminate rule may be configured for that program or service, and when the program run control module perceives an action that would terminate that program or service, it obtains the path name of the corresponding executable file, queries the process access control linked list and refuses the action directly, so that the corresponding executable file cannot change from the running state to the stopped state;
(4) the rule configuration application program module is implemented as a Windows application program; it is responsible for installing the file system access control module, the program start control module and the program run control module, for receiving commands to configure the rules of the three modules, and for unloading the three modules from the current operating system.

Priority Application (1)

Application Number Priority Date Filing Date Title
CN201410340330.5A 2014-07-17 2014-07-17 Executable file full-life-cycle safety management system used under WINDOWS system

Publications (2)

Publication Number Publication Date
CN104102857A 2014-10-15
CN104102857B 2017-02-15

Family

ID=51671001

Country Status (1)

Country Link
CN (1) CN104102857B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101311924A (en) * 2007-05-24 2008-11-26 中兴通讯股份有限公司 Graphical user interface browsers system and method
CN102460393A (en) * 2009-05-01 2012-05-16 思杰系统有限公司 Systems and methods for establishing a cloud bridge between virtual storage resources
CN102113334A (en) * 2009-05-19 2011-06-29 松下电器产业株式会社 Recording medium, reproducing device, encoding device, integrated circuit, and reproduction output device
US20130339297A1 (en) * 2012-06-18 2013-12-19 Actifio, Inc. System and method for efficient database record replication using different replication strategies based on the database records

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110472412A (en) * 2019-08-21 2019-11-19 杭州安恒信息技术股份有限公司 The program self-protection method and device monopolized based on kernel
CN110826070A (en) * 2019-11-12 2020-02-21 深信服科技股份有限公司 Bait file hiding method and device, electronic equipment and storage medium
CN112464303A (en) * 2020-11-27 2021-03-09 苏州浪潮智能科技有限公司 Filter drive implementation method, system, equipment and medium
CN112596818A (en) * 2020-12-30 2021-04-02 上海众源网络有限公司 Application program control method, system and device
CN112596818B (en) * 2020-12-30 2023-12-05 上海众源网络有限公司 Application program control method, system and device
CN113688415A (en) * 2021-10-27 2021-11-23 湖南新云网科技有限公司 File management and control method, equipment and storage medium


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant