CN105912945A - Safety reinforcing device and operation method of operating system - Google Patents

Publication number
CN105912945A
Authority
CN
China
Prior art keywords
file
configuration file
protection
module
user
Legal status
Pending
Application number
CN201610204386.7A
Other languages
Chinese (zh)
Inventor
邢希双
Current Assignee
Inspur Electronic Information Industry Co Ltd
Original Assignee
Inspur Electronic Information Industry Co Ltd
Application filed by Inspur Electronic Information Industry Co Ltd
Priority to CN201610204386.7A
Publication of CN105912945A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides an operating system security hardening device and an operation method. The device comprises a file access rule linked list, used to store access rules between configuration files within a server operating system and users; a file protection module; and a detection module. The file protection module intercepts a target user's service request for a target configuration file and, when the access rule for the target user and the target file is to allow access, sends a detection instruction to the detection module; when it receives indication information, it forwards the service request to a processing device so that the processing device performs the corresponding service processing on the target configuration file. The detection module stores a first characteristic value corresponding to each configuration file, calculates a second characteristic value of the target configuration file, and sends the indication information to the file protection module when the first and second characteristic values of the target configuration file are the same. The indication information indicates that the integrity of the target configuration file has not been compromised. The technical solution of the operating system security hardening device and operation method can help improve server security.

Description

An operating system security hardening device and operation method
Technical field
The present invention relates to the field of computer technology, and in particular to an operating system security hardening device and operation method.
Background art
With the development of information technology, the security of the servers that carry out data processing services and store business data is becoming increasingly important.
At present, to prevent intruders from breaking into a server to steal or destroy the business data on it, the server is usually placed in a protected network, and corresponding security hardening software is installed on the server operating system in the form of a firewall. Only application protocols that have been authorized may pass through the firewall. For example, the firewall can forbid the NFS (Network File System) protocol from entering or leaving the protected network, reject packets of various attack types such as IP (Internet Protocol) option source routing attacks and ICMP (Internet Control Message Protocol) redirect attacks, and notify the firewall administrator promptly when under attack.
However, in the above technical solution, because users of the server operating system hold high administrative privileges, once an intruder steals a user's account and password, the intruder obtains, under that user's identity, the right to use the configuration files in the server operating system, and can threaten server security by technical means such as maliciously modifying or deleting the configuration files of the server operating system.
Summary of the invention
Embodiments of the present invention provide an operating system security hardening device and operation method that can improve server security.
In a first aspect, the invention provides an operating system security hardening device, comprising:
a file access rule linked list, used to store the access rules corresponding to each pairing of at least one configuration file in the server operating system with at least one user;
a file protection module, used to intercept a target user's service request for a target configuration file and query the file access rule linked list; when the access rule in the file access rule linked list for the target user and the target file is to allow access, send a detection instruction for the target configuration file to the detection module; and, after receiving the indication information sent by the detection module, forward the intercepted service request to an external processing device, so that the external processing device performs the corresponding service processing on the target configuration file according to the service request;
a detection module, used to store the first characteristic value corresponding to each configuration file; after receiving the detection instruction for the target configuration file, calculate the second characteristic value of the target configuration file; and, when the first characteristic value and the second characteristic value of the target configuration file are identical, send to the file protection module indication information indicating that the integrity of the target configuration file has not been compromised.
Further,
the service processing corresponding to the service request includes: deleting the target configuration file or modifying the target configuration file;
and/or,
the characteristic value includes: a hash value.
Further, the device also includes: an application rule linked list and an application protection module;
the application rule linked list is used to store the execution rule of at least one application;
the application protection module is used to intercept an execution request for a target application and query the application rule linked list; when the execution rule for the target application in the application rule linked list is to allow execution, send a detection instruction for the target application to the detection module; and, after receiving the executable indication sent by the detection module, forward the intercepted execution request to the external processing device, so that the external processing device completes the corresponding service processing according to the execution request;
the detection module is further used to store the third characteristic value corresponding to each application; after receiving the detection instruction for the target application, calculate the fourth characteristic value of the target application; and, when the third characteristic value and the fourth characteristic value of the target application are identical, send to the application protection module an executable indication indicating that the integrity of the target application has not been compromised.
Further, the device also includes: an authorization module and a user protection module;
the authorization module is used to authorize user information for at least one user, where the user information includes a user name, a password parameter and a Universal Serial Bus (USB) authentication parameter; and to grant each user one or more of the following protection options:
adding user information, deleting user information and modifying user information;
the user protection module is used to intercept a login request for a target user and detect whether the user information carried in the login request is user information authorized by the authorization module; if so, forward the login request to the external processing device, so that the external processing device allows the target user to log in; and to intercept an operation instruction directed at the target user and detect whether, among the at least one protection option corresponding to the target user, there is a protection option corresponding to the operation instruction; if there is not, forward the intercepted operation instruction to the external processing device, so that the external processing device completes the corresponding service processing according to the operation instruction.
Further, the device also includes: a process protection linked list and a process protection module;
the process protection linked list is used to store the identification information corresponding to each of at least one business process;
the process protection module is used to intercept a termination instruction for a target business process and query the process protection linked list; when identification information corresponding to the target business process exists in the process protection linked list, forward the termination instruction to the external processing device, so that the external processing device terminates the target business process.
In a second aspect, the invention provides an operation method for the operating system security hardening device of any of the above first aspect, comprising:
S0: preset a file access rule linked list, and use it to store the access rules corresponding to each pairing of at least one configuration file with at least one user;
S1: use the detection module to store the first characteristic value corresponding to each configuration file;
S2: use the file protection module to intercept a target user's service request for a target configuration file and query the file access rule linked list; when the access rule in the file access rule linked list for the target user and the target file is to allow access, send a detection instruction for the target configuration file to the detection module;
S3: use the detection module, after it receives the detection instruction for the target configuration file, to calculate the second characteristic value of the target configuration file; when the first characteristic value and the second characteristic value of the target configuration file are identical, send to the file protection module indication information indicating that the integrity of the target configuration file has not been compromised;
S4: use the file protection module, after it receives the indication information sent by the detection module, to forward the intercepted service request to the external processing device, so that the external processing device performs the corresponding service processing on the target configuration file according to the service request.
Further,
the service processing corresponding to the service request includes: deleting the target configuration file or modifying the target configuration file;
and/or,
the characteristic value includes: a hash value.
Further, the method also includes:
presetting an application rule linked list, and using it to store the execution rule of at least one application; and using the detection module to store the third characteristic value corresponding to each application;
using the application protection module to intercept an execution request for a target application and query the application rule linked list; when the execution rule for the target application in the application rule linked list is to allow execution, sending a detection instruction for the target application to the detection module;
using the detection module, after it receives the detection instruction for the target application, to calculate the fourth characteristic value of the target application; when the third characteristic value and the fourth characteristic value of the target application are identical, sending to the application protection module an executable indication indicating that the integrity of the target application has not been compromised;
using the application protection module, after it receives the executable indication sent by the detection module, to forward the intercepted execution request to the external processing device, so that the external processing device completes the corresponding service processing according to the execution request.
Further, the method also includes:
using the authorization module to authorize user information for at least one user, where the user information includes a user name, a password parameter and a Universal Serial Bus (USB) authentication parameter; and to grant each user one or more of the following protection options:
adding user information, deleting user information and modifying user information;
using the user protection module to intercept a login request for a target user and detect whether the user information carried in the login request is user information authorized by the authorization module; if so, forwarding the login request to the external processing device, so that the external processing device allows the target user to log in; intercepting an operation instruction directed at the target user and detecting whether, among the at least one protection option corresponding to the target user, there is a protection option corresponding to the operation instruction; if there is not, forwarding the intercepted operation instruction to the external processing device, so that the external processing device completes the corresponding service processing according to the operation instruction.
Further, the method also includes:
presetting a process protection linked list, and using it to store the identification information corresponding to each of at least one business process;
using the process protection module to intercept a termination instruction for a target business process and query the process protection linked list; when identification information corresponding to the target business process exists in the process protection linked list, forwarding the termination instruction to the external processing device, so that the external processing device terminates the target business process.
Embodiments of the present invention provide an operating system security hardening device and operation method. The file access rule linked list stores the access rules corresponding to each pairing of at least one configuration file in the server operating system with at least one user, and the file protection module intercepts a target user's service request for a target configuration file, so that permission to access configuration files is restricted. Moreover, even once it is determined that the target user is permitted to access the target configuration file, the integrity of the target configuration file must also be confirmed as not compromised before the intercepted service request is forwarded to the processing device, so that the processing device performs the corresponding service processing on the target configuration file according to the service request. Thus the technical solution of the invention prevents an intruder from maliciously accessing the configuration files of the server operating system under a target user's identity, and from maliciously accessing configuration files that have been tampered with, improving server security.
Brief description of the drawings
To explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structure diagram of an operating system security hardening device provided by one embodiment of the invention;
Fig. 2 is a structure diagram of another operating system security hardening device provided by one embodiment of the invention;
Fig. 3 is a flowchart of an operation method of an operating system security hardening device provided by one embodiment of the invention.
Detailed description of the invention
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in Fig. 1, an embodiment of the present invention provides an operating system security hardening device, comprising:
a file access rule linked list 101, used to store the access rules corresponding to each pairing of at least one configuration file in the server operating system with at least one user;
a file protection module 102, used to intercept a target user's service request for a target configuration file and query the file access rule linked list 101; when the access rule in the file access rule linked list 101 for the target user and the target file is to allow access, send a detection instruction for the target configuration file to the detection module 103; and, after receiving the indication information sent by the detection module 103, forward the intercepted service request to an external processing device, so that the external processing device performs the corresponding service processing on the target configuration file according to the service request;
a detection module 103, used to store the first characteristic value corresponding to each configuration file; after receiving the detection instruction for the target configuration file, calculate the second characteristic value of the target configuration file; and, when the first characteristic value and the second characteristic value of the target configuration file are identical, send to the file protection module 102 indication information indicating that the integrity of the target configuration file has not been compromised.
In one embodiment of the invention, the file access rule linked list stores the access rules corresponding to each pairing of at least one configuration file in the server operating system with at least one user, and the file protection module intercepts a target user's service request for a target configuration file, so that permission to access configuration files is restricted. Moreover, even once it is determined that the target user is permitted to access the target configuration file, the integrity of the target configuration file must also be confirmed as not compromised before the intercepted service request is forwarded to the processing device, so that the processing device performs the corresponding service processing on the target configuration file according to the service request. Thus the technical solution of the invention prevents an intruder from maliciously accessing the configuration files of the server operating system under a target user's identity, and from maliciously accessing configuration files that have been tampered with, improving server security.
Specifically, in a preferred embodiment of the invention, the service processing corresponding to the service request includes: deleting the target configuration file or modifying the target configuration file;
and/or,
the characteristic value includes: a hash value.
In one embodiment of the invention, the permission access model of the server operating system can be rebuilt at the kernel layer of the server operating system, that is, the operating system security hardening device described in the embodiments of the invention is added at the operating system kernel layer. During operating system initialization, access rules between each configuration file and at least one user are dynamically added to or deleted from the file access rule linked list. Specifically, an access rule includes the at least one user corresponding to each configuration file, and whether each configuration file allows the corresponding at least one user to access it. In this way, permission to access the configuration files of the server operating system is restricted, and at the same time the integrity of any accessed configuration file is confirmed as not compromised, preventing an intruder from maliciously invoking configuration files, or maliciously invoking configuration files on the server whose integrity has been compromised, to threaten server security.
Further, to prevent an intruder from stealing or destroying business data on the server by loading a malicious application, or by loading an application on the server whose integrity has been compromised, as shown in Fig. 2, a preferred embodiment of the invention also includes: an application rule linked list 201 and an application protection module 202;
the application rule linked list 201 is used to store the execution rule of at least one application;
the application protection module 202 is used to intercept an execution request for a target application and query the application rule linked list 201; when the execution rule for the target application in the application rule linked list 201 is to allow execution, send a detection instruction for the target application to the detection module 103; and, after receiving the executable indication sent by the detection module 103, forward the intercepted execution request to the external processing device, so that the external processing device completes the corresponding service processing according to the execution request;
the detection module 103 is further used to store the third characteristic value corresponding to each application; after receiving the detection instruction for the target application, calculate the fourth characteristic value of the target application; and, when the third characteristic value and the fourth characteristic value of the target application are identical, send to the application protection module 202 an executable indication indicating that the integrity of the target application has not been compromised.
Further, to improve the security of user accounts, as shown in Fig. 2, a preferred embodiment of the invention also includes: an authorization module 203 and a user protection module 204;
the authorization module 203 is used to authorize user information for at least one user, where the user information includes a user name, a password parameter and a USB (Universal Serial Bus) authentication parameter; and to grant each user one or more of the following protection options:
adding user information, deleting user information and modifying user information;
the user protection module 204 is used to intercept a login request for a target user and detect whether the user information carried in the login request is user information authorized by the authorization module; if so, forward the login request to the external processing device, so that the external processing device allows the target user to log in; and to intercept an operation instruction directed at the target user and detect whether, among the at least one protection option corresponding to the target user, there is a protection option corresponding to the operation instruction; if there is not, forward the intercepted operation instruction to the external processing device, so that the external processing device completes the corresponding service processing according to the operation instruction.
In one embodiment of the invention, login users are authenticated with multiple factors, by combining the password parameter with an additional parameter (for example, a USB authentication parameter) or by using two password parameters, which prevents an intruder who has stolen a user's password from logging in to the server operating system directly. In addition, different protection options can be set for different users to prevent user information from being maliciously modified.
Further, to prevent a running business process from being maliciously terminated, as shown in Fig. 2, a preferred embodiment of the invention also includes: a process protection linked list 206 and a process protection module 205;
the process protection linked list 206 is used to store the identification information corresponding to each of at least one business process;
the process protection module 205 is used to intercept a termination instruction for a target business process and query the process protection linked list 206; when identification information corresponding to the target business process exists in the process protection linked list 206, forward the termination instruction to the external processing device, so that the external processing device terminates the target business process.
In one embodiment of the invention, the identification information of a business process may include the process number of the current business process.
It should be noted that a person skilled in the art should understand that the user protection module monitors and manages users at the time they log in to the server operating system, and that the process protection module, the file protection module and the application protection module can carry out their corresponding functions only once it is confirmed that the target user has logged in to the current server operating system. Therefore, in one embodiment of the invention, as shown in Fig. 2, the user protection module should be connected to the process protection module, the file protection module, the application protection module and the authorization module respectively.
As shown in Fig. 3, an embodiment of the present invention provides an operation method for the operating system security hardening device of any of the above embodiments; the method may include the following steps:
S0: preset a file access rule linked list, and use it to store the access rules corresponding to each pairing of at least one configuration file with at least one user;
S1: use the detection module to store the first characteristic value corresponding to each configuration file;
S2: use the file protection module to intercept a target user's service request for a target configuration file and query the file access rule linked list; when the access rule in the file access rule linked list for the target user and the target file is to allow access, send a detection instruction for the target configuration file to the detection module;
S3: use the detection module, after it receives the detection instruction for the target configuration file, to calculate the second characteristic value of the target configuration file; when the first characteristic value and the second characteristic value of the target configuration file are identical, send to the file protection module indication information indicating that the integrity of the target configuration file has not been compromised;
S4: use the file protection module, after it receives the indication information sent by the detection module, to forward the intercepted service request to the external processing device, so that the external processing device performs the corresponding service processing on the target configuration file according to the service request.
In one embodiment of the invention, the permission access model of the server operating system can be rebuilt at the kernel layer of the server operating system, that is, the operating system security hardening device described in the embodiments of the invention is added at the operating system kernel layer. During operating system initialization, access rules between each configuration file and at least one user are dynamically added to or deleted from the file access rule linked list. Specifically, an access rule includes the at least one user corresponding to each configuration file, and whether each configuration file allows the corresponding at least one user to access it. In this way, permission to access the configuration files of the server operating system is restricted, and at the same time the integrity of any accessed configuration file is confirmed as not compromised, preventing an intruder from maliciously invoking configuration files, or maliciously invoking configuration files on the server whose integrity has been compromised, to threaten server security.
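The S0 to S4 flow above, as a user-space Python simulation. This is an added example, not code from the patent: the class and function names, the use of SHA-256 as the hash, the dictionary standing in for the linked list, the sample files, and re-enrolling the stored value after an authorised modification are all assumptions of the example.

```python
import hashlib
import os
import tempfile

FORWARDED = "forwarded"                # S4: request passed to the processing device
DENIED_BY_RULE = "denied_by_rule"      # S2: no allow rule for this (user, file)
INTEGRITY_FAILED = "integrity_failed"  # S3: stored and recomputed values differ


def file_digest(path):
    # SHA-256 is this example's choice; the description only says "hash value".
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class DetectionModule:
    def __init__(self):
        self._baseline = {}  # path -> first characteristic value

    def enroll(self, path):
        """S1: store the first characteristic value of a configuration file."""
        self._baseline[path] = file_digest(path)

    def is_intact(self, path):
        """S3: recompute the second value and compare; fail closed on any doubt."""
        expected = self._baseline.get(path)
        if expected is None:
            return False
        try:
            return file_digest(path) == expected
        except OSError:
            return False


def processing_device(path, operation, payload):
    """Stand-in for the external processing device: modify or delete the file."""
    if operation == "modify":
        with open(path, "wb") as f:
            f.write(payload)
    elif operation == "delete":
        os.remove(path)
    else:
        raise ValueError("unsupported operation: " + operation)


class FileProtectionModule:
    def __init__(self, detector, rebaseline=True):
        self._rules = {}  # S0: (user, path) -> allowed; a dict replaces the linked list
        self._detector = detector
        self._rebaseline = rebaseline

    def add_rule(self, user, path, allow):
        self._rules[(user, path)] = allow

    def handle(self, user, path, operation, payload=b""):
        if not self._rules.get((user, path), False):  # S2: default deny
            return DENIED_BY_RULE
        if not self._detector.is_intact(path):        # S3
            return INTEGRITY_FAILED
        processing_device(path, operation, payload)   # S4
        # Assumption: the description does not say how the stored value is
        # refreshed after an authorised change; this example re-enrolls the file.
        if operation == "modify" and self._rebaseline:
            self._detector.enroll(path)
        return FORWARDED


def protected(directory, name, content, rebaseline):
    """Create a constructed sample file, enroll it and add an allow rule for alice."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(content)
    detector = DetectionModule()
    detector.enroll(path)
    module = FileProtectionModule(detector, rebaseline)
    module.add_rule("alice", path, True)
    return path, module


def run_demo():
    r = {}
    with tempfile.TemporaryDirectory() as d:
        conf, fpm = protected(d, "service.conf", b"max_sessions=10\n", True)
        r["bob"] = fpm.handle("bob", conf, "modify", b"x\n")  # no rule for bob
        r["alice"] = fpm.handle("alice", conf, "modify", b"max_sessions=20\n")
        with open(conf, "ab") as f:  # change made outside the protection module
            f.write(b"debug=1\n")
        r["after_outside_change"] = fpm.handle("alice", conf, "modify", b"max_sessions=5\n")
        with open(conf, "rb") as f:
            r["content"] = f.read()
        # Without re-enrolling, the second legitimate request is refused.
        other, strict = protected(d, "other.conf", b"a=1\n", False)
        r["strict_first"] = strict.handle("alice", other, "modify", b"a=2\n")
        r["strict_second"] = strict.handle("alice", other, "modify", b"a=3\n")
    return r
```

With `rebaseline=False` the second authorised modification is refused, so a deployment of this scheme needs a defined way to refresh the stored characteristic value after each permitted change.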
Further, to prevent an intruder from stealing or destroying business data on the server by loading a malicious application, or by maliciously loading an application on the server whose integrity has been compromised, a preferred embodiment of the invention also includes: presetting an application rule linked list and using it to store the execution rule of at least one application; and using the detection module to store a third feature value corresponding to each application;
Use the application protection module to intercept an execution request for a target application and query the application rule linked list; when the execution rule for the target application in the application rule linked list is "allow execution", send the detection module a detection instruction for the target application;
After the detection module receives the detection instruction for the target application, use it to calculate a fourth feature value of the target application; when the third feature value and the fourth feature value of the target application are identical, send the application protection module an executable instruction indicating that the integrity of the target application has not been compromised;
After the application protection module receives the executable instruction sent by the detection module, use it to forward the intercepted execution request to the external processing device, so that the external processing device completes the corresponding business processing according to the execution request.
Further, to improve the security of user accounts, a preferred embodiment of the invention also includes:
Use the authorization module to grant user information to at least one user, wherein the user information includes a user name, a password parameter and a USB authentication parameter; and grant each user one or more of the following protection options:
adding user information, deleting user information and modifying user information;
Use the user protection module to intercept a login request for a target user and detect whether the user information carried in the login request is user information granted by the authorization module; if so, forward the login request to the external processing device, so that the external processing device allows the target user to log in. Intercept an operation instruction directed at the target user and detect whether the at least one protection option corresponding to the target user contains a protection option corresponding to the operation instruction; if not, forward the intercepted operation instruction to the external processing device, so that the external processing device completes the corresponding business processing according to the operation instruction.
Further, to prevent a running business process from being maliciously terminated, a preferred embodiment of the invention also includes:
Preset a process protection linked list and use it to store the identification information corresponding to at least one business process;
Use the process protection module to intercept a termination execution instruction for a target business process and query the process protection linked list; when identification information corresponding to the target business process exists in the process protection linked list, forward the termination execution instruction to the external processing device, so that the external processing device terminates the target business process.
It should be noted that the feature value described in the embodiments of the invention may include a hash value, and that the business operations corresponding to a service request include, but are not limited to, deleting the target configuration file and modifying the target configuration file.
The embodiments of the invention have at least the following advantages:
1. The file access rule linked list stores the access rules between at least one configuration file of the server operating system and at least one user, and the file protection module intercepts the target user's service request for the target configuration file, so that the access permissions of configuration files are restricted. Moreover, once it is established that the target user is allowed to access the target configuration file, the integrity of the target configuration file must also be confirmed to be intact before the intercepted service request is forwarded to the processing device, which then performs the corresponding business processing on the target configuration file according to the service request. The technical solution of the invention therefore prevents an intruder from maliciously accessing the configuration files of the server operating system under the identity of the target user, and from maliciously accessing configuration files that have been tampered with, which improves the security of the server.
2. The application rule linked list and the application protection module restrict the execution permissions of applications and prevent an intruder from loading malicious applications on the server; in addition, applications that do have execution permission are also integrity-checked, which further prevents an intruder from maliciously executing applications on the server whose integrity has been compromised.
3. The authorization module and the user protection module grant users multiple encrypted authentication parameters, or a password authentication parameter plus additional parameters such as a USB authentication parameter, so that a user's login information is authenticated several times; this prevents direct login to the server operating system after a user's login password has been stolen. Correspondingly, at least one protection option is granted to each user, which prevents user information from being maliciously modified by an intruder.
4. The process protection linked list and the process protection module apply mandatory access control to the business processes that need protection; business processes protected in the process protection linked list cannot be maliciously terminated by an intruder.
It should be noted that in this article, the relational terms of such as first and second etc be used merely to by One entity or operation separate with another entity or operating space, and not necessarily require or imply this Relation or the order of any this reality is there is between a little entities or operation.And, term " includes ", " comprise " or its any other variant is intended to comprising of nonexcludability, so that include that one is The process of row key element, method, article or equipment not only include those key elements, but also include the brightest Other key elements really listed, or also include intrinsic for this process, method, article or equipment Key element.In the case of there is no more restriction, statement " include a 〃 " and limit Key element, it is not excluded that there is also another in including the process of described key element, method, article or equipment Outer same factor.
One of ordinary skill in the art will appreciate that: realize all or part of step of said method embodiment Can be completed by the hardware that programmed instruction is relevant, aforesaid program can be stored in embodied on computer readable Storage medium in, this program upon execution, performs to include the step of said method embodiment;And it is aforementioned Storage medium include: various Jie that can store program code such as ROM, RAM, magnetic disc or CD In matter.
Last it should be understood that the foregoing is only presently preferred embodiments of the present invention, it is merely to illustrate this The technical scheme of invention, is not intended to limit protection scope of the present invention.All spirit in the present invention and former Any modification, equivalent substitution and improvement etc. done within then, are all contained in protection scope of the present invention.

Claims (10)

1. An operating system security hardening device, characterized by comprising:
a file access rule linked list, used to store the access rules between at least one configuration file in the server operating system and at least one user;
a file protection module, used to intercept a target user's service request for a target configuration file and query the file access rule linked list; when the access rule for the target user and the target file in the file access rule linked list is "allow access", to send the detection module a detection instruction for the target configuration file; and, after receiving the indication information sent by the detection module, to forward the intercepted service request to the external processing device, so that the external processing device performs the corresponding business processing on the target configuration file according to the service request;
a detection module, used to store a first feature value corresponding to each configuration file; after receiving the detection instruction for the target configuration file, to calculate a second feature value of the target configuration file; and, when the first feature value and the second feature value of the target configuration file are identical, to send the file protection module indication information indicating that the integrity of the target configuration file has not been compromised.
2. The operating system security hardening device according to claim 1, characterized in that
the business processing corresponding to the service request includes: deleting the target configuration file or modifying the target configuration file;
and/or,
the feature value includes: a hash value.
3. The operating system security hardening device according to claim 1, characterized by further comprising: an application rule linked list and an application protection module;
the application rule linked list is used to store the execution rule of at least one application;
the application protection module is used to intercept an execution request for a target application and query the application rule linked list; when the execution rule for the target application in the application rule linked list is "allow execution", to send the detection module a detection instruction for the target application; and, after receiving the executable instruction sent by the detection module, to forward the intercepted execution request to the external processing device, so that the external processing device completes the corresponding business processing according to the execution request;
the detection module is further used to store a third feature value corresponding to each application; after receiving the detection instruction for the target application, to calculate a fourth feature value of the target application; and, when the third feature value and the fourth feature value of the target application are identical, to send the application protection module an executable instruction indicating that the integrity of the target application has not been compromised.
4. The operating system security hardening device according to claim 1, characterized by further comprising: an authorization module and a user protection module;
the authorization module is used to grant user information to at least one user, wherein the user information includes a user name, a password parameter and a Universal Serial Bus (USB) authentication parameter; and to grant each user one or more of the following protection options:
adding user information, deleting user information and modifying user information;
the user protection module is used to intercept a login request for a target user and detect whether the user information carried in the login request is user information granted by the authorization module; if so, to forward the login request to the external processing device, so that the external processing device allows the target user to log in; and to intercept an operation instruction directed at the target user and detect whether the at least one protection option corresponding to the target user contains a protection option corresponding to the operation instruction; if not, to forward the intercepted operation instruction to the external processing device, so that the external processing device completes the corresponding business processing according to the operation instruction.
5. The operating system security hardening device according to any one of claims 1 to 4, characterized by further comprising: a process protection linked list and a process protection module;
the process protection linked list is used to store the identification information corresponding to at least one business process;
the process protection module is used to intercept a termination execution instruction for a target business process and query the process protection linked list; when identification information corresponding to the target business process exists in the process protection linked list, to forward the termination execution instruction to the external processing device, so that the external processing device terminates the target business process.
6. An operation method of the operating system security hardening device according to any one of claims 1 to 5, characterized by comprising:
presetting a file access rule linked list and using it to store the access rules between at least one configuration file and at least one user;
using the detection module to store a first feature value corresponding to each configuration file;
using the file protection module to intercept a target user's service request for a target configuration file and query the file access rule linked list; when the access rule for the target user and the target file in the file access rule linked list is "allow access", sending the detection module a detection instruction for the target configuration file;
after the detection module receives the detection instruction for the target configuration file, using it to calculate a second feature value of the target configuration file; when the first feature value and the second feature value of the target configuration file are identical, sending the file protection module indication information indicating that the integrity of the target configuration file has not been compromised;
after the file protection module receives the indication information sent by the detection module, using it to forward the intercepted service request to the external processing device, so that the external processing device performs the corresponding business processing on the target configuration file according to the service request.
7. The method according to claim 6, characterized in that
the business processing corresponding to the service request includes: deleting the target configuration file or modifying the target configuration file;
and/or,
the feature value includes: a hash value.
8. The method according to claim 6, characterized by further comprising:
presetting an application rule linked list and using it to store the execution rule of at least one application; and using the detection module to store a third feature value corresponding to each application;
using the application protection module to intercept an execution request for a target application and query the application rule linked list; when the execution rule for the target application in the application rule linked list is "allow execution", sending the detection module a detection instruction for the target application;
after the detection module receives the detection instruction for the target application, using it to calculate a fourth feature value of the target application; when the third feature value and the fourth feature value of the target application are identical, sending the application protection module an executable instruction indicating that the integrity of the target application has not been compromised;
after the application protection module receives the executable instruction sent by the detection module, using it to forward the intercepted execution request to the external processing device, so that the external processing device completes the corresponding business processing according to the execution request.
9. The method according to claim 6, characterized by further comprising:
using the authorization module to grant user information to at least one user, wherein the user information includes a user name, a password parameter and a Universal Serial Bus (USB) authentication parameter; and granting each user one or more of the following protection options:
adding user information, deleting user information and modifying user information;
using the user protection module to intercept a login request for a target user and detect whether the user information carried in the login request is user information granted by the authorization module; if so, forwarding the login request to the external processing device, so that the external processing device allows the target user to log in; intercepting an operation instruction directed at the target user and detecting whether the at least one protection option corresponding to the target user contains a protection option corresponding to the operation instruction; if not, forwarding the intercepted operation instruction to the external processing device, so that the external processing device completes the corresponding business processing according to the operation instruction.
10. The method according to any one of claims 6 to 9, characterized by further comprising:
presetting a process protection linked list and using it to store the identification information corresponding to at least one business process;
using the process protection module to intercept a termination execution instruction for a target business process and query the process protection linked list; when identification information corresponding to the target business process exists in the process protection linked list, forwarding the termination execution instruction to the external processing device, so that the external processing device terminates the target business process.
CN201610204386.7A 2016-04-05 2016-04-05 Safety reinforcing device and operation method of operating system Pending CN105912945A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610204386.7A CN105912945A (en) 2016-04-05 2016-04-05 Safety reinforcing device and operation method of operating system


Publications (1)

Publication Number Publication Date
CN105912945A true CN105912945A (en) 2016-08-31

Family

ID=56744520


Country Status (1)

Country Link
CN (1) CN105912945A (en)



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20160831