CN107403090A - A kind of sandbox redirecting structure of striding equipment deployment - Google Patents


Info

Publication number: CN107403090A
Authority: CN (China)
Prior art keywords: client, service end, sandbox, program, file
Legal status: Pending
Application number: CN201710663566.6A
Other languages: Chinese (zh)
Inventor: 张维加
Current assignee: Individual
Original assignee: Individual

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The present invention provides a sandbox redirection architecture deployed across devices that realizes physical isolation at the file and registry level and builds transparent encryption on the server side. The system comprises a client and a service end; the service end may be the organization's own computer room or a dedicated server. A sandbox redirector is deployed on the client, and a real storage area (a network disk or an AES-encrypted virtual disk) is set up on the service end for each client. The sandbox redirector deployed on the client intercepts the messages and processes of the client system and redirects their paths. It does not identify processes as trusted or untrusted; instead it points the real paths of all of the client's file operations, registry operations and program operations to that client's real storage area on the service end, so that the client's operations are written not to the client system but to the real storage area on the service end, achieving physical separation. The real storage area on the service end may use a transparently encrypted virtual disk, which also provides additional permission control over user processes.

Description

A kind of sandbox redirecting structure of striding equipment deployment
Technical field
The invention belongs to the field of computer and network security.
Background technology
Data leakage incidents currently occur frequently and involve many data types, such as documents, drawings, personal information and source code. The confidential documents of enterprises and institutions, and core technical secrets such as R&D source code and drawings, are easily leaked to the outside through the deliberate actions of internal employees, and may even end up in the hands of competitors. There are currently three main protection schemes on the market: 1) file encryption software; 2) SDC sandboxes; 3) DSA data security isolation. Judging from technical feedback and practice, DSA data security isolation has the larger share of users.
Traditional encryption interferes with normal use, data can still be leaked after decryption, and, because it is slow, it has largely been eliminated from the market.
DSA data security isolation is one of the effective means among current data leakage prevention techniques. It is mainly used to prevent the leakage of source code in software and hardware development enterprises or departments, and can protect source code whether it resides on terminals or on servers such as SVN. Through multiple isolation techniques covering disk, storage and network, one or more source-code safe zones are built on demand across multiple terminals. Within a terminal safe zone, source code can be used without restriction and can circulate normally between multiple safe zones without affecting daily work; the necessary control is applied only when source code is about to leave a safe zone. Because the source code itself is never processed during the whole protection process, this fundamentally avoids the stalls, slowness and blue screens that occur when file encryption software is used to encrypt and protect source code.
However, although this is feasible as a protective measure, in real use it can still allow users such as software engineers to leak data. Under DSA control, once a software engineer leaks data the leak can be traced and prosecuted, but it is difficult to recover the massive losses the leak has caused.
In this respect, a sandbox can serve the user: a sandbox does not affect use, and protection remains in force during use rather than being merely isolation. The advantages of the SDC sandbox are:
1) It uses the world's most advanced third-generation transparent encryption technology, a kernel-level defense-in-depth framework;
2) Confidential data is encrypted as it lands on the server while in use;
3) Encryption is fully transparent and does not affect staff efficiency or habits;
4) All file formats can be protected, including all document formats, all source code formats and drawing formats; it is safe and stable and does not corrupt files;
5) Outgoing mail and files are audited, confidential documents can be encrypted automatically, and outgoing results are recorded;
6) Non-client machines cannot access the confidential end, while the data of the confidential end can be operated on and internet access remains available at the same time;
7) The management end performs policy management and organization management of the confidential ends and clients in the system, collects client logs and manages encryption keys; it also manages outgoing audit and authentication for the confidential ends;
8) The SDC sandbox is suitable for all industries, for example offices, software companies, game companies, manufacturing and finance, and any unit that needs to keep its own secrets;
9) The internal confidential network is unobstructed while external PCs are blocked, forming an isolated island;
10) Non-confidential internet access can be effectively controlled; confidential document content cannot be copied and pasted, uploaded, dragged with the mouse, captured by screenshot or otherwise used by non-confidential programs;
11) When a confidential document is taken out of the confidential environment, the SDC system provides three methods: plaintext outgoing, encrypted outgoing and mail outgoing, effectively controlling the channels by which files circulate;
12) Confidential documents on clients are automatically backed up to the server;
13) Confidential documents on portable PC clients are controlled;
14) SDC sandbox software is difficult to crack, even for programmers proficient in computers;
15) It is widely used; many large enterprises use SDC sandbox software.
However, past sandboxes also have some problems: 1. a traditional sandbox trusts the security of the system, but if the machine controlled by the sandbox is in the hands of a technically skilled employee, then, since the real files are also on that machine, leakage remains possible by cracking the sandbox; 2. once the path to which the sandbox points its real files is obtained or controlled, the files can be stolen; 3. traditional sandboxes are inefficient and reduce work efficiency; 4. confidential and non-confidential program components cannot be treated differently.
Summary of the invention
The present invention designs a sandbox redirection architecture deployed across devices, realizing physical isolation at the file and registry level and building transparent encryption on the server side. Its specific implementation is as follows. First, assume that the subject the system needs to guard against is the user of the client machine (for example the computer of an employee in the R&D department of an enterprise or institution). The system targeted by the invention comprises a client and a service end; the service end may be the unit's computer room or a dedicated server. A redirector (a modified sandbox program) is deployed on the client, and a real storage area (a network disk, virtual disk or folder) corresponding to each client is set up on the service end. The sandbox redirector deployed on the client then intercepts the messages and processes of the client system and redirects their paths. It does not identify processes as trusted or untrusted; instead it directly points the real paths of the client's file operations, registry operations and program operations to that client's real storage area on the service end, so that the client's operations are not written to the client system but to the real storage area on the service end, achieving physical isolation. Depending on whether it is necessary, the real storage area on the service end may be transparently encrypted. The client's redirected region points to a transparently encrypted virtual disk on the service end, and through transparent encryption this virtual disk also implements additional permission control over user processes.
The client does not use a traditional hard disk as storage but uses a storage architecture that is split at the program layer and the file layer, separating confidential operations from non-confidential operations. The architecture comprises the following parts: A. a program-layer storage device, subdivided into two parts: a non-confidential program layer, whose runtime environment is local to the client and which is relatively fast, used for running non-confidential program components such as the Windows system kernel and general application components; and a confidential program layer, including the browser cache, input-method log files, office logs and core components, whose real execution path actually points to the service end; B. a file-layer storage device, which the administrator of the whole security system can mark: files that are large but can run locally are marked as non-confidential storage files, while confidential files point to the real path on the service end.
The service end of the system may be a server, independent of the office's original computer room, dedicated to serving as the sandbox storage path, whose multiple disks are shared as multiple network disks serving as the real storage corresponding to each client machine; alternatively, a sandbox redirection region is created for the computers in a RAM disk on the server, protected with AES encryption and transparent encryption.
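The redirection decision described above (file and registry operations go to the client's own storage area on the service end, the non-confidential program layer stays local, and administrator markings exempt large non-confidential files) can be modelled as a small policy engine. The following is an added illustration, not code from the patent; the server root `\\secstore\sandbox`, the `Policy` field names, the client id and all paths are constructed assumptions. It also rejects `..` components so a redirected path cannot escape the client's storage area, a check the patent's description implies but does not spell out.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hypothetical server-side root under which each client's real storage area lives
# (an assumption: the patent only says "network disk, virtual disk or folder").
SERVER_ROOT = r"\\secstore\sandbox"

def split_path(path: str) -> tuple:
    """Split a Windows path or registry key into (anchor, components), rejecting traversal."""
    p = PureWindowsPath(path)
    parts = p.parts[1:] if p.anchor else p.parts
    if ".." in parts:
        raise ValueError(f"traversal rejected: {path}")
    return p.anchor, parts

def under(path: str, prefix: str) -> bool:
    """Case-insensitive, component-wise check that path lies at or below prefix."""
    a1, c1 = split_path(path)
    a2, c2 = split_path(prefix)
    c1 = tuple(c.lower() for c in c1)
    c2 = tuple(c.lower() for c in c2)
    return a1.lower() == a2.lower() and c1[:len(c2)] == c2

@dataclass(frozen=True)
class Policy:
    """Administrator markings from claim 2 (field names are constructed)."""
    local_programs: tuple      # non-confidential program layer: runs locally
    sensitive_programs: tuple  # confidential program layer: browser cache, IME/office logs
    local_files: tuple         # file-layer paths marked "large but runs locally"

class SandboxRedirector:
    """Per-client redirector: maps each intercepted operation to its real path."""

    def __init__(self, client_id: str, policy: Policy):
        if not client_id.isalnum():          # the id becomes part of a server path
            raise ValueError("client id must be alphanumeric")
        self.policy = policy
        self.store = f"{SERVER_ROOT}\\{client_id}"  # this client's real storage area

    def _to_store(self, kind: str, path: str) -> str:
        _, parts = split_path(path)
        return "\\".join((self.store, kind) + parts)

    def redirect(self, op: str, path: str) -> str:
        """Return the real path to which `op` on `path` is applied."""
        if op == "registry":                 # registry operations are always redirected
            return self._to_store("registry", path)
        if op == "process":
            if any(under(path, p) for p in self.policy.sensitive_programs):
                return self._to_store("programs", path)
            if any(under(path, p) for p in self.policy.local_programs):
                return path                  # non-confidential layer stays local
            return self._to_store("programs", path)  # no trust judgement: default to server
        if op == "file":
            if any(under(path, p) for p in self.policy.local_files):
                return path
            return self._to_store("files", path)
        raise ValueError(f"unknown operation: {op}")

# Constructed policy for one client; the paths are illustrative.
POLICY = Policy(
    local_programs=(r"C:\Windows", r"C:\Program Files"),
    sensitive_programs=(r"C:\Users\alice\AppData\Local\Google\Chrome\User Data",
                        r"C:\Users\alice\AppData\Roaming\Microsoft\Office"),
    local_files=(r"D:\Datasets",),
)

if __name__ == "__main__":
    print(SandboxRedirector("pc017", POLICY).redirect("file", r"C:\Users\alice\src\main.c"))
```

Comparing components rather than string prefixes matters: `C:\Windows2` must not be treated as lying under `C:\Windows`.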
As a specific implementation case, on the basis of the basic architecture above, the implementation case also makes the following settings:
1. Besides redirection, the client also deploys a screen monitor, so that the network administrator can monitor the client's screen; 2. to prevent leakage through memory, interaction between the client's memory and the service end is encrypted; 3. a strict self-protection mechanism is established: the client sandbox process protects itself and verifies a resident guard process, and as soon as the guard process's self-check is abnormal the computer is locked; the guard process can also detect debugging environments, malicious programs and the like, and flags an anomaly as soon as one is found; 4. for the needs of some external work, confidential content in any of the client's safe zones that is to be sent out to a non-confidential region must pass through a transfer program, such as a mail system or an instant messaging system; the transfer program is audited and keeps detailed logs that are available for later query and accountability.
The advantage of the invention is that it combines the advantages of the sandbox, physical isolation and transparent encryption, creating a cross-device redirecting encrypted sandbox system.
Details are given in Figures 1 to 3 of the description. Description of the figures:
Figure 1: deployment diagram of the present invention.
Figure 2: example of the anti-copy leak-prevention function of the present invention.
Figure 3: anti-attack function of the present invention.

Claims (10)

1. A sandbox redirection architecture deployed across devices, the system comprising a client and a service end, wherein a redirector (a modified sandbox program) is deployed on the client, a real storage area (a network disk, virtual disk or folder) corresponding to each client is set up on the service end, and the sandbox redirector deployed on the client intercepts the messages and processes of the client system and redirects their paths; it does not identify processes as trusted or untrusted but directly points the real paths of the client's file operations, registry operations and confidential program operations to the real storage area corresponding to that client on the service end, so that the client's operations are not written to the client system but to the real storage area on the service end, achieving physical isolation.
2. The system according to claim 1, characterized in that the client does not use a traditional hard disk as storage but uses a storage architecture split at the program layer and the file layer, separating confidential operations from non-confidential operations, the architecture comprising: A. a program-layer storage device, subdivided into two parts: a non-confidential program layer, whose runtime environment is local to the client and relatively fast, for running non-confidential program components such as the Windows system kernel and general application components; and a confidential program layer, including the browser cache, input-method log files, office logs and core components, whose real execution path actually points to the service end; B. a file-layer storage device, which the administrator of the whole security system can mark: files that are large but can run locally are marked as non-confidential storage files, while confidential files point to the real path on the service end.
3. The system according to claim 1, characterized in that the client's redirected region points to a transparently encrypted virtual disk on the service end, the sandbox points the client's file operations, registry operations and confidential program operations to that virtual disk, and the virtual disk also implements additional permission control over user processes through transparent encryption.
4. The system according to claim 1, characterized in that the service end of the system is a server, independent of the office's original computer room, dedicated to serving as the sandbox storage path, whose multiple disks are shared as multiple network disks, each mounted and connected separately for its client as the real storage corresponding to that client machine, while the network disks perform transparent encryption and control I/O reads and writes so that different user processes have different permissions.
5. The system according to claim 1, characterized in that the client or the service end of the system creates the sandbox redirection region for the computer in an in-memory virtual hard disk (RAM disk).
6. The system according to claim 1, characterized in that the client device also uses external programs not residing on the client, including but not limited to cloud programs or external virtual programs, to strengthen security.
7. The system according to claim 1, characterized in that, besides redirection, the client also deploys a screen monitor, so that the network administrator can monitor the client's screen.
8. The system according to claim 1, characterized in that interaction between the client's memory and the service end is encrypted.
9. The system according to claim 1, characterized in that the client sandbox process protects itself and verifies the resident guard process, and locks the computer as soon as the guard process's self-check is abnormal.
10. The system according to claim 1, characterized in that confidential content in any of the client's safe zones that is sent out to a non-confidential region must pass through a transfer program, such as a mail system or an instant messaging system; the transfer program is audited and keeps detailed logs that are available for later query and accountability.

Application and publication data

Application number: CN201710663566.6A
Priority date: 2017-08-05
Filing date: 2017-08-05
Publication number: CN107403090A (en)
Publication date: 2017-11-28
Family ID: 60401985
Country status: CN, pending

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020073877A1 (en) * 2018-10-07 2020-04-16 张维加 Distributed computing system deployed across devices
CN111079097A (en) * 2018-10-22 2020-04-28 张维加 Programming development system based on network
CN109413189A (en) * 2018-11-05 2019-03-01 张维加 A kind of electronic trading system based on bottom translation
WO2020094157A1 (en) * 2018-11-05 2020-05-14 张维加 Electronic trading system based on base layer translation

Legal Events

Date Code Title Description
2017-11-28 PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2017-11-28