CN113722736A - Access isolation method of application file, electronic device and readable storage medium - Google Patents


Info

Publication number: CN113722736A
Authority: CN (China)
Prior art keywords: application file, encryption key, access, key, encryption
Legal status: Pending
Application number: CN202111021347.0A
Other languages: Chinese (zh)
Inventor: 李耀
Current assignee: Zebred Network Technology Co Ltd
Original assignee: Zebred Network Technology Co Ltd
Application filed by Zebred Network Technology Co Ltd
Priority to CN202111021347.0A
Publication of CN113722736A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The application provides an access isolation method for an application file, an electronic device and a readable storage medium. The method comprises the following steps: when the electronic device installs the application file or starts it for the first time, deriving an encryption key for the application file and storing it in a secure storage space, the encryption key being different from the encryption key of every existing application file; installing the encryption key in the system key ring of the electronic device, setting the owner of the encryption key to the application file, setting the access right of the encryption key to owner-only, and setting a mandatory access control key label; setting an encryption policy for the application file; and, on receiving an operation that accesses the application file, looking up the encryption key in the system key ring according to the encryption policy, judging the access authority, and opening the application file only when the access has that authority. The method effectively improves the security of application access and increases the difficulty and cost of offline cracking of the encrypted file system.

Description

Access isolation method of application file, electronic device and readable storage medium
Technical Field
The present application relates to the field of driving technologies, and in particular, to an access isolation method for an application file, an electronic device, and a readable storage medium.
Background
File encryption transforms the original data through an encryption algorithm so that an unauthorized party cannot obtain the file's contents, thereby protecting the file while offering good stability, security and convenience.
At present, in existing file encryption mechanisms, once an attacker obtains file access rights while the system is running, the user's application data files can be opened at will, which compromises the safe use of user files and reduces security.
Disclosure of Invention
In view of the above, the present application provides an access isolation method for an application file, an electronic device and a readable storage medium, which are used to solve the problem of low security mentioned in the background above.
Some embodiments of the present application provide an access isolation method for application files. The present application is described below in terms of several aspects, embodiments and advantages of which are mutually referenced.
In a first aspect, the present application provides an access isolation method for an application file, which is applied to an electronic device, and includes:
when the electronic device installs the application file or starts it for the first time, deriving an encryption key for the application file and storing the encryption key in a secure storage space, wherein the encryption key is different from the encryption key of every existing application file on the electronic device;
installing, by the electronic device, the encryption key in a system key ring of the electronic device, setting the owner of the encryption key to the application file, setting the access authority of the encryption key to owner-only, and setting a mandatory access control key label;
setting, by the electronic device, an encryption policy for the application file based on the encryption key installed in the system key ring, its owner, its access right and its mandatory access control key label;
when the electronic device receives an operation to access the application file, searching the system key ring for the encryption key corresponding to the application file according to the encryption policy, judging from the owner of the encryption key whether the access has the access right, and opening the application file when it does.
As an embodiment of the first aspect of the present invention, when the system of the electronic device is started or logged in, the electronic device installs the already stored encryption key in the system key ring in a unified manner.
As an embodiment of the first aspect of the present invention, when the electronic device receives an operation of accessing an application file, the electronic device finds an encryption key corresponding to the application file from a system key ring according to an encryption policy, including: the electronic equipment searches the encryption key corresponding to the application file from the system key ring according to the encryption strategy, and records the owner of the access authority of the encryption key and the mandatory access control key label in the inode of the application file.
As an embodiment of the first aspect of the present invention, when the electronic device receives an operation to access an application file, the electronic device determines whether the access has an access right according to an access right of an encryption key recorded in the inode and a mandatory access control policy.
As an embodiment of the first aspect of the present invention, when the access does not have the access right, the application file is denied to be opened, and the system returns an opening failure notification to the application file layer of the electronic device.
As an embodiment of the first aspect of the present invention, the electronic device setting an encryption policy for the application file based on the encryption key installed in the system key ring, its owner, its access right and its mandatory access control key tag includes: the electronic device creates a data directory for the application file and stores the encryption policy in an extended attribute of that data directory.
As an embodiment of the first aspect of the invention, the method further comprises: when the electronic equipment receives the uninstalling operation of the application file, the electronic equipment responds to the operation, deletes the encryption key in the safe storage space and clears the encryption key information in the system key ring.
As an embodiment of the first aspect of the present invention, the electronic device finding the encryption key corresponding to the application file in the system key ring according to the encryption policy includes: the electronic device decrypts, based on the user identity, the encryption key associated with that user identity within the system key ring.
In a second aspect, the present application further provides an electronic device, comprising:
the generation module is used for deriving an encryption key for the application file when the application file is installed or started for the first time and storing the encryption key in the secure storage space, wherein the encryption key is different from the encryption key of the existing application file on the electronic equipment;
a setting module, configured to install the encryption key in the system key ring of the electronic device, set the owner of the encryption key to the application file, set the access authority of the encryption key to owner-only, and set a mandatory access control key label;
a processing module, configured to set an encryption policy for the application file based on the encryption key installed in the system key ring, its owner, its access authority and its mandatory access control key label;
when the processing module receives an operation of accessing the application file, the processing module searches an encryption key corresponding to the application file from the system key ring according to the encryption strategy, judges whether the access has an access right according to an owner of the encryption key, and opens the application file when the access has the access right.
As an embodiment of the second aspect of the present invention, when the system is started or logged in, the setting module installs the already stored encryption key in the system key ring in a unified manner.
As an embodiment of the second aspect of the present invention, the processing module finds the corresponding encryption key of the application file from the system key ring according to the encryption policy, and records the owner of the access right of the encryption key and the mandatory access control key tag in the inode of the application file.
As an embodiment of the second aspect of the present invention, when the processing module receives an operation of accessing an application file, the processing module determines whether the access has an access right according to an access right of an encryption key and a mandatory access control policy recorded in the inode.
As an embodiment of the second aspect of the present invention, when the access does not have access rights, the processing module denies opening the application file and the system returns an open failure notification to the application file layer.
As an embodiment of the second aspect of the present invention, the setting module is further configured to: and creating a data directory of the application file, and setting the encryption strategy in the extended attribute of the data directory.
As an embodiment of the second aspect of the present invention, when the processing module receives an uninstall operation on the application file, the processing module is further configured to delete the encryption key in the secure storage space and clear the encryption key information in the system key ring in response to the uninstall operation.
As an embodiment of the second aspect of the present invention, the processing module is further configured to: based on the user identity, decrypt the encryption key associated with that user identity within the system key ring.
In a third aspect, the present application further provides an electronic device, including:
a memory for storing instructions for execution by one or more processors of the device, and
A processor configured to perform the method of the first aspect.
In a fourth aspect, the present application further provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, causes the processor to execute the method of the first aspect.
Drawings
FIG. 1 is a software architecture diagram of an exemplary electronic device of the present application;
FIG. 2 is a flow diagram of an application file encryption process according to one embodiment of the present application;
FIG. 3 is a flow diagram of a process for accessing application files according to one embodiment of the present application;
FIG. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application;
FIG. 6 is a block diagram of an apparatus of some embodiments of the present application;
FIG. 7 is a block diagram of a system on a chip (SoC) in accordance with some embodiments of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application.
The Linux kernel supports file-system-level encryption, for example for the f2fs and ext4 file systems, and the file encryption system of Android is built on top of it. In Android, the system allocates a file encryption key to each user, but all file data of the same user are encrypted with that one key, and any privileged service process, or any process with file access permission, can access the encrypted files or directories at will while the system is running, which reduces security.
Therefore, the invention increases the difficulty and cost of offline cracking of the encrypted file system by giving each application its own encryption key for its application files. At the same time, access control on the file encryption key restricts privileged processes and other applications from accessing the data file across application boundaries, which increases the security of the file encryption system at runtime.
Referring to fig. 1, fig. 1 schematically illustrates a software architecture of an electronic device. The software architecture may be a layered architecture, an event-driven architecture, a micro-core architecture, a micro-service architecture, or a cloud architecture. The embodiment of the invention takes an Android system with a layered architecture as an example, and exemplarily illustrates a software structure of an electronic device. As shown in fig. 1, the architecture diagram includes an application layer, a framework layer, a system library, and a kernel layer. In particular, the application layer may include a number of applications, such as video, picture, etc. applications. The framework layer includes key security storage services, notification management, and the like. When the electronic equipment downloads the application, the framework layer derives a file encryption key for the application through the key security storage service, and stores the file encryption key in a storage space of the service in a persistent mode, and the owner of the key is set to be the application so as to determine whether subsequent access has the right or not. The system library comprises a system key ring during android system operation. When the system is started or logged in, the encryption key stored in the key secure storage service space will be installed in the system keyring. The kernel layer includes various drivers such as audio drivers, display drivers, and the like. When a user wants to open a video application of an application layer, the video driver searches an encryption key of a specified video application file from a system key ring, and the system determines that the access of the video driver has the authority, and then allows the video driver to open the video application. 
The invention encrypts each application, and each application has different encryption keys, thereby increasing the difficulty and cost of offline cracking of the encrypted file system and improving the safety of each application.
The access isolation method for application files of the present application is described below with reference to specific embodiments.
Referring to fig. 2, fig. 2 is a flow chart illustrating an application file encryption process, as shown in fig. 2, including the following steps:
S210, the electronic device installs the application and creates the application data directory. For example, when an APP is installed, an application data directory is created for it, so that each application has its own data directory.
S220, the electronic device derives an encryption key for the application. The electronic device can generate the encryption key for the APP randomly through the key security storage service, ensuring that the key set for each APP differs from every other, so that each application is opened with a different key; this increases the difficulty and cost of cracking an application's key and protects each application individually. In addition, the electronic device persistently stores the encryption key in the storage module of the key security storage service.
S230, after the system starts, the stored encryption key is installed into the system key ring, and an owner, an access right, a mandatory access control label and so on are set for the key. Specifically, the owner of the encryption key is set to the corresponding application, and only that application can access the encryption key, which prevents access by other applications. Through the mandatory access control label, other privileged applications or privileged processes may still be allowed access in some cases. For example, read down (RD): a read operation is allowed when the security level of the subject is higher than that of the application; read up (RU): a read operation is allowed when the security level of the subject is lower than that of the application; and so on.
S240, the electronic device sets a key policy for the encryption key. The key policy comprises the storage location of the key, namely the system key ring in which it is stored, as well as the owner, access right and mandatory access control label set for the key. When an access subject appears, the key policy is used to locate the encrypted key in the system key ring and to carry out the permission check and so on.
S250, the electronic device sets the key policy in the extended attribute of the application data directory, so that the key policy can be obtained when the directory is accessed.
With the above method, the present invention not only derives an encryption key for each application and stores the key in the system without any user operation, but also achieves access isolation between applications.
Referring to fig. 3, fig. 3 is a flow chart illustrating a process of accessing an application file, as shown in fig. 3, including the steps of:
The electronic device receives an instruction to open an application. The electronic device locates the corresponding index node (inode) from the path of the application file. The inode can store a reference (ref) to the key. This ref is obtained when the electronic device opens an application file or directory for the first time: the specified key is searched from the system key ring according to the file encryption policy, the permission is checked once the key is found, and the key ref is recorded in the file's inode.
When the electronic device judges that the file is an encrypted file, it further judges whether the encryption information in the inode is empty.
If it is not empty, it checks whether the current process has permission to access the key, and opens the application when the access is authorized.
If it is empty, it reads the encryption policy from the extended attribute of the application data directory and searches the system keyring for the matching key according to the encryption policy.
If no matching key is found, the access fails and the error ENOKEY is returned to the application layer.
If the matching key is found, it further judges whether the current process has permission to access the key.
If the access is not authorized, the access fails and a failure message is returned to the application layer.
If the access is authorized, the key ref is recorded in the inode and the application is opened.
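The installation flow of FIG. 2 and the open-path decision of FIG. 3 as one added simulation. This is editor-added example code, not the patent's implementation: the key ring, inodes and extended attributes are in-memory dictionaries standing in for the kernel objects, the key description naming scheme is constructed, and the MAC check implements only the read-down rule given in S230.

```python
import errno
import os
from dataclasses import dataclass
from typing import Dict, Optional

ENOKEY = getattr(errno, "ENOKEY", 126)  # "required key not available"


@dataclass
class KeyEntry:
    """Key as installed in the system key ring (S230) with owner and MAC label."""
    key: bytes
    owner_app: str
    owner_uid: int
    mac_level: int


@dataclass
class Policy:
    """Encryption policy kept in the data directory's xattr (S240/S250)."""
    key_desc: str  # where the key lives in the system key ring
    owner_app: str
    mac_level: int


@dataclass
class Inode:
    key_ref: Optional[str] = None  # key ref cached on first open (fig. 3)


@dataclass
class Subject:
    """The accessing process: application identity, user and MAC level."""
    app: str
    uid: int
    mac_level: int = 0


class Device:
    def __init__(self) -> None:
        self.secure_storage: Dict[str, KeyEntry] = {}  # key security storage service
        self.keyring: Dict[str, KeyEntry] = {}  # system key ring, runtime only
        self.xattrs: Dict[str, Policy] = {}  # data directory -> encryption policy
        self.inodes: Dict[str, Inode] = {}

    @staticmethod
    def key_desc(app: str, uid: int) -> str:
        return f"app:{app}:uid:{uid}"  # constructed naming scheme (assumption)

    def install_app(self, app: str, uid: int = 0, mac_level: int = 0) -> str:
        """S210-S250: data directory, fresh key, key ring entry, policy xattr."""
        desc = self.key_desc(app, uid)
        in_use = {e.key for e in self.secure_storage.values()}
        key = os.urandom(32)
        while key in in_use:  # S220: must differ from every existing app key
            key = os.urandom(32)
        entry = KeyEntry(key, app, uid, mac_level)
        self.secure_storage[desc] = entry  # persisted by the key storage service
        self.keyring[desc] = entry  # installed at first start
        data_dir = f"/data/data/{app}/{uid}"
        self.xattrs[data_dir] = Policy(desc, app, mac_level)
        return data_dir

    def create_file(self, path: str) -> None:
        self.inodes[path] = Inode()  # every file in a data directory is encrypted

    def reboot(self) -> None:  # key ring and cached inode refs are not persistent
        self.keyring.clear()
        for ino in self.inodes.values():
            ino.key_ref = None

    def login(self) -> None:  # boot/login: reinstall all stored keys (S230)
        self.keyring.update(self.secure_storage)

    def uninstall_app(self, app: str, uid: int = 0) -> None:
        desc = self.key_desc(app, uid)  # purge from secure storage and key ring
        self.secure_storage.pop(desc, None)
        self.keyring.pop(desc, None)

    @staticmethod
    def _permitted(subject: Subject, entry: KeyEntry) -> bool:
        if subject.app == entry.owner_app and subject.uid == entry.owner_uid:
            return True  # owner permission on the key
        # MAC read-down rule (S230): subject level strictly higher than the app's
        return subject.mac_level > entry.mac_level

    def open_file(self, subject: Subject, path: str) -> int:
        """Fig. 3 open path: 0 on success, otherwise a negative errno."""
        inode = self.inodes[path]
        entry = self.keyring.get(inode.key_ref) if inode.key_ref else None
        if entry is None:  # inode encryption info empty (or stale after uninstall)
            policy = self.xattrs.get(os.path.dirname(path))
            if policy is None or policy.key_desc not in self.keyring:
                return -ENOKEY  # no matching key in the system key ring
            entry = self.keyring[policy.key_desc]
            if not self._permitted(subject, entry):
                return -errno.EACCES
            inode.key_ref = policy.key_desc  # record the key ref in the inode
            return 0
        return 0 if self._permitted(subject, entry) else -errno.EACCES
```

A reboot empties the key ring and the cached refs, so opens fail with ENOKEY until `login()` reinstalls the stored keys, and an uninstall makes a still-cached ref stale so the next open falls back to the policy lookup and fails the same way.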
According to the access method, the encrypted application can be effectively protected, and the application is prevented from being opened by any process. The safety of the application is improved.
In addition, when the user identity is added to the key policy, encryption can be performed according to the user identity, so that for the same application the encryption key differs when different users use it. The security of the application file is further improved.
With reference to fig. 4, the present application further provides an electronic device comprising:
the generating module 410 is configured to derive an encryption key for the application file when the application file is installed or started for the first time, and store the encryption key in the secure storage space, where the encryption key is different from an encryption key of an existing application file on the electronic device;
a setting module 420, configured to install an encryption key in a system key ring of an electronic device, set an owner of the encryption key as an application file, set an access right of the encryption key as the owner, and set a mandatory access control key tag;
the processing module 430 is configured to set an encryption policy for the application file based on the encryption key installed in the system key ring, its owner, its access authority and its mandatory access control key tag;
when the processing module 430 receives an operation of accessing an application file, it searches the system key ring for the encryption key corresponding to the application file according to the encryption policy, judges from the owner of the encryption key whether the access has the access right, and opens the application file when it does.
According to one embodiment of the invention, the setup module 420 installs the stored encryption key in the system key ring when the system is started or logged in.
According to an embodiment of the present invention, the processing module 430 finds the corresponding encryption key of the application file from the system key ring according to the encryption policy, and records the owner of the access right of the encryption key and the mandatory access control key tag in the index node of the application file.
According to an embodiment of the present invention, when the processing module 430 receives an operation of accessing an application file, the processing module determines whether the access has an access right according to an access right of an encryption key recorded in the inode and a mandatory access control policy.
When the access does not have access rights, the processing module 430 denies the opening of the application file and the system returns an open failure notification to the application file layer, according to one embodiment of the invention.
According to an embodiment of the invention, the setup module 420 is further configured to: and creating a data directory of the application file, and setting the encryption strategy in the extended attribute of the data directory.
When the processing module 430 receives an uninstall operation for an application file, the processing module is further configured to delete the encryption key in the secure storage space and clear the encryption key information in the system key ring in response to the operation, according to an embodiment of the present invention.
According to an embodiment of the invention, the processing module 430 is further configured to: based on the user identity, decrypt the encryption key associated with that user identity within the system key ring.
The working process and the function of each module of the electronic device of the present invention have been described in detail in the above embodiments, and refer to the description of the method in fig. 2 and fig. 3 in the above embodiments, which are not described herein again.
With reference to fig. 5, the present application further provides an electronic device comprising:
a memory 510 for storing instructions for execution by one or more processors of the device, and
A processor 520 for performing the methods shown in fig. 2 and 3 of the above embodiments.
The present application also provides a computer-readable storage medium, which stores a computer program, which, when executed by a processor, causes the processor to perform the method shown in fig. 2 and 3 of the above-described embodiments.
Referring now to FIG. 6, shown is a block diagram of an apparatus 1200 in accordance with one embodiment of the present application. The device 1200 may include one or more processors 1201 coupled to a controller hub 1203. For at least one embodiment, the controller hub 1203 communicates with the processor 1201 via a multi-drop Bus such as a Front Side Bus (FSB), a point-to-point interface such as a Quick Path Interconnect (QPI), or similar connection 1206. The processor 1201 executes instructions that control general types of data processing operations. In one embodiment, Controller Hub 1203 includes, but is not limited to, a Graphics Memory Controller Hub (GMCH) (not shown) and an Input/Output Hub (IOH) (which may be on separate chips) (not shown), where the GMCH includes a Memory and a Graphics Controller and is coupled to the IOH.
The device 1200 may also include a coprocessor 1202 and a memory 1204 coupled to the controller hub 1203. Alternatively, one or both of the memory and the GMCH may be integrated within the processor (as described herein), with the memory 1204 and the coprocessor 1202 being directly coupled to the processor 1201 and to the controller hub 1203, and with the controller hub 1203 and the IOH being in a single chip. The memory 1204 may be, for example, a dynamic random access memory (DRAM), a phase change memory (PCM), or a combination of the two. In one embodiment, the coprocessor 1202 is a special-purpose processor, such as, for example, a high-throughput MIC processor, a network or communication processor, a compression engine, a graphics processor, a general purpose graphics processor (GPGPU), an embedded processor, or the like. The optional nature of the coprocessor 1202 is represented in FIG. 6 by dashed lines.
The memory 1204, as a computer-readable storage medium, may include one or more tangible, non-transitory computer-readable media for storing data and/or instructions. For example, the memory 1204 may include any suitable non-volatile memory, such as flash memory, and/or any suitable non-volatile storage device, such as one or more hard disk drives (HDDs), one or more compact disc (CD) drives, and/or one or more digital versatile disc (DVD) drives.
In one embodiment, device 1200 may further include a Network Interface Controller (NIC) 1206. Network interface 1206 may include a transceiver to provide a radio interface for device 1200 to communicate with any other suitable device (e.g., front end module, antenna, etc.). In various embodiments, the network interface 1206 may be integrated with other components of the device 1200. The network interface 1206 may implement the functions of the communication unit in the above-described embodiments.
The device 1200 may further include an Input/Output (I/O) device 1205. I/O1205 may include: a user interface designed to enable a user to interact with the device 1200; the design of the peripheral component interface enables peripheral components to also interact with the device 1200; and/or sensors may be configured to determine environmental conditions and/or location information associated with device 1200.
It is noted that FIG. 6 is merely exemplary. That is, although FIG. 6 shows that the apparatus 1200 includes a plurality of devices, such as the processor 1201, the controller hub 1203, the memory 1204, etc., in practical applications an apparatus using the methods of the present application may include only some of the devices of the apparatus 1200, for example only the processor 1201 and the NIC 1206. The optional devices in FIG. 6 are shown in dashed lines.
According to some embodiments of the present application, the memory 1204 serving as a computer-readable storage medium stores instructions, which when executed on a computer, enable the system 1200 to perform the calculation method according to the above embodiments, which may specifically refer to the methods shown in fig. 2 and fig. 3 in the above embodiments, and will not be described herein again.
Referring now to fig. 7, shown is a block diagram of a SoC (System on Chip) 1300 in accordance with an embodiment of the present application. In fig. 7, similar components have the same reference numerals. In addition, the dashed box is an optional feature of more advanced socs. In fig. 7, SoC1300 includes: an interconnect unit 1350 coupled to the application processor 1310; a system agent unit 1380; a bus controller unit 1390; an integrated memory controller unit 1340; a set or one or more coprocessors 1320 which may include integrated graphics logic, an image processor, an audio processor, and a video processor; a Static Random Access Memory (SRAM) unit 1330; a Direct Memory Access (DMA) unit 1360. In one embodiment, the coprocessor 1320 includes a special-purpose processor, such as, for example, a network or communication processor, compression engine, GPGPU, a high-throughput MIC processor, embedded processor, or the like.
Included in Static Random Access Memory (SRAM) unit 1330 may be one or more computer-readable media for storing data and/or instructions. A computer-readable storage medium may have stored therein instructions, in particular, temporary and permanent copies of the instructions. The instructions may include: when executed by at least one unit in the processor, the Soc1300 may execute the calculation method according to the foregoing embodiments, which may specifically refer to the methods shown in fig. 2 and fig. 3 in the foregoing embodiments, and details thereof are not repeated herein.
Embodiments of the mechanisms disclosed herein may be implemented in hardware, software, firmware, or a combination of these implementations. Embodiments of the application may be implemented as computer programs or program code executing on programmable systems comprising at least one processor, a storage system (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device.
Program code may be applied to input instructions to perform the functions described herein and generate output information. The output information may be applied to one or more output devices in a known manner. For purposes of this application, a processing system includes any system having a processor such as, for example, a Digital Signal Processor (DSP), a microcontroller, an Application Specific Integrated Circuit (ASIC), or a microprocessor.
The program code may be implemented in a high level procedural or object oriented programming language to communicate with a processing system. The program code can also be implemented in assembly or machine language, if desired. Indeed, the mechanisms described in this application are not limited in scope to any particular programming language. In any case, the language may be a compiled or interpreted language.
In some cases, the disclosed embodiments may be implemented in hardware, firmware, software, or any combination thereof. The disclosed embodiments may also be implemented as instructions carried by or stored on one or more transitory or non-transitory machine-readable (e.g., computer-readable) storage media, which may be read and executed by one or more processors. For example, the instructions may be distributed via a network or via other computer-readable media. Thus, a machine-readable medium may include any mechanism for storing or transmitting information in a form readable by a machine (e.g., a computer), including, but not limited to, floppy diskettes, optical disks, Compact Disc Read-Only Memories (CD-ROMs), magneto-optical disks, Read-Only Memories (ROMs), Random Access Memories (RAMs), Erasable Programmable Read-Only Memories (EPROMs), Electrically Erasable Programmable Read-Only Memories (EEPROMs), magnetic or optical cards, flash memory, or a tangible machine-readable memory for transmitting information over the Internet in electrical, optical, acoustical or other forms of propagated signals (e.g., carrier waves, infrared signals, digital signals, etc.). Thus, a machine-readable medium includes any type of machine-readable medium suitable for storing or transmitting electronic instructions or information in a form readable by a machine (e.g., a computer).
In the drawings, some features of the structures or methods may be shown in a particular arrangement and/or order. However, it is to be understood that such specific arrangement and/or ordering may not be required. Rather, in some embodiments, the features may be arranged in a manner and/or order different from that shown in the figures. In addition, the inclusion of a structural or methodical feature in a particular figure is not meant to imply that such feature is required in all embodiments, and in some embodiments, may not be included or may be combined with other features.
It should be noted that, in the apparatus embodiments of the present application, each unit/module is a logical unit/module. Physically, one logical unit/module may be one physical unit/module, a part of one physical unit/module, or a combination of multiple physical units/modules. The physical implementation of the logical unit/module itself is not what matters most; the combination of functions implemented by the logical unit/module is the key to solving the technical problem addressed by the present application. Furthermore, in order to highlight the innovative part of the present application, the above apparatus embodiments do not introduce units/modules that are not closely related to solving the technical problems addressed here; this does not mean that no other units/modules exist in those embodiments.
It is noted that, in the examples and descriptions of this patent, relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element introduced by "comprises a" does not exclude the presence of another, identical element in the process, method, article, or apparatus that comprises the element.
While the present application has been shown and described with reference to certain preferred embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present application.

Claims (17)

1. An access isolation method for application files, applied to an electronic device, characterized in that the method comprises the following steps:
when the electronic device installs the application file or starts the application file for the first time, deriving an encryption key for the application file and storing the encryption key in a secure storage space, wherein the encryption key is different from the encryption key of every application file already present on the electronic device;
the electronic device installs the encryption key in a system key ring of the electronic device, sets the owner of the encryption key to the application file, sets the access right of the encryption key to the owner, and sets a mandatory access control key label;
the electronic device sets an encryption policy for the application file based on the encryption key installed in the system key ring, the owner, the access right and the mandatory access control key label;
when the electronic device receives an operation of accessing the application file, the electronic device searches the system key ring for the encryption key corresponding to the application file according to the encryption policy, judges whether the access has the access right according to the owner of the encryption key, and opens the application file when the access has the access right.
2. The method of claim 1, wherein
when the system of the electronic device is started or logged in, the electronic device installs all of the stored encryption keys in the system key ring together.
3. The method of claim 1, wherein when the electronic device receives an operation of accessing the application file, the electronic device finding the encryption key corresponding to the application file in the system key ring according to the encryption policy comprises:
the electronic device searches the system key ring for the encryption key corresponding to the application file according to the encryption policy, and records the owner of the access right of the encryption key and the mandatory access control key label in the index node of the application file.
4. The method according to claim 3, wherein when the electronic device receives an operation of accessing the application file, the electronic device determines whether the access has an access right according to the access right of the encryption key recorded in the index node and a mandatory access control policy.
5. The method of claim 1, wherein when the access does not have access rights, opening the application file is denied and the system returns an open failure notification to an application file layer of the electronic device.
6. The method of claim 1, wherein the electronic device setting an encryption policy for the application file based on the encryption key installed in the system key ring, the owner, the access right and the mandatory access control key label comprises:
the electronic device creates a data directory of the application file and sets the encryption policy in the extended attribute of the data directory.
7. The method of claim 1, further comprising:
when the electronic device receives an uninstalling operation of the application file, the electronic device, in response to the operation, deletes the encryption key from the secure storage space and clears the encryption key information from the system key ring.
8. The method of claim 1, wherein the electronic device retrieving the encryption key corresponding to the application file from the system key ring according to the encryption policy comprises:
the electronic device decrypts, based on a user identity, the encryption key associated with that user identity in the system key ring.
9. An electronic device, comprising:
a generation module, configured to derive an encryption key for the application file when the application file is installed or started for the first time and to store the encryption key in a secure storage space, wherein the encryption key is different from the encryption key of every application file already present on the electronic device;
a setting module, configured to install the encryption key in a system key ring of the electronic device, set the owner of the encryption key to the application file, set the access right of the encryption key to the owner, and set a mandatory access control key label;
a processing module, configured to set an encryption policy for the application file based on the encryption key installed in the system key ring, the owner, the access right and the mandatory access control key label;
wherein, when the processing module receives an operation of accessing the application file, the processing module searches the system key ring for the encryption key corresponding to the application file according to the encryption policy, judges whether the access has the access right according to the owner of the encryption key, and opens the application file when the access has the access right.
10. The electronic device of claim 9, wherein
when the system is started or logged in, the setting module installs all of the stored encryption keys in the system key ring together.
11. The electronic device of claim 9, wherein the processing module searches the system key ring for the encryption key corresponding to the application file according to the encryption policy, and records the owner of the access right of the encryption key and the mandatory access control key label in the index node of the application file.
12. The electronic device of claim 11, wherein when the processing module receives an operation of accessing the application file, the processing module determines whether the access has the access right according to the access right of the encryption key recorded in the index node and a mandatory access control policy.
13. The electronic device of claim 9, wherein when the access does not have the access right, the processing module denies opening of the application file and the system returns an open failure notification to an application file layer.
14. The electronic device of claim 9, wherein the setting module is further configured to: create a data directory of the application file, and set the encryption policy in the extended attribute of the data directory.
15. The electronic device of claim 9, wherein
when the processing module receives an uninstalling operation of the application file, the processing module is further configured to delete the encryption key from the secure storage space and clear the encryption key information from the system key ring in response to the uninstalling operation.
16. The electronic device of claim 9, wherein the processing module is further configured to:
decrypt, according to a user identity, the encryption key associated with that user identity in the system key ring.
17. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, causes the processor to perform the method of any one of claims 1-8.
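As an added illustration of the key-ring and policy model in claims 1 to 8 (a constructed Python model written for this page, not the patent's implementation): every application gets its own derived key, the key sits in a volatile key ring with an owner and a mandatory access control label, the policy is attached to the application's data directory, and an open is granted only to the key's owner with a matching label. The master secret, the `/data/<app>` layout and the result tuples are assumptions of the model.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class KeyEntry:
    """One entry in the simulated system key ring."""
    key: bytes
    owner: str       # the application file that owns the key
    perm: str        # "owner": only the owner may use the key
    mac_label: str   # mandatory access control key label

class Device:
    """Constructed model of the claimed device; not the patent's code."""

    def __init__(self, master_secret: bytes):
        self.master = master_secret      # stands in for the secure storage root
        self.secure_storage = {}         # app -> (key, label); survives reboot
        self.keyring = {}                # app -> KeyEntry; volatile
        self.xattrs = {}                 # data directory -> encryption policy
        self.inodes = {}                 # file path -> (owner, label) on open

    def derive_key(self, app: str) -> bytes:
        # Per-application key: HMAC over the app name, so no two apps share one.
        return hmac.new(self.master, app.encode(), hashlib.sha256).digest()

    def install(self, app: str, mac_label: str) -> None:
        key = self.derive_key(app)
        self.secure_storage[app] = (key, mac_label)
        self.keyring[app] = KeyEntry(key, app, "owner", mac_label)
        # The policy is kept in the extended attribute of the app's data directory.
        self.xattrs[f"/data/{app}"] = {"key_id": app, "mac": mac_label}

    def reboot(self) -> None:
        # The key ring is lost; on login all stored keys are reinstalled together.
        self.keyring = {a: KeyEntry(k, a, "owner", lbl)
                        for a, (k, lbl) in self.secure_storage.items()}

    def open_file(self, caller: str, caller_label: str, path: str):
        data_dir = "/".join(path.split("/")[:3])       # "/data/<app>"
        policy = self.xattrs.get(data_dir)
        if policy is None:
            return False, "no encryption policy"
        entry = self.keyring.get(policy["key_id"])
        if entry is None:
            return False, "key not in key ring"
        self.inodes[path] = (entry.owner, entry.mac_label)   # recorded in inode
        if entry.perm == "owner" and caller != entry.owner:
            return False, "open failed: caller is not the key owner"
        if caller_label != entry.mac_label:
            return False, "open failed: MAC label mismatch"
        return True, entry.key                         # file may be opened

    def uninstall(self, app: str) -> None:
        # Remove the key from secure storage and clear it from the key ring.
        self.secure_storage.pop(app, None)
        self.keyring.pop(app, None)
        self.xattrs.pop(f"/data/{app}", None)
```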

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111021347.0A CN113722736A (en) 2021-09-01 2021-09-01 Access isolation method of application file, electronic device and readable storage medium

Publications (1)

Publication Number Publication Date
CN113722736A true CN113722736A (en) 2021-11-30

Family

ID=78680579

Country Status (1)

Country Link
CN (1) CN113722736A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150237025A1 (en) * 2014-02-14 2015-08-20 Red Hat, Inc. Storing a key to an encrypted file in kernel memory
CN105373744A (en) * 2015-10-29 2016-03-02 成都卫士通信息产业股份有限公司 Method for encrypting extended file system based on Linux
CN106855928A (en) * 2015-12-09 2017-06-16 阿里巴巴集团控股有限公司 A kind of method and apparatus for improving data safety
CN112199730A (en) * 2020-11-17 2021-01-08 上海优扬新媒信息技术有限公司 Method and device for processing application data on terminal and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zhu Jianming et al.: "Analysis and Design of Electronic Official Document Workflows in an E-Government Environment", Military Science Press, pages 357-368 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination