CN116011010A - File protection method and device, electronic equipment and computer readable storage medium - Google Patents


Info

Publication number
CN116011010A
Authority
CN
China
Prior art keywords
file
modification operation
preset
ebpf
information
Legal status
Pending
Application number
CN202211721342.3A
Other languages
Chinese (zh)
Inventor
姜承凯
盛颖
肖新光
Current Assignee
Beijing Antiy Network Technology Co Ltd
Original Assignee
Beijing Antiy Network Technology Co Ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Storage Device Security (AREA)

Abstract

The application provides a file protection method and device, electronic equipment and a computer readable storage medium. The method comprises the following steps: in response to the system issuing a file modification operation, performing instrumentation, by means of eBPF, in the kernel layer on the target file targeted by the file modification operation, wherein the instrumentation is used for executing a preset file monitoring strategy; if the instrumentation succeeds, acquiring the association information of the target file; monitoring whether the association information meets a preset file protection condition; and if the association information of the file modification operation meets the preset file protection condition, calling an eBPF auxiliary function to intercept the file modification operation. According to the technical scheme, the eBPF facility of the Linux system is used to instrument each file modification operation of the system, so that file modification operations at the kernel layer are monitored and protected and attacks from the kernel layer can be effectively intercepted.

Description

File protection method and device, electronic equipment and computer readable storage medium
[ field of technology ]
The present disclosure relates to the field of information security technologies, and in particular, to a method and apparatus for protecting a file, an electronic device, and a computer readable storage medium.
[ background art ]
Conventional file protection approaches tend to focus on protecting against attacks from the user layer, whereas for attacks from the kernel layer, such as rootkits or malicious LKM (loadable kernel module) code, corresponding protection measures are lacking.
Therefore, how to effectively protect files against attacks from the kernel layer has become a technical problem to be solved.
[ invention ]
The embodiment of the application provides a file protection method and device, electronic equipment and a computer readable storage medium, and aims to solve the technical problem that the existing protection means for protecting against attacks from a user layer cannot meet the requirement for protecting against attacks from a kernel layer in the related art.
In a first aspect, an embodiment of the present application provides a file protection method, including: in response to the system issuing a file modification operation, performing instrumentation, by means of eBPF, in the kernel layer on the target file targeted by the file modification operation, wherein the instrumentation is used for executing a preset file monitoring strategy; if the instrumentation succeeds, acquiring the association information of the target file; monitoring whether the association information meets a preset file protection condition; and if the association information of the file modification operation meets the preset file protection condition, calling an eBPF auxiliary function to intercept the file modification operation.
In one possible design, the instrumentation of the target file for the file modification operation in the kernel layer by using the eBPF method includes: verifying whether an intermediate file compiled by the bytecode of the eBPF meets a predetermined enabling rule in the system; and if the intermediate file meets the preset enabling rule, performing instrumentation of an eBPF executable program on the target file aimed at by the file modification operation at a kernel layer, wherein the eBPF executable program is used for reflecting a preset file monitoring policy.
In one possible design, the calling an eBPF assist function intercepts the file modification operation, comprising: and calling an eBPF auxiliary function to prevent the file modification operation from writing the file modification information of the buffer into the system memory.
In one possible design, the method further comprises: after intercepting the file modification operation, generating protection result feedback information; and covering the modification result feedback information aiming at the file modification operation in the system with the protection result feedback information.
In one possible design, the method further comprises: if the instrumentation fails, generating first alarm information; and if overwriting the modification result feedback information with the protection result feedback information fails, generating second alarm information.
In one possible design, the obtaining the association information of the target file includes: acquiring a file path and a file type of the target file; the monitoring whether the associated information meets the preset file protection condition comprises the following steps: if the association information is not matched with the preset association information in the preset white list, and under the condition that the file modification operation exceeds the preset modification authority range of the target file, determining that the association information of the file modification operation meets the preset file protection condition.
In one possible design, the method further comprises: allowing the file modification operation to be performed if the association information matches the predetermined association information in the predetermined whitelist; and if the association information does not match the predetermined association information in the predetermined whitelist, allowing the file modification operation to be performed when the file modification operation is within the predetermined modification authority range of the target file.
In a second aspect, an embodiment of the present application provides a file protection device, including: a dynamic instrumentation unit, used for, in response to the system issuing a file modification operation, performing instrumentation by means of eBPF in the kernel layer on the target file targeted by the file modification operation, the instrumentation being used for executing a preset file monitoring strategy; an association information acquisition unit, used for acquiring the association information of the target file if the instrumentation succeeds; a protection monitoring unit, used for monitoring whether the association information meets the preset file protection condition; and a modification operation interception unit, used for calling an eBPF auxiliary function to intercept the file modification operation if the association information of the file modification operation meets the preset file protection condition.
In one possible design, the dynamic instrumentation unit is used to: verifying whether an intermediate file compiled by the bytecode of the eBPF meets a predetermined enabling rule in the system; and if the intermediate file meets the preset enabling rule, performing instrumentation of an eBPF executable program on the target file aimed at by the file modification operation at a kernel layer, wherein the eBPF executable program is used for reflecting a preset file monitoring policy.
In one possible design, the modification operation interception unit is configured to: and calling an eBPF auxiliary function to prevent the file modification operation from writing the file modification information of the buffer into the system memory.
In one possible design, the file guard further comprises: the feedback information generating unit is used for generating protection result feedback information after intercepting the file modification operation; and the feedback information covering unit is used for covering the modification result feedback information aiming at the file modification operation in the system with the protection result feedback information.
In one possible design, the file guard further comprises: a first alarm unit, used for generating first alarm information if the instrumentation fails; and a second alarm unit, used for generating second alarm information if overwriting the modification result feedback information with the protection result feedback information fails.
In one possible design, the association information acquiring unit is configured to: acquiring a file path and a file type of the target file; the protection monitoring unit is used for: if the association information is not matched with the preset association information in the preset white list, and under the condition that the file modification operation exceeds the preset modification authority range of the target file, determining that the association information of the file modification operation meets the preset file protection condition.
In one possible design, the file guard further comprises: a first execution unit, configured to allow the file modification operation to be executed if the association information matches the predetermined association information in the predetermined whitelist; and the second execution unit is used for allowing the file modification operation to be executed when the file modification operation is within the preset modification authority range of the target file if the association information is not matched with the preset association information in the preset white list.
In a third aspect, an embodiment of the present application provides an electronic device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of the first aspect described above.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium storing computer-executable instructions for performing the method flow described in the first aspect.
According to the technical scheme, aiming at the technical problem that the prior protection means for protecting the attack from the user layer cannot meet the requirement of protecting the attack from the kernel layer in the related technology, firstly, once a system sends out file modification operation to a file, instrumentation based on an eBPF mode is triggered. In this application, instrumentation specifically refers to introducing a predetermined file monitoring policy to a target file targeted by a file modification operation, where the introduced predetermined file monitoring policy is an executable program.
In other words, the instrumentation operation is triggered in real time every time a file modification operation is detected, and monitoring of the target file targeted by the file modification operation is realized through the instrumentation operation. Therefore, all file modification operations at the kernel layer of the system can be dynamically monitored, and attacks on files from the kernel layer can be handled.
And if the instrumentation is successful, executing a preset file monitoring strategy on the target file, wherein in the preset file monitoring strategy, the associated information of the target file is firstly acquired. The association information of the target file is used to reflect characteristics of the target file itself, and this characteristic can be used to determine whether it is necessary to guard the file modification operation for the target file.
And then, monitoring whether the associated information meets the preset file protection condition, and if the associated information of the file modification operation meets the preset file protection condition, calling an eBPF auxiliary function to intercept the file modification operation.
The predetermined file protection condition refers to a requirement that the association information of the target file should reach when the file modification operation needs to be protected for the target file, if the association information of the file modification operation meets the predetermined file protection condition, the file protection can be implemented, otherwise, if the association information of the file modification operation does not meet the predetermined file protection condition, the file protection is not required to be implemented for the target file. The file protection is implemented by calling an eBPF auxiliary function to intercept the file modification operation, wherein the eBPF auxiliary function refers to a function used for interacting the content of the eBPF mode instrumentation with the kernel layer of the system, and the interaction of the content of the eBPF mode instrumentation with the kernel layer of the system is embodied as the file modification operation of intercepting the kernel layer.
According to the technical scheme, the eBPF facility of the Linux system is used to instrument each file modification operation of the system, so that file modification operations at the kernel layer are monitored and protected, attacks from the kernel layer can be effectively intercepted, and in particular attacks on files by rootkits or malicious LKM kernel modules can be effectively intercepted. Meanwhile, eBPF is built into the Linux system itself, so the method for intercepting kernel layer attacks does not affect the normal operation of the system; moreover, eBPF is compatible with Linux systems of various versions, so the method has low cost and high compatibility. In conclusion, the technical scheme of the application can safely and effectively protect files from attacks from the kernel layer, thereby widening the application range of file security protection and effectively improving file security.
[ description of the drawings ]
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates a flow chart of a file protection method according to one embodiment of the present application;
FIG. 2 illustrates a block diagram of a file guard according to one embodiment of the present application;
fig. 3 shows a block diagram of an electronic device according to an embodiment of the present application.
[ detailed description of the invention ]
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
FIG. 1 illustrates a flow chart of a file protection method according to one embodiment of the present application.
As shown in fig. 1, a file protection method according to an embodiment of the present application includes:
Step 102: in response to the system issuing a file modification operation, performing instrumentation by means of eBPF in the kernel layer on the target file targeted by the file modification operation, wherein the instrumentation is used for executing a preset file monitoring strategy.
Once the system issues a file modification operation to the file, instrumentation based on the eBPF scheme is triggered. The file modification operations described herein include, but are not limited to, copy, alter, delete, etc. operations for any file that the system is capable of contacting.
Here, eBPF (Extended Berkeley Packet Filter) is a kernel technology in Linux systems (available from Linux 4.x) that allows programs to run in the kernel without changing the kernel source code and without adding extra modules. In general, it can be considered a lightweight sandboxed virtual machine in the Linux kernel, in which developers can utilize specific kernel resources by running BPF bytecode. eBPF is part of the mainline kernel, so instrumenting by means of eBPF requires no third-party module to be introduced, and eBPF is compatible with Linux systems of various versions, which makes it convenient to apply in different business scenarios.
Instrumentation refers to inserting an executable program at the instrumentation location; in this application it specifically means introducing a predetermined file monitoring policy into the target file targeted by a file modification operation, where the introduced predetermined file monitoring policy is an executable program. In the technical scheme, the instrumentation operation is triggered in real time every time a file modification operation is detected, and monitoring of the target file targeted by the file modification operation is realized through the instrumentation operation. Therefore, all file modification operations at the kernel layer of the system can be dynamically monitored, and attacks on files from the kernel layer can be handled.
Step 104: if the instrumentation succeeds, acquiring the association information of the target file.
If the instrumentation succeeds, the preset file monitoring strategy is executed on the target file; in the preset file monitoring strategy, the association information of the target file is first acquired. The association information of the target file reflects characteristics of the target file itself, and these characteristics can be used to determine whether it is necessary to guard against the file modification operation for the target file.
Specifically, the association information of the target file includes the file path and the file type of the target file, so acquiring the association information means acquiring the file path and the file type of the target file. The file path refers to the path by which the target file is accessed, and the file type can be taken as the suffix of the target file, such as xml.
Step 106: monitoring whether the association information meets the preset file protection condition.
Step 108: if the association information of the file modification operation meets the preset file protection condition, calling an eBPF auxiliary function to intercept the file modification operation.
The predetermined file protection condition refers to a requirement that the association information of the target file should reach when the file modification operation needs to be protected for the target file, if the association information of the file modification operation meets the predetermined file protection condition, the file protection can be implemented, otherwise, if the association information of the file modification operation does not meet the predetermined file protection condition, the file protection is not required to be implemented for the target file.
In one possible design, the predetermined file protection condition refers to simultaneously satisfying that the association information does not match the predetermined association information in the predetermined whitelist and that the file modification operation is beyond a predetermined modification authority range of the target file. Specifically, if the association information does not match with the predetermined association information in the predetermined white list, determining that the association information of the file modification operation meets the predetermined file protection condition under the condition that the file modification operation exceeds the predetermined modification authority range of the target file.
The predetermined white list stores association information corresponding to files which are of higher security and whose file modification operations do not need to be monitored. If the association information does not match the predetermined association information in the predetermined white list, the target file is not a whitelisted file, and its file modification operations still need to be monitored to ensure security.
Further, each file is provided with a predetermined modification authority range, and modification of the file within this range does not affect the security of the file. Therefore, once it is established that file modification operations on the target file need to be monitored, if the file modification operation is beyond the predetermined modification authority range of the target file, the file modification operation is an unsafe factor for the target file and needs to be intercepted.
Therefore, the condition that the file modification operation of the kernel layer needs to be intercepted can be effectively identified, and the file security can be protected.
The file protection is implemented by calling an eBPF auxiliary function to intercept the file modification operation, wherein the eBPF auxiliary function refers to a function used for interacting the content of the eBPF mode instrumentation with the kernel layer of the system, and the interaction of the content of the eBPF mode instrumentation with the kernel layer of the system is embodied as the file modification operation of intercepting the kernel layer.
In one possible design, the specific way to invoke the eBPF assist function to intercept the file modification operation includes: and calling an eBPF auxiliary function to prevent the file modification operation from writing the file modification information of the buffer into the system memory.
That is, the eBPF auxiliary function is used to block the file modification operation from writing the file modification information of the buffer into the system memory. By blocking the file modification information of the buffer from being written into the system memory, the file is blocked from being modified, so that the interception of file modification operation is realized, and the security of the target file is improved.
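The protection condition of steps 106 and 108, together with the allow cases (whitelisted, or within the permitted range), as an added example that is not code from the patent: a decision function written in the bounded, fixed-size C style the eBPF verifier accepts, compiled here as ordinary C so it can be unit-tested in user space. The sample paths, the operation bitmask, and the prefix-match representation of the whitelist and of the modification authority range are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATH  64
#define MAX_TYPE  8
#define MAX_RULES 8

/* File modification operations named in the method (copy, alter, delete). */
enum fop { FOP_COPY = 1u << 0, FOP_ALTER = 1u << 1, FOP_DELETE = 1u << 2 };
enum verdict { VERDICT_ALLOW = 0, VERDICT_INTERCEPT = 1 };

/* Association information of the target file: path and type (suffix). */
struct assoc_info { char path[MAX_PATH]; char type[MAX_TYPE]; };

/* Whitelist entry: files under this prefix (and of this type, "" = any) are not monitored. */
struct whitelist_entry { char prefix[MAX_PATH]; char type[MAX_TYPE]; };

/* Predetermined modification authority range: operations permitted under a prefix. */
struct authority_rule { char prefix[MAX_PATH]; uint32_t allowed_ops; };

struct policy {
    struct whitelist_entry wl[MAX_RULES];   int n_wl;
    struct authority_rule  auth[MAX_RULES]; int n_auth;
    uint32_t default_allowed_ops;   /* range for files with no explicit rule */
};

/* Bounded string helpers: fixed trip count and no libc calls, as the eBPF verifier requires. */
static int prefix_matches(const char *prefix, const char *path)
{
    for (int i = 0; i < MAX_PATH; i++) {
        if (prefix[i] == '\0') return 1;        /* whole prefix consumed */
        if (prefix[i] != path[i]) return 0;     /* also stops at the end of path */
    }
    return 1;
}

static int type_matches(const char *want, const char *have)
{
    if (want[0] == '\0') return 1;              /* empty type in the rule = any type */
    for (int i = 0; i < MAX_TYPE; i++) {
        if (want[i] != have[i]) return 0;
        if (want[i] == '\0') return 1;
    }
    return 1;
}

/* The predetermined file protection condition: intercept only if (1) the association
 * information matches no whitelist entry AND (2) the operation falls outside the
 * file's modification authority range. Everything else is allowed. */
enum verdict decide(const struct policy *p, const struct assoc_info *f, uint32_t op)
{
    for (int i = 0; i < MAX_RULES && i < p->n_wl; i++)
        if (prefix_matches(p->wl[i].prefix, f->path) &&
            type_matches(p->wl[i].type, f->type))
            return VERDICT_ALLOW;               /* whitelisted: not monitored */

    uint32_t allowed = p->default_allowed_ops;
    for (int i = 0; i < MAX_RULES && i < p->n_auth; i++)
        if (prefix_matches(p->auth[i].prefix, f->path)) {
            allowed = p->auth[i].allowed_ops;   /* first matching rule wins */
            break;
        }

    /* Any requested operation bit outside the permitted range is intercepted. */
    return (op & ~allowed) ? VERDICT_INTERCEPT : VERDICT_ALLOW;
}

/* Constructed sample policy (hypothetical paths, not taken from the patent). */
static const struct policy SAMPLE_POLICY = {
    .wl = { { "/tmp/", "" }, { "/var/cache/", "tmp" } }, .n_wl = 2,
    .auth = { { "/etc/", FOP_COPY },                      /* config: copy only */
              { "/var/lib/app/", FOP_COPY | FOP_ALTER },  /* state: no delete */
              { "/var/cache/", FOP_COPY } },              /* cache: copy only */
    .n_auth = 3,
    .default_allowed_ops = FOP_COPY | FOP_ALTER | FOP_DELETE,
};

/* Build the association information for one operation and evaluate it against the sample policy. */
enum verdict check_path(const char *path, const char *type, uint32_t op)
{
    struct assoc_info f = { {0}, {0} };
    strncpy(f.path, path, MAX_PATH - 1);
    strncpy(f.type, type, MAX_TYPE - 1);
    return decide(&SAMPLE_POLICY, &f, op);
}

int main(void)
{
    const char *names[] = { "allow", "intercept" };
    printf("/etc/passwd alter      -> %s\n", names[check_path("/etc/passwd", "", FOP_ALTER)]);
    printf("/tmp/x.dat delete      -> %s\n", names[check_path("/tmp/x.dat", "dat", FOP_DELETE)]);
    printf("/var/cache/a.db delete -> %s\n", names[check_path("/var/cache/a.db", "db", FOP_DELETE)]);
    return 0;
}
```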
In addition, after intercepting the file modification operation, protection result feedback information is generated; and covering the modification result feedback information aiming at the file modification operation in the system with the protection result feedback information. In the original logic of the system, after the file modification operation is executed, the feedback information of the modification result can be timely generated and fed back, and after the file modification operation is intercepted, the original logic of the system can be replaced by the feedback information of the generation and feedback protection result so as to timely reflect the protection result of the target file and timely display the current actual safety situation of the target file.
On this basis, if overwriting the modification result feedback information with the protection result feedback information fails, second alarm information is generated. When the protection result feedback information cannot overwrite the modification result feedback information, the file modification operation may not have been effectively intercepted, and an alarm should be raised promptly so as to draw attention to the target file, which has a positive effect on protecting the security of the target file.
According to the technical scheme, the eBPF facility of the Linux system is used to instrument each file modification operation of the system, so that file modification operations at the kernel layer are monitored and protected, attacks from the kernel layer can be effectively intercepted, and in particular attacks on files by rootkits or malicious LKM kernel modules can be effectively intercepted. Meanwhile, eBPF is built into the Linux system itself, so the method for intercepting kernel layer attacks does not affect the normal operation of the system; moreover, eBPF is compatible with Linux systems of various versions, so the method has low cost and high compatibility. In conclusion, the technical scheme of the application can safely and effectively protect files from attacks from the kernel layer, thereby widening the application range of file security protection and effectively improving file security.
In one possible design, step 102 includes: verifying whether an intermediate file compiled by the bytecode of the eBPF meets a predetermined enabling rule in the system; and if the intermediate file meets the preset enabling rule, performing instrumentation of an eBPF executable program on the target file aimed at by the file modification operation at a kernel layer, wherein the eBPF executable program is used for reflecting a preset file monitoring policy.
Specifically, the nature of the eBPF technology is that BPF bytecodes (hereinafter referred to as bytecodes) are run to utilize specific kernel resources, and it is first verified for the system whether the bytecodes of the eBPF are safely available. Specifically, a predetermined enabling rule is set in the system as a verification standard for verifying whether the bytecode is safely available.
Further, the byte code can be compiled into an intermediate file which is convenient for the Linux system to read through the libBPF compiler, and the Linux system verifies whether the intermediate file meets the preset enabling rule.
The predetermined enabling rule includes, but is not limited to: the source compiled object of the bytecode corresponding to the intermediate file is in a specified compiled object white list; the specific kernel resources that the bytecode needs to utilize are not disabled resources; and the functions called by the bytecode in the process of utilizing those kernel resources are not disabled functions. Of course, the predetermined enabling rules may also be customized according to the actual security requirements of the system and are not limited to the examples described above.
Through the above technical scheme, the security of the instrumentation can be effectively verified, the system is prevented from being maliciously instrumented, and the security of the system is improved.
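A loader-side check of the enabling rule described above (compiled-object white list and non-disabled called functions), as an added example that is not the patent's own code: it walks the 8-byte eBPF instructions of a constructed program, picks out helper calls (BPF_JMP|BPF_CALL with src_reg 0, helper ID in imm) and rejects the program if it calls a disabled helper or comes from an unlisted object. The object names, the sample programs and the choice of disabled helper are assumptions; the rule about non-disabled kernel resources (e.g. map types) is not implemented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 64-bit eBPF instruction with the same field layout as struct bpf_insn in the kernel UAPI. */
struct insn {
    uint8_t code;           /* opcode */
    uint8_t dst_reg : 4;
    uint8_t src_reg : 4;    /* 0 for a helper call, 1 for a bpf-to-bpf (pseudo) call */
    int16_t off;
    int32_t imm;            /* helper ID when this is a helper call */
};

#define OP_CALL      0x85   /* BPF_JMP | BPF_CALL */
#define OP_EXIT      0x95   /* BPF_JMP | BPF_EXIT */
#define OP_MOV64_IMM 0xb7   /* BPF_ALU64 | BPF_MOV | BPF_K */

/* Helper IDs numbered as in include/uapi/linux/bpf.h (enum bpf_func_id). */
enum { HELPER_MAP_LOOKUP_ELEM = 1, HELPER_TRACE_PRINTK = 6, HELPER_PROBE_WRITE_USER = 36 };

/* The enabling rule: objects that may be loaded, and helpers the administrator disabled. */
struct enabling_rule {
    const char *const *object_whitelist; size_t n_objects;
    const int32_t *disabled_helpers;     size_t n_disabled;
};

/* The intermediate file presented for loading: its source object name and its bytecode. */
struct intermediate_file {
    const char *source_object;
    const struct insn *insns; size_t n_insns;
};

enum enable_result { ENABLE_OK = 0, ENABLE_REJECT_OBJECT = 1, ENABLE_REJECT_HELPER = 2 };

/* Return the first disabled helper ID the bytecode calls, or 0 (BPF_FUNC_unspec) if none.
 * Only src_reg == 0 calls are helper calls; a pseudo call's imm is a jump offset, not an ID. */
int32_t first_disabled_helper(const struct insn *prog, size_t n,
                              const int32_t *disabled, size_t n_disabled)
{
    for (size_t i = 0; i < n; i++) {
        if (prog[i].code != OP_CALL || prog[i].src_reg != 0)
            continue;
        for (size_t j = 0; j < n_disabled; j++)
            if (prog[i].imm == disabled[j])
                return prog[i].imm;
    }
    return 0;
}

enum enable_result verify_enabling_rule(const struct intermediate_file *f,
                                        const struct enabling_rule *rule)
{
    int object_ok = 0;
    for (size_t i = 0; i < rule->n_objects; i++)
        if (strcmp(rule->object_whitelist[i], f->source_object) == 0) { object_ok = 1; break; }
    if (!object_ok)
        return ENABLE_REJECT_OBJECT;
    if (first_disabled_helper(f->insns, f->n_insns, rule->disabled_helpers, rule->n_disabled))
        return ENABLE_REJECT_HELPER;
    return ENABLE_OK;
}

/* Constructed sample rule and programs (hypothetical object name). */
static const char *const SAMPLE_OBJECTS[] = { "file_guard.bpf.o" };
static const int32_t SAMPLE_DISABLED[] = { HELPER_PROBE_WRITE_USER };
const struct enabling_rule SAMPLE_RULE = { SAMPLE_OBJECTS, 1, SAMPLE_DISABLED, 1 };

/* Monitoring program: map lookup, trace message, return 0. */
static const struct insn CLEAN_PROG[] = {
    { OP_CALL, 0, 0, 0, HELPER_MAP_LOOKUP_ELEM },
    { OP_CALL, 0, 0, 0, HELPER_TRACE_PRINTK },
    { OP_MOV64_IMM, 0, 0, 0, 0 },
    { OP_EXIT, 0, 0, 0, 0 },
};
/* Same shape, but it also calls the disabled helper. */
static const struct insn BAD_PROG[] = {
    { OP_CALL, 0, 0, 0, HELPER_MAP_LOOKUP_ELEM },
    { OP_CALL, 0, 0, 0, HELPER_PROBE_WRITE_USER },
    { OP_EXIT, 0, 0, 0, 0 },
};
/* Pseudo call (src_reg 1) whose imm happens to equal the disabled ID: must not be flagged. */
static const struct insn PSEUDO_CALL_PROG[] = {
    { OP_CALL, 0, 1, 0, HELPER_PROBE_WRITE_USER },
    { OP_EXIT, 0, 0, 0, 0 },
};

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Evaluate one of the sample programs (0 = clean, 1 = bad, 2 = pseudo call) under SAMPLE_RULE. */
enum enable_result check_sample(const char *object, int which)
{
    struct intermediate_file f = { object, NULL, 0 };
    if (which == 0)      { f.insns = CLEAN_PROG;       f.n_insns = N(CLEAN_PROG); }
    else if (which == 1) { f.insns = BAD_PROG;         f.n_insns = N(BAD_PROG); }
    else                 { f.insns = PSEUDO_CALL_PROG; f.n_insns = N(PSEUDO_CALL_PROG); }
    return verify_enabling_rule(&f, &SAMPLE_RULE);
}

int main(void)
{
    printf("clean program, listed object   -> %d\n", check_sample("file_guard.bpf.o", 0));
    printf("disabled helper call           -> %d\n", check_sample("file_guard.bpf.o", 1));
    printf("clean program, unlisted object -> %d\n", check_sample("unknown.bpf.o", 0));
    return 0;
}
```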
In one possible design, if the instrumentation fails, first alarm information is generated to prompt the instrumentation failure, so as to timely reflect the situation that the system cannot dynamically monitor and protect file modification operations performed on the file.
It should be added that if the association information matches the predetermined association information in the predetermined whitelist, the file modification operation is allowed to be executed; and if the association information does not match the predetermined association information in the predetermined whitelist, the file modification operation is allowed to be executed when it is within the predetermined modification authority range of the target file. If the association information does not match the predetermined association information in the predetermined white list, file modification operations on the target file still need to be monitored to ensure security, and further verification is performed. Then, if the file modification operation is within the predetermined modification authority range of the target file, such a file modification operation is sufficiently secure for the target file that it may be allowed to be performed.
FIG. 2 illustrates a block diagram of a file guard according to one embodiment of the present application.
As shown in fig. 2, a file guard 200 according to one embodiment of the present application includes: a dynamic instrumentation unit 202, configured to, in response to the system issuing a file modification operation, perform instrumentation by means of eBPF in the kernel layer on the target file targeted by the file modification operation, where the instrumentation is configured to execute a predetermined file monitoring policy; an association information obtaining unit 204, configured to obtain the association information of the target file if the instrumentation succeeds; a protection monitoring unit 206, configured to monitor whether the association information meets a predetermined file protection condition; and a modification operation intercepting unit 208, configured to invoke an eBPF auxiliary function to intercept the file modification operation if the association information of the file modification operation meets the predetermined file protection condition.
In one possible design, the dynamic instrumentation unit 202 is configured to: verifying whether an intermediate file compiled by the bytecode of the eBPF meets a predetermined enabling rule in the system; and if the intermediate file meets the preset enabling rule, performing instrumentation of an eBPF executable program on the target file aimed at by the file modification operation at a kernel layer, wherein the eBPF executable program is used for reflecting a preset file monitoring policy.
In one possible design, the modification operation interception unit 208 is configured to call an eBPF auxiliary function that prevents the file modification operation from writing the file modification information held in the buffer into system memory.
In one possible design, the file protection device 200 further comprises: a feedback information generating unit, configured to generate protection result feedback information after the file modification operation is intercepted; and a feedback information overriding unit, configured to overwrite the system's modification result feedback information for the file modification operation with the protection result feedback information.
In one possible design, the file protection device 200 further comprises: a first alarm unit, configured to generate first alarm information if the instrumentation fails; and a second alarm unit, configured to generate second alarm information if overwriting the modification result feedback information with the protection result feedback information fails.
In one possible design, the association information acquisition unit 204 is configured to acquire the file path and file type of the target file, and the protection monitoring unit 206 is configured to determine that the association information of the file modification operation meets the predetermined file protection condition if the association information does not match the predetermined association information in the predetermined whitelist and the file modification operation exceeds the predetermined modification authority range of the target file.
In one possible design, the file protection device 200 further comprises: a first execution unit, configured to allow the file modification operation to execute if the association information matches the predetermined association information in the predetermined whitelist; and a second execution unit, configured to allow the file modification operation to execute when it is within the predetermined modification authority range of the target file if the association information does not match the predetermined association information in the predetermined whitelist.
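The decision and reporting flow described above and in the preceding paragraphs (whitelist match, then the modification authority check, then interception with the feedback override and the two alarms) is modelled below as an added user-space C example. It is not the patent's own eBPF program: the sample whitelist, the per-type authority table, the bit-flag encoding of modification operations, and all function and type names are constructed for illustration, and the kernel-side eBPF attachment and the auxiliary function that blocks the buffered write are left outside the example and represented by boolean inputs.

```c
/* Added example: user-space model of the patent's decision and reporting
 * logic. Not the patent's eBPF program. The whitelist, the authority table,
 * the bit-flag encoding of operations and all names are constructed here. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed encoding of file modification operations as bit flags, so a
 * "modification authority range" is simply a set of permitted flags. */
enum mod_op { MOD_WRITE = 1, MOD_TRUNCATE = 2, MOD_RENAME = 4, MOD_UNLINK = 8 };

/* Association information of the target file: its path and type. */
struct assoc_info { const char *path; const char *type; };

/* Predetermined association information: a path prefix plus a file type. */
struct wl_entry { const char *path_prefix; const char *type; };

/* Predetermined modification authority range, keyed by file type. */
struct authority { const char *type; unsigned allowed_ops; };

enum decision { ALLOW = 0, INTERCEPT = 1 };
enum alarm_kind { ALARM_NONE = 0, ALARM_INSTRUMENTATION_FAILED = 1,
                  ALARM_OVERRIDE_FAILED = 2 };

/* Constructed sample policy. */
static const struct wl_entry WHITELIST[] = {
    { "/var/log/",       "log"   },
    { "/opt/app/cache/", "cache" },
};
static const struct authority AUTHORITY[] = {
    { "text", MOD_WRITE | MOD_TRUNCATE },  /* plain files may be edited   */
    { "bin",  0                        },  /* binaries may not be changed */
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Whitelist match: path by prefix, type by equality. In a kernel program a
 * BPF map lookup would take the place of this linear scan. */
static bool whitelist_match(const struct assoc_info *a)
{
    for (size_t i = 0; i < N(WHITELIST); i++) {
        const struct wl_entry *e = &WHITELIST[i];
        if (strncmp(a->path, e->path_prefix, strlen(e->path_prefix)) == 0 &&
            strcmp(a->type, e->type) == 0)
            return true;
    }
    return false;
}

/* Authority range for a file type; unknown types get no permissions. */
static unsigned authority_range(const struct assoc_info *a)
{
    for (size_t i = 0; i < N(AUTHORITY); i++)
        if (strcmp(a->type, AUTHORITY[i].type) == 0)
            return AUTHORITY[i].allowed_ops;
    return 0;
}

/* Protection condition: whitelisted files are allowed; otherwise allow only
 * operations that lie inside the authority range, else intercept. */
enum decision evaluate(const struct assoc_info *a, unsigned ops)
{
    if (whitelist_match(a))
        return ALLOW;
    if ((ops & ~authority_range(a)) == 0)
        return ALLOW;
    return INTERCEPT;
}

/* Outcome of one monitored modification, including what the caller is told. */
struct outcome {
    enum decision decision;
    enum alarm_kind alarm;
    bool caller_sees_interception;  /* true once the feedback override worked */
};

/* Full flow: `instrumented` is whether the eBPF instrumentation succeeded,
 * `override_ok` whether replacing the system's modification result feedback
 * with the protection feedback succeeded. Both are inputs because the kernel
 * side is outside this example. The decision left at ALLOW when
 * instrumentation fails is an assumption; the text specifies only the alarm. */
struct outcome handle_modification(bool instrumented, bool override_ok,
                                   const struct assoc_info *a, unsigned ops)
{
    struct outcome o = { ALLOW, ALARM_NONE, false };
    if (!instrumented) {                 /* first alarm: cannot monitor */
        o.alarm = ALARM_INSTRUMENTATION_FAILED;
        return o;
    }
    o.decision = evaluate(a, ops);
    if (o.decision == INTERCEPT) {       /* intercept, then report it */
        o.caller_sees_interception = override_ok;
        if (!override_ok)                /* second alarm: report failed */
            o.alarm = ALARM_OVERRIDE_FAILED;
    }
    return o;
}

int main(void)
{
    struct assoc_info ls = { "/usr/bin/ls", "bin" };
    struct outcome o = handle_modification(true, true, &ls, MOD_WRITE);
    printf("write to %s: %s (alarm %d)\n", ls.path,
           o.decision == INTERCEPT ? "intercepted" : "allowed", o.alarm);
    return 0;
}
```

Mapping this onto the kernel side is the author's own reading, not text from the patent: in a BPF LSM program the file path would come from the `bpf_d_path()` helper, the two tables would be BPF maps, and the interception itself is the hook returning an error code such as `-EPERM`, which is also what the caller of the write sees and therefore the natural carrier for the protection result feedback. Unknown file types falling outside every authority range are deliberately denied, so adding a new file type to the system is a policy change rather than a silent gap.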
The file protection device 200 adopts the solution described in any of the above embodiments and therefore has all the technical effects described above, which are not repeated here.
Fig. 3 shows a block diagram of an electronic device according to an embodiment of the present application.
As shown in fig. 3, an electronic device 300 of an embodiment of the present application includes at least one memory 302; and a processor 304 communicatively coupled to the at least one memory 302; wherein the memory stores instructions executable by the at least one processor 304, the instructions being configured to perform the arrangements described in any of the embodiments above. Therefore, the electronic device 300 has the same technical effects as those of any of the above embodiments, and will not be described herein.
The electronic device of the embodiments of the present application exists in a variety of forms, including but not limited to:
(1) Mobile communication devices, which are characterized by mobile communication functions and aim to provide voice and data communication. Such terminals include smartphones (e.g., iPhone), multimedia phones, feature phones, and low-end phones.
(2) Ultra-mobile personal computer devices, which belong to the category of personal computers, have computing and processing functions, and generally also offer mobile internet access. Such terminals include PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices, which can display and play multimedia content. Such devices include audio and video players (e.g., iPod), handheld game consoles, e-book readers, smart toys, and portable car navigation devices.
(4) Servers, which have an architecture similar to that of a general-purpose computer but provide highly reliable services, and therefore have high requirements on processing capacity, stability, reliability, security, scalability, manageability, and the like.
(5) Other electronic devices with data interaction functions.
In addition, embodiments of the present application provide a computer-readable storage medium storing computer-executable instructions for performing the following steps: in response to the system issuing a file modification operation, instrumenting, at the kernel layer and in an eBPF manner, the target file at which the file modification operation is aimed, where the instrumentation executes a predetermined file monitoring policy; if the instrumentation succeeds, acquiring association information of the target file; monitoring whether the association information meets a predetermined file protection condition; and if the association information of the file modification operation meets the predetermined file protection condition, calling an eBPF auxiliary function to intercept the file modification operation.
It should be noted that the functions or steps implemented by the computer-readable storage medium or the electronic device correspond to the descriptions in the foregoing method embodiments and are not repeated here.
The technical solution of the application has been explained in detail with reference to the drawings. It makes effective use of the eBPF facility of the Linux system: every file modification operation of the system is instrumented, so file modification operations are monitored and protected, and attacks from the kernel layer can be intercepted. Because eBPF is built into the Linux system, intercepting kernel-layer attacks in this way does not disturb normal system operation, and because eBPF is available across many Linux versions, the method has low cost and high compatibility. In summary, the technical solution of the application protects files safely and effectively against kernel-layer attacks, widens the applicable range of file security protection, and improves file security.
It should be understood that although the terms first, second, etc. may be used in embodiments of the present application to describe alert information, these alert information should not be limited to these terms. These terms are only used to distinguish alert information from each other. For example, the first alert information may also be referred to as second alert information, and similarly, the second alert information may also be referred to as first alert information, without departing from the scope of embodiments of the present application.
Depending on the context, the word "if" as used herein may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to detection". Similarly, the phrase "if determined" or "if detected (stated condition or event)" may be interpreted as "when determined" or "in response to determination" or "when detected (stated condition or event)" or "in response to detection (stated condition or event), depending on the context.
The terminology used in the embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the elements is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
Those skilled in the art will appreciate that implementing all or part of the above-described methods may be accomplished by way of a computer program stored on a non-transitory computer-readable storage medium which, when executed, may comprise the steps of the method embodiments described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. The non-volatile memory can include Read-Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM), among others.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention.

Claims (10)

1. A file protection method, comprising:
in response to a system issuing a file modification operation, instrumenting, at the kernel layer and in an eBPF manner, a target file at which the file modification operation is aimed, wherein the instrumentation executes a predetermined file monitoring policy;
if the instrumentation succeeds, acquiring association information of the target file;
monitoring whether the association information meets a predetermined file protection condition;
and if the association information of the file modification operation meets the predetermined file protection condition, calling an eBPF auxiliary function to intercept the file modification operation.
2. The file protection method according to claim 1, wherein instrumenting the target file at which the file modification operation is aimed at the kernel layer in an eBPF manner comprises:
verifying whether an intermediate file compiled from the eBPF bytecode satisfies a predetermined enabling rule of the system;
and if the intermediate file satisfies the predetermined enabling rule, instrumenting the target file at which the file modification operation is aimed with an eBPF executable program at the kernel layer, wherein the eBPF executable program embodies the predetermined file monitoring policy.
3. The file protection method according to claim 1, wherein calling the eBPF auxiliary function to intercept the file modification operation comprises:
calling an eBPF auxiliary function to prevent the file modification operation from writing the file modification information held in the buffer into system memory.
4. The file protection method of claim 3, further comprising:
after intercepting the file modification operation, generating protection result feedback information;
and overwriting the system's modification result feedback information for the file modification operation with the protection result feedback information.
5. The file protection method of claim 4, further comprising:
if the instrumentation fails, generating first alarm information; and
if overwriting the modification result feedback information with the protection result feedback information fails, generating second alarm information.
6. The file protection method according to any one of claims 1 to 5, wherein acquiring the association information of the target file comprises:
acquiring a file path and a file type of the target file;
and monitoring whether the association information meets the predetermined file protection condition comprises:
if the association information does not match the predetermined association information in the predetermined whitelist and the file modification operation exceeds the predetermined modification authority range of the target file, determining that the association information of the file modification operation meets the predetermined file protection condition.
7. The file protection method of claim 6, further comprising:
allowing the file modification operation to execute if the association information matches the predetermined association information in the predetermined whitelist; and
if the association information does not match the predetermined association information in the predetermined whitelist, allowing the file modification operation to execute when the file modification operation is within the predetermined modification authority range of the target file.
8. A file protection device, comprising:
a dynamic instrumentation unit, configured to respond to a system issuing a file modification operation by instrumenting, at the kernel layer and in an eBPF manner, a target file at which the file modification operation is aimed, wherein the instrumentation executes a predetermined file monitoring policy;
an association information acquisition unit, configured to acquire association information of the target file if the instrumentation succeeds;
a protection monitoring unit, configured to monitor whether the association information meets a predetermined file protection condition;
and a modification operation interception unit, configured to call an eBPF auxiliary function to intercept the file modification operation if the association information of the file modification operation meets the predetermined file protection condition.
9. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the instructions being arranged to perform the method of any one of claims 1 to 7.
10. A computer-readable storage medium having stored thereon computer-executable instructions for performing the method of any one of claims 1 to 7.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status
CN202211721342.3A | 2022-12-30 | 2022-12-30 | File protection method and device, electronic equipment and computer readable storage medium | Pending

Publications (1)

Publication Number | Publication Date
CN116011010A (en) | 2023-04-25

Family ID: 86033178

Country Status (1)

Country | Link
CN (1) | CN116011010A (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination