CN117034330B - macOS-based safety protection method, macOS-based safety protection equipment and storage medium - Google Patents


Info

Publication number: CN117034330B
Application number: CN202311303595.3A
Authority: CN (China)
Prior art keywords: file, specific, user, operation request, file operation
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN117034330A (en)
Inventors: 叶志昌, 李见明, 何幸辉, 江振标
Current assignee: Guangzhou Yixin Technology Co ltd
Original assignee: Guangzhou Yixin Technology Co ltd
Application filed by Guangzhou Yixin Technology Co ltd
Priority to CN202311303595.3A
Publication of CN117034330A
Application granted
Publication of CN117034330B

Classifications

    • G06F21/604: Tools and structures for managing or administering access control systems (under G06F21/60 Protecting data; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting (under G06F21/55 Detecting local intrusion or implementing counter-measures; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (under G06F21/62; G06F21/60 Protecting data)
    • G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices (indexing scheme G06F2221/21 relating to G06F21/00 and subgroups)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the invention relate to the technical field of data security, in particular to a macOS-based security protection method, macOS-based security protection equipment and a storage medium. The method comprises the following steps: independently creating a specific user for the specific file in a background space by using a multi-user system; storing the specific file in a specific folder of the specific user; a monitoring module detecting a file operation request sent by a front-end interface for a target file and judging whether the file operation request meets a preset protection condition; and, if the file operation request meets the preset protection condition, the monitoring module sending the background space's file operation interface for the specific file to the front-end interface according to the file operation request. Because a specific user is created independently for the specific file, the storage independence of the specific file is ensured; because the monitoring module sends the background space's file operation interface for the specific file to the front-end interface, the front-end interface never operates on the specific file directly, which gives good data security protection.

Description

macOS-based safety protection method, macOS-based safety protection equipment and storage medium
Technical Field
Embodiments of the invention relate to the technical field of data security, in particular to a macOS-based security protection method, macOS-based security protection equipment and a storage medium.
Background
Most existing office computers run Windows or Linux, and their security requirements are file-based. Secure desktop and sandbox products for Windows and Linux already exist in the prior art; they use techniques such as inline hooks, redirection, and encryption/decryption to isolate and protect desktops and data.
However, because macOS has particular advantages in graphic design, video and audio processing, new media and the like, more and more companies need macOS to handle their work. Owing to the different degree of closedness and the different architecture of the system, the data security protection technologies for Windows and Linux cannot be used on macOS, and macOS currently has no mature and stable data security protection technology.
Accordingly, there is a need for a macOS-based security protection method, apparatus, and storage medium that overcome the above problems.
Disclosure of Invention
In view of the above problems, embodiments of the present invention provide a macOS-based security protection method, device, and storage medium for solving the problems in the prior art.
According to a first aspect of an embodiment of the present invention, a macOS-based security protection method is provided, including:
independently creating a specific user for the specific file in a background space by using a multi-user system;
storing the specific file in a specific folder of the specific user;
a monitoring module detecting a file operation request sent by a front-end interface for a target file, and judging whether the file operation request meets a preset protection condition, where the preset protection condition is set according to the specific file;
and, if the file operation request meets the preset protection condition, the monitoring module sending the background space's file operation interface for the specific file to the front-end interface according to the file operation request.
In some embodiments, the method further comprises:
creating an encrypted virtual disk, and changing the file path of the specific folder to a file path on the encrypted virtual disk.
In some embodiments, the file operation request carries a current user ID, and the judging whether the file operation request meets the preset protection condition and, if it does, the monitoring module sending the background space's file operation interface for the specific file to the front-end interface according to the file operation request, further includes:
the monitoring module judging whether the target file is in the specific folder;
if the target file is in the specific folder, the monitoring module judging whether the current user ID is the specific user ID;
and, if the monitoring module judges that the current user ID is the specific user ID, the monitoring module sending the background space's file operation interface for the specific file to the front-end interface according to the file operation request.
In some embodiments, the monitoring module includes an intermediate service module and a detection module provided by a macOS-based system extension, and the steps of the monitoring module detecting a file operation request sent by the front-end interface for a target file and judging whether the file operation request meets a preset protection condition set according to the specific file,
and, if the file operation request meets the preset protection condition, the monitoring module sending the background space's file operation interface for the specific file to the front-end interface according to the file operation request, further include:
the detection module detecting the file operation request sent by the front-end interface, and judging whether the file operation request meets the preset protection condition, where the preset protection condition is set according to the specific file;
if the file operation request meets the preset protection condition, the detection module allowing the corresponding file operation;
and the intermediate service module sending the file operation interface for the specific file to the front-end interface.
In some embodiments, the monitoring module includes an intermediate service module and a detection module provided by a macOS-based system extension, the file operation request carries a file path and a current user ID, and the judging whether the file operation request meets the preset protection condition and, if it does, the monitoring module sending the background space's file operation interface for the specific file to the front-end interface according to the file operation request, further includes:
the detection module detecting the file operation request sent by the front-end interface and judging whether the file path is in the specific folder;
if the detection module judges that the file path is in the specific folder, the detection module judging whether the current user ID is the specific user ID;
if the detection module judges that the current user ID is the specific user ID, the detection module allowing the corresponding file operation;
and the intermediate service module sending the file operation interface for the specific file to the front-end interface.
In some embodiments, before the background space independently creates the specific user for the specific file using the multi-user system, the method comprises:
an identification module identifying whether the current file carries a specific identifier;
and, if the current file carries the specific identifier, treating the current file carrying the specific identifier as the specific file.
In some embodiments, the independently creating the specific user for the specific file in the background space using the multi-user system further comprises:
a creation module automatically creating the specific user for the specific file in the background space using the multi-user system according to preset user creation conditions;
and the storing the specific file in the specific folder of the specific user further comprises:
the creation module storing the specific file in a specific folder of the specific user according to preset folder creation conditions.
In some embodiments, before the storing the specific file in the specific folder of the specific user, the method further comprises:
judging whether the specific file is encrypted;
and, if the specific file is not encrypted, setting encryption for the specific file.
According to a second aspect of embodiments of the present invention, a computing device is provided, comprising a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with each other through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the operations of the macOS-based security protection method according to any one of the foregoing.
According to a third aspect of embodiments of the present invention, a computer-readable storage medium is provided, storing at least one executable instruction that, when executed, performs the operations of the macOS-based security protection method according to any one of the foregoing.
Embodiments of the invention create a specific user independently for the specific file, which makes it possible to set up the specific file through the specific user and ensures the storage independence of the specific file, thereby improving data security protection. When the specific user is created, a specific folder is created correspondingly so that the specific file is stored in that folder; the data of the specific file thus has its own storage space and is operated on only by the specific user, while ordinary files are stored in other folders and operated on by other ordinary users.
The method uses a specific user created by the multi-user system, so that the specific user is isolated and distinguished from ordinary users: different users' data are isolated from each other, and the programs and data of different users are isolated naturally by the system. Compared with traditional data isolation techniques (file redirection and sandboxing), the method needs no hooks and does not change how the system operates on files; it is simple and stable, highly compatible, does not change the user's working habits, has little impact on system performance, and reduces development difficulty while improving software development efficiency. In addition, the specific user is created in the background space and isolated from the front-end interface, forming a front end and a back end, which further improves data security protection.
The monitoring module detects the file operation request and judges whether it meets the preset protection condition. If it does, the request is within the security protection range; the monitoring module allows the corresponding file operation and sends the background space's file operation interface for the specific file to the front-end interface, so that the front-end interface can carry out the relevant operation on the specific file in the background space without operating on the specific file directly, which protects the specific file better. In this way the operator works on the specific file under the supervision of the monitoring module, which prevents the operator from leaking the specific file while still allowing its normal use for work, ensures the specific file stays stored in the background space, and benefits its data security.
The foregoing is only an overview of the technical solutions of the embodiments of the present invention; specific embodiments of the invention are given below so that the technical means can be understood more clearly and implemented according to the contents of the specification.
Drawings
The drawings are only for purposes of illustrating embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
Fig. 1 shows a flowchart of a macOS-based security protection method according to an embodiment of the present invention;
Fig. 2 shows a schematic diagram of a computing device provided by some embodiments of the invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein.
The inventors found that data security technology depends on the underlying technology of the system, and that the underlying technology of macOS differs considerably from that of Windows and Linux and cannot be used interchangeably, for example:
Closedness: compared with Linux, macOS is a closed operating system. This means that most of its source code is not exposed to developers, and only Apple can fully control and modify macOS.
Kernel architecture: macOS uses the XNU kernel, whereas Linux uses the Linux kernel and Windows uses the Windows NT kernel. These kernels differ in design and implementation, so technology based on one kernel cannot be applied directly to another.
System call interface: macOS uses a POSIX-like system call interface, but it differs from those of Linux and Windows.
Driver support: macOS and Windows differ in driver support. Drivers must be written specifically for macOS and cannot directly reuse Windows or Linux drivers.
Graphical interface: macOS uses Apple's own Aqua graphical interface, Linux uses the X Window System, and Windows uses the Windows Shell.
Besides the above factors there are other differences, such as file systems and the binary formats of programs. These differences make Windows- or Linux-specific data security techniques not directly applicable to macOS.
In addition, existing macOS security techniques are designed to prevent viruses or hackers from damaging and stealing data on the machine, for example:
File encryption: macOS provides the FileVault feature, which can encrypt the entire system volume or the user's home directory. This protects the data stored on disk, so the data is not easily accessed even if the physical device is stolen or lost.
Firewall: macOS has a built-in firewall that can restrict network connections and incoming connections, protecting the system from network attacks.
Application sandbox: macOS provides an application sandbox mechanism that forces applications to run in a restricted environment, limiting their access to system resources and other applications. This helps prevent malicious applications from damaging the system and user data.
These macOS security technologies cannot prevent an operator from actively sending files to others through WeChat, a USB flash drive or other means, so important data leaks easily.
The inventors also found that macOS comes with a multi-user system, under which different users' data are isolated from each other and the programs and data of different users are isolated naturally by the system. Compared with traditional data isolation techniques (file redirection and sandboxing), this needs no hooks and does not change how the system operates on files; it is simple and stable, highly compatible, does not change the user's working habits, and has little impact on system performance.
The inventors provide a macOS-based security protection method that uses a multi-user system to create a specific user independently for the specific files. This makes it possible to set up the specific files through the specific user and ensures their storage independence, thereby improving data security protection; the specific user is isolated and distinguished from ordinary users, different users' data are isolated from each other, and the programs and data of different users are isolated naturally by the system. Compared with traditional data isolation techniques (file redirection and sandboxing), the method needs no hooks and does not change how the system operates on files; it is simple and stable, highly compatible, does not change the user's working habits, has little impact on system performance, and reduces development difficulty while improving software development efficiency. The monitoring module detects the file operation request and judges whether it meets the preset protection condition; if it does, the request is within the security protection range, so the monitoring module allows the corresponding file operation and sends the background space's file operation interface for the specific file to the front-end interface. The front-end interface can thus carry out the relevant operation on the specific file in the background space without operating on the specific file directly, which protects the specific file better.
In this case the operator operates on the specific file under the supervision of the monitoring module, which prevents the operator from leaking the specific file, ensures the specific file stays stored in the background space, and benefits its data security.
Fig. 1 illustrates a flowchart of a macOS-based security protection method provided by an embodiment of the invention. The method is performed by a computing device, which may comprise one or more processors; a processor may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the invention, without limitation. The processors of the computing device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs, without limitation.
As shown in Fig. 1, the method comprises the following steps:
step 110: independently creating a specific user for the specific file in a background space by using a multi-user system;
step 120: storing the specific file in a specific folder of the specific user;
step 130: a monitoring module detecting a file operation request sent by a front-end interface for a target file, and judging whether the file operation request meets a preset protection condition, where the preset protection condition is set according to the specific file;
step 140: if the file operation request meets the preset protection condition, the monitoring module sending the background space's file operation interface for the specific file to the front-end interface according to the file operation request.
In step 110 and step 120, the specific user is created independently for the specific file, which makes it possible to set up the specific file through the specific user and ensures the storage independence of the specific file, thereby improving data security protection. When the specific user is created, a specific folder is created correspondingly so that the specific file is stored in that folder; the data of the specific file thus has its own storage space and is operated on only by the specific user, while ordinary files are stored in other folders and operated on by other ordinary users.
The method uses a specific user created by the multi-user system to isolate and distinguish it from ordinary users: different users' data are isolated from each other, and the programs and data of different users are isolated naturally by the system. Compared with traditional data isolation techniques (file redirection and sandboxing), the method needs no hooks and does not change how the system operates on files; it is simple and stable, highly compatible, does not change the user's working habits, and has little impact on system performance. In addition, the specific user is created in the background space and isolated from the front-end interface, forming a front end and a back end, which further improves data security protection.
When an operation on the specific file is needed, the operator must log in to the specific user account before operating on the specific file. The operator may be a company employee, an outsourced worker or another relevant operator.
A specific file is an important file, such as a company's confidential file or another file that the user personally considers important.
In some embodiments a specific user is created for each specific file, each specific file being stored in its own folder; in other embodiments one specific user is dedicated to operating on several specific files, which are stored together in one specific folder.
In some embodiments, encryption may also be applied to the specific file to increase its data security. The encryption algorithm is not limited and is chosen as required; preferably the specific file is encrypted with an irreversible encryption algorithm.
In some embodiments, encryption may also be applied to the specific folder, for example by creating an encrypted virtual disk and storing the specific file under a file path on the encrypted virtual disk, or by encrypting the specific folder directly. The encryption algorithm is not limited and is chosen as required; preferably the specific file is encrypted with an irreversible encryption algorithm.
In some embodiments, step 110 and/or step 120 may be performed manually; in other embodiments they may be performed by a processor.
When step 110 and step 120 are performed by the processor, a specific identifier must be attached to the specific file so that the processor can recognise it and perform steps 110 and 120 automatically. The identification module may run at the front end or the back end and then trigger the back-end system to execute steps 110 and 120.
When the processor performs steps 110 and 120 automatically, the specific user and specific folder are named according to preset naming conditions, which may, for example, be set according to the specific file's name, a code, or another rule that distinguishes and represents different specific files.
In step 130 and step 140, the target file is the file for which the front-end interface requests a file operation; it may be an ordinary file or a specific file as the case may be. When an operation on the target file is required, the operator performs it on the front-end interface, for example through a link or through the file path, and the front-end interface accordingly sends a file operation request for that file to the monitoring module. The monitoring module detects the request and judges whether it meets the preset protection condition. If it does, the request is within the security protection range, so the monitoring module allows the corresponding file operation and sends the background space's file operation interface for the specific file to the front-end interface, which can then carry out the relevant operation on the specific file in the background space without operating on it directly, protecting the specific file better.
macOS can display the interface of only one user at a time. The specific user is logged in in the background and its interface is not shown on the display; only the front-end interface the operator is currently using is visible. The operator works through mouse and keyboard input and sends the related file operation request to the monitoring module, which monitors the request, forwards any request meeting the preset protection condition to the specific user for the related file operation, and then transmits the specific user's file operation interface to the front-end interface, so that the front-end interface can see and control the specific user's interface.
The file operation may be a file open event, a file copy event, a file paste event, a file modification event, a file transfer event or the like, which are not elaborated here; the related file operations are performed as needed.
The functions of the monitoring module may be implemented in a single module or in different modules, without limitation, as required.
The preset protection condition is set on the basis of the specific files, so that the monitoring module can monitor file operation requests accurately, avoiding false identification and omission and improving the security protection of specific files.
The preset protection condition may be set as a single condition; once the file operation request meets that condition it is considered to meet the security protection condition, and the monitoring module allows the specific user to carry out the corresponding file operation. For example, in some embodiments the preset protection condition is that the target file is in the specific folder, in which case the target file is regarded as a specific file; in some embodiments it is that the file path of the target file is the file path of a specific file, in which case the target file is likewise regarded as a specific file; and in some embodiments it is that the file identifier of the target file is the file identifier of a specific file, again making the target file a specific file. Other preset protection conditions may be set as required and are not limited here.
In some embodiments, to strengthen protection against leakage or other security risks to the specific file, the preset protection condition is composed of several sub-conditions. For example, in some embodiments the preset protection condition is that the target file is in the specific folder and the current user ID is the specific user ID: the target file being in the specific folder is one sub-condition and the current user ID being the specific user ID is another, where the current user ID is the user ID logged in at the front-end interface, or the user ID logged in when the file operation request for the specific file is sent. In this case only an operator logged in as the specific user can send a file operation request for the specific file, which prevents other ordinary users from operating on the specific file and improves security protection. In some embodiments the preset protection condition has three sub-conditions: the target file is in the specific folder, the current user ID is the specific user ID, and the file operation is not a file transfer event. On top of allowing an operator logged in as the specific user to send file operation requests for the specific file, this prevents the specific file from being transferred: operations on the specific file are limited to the current device, and transferring it to other devices or networks is forbidden, which further improves its security protection. Or, in some embodiments, the sub-conditions are that the target file is in the specific folder, the current user ID is the specific user ID, and the file operation is not a file modification event, so that modification of the specific file is prevented.
Or in some embodiments, the sub-conditions of the preset protection condition are respectively set as that the target file is in the specific folder, the current user ID is the specific user ID, and the file operation authority is the preset operation authority, from which the preset operation authority may be a specific account number password, and when the file operation authority is the specific account number password, the monitoring module allows an operator to perform related file operations on the specific file, including file operations of a file modification event and a file transmission event, where the file transmission event may be file transmission performed by wired transmission and/or wireless transmission, for example, the specific file is transmitted to other devices by a local device in a wired transmission manner such as USB or network cable, or the specific file is transmitted to other devices by a local device in a wireless transmission manner such as WiFi or bluetooth, or the file transmission event may also be file transmission performed by a network transmission manner, so as to prevent the operator from sending the file to other people by means such as WeChat or USB. Or the preset protection condition is set in other ways, not limited herein, and set according to needs.
In steps 110 to 140, the specific user is independently created for the specific file, which is beneficial to correspondingly establishing the specific file through the specific user, ensuring the storage independence of the specific file, thereby increasing the data security protection performance, and when the specific user is established, the specific folder is correspondingly established to store the specific file in the specific folder, so that the data of the specific file has independent storage space and can be operated by the specific user, and the common file is stored in other folders and is operated by other common users.
The method utilizes a specific user created by the multi-user system, so that the specific user and ordinary users are isolated and distinguished from each other: data of different users are isolated, and the programs and data of different users are isolated natively by the system. Compared with traditional data isolation techniques (file redirection and sandboxing), the method requires no hooking and does not change how the system operates on files; it is simple and stable, highly compatible, leaves user habits unchanged, has little effect on system performance, and reduces development difficulty while improving software development efficiency. In addition, the specific user is created in the background space and is isolated from the front-end interface, forming a front end and a back end, which further improves data security protection.
The monitoring module detects the file operation request and judges whether it meets the preset protection condition. If it does, the request lies within the safety protection range: the monitoring module allows the corresponding file operation and sends the background space's file operation interface for the specific file to the front-end interface, so that the front-end interface can perform the related operation on the specific file in the background space without operating on the specific file directly, which protects the specific file better. In this way, the operator's operations on the specific file are performed under the monitoring of the monitoring module, which prevents the operator from leaking the specific file while still allowing normal use of the specific file for work; the specific file remains stored in the background space, which benefits its data security.
In some embodiments, the method further comprises:
step 150: creating an encrypted virtual disk, and modifying the file path of the specific folder to the file path of the encrypted virtual disk.
In step 150, the encrypted virtual disk is created so that the file path of the specific folder becomes an encrypted file path, which increases the confidentiality of the specific file and reduces its security risk. When an operator sends a file operation request for a specific file and the monitoring module detects that the request meets the preset protection condition, the monitoring module first triggers the related decryption module to decrypt the virtual disk, after which the related execution system in the background space performs the corresponding file operation on the specific file.
In some embodiments, the file operation request carries the current user ID, and steps 130 and 140 further comprise:
step a01: the monitoring module judges whether the target file is in the specific folder or not;
step a02: if the target file is in the specific folder, the monitoring module judges whether the current user ID is a specific user ID or not;
step a03: if the monitoring module judges that the current user ID is the specific user ID, the monitoring module sends the background space's file operation interface for the specific file to the front-end interface according to the file operation request.
In steps a01 to a03, since the target file may be either an ordinary file or a specific file, the monitoring module first checks whether the file to be operated on is a specific file: the target file being in the specific folder is one sub-condition and the current user ID being the specific user ID is another, so the module first determines whether the target file is a specific file and, if so, further determines whether the current user ID is the specific user ID. The current user ID is the user ID logged in on the front-end interface, or the user ID logged in when the file operation request for the specific file is sent; in this case only an operator side logged in as the specific user can send a file operation request for the specific file, which prevents file operations of other ordinary users on the specific file and improves safety protection.
In some embodiments, the monitoring module includes an intermediate service module and a detection module set up on the basis of the macOS system extension, and steps 130 and 140 further comprise:
step b01: the detection module detects a file operation request sent by a front-end interface, and judges whether the file operation request accords with preset protection conditions or not, wherein the preset protection conditions are set according to the specific file;
step b02: if the file operation request meets the preset protection condition, the detection module allows the corresponding file operation;
step b03: the intermediate service module sends the file operation interface for the specific file to the front-end interface.
In steps b01 to b03: detecting file operation requests and performing the related feedback actions requires a large amount of data processing by the monitoring module, which easily affects system operation and processor capacity; a single monitoring module therefore raises system stability problems and reduces processing efficiency. Splitting the monitoring module into different execution modules shortens execution time, and a problem in one execution module does not affect the execution of the other, which improves processing efficiency and system stability. In addition, the computation needed to detect file operation requests and to judge the preset protection condition is large, because it has to prevent leakage of the specific file; a monitoring module doing this work is prone to crashing, and if it were placed in kernel space it could easily crash macOS itself. Therefore the monitoring module is set to include the intermediate service module and a detection module built on the macOS system extension: the detection module executes steps b01 and b02 and the intermediate service module executes step b03. The detection module runs at the application layer, isolated from kernel space, so even if it crashes, the operating system in kernel space is unaffected and continues to run normally and stably.
System extensions are a mechanism introduced in macOS 10.15 Catalina and later. They are a secure and controlled way to extend system functionality, providing access to specific capabilities such as network extensions, drivers and file system extensions. System extensions can be distributed and updated through the App Store and are subject to Apple's review and restrictions.
A system extension runs at the application layer (user space); compared with a kernel extension running at the kernel layer (kernel space), it has the following advantages:
Security: running a system extension at the application layer provides better security. Application-layer processes are isolated and protected by the operating system, so an error or malicious behaviour in the system extension generally cannot directly affect the core system or other processes. This isolation reduces the risk of system vulnerabilities and increases system stability.
Error tolerance: application-layer processes handle exceptions and errors more easily, because they can be restored to a normal state simply by terminating or restarting them. When an error occurs at the kernel layer, the entire system may crash, or more complex and risky operations (such as a reboot) may be needed to resolve the problem.
Development and debugging: developing and debugging a system extension at the application layer is relatively simpler. Developers can use standard application development tools and debuggers to track down and fix errors more easily. In addition, developing a system extension at the application layer does not require special rights or privileges, so it is easier to develop and test.
Compatibility and updates: a system extension running at the application layer more easily remains compatible with operating system upgrades and updates. An operating system upgrade usually does not break or affect the application-layer interfaces, so the system extension can continue to run on different operating system versions without modification or recompilation.
Therefore, building the detection module on the system extension benefits system stability, reduces development difficulty, offers good compatibility and reduces repeated development work.
Application space refers to the area of the operating system in which user application programs run. In application space, a user can write and execute various application programs, such as a text editor, a browser or a game. Application programs run in user mode, with lower authority and restricted access to system resources. A user application requests services and resources provided by the operating system from the kernel through a system call.
Kernel space is the core part of the operating system, responsible for managing system resources and providing the various system services. The kernel runs in kernel mode with the highest authority and full access to system resources. Kernel space includes the core modules of the operating system, such as process management, memory management, file systems and device drivers. It provides a system call interface through which user applications access kernel functions and system resources.
The intermediate service module is used for transferring the background interface to the front end interface and is usually arranged in the user space.
In this embodiment, the detection module, built on the system extension, registers with macOS the monitoring events and feedback behaviours related to file operations. For example, when macOS detects a file operation request such as opening or modifying a file or accessing the network, it notifies the detection module; the detection module determines from the request whether it meets the corresponding preset protection condition and returns an instruction to prohibit or allow the operation; when the returned instruction is to prohibit, macOS prohibits the file operation, such as the file open, modification or network access.
Specifically, macOS is a multi-user system in which multiple users can be logged in at the same time, but only the last logged-in or switched-to user has its interface output to the display and receives mouse and keyboard messages, so an operator cannot directly view or operate the specific user's session. The detection module, the intermediate service module and the view control module are all embodied as programs stored in the memory and executed by the processor.
The detection module monitors all file operation requests on the system. A request comprises the operation type (open, read, write, and so on), the file path, the operating program and the user ID that started the operating program. If the file path belongs to the specific user's directory, the operation is allowed for the specific user and forbidden for other users; if the file path does not belong to the specific user's directory, the operation is allowed for other users, while the specific user may only read the file and not write it. This prevents ordinary users from accessing the specific user's files and prevents the specific user from writing files into non-specific user directories.
Communication and interaction are performed between the application space and the kernel space through system call. When a user application needs to perform a privileged operation or access a restricted resource, it will pass the request through a system call to the kernel space, which returns the result to the application after the request is completed. This separate design may improve the security and stability of the system while limiting direct access to system resources by user applications.
In some embodiments, the monitoring module includes an intermediate service module and a detection module set up on the basis of the macOS system extension, the file operation request carries a file path and a current user ID, and steps 130 and 140 further comprise:
step b04: the detection module detects a file operation request sent by the front-end interface and judges whether the file path is in the specific folder or not;
step b05: if the detection module judges that the file path is in the specific folder, the detection module judges whether the current user ID is a specific user ID or not;
step b06: if the detection module judges that the current user ID is the specific user ID, the detection module allows the corresponding file operation;
step b07: the intermediate service module sends the file operation interface for the specific file to the front-end interface.
In steps b04 to b07, the preset protection condition comprises that the file path is in the specific folder and the current user ID is the specific user ID. The detection module judges whether the file path and the current user ID meet the corresponding preset protection condition, so as to accurately identify file operation requests for the specific file and reduce its leakage risk.
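The decision logic of steps b04 to b07, combined with the sub-conditions of the preset protection condition (no transmission event, optionally no modification event) and the directory rule the detection module applies (specific-user directory allowed only for the specific user; other directories read-only for the specific user), as an added example in C that is not part of the patent or of any product. The real detection module would run inside a macOS system extension and answer the system's authorization callback; this stand-alone program only models the policy evaluation on an already resolved path and the requesting user ID, and the user IDs, paths and folder names are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Operation classes that a file operation request may carry. */
typedef enum { OP_READ, OP_WRITE, OP_TRANSMIT } op_type_t;

/* Result returned to the system for the request (modelled, not the real callback). */
typedef enum { DECISION_DENY = 0, DECISION_ALLOW = 1 } decision_t;

/* A file operation request as the detection module receives it. The path is
 * assumed to be absolute and already canonicalised (symlinks and ".." resolved);
 * checking an unresolved path would let a link bypass the folder test. */
typedef struct {
    op_type_t   op;
    const char *path;
    uid_t       uid;      /* current user ID that issued the request */
} file_request_t;

/* Preset protection condition: the specific user, its specific folder, and the
 * optional sub-conditions "not a transmission event" / "not a modification event". */
typedef struct {
    uid_t       specific_uid;
    const char *specific_folder;  /* absolute path without trailing slash */
    bool        allow_transmit;
    bool        allow_modify;
} policy_t;

/* Constructed example policy (hypothetical user ID and folder). */
static const policy_t EXAMPLE_POLICY = {
    .specific_uid    = 501,
    .specific_folder = "/Users/secret",
    .allow_transmit  = false,   /* three-sub-condition variant: transmission forbidden */
    .allow_modify    = true,
};

/* True if path is the folder itself or lies beneath it on a path-component
 * boundary, so "/Users/secret" does not match "/Users/secretary/x". */
bool path_within_folder(const char *path, const char *folder)
{
    size_t n = strlen(folder);
    if (n == 0 || strncmp(path, folder, n) != 0)
        return false;
    return path[n] == '\0' || path[n] == '/';
}

/* Steps b04-b07 plus the directory rule: evaluate one request against the policy. */
decision_t evaluate_request(const policy_t *p, const file_request_t *r)
{
    if (path_within_folder(r->path, p->specific_folder)) {
        /* Sub-condition 1 holds (target is a specific file); now the current
         * user ID must be the specific user ID. */
        if (r->uid != p->specific_uid)
            return DECISION_DENY;
        if (r->op == OP_TRANSMIT && !p->allow_transmit)
            return DECISION_DENY;
        if (r->op == OP_WRITE && !p->allow_modify)
            return DECISION_DENY;
        return DECISION_ALLOW;
    }
    /* Outside the specific folder: ordinary users are unrestricted, the specific
     * user may only read, so a specific file can never be written into a
     * non-specific directory. */
    if (r->uid == p->specific_uid && r->op != OP_READ)
        return DECISION_DENY;
    return DECISION_ALLOW;
}

/* Convenience wrapper: build a request and evaluate it. */
decision_t check(const policy_t *p, op_type_t op, const char *path, uid_t uid)
{
    file_request_t r = { op, path, uid };
    return evaluate_request(p, &r);
}

int main(void)
{
    /* Constructed requests: (operation, path, uid). */
    static const struct { op_type_t op; const char *path; uid_t uid; } reqs[] = {
        { OP_READ,     "/Users/secret/plan.docx",   501 },  /* specific user reads own file     */
        { OP_READ,     "/Users/secret/plan.docx",   502 },  /* ordinary user: denied            */
        { OP_TRANSMIT, "/Users/secret/plan.docx",   501 },  /* transmission event: denied       */
        { OP_WRITE,    "/Users/alice/notes.txt",    501 },  /* specific user writes outside     */
        { OP_WRITE,    "/Users/alice/notes.txt",    502 },  /* ordinary user outside: allowed   */
        { OP_READ,     "/Users/secretary/memo.txt", 502 },  /* prefix trap: not a specific file */
    };
    static const char *opname[] = { "read", "write", "transmit" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        decision_t d = check(&EXAMPLE_POLICY, reqs[i].op, reqs[i].path, reqs[i].uid);
        printf("%-8s uid=%u %-28s -> %s\n", opname[reqs[i].op], (unsigned)reqs[i].uid,
               reqs[i].path, d == DECISION_ALLOW ? "allow" : "deny");
    }
    return 0;
}
```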
In some embodiments, prior to step 110, the method includes:
step c01: the identification module identifies whether the current file has a specific identification;
step c02: if the current file has the specific identifier, taking the current file with the specific identifier as the specific file.
In steps c01 and c02, the identification module runs on macOS. The current file is a file of any format and may be an externally input file or an original file of the current device; the identification module identifies whether the current file carries a specific identifier, so as to determine whether it is a specific file. If the current file carries the specific identifier, the identification module determines that it is the specific file, and the processor can then execute steps 110 and 120 automatically, which reduces manual work, improves working efficiency and accuracy, and reduces the leakage risk of the specific file.
The specific identifier may be a text identifier indicating a secret file, an important file or an important level, or an identifier with an encrypted field, or a color identifier indicating an important level, or other specific identifiers, which are not limited herein, and are set according to needs.
In some embodiments, the specific file already carries the specific identifier when it is transferred to the current device.
In some embodiments, the specific identifier indicates an importance level, and before step 120 different security treatments may be applied to current files carrying different importance levels, as needed. For example, in some cases the specific identifier comprises a primary identifier, a secondary identifier and a tertiary identifier, where the primary identifier is the highest importance level, the tertiary identifier is the lowest, and the secondary identifier lies between them; the encryption module performs both file encryption and file path encryption on a specific file with the primary identifier, performs file path encryption only on a specific file with the secondary identifier, and performs neither file encryption nor file path encryption on a specific file with the tertiary identifier.
When the encryption module performs automatic encryption, it does so according to preset encryption conditions, which are set as required and are not described here. The encryption module is set up on the basis of macOS.
In some embodiments, step 110 further comprises:
step 111: the creation module automatically creates the specific user for the specific file in the background space by utilizing the multi-user system, according to preset user creation conditions;
step 120 further comprises:
step 121: the creation module stores the specific file in the specific folder of the specific user according to preset folder creation conditions.
In step 111, after the identification module determines the specific file based on the specific identifier, the macOS-based creation module is triggered to automatically create the specific user according to the preset user creation condition, so as to improve efficiency.
In some embodiments, the preset user creating condition may be a preset user naming condition, so as to name a specific user, for example, the preset user naming condition is set according to a preset name, a code number, time or other naming modes, where the preset name may be a specific file name or other names, and is not limited herein, and is set according to needs.
In step 121, after the specific user has been created, the creation module is triggered to store the specific file in the specific folder according to the preset folder creation condition.
In some embodiments, the preset folder creation condition may be a preset folder naming condition to name a specific folder, for example, the preset folder naming condition is set correspondingly according to a specific file name, code, time or other rule capable of distinguishing and representing different specific files.
Through step 111 and step 121, the processor can automatically create a specific user and a specific folder to automatically place a specific file in the specific folder, so that the working efficiency is improved, the leakage risk of the specific file is reduced, and the safety protection capability is enhanced.
In some embodiments, prior to step 120, the method further comprises:
step d01: the encryption module judges whether the specific file is encrypted or not;
step d02: if the specific file is not encrypted, setting encryption for the specific file.
In steps d01 and d02, encryption is set for the specific file to further enhance its data security. The encryption module judges whether the specific file is already encrypted: if it is, encryption need not be repeated, which avoids wasting computing resources; if it is not, the encryption module encrypts the specific file, making it harder to leak and improving its data security protection.
The encryption algorithm may be a reversible algorithm, a non-reversible algorithm, or other encryption algorithms, which are not limited herein and are set as needed.
FIG. 2 illustrates a schematic diagram of a computing device according to an embodiment of the present invention, and the embodiment of the present invention is not limited to a specific implementation of the computing device.
As shown in fig. 2, the computing device may include: a processor 202, a communication interface (Communications Interface) 204, a memory 206, and a communication bus 208.
Wherein: processor 202, communication interface 204, and memory 206 communicate with each other via communication bus 208. A communication interface 204 for communicating with network elements of other devices, such as clients or other servers. Processor 202 is configured to execute program 210 and may specifically perform the relevant steps described above for the macOS-based security method embodiment.
In particular, program 210 may include program code comprising computer-executable instructions. The execution of the method steps of each module, such as the monitoring module, the creation module, the encryption module, etc., is implemented by the program 210.
The processor 202 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the computing device may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
A memory 206 for storing a program 210. The memory 206 may comprise high-speed RAM memory or may further comprise non-volatile memory (non-volatile memory), such as at least one disk memory.
Embodiments of the present invention also provide a variety of computer-readable storage media having at least one executable instruction stored therein that, when executed, performs the operations of any of the macOS-based security methods described above.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with the teachings herein. The required structure for a construction of such a system is apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It will be appreciated that the teachings of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided for disclosure of enablement and best mode of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the above description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be construed as reflecting the intention that: i.e., the claimed invention requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component, and they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order. These words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specifically stated.

Claims (8)

1. A macOS-based security method, the method comprising:
independently creating a specific user in a background space for a specific file by utilizing a multi-user system;
storing the specific file in a specific folder of the specific user;
creating an encrypted virtual disk, and modifying the file path of the specific folder to the file path of the encrypted virtual disk;
a monitoring module detects a file operation request sent by a front-end interface for a target file, and judges whether the file operation request meets a preset protection condition, wherein the preset protection condition is set according to the specific file;
if the file operation request meets the preset protection condition, the monitoring module sends a file operation interface of the background space for the specific file to the front-end interface according to the file operation request;
wherein the monitoring module comprises an intermediate service module and a detection module set up on the basis of a macOS system extension, the file operation request carries a file path and a current user ID, and the judging whether the file operation request meets the preset protection condition and, if the file operation request meets the preset protection condition, the monitoring module sending the file operation interface of the background space for the specific file to the front-end interface according to the file operation request further comprises:
the detection module detects the file operation request sent by the front-end interface and judges whether the file path is in the specific folder;
if the detection module judges that the file path is in the specific folder, the detection module judges whether the current user ID is a specific user ID;
if the detection module judges that the current user ID is the specific user ID, the detection module allows the corresponding file operation;
the intermediate service module sends the file operation interface for the specific file to the front-end interface.
2. The macOS-based security method of claim 1, wherein the file operation request carries a current user ID, and the judging whether the file operation request meets the preset protection condition and, if the file operation request meets the preset protection condition, the monitoring module sending the file operation interface of the background space for the specific file to the front-end interface according to the file operation request further comprises:
the monitoring module judges whether the target file is in the specific folder;
if the target file is in the specific folder, the monitoring module judges whether the current user ID is a specific user ID;
if the monitoring module judges that the current user ID is the specific user ID, the monitoring module sends the file operation interface of the background space for the specific file to the front-end interface according to the file operation request.
3. The macOS-based security method of claim 1, wherein the monitoring module comprises an intermediate service module and a detection module set up on the basis of a macOS system extension, and the monitoring module detecting the file operation request sent by the front-end interface for the target file and judging whether the file operation request meets the preset protection condition, the preset protection condition being set according to the specific file,
and, if the file operation request meets the preset protection condition, the monitoring module sending the file operation interface of the background space for the specific file to the front-end interface according to the file operation request, further comprises:
the detection module detects the file operation request sent by the front-end interface and judges whether the file operation request meets the preset protection condition, wherein the preset protection condition is set according to the specific file;
if the file operation request meets the preset protection condition, the detection module allows the corresponding file operation;
the intermediate service module sends the file operation interface for the specific file to the front-end interface.
4. The macOS-based security method of claim 1, wherein before independently creating the specific user in the background space for the specific file by utilizing the multi-user system, the method comprises:
an identification module identifies whether a current file has a specific identifier;
if the current file has the specific identifier, taking the current file with the specific identifier as the specific file.
5. The macOS-based security method of claim 4, wherein independently creating the specific user in the background space for the specific file by utilizing the multi-user system further comprises:
a creation module automatically creates the specific user for the specific file in the background space by utilizing the multi-user system, according to preset user creation conditions;
and storing the specific file in the specific folder of the specific user further comprises:
the creation module stores the specific file in the specific folder of the specific user according to preset folder creation conditions.
6. The macOS-based security protection method according to claim 1, wherein before the storing of the specific file in the specific folder of the specific user, the method further comprises:
judging whether the specific file is encrypted; and
if the specific file is not encrypted, encrypting the specific file.
7. A computing device, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is configured to hold at least one executable instruction that causes the processor to perform the operations of the macOS-based security protection method of any one of claims 1 to 6.
8. A computer-readable storage medium having stored therein at least one executable instruction that, when executed, performs the operations of the macOS-based security protection method of any one of claims 1 to 6.
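The claims above describe a scheme in which each specific file gets its own dedicated user account, is stored under that user's folder, and is reached only through a monitoring module that first checks a protection condition on the request and then compares the requesting user ID with the specific user ID. The following is an added illustration written for this page of how that decision logic can be modeled; it is not the patentee's code and does not show how the real system creates macOS accounts or encrypts files. The "protected" identifier, the UID range, the /Users home root, the class names and the shape of the returned interface are all assumptions. It goes slightly beyond the claims in one respect a practitioner would want: the lookup normalizes the requested path so that "../" spellings of a protected path cannot slip past the protection check.

```python
# Added illustrative model of the claimed per-file user isolation and the
# monitoring module's gating logic. Example code for this page, not the
# patentee's implementation. Names, the "protected" identifier, the UID
# range, the /Users home root and the returned interface are assumptions.
import posixpath
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SPECIFIC_IDENTIFIER = "protected"   # assumed tag that marks a file as a "specific file"


@dataclass(frozen=True)
class SpecificUser:
    name: str
    uid: int
    folder: str                     # the specific folder inside this user's home


@dataclass(frozen=True)
class FileOperationRequest:
    uid: int                        # current user ID of the requesting front-end process
    path: str                       # target file as named by the front end
    op: str                         # "read", "write" or "delete"


@dataclass
class ProtectedFile:
    path: str                       # where the specific file lives inside the specific folder
    user: SpecificUser
    encrypted: bool


@dataclass(frozen=True)
class FileOperationInterface:
    """Handle the background space hands to the front end for one allowed operation."""
    file: ProtectedFile
    op: str


class BackgroundSpace:
    """Creates one specific user per specific file and records where the file was stored."""

    def __init__(self, first_uid: int = 5000, home_root: str = "/Users"):
        self._next_uid = first_uid
        self._home_root = home_root
        self.files: Dict[str, ProtectedFile] = {}   # keyed by normalized protected path

    @staticmethod
    def is_specific_file(identifier: Optional[str]) -> bool:
        # Claim 4: a file is a specific file iff it carries the specific identifier.
        return identifier == SPECIFIC_IDENTIFIER

    def protect(self, source_path: str, identifier: Optional[str],
                encrypted: bool) -> Optional[ProtectedFile]:
        if not self.is_specific_file(identifier):
            return None                           # ordinary file: left alone
        # Claims 1 and 5: a fresh user for this file. Simulated in memory here;
        # a real macOS implementation would create the account and its home.
        uid = self._next_uid
        self._next_uid += 1
        name = f"_sf{uid}"
        user = SpecificUser(name=name, uid=uid,
                            folder=posixpath.join(self._home_root, name, "Protected"))
        # Claim 6: make sure the file is encrypted before it is stored.
        if not encrypted:
            encrypted = True                      # stands in for the actual encryption step
        dest = posixpath.normpath(posixpath.join(user.folder, posixpath.basename(source_path)))
        pf = ProtectedFile(path=dest, user=user, encrypted=encrypted)
        self.files[dest] = pf
        return pf


class MonitoringModule:
    """Claims 1 to 3: check the protection condition, then the requesting user's ID."""

    def __init__(self, space: BackgroundSpace):
        self.space = space

    def handle(self, req: FileOperationRequest) -> Tuple[str, Optional[FileOperationInterface]]:
        # Normalize before matching so "a/../b" spellings cannot dodge the lookup.
        # On a real filesystem resolve symlinks too (os.path.realpath) before comparing.
        pf = self.space.files.get(posixpath.normpath(req.path))
        if pf is None:
            return "passthrough", None            # not a specific file: no protection condition applies
        if req.uid != pf.user.uid:
            return "denied", None                 # claim 2: current user ID is not the specific user ID
        return "allowed", FileOperationInterface(file=pf, op=req.op)
```

The ordering matters: the protection condition is evaluated before the user ID comparison, so a request for an ordinary file never consults the specific user table, while a request that does resolve to a specific file is answered only for the one UID that was created for it. On a real system the comparison must be made against the path the kernel actually resolves, not the string the front end supplied.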
CN202311303595.3A 2023-10-10 2023-10-10 macOS-based safety protection method, macOS-based safety protection equipment and storage medium Active CN117034330B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311303595.3A CN117034330B (en) 2023-10-10 2023-10-10 macOS-based safety protection method, macOS-based safety protection equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311303595.3A CN117034330B (en) 2023-10-10 2023-10-10 macOS-based safety protection method, macOS-based safety protection equipment and storage medium

Publications (2)

Publication Number Publication Date
CN117034330A CN117034330A (en) 2023-11-10
CN117034330B true CN117034330B (en) 2024-01-30

Family

ID=88643495

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311303595.3A Active CN117034330B (en) 2023-10-10 2023-10-10 macOS-based safety protection method, macOS-based safety protection equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117034330B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102141893A (en) * 2011-05-11 2011-08-03 清华大学 Large-breadth interactive desktop-oriented multi-user window system
CN114357514A (en) * 2021-12-31 2022-04-15 中易通科技股份有限公司 Multi-user partition isolation method based on security chip
CN115455329A (en) * 2022-08-29 2022-12-09 北财在线科技(北京)有限公司 B/S architecture cross-platform cross-multi-terminal RPA designer system and implementation method

Also Published As

Publication number Publication date
CN117034330A (en) 2023-11-10

Similar Documents

Publication Publication Date Title
EP3610403B1 (en) Isolated container event monitoring
US10361998B2 (en) Secure gateway communication systems and methods
RU2679721C2 (en) Attestation of host containing trusted execution environment
KR102255767B1 (en) Systems and methods for virtual machine auditing
US9424430B2 (en) Method and system for defending security application in a user's computer
US20110239306A1 (en) Data leak protection application
US20050149726A1 (en) Systems and methods for secure client applications
KR20180097527A (en) Dual Memory Introspection to Protect Multiple Network Endpoints
CN113239329B (en) System for realizing trusted execution environment of mobile terminal application program
Singh et al. Analysis of malicious behavior of android apps
JP2022541796A (en) Secure runtime system and method
CN110874468A (en) Application program safety protection method and related equipment
US10250595B2 (en) Embedded trusted network security perimeter in computing systems based on ARM processors
US20150326611A1 (en) Security control apparatus and method for cloud-based virtual desktop
EP3178032B1 (en) Embedding secret data in code
JP2001318797A (en) Automatic data processor
EP3298534B1 (en) Creating multiple workspaces in a device
US20230074455A1 (en) System and method for monitoring delivery of messages passed between processes from different operating systems
CN117034330B (en) macOS-based safety protection method, macOS-based safety protection equipment and storage medium
KR20150055934A (en) Multi-channel method and device for smartwork security framework based on mobile virtualization environment
Nazar et al. Rooting Android–Extending the ADB by an auto-connecting WiFi-accessible service
KR20160102915A (en) Security platform management device for smart work based on mobile virtualization
EP4145318A1 (en) System and method for monitoring delivery of messages passed between processes from different operating systems
JP5835022B2 (en) Distribution apparatus, distribution processing method and program, information processing apparatus, information processing method and program
Sfyrakis et al. Virtuscap: capability-based access control for unikernels

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant