CN1652056A - Implementing method for intensifying safety of operating system - Google Patents


Info

Publication number: CN1652056A
Authority: CN (China)
Legal status: Pending
Application number: CN 200410155226
Other languages: Chinese (zh)
Inventor: 黄建龙
Current Assignee: Individual
Original Assignee: Individual

Abstract

The present invention provides a method for improving operating system security. By changing the running environment of executable code in the operating system and verifying executable code when it requests to run, the method controls the permissions with which that code runs, thereby ensuring operating system security.

Description

A method for strengthening operating system security
Technical field:
The present invention relates to the security of the operating system in any device or machine on which an operating system is installed, and belongs to the technical field of operating system security.
Background technology:
Now and for a long time to come, the security of the operating systems installed in devices and machines will bear directly on national and personal security.
Computers, mobile phones and other devices and machines that run an operating system are increasingly widespread. At the same time, the losses caused by viruses, hackers and maliciously exploitable bugs are rising, and the threat to user data keeps growing. Because the security of the operating system bears directly on the security of the computers, mobile phones and other devices and machines that run it, installing a highly secure operating system on such devices and machines has become an urgent task.
The following description takes the computer as its example; other devices and machines with an installed operating system share one or more identical or similar characteristics with the computer.
At present the main sources of threat to an operating system are: 1. malicious programs such as viruses; 2. programs containing vulnerabilities that can be maliciously exploited; 3. human factors such as hacker attacks. The shortcomings of the main techniques currently used against each of these threats are described below.
Malicious programs such as viruses are mainly guarded against by two techniques: 1. matching virus signatures; 2. monitoring virus behavior. Both have had some effect on virus prevention, but each has unavoidable shortcomings. With the first technique, signature matching, the virus signature data must be continually updated and upgraded on top of the existing signatures, which risks burdening the operating system; moreover, if the user does not update the signature data in time, the technique lets a virus do as it pleases once the operating system is infected, does nothing for the security of the operating system, and may cause the user irrecoverable loss. With the second technique, behavior monitoring, system performance is reduced, and the more programs the user runs the greater the impact; furthermore, the behavior of viruses and other malicious programs is highly varied, and a misjudgment may lead to loss of user data or to normal programs being unable to run.
Programs containing maliciously exploitable vulnerabilities are often used to execute malicious code, and the executed malicious code usually generates further code that remains on the user's operating system as a latent danger. This kind of threat is only partly addressed, mainly by upgrading the software or adding a guard process, and these measures are powerless against malicious code already left on the user's system. Likewise, if the software is not upgraded or the guard process is not added in time, the threat persists.
Protection against human factors such as hacker attacks still concentrates mainly on preventing malicious programs such as viruses from being planted in the system by hand, preventing vulnerable programs from being maliciously exploited, and monitoring and analyzing human operations. Besides sharing the shortcomings of the techniques used against the first two threats, such monitoring and analysis also reduces system performance and is relatively difficult to implement.
It can be seen that the prior art does not ensure the security of the operating system well.
Summary of the invention:
To overcome the shortcomings of the prior art in ensuring operating system security, the invention provides a method for strengthening operating system security. By changing the running environment of executable code in the operating system and verifying executable code when it requests to run, the method controls the permissions with which executable code runs. It thereby guards against malicious code such as viruses, against programs containing maliciously exploitable vulnerabilities, and against human factors such as hacker attacks, and achieves the purpose of ensuring operating system security.
The technical scheme provided by the invention comprises:
(1) Setting the executable code running environment on the operating system: on the installed operating system, a unique executable code running environment is generated from one of, or a combination of several of, parameters such as hardware information, software information, user information and random information.
(2) Verifying and authorizing executable code on the operating system: executable code is authorized according to the generated executable code running environment.
(3) Controlling the running of executable code on the operating system: when executable code requests to run, the system first checks whether the code has passed system verification. If it has not, the user is prompted to verify the code and authorize it with specified running permissions; if it has, the code runs with the permissions already authorized.
In the described method, step (1) further comprises: when the user asks to change the executable code running environment, the system prompts whether to revoke all executable code that has been verified. If the user revokes, the user must verify and authorize all executable code once again; if not, the system automatically re-verifies and re-authorizes all executable code that had already been verified.
Step (2) further comprises: a time limit may optionally be attached to the verification authorization of executable code.
Step (2) further comprises: where necessary, the user verifies and authorizes the executable code again.
Step (2) further comprises: to ensure that programs run normally and to guard against the user's authorization being too narrow or too broad, an operation that exceeds the authorized permissions can be configured to prompt for authorization, to be allowed by default, or to be denied by default and recorded.
The method of the invention further comprises:
Recording anomalies that occur in the operating system and, where necessary, prompting the user to handle them.
The beneficial effects of the invention include, but are not limited to:
Against viruses: when malicious code such as a virus that has reached this machine from other media requests to run, it cannot run on this machine because it has not passed the user's verification, which largely prevents the spread and destruction of viruses. Against programs containing maliciously exploitable vulnerabilities: when such a vulnerability is used to run another malicious program, that program cannot run on this machine because it has not passed the user's verification, which largely prevents the spread and destruction of malicious code. Against human factors such as hacker attacks: since viruses and maliciously exploitable programs are already guarded against, the remaining threat is mainly manual operation, and when an operation the user has not authorized is attempted, the system prevents it from being carried out. The invention can therefore ensure the security of the operating system well.
Description of drawings:
Fig. 1 is a schematic diagram of the operating system security enhancement adopted by the invention.
Fig. 2 is a flow chart of setting the executable code running environment on the operating system, as adopted in an embodiment of the invention.
Fig. 3 is a flow chart of verifying and authorizing executable code on the operating system, as adopted in an embodiment of the invention.
Embodiment:
The technical features and functions of the invention are described in further detail below with reference to the drawings; this description does not limit the scope of protection of the claims. The computer is taken as the example; other devices and machines with an installed operating system share one or more identical or similar characteristics with the computer.
Fig. 2 is the flow chart, in the embodiment of the invention, of setting the executable code running environment on the operating system and of verification authorization. The implementation according to Fig. 2 has three main steps. Step 1 is setting the executable code running environment on the operating system. To prevent the executable code running environment from being maliciously cracked, an irreversible encryption function can be defined that takes one of, or a combination of several of, parameters such as hardware information, software information, user information and random information, and generates the unique executable code running environment. Concrete parameters include the hard disk serial number, the operating system serial number, the user name, the user password, randomly generated information, and so on.
Step 1 also comprises: where no operating system is installed yet, setting the executable code running environment immediately after the operating system is installed; where an operating system is already installed and it is uncertain whether it has been infected by a virus or the like, advising the user to run antivirus software to scan for and remove viruses before setting the executable code running environment.
Step 1 further comprises: in a multi-user environment, only designated, authorized users may be given the right to set the executable code running environment again.
Step 2 is verifying and authorizing system files. To ensure the normal operation of the system, system files should be verified and authorized immediately after the executable code running environment has been configured on the operating system. Before system files are verified and authorized, it should be ensured that the system has not been intruded on or damaged at that point, so it is recommended that this step be carried out right after operating system installation is complete.
Step 2 also comprises: a time limit may optionally be attached to the verification authorization of executable code.
Step 2 further comprises: where necessary, the user verifies and authorizes the executable code again. In a multi-user environment, only designated, authorized users may be given the right to verify and authorize executable code again.
Step 3 is verifying and authorizing other executable code. For program files the user has already installed, the user may choose to verify and authorize all of them in one pass. To spare the user from mistakes when verifying and authorizing executable code, default reference permissions for commonly used executable code can be provided and executable code verified and authorized automatically.
Step 3 also comprises: when files are installed, after the installer has run, the executable code it generated can be detected and then verified and authorized by the user.
Step 3 further comprises: requiring the user to provide an authorization password when system files and other executable code are verified and authorized.
Fig. 3 is the flow chart for when executable code runs in the embodiment of the invention. The implementation according to Fig. 3 is as follows: when executable code requests to run, the system checks whether the code has been verified and authorized. If it has not, the user is asked whether to verify and authorize it; if the user cancels, the code is stopped from running, and once the user has verified and authorized the code, it runs with the authorized permissions. If it has already been verified and authorized, it runs with the authorized permissions. To ensure that programs run normally and to guard against the user's authorization being too narrow or too broad, an operation that exceeds the authorized permissions can be configured to prompt for authorization, to be allowed by default, or to be denied by default and recorded.
In a concrete implementation, when the permissions of running executable code are controlled, function calls made by executable code that has not been verified and authorized can be blocked by returning a null value to it.
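The three steps and the run-time check described above, modelled in user space as an added example (not code from the patent). It assumes PBKDF2-HMAC-SHA256 as the irreversible function and an HMAC-SHA256 tag as the authorization record; all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import json

# Permission names follow the list in claim 5; the identifiers are this example's.
PERMS = {"create_file", "modify_file", "delete_file", "exec_other",
         "access_memory", "access_hardware", "access_network"}

def derive_environment(hw_serial, os_serial, user, password, random_salt):
    """Step 1: irreversible function over hardware, software, user and random
    parameters. PBKDF2-HMAC-SHA256 is this example's choice of function."""
    ident = json.dumps([hw_serial, os_serial, user]).encode()
    salt = hashlib.sha256(ident).digest() + random_salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _tag(env_key, digest, perms, expires):
    msg = json.dumps([digest, sorted(perms), expires]).encode()
    return hmac.new(env_key, msg, hashlib.sha256).hexdigest()

def authorize(env_key, code, perms, expires=None):
    """Steps 2 and 3: record the user's approval of `code` with a permission
    set and an optional time limit, bound to this machine's environment."""
    unknown = set(perms) - PERMS
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    digest = hashlib.sha256(code).hexdigest()
    return {"sha256": digest, "perms": sorted(perms), "expires": expires,
            "tag": _tag(env_key, digest, perms, expires)}

def check_run(env_key, code, record, requested, now, over_policy="deny"):
    """Run-time flow: decide what happens when `code` asks to perform
    `requested`. over_policy is 'prompt', 'allow' or 'deny' (deny also logs)."""
    digest = hashlib.sha256(code).hexdigest()
    if record is None or record["sha256"] != digest:
        return "prompt_user"              # never verified, or file changed
    good = _tag(env_key, digest, record["perms"], record["expires"])
    if not hmac.compare_digest(good, record["tag"]):
        return "prompt_user"              # approved under another environment
    if record["expires"] is not None and now > record["expires"]:
        return "prompt_user"              # authorization time limit passed
    if requested in record["perms"]:
        return "allow"
    return {"prompt": "prompt_user", "allow": "allow",
            "deny": "deny_and_log"}[over_policy]

def demo():
    # All values below are constructed sample data; a real salt would be random.
    env_a = derive_environment("DISK-A1", "OS-111", "alice", "pw-a", b"\x01" * 16)
    env_b = derive_environment("DISK-B2", "OS-222", "bob", "pw-b", b"\x02" * 16)
    editor = b"constructed editor binary"
    rec = authorize(env_a, editor, {"create_file", "modify_file"}, expires=2000)
    return [
        check_run(env_a, editor, rec, "modify_file", now=1000),
        check_run(env_a, editor, rec, "access_network", now=1000),
        check_run(env_a, editor, rec, "access_network", now=1000,
                  over_policy="prompt"),
        check_run(env_a, editor + b"\x90", rec, "modify_file", now=1000),
        check_run(env_b, editor, rec, "modify_file", now=1000),
        check_run(env_a, editor, rec, "modify_file", now=3000),
    ]

if __name__ == "__main__":
    print(demo())
```

The fifth case is the one the description relies on: a record approved on one machine does not verify under another machine's environment, so code carried over from other media falls back to the user prompt.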

Claims (10)

1. A method for strengthening operating system security, characterized by comprising the following processing steps:
A. setting the executable code running environment on the operating system;
B. verifying and authorizing executable code on the operating system;
C. controlling the running of executable code on the operating system.
2. The method for strengthening operating system security according to claim 1, characterized in that it is applicable to computers, mobile devices and other fields that require an installed operating system.
3. The method for strengthening operating system security according to claim 1, characterized in that, in step A, the parameters for setting the executable code running environment on the operating system comprise hardware information, software information, user information, random information and the like, the environment being generated from one of these parameters alone or from any combination of several of them.
4. The method for strengthening operating system security according to claim 1, characterized in that step A further comprises: the executable code running environment in the operating system can be set in the following situations: 1) when the operating system is installed; 2) when the user requests it; 3) other situations.
5. The method for strengthening operating system security according to claim 1, characterized in that, in step B, the permissions that can be authorized to executable code include but are not limited to: creating files, modifying files, deleting files, calling other executable files, accessing memory, accessing hardware resources, accessing network resources, and so on.
6. The method for strengthening operating system security according to claim 1, characterized in that, in step B, if executable code on the operating system has not been verified and authorized, the user is prompted to verify and authorize the code, or the code runs with default permissions.
7. The method for strengthening operating system security according to claim 1, characterized in that step B further comprises: when executable code on the operating system is verified and authorized, the user may or may not be prompted to enter a password and/or an effective time limit for the verification authorization.
8. The method for strengthening operating system security according to claim 1, characterized in that, in step C, when executable code requests to run and the code matches the running environment of the operating system, it is authorized to run with the permissions specified in its verification authorization information; for executable code that has not been verified and authorized, the method returns to step B.
9. The method for strengthening operating system security according to claim 1, characterized in that, in step C, when executable code at run time requests an operation exceeding its permissions, the running of the executable code can be stopped immediately.
10. The method for strengthening operating system security according to claim 1, characterized in that step C further comprises: when executable code at run time requests an operation exceeding its permissions, recording it and prompting the user to handle it.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200410155226 CN1652056A (en) 2004-08-16 2004-08-16 Implementing method for intensifying safety of operating system

Publications (1)

Publication Number Publication Date
CN1652056A (en) 2005-08-10

Family

ID=34869722

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication