GB2561862A - Computer device and method for handling files - Google Patents
Publication number: GB2561862A (application GB1706567.3)
Authority: GB (United Kingdom)
Prior art keywords: file, computer device, tag, particular file, files
Legal status: Withdrawn (status as listed by Google Patents; not a legal conclusion)
Classifications (CPC)
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine
- G06F16/10—File systems; File servers
- G06F16/164—File meta data generation
- G06F21/566—Computer malware detection or handling: dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F21/606—Protecting data by securing the transmission between two devices or processes
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
- G06F16/1734—Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
- G06F2221/2113—Multi-level security, e.g. mandatory access control
Abstract
Intercepting a file access request S1001, wherein each file has a file type. The appropriate location to insert a tag, which is used to determine the trust status of a file, is looked up in the file S1003, the location being dependent on the file type of the file. A file tag is then inserted in this location S1004. This tag can then be maintained through transfer to heterogeneous file systems. The computer may look up a tag in a file S1012 and may be configured to provide a sandbox to isolate malicious code encountered S1005. The accessed file may be opened in the sandbox if it is untrusted, which may be when it is marked with a file tag. The computer device may have an agent which hooks into an API to intercept the file request. The computer device has a first storage drive which may have a file system supporting an alternate data stream, and a second tag may be inserted in the alternate data stream of the accessed file.
Description
(54) Title of the Invention: Computer device and method for handling files
Abstract Title: A way of maintaining file tags over a file transfer between heterogeneous file systems
(57) Abstract: as given above.
[Drawing sheets 1/12 to 12/12: Figures 1 to 12. Sheet 3/12 (Figure 3) carries reference numeral 200; sheet 11/12 (Figure 11) carries step labels S1100 and S1107.]
Application No. GB1706567.3
RTM Date: 6 October 2017
Intellectual Property Office
The following terms are registered trade marks and should be read as such wherever they occur in this document: Microsoft Office, PowerPoint.
Intellectual Property Office is an operating name of the Patent Office www.gov.uk/ipo
COMPUTER DEVICE AND METHOD FOR HANDLING FILES
BACKGROUND
Technical Field
[01] The present application relates generally to the field of computers and computer devices. More particularly, the present application relates to a computer device and a method for controlling access to files and other such resources.
Description of Related Art
[02] Organisations, such as businesses, rely on networked computer devices for communication, collaboration and sharing. Increasingly, computer resources, including computer hardware, distributed software and file storage, are provisioned transparently to the organisations by external providers, such as via cloud computing. However, malware may attempt to exploit vulnerabilities in the networks so as to gain illegitimate access into the organisations through the networked computer devices. A common vector of attack is enabled by users of these computer devices, who may inadvertently introduce or propagate the malware via their actions, such as copying, downloading, opening, saving or executing files from the networks. In this way, security of the computer devices may be compromised.
[03] Conventional isolation mechanisms may tag files with tags, such as tags included in Alternate Data Streams (ADS) associated with the files (i.e. ADS tags). Particularly, files that originate externally with respect to an organisation may be tagged with tags. Such tagged files are deemed untrusted and are isolated in a restricted environment, such as a sandbox, on a client computer device. However, these ADS tags are vulnerable to malicious and/or inadvertent modification, such as tampering or removal. Such modification of the ADS tags may afford viable attack vectors for malware, since untrusted files now lacking tags may be accessed outside of the restricted environment. Hence, there is still a need to control access to the files whilst robustly and effectively isolating malicious content.
[04] The example embodiments have been provided with a view to addressing at least some of the difficulties that are encountered in current computer devices and computer networks, whether those difficulties have been specifically mentioned above or will otherwise be appreciated from the discussion herein.
SUMMARY
[05] According to the present application there is provided a computer device, a method and a computer-readable storage medium as set forth in the appended claims. Additional features of the application will be apparent from the dependent claims, and the description which follows.
[06] In general, the application provides an improved computer device and method for handling files transferred between heterogeneous file systems. The computer device intercepts a file access request to request access to a particular file amongst a plurality of files and inserts a tag in an appropriate location within the particular file. The appropriate location is specific to a file type (also known as file format) of the particular file. By inserting the tag in this appropriate location, transmission of the particular file across heterogeneous file systems, while maintaining the tag intact, is enabled. In this way, reliability of tagging and hence isolation of tagged files, for example, is improved since tags are maintained intact during such transmission.
[07] There now follows a summary of various aspects and advantages according to exemplary embodiments. This summary is provided as an introduction to assist those skilled in the art to more rapidly assimilate the detailed discussion herein and is not intended in any way to limit the scope of the claims that are appended hereto.
[08] Advantageously, the inventors have developed new technology that supersedes conventional mechanisms by robustly addressing the potential problems associated with tag modification, removal, corruption or impersonation. By recognising the requirement for reliably identifying untrusted files in a manner impervious to network heterogeneity, the inventors have reinforced computer device security without hindering usability or increasing workload. In contrast to the conventional isolation mechanisms, which employ tagging mechanisms specific to particular file systems, exemplary embodiments of this application instead embed tags into untrusted files in a manner that is portable across different file systems. In this way, the thus tagged untrusted files may be communicated across the heterogeneous networks without file system induced tag modification.
[09] In one example, there is described a computer device for handling files transferred between heterogeneous file systems, the computer device comprising a processor circuit, a memory circuit and a first storage drive which is configured according to a first file system, wherein the computer device is configured to: intercept a file access request made on the computer device to request access to a particular file amongst a plurality of files, wherein each file of the plurality of files has a certain file type amongst a plurality of different file types; look up an appropriate location within the particular file to insert a tag relevant to the respective file type of the particular file, the location within the particular file being different amongst the plurality of different file types; and insert the tag in the appropriate location, thereby enabling transmission of the particular file across heterogeneous file systems while maintaining the tag intact.
[10] In one example, the computer device is configured to inspect the tag inserted into the appropriate location within the particular file.
[11] In one example, the computer device is configured to provide a sandbox arranged to isolate malicious code therein.
[12] In one example, the computer device is configured to cause the particular file to be accessed in the sandbox, if the particular file is untrusted.
[13] In one example, the computer device is configured to insert the tag in the appropriate location within the particular file, wherein the particular file is untrusted and wherein the tag indicates that the particular file is untrusted.
[14] In one example, the computer device is configured to insert the tag in the appropriate location within the particular file after the particular file is stored to the first storage drive configured according to the first file system.
[15] In one example, the computer device comprises an agent configured to intercept the file access request, wherein the agent is configured to hook an application programming interface.
[16] In one example, the first file system supports an alternate data stream and the appropriate location within the particular file is in a main data stream of the particular file.
[17] In one example, the computer device is configured to insert a second tag in an alternate data stream of the particular file.
[18] In one example, there is described a method of handling files transferred between heterogeneous file systems on a computer device comprising a processor circuit, a memory circuit and a first storage drive which is configured according to a first file system, the method comprising: intercepting a file access request made on the computer device to request access to a particular file amongst a plurality of files, wherein each file of the plurality of files has a certain file type amongst a plurality of different file types; looking up an appropriate location within the particular file to insert a tag relevant to the respective file type of the particular file, the location within the particular file being different amongst the plurality of different file types; and inserting the tag in the appropriate location, thereby enabling transmission of the particular file across heterogeneous file systems while maintaining the tag intact.
[19] In one example, the method comprises inspecting the tag inserted into the appropriate location within the particular file.
[20] In one example, the method comprises providing a sandbox arranged to isolate malicious code therein.
[21] In one example, the method comprises causing the particular file to be accessed in the sandbox, if the particular file is untrusted.
[22] In one example, the method comprises inserting the tag in the appropriate location within the particular file, wherein the particular file is untrusted and wherein the tag indicates that the particular file is untrusted.
[23] In one example, the method comprises storing the particular file to the first storage drive configured according to the first file system before inserting the tag in the appropriate location within the particular file.
[24] In one example, the method comprises intercepting, by an agent, the file access request, by hooking an application programming interface.
[25] In one example, the method comprises inserting the tag in a main data stream of the particular file.
[26] In one example, the method comprises inserting a second tag in an alternate data stream of the particular file.
[27] In one example, there is described a computer device comprising a processor circuit, a memory circuit and a first storage drive, wherein the first storage drive is configured according to a first file system, wherein the computer device is configured to: intercept first file access requests to access a plurality of files of different file types, wherein the files each comprise a plurality of file components, whereupon in response to the intercepted first file access requests, identifying the respective file types of the files, selecting different target file components from the plurality of file components of the respective files for the different file types based thereon and inserting tags into these different target file components of the respective files, wherein the tags indicate trust statuses of the respective files; store the files to the first storage drive, configured according to the first file system, and retrieve the stored files therefrom; transmit the retrieved files to a network and receive the files therefrom; and intercept second file access requests to access the received files, whereupon in response to the intercepted second file access requests, identifying the respective file types of the files, selecting the different target file components from the plurality of file components of the respective files for the different file types based thereon, inspecting the inserted tags in these different target file components and if a trust status of a file of the plurality of files is untrusted based on a tag inspected therein, satisfying the second file access request for the file by providing access to the file in a sandbox arranged to protect the first computer device from malicious attacks; wherein the different target file components from the plurality of file components of the respective files for the different file types based thereon are selected such that the tags inserted therein are maintained upon storage of the files to a second storage drive, configured according to a second file system, and retrieval therefrom.
[28] In one example, there is described a method of controlling access to content on a computer device; wherein the computer device comprises: a hardware layer including a processor circuit, a memory circuit and a first storage drive, wherein the first storage drive is configured according to a first file system; and an operating system which performs tasks using the hardware layer; wherein the method comprises: intercepting first file access requests to access a plurality of files of different file types, wherein the files each comprise a plurality of file components, whereupon in response to the intercepted first file access requests, identifying the respective file types of the files, selecting different target file components from the plurality of file components of the respective files for the different file types based thereon and inserting tags into these different target file components of the respective files, wherein the tags indicate trust statuses of the respective files; storing the files to the first storage drive, configured according to the first file system, and retrieving the stored files therefrom; transmitting the retrieved files to a network and receiving the files therefrom; and intercepting second file access requests to access the received files, whereupon in response to the intercepted second file access requests, identifying the respective file types of the files, selecting the different target file components from the plurality of file components of the respective files for the different file types based thereon, inspecting the inserted tags in these different target file components and if a trust status of a file of the plurality of files is untrusted based on a tag inspected therein, satisfying the second file access request for the file by providing access to the file in a sandbox arranged to protect the first computer device from malicious attacks; wherein the different target file components from the plurality of file components of the respective files for the different file types based thereon are selected such that the tags inserted therein are maintained upon storage of the files to a second storage drive, configured according to a second file system, and retrieval therefrom.
[29] In one example, a tangible non-transient computer-readable storage medium is provided having recorded thereon instructions which, when implemented by a computer device, cause the computer device to be arranged as set forth herein and/or which cause the computer device to perform any of the methods as set forth herein.
BRIEF DESCRIPTION OF THE DRAWINGS
[30] For a better understanding of the application, and to show how example embodiments may be carried into effect, reference will now be made to the accompanying drawings in which:
[31] Figure 1 is a schematic view of a computer network including an example computer device;
[32] Figure 2 is a schematic view of the example computer device of Figure 1, in more detail;
[33] Figure 3 is a schematic view of the example computer device of Figure 1, in more detail;
[34] Figure 4 is a schematic view of the example computer device of Figure 1, in more detail;
[35] Figure 5 is a schematic view of the example computer device of Figure 1, in more detail;
[36] Figure 6 is a schematic view of the example computer device of Figure 1, in more detail;
[37] Figure 7 is a schematic view of the example computer device of Figure 1, in more detail;
[38] Figure 8 is a schematic view of the example computer device of Figure 1, in more detail;
[39] Figure 9 is a flowchart of the example method of operating the computer device of Figure 1;
[40] Figure 10 is a flowchart of an example method of operating the computer device of Figure 1, in more detail;
[41] Figure 11 is a flowchart of an example method of operating the computer device of Figure 1, in more detail; and
[42] Figure 12 is a flowchart of an example method of operating the computer device of Figure 1, in more detail.
DETAILED DESCRIPTION OF THE EXAMPLE EMBODIMENTS
[43] At least some of the following example embodiments provide an improved mechanism for handling files transferred between heterogeneous file systems. The example mechanism is simple and convenient for a user, and is lightweight to implement. Further, the example embodiments uphold security of computer devices while allowing controlled access to the files. Many other advantages and improvements will be discussed in more detail herein.
Computer network
[44] Figure 1 is a schematic overview of a part of a computer network 10 of a type which may be used in the example embodiments discussed herein, including a computer device 200 according to an example embodiment. The computer device 200 is coupled, via the network 10, such as a private network, a virtual private network, an intranet, a cloud or the Internet, to a different second computer device 20. Particularly, the network 10 is a heterogeneous network, connecting computers and other devices, such as the computer device 200 and the second computer device 20, having different operating systems (OS) and/or protocols, such as file systems. That is, the computer device 200 and the second computer device 20 have different storage drives configured according to different file systems. In practice, in organisations such as large-scale businesses or corporate environments, tens, hundreds or even thousands of individual computer devices 200 may be coupled to tens, hundreds or even thousands of individual second computer devices 20.
[45] The computer device 200 is configured to handle a plurality of files 51 transferred between computer devices having heterogeneous file systems, such as transferred to and/or from the second computer device 20. The plurality of files 51 shown in Figure 1 include three files 51a, 51b and 51c. The computer device 200 may also be configured to handle the plurality of files 51 transferred between computer devices having homogeneous file systems, such as transferred to and/or from other computer devices 200. The files 51 may comprise, for example, documents, images, zipped files, folders, web pages or executables.
[46] Particularly, the computer device 200 is arranged to transmit the files 51 via path A to the second computer device 20. Similarly, the computer device 200 is arranged to receive the files 51 via path B from the second computer device 20. That is, the computer device 200 is arranged to transmit and receive the files 51 between heterogeneous file systems. In organisations such as the large-scale businesses or the corporate environments, the computer device 200 is arranged to transmit the files 51 to, and receive the files 51 from, a plurality of computer devices 20 having different OS and/or protocols, and/or a plurality of computer devices 200 having the same OS and/or protocols.
[47] The particular file 51a amongst the plurality of files 51 may be deemed trusted or untrusted. Notably, ‘untrusted’ does not mean that the particular file 51a is necessarily malicious. Instead, the untrusted particular file 51a simply has the possibility of introducing undesired effects to the computer device 200. For example, the particular file 51a created on the computer device 200 may be deemed trusted. In contrast, another particular file 51b received from the second computer device 20, for example via the path B, may be deemed untrusted. Whether or not these received files 51 may be trusted may depend, at least in part, on an origin of the files 51.
Computer device
[48] Figure 2 is a schematic overview of the computer device 200 according to an exemplary embodiment of the application. The computer device 200 is configured to better protect the computer device 200 from malicious attacks that may be due to the files 51, by providing a mechanism whereby untrusted files may be identified, even after storage to and retrieval from heterogeneous file systems.
[49] The computer device 200 as herein described typically includes physical hardware (H/W) 201 such as a memory circuit, one or more processor circuits such as central processing units (CPUs), one or more input/output (I/O) interfaces (e.g. network cards, USB interfaces), a power supply and so on. The computer device 200 further comprises a first storage drive 203, configured according to a first file system. In use, the hardware 201 supports an operating system 202 to provide a runtime environment which supports execution of a plurality of user processes or productivity applications, such as client applications, according to the needs of the user or users of this particular computer device 200. The runtime environment provides resources such as installed software, system services, drivers, files and/or registry settings. Via the operating system 202, files may be stored (or written) to the first storage drive 203 and retrieved (or read) from the first storage drive 203.
[50] File systems, such as the first file system configuration of the first storage drive 203, are used to control how data are stored and retrieved. The file systems define the structure and logic rules to manage the data. File systems may be used on numerous different types of storage devices, such as the first storage drive 203, that use different kinds of media. Examples of the media include hard disk drives, flash memory, magnetic tapes, and optical discs. Some file systems are used on local data storage devices, while others provide file access via a network protocol. Some file systems may be virtual, meaning that the supplied ‘files’ (called virtual files) are computed on request or are merely a mapping into a different file system used as a backing store. While some operating systems include support for more than one file system, other operating systems may be inextricably linked to specific file systems or types of file system.
[51] Some of the example embodiments are discussed in detail in relation to computers and computer devices using the Windows (RTM) operating system as supplied by Microsoft Corporation of Redmond, Washington, USA, under the trade marks Windows NT, Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, Windows 10 or later versions, amongst others. However, the teachings, principles and techniques of the present application are also applicable in other practical embodiments. For example, the described embodiments are also applicable to other operating systems, such as UNIX (RTM), Linux (RTM), mac OS (RTM), iOS (RTM) and Android (RTM), and in particular those having a discretionary access control security model.
[52] The computer device 200 may take any suitable form factor, such as a server, a static desktop computer or a portable computing device (laptop, tablet, handheld, smart-phone, etc.). The computer device 200 may be provided to or for the user, for example by a business or corporation. Additionally and/or alternatively, the computer device 200 may be provided by the user and managed by the business or the corporation, such as a bring your own device (BYOD).
Tagging files
[53] Figure 3 is a schematic overview of the computer device 200 in more detail. The computer device 200 is further configured to tag the particular file 51a amongst the plurality of files 51 by inserting a tag 52a in an appropriate location in the particular file 51a, such that the tag 52a is maintained intact during transmission of the particular file 51a across heterogeneous file systems, such as across the network 10. Generally, respective tags 52 may be inserted in one or more of the plurality of files 51. Such a tag 52a may be termed a portable tag, being portable across different file systems. In contrast, ADS tags are limited to NTFS file systems, as discussed in more detail below.
[54] Particularly, the computer device 200 is configured to intercept a file access request 55 made on the computer device 200 to request access to the particular file 51a amongst the plurality of files 51, wherein each file of the plurality of files 51 has a certain file type amongst a plurality of different file types (also known as file formats).
[55] Generally, file access requests, such as the file access request 55, are sent from applications processing the files. Generally, the file access requests, such as the file access request 55, are satisfied by the operating system 202. The file access request 55 may be initiated by a user requesting to store and/or retrieve the particular file 51a. For example, the file access request 55 may be initiated by the user requesting to copy (i.e. store or write), download (i.e. store or write), open (i.e. retrieve or read), save (i.e. store or write) or execute (i.e. retrieve or read) the particular file 51a. Additionally and/or alternatively, the file access request 55 may be initiated programmatically, for example, by an application executing on the computer device 200. Since the file access request 55 to access the particular file 51a is intercepted, the file access request 55 may not be fulfilled directly and/or conventionally at this stage. For example, the file access request 55 may be denied and/or subsequently satisfied. In an example embodiment, the file access request 55 comprises a file close message, indicating that the particular file 51 a is available for tagging.
[56] The different file types may be differentiated, for example, by different filename extensions. For example, Microsoft Office files have different file types for Word documents, Excel spreadsheets and PowerPoint presentations. These Microsoft Office files may conform to a Compound File Binary Format (CFBF) or an OpenXML standard, depending on versioning of the Microsoft Office applications. Thus, Word documents may have .doc or .docx filename extensions respectively for CFBF and OpenXML. Similarly, the Excel spreadsheets may have .xls or .xlsx filename extensions respectively, while the PowerPoint presentations may have .ppt or .pptx filename extensions respectively. As another example, Portable Document Format (PDF) is a file format used to present documents in a manner independent of application software, hardware, and operating systems, having a .pdf filename extension. As another example, Open Document Format (ODF) is an open, XML file format, having filename extensions that are application-dependent. For example, filename extensions .odt and .fodt are used for word processing (text) documents; .ods and .fods for spreadsheets; .odp and .fodp for presentations; .odg and .fodg for graphics; and .odt for formulae, mathematical equations. As yet another example, the Extensible Metadata Platform (XMP) is an ISO standard relating to embedding XMP information in image, video and document file formats, including TIFF, JPEG, JPEG 2000, PNG, GIF, PDF or in external .xmp sidecar files.
[57] The computer device 200 may be configured to determine or identify the certain file type of the particular file 51a, for example, based on a filename extension of the particular file 51a. The computer device 200 may be configured to determine or identify the certain file types of one or more of the different file types discussed above.
[58] The computer device 200 is configured to look up an appropriate location, which may also be termed a target location, within the particular file 51a to insert the tag 52a relevant to the respective file type of the particular file 51a, the location within the particular file 51a being different amongst the plurality of different file types. For example, the computer device 200 may be configured to look up the appropriate location by querying a database according to the file type of the particular file 51a. One or more (i.e. a plurality of) appropriate locations may be identified for a given file type. In some instances, no appropriate locations may be identified for some file types. The computer device 200 may be configured to look up the appropriate location in response to intercepting the file access request.
[59] Appropriate locations may depend on the different file types, which may have different file structures. These different file structures may be made up of a plurality of file components, such that the files 51 each comprise a plurality of file components 53. For example, the files 51a, 51b and 51c comprise the plurality of file components 53a, 53b and 53c respectively. The plurality of file components 53 may be included in a single file, such as sections within the single file. For example, the particular file 51a may be a single file, having a header and a body. Additionally and/or alternatively, one or more of the file components 53 may be separate files. For example, the particular file 51a may be a zipped file, including multiple files as the file components 53a. For example, the particular file 51a may be a folder, including multiple files as the file components 53a. For example, CFBF files implement Component Object Model (COM) Structured Storage, comprising a plurality of sections or file components. OpenXML files are based on a zip file that contains a directory structure of Extensible Markup Language (XML) files (i.e. a plurality of file components). For example, PDF files are 7-bit ASCII files (except for certain elements that may have binary content), having a header, one or more elements forming a body and a trailer (i.e. a plurality of file components). The appropriate location may be within one of the plurality of existing file components. Alternatively, the appropriate location may be within a newly-created file component. The computer device 200 may be configured to select different target file components from the plurality of file components 53 of the respective files 51 for the different file types based thereon. The appropriate locations may be defined sections of the files 51, according to their respective file types, reserved for custom metadata.
[60] The tag 52a may indicate a trust status of the particular file 51a. By way of example, the computer device 200 may be configured to tag the particular file 51a with the tag 52a, if the computer device 200 determines that the particular file 51a is untrusted. In this way, the particular file 51a may be selectively tagged with the tag 52a. Thus, for example, only the files 51 received from other computer devices, such as the second computer device 20, may be tagged with tags 52a while files 51 created on the computer device 200 may not be tagged (i.e. untagged). Additionally and/or alternatively, untrusted files may be created on and/or originate from the computer device 200. The tag 52a may comprise metadata. The tag 52a may comprise and/or act as a Boolean flag, for example, such that a presence and/or a content of the tag 52a may indicate that the particular file 51a is untrusted. That is, the presence of the tag 52a may indicate that the particular file 51a is untrusted. In an example embodiment, the tag 52a comprises metadata inserted in defined sections of the particular file 51a, according to the respective file type, reserved for custom metadata.
[61] The computer device 200 is further configured to insert the tag 52a in the appropriate location in the particular file 51a, thereby enabling transmission of the particular file 51a across heterogeneous file systems while maintaining the tag 52a intact. Importantly, the appropriate locations for the different file types are selected such that tags 52a inserted therein are maintained intact even during transmission of the files 51 across the heterogeneous file systems.
[62] CFBF is employed for some Microsoft Office files and is an implementation of COM Structured Storage. This format allows the storage of multiple streams within the same file, in a similar way to FAT. This format is proprietary but the format specification is publicly available.
[63] CFBF supports COM interfaces, IPropertyStore and IPropertySetStorage, to access and modify custom properties (i.e. the appropriate location) within files according to this format. The custom properties data are accessible and editable even when the file is password protected and/or encrypted, as the stream that the metadata are stored in is unencrypted. To tag files according to the CFBF format, the COM interfaces IPropertyStore and IPropertySetStorage may be employed, directly or indirectly.
[64] Office OpenXML (OOXML) tagging may be performed using the .NET libraries System.IO.Package and System.Xml. These are used to open up an OOXML file and then access the required custom properties XML file docProps\custom.xml (i.e. the appropriate location). The XML in this file is parsed and XML nodes are added to or removed from this custom properties file.
[65] The PDF format supports two methods of adding metadata to a file: the Document Information Dictionary and the Extensible Metadata Platform (XMP). The Document Information Dictionary allows specification of key/value pairs, stored in a section of the PDF file as plain text in the format ‘/Key (value)’ (i.e. the appropriate location). XMP is specified as an ISO 16684-1:2012 standard. This standard uses an XML structure to define metadata in the file. To tag PDF documents, the Document Information Dictionary is preferred.
[66] The computer device 200 may be configured to inspect the particular file 51a for the tag 52a, for example, after transmission of the particular file 51a across heterogeneous file systems. For example, the computer device 200 may be configured to query the particular file 51a programmatically for the presence of the tag 52a. The computer device 200 may be configured to inspect the tag 52a by looking up the appropriate location within the particular file 51a to read the tag 52a relevant to the respective file type of the particular file 51a, the location within the particular file 51a being different amongst the plurality of different file types. That is, the computer device 200 may be configured to look up the appropriate location in order to inspect the tag 52a in a manner analogous to looking up the appropriate location in order to insert the tag 52a.
[67] The transmission of the files 51 across the heterogeneous file systems may include storage to, and retrieval from, other storage drives configured according to different file systems. For example, the particular file 51a having the tag 52a inserted therein may be stored by the computer device 200 to the first storage drive 203 which is configured according to the first file system. Storage of the particular file 51a to the first storage drive 203 may precede insertion of the tag 52a by the computer device 200. Alternatively, the computer device 200 may insert the tag prior to storage of the particular file 51a to the first storage drive 203. Following and/or during transmission of the particular file 51a to the other second computer device 20, the particular file 51a may be stored to, and/or retrieved from, one or more other storage drives configured according to different file systems. For example, the other second computer device 20 may comprise a second storage drive configured according to a second file system, different from the first file system of the first storage drive 203 of the computer device 200. For example, transmission of the particular file 51a to the other second computer device 20 may be via a server, such that the particular file 51a is stored to, and retrieved from, a third storage drive configured according to a third file system.
[68] These different file systems, such as the first, second and/or third file systems, may include disk file systems, flash file systems, tape file systems, database file systems, transactional file systems, network file systems and/or shared file systems. Disk file systems include File Allocation Table (FAT) (FAT12, FAT16, FAT32), exFAT, New Technology File System (NTFS), Hierarchical File System (HFS) and HFS+ (also known as HFS Plus), HPFS, Apple File System (APFS), Unix File System (UFS), ext* (ext2, ext3, ext4), XFS, btrfs, ISO 9660, Files-11, Veritas File System, Virtual Machine File System (VMFS), ZFS, ReiserFS and Universal Disk Format (UDF) (also known as ISO/IEC 13346 or ECMA-167). Some of these may be specific to, or supported by, certain operating systems. For example, Unix and Unix-like operating systems create VMFS virtual file systems, which makes all the files on all the devices appear to exist in a single hierarchy. Linux supports numerous file systems including ext*, XFS, JFS, ReiserFS and btrfs. macOS uses HFS+ and supports UFS. Newer versions of macOS may store to and retrieve from FAT and/or retrieve from (but not necessarily store to) NTFS. Microsoft Windows makes use of FAT, NTFS, exFAT, Live File System and ReFS.
[69] Hence, storage and retrieval of the files 51 to and from, respectively, different storage drives of different computer devices may be according to different file systems, which may depend on the operating systems executed on these different computer devices. However, not all features implemented by a specific file system may be implemented by other file systems. For example, Alternate Data Streams (ADS) are a file attribute of NTFS. All files include one data stream while ADS allows for more than one data stream. However, storage of files including ADS to storage drives configured according to other file systems that do not support ADS, such as non-NTFS file systems, may result in modification and/or removal of the ADS and concomitantly, removal of data included in the ADS.
[70] In an example embodiment, the first storage drive 203 is configured according to the first file system, wherein the first file system supports ADS. In an example embodiment, the first storage drive 203 is configured according to the first file system, wherein the first file system is NTFS. In an example embodiment, the heterogeneous file system includes a second storage drive configured according to a second file system, wherein the second file system does not support ADS. In an example embodiment, the heterogeneous file system includes a second storage drive configured according to a second file system, wherein the second file system is non-NTFS.
[71] In an example embodiment, the appropriate location within the particular file 51a is in a main (also known as default or primary) data stream of the particular file 51a. That is, the appropriate location within the particular file 51a is not in an ADS of the particular file 51a.
[72] In an example embodiment, the computer device 200 is configured to insert a second tag in an ADS of the particular file 51a. Such a tag may be termed an ADS tag. This second tag may be similar to the tag 52a and may be used, for example, as a cross check. The tag 52a and the second tag may be inserted at different times, for example, according to a state of the particular file 51a. For example, the second tag may be inserted and/or modified while a main data stream of the particular file 51a is open on an NTFS volume. In an example embodiment, the computer device 200 is configured to compare the tag 52a and the second tag. In an example embodiment, the computer device 200 is configured to determine modification, such as tampering, interference or removal, of the tag 52a and/or the second tag, for example, from a result of comparing the tag 52a and the second tag. That is, the tag 52a and the second tag may work in tandem. Additionally and/or alternatively, modification of the second tag may result from exchange of the particular file 51a between an NTFS volume and a non-NTFS volume, for example. If modification of the tag 52a and/or the second tag is determined, the computer device 200 may re-tag the particular file 51a appropriately so as to remedy any modification to the tags and/or synchronize the tags, such that the particular file 51a is subsequently handled correctly, according to the intended tagging.
[73] In an example embodiment, the computer device 200 is configured to insert a plurality of tags, such as the tag 52a, in appropriate locations within the particular file 51a. In this way, the plurality of tags may be cross-checked, so as to determine whether one of the tags, such as the tag 52a, has been modified, for example, maliciously or inadvertently tampered with or removed.
[74] The conventional isolation mechanisms tag files by including tags in the ADS of the files. However, storage of these files to storage drives configured according to other file systems that do not support ADS results in removal of the tags. Hence, subsequent access to the files is permitted by the conventional isolation mechanisms outside of protective sandboxes, since the tags have been removed, thereby circumventing the sandboxes and potentially exposing the computer device to malicious content.
[75] In contrast, in this application, the tag 52a is inserted in the appropriate location in the particular file 51a, thereby enabling transmission of the particular file 51a across heterogeneous file systems while maintaining the tag intact. In this way, the tag 52a is portable across different file systems and thus the tag 52a is preserved during transmission of the particular file 51a across heterogeneous file systems. By persisting the tag 52a in this way in the particular file 51a, information contained in the tag 52a is similarly maintained intact. Hence, behaviour of the computer device 200 according to the tag 52a is consistent, even after transmission of the particular file 51a, including the tag 52a, across heterogeneous file systems. For example, if the tag 52a represents a trust status of the particular file 51a and the particular file 51a is deemed untrusted, the particular file 51a may still be accessed in a protective sandbox, even after transmission of the particular file 51a, including the tag 52a, across heterogeneous file systems. In this way, the trust status of the particular file 51a, as indicated by the tag 52a, may be maintained after storage to and retrieval from heterogeneous file systems such that subsequent access to the particular file 51a is isolated in the protective sandbox.
[76] The computer device 200 may be configured to determine protection and/or security attributes of the files 51. For example, the computer device 200 may be configured to determine if the particular file 51a has been marked as final and/or if editing of the particular file 51a is permitted. For example, the computer device 200 may be configured to determine if the particular file 51a is password-protected, such that insertion of the tag 52a may not be possible without a password. For example, the computer device 200 may be configured to determine if the particular file 51a is encrypted, such that insertion of the tag 52a may not be possible without a password. For example, the computer device 200 may be configured to determine if the particular file 51a includes a digital signature and/or authentication certificate, such that insertion of the tag 52a may change a hash of the particular file 51a, compared with a hash included in the digital signature and/or the authentication certificate. The computer device 200 may be configured to selectively insert the tag 52a, based on such determination. For example, the computer device 200 may be configured to insert the tag 52a if the particular file 51a has been marked as final and/or if editing of the particular file 51a is permitted. For example, the computer device 200 may be configured to not insert the tag 52a, if the particular file 51a is password-protected and/or the password is not available, since insertion of the tag 52a may not be possible. For example, the computer device 200 may be configured to not insert the tag 52a, if the particular file 51a is encrypted and/or the password is not available, since insertion of the tag 52a may not be possible. For example, the computer device 200 may be configured to not insert the tag 52a, if the particular file 51a includes the digital signature, since the changed hash, compared with the hash included in the digital signature, may invalidate the digital signature.
[77] CFBF and OpenXML provide four main features for document protection. Firstly, a file may be marked as final. This allows Microsoft Office, for example, to warn a user that a file has been marked final and should not be edited. However, it may still be possible to edit a custom properties section of the file, despite the fact that the file is marked as final. Secondly, editing of the file may be restricted, for example by specified users. However, it may still be possible to edit the custom properties section of the file, since this protection feature only restricts modification of core data or styling. Thirdly, the file may be encrypted with a password. However, while data in the file may be encrypted, metadata in CFBF files may be unencrypted and thus the tag 52a may be inserted as such metadata, despite encryption with the password. OpenXML files encrypted with a password do not include such unencrypted metadata and thus the tag 52a may not be inserted as for CFBF files. Fourthly, the file may include a digital signature, such as a digital certificate or digital ID, for validating authenticity of the file. The digital signature may include a hash of the file, such that inserting a tag would invalidate the digital signature. It is desirable to detect digital signatures in files to avoid corruption of the digital signatures by changing hash values of the documents due to insertion of the tags. If a digital signature is detected, the file should not be tagged.
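An added example, not code from the patent, of the OpenXML path described in [58], [64] and [77]: the appropriate location is docProps/custom.xml, a trust-status tag is written there as a custom property, read back after the package is rewritten, and tagging is refused when the package carries a digital signature or is a password-protected (CFBF container) file. The property name TrustStatus, the minimal sample package and all function names are constructed for this example; it uses only the Python standard library in place of the .NET libraries named above.

```python
"""Tag an OOXML package at docProps/custom.xml (added example, not the patent's
code). Property name, sample package and helper names are constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

CUSTOM_PART = "docProps/custom.xml"
NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# fmtid that OOXML custom (user-defined) properties carry
FMTID_USER = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"
TAG_NAME = "TrustStatus"                              # constructed tag name
CFBF_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # Compound File header

ET.register_namespace("", NS_CP)
ET.register_namespace("vt", NS_VT)


def build_sample_docx(signed: bool = False) -> bytes:
    """Constructed minimal OOXML package: enough parts to exercise tagging,
    not a complete Word document. signed=True adds a signature part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr(CUSTOM_PART, f'<Properties xmlns="{NS_CP}" xmlns:vt="{NS_VT}"/>')
        if signed:
            z.writestr("_xmlsignatures/sig1.xml", "<Signature/>")
    return buf.getvalue()


def tagging_blocked_reason(package: bytes) -> Optional[str]:
    """Protection checks from [77]: a password-protected OOXML file is stored
    as a CFBF container (no zip, no reachable custom.xml), and any change to
    a signed package would invalidate its signature."""
    if package.startswith(CFBF_MAGIC):
        return "package is a CFBF container (password-protected OOXML)"
    if not zipfile.is_zipfile(io.BytesIO(package)):
        return "not an OOXML (zip) package"
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        if any(n.startswith("_xmlsignatures/") for n in z.namelist()):
            return "package carries a digital signature"
    return None


def _load_props(z: zipfile.ZipFile) -> ET.Element:
    if CUSTOM_PART in z.namelist():
        return ET.fromstring(z.read(CUSTOM_PART))
    # Part absent: start an empty property set. A real package would also need
    # a content-type override and a package relationship for the new part.
    return ET.Element(f"{{{NS_CP}}}Properties")


def read_tag(package: bytes) -> Optional[str]:
    """Inspection step of [66]: look up the tag at the OOXML location."""
    if not zipfile.is_zipfile(io.BytesIO(package)):
        return None
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        props = _load_props(z)
    for prop in props.findall(f"{{{NS_CP}}}property"):
        if prop.get("name") == TAG_NAME:
            value = prop.find(f"{{{NS_VT}}}lpwstr")
            return value.text if value is not None else None
    return None


def tag_ooxml(package: bytes, status: str) -> bytes:
    """Insert or update the tag as a custom property and rewrite the package,
    copying every other part unchanged."""
    reason = tagging_blocked_reason(package)
    if reason:
        raise ValueError(f"tag not inserted: {reason}")
    with zipfile.ZipFile(io.BytesIO(package)) as src:
        props = _load_props(src)
        all_props = props.findall(f"{{{NS_CP}}}property")
        existing = [p for p in all_props if p.get("name") == TAG_NAME]
        if existing:
            prop = existing[0]
            for old in list(prop):          # replace the previous value
                prop.remove(old)
        else:
            # pids must be unique; user-defined properties start at pid 2
            pids = [int(p.get("pid", "1")) for p in all_props]
            prop = ET.SubElement(props, f"{{{NS_CP}}}property", fmtid=FMTID_USER,
                                 pid=str(max(pids, default=1) + 1), name=TAG_NAME)
        ET.SubElement(prop, f"{{{NS_VT}}}lpwstr").text = status
        new_xml = ET.tostring(props, encoding="UTF-8", xml_declaration=True)
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                if item.filename != CUSTOM_PART:
                    dst.writestr(item, src.read(item.filename))
            dst.writestr(CUSTOM_PART, new_xml)
    return out.getvalue()


if __name__ == "__main__":
    tagged = tag_ooxml(build_sample_docx(), "untrusted")
    print("tag after rewrite:", read_tag(tagged))
    print("signed package:", tagging_blocked_reason(build_sample_docx(signed=True)))
```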
[78] PDF supports password protection, restricting file permissions. Password protection may also be used for encrypting the file. Inserting the tag 52a may not be possible if such password protection and/or encryption is enabled. In addition, PDF supports certificate protection, for validating authenticity of the file, similar to the digital signature of CFBF and OpenXML described above.
User account
[79] Figure 4 is a schematic overview of the computer device 200 in more detail. In this example, the operating system 202 applies a security model wherein access privileges are based on a user account. The operating system 202 may define privilege levels appropriate to different classes of users, or groups of users, and then apply the privileges of the relevant class or group to the particular logged-in user (e.g. ordinary user, super-user, local administrator, system administrator and so on). The user is authenticated such as by logging in to the computer device 200 with a user identity and password, and these user credentials may be validated locally or via a remote service such as a domain controller (e.g. an Active Directory domain controller). The user, via their previously prepared security account, thus acts as a security principal in the security model. The operating system 202 of the computer device 200 then grants appropriate privileges to processes or applications 220 which execute in the user’s security context, which is typically considered as a primary user account 210.
[80] The operating system 202 may include a security sub-system (not shown), which is provided to enforce security within the computer device 200. As one example, the security subsystem is provided by the Windows operating system. The security sub-system, also termed a security module or security manager, suitably enacts the Windows security model as described, for example, in “Windows Security Overview” published 10 June 2011 by Microsoft Corporation.
[81] In this example, the files 51 are accessed in the primary user account 210. The computer device 200 is configured to intercept the file access request 55 made on the computer device 200 in the primary user account 210 to request access to the particular file 51a amongst the plurality of files 51. The file access request 55 may be initiated by a user requesting to copy, download, open, save or execute the particular file 51a. For example, the user may have newly created the particular file 51a in the primary user account 210 and the computer device may intercept the file access request 55 to save the particular file 51a to a user-selected folder in the first storage drive 203. Additionally and/or alternatively, the file access request 55 may be initiated programmatically, for example, by an application executing on the computer device 200 automatically backing up the particular file to a temporary folder on the first storage drive 203. The computer device 200 is configured to look up the appropriate location within the particular file 51a to insert the tag 52a relevant to the respective file type of the particular file 51a, as described previously. The computer device 200 is further configured to insert the tag 52a in the appropriate location, for example, after the particular file 51a has been stored to the first storage drive 203. As described above, by inserting the tag 52a in the appropriate location in the particular file 51a, the tag 52a is maintained intact upon transmission of the particular file 51a across heterogeneous file systems, thereby upholding security of the computer device 200.
Sandbox
[82] Figure 5 is a schematic overview of the computer device 200 in more detail. A sandbox 230 is provided to protect the computer device 200 from malicious attacks by isolating untrusted processes and/or untrusted content. The sandbox 230 may also be termed a ‘content isolation environment’ and is explained in more detail below.
[83] Typically, user interactions may cause the computer device 200 to perform tasks, at least some of which may be defined in advance as being ‘untrusted’ tasks. For example, untrusted tasks may include certain forms of Web browsing, viewing email files, starting an untrusted application program, or accessing a particular file in a storage medium. Generally, the untrusted tasks may involve non-executable content (data) and/or may include executable content (code) which, at least initially, is not trusted. That is, the untrusted tasks may be in relation to untrusted content (e.g. the files 51) or untrusted content may be accessible on the computer device 200. Hence, the computer device 200 is configured to provide the sandbox 230 which is used to isolate these untrusted tasks and/or this untrusted content, so that these tasks and/or content are inhibited from interfering with other tasks or components of the computer device 200. Isolation is advantageous to inhibit interference, whether caused intentionally or unintentionally. Notably, ‘untrusted’ does not mean that the respective task or content is necessarily malicious. Instead, the untrusted task or content simply has the possibility of introducing undesired effects and, at least initially, it is desired to isolate the untrusted task or content away from most of the other resources or components of the computer device 200.
[84] The computer device 200 may be arranged to provision the sandbox 230 by programmatically creating a secondary user account 210b. The computer device 200 may be configured to automatically create a new secondary user account 210b with rights and privileges which are derived from those of the primary user account 210 of the logged-in user. Typically, a secondary user identity and password are created programmatically and associated with the secondary user account 210b. Thus, the primary user account 210 and the secondary user account 210b are related but do not share the same user credentials.
[85] The primary user account 210 is based on the user as the security principal and an access token of the primary user account 210 is set accordingly. Meanwhile, the secondary user account 210b is derived from the primary user account 210 and will have a subset of the privileges of the primary user account 210. In this example, the security context of the secondary user account 210b is deliberately restricted to a minimal set of access rights as its privilege level.
Isolating untrusted files
[86] Figure 6 is a schematic overview of the computer device 200 in more detail. Where the files 51 are deemed to be untrusted, the computer device 200 then causes access to the files 51 to be isolated within the programmatically created secondary user account 210b in the sandbox 230.
[87] The programmatically created secondary user account 210b is provided in the sandbox 230, arranged to protect the computer device 200 from malicious attacks by isolating untrusted processes and/or untrusted content, such as the untrusted files 51.
[88] In this example, the untrusted files 51 are accessed in the programmatically created secondary user account 210b, isolated in the sandbox 230. The computer device 200 is configured to intercept the file access request 55 made on the computer device 200 in the secondary user account 210b to request access to the particular untrusted file 51a amongst the plurality of untrusted files 51. The file access request 55 may be initiated by a user requesting to store or retrieve the particular untrusted file 51a. For example, the user may have newly created the particular untrusted file 51a in the secondary user account 210b and the computer device may intercept the file access request 55 to save the particular untrusted file 51a to a user-selected folder in the first storage drive 203. For example, the user may have downloaded the particular untrusted file 51a from the internet, such as from an untrusted website or from an untrusted sender, in the secondary user account 210b and the computer device may intercept the file access request 55 to download the particular untrusted file 51a. Additionally and/or alternatively, the file access request 55 may be initiated programmatically, for example, by an application executing on the computer device 200 automatically backing up the particular untrusted file 51a to a temporary folder on the first storage drive 203. The computer device 200 is configured to look up the appropriate location within the particular untrusted file 51a to insert the tag 52a relevant to the respective file type of the particular untrusted file 51a, as described previously. The computer device 200 is further configured to insert the tag 52a in the appropriate location, for example, after the particular untrusted file 51a has been stored to the first storage drive 203.
[89] The computer device 200 may be configured to intercept all file access requests from the secondary user account 210b to store and/or retrieve the particular untrusted file 51a. The computer device 200 may be configured to intercept all file access requests from the secondary user account 210b to store and/or retrieve all the untrusted files 51. The computer device 200 may be configured to deem that the particular untrusted file 51a accessed in the secondary user account 210b is untrusted and to tag the particular untrusted file 51a accordingly, whereby the tag 52a indicates that the particular untrusted file 51a is untrusted. The computer device 200 may be configured to deem that all the untrusted files 51 accessed in the secondary user account 210b are untrusted and to tag all the untrusted files 51 accordingly, whereby the respective tags 52a indicate that the files 51 are untrusted. The computer device 200 may be configured to access the particular untrusted file 51a, having the tag 52a indicating that the particular untrusted file 51a is untrusted, in the secondary user account 210b. The computer device 200 may be configured to access all the untrusted files 51, having the tags 52a indicating that the respective files 51 are untrusted, in the secondary user account 210b. In this way, any untrusted files 51, such as those created in, or downloaded to, the secondary user account 210b, are isolated in the secondary user account 210b. By inserting the tag 52a, indicating that the particular file 51a is untrusted, in the appropriate location in the particular untrusted file 51a, the tag 52a is maintained intact upon transmission of the particular untrusted file 51a across heterogeneous file systems. Hence, the particular untrusted file 51a is once again isolated in the secondary user account 210b upon receipt of the particular untrusted file 51a following transmission of the particular file 51a across heterogeneous file systems, thereby containing any malicious code in the particular untrusted file 51a in the sandbox 230. This contrasts with the conventional isolation mechanism described above, in which tags may be removed during transmission of files across heterogeneous file systems, such that the files may subsequently be incorrectly accessed in the primary user account 210 following such transmission, thereby potentially exposing the computer device 200 to malicious attacks.
[90] Since the computer device 200 is configured to cause access to the untrusted files 51 to be isolated within the programmatically created secondary user account 210b, based on whether the files are deemed to be untrusted, the computer device 200 is better protected from malicious attacks due to or originating from the untrusted files 51.
[91] Figure 7 is a schematic overview of the computer device 200 in more detail. Where some of the files 51 are deemed to be trusted, the computer device 200 then causes access to the trusted files 51 to be within the primary user account 210. Conversely, where some of the files 51 are deemed to be untrusted, the computer device 200 then causes access to the untrusted files 51 to be isolated within the programmatically created secondary user account 210b.
[92] In this example, the computer device 200 is configured to tag only the untrusted file 51a and to not tag the trusted files 51b and 51c. Hence, the untrusted file 51a includes the respective tag 52a inserted therein while the trusted files 51b and 51c are untagged.
[93] Since access to the trusted files 51b and 51c in the primary user account 210 is permitted by the computer device 200, usability of the computer device 200 is enhanced. By accessing only the untrusted file 51a in the secondary user account 210b, only other similarly untrusted files 51 in the secondary user account 210b are potentially exposed to a malicious attack due to the untrusted file 51a. That is, since the trusted files 51b and 51c are accessed in the primary user account 210, these trusted files 51b and 51c are not also exposed to any such malicious attack. Hence, the potential malware footprint is restricted to only other untrusted files 51 and does not extend to the trusted files 51b and 51c.
[94] Thus, a workload associated with accessing only untrusted files 51 in the secondary user account 210b is reduced compared with accessing both trusted and untrusted files 51 in the secondary user account 210b, as may be provided by conventional isolation mechanisms.
[95] Furthermore, usability of the computer device 200 may be improved, since trusted files 51 may be accessed outside of the sandbox 230 while untrusted files 51 are accessed in the sandbox 230, thereby better protecting the computer device 200 from malicious attacks due to or originating from untrusted files 51.
[96] Figure 8 is a schematic overview of the computer device 200 in more detail. The computer device 200 further comprises an agent 700, configured to perform one or more of the tasks provided by the computer device 200 relating to the files 51. Further, the sandbox 230 may be provisioned, created and/or controlled by the agent 700, as will be explained in more detail below. In addition, the agent 700 may be configured to tag the files 51.
[97] The agent 700 may comprise one or more software and/or hardware modules, such as executables, dynamic link libraries (DLLs), plug-ins, add-ins, add-ons or extensions, that may be configured to operate in cooperation with an operating system 202 and/or applications executed on the computer device 200.
[98] The agent 700 may be configured to intercept the file access request 55 made on the computer device 200 to request access to the particular file 51a amongst the plurality of files 51. For example, the agent 700 may be configured to hook relevant application programming interfaces (APIs). In this way, the agent 700 may intercept a request to store or retrieve the particular file 51a, such as a request to copy, download, open, save or execute the particular file 51a.
[99] The agent 700 may be configured to look up the appropriate location within the particular file 51a to insert the tag 52a relevant to the respective file type of the particular file 51a.
[100] The agent 700 may be configured to insert the tag 52a in the appropriate location in the particular file 51a. For example, the agent 700 may be configured to generate the tag 52a. For example, the agent 700 may be configured to set, modify and/or update properties of the particular file 51a that form the tag 52a. The agent 700 may be configured to tag the particular file 51a with the tag 52a upon saving the particular file 51a to the first storage drive 203 on the computer device 200. For example, upon opening or previewing, the particular file 51a may be temporarily saved on the computer device 200. During or as part of this saving step, the agent 700 may tag the particular file 51a with the tag 52a appropriately.
[101] The agent 700 may be configured to inspect the particular file 51a for the tag 52a. For example, the agent 700 may be configured to query the particular file 51a programmatically for the presence of the tag 52a. The agent 700 may be configured to inspect the tag 52a by looking up the appropriate location within the particular file 51a to read the tag 52a relevant to the respective file type of the particular file 51a, the location within the particular file 51a being different amongst the plurality of different file types. That is, the agent 700 may be configured to look up the appropriate location in order to inspect the tag 52a in a manner analogous to looking up the appropriate location in order to insert the tag 52a. As described above, the presence or absence of the tag 52a may indicate that the particular file 51a is trusted or untrusted. The tag 52a and/or the content of the tag 52a may be requested and/or retrieved, for example to determine, redetermine and/or confirm if the particular file 51a is trusted or untrusted. In this way, the trust status of the sender and hence of the file 51b may be confirmed, redetermined and/or reconfirmed, for example repeatedly and/or independently.
[102] Furthermore, the agent 700 may be configured to provision, create and/or control the sandbox 230. For example, the agent 700 may be configured to assign the particular file 51a to an existing sandbox 230. Additionally and/or alternatively, the agent 700 may be configured to create a new sandbox 230, if the particular file 51a is tagged with the tag 52a indicating that the particular file 51a is untrusted. That is, the agent 700 may be configured to dynamically assign and/or create the sandbox 230, as required, for example according to the tag 52a. The agent 700 may be arranged to provision the sandbox 230 by programmatically creating the secondary user account 210b. The agent 700 may be configured to automatically create the new secondary user account 210b with rights and privileges which are derived from those of the primary user account 210 of the logged-in user.
[103] Figure 9 is a flowchart of an example method of operating the computer device 200, including an example mechanism to tag the particular file 51a, thereby enabling transmission of the particular file 51a across heterogeneous file systems while maintaining the tag 52a intact.
[104] At S901, the computer device 200 intercepts a file access request 55 made on the computer device 200 to request access to the particular file 51a amongst the plurality of files 51, wherein each particular file 51a of the plurality of files 51 has a certain file type amongst a plurality of different file types.
[105] At S902, the computer device 200 looks up the appropriate location within the particular file 51a to insert the tag 52a relevant to the respective file type of the particular file 51a, the location within the particular file 51a being different amongst the plurality of different file types.
[106] At S903, the computer device 200 inserts the tag 52a in the appropriate location, thereby enabling transmission of the particular file 51a across heterogeneous file systems while maintaining the tag 52a intact.
[107] Since the particular file 51a is tagged with the tag 52a inserted in the appropriate location in the particular file 51a, the tag 52a may be persisted with the particular file 51a, even during and/or after transmission of the particular file 51a across heterogeneous file systems. In this way, a trust status of the particular file 51a may be maintained. Thus, a subsequent request to access the transmitted particular file 51a, for example, may be similarly intercepted and the request handled by the computer device 200 as described previously, thereby further better protecting the computer device 200.
[108] Figure 10 is a flowchart of an example method of operating the computer device 200, including an example mechanism to tag the particular file 51a, thereby enabling transmission of the particular file 51a across heterogeneous file systems while maintaining the tag 52a intact.
[109] At S1001, the computer device 200 intercepts a file access request 55 made on the computer device 200 to request access to the particular file 51a amongst a plurality of files 51, wherein each particular file 51a of the plurality of files 51 has a certain file type amongst a plurality of different file types. The computer device 200 determines that the particular file 51a is untrusted.
[110] At S1002, the computer device 200 stores the particular file 51a to the first storage drive 203 configured according to the first file system.
[111] At S1003, the computer device 200 looks up the appropriate location within the particular file 51a to insert the tag 52a relevant to the respective file type of the particular file 51a, the location within the particular file 51a being different amongst the plurality of different file types.
[112] At S1004, the computer device 200 inserts the tag 52a in the appropriate location, wherein the tag 52a indicates that the particular file 51a is untrusted, thereby enabling transmission of the particular file 51a across heterogeneous file systems while maintaining the tag 52a intact.
[113] At S1005, the computer device 200 satisfies the file access request 55 to access the particular file 51a in the sandbox 230, since the particular file 51a is untrusted.
[114] At S1006, the computer device 200 transmits the particular file 51a, having the tag 52a inserted therein, to the second computer device 20, whereupon the particular file 51a is stored to the second storage drive configured according to the second file system, different from the first file system.
[115] At S1007, the second computer device 20 stores the particular file 51a to the second storage drive configured according to the second file system, different from the first file system.
[116] At S1008, the computer device 200 receives the particular file 51a, retrieved by the second computer device 20 from the second storage drive configured according to the second file system, different from the first file system, and transmitted by the second computer device 20 to the computer device 200.
[117] At S1009, the computer device 200 intercepts a subsequent file access request 55 made on the computer device 200 to request access to the particular file 51a, received from the second computer device 20.
[118] At S1010, the computer device 200 stores the received particular file 51a to the first storage drive 203 configured according to the first file system.
[119] At S1011, the computer device 200 looks up the appropriate location within the received particular file 51a to inspect the tag 52a relevant to the respective file type of the received particular file 51a.
[120] At S1012, the computer device 200 inspects the tag 52a in the appropriate location, wherein the tag 52a indicates that the received particular file 51a is untrusted.
[121] At S1013, the computer device 200 satisfies the subsequent file access request 55 to access the received particular file 51a in the sandbox 230, according to the tag 52a indicating that the particular file 51a is untrusted.
[122] Since the particular file 51a is tagged with the tag 52a inserted in the appropriate location in the particular file 51a, the tag 52a may be persisted with the particular file 51a, even during and/or after transmission of the particular file 51a across heterogeneous file systems, including storage to and retrieval from the second storage drive configured according to the second file system. In this way, the trust status of the particular file 51a may be maintained, even upon receipt. Thus, the subsequent file access request 55 to access the received particular file 51a is similarly intercepted and the request satisfied by the computer device 200 in the sandbox 230, thereby further better protecting the computer device 200.
[123] Described below is an example application of operating a computer device, such as the computer device 200, including an example mechanism to better control access to files (i.e. the files 51). In this example application, the computer device is configured to intercept a file access request 55 made on the computer device to request access to a particular file amongst a plurality of files, wherein each file of the plurality of files has a certain file type amongst a plurality of different file types; look up an appropriate location within the particular file to insert a tag relevant to the respective file type of the particular file, the location within the particular file being different amongst the plurality of different file types; and insert the tag in the appropriate location, thereby enabling transmission of the particular file across heterogeneous file systems while maintaining the tag intact. The computer device further comprises an agent, such as the agent 700 described above. In this example, the computer device uses the Windows operating system and the first storage drive is configured according to the NTFS file system.
[124] Figure 11 is a flowchart of part of an example method of operating the computer device 200, including an example mechanism to tag the particular file 51a, thereby enabling transmission of the particular file 51a across heterogeneous file systems while maintaining the tag 52a intact.
[125] At S1100, the method starts.
[126] At S1101, the computer device 200 tags the particular file 51a conventionally with a second tag, using ADS. This allows checking of the tag 52a against the second tag.
[127] At S1102, the computer device 200 checks that the particular file 51a exists.
[128] At S1103, the computer device 200 checks a size of the particular file 51a. If the size of the particular file 51a is zero, the method ends at S1110.
[129] At S1104, the computer device 200 identifies a file type of the particular file 51a, if the size of the particular file 51a is greater than 0.
[130] At S1105, the computer device 200 determines how to insert the tag 52a into the particular file 51a, based on the identified file type.
[131] At S1106, the computer device 200 inserts the tag 52a in the appropriate location for CFBF file types, if the identified file type is CFBF.
[132] At S1107, the computer device 200 inserts the tag 52a in the appropriate location for OpenXML file types, if the identified file type is OpenXML.
[133] At S1108, the computer device 200 checks if the particular file 51a is signed, if the identified file type is PDF.
[134] At S1109, the computer device 200 inserts the tag 52a in the appropriate location for PDF file types, if the identified file type is PDF and the particular file 51a is not signed. Otherwise, the method ends at S1110.
[135] At S1110, the method ends.
[136] Figure 12 is a flowchart of part of an example method of operating the computer device 200, including an example mechanism to tag the particular file 51a, thereby enabling transmission of the particular file 51a across heterogeneous file systems while maintaining the tag 52a intact.
[137] At S1201, the agent 700 intercepts a CloseHandle() message related to the particular file 51a, for example sent by a process or an application executing on the computer device 200.
[138] At S1202, the agent 700 hooks a NtClose() message, which indicates that the particular file 51a is no longer in use and that the tag 52a may be inserted therein. In this way, the tag 52a may be inserted into the particular file 51a if a user has newly created the particular file 51a in a sandbox or if the user has copied the particular file 51a from a non-NTFS volume to an NTFS volume, such as the first storage drive 203 configured according to the first file system. The NtClose() message may be hooked for the process or the application executing on the computer device 200, such as Explorer or Microsoft Office applications.
[139] At S1203, the agent 700 sends a SendCheckFileTag() message. The agent 700 checks that a handle referenced in the CloseHandle() message relates to a real file stored on the first storage drive 203. The agent 700 checks (i.e. identifies) the file type of the particular file 51a, by checking the filename extension of the particular file 51a. By performing these checks, an amount of processing and/or number of messages sent may be reduced.
[140] At S1204, the agent 700 checks the tag 52a according to ProcessCheckFileTag().
[141] At S1205, the agent 700 checks a state of the tag 52a by sending a CheckTagStateAndHealth() message. This message informs the computer device 200 that a value of the inspected tag 52a and a value of a second tag, inserted in an ADS of the particular file 51a, should be the same.
[142] At S1206, the agent 700 inspects the tag 52a, according to GetFileTag(). The agent 700 compares the value of the inspected tag 52a with the value of a second tag, inserted in the ADS of the particular file 51a. According to the CheckTagStateAndHealth() message, the value of the inspected tag 52a and the value of the second tag should be the same. If these values are different, this difference may indicate modification, such as tampering, interference or removal, of the tag 52a and/or the second tag. Additionally and/or alternatively, this difference may indicate exchange of the particular file 51a between an NTFS volume and a non-NTFS volume, for example. If modification of the tag 52a and/or the second tag is determined, the computer device 200 may re-tag the particular file 51a appropriately so as to remedy any modification and/or synchronize the tags, such that the particular file 51a is subsequently handled correctly, according to the intended tagging.
[143] At S1207 - S1209, the method returns to the particular file 51a via the agent 700.
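The following Python is an added example, not code from the patent or its applicant, that works through the mechanism of Figures 9 and 10 (look up the type-specific location, insert the tag, inspect it again after the bytes have travelled) and of Figures 11 and 12 (the size, file-type and signed-PDF checks before insertion, and the CheckTagStateAndHealth() comparison of the in-file tag against the ADS second tag followed by re-tagging). Everything not named in the patent is an assumption of this example: the tag name and value, the chosen locations (an extra zip part for OpenXML packages, a trailing comment line for PDF), the /ByteRange test used to recognise a signed PDF, the fail-closed resynchronisation policy, and the constructed sample files. The ADS second tag is modelled as a separate value because only NTFS provides alternate data streams; CFBF files are recognised by their header signature but not rewritten, since that needs a CFBF stream editor.

```python
import io
import re
import zipfile

# Assumed names (not from the patent): the tag value and the per-type tag location.
TAG_UNTRUSTED = "untrusted"
OPENXML_TAG_PART = "docProps/x-trust-tag.txt"    # extra zip entry (assumed location)
PDF_TAG_PREFIX = b"%x-trust-tag:"                 # PDF comment line at end of file (assumed)
CFBF_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # CFBF / OLE2 header signature

def identify_type(name, data):
    """S1104 / S1203: classify by extension, confirmed against the container's magic bytes."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in ("docx", "xlsx", "pptx") and data.startswith(b"PK\x03\x04"):
        return "openxml"
    if ext == "pdf" and data.startswith(b"%PDF"):
        return "pdf"
    if ext in ("doc", "xls", "ppt") and data.startswith(CFBF_MAGIC):
        return "cfbf"   # tagging a CFBF file needs a stream editor; not shown here
    return "unknown"

def insert_tag_openxml(data, value):
    """Rewrite the zip container: existing parts are copied unchanged, the tag part is added."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for item in src.infolist():
            if item.filename != OPENXML_TAG_PART:
                dst.writestr(item, src.read(item.filename))
        dst.writestr(OPENXML_TAG_PART, value)
    return out.getvalue()

def inspect_tag_openxml(data):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(OPENXML_TAG_PART).decode("utf-8") if OPENXML_TAG_PART in z.namelist() else None

def pdf_is_signed(data):
    return b"/ByteRange" in data   # S1108: signature dictionaries carry /ByteRange; rewriting breaks them

def insert_tag_pdf(data, value):
    """Drop any earlier tag line, then append the tag as a PDF comment (readers ignore % lines)."""
    body = re.sub(re.escape(PDF_TAG_PREFIX) + rb"[^\r\n]*\r?\n?", b"", data)
    return body.rstrip(b"\r\n") + b"\n" + PDF_TAG_PREFIX + value.encode("utf-8") + b"\n"

def inspect_tag_pdf(data):
    m = re.search(re.escape(PDF_TAG_PREFIX) + rb"([^\r\n]+)", data)
    return m.group(1).decode("utf-8").strip() if m else None

def tag_file(name, data, value=TAG_UNTRUSTED):
    """Figure 11 (S1103-S1110): decide whether and how to embed the tag. Returns (status, bytes)."""
    if len(data) == 0:
        return "skipped: empty file", data
    kind = identify_type(name, data)
    if kind == "openxml":
        return "tagged", insert_tag_openxml(data, value)
    if kind == "pdf" and pdf_is_signed(data):
        return "skipped: signed pdf", data
    if kind == "pdf":
        return "tagged", insert_tag_pdf(data, value)
    return "skipped: no tag location for " + kind, data

def inspect_tag(name, data):
    """S1011 / S1012: read the tag from the location appropriate to the file type."""
    kind = identify_type(name, data)
    return inspect_tag_openxml(data) if kind == "openxml" else inspect_tag_pdf(data) if kind == "pdf" else None

def check_tag_state_and_health(embedded, second):
    """S1205 / S1206: the in-file tag and the ADS second tag are expected to agree."""
    if embedded == second:
        return "consistent"
    if embedded is None:
        return "embedded tag missing"   # e.g. re-saved by an application that dropped the part
    if second is None:
        return "second tag missing"     # e.g. the file came back from a non-NTFS volume
    return "tags disagree"

def resync_tags(name, data, second):
    """Assumed fail-closed policy: if either tag says untrusted, re-tag so that both do."""
    embedded = inspect_tag(name, data)
    health = check_tag_state_and_health(embedded, second)
    if health != "consistent" and TAG_UNTRUSTED in (embedded, second):
        data, second = tag_file(name, data, TAG_UNTRUSTED)[1], TAG_UNTRUSTED
    return health, data, second

def make_sample_docx():
    """Constructed minimal OpenXML-shaped container; not a real Word document."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return out.getvalue()

# Constructed tiny PDFs; the second carries a signature dictionary and must not be rewritten.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
SIGNED_PDF = SAMPLE_PDF.replace(b"trailer", b"2 0 obj<</Type/Sig/ByteRange[0 10 20 30]>>endobj\ntrailer")

def demo():
    """Figure 10 round trip: tag, 'transmit' only the bytes (the ADS does not travel), inspect, resync."""
    status, docx = tag_file("report.docx", make_sample_docx())
    health, docx_back, ads = resync_tags("report.docx", bytes(docx), None)
    return {"docx": (status, inspect_tag("report.docx", docx)),
            "after_transfer": (health, inspect_tag("report.docx", docx_back), ads),
            "pdf": tag_file("invoice.pdf", SAMPLE_PDF)[0],
            "signed_pdf": tag_file("contract.pdf", SIGNED_PDF)[0]}
```

In `demo()` the tagged package survives the simulated transfer with its embedded tag intact, while the second tag (the ADS sidecar) is lost, which is exactly the case the in-file tag exists to cover; `resync_tags` reports "second tag missing" and restores both tags to "untrusted". On an NTFS volume the second tag would be written to an alternate data stream (a path of the form `file.docx:streamname`), and a production implementation would register the added OpenXML part's content type in `[Content_Types].xml` so that Office applications treat the package as well-formed.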
[144] Hence, according to this example application of operating the computer device, such as the computer device 200, tags are inserted in the appropriate locations in particular files, thereby enabling transmission of the particular files across heterogeneous file systems while maintaining the tags embedded therein intact, and inspected thereafter. In this way, the tags are portable across different file systems and thus the tags are preserved during transmission of the particular files across heterogeneous file systems. By persisting the tags in this way in the particular files, information contained in the tags is similarly maintained intact. Hence, behaviour of the computer device 200 according to the tags is consistent, even after transmission of the particular files, including the tags, across heterogeneous file systems in which the files are stored to and retrieved from storage drives configured according to different file systems.
[145] At least some of the example embodiments described herein may be constructed, partially or wholly, using dedicated special-purpose hardware. Terms such as ‘component’, ‘module’ or ‘unit’ used herein may include, but are not limited to, a hardware device, such as circuitry in the form of discrete or integrated components, a Field Programmable Gate Array (FPGA) or Application Specific Integrated Circuit (ASIC), which performs certain tasks or provides the associated functionality. In some embodiments, the described elements may be configured to reside on a tangible, persistent, addressable storage medium and may be configured to execute on one or more processor circuits. These functional elements may in some embodiments include, by way of example, components, such as software components, object-oriented software components, class components and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables.
[146] Although the example embodiments have been described with reference to the components, modules and units discussed herein, such functional elements may be combined into fewer elements or separated into additional elements. Various combinations of optional features have been described herein, and it will be appreciated that described features may be combined in any suitable combination. In particular, the features of any one example embodiment may be combined with features of any other embodiment, as appropriate, except where such combinations are mutually exclusive. Throughout this specification, the term “comprising” or “comprises” may mean including the component(s) specified but is not intended to exclude the presence of other components.
[147] Although a few example embodiments have been shown and described, it will be appreciated by those skilled in the art that various changes and modifications might be made without departing from the scope of the invention, as defined in the appended claims.
Claims (19)
1. A computer device for handling files transferred between heterogeneous file systems, the computer device comprising a processor circuit, a memory circuit and a first storage drive which is configured according to a first file system, wherein the computer device is configured to:
intercept a file access request made on the computer device to request access to a particular file amongst a plurality of files, wherein each file of the plurality of files has a certain file type amongst a plurality of different file types;
look up an appropriate location within the particular file to insert a tag relevant to the respective file type of the particular file, the location within the particular file being different amongst the plurality of different file types; and insert the tag in the appropriate location, thereby enabling transmission of the particular file across heterogeneous file systems while maintaining the tag intact.
2. The computer device according to claim 1, wherein the computer device is configured to inspect the tag inserted into the appropriate location within the particular file.
3. The computer device according to claim 1, wherein the computer device is configured to provide a sandbox arranged to isolate malicious code therein.
4. The computer device according to claim 3, wherein the computer device is configured to cause the particular file to be accessed in the sandbox, if the particular file is untrusted.
5. The computer device according to claim 4, wherein the computer device is configured to insert the tag in the appropriate location within the particular file, wherein the particular file is untrusted and wherein the tag indicates that the particular file is untrusted.
6. The computer device according to claim 1, wherein the computer device is configured to insert the tag in the appropriate location within the particular file after the particular file is stored to the first storage drive configured according to the first file system.
7. The computer device according to claim 1, wherein the computer device comprises an agent configured to intercept the file access request, wherein the agent is configured to hook an application programming interface.
8. The computer device according to claim 1, wherein the first file system supports an alternate data stream and wherein the appropriate location within the particular file is in a main data stream of the particular file.
9. The computer device according to claim 1, wherein the computer device is configured to insert a second tag in an alternate data stream of the particular file.
10. A method of handling files transferred between heterogeneous file systems on a computer device comprising a processor circuit, a memory circuit and a first storage drive which is configured according to a first file system, the method comprising:
intercepting a file access request made on the computer device to request access to a particular file amongst a plurality of files, wherein each file of the plurality of files has a certain file type amongst a plurality of different file types;
looking up an appropriate location within the particular file to insert a tag relevant to the respective file type of the particular file, the location within the particular file being different amongst the plurality of different file types; and inserting the tag in the appropriate location, thereby enabling transmission of the particular file across heterogeneous file systems while maintaining the tag intact.
11. The method according to claim 10, comprising inspecting the tag inserted into the appropriate location within the particular file.
12. The method according to claim 10, comprising providing a sandbox arranged to isolate malicious code therein.
13. The method according to claim 12, comprising causing the particular file to be accessed in the sandbox, if the particular file is untrusted.
14. The method according to claim 13, comprising inserting the tag in the appropriate location within the particular file, wherein the particular file is untrusted and wherein the tag indicates that the particular file is untrusted.
15. The method according to claim 10, comprising storing the particular file to the first storage drive configured according to the first file system before inserting the tag in the appropriate location within the particular file.
16. The method according to claim 10, comprising intercepting, by an agent, the file access request, by hooking an application programming interface.
17. The method according to claim 10, comprising inserting the tag in a main data stream of the particular file.
18. The method according to claim 10, comprising inserting a second tag in an alternate data stream of the particular file.
19. A tangible non-transient computer-readable storage medium having recorded thereon instructions which, when implemented by a computer device including a processor circuit and a memory circuit, cause the computer device to perform a method comprising:
intercepting a file access request made on the computer device to request access to a particular file amongst a plurality of files, wherein each file of the plurality of files has a certain file type amongst a plurality of different file types;
looking up an appropriate location within the particular file to insert a tag relevant to the respective file type of the particular file, the location within the particular file being different amongst the plurality of different file types; and inserting the tag in the appropriate location, thereby enabling transmission of the particular file across heterogeneous file systems while maintaining the tag intact.
Intellectual Property Office, Application No: GB1706567.3
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1706567.3A GB2561862A (en) | 2017-04-25 | 2017-04-25 | Computer device and method for handling files |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1706567.3A GB2561862A (en) | 2017-04-25 | 2017-04-25 | Computer device and method for handling files |
Publications (2)
Publication Number | Publication Date |
---|---|
GB201706567D0 GB201706567D0 (en) | 2017-06-07 |
GB2561862A true GB2561862A (en) | 2018-10-31 |
Family
ID=58795598
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB1706567.3A Withdrawn GB2561862A (en) | 2017-04-25 | 2017-04-25 | Computer device and method for handling files |
Country Status (1)
Country | Link |
---|---|
GB (1) | GB2561862A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20240135129A1 (en) * | 2022-10-21 | 2024-04-25 | Global Graphics Software Limited | Methods and systems for identifying and tagging barcodes in pdf files |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111723373A (en) * | 2019-03-19 | 2020-09-29 | 国家计算机网络与信息安全管理中心 | Vulnerability exploitation file detection method and device of composite binary document |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100114977A1 (en) * | 2008-10-27 | 2010-05-06 | International Business Machines Corporation | Method, system, and computer program product for enabling file system tagging by applications |
US20130347115A1 (en) * | 2004-10-29 | 2013-12-26 | Microsoft Corporation | Tagging obtained content for white and black listing |
GB2519608A (en) * | 2013-10-23 | 2015-04-29 | Avecto Ltd | Computer device and method for isolating untrusted content |
2017-04-25: GB GB1706567.3A patent/GB2561862A/en not_active Withdrawn
Also Published As
Publication number | Publication date |
---|---|
GB201706567D0 (en) | 2017-06-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11057355B2 (en) | Protecting documents using policies and encryption | |
US10614233B2 (en) | Managing access to documents with a file monitor | |
US11386230B2 (en) | On-demand code obfuscation of data in input path of object storage service | |
JP4931255B2 (en) | Virtualized file system | |
US11263220B2 (en) | On-demand execution of object transformation code in output path of object storage service | |
EP3866041B1 (en) | Secure group file sharing | |
CN114586010B (en) | On-demand execution of object filtering code in output path of object store service | |
US8898193B2 (en) | Method and apparatus for controlling replication processing of object | |
US20150347447A1 (en) | Method and architecture for synchronizing files | |
US20150121446A1 (en) | Accessing protected content for archiving | |
IL267241B2 (en) | System and methods for detection of cryptoware | |
US11023311B2 (en) | On-demand code execution in input path of data uploaded to storage service in multiple data portions | |
CN110555293A (en) | Method, apparatus, electronic device and computer readable medium for protecting data | |
US11475156B2 (en) | Dynamically adjusted timeout quarantined code scanning | |
CN114586020A (en) | On-demand code obfuscation of data in an input path of an object storage service | |
US9516031B2 (en) | Assignment of security contexts to define access permissions for file system objects | |
US8863304B1 (en) | Method and apparatus for remediating backup data to control access to sensitive data | |
CN107636667B (en) | System and method for creating multiple workspaces in a device | |
US9904602B1 (en) | Secure search | |
GB2561862A (en) | Computer device and method for handling files | |
US11914731B1 (en) | Cross-boundary data backup background | |
Owen et al. | PRISM: Program replication and integration for seamless MILS | |
GB2561861A (en) | Computer device and method for isolating untrusted content | |
Cho et al. | Potential privacy vulnerabilities in android data sharing between applications | |
JP2011198255A (en) | Content protection device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WAP | Application withdrawn, taken to be withdrawn or refused ** after publication under section 16(1) | |