HK1237470B - Access control system and access control method - Google Patents
Access control system and access control method
- Publication number: HK1237470B
- Authority: HK (Hong Kong)
- Prior art keywords: aforementioned, request, file, access control, identification information
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims priority based on Japanese Patent Application No. 2015-62999, filed on March 25, 2015, the entire contents of which are incorporated herein by reference.
Technical Field
The present invention relates to an access control system.
Background Art
Conventionally, terminals such as PCs that handle confidential information files have used techniques such as firewalls and file system access control, configured to protect confidential information, in order to prevent unauthorized access by malicious users and leakage of confidential information files.
Japanese Patent Application Publication No. 2007-140798 is background art for this technology. It describes an information leakage prevention system for a computer: at the point when an application executing on the computer attempts to access information stored in a storage unit such as a hard disk, a determination unit determines whether preset access permission conditions are satisfied, and if the access is determined to be unauthorized, delivery of the information to the application is prohibited.
Summary of the Invention
Problems to Be Solved by the Invention
An integrated office suite, on the other hand, contains multiple applications such as a word processor and a spreadsheet, and handles files in various formats. When confidential information files are edited with an integrated office suite, the conventional technology described above can set access control based on file extensions. However, every extension handled by the applications must be known in order to make all of the necessary settings.
Furthermore, when network communication is controlled with a firewall, access control must be set separately for each communication destination, communication program, and so on.
An object of the present invention is to provide a system that simplifies the configuration of access control for the file system and firewall described above.
Means for Solving the Problems
A representative example of the invention disclosed in this application is as follows. Namely, an access control system constituted by a computer having a processor that executes processes and a memory that stores the program, the access control system comprising: a launcher, which is a process that starts the process; an access control list file (ACL file) that defines the control content for I/O requests issued by the process; a process discovery unit that traces the parents of the process and determines whether the process was started with the launcher as its origin; and an access control unit that controls, in accordance with the content defined in the ACL file, I/O requests issued by a process started with the launcher as its origin.
Effects of the Invention
According to a representative embodiment of the present invention, the configuration of access control can be simplified. Problems, structures, and effects other than those described above will become clear from the following description of the embodiments.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram showing the configuration of a system according to an embodiment of the present invention.
FIG. 2 is a block diagram showing the physical structure of a user terminal according to this embodiment.
FIG. 3 is a diagram illustrating a configuration example of the ACL table according to this embodiment.
FIG. 4 is a flowchart of the process for registering the I/O detection function of this embodiment with the filter manager.
FIG. 5 is a flowchart of the process discovery function of this embodiment.
FIG. 6 is a flowchart of the access control function of this embodiment.
DETAILED DESCRIPTION
Hereinafter, an embodiment of the present invention will be described in detail with reference to the accompanying drawings.
FIG. 1 is a diagram showing the configuration of a system according to an embodiment of the present invention.
In FIG. 1, a user terminal 101 has a storage device 102 and a network adapter 103. An operating system 107, a file system driver 105, and a network driver 106 are installed in the user terminal 101. Within the operating system 107, the user terminal 101 also has a filter manager 108 that filters file I/O request packets 110 and network I/O request packets 111 generated by a process 109. An I/O detection function 113 is registered in the filter manager 108. The I/O detection function 113 includes a process discovery function 114 and an access control function 115. In addition, a launcher 112 and a configuration tool 116 are installed in the user terminal 101.
The launcher 112 starts an arbitrary process 109. The I/O detection function 113 receives file I/O request packets 110 and network I/O request packets 111 via the filter manager 108. The process discovery function 114 checks the parent process of the source process 109 based on the request packet received by the I/O detection function 113. If the process discovery function 114 can confirm that the parent process is the launcher 112, the access control function 115 performs access control according to the ACL file 117. The configuration tool 116 records, edits, and deletes access control settings in the ACL file 117.
When starting an arbitrary process 109 such as a word processor, spreadsheet, or web browser, a user who wants the ACL file 117 to be applied starts the process 109 from the launcher 112. When the process 109 accesses a file or the network, the operating system 107 generates a packet containing the access content and the process information of the access source, and passes it to the file system driver 105 or the network driver 106 via the filter manager 108.
The filter manager 108 calls the process discovery function 114 within the I/O detection function 113. The process discovery function 114 searches the parent process of the process 109, and then that process's own ancestors, and determines whether the origin of the process 109 is the launcher 112. If the process discovery function 114 determines that the origin of the process 109 is the launcher 112, the filter manager 108 calls the access control function 115.
The access control function 115 performs access control, such as permitting, denying, or modifying the file I/O request packet 110 and the network I/O request packet 111, in accordance with the ACL file 117.
In this way, the access control of the ACL file 117 can be applied collectively to all child and grandchild processes originating from the launcher 112.
FIG. 2 is a block diagram showing the physical structure of the user terminal 101.
The user terminal 101 of this embodiment is constituted by a computer having a processor (CPU) 1, a memory 2, an auxiliary storage device 3, a communication interface 4, an input interface 5, and an output interface 8.
The processor 1 executes programs stored in the memory 2. The memory 2 includes ROM, which is a nonvolatile storage element, and RAM, which is a volatile storage element. The ROM stores immutable programs (for example, the BIOS). The RAM is a high-speed, volatile storage element such as DRAM (Dynamic Random Access Memory), and temporarily stores the programs executed by the processor 1 and the data used during program execution.
The auxiliary storage device 3 is a large-capacity, nonvolatile storage device such as a magnetic storage device (HDD, hard disk drive) or flash memory (SSD, solid state drive), and constitutes the storage device 102. The auxiliary storage device 3 also stores the programs executed by the processor 1. That is, a program is read from the auxiliary storage device 3, loaded into the memory 2, and executed by the processor 1.
The communication interface 4 is a network interface device that controls communication with other devices (such as a file server or gateway) according to a predetermined protocol.
The input interface 5 is connected to a keyboard 6, a mouse 7, and the like, and receives input from the operator. The output interface 8 is connected to a display device 9, a printer, and the like, and outputs program execution results in a form visible to the operator.
The programs executed by the processor 1 are provided to the user terminal 101 via removable media (CD-ROM, flash memory, etc.) or a network and are stored in the nonvolatile auxiliary storage device 3, which is a non-transitory storage medium. The user terminal 101 may therefore have an interface for reading data from removable media.
The user terminal 101 is a computer system constituted by one physical computer, or by multiple computers configured logically or physically. It may operate as separate threads on the same computer, or on a virtual computer built on multiple physical computer resources.
FIG. 3 is a diagram illustrating a structural example of the ACL file 117.
The ACL file 117 includes a network ACL 201 that defines rules for network access and a file ACL 202 that defines rules for file access.
The network ACL 201 holds a rule number 203 for uniquely identifying a rule, a communication source 204, a communication destination 205, and an access control definition 206.
The communication source 204 specifies the network information of the communication source to which access control applies: an IP address and netmask, "LOCAL" indicating the local terminal itself, "ANY" indicating all, and so on. The communication destination 205 specifies the network information of the communication destination to which access control applies, in the same form: an IP address and netmask, "LOCAL" indicating the local terminal itself, "ANY" indicating all, and so on. The definition 206 specifies whether communication is permitted or denied when the rule matches. The definition 206 can also specify that the communication destination is changed to another address when the rule matches.
The file ACL 202 holds a rule number 207 for uniquely identifying a rule, an access path 208 indicating the file or directory to be accessed, and an access control definition 209.
The access path 208 specifies, as a character string, the file path or directory path to which access control applies. The definition 209 specifies whether access to the file or directory is permitted or denied when the rule matches. The definition 209 can also specify that the access path is changed to another path when the rule matches.
FIG. 4 is a flowchart of the process for registering the I/O detection function 113 with the filter manager 108.
The filter manager 108 is a function provided by the operating system 107. By issuing instructions to the operating system 107, the operator can have the file I/O request packets 110 or network I/O request packets 111 processed by the operating system 107 passed to the I/O detection function 113 via the filter manager 108.
First, in accordance with the operator's instructions, the filter manager 108 is set to forward file I/O request packets 110 to the I/O detection function 113 (step 301). Then, in accordance with the operator's instructions, the filter manager 108 is set to forward network I/O request packets 111 to the I/O detection function 113 (step 302).
FIG. 5 is a flowchart of the process discovery function 114.
The process discovery function 114 traces the parent processes of the process that generated the file I/O request packet 110 or the network I/O request packet 111.
When a file I/O request packet 110 or a network I/O request packet 111 is received from the filter manager 108 via the I/O detection function 113, the process discovery function 114 starts the parent process search.
First, the process discovery function 114 obtains the process ID of the calling process 109 from the file I/O request packet 110 or the network I/O request packet 111 and uses it as the Check ID (step 401).
Next, it determines whether the Check ID obtained in step 401 matches the process ID of the launcher 112 (step 402).
If step 402 determines that the Check ID matches the process ID of the launcher 112 ("Yes" in step 403), a message indicating that the process 109 was started from the launcher 112 is returned to the caller, and processing ends (step 407).
If, on the other hand, the Check ID is determined not to match the process ID of the launcher 112 ("No" in step 403), the process ID of the parent process of the Check ID is obtained (step 404).
If the process ID of the parent process cannot be obtained ("No" in step 405), a message indicating that the process 109 was not started from the launcher 112 is returned to the caller (step 408), and processing ends.
If the process ID of the parent process can be obtained ("Yes" in step 405), the process ID obtained in step 404 becomes the new Check ID (step 406), and processing returns to step 402 to search further up the parent chain.
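The parent search of FIG. 5 can be modeled in user space as follows; this is an added example, not code from the patent. The process table, the PIDs, the function name `trace_origin`, and the cycle and depth guards are assumptions of the example; the flowchart itself only defines steps 401 to 408.

```python
# Added example: user-space model of the FIG. 5 parent-process search.
# The process table and PIDs are constructed; a real filter would query the OS.
from typing import Dict, List, Optional, Tuple

LAUNCHER_PID = 1000

# pid -> parent pid; None means the parent cannot be obtained (step 405 "No").
PROCESS_TABLE: Dict[int, Optional[int]] = {
    4: None,      # system root
    500: 4,       # shell
    1000: 500,    # launcher 112
    1100: 1000,   # word processor started from the launcher
    1200: 1100,   # helper spawned by the word processor (grandchild)
    2000: 500,    # browser started directly from the shell
    3100: 3000,   # parent 3000 has no record in the table
}


def trace_origin(
    request_pid: int,
    launcher_pid: int,
    table: Dict[int, Optional[int]],
    max_depth: int = 64,
) -> Tuple[bool, List[int]]:
    """Return (started_from_launcher, chain of PIDs that were checked)."""
    chain: List[int] = []
    check_id: Optional[int] = request_pid             # step 401
    while check_id is not None and len(chain) < max_depth:
        if check_id in chain:                         # guard added here: a stale
            return False, chain                       # table must not loop forever
        chain.append(check_id)
        if check_id == launcher_pid:                  # steps 402-403
            return True, chain                        # step 407
        check_id = table.get(check_id)                # steps 404-406
    return False, chain                               # step 405 "No" -> step 408


if __name__ == "__main__":
    for pid in (1100, 1200, 2000, 3100):
        origin, chain = trace_origin(pid, LAUNCHER_PID, PROCESS_TABLE)
        print(pid, "launcher-origin" if origin else "not launcher-origin", chain)
```

The returned chain is what a filter would log next to each decision: for PID 3100 it ends at the ancestor whose record is missing, which by step 405 yields "not started from the launcher".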
FIG. 6 is a flowchart of the access control function 115.
The access control function 115 performs access control for the network or for files.
When the result of step 408 is that the calling process 109 is a process started from the launcher 112, the function determines whether the I/O request packet is file I/O or network I/O (step 501), in order to apply access control to the file I/O request packet 110 or the network I/O request packet 111.
If the I/O request packet is a file I/O request packet 110, one rule is obtained from the file ACL 202 of the ACL file 117 (step 502).
If, on the other hand, the I/O request packet is a network I/O request packet 111, one rule is obtained from the network ACL 201 of the ACL file 117 (step 503).
If no rule can be obtained in step 502 or step 503 ("No" in step 504), the access control processing ends.
If a rule can be obtained in step 502 or step 503 ("Yes" in step 504), the function determines whether the content of the I/O request packet (communication source, communication destination, access path, etc.) matches the rule obtained in step 502 or step 503 (communication source 204, communication destination 205, access path 208, etc.) (step 505).
If the content of the I/O request packet matches the rule ("Yes" in step 506), the I/O request packet is updated according to the definitions 206 and 209 of the ACL file 117 (step 507), and the access control processing ends.
If the content of the I/O request packet does not match the rule ("No" in step 506), the next rule is obtained from the ACL file 117 (step 508), and processing returns to step 504 and continues.
With the above method, the access control set in the ACL file 117 can be applied to all processes 109 started from the launcher 112 by using the parent-child relationship between processes.
When multiple rules match, it is preferable to register the rules in the ACL file 117 in the order in which they should take precedence. Alternatively, a priority order may be defined in the ACL file 117, all rules matching the I/O request packet may be selected, and the access control definitions may be applied to the I/O request packet in the defined priority order.
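The ACL tables of FIG. 3 and the rule loop of FIG. 6 can be modeled as below, including the effect of rule order described in the preceding paragraph; this is an added example, not code from the patent. The addresses, paths, the action labels `PERMIT`/`DENY`/`REDIRECT`, and the choice that a path rule covers everything beneath the named directory are assumptions of the example.

```python
# Added example: model of the FIG. 3 ACL tables and the FIG. 6 evaluation loop.
# All addresses, paths and action labels below are constructed for illustration.
import ipaddress
from pathlib import PureWindowsPath

LOCAL_ADDRS = {ipaddress.ip_address("192.0.2.10")}  # assumed address of the terminal

# Network ACL 201: (rule number 203, source 204, destination 205, definition 206)
NETWORK_ACL = [
    (1, "LOCAL", "198.51.100.0/24", ("PERMIT", None)),
    (2, "LOCAL", "203.0.113.5/32", ("REDIRECT", "198.51.100.80")),
    (3, "ANY", "ANY", ("DENY", None)),
]
# File ACL 202: (rule number 207, access path 208, definition 209)
FILE_ACL = [
    (1, r"C:\Secret\drafts", ("REDIRECT", r"C:\Sandbox\drafts")),
    (2, r"C:\Secret", ("DENY", None)),
    (3, r"C:\Users\Public", ("PERMIT", None)),
]


def endpoint_matches(spec, addr):
    """Match one address against "ANY", "LOCAL" or an address/mask entry."""
    if spec == "ANY":
        return True
    ip = ipaddress.ip_address(addr)
    if spec == "LOCAL":
        return ip in LOCAL_ADDRS
    return ip in ipaddress.ip_network(spec, strict=False)


def path_matches(rule_path, req_path):
    """Assumption: a rule covers the named path and everything beneath it.
    Comparison is per path component, so C:\\Secretive is not under C:\\Secret."""
    rule, req = PureWindowsPath(rule_path), PureWindowsPath(req_path)
    return req == rule or rule in req.parents


def evaluate(request, network_acl=NETWORK_ACL, file_acl=FILE_ACL):
    """Return (rule number, action, request after update); first match wins."""
    if request["kind"] == "file":                                # step 501
        for number, path, (action, target) in file_acl:          # steps 502, 508
            if not path_matches(path, request["path"]):          # steps 505-506
                continue
            updated = dict(request)                              # step 507
            if action == "REDIRECT":
                tail = PureWindowsPath(request["path"]).relative_to(path)
                updated["path"] = str(PureWindowsPath(target) / tail)
            return number, action, updated
    else:
        for number, src, dst, (action, target) in network_acl:   # steps 503, 508
            if not (endpoint_matches(src, request["src"])
                    and endpoint_matches(dst, request["dst"])):
                continue
            updated = dict(request)                              # step 507
            if action == "REDIRECT":
                updated["dst"] = target
            return number, action, updated
    return None, "UNCHANGED", request                            # step 504 "No"
```

With the file rules registered in the reverse order, the broader `C:\Secret` rule matches first and the redirect for `C:\Secret\drafts` is never reached, which is why the registration order matters.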
As described above, the embodiment of the present invention has: the launcher 112, which is a process that starts processes; the ACL file 202, which defines the control content for I/O requests issued by processes; the process discovery function 114, which traces the parents of a started process and determines whether it was started with the launcher 112 as its origin; and the access control function 115, which controls I/O requests issued by processes started with the launcher 112 as their origin, based on the content defined in the ACL file 202. Therefore, even without setting access control per process or per file, the user can uniquely control access to the network or the file system by setting access control in the filter manager 108 and starting the processes to which security should be applied from the launcher 112.
In addition, the process discovery function 114 obtains the identification information of the process that issued the I/O request. If the identification information of the process that started the process is the same as the identification information of the launcher 112, it determines that the process that issued the I/O request was started with the launcher 112 as its origin. If the identification information of the process differs from that of the launcher 112, it traces the parent process and determines whether the identification information of the parent process is the same as that of the launcher 112. In this way, the process from which a process originated can be determined reliably.
In addition, the access control function 115 determines the type of the I/O request. If the I/O request is a file I/O request, it refers to the file ACL 202 and decides the I/O control content based on the access target of the I/O request. If the I/O request is a network I/O request, it refers to the network ACL 201 and decides the I/O control content based on the communication source and communication destination of the I/O request. In this way, different rules can be applied reliably according to the object of the I/O.
The present invention is not limited to the embodiment described above, and includes various modifications and equivalent structures within the spirit of the claims. For example, the embodiment above is described in detail to make the present invention easy to understand, and the present invention is not limited to having all of the structures described. Part of the structure of one embodiment may be replaced with the structure of another embodiment. The structure of another embodiment may be added to the structure of one embodiment. Other structures may also be added to, deleted from, or substituted for part of the structure of each embodiment.
The structures, functions, processing units, processing mechanisms, and the like described above may be implemented in hardware, for example by designing some or all of them as integrated circuits, or in software, by having a processor interpret and execute programs that implement the respective functions.
Information such as the programs, tables, and files that implement each function can be stored in storage devices such as memory, hard disks, and SSDs (Solid State Drives), or on recording media such as IC cards, SD cards, and DVDs.
The control lines and information lines shown are those considered necessary for the explanation, and do not necessarily represent all of the control lines and information lines required in an implementation. In practice, almost all of the structures may be considered to be interconnected.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP2015-062999 | 2015-03-25 | | |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1237470A1 | 2018-04-13 |
| HK1237470B | 2021-03-05 |