JP4342242B2 - Secure file sharing method and apparatus - Google Patents

Description

  The present invention relates to a file sharing method in a computer communication system that performs communication between computers via a communication line.

  Various methods such as NFS (Network File System) and samba have been developed as file sharing applications for sharing files that can be accessed via a communication line in a computer communication system that communicates between computers via a communication line. It has been widely used as an in-company file server and a collaboration file server. Conventionally, the file sharing method uses the access authority that each network user has and the access control list that enumerates resources such as accessible servers and files to perform access control at the application level. Although a form of ensuring confidentiality and integrity has been common (see, for example, Non-Patent Document 1), this method makes it possible to access all resources with root authority. The leakage and falsification of confidential information due to unauthorized intrusion attacks used has increased, and reliability has been demanded of file sharing systems.

  As an example of a conventional file sharing method, FIG. 8 shows a file sharing method based on application level access control using an access control list listing resources such as accessible files. In the figure, a user terminal device 11 is connected to an IP network 1 by a broadband access line 2. The user terminal device 12 is connected to the IP network 1 by a broadband access line 3. The user terminal device 13 is connected to the IP network 1 by the broadband access line 4. A file sharing apparatus 30 constituted by a normal OS is connected to the IP network 1 by a broadband access line 5. The file sharing apparatus 30 includes a shared file unit 31, an access control list 32, and a file share management unit 33. An example of the access control list 32 set from the file sharing management unit 33 is shown in Table 1.

In the method by application level access control using the access control list 32, when the user accesses the file sharing unit 31, the file sharing unit 31 makes an inquiry to the file sharing management unit 33, and the file sharing management unit 33 logs in the login information. To identify the group and user name in the access user system, query the access control list 32 held by the application for the group and user name and access resource permissions, and notify the shared file unit 31 of the result. By doing so, access control at the application level is realized. In the case of the access control list of Table 1, only yamada and kimura can be accessed with the read authority to the directory soumu, and only nakamura can be read and accessed with the write authority to the directory jinji.

Further, as a conventional computer system, there is a secure OS (see, for example, Non-Patent Document 2) capable of OS level access control. The secure OS introduces a forced access control mechanism and the like, and can prevent information leakage and unauthorized intrusion to a server caused by inappropriate security settings by a user or superuser. Secure OS is higher processes that are subject, with respect to resource to be objects, labels, compartments, etc. identifiers assigned consisting level, by setting precisely the security setting called a pre security policy permission information between identifier Security is realized, and even a root authority cannot access all resources. Creation of this security policy requires understanding of the operation of the application, the operation of the secure OS, and the description method of the security policy, and has been generated manually. Therefore, a security policy for file sharing corresponding to the above-mentioned file sharing application has been disclosed, but identification of processes in units of users and resources in units of users and sharing groups is not performed at the OS level. As a result, application level access control is used in the end, and the problem is not solved. In addition, if detailed access control is performed at the OS level, a security policy must be generated every time a shared group or member is added, so that operability is degraded, and shared resources are distributed to users and shared groups. Therefore, the convenience of the accessing user is also reduced.

  In the file sharing method by the conventional file sharing application described above, access control is performed at the application level. Therefore, when the root of the application is exploited and the root right is taken away by unauthorized intrusion, the access control function is bypassed. All information can be accessed, and confidential information is leaked and tampered. In addition, in a secure OS capable of OS level access control, operability is reduced due to generation of a security policy, and user convenience is reduced due to resource distribution.

  An object of the present invention is to provide a secure file sharing method and apparatus for realizing fine-grained OS level access control, ensuring operability by automatic generation of security policies, and ensuring user convenience by aggregating shared resources using virtual directories. Is to provide.

In order to achieve the above object, a secure file sharing method according to the present invention is a file sharing method by a file management unit of a secure OS for a file stored in a storage device, and an identifier different for each user in a subject process. grant process identifier including, grant resource identifier composed of the identifier of permission unit for user units and the shared group basis and allowed resource to be objects, set corresponding to the process identifier and process identifier was resource identifier A security policy including information is generated, and access control is performed based on the security policy .

In another secure file sharing method of the present invention , a process identifier that is a different identifier for each user is assigned to a process on the secure OS, and a directory and an identifier are generated for each user, each sharing group, and each permitted permission. Files with the same identifier as the directory are assigned to the files under the directory, a public virtual directory and identifier are generated for each share group, and the virtual directory identifier is retained and distributed in units of users and allowed permissions Are created under the virtual directory, access control information between the process identifier and the symbolic link at the time of user access is set in the security policy, and access control is performed based on the security policy .

Further, another secure file sharing method of the present invention provides a process identifier , which is a different identifier for each user, on a secure OS, so that a sub-shared group that allows only a limited member within the shared group to access is provided. It is possible to create multiple directories, assigning identifiers to user units, shared group units, sub-shared group units, and permitted permission units, and creating directories in user units, shared group units, sub-shared group units, and permitted permission units Then, give the files under the directory the same identifier that is assigned to the user, the shared group, the sub-shared group, and the permissible permission unit corresponding to the directory. share Generates sub virtual directory and identifier for the loop to generate a symbolic link files dispersed in the user unit and allowed to permission unit under sub virtual directory in the state of holding the identifier of the sub virtual directory, the process at the time of user access Access control information between the identifier and the symbolic link is set in the security policy, and access control is performed based on the security policy .

The file sharing apparatus of the present invention includes means for assigning a process identifier including a different identifier for each user to a process that is a subject on the secure OS, and each of a user unit, a sharing group unit, and an allowed permission unit for an object resource. Means for assigning a resource identifier consisting of an identifier, means for generating a security policy including information about a process identifier and a resource identifier set corresponding to the process identifier, and means for controlling access based on the security policy .

The file sharing apparatus of the present invention includes means for assigning a process identifier , which is a different identifier for each user, to the process on the secure OS, means for generating a directory and an identifier for each user, each sharing group, and each permitted permission, A means for assigning the same identifier as a directory to a file under the directory, a means for generating a virtual directory and identifier for public use for each shared group, and a permission unit for each user and permissible permission while holding the virtual directory identifier. means for generating a symbolic link distributed file under the virtual directory, and means for setting the access control information between the process identifier and symbolic links when user access to the security policy, accession based on the security policy And a means to be controlled.

The file sharing apparatus of the present invention generates a plurality of sub-sharing groups that allow a process identifier , which is a different identifier for each user, to be given to a process on the secure OS, and allows only a limited member within the sharing group to access. Means for assigning an identifier to a user unit, a shared group unit, a sub-shared group unit, and an allowed permission unit, and a means for creating a directory in a user unit, a shared group unit, a sub-shared group unit, and an allowed permission unit, Means for assigning an identifier identical to an identifier assigned to a user, a shared group unit, a sub-shared group unit, and an allowed permission unit corresponding to the directory to a file under the directory, and under the virtual directory of the shared group S Means for generating a sub virtual directory and identifiers for sharing group, means for generating under sub virtual directory symbolic link per user and acceptable file dispersed permission units while holding the identifier of the sub virtual directory, Means for setting access control information between a process identifier and a symbolic link at the time of user access in a security policy, and means for controlling access based on the security policy .

  According to the present invention, a file sharing system is constructed on a secure OS capable of OS-level access control, fine-grained OS-level access control is realized, operability is ensured by automatic generation of security policies, and sharing using a virtual directory is performed. It is possible to secure user convenience by concentrating resources.

  Next, embodiments of the present invention will be described with reference to the drawings.

  FIG. 1 shows a configuration example of a secure file sharing system according to an embodiment of the present invention. The user terminal device 11 is connected to the IP network 1 by a broadband access line 2. The user terminal device 12 is connected to the IP network 1 by a broadband access line 3. The user terminal device 13 is connected to the IP network 1 by the broadband access line 4. A secure file sharing apparatus 20 constituted by a secure OS is connected to the IP network 1 by a broadband access line 5. The secure file sharing apparatus 20 includes a shared file unit 21, a security policy 22, and a file share management unit 23. The shared file unit 21 is in the storage device. Yamada of the user terminal device 11 and kimura of the user terminal device 12 are members of the shared group soumu, and nakamura of the user terminal 13 is not a member of the shared group soumu. At this time, due to the access control by the identifier, only the yamada and kimura can access the shared file of the shared group soumu, and the nakamura cannot access.

  FIG. 2 shows a configuration example of the shared file unit 21 in FIG. The home directory 100 includes a virtual directory 200, a user directory 300, and a user directory 400. The virtual directory 200 includes a subdirectory 202, a subvirtual directory 210, and symbolic link groups 201, 203, and 211. The user directory 300 includes a shared group directory 310. The shared group directory 310 includes permission directories 311 and 312 and a sub-shared group directory 350. The permission directories 311 and 312 include subdirectories 315 and 316 and file groups 317, 318, 319, and 320, respectively. The sub-shared group directory 350 includes a permission directory 351 and a file group 352. The user directory 400 includes a shared group directory 410. The shared group directory 410 includes permission directories 411 and 412 and a sub-shared group directory 450. The permission directories 411 and 412 include subdirectories 415 and 416, and file groups 417, 418, 419, and 420, respectively. The sub-shared group directory 450 includes a permission directory 451 and a file group 452.

  FIG. 3 is a flowchart showing the flow of sharing group setting in the file sharing manager 23. First, the user issues a shared group creation instruction with the shared group name and allowable permissions as arguments (step 501). Permitted permission is to specify the type of permission to be given to a shared file. R (read only), ra (read, append), rw (read, write), rx (read, execute), rwx (read) , Writing, and execution) can be selected. Next, it is confirmed whether the shared group name is already used (step 502). If it is used, the acceptance is rejected and the process is terminated (step 506). If it is not used, it is confirmed whether there is a directory with the same name under each of the user directories 300 and 400 (step 503). If there is, the acceptance is rejected and the process is terminated (step 506). If not, a share group creation instruction is accepted, and the group name and allowable permissions are registered in the file share management unit 23 (step 504). Next, the shared file unit 21 is instructed, a virtual directory 200 with a shared group name is created in the home directory 100, and the shared group setting is completed (step 505). Users cannot create directories or files under the virtual directory.

  FIG. 4 is a flowchart showing the flow of adding a user to a share group in the file share manager 23. First, the user gives an instruction to add a user with a shared group name and a user name as arguments (step 601). The user confirms whether the corresponding shared group exists (step 602). (Step 609). If there is, it is confirmed whether or not the additional user is registered in another sharing group (step 603). If there is not, the setting for giving an identifier such as “share_user name” to the process at the time of access is managed as a file share. Set in the unit 23 (step 604). Next, the shared file unit 21 is instructed, the shared group directories 310 and 410 having the shared group name are set in the user directories 300 and 400 (step 605), and the permission directories 311 and 312 having the permitted permissions specified when the group is created in the shared directory. 411, 412 are created, and an identifier such as “user name_shared group name_permission” is assigned (step 606). Users cannot create directories or files under the shared group directory. Of course, it is possible to create under the permission directory. Next, the file sharing unit 21 is set to generate a symbolic link in the virtual directory 200 with the identifier held when a file is generated under the permission directories 311, 312, 411, 412 (step 607). Next, a security policy that allows the process identifier of each shared group member to access the symbolic link of each shared file identifier is automatically generated, set and reflected in the security policy 22, and the process ends (step 608).

  FIG. 5 is a flowchart showing the flow of sub-sharing group setting in the file sharing management unit 23. First, the user issues a sub-shared group creation instruction with the shared group name, sub-shared group name, and allowable permissions as arguments (step 701). Next, it is checked whether the sub-shared group name is already used in the shared group (step 702). If it is used, the acceptance is rejected and the process is terminated (step 706). If it is not used, it is checked whether there is a directory with the same name under each of the shared group directories 310 and 410 (step 703). If there is, the acceptance is rejected and the process is terminated (step 706). If not, a sub-sharing group creation instruction is accepted and the sub-group name and permissible permission are registered in the file sharing management unit 23 (step 704). Next, the shared file unit 21 is instructed, a sub virtual directory 210 having a sub shared group name is created in the virtual directory 200, and the shared group setting is completed (step 705). Users cannot create directories or files under sub-virtual directories.

  FIG. 6 is a flowchart showing a flow of adding a user to the sub-sharing group in the file sharing management unit 23. First, the user gives an instruction to add a user with the shared group name, sub-shared group name, and user name as arguments (step 801), and checks whether the corresponding sub-shared group exists (step 802). Is rejected and the process ends (step 808). If there is, it is confirmed whether the additional user is registered in the higher-level shared group (step 803). If not, the acceptance is rejected and the process ends (step 808). If there is, the shared file unit 21 is instructed, sub-shared group directories 350 and 450 of the sub-shared group name are set in the shared group directories 310 and 410 (step 804), and the sub-shared directory is specified when the sub-group is created. Permission directories 351 and 451 for permitted permissions are created, and an identifier such as “user name_shared group name_sub-shared group name_permission” is assigned (step 805). Users cannot create directories or files under the sub-shared group directory. Of course, it is possible to create under the permission directory. Next, the file sharing unit 21 is set to generate a symbolic link in the sub-virtual directory 210 with the identifier held when a file is generated under the permission directories 351 and 451 (step 806). Next, a security policy that allows the process identifier of each sub-shared group member to access the symbolic link of each shared file identifier is automatically generated, set and reflected in the security policy 22, and the process ends (step 807).

  FIG. 7 is a flowchart showing a flow of creating a subdirectory under the virtual directory 200 in the shared file unit 21. First, the user creates a subdirectory 315 in the permission directory 311 (step 901). Next, the shared file unit 21 includes all the permission directories 312, 411, 412 in the corresponding same shared group or sub-shared group and the corresponding sub-directories 316, 415, 416, 202 in the corresponding virtual directory 200 or sub-virtual directory. Is created (step 902), and an identifier of the upper directory is given. Next, when a file is generated under subdirectories 315, 316, 415, 416, a symbolic link is registered so as to be generated under the subdirectory 202 in the corresponding virtual directory or subvirtual directory with the identifier held. Then, the process ends (step 903).

  Table 2 shows an example of the security policy 22 that is automatically generated.

As shown in FIG. 2, the shared group “soumu” is set with the permitted permissions r and rw, the user group “yamada” and “kimura” are set in the shared group “soumu”, and the sub-shared group “kanri” is set in the shared group “soumu” with the permitted permission r. This is an example of a security policy that is automatically generated when users yamada and kimura are set in the sub-shared group kanri. The secure file sharing apparatus 20 performs access control based on this security policy. The subdirectory keiyaku does not affect the security policy. In addition, due to access control, a user nakamura who is not a member of the shared group cannot access a file of the shared group soumu.

  As an embodiment of the secure file sharing apparatus 20 shown in the present embodiment, there are a form that is implemented as an application and operates as a user mode, and a form that is operated as a built-in kernel mode in the kernel of the secure OS. It is the range assumed as an embodiment.

  The secure file sharing method of the present invention is recorded on a computer-readable recording medium, and a program for realizing the function is recorded on the recording medium, in addition to that realized by dedicated hardware. The program may be read into a computer system and executed. The computer-readable recording medium refers to a recording medium such as a floppy disk, a magneto-optical disk, a CD-ROM, or a storage device such as a hard disk device built in the computer system. Furthermore, a computer-readable recording medium is a server that dynamically holds a program (transmission medium or transmission wave) for a short time, such as when transmitting a program via the Internet, and a server in that case. Some of them hold programs for a certain period of time, such as volatile memory inside computer systems.

It is a block diagram which shows the secure file sharing apparatus of one Embodiment of this invention. It is a block diagram which shows the structure of a shared file part. 10 is a flowchart showing a flow of sharing group setting in the file sharing management unit 23. It is a flowchart which shows the flow of the user addition to the share group in a file share management part. It is a flowchart which shows the flow of the subshare group setting of the share group in a file share management part. It is a flowchart which shows the flow of a user addition to the subshare group in a file share management part. It is a flowchart which shows the flow which creates a subdirectory under the virtual directory in a shared file part. It is a block diagram which shows the conventional file sharing apparatus.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 IP network 2-5 Broadband line 11, 12, 13 User terminal 20 Secure file sharing apparatus 21 Shared file part 22 Security policy 23 File share management part 30 File share apparatus 31 Shared file part 32 Access control list 33 File share management part 100 Home directory 200 Virtual directory 201, 203, 211 Symbolic group 202 Subdirectory 210 Subvirtual directory 300 User directory 310 Shared group directory 311, 312 Permission directory 313, 314 Directory name 316 Subdirectory 317-320, 352 File group 350 Subshared Directory for group 400 User directory 410 Shared group directory 4 1, 412, 451 Permission directory 413, 414 Directory name 415, 416 Sub directory 417-420, 452 File group 450 Sub shared group directory 500 User directory 501-506, 601-609, 701-706, 801-808, 901 ~ 903 steps

Claims (8)

A file sharing method by a file management unit of a secure OS for a file stored in a storage device,
A process identifier including a different identifier for each user is assigned to the subject process,
A resource identifier consisting of identifiers of user units, shared group units, and permitted permission units is assigned to the resource that is the object ,
Generating a security policy including information on the process identifier and the resource identifier set corresponding to the process identifier;
Access control based on the security policy, a secure file sharing method. A file sharing method by a file management unit of a secure OS for a file stored in a storage device,
A process identifier, which is a different identifier for each user, is assigned to a process on the secure OS.
Create directories and identifiers for each user, each shared group, and each allowed permission.
Assign the same identifier as the directory to the files under the directory,
Create a public virtual directory and identifier for each sharing group,
Generate symbolic links of files distributed in user units and permissible permission units while holding the virtual directory identifier under the virtual directory,
Set the access control information between the process identifier and the symbolic link at the time of user access in the security policy,
A secure file sharing method for performing access control based on the security policy. A file sharing method by a file management unit of a secure OS for a file stored in a storage device,
A process identifier, which is a different identifier for each user, is assigned to a process on the secure OS.
It is possible to create multiple sub-sharing groups that are accessible only to more limited members within the sharing group,
Assign identifiers to user units, shared group units, sub-shared group units, and permitted permission units,
Create a directory for each user, shared group, sub-shared group, and allowed permissions,
A file under the directory is assigned the same identifier as that assigned to the user, the shared group unit, the sub-shared group unit, and the permitted permission unit corresponding to the directory,
Create a sub virtual directory and identifier for the sub shared group under the virtual directory of the shared group,
Generate symbolic links of files distributed in user units and permissible permission units while holding the sub virtual directory identifier under the sub virtual directory,
Set access control information between the process identifier and symbolic link during user access in the security policy,
A secure file sharing method for performing access control based on the security policy. The secure file sharing method according to claim 2 ,
The files under the directory of user unit, shared group unit and permissible permission unit are grouped into subdirectories,
Giving the identifier of the directory above the subdirectory to the file in the subdirectory;
Create a subdirectory under the virtual directory,
The same name in the sub-directory under all of the sub-directory and the virtual directory given in the same shared within the group,
A secure file sharing method , wherein a symbolic link of a file under the subdirectory to which the identifier is assigned is generated under a subdirectory under the virtual directory. A file sharing device,
Means for assigning a process identifier including a different identifier for each user to a process that is a subject on the secure OS;
Means for assigning a resource identifier consisting of identifiers of user units, shared group units and permissible permission units to the resource to be an object ;
Means for generating a security policy including information about the process identifier and the resource identifier set corresponding to the process identifier;
Means for controlling access based on the security policy ;
A secure file sharing apparatus. A file sharing device,
Means for assigning a process identifier, which is a different identifier for each user, to the process on the secure OS;
Means for generating directories and identifiers per user, shared group, and permissible permission;
Means for assigning the same identifier as the directory to a file under the directory;
Means for generating a public virtual directory and identifier for each sharing group;
Means for generating, under the virtual directory, a symbolic link of a file distributed in user units and permissible permission units while retaining the virtual directory identifier;
Means for setting access control information between the process identifier and the symbolic link at the time of user access in a security policy;
Means for controlling access based on the security policy;
A secure file sharing apparatus. A file sharing device,
Means for assigning a process identifier, which is a different identifier for each user, to the process on the secure OS;
Means for generating a plurality of sub-sharing groups that are accessible only to more limited members within the sharing group;
Means for assigning identifiers to user units, shared group units, sub-shared group units, and permitted permission units;
Means for creating a directory for each user, for each shared group, for each sub-shared group, and for each permitted permission;
Means for assigning an identifier identical to the identifier assigned to a user, a shared group, a sub-shared group, and a permissible permission unit corresponding to the directory to a file under the directory;
Means for generating a sub-virtual directory and identifier for the sub-shared group under the virtual directory of the shared group;
Means for generating, under the sub virtual directory, a symbolic link of a file distributed in units of users and permissible permissions while holding the sub virtual directory identifier;
Means for setting access control information between a process identifier and a symbolic link at the time of user access in a security policy;
Means for controlling access based on the security policy;
A secure file sharing apparatus. The file sharing apparatus according to claim 6 ,
Means for grouping files under a directory for each user, for each shared group, and for each permitted permission;
Means for assigning the identifier of a directory above the subdirectory to a file in the subdirectory;
Means for generating a subdirectory under the virtual directory;
It means for applying the same name to the sub-directory under all of the subdirectories and the virtual directory in the same sharing group,
Said identifier is assigned, it means for generating a symbolic link file under the subdirectory under a subdirectory under the virtual directory,
A secure file sharing apparatus further comprising :

Images