KR101040765B1 - System for tracing process and file using extended security level - Google Patents

Abstract

The present invention is a process and file tracking system and process and file tracking method using an extended security label, intercepting a system call of a process in the middle, leaving a log record for the traced object and allowing its use. The process and file tracking system according to the present invention comprises: means for intercepting kernel calls of system files that a process executes for file input and output; Means for querying security label information of each process (subject) and file (object) involved in the kernel call; Means for examining whether the extended security label is set for tracking; Means for recording a history of operations of corresponding processes and files when tracing is set up; Means for comparing a security level set in a security label of each process and file; And means for granting the file input / output permission only to permit the kernel call when the comparison result of the security level is identical.

Description

Process and file tracing using extended security labels {System for tracing process and file using extended security level}

In the present invention, when a process generates file I / O in the Windows operating system, the tracking system compares the security label protection level of the process and the file to determine whether to permit the operation. The system uses extended security labels that set specific values for each security label in order to set processes and files for tracking. The job history of processes and files with specific values set in the extended security label is traced and leaves a job log.

Existing security products have limitations due to the nature of granular access control and logging of usage information for internal users. In this situation, secure and reliable computer systems, or security operating systems, are firmly established as next-generation security solutions. Since 1985, the United States recommends to introduce and operate a system that meets the characteristics of each institution by classifying the Trusted Computer System Evaluation Criteria into seven grades to disseminate computer systems that have proven security and reliability to the Department of Defense and government agencies. Doing.

TCSEC defines basic computer security requirements such as security policy, accountability, assurance and ongoing protection. In other words, the requirements provided by the secure computer system are divided into security policies, accountability such as identification and audit trail to support the security policy, and assurance and document parts to define the requirements for each class. The security operating system enforces mandatory access control by assigning security labels to subjects and objects and applying multi-level security policies.

Recently, researches on various kinds of system objects such as processes, threads, messages, waitable objects, keystrokes, file systems, disks, and networks have been conducted to track illegal activities of users. These tracking systems allow users to track their systems while protecting the confidentiality of their data. As the necessity of such a system increases, the variety of security logs rapidly increases. This necessitates the need for computer security log management, including the creation, transmission, storage, analysis and processing of computer security logs. Logs have been used to solve problems, but recently they are used as useful data to optimize the efficiency of a system or network, to record user behavior, or to investigate malicious behavior. Periodic log reviews and analysis can help identify and resolve security incidents, policy violations, fraudulent behavior and operational issues immediately after they occur. Logs can also be very useful in conducting audits or forensic analysis by supporting the organization's internal investigations, establishing the foundation, and identifying operational flows and long-term problems.

SUMMARY OF THE INVENTION The present invention has been made in view of the foregoing, and is a mandatory access control policy of multi-level security in which a modified BLP (Bell & LaPadula) model is applied to the Windows kernel to efficiently control access to resources in a Windows operating system. The purpose is to propose.

It also aims to extend the security label to set up the protection target, and to track and record the operation history of a specific file of the process to be protected.

The process and file tracking system using the extended security label according to the present invention for achieving the object as described above, controls the usage rights of the file resources of the process in the Windows operating system, and using the extended security label of the tracking target CLAIMS 1. A process and file tracking system for generating a log of the history of processes and files, comprising: means for intercepting kernel calls of system files that processes execute for file input and output; Means for querying security label information of each process (subject) and file (object) involved in the kernel call; Means for investigating whether the extension security label has been set as a tracking target; Means for recording a history of operations of corresponding processes and files when tracing is set up; Means for comparing a security level set in a security label of each process and file; And means for granting the kernel call by granting a file input / output permission only when the comparison result of the security level is matched, wherein the security label information includes a security level and a protection category based on a multi-level security policy. In addition, it is characterized by being defined as a structure that further includes a tracking security label is set whether or not to be tracked.

delete

Preferably, the log may include a fact of occurrence of a file input / output operation request before a kernel call of a system file, a comparison result of a security level, and a history of completion of the operation after a kernel call.

Further, the log may further include details of a user ID, a user IP address, a program name, a process name, a folder name, a file name, and a file I / O type.

Furthermore, the tracking system further includes means for providing a list of execution subjects (processes) and execution objects (files and folders), and for setting the tracking targets to corresponding extended security labels when the tracking target is selected by the user. Characterized in that.

On the other hand, the process and file tracking method using the extended security label according to the present invention, the Windows operating system controls the access rights to the file resources of the process, using the extended security label to track the operation history of the process and the file to be tracked A method for tracing a filter driver for generating a log, the method comprising: intercepting a kernel call of a system file executed by a process for file input / output; Querying security label information of each of a process (subject) and a file (object) related to the kernel call; (S14) means for investigating whether the extended security label has been set as a tracking target; (S15) means for recording the work history of the corresponding process and file in a log when tracking is set; (S16) comparing the security level set in each security label of the process and the file; And (S17) granting the kernel call by granting a file input / output permission only when the comparison result of the security level is matched, wherein the security label information includes a security level and a protection category based on a multi-level security policy. It is characterized in that it is further defined as a structure that further includes a tracking security label is set whether or not to be tracked.

According to the present invention, when a file I / O event occurs in the Windows operating system, the job history is recorded as log data using the extended security label of the execution subject and the execution object, and the permission of the operation is determined according to the access authority of the subject object. Maintain security of your files and computer system.

<1. Technology concept model>

1-5 illustrate a conceptual model of the present invention.

1 illustrates a technology implementation layer in accordance with the present invention.

The present invention is directed to a computer system on which the Windows operating system is installed. The computer system includes an application layer in which an application is installed, a service program layer provided by an operating system, an operating system layer in which an operating system is installed, various device programs for the operating system to use hardware resources, an operating system kernel layer in which system kernel functions exist, and a computer. It consists of hardware layers that correspond to the physical components of the system.

A user and a program correspond to an execution subject and are loaded into memory in the form of a process, and perform various controls, commands, and operations on hardware resources, which are execution objects. In this process, the process is controlled by the operating system, and the actual processing of the execution hardware resources is performed at the operating system kernel layer. To be precise, a process calls a kernel function in a Windows system, which performs the actual physical processing on hardware resources. Kernel functions are functions embedded in device programs of hardware that exist in the operating system kernel layer.

Here, the kernel system call (kernel function call) information of a process includes information about what subject (user, program, process, thread, etc.) is used to create a file operation (create, read, write, It contains information about whether or not to request delete.

Accordingly, the process and file tracking system and file tracking method of the present invention provide a filter driver which is a kind of kernel driver (device program) in order to analyze the aforementioned system call information. The filter driver intercepts requests for all file I / O events that occur on the recording media resources of a computer system, such as a disk, and then compares a) the log data of the job history and b) the operation rights. If allowed, the intercepted system call is forwarded to the corresponding device program in the operating system kernel layer.

2 illustrates the concept of a multi-grade security model used in the present invention.

In the present invention, the multi-level security applied to the file system is used. Multi-level security gives security levels and protection categories for subjects (files, directories, registries, etc.) and objects (files, directories, registries, etc.) and subjects of file I / O. It is a way of controlling access by comparing the security level of the object with the security level. The security level (O, n, 2, 1) refers to the parentage relationship, and the protection categories (A, B, and C) represent the inclusion relationship.

Multi-level security policy is a form of BLP (Bell & LaPadula) model that decides the relation between multi-level security scope of subject and multi-class security scope of object and then decides object access according to multi-class security of subject. The BLP model is a standardized security policy model that describes access control rules. It defines rule compliance rules for system security and the scope of access to subjects. One methodology for protecting confidential information stored in a computer is multi-level security, and the first mathematical model researched and developed for this is a BLP model.

Accordingly, the present invention provides a GUI (Graphic User Interface) that interacts with the filter driver to set and store the security level and the protection category for the subject and the object from the user (security officer). And when the subject wants to use the object, the filter driver performs the above-mentioned a) log data generation and b) task permission determination that the subject executes on the object.

Meanwhile, the present invention proposes a deformation model of the existing BLP model. In the existing BLP model, write operations are allowed even if the subject's security level is lower than that of the object. However, the possibility of writing to a higher class object by a lower class subject is a security problem, so it has been modified to restrict the write operation. That is, the above-described filter driver only permits reading and writing when the subject and the object have the same grade, and when the subject's security level is higher than the object, only the lower grade object is allowed to be read. File access is denied.

3 shows a data structure of a process information structure stored by the Windows operating system used in the present invention.

The process information structure is an EPROCESS structure that is loaded into kernel memory and contains information about the process. Here, "UniqueProcessId" is a process identifier, which is useful information for distinguishing a specific process from other processes in Windows.

Execution subject of the present invention refers to a running program, such as a process and a thread, and operates to process a user's request. The Windows system functions PsSetCreateProcessNotifyRoutine and PsSetCreateThreadNotifyRoutine are used to detect the creation and destruction of processes and threads in the Windows environment. This function extracts the principal's main information when processes and threads are created or destroyed. In the case of a process, the process identifier, process name, parent process identifier, parent process name, etc. are used as useful information in the tracking system. Here is the prototype of the above two functions:

NTSTATUS PsSetCreateProcessNotifyRoutine (IN PCREATE_PROCESS_NOTIFY_ROUTINE NotifyRoutine, IN BOOLEAN Remove);

NTSTATUS PsSetCreateThreadNotifyRoutine (IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine);

4 illustrates source code of a user function for obtaining process and thread information provided by the present invention.

The present invention collects process and thread information using the Windows system functions and system structures described above.

The filter driver of the present invention uses the ZwQuerySystemInformation Windows system function to get a list of existing processes and threads during startup. 4 shows source code for acquiring information on processes and threads running in a system using a ZwQuerySystemInformation function. Here is the prototype of this function:

unsigned long ZwQuerySystemInformation (IN ULONG tag, OUT VOID * buffer, IN ULONG bufferSize, OUT ULONG * returnedSize);

In the above function, "tag" of the parameter indicates what information is returned. Passing '5' to the tag variable extracts the process and thread information. The result of the function call is stored in the "buffer" variable, such as the SYSTEM_PROCESS_INFORMATION structure.

5 shows a data structure of a security label information structure according to the present invention.

The filter driver of the present invention defines security label information for an execution subject and an object, respectively.

The extended security label for a subject is described as follows. The filter driver collects process information and stores it in the process's security label information structure. The subject's security label information for mandatory access control must be securely registered by the user (security administrator) and maintained uniformly within the security kernel. 5 shows a process information structure configured inside a secure kernel to assign a security label to a process.

In the security label information, the "Clearance" and "Category" variables are declared to set the security level and the protection category of the process, respectively, and the "Trace" variable is the subject tracking security label declared to track the behavior of a specific process. In the present invention, the subject tracking security label is an extension of an existing security label. That is, the security manager is provided with a GUI that interacts with the filter driver, sets security level and protection category for users, programs, files, folders, and the like, and sets whether or not to be tracked in the security label information structure. Therefore, all working behavior of processes with the TRACE variable set to 'TRUE' are tracked and logged by the filter driver running in the kernel mode of the tracking system.

Meanwhile, security label information of an object is described as follows.

Objects created by the subject should be given appropriate security level and protection category according to the confidentiality of the information contained in the object. To do this, it is necessary to store a security label that can store and secure the security label information for each object. The security label for an object identifies each subject's security level and protection category when the process with the security level creates a new object and stores it in the extended file attribute structure in NTFS. In addition to the contents, objects in the NTFS file format have various meta-information such as access rights, creation time, date last modified, and so on. The extended file attribute is used to give meta information to a file arbitrarily in addition to basic metadata supported by an operating system.

In the present invention, the object tracking security label "Trace" is used in addition to the security label of the typical security level and the protection category of the multi-level security in order to collect data such as access to and tampering with an object such as a specific file, directory, or registry. Added. The object tracking security label in the present invention extends an existing security label together with the subject tracking security label described above. In other words, all the history of files and directories with the Trace variable set to 'TRUE' are traced and logged by the filter driver running in the kernel mode of the trace system.

As mentioned above, subject tracking security labels and object tracking security labels are key functions of the security model provided by the present invention. It is a preprocessing routine to filter the data before sending it to the file system, and a post processing routine to filter the time when the IRP (Io Request Packet) result processed by the file system is returned to the application. Process separately. When an application creates an IRP for accessing a specific object, it checks the security label of the subject and object in the preprocessing process, checks whether it is a process and file to be tracked, and logs the processing history.

According to the multi-level security mandatory access control rules implemented based on the modified BLP model, even if a process has acquired all the rights to a particular file, if the process's subject tracking security label is set to TRUE, the process history of that process. Are all traced and logged. In addition, all traces of the objects for which the object tracking security label is set are implemented. By logging the details of all actions that unauthorized users have accessed and worked with files illegally, they can be used as the basis for future digital forensics.

Hereinafter, with reference to the accompanying drawings looks at in detail the configuration of a preferred embodiment of the present invention.

<2. System configuration>

6 shows a schematic internal configuration of a process and file tracking system 1 according to an embodiment of the invention.

The tracking system 1 according to an embodiment of the present invention includes a kernel call hooking means 12 for intercepting a kernel call of a system file generated at the time of file input / output of a process, a process (subject) and a file (analyzed from the intercepted kernel call). Object) security label inquiry means (13) for inquiring each security label information; tracking object determination means (14) for investigating whether the subject or object is set for tracking in the inquired extended security label; File generation input and output only when the log generation means 15 for recording the operation history of the process or file, the security level comparison means 16 for comparing the security level set in the security label of each process and file, and the comparison result match. And means 17 for granting authority to allow kernel calls of system files.

Preferably, the tracking system 1 provides a user (security manager) with a list of execution subjects (processes) and execution objects (files and folders), and sets security levels and protection categories for the subjects and objects. Here, it is further configured to further include a tracking target setting means 11 for selecting whether or not to be a tracking target for generating a log during the file processing operation, and setting the tracking target in the extended security label corresponding to the selected subject or object.

The file tracking system 1 according to an exemplary embodiment of the present invention may be implemented as a computer system in which the above-described components 11 to 17 are programmed with a filter driver and a Windows operating system is mounted.

Detailed functions and operations of the individual components constituting the process and file tracking system 1 using the extended security label will be described through the process and file tracking method described below.

<3. Method composition>

7 illustrates a schematic sequence of a process and file tracking method according to an embodiment of the present invention.

Process and file tracking system and process and file tracking method using the extended security label according to an embodiment of the present invention can be preferably realized through the construction of the system (1) described above.

The tracking target setting means 11 of the tracking system 1 provides a screen interface to a user (security manager) to set whether or not to track the subject (process, thread, etc.) and objects (file, directory, registry, etc.). Received and stored (S11). Here, it is of course possible for the user to set the security level and the protection range for the subject and the object through the screen. The setting information of the user is stored in the extended security table structure of FIG. 5 defined in the present invention.

Then, in a Windows operating system environment, when a file I / O event occurs, the kernel call hooking means 12 intercepts a kernel call of a system file related to the file I / O event in the middle (S12). This process is declared to detect the creation and destruction of the subject in advance by using the system function described above, and the information of the detected process is inquired (see FIG. 4) and stored in the extended security table of FIG. 5.

If the function call is intercepted, the security label inquiry means 13 extracts the information of each of the corresponding process (subject) and file (object) from the intercepted information and then inquires the corresponding extended security label (S13).

The tracking target determination means 14 determines whether the "Trace" variable value is a "TRUE" value in the structure of the inquired extended security label (S14). Trace is a trace security label indicating whether to be traced provided by the present invention.

When the subject or the object is set as the tracking target, the log generating means 15 records and stores the job processing details on the process and the file as a log (S15).

Preferably, the log records the fact that a file input / output operation request has occurred, a result of comparing security levels, and the like, before intercepting a kernel call of a system file and passing it to a corresponding device program, and writing a kernel call to a device program (device drive). Record all the details of work completion after delivery. Here, the log data includes details such as a user ID, a user IP address, a program name, a process name, a folder name, a file name, a file I / O type (create, read, write, delete, etc.), a processing date and time.

On the other hand, the security level comparison means 16 compares the security level set in the extended security label for each process and file (S16). This means that the process compares the permission to work on the file.

Only when the comparison result of the security level is matched, the kernel call permission means 17 grants file input / output permission and transfers the intercepted kernel call to the system driver (S17). The system driver then receives the call to the built-in function and performs the actual processing (file I / O) on the hardware (disk).

For reference, in the present invention, the filter driver permits reading and writing only when the subject and the object have the same grade, and when the subject's security level is higher than the object, only the reading of the lower grade object is allowed and the grade is lower than the object. Does not allow any file access.

As described above, embodiments of a process and file tracking system and process and file tracking method using the extended security label in accordance with the present invention are constructed. While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments. It goes without saying that various modifications and variations are possible within the scope of equivalence of the scope.

The following drawings, which are attached to this specification, illustrate preferred embodiments of the present invention, and together with the detailed description of the present invention serve to further understand the technical spirit of the present invention. It should not be construed as limited to.

1 illustrates an implementation layer of a process and file tracking system in accordance with the present invention.

2 is a conceptual diagram of a multi-grade security model used in the present invention.

3 is a data structure diagram of a process information structure stored by the Windows operating system used in the present invention.

4 is a source code example for obtaining process and thread information in the present invention.

5 is a data structure diagram of a security label information structure according to the present invention;

6 is a schematic internal configuration diagram of a process and file tracking system according to an embodiment of the present invention.

7 is a schematic flowchart of a process and file tracking method according to an embodiment of the present invention.

Claims (10)

In the process and file tracking system that controls the access rights of the process's file resources in the Windows operating system, and using the extended security label to log the history of the process and the file to be tracked, Means for intercepting kernel calls of system files that a process executes for file input and output; Means for querying security label information of each process (subject) and file (object) involved in the kernel call; Means for investigating whether the extension security label has been set as a tracking target; Means for recording a history of operations of corresponding processes and files when tracing is set up; Means for comparing a security level set in a security label of each process and file; And Means for granting the file input / output permission only when the comparison result of the security level is matched to permit the kernel call, The security label information, A process and file tracking system, comprising a security level and protection category based on a multi-level security policy, further defined by a structure further comprising a trace security label for which a trace target is set. delete The method of claim 1, The log is, A process and file tracking system comprising the fact that a file input / output operation request occurred prior to a kernel call of a system file, a result of comparing security levels, and a history of completion of the operation after a kernel call. The method of claim 3, The log is, Process and file tracking system further comprises a description of the user ID, user IP address, program name, process name, folder name, file name, file I / O type. The method according to any one of claims 1, 3 and 4, Providing a list of execution subjects (processes) and execution objects (files and folders), and if the user selects a trace target, sets the trace target to a corresponding extended security label. Tracking system. In the filter driver tracking method of controlling the access rights of the process's file resources in the Windows operating system, and using the extended security label to log the operation history of the process and the file to be tracked, (S12) intercepting a kernel call of a system file executed by the process for file input / output; Querying security label information of each of a process (subject) and a file (object) related to the kernel call; (S14) means for investigating whether the extended security label has been set as a tracking target; (S15) means for recording the work history of the corresponding process and file in a log when tracking is set; (S16) comparing the security level set in each security label of the process and the file; And (S17) granting the file I / O permission only when the comparison result of the security level is matched, and permitting the kernel call, The security label information, A process and file tracking method, comprising a security level and a protection category based on a multi-level security policy, further defined by a structure further comprising a tracking security label for which a tracking target is set. delete The method of claim 6, The log is, A process and file tracking method comprising the fact that a file input / output operation request occurred before a kernel call of a system file, a comparison result of a security level, and a history of completion of the operation after a kernel call. The method of claim 8, The log is, Process of the user ID, user IP address, program name, process name, folder name, file name, file I / O type further comprising the process. The method according to any one of claims 6, 8 and 9, (S11) providing a list of execution subjects (processes) and execution objects (files and folders), and if a target to be tracked is selected by the user, setting the target to be tracked in a corresponding extended security label. How to track processes and files.

Images