KR20130079004A - Mobile data loss prevention system and method for providing virtual security environment using file system virtualization on smart phone - Google Patents
- Publication number: KR20130079004A
- Authority: KR (South Korea)
Classifications
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/31—User authentication
- G06F9/451—Execution arrangements for user interfaces
- G06F9/45504—Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
Abstract
Description
The present invention relates to an information protection system, and more particularly, to a mobile information protection system and a method for providing a virtual security environment that can protect important information when a user accesses a company network through a smartphone to perform work.
Recently, smartphones are increasingly used for work at large corporations, securities firms, insurance companies and elsewhere. With the arrival of the so-called Smart Office and Smart Work, each individual can access the company's network anytime and anywhere through a smartphone and work as if in the office.
Specifically, through a business application (app) installed on the smartphone, each individual can download and use the company's confidential information and personal information from the company's server, can receive customer information and upload it to the company's internal server, and can access the company's mail server to read or send business mail.
As such, while smartphones increase the efficiency of work, the probability of leaking the large amount of personal or confidential information stored on them is much higher than when working in-house. In other words, the smartphone is almost defenseless against the leakage of personal and confidential information, and security for smartphones used for work is urgently needed.
However, conventional smartphone security apps only address device loss and virus attacks, and do not provide a means for the safe use, storage, monitoring and control of personal and confidential information associated with the company's business.
The present invention has been made against the technical background described above. Its purpose is to provide a mobile information protection system and a virtual security environment providing method that can provide an encrypted virtual environment for applications running on a smart device in a work mode, in which the smart device accesses the company network to perform work.
Another object of the present invention is to provide a mobile information protection system and a virtual security environment providing method in which, in the work mode, the file processing functions of the Virtual File System (VFS) are intercepted by the BindFS, UnionFS, and CryptoFS libraries, which are based on the kernel layer's File System in Userspace (FUSE), so that file processing is performed in an encrypted virtual area.
According to an aspect of the present invention, there is provided a mobile information protection system comprising: a memory including an encrypted virtual area and a general area; a device manager that causes a running application to operate based on the general area in a general mode, in which the device is not connected to the company network or the user is not authenticated even when connected to the company network, and to operate based on the virtual area in a work mode, in which the device is connected to the company network and the user is authenticated; a file system in userspace (FUSE) that, in the work mode, intercepts file processing of a virtual file system (VFS) and processes it based on the virtual area according to an instruction of the device manager; and a virtualization engine that functions as a bridge for communication between the FUSE operating in the kernel layer and at least one of the application operating in the application layer and the device manager in the work mode.
According to another aspect of the present invention, there is provided a method by which a file system in userspace (FUSE) provides a virtual security environment according to an instruction of a mobile device management (MDM), the method comprising: when a general mode, in which the device is not connected to an internal network or the user is not authenticated even when connected to the internal network, is switched to a work mode because the device is connected to the corporate network and the user is authenticated, changing and setting the execution environment of an application from a general area to an encrypted virtual area; and, in the work mode, in response to a command of the device manager, intercepting, by the FUSE, file processing of a virtual file system (VFS) and performing the file processing based on the virtual area.
According to the present invention, users who want to access the corporate network can be strictly restricted through authentication. When authentication passes, all applications running on the smartphone are terminated and the smartphone simultaneously switches to using the file system of the virtual security environment, so that the virtual security environment can be strictly distinguished from the general environment and the execution of other unnecessary applications can be controlled.
In addition, the present invention can limit network use to work purposes by restricting the IP band in the work mode, and can block or allow media (camera, Bluetooth, etc.) that can potentially leak information, according to policy.
In addition, the present invention can analyze the contents of the files stored in the file systems of the general area and the virtual area to identify and monitor the status of possession of personal and confidential information on the smartphone, and can limit information retention according to policy.
FIG. 1 is a block diagram showing a mobile information protection system of the present invention.
FIG. 2 is a diagram showing the mobile information protection system of the present invention in more detail.
FIG. 3 is an example of providing a virtual security environment when, in the work mode, a user has requested to open a file the user previously read and the requested file is not present in the virtual area.
FIG. 4 is an example of providing a virtual security environment when a write request is made after a file in the general area has been opened read-only.
FIG. 5 is an example of providing a virtual security environment when a file that the user has requested to open in the work mode exists in the virtual area.
FIG. 6 is an example of providing a virtual security environment when a new file is requested to be opened and written in the work mode.
Advantages and features of the present invention, and methods for achieving them, will be apparent with reference to the embodiments described below in detail together with the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art; the invention is defined only by the scope of the claims. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the invention. In the present specification, the singular form includes the plural form unless otherwise specified. As used herein, the terms "comprises" and/or "comprising" do not exclude the presence or addition of one or more other components, steps, or operations.
The present invention intercepts file processing of a virtual file system (VFS) using a file system based on a file system in userspace (FUSE), and, when communicating with an internal network, performs file processing in an encrypted area rather than in the general environment (general area), so that private information (resident numbers, card numbers, account numbers, etc.) or confidential information can be protected. Here, the file system includes ext3, ext4, yaffs2, FAT, etc., which exist on the Android platform of the smartphone.
Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. FIG. 1 is a diagram illustrating a mobile information protection system according to an embodiment of the present invention.
As shown in FIG. 1, the mobile
The
The
The
The
In this case, when the
In addition, the
On the other hand, even if the
The FUSE 300 actually intercepts the file processing of the virtual file system according to the command of the
In this case, the FUSE 300 has been included in the Linux kernel by default since version 2.6.15 and functions as a bridge for file system access control in the kernel layer. FUSE can also be used by modifying the kernel configuration of an operating system and recompiling it. Since FUSE runs at the application layer, it can provide excellent performance in terms of security and stability. FUSE 300 can be used on operating systems such as Linux, Mac OS, Windows, and Solaris.
The FSV
Specifically, since the kernel environment of the operating system in the work mode is run on a virtual machine (User JAVA) that includes the
In summary, in normal mode, the application and
Hereinafter, the command and file input/output flow between the device manager and the file system in the work mode according to an embodiment of the present invention will be described with reference to FIG. 2. FIG. 2 is a diagram illustrating the mobile information protection system according to an embodiment of the present invention in more detail.
As shown in FIG. 2, in the work mode, the
The
The
In the work mode, the
The
If the
In the work mode, the
When processing a file for the
The
When
Meanwhile, in the above-described example, the
For example, when the
On the other hand, the mobile
Hereinafter, a method of providing a virtualization environment of each component of the
FIG. 3 illustrates an example in which the user has requested to open a file previously read by the user in the work mode, but there is no file requested to open in the
When the user requests to open a file through the application, the
The
The
When the
The
Then, the application shows the open file to the user (S360).
FIG. 4 illustrates an example in which a write request is made to a read-only file after the file in the
When the user confirms that the user requests to write the original file of the
The
The
When the
The
The
FIG. 5 illustrates an example in which a file requested by a user to open in the work mode exists in the
When the user requests to open a file through the application, the
The
The
The
The
FIG. 6 illustrates an example in which a new file that is not stored in the
When the user requests to open a new file through the application, the
The
The
The
Then, the application shows the generated new file to the user (S660).
The
The
Meanwhile, in the above-described processes of FIGS. 3 to 6, the
As such, the present invention can strictly limit users who want to access the corporate network through authentication. When authentication passes, it terminates all applications running on the smartphone and simultaneously switches to using the file system of the virtual security environment, so that the virtual security environment can be strictly distinguished from the general environment and the execution of other unnecessary applications can be controlled.
In addition, the present invention can limit network use to work purposes by restricting the IP band in the work mode, and can block or allow media (camera, Bluetooth, etc.) that can potentially leak information, according to policy.
In addition, the present invention can analyze the contents of the files stored in the file systems of the general area and the virtual area to identify and monitor the status of possession of personal and confidential information on the smartphone, and can limit information retention according to policy.
While the present invention has been described in detail with reference to the accompanying drawings, it is to be understood that the invention is not limited to the above-described embodiments. Those skilled in the art will appreciate that various modifications are, of course, possible. Accordingly, the scope of protection of the present invention should not be limited to the above-described embodiments, but should be determined by the following claims.
Claims (11)
A device manager that causes a running application to operate based on the general area in a general mode, in which the device is not connected to the company network or the user is not authenticated even when connected to the company network, and to operate based on the virtual area in a work mode, in which the device is connected to the company network and the user is authenticated;
A file system in userspace (FUSE) that, in the work mode, intercepts file processing of a virtual file system (VFS) and performs the file processing based on the virtual area; and
A virtualization engine that, in the work mode, bridges communication between the FUSE in the kernel layer and at least one of the application and the device manager,
A mobile information protection system comprising the above.
In the work mode, terminating the application if it is not a work application, and restricting execution of applications other than the work application.
In the work mode, the mobile information protection system instructs the FUSE to manage files in the general area as read-only objects, and to manage files in the virtual area as read-write objects through the virtualization engine.
In the work mode, limiting the available Internet Protocol (IP) band to limit the use of the network to business purposes only.
In the work mode, restricting, according to a predetermined policy, the use of applications, or of application functions, that are likely to leak information.
If file content is created or changed in the virtual area, the mobile information protection system encrypts it with a predetermined key and stores it in the virtual area.
The FUSE checks the holding status of personal information and confidential information in the virtual area and the general area,
The device manager reports it to the security server in the company network, thereby supporting the security server's functions of checking the holding status for each user and restricting the retention of the personal information and the confidential information for each user.
When a general mode, in which the device is not connected to the company network or the user is not authenticated even when connected to the company network, is switched to a work mode because the device is connected to the company network and the user is authenticated, changing the application execution environment from the general area to an encrypted virtual area; and
Intercepting file processing of a virtual file system (VFS) in the work mode, and performing the file processing based on the virtual area,
A virtual security environment providing method comprising the above.
If the file processing is opening of a specific file, retrieving the specific file from the virtual area; and
If the specific file is in the virtual area, opening the specific file for reading and writing; and
If editing is requested for the specific file opened, editing the requested content and encrypting the changed content in a file system unit,
The virtual security environment providing method including the above.
If the specific file is not found in the virtual area, searching for the specific file in the general area; and
If the specific file is in the general area, opening the specific file in the general area as read-only,
The virtual security environment providing method further comprising the above.
When the editing request for the specific file opened as read-only is confirmed, copying the specific file of the general area to the virtual area by using a copy-on-write (COW) function to generate the file in the virtual area; and
Reflecting the content requested for editing in the generated file of the virtual area; and
Encrypting the generated file of the virtual area in a file system unit,
The virtual security environment providing method further comprising the above.
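The open and write handling recited in the claims above (the four cases of FIGS. 3 to 6) is modelled below as an added example; it is not code from the patent. `WorkModeOverlay`, `demo`, the file names and the key are hypothetical, the model works on plain directories rather than a FUSE mount, and the SHAKE-256 keystream is a placeholder for whatever cipher the virtual area would actually use.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


class WorkModeOverlay:
    """Added model: read-only general area, sealed copies in the virtual area."""

    def __init__(self, general: Path, virtual: Path, key: bytes):
        self.general, self.virtual = general.resolve(), virtual.resolve()
        self.enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _path(self, area: Path, name: str) -> Path:
        p = (area / name).resolve()
        if area not in p.parents:  # rejects "../x" and absolute names
            raise PermissionError(f"path escapes area: {name}")
        return p

    def _xor(self, nonce: bytes, data: bytes) -> bytes:
        # Placeholder SHAKE-256 keystream, not a vetted cipher; use a real AEAD.
        pad = hashlib.shake_256(self.enc_key + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, pad))

    def _tag(self, nonce: bytes, ct: bytes) -> bytes:
        return hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()

    def _seal(self, plain: bytes) -> bytes:
        nonce = os.urandom(16)
        ct = self._xor(nonce, plain)
        return nonce + self._tag(nonce, ct) + ct

    def _unseal(self, blob: bytes) -> bytes:
        nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
        if not hmac.compare_digest(tag, self._tag(nonce, ct)):
            raise ValueError("virtual-area file failed integrity check")
        return self._xor(nonce, ct)

    def open(self, name: str):
        """Return (plaintext, mode): virtual area first, then general area."""
        v, g = self._path(self.virtual, name), self._path(self.general, name)
        if v.is_file():
            return self._unseal(v.read_bytes()), "rw"  # FIG. 5 case
        if g.is_file():
            return g.read_bytes(), "ro"  # FIG. 3 case
        raise FileNotFoundError(name)

    def write(self, name: str, data: bytes, offset: int = 0) -> None:
        """Apply an edit; the result is always stored sealed in the virtual area."""
        try:
            current, _ = self.open(name)  # FIG. 4: copy-on-write source
        except FileNotFoundError:
            current = b""  # FIG. 6: new file
        buf = bytearray(current.ljust(offset, b"\0"))
        buf[offset:offset + len(data)] = data
        self._path(self.virtual, name).write_bytes(self._seal(bytes(buf)))


def demo() -> dict:
    """Run the four cases on constructed sample data in temp directories."""
    with tempfile.TemporaryDirectory() as g, tempfile.TemporaryDirectory() as v:
        general, virtual = Path(g), Path(v)
        original = b"name=Kim;card=0000-0000-0000-0000"  # constructed sample
        (general / "customer.txt").write_bytes(original)
        fs = WorkModeOverlay(general, virtual, key=b"constructed-demo-key")
        result = {"first_mode": fs.open("customer.txt")[1]}
        fs.write("customer.txt", b"Lee", offset=5)
        fs.write("memo.txt", b"new work file")
        result["after_edit"] = fs.open("customer.txt")
        result["new_file"] = fs.open("memo.txt")
        result["general_unchanged"] = (general / "customer.txt").read_bytes() == original
        result["plaintext_on_disk"] = b"card=" in (virtual / "customer.txt").read_bytes()
        try:
            fs.open("../outside.txt")
        except PermissionError:
            result["traversal_blocked"] = True
        return result
```

Calling `demo()` returns the observed mode and content for each case; the general-area original stays byte-identical after the edit, and only the sealed copy in the virtual area changes.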
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020120000231A KR20130079004A (en) | 2012-01-02 | 2012-01-02 | Mobile data loss prevention system and method for providing virtual security environment using file system virtualization on smart phone |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20130079004A true KR20130079004A (en) | 2013-07-10 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
A201 | Request for examination | ||
E902 | Notification of reason for refusal | ||
E601 | Decision to refuse application |