KR20130079004A - Mobile data loss prevention system and method for providing virtual security environment using file system virtualization on smart phone - Google Patents

Mobile data loss prevention system and method for providing virtual security environment using file system virtualization on smart phone Download PDF

Info

Publication number
KR20130079004A
KR20130079004A KR1020120000231A KR20120000231A KR20130079004A KR 20130079004 A KR20130079004 A KR 20130079004A KR 1020120000231 A KR1020120000231 A KR 1020120000231A KR 20120000231 A KR20120000231 A KR 20120000231A KR 20130079004 A KR20130079004 A KR 20130079004A
Authority
KR
South Korea
Prior art keywords
file
virtual
area
general
virtual area
Prior art date
Application number
KR1020120000231A
Other languages
Korean (ko)
Inventor
류승태
백승태
김태완
Original Assignee
(주)소만사
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by (주)소만사 filed Critical (주)소만사
Priority to KR1020120000231A priority Critical patent/KR20130079004A/en
Publication of KR20130079004A publication Critical patent/KR20130079004A/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00Digital computing or data processing equipment or methods, specially adapted for specific functions
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/451Execution arrangements for user interfaces
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45504Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Human Computer Interaction (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)
  • Telephone Function (AREA)

Abstract

PURPOSE: A mobile information security system using file system virtualization in a smart phone and a method for providing virtual security environment are provided to classify business environment and general environment strictly, by restricting users to access intranet through authentication, and terminating all applications operating in the smart phone in case of authentication pass, and converting to use a file system of virtual security environment. CONSTITUTION: A memory (400) includes encrypted virtual region (410) and general region (420). A device management part (100) operates an application based on the general region, which is not connected to the intranet or is operating in the general mode without user authentication even though it is connected to the intranet. The device management part operates the application on the basis of the virtual region in the user-authenticated business mode by being connected to the intranet. A file system in user space (FUSE) (300) snatches file processing of a virtual file system (VFS) according to the instruction of the device management part in the business mode, and performs file processing on the basis of the virtual region. [Reference numerals] (100) Device management part; (200) FSV engine; (410) Virtual region; (420) General region

Description

Mobile Data Loss Prevention System and Method for Providing Virtual Security Environment using File System Virtualization on Smart Phone}

The present invention relates to an information protection system, and more particularly, to a mobile information protection system and a method for providing a virtual security environment that can protect important information when accessing a company network through a smart phone when viewing a task.

Recently, there have been increasing cases of using smartphones for work, including large corporations, securities firms, and insurance companies. The so-called Smart Office and Smart Work are launched, and each individual can access the company's network anytime and anywhere through the smartphone and view work as in the company.

Specifically, each individual can download and use the company's confidential information and personal information from the company's server through a business application (App) installed on the smartphone, can receive customer information and upload to the company's internal server, to the company's mail server You can access your business mail or send your business mail.

As such, while smartphones increase the efficiency of work, the probability of leaking a large amount of personal or confidential information stored therein is much higher than when working in-house. In other words, the smartphone is almost defenseless against the leakage of personal information and confidential information, security of the smartphone used for work is urgently needed.

However, the conventional smartphone security app is only a technology for the loss and virus attack, did not provide a means of safe use, storage, monitoring and control of personal information, confidential information associated with the company's business.

The present invention has been made in the technical background as described above, mobile information protection that can provide an encrypted virtual environment for the application running on the smart device in the work mode of accessing the company network using a smart device to view the work Its purpose is to provide a system and a virtual security environment providing method.

The present invention intercepts a file processing function of a Virtual File System (VFS) by BindFS, UnionFS, and CryptoFS libraries based on the Kernel layer's File System in Userspace (FUSE) in a work mode, and performs file processing. Another object of the present invention is to provide a mobile information protection system and a virtual security environment providing method that can be performed in an encrypted virtual area.

According to an aspect of the present invention, there is provided a mobile information protection system comprising: a memory including an encrypted virtual area and a general area; In a general mode that is not connected to the company network or is not authenticated by the user even when connected to the company network, the running application operates based on the general area, and is connected to the company network and the user is authenticated. A device manager to operate based on the virtual area; In the work mode, a file system in userspace (FUSE) intercepts file processing of a virtual file system (VFS) and processes the file processing based on the virtual area according to an instruction of the device manager; And a virtualization engine functioning as a bridge in communication between at least one of the application operating in the application layer and the device manager in the work mode and the FUSE operating in the kernel layer.

According to another aspect of the present invention, a method for providing a virtual security environment of a file system in user space (FUSE) according to an instruction of a mobile device management (MDM) is not connected to an internal network or is not authenticated by a user even when connected to the internal network. In a mode, when the user is connected to the corporate network and the user is authenticated and switched to a business mode, changing and setting an execution environment of an application from a general area to an encrypted virtual area; And in the work mode, in response to a command of the device manager, the FUSE intercepts file processing of a virtual file system (VFS) and performs the file processing based on the virtual area.

According to the present invention, a user who wants to access the corporate network can be strictly restricted through authentication, and when the authentication passes, all applications running on the smartphone are terminated and at the same time, the user switches to using the file system of the virtual security environment. Can be strictly distinguished from the general environment, and can control the execution of other unnecessary applications.

In addition, the present invention can limit the use of the network other than the work by limiting the IP band in the work mode, it is possible to block or allow the medium (Camera, Bluetooth, etc.) that can potentially leak information according to the policy.

In addition, the present invention can analyze the contents of the files stored in the file system of the general area and the virtual area to identify and monitor the status of possession of personal and confidential information in the smartphone, and limit information retention according to policy. have.

1 is a block diagram showing a mobile information protection system of the present invention.
2 is a diagram more specifically showing a mobile information protection system of the present invention.
3 is an example of providing a virtual security environment when a user has requested to open a file previously read by a user in a work mode, and the requested file is not present in the virtual area.
4 is an example of providing a virtual security environment when a write request is made after a file in a general area is opened read-only.
5 is an example of providing a virtual security environment when a file requested by a user to open in a work mode exists in a virtual area.
6 is an example of providing a virtual security environment when a new file is requested to be opened and written in the work mode.

Advantages and features of the present invention and methods for achieving them will be apparent with reference to the embodiments described below in detail with the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Is provided to fully convey the scope of the invention to those skilled in the art, and the invention is only defined by the scope of the claims. It is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. In the present specification, the singular form includes plural forms unless otherwise specified in the specification. As used herein, the terms " comprises, " and / or "comprising" refer to the presence or absence of one or more other components, steps, operations, and / Or additions.

The present invention intercepts file processing of a virtual file system (VFS) using a file system based on a file system in userspace (FUSE), and encrypts a file, not a general environment (common area) when communicating with an internal network. Private information (resident numbers, card numbers, account numbers, etc.) or confidential information can be protected. Here, the file system includes exet3, ext4, yaffs2, FAT, etc. existing in the Android platform of the smartphone.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. 1 is a diagram illustrating a mobile information protection system according to an embodiment of the present invention.

As shown in FIG. 1, the mobile information protection system 10 according to an embodiment of the present invention uses a memory 400, a device manager 100, a file system virtualization (FSV) engine 200, and a FUSE 300. Include. In this case, the mobile information protection system 10 may be provided in a portable information terminal such as a smart phone and a smart pad.

The memory 400 includes a virtual area 410 and a general area 420, which are spaces of the memory that are separated from each other.

The virtual area 410 accesses the corporate network through the business application, encrypted with a predetermined key, to provide an execution environment of the application upon successful user authentication (in business mode). At this time, the work application may be an application that provides a work environment that seems to work in a company that can download the desired information from the in-house network or upload the inputted information to the in-house network through authentication after accessing the in-house network.

The general area 420 provides an execution environment of applications in the general mode, in which the user cannot communicate with the company network because the user authentication fails because the user cannot access the company network or the company network.

The device manager 100 checks whether the user authentication is successful (ie, work mode) by accessing the internal network through the work application (Log-in), and in the work mode, each application executes the virtual area 410. To operate.

In this case, when the device manager 100 is switched from the normal mode to the work mode, the device manager 100 terminates all running applications except the work application and uses the file system of the virtual area 410 to strictly distinguish the work environment from the general environment. For example, you can control the execution of unnecessary applications in work mode.

In addition, the device manager 100 may limit the use of the network outside the work by limiting the IP (Internet Protocol) band available in the work mode, and may be a medium (Camera, Bluetooth, etc.) or the like that may leak information in accordance with the policy , Function, etc. can be blocked or allowed.

On the other hand, even if the device manager 100 fails to authenticate the user even when accessing the corporate network through a business application, or is logged out from the corporate network, and is switched from the business mode to the normal mode, each application is a general area. 420 is used as the execution environment.

The FUSE 300 actually intercepts the file processing of the virtual file system according to the command of the device manager 100 so that the file processing is performed based on the virtual area 410, and includes RedirFS, UnionFS, and CryptoFS.

In this case, the FUSE 300 is basically loaded from Linux kernel 2.6.15 and functions as a bridge of file system access control of the kernel layer. FUSE can be used by recompiling an operating system after modifying the kernel configuration of the operating system. Since FUSE is performed at the application layer, it can provide excellent performance in terms of security and stability. FUSE 300 can be used in operating systems such as Linux, Mac OS, Windows, and Solaris.

The FSV engine 200 functions as a bridge in communication between the application and device manager 100 operating in the application layer in the work mode and the FUSE 300 in the kernel layer. In this case, the FSV engine 200 may be driven as a daemon in the form of a pure C service, which is written in a pure C language.

Specifically, since the kernel environment of the operating system in the work mode is run on a virtual machine (User JAVA) that includes the device management unit 100, that is, the application can directly access the kernel environment with permission restrictions It requires a bridge called the FSV engine 200 that connects the application layer and the kernel layer.

In summary, in normal mode, the application and device manager 100 instructs the virtual file system (VFS) to process the file, accesses the file system by the virtual file system, and processes the file based on the general area 420. Can be. However, since the general area 420 is not an area that is encrypted and protected and is commonly used by a plurality of applications, there is a risk of information leakage. In order to prevent this, in the present invention, the application and device manager 100 intercepts the file processing of the virtual file system through the FUSE 300 and processes the file based on the encrypted virtual area 410. The risk of spillage can be lowered.

Hereinafter, a command and file input / output flow between a device manager and a file system in a work mode according to an embodiment of the present invention will be described with reference to FIG. 2. 2 is a diagram illustrating in more detail a mobile information protection system according to an embodiment of the present invention.

As shown in FIG. 2, in the work mode, the device manager 100 transmits a control command to the FSV engine 200 through the FSV Java API, and the FSV engine 200 transmits the received control command to the rFS API or CryptoFS. It delivers to RedirFS 310, UnionFS (File System Unionization) 320, and CryptoFS 330 in FUSE 300 through the API. Similarly, the status report is made from the FUSE 300 to the device manager 100 through the reverse process.

The FUSE 300 opens the RedirFS 310 and the general area 420 read-only, which sets up an access path to at least one of the general area 420 and the virtual area 410, and reads the virtual area 410. Open for writable editing, UnionFS 320 for editing files in virtual area 410 and CryptoFS 330 for identifying files in virtual area 410 and encrypting changes.

The device manager 100 is a mobile device management (MDM), which operates in an application layer and manages an application including a work application installed in a mobile.

In the work mode, the device manager 100 transmits a control command such as an open command, a read command, or a write command to a file selected by the user to the FSV engine 200 through the FSV Java API.

The FSV engine 200 transmits a control command to the RedirFS 310 through the RedirFS API in the work mode to perform a file access function of the virtual file system using system hooking by the RedirFS 310. It intercepts the file processing to be executed based on the virtual area 410, and reports the processing result from the UnionFS 320. Hereinafter, the RedirFS 310, UnionFS 320, and CryptoFS 330 of the FUSE 300 will be described.

If the RedirFS 310 confirms that the work mode, the path of the file processing in the work mode to the virtual area 410, and confirms that the processing of the file failed in the virtual area 410, the general area 420 Is specified as the file processing path.

In the work mode, the UnionFS 320 opens a file in the general area 420 in a read only state, opens a file in the virtual area 410 in a read / write state, and writes a content requested for writing.

When processing a file for the virtual area 410, the CryptoFS 330 decrypts a file encrypted with a predetermined key and delivers it to the UnionFS 320, and encrypts and stores the generated or changed file. Hereinafter, the interaction between the RedirFS 310, the UnionFS 320, and the CryptoFS 330 will be described in more detail.

The RedirFS 310 checks the contents of the file processing and requests the CryptoFS 330 to search for the file in the work mode. The CryptoFS 330 searches for the file in the virtual area 410 based on a predetermined key, and if the file exists in the virtual area 410, decrypts the file and forwards it to the UnionFS 320, and sends it to the virtual area 410. If the file does not exist, RedirFS 310 notifies the search of failure. The UnionFS 320 delivers the file received from the CryptoFS 330 to the device manager 100 or an application that requests file processing, and edits the file according to a user's write request.

When RedirFS 310 confirms that the file failed to be retrieved from the virtual area 410, the RedirFS 310 retrieves the file from the general area 420, passes the path of the retrieved file to UnionFS 320, and UnionFS 320 delivers the file. The received file is transferred to the device manager 100 or the application. In this case, the user may request editing of a file opened for read-only, in which case RedirFS 310 instructs UnionFS 320 to apply a copy on write (COW) function to the file system of the general area 420. . Then, the UnionFS 320 copies the file requested for writing according to the COW (Copy On Write) function from the general area 420 and creates the virtual area 410 in the virtual mode 410. The file is edited at 410.

Meanwhile, in the above-described example, the RedirFS 310, UnionFS 320, and CryptoFS 330 are mainly operated. However, at least one file among the RedirFS 310, UnionFS 320, and CryptoFS 330 is opened. Of course, the TM device, file search, path designation and the like are performed according to the control command of the device manager 100.

For example, when the device manager 100 confirms creation or change of a file in the virtual area 410 according to a file storage command, the device manager 100 transmits an encryption command to the FSV engine 200 through the FSV Java API, and the FSV engine 200. Instructs CryptoFS 330 via the CryptoFS API to store changes in the encrypted virtual region 410.

On the other hand, the mobile information protection system 10 may analyze whether the personal information is included from the files stored in the virtual area 410 and the general area 420, grasp the current status of personal information and transfer it to the company network. Then, the security server of the company network can grasp the current status of holding personal information for each mobile user, and instruct the mobile information protection system 10 to limit the retention of personal information according to a preset security policy. In this case, the mobile information protection system 10 instructed to restrict the retention of personal information may delete or permanently delete the corresponding personal information.

Hereinafter, a method of providing a virtualization environment of each component of the FUSE 300 according to a file read request and a file write request of an application in the work mode will be described with reference to FIGS. 3 to 6.

3 illustrates an example in which the user has requested to open a file previously read by the user in the work mode, but there is no file requested to open in the virtual area 410.

When the user requests to open a file through the application, the device manager 100 transmits a file open command to the RedirFS 310 through the FSV engine 200 (S310).

The RedirFS 310 determines whether the work mode is successful by logging in to the corporate network, and if the work mode is selected, the CryptoFS 330 based on the mount point of the file system of the virtual area 410 set for the work mode. In step S320, a file opening request corresponding to a file opening command is requested.

The CryptoFS 330 checks whether a file requested to open a file exists in the virtual area 410, and notifies the RedirFS 310 if it does not exist (S330).

When the RedirFS 310 determines that the file requested to be opened does not exist in the virtual area 410, the RedirFS 310 accesses the original file of the general area 420 (S340).

The UnionFS 320 opens the original file of the general area 420 in a read-only manner and notifies the application of the file being opened to the application through the FSV engine 200 and the device manager 100 (S350).

Then, the application shows the open file to the user (S360).

4 illustrates an example in which a write request is made to a read-only file after the file in the general area 420 is opened for read-only, as shown in FIG. 3.

When the user confirms that the user requests to write the original file of the general area 420 through the application, the device manager 100 transmits a write command to the RedirFS 310 (S410).

The RedirFS 310 determines whether the work mode is successful by logging in to the corporate network, and if the work mode is selected, the CrirtoFS 330 determines the file for the file based on the mount point of the file system of the virtual zone 410. Request to write (S420).

The CryptoFS 330 checks whether the write request file exists in the virtual area 410 and notifies the RedirFS 310 if it does not exist (S430).

When the RedirFS 310 determines that the write requested file does not exist in the virtual area 410, the RedirFS 310 requests the UnionFS 320 to copy the original file of the general area 420 and generate the virtual file 410 in the virtual area 410 ( S440). At this time, the RedirFS 310 designates the path of the original file of the general area 420 to the UnionFS 320.

The UnionFS 320 copies the original file of the general area 420 to the virtual area 410, creates the same file as the corresponding file in the virtual area 410, and writes the content requested to be written by the user (S450).

The CryptoFS 330 encrypts the changed file according to the file system unit according to the write request contents (S460).

5 illustrates an example in which a file requested by a user to open in the work mode exists in the virtual area 410.

When the user requests to open a file through the application, the device manager 100 transmits a file open command to the RedirFS 310 (S510).

The RedirFS 310 determines whether the work mode is successful by logging in to the corporate network, and if the work mode is requested, the CrirtoFS 330 is requested based on the mount point of the file system of the virtual area 410. Request to open the file (S520).

The CryptoFS 330 checks whether a file requested to be opened exists in the virtual area 410, and if not present, informs the unionFS 320 of the file path (S530).

The UnionFS 320 opens the file for editing (Open) and informs the device manager 100 (S540).

The device manager 100 shows the file opened through the application to the user (S550).

6 illustrates an example in which a new file that is not stored in the general area 420 and the virtual area 410 is requested to be opened and written in the work mode.

When the user requests to open a new file through the application, the device manager 100 transmits a new file open command to the RedirFS 310 (S610).

The RedirFS 310 checks whether it is currently in work mode, and if it is in work mode, requests the CryptoFS 330 to check whether a new file (eg, unknown.doc) exists (S620).

The CryptoFS 330 checks whether a new file exists in the virtual area 410, and notifies the RedirFS 310 if it does not exist (S630).

The RedirFS 310 checks whether a new file exists in the general area 420, and if it does not exist, the RedirFS 310 requests the UnionFS 320 to create a new file (S640).

UnionFS 320 generates a new file that can be read / write to the virtual area 410, and informs the application (S650).

Then, the application shows the generated new file to the user (S660).

The UnionFS 320 notifies the CryptoFS 330 when the user confirms the change by editing a new open file (S670).

The CryptoFS 330 encrypts and stores the changed content on a file system basis (S680).

 Meanwhile, in the above-described processes of FIGS. 3 to 6, the RedirFS 310, the UnionFS 320, and the CryptoFS 330 operate in accordance with one instruction of the device manager 100 as an example. The communication with the device manager 100 for each, and may operate according to the instructions of the device manager 100, of course.

As such, the present invention can strictly limit users who want to access the corporate network through authentication, and when the authentication passes, it terminates all applications running on the smartphone and simultaneously switches to using the file system of the virtual security environment. You can strictly distinguish between the environment and the general environment, and control the execution of other unnecessary applications.

In addition, the present invention can limit the use of the network other than the work by limiting the IP band in the work mode, it is possible to block or allow the medium (Camera, Bluetooth, etc.) that can potentially leak information according to the policy.

In addition, the present invention can analyze the contents of the files stored in the file system of the general area and the virtual area to identify and monitor the status of possession of personal and confidential information in the smartphone, and limit information retention according to policy. have.

While the present invention has been described in detail with reference to the accompanying drawings, it is to be understood that the invention is not limited to the above-described embodiments. Those skilled in the art will appreciate that various modifications, Of course, this is possible. Accordingly, the scope of protection of the present invention should not be limited to the above-described embodiments, but should be determined by the description of the following claims.

Claims (11)

A memory including an encrypted virtual area and a general area;
In a general mode that is not connected to the company network or is not authenticated by the user even when connected to the company network, the running application operates based on the general area, and is connected to the company network and the user is authenticated. A device manager to operate based on the virtual area;
A file system in userspace (FUSE) that intercepts file processing of a virtual file system (VFS) and performs the file processing based on the virtual area in the work mode; And
A virtualization engine that bridges the communication between at least one of the application and the device manager in the work mode and the FUSE in the kernel layer in the work mode.
Mobile information protection system that includes. The device of claim 1, wherein the device manager comprises:
In the work mode, the application terminates if the application is not a work application, and restricts execution of other applications except the work application. The device of claim 1, wherein the device manager comprises:
In the work mode, the mobile information protection system instructing the FUSE to manage the file in the general area as a read-only object, and manages the file in the virtual area as a read-write object through the virtualization engine. The device of claim 1, wherein the device manager comprises:
In the work mode, limiting the available Internet Protocol (IP) band to limit the use of the network only for business purposes. The device of claim 1, wherein the device manager comprises:
And in the work mode, restricting the use of the application itself or its functions that are likely to leak information, among the applications according to a predetermined policy. The method of claim 1, wherein the FUSE,
If there is a file content created or changed in the virtual area, the mobile information protection system is encrypted with a predetermined key and stored in the virtual area. The method of claim 1,
The FUSE checks the holding status of personal information and confidential information in the virtual area and the general area,
The device manager, by reporting to the security server in the company network to support the function of checking the holding status by the user by the security server and the restriction of the retention of the personal information and the confidential information for each user. . As a method of providing a virtual security environment of FUSE (File System in Userspace) according to the instruction of MDM (Mobile Device Management),
In a general mode that is not connected to the company network or is not authenticated by the user even when connected to the company network, when the user is connected to the company network and the user is authenticated and switched to the work mode, the application execution environment is encrypted in the general area. Setting to change to; And
Intercepting file processing of a virtual file system (VFS) in the work mode, and performing the file processing based on the virtual area
The virtual security environment providing method comprising a. The method of claim 8, wherein the performing of:
If the file processing is opening of a specific file, retrieving the specific file from the virtual area; And
If the specific file is in the virtual area, opening the specific file for reading and writing; And
If editing is requested for the specific file opened, editing the requested content and encrypting the changed content in a file system unit.
It will include a virtual security environment providing method. The method of claim 9, wherein the performing of:
If the specific file is not found in the virtual area, searching for the specific file in the general area; And
If the specific file is in the general area, opening the specific file in the general area as read only
The method further comprising a virtual security environment. 11. The method of claim 10,
When the editing request for the specific file opened as read-only is confirmed, copying a specific file of the general area to the virtual area by using a copy on write (COW) function to generate the virtual file in the virtual area; And
Reflecting the content requested for editing in the generated file of the virtual area
Encrypting the generated file of the virtual area by the file system unit
The method further comprising a virtual security environment.
KR1020120000231A 2012-01-02 2012-01-02 Mobile data loss prevention system and method for providing virtual security environment using file system virtualization on smart phone KR20130079004A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020120000231A KR20130079004A (en) 2012-01-02 2012-01-02 Mobile data loss prevention system and method for providing virtual security environment using file system virtualization on smart phone

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020120000231A KR20130079004A (en) 2012-01-02 2012-01-02 Mobile data loss prevention system and method for providing virtual security environment using file system virtualization on smart phone

Publications (1)

Publication Number Publication Date
KR20130079004A true KR20130079004A (en) 2013-07-10

Family

ID=48991841

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020120000231A KR20130079004A (en) 2012-01-02 2012-01-02 Mobile data loss prevention system and method for providing virtual security environment using file system virtualization on smart phone

Country Status (1)

Country Link
KR (1) KR20130079004A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105067924A (en) * 2015-08-06 2015-11-18 哈尔滨工业大学 Signal identification system and method based on Feature Selective Validation method
CN111149337A (en) * 2017-10-19 2020-05-12 国际商业机器公司 Secure access management of tools within a secure environment
CN112765633A (en) * 2021-01-26 2021-05-07 上海蛮犀科技有限公司 Reinforcing technology for virtualization of mobile application codes
WO2024071529A1 (en) * 2022-09-30 2024-04-04 (주)나무소프트 Local data protection system
WO2024106794A1 (en) * 2022-11-17 2024-05-23 (주)리얼시큐 Data protection method and device in linux-based operating system

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105067924A (en) * 2015-08-06 2015-11-18 哈尔滨工业大学 Signal identification system and method based on Feature Selective Validation method
CN111149337A (en) * 2017-10-19 2020-05-12 国际商业机器公司 Secure access management of tools within a secure environment
US11799861B2 (en) 2017-10-19 2023-10-24 International Business Machines Corporation Secure access management for tools within a secure environment
CN112765633A (en) * 2021-01-26 2021-05-07 上海蛮犀科技有限公司 Reinforcing technology for virtualization of mobile application codes
WO2024071529A1 (en) * 2022-09-30 2024-04-04 (주)나무소프트 Local data protection system
WO2024106794A1 (en) * 2022-11-17 2024-05-23 (주)리얼시큐 Data protection method and device in linux-based operating system

Similar Documents

Publication Publication Date Title
KR101382222B1 (en) System and method for mobile data loss prevention which uses file system virtualization
US10268827B2 (en) Method and system for securing data
KR101705550B1 (en) Method and software product for controlling application program which access secure saving area
EP1946238B1 (en) Operating system independent data management
US9129138B1 (en) Methods and systems for a portable data locker
JP6785967B2 (en) Methods and systems to block phishing or ransomware attacks
WO2009110275A1 (en) Classified information leakage prevention system and classified information leakage prevention method
JP5263169B2 (en) Information providing method, relay method, information holding device, repeater
CN105528553A (en) A method and a device for secure sharing of data and a terminal
TW201337631A (en) Sensitive information leakage prevention system, sensitive information leakage prevention method, and computer-readable recording medium
KR20130079004A (en) Mobile data loss prevention system and method for providing virtual security environment using file system virtualization on smart phone
KR20090121712A (en) Virtual system and method for restricting usage of contents in the virtual system
CN110543775B (en) Data security protection method and system based on super-fusion concept
KR100975133B1 (en) Security management system for portable memory devices and security management method using the same
JP4044126B1 (en) Information leakage prevention device, information leakage prevention program, information leakage prevention recording medium, and information leakage prevention system
KR20090128818A (en) The management system and management method of a secure area
KR20160102915A (en) Security platform management device for smart work based on mobile virtualization
JP2021174432A (en) Electronic data management method, electronic data management device, and program and storage medium for the same
KR101028150B1 (en) File managing device of client apparatus, method thereof and recorded medium recorded with program thereof
KR101028149B1 (en) File managing device of client apparatus, method thereof and recorded medium recorded with program thereof
US20240171528A1 (en) Information processing method and storage medium
KR20050077664A (en) Secure kernel system supporting encryption
KR100901014B1 (en) Apparatus and method for running application in virtual environment
US20200409573A1 (en) System for providing hybrid worm disk
JP6395985B2 (en) Security monitoring device, communication system, security monitoring method, and security monitoring program

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application