RU2572385C2 - System for restricting access to file extensions - Google Patents

Abstract

FIELD: physics, computer engineering.

SUBSTANCE: invention relates to means for protection from unauthorised information accessing. An access restricting system comprises a first decision unit, a second decision unit, a third decision, a fourth decision unit, a file object access rights storage unit, wherein the first input of the first decision unit is connected to the first input of the system, the first input of the second decision unit, the first input of the third decision unit, the second input is connected to the first output of the file object access rights storage unit, the first output is connected to the first input of the file object access rights storage unit, the second input of the file object access rights storage unit is connected to the second input of the system, the second output of the first decision unit is connected to the third input of the fourth decision unit, the second input of which is connected to the second output of the second decision unit, the first input is connected to the second output of the third decision unit, the output is connected to the output of the system, the first output of the second decision unit is connected to the third input of the file object access rights storage unit, the second input is connected to the second output of the file object access rights storage unit, the third output of which is connected to the second input of the third decision unit, the first output of which is connected to the fourth input of the file object access rights storage unit.

EFFECT: restricting access to file extensions.

2 dwg

Description

The invention relates to the field of computer technology, and in particular to the field of protection against unauthorized access (unauthorized access) to information created and stored in computer systems (CS).

The most important feature of a file in Microsoft Windows is its extension. It is the file extension that determines its type, for example, the executable file has the extensions ".exe", ".com", ".bat", ".sys", etc., script files: ".vbs" and ".vbe "(VBScript)," .js "and" .jse "(JavaScript)," .sept "(AppleScript), etc. The same applies to test and other files processed in the CS.

As a result, the file extension can be used as an access object in the delineation policy, in order to implement the delineation of access to file types.

When implementing such a differentiating policy, it becomes possible to solve many of the most important tasks of protecting information processing in the CS.

Consider only a few of these tasks and the possibility of solving them, by restricting access to file extensions.

1. Protection against downloading to the COP and the launch of malware. This problem is solved as follows:

- It is allowed to execute files only with specific (specified) extensions. An empirically determined list of executable file extensions that must be allowed to run for the operating system to work correctly is ".exe", ".bat", ".config", ".dll", ".manifest", ".drv", " .fon "," .ttf, ".sys" (files with these extensions in the COP are allowed to read and execute);

- The ability to delete and modify files authorized for execution (files with specified extensions) is prevented;

- Prevents the possibility of creating new authorized files for execution in the CS (files with specified extensions);

- Prevents the ability to rename files allowed for execution (files with specified extensions)

- Prevents the possibility of renaming other files to files that are allowed for execution (to files with specified extensions).

As a result, only authorized executable files can be executed in the CS - executable malware files (with the given extensions) cannot be installed in the CS and then executed.

Comment. Similar rules can be set for all users (including system users), but you can only allow the administrator to install executable files in the CS.

2. Protection against unauthorized modification of system files (executable files and OS and application settings files).

The possibility of unauthorized deletion / modification, renaming of files with the corresponding extensions is prevented.

Comment. Similar rules can be set for all interactive users, but you can only allow the administrator to modify system files in the CS.

3. Protection against downloading malicious script files to the CS.

When reading such a file, the corresponding application (for example, an Internet browser, Java machine is endowed with malicious properties.

It prevents the possibility of unauthorized deletion / modification, renaming script files installed in the CS (by their extensions), creating new script files in the CS, renaming the file created in the CS to the script file.

Comment. Similar rules can be set for all interactive users, but you can only allow the administrator to modify system files in the CS. By setting delimitations for the access subject (process) - in the delimiting policy it is specified by the full-path name of its executable file, types (by extensions) of script files to which read access to a specific application will be allowed can be localized.

4. Restriction of the user’s work only with certain types of files (by extension), including executable ones.

For example, you can prevent the user from working with files that have the extensions ".http", ".avi", etc.

Comment. Here, the user acts as the subject of access in the delineation policy.

5. Restriction of the application only with certain types of files (by extension), including executable ones.

For example, you can prevent the Internet browser from accessing files intended for storing confidential information in the CS, for example, files with the extension ".doc", etc.

Comment. Here, the process acts as the subject of access in the delineation policy.

These are just examples of tasks to be solved, the list of which can be significantly expanded. Important here is the formation of requirements for a system for restricting access by file extensions:

- the access object must be specified by the file extension;

- the subject of access in the general case should be defined by two entities — the user, the process;

- Access rules should be set (read, write, delete, execute, rename, etc.) to files specified by extensions;

- Access rules for creating files with specified extensions must be set;

- Access rules must be set for renaming files to files with specified extensions.

An analysis of the literature and descriptions of the operation of modern OS and applications allows us to note the following. Despite the wide possibilities provided by the delimiting policy of access to files, by their extensions, in modern OS and applications, similar principles of access control, in particular, fulfilling the formulated requirements for a system of differentiating access to files by their extensions, are not implemented.

Currently, various systems for restricting access to file objects are known.

So, for example, in the system of access control for resources, Patent No. 2207619 (G06F 13/00), it is possible to set access control for both users and processes. However, this does not allow to implement access control for files by their extensions.

EPO application N 0192243 (CL G06F 12/14, 1986) describes a method for protecting system files in which information defining the access rights of system users remains all the time in a secure processor. This does not allow to implement access control for files by their extensions.

Patent No. 2134931 (class H04L 9/32, G06F 12/14) describes a method for providing access to objects in the operating system based on the assignment of security labels to subjects and access objects, while for each object of the operating system they are formed in advance and then stored in memory object label signal, i.e. access rights to objects assigned in the form of security labels must again be assigned by the administrator to static objects (folders). This does not allow to implement access control for files by their extensions.

Closest to the technical solution and chosen by the authors for the prototype is a system for restricting access to file objects, implemented in Microsoft Windows [M. Russinovich, D. Solomon. Microsoft Windows internal device. - St. Petersburg: Peter, 2005 - 992 p. (Chapter 8, Fig. 8.5. An example of checking access rights)].

The system is presented in figure 1. The access control system for file objects contains a deciding unit 1, a storage unit for access rights to file objects 2, the first input of a deciding unit connected to the first input of the system 3, the second input with the output of the storage unit for access rights to file objects 2, the first output with the first input of the storage unit for access rights to file objects 2, the second output with the output of the system 4, the second input of the storage unit for access rights to file objects 2 is connected to the second input of the system 5.

The system works as follows. The administrator from the second input of system 5 (from the input of setting access rights to file objects) to the storage unit for access rights to file objects 2 sets access rights to file objects of subjects (for example, this block can store the access matrix as a separate file), in which for The file object indicates which entities have access rights to it and which access rights are allowed to it (read, write, execute, rename, delete, etc.). When requesting access, which contains the name of the subject (the name of the user (account) and the name of the process requesting access, as well as the requested access rights - read, write, etc.) to the file object, access request from the first input of the system 3 (from the input of the access request) arrives at the decisive block 1. To process the access request, the decisive block from the first output requests the storage unit for access rights to file objects 2 attributes of the object to which access is requested, receives them at the second input and compares the requested access rights to a file object with permitted (forbidden) access rights to this object specified in the file attributes. As a result of the comparison, the decisive unit issues a control signal to the output of system 4 (to the control output of the access permission / deny), allowing (if the request does not contradict the permissions) or rejecting the access requested from the system from the first input of system 3.

The prototype, which implements access control to file objects, does not allow to implement access control to files by their extensions, because an access object to which access rights are differentiated is uniquely identified by its full path name - it is not possible to set the access object with the file extension (type), i.e. It’s a kind of mask, by which the task of the access object in the delineation policy defines not one specific file, but all files of a certain type (falling under this mask).

The present invention solves the problem of expanding the functionality of the system for restricting access to file objects by implementing access control for file extensions.

To achieve a technical result, a system for restricting access to file objects containing a first decision block, a storage block for access rights to file objects, the first input of the first decision block is connected to the first input of the system, the second input is to the first output of the block for access rights to file objects , the first output is with the first input of the file objects access rights storage unit, the second input of the file objects access rights storage unit is connected to the second system input, the second, third and fourth decision blocks, the second output of the first decision block being connected to the third input of the fourth decision block, the second input of which is the second output of the second decision block, the first input is the second output of the third decision block, the output is the system output, the first input of the first decision block connected to the first input of the third crucial unit, with the first input of the second critical unit, the first output of which is with the third input of the storage unit for access rights to file objects, the second input is with the second output of the storage unit of rights a step to file objects, the third output of which is with the second input of the third decision block, the first output of which is with the fourth input of the storage block of access rights to file objects.

New in the present invention is the provision of a system for restricting access to file objects with second, third and fourth decision blocks, and their relationships.

As a result of the analysis of the prior art by the applicant, including a search by patent and scientific and technical sources of information and identification of sources containing information about analogues of the claimed technical solution, no source was found characterized by features identical to all the essential features of the claimed technical solution. The determination from the list of identified analogues of the prototype as the closest analogue in terms of the totality of features made it possible to establish the set of distinguishing features essential to the applicant’s technical result of the claimed system of session control of access to file objects. Therefore, the claimed technical solution meets the criterion of "novelty."

An additional search conducted by the applicant did not reveal known solutions containing features that match the distinctive features of the claimed system for restricting access by file extensions. The claimed technical solution does not follow for the specialist explicitly from the prior art and is not based on a change in quantitative characteristics. Therefore, the claimed technical solution meets the criterion of "inventive step".

The set of essential features in the present invention made it possible to expand the functionality of the system for restricting access to file objects by implementing access control for file extensions.

As a result, we can conclude that:

- the proposed technical solution has an inventive step, because it does not explicitly follow from the prior art;

- the invention is new, since the prior art on available sources of information did not reveal analogues with a similar set of features;

- the invention is industrially applicable, as it can be used in all areas where implementation of access control (access rights delimitation) to file objects is required.

The invention is illustrated by the drawing shown in Fig.2.

The inventive access control system for file extensions comprises a first decision block 1, a second decision block 2, a third decision block 3, a fourth decision block 4, a storage unit for access rights to file objects 5, the first input of the first decision block 1 being connected to the first input of the system 6 , with the first input of the second critical unit 2, with the first input of the third critical unit 3, the second input - with the first output of the storage unit for access rights to file objects 5, the first output - with the first input of the storage unit for access rights to file objects 5, w The second input of the storage block for access rights to file objects 5 is connected to the second input of the system 7, the second output of the first decision block 1 is connected to the third input of the fourth decision block 4, the second input of which is with the second output of the second decision block 2, the first input is with the second output the third decision block 3, the output - with the output of the system 8, the first output of the second decision block 2 - with the third input of the storage unit for access rights to file objects 5, the second input - with the second output of the storage unit for access rights to file objects 5, the third exit to orogo - to a second input of the third deciding unit 3 whose first output - to a fourth input of the storage unit of access rights to file objects 5.

Consider the work of access control system for file extensions.

A delimiting access policy is set by the administrator from system input 7 in block 5, which is a repository of administrator-defined access rules for entities to objects, for example, a separate file, registry object, etc. File attributes are not used in this case, since the access object is specified by the file extension, i.e. one access object in a delimiting policy, for example, “.exe”, can simultaneously describe several files with the same extension. So, the access object is specified by the file extension, for example, “.exe”, while masks can be used, for example, “.vbs” and “.vbe” can be set by the mask “.vb *”. An access subject is generally defined by a pair of entities: the user (identified by SID), the process (identified by the full path name of the process executable). When defining access subjects, masks and environment variables can be used, for example, the mask * (All) can be used to set rules for any (all) users, for any (all) processes, which allows implementing a differentiating access policy for separate entities that specify the access subject (only for users or only for processes), and for their combination (which user is allowed / denied access to the object by which process). Masks can also be used to specify processes in the access subject, for example file: // C: / Program Files \ * (all processes launched from the file: // C: / Program Files directory). The fundamental difference in setting the rules for accessing objects identified by the file extension is that not only the allowed / forbidden rules for accessing the object are set (read, execute, delete, rename, etc.), but also the rule for allowing / prohibiting the creation of the object ( for example, for the .exe object, creation or creation of new similar objects is allowed or prohibited - creation of files with the extension .exe) and the rule of allowing / prohibiting renaming to an object (for example, for the .exe object, renaming in The desired object is renaming any file to a file with the extension .exe, in fact, renaming the file extension). In this way, both renaming "from" (renaming an object having a given extension) and renaming "to" (renaming to an object having a given extension) are controlled.

The request for access of the subject to the object comes in the first 1, second 2 and third 3 decision blocks from the input 6 of the system. From the access request, these blocks identify the subject of access - which user which processes requested access. The decisive blocks 1, 2, 3 are determined from the request and various information is processed. The first decision block 1 analyzes the action requested by the subject on the file, with the exception of renaming (read, write, execute, delete, etc.). In this case, block 1 determines from the access request the full path name of the file to which access is requested and the action requested by the subject on this file. From the full path name of the file received from the request, block 1 selects its extension (the access object is defined in the delimiting policy). Then, upon request from the first exit, the first decisive block 1 to the second input from block 5 receives the allowed (or forbidden if a prohibitive delimiting access policy is implemented) access rules of the subject (the subject was isolated from the request) to the object. The first decision block 1 analyzes the access request for consistency by the rules specified by the administrator for consistency, as a result of which it generates and transmits to the fourth decision block 4 a control signal for allowing or denying access.

The second decision block 2 similarly processes the request to create a file. If a request to create a file is received at input 6 of the system, it is identified by the second decisive block 2. This block allocates its extension from the full path name of the created file, determined from the access request (the access object is defined in the delimiting policy). Then, upon request from the first exit, by the second decisive block 2 to the second input from block 5, the allowed (or forbidden if a prohibitive delimiting access policy is implemented) rules for creating files (the subject was isolated from the request) are obtained. The second decision block 2 analyzes the access request for consistency by the administrator-defined rules for creating files with certain extensions by the subjects, as a result of which it generates and transmits to the fourth decision block 4 a control signal to enable or disable the requested access to create the file.

The third decision block 3 similarly processes the request to rename the file. In the event that a request to rename a file is received at input 6 of the system, it is identified by the third decisive block 3. This block from the full path name of the renamed file and from the full path name to which the original file is determined, which is determined from the access request, their extensions are selected (access objects are defined in demarcation policy). Then, upon request from the first exit, by the third decision block 3 to the second entrance from block 5, the allowed (or forbidden if the prohibitive delimiting access policy is implemented) rules for renaming files by the subject (the subject was isolated from the request) are obtained. The third decision block 3 analyzes for consistency the access request specified by the administrator for the rules for renaming files with certain extensions by the subjects, as a result of which it generates and transmits to the fourth decision block 4 a control signal to enable or disable the requested access to rename the file. In this case, block 3 analyzes two rules regarding two access objects. It is analyzed whether it is possible to rename the original object (rename the file with the corresponding extension) and whether it is possible to rename the requested object (rename the file with the corresponding extension).

The fourth decision block 4 generates a control signal to enable or disable the requested access to the output 8 of the system. If at least one of the decision blocks 1, 2, 3 in the fourth decision block 4 has been issued a control signal to prohibit the requested access, block 4 to the output 8 of the system generates a control signal to prohibit the requested access.

Let us evaluate the achievement of the goal - the solution to the problem of expanding the functionality of the system for restricting access to file objects, by implementing access control for file extensions. We see that the requirements for the access control system for file extensions are fully implemented:

- the access object must be specified by the file extension;

- the subject of access in the general case should be defined by two entities - the user, the process;

- Access rules should be set (read, write, delete, execute, rename, etc.) to files specified by extensions;

- Access rules for creating files with specified extensions must be set;

- Access rules must be set for renaming files to files with specified extensions.

This allows you to fully solve the problems of information security.

The invention is industrially applicable in terms of the possibility of technical implementation of the blocks included in the system.

The technical implementation of all system blocks is based on standard solutions for storing and processing data (including their selection and analysis), for processing requests for access to file objects. All used blocks are technically feasible, and their implementation is achieved by standard means.

This decision was tested by the applicant when building a prototype of a means of protecting computer information.

Thus, in the present invention, the tasks of expanding the functionality of the system for restricting access to file objects by implementing access control for file extensions are solved.

Given the current level of development of computer technology, it is technically feasible.

Claims (1)

A system for restricting access to file objects, comprising a first decision block, a block for storing access rights to file objects, the first input of the first decision block being connected to the first input of the system, the second input to the first output of the block for storing access rights to file objects, the first output from the first input of the storage unit for access rights to file objects, the second input of a storage unit for access rights to file objects is connected to the second input of the system, characterized in that a second, third and fourth solution are additionally introduced into it and the second output of the first crucial unit is connected to the third input of the fourth critical unit, the second input of which is with the second output of the second critical unit, the first input is with the second output of the third critical unit, the output is with the system output, the first input of the first critical unit is connected with the first input of the third crucial unit, with the first input of the second critical unit, the first output of which is with the third input of the file permissions storage unit, the second input is with the second output of the file permissions storage unit m objects, the third output of which - to the second input of the third deciding unit, a first output of which - a fourth input of the storage access rights to file objects.

Images