TWI736012B - Bitlocker disc process identification management system and method - Google Patents
Publication number: TWI736012B (application TW108140685A)
Authority: TW (Taiwan)
Classification landscape: Storage Device Security
Abstract
The invention provides a disk process management system and method, more specifically a BitLocker disk process management system and method, which resolves the process identifier (PID) conflicts that can arise in the operating system when an application is executed.

Description
With the development of computer technology, people now use computers or terminals of every kind as their working tools in work, study, research and other applications; enterprises, government agencies, financial institutions and military units in particular generate large volumes of electronic files around the clock. In the information age, however, any electronic file of significant commercial, strategic, military or creative value can be leaked through careless internal management or exposed by external attack: files may be illegally copied or destroyed from inside the organization, storage devices holding them may be physically carried out, or they may be attacked or stolen over the network from an external terminal, and in every case the enterprise or organization suffers a loss. Moreover, because modern operating systems accommodate multiple user accounts and network servers share files among users, confidential documents of differing sensitivity must be kept apart when several users share the same system.
The usual way to make this distinction is to plan access rights according to the business role of each user in the organization or enterprise: a particular user may be allowed to print, preview, read, copy, execute and edit a particular confidential document, while a user whose duties are less related is granted lower rights, such as preview and read only with no copy or edit, so that the organization's confidential documents can be managed separately. One approach is to introduce a sandbox mechanism into the organization's systems, so that the confidential documents, software and settings that can be accessed are confined to the resources the operating system provides and cannot exceed them. This isolates users from one another, provides differing degrees of protection between them, contains viruses and malicious programs and, more importantly, prevents confidential documents leaking from inside the enterprise or organization to the outside, for example a departing employee of a software company taking the source code the company developed to a competitor, or an employee of a trading company carrying out confidential business documents.
Traditionally, when an error occurs in a process, the only recourse has been to restart the operating system. For managing access rights to confidential documents, the sandbox mechanism described above normally uses the operating system's process identifier (PID) as the basis for its decisions. The PID is a number that the kernel of most UNIX-like operating systems (and of Windows) uses to identify a running process; it is passed as a parameter to many system calls to adjust a process's priority, kill it, or control its access rights.
Despite these advantages, using the PID for access control of confidential documents runs into a difficulty with certain applications, such as Microsoft Excel: when several confidential documents are opened in the same application, the application hosts them all in one process, so they share a single PID, the sandbox cannot tell which access rights correspond to which document, and processing errors may result. Figure 1 shows this failure in terms of the user (301), application (303), process identifier (305), confidential documents (307) and API (309). When the actual user (301A) opens the first document (307A) and the second document (307C) of the confidential documents (307) by running the application (303), Microsoft Excel in this example, both documents correspond to the first PID (305A), and the sandbox mechanism (111) cannot determine what the actual user's (301A) access rights to the first document (307A) and the second document (307C) are.
Hence the known system and method of managing access rights to confidential documents by PID within a sandbox still needs improvement, so that the sandbox's access control does not produce errors for particular applications, a user's differing rights to different confidential documents can actually be enforced, and operating system stability is not affected.
In view of this, the present invention proposes a BitLocker disk process management system to solve the problem that multiple confidential documents opened through the same application (such as Microsoft Excel, Word or PowerPoint) map to the same process identifier (PID).
The system allocates computing resources to the system components and coordinates processes through a processing module. Its architecture comprises: an access permission module, which sets the access rights on the BitLocker disk, covering operations such as write, read, preview, copy, delete and print; a BitLocker disk protection module, coupled to the access permission module, which authenticates the user's access rights to the BitLocker disk, for example by BitLocker-based authentication; a BitLocker disk management module, which manages the confidential documents stored on BitLocker disks and the creation and number of such disks; and a BitLocker disk driver module, coupled to the BitLocker disk management module, which drives the operation of the BitLocker disk. The driver module further comprises a PID unit, which assigns specific process identifiers (PIDs) to users, applications and confidential documents according to the rights set by the access permission module, and a hook unit, which, based on the PID, intercepts the operations the access rights do not allow and passes the allowed operations through to the application programming interface (API).
According to the invention, different documents of the same application map to different PIDs: the first PID corresponding to the first document differs from the second PID corresponding to the second document.
According to the invention, the access permission module further includes a user unit, which creates as many virtual users as are needed for the confidential documents to be run under the same application, so that the different documents map to different PIDs. In a preferred embodiment the virtual users are created through the API.
According to the invention, the access permission module further includes a library unit, which records the functions associating PIDs with particular users, applications and confidential documents; the functions in the library unit may take the form of a dynamic-link library (DLL).
The invention also proposes a BitLocker disk process management method comprising the following steps: the processing module determines whether the application already has the first document open before it is executed; if not, the PID unit creates the first PID corresponding to the first document; if so, the user unit creates a virtual user within the actual user's environment as the application requires, and, within the environment of the same application, the PID unit creates the second PID corresponding to the second document for that virtual user. When the second document is closed, the virtual user may be deleted after a predetermined time, or kept.
According to the invention, the method further comprises the processing module launching the application in the actual user's environment, and the hook unit intercepting all processes.
According to the invention, the method further comprises the hook unit intercepting, according to the access rights, the operations on the first document that are not allowed, and connecting the allowed operations to the API.
According to the invention, the hook unit intercepts the operations on the second document according to the access rights and, once the virtual user has been created, connects the allowed operations to the API.
According to the invention, the method further comprises the processing module executing the first document, as permitted by the access rights, in the actual user's operating system environment.
According to the invention, the method further comprises the processing module using the runas program so that the application executes the second document, as permitted by the access rights, in the virtual user's environment.
According to the invention, the method further comprises the access permission module setting each user's access rights and storing them in the user unit.
The foregoing explains the purpose, technical means and attainable effects of the invention; those skilled in the art will understand the invention more clearly from the following embodiments, the accompanying drawings and the claims.
111 ‧‧‧ Sandbox mechanism
200 ‧‧‧ BitLocker disk process management system
201 ‧‧‧ Processing module
203 ‧‧‧ BitLocker disk management module
205 ‧‧‧ BitLocker disk driver module
205A ‧‧‧ PID unit
205C ‧‧‧ Hook unit
207 ‧‧‧ BitLocker disk protection module
209 ‧‧‧ Access permission module
209A ‧‧‧ User unit
209C ‧‧‧ Library unit
301 ‧‧‧ User
301A ‧‧‧ Actual user
301C ‧‧‧ Virtual user
303 ‧‧‧ Application
305 ‧‧‧ Process identifier (PID)
305A ‧‧‧ First PID
305C ‧‧‧ Second PID
307 ‧‧‧ Confidential documents
307A ‧‧‧ First document
307C ‧‧‧ Second document
309 ‧‧‧ Application programming interface (API)
400 ‧‧‧ BitLocker disk process management method
S1-S11 ‧‧‧ Method steps
The detailed description and schematic embodiments below should make the invention fully understood; they are to be taken as a reference for understanding how the invention is applied, not as limiting it to a particular embodiment.
Figure 1 illustrates the problems that can arise under the conventional sandbox mechanism when a user's access rights to an application or confidential document are set according to the process identifier (PID).
Figure 2 illustrates the system architecture of the BitLocker disk process management system.
Figure 3 shows how several confidential documents with different access rights are executed in the processing module within the actual user's environment.
Figure 4 shows the steps of the BitLocker disk process management method.
Figure 5 shows the flow of the steps of the BitLocker disk process management method.
The invention is described in detail through preferred embodiments and viewpoints. The following description gives specific implementation details so that the reader can understand thoroughly how the embodiments are carried out; those skilled in the art will appreciate that the invention can also be practised without these details. The invention may be applied and implemented in other specific embodiments, the details set out here may be applied according to different needs, and various modifications or changes may be made without departing from the spirit of the invention. The preferred embodiments and viewpoints explain the structure of the invention; they serve only as illustration and do not limit the scope of the claims. Terms used in the following description are to be read in their broadest reasonable sense, even where they appear together with the detailed description of a specific embodiment.
The purpose of the invention is to provide a BitLocker disk process management system and method that solves a problem of earlier sandbox mechanisms that set a user's access rights to applications or confidential documents by process identifier (PID): certain applications merge the processes of different confidential documents into one process with a single PID, and they offer no parameter that would keep the PIDs separate. For example, when the actual user is Lisa and two confidential documents are opened in Excel, both land in the same PID, say 2010 (the number is only an example), instead of two PIDs such as 1020 and 1030 representing the two documents. In a sandbox this can compromise the stability of the sandbox and open gaps in the protection of the confidential documents.
The solution provided by the invention is to use the API to create, within the actual user's environment, as many virtual users as there are confidential documents to open, and to run those documents under the different virtual users with the runas program, so that the application assigns different PIDs to the documents according to the user each runs as. Different confidential documents can then map to different access rights, process errors are avoided, and system stability and ease of use improve. In the invention the sandbox mechanism is BitLocker. The specific technical means are described in detail below.
In the invention, the processing module (201) typically comprises a processor, memory, temporary storage, a display, a network communication module, an operating system and applications, interconnected in the usual way to perform computation, temporary storage, display and data transfer and to provide the operation and coordination of the BitLocker disk process management system (200); since this is a conventional architecture it is not described further. The access rights comprise operations such as write, read, preview, copy, delete and print. Users (301), applications (303), PIDs (305) and confidential documents (307) may be created or executed in whatever number the application requires, for example a first PID (305A), a second PID (305C) and so on up to an Nth PID, or a first document (307A), a second document (307C) and so on up to an Nth document; this will be readily understood by those skilled in the art after reading this specification.
Referring to Figures 2 and 3, the invention provides a BitLocker disk process management system (200) that runs on the processing module (201) described above, which allocates computing resources to the system components and coordinates processes.
In the invention, the architecture of the BitLocker disk process management system (200) comprises: an access permission module (209), which sets the access rights on the BitLocker disk, covering operations such as write, read, preview, copy, delete and print, and which includes a user unit (209A) that uses the API (309) to create as many virtual users as are needed for the confidential documents (307) to be run under the same application (303), so that different confidential documents (307) map to different PIDs (305); a BitLocker disk protection module (207), coupled to the access permission module (209), which authenticates the user's (301) access rights to the BitLocker disk, for example by BitLocker-based authentication; and a BitLocker disk management module (203), which manages the confidential documents (307) stored on BitLocker disks and the creation and number of such disks.
The BitLocker disk process management system (200) further comprises a BitLocker disk driver module (205), coupled to the BitLocker disk management module (203), which drives the operation of the BitLocker disk. The driver module (205) further comprises a PID unit (205A), which assigns specific PIDs (305) to users (301), applications (303) and confidential documents (307) according to the rights set by the access permission module (209), and a hook unit (205C), which, based on the PID (305), intercepts the operations the access rights do not allow and connects the allowed operations to the API (309).
Note that the actual user (301A) and the virtual user (301C) correspond to the same real user (301): they have the same access rights to the application (303), but their rights to the first document (307A) and the second document (307C) may differ because of differing business roles within the organization or enterprise. So that the first document (307A) and the second document (307C) receive different PIDs (305), the BitLocker disk process management system (200) executes the second document (307C) as the virtual user (301C). In embodiments, the first document (307A) and the second document (307C) may be displayed on the same screen or on different screens of the processing module (201).
Figure 3 shows how the BitLocker disk process management system (200) runs in the processing module (201). When the actual user (301A), Lisa for example, opens the first document (307A) through the application (303) within the BitLocker execution environment, the PID unit (205A) assigns the first PID (305A) to the first document (307A). In one embodiment the hook unit (205C) uses the first PID (305A) to look up which operations the access permission module (209) allows and denies the actual user (301A), for example whether the content of the first document (307A) may be previewed, and whether it may be written, copied, deleted or printed. Having checked the rights, the hook unit (205C) connects the allowed operations to the API (309) and intercepts the disallowed ones.
When the actual user (301A), Lisa, then opens the second document (307C) through the same application (303), the system creates a virtual user (301C) with the same access rights as the actual user (301A) and a randomly generated name, Dean for example. In the virtual user's (301C) environment the PID unit (205A) assigns the second PID (305C) to the second document (307C), so that for the same user (301) and the same application (303) the invention produces different PIDs (305), one of them generated for the virtual user (301C). The same user can therefore open different confidential documents (307) with the same application (303): because one of the documents is owned by a virtual user, it receives a different PID (305), and the user can have open, under one application (303), several documents with distinct PIDs (305). For example, the second confidential Excel document (307) runs under the virtual user (301C) with a PID (305) different from that of the first Excel document (307).
Excel is only an example; depending on how the application (303) behaves, the same applies to any application (303) that would merge two confidential documents (307) into one PID (305), such as Word or PowerPoint.
In one embodiment, the access permission module (209) further includes a library unit (209C) that records the functions associating PIDs (305) with particular users (301), applications (303) and confidential documents (307); the functions in the library unit (209C) may take the form of a dynamic-link library (DLL). In one aspect of the invention, the PID (305) of a confidential document (307) may be set by the access permission module (209) as the application requires, or assigned by the PID unit (205A), to suit the behaviour of different applications (303) and improve the compatibility of the BitLocker disk process management system (200).
In one embodiment, the protectors held by the BitLocker disk protection module (207) correspond to the different access rights set in the access permission module (209); a protector may be, without limitation, a Trusted Platform Module (TPM), a PIN, a mobile-device key, or a combination of these. In one aspect of the invention the mobile-device key is a key stored on a USB flash drive, so that the access rights can be tied to the protector form appropriate to the business role of the real user behind the user (301).
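As an added example (not code from the patent), the following PowerShell shows the check a practitioner would want before treating a volume as a "BitLocker disk" for a given access level: that protection is actually on, that encryption has finished, and that a protector of the required type is present. It also registers the patent's "mobile-device key", a key file written to a removable drive. The access-level-to-protector mapping, the function names and the drive letters are assumptions; the cmdlets and the KeyProtectorType names are those of the Windows BitLocker module and require an elevated session.

```powershell
# Added example, not code from the patent. Verifies that a volume is really
# BitLocker-protected with a protector strong enough for a requested access
# level, and adds a USB key-file protector (the patent's "mobile-device key").
# $RequiredProtectors and the function names are assumptions for illustration.

# Assumed policy: which protector types qualify a volume for which access level.
# Type names are the KeyProtectorType values reported by Get-BitLockerVolume.
$RequiredProtectors = @{
    'read-only'  = @('Password', 'RecoveryPassword', 'ExternalKey', 'TpmPin', 'TpmPinStartupKey')
    'read-write' = @('ExternalKey', 'TpmPin', 'TpmPinStartupKey')
}

function Test-BitLockerVolumeReady {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [ValidateSet('read-only', 'read-write')] [string] $AccessLevel
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # A suspended volume reports ProtectionStatus 'Off' while still 'FullyEncrypted':
    # its key sits on disk in the clear, so it must not count as protected.
    if ($vol.ProtectionStatus -ne 'On') { return $false }
    if ($vol.VolumeStatus -ne 'FullyEncrypted') { return $false }
    $present = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }
    foreach ($type in $RequiredProtectors[$AccessLevel]) {
        if ($present -contains $type) { return $true }
    }
    return $false
}

function Add-UsbKeyProtector {
    # Writes a .BEK key file to the removable drive and registers it as an
    # ExternalKey protector on the data volume, then re-checks the volume.
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [string] $UsbRoot      # e.g. 'E:\'
    )
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryKeyProtector -RecoveryKeyPath $UsbRoot | Out-Null
    return (Test-BitLockerVolumeReady -MountPoint $MountPoint -AccessLevel 'read-write')
}

# Usage (assumed drive letters; the volume must already be encrypted with
# Enable-BitLocker for the check to pass):
# Add-UsbKeyProtector -MountPoint 'D:' -UsbRoot 'E:\'
# Test-BitLockerVolumeReady -MountPoint 'D:' -AccessLevel 'read-only'
```

Two caveats the patent text glosses over. TPM, TPM+PIN and startup-key protectors exist only on the operating-system volume; a data volume, which is what a separately managed "BitLocker disk" will normally be, takes password, recovery-password, external-key and Active Directory account protectors, so "TPM-protected" for such a disk in practice means auto-unlocking it from an OS volume that is itself TPM-protected (Enable-BitLockerAutoUnlock). And the protector only gates unlocking the volume; once it is unlocked, every process in the session reads the files, so the per-document rights the patent describes still depend entirely on the hook unit.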
Referring to FIG. 4 and FIG. 5, the invention provides a Bitlocker disk process management method (400) comprising the following steps. In step (S2) the processing module (201) starts an application (303) in the environment of a user (301). In step (S4) the processing module (201) determines whether the application (303) has already opened a first document (307A). In step (S5), if the determination of step (S4) is negative, the process identifier unit (205A) creates a first process identifier (305A) corresponding to the first document (307A). In step (S8), if the determination of step (S4) is affirmative, the system creates, according to the needs of the application, a virtual user (301C) within the environment of the user (301); the virtual user is generated from a random number. In step (S10) the process identifier unit (205A) creates a second process identifier (305C) corresponding to a second document (307C) of the application (303), the first identifier (305A) being different from the second identifier (305C).
According to the disclosure, the Bitlocker disk process management method (400) further comprises step (S2), in which the processing module (201) starts the application (303) in the environment of the actual user (301A), and step (S3), in which the interception unit (205C) intercepts every process.
According to the disclosure, the method (400) further comprises step (S6), in which the interception unit (205C) intercepts, according to the access permissions, those processes of the first document (307A) that are not permitted, and links the permitted processes to the program interface (309).
According to one embodiment of the invention, the method further comprises step (S7), in which the processing module (201) executes, in the environment of the actual user (301A), the first document (307A) that the access permissions allow, the interception unit (205C) having linked the permitted processes to the program interface (309) according to the access permissions.
According to the disclosure, the method further comprises step (S9), in which the interception unit (205C) intercepts the processes of the second document (307C).
According to one embodiment of the invention, the method further comprises step (S11), in which the interception unit (205C) links the permitted processes to the program interface (309) according to the access permissions, and the processing module (201) executes the second document (307C) of the application (303) in the environment of the virtual user (301C). In one embodiment, after the second document (307C) has been closed by the actual user (301A), the user unit (209A) may, after a predetermined time, either delete or retain the virtual user (301C). In one aspect of the invention, because creating the virtual user (301C) takes execution time, the virtual user (301C) may be retained after the second document (307C) is closed, so that a subsequent second document (307C), or another confidential document (307) belonging to the application (303), starts more quickly.
According to one embodiment of the invention, the method further comprises step (S1), in which the access permission module (209) sets the access permissions of each user (301) and stores the content of those permissions in the user unit (209A); the file format of the access permissions may be an access control matrix.
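Steps (S1) to (S11) as one runnable model, written for this page as an added example rather than taken from the patent; it also covers the library unit's mapping of users, applications and documents to identifiers described earlier. It keeps the access control matrix, the identifier counter and the open-document records in memory, so it runs on any PowerShell without touching BitLocker or local accounts. The user names, the application name and the document names are constructed, and the identifiers it issues are the patent's own process identifiers, not Windows process IDs. In a real implementation the virtual user would be a local account created with `New-LocalUser` and the document started under it with `Start-Process -Credential`; that side-effecting part is deliberately left out.

```powershell
# Added example for this page, not code from the patent: an in-memory model of
# steps (S1) to (S11). Users, application and documents below are constructed.

# (S1) Access control matrix stored per user: user -> application -> permitted documents.
$Acm = @{
    'alice' = @{ 'WINWORD.EXE' = @('contract.docx', 'budget.docx') }
    'bob'   = @{ 'WINWORD.EXE' = @('contract.docx') }
}

$script:State = @{
    NextIdentifier = 1000   # counter of the process identifier unit (205A)
    OpenDocs       = @{}    # application -> records of the documents it has open
    VirtualUsers   = @{}    # actual user -> virtual user, retained after close (S11)
}

function New-ProcessIdentifier {
    # (S5)/(S10): identifiers come from one monotonic counter, so the first and
    # second document of the same application never receive the same one.
    $script:State.NextIdentifier++
    return $script:State.NextIdentifier
}

function Get-VirtualUser {
    param([Parameter(Mandatory)] [string] $ActualUser)
    # (S8): the virtual user name is derived from a random value so it cannot
    # collide with a real account; it is reused on later opens (S11).
    if (-not $script:State.VirtualUsers.ContainsKey($ActualUser)) {
        $bytes = New-Object byte[] 6
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $script:State.VirtualUsers[$ActualUser] = 'vu_' + (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
    }
    return $script:State.VirtualUsers[$ActualUser]
}

function Open-ManagedDocument {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Application,
        [Parameter(Mandatory)] [string] $Document
    )
    # (S3)/(S6)/(S9): the interception unit (205C) consults the matrix before
    # anything is linked to the program interface; a document outside the
    # user's row is refused and no identifier is issued for it.
    $apps    = $Acm[$User]
    $allowed = if ($apps) { $apps[$Application] } else { $null }
    if (-not $allowed -or ($allowed -notcontains $Document)) {
        return [pscustomobject]@{ User = $User; Document = $Document; Allowed = $false; Identifier = $null; Environment = $null }
    }

    # (S4): has this application already opened a document for this user?
    $open = @($script:State.OpenDocs[$Application] | Where-Object { $_.User -eq $User })
    if ($open.Count -gt 0) {
        $environment = Get-VirtualUser -ActualUser $User   # (S8): second document runs as the virtual user
    } else {
        $environment = $User                               # (S7): first document runs as the actual user
    }

    $record = [pscustomobject]@{
        User        = $User
        Document    = $Document
        Allowed     = $true
        Identifier  = New-ProcessIdentifier                # (S5)/(S10)
        Environment = $environment
    }
    if (-not $script:State.OpenDocs.ContainsKey($Application)) { $script:State.OpenDocs[$Application] = @() }
    $script:State.OpenDocs[$Application] += $record
    return $record
}

function Close-ManagedDocument {
    param([Parameter(Mandatory)] [int] $Identifier, [switch] $DeleteVirtualUser)
    # (S11): drop the record; the virtual user is kept unless policy chooses deletion.
    foreach ($app in @($script:State.OpenDocs.Keys)) {
        $closed = @($script:State.OpenDocs[$app] | Where-Object { $_.Identifier -eq $Identifier })
        $script:State.OpenDocs[$app] = @($script:State.OpenDocs[$app] | Where-Object { $_.Identifier -ne $Identifier })
        if ($DeleteVirtualUser) {
            foreach ($c in $closed) { $script:State.VirtualUsers.Remove($c.User) }
        }
    }
}

# Usage with the constructed matrix:
# Open-ManagedDocument -User alice -Application WINWORD.EXE -Document contract.docx   # first document for alice
# Open-ManagedDocument -User alice -Application WINWORD.EXE -Document budget.docx     # second document, same application
# Open-ManagedDocument -User bob   -Application WINWORD.EXE -Document budget.docx     # not in bob's row of the matrix
# Close-ManagedDocument -Identifier 1002                                             # virtual user stays; add -DeleteVirtualUser to drop it
```

The first call for alice runs in her own environment, the second is placed under a `vu_` virtual user and receives a different identifier, and bob's request is refused before any identifier is issued, which is the ordering of checks the method prescribes. Retaining the virtual user after close is the speed trade-off the text describes; whoever adopts it should remember that a retained account keeps whatever profile and credentials were created for it, so the deletion path is the safer default where start-up time is not critical.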
The foregoing describes preferred embodiments of the invention. Those skilled in the art will appreciate that they serve to illustrate the invention and not to limit the scope of the patent rights claimed; the scope of protection is determined by the appended claims and their equivalents. Any change or modification made by those skilled in the art without departing from the spirit or scope of this patent is an equivalent change or design made under the spirit disclosed herein and falls within the scope of the following claims.
200‧‧‧Bitlocker disk process management system
201‧‧‧processing module
203‧‧‧Bitlocker disk management module
205‧‧‧Bitlocker disk driver module
205A‧‧‧process identifier unit
205C‧‧‧interception unit
207‧‧‧Bitlocker disk protection module
209‧‧‧access permission module
209A‧‧‧user unit
209C‧‧‧library unit
Claims (11)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW108140685A TWI736012B (en) | 2019-11-08 | 2019-11-08 | Bitlocker disc process identification management system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW108140685A TWI736012B (en) | 2019-11-08 | 2019-11-08 | Bitlocker disc process identification management system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
TW202119248A TW202119248A (en) | 2021-05-16 |
TWI736012B true TWI736012B (en) | 2021-08-11 |
Family
ID=77020763
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW108140685A TWI736012B (en) | 2019-11-08 | 2019-11-08 | Bitlocker disc process identification management system and method |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI736012B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TW200846928A (en) * | 2007-03-08 | 2008-12-01 | Sandisk Il Ltd | File system and methods for managing files according to application |
CN103563278A (en) * | 2011-05-20 | 2014-02-05 | Citrix Systems, Inc. | Securing encrypted virtual hard disks |
CN104199734A (en) * | 2014-09-12 | 2014-12-10 | Shanghai Feixun Data Communication Technology Co., Ltd. | Android smart terminal based application multi-run management method and system |
US20160125839A1 (en) * | 2014-03-10 | 2016-05-05 | Gazoo, Inc. | Multi-user display system and method |
- 2019-11-08 TW TW108140685A (TWI736012B) active
Also Published As
Publication number | Publication date |
---|---|
TW202119248A (en) | 2021-05-16 |
Similar Documents
Publication | Title | Publication Date |
---|---|---|
US9881013B2 (en) | Method and system for providing restricted access to a storage medium | |
US8402269B2 (en) | System and method for controlling exit of saved data from security zone | |
KR100596135B1 (en) | Control system for access classified by application in virtual disk and Controling method thereof | |
EP1946238B1 (en) | Operating system independent data management | |
US8234477B2 (en) | Method and system for providing restricted access to a storage medium | |
JP4089171B2 (en) | Computer system | |
US8321667B2 (en) | Security model for common multiplexed transactional logs | |
US20050114672A1 (en) | Data rights management of digital information in a portable software permission wrapper | |
US10289860B2 (en) | Method and apparatus for access control of application program for secure storage area | |
EP1365306A2 (en) | Data protection system | |
KR20060045000A (en) | File locker and mechanisms for providing and using same | |
EP2583410A2 (en) | Single-use authentication methods for accessing encrypted data | |
GB2398134A (en) | Applying a data handing policy to predetermined system calls | |
CN107077565A (en) | The collocation method and equipment of a kind of safe configured information | |
CN115329351A (en) | File protection system and method for Windows system | |
CN109214204A (en) | Data processing method and storage equipment | |
KR101227187B1 (en) | Output control system and method for the data in the secure zone | |
TWI736012B (en) | Bitlocker disc process identification management system and method | |
CN112559982A (en) | Copyright protection method for application program | |
KR101299051B1 (en) | Environment setting device and method according to the user account | |
KR101056423B1 (en) | Program Execution Management Method and Record Media Using Logged-In Account Control | |
KR102338774B1 (en) | Data protection method to prevent data leakage and corruption by preventing file contents from being read and written at the kernel level of the storage operating system | |
CN112784263B (en) | Bit-locked disk handler management system and method | |
EP2431906B1 (en) | Method for inspecting actions with data | |
TWI783189B (en) | Bitlocker disc administration system |