WO2009088362A1 - Restriction d'acces a un fichier et a un dossier dans une memoire - Google Patents

Restriction d'acces a un fichier et a un dossier dans une memoire Download PDF

Info

Publication number
WO2009088362A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
security
sfsd
folder
user
Prior art date
Application number
PCT/SG2008/000450
Other languages
English (en)
Inventor
Foh Lo Khiam
Jianlin Luo
Original Assignee
Dallab(S) Pte Ltd
Application filed by Dallab(S) Pte Ltd
Publication of WO2009088362A1

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575Secure boot
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2105Dual mode as a secondary aspect

Definitions

  • The present invention relates to a system and method of limiting unauthorized access to data files and folders on a storage device of an electronic device.
  • Computers such as notebooks, personal digital assistants (PDA) and some mobile telephones are now relatively affordable and widely used; one user can retrieve and send emails while travelling, another can perform electronic banking or commerce wirelessly. Coupled with the propensity to lose one's portable electronic devices, data security in such devices is imperative, and access to confidential files and folders should be restricted or limited to the owner; in other words, it is desirable to prevent unauthorized reading or copying of confidential or sensitive data on one's computing or communication devices, especially if the device has relatively large data storage and is also used for business activities.
  • Confidentiality refers to the reversible transformation of data into a form which has little or no resemblance to the original data, thereby making the transformed data non-intelligible to those without the knowledge to reverse the transformation.
  • Confidentiality is associated with cryptography, that is, the encryption and decryption of data.
  • Integrity of data refers to the assurance that data has not been tampered with. Integrity of data is often provided by digital signatures; a cryptographic checksum of the original data is calculated and stored somewhere; a verifier then calculates the checksum of the data and compares it with the stored pre-calculated checksum to ensure that the data has not been tampered with.
  • FIG. 1 shows a simplified boot up process 1 of a conventional personal computer system.
  • BIOS: basic input/output system
  • The BIOS boots up the computer, checks whether all the input/output (I/O) and peripheral devices are connected and operational, and initializes 20 all the operable peripheral devices before the BIOS invokes the operating system (OS), which is loaded from a bootable drive into the computer's random access memory (RAM).
  • OS: operating system
  • The kernel or core of the OS is loaded into the RAM.
  • The kernel then starts system initialization and configuration 40.
  • During OS initialization a file system (FS) 42 is built up, as shown in FIG. 1.
  • A file filter system (FFS) 44 and its associated Windows file filter driver (FFD) 46 are then loaded into the RAM.
  • Loading of the OS then continues with loading 50 of all the required drivers and software applications predefined by the user.
  • Once the OS or computer is booted up 60, a directory of files and folders is created. The file directory can then be viewed by the user, and data files and folders can then be created, changed or removed by the user.

Summary

  • The present invention provides a file security system operable at boot up in a portable computing device.
  • The file security system comprises a file filter system and an associated security file system driver (SFSD) that extend or replace the functionality of the file system configurable with an original Windows operating system; the file filter system is operable to interrupt the file system, and the associated SFSD is operable to boot up from a read-only memory (ROM).
  • SFSD: security file system driver
  • The file security system further comprises a security interface driver.
  • The security interface driver generates a dialogue box for the user to create a confidential file or folder and to lock the file/folder so as to deny unauthorized access to the confidential data or applications stored therein.
  • The present invention also provides a method for preventing unauthorized electronic file access in a computing device.
  • The method comprises: interrupting the file system during booting up of the computing device; replacing the file filter system that is configurable with an original Windows operating system with a modified file filter system; installing a security file system driver (SFSD) associated with the modified file filter system; and installing a security user interface driver, which generates a dialogue box allowing the user to create a confidential file or folder while user-installable software and drivers are being loaded, before the booting up process completes.
  • In the above method the SFSD further comprises a cryptographic engine.
  • The SFSD is loaded prior to loading of user data, and the confidential file/folder thus created on a computing device remains secure until it is unlocked with a correct user verification.
  • The present invention also discloses a computer readable medium containing a file security system according to any one of claims 1-5 or a method of preventing unauthorized electronic file access according to any one of claims 6-10.
  • FIG. 1 illustrates a boot up process of a conventional personal computer system.
  • FIG. 2 illustrates a boot up process of a portable computing device according to one embodiment of the present invention.
  • FIG. 3A illustrates a security system for accessing a file according to another embodiment of the present invention.
  • FIG. 3B illustrates a security system for accessing a folder according to yet another embodiment of the present invention.
  • FIG. 2 shows a boot up process 100 of a portable computing device according to one embodiment of the present invention.
  • A power up step 110 is followed by a basic hardware initialization step 120.
  • The basic hardware initialization step 120 involves passing control over to a basic input/output system (BIOS).
  • The BIOS boots up the portable computing device, checks whether all the input/output (I/O) and peripheral devices are connected and operational, and initializes 120 all the operable peripheral devices.
  • Step 120 is followed by step 130.
  • In step 130 the BIOS invokes the operating system (OS) to load the OS from a bootable drive into the computer's random access memory (RAM).
  • RAM: random access memory
  • Part of the OS initialization and configuration in step 140 involves building up a file system in step 142 and a file filter system in step 144, loading a Windows filter driver in step 146 and loading a security file system driver (SFSD) from a read-only memory (ROM) in step 148.
  • ROM: read-only memory
  • FIG. 2 shows the step of loading the security file system driver (SFSD) in step 148.
  • The SFSD is loaded from a read-only memory (ROM). Such reading from a ROM may be reading from a protected disc during which read-write operation is denied by a separate disk filter system.
  • The booting up process then reverts to step 140 to finalise the OS initialization and configuration prior to loading of the user security or data registry.
  • The booting up process then involves loading the user-installed software and associated drivers into the RAM in step 150 and loading, in step 152, a security interface driver associated with the SFSD.
  • The security interface driver associated with the SFSD generates a dialogue box to allow a user to create a confidential file A for storing sensitive information; in another embodiment, the dialogue box allows a user to create a confidential folder B for storing files containing sensitive information or applications which the user can launch. In addition, the dialogue box also allows the user to lock or unlock the confidential file A or folder B.
  • The OS boot up process is completed in step 160.
  • The SFSD dialogue box can then be called up after the computing device has booted up to allow the user to create additional confidential files or folders and to lock/unlock the confidential files/folders as and when required.
  • A user may lock a confidential file A/folder B before lending the computing device, such as a mobile phone or a PDA, to another user, so that the other user can use the computing device without having access to the locked confidential file A/folder B; in addition, the user may lock selected applications, for example by storing email or short message (SMS) applications in the confidential folder B.
  • SMS: short message
  • In one embodiment the user enters a password or passphrase; in another embodiment, the user signs in with a digital signature; in yet another embodiment, the user signs in with a biometric signature.
  • FIG. 3A shows the system file's security process 200 according to the confidential file A embodiment of the present invention.
  • Process box 210 illustrates execution of Windows Explorer or a third party software application. Execution of a request from Windows Explorer to open a locked file A sends a system call 215 to the file system 240 to obtain file A's information. The file information 245 is then sent to the SFSD 250. Within the SFSD, a search for file A on the storage disk is conducted in step 252. Following execution of step 252, a decision is made in step 254 as to whether the requested file A is locked or not.
  • If the decision in box 254 is no, the SFSD 250 passes control over to the file system 240 and the requested file information is sent, in step 242, to Windows Explorer or the requestor application. If the decision in box 254 is yes, the SFSD 250 proceeds to step 256. In step 256, the SFSD 250 prompts the user to enter a user verification.
  • The SFSD 250 checks, in step 258, whether the user verification is correct. If the user is correctly verified, the SFSD 250 passes control over to the file system 240 and the requested file information is sent, also in step 242, to Windows Explorer or the requestor application. If the decision in box 258 is no, the SFSD 250 informs the file system 240, which then sends a "no file" response in step 244 to the file explorer 210. The file explorer or requestor application 210 in turn informs the user that access to file A is denied.
  • FIG. 3B shows the system file's security process 300 according to the confidential folder B embodiment of the present invention.
  • Security process 300 proceeds in substantially the same manner as security process 200.
  • Execution of the file explorer 310 or requestor application sends a system call 315 to the file system 340 to obtain folder B's information.
  • The folder B information 345 is then sent to the SFSD 350.
  • A search for folder B on the storage disk is conducted in step 352.
  • Following search step 352, a decision is made in step 354 as to whether the requested folder B is locked or not.
  • If the decision in box 354 is no, the SFSD 350 passes control over to the file system 340 and the requested folder information is sent, in step 342, to Windows Explorer or the requestor application. If the decision in box 354 is yes, the SFSD 350 proceeds to step 356. In step 356, the SFSD 350 prompts the user to enter a user verification.
  • The SFSD 350 checks, in step 358, whether the user verification is correct. If the user is correctly verified, the SFSD 350 passes control over to the file system 340 and the requested folder B information is sent, also in step 342, to Windows Explorer or the requestor application. If the decision in box 358 is no, the SFSD 350 informs the file system 340, which then sends a "no content" response in step 344 to the file explorer 310. The file explorer or requestor application 310 in turn informs the user that access to folder B is denied.
  • The SFSD 250 includes an additional cryptographic engine 257 after step 256.
  • The SFSD 350 includes an additional cryptographic engine 357 after step 356.
  • The additional cryptographic engine 257, 357 may employ a symmetric key algorithm, such as the Advanced Encryption Standard (AES).
  • AES: Advanced Encryption Standard
  • The cryptographic engine 257, 357 may be used to encrypt the owner's verification, which is stored in the computing device.
  • The cryptographic engine 257, 357 may also be used to decrypt the owner's verification stored in the computing device so that it can be compared with the user verification.
  • The cryptographic engine 257, 357 may be supplied to a user on a ROM, a protected ROM disk or on a separate processor.
  • An advantage of the present system is that a confidential file/folder created on an electronic device with an operating system of the present invention remains secure until it is unlocked with a correct user verification.
  • The SFSD of the present invention is loaded by the file system before the system file is fully initialized, i.e. before user data and any third party installable security software are loaded; in other words, the SFSD is executed prior to entry of user data or execution of any third party installable security software.
  • Access to the confidential file A/folder B is denied even when security setting data entered through the SFSD dialogue box is altered or removed, or even when the computing device undergoes a clean boot-up.
  • The present invention provides data security to a computing device without much trouble to the user and with no difference from a third party installable application; a user need only create the confidential file A or confidential folder B and install/migrate all applications that contain confidential information into the confidential folder B.
  • Another advantage is that a computing device incorporating the security process or processes 100, 200, 300 of the present invention can be used by another user with no access to the confidential file A or folder B or to applications installed in the confidential folder B.
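
The access-gate logic of FIG. 3A and FIG. 3B (search step 252/352, locked check 254/354, verification prompt 256/356, check 258/358, and the "no file"/"no content" responses 244/344) is easy to misread from the numbered prose, so the following is an added simulation of it in Python. It is example code written for this page, not code from the patent or from Dallab(S) Pte Ltd. The class and function names (`FileSystem`, `Sfsd`, `build_demo`), the sample entries and the passphrase are constructed for the example; the owner's verification is stored as a salted PBKDF2 hash and compared in constant time, which is an assumption standing in for the AES-based cryptographic engine 257/357 described above. The example also generalises slightly beyond the text by treating a file inside a locked folder B as locked itself.

```python
"""Simulation of the SFSD access gate (FIG. 3A/3B). Added example, not patent code."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union

NO_FILE = "no file"        # response sent in step 244 when access to a file is denied
NO_CONTENT = "no content"  # response sent in step 344 when access to a folder is denied


@dataclass
class Entry:
    """One file or folder on the storage disk (constructed sample data)."""
    path: str
    data: bytes = b""
    is_folder: bool = False


class FileSystem:
    """Plain file system (240/340): holds entries and answers lookups."""

    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}

    def add(self, entry: Entry) -> None:
        self.entries[entry.path] = entry

    def lookup(self, path: str) -> Optional[Entry]:
        return self.entries.get(path)

    def children(self, folder: str) -> List[str]:
        prefix = folder.rstrip("/") + "/"
        return sorted(p for p in self.entries if p.startswith(prefix))


class Sfsd:
    """Security file system driver (250/350) between the requestor and the file system."""

    def __init__(self, fs: FileSystem, owner_verification: str) -> None:
        self.fs = fs
        # Assumption: the owner's verification is kept as a salted PBKDF2 hash
        # in place of the AES-based cryptographic engine 257/357 of the patent.
        self.salt = os.urandom(16)
        self.stored = self._derive(owner_verification)
        self.locked: Set[str] = set()  # paths locked through the dialogue box

    def _derive(self, verification: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", verification.encode(), self.salt, 100_000)

    def verify(self, user_verification: Optional[str]) -> bool:
        """Step 258/358: compare the user verification with the owner's stored one."""
        if user_verification is None:
            return False
        return hmac.compare_digest(self.stored, self._derive(user_verification))

    def lock(self, path: str) -> bool:
        """Lock file A or folder B (dialogue box action); locking needs no verification."""
        if self.fs.lookup(path) is None:
            return False
        self.locked.add(path)
        return True

    def unlock(self, path: str, user_verification: str) -> bool:
        """Unlock only after a correct user verification."""
        if not self.verify(user_verification):
            return False
        self.locked.discard(path)
        return True

    def _is_locked(self, path: str) -> bool:
        """Step 254/354: a path is locked if it or any ancestor folder is locked."""
        parts = path.split("/")
        return any("/".join(parts[:i]) in self.locked for i in range(1, len(parts) + 1))

    def request(self, path: str, user_verification: Optional[str] = None
                ) -> Tuple[bool, Union[bytes, List[str], str]]:
        """Handle system call 215/315; returns (granted, payload).

        A denied file gets the same "no file" answer as an absent one, so the
        requestor learns nothing about whether a locked file exists.
        """
        entry = self.fs.lookup(path)  # step 252/352: search the storage disk
        if entry is None:
            return False, NO_FILE
        if self._is_locked(path) and not self.verify(user_verification):  # 254 -> 256 -> 258
            return False, NO_CONTENT if entry.is_folder else NO_FILE
        # step 242/342: file system returns the requested information
        return True, self.fs.children(path) if entry.is_folder else entry.data


def build_demo() -> Sfsd:
    """Constructed sample storage: a public file, confidential file A and folder B."""
    fs = FileSystem()
    fs.add(Entry("readme.txt", b"public notes"))
    fs.add(Entry("fileA.txt", b"confidential file A"))
    fs.add(Entry("folderB", is_folder=True))
    fs.add(Entry("folderB/sms.app", b"sms application binary"))
    sfsd = Sfsd(fs, owner_verification="correct horse battery staple")  # constructed passphrase
    sfsd.lock("fileA.txt")
    sfsd.lock("folderB")
    return sfsd


if __name__ == "__main__":
    s = build_demo()
    print(s.request("readme.txt"))
    print(s.request("fileA.txt"))
    print(s.request("folderB", "correct horse battery staple"))
```

Running the module prints the granted public read, the "no file" denial for the locked file A and the listing of folder B once the correct verification is supplied. The design point worth noting is the one the patent relies on: the gate sits in the driver path, so a requestor that never goes through the dialogue box still receives only "no file"/"no content" for locked entries.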

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a modified operating system (100) running on a portable computing device, such as a mobile telephone, a notebook computer, a personal digital assistant and a data storage device. The modified operating system according to the invention comprises a file filter system (146), an associated security file system driver (SFSD) (148) and a security user interface (152). The SFSD is loaded before the final initialization/configuration of the operating system and before the loading of a user security/data registry. The security user interface (152) associated with the SFSD then generates a dialogue box allowing the user to create a confidential file A or folder B, together with locking and/or encryption options. The user's identity is verified (258, 358) before access to the file/folder is allowed; file A/folder B remains secure even when the security settings data created through the SFSD dialogue box are modified/deleted after a clean boot of the computing device.
PCT/SG2008/000450 2008-01-09 2008-11-27 Restriction d'acces a un fichier et a un dossier dans une memoire WO2009088362A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SG200800249-5A SG154348A1 (en) 2008-01-09 2008-01-09 Limiting access to file and folder on a storage device
SG200800249-5 2008-01-09

Publications (1)

Publication Number Publication Date
WO2009088362A1 true WO2009088362A1 (fr) 2009-07-16

Family

ID=40853306

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2008/000450 WO2009088362A1 (fr) 2008-01-09 2008-11-27 Restriction d'acces a un fichier et a un dossier dans une memoire

Country Status (2)

Country Link
SG (1) SG154348A1 (fr)
WO (1) WO2009088362A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999014652A1 (fr) * 1997-09-16 1999-03-25 Microsoft Corporation Procede et systeme de cryptage de fichiers
US20030065875A1 (en) * 2001-09-28 2003-04-03 Van Cleve Robert E. Reserved ROM space for storage of operating system drivers
US7178165B2 (en) * 2001-08-20 2007-02-13 Lenovo (Signapore) Pte Ltd. Additional layer in operating system to protect system from hacking
US20070050620A1 (en) * 2002-10-16 2007-03-01 Duc Pham Secure file system server architecture and methods

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013066397A1 (fr) * 2011-10-31 2013-05-10 Hewlett-Packard Development Company, L.P. Préservation de verrouillage de fichier
CN102662872A (zh) * 2012-03-29 2012-09-12 山东超越数控电子有限公司 一种基于可信密码模块的用户虚拟磁盘镜像文件保护方法
US20220322054A1 (en) * 2015-06-10 2022-10-06 Honor Device Co., Ltd. Short Message Processing Method and Apparatus, and Electronic Device
US11765557B2 (en) * 2015-06-10 2023-09-19 Honor Device Co. Ltd. Short message processing method and apparatus, and electronic device

Also Published As

Publication number Publication date
SG154348A1 (en) 2009-08-28

Similar Documents

Publication Publication Date Title
EP1679632B1 (fr) Systèmes et procédés de démarrage d'un ordinateur de façon sûre avec un module de traitement sécurisé
US9141815B2 (en) System and method for intelligence based security
EP2583410B1 (fr) Procédés d'authentification à usage unique pour accès à données chiffrées
EP1612666B1 (fr) Système et procédé pour l'amorçage d'un système d'exploitation en utilisant une validation d'état
US7313705B2 (en) Implementation of a secure computing environment by using a secure bootloader, shadow memory, and protected memory
US8909940B2 (en) Extensible pre-boot authentication
US8930713B2 (en) System and method for general purpose encryption of data
US20120254602A1 (en) Methods, Systems, and Apparatuses for Managing a Hard Drive Security System
US20120011354A1 (en) Boot loading of secure operating system from external device
US7840795B2 (en) Method and apparatus for limiting access to sensitive data
KR20150048810A (ko) 펌웨어의 도난 방지
US20020073306A1 (en) System and method for protecting information stored on a computer
WO2005088461A1 (fr) Procede et dispositif pour la protection de donnees memorisees dans un dispositif informatique
US11200065B2 (en) Boot authentication
US20190196981A1 (en) Systems And Methods For Providing Connected Anti-Malware Backup Storage
US8181006B2 (en) Method and device for securely configuring a terminal by means of a startup external data storage device
WO2009088362A1 (fr) Restriction d'acces a un fichier et a un dossier dans une memoire
RU2748575C1 (ru) Способ и устройство доверенной загрузки компьютера с контролем периферийных интерфейсов
CN117874773B (zh) 基于安全等级管控策略的操作系统安全启动方法及装置
CN117874773A (zh) 基于安全等级管控策略的操作系统安全启动方法及装置
DriveLock et al. HP ProtectTools Firmware security features in HP Compaq business notebooks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 08869611; Country of ref document: EP; Kind code of ref document: A1
DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase
Ref country code: DE
WWE Wipo information: entry into national phase
Ref document number: PI 2010003218; Country of ref document: MY
122 Ep: pct application non-entry in european phase
Ref document number: 08869611; Country of ref document: EP; Kind code of ref document: A1