WO2009088362A1 - Restricting access to a file and a folder in a memory - Google Patents
- Publication number: WO2009088362A1
- Authority: WO (WIPO (PCT))
- Prior art keywords: file, security, sfsd, folder, user
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/60—Protecting data
          - G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
            - G06F21/575—Secure boot
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
          - G06F2221/2105—Dual mode as a secondary aspect
Definitions
- The present invention relates to a system and method for limiting unauthorized access to data files and folders on a storage device of an electronic device.
- Computers such as notebooks, personal digital assistants (PDA) and some mobile telephones are now relatively affordable and are used widely; one person can retrieve and send emails while traveling, another can perform electronic banking or commerce wirelessly. Coupled with the propensity for losing one's portable electronic devices, data security in such devices is imperative, and access to confidential files and folders should be restricted or limited to the owner; in other words, it is desirable to prevent unauthorized reading or copying of confidential or sensitive data on one's computing or communication devices, especially if the device has relatively large data storage and is also used for business activities.
- Confidentiality refers to the reversible transformation of data into a form which has little or no resemblance to the original data, thereby making the transformed data unintelligible to those without the knowledge to reverse the transformation.
- Confidentiality is therefore associated with cryptography, i.e. the encryption and decryption of data.
- Integrity of data refers to the assurance that data has not been tampered with. Integrity of data is often provided by digital signatures: a cryptographic checksum of the original data is calculated and stored somewhere; a verifier then calculates the checksum of the data and compares it with the stored pre-calculated checksum to ensure that the data has not been tampered with.
- FIG. 1 shows a simplified boot up process 1 of a conventional personal computer system.
- BIOS: basic input/output system
- The BIOS boots up the computer, checks whether all the input/output (I/O) and peripheral devices are connected and operational, and initializes 20 all the operable peripheral devices before the BIOS invokes the operating system (OS) to load the OS from a bootable drive into the computer's random access memory (RAM).
- OS: operating system
- The kernel or core of the OS is loaded into the RAM.
- The kernel then starts system initialization and configuration 40.
- During OS initialization a file system (FS) 42 is built up, as shown in FIG. 1.
- A file filter system (FFS) 44 and its associated Windows file filter driver (FFD) 46 are then loaded into the RAM.
- Loading of the OS then continues with loading 50 of all the required drivers and software applications predefined by the user.
- Once the OS or computer is booted up 60, a directory of files and folders is created. The file directory can then be viewed by the user, and data files and folders can then be created, changed or removed by the user.
Summary
- The present invention provides a file security system operable at boot up in a portable computing device.
- The file security system comprises: a file filter system and an associated security file system driver (SFSD) to extend or replace functionality of a file system that is configurable with an original Windows operating system; wherein the file filter system is operable to interrupt the file system and the associated security file system driver (SFSD) is operable to boot up from a read-only memory (ROM).
- SFSD: security file system driver
- The file security system further comprises a security interface driver.
- The security interface driver generates a dialogue box for the user to create a confidential file or folder and to lock the file/folder to deny unauthorized access to confidential data or applications stored therein.
- The present invention also provides a method for preventing unauthorized electronic file access in a computing device.
- The method comprises: interrupting the file system during booting up of the computing device; replacing the file filter system that is configurable with an original Windows operating system with a modified file filter system; installing a security file system driver (SFSD) associated with the modified file filter system; and installing a security user interface driver, which generates a dialogue box to allow the user to create a confidential file or folder whilst loading user-installable software and drivers, before completing the booting up process.
- The SFSD in the above method further comprises a cryptographic engine.
- The SFSD is loaded prior to loading of user data, and the confidential file/folder thus created on a computing device remains secure until it is unlocked with a correct user verification.
- The present invention also discloses a computer readable medium containing a file security system according to any one of claims 1-5 or containing a method of preventing unauthorized electronic file access according to any one of claims 6-10.
- FIG. 1 illustrates a boot up process of a conventional personal computer system.
- FIG. 2 illustrates a boot up process of a portable computing device according to one embodiment of the present invention.
- FIG. 3A illustrates a security system for accessing a file according to another embodiment of the present invention.
- FIG. 3B illustrates a security system for accessing a folder according to yet another embodiment of the present invention.
- FIG. 2 shows a boot up process 100 of a portable computing device according to one embodiment of the present invention.
- A power up step 110 is followed by a basic hardware initialization step 120.
- The basic hardware initialization step 120 involves passing control over to a basic input/output system (BIOS).
- The BIOS boots up the portable computing device, checks whether all the input/output (I/O) and peripheral devices are connected and operational, and initializes 120 all the operable peripheral devices.
- Step 120 is followed by step 130.
- In step 130, the BIOS invokes the operating system (OS) to load the OS from a bootable drive into the computer's random access memory (RAM).
- RAM: random access memory
- Part of the OS initialization and configuration in step 140 involves building up a file system in step 142 and a file filter system in step 144, loading a Windows filter driver in step 146, and loading a security file system driver (SFSD) from a read-only memory (ROM) in step 148.
- ROM: read-only memory
- FIG. 2 shows the loading of the security file system driver (SFSD) in step 148.
- The SFSD is loaded from a read-only memory (ROM). Such reading from a ROM may be reading from a protected disc during which read-write operation is denied by a separate disk filter system.
- After step 148, the booting up process reverts to step 140 to finalise the OS initialization and configuration prior to loading of the user security or data registry.
- The booting up process then involves loading the user-installed software and associated drivers into the RAM in step 150 and loading, in step 152, a security interface driver associated with the SFSD.
- In one embodiment, the security interface driver associated with the SFSD generates a dialogue box to allow a user to create a confidential file A for storing sensitive information; in another embodiment, the dialogue box allows a user to create a confidential folder B for storing files containing sensitive information or applications which the user can launch. In addition, the dialogue box also allows the user to lock or unlock the confidential file A or folder B.
- The OS boot up process is completed in step 160.
- The SFSD dialogue box can then be called up after the computing device has booted up to allow the user to create additional confidential files or folders and to lock/unlock the confidential files/folders as and when required.
- For example, a user may lock a confidential file A/folder B before lending the computing device, such as a mobile phone or a PDA, to another user, so that the other user can use the computing device without having access to the locked confidential file A/folder B; in addition, the user may lock selected applications, for example by storing email or short message (SMS) applications in the confidential folder B.
- SMS: short message
- In one embodiment, the user enters a password or passphrase; in another embodiment, the user signs in with a digital signature; in yet another embodiment, the user signs in with a biometric signature.
- FIG. 3A shows the file system's security process 200 according to the confidential file A embodiment of the present invention.
- Process box 210 illustrates execution of Windows Explorer or a third party software application. Execution of a request from Windows Explorer to open a locked file A sends a system call 215 to the file system 240 to obtain file A's information. The file information 245 is then sent to the SFSD 250. Within the SFSD, a search for file A on the storage disk is conducted in step 252. Following execution of step 252, a decision is made in step 254 whether the requested file A is locked or not.
- If the decision in box 254 is no, the SFSD 250 passes control over to the file system 240 and the requested file information is sent, in step 242, to Windows Explorer or the requestor application. If the decision in box 254 is yes, the SFSD 250 proceeds to step 256. In step 256, the SFSD 250 prompts the user to enter a user verification.
- The SFSD 250 checks, in step 258, whether the user verification is correct. If the user is correctly verified, the SFSD 250 passes control over to the file system 240 and the requested file information is sent, also in step 242, to Windows Explorer or the requestor application. If the decision in box 258 is no, the SFSD 250 informs the file system 240, which then sends a "no file" response in step 244 to the file explorer 210. The file explorer or requestor application 210 in turn informs the user that access to file A is denied.
- FIG. 3B shows the file system's security process 300 according to the confidential folder B embodiment of the present invention.
- Security process 300 proceeds in substantially the same manner as security process 200.
- Execution of the file explorer 310 or requestor application sends a system call 315 to the file system 340 to obtain folder B's information.
- The folder B information 345 is then sent to the SFSD 350.
- A search for folder B on the storage disk is conducted in step 352.
- Following search step 352, a decision is made in step 354 whether the requested folder B is locked or not.
- If the decision in box 354 is no, the SFSD 350 passes control over to the file system 340 and the requested folder information is sent, in step 342, to Windows Explorer or the requestor application. If the decision in box 354 is yes, the SFSD 350 proceeds to step 356. In step 356, the SFSD 350 prompts the user to enter a user verification.
- The SFSD 350 checks, in step 358, whether the user verification is correct. If the user is correctly verified, the SFSD 350 passes control over to the file system 340 and the requested folder B information is sent, also in step 342, to Windows Explorer or the requestor application. If the decision in box 358 is no, the SFSD 350 informs the file system 240, which then sends a "no content" response in step 344 to the file explorer 310. The file explorer or requestor application 310 in turn informs the user that access to folder B is denied.
- The SFSD 250 includes an additional cryptographic engine 257 after step 256.
- The SFSD 350 includes an additional cryptographic engine 357 after step 356.
- The additional cryptographic engine 257, 357 may employ a symmetric key algorithm, such as an Advanced Encryption System (AES).
- AES: Advanced Encryption System
- The cryptographic engine 257, 357 may be used to encrypt the owner's verification, which is stored in the computing device.
- The cryptographic engine 257, 357 may be used to decrypt the owner's verification stored in the computing device so that it can be compared with the user verification.
- The cryptographic engine 257, 357 may be supplied to a user on a ROM, a protected ROM disk or on a separate processor.
- An advantage of the present system is that a confidential file/folder created on an electronic device with an operating system of the present invention remains secure until it is unlocked with a correct user verification.
- The SFSD of the present invention is loaded by the file system before the system file is fully initialized, i.e., before user data and any third party installable security software are loaded; in other words, the SFSD is executed prior to entry of user data or execution of any third party installable security software.
- Access to the confidential file A/folder B is denied even when security setting data entered through the SFSD dialogue box is altered or removed, or even when the computing device undergoes a clean boot-up.
- The present invention provides data security to a computing device with little trouble to the user and with no perceptible difference from a third party installable application; a user need only create the confidential file A or confidential folder B and install/migrate all applications that contain confidential information into the confidential folder B.
- Another advantage is that a computing device incorporating the security process or processes 100, 200, 300 of the present invention can be used by another user with no access to the confidential file A or folder B or to applications installed in the confidential folder B.
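The access-mediation flow of FIG. 3A/3B (search the disk, check the lock, prompt for a verification, pass the information through or return "no file"/"no content") together with the role of cryptographic engine 257/357 in checking the stored owner verification, modelled as an added Python example. This is not code from the patent: the catalogue, paths, passphrase and scripted dialogue answers are constructed; the stored owner verification is protected with a salted PBKDF2 digest instead of the patent's AES encryption (a swapped-in technique); and the reply for a path that does not exist is this example's assumption, since the patent does not describe that case.

```python
"""Model of the SFSD access-mediation flow of FIG. 3A/3B (constructed example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict

# Replies the file system returns to the requestor when access is denied
# (step 244 "no file" for a locked file, step 344 "no content" for a locked folder).
NO_FILE = "no file"
NO_CONTENT = "no content"


@dataclass
class Entry:
    """One object on the storage disk as found by the SFSD search (step 252/352)."""
    is_folder: bool
    locked: bool
    info: str  # the "file information" the file system hands back (step 242/342)


@dataclass
class OwnerVerifier:
    """The owner's stored verification. The patent has cryptographic engine 257/357
    protect this with a symmetric cipher (AES); this model swaps in a salted
    PBKDF2-HMAC-SHA256 digest, the usual way to store a passphrase verifier.
    That substitution is this example's assumption, not the patent's construction."""
    salt: bytes
    digest: bytes
    iterations: int

    @classmethod
    def from_passphrase(cls, passphrase: str, iterations: int = 100_000) -> "OwnerVerifier":
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
        return cls(salt, digest, iterations)

    def verify(self, attempt: str) -> bool:
        """Step 258/358: compare the user verification with the stored one in constant time."""
        candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), self.salt, self.iterations)
        return hmac.compare_digest(candidate, self.digest)


class SecurityFileSystemDriver:
    """Stands in for SFSD 250/350: it sits between the file system and the requestor
    and decides whether the requested information may be returned."""

    def __init__(self, catalogue: Dict[str, Entry], owner: OwnerVerifier, prompt: Callable[[], str]):
        self._catalogue = catalogue
        self._owner = owner
        self._prompt = prompt   # stands in for the dialogue box of step 256/356
        self.prompt_count = 0   # how often the user was asked; unlocked objects never prompt

    def handle_request(self, path: str) -> str:
        entry = self._catalogue.get(path)          # step 252/352: search the storage disk
        if entry is None:
            return NO_FILE                          # assumption: unknown paths get the same "no file" reply
        if not entry.locked:                        # step 254/354 answers "no"
            return entry.info                       # step 242/342: pass the information through
        self.prompt_count += 1
        attempt = self._prompt()                    # step 256/356: ask for the user verification
        if self._owner.verify(attempt):             # step 258/358 answers "yes"
            return entry.info                       # step 242/342
        return NO_CONTENT if entry.is_folder else NO_FILE   # step 344 / step 244


def run_demo() -> Dict[str, object]:
    """Constructed scenario: an unlocked file, a locked confidential file A and a locked folder B.
    The scripted answers stand in for what the user types into the dialogue box."""
    catalogue = {
        r"C:\Users\owner\notes.txt": Entry(is_folder=False, locked=False, info="notes.txt, 2 KB"),
        r"C:\Users\owner\A": Entry(is_folder=False, locked=True, info="A, 40 KB"),
        r"C:\Users\owner\B": Entry(is_folder=True, locked=True, info="B, 3 items"),
    }
    owner = OwnerVerifier.from_passphrase("correct horse battery")   # constructed passphrase
    answers = iter(["wrong guess", "correct horse battery", "wrong guess"])
    sfsd = SecurityFileSystemDriver(catalogue, owner, lambda: next(answers))

    results: Dict[str, object] = {
        "unlocked_file": sfsd.handle_request(r"C:\Users\owner\notes.txt"),   # no prompt at all
        "locked_file_wrong": sfsd.handle_request(r"C:\Users\owner\A"),       # answers "wrong guess"
        "locked_file_correct": sfsd.handle_request(r"C:\Users\owner\A"),     # answers correctly
        "locked_folder_wrong": sfsd.handle_request(r"C:\Users\owner\B"),     # answers "wrong guess"
        "unknown_path": sfsd.handle_request(r"C:\Users\owner\missing.txt"),  # never on the disk
    }
    results["prompt_count"] = sfsd.prompt_count
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two points the model makes visible: the denial reply is the same as the not-found reply, so a requestor such as Windows Explorer cannot tell a locked object from an absent one, which is what the patent's "no file"/"no content" responses achieve; and the comparison in step 258/358 runs in constant time so that a wrong verification is not distinguishable from a right one by how long the check takes.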
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a modified operating system (100) running on a portable computing device, such as a mobile telephone, a portable computer, a personal digital assistant or a data storage device. The modified operating system according to the invention comprises a file filter system (146), an associated security file system driver (SFSD) (148) and a security user interface (152). The SFSD is loaded before the final initialization/configuration of the operating system and the loading of a security/user data registry. The security user interface (152) associated with the SFSD then generates a dialogue box allowing the user to create a confidential file A or folder B, together with locking and/or encryption options. The user's identity is verified (258, 358) before access to the file/folder is granted; file A/folder B remains secure even when security setting data created through the SFSD dialogue box is modified/removed after a clean boot of the computing device.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
SG200800249-5A SG154348A1 (en) | 2008-01-09 | 2008-01-09 | Limiting access to file and folder on a storage device |
SG200800249-5 | 2008-01-09 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2009088362A1 (fr) | 2009-07-16 |
Family ID: 40853306
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/SG2008/000450 WO2009088362A1 (fr) | Restricting access to a file and a folder in a memory | 2008-01-09 | 2008-11-27 |
Country Status (2)
Country | Link |
---|---|
SG (1) | SG154348A1 (fr) |
WO (1) | WO2009088362A1 (fr) |
2008
- 2008-01-09 SG SG200800249-5A patent/SG154348A1/en unknown
- 2008-11-27 WO PCT/SG2008/000450 patent/WO2009088362A1/fr active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1999014652A1 (fr) * | 1997-09-16 | 1999-03-25 | Microsoft Corporation | Method and system for file encryption |
US7178165B2 (en) * | 2001-08-20 | 2007-02-13 | Lenovo (Singapore) Pte Ltd. | Additional layer in operating system to protect system from hacking |
US20030065875A1 (en) * | 2001-09-28 | 2003-04-03 | Van Cleve Robert E. | Reserved ROM space for storage of operating system drivers |
US20070050620A1 (en) * | 2002-10-16 | 2007-03-01 | Duc Pham | Secure file system server architecture and methods |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013066397A1 (fr) * | 2011-10-31 | 2013-05-10 | Hewlett-Packard Development Company, L.P. | File lock preservation |
CN102662872A (zh) * | 2012-03-29 | 2012-09-12 | 山东超越数控电子有限公司 | A method for protecting user virtual disk image files based on a trusted cryptographic module |
US20220322054A1 (en) * | 2015-06-10 | 2022-10-06 | Honor Device Co., Ltd. | Short Message Processing Method and Apparatus, and Electronic Device |
US11765557B2 (en) * | 2015-06-10 | 2023-09-19 | Honor Device Co. Ltd. | Short message processing method and apparatus, and electronic device |
Also Published As
Publication number | Publication date |
---|---|
SG154348A1 (en) | 2009-08-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1679632B1 (fr) | | Systems and methods for securely booting a computer with a secure processing module |
US9141815B2 (en) | | System and method for intelligence based security |
EP2583410B1 (fr) | | One-time authentication methods for access to encrypted data |
EP1612666B1 (fr) | | System and method for booting an operating system using state validation |
US7313705B2 (en) | | Implementation of a secure computing environment by using a secure bootloader, shadow memory, and protected memory |
US8909940B2 (en) | | Extensible pre-boot authentication |
US8930713B2 (en) | | System and method for general purpose encryption of data |
US20120254602A1 (en) | | Methods, Systems, and Apparatuses for Managing a Hard Drive Security System |
US20120011354A1 (en) | | Boot loading of secure operating system from external device |
US7840795B2 (en) | | Method and apparatus for limiting access to sensitive data |
KR20150048810A (ko) | | Firmware theft prevention |
US20020073306A1 (en) | | System and method for protecting information stored on a computer |
WO2005088461A1 (fr) | | Method and device for protecting data stored in a computing device |
US11200065B2 (en) | | Boot authentication |
US20190196981A1 (en) | | Systems And Methods For Providing Connected Anti-Malware Backup Storage |
US8181006B2 (en) | | Method and device for securely configuring a terminal by means of a startup external data storage device |
WO2009088362A1 (fr) | | Restricting access to a file and a folder in a memory |
RU2748575C1 (ru) | | Method and device for trusted boot of a computer with control of peripheral interfaces |
CN117874773B (zh) | | Operating system secure boot method and apparatus based on a security-level control policy |
CN117874773A (zh) | | Operating system secure boot method and apparatus based on a security-level control policy |
DriveLock et al. | | HP ProtectTools Firmware security features in HP Compaq business notebooks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 08869611; Country of ref document: EP; Kind code of ref document: A1 |
| | DPE1 | Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101) | |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | WWE | Wipo information: entry into national phase | Ref document number: PI 2010003218; Country of ref document: MY |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 08869611; Country of ref document: EP; Kind code of ref document: A1 |