CN105844151B - File storage protection implementation method and system - Google Patents
File storage protection implementation method and system Download PDFInfo
- Publication number
- CN105844151B CN105844151B CN201610157970.1A CN201610157970A CN105844151B CN 105844151 B CN105844151 B CN 105844151B CN 201610157970 A CN201610157970 A CN 201610157970A CN 105844151 B CN105844151 B CN 105844151B
- Authority
- CN
- China
- Prior art keywords
- directory
- sandbox
- file
- application program
- registry
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 63
- 244000035744 Hura crepitans Species 0.000 claims abstract description 142
- 238000013507 mapping Methods 0.000 claims abstract description 21
- 238000012544 monitoring process Methods 0.000 claims abstract description 15
- 230000008569 process Effects 0.000 claims description 35
- 238000012986 modification Methods 0.000 claims description 7
- 230000004048 modification Effects 0.000 claims description 7
- 101000666896 Homo sapiens V-type immunoglobulin domain-containing suppressor of T-cell activation Proteins 0.000 description 5
- 102100038282 V-type immunoglobulin domain-containing suppressor of T-cell activation Human genes 0.000 description 5
- IJJVMEJXYNJXOJ-UHFFFAOYSA-N fluquinconazole Chemical compound C=1C=C(Cl)C=C(Cl)C=1N1C(=O)C2=CC(F)=CC=C2N=C1N1C=NC=N1 IJJVMEJXYNJXOJ-UHFFFAOYSA-N 0.000 description 5
- 230000006399 behavior Effects 0.000 description 4
- 230000009471 action Effects 0.000 description 3
- 230000006978 adaptation Effects 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 238000001914 filtration Methods 0.000 description 3
- 101150093240 Brd2 gene Proteins 0.000 description 2
- 208000032826 Ring chromosome 3 syndrome Diseases 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 238000004891 communication Methods 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
- 239000000126 substance Substances 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2149—Restricted operating environment
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method and a system for realizing file storage protection, wherein the method comprises the following steps: 1) setting a sandbox file directory, and mapping the sandbox file directory and the system sensitive directory; 2) monitoring access of the sandboxed application to the file storage directory; 3) when the sandbox application program needs to write the file into the system sensitive directory, the mapping relation between the sandbox file directory and the system sensitive directory is obtained, and the position of the sandbox file directory is returned to the sandbox application program, so that the sandbox application program directly writes the file into the sandbox file directory.
Description
Technical Field
The invention belongs to the field of computers, and relates to a method and a system for realizing file storage protection.
Background
The sandbox technology is a novel Data Leakage Prevention (DLP) technology which is popular in recent two years, and the basic idea of the sandbox is isolation: a logical sandbox area and a non-sandbox area are formed in a host terminal, the sandbox area is provided with an independent storage and a group of process environments, files generated in the sandbox environment can only be stored in the sandbox storage, and if the files are stored in the non-sandbox storage in a certain way, the files are written and directed to the sandbox storage by using file redirection to be solved, and then the files are isolated.
However, it is still avoided as much as possible that the user directly saves the file in the non-sandbox storage, and most of the existing methods are to prohibit the user from selecting the desktop and my document when opening the save-as dialog box, and prohibit the user from manually inputting a path, etc., and to continuously monitor whether the file is saved as an action in the program, and the flow is as follows:
the prior art solves the problem that a user directly stores files to an original desktop (or non-sandboxed storage such as my document) to a certain extent, but the solution is not thorough and brings a considerable cost:
1. the polling detection consumes the CPU even if the user has no other action to wait for the operation.
2. Not all the additional storage is intercepted, such as CAD and other software, and the additional storage is not a standard window provided by WINDOWS, so the existing scheme can not be directly solved, needs adaptation (and the adaptation can not be solved), has a large amount of non-standard additional storage as behaviors, and has a large adaptation amount.
3. The user's behavior is directly interfered from the interface, and the user experience is influenced.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method and an apparatus for implementing file storage protection, so as to overcome the above problems in the prior art.
The technical scheme adopted by the invention for solving the technical problems is as follows:
a file storage protection implementation method comprises the following steps:
1) setting a sandbox file directory, and mapping the sandbox file directory and the system sensitive directory;
2) monitoring access of the sandboxed application to the file storage directory;
3) when the sandbox application program needs to write the file into the system sensitive directory, the mapping relation between the sandbox file directory and the system sensitive directory is obtained, and the position of the sandbox file directory is returned to the sandbox application program, so that the sandbox application program directly writes the file into the sandbox file directory.
Further, preferably, in step 1), the sandbox file directory is mapped with the system sensitive directory in a manner of registry filtering (Register Filter) based on the operating system, where the system sensitive directory is a user shell directory (USF) in the operating system.
Further, preferably, in step 3), the method specifically includes:
and acquiring information that the sandbox application program needs to write the file into the system sensitive directory, modifying the access position value of the system sensitive directory in a system kernel, and returning the modified access position value of the sandbox file directory to the sandbox application program.
Further, it is preferable that step 1) specifically includes the following sub-steps:
11) acquiring a registry Filter (Register Filter) mode adopted by a current system; 12) making a user shell directory (USF) mapping strategy, and indicating the association relationship between the original value and the mapped new value so as to associate the user shell directory and the sandbox file directory;
in the step 2), all sandbox application program processes are HOOK to a registry, and access to a file storage directory is monitored based on a mode of passively monitoring registry reading;
in the step 3), the method specifically comprises the following substeps:
determining whether a modified value should be returned to the sandboxed application, wherein the modified value is returned according to the policy formulated in sub-step 12) if it should be modified.
Further, preferably, in step 3), the method specifically further includes:
and dividing the sandbox application program process into a sandbox process and a non-sandbox process according to whether the sandbox application program accesses the system sensitive directory or not, and directly releasing the non-sandbox process.
Preferably, the method further comprises the following steps: step 4) when the sandbox application program needs to read the files in the system sensitive directory;
the location of the sandbox file directory is returned to the sandbox application so that the sandbox application can directly read the files in the sandbox file directory.
Further, it is preferable that the current sandbox application is determined to write the file into the system sensitive directory based on whether the sandbox application exists as a dialog box, whether the sandbox application determines a keyvalueinformationallclass value is equal to keyvaluepratialinformation, and whether the data type is REG _ SZ or REG _ expandjsz.
A file storage protection implementation system, comprising:
the sandbox file directory setting unit is used for setting a sandbox file directory and mapping the sandbox file directory and the system sensitive directory;
the process monitoring unit is used for monitoring the access of the sandbox application program to the file storage directory;
and the file directory turning unit is used for acquiring the mapping relation between the sandbox file directory and the system sensitive directory when the sandbox application program needs to write the file into the system sensitive directory, and returning the position of the sandbox file directory to the sandbox application program, so that the sandbox application program directly writes the file into the sandbox file directory.
Further, preferably, the sandbox file directory setting unit further maps the sandbox file directory with the system sensitive directory in a manner of registry filtering (Register Filter) based on the operating system, where the system sensitive directory is a user shell directory (USF) in the operating system.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The present invention will be described in detail below with reference to the accompanying drawings so that the above advantages of the present invention will be more apparent. Wherein the content of the first and second substances,
FIG. 1 is a flow chart illustrating a method for implementing file storage protection according to the present invention;
FIG. 2 is a flowchart illustrating a method for implementing file storage protection according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a method for implementing file storage protection according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a file storage protection implementation system of the present invention.
Detailed Description
The following detailed description of the embodiments of the present invention will be provided with reference to the drawings and examples, so that how to apply the technical means to solve the technical problems and achieve the technical effects can be fully understood and implemented. It should be noted that, as long as there is no conflict, the embodiments and the features of the embodiments of the present invention may be combined with each other, and the technical solutions formed are within the scope of the present invention.
First, the english abbreviation related to the present invention is explained as follows:
and (3) USF: user Shell Folder, User Shell directory, non-standard path directories such as "my documents" and "desktop" directories that are displayed directly in an open, save-as-you-go dialog.
Register Filter registry operations on a registry are filtered by upper layer applications (Ring3) at the kernel layer (Ring 0).
The first embodiment is as follows:
as shown in fig. 1 and 3, a method for implementing file storage protection includes:
1) setting a sandbox file directory, and mapping the sandbox file directory and the system sensitive directory;
2) monitoring access of the sandboxed application to the file storage directory;
3) when the sandbox application program needs to write the file into the system sensitive directory, the mapping relation between the sandbox file directory and the system sensitive directory is obtained, and the position of the sandbox file directory is returned to the sandbox application program, so that the sandbox application program directly writes the file into the sandbox file directory.
In an embodiment, the sandbox file directory is mapped with the system sensitive directory in a registry Filter (Register Filter) manner based on an operating system, where the system sensitive directory is a user shell directory (USF) in the operating system.
When reading, the following step 4) is also provided:
when the sandboxed application is to read a file in the system sensitive directory;
the location of the sandbox file directory is returned to the sandbox application so that the sandbox application can directly read the files in the sandbox file directory.
The method carries out USF mapping based on Register Filter, and in an operating system, because all USFs are defined in a registry, the original USF value is modified in a kernel when an upper layer application acquires a USF directory, so that the purpose of changing the USF directory by the upper layer application can be achieved, and if a program returns D: (desktop) to the program when the program reads the desktop value, the upper layer application can consider the D: (desktop) to be the desktop.
That is, unlike the prior art, the invention does not block the access of the user to the USF directory (such as a desktop), but allows the upper layer application to direct the USF directory into the sandbox file directory and store the USF directory when accessing the USF directory, thereby realizing higher-level security protection.
Example two:
specifically, the first embodiment is explained, wherein, in the step 3), specifically including:
and acquiring information that the sandbox application program needs to write the file into the system sensitive directory, modifying the access position value of the system sensitive directory in a system kernel, and returning the modified access position value of the sandbox file directory to the sandbox application program.
And, step 1), specifically comprising the following substeps:
11) acquiring a registry Filter (Register Filter) mode adopted by a current system; 12) making a user shell directory (USF) mapping strategy, and indicating the association relationship between the original value and the mapped new value so as to associate the user shell directory and the sandbox file directory;
in the step 2), all sandbox application program processes are HOOK to a registry, and access to a file storage directory is monitored based on a mode of passively monitoring registry reading;
in the step 3), the method specifically comprises the following substeps:
determining whether a modified value should be returned to the sandboxed application, wherein the modified value is returned according to the policy formulated in sub-step 12) if it should be modified.
In addition, in a detailed embodiment, step 3) specifically includes:
and dividing the sandbox application program process into a sandbox process and a non-sandbox process according to whether the sandbox application program accesses the system sensitive directory or not, and directly releasing the non-sandbox process.
Specifically, as shown in fig. 2, it determines that the current sandbox application is to write a file into the system-sensitive directory based on whether the sandbox application exists as a dialog box, whether the sandbox application's determination of registry access is equal to the keyvaluepristrialinformation, and whether the data type is REG _ SZ or REG _ expandjsz.
Example three:
the present invention is described below with reference to an embodiment, wherein the embodiment is mainly described based on windows system of microsoft corporation, but the present invention is not limited thereto.
In the initial step 1), different Register Filter modes are selected according to different system versions.
The XP and the following systems use SSDT HOOK kernel API ZwQueryValueKey, and the platform above VISTA uses CmRegisterCallback registry operation callback.
Step 2) the USF mapping policy is formulated by the Ring3 layer to indicate which value should map why the new value.
And 3) passively monitoring registry reading all the time, judging whether the return value should be modified or not after the original reading is finished, and modifying the return value according to the strategy formulated in the step 2 if the return value should be modified.
The strategy is simple to make, the IOCTL is used for the communication of Ring3Ring0, and the structure of a single strategy is as follows:
the key point of the present invention is to modify the return value of the system, and the following description is made for the processing flows of XP (and below) and VISTA (and above), respectively:
modification on XP:
XP relies on SSDK HOOK ZwQueryValueKey to implement, and the function prototype is as follows:
wherein, 1) calling original ZwQueryValueKey in HOOK processing, if failing, returning original value directly.
2) It is determined whether it is a release process, i.e., if it is not a sandbox process, then it should be released. Because the behavior in the kernel is in effect for all processes, both sandboxed and non-sandboxed processes are subject to a HOOK-to-registry read behavior, where the non-sandboxed processes are passed directly.
3) Judging whether the KeyValueInformationClass value is equal to KeyValuePartiallinformation, wherein the value means that the data is really read; and determines whether the data type is REG _ SZ or REG _ expanded _ SZ because the USF directory is stored in the registry only in these two types.
4) And finding out whether the strategy has a corresponding value from the strategies, and if not, releasing the strategy if the strategy does not need to be changed. 5) And directly copying the system in the strategy to the original buffer area to finish the modification of the value.
Modifications on VISTA:
the VISTA registers a registry operation callback with CmRegisterCallback because SSDT HOOK is not easily used on 64 bits, which is more robust and efficient. The callback is divided into pre-operation callback and post-operation callback (i.e., pre-operation registry and post-operation registry), and the callback function prototype is as follows:
1) and judging whether the process is a release process (namely, a non-sandbox process), and if so, directly releasing.
2) It is determined whether the value of Argulment 1 is equal to RegNtPostQueryValueKey, which is equal to a statement that is a post-operation callback, because we do not care before the operation (have not yet read the true value) and only care after the read of the original value.
3) And judging whether the operation is successful or not, and if the operation is failed, directly returning.
4) Judging whether the KeyValueInformationClass value is equal to KeyValuePartiallinformation, wherein the value means that the data is really read; and determines whether the data type is REG _ SZ or REG _ expanded _ SZ because the USF directory is stored in the registry only in these two types.
5) And finding out whether the strategy has a corresponding value from the strategies, and if not, releasing the strategy if the strategy does not need to be changed.
6) And directly copying the system in the strategy to the original buffer area to finish the modification of the value.
Thus, it can be seen that the last three steps of VISTA and XP are the same, with only a difference at the entry, which increases the reusability of the code.
Example four:
in a specific example, the same program is respectively opened on an original desktop and a sandbox desktop at the same time, and is respectively recorded as a process A and a process B, the process A edits and saves a file, and a desktop is selected and saved on the original desktop; process B does the same action, saving to D: \ desktop, which is completely transparent to the user. Even if process B is opened again in the sandbox desktop, the contents in the D: \ desktop directory can be seen in the open dialog box, while the file A process that process B saved to the desktop cannot be seen from the desktop.
Compared with the prior art, the invention has the following advantages:
1. the user experience is not influenced, and the user can still normally store the file in directories such as a desktop, a My document and the like.
2. Perfect software compatibility does not need to consider how a dialog box is realized by storing some software, namely, the dialog box is not adapted for a program any more, and all applications are directly compatible.
Example five:
corresponding to the above method embodiment, the present invention provides a file storage protection implementation system, including: the sandbox file directory setting unit is used for setting a sandbox file directory and mapping the sandbox file directory and the system sensitive directory;
the process monitoring unit is used for monitoring the access of the sandbox application program to the file storage directory;
and the file directory turning unit is used for acquiring the mapping relation between the sandbox file directory and the system sensitive directory when the sandbox application program needs to write the file into the system sensitive directory, and returning the position of the sandbox file directory to the sandbox application program, so that the sandbox application program directly writes the file into the sandbox file directory.
The sandbox file directory setting unit further maps the sandbox file directory and the system sensitive directory in a registry filtering (register filter) mode of an operating system, wherein the system sensitive directory is a user shell directory (USF) in the operating system.
The method has the same effect as the method embodiment, namely the method does not block the access of the user to the USF directory (such as a desktop), but leads the upper layer application to be directed to the sandbox file directory and store the USF directory when accessing the USF directory, thereby realizing the higher-level safety protection.
It should be noted that for simplicity of description, the above method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (8)
1. A file storage protection implementation method is characterized by comprising the following steps:
1) setting a sandbox file directory, and mapping the sandbox file directory and the system sensitive directory;
2) monitoring access of the sandboxed application to the file storage directory;
3) when the sandbox application program needs to write the file into the system sensitive directory, acquiring a mapping relation between the sandbox file directory and the system sensitive directory, and returning the position of the sandbox file directory to the sandbox application program, so that the sandbox application program directly writes the file into the sandbox file directory;
step 1), specifically comprising the following substeps:
11) acquiring a registry Filter (Register Filter) mode adopted by a current system; 12) making a user shell directory (USF) mapping strategy, and indicating the association relationship between the original value and the mapped new value so as to associate the user shell directory and the sandbox file directory;
in the step 2), all sandbox application program processes are HOOK to a registry, and access to a file storage directory is monitored based on a mode of passively monitoring registry reading;
in the step 3), the method specifically comprises the following substeps:
determining whether a modified value should be returned to the sandboxed application, wherein the modified value is returned according to the policy formulated in sub-step 12) if it should be modified.
2. The method for implementing file storage protection according to claim 1, wherein in step 1), the sandbox file directory is mapped with the system sensitive directory based on a registry Filter (Register Filter) of an operating system, wherein the system sensitive directory is a user shell directory (USF) in the operating system.
3. The method for implementing file storage protection according to claim 2, wherein step 3) specifically includes:
and acquiring information that the sandbox application program needs to write the file into the system sensitive directory, modifying the access position value of the system sensitive directory in a system kernel, and returning the modified access position value of the sandbox file directory to the sandbox application program.
4. The method for implementing file storage protection according to claim 1, wherein in step 3), the method specifically further comprises:
and dividing the sandbox application program process into a sandbox process and a non-sandbox process according to whether the sandbox application program accesses the system sensitive directory or not, and directly releasing the non-sandbox process.
5. The file storage protection implementation method according to claim 1, further comprising: step 4) when the sandbox application program needs to read the files in the system sensitive directory;
the location of the sandbox file directory is returned to the sandbox application so that the sandbox application can directly read the files in the sandbox file directory.
6. The method of claim 1, wherein the current sandbox application is determined to write the file into the system-sensitive directory based on whether the sandbox application has another storage as a dialog box or whether the sandbox application determines that the KeyValueInformationClass value is equal to KeyValuePartialInformation and whether the data type is REG _ SZ or REG _ EXPAND _ SZ for registry access.
7. A file storage protection implementation system, comprising:
the sandbox file directory setting unit is used for setting a sandbox file directory and mapping the sandbox file directory and the system sensitive directory;
the method specifically comprises the following steps: acquiring a registry Filter (Register Filter) mode adopted by a current system; making a user shell directory (USF) mapping strategy, and indicating the association relationship between the original value and the mapped new value so as to associate the user shell directory and the sandbox file directory;
the process monitoring unit is used for monitoring the access of the sandbox application program to the file storage directory;
the method specifically comprises the following steps: all sandbox application processes are HOOK to a registry, and access to a file storage directory is monitored based on a passive monitoring registry reading mode;
the file directory turning unit is configured to, when the sandbox application program is to write a file into the system sensitive directory, obtain a mapping relationship between the sandbox file directory and the system sensitive directory, and return a location of the sandbox file directory to the sandbox application program, so that the sandbox application program directly writes the file into the sandbox file directory, and specifically includes: determining whether a modification value should be returned to the sandboxed application, wherein if the modification value should be returned according to a policy formulated in a user shell directory (USF) mapping policy.
8. The system according to claim 7, wherein the sandbox directory setting unit further maps the sandbox directory with the system sensitive directory based on a registry Filter (Register Filter) of an operating system, wherein the system sensitive directory is a user shell directory (USF) in the operating system.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610157970.1A CN105844151B (en) | 2016-03-18 | 2016-03-18 | File storage protection implementation method and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610157970.1A CN105844151B (en) | 2016-03-18 | 2016-03-18 | File storage protection implementation method and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN105844151A CN105844151A (en) | 2016-08-10 |
| CN105844151B true CN105844151B (en) | 2020-01-21 |
Family
ID=56587461
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201610157970.1A Active CN105844151B (en) | 2016-03-18 | 2016-03-18 | File storage protection implementation method and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105844151B (en) |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115114235A (en) * | 2021-03-17 | 2022-09-27 | 华为技术有限公司 | File access method, communication system and electronic equipment |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102222292B (en) * | 2011-05-27 | 2013-08-14 | 北京洋浦伟业科技发展有限公司 | Mobile phone payment protection method |
| US8601579B2 (en) * | 2011-06-03 | 2013-12-03 | Apple Inc. | System and method for preserving references in sandboxes |
| CN102314373B (en) * | 2011-07-07 | 2013-12-18 | 胡建斌 | Method for realizing safe working environment based on virtualization technology |
| CN102708335A (en) * | 2012-05-05 | 2012-10-03 | 南京赛孚科技有限公司 | Confidential file protection method |
| CN103971051A (en) * | 2013-01-28 | 2014-08-06 | 腾讯科技(深圳)有限公司 | Document isolation method, device and system |
-
2016
- 2016-03-18 CN CN201610157970.1A patent/CN105844151B/en active Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN105844151A (en) | 2016-08-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10157268B2 (en) | Return flow guard using control stack identified by processor register | |
| US8806514B2 (en) | Data control device, data control method, and computer-readable medium | |
| CN109753347B (en) | System and method for realizing driving | |
| CN101283332A (en) | Information processing device, information processing method, and program | |
| WO2016155282A1 (en) | Storage partition method and terminal | |
| WO2017174030A1 (en) | Data access control method and device | |
| CN101458754A (en) | Method and apparatus for monitoring application program action | |
| CN104932972A (en) | Method and apparatus for preventing application from dynamic debugging | |
| KR101551206B1 (en) | A vehicle data control system and a control method | |
| US11997132B2 (en) | System and method for protecting network resources | |
| US8645667B2 (en) | Operating system management of address-translation-related data structures and hardware lookasides | |
| JPWO2006103752A1 (en) | How to control document copying | |
| CN106484779B (en) | File operation method and device | |
| CN102567081B (en) | Based on overall method to set up and the system of multi-process | |
| CN105844151B (en) | File storage protection implementation method and system | |
| WO2024078348A1 (en) | Method and apparatus for processing registry operation in application porting environment, and medium | |
| US8788785B1 (en) | Systems and methods for preventing heap-spray attacks | |
| US8549273B1 (en) | Method and apparatus to present a unique background image on a personal computer display when the computer system is booted from an external drive | |
| CN113946522A (en) | Memory control method and device, electronic equipment and storage medium | |
| WO2013117142A1 (en) | File processing method and system | |
| KR101460091B1 (en) | Apparatus and method for changing icon of secure folder | |
| CN114756180B (en) | Method and device for distributing coverage writing data blocks, computer equipment and storage medium | |
| WO2022088711A1 (en) | Program execution method, program processing method, and related device | |
| US20070168568A1 (en) | Computer system and communication method thereof with peripheral device | |
| US20120110314A1 (en) | Booting access method and memory device of embedded system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| PP01 | Preservation of patent right |
Effective date of registration: 20231113 Granted publication date: 20200121 |
|
| PP01 | Preservation of patent right |