CN110084057A - Safety access method, device, equipment and the storage medium of vital document - Google Patents

Safety access method, device, equipment and the storage medium of vital document Download PDF

Info

Publication number
CN110084057A
CN110084057A CN201910189851.8A CN201910189851A CN110084057A CN 110084057 A CN110084057 A CN 110084057A CN 201910189851 A CN201910189851 A CN 201910189851A CN 110084057 A CN110084057 A CN 110084057A
Authority
CN
China
Prior art keywords
file
mark
current process
visited
protection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201910189851.8A
Other languages
Chinese (zh)
Inventor
赵树升
张军昌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Dahua Technology Co Ltd
Original Assignee
Zhejiang Dahua Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Dahua Technology Co Ltd filed Critical Zhejiang Dahua Technology Co Ltd
Priority to CN201910189851.8A priority Critical patent/CN110084057A/en
Publication of CN110084057A publication Critical patent/CN110084057A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

This application involves a kind of safety access method of vital document, device, equipment and storage mediums.This method comprises: obtaining the mark of current process and the mark of file to be visited respectively;File to be visited is the current process file to be accessed;The mark of current process, the mark of file to be visited are matched with preset defencive function configuration relation; it is protection of goal file when matching result is file to be visited; and when the mark of current process identified for target process, refusal current process accesses file to be visited;It include the corresponding relationship between protection of goal file and target process in the defencive function configuration relation;The access includes any one of carrying out read operation, write operation to file to be visited and executing operation.This method can prevent non-targeted process from arbitrarily accessing to protection of goal file, effectively prevent the potential problem that the vital document in computer equipment is stolen, to ensure that the safety of computer equipment.

Description

Safety access method, device, equipment and the storage medium of vital document
Technical field
This application involves computer field, more particularly to a kind of safety access method of vital document, device, equipment and Storage medium.
Background technique
Currently, electronic equipment is widely used in each corner in life.For example, common embedded device has movement Phone, personal digital assistant, media player and other consumer electrical products etc..With the fieriness of market competition, such as The safety what improves electronic equipment becomes those skilled in the art's urgent problem to be solved.
In traditional technology, generallys use specific file system and the vital document in electronic equipment is encrypted, thus Guarantee the safety of electronic equipment.By taking electronic equipment is embedded device as an example, squashfs file system is generallyd use to protect Demonstrate,prove the safety of embedded device.
But traditional mode still can not be obtained effectively and be protected to the file on electronic equipment, it is stolen that there are still files The potential problem taken.
Summary of the invention
Based on this, it is necessary to still can not effectively obtain for traditional approach and be protected to the file on electronic equipment, still be deposited In the potential problem that file is stolen, safety access method, device, equipment and the storage medium of a kind of vital document are provided.
A kind of safety access method of vital document, comprising:
The mark of current process and the mark of file to be visited are obtained respectively;The file to be visited is the current process The file to be accessed;
The mark of the current process, the mark of the file to be visited and preset defencive function configuration relation are carried out Matching is protection of goal file when matching result is the file to be visited, and the mark of the current process be not target into When the mark of journey, refuses the current process and access the file to be visited;It include target in the defencive function configuration relation Protect the corresponding relationship between file and target process;The access includes carrying out read operation to the file to be visited, writing behaviour Any one of make and execute operation.
In one of the embodiments, it is described respectively obtain current process mark and file to be visited mark it Before, further includes:
Obtain the comspec of current process;
According to the comspec of the current process, determine whether the current process is transfer command;
When determining the current process is transfer command, the parameter of the current process is analyzed, parameter is obtained Analyze result;
When in the Parameter analysis result including the mark of protection of goal file, refuse the transfer behaviour of the current process Make.
In one of the embodiments, further include:
When determining the current process not is transfer command, the mark for obtaining current process respectively is executed and wait visit Ask the mark of file.
In one of the embodiments, further include:
When needing to shift to the memory information of the current process, and determine that being identified as the current process is described When the mark of target process, the transfer operation to the memory information of the current process is intercepted.
In one of the embodiments, further include:
When being in debugging mode, and when the mark for being identified as host process of the determining current process, work as described in display The memory information of preceding process, and intercept the transfer operation to the memory information of the current process;The host process is to execute master Process caused by program file.
In one of the embodiments, after the mark for obtaining current process respectively and file to be visited, also wrap It includes:
Obtain the mark of operating system master;
When determine the operating system master mark be equal to 0 or the current process mark be less than the operation When the mark of system main program, the current process is allowed to access the file to be visited.
In one of the embodiments, further include:
When determine the operating system master mark not equal to 0 and the current process mark be greater than or equal to institute When stating the mark of operating system master, execute it is described by the mark of the current process, the mark of the file to be visited with The step of preset defencive function configuration relation is matched.
A kind of secure access device of vital document, comprising:
Module is obtained, for obtaining the mark of current process and the mark of file to be visited respectively;The file to be visited For the current process file to be accessed;
Processing module, for by the mark of the mark of the current process, the file to be visited and preset protection function Can configuration relation matched, be protection of goal file when matching result is the file to be visited, and the current process When mark is not equal to the mark of target process, refuses the current process and access the file to be visited;The defencive function is matched It sets in relationship including the corresponding relationship between protection of goal file and target process;The access includes to the file to be visited Any one of carry out read operation, write operation and execute operation.
A kind of computer equipment, including memory and processor, the memory are stored with computer program, the processing Device performs the steps of when executing the computer program
The mark of current process and the mark of file to be visited are obtained respectively;The file to be visited is the current process The file to be accessed;
The mark of the current process, the mark of the file to be visited and preset defencive function configuration relation are carried out Matching is protection of goal file when matching result is the file to be visited, and the mark of the current process be not target into When the mark of journey, refuses the current process and access the file to be visited;It include target in the defencive function configuration relation Protect the corresponding relationship between file and target process;The access includes carrying out read operation to the file to be visited, writing behaviour Any one of make and execute operation.
A kind of computer readable storage medium, is stored thereon with computer program, and the computer program is held by processor It is performed the steps of when row
The mark of current process and the mark of file to be visited are obtained respectively;The file to be visited is the current process The file to be accessed;
The mark of the current process, the mark of the file to be visited and preset defencive function configuration relation are carried out Matching is protection of goal file when matching result is the file to be visited, and the mark of the current process be not target into When the mark of journey, refuses the current process and access the file to be visited;It include target in the defencive function configuration relation Protect the corresponding relationship between file and target process;The access includes carrying out read operation to the file to be visited, writing behaviour Any one of make and execute operation.
Safety access method, device, equipment and the storage medium of vital document provided by the embodiments of the present application, are getting After the mark of current process and the mark of file to be visited, computer equipment is by the mark of current process, file to be visited Mark is matched with preset defencive function configuration relation, is file to be visited for protection of goal file in matching result, and When the mark for determining current process is not the mark of target process, refusal current process accesses file to be visited.Due to current When process will access to file to be visited, computer equipment can be by the mark of current process, the mark of file to be visited It is matched with preset defencive function configuration relation, whether is protection of goal file with determination file to be visited, and in determination When file to be visited is protection of goal file, the mesh identified whether to be able to access that file to be visited for determining current process is also needed The mark of mark process, and when the mark for determining current process is not the mark of target process, refusal current process is accessed wait visit It asks file, in this way, can prevent non-targeted process from arbitrarily accessing to protection of goal file, effectively prevents computer and set The potential problem that standby upper vital document is stolen, to ensure that the safety of computer equipment.
Detailed description of the invention
Fig. 1 is a kind of schematic diagram of internal structure of computer equipment provided by the embodiments of the present application;
Fig. 2 is the safety access method flow diagram for the vital document that an embodiment provides;
Fig. 3 is the safety access method flow diagram for the vital document that another embodiment provides;
Fig. 4 is the safety access method flow diagram for the vital document that another embodiment provides;
Fig. 5 is the safety access method flow diagram for the vital document that another embodiment provides;
Fig. 6 is the safety access method flow diagram for the vital document that another embodiment provides;
Fig. 7 is the secure access device structural schematic diagram for the vital document that an embodiment provides;
Fig. 8 is the secure access device structural schematic diagram for the vital document that another embodiment provides.
Specific embodiment
The safety access method of vital document provided by the embodiments of the present application can be adapted for computer as shown in Figure 1 Equipment.The computer equipment includes processor, the memory connected by system bus, is stored with computer journey in the memory Sequence, the step of following methods embodiment can be executed when processor executes the computer program.Optionally, the computer equipment is also It may include network interface, display screen and input unit.Wherein, the processor of the computer equipment is calculated and is controlled for providing Ability.The memory of the computer equipment includes non-volatile memory medium, built-in storage, non-volatile memory medium storage There are operating system and computer program.The built-in storage is operating system and computer program in non-volatile memory medium Operation provides environment.The network interface of the computer equipment is used to communicate with external terminal by network connection.Optionally, should Computer equipment can be embedded device, for example, personal computer (Personal Computer, PC), individual digital help Reason, tablet computer (Portable Android Device, PAD), mobile phone etc., can also be server, the embodiment of the present application Concrete form to computer equipment and without limitation.
The file in computer equipment is protected since traditional file protected mode still can not be obtained effectively, there are still The potential problem that file is stolen, for this purpose, the safety access method of vital document provided by the embodiments of the present application, device, equipment And storage medium aims to solve the problem that technical problem present in above-mentioned traditional technology.
It should be noted that the executing subject of following methods embodiment can be the secure access device of vital document, it should Device can be implemented as the part or complete of above-mentioned computer equipment by way of software, hardware or software and hardware combining Portion.Following methods embodiment is illustrated so that executing subject is computer equipment as an example.
Fig. 2 is the safety access method flow diagram for the vital document that an embodiment provides.The present embodiment what is involved is How computer equipment accesses the detailed process of file.As shown in Fig. 2, this method may include:
S101, the mark of current process and the mark of file to be visited are obtained respectively.
Specifically, current process is that computer equipment executes process caused by current a certain program.The mark of current process Know to be the comspec of current process, or operating system nucleus is the identity of current process distribution.Wait visit Ask the mark of file or the title of file to be visited, or the number of file to be visited can also be other use In the mark for distinguishing file to be visited.File to be visited is the current process file to be accessed, i.e. computer equipment is worked as in operation The file of required access when preceding process.For example, it is assumed that current process is the host process run in computer equipment, host process exists Need to access the algorithm file in configuration file and algorithms library in operational process, for this situation, host process is current process, Algorithm file in configuration file and algorithms library is file to be visited.
Computer equipment can be by calling the open function in kernel to capture the current process text to be visited to be accessed The mark of part, computer equipment can be by calling the do_execve function in kernel to obtain the mark of current process, can also be with The mark of current process is read directly from the home banking of pre-stored process, herein with no restrictions.
S102, the mark of the current process, the mark of the file to be visited and the configuration of preset defencive function are closed System is matched, and is protection of goal file when matching result is the file to be visited, and the mark of the current process is not When the mark of target process, refuses the current process and access the file to be visited;It is wrapped in the defencive function configuration relation Include the corresponding relationship between protection of goal file and target process;The access includes carrying out reading behaviour to the file to be visited Any one of work, write operation and execution operation.
Specifically, protection of goal file is to carry out being protected from the file that other people steal.Protection of goal file can be with For the various algorithm files etc. in configuration file and algorithms library needed for master program file, account files, main program operation.Target Process is the process for allowing access target to protect file, for example, when protection of goal file is configuration text needed for main program operation When various algorithm files in part and algorithms library, target process is generated host process when main program is run, and works as protection of goal When file is account files, target process is the order (passwd) of the operation account information in operating system, works as protection of goal When file is master program file, target process is operating system master (shell).Include in above-mentioned defencive function configuration relation Corresponding relationship between protection of goal file and target process.Optionally, defencive function configuration relation can be an allocation list, can Will need protection of goal file (i.e. vital document) to be protected and access target allowed to protect between the target process of file Corresponding relationship be stored in advance in allocation list, to realize secure access to protection of goal file.Certainly, defencive function configures The form of expression of relationship can be tabular form, be also possible to the form of corresponding line, can also be the form of index, only need energy Enough characterize the corresponding relationship between protection of goal file and target process.
In one embodiment, by taking Linux system as an example, protection of goal file, target process and permission target process The corresponding relationship between access operation carried out to protection of goal file can be as shown in table 1 below:
Table 1
Protection of goal file Target process The access operation of permission
Shadow file Passwd Read-write
Master program file Shell It executes
Configuration file Host process Read-write
Algorithms library Host process Read-write
Certainly, the environment that computer equipment is run is trusted context, and trusted context refers to that there is no accessible targets The phenomenon that program of protection file is forged, in addition, also having opened Selinux function, inject target process can not.
Computer equipment can be by calling the open function in kernel, to realize the monitoring to file.When computer is set When for accessing file to be visited by calling the open function in kernel to capture current process, by the mark of file to be visited It is matched with defencive function configuration relation, to judge whether file to be visited is the protection of goal file protected, When determining file to be visited is protection of goal file, also by the mark of current process and the progress of defencive function configuration relation Match, to judge the identifying whether to allow to access the mark of the target process of file to be visited of current process, is determining when advancing When the mark of journey is not the mark of target process, refusal current process accesses file to be visited.Wherein, current process is accessed wait visit Ask that file may include: that current process carries out read operation, current process to file to be visited progress write operation to file to be visited Or current process carries out execution operation to file to be visited.
When computer equipment determine file to be visited be protection of goal file, and determine current process be identified as target into When the mark of journey, current process is allowed to access file to be visited.
Illustratively, when computer equipment by call kernel in open function, capture what current process to be accessed When file to be visited is the algorithm file in algorithms library, computer equipment obtains the mark of current process, and continues to call kernel In open function, judge the mark of current process identified whether as host process, based on the mark for determining current process into When the mark of journey, current process is allowed to access file to be visited;When the mark for determining current process is not host process When mark, refusal current process accesses to file to be visited.
The safety access method of vital document provided in this embodiment, in the mark and text to be visited for getting current process After the mark of part, computer equipment configures the mark of current process, the mark of file to be visited and preset defencive function Relationship is matched, matching result be file to be visited be protection of goal file, and determine current process mark be not mesh When the mark of mark process, refusal current process accesses file to be visited.Due to be visited file to be visited in current process When asking, computer equipment can be by the mark of current process, the mark of file to be visited and preset defencive function configuration relation It is matched, whether is protection of goal file with determination file to be visited, and determining that file to be visited is protection of goal file When, the mark identified whether to be able to access that the target process of file to be visited for determining current process is also needed, and work as in determination When the mark of preceding process is not the mark of target process, refusal current process accesses file to be visited, in this way, can prevent non- Target process arbitrarily accesses to protection of goal file, effectively prevent the vital document in computer equipment be stolen it is hidden Suffer from problem, to ensure that the safety of computer equipment.
Above-described embodiment is to prevent the random access target protection file of non-targeted process, to prevent protection of goal file quilt The potential problem stolen.In practical applications, there is also user by some transfer commands (such as copied files order, export File command etc.) copy targeting protection file, the case where being stolen so as to cause protection of goal file, for this situation, calculate Machine equipment is referred to the access that following processes shown in Fig. 3 carry out file.It optionally, should as shown in figure 3, before S101 Method can also include:
S201, the comspec for obtaining current process.
Specifically, the comspec of current process can uniquely identify current process.By taking linux system as an example, opening When moving a process, system can at/proc one file named with process identification (PID) of creation, had under this document folder into The information of journey, including the file of an entitled exe, this document has recorded the absolute path of process.Computer equipment can be with By calling the do_execve function in kernel, the comspec of current process is obtained.
S202, according to the comspec of the current process, determine whether the current process is transfer command.
Specifically, transfer command is made when being copy, exporting any one file or file in computer equipment Order.By the system of computer equipment internal operation be Linux system for, transfer command can for cp order, can also Think cat order, can also be dd order, ftp order and devmem order etc..Wherein, cp order is the life of copied files Enable, cat order is the order of export, dd order be copied files folder order, ftp order be transmission file order, The order of devmem order copy kernel data.After computer equipment obtains the comspec of current process, computer equipment The comspec of current process is compared with the comspec of transfer command, and determines that current process is according to comparison result No is transfer command.When determining current process is transfer command, S203-S204 is continued to execute;Optionally, when determining when advance When Cheng Buwei transfer command, S101-S102 is executed.Meanwhile computer equipment is also by the comspec of current process and protection function Energy configuration relation is matched, if being matched to, the mark correspondence that kernel is current process distribution is stored in defencive function and is matched It sets in relationship.S203, when determine the current process be transfer command when, the parameter of the current process is analyzed, is obtained To Parameter analysis result.
Specifically, needing further when computer equipment determines that current process is transfer command according to comparison result to working as The parameter of preceding process is analyzed, so that it is determined that the parameter in current process whether include protection of goal file mark.To work as Preceding process is copied for for copied files order, computer equipment also needs further to analyze copied files order with determination In shellfish file command whether the mark containing protection of goal file, that is, determine copied files order copy file whether be target Protect file.
S204, when in the Parameter analysis result include protection of goal file mark when, refuse the current process Transfer operation.
Specifically, being shifted when computer equipment determines and in Parameter analysis result includes the mark of protection of goal file When the file of order transfer is protection of goal file, computer equipment refuses the transfer operation of current process.Continue when advance Journey be copied files order for, when computer equipment determine in copied files order include protection of goal file mark when, When determining that the copied files order file to be copied is protection of goal file, computer equipment refusal copied files order is copied Shellfish operation.
When computer equipment determines the mark for not including protection of goal file in Parameter analysis result, i.e. transfer command turns When the file of shifting is not protection of goal file, computer equipment can permit the transfer operation of current process.
Using the system run in computer equipment as Linux system, and transfer command is copied files order, export For order and copied files folder order, the above process is discussed in detail.Optionally, as shown in figure 4, before above-mentioned S101, This method can also include:
S301, the comspec for obtaining current process.
S302, the comspec according to current process judge whether current process is copied files order.
If so, S303-S304 is executed, if it is not, then executing S306.
S303, the parameter of copied files order is analyzed, obtains Parameter analysis result.
S304, judge in Parameter analysis result whether the mark containing protection of goal file.
If so, executing S305;If it is not, then executing S306.
S305, the copy function for refusing copied files order.
S306, judge whether current process is export order.
If so, executing S307-S308;If it is not, then executing S312.
S307, the parameter of export order is analyzed, obtains Parameter analysis result.
S308, judge in Parameter analysis result whether the mark containing protection of goal file.
If so, executing S309-S310;If it is not, then executing S312.
S309, Parameter analysis is carried out to export order again, obtains Parameter analysis result.
S310, whether judge in Parameter analysis result comprising export instruction.
If in Parameter analysis result comprising export instruction (export instruction be > or > >) when, execute S311;If it is not, then Execute S312.
S311, the export operation for refusing export order.
S312, judge whether current process is copied files folder order.
If so, executing S313-S314;If it is not, then executing S316.
S313, copied files are pressed from both sides with order progress Parameter analysis, obtains the Parameter analysis result of copied files folder order.
S314, judge copied files folder order Parameter analysis result in whether include protection of goal file mark.
Specifically, protection of goal file is to need file to be protected, existing in this document folder needs document to be protected Or data.If so, S315 is executed, if it is not, then executing S316.
The transfer operation for the transfer folder that S315, refusal copied files folder are ordered.
S316, the mark for saving current process, and obtain the mark of file to be visited.
The safety access method of vital document provided in this embodiment, since computer equipment can pass through current process Comspec determines whether current process is transfer command, and when determining current process is transfer command, can be by working as Preceding process carries out Parameter analysis, and when in determining Parameter analysis result including the mark of protection of goal file, and refusal is when advancing The transfer operation of journey.In this way, can prevent user from stealing protection of goal file by transfer command, calculating is further enhanced The safety of vital document on machine equipment.
In practical applications, the case where being stolen there is also a kind of vital document information passes through transfer current process Memory information, to steal protection of goal file.For this situation, optionally, when memory of the needs to the current process is believed Breath is shifted, and when the mark for being identified as the target process of the determining current process, is intercepted to the current process Memory information transfer operation.
Specifically, computer equipment is it needs to be determined that when advancing when needing the memory information to current process to shift The mark of journey identified whether as target process, in the mark for being identified as target process for determining current process, computer is set The standby transfer operation intercepted to the memory information of current process.Can by modify in advance in kernel /fs/proc/base.c Under proc_pid_readdir function, increase current process in proc_pid_readdir function and identify whether as target The judgement of the mark of process.In this way, computer equipment passes through calling when needing the memory information to current process to shift Proc_pid_readdir function in kernel, to determine the mark of current process identified whether as target process, in determination When the mark for being identified as target process of current process, computer equipment intercepts the transfer to the memory information of current process and grasps Make.
As an alternative embodiment, when being in debugging mode, and based on the mark of the determining current process When the mark of process, the memory information of the current process is shown, and intercept the transfer to the memory information of the current process Operation;The host process is to execute process caused by master program file.
Specifically, by taking current process is host process as an example, when being in debugging mode, it is desirable to not hide the interior of host process Information is deposited, can modify to proc_pid_readdir function in kernel, increase in proc_pid_readdir function The judgement for identifying whether the mark for target process of current process, and increase whether debugging mode is in current process Judgement.In this way, working as the mark (the as mark of target process) for being identified as host process of current process, and host process is in debugging When mode, computer equipment can show the memory information of host process, needed for debugging.Meanwhile computer equipment may be used also The memory information for shifting host process by transfer command is prevented, to avoid by calling the do_execve function in kernel The leakage of the file information.
The safety access method of vital document provided in this embodiment, due to turning in the memory information to current process When shifting, computer equipment can judge the mark of current process identified whether as target process, and determine current process When being identified as the mark of target process, the transfer operation to the memory information of current process is intercepted, in this way, can effectively prevent By shifting the memory information of process, causes the cleartext information of important procedure to be revealed, further improve in computer equipment The safety of vital document.In addition, computer equipment can show the memory information of current process in debugging mode, it is convenient for Debugging is gone on smoothly.
In practical applications, since computer equipment is under trusted context, in order to improve the operation effect of computer equipment Rate, optionally, as shown in figure 5, after above-mentioned S101, this method can also include:
S401, the mark for obtaining operating system master.
Specifically, computer equipment can obtain the mark of operating system master by calling do_execve function.
S402, when determine the operating system master mark be equal to 0 or the current process mark be less than institute When stating the mark of operating system master, the current process is allowed to access the file to be visited.
Specifically, after computer equipment gets the mark for making system main program, as a kind of mode, computer equipment Judge operating system master identifies whether that, equal to 0, when the mark for determining operating system master is equal to 0, permission is current Process accesses file to be visited.Alternatively, computer equipment judges that the operation that identifies whether to be less than of current process is The mark of system main program can be known when the mark for determining current process is less than the mark of operating system master when advance Journey is believable process, in this way, just current process is allowed to access file to be visited.
Optionally, when determining the mark of the operating system master not equal to 0 and the mark of the current process is greater than Or equal to the operating system master mark when, need to judge the credibility of current process, that is, continue to execute by The mark of current process, the mark of file to be visited are matched with preset defencive function configuration relation, when matching result is File to be visited is protection of goal file, and when the mark of current process identified for target process, refusal current process is visited Ask file to be visited.
The safety access method of vital document provided in this embodiment, since computer equipment can be according to current process Mark and the size relation between the mark of operating system master determine that can current process access text to be visited Part, the mark for determining operating system master be equal to 0 or the mark of current process be less than the operating system master When mark, directly permission current process accesses file to be visited, simplifies the process of file access, sets to improve computer Standby operational efficiency.
As an alternative embodiment, monitoring and working as by calling the open function in kernel in computer equipment When preceding process accesses file to be visited, computer equipment is referred to the access that process as shown in FIG. 6 carries out file, this method May include:
S501, the mark for obtaining current process and file to be visited.
S502, the mark identified whether as host process for judging current process.
If so, returning successfully, i.e. permission current process accesses file to be visited;If it is not, then executing S503.
S503, judge whether file to be visited is account files.
If so, executing S504;If it is not, then executing S505.
S504, judge current process identify whether for operate account files process mark.
If so, returning successfully;If it is not, then returning to failure, i.e. refusal current process accesses file to be visited.
S505, judge whether file to be visited is shielded configuration file.
If so, returning to failure, i.e. refusal current process accesses file to be visited.If it is not, then executing S506.
S506, judge whether file to be visited is shielded program file.
If so, returning to failure, i.e. refusal current process accesses file to be visited.If it is not, then returning to success, that is, allow to work as Preceding process accesses file to be visited.
In conclusion allow current process to access file to be visited when current process is host process, when current process not For host process, and current process is not when allowing to access the target process of file to be visited, and refusal current process access is to be visited File.
The safety access method of vital document provided in this embodiment, due to current process access file to be visited when, Computer equipment judges file to be visited when determining current process not is the mark of host process, to be visited with determination Whether file is protection of goal file, and when determining file to be visited is protection of goal file, and refusal current process treats visit The access of file is asked, so that the potential problem that the vital document in computer equipment is stolen is effectively prevented, to ensure that The safety of computer equipment.
Optionally, kernel is copied in order to prevent, and the operation for forbidding devmem can be set in trusted program control function.
It should be understood that although each step in the flow chart of Fig. 2-6 is successively shown according to the instruction of arrow, These steps are not that the inevitable sequence according to arrow instruction successively executes.Unless expressly stating otherwise herein, these steps Execution there is no stringent sequences to limit, these steps can execute in other order.Moreover, at least one in Fig. 2-6 Part steps may include that perhaps these sub-steps of multiple stages or stage are not necessarily in synchronization to multiple sub-steps Completion is executed, but can be executed at different times, the execution sequence in these sub-steps or stage is also not necessarily successively It carries out, but can be at least part of the sub-step or stage of other steps or other steps in turn or alternately It executes.
Fig. 7 is the secure access device structural schematic diagram for the vital document that an embodiment provides.As shown in fig. 7, the device It may include: to obtain module 10 and processing module 11.
Specifically, obtaining module 10 for obtaining the mark of current process and the mark of file to be visited respectively;It is described to Access file is the current process file to be accessed;
Processing module 11 is used for the mark of the current process, the mark of the file to be visited and preset protection function Energy configuration relation is matched, and is protection of goal file when matching result is the file to be visited, and the current process is not When equal to target process, refuses the current process and access the file to be visited;Include in the defencive function configuration relation Corresponding relationship between protection of goal file and target process;The access include the file to be visited is carried out read operation, Any one of write operation and execution operation.
The secure access device of vital document provided in this embodiment can execute above method embodiment, realize former Reason is similar with technical effect, and details are not described herein.
Fig. 8 is the secure access device structural schematic diagram for the vital document that an embodiment provides.Optionally, in above-mentioned implementation On the basis of example, as shown in figure 8, the device can also comprise determining that module 12.
Specifically, obtain module 10 be also used to respectively obtain current process mark and file to be visited mark it Before, obtain the comspec of current process;
Determining module 12 be used for according to it is described acquisition module 10 obtain the current process comspec, determine described in Whether current process is transfer command;
Processing module 11 is also used to work as when the determining module 12 determines that the current process is transfer command to described The parameter of preceding process is analyzed, and Parameter analysis result is obtained;When including protection of goal file in the Parameter analysis result When mark, refuse the transfer operation of the current process.
Optionally, module 10 is obtained to be also used to determine that the current process is not transfer command when the determining module 12 When, the mark of current process and the mark of file to be visited are obtained respectively.
Optionally, processing module 11 is also used to shift the memory information of the current process when needs, and determines When the mark for being identified as the target process of the current process, intercepts the transfer to the memory information of the current process and grasp Make.
Optionally, processing module 11 is also used to when in debugging mode, and based on the mark of the determining current process When the mark of process, the memory information of the current process is shown, and intercept the transfer to the memory information of the current process Operation;The host process is to execute process caused by master program file.
Optionally, it obtains module 10 to be also used to after mark and the file to be visited for obtaining current process respectively, obtain The mark of operating system master;
Processing module 11 is also used to be equal to 0 or the current process when the mark that determines the operating system master When mark is less than the mark of the operating system master, the current process is allowed to access the file to be visited.
Optionally, processing module 11 is also used to when determining the mark of the operating system master not equal to 0 and described work as When the mark of preceding process is greater than or equal to the mark of the operating system master, execute the mark of the current process, institute State the step of mark of file to be visited is matched with preset defencive function configuration relation.
The secure access device of vital document provided in this embodiment can execute above method embodiment, realize former Reason is similar with technical effect, and details are not described herein.
The specific of secure access device about vital document limits the safety that may refer to above for vital document The restriction of access method, details are not described herein.Modules in the secure access device of above-mentioned vital document can whole or portion Divide and is realized by software, hardware and combinations thereof.Above-mentioned each module can be embedded in the form of hardware or independently of computer equipment In processor in, can also be stored in a software form in the memory in computer equipment, in order to processor calling hold The corresponding operation of the above modules of row.
In one embodiment, a kind of computer equipment is provided, internal structure chart can be as shown in Figure 1.The calculating Machine equipment may include processor, memory, network interface and the database connected by system bus.Wherein, the processor For providing calculating and control ability.The memory includes non-volatile memory medium, built-in storage.The non-volatile memories are situated between Matter is stored with operating system, computer program and database.The built-in storage is the operating system in non-volatile memory medium Operation with computer program provides environment.The database is used to store used number during the secure access of vital document According to.The network interface is used to communicate with external terminal by network connection.The computer program is executed by processor Shi Yishi A kind of safety access method of existing vital document.
It will be understood by those skilled in the art that structure shown in Fig. 1, only part relevant to application scheme is tied The block diagram of structure does not constitute the restriction for the computer equipment being applied thereon to application scheme, specific computer equipment It may include perhaps combining certain components or with different component layouts than more or fewer components as shown in the figure.
In one embodiment, a kind of computer equipment, including memory and processor are provided, is stored in memory Computer program, the processor perform the steps of when executing computer program
The mark of current process and the mark of file to be visited are obtained respectively;The file to be visited is the current process The file to be accessed;
The mark of the current process, the mark of the file to be visited and preset defencive function configuration relation are carried out Matching is protection of goal file when matching result is the file to be visited, and the mark of the current process be not target into When the mark of journey, refuses the current process and access the file to be visited;It include target in the defencive function configuration relation Protect the corresponding relationship between file and target process;The access includes carrying out read operation to the file to be visited, writing behaviour Any one of make and execute operation.
In one embodiment, it is also performed the steps of when processor executes computer program and obtains the complete of current process Pathname;According to the comspec of the current process, determine whether the current process is transfer command;Work as described in the determination When preceding process is transfer command, the parameter of the current process is analyzed, Parameter analysis result is obtained;When the parameter point When analysing the mark in result comprising protection of goal file, refuse the transfer operation of the current process.
In one embodiment, it is also performed the steps of when processor execution computer program described when advance when determining When Cheng Buwei transfer command, the mark of the mark for obtaining current process respectively and file to be visited is executed.
In one embodiment, it is also performed the steps of when processor executes computer program when needs are to described current The memory information of process is shifted, and when the mark for being identified as the target process of the determining current process, interception pair The transfer operation of the memory information of the current process.
In one embodiment, it is also performed the steps of when processor executes computer program when in debugging mode, And when determining the mark for being identified as host process of the current process, the memory information of the current process, and interception pair are shown The transfer operation of the memory information of the current process;The host process is to execute process caused by master program file.
In one embodiment, it is also performed the steps of when processor executes computer program and obtains the main journey of operating system The mark of sequence;When determine the operating system master mark be equal to 0 or the current process mark be less than the behaviour When making the mark of system main program, the current process is allowed to access the file to be visited.
In one embodiment, it is also performed the steps of when processor executes computer program when the determining operation system Identifying for main program of uniting is not equal to mark of the mark of 0 and the current process more than or equal to the operating system master When, it executes described by the mark of the current process, the mark of the file to be visited and preset defencive function configuration relation The step of being matched.
In one embodiment, a kind of computer readable storage medium is provided, computer program is stored thereon with, is calculated Machine program performs the steps of when being executed by processor
The mark of current process and the mark of file to be visited are obtained respectively;The file to be visited is the current process The file to be accessed;
The mark of the current process, the mark of the file to be visited and preset defencive function configuration relation are carried out Matching is protection of goal file when matching result is the file to be visited, and the mark of the current process be not target into When the mark of journey, refuses the current process and access the file to be visited;It include target in the defencive function configuration relation Protect the corresponding relationship between file and target process;The access includes carrying out read operation to the file to be visited, writing behaviour Any one of make and execute operation.
In one embodiment, it is also performed the steps of when computer program is executed by processor and obtains current process Comspec;According to the comspec of the current process, determine whether the current process is transfer command;Described in determination When current process is transfer command, the parameter of the current process is analyzed, Parameter analysis result is obtained;When the parameter When analyzing the mark in result comprising protection of goal file, refuse the transfer operation of the current process.
In one embodiment, it is also performed the steps of when computer program is executed by processor described current when determining When process is not transfer command, the mark of the mark for obtaining current process respectively and file to be visited is executed.
In one embodiment, it is also performed the steps of when computer program is executed by processor when needs are worked as to described The memory information of preceding process is shifted, and when the mark for being identified as the target process of the determining current process, is intercepted Transfer operation to the memory information of the current process.
In one embodiment, it also performs the steps of when computer program is executed by processor when in debugging mode When, and when the mark for being identified as host process of the determining current process, show the memory information of the current process, and intercept Transfer operation to the memory information of the current process;The host process is to execute process caused by master program file.
In one embodiment, it is also performed the steps of when computer program is executed by processor and obtains operating system master The mark of program;When the mark for determining the operating system master be equal to 0 or the current process mark be less than it is described When the mark of operating system master, the current process is allowed to access the file to be visited.
In one embodiment, it is also performed the steps of when computer program is executed by processor when the determining operation The mark of system main program is not equal to 0 and the mark of the current process is greater than or equal to the mark of the operating system master When, it executes described by the mark of the current process, the mark of the file to be visited and preset defencive function configuration relation The step of being matched.
Those of ordinary skill in the art will appreciate that realizing all or part of the process in above-described embodiment method, being can be with Relevant hardware is instructed to complete by computer program, the computer program can be stored in a non-volatile computer In read/write memory medium, the computer program is when being executed, it may include such as the process of the embodiment of above-mentioned each method.Wherein, To any reference of memory, storage, database or other media used in each embodiment provided herein, Including non-volatile and/or volatile memory.Nonvolatile memory may include read-only memory (ROM), programming ROM (PROM), electrically programmable ROM (EPROM), electrically erasable ROM (EEPROM) or flash memory.Volatile memory may include Random access memory (RAM) or external cache.By way of illustration and not limitation, RAM is available in many forms, Such as static state RAM (SRAM), dynamic ram (DRAM), synchronous dram (SDRAM), double data rate sdram (DDRSDRAM), enhancing Type SDRAM (ESDRAM), synchronization link (Synchlink) DRAM (SLDRAM), memory bus (Rambus) direct RAM (RDRAM), direct memory bus dynamic ram (DRDRAM) and memory bus dynamic ram (RDRAM) etc..
Each technical characteristic of embodiment described above can be combined arbitrarily, for simplicity of description, not to above-mentioned reality It applies all possible combination of each technical characteristic in example to be all described, as long as however, the combination of these technical characteristics is not deposited In contradiction, all should be considered as described in this specification.
The several embodiments of the application above described embodiment only expresses, the description thereof is more specific and detailed, but simultaneously The limitation to the application the scope of the patents therefore cannot be interpreted as.It should be pointed out that for those of ordinary skill in the art For, without departing from the concept of this application, various modifications and improvements can be made, these belong to the guarantor of the application Protect range.Therefore, the scope of protection shall be subject to the appended claims for the application patent.

Claims (10)

1. a kind of safety access method of vital document characterized by comprising
The mark of current process and the mark of file to be visited are obtained respectively;The file to be visited is that the current process will visit The file asked;
By the mark of the current process, the mark of the file to be visited and the progress of preset defencive function configuration relation Match, is protection of goal file when matching result is the file to be visited, and the mark of the current process is not target process Mark when, refuse the current process and access the file to be visited;It include that target is protected in the defencive function configuration relation Protect the corresponding relationship between file and target process;The access includes carrying out read operation, write operation to the file to be visited Any one of and execute operation.
2. the method according to claim 1, wherein in the mark of current process and to be visited of obtaining respectively Before the mark of file, further includes:
Obtain the comspec of current process;
According to the comspec of the current process, determine whether the current process is transfer command;
When determining the current process is transfer command, the parameter of the current process is analyzed, Parameter analysis is obtained As a result;
When in the Parameter analysis result including the mark of protection of goal file, refuse the transfer operation of the current process.
3. according to the method described in claim 2, it is characterized by further comprising:
When determining the current process not is transfer command, the mark for obtaining current process respectively and text to be visited are executed The mark of part.
4. the method according to claim 1, wherein further include:
When needing to shift to the memory information of the current process, and determine the current process is identified as the target When the mark of process, the transfer operation to the memory information of the current process is intercepted.
5. the method according to claim 1, wherein further include:
When being in debugging mode, and when the mark for being identified as host process of the determining current process, works as described in display and advance The memory information of journey, and intercept the transfer operation to the memory information of the current process;The host process is to execute main program Process caused by file.
6. the method according to claim 1, wherein in the mark of current process and to be visited of obtaining respectively After file, further includes:
Obtain the mark of operating system master;
When determine the operating system master mark be equal to 0 or the current process mark be less than the operating system When the mark of main program, the current process is allowed to access the file to be visited.
7. according to the method described in claim 6, it is characterized by further comprising:
When determine the operating system master mark not equal to 0 and the current process mark be greater than or equal to the behaviour When making the mark of system main program, execute described by the mark of the current process, the mark of the file to be visited and default Defencive function configuration relation the step of being matched.
8. a kind of secure access device of vital document characterized by comprising
Module is obtained, for obtaining the mark of current process and the mark of file to be visited respectively;The file to be visited is institute State the current process file to be accessed;
Processing module, for matching mark and the preset defencive function of the mark of the current process, the file to be visited The relationship of setting is matched, and is protection of goal file, and the mark of the current process when matching result is the file to be visited Not equal to target process mark when, refuse the current process and access the file to be visited;The defencive function configuration is closed It include the corresponding relationship between protection of goal file and target process in system;The access includes carrying out to the file to be visited Any one of read operation, write operation and execution operation.
9. a kind of computer equipment, including memory and processor, the memory are stored with computer program, feature exists In the step of processor realizes any one of claims 1 to 7 the method when executing the computer program.
10. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that the computer program The step of any one of claims 1 to 7 the method is realized when being executed by processor.
CN201910189851.8A 2019-03-13 2019-03-13 Safety access method, device, equipment and the storage medium of vital document Pending CN110084057A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910189851.8A CN110084057A (en) 2019-03-13 2019-03-13 Safety access method, device, equipment and the storage medium of vital document

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910189851.8A CN110084057A (en) 2019-03-13 2019-03-13 Safety access method, device, equipment and the storage medium of vital document

Publications (1)

Publication Number Publication Date
CN110084057A true CN110084057A (en) 2019-08-02

Family

ID=67412506

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910189851.8A Pending CN110084057A (en) 2019-03-13 2019-03-13 Safety access method, device, equipment and the storage medium of vital document

Country Status (1)

Country Link
CN (1) CN110084057A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111625784A (en) * 2020-05-29 2020-09-04 重庆小雨点小额贷款有限公司 Anti-debugging method of application, related device and storage medium
CN115221524A (en) * 2022-09-20 2022-10-21 深圳市科力锐科技有限公司 Service data protection method, device, equipment and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101273366A (en) * 2005-11-02 2008-09-24 日立软件工程株式会社 Confidential file protection method
CN101324913A (en) * 2007-06-15 2008-12-17 杨湘渝 Method and apparatus for protecting computer file
CN101408919A (en) * 2008-12-09 2009-04-15 吕欣 Method and system for monitoring computer espionage behavior
CN102495982A (en) * 2011-11-30 2012-06-13 成都七巧软件有限责任公司 Process threading-based copy-protection system and copy-protection storage medium
CN102812473A (en) * 2010-02-11 2012-12-05 惠普发展公司,有限责任合伙企业 Executable Identity Based File Access
CN102819717A (en) * 2012-08-07 2012-12-12 北京奇虎科技有限公司 Method and device for carrying out protection processing on file
CN106503579A (en) * 2016-09-29 2017-03-15 维沃移动通信有限公司 A kind of method and device of access target file
CN106682504A (en) * 2015-11-06 2017-05-17 珠海市君天电子科技有限公司 Method and device for preventing file from being maliciously edited and electronic equipment

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101273366A (en) * 2005-11-02 2008-09-24 日立软件工程株式会社 Confidential file protection method
CN101324913A (en) * 2007-06-15 2008-12-17 杨湘渝 Method and apparatus for protecting computer file
CN101408919A (en) * 2008-12-09 2009-04-15 吕欣 Method and system for monitoring computer espionage behavior
CN102812473A (en) * 2010-02-11 2012-12-05 惠普发展公司,有限责任合伙企业 Executable Identity Based File Access
CN102495982A (en) * 2011-11-30 2012-06-13 成都七巧软件有限责任公司 Process threading-based copy-protection system and copy-protection storage medium
CN102819717A (en) * 2012-08-07 2012-12-12 北京奇虎科技有限公司 Method and device for carrying out protection processing on file
CN106682504A (en) * 2015-11-06 2017-05-17 珠海市君天电子科技有限公司 Method and device for preventing file from being maliciously edited and electronic equipment
CN106503579A (en) * 2016-09-29 2017-03-15 维沃移动通信有限公司 A kind of method and device of access target file

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111625784A (en) * 2020-05-29 2020-09-04 重庆小雨点小额贷款有限公司 Anti-debugging method of application, related device and storage medium
CN111625784B (en) * 2020-05-29 2023-09-12 重庆小雨点小额贷款有限公司 Anti-debugging method of application, related device and storage medium
CN115221524A (en) * 2022-09-20 2022-10-21 深圳市科力锐科技有限公司 Service data protection method, device, equipment and storage medium

Similar Documents

Publication Publication Date Title
CN100465982C (en) Application execution device and application execution device application execution method
KR920005231B1 (en) Data processing system
US9286486B2 (en) System and method for copying files between encrypted and unencrypted data storage devices
CN102375948B (en) Security module and signal conditioning package
US8452740B2 (en) Method and system for security of file input and output of application programs
EP2891104B1 (en) Detecting a malware process
JPH07287655A (en) Information processor
CN102118512A (en) Method and system for preventing application program of mobile phone from being cracked
CN102254124A (en) Information security protecting system and method of mobile terminal
US20210089684A1 (en) Controlled access to data stored in a secure partition
CN107358114A (en) A kind of method and terminal for preventing user data loss
EP3436936A1 (en) Dynamic addition of code in shared libraries
CN109583190A (en) The method and apparatus of monitoring process
CN102722672A (en) Method and device for detecting authenticity of operating environment
CN105303074A (en) Method for protecting security of Web application
CN110084057A (en) Safety access method, device, equipment and the storage medium of vital document
CN103218573B (en) A kind of seamless access control method based on virtual disk protection and device
CN106096441A (en) Date storage method and data storage device
CN107092838A (en) A kind of safety access control method of hard disk and a kind of hard disk
CN108199827A (en) Client code integrity checking method, storage medium, electronic equipment and system
TW200945867A (en) Mobile phone accessing system and related storage device
CN109086597A (en) Cipher key access method, key management method, storage medium and computer equipment
CN108229190B (en) Transparent encryption and decryption control method, device, program, storage medium and electronic equipment
CN108985096B (en) Security enhancement and security operation method and device for Android SQLite database
CN114398598A (en) Library file encryption method, decryption method and encryption device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190802

RJ01 Rejection of invention patent application after publication