CN110084057A - Safety access method, device, equipment and the storage medium of vital document - Google Patents
Safety access method, device, equipment and the storage medium of vital document Download PDFInfo
- Publication number
- CN110084057A CN110084057A CN201910189851.8A CN201910189851A CN110084057A CN 110084057 A CN110084057 A CN 110084057A CN 201910189851 A CN201910189851 A CN 201910189851A CN 110084057 A CN110084057 A CN 110084057A
- Authority
- CN
- China
- Prior art keywords
- file
- mark
- current process
- visited
- protection
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Storage Device Security (AREA)
Abstract
This application involves a kind of safety access method of vital document, device, equipment and storage mediums.This method comprises: obtaining the mark of current process and the mark of file to be visited respectively;File to be visited is the current process file to be accessed;The mark of current process, the mark of file to be visited are matched with preset defencive function configuration relation; it is protection of goal file when matching result is file to be visited; and when the mark of current process identified for target process, refusal current process accesses file to be visited;It include the corresponding relationship between protection of goal file and target process in the defencive function configuration relation;The access includes any one of carrying out read operation, write operation to file to be visited and executing operation.This method can prevent non-targeted process from arbitrarily accessing to protection of goal file, effectively prevent the potential problem that the vital document in computer equipment is stolen, to ensure that the safety of computer equipment.
Description
Technical field
This application involves computer field, more particularly to a kind of safety access method of vital document, device, equipment and
Storage medium.
Background technique
Currently, electronic equipment is widely used in each corner in life.For example, common embedded device has movement
Phone, personal digital assistant, media player and other consumer electrical products etc..With the fieriness of market competition, such as
The safety what improves electronic equipment becomes those skilled in the art's urgent problem to be solved.
In traditional technology, generallys use specific file system and the vital document in electronic equipment is encrypted, thus
Guarantee the safety of electronic equipment.By taking electronic equipment is embedded device as an example, squashfs file system is generallyd use to protect
Demonstrate,prove the safety of embedded device.
But traditional mode still can not be obtained effectively and be protected to the file on electronic equipment, it is stolen that there are still files
The potential problem taken.
Summary of the invention
Based on this, it is necessary to still can not effectively obtain for traditional approach and be protected to the file on electronic equipment, still be deposited
In the potential problem that file is stolen, safety access method, device, equipment and the storage medium of a kind of vital document are provided.
A kind of safety access method of vital document, comprising:
The mark of current process and the mark of file to be visited are obtained respectively;The file to be visited is the current process
The file to be accessed;
The mark of the current process, the mark of the file to be visited and preset defencive function configuration relation are carried out
Matching is protection of goal file when matching result is the file to be visited, and the mark of the current process be not target into
When the mark of journey, refuses the current process and access the file to be visited;It include target in the defencive function configuration relation
Protect the corresponding relationship between file and target process;The access includes carrying out read operation to the file to be visited, writing behaviour
Any one of make and execute operation.
In one of the embodiments, it is described respectively obtain current process mark and file to be visited mark it
Before, further includes:
Obtain the comspec of current process;
According to the comspec of the current process, determine whether the current process is transfer command;
When determining the current process is transfer command, the parameter of the current process is analyzed, parameter is obtained
Analyze result;
When in the Parameter analysis result including the mark of protection of goal file, refuse the transfer behaviour of the current process
Make.
In one of the embodiments, further include:
When determining the current process not is transfer command, the mark for obtaining current process respectively is executed and wait visit
Ask the mark of file.
In one of the embodiments, further include:
When needing to shift to the memory information of the current process, and determine that being identified as the current process is described
When the mark of target process, the transfer operation to the memory information of the current process is intercepted.
In one of the embodiments, further include:
When being in debugging mode, and when the mark for being identified as host process of the determining current process, work as described in display
The memory information of preceding process, and intercept the transfer operation to the memory information of the current process;The host process is to execute master
Process caused by program file.
In one of the embodiments, after the mark for obtaining current process respectively and file to be visited, also wrap
It includes:
Obtain the mark of operating system master;
When determine the operating system master mark be equal to 0 or the current process mark be less than the operation
When the mark of system main program, the current process is allowed to access the file to be visited.
In one of the embodiments, further include:
When determine the operating system master mark not equal to 0 and the current process mark be greater than or equal to institute
When stating the mark of operating system master, execute it is described by the mark of the current process, the mark of the file to be visited with
The step of preset defencive function configuration relation is matched.
A kind of secure access device of vital document, comprising:
Module is obtained, for obtaining the mark of current process and the mark of file to be visited respectively;The file to be visited
For the current process file to be accessed;
Processing module, for by the mark of the mark of the current process, the file to be visited and preset protection function
Can configuration relation matched, be protection of goal file when matching result is the file to be visited, and the current process
When mark is not equal to the mark of target process, refuses the current process and access the file to be visited;The defencive function is matched
It sets in relationship including the corresponding relationship between protection of goal file and target process;The access includes to the file to be visited
Any one of carry out read operation, write operation and execute operation.
A kind of computer equipment, including memory and processor, the memory are stored with computer program, the processing
Device performs the steps of when executing the computer program
The mark of current process and the mark of file to be visited are obtained respectively;The file to be visited is the current process
The file to be accessed;
The mark of the current process, the mark of the file to be visited and preset defencive function configuration relation are carried out
Matching is protection of goal file when matching result is the file to be visited, and the mark of the current process be not target into
When the mark of journey, refuses the current process and access the file to be visited;It include target in the defencive function configuration relation
Protect the corresponding relationship between file and target process;The access includes carrying out read operation to the file to be visited, writing behaviour
Any one of make and execute operation.
A kind of computer readable storage medium, is stored thereon with computer program, and the computer program is held by processor
It is performed the steps of when row
The mark of current process and the mark of file to be visited are obtained respectively;The file to be visited is the current process
The file to be accessed;
The mark of the current process, the mark of the file to be visited and preset defencive function configuration relation are carried out
Matching is protection of goal file when matching result is the file to be visited, and the mark of the current process be not target into
When the mark of journey, refuses the current process and access the file to be visited;It include target in the defencive function configuration relation
Protect the corresponding relationship between file and target process;The access includes carrying out read operation to the file to be visited, writing behaviour
Any one of make and execute operation.
Safety access method, device, equipment and the storage medium of vital document provided by the embodiments of the present application, are getting
After the mark of current process and the mark of file to be visited, computer equipment is by the mark of current process, file to be visited
Mark is matched with preset defencive function configuration relation, is file to be visited for protection of goal file in matching result, and
When the mark for determining current process is not the mark of target process, refusal current process accesses file to be visited.Due to current
When process will access to file to be visited, computer equipment can be by the mark of current process, the mark of file to be visited
It is matched with preset defencive function configuration relation, whether is protection of goal file with determination file to be visited, and in determination
When file to be visited is protection of goal file, the mesh identified whether to be able to access that file to be visited for determining current process is also needed
The mark of mark process, and when the mark for determining current process is not the mark of target process, refusal current process is accessed wait visit
It asks file, in this way, can prevent non-targeted process from arbitrarily accessing to protection of goal file, effectively prevents computer and set
The potential problem that standby upper vital document is stolen, to ensure that the safety of computer equipment.
Detailed description of the invention
Fig. 1 is a kind of schematic diagram of internal structure of computer equipment provided by the embodiments of the present application;
Fig. 2 is the safety access method flow diagram for the vital document that an embodiment provides;
Fig. 3 is the safety access method flow diagram for the vital document that another embodiment provides;
Fig. 4 is the safety access method flow diagram for the vital document that another embodiment provides;
Fig. 5 is the safety access method flow diagram for the vital document that another embodiment provides;
Fig. 6 is the safety access method flow diagram for the vital document that another embodiment provides;
Fig. 7 is the secure access device structural schematic diagram for the vital document that an embodiment provides;
Fig. 8 is the secure access device structural schematic diagram for the vital document that another embodiment provides.
Specific embodiment
The safety access method of vital document provided by the embodiments of the present application can be adapted for computer as shown in Figure 1
Equipment.The computer equipment includes processor, the memory connected by system bus, is stored with computer journey in the memory
Sequence, the step of following methods embodiment can be executed when processor executes the computer program.Optionally, the computer equipment is also
It may include network interface, display screen and input unit.Wherein, the processor of the computer equipment is calculated and is controlled for providing
Ability.The memory of the computer equipment includes non-volatile memory medium, built-in storage, non-volatile memory medium storage
There are operating system and computer program.The built-in storage is operating system and computer program in non-volatile memory medium
Operation provides environment.The network interface of the computer equipment is used to communicate with external terminal by network connection.Optionally, should
Computer equipment can be embedded device, for example, personal computer (Personal Computer, PC), individual digital help
Reason, tablet computer (Portable Android Device, PAD), mobile phone etc., can also be server, the embodiment of the present application
Concrete form to computer equipment and without limitation.
The file in computer equipment is protected since traditional file protected mode still can not be obtained effectively, there are still
The potential problem that file is stolen, for this purpose, the safety access method of vital document provided by the embodiments of the present application, device, equipment
And storage medium aims to solve the problem that technical problem present in above-mentioned traditional technology.
It should be noted that the executing subject of following methods embodiment can be the secure access device of vital document, it should
Device can be implemented as the part or complete of above-mentioned computer equipment by way of software, hardware or software and hardware combining
Portion.Following methods embodiment is illustrated so that executing subject is computer equipment as an example.
Fig. 2 is the safety access method flow diagram for the vital document that an embodiment provides.The present embodiment what is involved is
How computer equipment accesses the detailed process of file.As shown in Fig. 2, this method may include:
S101, the mark of current process and the mark of file to be visited are obtained respectively.
Specifically, current process is that computer equipment executes process caused by current a certain program.The mark of current process
Know to be the comspec of current process, or operating system nucleus is the identity of current process distribution.Wait visit
Ask the mark of file or the title of file to be visited, or the number of file to be visited can also be other use
In the mark for distinguishing file to be visited.File to be visited is the current process file to be accessed, i.e. computer equipment is worked as in operation
The file of required access when preceding process.For example, it is assumed that current process is the host process run in computer equipment, host process exists
Need to access the algorithm file in configuration file and algorithms library in operational process, for this situation, host process is current process,
Algorithm file in configuration file and algorithms library is file to be visited.
Computer equipment can be by calling the open function in kernel to capture the current process text to be visited to be accessed
The mark of part, computer equipment can be by calling the do_execve function in kernel to obtain the mark of current process, can also be with
The mark of current process is read directly from the home banking of pre-stored process, herein with no restrictions.
S102, the mark of the current process, the mark of the file to be visited and the configuration of preset defencive function are closed
System is matched, and is protection of goal file when matching result is the file to be visited, and the mark of the current process is not
When the mark of target process, refuses the current process and access the file to be visited;It is wrapped in the defencive function configuration relation
Include the corresponding relationship between protection of goal file and target process;The access includes carrying out reading behaviour to the file to be visited
Any one of work, write operation and execution operation.
Specifically, protection of goal file is to carry out being protected from the file that other people steal.Protection of goal file can be with
For the various algorithm files etc. in configuration file and algorithms library needed for master program file, account files, main program operation.Target
Process is the process for allowing access target to protect file, for example, when protection of goal file is configuration text needed for main program operation
When various algorithm files in part and algorithms library, target process is generated host process when main program is run, and works as protection of goal
When file is account files, target process is the order (passwd) of the operation account information in operating system, works as protection of goal
When file is master program file, target process is operating system master (shell).Include in above-mentioned defencive function configuration relation
Corresponding relationship between protection of goal file and target process.Optionally, defencive function configuration relation can be an allocation list, can
Will need protection of goal file (i.e. vital document) to be protected and access target allowed to protect between the target process of file
Corresponding relationship be stored in advance in allocation list, to realize secure access to protection of goal file.Certainly, defencive function configures
The form of expression of relationship can be tabular form, be also possible to the form of corresponding line, can also be the form of index, only need energy
Enough characterize the corresponding relationship between protection of goal file and target process.
In one embodiment, by taking Linux system as an example, protection of goal file, target process and permission target process
The corresponding relationship between access operation carried out to protection of goal file can be as shown in table 1 below:
Table 1
Protection of goal file | Target process | The access operation of permission |
Shadow file | Passwd | Read-write |
Master program file | Shell | It executes |
Configuration file | Host process | Read-write |
Algorithms library | Host process | Read-write |
Certainly, the environment that computer equipment is run is trusted context, and trusted context refers to that there is no accessible targets
The phenomenon that program of protection file is forged, in addition, also having opened Selinux function, inject target process can not.
Computer equipment can be by calling the open function in kernel, to realize the monitoring to file.When computer is set
When for accessing file to be visited by calling the open function in kernel to capture current process, by the mark of file to be visited
It is matched with defencive function configuration relation, to judge whether file to be visited is the protection of goal file protected,
When determining file to be visited is protection of goal file, also by the mark of current process and the progress of defencive function configuration relation
Match, to judge the identifying whether to allow to access the mark of the target process of file to be visited of current process, is determining when advancing
When the mark of journey is not the mark of target process, refusal current process accesses file to be visited.Wherein, current process is accessed wait visit
Ask that file may include: that current process carries out read operation, current process to file to be visited progress write operation to file to be visited
Or current process carries out execution operation to file to be visited.
When computer equipment determine file to be visited be protection of goal file, and determine current process be identified as target into
When the mark of journey, current process is allowed to access file to be visited.
Illustratively, when computer equipment by call kernel in open function, capture what current process to be accessed
When file to be visited is the algorithm file in algorithms library, computer equipment obtains the mark of current process, and continues to call kernel
In open function, judge the mark of current process identified whether as host process, based on the mark for determining current process into
When the mark of journey, current process is allowed to access file to be visited;When the mark for determining current process is not host process
When mark, refusal current process accesses to file to be visited.
The safety access method of vital document provided in this embodiment, in the mark and text to be visited for getting current process
After the mark of part, computer equipment configures the mark of current process, the mark of file to be visited and preset defencive function
Relationship is matched, matching result be file to be visited be protection of goal file, and determine current process mark be not mesh
When the mark of mark process, refusal current process accesses file to be visited.Due to be visited file to be visited in current process
When asking, computer equipment can be by the mark of current process, the mark of file to be visited and preset defencive function configuration relation
It is matched, whether is protection of goal file with determination file to be visited, and determining that file to be visited is protection of goal file
When, the mark identified whether to be able to access that the target process of file to be visited for determining current process is also needed, and work as in determination
When the mark of preceding process is not the mark of target process, refusal current process accesses file to be visited, in this way, can prevent non-
Target process arbitrarily accesses to protection of goal file, effectively prevent the vital document in computer equipment be stolen it is hidden
Suffer from problem, to ensure that the safety of computer equipment.
Above-described embodiment is to prevent the random access target protection file of non-targeted process, to prevent protection of goal file quilt
The potential problem stolen.In practical applications, there is also user by some transfer commands (such as copied files order, export
File command etc.) copy targeting protection file, the case where being stolen so as to cause protection of goal file, for this situation, calculate
Machine equipment is referred to the access that following processes shown in Fig. 3 carry out file.It optionally, should as shown in figure 3, before S101
Method can also include:
S201, the comspec for obtaining current process.
Specifically, the comspec of current process can uniquely identify current process.By taking linux system as an example, opening
When moving a process, system can at/proc one file named with process identification (PID) of creation, had under this document folder into
The information of journey, including the file of an entitled exe, this document has recorded the absolute path of process.Computer equipment can be with
By calling the do_execve function in kernel, the comspec of current process is obtained.
S202, according to the comspec of the current process, determine whether the current process is transfer command.
Specifically, transfer command is made when being copy, exporting any one file or file in computer equipment
Order.By the system of computer equipment internal operation be Linux system for, transfer command can for cp order, can also
Think cat order, can also be dd order, ftp order and devmem order etc..Wherein, cp order is the life of copied files
Enable, cat order is the order of export, dd order be copied files folder order, ftp order be transmission file order,
The order of devmem order copy kernel data.After computer equipment obtains the comspec of current process, computer equipment
The comspec of current process is compared with the comspec of transfer command, and determines that current process is according to comparison result
No is transfer command.When determining current process is transfer command, S203-S204 is continued to execute;Optionally, when determining when advance
When Cheng Buwei transfer command, S101-S102 is executed.Meanwhile computer equipment is also by the comspec of current process and protection function
Energy configuration relation is matched, if being matched to, the mark correspondence that kernel is current process distribution is stored in defencive function and is matched
It sets in relationship.S203, when determine the current process be transfer command when, the parameter of the current process is analyzed, is obtained
To Parameter analysis result.
Specifically, needing further when computer equipment determines that current process is transfer command according to comparison result to working as
The parameter of preceding process is analyzed, so that it is determined that the parameter in current process whether include protection of goal file mark.To work as
Preceding process is copied for for copied files order, computer equipment also needs further to analyze copied files order with determination
In shellfish file command whether the mark containing protection of goal file, that is, determine copied files order copy file whether be target
Protect file.
S204, when in the Parameter analysis result include protection of goal file mark when, refuse the current process
Transfer operation.
Specifically, being shifted when computer equipment determines and in Parameter analysis result includes the mark of protection of goal file
When the file of order transfer is protection of goal file, computer equipment refuses the transfer operation of current process.Continue when advance
Journey be copied files order for, when computer equipment determine in copied files order include protection of goal file mark when,
When determining that the copied files order file to be copied is protection of goal file, computer equipment refusal copied files order is copied
Shellfish operation.
When computer equipment determines the mark for not including protection of goal file in Parameter analysis result, i.e. transfer command turns
When the file of shifting is not protection of goal file, computer equipment can permit the transfer operation of current process.
Using the system run in computer equipment as Linux system, and transfer command is copied files order, export
For order and copied files folder order, the above process is discussed in detail.Optionally, as shown in figure 4, before above-mentioned S101,
This method can also include:
S301, the comspec for obtaining current process.
S302, the comspec according to current process judge whether current process is copied files order.
If so, S303-S304 is executed, if it is not, then executing S306.
S303, the parameter of copied files order is analyzed, obtains Parameter analysis result.
S304, judge in Parameter analysis result whether the mark containing protection of goal file.
If so, executing S305;If it is not, then executing S306.
S305, the copy function for refusing copied files order.
S306, judge whether current process is export order.
If so, executing S307-S308;If it is not, then executing S312.
S307, the parameter of export order is analyzed, obtains Parameter analysis result.
S308, judge in Parameter analysis result whether the mark containing protection of goal file.
If so, executing S309-S310;If it is not, then executing S312.
S309, Parameter analysis is carried out to export order again, obtains Parameter analysis result.
S310, whether judge in Parameter analysis result comprising export instruction.
If in Parameter analysis result comprising export instruction (export instruction be > or > >) when, execute S311;If it is not, then
Execute S312.
S311, the export operation for refusing export order.
S312, judge whether current process is copied files folder order.
If so, executing S313-S314;If it is not, then executing S316.
S313, copied files are pressed from both sides with order progress Parameter analysis, obtains the Parameter analysis result of copied files folder order.
S314, judge copied files folder order Parameter analysis result in whether include protection of goal file mark.
Specifically, protection of goal file is to need file to be protected, existing in this document folder needs document to be protected
Or data.If so, S315 is executed, if it is not, then executing S316.
The transfer operation for the transfer folder that S315, refusal copied files folder are ordered.
S316, the mark for saving current process, and obtain the mark of file to be visited.
The safety access method of vital document provided in this embodiment, since computer equipment can pass through current process
Comspec determines whether current process is transfer command, and when determining current process is transfer command, can be by working as
Preceding process carries out Parameter analysis, and when in determining Parameter analysis result including the mark of protection of goal file, and refusal is when advancing
The transfer operation of journey.In this way, can prevent user from stealing protection of goal file by transfer command, calculating is further enhanced
The safety of vital document on machine equipment.
In practical applications, the case where being stolen there is also a kind of vital document information passes through transfer current process
Memory information, to steal protection of goal file.For this situation, optionally, when memory of the needs to the current process is believed
Breath is shifted, and when the mark for being identified as the target process of the determining current process, is intercepted to the current process
Memory information transfer operation.
Specifically, computer equipment is it needs to be determined that when advancing when needing the memory information to current process to shift
The mark of journey identified whether as target process, in the mark for being identified as target process for determining current process, computer is set
The standby transfer operation intercepted to the memory information of current process.Can by modify in advance in kernel /fs/proc/base.c
Under proc_pid_readdir function, increase current process in proc_pid_readdir function and identify whether as target
The judgement of the mark of process.In this way, computer equipment passes through calling when needing the memory information to current process to shift
Proc_pid_readdir function in kernel, to determine the mark of current process identified whether as target process, in determination
When the mark for being identified as target process of current process, computer equipment intercepts the transfer to the memory information of current process and grasps
Make.
As an alternative embodiment, when being in debugging mode, and based on the mark of the determining current process
When the mark of process, the memory information of the current process is shown, and intercept the transfer to the memory information of the current process
Operation;The host process is to execute process caused by master program file.
Specifically, by taking current process is host process as an example, when being in debugging mode, it is desirable to not hide the interior of host process
Information is deposited, can modify to proc_pid_readdir function in kernel, increase in proc_pid_readdir function
The judgement for identifying whether the mark for target process of current process, and increase whether debugging mode is in current process
Judgement.In this way, working as the mark (the as mark of target process) for being identified as host process of current process, and host process is in debugging
When mode, computer equipment can show the memory information of host process, needed for debugging.Meanwhile computer equipment may be used also
The memory information for shifting host process by transfer command is prevented, to avoid by calling the do_execve function in kernel
The leakage of the file information.
The safety access method of vital document provided in this embodiment, due to turning in the memory information to current process
When shifting, computer equipment can judge the mark of current process identified whether as target process, and determine current process
When being identified as the mark of target process, the transfer operation to the memory information of current process is intercepted, in this way, can effectively prevent
By shifting the memory information of process, causes the cleartext information of important procedure to be revealed, further improve in computer equipment
The safety of vital document.In addition, computer equipment can show the memory information of current process in debugging mode, it is convenient for
Debugging is gone on smoothly.
In practical applications, since computer equipment is under trusted context, in order to improve the operation effect of computer equipment
Rate, optionally, as shown in figure 5, after above-mentioned S101, this method can also include:
S401, the mark for obtaining operating system master.
Specifically, computer equipment can obtain the mark of operating system master by calling do_execve function.
S402, when determine the operating system master mark be equal to 0 or the current process mark be less than institute
When stating the mark of operating system master, the current process is allowed to access the file to be visited.
Specifically, after computer equipment gets the mark for making system main program, as a kind of mode, computer equipment
Judge operating system master identifies whether that, equal to 0, when the mark for determining operating system master is equal to 0, permission is current
Process accesses file to be visited.Alternatively, computer equipment judges that the operation that identifies whether to be less than of current process is
The mark of system main program can be known when the mark for determining current process is less than the mark of operating system master when advance
Journey is believable process, in this way, just current process is allowed to access file to be visited.
Optionally, when determining the mark of the operating system master not equal to 0 and the mark of the current process is greater than
Or equal to the operating system master mark when, need to judge the credibility of current process, that is, continue to execute by
The mark of current process, the mark of file to be visited are matched with preset defencive function configuration relation, when matching result is
File to be visited is protection of goal file, and when the mark of current process identified for target process, refusal current process is visited
Ask file to be visited.
The safety access method of vital document provided in this embodiment, since computer equipment can be according to current process
Mark and the size relation between the mark of operating system master determine that can current process access text to be visited
Part, the mark for determining operating system master be equal to 0 or the mark of current process be less than the operating system master
When mark, directly permission current process accesses file to be visited, simplifies the process of file access, sets to improve computer
Standby operational efficiency.
As an alternative embodiment, monitoring and working as by calling the open function in kernel in computer equipment
When preceding process accesses file to be visited, computer equipment is referred to the access that process as shown in FIG. 6 carries out file, this method
May include:
S501, the mark for obtaining current process and file to be visited.
S502, the mark identified whether as host process for judging current process.
If so, returning successfully, i.e. permission current process accesses file to be visited;If it is not, then executing S503.
S503, judge whether file to be visited is account files.
If so, executing S504;If it is not, then executing S505.
S504, judge current process identify whether for operate account files process mark.
If so, returning successfully;If it is not, then returning to failure, i.e. refusal current process accesses file to be visited.
S505, judge whether file to be visited is shielded configuration file.
If so, returning to failure, i.e. refusal current process accesses file to be visited.If it is not, then executing S506.
S506, judge whether file to be visited is shielded program file.
If so, returning to failure, i.e. refusal current process accesses file to be visited.If it is not, then returning to success, that is, allow to work as
Preceding process accesses file to be visited.
In conclusion allow current process to access file to be visited when current process is host process, when current process not
For host process, and current process is not when allowing to access the target process of file to be visited, and refusal current process access is to be visited
File.
The safety access method of vital document provided in this embodiment, due to current process access file to be visited when,
Computer equipment judges file to be visited when determining current process not is the mark of host process, to be visited with determination
Whether file is protection of goal file, and when determining file to be visited is protection of goal file, and refusal current process treats visit
The access of file is asked, so that the potential problem that the vital document in computer equipment is stolen is effectively prevented, to ensure that
The safety of computer equipment.
Optionally, kernel is copied in order to prevent, and the operation for forbidding devmem can be set in trusted program control function.
It should be understood that although each step in the flow chart of Fig. 2-6 is successively shown according to the instruction of arrow,
These steps are not that the inevitable sequence according to arrow instruction successively executes.Unless expressly stating otherwise herein, these steps
Execution there is no stringent sequences to limit, these steps can execute in other order.Moreover, at least one in Fig. 2-6
Part steps may include that perhaps these sub-steps of multiple stages or stage are not necessarily in synchronization to multiple sub-steps
Completion is executed, but can be executed at different times, the execution sequence in these sub-steps or stage is also not necessarily successively
It carries out, but can be at least part of the sub-step or stage of other steps or other steps in turn or alternately
It executes.
Fig. 7 is the secure access device structural schematic diagram for the vital document that an embodiment provides.As shown in fig. 7, the device
It may include: to obtain module 10 and processing module 11.
Specifically, obtaining module 10 for obtaining the mark of current process and the mark of file to be visited respectively;It is described to
Access file is the current process file to be accessed;
Processing module 11 is used for the mark of the current process, the mark of the file to be visited and preset protection function
Energy configuration relation is matched, and is protection of goal file when matching result is the file to be visited, and the current process is not
When equal to target process, refuses the current process and access the file to be visited;Include in the defencive function configuration relation
Corresponding relationship between protection of goal file and target process;The access include the file to be visited is carried out read operation,
Any one of write operation and execution operation.
The secure access device of vital document provided in this embodiment can execute above method embodiment, realize former
Reason is similar with technical effect, and details are not described herein.
Fig. 8 is the secure access device structural schematic diagram for the vital document that an embodiment provides.Optionally, in above-mentioned implementation
On the basis of example, as shown in figure 8, the device can also comprise determining that module 12.
Specifically, obtain module 10 be also used to respectively obtain current process mark and file to be visited mark it
Before, obtain the comspec of current process;
Determining module 12 be used for according to it is described acquisition module 10 obtain the current process comspec, determine described in
Whether current process is transfer command;
Processing module 11 is also used to work as when the determining module 12 determines that the current process is transfer command to described
The parameter of preceding process is analyzed, and Parameter analysis result is obtained;When including protection of goal file in the Parameter analysis result
When mark, refuse the transfer operation of the current process.
Optionally, module 10 is obtained to be also used to determine that the current process is not transfer command when the determining module 12
When, the mark of current process and the mark of file to be visited are obtained respectively.
Optionally, processing module 11 is also used to shift the memory information of the current process when needs, and determines
When the mark for being identified as the target process of the current process, intercepts the transfer to the memory information of the current process and grasp
Make.
Optionally, processing module 11 is also used to when in debugging mode, and based on the mark of the determining current process
When the mark of process, the memory information of the current process is shown, and intercept the transfer to the memory information of the current process
Operation;The host process is to execute process caused by master program file.
Optionally, it obtains module 10 to be also used to after mark and the file to be visited for obtaining current process respectively, obtain
The mark of operating system master;
Processing module 11 is also used to be equal to 0 or the current process when the mark that determines the operating system master
When mark is less than the mark of the operating system master, the current process is allowed to access the file to be visited.
Optionally, processing module 11 is also used to when determining the mark of the operating system master not equal to 0 and described work as
When the mark of preceding process is greater than or equal to the mark of the operating system master, execute the mark of the current process, institute
State the step of mark of file to be visited is matched with preset defencive function configuration relation.
The secure access device of vital document provided in this embodiment can execute above method embodiment, realize former
Reason is similar with technical effect, and details are not described herein.
The specific of secure access device about vital document limits the safety that may refer to above for vital document
The restriction of access method, details are not described herein.Modules in the secure access device of above-mentioned vital document can whole or portion
Divide and is realized by software, hardware and combinations thereof.Above-mentioned each module can be embedded in the form of hardware or independently of computer equipment
In processor in, can also be stored in a software form in the memory in computer equipment, in order to processor calling hold
The corresponding operation of the above modules of row.
In one embodiment, a kind of computer equipment is provided, internal structure chart can be as shown in Figure 1.The calculating
Machine equipment may include processor, memory, network interface and the database connected by system bus.Wherein, the processor
For providing calculating and control ability.The memory includes non-volatile memory medium, built-in storage.The non-volatile memories are situated between
Matter is stored with operating system, computer program and database.The built-in storage is the operating system in non-volatile memory medium
Operation with computer program provides environment.The database is used to store used number during the secure access of vital document
According to.The network interface is used to communicate with external terminal by network connection.The computer program is executed by processor Shi Yishi
A kind of safety access method of existing vital document.
It will be understood by those skilled in the art that structure shown in Fig. 1, only part relevant to application scheme is tied
The block diagram of structure does not constitute the restriction for the computer equipment being applied thereon to application scheme, specific computer equipment
It may include perhaps combining certain components or with different component layouts than more or fewer components as shown in the figure.
In one embodiment, a kind of computer equipment, including memory and processor are provided, is stored in memory
Computer program, the processor perform the steps of when executing computer program
The mark of current process and the mark of file to be visited are obtained respectively;The file to be visited is the current process
The file to be accessed;
The mark of the current process, the mark of the file to be visited and preset defencive function configuration relation are carried out
Matching is protection of goal file when matching result is the file to be visited, and the mark of the current process be not target into
When the mark of journey, refuses the current process and access the file to be visited;It include target in the defencive function configuration relation
Protect the corresponding relationship between file and target process;The access includes carrying out read operation to the file to be visited, writing behaviour
Any one of make and execute operation.
In one embodiment, it is also performed the steps of when processor executes computer program and obtains the complete of current process
Pathname;According to the comspec of the current process, determine whether the current process is transfer command;Work as described in the determination
When preceding process is transfer command, the parameter of the current process is analyzed, Parameter analysis result is obtained;When the parameter point
When analysing the mark in result comprising protection of goal file, refuse the transfer operation of the current process.
In one embodiment, it is also performed the steps of when processor execution computer program described when advance when determining
When Cheng Buwei transfer command, the mark of the mark for obtaining current process respectively and file to be visited is executed.
In one embodiment, it is also performed the steps of when processor executes computer program when needs are to described current
The memory information of process is shifted, and when the mark for being identified as the target process of the determining current process, interception pair
The transfer operation of the memory information of the current process.
In one embodiment, it is also performed the steps of when processor executes computer program when in debugging mode,
And when determining the mark for being identified as host process of the current process, the memory information of the current process, and interception pair are shown
The transfer operation of the memory information of the current process;The host process is to execute process caused by master program file.
In one embodiment, it is also performed the steps of when processor executes computer program and obtains the main journey of operating system
The mark of sequence;When determine the operating system master mark be equal to 0 or the current process mark be less than the behaviour
When making the mark of system main program, the current process is allowed to access the file to be visited.
In one embodiment, it is also performed the steps of when processor executes computer program when the determining operation system
Identifying for main program of uniting is not equal to mark of the mark of 0 and the current process more than or equal to the operating system master
When, it executes described by the mark of the current process, the mark of the file to be visited and preset defencive function configuration relation
The step of being matched.
In one embodiment, a kind of computer readable storage medium is provided, computer program is stored thereon with, is calculated
Machine program performs the steps of when being executed by processor
The mark of current process and the mark of file to be visited are obtained respectively;The file to be visited is the current process
The file to be accessed;
The mark of the current process, the mark of the file to be visited and preset defencive function configuration relation are carried out
Matching is protection of goal file when matching result is the file to be visited, and the mark of the current process be not target into
When the mark of journey, refuses the current process and access the file to be visited;It include target in the defencive function configuration relation
Protect the corresponding relationship between file and target process;The access includes carrying out read operation to the file to be visited, writing behaviour
Any one of make and execute operation.
In one embodiment, it is also performed the steps of when computer program is executed by processor and obtains current process
Comspec;According to the comspec of the current process, determine whether the current process is transfer command;Described in determination
When current process is transfer command, the parameter of the current process is analyzed, Parameter analysis result is obtained;When the parameter
When analyzing the mark in result comprising protection of goal file, refuse the transfer operation of the current process.
In one embodiment, it is also performed the steps of when computer program is executed by processor described current when determining
When process is not transfer command, the mark of the mark for obtaining current process respectively and file to be visited is executed.
In one embodiment, it is also performed the steps of when computer program is executed by processor when needs are worked as to described
The memory information of preceding process is shifted, and when the mark for being identified as the target process of the determining current process, is intercepted
Transfer operation to the memory information of the current process.
In one embodiment, it also performs the steps of when computer program is executed by processor when in debugging mode
When, and when the mark for being identified as host process of the determining current process, show the memory information of the current process, and intercept
Transfer operation to the memory information of the current process;The host process is to execute process caused by master program file.
In one embodiment, it is also performed the steps of when computer program is executed by processor and obtains operating system master
The mark of program;When the mark for determining the operating system master be equal to 0 or the current process mark be less than it is described
When the mark of operating system master, the current process is allowed to access the file to be visited.
In one embodiment, it is also performed the steps of when computer program is executed by processor when the determining operation
The mark of system main program is not equal to 0 and the mark of the current process is greater than or equal to the mark of the operating system master
When, it executes described by the mark of the current process, the mark of the file to be visited and preset defencive function configuration relation
The step of being matched.
Those of ordinary skill in the art will appreciate that realizing all or part of the process in above-described embodiment method, being can be with
Relevant hardware is instructed to complete by computer program, the computer program can be stored in a non-volatile computer
In read/write memory medium, the computer program is when being executed, it may include such as the process of the embodiment of above-mentioned each method.Wherein,
To any reference of memory, storage, database or other media used in each embodiment provided herein,
Including non-volatile and/or volatile memory.Nonvolatile memory may include read-only memory (ROM), programming ROM
(PROM), electrically programmable ROM (EPROM), electrically erasable ROM (EEPROM) or flash memory.Volatile memory may include
Random access memory (RAM) or external cache.By way of illustration and not limitation, RAM is available in many forms,
Such as static state RAM (SRAM), dynamic ram (DRAM), synchronous dram (SDRAM), double data rate sdram (DDRSDRAM), enhancing
Type SDRAM (ESDRAM), synchronization link (Synchlink) DRAM (SLDRAM), memory bus (Rambus) direct RAM
(RDRAM), direct memory bus dynamic ram (DRDRAM) and memory bus dynamic ram (RDRAM) etc..
Each technical characteristic of embodiment described above can be combined arbitrarily, for simplicity of description, not to above-mentioned reality
It applies all possible combination of each technical characteristic in example to be all described, as long as however, the combination of these technical characteristics is not deposited
In contradiction, all should be considered as described in this specification.
The several embodiments of the application above described embodiment only expresses, the description thereof is more specific and detailed, but simultaneously
The limitation to the application the scope of the patents therefore cannot be interpreted as.It should be pointed out that for those of ordinary skill in the art
For, without departing from the concept of this application, various modifications and improvements can be made, these belong to the guarantor of the application
Protect range.Therefore, the scope of protection shall be subject to the appended claims for the application patent.
Claims (10)
1. a kind of safety access method of vital document characterized by comprising
The mark of current process and the mark of file to be visited are obtained respectively;The file to be visited is that the current process will visit
The file asked;
By the mark of the current process, the mark of the file to be visited and the progress of preset defencive function configuration relation
Match, is protection of goal file when matching result is the file to be visited, and the mark of the current process is not target process
Mark when, refuse the current process and access the file to be visited;It include that target is protected in the defencive function configuration relation
Protect the corresponding relationship between file and target process;The access includes carrying out read operation, write operation to the file to be visited
Any one of and execute operation.
2. the method according to claim 1, wherein in the mark of current process and to be visited of obtaining respectively
Before the mark of file, further includes:
Obtain the comspec of current process;
According to the comspec of the current process, determine whether the current process is transfer command;
When determining the current process is transfer command, the parameter of the current process is analyzed, Parameter analysis is obtained
As a result;
When in the Parameter analysis result including the mark of protection of goal file, refuse the transfer operation of the current process.
3. according to the method described in claim 2, it is characterized by further comprising:
When determining the current process not is transfer command, the mark for obtaining current process respectively and text to be visited are executed
The mark of part.
4. the method according to claim 1, wherein further include:
When needing to shift to the memory information of the current process, and determine the current process is identified as the target
When the mark of process, the transfer operation to the memory information of the current process is intercepted.
5. the method according to claim 1, wherein further include:
When being in debugging mode, and when the mark for being identified as host process of the determining current process, works as described in display and advance
The memory information of journey, and intercept the transfer operation to the memory information of the current process;The host process is to execute main program
Process caused by file.
6. the method according to claim 1, wherein in the mark of current process and to be visited of obtaining respectively
After file, further includes:
Obtain the mark of operating system master;
When determine the operating system master mark be equal to 0 or the current process mark be less than the operating system
When the mark of main program, the current process is allowed to access the file to be visited.
7. according to the method described in claim 6, it is characterized by further comprising:
When determine the operating system master mark not equal to 0 and the current process mark be greater than or equal to the behaviour
When making the mark of system main program, execute described by the mark of the current process, the mark of the file to be visited and default
Defencive function configuration relation the step of being matched.
8. a kind of secure access device of vital document characterized by comprising
Module is obtained, for obtaining the mark of current process and the mark of file to be visited respectively;The file to be visited is institute
State the current process file to be accessed;
Processing module, for matching mark and the preset defencive function of the mark of the current process, the file to be visited
The relationship of setting is matched, and is protection of goal file, and the mark of the current process when matching result is the file to be visited
Not equal to target process mark when, refuse the current process and access the file to be visited;The defencive function configuration is closed
It include the corresponding relationship between protection of goal file and target process in system;The access includes carrying out to the file to be visited
Any one of read operation, write operation and execution operation.
9. a kind of computer equipment, including memory and processor, the memory are stored with computer program, feature exists
In the step of processor realizes any one of claims 1 to 7 the method when executing the computer program.
10. a kind of computer readable storage medium, is stored thereon with computer program, which is characterized in that the computer program
The step of any one of claims 1 to 7 the method is realized when being executed by processor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910189851.8A CN110084057A (en) | 2019-03-13 | 2019-03-13 | Safety access method, device, equipment and the storage medium of vital document |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910189851.8A CN110084057A (en) | 2019-03-13 | 2019-03-13 | Safety access method, device, equipment and the storage medium of vital document |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110084057A true CN110084057A (en) | 2019-08-02 |
Family
ID=67412506
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910189851.8A Pending CN110084057A (en) | 2019-03-13 | 2019-03-13 | Safety access method, device, equipment and the storage medium of vital document |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110084057A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111625784A (en) * | 2020-05-29 | 2020-09-04 | 重庆小雨点小额贷款有限公司 | Anti-debugging method of application, related device and storage medium |
CN115221524A (en) * | 2022-09-20 | 2022-10-21 | 深圳市科力锐科技有限公司 | Service data protection method, device, equipment and storage medium |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101273366A (en) * | 2005-11-02 | 2008-09-24 | 日立软件工程株式会社 | Confidential file protection method |
CN101324913A (en) * | 2007-06-15 | 2008-12-17 | 杨湘渝 | Method and apparatus for protecting computer file |
CN101408919A (en) * | 2008-12-09 | 2009-04-15 | 吕欣 | Method and system for monitoring computer espionage behavior |
CN102495982A (en) * | 2011-11-30 | 2012-06-13 | 成都七巧软件有限责任公司 | Process threading-based copy-protection system and copy-protection storage medium |
CN102812473A (en) * | 2010-02-11 | 2012-12-05 | 惠普发展公司,有限责任合伙企业 | Executable Identity Based File Access |
CN102819717A (en) * | 2012-08-07 | 2012-12-12 | 北京奇虎科技有限公司 | Method and device for carrying out protection processing on file |
CN106503579A (en) * | 2016-09-29 | 2017-03-15 | 维沃移动通信有限公司 | A kind of method and device of access target file |
CN106682504A (en) * | 2015-11-06 | 2017-05-17 | 珠海市君天电子科技有限公司 | Method and device for preventing file from being maliciously edited and electronic equipment |
-
2019
- 2019-03-13 CN CN201910189851.8A patent/CN110084057A/en active Pending
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101273366A (en) * | 2005-11-02 | 2008-09-24 | 日立软件工程株式会社 | Confidential file protection method |
CN101324913A (en) * | 2007-06-15 | 2008-12-17 | 杨湘渝 | Method and apparatus for protecting computer file |
CN101408919A (en) * | 2008-12-09 | 2009-04-15 | 吕欣 | Method and system for monitoring computer espionage behavior |
CN102812473A (en) * | 2010-02-11 | 2012-12-05 | 惠普发展公司,有限责任合伙企业 | Executable Identity Based File Access |
CN102495982A (en) * | 2011-11-30 | 2012-06-13 | 成都七巧软件有限责任公司 | Process threading-based copy-protection system and copy-protection storage medium |
CN102819717A (en) * | 2012-08-07 | 2012-12-12 | 北京奇虎科技有限公司 | Method and device for carrying out protection processing on file |
CN106682504A (en) * | 2015-11-06 | 2017-05-17 | 珠海市君天电子科技有限公司 | Method and device for preventing file from being maliciously edited and electronic equipment |
CN106503579A (en) * | 2016-09-29 | 2017-03-15 | 维沃移动通信有限公司 | A kind of method and device of access target file |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111625784A (en) * | 2020-05-29 | 2020-09-04 | 重庆小雨点小额贷款有限公司 | Anti-debugging method of application, related device and storage medium |
CN111625784B (en) * | 2020-05-29 | 2023-09-12 | 重庆小雨点小额贷款有限公司 | Anti-debugging method of application, related device and storage medium |
CN115221524A (en) * | 2022-09-20 | 2022-10-21 | 深圳市科力锐科技有限公司 | Service data protection method, device, equipment and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN100465982C (en) | Application execution device and application execution device application execution method | |
KR920005231B1 (en) | Data processing system | |
US9286486B2 (en) | System and method for copying files between encrypted and unencrypted data storage devices | |
CN102375948B (en) | Security module and signal conditioning package | |
US8452740B2 (en) | Method and system for security of file input and output of application programs | |
EP2891104B1 (en) | Detecting a malware process | |
JPH07287655A (en) | Information processor | |
CN102118512A (en) | Method and system for preventing application program of mobile phone from being cracked | |
CN102254124A (en) | Information security protecting system and method of mobile terminal | |
US20210089684A1 (en) | Controlled access to data stored in a secure partition | |
CN107358114A (en) | A kind of method and terminal for preventing user data loss | |
EP3436936A1 (en) | Dynamic addition of code in shared libraries | |
CN109583190A (en) | The method and apparatus of monitoring process | |
CN102722672A (en) | Method and device for detecting authenticity of operating environment | |
CN105303074A (en) | Method for protecting security of Web application | |
CN110084057A (en) | Safety access method, device, equipment and the storage medium of vital document | |
CN103218573B (en) | A kind of seamless access control method based on virtual disk protection and device | |
CN106096441A (en) | Date storage method and data storage device | |
CN107092838A (en) | A kind of safety access control method of hard disk and a kind of hard disk | |
CN108199827A (en) | Client code integrity checking method, storage medium, electronic equipment and system | |
TW200945867A (en) | Mobile phone accessing system and related storage device | |
CN109086597A (en) | Cipher key access method, key management method, storage medium and computer equipment | |
CN108229190B (en) | Transparent encryption and decryption control method, device, program, storage medium and electronic equipment | |
CN108985096B (en) | Security enhancement and security operation method and device for Android SQLite database | |
CN114398598A (en) | Library file encryption method, decryption method and encryption device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20190802 |
|
RJ01 | Rejection of invention patent application after publication |