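WO2015160118A1 - Method and apparatus for controlling access of an application program to a secure storage area - Google Patents
Method and apparatus for controlling access of an application program to a secure storage area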
- Publication number
- WO2015160118A1 (PCT/KR2015/003258)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- program
- file
- storage area
- secure storage
- access
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
Definitions
- the present invention relates to a technology for managing work documents, which must be securely managed, separately from other general documents (or personal documents) in a general PC work environment, where data generated on a terminal such as a PC is divided into work data and personal data.
- the program itself becomes more specialized and larger, accompanied by a number of subprocesses depending on the user's complicated task request, and also creates a temporary file to handle the complex computational process.
- specialized programs check whether there are necessary configuration files or license files before starting them, and there are cases where temporary files are created in various paths to manage stable execution and intermediate operations.
- the license file may be renewed during the driving process or termination.
- the present invention is intended to provide a method and apparatus in which the work files generated during the work of members are viewed, created, edited, and deleted only in a secure storage area, while personal documents other than work can be freely viewed, created, and edited in a non-secure area by using the same application program on the same terminal.
- the present invention is also intended to provide a method and apparatus that, while ensuring that a document managed by a company is viewed, created, copied, moved, or deleted by a predetermined program only in a secure storage area of the terminal, prevent a second leak through the temporary work files (cache files) used by a designated application and allow the designated program to run normally in the non-secure environment when security is released.
- a computer-implemented method for executing access control of an application program to a secure storage area, comprising: executing a security agent for work security at a user terminal according to user authentication; copying, for each application program that is allowed to access the secure storage area for work security, a file required for driving or a folder of the original path to a predetermined path in the secure storage area; and switching, for each application program that is permitted to access the secure storage area, the driving path of the application program from the original path to a path according to the copied folder in the secure storage area.
- the method may further include extracting a policy.
- the security policy includes file or folder information to be restored to the original drive path from the folder of the switched drive path at the end of execution of the security agent,
- the method may further include extracting the file or folder to be restored for each application that is allowed to access the secure storage area from the security policy and recopying or updating the original path.
- when, according to the determination result, the program or process attempting access is an access-allowed program or process, the method may further include allowing that program or process to access the secure storage area and recognizing the program or process that was allowed access as a monitoring process.
- when the monitoring process attempts a body copy event on a file in the secure storage area or a body paste event into another process, the method may further comprise allowing execution of the corresponding event only when the other process is a monitoring process.
- the method may further include blocking the execution of the file save when the monitoring process attempts to save a file in a storage area other than the secure storage area.
- the method may further include initializing at least one of a file system cache, a clipboard, and a registry value supported by an operating system when the execution of the security agent ends.
- the method may further include: checking, by referring to at least one of the attribute information of the application, the registered registry value, the hash value of the binary file of the driving file, and the file system event information when the program is running, the version information about the unconfirmed application, the file or folder information required for driving that program, the file or folder information required to be restored or updated, and information on the original installation path of that program; and adding the unconfirmed application to the security target programs by reflecting the result of the check in the security policy.
- it is possible to separate work-created documents from personally created documents: the work files generated while members perform their work are viewed, created, edited, and deleted only in the secure storage area, while personal documents outside of work can be freely viewed, created, and edited in the non-secure area using the same application on the same terminal.
- FIG. 1 is a view showing each component constituting an apparatus for controlling access of an application program according to an embodiment of the present invention.
- FIG. 2 is a flowchart illustrating a method for controlling access of an application program according to an embodiment of the present invention.
- FIG. 3 illustrates an error screen that occurs when a driving path of an application program does not match.
- FIG. 4 is an embodiment showing a difference between a recent file list in a secure area of a Photoshop program and a recent file list in an unsecured area.
- FIG. 5 is an embodiment in which the license file is broken and malfunctions after the CAD program operated in the secure area is terminated to control access to the secure storage area.
- FIG. 6 is a configuration diagram of an example of switching a driving environment so that a file in a secure area is opened using a minifilter driver even if the Notepad program opens a file in a non-secure area.
- FIG. 7 is an embodiment in which the EditorPlus program is blocked while attempting to access a file in a secure area.
- FIG. 8 is an embodiment in which saving is blocked when the Notepad program, having opened a file in the secure area, attempts to save the file to the non-secure area.
- FIG. 9 is an embodiment that blocks data copy or mouse drag-and-drop events between programs when the same program is driven as two processes, one of which is a secure process and the other a non-secure process.
- unit that processes at least one function or operation, which means that it may be implemented by one or more pieces of hardware or software or a combination of hardware and software.
- FIG. 1 is a diagram illustrating each component constituting an apparatus for controlling access of an application program according to an embodiment of the present invention.
- FIG. 2 is a flowchart of a method for controlling access of an application program according to an embodiment of the present invention (in FIG. 2, this is referred to as a security agent).
- an apparatus for controlling access of an application program includes a user authenticator 100, a secure storage area controller 200, and a PC driving controller 300.
- the user authentication unit 100 is a general component that authenticates the user ID and password.
- the user authentication unit 100 may be connected to another computer system or an external server through a network (not shown) to perform user authentication.
- the security storage area control unit 200 may include a security storage area policy control unit 210, a security policy storage unit 220, a security program driving path copying unit 230, a security program driving path switching unit 240, a security program read control unit 250, a security program write control unit 260, a secure storage area encryption/decryption unit 270, a secure storage area display control unit 280, and a security program event control unit 290.
- the secure storage area control unit 200 may further include a file export control unit 2AA, a survival period control unit 2BB, a printer spool control unit 2CC, a system cache initialization unit 2DD, and a program driving learning unit 2EE.
- the security storage area policy control unit 210 instructs the security program driving path copying unit 230 to copy the files set for each program by referring to the user security policy stored in the security policy storage unit 220 (see S210 and S220 of FIG. 2). When the copy is completed, the security storage area policy control unit 210 commands the security program drive path switching unit 240 to switch so that the drive path of the corresponding program is recognized as being in the secure storage area (see S230 of FIG. 2). In addition, when a program that the security program read control unit 250 detects attempting to access the secure storage area corresponds to a security program according to the security policy, the security storage area policy control unit 210 allows it to view the document.
- when an attempt is made to store data, the control unit is configured, through the security program write control unit 260, to allow storage only in the secure storage area.
- the security program refers to a program that is pre-designated to allow access to a secure storage area according to a security policy among application programs.
- the security policy storage unit 220 is a component that stores, for each user, the names of programs authorized for use in the secure storage area, a unique value for each program, the file or folder path values that should be copied in advance when the corresponding program is driven, the file or folder path values to be restored when the secure storage area control unit 200 is terminated, the encryption/decryption key value of the secure storage area, and the values of the folders or drives constituting the secure storage area.
- the security policy for each user may be stored in an encrypted file form or obtained by receiving the values from a server.
- when program access control for the secure storage area is set according to the program's characteristics, the security policy storage unit 220 stores information about which folder paths or files should be copied to the secure storage area in advance when the program is run. In addition, the security policy storage unit 220 can store the license files, working files, folder path values, and the like that must be renewed when the security storage area control unit 200 is terminated so that the program, whose license or temporary work files were in use, runs normally in the general area (that is, the non-secure area) (see S280 and S290 in FIG. 2).
- programs such as Notepad do not read configuration data needed for startup or use a cache folder, so access to the secure storage area can be controlled by process name alone.
- when the program operates differently according to its temporary work information, such as a Photoshop program, only the driving path may be changed to separate the work information in the secure storage area from the work information in the non-secure area.
- in the Photoshop embodiment of FIG. 4, it can be seen that the list of recently viewed documents is displayed differently when working in the secure storage area and when working in the non-secure area.
- when the license file is updated at the start and end of the program, as with an AutoCAD or SolidWorks program (that is, a 2D or 3D CAD program), the license file is placed among the temporary files and folders that existed at the time of installation.
- when the secure storage area control unit 200 terminates, it is necessary to copy the license file last referenced in the secure storage area to the original path.
- the license file of the program is broken, requiring reinstallation or the issue of a new license key as shown in FIG. 5, and personal use outside of work may be blocked.
- the security policy storage unit 220 may hold a unique value together with a program name that can access the secure storage area to determine whether the corresponding program is actually the same program.
- the unique value may be configured as a hash value of the driving binary file in addition to additional information such as manufacturer, version, and product name, which are corresponding program attribute information.
- the security policy storage unit 220 may store an output policy regarding whether a program accessed from a secure storage area may perform document output using a printer spool along with a program allow list for each user.
- the security program driving path copying unit 230 is a component that copies the license file, temporary work files, and temporary work folder that a program set to access the secure storage area reads or uses when it runs to a designated space in the secure storage area.
- the folder structure in the secure folder where the copy is made may be built by reproducing the absolute path actually used by the corresponding program under a subfolder in the secure storage area.
- for example, the actual temporary working folder is C:\DocumentandSetting\ApplicationCash
- when copied to a secure folder, the example will be copied to S:\_Secure\C\DocumentandSetting\ApplicationCash, and depending on the policy, only the path may be copied, or all of the subordinate data may be copied as well.
- the security program driving path copying unit 230 may create the copied files and folders as hidden files and folders so that they are not exposed to the user in the secure storage area.
- the security program driving path copying unit 230 may recopy the license file or the required file from the secure storage area to the original storage area according to a program setting policy for each user when the secure storage area control unit 200 terminates.
- the security program drive path switching unit 240 is a component that makes the paths of the license file, temporary work files, and temporary work folder that the program should refer to when it is run be recognized as the secure working area copied into the secure storage area, so that the data can be viewed and created in the secure storage area.
- the relevant files and folders can be converted into a secure storage area.
- this can be implemented at the filter driver or minifilter driver level in the file system.
- the request for can be turned into a workspace in a secure storage area.
- Notepad.exe calls CreateFile to create the file c:\temp\1.txt.
- Second, in the case of events such as file deletion or renaming, the corresponding APIs are called.
- the request passes from Kernel32.dll to ntdll.dll and on to the kernel level.
- the IO manager creates an IRP for c:\temp\1.txt and passes it to the driver stack.
- the IRP is delivered to the minifilter manager.
- the IRP is a request for c:\temp\1.txt.
- the minifilter manager sends the packet data to the minifilter driver's pre callback function, and the minifilter driver's callback function changes the request for "c:\temp\1.txt" to "d:\_sec\temp\1.txt" and returns IO_REPARSE.
- the minifilter manager checks IO_REPARSE and asks the IO manager to recreate the IRP.
- the IO manager recreates the IRP directed to "d:\_sec\temp\1.txt".
- the newly created packet descends the driver stack and is delivered to the minifilter manager.
- Tenth, the request enters the minifilter, but no redirect occurs because the file is in a secure folder.
- an IRP directed to "d:\_sec\temp\1.txt" is passed to the file system driver.
- the file system driver creates the "d:\_sec\temp\1.txt" file.
- the security program read control unit 250 determines whether the program attempting access matches the process information, recorded in the security policy storage unit 220, of programs that may access the secure storage area. If it matches, the security program read control unit 250 allows the corresponding process to view the file in the secure storage area. At this time, the security program read control unit 250 treats the process as having switched from an access-allowed process to a monitoring process as soon as it accesses the secure storage area (see S240 of FIG. 2).
- the security program read control unit 250 may be configured to judge the access of a process only for file system events occurring in the secure storage area, and may be configured to allow the reading of files stored outside the secure storage area. In some cases, it may be configured so that files outside the secure storage area cannot be read.
- Embodiments of the read control on the secure storage area may be implemented at various levels, such as filter drivers, minifilter drivers, or dialog hooking at the Win32 level.
- an embodiment of blocking or allowing access while monitoring file system events in the secure storage area using minifilter driver technology will be described with reference to FIG. 7. FIG. 7 shows an event log and a user screen in which a program called EditorPlus attempts to read log.ext in the secure storage area and is blocked from reading it by the security program read control unit 250.
- the security program write control unit 260 refers to file system events when a monitoring program or monitoring process that has viewed a file in the secure storage area attempts to save a file; it allows the save when the file save event occurs in the secure storage area and prohibits the save when it is attempted in any other area (see S260 and S270 of FIG. 2).
- the operation method of FIG. 8 will be described using a minifilter driver.
- when notepad.exe attempts access while file system events in the secure storage area are being monitored, access is allowed because it is an allowed process, and at the same time it changes to a monitoring process and reading is allowed. Subsequently, if an attempt is made to save the file that was allowed to be viewed in a space other than the secure storage area, the save attempt by the Notepad process ID is blocked, as shown in the event log of columns 36 to 39 of FIG. 8.
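The redirect, read-control and write-control decisions described in the steps above can be modelled in user-mode C. This is an added example, not code from the patent: the structure names, the redirect table and the process entries are assumptions, and a real minifilter would make these decisions in its kernel pre-create callback.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SECURE_ROOT "d:\\_sec"   /* secure storage area, as in the page's example */
#define MAX_PATH_LEN 260

enum verdict { PASS_THROUGH, REPARSE, DENY };

struct proc {
    const char *image;  /* process image name (constructed) */
    int allowed;        /* listed as an access-allowed program in the policy */
    int monitored;      /* set once the process has touched the secure area */
};

/* Driving-path redirections from the security policy (constructed table). */
struct redirect { const char *from; const char *to; };
static const struct redirect REDIRECTS[] = {
    { "c:\\temp", "d:\\_sec\\temp" },
};

/* Case-insensitive check: path equals prefix or lies below it. */
static int under(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return path[n] == '\\' || path[n] == '\0';
}

/* Model of the pre-create callback. On REPARSE the rewritten path is in out. */
enum verdict pre_create(struct proc *p, const char *path, int is_write,
                        char *out, size_t outlen)
{
    if (under(path, SECURE_ROOT)) {
        if (!p->allowed)
            return DENY;          /* read control: program not in the policy */
        p->monitored = 1;         /* allowed process becomes a monitoring process */
        return PASS_THROUGH;      /* already in the secure folder: no redirect */
    }
    if (!p->allowed)
        return PASS_THROUGH;      /* general-area work by other programs is untouched */
    for (size_t i = 0; i < sizeof REDIRECTS / sizeof REDIRECTS[0]; i++) {
        const struct redirect *r = &REDIRECTS[i];
        if (under(path, r->from)) {
            int n = snprintf(out, outlen, "%s%s", r->to, path + strlen(r->from));
            return (n < 0 || (size_t)n >= outlen) ? DENY : REPARSE;
        }
    }
    if (p->monitored && is_write)
        return DENY;              /* write control: no saving outside the secure area */
    return PASS_THROUGH;
}

/* Model of the IO manager: reissue the request while the filter asks for a reparse. */
enum verdict open_file(struct proc *p, const char *path, int is_write,
                       char *final, size_t finallen)
{
    char cur[MAX_PATH_LEN], next[MAX_PATH_LEN];
    if (snprintf(cur, sizeof cur, "%s", path) >= (int)sizeof cur)
        return DENY;
    for (int hops = 0; hops < 4; hops++) {
        enum verdict v = pre_create(p, cur, is_write, next, sizeof next);
        if (v != REPARSE) {
            snprintf(final, finallen, "%s", cur);
            return v;
        }
        strcpy(cur, next);        /* same buffer size, next is NUL-terminated */
    }
    return DENY;                  /* guard against a redirect loop */
}

int main(void)
{
    struct proc notepad = { "notepad.exe", 1, 0 };
    char final[MAX_PATH_LEN];
    enum verdict v = open_file(&notepad, "c:\\temp\\1.txt", 1, final, sizeof final);
    printf("c:\\temp\\1.txt -> %s (verdict %d)\n", final, (int)v);
    return 0;
}
```

The bounded hop count matters in a real filter as well: a redirect target that itself matches a redirect rule would otherwise reparse forever.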
- the secure storage area encryption/decryption unit 270 is a component that decrypts or encrypts data on read/write events of the file system occurring in the storage space when a file is stored in the secure storage area.
- when a file system event occurs, a minifilter driver or a file system filter driver can be used to hook read events and decrypt the data.
- the secure storage area display control unit 280 may set and display the secure storage area as a folder under a specific volume, or may configure and display the secure storage area as a drive volume.
- the security storage area can be controlled to not be displayed before user authentication so that the security storage area is displayed only after user authentication.
- the security program event controller 290 controls, for each process, events in which a data area is selected, copied, and pasted, or in which a data area is selected and dragged and dropped with a mouse to copy data. Such copying is possible between processes that access the secure storage area, but it is controlled so that it is not possible from a secure process to a process of the general area (see S250 of FIG. 2).
- the secure storage area controller 200 may be further configured with a file export controller 2AA, a survival period controller 2BB, a printer spool controller 2CC, a system cache initialization unit 2DD, and a program driving learning unit 2EE.
- the file export control section 2AA is a component that allows files in the secure storage area to be decrypted and copied to a place other than the secure storage area.
- the export may be performed by transmitting a document to a server accessible by a user authorized to export through the security policy storage unit 220. Depending on policy permissions, the file to be exported from the secure storage area may be copied to a previously defined location such as the PC's desktop, My Documents, or a mounted USB drive, or transferred to a server designated for recording exports. That is, the file export control unit 2AA determines (controls) whether or not a file stored in the secure storage area can be copied (exported) to the non-secure area according to an approval procedure through the network or a user security policy.
- the survival period control unit 2BB is a component that, in order to prevent a file created in the secure storage area from being stored for a long time, forcibly deletes the file or hides it from the user when it exceeds the time set in the policy, based on the file times on the file system (creation time, modification time, access time, etc.) or the metadata management time. This is effective in encouraging the user not to keep files for a long time and to move a file to a specified server before the file's survival period expires.
- the survival period control unit 2BB may include a function of notifying the user of a list of files whose survival period is about to expire.
- the printer spool control unit 2CC is a component that controls whether or not a program may output a document through the printer spool, according to the printer spool security policy (i.e., whether or not each program can access the printer spool, per user) recorded in the security policy storage unit 220. That is, the printer spool control unit 2CC determines (controls) whether or not a program that accesses the secure storage area can transmit a document to the printer spool.
- the system cache initializer 2DD is a component that initializes various data cache spaces provided by the operating system (OS).
- if decrypted file data remains in a file system buffer, a recently opened file can be called up by running a program capable of reading the file data after access control on the secure storage area is terminated.
- the decrypted data can be read in the corresponding program using the file system buffer provided by the file system without accessing the file system in which the recently opened file is encrypted.
- in addition to the file system, when a body string of a file stored in the secure storage area is loaded in, for example, the clipboard, a leak of the clipboard data can be attempted by restarting the same program after the access control for the secure storage area is terminated.
- likewise, when a program stores a specific data value (e.g., a recently used file name) in the registry, a leak of security-relevant strings from the secure storage area may be attempted, as with the clipboard.
- the system cache initialization unit 2DD may initialize the file system cache or the clipboard according to the type of operating system. It can also initialize registry values used by the monitoring process. In some cases, when the operating system does not support file system or clipboard cache initialization, the system cache initialization unit 2DD may forcibly log out the user session or force the computer to reboot.
- when a program installed on the user PC or its version cannot be confirmed, and the secure storage area controller 200 therefore cannot apply the security policy, the program driving learning unit 2EE makes it possible for the program to be allowed to access the secure storage area.
- the program driving learning unit 2EE derives the attribute information of the program, the registered registry value, or the hash value of the binary file of the driving file of the program, and can check the version information of the corresponding program by transmitting this to the server or by using a data file received from the server.
- the program driving learning unit 2EE may register the version information of the checked program in the security policy storage unit 220 or transmit the information to the server through the network.
- the program driving learner 2EE may identify the folders and files necessary for driving the corresponding program by referring to the file system events generated when the program is driven. Through this, the program driving learning unit 2EE may determine the file or folder path values that should be copied to the secure storage area before the program is driven, the file or folder path values to be restored when the secure storage area control unit 200 is terminated, and so on; if necessary, the information may be sent to the security policy storage unit 220 or transmitted to a server through a network.
- the PC drive control unit 300 may be further configured in addition to the secure storage area control unit 200 to enhance access control of the program regarding the secure storage area.
- the PC driving control unit 300 may include a PC driving policy control unit 310, a driving policy storage unit 320, a program driving control unit 330, a network driving control unit 340, and a USB driving control unit 350.
- the PC driving policy controller 310 controls the program driving controller 330, the network driving controller 340, and the USB driving controller 350 driven by the PC by referring to the PC driving policy stored in the driving policy storage 320. Perform the function.
- the driving policy storage unit 320 may store, for each user, information about the PC running policy, such as the list of programs that can be run on the PC, the list of network domains, IPs, and ports to be accessed or blocked from the PC, and whether the USB used in the PC is read/write disabled, read-only, or read/writable.
- the PC running policy may be stored in an encrypted file form or may be received after user authentication from a specific designated server.
- the program driving controller 330 is a component that controls a program driven by a PC to be driven within a program range set for each user in the driving policy storage 320. Accordingly, the program driving control unit 330 blocks driving of a program not recorded in the driving policy storage unit 320. In addition, the program driving controller 330 may also perform a function of preventing a malicious user from running a program to attack or disable the secure storage area controller 200 on the PC.
- the network driving controller 340 is a component that restricts accessible network servers and services so that network access is allowed only within a range set for each user in the driving policy storage 320. Accordingly, the network driving control unit 340 blocks access to any network that is not recorded in the driving policy storage unit 320. Through this, attempts by external hackers to infiltrate the secure storage area can be blocked, and internal users can transfer files in the secure storage area only to authorized network servers and services.
- the USB drive controller 350 is a component that restricts read/write operations on the USB drive so that the USB read/write operation can be performed only within a range set for each user in the drive policy storage 320. Accordingly, the USB driving controller 350 may selectively block the read/write operation of the USB based on the policy recorded in the driving policy storage 320. Through this, when an internal user tries to copy a file in the secure storage area to an external USB by using the file export control unit 2AA, copying the file to the USB, or the reverse, can be allowed according to the range set for each user.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Business, Economics & Management (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Entrepreneurship & Innovation (AREA)
- Strategic Management (AREA)
- Human Resources & Organizations (AREA)
- Quality & Reliability (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Economics (AREA)
- Marketing (AREA)
- Operations Research (AREA)
- Tourism & Hospitality (AREA)
- General Business, Economics & Management (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Storage Device Security (AREA)
- Automation & Control Theory (AREA)
Claims (8)
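- A computer-implemented method for executing access control of an application program to a secure storage area, the method comprising: executing, upon user authentication, a security agent for business security on a user terminal; copying, for each application program permitted to access the secure storage area for business security, the files required to run it or the folder at its original path to a pre-designated path in the secure storage area; and switching, for each application program permitted to access the secure storage area, the run path of that application program from the original path to the path of the copied folder in the secure storage area.
- The method of claim 1, further comprising, when the security agent is executed, extracting, for the authenticated user, a security policy concerning: information on the access-permitted programs or processes that are allowed to access the secure storage area, information on the files or folders that must be copied before an access-permitted program is run, and run-path switching information for the access-permitted programs.
- The method of claim 2, wherein the security policy includes information on the files or folders that must be restored from the folder at the switched run path to the original run path when execution of the security agent ends, the method further comprising, when execution of the security agent ends, extracting from the security policy the files or folders to be restored for each application program permitted to access the secure storage area, and re-copying them to, or updating them at, the original path.
- The method of claim 2, further comprising: when an application program or process attempts to access the secure storage area, determining whether the program or process attempting access is an access-permitted program or process under the security policy; and, if the determination shows that it is, permitting access to the secure storage area by that program or process and recognizing the program or process granted access as a monitored process.
- The method of claim 4, further comprising, when the monitored process attempts an event of copying the content of a file in the secure storage area or an event of pasting that content into another process, permitting execution of the event only if the other process is a monitored process.
- The method of claim 4, further comprising, when the monitored process attempts to save a file to a storage area other than the secure storage area, blocking execution of that file save.
- The method of claim 3, further comprising, when execution of the security agent ends, initializing at least one of the file system cache supported by the operating system, the clipboard, and registry values.
- The method of claim 3, further comprising: identifying, by referring to at least one of the attribute information of an application program, its registered registry values, the hash value of the binary of its executable file, and file system event information at program run time, the version information of an unidentified application program, the files or folders required to run it, the files or folders that need to be restored or updated, and its original installation path; and adding the unidentified application program to the programs subject to security by reflecting the identified result in the security policy.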
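The access decisions of claims 4 to 6, modelled as an added example that is not code from the patent. The secure-area path, the policy contents and all class and method names are hypothetical, and programs are matched by name only to keep the model short.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

SECURE_ROOT = PureWindowsPath(r"S:\secure")  # hypothetical secure storage area


@dataclass
class SecureAreaMonitor:
    """Decision model for claims 4-6, for one authenticated user."""
    # Hypothetical policy: lower-case names of access-permitted programs.
    # Names keep the sketch short; claim 8 also lists the executable's binary
    # hash as identifying information.
    allowed_programs: set
    monitored: set = field(default_factory=set)  # PIDs recognized as monitored

    @staticmethod
    def in_secure_area(path: str) -> bool:
        p = PureWindowsPath(path)  # compares case-insensitively, as Windows paths do
        if ".." in p.parts:        # refuse paths that could climb out of the area
            return False
        return p == SECURE_ROOT or SECURE_ROOT in p.parents

    def open_file(self, pid: int, program: str, path: str) -> bool:
        """Claim 4: only policy-listed programs may access the secure area;
        a program that is let in becomes a monitored process."""
        if not self.in_secure_area(path):
            return True            # ordinary storage is not controlled here
        if program.lower() not in self.allowed_programs:
            return False
        self.monitored.add(pid)
        return True

    def paste(self, src_pid: int, dst_pid: int) -> bool:
        """Claim 5: content copied by a monitored process may be pasted
        only into another monitored process."""
        return src_pid not in self.monitored or dst_pid in self.monitored

    def save_file(self, pid: int, path: str) -> bool:
        """Claim 6: a monitored process may save only inside the secure area.
        An unmonitored process never passed the claim 4 check, so it may save
        only outside it."""
        return self.in_secure_area(path) == (pid in self.monitored)
```
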
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020157023652A KR101705550B1 (ko) | 2014-04-15 | 2015-04-01 | Method and apparatus for access control of application program for secure storage area |
US15/304,191 US10289860B2 (en) | 2014-04-15 | 2015-04-01 | Method and apparatus for access control of application program for secure storage area |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR10-2014-0045070 | 2014-04-15 | ||
KR20140045070 | 2014-04-15 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015160118A1 (ko) | 2015-10-22 |
Family
ID=54324264
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2015/003258 WO2015160118A1 (ko) | Method and apparatus for access control of application program for secure storage area | 2014-04-15 | 2015-04-01 |
Country Status (3)
Country | Link |
---|---|
US (1) | US10289860B2 (ko) |
KR (1) | KR101705550B1 (ko) |
WO (1) | WO2015160118A1 (ko) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3525127A4 (en) * | 2016-08-08 | 2020-05-20 | Namusoft Co., Ltd. | METHOD AND SYSTEM FOR BLOCKING A PHISHING OR RANSOMWARE ATTACK |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10032041B2 (en) * | 2015-05-30 | 2018-07-24 | Apple Inc. | Storage volume protection using restricted resource classes |
KR101651392B1 (ko) * | 2016-03-08 | 2016-08-25 | 주식회사 시큐브 | System and method for executing additional authentication through an execution-only module |
KR101995015B1 (ko) * | 2017-04-18 | 2019-07-02 | (주)나무소프트 | Method for controlling the storage location of a document |
KR101844534B1 (ko) * | 2017-10-26 | 2018-04-02 | (주)지란지교소프트 | Method for applying security to an electronic file |
US11106491B2 (en) * | 2018-04-06 | 2021-08-31 | Beijing Didi Infinity Technology And Development Co., Ltd. | Method and system for kernel routine callbacks |
KR102227558B1 (ko) * | 2019-04-17 | 2021-03-12 | (주)나무소프트 | Data security method based on program protection |
US20220092193A1 (en) * | 2020-09-22 | 2022-03-24 | Keyavi Data Corp. | Encrypted file control |
CN112286706B (zh) * | 2020-12-25 | 2021-05-18 | 北京邮电大学 | Method for rapid remote acquisition of application information of Android applications, and related device |
KR102525655B1 (ko) * | 2020-12-31 | 2023-04-25 | (주)나무소프트 | Document storage control method |
KR20240031214A (ko) * | 2021-07-30 | 2024-03-07 | (주)기원테크 | Driving apparatus of a security equipment system providing a folder protection function, and operating method thereof |
KR102522217B1 (ko) | 2021-09-01 | 2023-04-17 | 주식회사 시큐웨어 | Apparatus for backing up data in a secure storage area and performing restoration based on backed-up data that includes time information |
CN113835933B (zh) * | 2021-11-26 | 2022-03-15 | 北京指掌易科技有限公司 | Data management method, apparatus, medium and electronic device |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2009020624A (ja) * | 2007-07-10 | 2009-01-29 | Canon Software Inc | Management server, control method for management server, program, and recording medium |
US20090038017A1 (en) * | 2007-08-02 | 2009-02-05 | David Durham | Secure vault service for software components within an execution environment |
KR101098947B1 (ko) * | 2009-02-03 | 2011-12-28 | 김상범 | Data security apparatus, data security method, and recording medium storing a program for executing the data security method |
KR101299051B1 (ko) * | 2011-09-07 | 2013-09-16 | 소프트캠프(주) | Apparatus and method for creating an information processing environment that separates work environments according to user account |
KR101373542B1 (ko) * | 2012-08-06 | 2014-03-12 | (주)소만사 | Personal information protection system using a virtualization-based logical network separation technique |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
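KR101078546B1 (ko) | 2011-06-27 | 2011-11-01 | 박주혁 | Apparatus for encrypting and decrypting secure data files based on identification information of a general-purpose storage device, and electronic signature system using the same |
KR101371031B1 (ko) * | 2012-06-07 | 2014-03-10 | 주식회사 더존정보보호서비스 | Drive-based file security system |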
US8954387B2 (en) * | 2012-06-07 | 2015-02-10 | Vmware, Inc. | Tracking changes that affect performance of deployed applications |
2015
- 2015-04-01 US US15/304,191 patent/US10289860B2/en active Active
- 2015-04-01 WO PCT/KR2015/003258 patent/WO2015160118A1/ko active Application Filing
- 2015-04-01 KR KR1020157023652A patent/KR101705550B1/ko active IP Right Grant
Also Published As
Publication number | Publication date |
---|---|
KR101705550B1 (ko) | 2017-02-10 |
KR20150144312A (ko) | 2015-12-24 |
US10289860B2 (en) | 2019-05-14 |
US20170039383A1 (en) | 2017-02-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2015160118A1 (ko) | Method and apparatus for access control of application program for secure storage area | |
US10356086B1 (en) | Methods and apparatuses for securely operating shared host computers with portable apparatuses | |
US7971232B2 (en) | Setting group policy by device ownership | |
US8166515B2 (en) | Group policy for unique class identifier devices | |
US8745386B2 (en) | Single-use authentication methods for accessing encrypted data | |
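KR100596135B1 (ko) | Per-application access control system using a virtual disk, and control method thereof | |
WO2018030667A1 (ko) | Method and system for blocking phishing or ransomware attacks | |
CN109508224B (zh) | User data isolation and protection *** and method based on a KVM virtual machine | |
WO2011031093A2 (ko) | Digital rights management apparatus and method using virtualization technology | |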
US10650158B2 (en) | System and method for secure file access of derivative works | |
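WO2009110275A1 (ja) | Confidential information leakage prevention system and confidential information leakage prevention method | |
WO2018212474A1 (ko) | Auxiliary storage device having an independent restoration area, and device to which it is applied | |
CN104361291B (zh) | Data processing method and apparatus | |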
Scarfone et al. | Guide to storage encryption technologies for end user devices | |
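WO2021107177A1 (ko) | Method and system for blocking ransomware or phishing attacks | |
KR101227187B1 (ko) | Export control system for secure-area data, and control method thereof | |
KR20130027288A (ko) | Apparatus and method for creating an information processing environment that separates work environments according to user account | |
KR101552688B1 (ko) | Data security method and system according to user policy settings at the endpoint | |
JP2021174432A (ja) | Electronic data management method, electronic data management apparatus, and program and recording medium therefor | |
JP6957311B2 (ja) | Information leakage prevention apparatus and information leakage prevention program | |
JP2008083886A (ja) | Confidential information leakage prevention method and system | |
CN112434285B (zh) | File management method, apparatus, electronic device and storage medium | |
JP2011039716A (ja) | Information storage medium and information system | |
WO2024071529A1 (ko) | Local data protection system | |
TWI783189B (zh) | BitLocker disk management system |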
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| ENP | Entry into the national phase | Ref document number: 20157023652; Country of ref document: KR; Kind code of ref document: A |
| 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 15780218; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | WIPO information: entry into national phase | Ref document number: 15304191; Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | EP: PCT application non-entry in European phase | Ref document number: 15780218; Country of ref document: EP; Kind code of ref document: A1 |