CN109117664A - The access control method and device of application program - Google Patents
Publication number: CN109117664A (application CN201810798889.0A)
Authority: CN (China)
Prior art keywords: call request, function, file, default, desktop
Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The present invention provides an access control method and device for application programs. The method comprises: creating a virtual desktop; adding at least one application program of the original desktop to the virtual desktop; if the start of any target application program in the virtual desktop is detected, performing Inline Hook on preset functions in the Windows function library, the preset functions including a preset network access function, a preset clipboard handling function and a preset registry handling function; intercepting the target application program's call request to a preset function; determining, according to a preconfigured control strategy and the parameters in the call request, the target control strategy corresponding to those parameters and the preset function; if the target control strategy is allow, calling the preset function in response to the call request; if the target control strategy is deny, refusing the call request according to the preset refusal strategy of the preset function; and if the target control strategy is redirect, redirecting the call request according to the preset redirection strategy of the preset function.
Description
Technical field
The present invention relates to the technical field of data security, and more particularly to an access control method and device for application programs.
Background technique
In recent years, with the outbreak of various leak incidents, leaks of secrets have come to pose a great threat to national security and long-term development. The financial industry, which bears on the national economy, has an even higher demand for security protection and an even greater need to prevent leak incidents promptly.
Whatever the industry, leaks must be prevented; to avoid them, the application programs on employees' computers in every trade and profession can be placed under secure access control, so that persons intending to leak information are prevented from doing so through the application programs on enterprise computers.
Therefore, a technical problem that urgently needs to be solved by those skilled in the art is: how to apply various access controls to the application programs on a terminal, so as to ensure the security of terminal information.
Summary of the invention
The present invention provides an access control method and device for application programs, so as to solve the problem that the related art cannot apply various access controls to the application programs on a terminal.
To solve the above problem, according to one aspect of the present invention, the invention discloses an access control method for application programs, applied to a terminal device, the method comprising:
creating a virtual desktop;
adding at least one application program of the original desktop to the virtual desktop;
if the start of any target application program in the virtual desktop is detected, performing Inline Hook on preset functions in the Windows function library, wherein the preset functions include a preset network access function, a preset clipboard handling function and a preset registry handling function;
intercepting the target application program's call request to the preset function;
determining, according to a preconfigured control strategy and the parameters in the call request, the target control strategy corresponding to the parameters and the preset function;
if the target control strategy is to allow the call request, calling the preset function in response to the call request;
if the target control strategy is to deny the call request, refusing the call request in response to it according to the preset refusal strategy of the preset function, and returning a refusal result;
if the target control strategy is to redirect the call request, redirecting the call request according to the preset redirection strategy of the preset function, and calling the preset function in response to the redirected call request.
Optionally, when the preset function includes the preset network access function, the parameters in the call request include the target address range of the network address to be accessed;
the determining, according to the preconfigured control strategy and the parameters in the call request, of the target control strategy corresponding to the parameters and the preset function comprises:
determining the target control strategy corresponding to the target address range according to the correspondence, preconfigured for the preset network access function, between different address ranges and different control strategies.
Optionally, when the preset function includes the preset clipboard handling function, the parameters in the call request include the text to be pasted, the first desktop identifier to which the source file of the text to be pasted belongs, and the second desktop identifier to which the target file of the text to be pasted belongs;
the determining, according to the preconfigured control strategy and the parameters in the call request, of the target control strategy corresponding to the parameters and the preset function comprises:
judging whether the first desktop identifier and the second desktop identifier are identical;
if they are identical, determining, according to the control strategy preconfigured for the preset clipboard handling function, that the target control strategy is to allow the call request;
if they differ, determining, according to the control strategy preconfigured for the preset clipboard handling function, that the target control strategy is to deny the call request;
and the refusing of the call request, in response to it and according to the preset refusal strategy of the preset function, with return of a refusal result when the target control strategy is to deny the call request comprises:
if the target control strategy is to deny the call request, in response to the call request, performing a preset modification on the text to be pasted in the call request according to the preset refusal strategy of the preset clipboard handling function, and returning the modification result, wherein the preset modification includes emptying the characters or scrambling the order of the characters.
Optionally, the preset registry handling function includes a registry write function; when the preset function includes the registry write function, the parameters in the call request include the original path of the item to be written in the original registry, the target key of the item to be written, and the target value of the target key;
the determining, according to the preconfigured control strategy and the parameters in the call request, of the target control strategy corresponding to the parameters and the preset function comprises:
determining, according to the control strategy preconfigured for the preset registry write function and the parameters in the call request, that the target control strategy corresponding to the parameters and the preset registry write function is to redirect the call request;
and the redirecting of the call request according to the preset redirection strategy of the preset function, with the preset function called in response to the redirected call request, when the target control strategy is to redirect the call request comprises:
if the target control strategy is to redirect the call request, creating a redirection registry under a subkey of the target key of the original registry according to the original path;
modifying the original path in the call request to the redirected path of the item to be written in the redirection registry;
and, in response to the redirected call request, calling the preset registry write function to write the target value to the value of the target key at the redirected path in the redirection registry.
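As an added example that is not part of the patent, the following Python models the target-control-strategy decisions of the three optional cases above: address-range lookup for the network access function, the same-desktop check with the empty/scramble refusal for the clipboard handling function, and path rewriting for the registry write function. The Windows hooks themselves are not modelled; the sample address ranges, desktop identifiers and the redirection subkey name are assumptions.

```python
"""Policy decisions for the three hooked function families (added example,
not the patent's own code). Each function receives only the parameters a
hook would have captured from the call request and returns the target
control strategy together with its effect."""
import ipaddress
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOW, DENY, REDIRECT = "allow", "deny", "redirect"

# Preset network access function (connect / sendto / recvfrom):
# address range -> control strategy. Sample policy, constructed for the demo.
NETWORK_POLICY: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("10.0.0.0/8"), ALLOW),     # corporate intranet
    (ipaddress.ip_network("10.99.0.0/16"), DENY),    # quarantined segment
]
NETWORK_DEFAULT = DENY  # any address not covered by a range is refused


def decide_network(dest_ip: str) -> str:
    """Target control strategy for the destination address in a call request.
    Longest-prefix match so that a narrow rule can override a wider one."""
    ip = ipaddress.ip_address(dest_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, strategy in NETWORK_POLICY:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, strategy)
    return best[1] if best else NETWORK_DEFAULT


# Preset clipboard handling function (SetClipboardData / GetClipboardData):
# a paste is allowed only when source and target file belong to the same desktop.
@dataclass
class ClipboardRequest:
    text: str
    source_desktop: str  # desktop identifier of the file the text was copied from
    target_desktop: str  # desktop identifier of the file it is being pasted into


def decide_clipboard(req: ClipboardRequest) -> str:
    return ALLOW if req.source_desktop == req.target_desktop else DENY


def refuse_clipboard(req: ClipboardRequest, mode: str, rng: random.Random) -> str:
    """Preset refusal strategy: the paste target receives a modified text
    (characters emptied, or their order scrambled) instead of the original."""
    if mode == "empty":
        return ""
    if mode == "shuffle":
        chars = list(req.text)
        rng.shuffle(chars)
        return "".join(chars)
    raise ValueError(f"unknown refusal mode {mode!r}")


def handle_clipboard(req: ClipboardRequest, mode: str = "empty",
                     rng: Optional[random.Random] = None) -> Tuple[str, str]:
    """Returns (strategy, text actually delivered to the paste target)."""
    strategy = decide_clipboard(req)
    if strategy == ALLOW:
        return strategy, req.text
    return strategy, refuse_clipboard(req, mode, rng or random.Random())


# Preset registry write function: writes are always redirected into a
# redirection registry created under a subkey of the target key. Keeping one
# redirection key per desktop identifier is an assumption of this example.
REDIRECT_SUBKEY = "VDRedirect"  # assumed name of the redirection subkey

Registry = Dict[str, Dict[str, str]]  # key path -> {value name: value}


def redirected_path(original_path: str, target_key: str, desktop_id: str) -> str:
    return f"{original_path}\\{target_key}\\{REDIRECT_SUBKEY}\\{desktop_id}"


def handle_registry_write(reg: Registry, original_path: str, target_key: str,
                          target_value: str, desktop_id: str) -> Tuple[str, str]:
    """Strategy is REDIRECT: rewrite the path in the call request, then perform
    the write at the redirected path so the original key is never touched."""
    path = redirected_path(original_path, target_key, desktop_id)
    reg.setdefault(path, {})[target_key] = target_value  # create key + write value
    return REDIRECT, path
```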
Optionally, after adding the at least one application program of the original desktop to the virtual desktop, the method further includes:
if a preset minifilter driver detects a file operation request of any target application program started in the virtual desktop, judging the file operation type according to the file operation request;
if the file operation type is file open, determining the target file name in the file operation request and the original directory of the target file in the original desktop;
redirecting the original directory in the storage space corresponding to the virtual desktop according to the structure of the original directory, to obtain the redirection directory of the target file;
copying the target file having the target file name in the original directory of the original desktop to the redirection directory of the virtual desktop;
and, in response to the file operation request, opening the target file having the target file name at the redirection directory.
Optionally, after the preset minifilter driver detects a file operation request of any target application program started in the virtual desktop and judges the file operation type according to the file operation request, the method further includes:
if the file operation type is file write, determining the target file name in the file operation request and the original directory of the target file in the original desktop;
redirecting the original directory in the storage space corresponding to the virtual desktop according to the structure of the original directory, to obtain the redirection directory of the target file;
copying the target file in the original directory of the original desktop to the redirection directory of the virtual desktop;
in response to the file operation request, performing the write operation on the target file at the redirection directory;
and encrypting the target file after the write operation according to a preset encryption algorithm.
Optionally, after the preset minifilter driver detects a file operation request of any target application program started in the virtual desktop and judges the file operation type according to the file operation request, the method further includes:
if the file operation type is file read, determining the target file name in the file operation request and the original directory of the target file in the original desktop;
determining the redirection directory of the target file in the virtual desktop according to the original directory;
decrypting the target file having the target file name at the redirection directory according to a preset decryption algorithm;
and, in response to the file operation request, performing the read operation on the decrypted target file and returning the read result.
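As an added example (not the patent's own code), the following Python models the open, write and read handling of the three optional clauses above: the redirection directory mirrors the original directory structure under the desktop's storage space, an open copies the file in, a write lands on the redirected copy and is then encrypted, and a read decrypts first. The keystream cipher is a demo stand-in for the patent's unspecified preset algorithm; the directory names and key are constructed.

```python
"""Virtual-desktop file redirection with encrypt-on-write / decrypt-on-read
(added example, not the patent's code). The SHA-256 keystream XOR below only
stands in for the unspecified "preset encryption algorithm"; a vetted AEAD
such as AES-GCM belongs in a real implementation."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric: applying it twice with the same key restores the data."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


class VirtualDesktopFiles:
    """Redirection directory = storage space of the desktop + the original
    path relative to the original desktop root (structure is mirrored)."""

    def __init__(self, original_root: Path, storage_root: Path, key: bytes):
        self.original_root = Path(original_root)
        self.storage_root = Path(storage_root)
        self.key = key

    def redirect_dir(self, original_dir: Path) -> Path:
        rel = Path(original_dir).resolve().relative_to(self.original_root.resolve())
        target = self.storage_root / rel
        target.mkdir(parents=True, exist_ok=True)
        return target

    def _redirected(self, original_file: Path) -> Path:
        p = Path(original_file)
        return self.redirect_dir(p.parent) / p.name

    def open(self, original_file: Path) -> Path:
        """Open request: copy the original into the redirection directory (if not
        already there) and return the redirected path. The copy stays plaintext
        until the first write encrypts it, which matches the flow in the text."""
        dst = self._redirected(original_file)
        if not dst.exists() and Path(original_file).exists():
            shutil.copy2(original_file, dst)
        return dst

    def write(self, original_file: Path, data: bytes) -> Path:
        """Write request: redirect, write, then encrypt the redirected file.
        The file in the original desktop is never modified."""
        dst = self.open(original_file)
        dst.write_bytes(data)                            # the app's write lands here
        dst.write_bytes(keystream_xor(self.key, data))   # then encrypt at rest
        return dst

    def read(self, original_file: Path) -> bytes:
        """Read request: decrypt the redirected copy and return the plaintext."""
        return keystream_xor(self.key, self._redirected(original_file).read_bytes())

    def close_desktop(self) -> None:
        """Cleanup strategy on desktop close: purge all redirected data."""
        shutil.rmtree(self.storage_root, ignore_errors=True)


def demo() -> dict:
    """Constructed scenario: an app in the virtual desktop edits a report."""
    original_root = Path(tempfile.mkdtemp(prefix="orig_"))
    storage_root = Path(tempfile.mkdtemp(prefix="vd_"))
    docs = original_root / "Documents"
    docs.mkdir()
    report = docs / "report.txt"
    report.write_bytes(b"draft v1")
    vd = VirtualDesktopFiles(original_root, storage_root, key=b"demo-key")
    redirected = vd.write(report, b"draft v2 with secret figures")
    result = {
        "redirected_path": str(redirected.relative_to(storage_root)),
        "original_unchanged": report.read_bytes() == b"draft v1",
        "at_rest_encrypted": b"secret" not in redirected.read_bytes(),
        "read_back": vd.read(report),
    }
    vd.close_desktop()
    result["purged"] = not storage_root.exists()
    shutil.rmtree(original_root, ignore_errors=True)
    return result
```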
Optionally, the method further includes:
if the virtual desktop is closed, purging the temporary data and/or redirected data generated in the virtual desktop according to a preconfigured data cleanup strategy.
Optionally, after adding the at least one application program of the original desktop to the virtual desktop, the method further includes:
if an access request of any application program is detected, judging whether the application program is a target application program in the virtual desktop;
if not, refusing the access request.
According to another aspect of the present invention, the invention also discloses an access control device for application programs, applied to a terminal device, the device comprising:
a creation module, for creating a virtual desktop;
an adding module, for adding at least one application program of the original desktop to the virtual desktop;
a hook module, for performing Inline Hook on preset functions in the Windows function library if the start of any target application program in the virtual desktop is detected, wherein the preset functions include a preset network access function, a preset clipboard handling function and a preset registry handling function;
an interception module, for intercepting the target application program's call request to the preset function;
a first determining module, for determining, according to a preconfigured control strategy and the parameters in the call request, the target control strategy corresponding to the parameters and the preset function;
a first response module, for calling the preset function in response to the call request if the target control strategy is to allow the call request;
a second response module, for refusing the call request in response to it according to the preset refusal strategy of the preset function, and returning a refusal result, if the target control strategy is to deny the call request;
a third response module, for redirecting the call request according to the preset redirection strategy of the preset function, and calling the preset function in response to the redirected call request, if the target control strategy is to redirect the call request.
Optionally, the first determining module includes:
a first determining submodule, for, when the preset function includes the preset network access function and the parameters in the call request include the target address range of the network address to be accessed, determining the target control strategy corresponding to the target address range according to the correspondence, preconfigured for the preset network access function, between different address ranges and different control strategies.
Optionally, the first determining module includes:
a judging submodule, for, when the preset function includes the preset clipboard handling function and the parameters in the call request include the text to be pasted, the first desktop identifier to which the source file of the text to be pasted belongs, and the second desktop identifier to which the target file of the text to be pasted belongs, judging whether the first desktop identifier and the second desktop identifier are identical;
a second determining submodule, for determining, if they are identical, according to the control strategy preconfigured for the preset clipboard handling function, that the target control strategy is to allow the call request;
a third determining submodule, for determining, if they differ, according to the control strategy preconfigured for the preset clipboard handling function, that the target control strategy is to deny the call request;
and the second response module includes:
a second response submodule, for, if the target control strategy is to deny the call request, performing, in response to the call request, a preset modification on the text to be pasted in the call request according to the preset refusal strategy of the preset clipboard handling function, and returning the modification result, wherein the preset modification includes emptying the characters or scrambling the order of the characters.
Optionally, the first determining module includes:
a fourth determining submodule, for, when the preset registry handling function includes a registry write function, the preset function includes the registry write function, and the parameters in the call request include the original path of the item to be written in the original registry, the target key of the item to be written and the target value of the target key, determining, according to the control strategy preconfigured for the preset registry write function and the parameters in the call request, that the target control strategy corresponding to the parameters and the preset registry write function is to redirect the call request;
and the third response module includes:
a creation submodule, for creating, if the target control strategy is to redirect the call request, a redirection registry under a subkey of the target key of the original registry according to the original path;
a modification submodule, for modifying the original path in the call request to the redirected path of the item to be written in the redirection registry;
a third response submodule, for calling the preset registry write function in response to the redirected call request, and writing the target value to the value of the target key at the redirected path in the redirection registry.
Optionally, the device further includes:
a first judging module, for judging the file operation type according to the file operation request if a preset minifilter driver detects a file operation request of any target application program started in the virtual desktop;
a second determining module, for determining, if the file operation type is file open, the target file name in the file operation request and the original directory of the target file in the original desktop;
a first redirection module, for redirecting the original directory in the storage space corresponding to the virtual desktop according to the structure of the original directory, to obtain the redirection directory of the target file;
a first copying module, for copying the target file having the target file name in the original directory of the original desktop to the redirection directory of the virtual desktop;
a fourth response module, for opening, in response to the file operation request, the target file having the target file name at the redirection directory.
Optionally, the device further includes:
a third determining module, for determining, if the file operation type is file write, the target file name in the file operation request and the original directory of the target file in the original desktop;
a second redirection module, for redirecting the original directory in the storage space corresponding to the virtual desktop according to the structure of the original directory, to obtain the redirection directory of the target file;
a second copying module, for copying the target file in the original directory of the original desktop to the redirection directory of the virtual desktop;
a fifth response module, for performing, in response to the file operation request, the write operation on the target file at the redirection directory;
an encryption module, for encrypting the target file after the write operation according to a preset encryption algorithm.
Optionally, the device further includes:
a fourth determining module, for determining, if the file operation type is file read, the target file name in the file operation request and the original directory of the target file in the original desktop;
a fifth determining module, for determining the redirection directory of the target file in the virtual desktop according to the original directory;
a decryption module, for decrypting the target file having the target file name at the redirection directory according to a preset decryption algorithm;
a sixth response module, for performing, in response to the file operation request, the read operation on the decrypted target file and returning the read result.
Optionally, the device further includes:
a cleanup module, for purging, if the virtual desktop is closed, the temporary data and/or redirected data generated in the virtual desktop according to a preconfigured data cleanup strategy.
Optionally, the device further includes:
a second judging module, for judging, if an access request of any application program is detected, whether the application program is a target application program in the virtual desktop;
a refusal module, for refusing the access request if the second judging module determines that the application program is not a target application program in the virtual desktop.
Compared with the prior art, the present invention has the following advantages:
The embodiment of the present invention creates a virtual desktop, adds one or more application programs of the original desktop to the virtual desktop and, when any target application program starts in the virtual desktop, performs an Inline Hook operation on the preset network access function, the preset clipboard handling function and the preset registry handling function. Then, when the target application program calls any of the functions on which the Inline Hook has been placed, the embodiment of the present invention can intercept the call request and, according to the preconfigured control strategy, apply access control to it (including allowing, denying and redirecting), so that various access controls such as network, clipboard and registry controls can be applied to the application programs in the virtual desktop, ensuring the access security of information.
Description of the drawings
Fig. 1 is a system architecture diagram of an embodiment of the access control system for application programs of the present invention;
Fig. 2 is a flow chart of the steps of an embodiment of the access control method for application programs of the present invention;
Fig. 3 is a structural block diagram of an embodiment of the access control system for application programs of the present invention.
Specific embodiment
In order to make the above objects, features and advantages of the present invention clearer and easier to understand, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Referring to Fig. 1, a system architecture diagram of an embodiment of the access control system for application programs of the present invention is shown.
The access control system for application programs of the embodiment of the present invention is based on the Windows platform and is generally divided into three levels: the desktop management layer, the MAC layer and the file encryption layer.
The desktop management layer is responsible for managing the desktop security environment (i.e. the virtual desktop); it mainly performs the environment check before the desktop security environment is created, its creation, exiting the desktop working environment, and the cleanup of the environment after exit.
The MAC layer controls the behaviour of the application programs started in the desktop according to the strategy configured for the desktop working environment.
The file encryption layer is responsible for redirecting and encrypting the data generated in the desktop working environment.
As shown in Fig. 1, the desktop management layer sits at the top of the overall architecture and consists of a desktop management module, a create-desktop-working-environment module, a pre-creation environment detection module, an exit-desktop-working-environment module and a post-exit environment cleanup module.
The desktop management module provides the user with visual desktop management operations, for example calling the create-desktop-working-environment module to create a desktop working environment, and calling the exit-desktop-working-environment module to exit or switch the desktop working environment.
The create-desktop-working-environment module calls the pre-creation environment detection module to check whether the current environment meets the conditions for creating a desktop working environment; once the check passes, it can call the Windows API to create the desktop and start the resource manager (Explorer), entering the MAC layer.
The exit-desktop-working-environment module is responsible for destroying the created desktop working environment and calling the post-exit environment cleanup module to clean up the information related to the desktop working environment, specifically including the redirected directories and files, the registry, and so on.
The post-exit environment cleanup module is responsible for cleaning up the information related to the desktop working environment.
The MAC layer is the middle layer of the overall architecture and links the layers above and below it. It is responsible for monitoring the application programs started in the desktop working environment (i.e. the virtual desktop); according to the configuration strategy of the desktop working environment it can call the network and clipboard control module and the registry redirection module for protection and control, and it passes the information of the applications started in the desktop working environment to the file encryption/decryption layer (specifically, this can include the PID (process identifier) of the application program started in the virtual desktop, the identification information of the virtual desktop and the control strategy of the virtual desktop).
The MAC layer includes a desktop application protection module, a network and clipboard control module and a registry redirection module. When an application program has been started in the virtual desktop, the desktop application protection module loads the network and clipboard control module and the registry redirection module into the process address space of that application program.
The file encryption/decryption layer is the lowest level of the overall architecture and is the core of file redirection and encryption. It is responsible for handling the file read and write operations of the application programs in the desktop working environment, performing the redirection of the application programs' file writes and encrypting the written files, so as to guarantee the security of the data.
The file encryption/decryption layer includes a file processing module, a file redirection module and an encryption/decryption service module.
The file processing module receives the file operation requests of the application programs in the virtual desktop from the desktop application protection module and calls the file redirection module and the encryption/decryption service module to respond to those requests.
The file redirection module is responsible for redirecting the file accesses (including reads and writes) of the application programs to a specific location;
the encryption/decryption module is responsible for encrypting the file data being written with the designated algorithm and decrypting the file data being read with the designated algorithm.
For the concrete function of modules in three-tier architecture in above-mentioned Fig. 1, here in conjunction with shown in Fig. 2 of the invention one
The step flow chart of the access control method embodiment of kind application program is described in detail, this method can be applied to terminal
Equipment can specifically include following steps:
Step 101, virtual desktop is created;
Wherein, as shown in Figure 1, when user selects creation virtual desktop in Windows original desktop, desktop management mould
Block can call creation desktop working environment module to create a virtual desktop, and creation desktop working environment module is empty in creation
When quasi- desktop, it is alternatively possible to context detection module before creation be called, to detect whether the environment of Windows meets creation void
The condition of quasi- desktop.
Wherein, which can be customized condition, such as Windows has run predetermined software at present;Or memory
Residue is greater than the conditions such as memory threshold.
Wherein, terminal device can be the arbitrary equipment with Windows operating system, such as PC (PC), pen
Remember this computer, tablet computer, mobile phone etc..
Wherein, original desktop is the included original desktop of Windows system, is known technology, which is not described herein again.
So when the environment of Windows meets the condition of creation virtual desktop, then desktop working environment module is created then
Windows api can be called to create virtual desktop, specifically, the CreateDesktop letter of windows system can be used
Number creation virtual desktop, wherein virtual desktop is a container.
Step 102, at least one application program in original desktop is added to the virtual desktop;
Wherein, creation desktop working environment module can also be the void of creation in Windows original desktop according to user
At least one application program in original desktop, is added to the void of the creation by least one application program of quasi- desktop selection
Quasi- desktop.So on the virtual desktop, so that it may access control to these application programs.
That is, the application program in virtual desktop is all the application program installed in original desktop.
Step 103, if the starting of any destination application program in the virtual desktop is detected, performing an Inline Hook on preset functions in the function library of Windows;
Wherein, the preset functions include a preset network access function, a preset clipboard processing function and a preset registry processing function;
Wherein, when an application program (any APP, referred to here as the target APP) starts in the virtual desktop, the desktop application protection module injects the network and clipboard control module and the registry redirection module into the process address space of the target APP. In this way, the network and clipboard control module can perform an Inline Hook operation on the key functions of the Windows network function library, i.e. the preset network access functions (such as the connect function (the network connection function), the Sendto function (which sends data to a specified destination) and the recvfrom function (which receives data and captures the address of the data source)), and on the key functions of the Windows clipboard function library, i.e. the preset clipboard processing functions (such as the SetClipboardData function (which stores data on the clipboard), the GetClipboardData function (which obtains data from the clipboard), the OleSetClipboard function (which places an IDataObject interface pointer on the clipboard), the OleGetClipboard function (which obtains an IDataObject interface pointer from the clipboard), etc.), so that when the application program calls a function that has been Inline Hooked, the relevant network access operations and clipboard operations of the target APP can be intercepted. In addition, the registry redirection module can perform an Inline Hook operation on the key functions of the Windows registry function library, i.e. the preset registry processing functions (such as the ZwOpenKey function, the ZwCreateKey function, the ZwDeleteKey function, the ZwQueryKey function, the ZwEnumerateValueKey function, etc.), so that when the application program calls a function that has been Inline Hooked, the relevant registry operations of the target APP can be intercepted.
Wherein, the above registry processing functions are all known functions and are not described in detail.
Wherein, the Hook mechanism allows an application program to intercept and handle Windows messages or specified events.
Step 104, intercepting a call request of the destination application program to the preset function;
Wherein, when the target APP running in the virtual desktop calls the preset network access function or the preset clipboard processing function, the network and clipboard control module of the embodiment of the present invention intercepts the call request of the target APP to the preset network access function or the preset clipboard processing function; when the target APP running in the virtual desktop calls the preset registry processing function, the registry redirection module of the embodiment of the present invention intercepts the call request of the target APP to the preset registry processing function.
Step 105, determining, according to a preconfigured control strategy and a parameter in the call request, a target control strategy corresponding to the parameter and the preset function;
Wherein, the method of the embodiment of the present invention can configure a control strategy in advance for the target APP running in the virtual desktop, for example which call requests of a preset function are allowed (passed through), which call requests of a preset function are refused, and which call requests of a preset function are redirected. Therefore, it is necessary to determine, according to the parameter in the call request, the target control strategy in the preconfigured control strategy that corresponds to the parameter and to the called preset function.
That is, the target control strategy is used to process the intercepted call request to the preset function.
Step 106, if the target control strategy is to allow the call request, calling the preset function in response to the call request;
Step 107, if the target control strategy is to refuse the call request, refusing the call request according to a preset refusal strategy of the preset function in response to the call request, and returning a refusal result;
Wherein, every kind of preset function is provided in advance with a corresponding refusal strategy.
Step 108, if the target control strategy is to redirect the call request, redirecting the call request according to a preset redirection strategy of the preset function, and calling the preset function in response to the redirected call request.
Wherein, if any one of the above three kinds of preset functions is provided in advance with a redirection control strategy, a redirection strategy can also be preconfigured for that preset function; therefore the call request of the preset function can be redirected here according to the preset redirection strategy of that preset function. Redirecting a call request can be understood as modifying the parameters in the call request so as to achieve the effect of redirection.
In this way, the embodiment of the present invention creates a virtual desktop, adds one or more application programs in the original desktop to the virtual desktop, and, when any destination application program in the virtual desktop starts, performs an Inline Hook operation on the preset network access function, the preset clipboard processing function and the preset registry processing function. Then, when the destination application program calls any of the above Inline Hooked functions, the embodiment of the present invention can intercept the call request and perform access control on it according to the preconfigured control strategy (including allowing, refusing and redirecting), so that various kinds of access control, such as network, clipboard and registry access control, can be applied to the application program in the virtual desktop, ensuring the security of information access.
Optionally, in one embodiment, when the preset function includes the preset network access function, the parameter in the call request includes the destination address segment of the network address to be accessed;
That is, when the user performs a network access operation on the target APP running in the virtual desktop, for example requests the content of some link, step 104 intercepts the call request to the network access connect function (which has been Inline Hooked in advance), wherein the parameter in the call request includes the IP address segment of the link to be accessed (i.e. of the network address).
Correspondingly, when step 105 is executed, the target control strategy corresponding to the destination address segment can be determined according to the correspondence, preconfigured for the preset network access function, between different destination address segments and different control strategies.
Wherein, since the preset network access function may include multiple key functions related to network access, the embodiment of the present invention can preconfigure a control strategy for each network access key function in advance.
For any one of the network access key functions, there can be different control strategies depending on the difference in its parameters.
So, taking the connect function here as an example, different control strategies can be configured for different IP address segments of the network address of a link. For example, for a link in IP address segment 1, when it is accessed by calling the connect function, the control strategy is to allow access; for a link in IP address segment 2, when it is accessed by calling the connect function, the control strategy is to deny access; for a link in IP address segment 3, when it is accessed by calling the connect function, the control strategy is to redirect the access (for example, the parameters in the call request are adjusted so that the redirected call request can only access part of the web page content in the web pages of IP address segment 3, or so that the redirected call request accesses the web page content in the web pages of IP address segment 4 instead).
In this way, the embodiment of the present invention can control network access by the target APP running in the virtual desktop.
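The connect-hook decision of steps 105 to 108 applied to the address-segment policy just described, as an added example written for this page rather than code from the patent; the three address segments, the default refusal for addresses matching no segment and the redirect target are constructed assumptions, and a real hook would read the sockaddr argument of connect rather than a text address:

```c
/* Added example, not code from the patent: a stand-alone simulation of the
 * connect-hook decision in steps 105-108.  The policy table, the IPv4
 * helpers and the redirect target are constructed assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { ACTION_ALLOW, ACTION_DENY, ACTION_REDIRECT } action_t;

/* One preconfigured rule: an IPv4 address segment (inclusive bounds), the
 * control strategy for connect() calls into that segment and, for redirect
 * rules, the address the call request is rewritten to. */
typedef struct {
    uint32_t lo, hi;       /* address segment, host byte order */
    action_t action;
    uint32_t redirect_to;  /* only meaningful for ACTION_REDIRECT */
} connect_rule_t;

/* Parse dotted-quad IPv4 text into a host-order integer; 0 on failure. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Constructed policy: segment 1 allowed, segment 2 denied, segment 3
 * redirected to a constructed address in "segment 4". */
static const connect_rule_t POLICY[] = {
    { 0x0A000100u, 0x0A0001FFu, ACTION_ALLOW,    0 },           /* 10.0.1.0/24 */
    { 0x0A000200u, 0x0A0002FFu, ACTION_DENY,     0 },           /* 10.0.2.0/24 */
    { 0x0A000300u, 0x0A0003FFu, ACTION_REDIRECT, 0x0A000401u }, /* 10.0.3.0/24 -> 10.0.4.1 */
};

/* Step 105: look up the target control strategy for the destination address
 * carried in the call request.  Addresses matching no rule are refused; the
 * patent states no default, so this is an assumption of the example. */
static action_t decide_connect(uint32_t dst, uint32_t *redirect_to) {
    size_t i;
    for (i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        if (dst >= POLICY[i].lo && dst <= POLICY[i].hi) {
            if (POLICY[i].action == ACTION_REDIRECT && redirect_to)
                *redirect_to = POLICY[i].redirect_to;
            return POLICY[i].action;
        }
    }
    return ACTION_DENY;
}

/* Steps 106-108 applied to a textual destination address.  Returns the
 * action taken and writes the address the (possibly rewritten) call request
 * would actually connect to into 'effective'; -1 means the address did not parse. */
static int handle_connect_request(const char *dst_text, char *effective, size_t len) {
    uint32_t dst, to = 0;
    action_t act;
    if (!parse_ipv4(dst_text, &dst)) return -1;
    act = decide_connect(dst, &to);
    if (act == ACTION_REDIRECT) dst = to;   /* redirect = modify the parameter */
    if (act == ACTION_DENY) {
        snprintf(effective, len, "(refused)");
    } else {
        snprintf(effective, len, "%u.%u.%u.%u", (unsigned)(dst >> 24), (unsigned)(dst >> 16) & 255u,
                 (unsigned)(dst >> 8) & 255u, (unsigned)dst & 255u);
    }
    return (int)act;
}

int main(void) {
    const char *samples[] = { "10.0.1.7", "10.0.2.9", "10.0.3.50", "192.168.1.1" };
    char eff[32];
    size_t i;
    for (i = 0; i < 4; i++) {
        int act = handle_connect_request(samples[i], eff, sizeof eff);
        printf("%-12s -> action %d, effective %s\n", samples[i], act, eff);
    }
    return 0;
}
```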
Optionally, when the preset function includes the preset clipboard processing function, the parameter in the call request includes the text to be pasted, a first desktop identifier to which the source file corresponding to the text to be pasted belongs, and a second desktop identifier to which the destination file corresponding to the text to be pasted belongs;
That is, when the user performs a key clipboard operation on the target APP running in the virtual desktop, for example copies some text content in the target APP and wants to paste it into another desktop (which can be the original desktop or another virtual desktop), step 104 intercepts the call request to the clipboard paste function (which has been Inline Hooked in advance), wherein the parameter in the call request includes the text to be pasted, the first desktop identifier to which the source file corresponding to the text to be pasted belongs, and the second desktop identifier to which the destination file corresponding to the text to be pasted belongs;
Wherein, in a copy-and-paste operation or a cut-and-paste operation, the copied or cut text to be pasted belongs to a source file. For example, the target APP in this embodiment runs in virtual desktop 1; the user copies or cuts, in virtual desktop 1, content in some file (the source file) in the target APP, and wants to paste it into another file (the destination file) in another virtual desktop 2 or in the original desktop. The call request of the paste operation received by the system then includes not only the cut or copied text to be pasted, but also the desktop identifier of virtual desktop 1 and the desktop identifier of virtual desktop 2 or of the original desktop.
Wherein, the clipboard is shared by the system and its data is also shared. By hooking the preset clipboard processing function it is possible to find out from which process the information to be pasted was copied to the clipboard, and therefore to know the data source and the related desktop control information, so that clipboard control between different virtual desktops can be implemented.
Correspondingly, step 105 can then be implemented in the following way:
judging whether the first desktop identifier and the second desktop identifier are the same;
if they are the same, determining, according to the control strategy preconfigured for the preset clipboard processing function, that the target control strategy is to allow the call request;
Wherein, if they are the same, it means that when the user copies and pastes or cuts and pastes content of some file in the target APP in virtual desktop 1, the clipboard operation is carried out only within the same virtual desktop, i.e. the copied or cut content is to be pasted into a destination file in virtual desktop 1, wherein the destination file can be in the target APP or in another APP that has been added to virtual desktop 1. In addition, the source file and the destination file can also be the same file.
Since the copy-and-paste or cut-and-paste operation takes place within the same virtual desktop, it can be determined that the control strategy for this call request is to pass it through. The system can then call the preset clipboard processing function to perform the text copy-and-paste or cut-and-paste within the same virtual desktop.
Wherein, the preset clipboard processing function may include multiple key functions related to clipboard operations. The control strategy preconfigured for these key functions is: if the clipboard operation is within the same virtual desktop, pass it through without processing; if the clipboard operation is between different virtual desktops, refuse the call request.
If they are different, determining, according to the control strategy preconfigured for the preset clipboard processing function, that the target control strategy is to refuse the call request;
Wherein, if they are different, it means that when the user copies and pastes or cuts and pastes content of some file in the target APP in virtual desktop 1, the user wants to paste the text to be pasted into a destination file in another desktop (which can be the original desktop or another virtual desktop), wherein the destination file can be in the target APP.
Since the copy-and-paste or cut-and-paste operation takes place between different desktops, it can be determined that the control strategy for this call request is to refuse it.
Then, when step 107 is executed, if the target control strategy is to refuse the call request, in response to the call request, the text to be pasted in the call request is subjected to a preset modification according to the preset refusal strategy of the preset clipboard processing function, and the modification result is returned, wherein the preset modification includes clearing the characters or disordering the arrangement of the characters.
Wherein, when the call request to a key function of a clipboard-related operation is refused, the refusal can take the form of modifying the text to be pasted in the call request, for example clearing the text to be pasted or disordering the arrangement of its characters, and then, in response to the call request, returning the modified text to be pasted to the paste position. In this way, the content pasted into the other desktop is the modified content, which ensures the information security within this virtual desktop.
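The same-desktop check and the two preset refusal modifications described above, as an added example that is not part of the patent; the numeric desktop identifiers, the request structure and the deterministic shuffle are constructed assumptions, and a real hook would sit on the clipboard functions inside the target APP:

```c
/* Added example, not code from the patent: a stand-alone simulation of the
 * paste-hook decision (step 105) and the preset refusal strategy (step 107)
 * for the clipboard.  Desktop identifiers and the PRNG are constructed. */
#include <stdio.h>
#include <string.h>

typedef enum { PASTE_ALLOW, PASTE_REFUSE } paste_action_t;
typedef enum { MOD_CLEAR, MOD_SHUFFLE } refusal_mode_t;

/* Parameters the hook sees for one paste call request (step 104). */
typedef struct {
    unsigned src_desktop;   /* first desktop identifier (source file)       */
    unsigned dst_desktop;   /* second desktop identifier (destination file) */
    char text[256];         /* text to be pasted, modified in place on refusal */
} paste_request_t;

/* Step 105 for the clipboard: same desktop -> pass through, otherwise refuse. */
static paste_action_t decide_paste(const paste_request_t *req) {
    return req->src_desktop == req->dst_desktop ? PASTE_ALLOW : PASTE_REFUSE;
}

/* Preset refusal strategy (step 107): either clear the text or disorder the
 * character arrangement.  A small xorshift PRNG drives a reproducible
 * Fisher-Yates permutation so the result can be checked; the seed is a
 * demonstration choice and nothing depends on its quality. */
static void apply_refusal(char *text, refusal_mode_t mode, unsigned seed) {
    size_t n = strlen(text), i;
    if (mode == MOD_CLEAR) { memset(text, 0, n); return; }
    for (i = n; i > 1; i--) {
        seed ^= seed << 13; seed ^= seed >> 17; seed ^= seed << 5;
        size_t j = seed % i;
        char t = text[i - 1]; text[i - 1] = text[j]; text[j] = t;
    }
}

/* Full hook path: returns the action and leaves req->text as the content
 * that would actually reach the paste position. */
static paste_action_t handle_paste(paste_request_t *req, refusal_mode_t mode) {
    paste_action_t act = decide_paste(req);
    if (act == PASTE_REFUSE) apply_refusal(req->text, mode, 0x9E3779B9u);
    return act;
}

/* Check helper: 1 if 'a' and 'b' contain the same bytes in some order, i.e.
 * a shuffle only reordered the characters and leaked nothing new. */
static int same_multiset(const char *a, const char *b) {
    int cnt[256] = {0};
    const unsigned char *p;
    if (strlen(a) != strlen(b)) return 0;
    for (p = (const unsigned char *)a; *p; p++) cnt[*p]++;
    for (p = (const unsigned char *)b; *p; p++) cnt[*p]--;
    for (int k = 0; k < 256; k++) if (cnt[k]) return 0;
    return 1;
}

int main(void) {
    paste_request_t same  = { 1, 1, "confidential report" };
    paste_request_t cross = { 1, 2, "confidential report" };
    printf("same desktop:  action %d, text \"%s\"\n", handle_paste(&same, MOD_SHUFFLE), same.text);
    printf("cross desktop: action %d, text \"%s\"\n", handle_paste(&cross, MOD_SHUFFLE), cross.text);
    return 0;
}
```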
Optionally, the preset registry processing function includes a registry write function, and when the preset function includes the registry write function, the parameter in the call request includes the original path of the item to be written in the original registry, the object key of the item to be written, and the target value of the object key;
That is, when the user performs a registry write operation on the target APP running in the virtual desktop, step 104 intercepts the call request to the registry write function of this virtual desktop (which has been Inline Hooked in advance), wherein the parameter in the call request includes the original path of the item to be written in the original registry, the object key of the item to be written, and the target value of the object key;
Wherein, the structure of the registry is a tree-like directory made up of items, wherein each item has one or more keys, and each key can be assigned a value.
So, because the target APP in the virtual desktop requests a write operation to the registry, the call request carries the original path, in the original registry, of the item being written, which key of that item is being written (i.e. the object key), and the value to be written to that key, i.e. the target value.
Correspondingly, when step 105 is executed, it can be determined, according to the control strategy preconfigured for the preset registry write function and the parameter in the call request, that the target control strategy corresponding to the parameter and to the preset registry write function is to redirect the call request;
Wherein, in order to ensure that the registry operations of different desktops are independent of each other, the control strategy preconfigured in advance by the embodiment of the present invention for the registry write function is to redirect the call request of that function.
Correspondingly, step 108 can then be implemented in the following way:
if the target control strategy is to redirect the call request, creating a redirect registry in a sub-key of the object key in the original registry according to the original path;
This is illustrated by treating the directory structure of the original registry as a tree, wherein each item in the original registry is a trunk of the tree, a key of an item is a leaf of the trunk, and the value of a key is the colour of the leaf. The write operation to this registry wants to change the colour of leaf 1 (the object key) of trunk 1 (the target item) in the tree to green (the target value). In order to prevent the APP in the virtual desktop from directly modifying the value of the object key of the target item in the original registry, the embodiment of the present invention re-creates a tree according to the original path of leaf 1 in the whole tree (this tree naturally does not have all the paths of the original registry; it only traces out the original path of leaf 1), and the root of the re-created tree is created on the child leaf (i.e. sub-key) of leaf 1. The re-created tree is the redirect registry. In this way, the redirect registry also has trunk 1 (referred to here as trunk 1') and leaf 1 (referred to here as leaf 1').
modifying the original path in the call request to the redirected path of the item to be written in the redirect registry;
For example, the write wants to modify the value of the color key in the color folder (the target item) under the root directory; the original path is then the color key in the color folder under the root directory, and the redirected path is the color key in the color folder under the root directory, under the color key of the original path.
calling the preset registry write function in response to the redirected call request, and writing the target value as the value of the object key at the redirected path in the redirect registry.
Here, that is, the target value can be written into the value of the color key in the color folder under the root directory, under the color key of the original path.
The embodiment of the present invention, from the angle of actual demand and application, provides a multi-desktop secure working environment based on the Windows platform, and, using HOOK technology (controlling the clipboard, network, registry and so on), can perform comprehensive access control on the application programs in the newly created desktop working environment.
Optionally, when the registry redirection module intercepts a registry read operation, if the key value of the target item to be read exists in the redirect registry, that key value is read directly; if it does not exist, the key value is read from the original registry, and the directory in which the key value is located is drawn in the redirect registry.
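The registry write redirection of step 108 (with the patent's color\color example) and the read fallback just described, modelled on an in-memory key/value tree as an added example that is not the patent's code; the ROOT\ path syntax, the sample keys and drawing only the key itself (rather than its whole directory) on fallback are constructed assumptions, and a real implementation would hook ZwCreateKey, ZwOpenKey and the like:

```c
/* Added example, not code from the patent: an in-memory model of registry
 * write redirection and the read fallback.  Paths and sample keys are
 * constructed; "ROOT" stands for the hive root. */
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 32
#define PATH_LEN 256

/* One key in a tree: its full path and its value. */
typedef struct { char path[PATH_LEN]; char value[64]; int used; } reg_entry_t;
typedef struct { reg_entry_t e[MAX_KEYS]; } registry_t;

/* Constructed original registry (two keys) and the initially empty redirect
 * registry of this virtual desktop. */
static registry_t original_reg = { .e = {
    { "ROOT\\color\\color", "blue", 1 },
    { "ROOT\\fonts\\size",  "12",   1 },
} };
static registry_t redirect_reg;

static const char *reg_get(const registry_t *r, const char *path) {
    for (int i = 0; i < MAX_KEYS; i++)
        if (r->e[i].used && strcmp(r->e[i].path, path) == 0) return r->e[i].value;
    return NULL;
}

/* Create or update a key; returns 0 when the tree is full. */
static int reg_set(registry_t *r, const char *path, const char *value) {
    int slot = -1;
    for (int i = 0; i < MAX_KEYS; i++) {
        if (r->e[i].used && strcmp(r->e[i].path, path) == 0) { slot = i; break; }
        if (!r->e[i].used && slot < 0) slot = i;
    }
    if (slot < 0) return 0;
    snprintf(r->e[slot].path, PATH_LEN, "%s", path);
    snprintf(r->e[slot].value, sizeof r->e[slot].value, "%s", value);
    r->e[slot].used = 1;
    return 1;
}

/* The redirected path: the redirect registry is rooted in a sub-key of the
 * object key and re-traces the original path below the root, so
 * "ROOT\color\color" becomes "ROOT\color\color\color\color". */
static int redirected_path(const char *original, char *out, size_t len) {
    const char *rel = strchr(original, '\\');   /* part after "ROOT" */
    if (!rel) return 0;
    return snprintf(out, len, "%s%s", original, rel) < (int)len;
}

/* Write hook (step 108): the target value goes to the redirect registry at
 * the redirected path; the original tree is never modified. */
static int hooked_registry_write(const char *original_path, const char *target_value) {
    char rp[PATH_LEN];
    if (!redirected_path(original_path, rp, sizeof rp)) return 0;
    return reg_set(&redirect_reg, rp, target_value);
}

/* Read hook: the redirect registry wins; otherwise the value is read from
 * the original registry and drawn into the redirect registry so that later
 * reads are served locally.  NULL if neither tree has the key. */
static const char *hooked_registry_read(const char *original_path) {
    char rp[PATH_LEN];
    const char *v;
    if (!redirected_path(original_path, rp, sizeof rp)) return NULL;
    if ((v = reg_get(&redirect_reg, rp)) != NULL) return v;
    if ((v = reg_get(&original_reg, original_path)) == NULL) return NULL;
    if (!reg_set(&redirect_reg, rp, v)) return v;   /* redirect tree full: still answer */
    return reg_get(&redirect_reg, rp);
}

int main(void) {
    hooked_registry_write("ROOT\\color\\color", "green");
    printf("virtual desktop sees color=%s, original still color=%s\n",
           hooked_registry_read("ROOT\\color\\color"), reg_get(&original_reg, "ROOT\\color\\color"));
    return 0;
}
```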
Optionally, after step 102, the method of the embodiment of the present invention can also include:
if a preset minifilter driver detects a file operation request of a destination application program that has started in the virtual desktop, judging the file operation type according to the file operation request;
Wherein, the embodiment of the present invention develops its preset minifilter driver based on the Minifilter framework of Microsoft, wherein the preset minifilter driver can be registered with the Microsoft system in advance. Any file operation request in the virtual desktop must be filtered by this preset minifilter driver before the file can be read or written.
Wherein, the preset minifilter driver is configured in the document processing module of Fig. 1.
If the user wants to open, read or write file data using the target APP started in the virtual desktop, the file operation request reaches the kernel layer and is taken over by the Microsoft file minifilter framework driver A; the Microsoft minifilter framework driver A then calls the minifilter driver B of the embodiment of the present invention that has been registered with it to handle this file operation request, and the minifilter driver B judges whether the file operation type of this file operation request is opening a file, reading a file, or writing file data.
Wherein, the file operation request can carry an identifier indicating the file operation type. The minifilter driver determines the file operation type of the file operation request through this identifier.
If the file operation type is opening a file, determining the destination file name in the file operation request and the original directory of the destination file in the original desktop;
Wherein, if the file operation type is opening a file, i.e. the target APP wants to open a file, the file operation request, i.e. the file open request, records the name of the file C to be opened (the destination file) and the original directory of file C in the original desktop.
Redirecting the original directory in the storage space corresponding to the virtual desktop according to the structure of the original directory, to obtain the redirect directory of the destination file;
Wherein, each time a virtual desktop is created, the embodiment of the present invention allocates a separate blank storage space for that virtual desktop, and any file data generated by the application programs running in the virtual desktop is stored in that storage space.
In order to ensure that the operations of different desktops on the same file are independent and do not interfere with each other, the embodiment of the present invention can redraw in the storage space the structure of the original directory of file C in the original desktop, so as to obtain the redirect directory of file C in the virtual desktop.
Wherein, the structure of the original directory of file C and that of the redirect directory are exactly the same, but they are located in different storage spaces.
Copying the destination file with the destination file name in the original directory of the original desktop to the redirect directory of the virtual desktop;
Wherein, since the above redirect directory does not yet contain any specific file data, and the target APP here requests to open file C, it is necessary to read file C with the destination file name from the original directory of the original desktop and copy the data of file C to the redirect directory of the virtual desktop.
That is, the data of file C is actually stored at the redirect directory of the storage space.
In response to the file operation request, opening the destination file with the destination file name at the redirect directory.
Here, that is, in response to the file open request, file C at the redirect directory in the storage space is opened, rather than file C in the original directory of the original desktop.
In this way, the embodiment of the present invention can implement access control of different application programs on different desktops, and can further separate sensitive application programs from the original desktop, implementing secure access of applications without increasing cost and preventing the leakage of secrets.
Optionally, if the preset minifilter driver detects a file operation request of a destination application program that has started in the virtual desktop, after the file operation type is judged according to the file operation request, the method of the embodiment of the present invention can also include:
if the file operation type is a file write operation, determining the destination file name in the file operation request and the original directory of the destination file in the original desktop;
Wherein, if the file operation type is a file write operation, i.e. the target APP wants to perform a write operation on a file, the file operation request, i.e. the file write request, records the name of the file C (the destination file) to which the data is to be written, and the original directory of file C in the original desktop.
Redirecting the original directory in the storage space corresponding to the virtual desktop according to the structure of the original directory, to obtain the redirect directory of the destination file;
Wherein, the specific execution of this step is similar to the specific description in the previous file open embodiment and is not repeated here.
Copying the destination file in the original directory of the original desktop to the redirect directory of the virtual desktop;
Wherein, the specific execution of this step is similar to the specific description in the previous file open embodiment and is not repeated here.
In response to the file operation request, performing the write operation on the destination file at the redirect directory;
Wherein, the data write operation can be performed on the destination file at the redirect directory of the virtual desktop in response to the file write request, wherein the data to be written is carried in the file write request.
Encrypting the destination file after the write operation according to a predetermined encryption algorithm.
Wherein, after the write is finished, the document processing module can call the encryption and decryption service module to encrypt and store, according to the predetermined encryption algorithm, the destination file (i.e. the full content of the file) at the redirect directory after the write operation.
In this way, the embodiment of the present invention can save the file data generated by the operations of application programs in the virtual desktop separately in a specific region, and refuse access to the data of that specific region by application programs in desktops other than the virtual desktop.
It can be understood that when the embodiment of the present invention creates multiple virtual desktops, even if each virtual desktop operates the same application program, the file data generated by each operation is stored separately in the storage space corresponding to each virtual desktop, the original data of the application program in the original desktop is not changed, and the data generated by different virtual desktops can only be accessed by the application programs in the respective virtual desktop, with access by applications of other desktops refused. This both ensures that the original data of the original desktop is not arbitrarily modified and allows mutually independent access control of application programs to be executed in different virtual desktops.
Optionally, if the preset minifilter driver detects a file operation request of a destination application program that has started in the virtual desktop, after the file operation type is judged according to the file operation request, the method of the embodiment of the present invention can also include:
if the file operation type is a file read operation, determining the destination file name in the file operation request and the original directory of the destination file in the original desktop;
Wherein, if the file operation type is a file read operation, i.e. the target APP wants to perform a read operation on a file, the file operation request, i.e. the file read request, records the name of the file C (the destination file) in which the data to be read is located, and the original directory of file C in the original desktop.
Determining the redirect directory of the destination file in the virtual desktop according to the original directory;
Wherein, it is assumed here that the original directory of file C has already been redirected in the virtual desktop; therefore the redirect directory can be determined directly according to the original directory.
Of course, in other embodiments, if a lookup in the storage space of the virtual environment finds that file C is not present, the redirect directory of the destination file can be drawn according to the method of the write operation embodiment for destination file C, and destination file C can be stored encrypted at the redirect directory; for the specific description refer to the above file write operation embodiment, which is not repeated here.
Decrypting the destination file with the destination file name at the redirect directory according to a preset decryption algorithm;
Wherein, since the files in the redirect directory of the virtual desktop are all stored encrypted, the encryption and decryption service module can decrypt destination file C according to the preset decryption algorithm to obtain the plaintext of file C.
Wherein, the decryption operation can be executed in memory, so that after this read of file C, file C in the redirect directory is still stored encrypted.
In response to the file operation request, performing the read operation on the decrypted destination file, and returning the read result.
Wherein, the read operation can be performed on the decrypted destination file in response to the file read request, and the read file data is returned in plaintext to the upper-layer target APP.
By means of the technical solution of the embodiment of the present invention, when multiple virtual desktops are created, even if each virtual desktop operates the same application program, the file data generated by each operation is stored separately in the storage space corresponding to each virtual desktop, the original data of the application program in the original desktop is not changed, and the data generated by different virtual desktops can only be accessed by the application programs in the respective virtual desktop, with access by applications of other desktops refused. This both ensures that the original data of the original desktop is not arbitrarily modified and allows mutually independent access control of application programs to be executed in different virtual desktops.
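The open, write and read embodiments above modelled together on two in-memory stores, as an added example that is not the patent's code; the sample paths, the storage root D:\vd1, encrypting the redirect copy already at open time, and the XOR keystream standing in for the predetermined encryption algorithm are all constructed assumptions, and a real implementation lives in a Minifilter driver with a vetted cipher:

```c
/* Added example, not code from the patent: an in-memory model of the
 * minifilter's open / write / read handling.  The original desktop and the
 * virtual desktop's storage space are two small stores; paths are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_FILES 8
#define DATA_LEN 128

/* One file in a store: its path, its bytes and their length. */
typedef struct { char path[256]; unsigned char data[DATA_LEN]; size_t len; int used; } vfile_t;
typedef struct { vfile_t f[MAX_FILES]; } store_t;

/* Constructed original desktop holding one plaintext document, and the blank
 * storage space allocated for virtual desktop 1. */
static store_t original_store = { .f = { { "C:\\Users\\u\\doc\\a.txt", "hello", 5, 1 } } };
static store_t vd_store;

static vfile_t *store_find(store_t *s, const char *path) {
    for (int i = 0; i < MAX_FILES; i++)
        if (s->f[i].used && strcmp(s->f[i].path, path) == 0) return &s->f[i];
    return NULL;
}

/* Create or overwrite a file in a store; NULL when full or data too large. */
static vfile_t *store_put(store_t *s, const char *path, const unsigned char *d, size_t n) {
    vfile_t *v = store_find(s, path);
    if (n > DATA_LEN) return NULL;
    if (!v) {
        for (int i = 0; i < MAX_FILES && !v; i++) if (!s->f[i].used) v = &s->f[i];
        if (!v) return NULL;
        snprintf(v->path, sizeof v->path, "%s", path);
        v->used = 1;
    }
    memcpy(v->data, d, n);
    v->len = n;
    return v;
}

/* Redirect directory: the original directory structure redrawn under the
 * storage root of the virtual desktop (constructed root "D:\vd1"). */
static int redirect_path(const char *original, char *out, size_t len) {
    const char *rel = strchr(original, '\\');   /* drop the drive letter */
    if (!rel) return 0;
    return snprintf(out, len, "D:\\vd1%s", rel) < (int)len;
}

/* Stand-in for the predetermined encryption algorithm: XOR with a fixed
 * keystream, symmetric so one routine both encrypts and decrypts.  It is a
 * placeholder for the demonstration only, not a usable cipher. */
static void toy_crypt(unsigned char *buf, size_t n) {
    static const unsigned char key[] = "vd1-storage-key";
    for (size_t i = 0; i < n; i++) buf[i] ^= key[i % (sizeof key - 1)];
}

/* Open: copy-on-first-use from the original desktop into the redirect
 * directory.  The copy is encrypted at once (assumption: the storage space
 * only ever holds ciphertext, consistent with the read embodiment).
 * Returns the redirect copy, or NULL if the original desktop has no such file. */
static vfile_t *vd_open(const char *original_path) {
    char rp[256]; vfile_t *src, *dst;
    if (!redirect_path(original_path, rp, sizeof rp)) return NULL;
    if ((dst = store_find(&vd_store, rp)) != NULL) return dst;
    if ((src = store_find(&original_store, original_path)) == NULL) return NULL;
    dst = store_put(&vd_store, rp, src->data, src->len);
    if (dst) toy_crypt(dst->data, dst->len);
    return dst;
}

/* Write: ensure the redirect copy exists, replace its contents with the data
 * carried in the write request, then encrypt the whole file.  The original
 * desktop's copy is never touched. */
static int vd_write(const char *original_path, const unsigned char *data, size_t n) {
    char rp[256]; vfile_t *v;
    if (!redirect_path(original_path, rp, sizeof rp)) return 0;
    if (store_find(&vd_store, rp) == NULL) vd_open(original_path); /* may be a brand-new file */
    if ((v = store_put(&vd_store, rp, data, n)) == NULL) return 0;
    toy_crypt(v->data, v->len);
    return 1;
}

/* Read: decrypt in memory and hand plaintext to the caller; the stored copy
 * stays encrypted.  Returns the byte count, or -1 if the file is unknown. */
static long vd_read(const char *original_path, unsigned char *out, size_t cap) {
    vfile_t *v = vd_open(original_path);
    if (!v || v->len > cap) return -1;
    memcpy(out, v->data, v->len);
    toy_crypt(out, v->len);
    return (long)v->len;
}

int main(void) {
    unsigned char buf[DATA_LEN];
    long n = vd_read("C:\\Users\\u\\doc\\a.txt", buf, sizeof buf);
    printf("first read: %ld bytes: %.*s\n", n, (int)n, (const char *)buf);
    vd_write("C:\\Users\\u\\doc\\a.txt", (const unsigned char *)"secret", 6);
    n = vd_read("C:\\Users\\u\\doc\\a.txt", buf, sizeof buf);
    printf("after write: %.*s (original desktop still: %.*s)\n", (int)n, (const char *)buf,
           (int)original_store.f[0].len, (const char *)original_store.f[0].data);
    return 0;
}
```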
Optionally, the method of the embodiment of the present invention can also include:
if the virtual desktop is closed, clearing the temporary data and/or redirect data generated in the virtual desktop according to a preconfigured data cleanup strategy.
Wherein, if the user closes the virtual desktop, the desktop working environment exit module shown in Fig. 1 can call the post-exit environment cleanup module to clear, according to the preconfigured data cleanup strategy, the temporary data and/or redirect data generated in the virtual desktop.
Wherein, the temporary data can be any or all of the file data generated by the above file open, file read and file write operations, and the redirect data can be any of the redirect data in the above embodiments.
Which data is actually cleared is determined by the preconfigured data cleanup strategy. Wherein, the embodiment of the present invention can formulate in advance, according to user demand, the data cleanup strategy of the currently created virtual desktop, for example clearing only the redirect data, or clearing only the temporary data.
Optionally, after step 102, the method of the embodiment of the present invention can also include:
if an access request of any application program is detected, judging whether the application program is a destination application program in the virtual desktop;
Wherein, in the created virtual desktop, if an access request of any application program is detected, it is first necessary to judge whether the application program is an application program in the virtual desktop, referred to here as a destination application program.
If not, refusing the access request.
In this way, after creating the virtual desktop, the embodiment of the present invention accepts in the virtual desktop only access by programs in this desktop, and refuses access by applications in other desktops, so as to achieve access control of different application programs in different virtual desktops.
Wherein, there can be multiple virtual desktops created in the above embodiments; their working principles are similar and are not repeated here.
By means of the technical solution of the above embodiments of the present invention, a multi-desktop secure working environment based on the Windows platform can be built: HOOK technology is used to control the clipboard, the network, the registry and so on, and file redirection together with encryption and decryption is applied to the file data generated in the virtual desktop, so that the working environment of the newly created virtual desktop is protected in all respects.
After entering a virtual desktop, the clipboard operations, registry operations and network operations of the application programs in that desktop are protected, the file data they generate is stored encrypted in a designated area, and accesses from application programs outside the virtual desktop environment are refused (for example, if the file redirection directory of this virtual desktop is location 1 on drive C, programs in other desktops cannot access that location).
In addition, the access scope of application programs can be set individually for each virtual desktop, and the data generated in each virtual desktop is isolated from, and invisible to, the other desktops.
When any virtual desktop is exited, whether the data generated in that desktop is retained is decided according to the configuration (which can specify in advance whether the registry, the files in the redirection directory and so on are retained).
The virtual desktop created by the embodiment of the present invention can apply comprehensive control over the clipboard, registry, network and files of application programs without changing the user's habits in operating those programs. Even if the hard disk of the virtual desktop (the disk in which the data of the virtual desktop is stored) is detached from the machine, the data in that disk is encrypted, so the data generated in the secure desktop working environment remains protected and unauthorized access is prevented.
Furthermore, the virtual desktop of the embodiment of the present invention can let different desktops access different application programs according to user requirements, separating sensitive applications from the ordinary desktop; secure access to applications is achieved without additional cost, and leaks are prevented.
It should be noted that, for simplicity of description, the method embodiments are described as a series of combined actions, but those skilled in the art should understand that the embodiments of the present invention are not limited by the described sequence of actions, because according to the embodiments of the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present invention.
Corresponding to the method provided by the embodiments of the present invention, referring to FIG. 3, a structural block diagram of an embodiment of an access control apparatus for application programs according to the present invention is shown; the apparatus is applied to a terminal device and may specifically include the following modules:
Creation module 31, configured to create a virtual desktop;
Adding module 32, configured to add at least one application program in the original desktop to the virtual desktop;
Hook module 33, configured to, if it is detected that any target application program starts in the virtual desktop, apply an Inline Hook to preset functions in the Windows function library, where the preset functions include a preset network access function, a preset clipboard handling function and a preset registry handling function;
Interception module 34, configured to intercept the call request of the target application program to the preset function;
First determining module 35, configured to determine, according to a preconfigured control strategy and the parameters in the call request, the target control strategy corresponding to the parameters and the preset function;
First response module 36, configured to, if the target control strategy is to allow the call request, call the preset function in response to the call request;
Second response module 37, configured to, if the target control strategy is to refuse the call request, refuse the call request in response to it according to the default refusal strategy of the preset function and return a refusal result;
Third response module 38, configured to, if the target control strategy is to redirect the call request, redirect the call request according to the default redirection strategy of the preset function and call the preset function in response to the redirected call request.
Optionally, the first determining module 35 includes:
A first determining submodule, configured to, when the preset function includes the preset network access function, where the parameters in the call request include the destination address range of the network address to be accessed, determine the target control strategy corresponding to the destination address range according to the correspondence, preconfigured for the preset network access function, between different address ranges and different control strategies.
Optionally, the first determining module 35 includes:
A judging submodule, configured to, when the preset function includes the preset clipboard handling function, where the parameters in the call request include the text to be pasted, the identifier of the first desktop to which the source file corresponding to the text to be pasted belongs, and the identifier of the second desktop to which the destination file corresponding to the text to be pasted belongs, judge whether the first desktop identifier and the second desktop identifier are identical;
A second determining submodule, configured to, if they are identical, determine according to the control strategy preconfigured for the preset clipboard handling function that the target control strategy is to allow the call request;
A third determining submodule, configured to, if they differ, determine according to the control strategy preconfigured for the preset clipboard handling function that the target control strategy is to refuse the call request;
The second response module 37 includes:
A second response submodule, configured to, if the target control strategy is to refuse the call request, apply a default modification to the text to be pasted in the call request, in response to the call request and according to the default refusal strategy of the preset clipboard handling function, and return the modification result, where the default modification includes emptying the characters or scrambling the order of the characters.
Optionally, the first determining module 35 includes:
A fourth determining submodule, configured to, when the preset registry handling function includes a registry write function and the preset function includes that registry write function, where the parameters in the call request include the original path of the item to be written in the original registry, the target key of the item to be written and the target value of the target key, determine, according to the control strategy preconfigured for the preset registry write function and the parameters in the call request, that the target control strategy corresponding to the parameters and the preset registry write function is to redirect the call request;
The third response module 38 includes:
A creation submodule, configured to, if the target control strategy is to redirect the call request, create a redirection registry in a sub-key of the target key of the original registry according to the original path;
A modification submodule, configured to modify the original path in the call request to the redirected path of the item to be written in the redirection registry;
A third response submodule, configured to call the preset registry write function in response to the redirected call request, writing the target value to the value of the target key at the redirected path in the redirection registry.
Optionally, the apparatus further includes:
A first judging module, configured to, if a preset minifilter driver detects a file operation request of any target application program started in the virtual desktop, judge the file operation type according to the file operation request;
A second determining module, configured to, if the file operation type is file open, determine the target file name in the file operation request and the original directory of the target file in the original desktop;
A first redirection module, configured to redirect the original directory within the storage space corresponding to the virtual desktop according to the structure of the original directory, obtaining the redirection directory of the target file;
A first copying module, configured to copy the target file having the target file name in the original directory of the original desktop to the redirection directory of the virtual desktop;
A fourth response module, configured to open, in response to the file operation request, the target file having the target file name at the redirection directory.
Optionally, the apparatus further includes:
A third determining module, configured to, if the file operation type is a file write operation, determine the target file name in the file operation request and the original directory of the target file in the original desktop;
A second redirection module, configured to redirect the original directory within the storage space corresponding to the virtual desktop according to the structure of the original directory, obtaining the redirection directory of the target file;
A second copying module, configured to copy the target file in the original directory of the original desktop to the redirection directory of the virtual desktop;
A fifth response module, configured to perform, in response to the file operation request, the write operation on the target file at the redirection directory;
An encryption module, configured to encrypt the target file after the write operation according to a predetermined encryption algorithm.
Optionally, the apparatus further includes:
A fourth determining module, configured to, if the file operation type is a file read operation, determine the target file name in the file operation request and the original directory of the target file in the original desktop;
A fifth determining module, configured to determine the redirection directory of the target file in the virtual desktop according to the original directory;
A decryption module, configured to decrypt the target file having the target file name at the redirection directory according to a predetermined decryption algorithm;
A sixth response module, configured to perform, in response to the file operation request, the read operation on the decrypted target file and return the read result.
Optionally, the apparatus further includes:
A cleanup module, configured to, if the virtual desktop is closed, clean up the temporary data and/or redirected data generated in the virtual desktop according to a preconfigured data cleanup strategy.
Optionally, the apparatus further includes:
A second judging module, configured to, if an access request from any application program is detected, judge whether the application program is a target application program within the virtual desktop;
A refusal module, configured to refuse the access request if the second judging module determines that the application program is not a target application program within the virtual desktop.
Since the apparatus embodiments are basically similar to the method embodiments, their description is relatively brief; for the relevant parts, refer to the description of the method embodiments.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, an apparatus or a computer program product. Therefore, the embodiments of the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory and so on) containing computer-usable program code.
The embodiments of the present invention are described with reference to flowcharts and/or block diagrams of the method, terminal device (system) and computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing terminal device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing terminal device produce an apparatus for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which realizes the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal device, such that a series of operation steps are executed on the computer or other programmable terminal device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable terminal device provide steps for realizing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although the preferred embodiments of the embodiments of the present invention have been described, once a person skilled in the art knows the basic inventive concept, additional changes and modifications can be made to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present invention.
Finally, it should also be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or terminal device including a series of elements includes not only those elements but also other elements not explicitly listed, or further includes elements inherent to such a process, method, article or terminal device. In the absence of further restrictions, an element defined by the sentence "including a ..." does not exclude the existence of other identical elements in the process, method, article or terminal device that includes the element.
The access control method for application programs and the access control apparatus for application programs provided by the present invention have been described in detail above. Specific examples have been used herein to illustrate the principles and implementations of the invention, and the above description of the embodiments is only intended to help understand the method of the present invention and its core ideas. At the same time, for those of ordinary skill in the art, there will be changes in the specific implementation and scope of application according to the ideas of the present invention. In summary, the contents of this specification should not be construed as limiting the invention.
Claims (14)
1. An access control method for application programs, applied to a terminal device, the method comprising:
creating a virtual desktop;
adding at least one application program in an original desktop to the virtual desktop;
if it is detected that any target application program starts in the virtual desktop, applying an Inline Hook to preset functions in the Windows function library, where the preset functions include a preset network access function, a preset clipboard handling function and a preset registry handling function;
intercepting a call request of the target application program to the preset function;
determining, according to a preconfigured control strategy and the parameters in the call request, a target control strategy corresponding to the parameters and the preset function;
if the target control strategy is to allow the call request, calling the preset function in response to the call request;
if the target control strategy is to refuse the call request, refusing the call request in response to it according to a default refusal strategy of the preset function and returning a refusal result;
if the target control strategy is to redirect the call request, redirecting the call request according to a default redirection strategy of the preset function and calling the preset function in response to the redirected call request.
2. The method according to claim 1, wherein, when the preset function includes the preset network access function, the parameters in the call request include a destination address range of the network address to be accessed;
and the determining, according to the preconfigured control strategy and the parameters in the call request, of the target control strategy corresponding to the parameters and the preset function comprises:
determining the target control strategy corresponding to the destination address range according to a correspondence, preconfigured for the preset network access function, between different address ranges and different control strategies.
3. The method according to claim 1, wherein, when the preset function includes the preset clipboard handling function, the parameters in the call request include the text to be pasted, the identifier of a first desktop to which the source file corresponding to the text to be pasted belongs, and the identifier of a second desktop to which the destination file corresponding to the text to be pasted belongs;
the determining, according to the preconfigured control strategy and the parameters in the call request, of the target control strategy corresponding to the parameters and the preset function comprises:
judging whether the first desktop identifier and the second desktop identifier are identical;
if they are identical, determining according to the control strategy preconfigured for the preset clipboard handling function that the target control strategy is to allow the call request;
if they differ, determining according to the control strategy preconfigured for the preset clipboard handling function that the target control strategy is to refuse the call request;
and the refusing, if the target control strategy is to refuse the call request, of the call request in response to it according to the default refusal strategy of the preset function and returning a refusal result comprises:
if the target control strategy is to refuse the call request, applying a default modification to the text to be pasted in the call request, in response to the call request and according to the default refusal strategy of the preset clipboard handling function, and returning the modification result, where the default modification includes emptying the characters or scrambling the order of the characters.
4. The method according to claim 1, wherein the preset registry handling function includes a registry write function, and when the preset function includes the registry write function, the parameters in the call request include the original path of the item to be written in the original registry, the target key of the item to be written and the target value of the target key;
the determining, according to the preconfigured control strategy and the parameters in the call request, of the target control strategy corresponding to the parameters and the preset function comprises:
determining, according to the control strategy preconfigured for the preset registry write function and the parameters in the call request, that the target control strategy corresponding to the parameters and the preset registry write function is to redirect the call request;
and the redirecting, if the target control strategy is to redirect the call request, of the call request according to the default redirection strategy of the preset function and calling the preset function in response to the redirected call request comprises:
if the target control strategy is to redirect the call request, creating a redirection registry in a sub-key of the target key of the original registry according to the original path;
modifying the original path in the call request to the redirected path of the item to be written in the redirection registry;
calling the preset registry write function in response to the redirected call request, writing the target value to the value of the target key at the redirected path in the redirection registry.
5. The method according to claim 1, wherein, after the adding of at least one application program in the original desktop to the virtual desktop, the method further comprises:
if a preset minifilter driver detects a file operation request of any target application program started in the virtual desktop, judging the file operation type according to the file operation request;
if the file operation type is a file write operation, determining the target file name in the file operation request and the original directory of the target file in the original desktop;
redirecting the original directory within the storage space corresponding to the virtual desktop according to the structure of the original directory, obtaining the redirection directory of the target file;
copying the target file in the original directory of the original desktop to the redirection directory of the virtual desktop;
performing, in response to the file operation request, the write operation on the target file at the redirection directory;
encrypting the target file after the write operation according to a predetermined encryption algorithm.
6. The method according to claim 5, wherein, after the preset minifilter driver detects the file operation request of any target application program started in the virtual desktop and the file operation type is judged according to the file operation request, the method further comprises:
if the file operation type is a file read operation, determining the target file name in the file operation request and the original directory of the target file in the original desktop;
determining the redirection directory of the target file in the virtual desktop according to the original directory;
decrypting the target file having the target file name at the redirection directory according to a predetermined decryption algorithm;
performing, in response to the file operation request, the read operation on the decrypted target file and returning the read result.
7. The method according to claim 1, wherein the method further comprises:
if the virtual desktop is closed, cleaning up the temporary data and/or redirected data generated in the virtual desktop according to a preconfigured data cleanup strategy;
after the adding of at least one application program in the original desktop to the virtual desktop, if an access request from any application program is detected, judging whether the application program is a target application program within the virtual desktop;
if it is not, refusing the access request.
8. a kind of access control apparatus of application program, which is characterized in that be applied to terminal device, described device includes:
Creation module, for creating virtual desktop;
Adding module, at least one application program in original desktop to be added to the virtual desktop;
Hook module, if any one destination application starts in the virtual desktop for detecting, to Windows's
Preset function in function library carries out Inline Hook, wherein the preset function includes default network access function, presets
Clipbook handling function, default registration list processing function;
Interception module, for intercepting and capturing call request of the destination application to the preset function;
First determining module, for according to the parameter in preconfigured control strategy and the call request, it is determining with it is described
Parameter and the corresponding target control strategy of the preset function;
First respond module, if being to allow the call request for the target control strategy, in response to the calling
Preset function described in request call;
Second respond module, if being to refuse the call request for the target control strategy, in response to the calling
Request, refuses the call request according to the default refusal strategy of the preset function, returns to refusal result;
Third respond module, if being to be redirected to the call request for the target control strategy, according to described default
The default redirection strategy of function redirects the call request, described pre- in response to the call request calling of redirection
If function.
9. device according to claim 8, which is characterized in that first determining module includes:
First determines submodule, for when the preset function includes default network access function, wherein the call request
In parameter include network address to be visited destination address section, according to for default network access function preset configuration not
With the corresponding relationship of address field and different control strategies, the corresponding target control strategy of the destination address section is determined.
10. device according to claim 8, which is characterized in that
First determining module includes:
Judging submodule, for when the preset function includes default clipbook handling function, wherein in the call request
Parameter include text to be pasted, it is the first desktop mark belonging to the corresponding source file of the text to be pasted, described to be pasted
The mark of second desktop belonging to the corresponding file destination of text, judges the first desktop mark and second desktop mark is
It is no identical;
Second determines submodule, is used for if they are the same, then basis is directed to the control strategy of default clipbook handling function preset configuration,
Determine that target control strategy is to allow the call request;
Third determines submodule, for if it is different, then according to the control strategy for default clipbook handling function preset configuration,
Determine that target control strategy is to refuse the call request;
Second respond module includes:
Second response submodule, if being to refuse the call request for the target control strategy, in response to the tune
With request, according to the default refusal strategy of the default clipbook handling function to the text to be pasted in the call request
This carries out default modification, returns to modification result, wherein the default modification includes that character empties or upset character arrangements sequence.
11. device according to claim 8, which is characterized in that
First determining module includes:
4th determines submodule, for including registration table write-in function, the default letter when the default registration list processing function
When number includes registration table write-in function, the parameter in the call request includes project to be written in original licensed table
Original path, the object key of the project to be written, the target value of the object key are written according to for the default registration table
Parameter in the preconfigured control strategy of function and the call request, determining and the parameter and the default registration table
It is to redirect to the call request that the corresponding target control strategy of function, which is written,;
The third respond module includes:
Submodule is created, if being to redirect to the call request for the target control strategy, according to the original road
path, creates a redirection registry under the sub-key of the target key of the original registry;
a modification submodule, for revising the original path in the call request to the redirected path of the item to be written in the redirection registry;
a third response submodule, for calling the default registry write function in response to the redirected call request, and writing the target value into the value of the target key at the redirected path in the redirection registry.
12. The device according to claim 8, characterized in that the device further comprises:
a first judgment module, for, if a preset minifilter driver detects a file operation request of any started target application in the virtual desktop, judging the file operation type according to the file operation request;
a third determining module, for, if the file operation type is a file write operation, determining the target file name in the file operation request and the original directory of the target file in the original desktop;
a second redirection module, for redirecting the original directory in the storage space corresponding to the virtual desktop according to the structure of the original directory, to obtain the redirection directory of the target file;
a second copy module, for copying the target file from the original directory of the original desktop to the redirection directory of the virtual desktop;
a fifth response module, for performing the write operation on the target file at the redirection directory in response to the file operation request;
an encryption module, for encrypting the target file after the write operation according to a predetermined encryption algorithm.
13. The device according to claim 12, characterized in that the device further comprises:
a fourth determining module, for, if the file operation type is a file read operation, determining the target file name in the file operation request and the original directory of the target file in the original desktop;
a fifth determining module, for determining the redirection directory of the target file in the virtual desktop according to the original directory;
a decryption module, for decrypting the target file with the target file name at the redirection directory according to a default decryption algorithm;
a sixth response module, for performing the read operation on the decrypted target file in response to the file operation request and returning the read result.
14. The device according to claim 8, characterized in that the device further comprises:
a clearing module, for, if the virtual desktop is closed, purging the temporary data and/or redirection data generated in the virtual desktop according to a preconfigured data clearing policy;
a second judgment module, for, if an access request of any application is detected, judging whether the application is the target application in the virtual desktop;
a refusal module, for refusing the access request if the second judgment module determines that the application is not the target application in the virtual desktop.
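The write redirection, encrypt-on-write and decrypt-on-read flow of claims 12 and 13 (with the purge of claim 14 at the end), as a user-mode Python model added here; it is not the patent's own implementation, which runs in a minifilter driver. The keyed XOR stream stands in for the unspecified "predetermined encryption algorithm", and the temporary directories, file name and contents are constructed for the demo.

```python
import shutil
import tempfile
from pathlib import Path
# Stand-in for the patent's unspecified "predetermined encryption algorithm": a
# keyed XOR stream, constructed for the demo and NOT a real cipher (use AES-GCM).
KEY = b"constructed-demo-key"

def xor_stream(data: bytes) -> bytes:
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))

class VirtualDesktopFS:
    """User-mode model of claims 12 and 13: a write is served from a copy in the
    virtual desktop's storage, encrypted after the write, decrypted before a read."""

    def __init__(self, original_root: str, virtual_root: str):
        self.original_root = Path(original_root).resolve()
        self.virtual_root = Path(virtual_root).resolve()
        self.redirected = set()  # files already copied into the virtual desktop

    def redirect_path(self, original_path: str) -> Path:
        rel = Path(original_path).resolve().relative_to(self.original_root)
        return self.virtual_root / rel  # same directory structure, new root

    def write(self, original_path: str, data: bytes) -> Path:
        target = self.redirect_path(original_path)
        if target in self.redirected:
            plain = xor_stream(target.read_bytes())  # decrypt the redirected copy
        else:  # first write: copy the original into the virtual desktop
            target.parent.mkdir(parents=True, exist_ok=True)
            src = Path(original_path)
            plain = src.read_bytes() if src.exists() else b""
            self.redirected.add(target)
        target.write_bytes(xor_stream(plain + data))  # apply the write, then encrypt
        return target

    def read(self, original_path: str) -> bytes:
        target = self.redirect_path(original_path)
        if target in self.redirected:
            return xor_stream(target.read_bytes())  # decrypt, then serve the read
        return Path(original_path).read_bytes()  # assumption: untouched files read through

def demo() -> tuple:
    orig, virt = tempfile.mkdtemp(), tempfile.mkdtemp()
    path = str(Path(orig) / "report.txt")
    Path(path).write_bytes(b"draft v1\n")  # constructed file on the original desktop
    vfs = VirtualDesktopFS(orig, virt)
    on_disk = vfs.write(path, b"secret edit\n").read_bytes()
    result = (vfs.read(path), Path(path).read_bytes(), b"secret" in on_disk)
    for d in (orig, virt):  # claim 14: purge the virtual desktop's data on close
        shutil.rmtree(d, ignore_errors=True)
    return result
```

`demo()` returns the decrypted view seen by the sandboxed application, the untouched original file, and whether plaintext reached the redirected copy on disk.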
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810798889.0A CN109117664B (en) | 2018-07-19 | 2018-07-19 | Access control method and device for application program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810798889.0A CN109117664B (en) | 2018-07-19 | 2018-07-19 | Access control method and device for application program |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109117664A true CN109117664A (en) | 2019-01-01 |
CN109117664B CN109117664B (en) | 2020-11-10 |
Family
ID=64863041
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810798889.0A Active CN109117664B (en) | 2018-07-19 | 2018-07-19 | Access control method and device for application program |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109117664B (en) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110096856A (en) * | 2019-04-19 | 2019-08-06 | 奇安信科技集团股份有限公司 | Access control method, system, electronic device and medium |
CN110457925A (en) * | 2019-08-12 | 2019-11-15 | 深圳市网心科技有限公司 | Application data isolation method and device in internal and external storage, terminal and storage medium |
CN111539010A (en) * | 2020-06-16 | 2020-08-14 | 北京明朝万达科技股份有限公司 | Clipboard control method and device, electronic equipment and computer-readable storage medium |
CN112269986A (en) * | 2020-10-29 | 2021-01-26 | 深信服科技股份有限公司 | Process management method, device and storage medium |
CN112685745A (en) * | 2020-12-31 | 2021-04-20 | 北京梆梆安全科技有限公司 | Firmware detection method, device, equipment and storage medium |
CN112905260A (en) * | 2021-02-07 | 2021-06-04 | 深信服科技股份有限公司 | Application starting method and device, electronic equipment and storage medium |
CN113515389A (en) * | 2020-04-09 | 2021-10-19 | 奇安信安全技术(珠海)有限公司 | Calling method, device and system of intermediate interface, storage medium and electronic device |
CN115543663A (en) * | 2022-12-01 | 2022-12-30 | 北京志翔科技股份有限公司 | Data processing method and device, electronic equipment and storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102314373A (en) * | 2011-07-07 | 2012-01-11 | 李鹏 | Method for realizing safe working environment based on virtualization technology |
CN102821094A (en) * | 2012-07-09 | 2012-12-12 | 深圳市深信服电子科技有限公司 | Method and system for secure data processing in virtual desktop |
CN103605930A (en) * | 2013-11-27 | 2014-02-26 | 湖北民族学院 | Dual-file anti-leakage method and system based on HOOK and filter driver |
CN103778384A (en) * | 2014-02-24 | 2014-05-07 | 北京明朝万达科技有限公司 | Identity authentication based virtual terminal safety environment protection method and system |
CN104318179A (en) * | 2014-10-30 | 2015-01-28 | 成都卫士通信息产业股份有限公司 | File redirection technology based virtualized security desktop |
EP3118768A1 (en) * | 2015-07-17 | 2017-01-18 | Backes SRT GmbH | Method for forming a virtual environment in an operating system of a computer |
CN106951775A (en) * | 2016-01-06 | 2017-07-14 | 梁洪亮 | A security protection system based on operating system kernel virtualization technology |
- 2018-07-19 CN CN201810798889.0A patent/CN109117664B/en active Active
Cited By (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110096856A (en) * | 2019-04-19 | 2019-08-06 | 奇安信科技集团股份有限公司 | Access control method, system, electronic device and medium |
CN110457925A (en) * | 2019-08-12 | 2019-11-15 | 深圳市网心科技有限公司 | Application data isolation method and device in internal and external storage, terminal and storage medium |
CN110457925B (en) * | 2019-08-12 | 2023-05-09 | 深圳市网心科技有限公司 | Application data isolation method and device in internal and external storage, terminal and storage medium |
CN113515389A (en) * | 2020-04-09 | 2021-10-19 | 奇安信安全技术(珠海)有限公司 | Calling method, device and system of intermediate interface, storage medium and electronic device |
CN113515389B (en) * | 2020-04-09 | 2024-03-01 | 奇安信安全技术(珠海)有限公司 | Method and device for calling intermediate interface, system, storage medium and electronic device |
CN111539010B (en) * | 2020-06-16 | 2023-09-01 | 北京明朝万达科技股份有限公司 | Clipboard control method, device, electronic equipment and computer readable storage medium |
CN111539010A (en) * | 2020-06-16 | 2020-08-14 | 北京明朝万达科技股份有限公司 | Clipboard control method and device, electronic equipment and computer-readable storage medium |
CN112269986A (en) * | 2020-10-29 | 2021-01-26 | 深信服科技股份有限公司 | Process management method, device and storage medium |
CN112685745A (en) * | 2020-12-31 | 2021-04-20 | 北京梆梆安全科技有限公司 | Firmware detection method, device, equipment and storage medium |
CN112685745B (en) * | 2020-12-31 | 2023-11-21 | 北京梆梆安全科技有限公司 | Firmware detection method, device, equipment and storage medium |
CN112905260A (en) * | 2021-02-07 | 2021-06-04 | 深信服科技股份有限公司 | Application starting method and device, electronic equipment and storage medium |
CN112905260B (en) * | 2021-02-07 | 2024-02-23 | 深信服科技股份有限公司 | Application starting method and device, electronic equipment and storage medium |
CN115543663A (en) * | 2022-12-01 | 2022-12-30 | 北京志翔科技股份有限公司 | Data processing method and device, electronic equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN109117664B (en) | 2020-11-10 |
Similar Documents
Publication | Title |
---|---|
CN109117664A (en) | The access control method and device of application program |
AU2020200073B2 (en) | Method and apparatus for multi-tenancy secrets management |
CN104025544B (en) | Sensitive information leakage prevention system, and sensitive information leakage prevention method |
US20080052514A1 (en) | Information Sharing System, Information Sharing Method, Group Management Program and Compartment Management Program |
CN104268479B (en) | A text manipulation isolation method, device and mobile terminal |
JP2008276756A (en) | Web services intermediary |
JP2013521587A (en) | Information protection using zones |
CN111756621A (en) | Method and device for managing data of group users and maintaining instant messaging group |
CN102281141B (en) | Document permission management method, apparatus and system |
CN104462997B (en) | Method, device and system for protecting work data in mobile terminal |
CN103268456A (en) | Method and device for file safety control |
CN105530261B (en) | Privacy information protection method and device |
CN107786551B (en) | Method for accessing intranet server and device for controlling access to intranet server |
CN105991565A (en) | Reading and writing separation method and system and database agent server |
CN103778379B (en) | Managing application execution and data access on a device |
CN106873958A (en) | API calling method and device |
CN105162763A (en) | Method and device for processing communication data |
CN112651039A (en) | Electric power data differentiation desensitization method and device fusing service scenes |
CN108399341B (en) | Windows dual file management and control system based on mobile terminal |
US20110170674A1 (en) | Apparatus, a mediating method, a program thereof and a system |
CN107294930A (en) | File propagation management method and device |
CN106130968A (en) | Identity authentication method and system |
CN111625843A (en) | Data transparent encryption and decryption system suitable for big data platform |
CN116488913A (en) | Security access control method and device based on dynamic access of network environment |
CN105205403A (en) | Method and system for managing and controlling file data of local area network based on file filtering |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |