Technical Field
The present invention relates to a disk process management system and method, and more particularly to a BitLocker disk process management system and method that solves the problem of process identifiers (PIDs) conflicting under the operating system when an application program is executed.
Background Art
With the development of computer technology, people today use computers or various kinds of terminals as working tools, whether for work, study, scientific research or other applications; enterprises, government units, financial institutions and military units in particular generate large volumes of electronic files at all times. In the information age, however, wherever important electronic files of significant commercial, strategic, military or creative value are involved, there is the possibility that they will be leaked through careless internal management of the organization or be subjected to external attack: illegal copying or destruction of electronic files from inside the organization, physically carrying storage devices containing electronic files outside, or attack and theft by external terminals over the network have repeatedly caused enterprises and organizations to suffer losses. In addition, since most modern operating systems accommodate multiple user accounts, or are shared through network servers, confidential documents of different confidentiality levels must be distinguished when many users share the same system at the same time.
Regarding the above classification of files, current practice is usually to plan relative access rights according to the nature of each user's duties within the organization or enterprise. For example, a particular user may have print, preview, read, copy, execute and edit access to a particular confidential file, while a user whose duties are less related is granted lower access and can only preview and read the file but cannot copy or edit it, so that confidential files within the organization or enterprise can be managed separately. One way to achieve this is to introduce a sandbox mechanism (SandBox) into the organization's or enterprise's system, so that the confidential files, software or settings that can be accessed are confined to the resources provided by the operating system and cannot exceed them. This isolates multiple users from one another and provides different degrees of protection between them, in order to control attacks by viruses and malware and, more importantly, to prevent the confidential files of an enterprise or organization from leaking from the inside to the outside, for example a departing employee of a software company carrying program code developed by the original company to a competitor, or a business company's confidential business documents being taken out.
Traditionally, when an error occurs in a program, the only option is to restart the operating system. For the management of access rights to confidential files, the above sandbox mechanism usually relies on the process identifier (Process Identifier, PID) of the operating system as the basis for managing access rights to confidential files. The so-called process identifier is a value that the kernel of most UNIX-like operating systems uses to identify confidential files; this value can be passed as a parameter to many function calls for process control, such as adjusting a program's priority, killing a program, or controlling a program's access rights.
Although process identifiers have the above advantages, for certain applications (Microsoft Excel, for example) the difficulty that may be encountered in using process identifiers for access-rights management of confidential files is that when several confidential files are opened in the same application, the operating system assigns the same process identifier to those instances of the application. The sandbox mechanism is then unable to determine which access rights correspond to which confidential file, which may cause errors in the processes. Figure 1 shows this error situation in terms of the user 301, the application 303, the process identifier 305, the confidential files 307 and the application programming interface 309. When the real user 301A opens the first file 307A and the second file 307C among the confidential files 307 by executing the application 303 (for example the above-mentioned Microsoft Excel), the first file 307A and the second file 307C both correspond to the first process identifier 305A, so that the sandbox mechanism 111 cannot tell what access rights the real user 301A actually has to the first file 307A and to the second file 307C.
Therefore, in the current state of the art, the above system and method for managing access rights to confidential files through process identifiers within a sandbox mechanism still need further improvement, so as to avoid the drawback that the access rights in the sandbox mechanism may cause errors for particular applications, preventing the user's access rights to different confidential files from being enforced effectively and possibly affecting the stability of the operating system.
Summary of the Invention
In view of this, an object of the present invention is to provide a BitLocker disk process management system and method.
To achieve the above object, the present invention adopts the following technical solutions:
A BitLocker disk process management system, which solves the problem that multiple confidential files opened through the same application (such as Microsoft Excel, Word or PowerPoint) correspond to the same process identifier (Process Identifier, PID).
The system of the present invention allocates the computing resources of the system components and coordinates the processes through a processing module. The system architecture of the present invention comprises: an access-rights module, which sets the access rights to the BitLocker disk, including processes such as write, read, preview, copy, delete or print; a BitLocker disk protection module, coupled to the access-rights module, which authenticates the user's access rights to the BitLocker disk, where the authentication may be BitLocker-based authentication; a BitLocker disk management module, which manages the confidential files stored on the BitLocker disk as well as the creation and number of BitLocker disks; and a BitLocker disk driver module, coupled to the BitLocker disk management module, which drives the operation of the BitLocker disk. The BitLocker disk driver module further comprises: a process identifier unit, which, according to the access rights set by the access-rights module, assigns specific process identifiers (PIDs) to users, applications and confidential files; and a hook unit (Hook), which, according to the process identifier, intercepts the processes that the access rights do not allow and connects the processes that the access rights allow to the application programming interface (Application Programming Interface, API).
According to the present invention, different files of the same application correspond to different process identifiers (PIDs); that is, the first process identifier corresponding to the first file differs from the second process identifier corresponding to the second file.
According to the present invention, the system architecture of the access-rights module further comprises a user unit, which creates the required number of virtual users according to the need to execute multiple confidential files under the same application, so that different confidential files can correspond to different process identifiers. In a preferred embodiment of the present invention, the virtual users are created through the application programming interface (API).
According to the present invention, the system architecture of the access-rights module further comprises a function library unit, which records the functions relating specific users, applications and confidential files to their process identifiers; the format of the functions in the function library unit may be a dynamic-link library (Dynamic-Link Library, DLL).
A BitLocker disk process management method, comprising the following steps: the processing module determines whether the first file was already started before the application is executed; if the determination is negative, the process identifier unit creates a first process identifier corresponding to the first file; if the determination is affirmative, the user unit creates a virtual user within the real user's environment according to the needs of the application; and, within the same application's environment, the process identifier unit creates for the virtual user a second process identifier corresponding to the second file. After the second file is closed, the virtual user may optionally be deleted after a predetermined time, or kept.
According to the present invention, the above BitLocker disk process management method further comprises the processing module starting the application in the real user's environment, and the hook unit (Hook) intercepting all processes (Process).
According to the present invention, the above BitLocker disk process management method further comprises the hook unit intercepting, according to the access rights, the disallowed processes in the first file and linking the allowed processes to the application programming interface.
According to the present invention, the hook unit intercepts the processes in the second file according to the access rights and, once the virtual user has been created, links the allowed processes to the application programming interface.
According to the present invention, the above BitLocker disk process management method further comprises the processing module executing, in the real user's operating system environment, the first file allowed by the access rights.
According to the present invention, the above BitLocker disk process management method further comprises the processing module using the runas program to have the application execute, in the virtual user's environment, the second file allowed by the access rights.
According to the present invention, the above BitLocker disk process management method further comprises the access-rights module setting the access rights of each user and storing them in the user unit.
The foregoing describes the object, technical means and achievable effects of the present invention. Those skilled in the relevant art will understand the present invention more clearly from the following embodiments, the accompanying drawings and the scope of the claims.
Brief Description of the Drawings
The following detailed description of the present invention and the schematic diagrams of the embodiments should allow the present invention to be more fully understood; it should be understood, however, that they serve only as a reference for understanding the application of the present invention and do not limit the present invention to any particular embodiment.
Figure 1 illustrates the problem that may be encountered under the conventional sandbox mechanism when a user's access rights to an application or confidential file are set according to the process identifier (PID).
Figure 2 illustrates the system architecture of the BitLocker disk process management system.
Figure 3 shows how, in the present invention, several confidential files with different access rights are executed in the processing module within the real user's environment.
Figure 4 shows the steps of the BitLocker disk process management method.
Figure 5 shows the flow of the steps of the BitLocker disk process management method.
Description of Reference Numerals
Detailed Description
The embodiments of the present invention are described below by way of specific examples; those skilled in the art can readily understand the effectiveness and advantages of the present invention from the content disclosed in this specification. The present invention may also be applied and implemented through other specific embodiments, and the details set forth in this specification may be applied according to different needs and variously modified or changed without departing from the spirit of the present invention.
The object of the present invention is to propose a BitLocker disk process management system and method that solves the following problem of the conventional sandbox mechanism: when process identifiers (PIDs) are used to set a user's access rights to an application or confidential file, certain applications merge the processes for different confidential files they open into the same process identifier, and no corrective parameter can be added to those applications to separate the process identifiers. For example, when the real user is Lisa and two confidential files are opened in Excel, their process identifiers are merged into the same one, for example 2010 (the number is only an example), instead of two process identifiers representing the two confidential files (such as 1020 and 1030). In a sandbox mechanism this phenomenon may affect the stability of the sandbox and open possible holes in the protection of confidential files. The solution provided by the present invention is to use the application programming interface to create, within the applicable real user's environment, as many virtual users as there are confidential files opened, and to execute each of those confidential files on a different virtual user through the runas program, so that the application in question assigns different process identifiers to the confidential files according to the different users. Different confidential files can thus correspond to different access rights and program errors are avoided, improving system stability and ease of operation. The sandbox mechanism of the present invention is BitLocker. The technical means by which the present invention is implemented are described in detail below.
In the present invention, the processing module 201 usually comprises a processing chip, memory, temporary memory, a display device, a network communication module, an operating system, applications and so on, interconnected in the generally known manner to perform computation, temporary storage, display and data transmission and to provide operation and management coordination for the BitLocker disk process management system 200; since this is a generally known architecture, it is not described further here. In addition, in the present invention the access rights include processes such as write, read, preview, copy, delete or print, and the users 301, applications 303, process identifiers 305 and confidential files 307 may each be created or executed in whatever number the application requires, for example a first process identifier 305A, a second process identifier 305C, up to an Nth process identifier, or a first file 307A, a second file 307C, up to an Nth file, as those skilled in the art will readily understand after reading this specification; this is stated here in advance.
Referring to Figures 2 and 3, to achieve the object of the present invention, a BitLocker disk process management system 200 is proposed. The system is executed through the above processing module 201, which allocates the computing resources of the system components and coordinates the processes.
In the present invention, the architecture of the BitLocker disk process management system 200 comprises: an access-rights module 209, which sets the access rights to the BitLocker disk, including processes such as write, read, preview, copy, delete or print, wherein the access-rights module 209 comprises a user unit 209A that uses the application programming interface 309 to create the required number of virtual users according to the need to execute multiple confidential files 307 under the same application 303, so that different confidential files 307 can correspond to different process identifiers 305; a BitLocker disk protection module 207, coupled to the access-rights module 209, which authenticates the access rights of the user 301 to the BitLocker disk, where the authentication may be BitLocker-based authentication; and a BitLocker disk management module 203, which manages the confidential files 307 stored on the BitLocker disk as well as the creation and number of BitLocker disks.
In the present invention, the BitLocker disk process management system 200 further comprises a BitLocker disk driver module 205, coupled to the BitLocker disk management module 203, which drives the operation of the BitLocker disk. The BitLocker disk driver module 205 further comprises: a process identifier unit 205A, which, according to the access rights set by the access-rights module 209, assigns specific process identifiers 305 to the user 301, the application 303 and the confidential files 307; and a hook unit 205C, which, according to the process identifier 305, intercepts the processes that the access rights do not allow and connects the processes that the access rights allow to the application programming interface 309.
It should be noted that in the present invention the real user 301A and the virtual user 301C actually correspond to the same user 301; that is, the real user 301A and the virtual user 301C have the same access rights with respect to the application 303. With respect to the first file 307A and the second file 307C, however, the access rights may differ because of the different nature of the duties within the organization or enterprise. Therefore, in order for the first file 307A and the second file 307C to have different process identifiers 305, the BitLocker disk process management system 200 needs to execute the second file 307C under the virtual user 301C. In an embodiment of the present invention, the first file 307A and the second file 307C may be executed on the same screen or on different screens of the processing module 201.
Referring to Figure 3, which shows how the BitLocker disk process management system 200 executes in the processing module 201: in an embodiment of the present invention, when the real user 301A, for example Lisa, executes the first file 307A through the application 303 in the BitLocker execution environment, the process identifier unit 205A assigns the first process identifier 305A to the first file 307A. In one embodiment, the hook unit 205C uses the first process identifier 305A to identify the allowed and disallowed access rights set for the real user 301A in the access-rights module 209, for example whether the content of the first file 307A may be previewed, and whether its content may be written, copied, deleted, printed and so on. Once the access rights have been confirmed, the hook unit 205C connects the allowed processes to the application programming interface (API) 309 and intercepts the disallowed processes.
Continuing from the above, when the real user 301A, for example Lisa, executes the second file 307C through the same application 303, the system creates a virtual user 301C with the same access rights as the real user 301A, whose virtual name, for example Dean, is generated from a random number. Within the environment of the virtual user 301C, the process identifier unit 205A assigns the second process identifier 305C to the second file 307C, which facilitates executing the second file 307C. The present invention thus has the same application 303 produce different process identifiers 305 for the same user 301, one of which is the process identifier 305 produced for the virtual user 301C. The same user can therefore use the same application 303 to open different confidential files 307; because one of the users to which these confidential files 307 correspond is a virtual user, the files are assigned different process identifiers 305, allowing the same user to open different files of the same application 303 under different process identifiers 305. For example, the second Excel confidential file 307 is executed under the virtual user 301C, and its process identifier 305 differs from that of the preceding Excel confidential file 307. It should be noted that Excel is only an example; according to the actual usage of the application 303, the method may also be applied to any application 303 in which two confidential files 307 would merge into one process identifier 305, such as Word or PowerPoint.
According to an embodiment of the present invention, the system architecture of the access-rights module 209 further comprises a function library unit 209C, which records the functions relating a specific user 301, application 303 and confidential file 307 to the process identifier 305; the format of the functions in the function library unit 209C may be a dynamic-link library (Dynamic-Link Library, DLL). According to one aspect of the present invention, the process identifier 305 of a confidential file 307 may be set by the access-rights module 209 according to the needs of the application, or assigned by the process identifier unit 205A, so as to suit the circumstances of different applications 303 and improve the compatibility of the BitLocker disk process management system 200.
According to an embodiment of the present invention, the protector keys held in the BitLocker disk protection module 207 may correspond to the different access-rights settings in the access-rights module 209; the form of the protector key may be, but is not limited to, a Trusted Platform Module (TPM), a PIN (PIN Code), a mobile-device key, or a combination of these. In one aspect of the present invention, the mobile-device key may be a key stored on a USB flash drive, so that access rights may correspond to different forms of key protection according to the nature of the duties of the person corresponding to the user 301.
Referring to Figures 4 and 5, the present invention proposes a BitLocker disk process management method 400 comprising the following steps. In step S2, the processing module 201 starts the application 303 in the environment of a user 301. In step S4, the processing module 201 determines whether the application 303 has previously started the first file 307A. In step S5, if the determination of step S4 is negative, the process identifier unit 205A creates the first process identifier 305A corresponding to the first file 307A. In step S8, if the determination of step S4 is affirmative, the system creates, according to the needs of the application, a virtual user 301C in the environment of the user 301, generated using a random number. In step S10, the process identifier unit 205A creates the second process identifier 305C corresponding to the second file 307C of the application 303, where the first process identifier 305A differs from the second process identifier 305C.
According to the present invention, the above BitLocker disk process management method 400 further comprises step S2, in which the processing module 201 starts the application 303 in the environment of the real user 301A, and step S3, in which the hook unit 205C intercepts all processes (Process).
According to the present invention, the above BitLocker disk process management method 400 further comprises step S6, in which the hook unit 205C, according to the access rights, intercepts the disallowed processes in the first file 307A and links the allowed processes to the application programming interface 309.
According to an embodiment of the present invention, the method further includes step S7, in which the processing module 201 executes, in the environment of the actual user 301A, the first file 307A permitted by the access rights, wherein the interception unit 205C links the allowed processes to the program interface 309 according to the access rights.
According to the present invention, the method further includes step S9, in which the interception unit 205C intercepts the processes of the second file 307C.
According to an embodiment of the present invention, the method further includes step S11, in which the interception unit 205C links the allowed processes to the program interface 309 according to the access rights, and the processing module 201 executes the second file 307C of the application program 303 in the environment of the virtual user 301C. In one embodiment of the present invention, after the second file 307C is closed by the actual user 301A, the user unit 209A may, after a predetermined time, choose either to delete or to retain the virtual user 301C. In one aspect of the present invention, considering the running time required to create the virtual user 301C, the virtual user 301C may be retained after the second file 307C is closed, so that a subsequent second file 307C, or another confidential file 307 corresponding to the application program 303, can be started more quickly.
According to an embodiment of the present invention, the method further includes step S1, in which the access rights module 209 sets the access rights of each user 301 and stores the content of the access rights in the user unit 209A, wherein the file format of the access rights may be an access control matrix (Access Control Matrix).
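The following is an added illustration, not code from the patent, of how steps S1 through S11 fit together: an access control matrix set per user, a second file opened under an already-running application being run as a randomly generated virtual user with its own PID, disallowed processes being intercepted, and the virtual user being retained or deleted on close. The user names, file names, handler names and PID counter are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    pid: int                 # program identification code (305A or 305C)
    context_user: str        # actual user (301A) or virtual user (301C)
    file: str
    allowed: frozenset       # processes linked to the program interface (309)
    blocked: frozenset       # processes intercepted by the interception unit (205C)


class ProcessManager:
    """Simulates the management method 400 on an in-memory access control matrix."""

    def __init__(self, matrix):
        self.matrix = matrix          # step S1: user -> file -> allowed processes
        self.next_pid = 1000          # hypothetical PID counter, one PID per file
        self.open_files = {}          # (user, app) -> files already open (step S4)
        self.virtual_users = {}       # actual user -> retained virtual user (step S11)

    def _virtual_user(self, user):
        # Step S8: the virtual user is derived from a random number; a retained one is reused.
        if user not in self.virtual_users:
            name = f"{user}-v{secrets.randbelow(10**6):06d}"
            self.virtual_users[user] = name
            self.matrix[name] = self.matrix[user]   # virtual user inherits the real user's row
        return self.virtual_users[user]

    def open_file(self, user, app, file, requested):
        already_open = self.open_files.setdefault((user, app), set())
        # Steps S4/S8: a further file under an already-running app runs as the virtual user.
        ctx = self._virtual_user(user) if already_open else user
        rights = self.matrix.get(ctx, {}).get(file, set())
        allowed = frozenset(p for p in requested if p in rights)   # steps S6/S9/S11
        pid = self.next_pid                                         # steps S5/S10
        self.next_pid += 1
        already_open.add(file)
        return Session(pid, ctx, file, allowed, frozenset(requested) - allowed)

    def close_file(self, user, app, file, keep_virtual=True):
        # Step S11: after closing, the virtual user may be retained for faster restarts.
        self.open_files[(user, app)].discard(file)
        if not keep_virtual:
            name = self.virtual_users.pop(user, None)
            self.matrix.pop(name, None)
```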
The present invention is described by way of preferred embodiments and aspects. Such descriptions explain the structure of the present invention and serve only to illustrate, not to limit, the patentable scope of the present invention. Therefore, in addition to the preferred embodiments in the specification, the present invention may also be widely practiced in other embodiments.
The above are only specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any changes or substitutions that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the protection scope of the claims.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911090111.5A (CN112784263B) | 2019-11-08 | 2019-11-08 | Bit lock disk handler management system and method |
| Publication Number | Publication Date |
|---|---|
| CN112784263A | 2021-05-11 |
| CN112784263B (granted) | 2024-03-08 |
| Country | Link |
|---|---|
| CN (1) | CN112784263B |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103563278A* | 2011-05-20 | 2014-02-05 | Citrix Systems, Inc. | Securing encrypted virtual hard disks |
| CN104199734A* | 2014-09-12 | 2014-12-10 | Shanghai Feixun Data Communication Technology Co., Ltd. | Android smart terminal based application multi-run management method and system |
| CN105550582A* | 2015-12-11 | 2016-05-04 | Fujian Landi Commercial Equipment Co., Ltd. | Method and system for accessing virtual disk |
| Publication | Title | Publication Date |
|---|---|---|
| EP2569693B1 (en) | Methods and systems for forcing an application to store data in a secure storage location | |
| EP1946238B1 (en) | Operating system independent data management | |
| US20180189300A1 (en) | Method and system for providing restricted access to a storage medium | |
| KR100596135B1 (en) | Access Control System for Each Application Using Virtual Disk and Its Control Method | |
| US20080208924A1 (en) | Security model for common multiplexed transactional logs | |
| BRPI0404008B1 (en) | system that manages the partitioning of an application, method of a first software object that runs in a first environment by manipulating data to which a policy applies, system that supports partitioning of an application into at least one first software object and a second software object | |
| WO2018171171A1 (en) | Methods and apparatus for containerized secure computing resources | |
| CN114254346A (en) | Data storage processing method, system, equipment and medium | |
| KR101227187B1 (en) | Output control system and method for the data in the secure zone | |
| CN112784263B (en) | Bit lock disk handler management system and method | |
| JP4516598B2 (en) | How to control document copying | |
| TWI736012B (en) | Bitlocker disc process identification management system and method | |
| KR102338774B1 (en) | Data protection method to prevent data leakage and corruption by preventing file contents from being read and written at the kernel level of the storage operating system | |
| CN108694327B (en) | Protection system of virtual disk | |
| US12271469B2 (en) | Extending secure guest metadata to bind the secure guest to a hardware security module | |
| CN112784321B (en) | Disk security system | |
| US20240176913A1 (en) | Selecting an hsm for association to a secure guest | |
| TWI783189B (en) | Bitlocker disc administration system | |
| US20240176634A1 (en) | Updating secure guest metadata of a specific guest instance | |
| TWI745784B (en) | Disc security system | |
| CN110795164B (en) | Application packaging method, device and application running method and device | |
| US20240176885A1 (en) | Updating secure guest metadata of a specific guest instance | |
| CN100410900C (en) | Method for implanting safety function module into computer internal memory core space | |
| EP4627462A1 (en) | Selecting an hsm for association to a secure guest | |
| WO2024115152A1 (en) | Updating secure guest metadata of a specific guest instance |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |