An operating system protection method, system, electronic device and readable storage medium

By setting trusted status flags for programs in the operating system and redirecting the modification operations of unknown programs, the problem of unknown programs damaging the operating system is solved, achieving lightweight isolation and efficient protection, suitable for server and industrial control environments.

CN122153873APending Publication Date: 2026-06-05HUANENG POWER INT CO LTD RIZHAO POWER PLANT +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HUANENG POWER INT CO LTD RIZHAO POWER PLANT
Filing Date
2026-02-28
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing technologies cannot effectively prevent unknown programs from damaging the operating system, and sandbox technology is complex to apply.

Method used

By setting trusted status flags for programs in the operating system, monitoring and intercepting process modifications to system objects, redirecting modifications by unknown programs to surrogate system objects, and synchronizing the contents of the surrogate object to the original object after the unknown program becomes a trusted program.

Benefits of technology

It achieves kernel-level lightweight isolation, precisely preventing unknown programs from tampering with the system state, maintaining security and performance compatibility, and is suitable for servers and industrial control environments that need to run a large number of third-party or self-developed scripts.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122153873A_ABST
    Figure CN122153873A_ABST
Patent Text Reader

Abstract

The application provides an operating system protection method, system, electronic equipment and readable storage medium, comprising: a program marking step: setting a trusted state mark for a program in an operating system, and distinguishing the program into a trusted program and an unknown program; wherein the program refers to an executable code file stored on a storage medium; an operation redirection step: monitoring and intercepting a modification operation of a process on a system object in an operating system kernel; when the modification operation is intercepted, the following sub-steps are executed: judging whether the process is a process triggered by an unknown program according to the trusted state mark of the executable code file corresponding to the process initiating the modification operation; if yes, the modification operation is redirected to a dummy system object; a synchronization step: when an unknown program is changed into a trusted program, the contents of all dummy system objects associated with the program are updated to their respective original system objects.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of computer security technology, and in particular relates to AI model copyright protection and trusted reasoning methods and systems. Background Technology

[0002] In recent years, with the rapid development of information technology, computer system security has become increasingly serious. Among the aspects of information system security, the security of operating systems, network management systems, and database management systems is central. The operating system is the central manager of computer hardware and software resources and data, responsible for the massive resource management of the computer system, frequent input / output control, and uninterrupted communication between the user and the operating system. System security has become an issue that cannot be ignored, and operating system security is particularly critical. Currently, attack methods targeting operating systems are increasingly numerous and complex. These attacks exploit vulnerabilities in the operating system itself to maliciously damage it, leading to the tampering of resource configurations, the implantation and execution of malicious programs, and the unauthorized takeover of superuser privileges through buffer overflow attacks.

[0003] Hackers attack operating systems for two main reasons: first, to steal users' private data; and second, to maliciously damage the operating system, rendering it unable to function properly, thus compromising its integrity. Regarding the protection of operating system integrity, sandboxing is a widely used and mature technology. A sandbox, as the name suggests, can be seen as a container where everything done inside can be completely rewritten. Essentially, a sandbox is a hard drive filtering file driver. Specifically, it writes data to the hard drive, but not actually to a storage location. Reading content requires determining whether it existed before the sandbox was opened or was written afterward, and the data is read from different locations accordingly. After a restart, the storage location is cleared.

[0004] Currently, the security community boasts a diverse array of sandbox technologies and products, including software sandboxes, virtualization sandboxes, and hardware sandboxes. However, sandbox technology is still widely regarded as "a technology under development," and no single product can truly be considered a sandbox in the strictest sense.

[0005] However, the above methods cannot effectively prevent unknown programs from damaging the operating system. Furthermore, sandbox technology is complex to apply. Summary of the Invention

[0006] This invention provides a method for protecting the integrity of unknown programs in an operating system, which can at least solve the technical problems of not being able to effectively prevent unknown programs from damaging the operating system and the complexity of sandbox technology.

[0007] The technical solution provided by this invention is as follows: On the one hand, a method for integrity protection against unknown programs in an operating system is provided, including: Program marking step S1: Set a trusted status mark for the program in the operating system to distinguish the program into trusted programs and unknown programs; wherein, the program refers to an executable code file stored on the storage medium; Operation redirection step S2: In the operating system kernel, monitor and intercept process modifications to system objects; when a modification operation is intercepted, execute the following sub-steps: Based on the trusted status flag of the executable code file corresponding to the process that initiated the modification operation, determine whether the process is a process triggered by an unknown program; If so, the modification operation is redirected to a substitute system object, wherein the substitute system object is located in a separate clone storage area and corresponds to the original system object that the modification operation was originally intended to modify; Synchronization step S3: When an unknown program is changed to a trusted program, the contents of all surrogate system objects associated with that program are updated to their respective original system objects.

[0008] In an optional implementation, the program marking step S1, setting a trusted state flag for the program, includes: In response to user commands, set a flag for the specified program; or The program is automatically assigned an initial tag based on a preset strategy; the preset strategy includes: determining whether the program is located in a preset set of trusted storage paths, or verifying whether the program has a valid digital signature.

[0009] In one alternative implementation, the system object includes a file, directory, device file, or symbolic link.

[0010] In one optional implementation, the operation redirection step, when creating a substitute system object corresponding to the original system object, includes cloning the metadata of the original system object; the metadata includes file permission attributes, owner attributes, or timestamp information.

[0011] In one optional implementation, the intercepted modification operations in the operation redirection step S2 include: writing a file, creating a file, deleting a file, renaming a file, truncating a file, or modifying a file through memory mapping.

[0012] In one optional implementation, the triggering condition for the synchronization step S3 includes: Receive a user-issued instruction to change a specified unknown program into a trusted program; or, Based on the behavioral analysis results of the unknown program during the preset observation period, a change instruction is automatically generated.

[0013] In one optional implementation, during the synchronization step S3, when updating the content of the substitute system object to the original system object, if it is detected that the original system object has been modified since the creation of the corresponding substitute system object, then the conflict resolution strategy is applied. The preset conflict resolution strategies include: overwriting with a substitute version, overwriting with the original version, or retaining both and notifying the user.

[0014] On the other hand, an electronic device is provided, including a processor, a memory, and a computer program stored in the memory, wherein the computer program, when executed by the processor, implements the method described in any of the preceding claims.

[0015] In one alternative implementation, a configuration management module is also included, which provides an interface to perform at least one of the following operations: managing the trusted status of the program, configuring clone storage areas, setting behavior observation policies and conflict resolution policies, and viewing program behavior logs.

[0016] In another aspect, a computer-readable storage medium is provided, on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the method described in any of the preceding claims.

[0017] The method provided in this embodiment of the invention has at least the following beneficial effects: The method provided in this invention achieves kernel-level, on-demand, lightweight isolation. Without altering program execution or relying on full virtualization or sandbox overload, it precisely prevents unknown programs from tampering with the system's true state through only the efficient operation of kernel path redirection, achieving an optimal balance between security, performance, and compatibility. Attached Figure Description The above and other objects, features and advantages of this disclosure will become more apparent from the accompanying drawings, in which like reference numerals generally denote like parts.

[0018] Figure 1 A schematic diagram of a method for protecting the integrity of unknown programs in an operating system is shown. Detailed Implementation

[0019] Embodiments of the present disclosure will now be described in more detail with reference to the accompanying drawings. While embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that the present disclosure will be thorough and complete, and will fully convey the scope of the present disclosure to those skilled in the art.

[0020] The term "comprising" and its variations as used herein signify open inclusion, i.e., "including but not limited to". Unless otherwise stated, the term "or" means "and / or". The term "based on" means "at least partially based on". The terms "one example embodiment" and "one embodiment" mean "at least one example embodiment". The term "another embodiment" means "at least one additional embodiment". The terms "first", "second", etc., may refer to different or the same objects. Other explicit and implicit definitions may also be included below.

[0021] Operating system integrity protection has always been a core issue in operating system security. Operating system integrity includes file system integrity, process integrity, and device integrity. As the operating system's data manager, the file system's integrity has always been the weakest link in the overall system's security and the most easily exploited target by attackers. How to protect the integrity of the operating system's file system remains an indelible topic in the field of operating system security.

[0022] Following the principles of access control, all behaviors and events in an operating system can be categorized into two types: subjects and objects. Processes are considered subjects, and the file system is considered an object. When the subject is unknown or untrustworthy, its actions on the object may result in the object becoming untrustworthy. For operating system users, it is often difficult to determine the trustworthiness of an unknown program. Allowing a malicious program to run unchecked could damage the system. However, if a completely unknown program is not allowed to run, it will be impossible to determine whether it is trustworthy. To address this issue, this invention proposes a scheme for analyzing the behavior of unknown programs and protecting their integrity.

[0023] This invention provides an immunity mechanism against modifications to the file system by unknown programs in the operating system, aiming to prevent such programs from damaging the system. For programs with unknown states, it can effectively curb their damage to the operating system without affecting their normal operation. Simultaneously, it has minimal impact on system performance and can be widely applied in various fields such as network servers, data centers, industrial control, and personal desktops. The specific solution is as follows.

[0024] Please see Figure 1 On the one hand, embodiments of the present invention provide a method for integrity protection against unknown programs in an operating system, including: Program marking step S1: Set a trusted status mark for the program in the operating system to distinguish the program from the unknown program; where program refers to the executable code file stored on the storage medium; Operation redirection step S2: In the operating system kernel, monitor and intercept process modifications to system objects; when a modification operation is intercepted, execute the following sub-steps: Based on the trusted status flag of the executable code file corresponding to the process that initiated the modification operation, determine whether the process is a process initiated by an unknown program; If so, the modification operation will be redirected to a substitute system object, which is located in a separate clone storage area and corresponds to the original system object that the modification operation was originally intended to modify. Synchronization step S3: When an unknown program is changed to a trusted program, the contents of all surrogate system objects associated with that program are updated to their respective original system objects.

[0025] The method provided in this embodiment of the invention has at least the following beneficial effects: The method provided in this invention achieves kernel-level, on-demand, lightweight isolation. Without altering program execution or relying on full virtualization or sandbox overload, it precisely prevents unknown programs from tampering with the system's true state through only the efficient operation of kernel path redirection, achieving an optimal balance between security, performance, and compatibility. This is particularly suitable for servers and industrial control environments that require running numerous third-party or self-developed scripts and plugins.

[0026] In the program marking step S1, a trusted status mark is set for the program in the operating system to distinguish the program from the unknown program; where a program refers to an executable code file stored on the storage medium.

[0027] For example, a flag can be recorded in the file system's extended attributes. For instance, in Linux systems, the command `setfattr -n user.trust_level -v “unknown” / path / to / program` can be used to add an attribute named `user.trust_level` with the value `unknown` to a program file. A value of `trusted` indicates a trusted program. The flag can be a simple binary state (trusted / unknown) or it can contain richer policy information (such as "partially restricted").

[0028] In operation redirection step S2, the operating system kernel monitors and intercepts process modifications to system objects. For example, "hooks" can be set at critical system calls (such as open, write, unlink, rename) or virtual file system interfaces using mechanisms provided by the operating system kernel (such as Linux's LSM framework or file system filter drivers). When a hook function is triggered, the operating system kernel traces which executable file launched the current process and reads the file's "trusted status flag." If the flag is "unknown," the kernel checks whether a corresponding surrogate system object already exists for the target file (the original system object). If not, a copy is created in a clone storage area (such as a standalone virtual disk image mounted at / .shadow). Subsequently, the target path for this operation is transparently redirected to the surrogate file at the kernel level.

[0029] In synchronization step S3, when an unknown program is changed to a trusted program, the contents of all surrogate system objects associated with that program are updated to their respective original system objects.

[0030] In this step, users can use the management tool to change the label of a program from "unknown" to "trusted". After an unknown program is changed to a trusted program, the contents of all surrogate system objects associated with that program will be updated to their respective original system objects.

[0031] In an optional implementation, the process of setting a trusted state flag for the program in step S1 includes: In response to user commands, set a flag for the specified program; or The program is automatically assigned an initial tag based on a preset strategy. The preset strategy includes: determining whether the program is located in a preset set of trusted storage paths, or verifying whether the program has a valid digital signature.

[0032] For example, manual marking can be used: a user right-clicks a downloaded, unfamiliar installation package and selects "Run this program in protected mode" from the pop-up menu, and the system marks it as "unknown". This embodiment can also use automatic marking, where the system automatically verifies the program's digital signature certificate. If the signature is valid and the certificate issuer is on the trusted list (such as Microsoft or Apple), it is marked as "trusted"; if there is no signature or the signature is invalid, it is initially marked as "unknown".

[0033] This invention, through automatic labeling based on preset rules, establishes a secure initial state upon installation or first run, excluding a massive number of programs from trusted sources (such as system components and legitimate app stores) from monitoring, significantly reducing overall system performance overhead and management complexity. Manual labeling, on the other hand, provides users with the necessary flexibility and control for handling edge cases.

[0034] In one alternative implementation, system objects include files, directories, device files, or symbolic links.

[0035] It should be noted that the device file, in Unix / Linux systems, refers to ` / dev / sda` representing the entire first hard drive. Without protection, an unknown program writing directly to this file can corrupt the entire disk. The method provided in this embodiment redirects its operations to a regular image file in the cloned region, protecting the real disk. Symbolic links, such as ` / etc / localtime`, are typically symbolic links pointing to a real timezone file. Malicious programs may tamper with the link's target. This method protects the link itself or its target file from modification by unknown programs.

[0036] This invention extends the scope of protection to device files and symbolic links, blocking the path for unknown programs to launch low-level attacks using special file types. This makes the protection mechanism no longer limited to regular data files, but covers multiple entry points for operating system resource access, achieving a more comprehensive and complete system integrity protection.

[0037] In one alternative implementation, the operation redirection step, when creating a substitute system object corresponding to the original system object, includes cloning the metadata of the original system object; the metadata includes file permission attributes, owner attributes, or timestamp information.

[0038] It should be noted that some programs check file permissions (such as whether they are writable) or rely on timestamps to determine file status. If the substitute file has default permissions, it may cause abnormal program behavior or cause the program to refuse to run. This invention creates a highly realistic "illusionary" environment for unknown programs by precisely cloning metadata. This ensures that the program's behavior in the isolated environment is highly consistent with its expected behavior in the real system, significantly improving the accuracy and reliability of behavior observation and analysis, and avoiding misjudgments caused by environmental distortion.

[0039] In one optional implementation, the intercepted modification operations in the operation redirection step S2 include: writing a file, creating a file, deleting a file, renaming a file, truncating a file, or modifying a file through memory mapping.

[0040] It's important to note that if only traditional file system write calls are intercepted, file modifications via memory mapping (mmap) will not be monitored. For example, kernel hooks need to intercept memory mapping-related system calls such as mmap() and munmap(). When an unknown program requests to map a file in writable mode, the kernel redirects it to the corresponding proxy file for mapping. This embodiment includes "file modifications via memory mapping" in its interception scope, ensuring that regardless of the underlying I / O mechanism used by the unknown program, its modification behavior cannot escape monitoring. This achieves comprehensive capture of file modification behavior, making the isolation mechanism as secure as container technology, but with a lighter implementation.

[0041] In one optional implementation, the triggering conditions for synchronization step S3 include: Receive a user-issued instruction to change a specified unknown program into a trusted program; or, Based on the analysis results of the unknown program's behavior during the preset observation period, change instructions are automatically generated.

[0042] This invention introduces a behavior-based automatic trust conversion mechanism, enabling the system to evolve from static, rule-based protection to a security system with dynamic learning and adaptive capabilities. This significantly reduces the need for manual intervention by users and proactively identifies new software with good behavior, improving system intelligence and user experience.

[0043] In one optional implementation, during the synchronization step S3, when updating the content of the substitute system object to the original system object, if it is detected that the original system object has been modified since the creation of the corresponding substitute system object, the conflict resolution strategy is followed. The preset conflict resolution strategies include: overwriting with a substitute version, overwriting with the original version, or retaining both and notifying the user.

[0044] For example, a conflict resolution strategy that overrides with a substitute version can be applied to all modifications to the program that the user trusts. A conflict resolution strategy that overrides with the original version can be applied to modifications to the program that are invalid or harmful, preserving the user's manual modifications.

[0045] This invention provides a structured conflict resolution mechanism, ensuring the security and determinism of the data synchronization process in complex multi-tasking, multi-user operating environments. It prevents accidental data loss that may result from automatic synchronization, transforming potential data consistency issues into controllable, policy-manageable events, greatly enhancing the practicality and reliability of the method.

[0046] In another aspect, an electronic device is provided, characterized in that it includes a processor, a memory, and a computer program stored in the memory, wherein the computer program, when executed by the processor, implements the method described above.

[0047] In one alternative implementation, a configuration management module is also included, which provides an interface to perform at least one of the following operations: managing the trusted status of the program, configuring clone storage areas, setting behavior observation policies and conflict resolution policies, and viewing program behavior logs.

[0048] In another aspect, a computer-readable storage medium is provided having a computer program stored thereon, which, when executed by a processor, implements any of the methods described above.

[0049] The various embodiments of this disclosure have been described above. These descriptions are exemplary and not exhaustive, nor are they limited to the disclosed embodiments. Many modifications and variations will be apparent to those skilled in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen to best explain the principles, practical application, or technical improvements to the embodiments in the market, or to enable others skilled in the art to understand the embodiments disclosed herein.

Claims

1. A method for protecting the integrity of unknown programs in an operating system, characterized in that, include: Program tagging steps: Set a trusted status tag for programs in the operating system to distinguish the programs into trusted programs and unknown programs; wherein, the program refers to an executable code file stored on the storage medium; Operation redirection steps: In the operating system kernel, monitor and intercept processes' modifications to system objects; when a modification is intercepted, execute the following sub-steps: Based on the trusted status flag of the executable code file corresponding to the process that initiated the modification operation, determine whether the process is a process triggered by an unknown program; If so, the modification operation is redirected to a substitute system object, wherein the substitute system object is located in a separate clone storage area and corresponds to the original system object that the modification operation was originally intended to modify; Synchronization steps: When an unknown program is changed to a trusted program, the contents of all surrogate system objects associated with that program are updated to their respective original system objects.

2. The method according to claim 1, characterized in that, In the program marking step S1, setting a trusted state flag for the program includes: In response to user commands, set a flag for the specified program; or The program is automatically assigned an initial tag based on a preset strategy; the preset strategy includes: determining whether the program is located in a preset set of trusted storage paths, or verifying whether the program has a valid digital signature.

3. The method according to claim 1, characterized in that, The system objects include files, directories, device files, or symbolic links.

4. The method according to claim 1, characterized in that, In the operation redirection step, when creating a substitute system object corresponding to the original system object, the metadata of the original system object is cloned; the metadata includes file permission attributes, owner attributes, or timestamp information.

5. The method according to claim 1, characterized in that, In the operation redirection step S2, the intercepted modification operations include: writing a file, creating a file, deleting a file, renaming a file, truncating a file, or modifying a file through memory mapping.

6. The method according to claim 1, characterized in that, The triggering conditions for the synchronization step S3 include: Receive a user-issued instruction to change a specified unknown program into a trusted program; or, Based on the behavioral analysis results of the unknown program during the preset observation period, a change instruction is automatically generated.

7. The method according to claim 1, characterized in that, In the synchronization step S3, when updating the content of the substitute system object to the original system object, if it is detected that the original system object has been modified since the creation of the corresponding substitute system object, the conflict resolution strategy is followed. The preset conflict resolution strategies include: overwriting with a substitute version, overwriting with the original version, or retaining both and notifying the user.

8. An electronic device, characterized in that, It includes a processor, a memory, and a computer program stored in the memory, which, when executed by the processor, implements the method as described in any one of claims 1 to 7.

9. The electronic device according to claim 8, characterized in that, It also includes a configuration management module, which provides an interface to perform at least one of the following operations: managing the trusted status marking of the program, configuring clone storage areas, setting behavior observation policies and conflict resolution policies, and viewing program behavior logs.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the method as described in any one of claims 1 to 7.