WO2009088362A1 - Limiting access to file and folder on a storage device - Google Patents


Info

Publication number
WO2009088362A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
security
sfsd
folder
user
Application number
PCT/SG2008/000450
Other languages
French (fr)
Inventor
Foh Lo Khiam
Jianlin Luo
Original Assignee
Dallab(S) Pte Ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F21/575 Secure boot
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/2105 Dual mode as a secondary aspect


Abstract

The present invention provides a modified operating system (OS) (100) operable on a portable computing device, such as a mobile telephone, a mobile computer, an electronic organizer or a data storage device. The modified OS includes a file filter system (146), an associated security file system driver (SFSD) (148) and a security user interface (152). The SFSD is loaded prior to final OS initialization/configuration and loading of the user security/data registry. A security user interface (152) associated with the SFSD then generates a dialogue box to allow the user to create a confidential file A or folder B, with options for locking and/or encrypting. User identity is verified (258, 358) before access to the file/folder is allowed; the file A/folder B remains secure even when security setting data created through the SFSD dialogue box is altered or removed, or after the computing device undergoes a clean boot-up.

Description

Limiting Access To File And Folder On A Storage Device
Field of Invention
[0001] The present invention relates to a system and method of limiting unauthorized access to data files and folders on a storage device of an electronic device.
Background
[0002] Computers, such as notebooks, personal digital assistants (PDAs) and some mobile telephones, are now relatively affordable and are used widely; one can retrieve and send emails while traveling; another can perform electronic banking or commerce wirelessly. Coupled with the propensity of losing one's portable electronic devices, data security in such devices is imperative, and access to confidential files and folders is desired to be restricted or limited to the owner; in other words, it is desirable to prevent unauthorized reading or copying of confidential or sensitive data on one's computing or communication devices, especially if one's device has relatively large data storage and is also used for business activities.
[0003] Confidential or sensitive data can be made secure by one or more of the following approaches:
(a) contents are accessible only after verification by passwords or other biometrics;
(b) contents are encrypted with passwords or passphrases;
(c) contents remain encrypted when copied out of a device;
(d) contents are not allowed to be copied out of a device;
(e) contents are protected and encrypted automatically when security setting is damaged or deleted; or
(f) contents are deleted after a lapse of predefined time interval.
[0004] Associated with security of data, there are two separate aspects of data security: confidentiality and integrity. Confidentiality refers to the reversible transformation of data into a form which has little or no resemblance to the original data, thereby making the transformed data non-intelligible to those without the knowledge to reverse the transformation. Thus, confidentiality is associated with cryptography or encryption and decryption of data. Integrity of data refers to the assurance that data has not been tampered with. Integrity of data is often provided by digital signatures; a cryptographic checksum of the original data is calculated and stored somewhere; a verifier then calculates the checksum of the data and compares it with the stored pre-calculated checksum to ensure that the data is not tampered with.
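The integrity check that paragraph [0004] describes, as an added example that is not part of the patent: a keyed checksum (HMAC-SHA256) is computed over the original data and stored, and a verifier later recomputes it and compares. The key is what stops whoever alters the data from simply recomputing an unkeyed hash to match; note that an HMAC, unlike the digital signature the paragraph mentions, gives integrity but not non-repudiation, since anyone holding the key can produce a valid tag. The function names, the fixed key and the sample data are constructed for illustration.

```python
# Added example (not from the patent): the checksum-store-recompute-compare
# integrity check of paragraph [0004], using HMAC-SHA256 as the checksum.
# Function names, the key and the sample data are constructed.
import hashlib
import hmac


def seal(data: bytes, key: bytes) -> bytes:
    """Compute the checksum that is stored alongside (or apart from) the data."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(data: bytes, stored_tag: bytes, key: bytes) -> bool:
    """Recompute the checksum and compare with the stored one in constant time."""
    return hmac.compare_digest(seal(data, key), stored_tag)


def demo() -> dict:
    # Constructed key: in practice this comes from a key store or a KDF, never a constant.
    key = b"\x00" * 32
    original = b"balance=1000"
    tag = seal(original, key)          # stored "somewhere" at write time
    tampered = b"balance=9000"         # a modified copy of the data
    return {
        "original_ok": verify(original, tag, key),
        "tampered_ok": verify(tampered, tag, key),
        "wrong_key_ok": verify(original, tag, b"\x01" * 32),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```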
[0005] To ensure data security, a user may either encrypt and decrypt a file or folder selectively or manually, or run a third party application to carry out these tasks automatically. One drawback of these approaches is that the encrypted file and folder and their security settings can be removed after the computing device undergoes a clean boot-up. It can thus be seen that there exists a need for another approach to ensuring data security that can overcome the disadvantage of the existing prior art.
[0006] FIG. 1 shows a simplified boot up process 1 of a conventional personal computer system. When a personal computer is turned on 10, a microprocessor in the computer passes control over to a basic input/output system (BIOS). The BIOS boots up the computer, checks whether all the input/output (I/O) and peripheral devices are connected and operational, initializes 20 all the operable peripheral devices before the BIOS invokes the operating system (OS) to load the OS from a bootable drive into the computer's random access memory (RAM).
[0007] When the OS is invoked, the kernel or core of the OS is loaded into the RAM. The kernel then starts system initialization and configuration 40. After OS initialization, a file system (FS) 42 is built up, as shown in FIG. 1. A file filter system (FFS) 44 and its associated window file filter driver (FFD) 46 are then loaded into the RAM. Loading of the OS then continues with loading 50 of all the required drivers and software applications predefined by the user. After the OS or computer is booted up 60, a directory of files and folders is created. The file directory can then be viewed by the user, and data files and folders can then be created, changed or removed by the user.
Summary
[0008] The following presents a simplified summary to provide a basic understanding of the present invention. This summary is not an extensive overview of the invention, and is not intended to identify key features of the invention. Rather, it is to present some of the inventive concepts of this invention in a generalised form as a prelude to the detailed description that is to follow.
[0009] In one embodiment, the present invention provides a file security system operable at boot up in a portable computing device. The file security system comprises: a file filter system and associated security file system driver (SFSD) to extend or replace functionality of a file system that is configurable with an original window operating system; wherein the file filter system is operable to interrupt the file system and the associated security file system driver (SFSD) is operable to boot up from a read-only memory (ROM).
[0010] In another embodiment, the file security system further comprises a security interface driver. The security interface driver generates a dialogue box for the user to create a confidential file or folder and to lock the file/folder to deny unauthorized access to confidential data or application stored therein.
[0011] In another embodiment, the present invention provides a method for preventing unauthorized electronic file access in a computing device. The method comprises: interrupting the file system during booting up of the computing device; replacing the file filter system that is configurable with an original window operating system with a modified file filter system; installing a security file system driver (SFSD) associated with the modified file filter system; and installing a security user interface driver, which generates a dialogue box to allow the user to create a confidential file or folder whilst loading user installable software and drivers, before completing the booting up process.
[0012] In another embodiment, the SFSD in the above method further comprises a cryptographic engine. In addition, the SFSD is loaded prior to loading of user data and the confidential file/folder thus created on a computing device remains secure until it is unlocked with a correct user verification.
[0013] The present invention also discloses a computer readable medium containing a file security system according to any one of claims 1-5 or containing a method of preventing unauthorized electronic file access according to any one of claims 6-10.
Brief Description of the Drawings
[0014] This invention will be described by way of non-limiting embodiments of the present invention, with reference to the accompanying drawings, in which:
[0015] FIG. 1 illustrates a boot up process of a conventional personal computer system;
[0016] FIG. 2 illustrates a boot up process of a portable computing device according to one embodiment of the present invention; and
[0017] FIG. 3A illustrates a security system for accessing a file according to another embodiment of the present invention; and FIG. 3B illustrates a security system for accessing a folder according to yet another embodiment of the present invention.
Detailed Description
[0018] One or more specific and alternative embodiments of the present invention will now be described with reference to the attached drawings. It shall be apparent to one skilled in the art, however, that this invention may be practised without such specific details. Some of the details may not be described at length so as not to obscure the invention. For ease of reference, common reference numerals or series of numerals will be used throughout the figures when referring to the same or similar features common to the figures.
[0019] FIG. 2 shows a boot up process 100 of a portable computing device according to one embodiment of the present invention. As shown in FIG. 2, a power up step 110 is followed by a basic hardware initialization step 120. The basic hardware initialization step 120 involves passing control over to a basic input/output system (BIOS). The BIOS boots up the portable computing device, checks whether all the input/output (I/O) and peripheral devices are connected and operational, and initializes 120 all the operable peripheral devices.
[0020] Step 120 is followed by step 130. In step 130, the BIOS invokes the operating system (OS) to load the OS from a bootable drive into the computer's random access memory (RAM). After the OS is invoked, the kernel of the OS is loaded into the RAM; this is then followed by OS initialization and configuration in step 140.
[0021] As shown in FIG. 2, part of the OS initialization and configuration in step 140 involves building up a file system in step 142 and a file filter system in step 144, loading of a window filter driver in step 146 and loading of a security file system driver (SFSD) from a read-only memory (ROM) in step 148; the following description of the present invention deals with this aspect of configuring the system files. This approach builds the file system in layers comprising the file filter and file system drivers and allows interrupts to the system files that would be built up by an original window OS; in this way, this approach allows security of the system files to be extended or modified. In other words, security of the file system is managed at the OS level and bootable in ROM instead of a user installable application level.
[0022] In one embodiment of building the file system drivers, FIG. 2 shows the step of loading a security file system driver (SFSD) in step 148. For tighter security, the SFSD is loaded from a read-only memory (ROM). Such reading from a ROM may be reading from a protected disc during which read-write operation is denied by a separate disk filter system. After all the file system drivers are loaded, including the SFSD in step 148, the booting up process reverts to step 140 to finalise the OS initialization and configuration prior to loading of user security or data registry. Once the OS initialization and configuration processes are finalized, the booting up process involves loading the user installed software and associated drivers into the RAM in step 150 and loading in step 152 of a security interface driver associated with the SFSD. In one embodiment, the security interface driver associated with the SFSD generates a dialogue box to allow a user to create a confidential file A for storing sensitive information; in another embodiment, the dialogue box allows a user to create a confidential folder B for storing files containing sensitive information or applications which the user can launch. In addition, the dialogue box also allows the user to lock or unlock the confidential file A or folder B.
[0023] After all the user installed software and associated drivers predefined for launching during boot up are loaded in step 150, including the process in step 152, the OS boot up process is completed in step 160. The SFSD dialogue box can then be called out after the computing device has booted up to allow the user create additional confidential files or folders and to lock/unlock the confidential files/folders as and when required. For example, a user may lock a confidential file A/folder B before lending the computing device, such as a mobile phone or a PDA, to another user so that the other user can use the computing device without having access to the locked confidential file A/folder B; in addition, the user may lock selected applications, for example by storing email or short message (SMS) applications in the confidential folder B.
[0024] In one embodiment of locking or unlocking the confidential file A/folder B, the user enters a password or passphrase; in another embodiment, the user signs in with a digital signature; in yet another embodiment, the user signs in with a biometric signature.
[0025] FIG. 3A shows the system file's security process 200 according to the confidential file A embodiment of the present invention. As shown in FIG. 3A, process box 210 illustrates execution of a window explorer or a third party software application. Execution of a request from the window explorer to open a locked file A sends a system call 215 to the file system 240 to obtain file A's information. The file information 245 is then sent to the SFSD 250. Within the SFSD, a search for file A in the storage disk is conducted in step 252. Following execution of step 252, a decision is made in step 254 whether the requested file A is locked or not.
[0026] If the decision in box 254 is no, the SFSD 250 passes control over to the file system 240 and the requested file information is sent, in step 242, to the window explorer or requestor application. If the decision in box 254 is yes, the SFSD 250 proceeds to step 256. In step 256, the SFSD 250 prompts the user to enter a user verification.
[0027] After the user enters a user verification in step 256, the SFSD 250 checks, in step 258, whether the user verification is correct. If the user is correctly verified, the SFSD 250 passes control over to the file system 240 and the requested file information is sent, also in step 242, to the window explorer or requestor application. If the decision in box 258 is no, the SFSD 250 informs the file system 240, which then sends a "no file" response in step 244 to the file explorer 210. The file explorer or requestor application 210 in turn informs the user that access to file A is denied.
[0028] FIG. 3B shows the system file's security process 300 according to the confidential folder B embodiment of the present invention. Security process 300 is similar to security process 200 in substantially the same manner. Execution of the file explorer 310 or requestor application sends a system call 315 to the file system 340 to obtain folder B's information. The folder B information 345 is then sent to the SFSD 350. Within the SFSD 350, a search for folder B in the storage disk is conducted in step 352. Following search step 352, a decision is made in step 354 whether the requested folder B is locked or not.
[0029] If the decision in box 354 is no, the SFSD 350 passes control over to the file system 340 and the requested folder information is sent, in step 342, to the window explorer or requestor application. If the decision in box 354 is yes, the SFSD 350 proceeds to step 356. In step 356, the SFSD 350 prompts the user to enter a user verification.
[0030] After the user enters a user verification in step 356, the SFSD 350 checks, in step 358, whether the user verification is correct. If the user is correctly verified, the SFSD 350 passes control over to the file system 340 and the requested folder B information is sent, also in step 342, to the window explorer or requestor application. If the decision in box 358 is no, the SFSD 350 informs the file system 240, which then sends a "no content" response in step 344 to the file explorer 310. The file explorer or requestor application 310 in turn informs the user that access to folder B is denied.
[0031] In another embodiment of security process 200, the SFSD 250 includes an additional cryptographic engine 257 after step 256. Similarly, in another embodiment of security process 300, the SFSD 350 includes an additional cryptographic engine 357 after step 356. The additional cryptographic engine 257,357 may employ a symmetric key algorithm, such as an Advanced Encryption System (AES). The cryptographic engine 257,357 may be used to encrypt the owner's verification, which is stored in the computing device. In addition, the cryptographic engine 257,357 may be used to decrypt the owner's verification stored in the computing device so that it can be compared with the user verification. The cryptographic engine 257,357 may be supplied to a user on a ROM, a protected ROM disk or on a separate processor.
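The decision flow of paragraphs [0027] to [0031] (search for the object, check the lock, prompt for a user verification, compare it with the stored owner's verification, then either hand back to the file system or return "no file"/"no content") can be modelled in user mode. The following is an added example written for this page, not code from the patent or its applicant. It assumes a dictionary stands in for the file system 240/340 and a callable stands in for the SFSD dialogue box. Where the page's cryptographic engine encrypts the owner's verification with AES, this model instead stores a salted PBKDF2-HMAC digest and compares it in constant time; that substitution is deliberate, because a digest cannot be turned back into the owner's verification even if the security setting data is read off the device, whereas an AES-encrypted copy is only as safe as wherever the key lives.

```python
"""Model of the SFSD decision flow (steps 252-258 / 352-358).

Illustrative code for this page, not the patent's own implementation.
Assumptions: `storage` is a dict path -> content, keys ending in '/'
are folders; `prompt` is a callable standing in for the dialogue box
and returns None when the user cancels.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

_ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


class OwnerVerifier:
    """Stored form of the owner's verification (the 'security setting data').

    Substitutes a salted PBKDF2-HMAC digest for the page's AES-encrypted copy.
    """

    def __init__(self, secret: str) -> None:
        self.salt = os.urandom(16)
        self.digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, _ITERATIONS)

    def matches(self, candidate: str) -> bool:
        # Step 258/358: compare the user's entry with the stored verification.
        # compare_digest avoids leaking how many bytes matched through timing.
        probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), self.salt, _ITERATIONS)
        return hmac.compare_digest(probe, self.digest)


class SecurityFileSystemDriver:
    """Sits between the requestor (file explorer 210/310) and the file system.

    A lock on a folder (confidential folder B) also covers everything
    stored beneath it, so applications migrated into B are protected too.
    """

    def __init__(self, storage: dict) -> None:
        self._storage = dict(storage)
        self._locks: dict[str, OwnerVerifier] = {}

    def lock(self, path: str, secret: str) -> None:
        """Create the lock the SFSD dialogue box would record for `path`."""
        if path not in self._storage:
            raise KeyError(path)
        self._locks[path] = OwnerVerifier(secret)

    def _guard_for(self, path: str) -> Optional[OwnerVerifier]:
        """Return the verifier protecting `path`, checking enclosing folders."""
        if path in self._locks:
            return self._locks[path]
        for locked, verifier in self._locks.items():
            if locked.endswith("/") and path.startswith(locked):
                return verifier
        return None

    def request(self, path: str, prompt: Callable[[str], Optional[str]]):
        """Handle one system call and return (response, payload).

        'ok' carries the file content or the folder listing; a denied or
        missing file yields 'no file' (step 244), a denied or missing folder
        yields 'no content' (step 344), so the requestor cannot tell a
        locked object from an absent one.
        """
        is_folder = path.endswith("/")
        denied = ("no content", None) if is_folder else ("no file", None)
        # Step 252/352: search the storage for the requested object.
        if path not in self._storage:
            return denied
        # Step 254/354: locked?  If not, hand straight back to the file system.
        verifier = self._guard_for(path)
        if verifier is not None:
            # Step 256/356: the dialogue box collects a user verification.
            entered = prompt(path)
            if entered is None or not verifier.matches(entered):
                return denied
        # Step 242/342: the file system returns the requested information.
        if is_folder:
            listing = sorted(p for p in self._storage if p.startswith(path) and p != path)
            return ("ok", listing)
        return ("ok", self._storage[path])
```

Returning the same denial for a missing object and for a locked one with a failed verification matches the page's "no file"/"no content" responses and keeps the filter from acting as an oracle for which confidential objects exist.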
[0032] An advantage of the present system is that a confidential file/folder created on an electronic device with an operating system of the present invention remains secure until it is unlocked with a correct user verification. This is because the SFSD of the present invention is loaded by the file system before the system file is fully initialized, i.e., before user data and any third party installable security software are loaded; in other words, the SFSD is executed prior to entry of user data or execution of any third party installable security software. Access to the confidential file A/folder B is denied even when security setting data entered through the SFSD dialogue box is altered or removed, or even when the computing device undergoes a clean boot-up. In this way, all user data and system or user installable applications can be made secure, that is, in terms of confidentiality and integrity; in general, use of a mobile or portable electronic device operable with an operating system according to the present invention can be restricted by an owner or with permission from the owner.
[0033] As can be appreciated from the above description, the present invention provides data security to a computing device without much trouble to the user or with no difference from a third party installable application; a user need only to create the confidential file A or confidential folder B and to install/migrate all applications that contain confidential information into the confidential folder B. Another advantage is that a computing device incorporating the security process or processes 100,200,300 of the present invention can be used by another user with no access to the confidential file A or folder B or applications installed in the confidential folder B.
[0034] While specific embodiments have been described and illustrated, it is understood that many changes, modifications, variations and combinations thereof could be made to the present invention without departing from the scope of the invention. For example, whilst the OS was illustrated with a personal portable computing device, the principle underlying its security at a system level is applicable to an operating system that is operable in a mobile phone, a portable electronic organizer or data storage device.

Claims

CLAIMS:
1. A file security system operable at boot up in a portable computing device, said file security system comprising: a file filter system and associated security file system driver (SFSD) to extend or replace functionality of a file system that is configurable with an original window operating system; wherein the file filter system is operable to interrupt the file system and the associated security file system driver (SFSD) is operable to boot up from a read-only memory (ROM).
2. A file security system according to claim 1, further comprising a security interface driver, which generates a dialogue box for the user to create a confidential file or folder and to lock the file/folder to deny unauthorized access to confidential data or application stored therein.
3. A file security system according to claim 2, wherein access to the file/folder is verified via a password, a passphrase or sign-in signature.
4. A file security system according to any one of claims 1-3, wherein the security file system driver (SFSD) further comprises a cryptographic engine.
5. A file security system according to any one of claims 2-4, wherein the file/folder remains locked even when security setting data entered by the SFSD dialogue box is altered/removed or even after the computing device undergoes a clean boot-up.
6. A method for preventing unauthorized electronic file access in a computing device, the method comprising: interrupting the file system during booting up of the computing device; replacing the file filter system that is configurable with an original window operating system with a modified file filter system; installing a security file system driver (SFSD) associated with the modified file filter system; and installing a security user interface driver associated with the SFSD whilst loading user installable software and drivers before completing the booting up process, wherein the SFSD security interface driver generates a SFSD dialogue box to allow the user to create a confidential file or folder and to lock/unlock the confidential file/folder.
7. A method according to claim 6, wherein the SFSD further comprises a cryptographic engine.
8. A method according to claim 6 or 7, wherein the modified file filter system and its associated security file system driver (SFSD) are loaded prior to loading of user data or any user installable security application.
9. A method according to any one of claims 6-8, wherein the confidential file or folder created with the modified file filter system remains locked even when security setting data entered by the SFSD dialogue box is altered/removed or even after the computing device undergoes a clean boot-up.
10. A method according to any one of claims 6-9, wherein the computing device is a mobile telephone, a mobile personal computer, an electronic organizer or a data storage apparatus.
11. A computer readable medium containing a file security system according to any one of claims 1-5.
12. A computer readable medium containing a method of preventing unauthorized electronic file/folder access according to any one of claims 6-10.
PCT/SG2008/000450 2008-01-09 2008-11-27 Limiting access to file and folder on a storage device WO2009088362A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SG200800249-5 2008-01-09
SG200800249-5A SG154348A1 (en) 2008-01-09 2008-01-09 Limiting access to file and folder on a storage device

Publications (1)

Publication Number Publication Date
WO2009088362A1 true WO2009088362A1 (en) 2009-07-16

Family

ID=40853306

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2008/000450 WO2009088362A1 (en) 2008-01-09 2008-11-27 Limiting access to file and folder on a storage device

Country Status (2)

Country Link
SG (1) SG154348A1 (en)
WO (1) WO2009088362A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999014652A1 (en) * 1997-09-16 1999-03-25 Microsoft Corporation Encrypting file system and method
US20030065875A1 (en) * 2001-09-28 2003-04-03 Van Cleve Robert E. Reserved ROM space for storage of operating system drivers
US7178165B2 (en) * 2001-08-20 2007-02-13 Lenovo (Signapore) Pte Ltd. Additional layer in operating system to protect system from hacking
US20070050620A1 (en) * 2002-10-16 2007-03-01 Duc Pham Secure file system server architecture and methods


Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013066397A1 (en) * 2011-10-31 2013-05-10 Hewlett-Packard Development Company, L.P. File lock preservation
CN102662872A (en) * 2012-03-29 2012-09-12 山东超越数控电子有限公司 Trusted cryptography module based method for protection of virtual disk image files
US20220322054A1 (en) * 2015-06-10 2022-10-06 Honor Device Co., Ltd. Short Message Processing Method and Apparatus, and Electronic Device
US11765557B2 (en) * 2015-06-10 2023-09-19 Honor Device Co. Ltd. Short message processing method and apparatus, and electronic device

Also Published As

Publication number Publication date
SG154348A1 (en) 2009-08-28

Similar Documents

Publication Publication Date Title
EP1679632B1 (en) Systems and methods for securely booting a computer with a trusted processing module
US9141815B2 (en) System and method for intelligence based security
EP2583410B1 (en) Single-use authentication methods for accessing encrypted data
US7313705B2 (en) Implementation of a secure computing environment by using a secure bootloader, shadow memory, and protected memory
US8909940B2 (en) Extensible pre-boot authentication
US7694121B2 (en) System and method for protected operating system boot using state validation
US8930713B2 (en) System and method for general purpose encryption of data
JP4982825B2 (en) Computer and shared password management methods
KR101775800B1 (en) Anti-theft in firmware
US20120254602A1 (en) Methods, Systems, and Apparatuses for Managing a Hard Drive Security System
US20120011354A1 (en) Boot loading of secure operating system from external device
US7840795B2 (en) Method and apparatus for limiting access to sensitive data
US20020073306A1 (en) System and method for protecting information stored on a computer
WO2005088461A1 (en) Method and device for protecting data stored in a computing device
CN107292176A (en) Method and system for accessing a trusted platform module of a computing device
US8181006B2 (en) Method and device for securely configuring a terminal by means of a startup external data storage device
US10783088B2 (en) Systems and methods for providing connected anti-malware backup storage
WO2019117951A1 (en) Boot authentication
WO2009088362A1 (en) Limiting access to file and folder on a storage device
RU2748575C1 (en) Method and device for trusted computer booting with control of peripheral interfaces
CN117874773A (en) Operating system safe starting method and device based on safety level control strategy
DriveLock et al. HP ProtectTools Firmware security features in HP Compaq business notebooks

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08869611; Country of ref document: EP; Kind code of ref document: A1)
DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase (Ref country code: DE)
WWE Wipo information: entry into national phase (Ref document number: PI 2010003218; Country of ref document: MY)
122 Ep: pct application non-entry in european phase (Ref document number: 08869611; Country of ref document: EP; Kind code of ref document: A1)