Research On Sensitive Data Protection Of Windows Application

With the sensitive information handled by the operating system more widely, malicious attacks for sensitive data are increasing. The protection technologies of sensitive data are access control and decryption. Malicious programs can bypass the protection mechanisms in order to steal data from a disk or memory. Therefore, the research which forces on security of application sensitive data is of great significance.Through analysis of the data management of Windows operating system and the technology of hardware assist virtualization, a data protection model is developed to protect the sensitive data of the application. The main contribution and innovation of this paper include:1. The data management of Windows operating system is introduced. The threats of the data attacks are classified into two kinds, which are the static data analysis and the real-time data attack. The attacks for static data can be then divided into two methods, which are physical memory analysis and disk volume analysis. The attacks for real-time data include the user mode rootkits and kernel mode rootkits.2. The present solutions are analyzed, including the host protection system, NICKLE, OverShadow and SP3. The advantages and disadvantages of those solutions are also analyzed.3. The code of process is divided into trusted code and untrusted code. The data of process is classified into two kinds, which are common data and sensitive data. Then a sensitive data protection system based on Hypervisor is developed. The attacks for static data are effectively blocked by pretreatment encryption technology and the physical page frame encryption technology. Hiding the plaintext of the application is achieved by double shadow page table and data execution protection technology. The system monitors the CR3switch and access control of page table to prevent protected area of application to be maliciously modified.4. The difficulties of sensitive data protection are from real-time data attack in the protected process. The mode switch between the trusted code and untrusted code is intercepting by executive disabled technology. Then the system uses different shadow page tables for different modes. Memory data encryption technology and page table access control technology are used to protect the protected data in the disk volume and physical memory when the process is running.