为限制应用程序的恶意行为,通过对Windows平台访问控制机制的研究以及对象管理器对资源管理方式的分析,提出在Windows7操作系统下应用程序权限能力控制方法。该方法使用权限控制和资源监控相结合的方式来实现,利用受限制的访问令牌和受限制的作业对象对应用程序进程权限进行限制,通过扩展对象管理器回调功能实现对应用程序访问资源的监控。最后通过实验验证了该方法的可行性和有效性,实现了对系统资源的细粒度监控。%To restrain the malicious behaviour of the applications,we put forward the approach for access and capability control in regard to applications in Windows 7 operating system by studying the access control mechanism of Windows platform and analysing the means of resource management by the object manager.This method is implemented by integrating the access control and resource monitoring,it uses the restricted access token and job object to restrain the privileges of program process,and realises to monitor the resources access by the applications through expanding the function of object manager callback.At last,the feasibility and availability of the method is validated with experiment,it achieves the fine-grained monitoring on system resources.
展开▼