File hiding based on capacity disguise and double file system
WANG Kang, LI Qingbao
Journal of Computer Applications    2016, 36 (4): 979-984.   DOI: 10.11772/j.issn.1001-9081.2016.04.0979
Concerning the poor robustness and low hiding strength of existing file hiding methods based on Universal Serial Bus (USB), a new file hiding method based on capacity disguise and a double file system was proposed. By analyzing the characteristics and management mechanism of NAND flash chips, capacity disguise was achieved to deceive the host by tampering with the device capacity value in the Command Status Wrapper (CSW). Based on the memory management mechanism of the Flash Translation Layer (FTL), the storage area was divided into two parts, a hiding area and a common area, by different marks, and a double file system was established using the format function. A request to switch file systems was sent by writing specific data, and the switch was performed after user authentication to realize secure access to the hiding area. The experimental results and theoretical analysis show that the proposed method can hide files transparently to the operating system; moreover, it is not affected by device operations and has better robustness and a stronger hiding effect than methods based on hooking the Application Programming Interface (API), modifying the File Allocation Table (FAT), or encryption.
Windows clipboard operations monitoring based on virtual machine monitor
ZHOU Dengyuan, LI Qingbao, ZHANG Lei, KONG Weiliang
Journal of Computer Applications    2016, 36 (2): 511-515.   DOI: 10.11772/j.issn.1001-9081.2016.02.0511
The existing methods for monitoring clipboard operations cannot defend against kernel-level attacks or satisfy practical needs because of their simple protection strategy. In order to mitigate these disadvantages, a clipboard operations monitoring technique for document contents based on a Virtual Machine Monitor (VMM) was proposed, as well as a classification protection strategy for electronic documents based on clipboard operations monitoring. Firstly, system calls were intercepted and identified in the VMM by modifying the shadow registers. Secondly, a mapping table between process identifier and document path was created by monitoring document open operations, so that the document path could be obtained from the process identifier when clipboard operations were intercepted. Finally, clipboard operations were filtered according to the classification protection strategy. The experimental results show that the performance loss to the Guest OS file system caused by the monitoring system decreases as the record size increases; when the record size exceeds 64 KB, the performance loss is within 10%, which has little effect on the user.
Software tamper resistance based on function-level control-flow monitoring
ZHANG Guimin, LI Qingbao, WANG Wei, ZHU Yi
Journal of Computer Applications    2013, 33 (09): 2520-2524.   DOI: 10.11772/j.issn.1001-9081.2013.09.2520
Software tamper resistance is an important method of software protection. Concerning the control-flow tampering caused by buffer overflows and other software attacks, a software tamper-proofing method based on Function-Level Control-Flow (FLCF) monitoring was proposed. This method described the software's normal behaviors by its FLCF and instrumented one guard at every function entry using binary rewriting. The monitoring module decided whether the software had been tampered with by comparing the running status received from the guards' reports with the expected condition. A prototype system was realized and its performance was analyzed. The experimental results show that this method can effectively detect control-flow tampering with less overhead and no false positives. It can be easily deployed and transplanted, as its implementation needs neither source code nor any modification of the underlying devices, and system security is strengthened by isolating the monitoring module from the software being protected.