CN104572398A - Method for user monitoring encrypted disks - Google Patents


Info

Publication number
CN104572398A
Authority
CN
China
Prior art keywords
encryption
user space
software
module
monitoring
Prior art date
Legal status
Granted
Application number
CN201510040140.6A
Other languages
Chinese (zh)
Other versions
CN104572398B (en)
Inventor
周晓军
陈曦
刘韬
夏欣然
黎露
谢莎
Current Assignee
Chengdu Qianniucao Information Technology Co Ltd
Original Assignee
Chengdu Qianniucao Information Technology Co Ltd
Priority date
2015-01-27
Filing date
2015-01-27
Publication date
2015-04-29

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method for monitoring encrypted disks from user mode. The method embeds a software layer between the monitoring and auditing environment and the encrypting storage device; when monitoring and auditing are required, the software layer presents a completely transparent plaintext storage device: it injects into a user-mode process, captures the encryption and decryption interaction data exchanged between user mode and kernel mode, and decrypts the encrypted data to obtain the plaintext by replaying the decryption flow, so that the data can be filtered and monitored. For an existing monitoring and auditing system, a software implementation is provided with which the files on the encrypting storage device can be audited and monitored; the software can be embedded into the existing monitoring and auditing environment conveniently, no changes to the existing monitoring and auditing software or operating system are needed, and the deployment cost is reduced greatly. The method has high universality, compatibility and stability when adopted with various encryption software, does not affect system stability, and does not require frequent updating and modification.

Description

Method for monitoring an encrypted disk from user mode
Technical field
The present invention relates to information security, data auditing, remote assistance and related technical fields, and specifically to a method for monitoring an encrypted disk from user mode.
Background technology
As network technology has spread, information leakage has become a threat to everyday life. People have gradually begun, at home and at work, to protect their own data from unauthorized access by storing it encrypted. The problem this creates is that, in a network where access is supposed to be controlled, encrypted stored data is hard to monitor. Sensitive data escaping monitoring and then leaking happens from time to time, and most leakage incidents are hard to prevent and hard to gather evidence for.
For example, a classified file A has certain sensitive characteristics while unencrypted, and while it is transmitted over the intranet a general content monitoring system can identify and record it. But once someone uses an encryption tool to encrypt the storage device holding file A, nobody other than that person can read the storage device, let alone determine whether the file is classified or whether it contains confidential information.
Although encrypting a storage device has advantages for confidentiality, in environments with stricter anti-leakage requirements it creates many conflicts, such as difficulty in auditing and difficulty in collecting evidence.
Summary of the invention
The object of the present invention is to provide a method for monitoring an encrypted disk from user mode. By providing an effective, smooth software implementation for an existing auditing and monitoring system, it makes the files on an encrypted storage device auditable and monitorable; the software implementing the invention can be embedded very easily into an existing monitoring and auditing environment without changing the existing monitoring and auditing software or the operating system, which greatly reduces deployment cost. At the same time, the invention achieves good universality, compatibility and stability across multiple encryption programs, does not affect system stability, and does not require frequent upgrades or modification.
The present invention is achieved through the following technical solution: a method for monitoring an encrypted disk from user mode, in which a software layer is embedded between the monitoring and auditing environment and the encrypted storage device. When monitoring or auditing is required, this software layer presents what appears to be a completely transparent plaintext storage device: by injecting into a user-mode process, it intercepts the encryption and decryption interaction data exchanged between user mode and kernel mode, and then decrypts the encrypted data to obtain plaintext by replaying the decryption flow, thereby achieving filtering and monitoring. When someone uses encryption software to encrypt a storage device, this is recorded promptly for later audit, and when a file that the monitoring and auditing process attempts to access is located on an encrypted storage medium, the encrypted storage medium can be loaded and decrypted in real time.
Further, to better implement the present invention, the described "injecting into a user-mode process, intercepting the encryption and decryption interaction data exchanged between user mode and kernel mode, and then decrypting the encrypted data to obtain plaintext by replaying the decryption flow, thereby achieving filtering and monitoring" specifically comprises the following steps:
1) implement a user-mode Message-based IPC module, which monitors the startup of all processes in the system and can identify, by matching specific characteristics, whether a newly started process is a target process that needs to be monitored;
2) implement a user-mode dynamic link library injection module, which can inject into a specified target process;
3) implement a process monitoring module in the form of a dynamic link library, which locates the user-mode/kernel-mode interaction interface within the process and, by means of a hot patch, redirects the data stream of that interface into the process monitoring module;
4) during storage encryption, when the user-mode process exchanges data with the kernel, record these interaction data streams and the file location information in the encryption interaction content interception module;
5) when a file that the monitoring or auditing process needs to access is located on an encrypted storage medium, the software retrieves the data stream used by the decryption flow from the encryption interaction content interception module, uses that data stream to interact with the target software's driver, replays the decryption flow, and thereby decrypts the stored data.
Further, to better implement the present invention, the described "method for monitoring an encrypted disk from user mode" comprises the following modules:
Message-based IPC module: monitors all process startups in the system and identifies, from a software signature, whether a started process is a storage encryption software process;
Dynamic link library injection module: injects the encryption interception module into the process to be monitored;
Encryption interaction content interception module: records decryption information;
Encryption device reload module: reloads the encrypted stored data and provides a plaintext access interface.
Further, to better implement the present invention, the described "process injection" places a certain dynamic link library into the process's address space to run, and uses a hot patch to replace a certain interface function through which the original process communicates with the driver with a monitoring function of its own, so as to supervise the encryption session between the user-mode process and the driver;
The described "hot patch" is a method of modifying process code that, while the process is running and without restarting it, modifies the process code in memory so that the change takes effect immediately;
The described "encryption device reload" uses the information recorded by the encryption interaction content interception module to "replay" the decryption flow and obtain plaintext.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
(1) By providing an effective, smooth software implementation for an existing auditing and monitoring system, the present invention makes the files on an encrypted storage device auditable and monitorable; the software implementing the invention can be embedded very easily into an existing monitoring and auditing environment without changing the existing monitoring and auditing software or the operating system, which greatly reduces deployment cost. At the same time, the invention achieves good universality, compatibility and stability across multiple encryption programs, does not affect system stability, and does not require frequent upgrades or modification.
(2) Application of the present invention has the advantages of transparency, stability and convenience.
Description of the drawings
Fig. 1 is a schematic diagram of how this software and the storage encryption software work before the monitoring module is injected.
Fig. 2 is a flow diagram of this software's monitoring module being injected into the storage encryption software.
Fig. 3 is a schematic diagram of how this software and the storage encryption software work after the monitoring module is injected.
Fig. 4 is a schematic diagram of how the encrypted stored data works after being loaded by the reload module.
Embodiments
The present invention involves user-mode process injection, process startup monitoring, in-memory code patching and related content, and is an integrated application of computer technology in these fields. Implementing the invention may involve a number of software function modules. The applicant believes that, after reading the application documents and accurately understanding the principle and purpose of the invention, a person skilled in the art can fully implement the invention with the software programming skills they possess, combined with existing known technology.
The present invention is described in further detail below with reference to embodiments, but the embodiments of the invention are not limited thereto.
Embodiment 1:
The present invention proposes a method for monitoring an encrypted disk from user mode. As shown in Fig. 1, Fig. 2, Fig. 3 and Fig. 4, a software layer is embedded between the monitoring and auditing environment and the encrypted storage device. When monitoring or auditing is required, this software layer presents what appears to be a completely transparent plaintext storage device: by injecting into a user-mode process, it intercepts the encryption and decryption interaction data exchanged between user mode and kernel mode, and then decrypts the encrypted data to obtain plaintext by replaying the decryption flow, thereby achieving filtering and monitoring. When someone uses encryption software to encrypt a storage device, this is recorded promptly for later audit, and when a file that the monitoring and auditing process attempts to access is located on an encrypted storage medium, the encrypted storage medium can be loaded and decrypted in real time. By providing an effective, smooth software implementation for an existing auditing and monitoring system, the invention makes the files on an encrypted storage device auditable and monitorable; the software implementing the invention can be embedded very easily into an existing monitoring and auditing environment without changing the existing monitoring and auditing software or the operating system, which greatly reduces deployment cost. At the same time, the invention achieves good universality, compatibility and stability across multiple encryption programs, does not affect system stability, and does not require frequent upgrades or modification.
Embodiment 2:
This embodiment is a further optimization on the basis of the above embodiment. Further, to better implement the present invention, as shown in Fig. 1 to Fig. 4, the described "injecting into a user-mode process, intercepting the encryption and decryption interaction data exchanged between user mode and kernel mode, and then decrypting the encrypted data to obtain plaintext by replaying the decryption flow, thereby achieving filtering and monitoring" specifically comprises the following steps:
1) implement a user-mode Message-based IPC module, which monitors the startup of all processes in the system and can identify, by matching specific characteristics, whether a newly started process is a target process that needs to be monitored;
2) implement a user-mode dynamic link library injection module, which can inject into a specified target process;
3) implement a process monitoring module in the form of a dynamic link library, which locates the user-mode/kernel-mode interaction interface within the process and, by means of a hot patch, redirects the data stream of that interface into the process monitoring module;
4) during storage encryption, when the user-mode process exchanges data with the kernel, record these interaction data streams and the file location information in the encryption interaction content interception module;
5) when a file that the monitoring or auditing process needs to access is located on an encrypted storage medium, the software retrieves the data stream used by the decryption flow from the encryption interaction content interception module, uses that data stream to interact with the target software's driver, replays the decryption flow, and thereby decrypts the stored data.
The described target software refers to software that implements encryption of stored data, typically including but not limited to TrueCrypt, BeeCrypt and the like.
The described encrypted storage device (encrypted storage or encrypted storage medium) refers to a storage device whose data has been encrypted using encryption software. Its whole implementation is a data block together with a supporting storage device filter driver; the carrier of the data block can be a file or a real physical disk. Externally, the data block appears in the operating system as an independent partition or volume: once user identity authentication succeeds, it is mounted in the operating system and used like a normal disk partition, and the encryption and decryption operations on it are invisible to the user's file operations; without authentication, the data block (the file or storage device holding the data) cannot be read directly.
The described data stream redirection refers to modifying the code execution flow of the target process so that execution is led to the dynamic link library injected into the target process; the code of the injected dynamic link library first records the data stream and then returns the data stream to the original execution flow.
The described user-mode/kernel-mode interaction interface refers to the calling interface that a kernel-mode driver exposes to user-mode processes in the form of a function; it differs from system to system. Typically it is ntdll.ZwDeviceControl on Windows systems and ioctl on Linux systems.
Embodiment 3:
This embodiment is a further optimization on the basis of any of the above embodiments. Further, to better implement the present invention, as shown in Fig. 1 to Fig. 4, the described "method for monitoring an encrypted disk from user mode" comprises the following modules:
Message-based IPC module: monitors all process startups in the system and identifies, from a software signature, whether a started process is a storage encryption software process. The described software signature includes but is not limited to several elements: the hash value of the software executable, the import table of the executable file, the digital signature of the executable file, the file name of the executable file, and so on.
Dynamic link library injection module: injects the encryption interception module into the process to be monitored;
Encryption interaction content interception module: records decryption information. The described decryption information refers to the information exchanged between the user-mode process and the kernel encryption driver during the encryption process, including the encryption mode, the key type and length, and the key data.
Encryption device reload module: reloads the encrypted stored data and provides a plaintext access interface.
Embodiment 4:
This embodiment is a further optimization on the basis of the above embodiment. Further, to better implement the present invention, as shown in Fig. 1 to Fig. 4, the described "process injection" places a certain dynamic link library into the process's address space to run, and uses a hot patch to replace a certain interface function through which the original process communicates with the driver with a monitoring function of its own, so as to supervise the encryption session between the user-mode process and the driver;
The described "hot patch" is a method of modifying process code that, while the process is running and without restarting it, modifies the process code in memory so that the change takes effect immediately. The described process code modification method modifies the in-memory image of the target software, not its executable file, in order to change the execution flow of the code.
The described "encryption device reload" uses the information recorded by the encryption interaction content interception module to "replay" the decryption flow and obtain plaintext. It does not need to know the concrete structure or meaning of the decryption key; it only re-executes the flow with the known data and obtains the decrypted result. For software or devices that support multiple encryption modes, this approach is universal.
Embodiment 5:
This embodiment is a further optimization on the basis of any of the above embodiments. As shown in Fig. 1 to Fig. 4, a method for monitoring an encrypted disk from user mode comprises the following steps:
1. The user starts the storage encryption program, which is recognized by the Message-based IPC module.
2. The Message-based IPC module sends the information about the recognized storage encryption program to the dynamic link library injection module.
3. Based on that information, the dynamic link library injection module injects the encryption interaction content interception module into the memory space of the storage encryption program's process.
4. In the memory space of the storage encryption program's process, the encryption interaction content interception module searches for the function interface through which this process interacts with the storage encryption driver, saves the memory address fAddr of that function interface, and changes the entry of the function into a jump instruction that jumps to the encryption interaction content interception module.
5. Interaction data is recorded: the user's encryption and decryption operations and the content exchanged with the driver have all been redirected to the encryption interaction content interception module, which records the user's encryption and decryption operations and the content exchanged with the driver.
6. After the encryption interaction content interception module has finished recording, it jumps back, using the previously saved fAddr value, to the original function interface of the storage encryption driver and returns control to the original storage encryption program.
7. When the user's encrypted stored data needs to be audited or monitored, the encryption device reload module submits the decryption data stream from the previously recorded interaction data to the storage encryption driver's function interface fAddr, so that the storage device is loaded and its data can be read in plaintext.
The present invention has the following advantages:
1. Transparent: the monitored personnel can hardly perceive any obvious performance degradation or abnormal operation, because the process monitoring module runs inside the encryption software's memory space and there is no separate process entity to be noticed; there is no impact at all on the original encryption software. At the same time, the encryption device reload module provides upper-layer applications with a way of transparently accessing the encrypted storage device, making the encrypted storage device appear no different from an ordinary storage device.
2. Stable: the original decryption flow is replayed to carry out the whole decryption, and during decryption the disk driver that comes with the original software is used entirely, so upgrades of the target software do not affect this method. At the same time, this method uses user-mode process injection, which keeps the impact on the operating system as a whole to a minimum and performs no operation on any other process.
3. Convenient: once this program is deployed, existing auditing and monitoring processes access files through conventional storage access operations; the file access interface of the original auditing and monitoring processes need not be modified, achieving a completely smooth intervention.
By providing an effective, smooth software implementation for an existing auditing and monitoring system, the present invention makes the files on an encrypted storage device auditable and monitorable; the software implementing the invention can be embedded very easily into an existing monitoring and auditing environment without changing the existing monitoring and auditing software or the operating system, which greatly reduces deployment cost. At the same time, the invention achieves good universality, compatibility and stability across multiple encryption programs, does not affect system stability, and does not require frequent upgrades or modification.
The above is only a preferred embodiment of the present invention and does not limit the invention in any form; any simple modification or equivalent variation made to the above embodiment according to the technical spirit of the present invention falls within the scope of protection of the present invention.
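Step 4 above overwrites the entry of the process's driver interface function with a jump. An encryption program, or an endpoint integrity monitor, can detect exactly that kind of in-memory modification by comparing the entry bytes it sees at runtime with a known-good copy of the prologue and classifying whatever trampoline replaced it. The following C is an added illustration, not code from the patent; the prologue bytes, the entry address and the sample patches are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What the first bytes of a function entry look like. */
typedef enum {
    ENTRY_CLEAN = 0,         /* matches the known-good prologue */
    ENTRY_JMP_REL32,         /* E9 rel32: the classic 5-byte hot patch */
    ENTRY_JMP_REL8,          /* EB rel8: short jump into a nearby patch pad */
    ENTRY_JMP_INDIRECT,      /* FF 25 disp32: jmp [rip+disp32] (x64) / jmp [abs32] (x86) */
    ENTRY_MOV_RAX_JMP,       /* 48 B8 imm64 / FF E0: mov rax, imm64 ; jmp rax */
    ENTRY_MODIFIED_UNKNOWN   /* differs from the prologue but no recognised trampoline */
} entry_state;

typedef struct {
    entry_state state;
    uint64_t    target;      /* resolved jump destination, 0 when not applicable */
} entry_report;

#define ENTRY_CHECK_LEN 16   /* bytes compared; long enough for every form above */

/* Compare the `len` bytes currently at `entry_addr` (already copied into
 * `entry`) with `expected`, the prologue recorded from the on-disk image or at
 * program start before any other code ran, and classify any trampoline that
 * replaced it. */
entry_report inspect_entry(uint64_t entry_addr, const uint8_t *entry,
                           const uint8_t *expected, size_t len)
{
    entry_report r = { ENTRY_CLEAN, 0 };
    if (memcmp(entry, expected, len) == 0)
        return r;                                   /* untouched */

    if (len >= 5 && entry[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, entry + 1, sizeof rel);        /* little-endian rel32 */
        r.state  = ENTRY_JMP_REL32;
        r.target = entry_addr + 5 + (int64_t)rel;   /* relative to the next instruction */
    } else if (len >= 2 && entry[0] == 0xEB) {
        r.state  = ENTRY_JMP_REL8;
        r.target = entry_addr + 2 + (int8_t)entry[1];
    } else if (len >= 6 && entry[0] == 0xFF && entry[1] == 0x25) {
        r.state  = ENTRY_JMP_INDIRECT;              /* destination sits in a pointer slot */
    } else if (len >= 12 && entry[0] == 0x48 && entry[1] == 0xB8 &&
               entry[10] == 0xFF && entry[11] == 0xE0) {
        uint64_t imm;
        memcpy(&imm, entry + 2, sizeof imm);        /* absolute target in the immediate */
        r.state  = ENTRY_MOV_RAX_JMP;
        r.target = imm;
    } else {
        r.state = ENTRY_MODIFIED_UNKNOWN;           /* e.g. int3 or a custom stub */
    }
    return r;
}

/* Constructed samples (not taken from any real binary). The "clean" bytes are a
 * typical x64 prologue; the other two show that prologue after a hot patch
 * overwrote its first 5 or 12 bytes. */
#define SAMPLE_ENTRY_ADDR 0x7FF600001000ULL
static const uint8_t SAMPLE_CLEAN[ENTRY_CHECK_LEN] = {
    0x48,0x89,0x5C,0x24,0x08, 0x48,0x89,0x74,0x24,0x10, 0x57, 0x48,0x83,0xEC,0x20, 0x48 };
static const uint8_t SAMPLE_HOTPATCHED[ENTRY_CHECK_LEN] = {   /* jmp +0x0FFB */
    0xE9,0xFB,0x0F,0x00,0x00, 0x48,0x89,0x74,0x24,0x10, 0x57, 0x48,0x83,0xEC,0x20, 0x48 };
static const uint8_t SAMPLE_MOV_RAX[ENTRY_CHECK_LEN] = {      /* mov rax, imm64 ; jmp rax */
    0x48,0xB8, 0x78,0x56,0x34,0x12,0xF6,0x7F,0x00,0x00, 0xFF,0xE0, 0x48,0x83,0xEC,0x20 };

int main(void)
{
    const uint8_t *samples[] = { SAMPLE_CLEAN, SAMPLE_HOTPATCHED, SAMPLE_MOV_RAX };
    for (size_t i = 0; i < 3; i++) {
        entry_report r = inspect_entry(SAMPLE_ENTRY_ADDR, samples[i],
                                       SAMPLE_CLEAN, ENTRY_CHECK_LEN);
        printf("sample %zu: state=%d target=0x%llx\n", i, (int)r.state,
               (unsigned long long)r.target);
    }
    return 0;
}
```

Run periodically, or right before the driver interface is called, the check flags the redirected entry and reports where the trampoline leads, which is the address an incident responder would then examine.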

Claims (4)

1. A method for monitoring an encrypted disk from user mode, characterized in that: a software layer is embedded between the monitoring and auditing environment and the encrypted storage device; when monitoring or auditing is required, this software layer presents what appears to be a completely transparent plaintext storage device: by injecting into a user-mode process, it intercepts the encryption and decryption interaction data exchanged between user mode and kernel mode, and then decrypts the encrypted data to obtain plaintext by replaying the decryption flow, thereby achieving filtering and monitoring.
2. The method for monitoring an encrypted disk from user mode according to claim 1, characterized in that the described "injecting into a user-mode process, intercepting the encryption and decryption interaction data exchanged between user mode and kernel mode, and then decrypting the encrypted data to obtain plaintext by replaying the decryption flow, thereby achieving filtering and monitoring" specifically comprises the following steps:
1) implement a user-mode Message-based IPC module, which monitors the startup of all processes in the system and can identify, by matching specific characteristics, whether a newly started process is a target process that needs to be monitored;
2) implement a user-mode dynamic link library injection module, which can inject into a specified target process;
3) implement a process monitoring module in the form of a dynamic link library, which locates the user-mode/kernel-mode interaction interface within the process and, by means of a hot patch, redirects the data stream of that interface into the process monitoring module;
4) during storage encryption, when the user-mode process exchanges data with the kernel, record these interaction data streams and the file location information in the encryption interaction content interception module;
5) when a file that the monitoring or auditing process needs to access is located on an encrypted storage medium, the software retrieves the data stream used by the decryption flow from the encryption interaction content interception module, uses that data stream to interact with the target software's driver, replays the decryption flow, and thereby decrypts the stored data.
3. The method for monitoring an encrypted disk from user mode according to claim 1 or 2, characterized in that the described "method for monitoring an encrypted disk from user mode" comprises the following modules:
Message-based IPC module: monitors all process startups in the system and identifies, from a software signature, whether a started process is a storage encryption software process;
Dynamic link library injection module: injects the encryption interception module into the process to be monitored;
Encryption interaction content interception module: records decryption information;
Encryption device reload module: reloads the encrypted stored data and provides a plaintext access interface.
4. The method for monitoring an encrypted disk from user mode according to claim 3, characterized in that: the described "process injection" places a certain dynamic link library into the process's address space to run, and uses a hot patch to replace a certain interface function through which the original process communicates with the driver with a monitoring function of its own, so as to supervise the encryption session between the user-mode process and the driver;
The described "hot patch" is a method of modifying process code that, while the process is running and without restarting it, modifies the process code in memory so that the change takes effect immediately;
The described "encryption device reload" uses the information recorded by the encryption interaction content interception module to "replay" the decryption flow and obtain plaintext.

Publications (2)

Publication Number Publication Date
CN104572398A (en) 2015-04-29
CN104572398B (en) 2018-04-17
