CN104573505A - Single hard disk and double operating system partitioning method by filtration drive - Google Patents


Info

Publication number
CN104573505A
Authority
CN
China
Prior art keywords
subregion
request
partition
hard disk
workspace
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410850432.1A
Other languages
Chinese (zh)
Inventor
张建标
李振
阎林
公备
林莉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Technology
Original Assignee
Beijing University of Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for partitioning a single hard disk for two operating systems by means of a filter driver, and belongs to the technical field of security protection for office data on user terminal equipment. The method is characterized in that the hard disk in the user terminal equipment is divided in sequence into a work-area operating system partition, a free-area operating system partition, a work-area data partition and a free-area data partition; two different minifilter driver modules, each handling the various file systems, are installed in the work-area operating system partition and the free-area operating system partition; and the partition addresses to be filtered and the input/output (I/O) operations are registered with the corresponding file system filter manager FltMgr, which filters I/O requests directed outside the partition and blocks the corresponding I/O operations. Compared with hard disk partitioning using a hard disk partitioning card, the partitioning method provided by the invention has the advantage that the user terminal equipment does not need to be modified, so the method is easy to popularize.

Description

A method for isolating the partitions of two operating systems on a single hard disk using a filter driver
Technical field
The present invention relates to a method that uses a file system filter driver to isolate the partitions of two operating systems on a single hard disk. To keep the data of the two partitions independent, a filter driver isolates the partitions of the two operating systems at the file system layer.
Background technology
User terminal equipment is now widely used for web browsing and routine office work, and it generally runs a Windows operating system. These operating systems let users install and uninstall any software themselves, which poses a serious hidden danger to system security: the system is easily attacked by a virus or Trojan horse hidden in software the user installed. The office system belongs to the organization's business system, and the data it handles is the organization's sensitive data, so leaking that data is a security threat. How to let a user install software at will on the terminal device they use, while still guaranteeing their safety when using the office system, is a problem that urgently needs solving.
Chinese patent CN 2869997Y discloses a method that uses a hard disk isolation card to isolate the partitions of a single hard disk. The hard disk isolation card decodes hard disk instructions, determines what kind of operation the computer is about to perform on the hard disk, lets currently permitted instructions through and stops instructions that are not currently permitted. Although this method can solve the isolation problem between two operating systems, implementing it in hardware is extremely inconvenient: the terminal must be modified, the cost is very high, and the method is hard to popularize.
The present method only requires installing two Windows operating systems on the hard disk of an existing terminal device. One operating system is defined as the work area: the network resources and software resources in this system are controlled by a back-end whitelist mechanism, and all user files are encrypted before being placed on the hard disk. The other operating system is defined as the user area, in which the user is free to go online and use software. A filter driver is installed in each of the two systems, so that the work area cannot access the data of the free area, preventing virus files from getting in, and the free area likewise cannot access the data of the work area, preventing business data from being maliciously stolen.
Compared with the existing hardware isolation approach, this method greatly reduces the cost of isolation and the complexity of the technology. It is suitable for large-scale deployment in enterprises and institutions, is easy to use and maintain, and has good applications in the mobile office field.
Summary of the invention
The object of this invention is to provide a method that uses a filter driver to isolate the partitions of two operating systems on a single hard disk of a terminal device. The method is characterized in that it is a security protection method that guarantees that a user of user terminal equipment is protected against virus intrusion when using the office system, and that it contains the following steps in sequence:
Step (1): initialize a hard disk in the user terminal equipment according to the following steps:
Step (1.1): divide the hard disk into four consecutive partitions, denoted the first partition (C), the second partition (D), the third partition (E) as the work-area data partition, and the fourth partition (F) as the free-area data partition, where
the first partition (C) and the third partition (E) are defined as the work area, meaning the partitions that hold enterprise and personal sensitive data, and
the second partition (D) and the fourth partition (F) are the free area, for the user to use freely;
Step (1.2): install a work-area operating system in the first partition (C), which serves as the work area, and a free-area operating system in the second partition (D), which serves as the user area;
Step (1.3): load a work-area file system minifilter driver module in the first partition (C); this module registers the free-area I/O operations that need to be filtered, comprising IRP-based I/O requests, Fast I/O operations and file system filter callback operations, with the work-area file system filter manager FltMgr;
Step (1.4): load a free-area file system minifilter driver module in the second partition (D), which serves as the free area; this module registers the work-area I/O operations that need to be filtered, comprising IRP-based I/O requests, Fast I/O operations and file system filter callback operations, with the free-area file system filter manager FltMgr;
Step (2): perform the isolation operation of the work area according to the following steps:
Step (2.1): start reading I/O requests,
Step (2.2): start filtering the I/O request,
Step (2.3): judge whether the partition requested in the I/O request is the second partition (D) or the fourth partition (F):
if so, block the I/O request and the I/O operation, then perform step (2.4),
if not, let the I/O request and the I/O operation pass, then perform step (2.4),
Step (2.4): return to step (2.2);
Step (3): perform the isolation operation of the free area according to the following steps:
Step (3.1): start reading I/O requests,
Step (3.2): start filtering the I/O request,
Step (3.3): judge whether the partition requested in the I/O request is the first partition (C) or the third partition (E):
if so, block the I/O request and the I/O operation, then perform step (3.4),
if not, let the I/O request and the I/O operation pass, then perform step (3.4),
Step (3.4): return to step (3.2).
The present invention has the following advantages: no extra hardware device is needed, which greatly reduces cost; no technical support from a hardware vendor is needed during implementation, so it is simple and easy to use; and it is easy to maintain.
Brief description of the drawings
Fig. 1: hard disk partition structure diagram.
Fig. 2: work-area isolation flow chart.
Fig. 3: free-area isolation flow chart.
Fig. 4: flow block diagram of the present invention.
Embodiment
The fltMgr.sys of Windows provides an I/O filtering framework that allows a driver called a file system minifilter driver (MiniFilter) to be loaded into the system and to register with FltMgr the I/O operations it wants to filter. FltMgr is the file system filter manager; it provides a management framework that makes it convenient for developers to write file system filter drivers. The I/O operations that can be filtered comprise IRP-based I/O requests, Fast I/O operations and file system filter callback operations.
In the present invention, the partitions to be isolated are read when the minifilter driver loads. In the InstanceSetup callback routine the minifilter driver is attached to the partitions that need isolation, and a pre-operation callback routine is registered for the I/O requests of these partitions; in this routine all operations are blocked and returned. During I/O filtering, the InstanceSetup callback routine judges whether a partition is one that needs isolation and, if so, attaches the minifilter driver to it; every subsequent I/O request then enters the pre-operation callback routine that the minifilter registered for it, and every I/O request entering this routine is blocked. This achieves the goal that the two operating systems on a single hard disk cannot access each other's data.
To make the above purpose, features and advantages of the present invention clearer, the technical scheme in the embodiments of the present invention is described completely and in detail below with reference to the accompanying drawings. The embodiments described below are some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art obtains from these embodiments without creative effort fall within the protection scope of the present invention.
Step 1: divide the hard disk of a terminal into four consecutive partitions C, D, E and F, as shown in Figure 1. C and E are defined as the work area; the work area is the user's office area and holds the sensitive data of the enterprise and the individual. The work-area operating system is installed in partition C;
D and F are defined as the user area; the user area is the area the user uses freely, in which the user can access network resources and use software without restriction. The free-area operating system is installed in partition D.
Step 2: enter the work-area operating system and write the two free-area partitions D and F to the registry.
Step 3: install the file system filter driver in the work area. The filter driver reads the free-area partitions D and F that need isolation, and whenever an I/O request reads or writes partition D or F it is blocked; the detailed flow is shown in Figure 2.
Step 4: enter the free-area operating system and write the two work-area partitions C and E to the registry.
Step 5: install the file system filter driver in the free area. The filter driver reads the work-area partitions C and E that need isolation, and whenever an I/O request reads or writes partition C or E it is blocked; the detailed flow is shown in Figure 3.
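The attach-and-block design described in the Embodiment above (and in steps (2) and (3) of the Summary), as a user-mode C model of the two callbacks; this is an added example, not the patent's code and not a Windows driver. The `Filter` type, the function names and the constructed `"D:;F:"` registry-style string are assumptions; the FltMgr callback and status names appear only in comments.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ISOLATED 8

/* One loaded filter (the work-area driver or the free-area driver). */
typedef struct {
    const char *name;
    char isolated[MAX_ISOLATED][4];  /* drive letters to isolate, e.g. "D:" */
    int  n_isolated;
    bool attached[26];               /* one instance per attached drive */
} Filter;

/* Driver load: read the partitions to isolate. The patent keeps them in the
 * registry (steps 2 and 4); a constructed "D:;F:" string stands in here. */
void filter_load(Filter *f, const char *name, const char *registry_value) {
    char buf[64];
    memset(f, 0, sizeof *f);
    f->name = name;
    strncpy(buf, registry_value, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ";"); tok && f->n_isolated < MAX_ISOLATED;
         tok = strtok(NULL, ";")) {
        strncpy(f->isolated[f->n_isolated], tok, 3);
        f->isolated[f->n_isolated][3] = '\0';
        f->n_isolated++;
    }
}

/* Models the InstanceSetup callback: FltMgr offers each mounted volume and
 * the filter attaches only to partitions on its isolation list (the real
 * driver returns STATUS_SUCCESS to attach and STATUS_FLT_DO_NOT_ATTACH to
 * stay off the volume). Returns true when an instance was attached. */
bool filter_instance_setup(Filter *f, char drive) {
    if (drive < 'A' || drive > 'Z')
        return false;
    for (int i = 0; i < f->n_isolated; i++) {
        if (f->isolated[i][0] == drive) {
            f->attached[drive - 'A'] = true;
            return true;
        }
    }
    return false;
}

/* Models the pre-operation callback: FltMgr routes only requests for volumes
 * the filter attached to, and for those every operation kind is completed
 * with an error (FLT_PREOP_COMPLETE) before it reaches the file system.
 * Returns true when the request is blocked. */
bool filter_preop(const Filter *f, char drive, const char *op) {
    if (drive < 'A' || drive > 'Z' || !f->attached[drive - 'A'])
        return false;                /* no instance on this volume: passes */
    printf("[%s] %s on %c: blocked\n", f->name, op, drive);
    return true;
}

/* Work-area side (steps 1.3 and 2.x of the patent) on constructed requests. */
int main(void) {
    Filter work;
    filter_load(&work, "work-area filter", "D:;F:");
    for (char d = 'C'; d <= 'F'; d++)
        printf("%c: %s\n", d, filter_instance_setup(&work, d) ? "attached" : "skipped");
    const char *ops[] = { "IRP_MJ_CREATE", "IRP_MJ_READ", "IRP_MJ_WRITE" };
    for (char d = 'C'; d <= 'F'; d++)
        for (int j = 0; j < 3; j++)
            if (!filter_preop(&work, d, ops[j]))
                printf("[%s] %s on %c: passed\n", work.name, ops[j], d);
    return 0;
}
```

The model covers only requests that reach the file system layer, which is where a minifilter sits; the free-area side is the same code loaded with the work-area partitions as its isolation list.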

Claims (1)

1. A method for isolating the partitions of two operating systems on a single hard disk using a filter driver, characterized in that it is a security protection method that guarantees that a user of user terminal equipment is protected against virus intrusion when using the office system, and that it contains the following steps in sequence:
Step (1): initialize a hard disk in the user terminal equipment according to the following steps:
Step (1.1): divide the hard disk into four consecutive partitions, denoted the first partition (C), the second partition (D), the third partition (E) as the work-area data partition, and the fourth partition (F) as the free-area data partition, where
the first partition (C) and the third partition (E) are defined as the work area, meaning the partitions that hold enterprise and personal sensitive data, and
the second partition (D) and the fourth partition (F) are the free area, for the user to use freely;
Step (1.2): install a work-area operating system in the first partition (C), which serves as the work area, and a free-area operating system in the second partition (D), which serves as the user area;
Step (1.3): load a work-area file system minifilter driver module in the first partition (C); this module registers the free-area I/O operations that need to be filtered, comprising IRP-based I/O requests, Fast I/O operations and file system filter callback operations, with the work-area file system filter manager FltMgr;
Step (1.4): load a free-area file system minifilter driver module in the second partition (D), which serves as the free area; this module registers the work-area I/O operations that need to be filtered, comprising IRP-based I/O requests, Fast I/O operations and file system filter callback operations, with the free-area file system filter manager FltMgr;
Step (2): perform the isolation operation of the work area according to the following steps:
Step (2.1): start reading I/O requests,
Step (2.2): start filtering the I/O request,
Step (2.3): judge whether the partition requested in the I/O request is the second partition (D) or the fourth partition (F):
if so, block the I/O request and the I/O operation, then perform step (2.4),
if not, let the I/O request and the I/O operation pass, then perform step (2.4),
Step (2.4): return to step (2.2);
Step (3): perform the isolation operation of the free area according to the following steps:
Step (3.1): start reading I/O requests,
Step (3.2): start filtering the I/O request,
Step (3.3): judge whether the partition requested in the I/O request is the first partition (C) or the third partition (E):
if so, block the I/O request and the I/O operation, then perform step (3.4),
if not, let the I/O request and the I/O operation pass, then perform step (3.4),
Step (3.4): return to step (3.2).

Priority Applications (1)

CN201410850432.1A (CN104573505A), priority date 2014-12-30, filing date 2014-12-30: Single hard disk and double operating system partitioning method by filtration drive

Applications Claiming Priority (1)

CN201410850432.1A (CN104573505A), priority date 2014-12-30, filing date 2014-12-30: Single hard disk and double operating system partitioning method by filtration drive

Publications (1)

CN104573505A (en), published 2015-04-29

Family

ID=53089544

Family Applications (1)

CN201410850432.1A (CN104573505A, pending), priority date 2014-12-30, filing date 2014-12-30: Single hard disk and double operating system partitioning method by filtration drive

Country Status (1)

CN: CN104573505A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
CN106407821A *, priority date 2016-09-10, published 2017-02-15, 北京力鼎创软科技有限公司: Disk isolation method and system
CN109284161A *, priority date 2018-09-13, published 2019-01-29, 深圳市青葡萄科技有限公司: Software distribution method under desktop virtual environment

Citations (4)

* Cited by examiner, † Cited by third party
CN101645873A *, priority date 2008-08-07, published 2010-02-10, 联想(北京)有限公司: Method for realizing network isolation in environments of computer and virtual machine
CN101976180A *, priority date 2010-09-03, published 2011-02-16, 北京思创银联科技有限公司: Method for shielding local disk
CN103853664A *, priority date 2012-11-28, published 2014-06-11, 联想(北京)有限公司: Method and electronic device for achieving multiple operating systems
CN103870762A *, priority date 2012-12-18, published 2014-06-18, 联想(北京)有限公司: Partition accessing method and electronic equipment


Legal Events

Code: title (description)
C06: Publication
PB01: Publication
C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
RJ01: Rejection of invention patent application after publication (application publication date: 20150429)