CN111832054B - Transparent encryption and decryption method, system and storage medium based on multithreading environment - Google Patents

Publication number
CN111832054B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010684966.7A
Other languages
Chinese (zh)
Other versions
CN111832054A (en
Inventor
李刚
张嵩
李铭乐
武宗品
武耀威
魏康威
柯永裕
王旭东
刘小风
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhengzhou Xinda Jiean Information Technology Co Ltd
Original Assignee
Zhengzhou Xinda Jiean Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The invention provides a transparent encryption and decryption method based on a multithreading environment, computer equipment and a storage medium. The method comprises the following steps: acquiring a file descriptor FD and receiving an operation request of a first thread on a file; operating on the global VFDSet with an atomic operation function and looking up, by the file descriptor FD, the corresponding virtual file descriptor VFD in the global VFDSet; if the virtual file descriptor VFD is not found, judging the current state of the file descriptor FD: if the current state is marked as the closed state, the virtual file system directly returns error information and the process ends; if the current state is marked as the initialization state, an I/O function of the operating system is called to perform a plaintext operation directly on the file; and if the virtual file descriptor VFD is found, performing the transparent encryption and decryption operation on the file in the virtual file system layer based on the virtual file descriptor VFD. The method and the device can solve the problem of mutual exclusion among multiple threads and avoid file data errors.

Description

Transparent encryption and decryption method, system and storage medium based on multithreading environment
Technical Field
The invention relates to the technical field of data protection, in particular to a transparent encryption and decryption method, system and storage medium based on a multi-thread environment.
Background
A transparent encryption and decryption system in actual operation has to deal with multi-thread concurrency. When several threads operate on a file at the same time, access to and destruction of the thread-shared data of the virtual file layer must be mutually exclusive. The global VFDSet and the virtual file descriptor VFD are shared between threads at the virtual file layer; the virtual file descriptor VFD is consistent with the real file descriptor, and the global VFDSet is the collection that stores the virtual file descriptors VFD. Opening, closing, reading and writing a file all use the data of the global VFDSet and the virtual file descriptor VFD, so to avoid data errors a mutual exclusion lock has to be added to every access to them. In a multi-thread environment with frequent file operations at the application layer, the mutual exclusion lock reduces program running efficiency and with high probability causes the application-layer process to stop responding, block or show a black screen, which seriously affects the user experience.
Disclosure of Invention
In order to solve the above problems, it is necessary to provide a transparent encryption and decryption method, system and storage medium based on a multi-thread environment.
In a first aspect, the invention provides a transparent encryption and decryption method based on a multithreading environment, which comprises the following steps:
Step 1, obtaining a file descriptor FD and receiving an operation request of a first thread on a file;
Step 2, operating on the global VFDSet with an atomic operation function and looking up, by the file descriptor FD, the corresponding virtual file descriptor VFD in the global VFDSet; if the virtual file descriptor VFD is not found, entering step 3, and if it is found, entering step 4;
Step 3, judging the current state of the file descriptor FD; if the current state is marked as the closed state, which indicates that the second thread is closing the file, the virtual file system directly returns error information and the process ends; if the current state is marked as the initialization state, calling an I/O function of the operating system to perform a plaintext operation directly on the file, and ending the process;
Step 4, performing the transparent encryption and decryption operation on the file in the virtual file system layer based on the virtual file descriptor VFD, calling an I/O function of the operating system to operate on the file, and ending the process.
Further, the step 3 specifically includes:
the second thread marks the state of the file descriptor FD as a closed state in the file closing process; and after the second thread finishes closing the file, marking the state of the file descriptor FD as an initialization state.
Further, after the step 4, the method further includes: receiving a file closing request of a first thread, clearing records of a corresponding Virtual File Descriptor (VFD), and subtracting 1 from a reference count of a memory resource; and when the reference count of the memory resource becomes 0, automatically releasing the referenced memory resource.
Further, the virtual file system operates real files through virtual file descriptors VFD and virtual files VF;
each time a real file is opened, a file descriptor FD is allocated, a virtual file descriptor VFD is created based on the file descriptor FD, and the virtual file descriptor VFD object is destroyed when the file is closed;
the virtual file system stores the corresponding relation between the file descriptor FD and the virtual file descriptor VFD, between the virtual file VF and the real file path, and clears the corresponding relation record in the virtual file system after all operations on the real file are finished.
Further, the step 4 specifically includes:
the first thread realizes transparent encryption write operation on the file in a virtual file system layer based on a Virtual File Descriptor (VFD); or
The first thread realizes transparent decryption reading operation on the file at a virtual file system layer based on the virtual file descriptor VFD.
Further, the first thread implements a transparent encrypted write operation on the file in the virtual file system layer based on the virtual file descriptor VFD, and specifically includes:
Step 6-1, obtaining the virtual file VF object by looking it up through the virtual file descriptor VFD;
Step 6-2, calling the Vwrite function of the virtual file VF; if the Vwrite function cannot be called successfully, entering step 6-3, and if it can be called successfully, entering step 6-13;
Step 6-3, judging the state of the virtual file system VFS; if the state is encrypted file, entering step 6-4, and if the state is temporary file, entering step 6-8;
Step 6-4, adjusting the file offset to skip the encrypted file header and position directly at the file content part of the encrypted file;
Step 6-5, calling the Write function of the encrypted file to write the data into the file content part;
Step 6-6, calling the encryption and decryption interface of the file code to encrypt the written data through a security module, obtaining the data ciphertext;
Step 6-7, calling the Write function of the operating system to write the data ciphertext into the real file, and entering step 6-13;
Step 6-8, encrypting the data and writing it into the temporary file, and writing the data plaintext into the real file;
Step 6-9, judging whether the number of bytes written into the real file equals or exceeds the preset byte threshold; if so, entering step 6-10, and if not, entering step 6-13;
Step 6-10, judging whether the file type of the real file belongs to the encrypted file types; if so, entering step 6-11; otherwise, directly calling the Write function of the operating system to write the data plaintext into the real file, and entering step 6-13;
Step 6-11, replacing the content of the real file with the content of the temporary file, and deleting the temporary file;
Step 6-12, switching the state of the virtual file system VFS to encrypted file, and entering step 6-13;
Step 6-13, returning the Write result and ending the process.
Further, the first thread realizes a transparent decryption read operation on the file in a virtual file system layer based on the virtual file descriptor VFD, and specifically includes:
Step 7-1, obtaining the virtual file VF object by looking it up through the virtual file descriptor VFD;
Step 7-2, calling the Vread function of the virtual file VF; if the Vread function cannot be called successfully, entering step 7-3, and if it can be called successfully, entering step 7-10;
Step 7-3, adjusting the file offset to skip the encrypted file header and position directly at the file content part of the encrypted file;
Step 7-4, calling the Read function of the encrypted file to read the encrypted file;
Step 7-5, calling the Read function of the operating system to read the data ciphertext in the real file;
Step 7-6, calling the encryption and decryption interface of the file code to decrypt the data ciphertext through a security module, obtaining the data plaintext, and entering step 7-7;
Step 7-7, returning the Read result and ending the process.
The second aspect of the present invention further provides a computer device, including: a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the program:
Step 1, obtaining a file descriptor FD and receiving an operation request of a first thread on a file;
Step 2, operating on the global VFDSet with an atomic operation function and looking up, by the file descriptor FD, the corresponding virtual file descriptor VFD in the global VFDSet; if the virtual file descriptor VFD is not found, entering step 3, and if it is found, entering step 4;
Step 3, judging the current state of the file descriptor FD; if the current state is marked as the closed state, which indicates that the second thread is closing the file, the virtual file system directly returns error information and the process ends; if the current state is marked as the initialization state, calling an I/O function of the operating system to perform a plaintext operation directly on the file, and ending the process;
Step 4, performing the transparent encryption and decryption operation on the file in the virtual file system layer based on the virtual file descriptor VFD, calling an I/O function of the operating system to operate on the file, and ending the process.
Further, the virtual file system operates real files through virtual file descriptors VFD and virtual files VF;
each time a real file is opened, a file descriptor FD is allocated, a virtual file descriptor VFD is created based on the file descriptor FD, and the virtual file descriptor VFD object is destroyed when the file is closed;
the virtual file VF is used for storing a real file path; each virtual file VF object is referenced by a plurality of virtual file descriptor VFD objects; the virtual file VF holds an object for operating the encrypted file and the temporary file, and reads and writes the file through the encrypted file or the temporary file;
the virtual file system stores the corresponding relation between the file descriptor FD and the virtual file descriptor VFD, between the virtual file VF and the real file path, and clears the corresponding relation record in the virtual file system after all operations on the real file are finished.
The third aspect of the present invention also provides a computer-readable storage medium, in which computer-executable instructions are stored, and when the computer-executable instructions are executed by a processor, the transparent encryption and decryption method based on the multithreading environment is implemented.
The invention uses atomic operation functions to obtain and store the virtual file descriptor VFD and to set and obtain its state, which effectively avoids the mutual exclusion problem among multiple threads. It also uses the state mark of the file descriptor FD to judge whether another thread is closing the file and, if so, does not execute the read or write operation, which avoids file data errors. In addition, the invention uses reference counting to avoid the memory exceptions caused by releasing the virtual file descriptor VFD object too early.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
The above and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a basic block diagram of a transparent encryption and decryption system according to the present invention;
FIG. 2 is a flow chart illustrating transparent write encryption based on a multi-threaded environment of the present invention;
FIG. 3 is a flow chart illustrating transparent write encryption of a file by a first thread of the present invention;
FIG. 4 is a flow chart illustrating transparent read decryption of a file by the first thread of the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and therefore the scope of the present invention is not limited by the specific embodiments disclosed below.
Fig. 1 shows a basic framework diagram of a transparent encryption and decryption system according to the present invention.
As shown in fig. 1, the transparent encryption and decryption system includes a file system call interface interception layer, a virtual file system layer and a file system call layer.
The file system call interface interception layer uses hook technology to intercept specified I/O functions among the libc library functions of the system, so as to receive the file access requests of an application program and pass them into the virtual file system layer.
The virtual file system layer judges the file type and decides, based on the file type, whether to encrypt and decrypt the file data; if it decides that the file needs to be encrypted and decrypted, it calls the encryption and decryption interface to encrypt and decrypt the data.
The file system call layer receives the call of the virtual file system layer and enters the kernel, operates on the real file in kernel mode through the kernel virtual file system interface, and writes the encrypted data transmitted by the file system call layer into the file or reads the encrypted data from the file system call layer.
In practical application, the application layer operates on the mobile phone storage system through the open/read/write I/O functions of the system's libc library, calling the I/O functions of the Linux system through JNI to operate on files; a proxy layer, namely the virtual file system, is added to the Native layer and intercepts the open/read/write I/O functions of libc. Therefore, when the application layer performs file I/O, the request first passes through the virtual file system layer, which decides whether the file needs to be encrypted or decrypted, then calls the encryption and decryption interface to encrypt or decrypt the data, and finally calls the system I/O function to operate on the system file system.
According to an embodiment of the present invention, the file types include the following two types: encrypted files and ignored files.
The virtual file system determines whether encryption is required by judging the type of a file, and the type of the file is written at the beginning of the file.
When the file type is judged to be the encrypted file, the virtual file system calls an encryption and decryption interface to encrypt and decrypt the file when the application program operates the file. Specifically, the encrypted file types to be encrypted and decrypted at least include UTF-8 unicode (with bom) text, Microsoft Office file, Zip file, PDF file, JPEG picture data, and PNG picture data.
When the file type is judged to be the ignored file, the file does not need to be encrypted and decrypted, and the virtual file system does not perform any processing and is operated by the file system of the operating system.
However, when a new file is created its size is 0, so the file type of the real file cannot be determined at that time. In this case a temporary file is created in the virtual file system, the encryption and decryption interface is called to generate a key ciphertext, and the key ciphertext is written into the head of the temporary file; the data plaintext is written into the real file, and the data is also encrypted and written into the temporary file; after the number of bytes written into the real file is equal to the preset byte threshold, the file type of the real file is judged.
Taking a preset byte threshold of 100 bytes as an example: when the number of bytes written into the real file is greater than or equal to 100 bytes, whether the file type of the real file belongs to the encrypted file types is judged. If so, the content of the real file is replaced with the content of the temporary file, the temporary file is deleted, the state of the virtual file system VFS is switched to encrypted file, and the decision corresponding to an encrypted file continues to be executed. If not, the data is written directly into the real file, the temporary file is deleted, and the virtual file system judges the file to be an ignored file the next time a read or write request is made on it.
When data writing finishes with fewer than 100 bytes written, whether the file type of the real file belongs to the encrypted file types is judged when the file is closed. If so, the content of the real file is replaced with the content of the temporary file, the temporary file is deleted, and the virtual file system judges the file to be an encrypted file the next time a read or write request is made on it. If encryption is not needed, the temporary file is simply deleted, and the virtual file system judges the file to be an ignored file the next time a read or write request is made on it.
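The write-side staging just described, as an added C sketch that is not code from the patent: a new file starts in the temporary state, plaintext goes to the real file while an encrypted copy accumulates in the temporary file, and the type decision is taken at the 100-byte threshold or at close. The in-memory buffers, the KHDR header, the XOR stand-in for the security module and the magic-number table are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

#define THRESHOLD 100      /* preset byte threshold used in the text */
#define CAP       1024     /* capacity of the in-memory "files" (demo only) */
#define HDR       "KHDR"   /* constructed stand-in for the key-ciphertext header */
#define HDR_LEN   4

enum vstate { ST_TEMP, ST_ENCRYPTED, ST_IGNORED };

struct vfile {
    enum vstate state;
    unsigned char real[CAP]; size_t real_len;   /* the real file */
    unsigned char temp[CAP]; size_t temp_len;   /* the temporary file */
};

/* Placeholder for the security module: XOR is NOT encryption, it only
 * makes transformed bytes distinguishable from plaintext in the demo. */
static void toy_encrypt(unsigned char *dst, const unsigned char *src, size_t n)
{
    for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ 0x5A;
}

/* Leading magic numbers of the encrypted file types listed in the text. */
static int is_encrypted_type(const unsigned char *b, size_t n)
{
    static const struct { const char *magic; size_t len; } sig[] = {
        { "\xEF\xBB\xBF", 3 },                      /* UTF-8 text with BOM */
        { "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 8 },  /* legacy Microsoft Office (OLE2) */
        { "PK\x03\x04", 4 },                        /* Zip, also OOXML Office files */
        { "%PDF", 4 },                              /* PDF */
        { "\xFF\xD8\xFF", 3 },                      /* JPEG */
        { "\x89PNG\r\n\x1A\n", 8 },                 /* PNG */
    };
    for (size_t i = 0; i < sizeof sig / sizeof sig[0]; i++)
        if (n >= sig[i].len && memcmp(b, sig[i].magic, sig[i].len) == 0)
            return 1;
    return 0;
}

/* Creating a new file: size 0, type unknown, so start in the temporary state. */
void vopen_new(struct vfile *f)
{
    memset(f, 0, sizeof *f);
    f->state = ST_TEMP;
    memcpy(f->temp, HDR, HDR_LEN);    /* key ciphertext at the head of the temp file */
    f->temp_len = HDR_LEN;
}

/* Type decision, taken at the threshold or at close. */
static void decide(struct vfile *f)
{
    if (is_encrypted_type(f->real, f->real_len)) {
        memcpy(f->real, f->temp, f->temp_len);   /* temp content replaces the real file */
        f->real_len = f->temp_len;
        f->state = ST_ENCRYPTED;
    } else {
        f->state = ST_IGNORED;
    }
    f->temp_len = 0;                             /* delete the temporary file */
}

int vwrite(struct vfile *f, const void *data, size_t n)
{
    const unsigned char *p = data;
    if (f->real_len + n > CAP - HDR_LEN) return -1;
    if (f->state == ST_ENCRYPTED) {
        toy_encrypt(f->real + f->real_len, p, n);      /* ciphertext only */
    } else {
        memcpy(f->real + f->real_len, p, n);           /* plaintext to the real file */
        if (f->state == ST_TEMP) {                     /* encrypted copy to the temp file */
            toy_encrypt(f->temp + f->temp_len, p, n);
            f->temp_len += n;
        }
    }
    f->real_len += n;
    if (f->state == ST_TEMP && f->real_len >= THRESHOLD) decide(f);
    return (int)n;
}

/* Fewer than THRESHOLD bytes were written: decide when the file is closed. */
void vclose(struct vfile *f)
{
    if (f->state == ST_TEMP) decide(f);
}

int main(void)
{
    struct vfile f;
    vopen_new(&f);
    vwrite(&f, "\x89PNG\r\n\x1A\n", 8);   /* constructed 8-byte PNG signature */
    vclose(&f);
    return f.state == ST_ENCRYPTED ? 0 : 1;
}
```

Until the decision is taken the real file holds the written bytes in plaintext, so a file shorter than the threshold stays unencrypted on storage until it is closed.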
According to an embodiment of the invention, the virtual file system operates real files through virtual file descriptors VFD and virtual files VF;
the virtual file descriptor VFD corresponds to the real file descriptor FD one by one, the virtual file system stores the corresponding relation between the file descriptor FD and the virtual file descriptor VFD, a virtual file descriptor VFD is created every time a file is opened, and a virtual file descriptor VFD object is destroyed when the file is closed;
the virtual file VF corresponds to a real file, and since the same file may be opened many times, the operating system may allocate a plurality of different file descriptors FD, and one virtual file VF object may be referred to by a plurality of virtual file descriptors VFD objects; storing a real file path in a virtual file VF object; the virtual file VF holds an object for operating the encrypted file and the temporary file, and the virtual file VF reads and writes the file through the encrypted file or the temporary file; the virtual file system stores the corresponding relationship between the virtual file VF and the real file path, and clears the corresponding relationship record after all file operations are finished.
It should be noted that, the virtual file system of the present invention operates the real file through the virtual file descriptor VFD and the virtual file VF, and does not directly operate the real file descriptor FD. The virtual file descriptor VFD stores the reference of the object of the virtual file VF, and operates the real file through the read-write function of the virtual file VF.
In a specific application, in the single-thread case a virtual file descriptor VFD object is created when a file is opened, and the file descriptor FD and the virtual file descriptor VFD are stored as a key-value pair in the global VFDSet. When the file is read or written, the virtual file descriptor VFD is found in the global VFDSet through the file descriptor FD and is then used for the read or write. When the file is closed, the virtual file descriptor VFD is cleared from the global VFDSet, the virtual file descriptor VFD object is destroyed, and finally the close function of the operating system is called to close the file.
With multiple threads, however, two cases can go wrong. In the first case, thread A is closing the file but has not yet cleared the record of the virtual file descriptor VFD from the global VFDSet; thread B reads or writes the file and obtains the virtual file descriptor VFD through the file descriptor FD; if thread A releases the virtual file descriptor VFD object while thread B is operating on it, thread B suffers a memory exception. In the second case, thread A is closing the file and has cleared the record of the virtual file descriptor VFD from the global VFDSet, but has not yet released the virtual file descriptor VFD object; thread B reads or writes the file, cannot find the virtual file descriptor VFD through the file descriptor FD, and therefore calls the native system interface to read or write the file data normally, which may damage the file data by writing plaintext into an encrypted file, or return undecrypted data to the application layer. Therefore, to solve the above problems, it is necessary to lock the VFDSet and the VFD so that multiple threads access them mutually exclusively.
Based on this, the first aspect of the present invention provides a transparent encryption and decryption method based on a multi-thread environment, the method comprising the following steps:
Step 1, obtaining a file descriptor FD and receiving an operation request of a first thread on a file;
Step 2, operating on the global VFDSet with an atomic operation function and looking up, by the file descriptor FD, the corresponding virtual file descriptor VFD in the global VFDSet; if the virtual file descriptor VFD is not found, entering step 3, and if it is found, entering step 4;
Step 3, judging the current state of the file descriptor FD; if the current state is marked as the closed state, which indicates that the second thread is closing the file, the virtual file system directly returns error information and the process ends; if the current state is marked as the initialization state, calling an I/O function of the operating system to perform a plaintext operation directly on the file, and ending the process;
Step 4, performing the transparent encryption and decryption operation on the file in the virtual file system layer based on the virtual file descriptor VFD, calling an I/O function of the operating system to operate on the file, and ending the process.
It should be noted that the atomic operation functions are __sync_fetch_and_or() / __sync_fetch_and_and(), so that the processes of obtaining and storing the virtual file descriptor VFD and of setting and obtaining the state of the virtual file descriptor VFD are atomic operations, and there is no mutual exclusion problem between threads.
Further, the step 3 specifically includes:
the second thread marks the state of the file descriptor FD as a closed state in the file closing process; and after the second thread finishes closing the file, marking the state of the file descriptor FD as an initialization state.
Further, after the step 4, the method further includes:
receiving a file closing request of a first thread, clearing records of a corresponding Virtual File Descriptor (VFD), and subtracting 1 from a reference count of a memory resource; and when the reference count of the memory resource becomes 0, automatically releasing the referenced memory resource.
It should be noted that the reference count records that the current memory resource is referenced by the virtual file descriptors VFD of n threads: when a thread's virtual file descriptor VFD is added, the reference count is increased by 1, and when a thread's virtual file descriptor VFD becomes invalid, the reference count is decreased by 1.
It should be noted that when several threads operate on a file through their respective virtual file descriptors VFD and one thread needs to close the file, the record of its virtual file descriptor VFD is cleared; because the other threads still need to operate on the file, that is, the virtual file descriptors VFD of other threads referencing the same memory resource (the VFD object) still exist, the system does not release the memory resource, which effectively avoids the memory exception caused by releasing the VFD object too early. When the reference count becomes 0, all threads have closed the file and the system automatically releases the corresponding memory resource.
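An added C sketch of steps 1 to 4 together with the closed-state mark and the deferred release (not the patent's code): each FD slot carries a state word that is updated only with __sync builtins, a request is routed to the encrypted path, the plaintext path or an error, and the VFD object is freed by whichever thread finishes last. Packing the in-flight count into the state word, the FD_FINAL bit and all function names are assumptions of this example; the patent describes a reference count on the VFD object without giving its layout.

```c
#include <stdint.h>
#include <stdlib.h>

#define MAX_FD     64
#define FD_CLOSING 0x80000000u  /* "closed state": a thread is closing this FD */
#define FD_FINAL   0x40000000u  /* assumption: one thread has claimed the teardown */
/* The low 30 bits count the operations currently using the VFD (assumption). */

enum route { ROUTE_ENCRYPTED, ROUTE_PLAINTEXT, ROUTE_ERROR };

struct vfd  { int fd; };                  /* stand-in for the real VFD object */
struct slot { volatile uint32_t state; struct vfd *volatile vfd; };

static struct slot vfdset[MAX_FD];        /* global VFDSet, indexed by FD */
static volatile int live_vfds;            /* demo bookkeeping: VFD objects not yet freed */

static struct slot *slot_of(int fd)
{
    return (fd >= 0 && fd < MAX_FD) ? &vfdset[fd] : NULL;
}

/* Tear the slot down only when it is closing AND nobody is using the VFD.
 * The compare-and-swap on the whole state word lets exactly one thread win. */
static void try_finalize(struct slot *s)
{
    if (!__sync_bool_compare_and_swap(&s->state, FD_CLOSING, FD_CLOSING | FD_FINAL))
        return;
    struct vfd *v = s->vfd;
    s->vfd = NULL;
    if (v) { free(v); __sync_fetch_and_sub(&live_vfds, 1); }
    /* The operating system's close(fd) would be called here. */
    __sync_fetch_and_and(&s->state, ~(FD_CLOSING | FD_FINAL)); /* initialization state */
}

/* open(): register a VFD for a file that needs transparent encryption. */
int vfs_open(int fd)
{
    struct slot *s = slot_of(fd);
    struct vfd *v;
    if (!s || !(v = malloc(sizeof *v))) return -1;
    v->fd = fd;
    if (!__sync_bool_compare_and_swap(&s->vfd, (struct vfd *)NULL, v)) {
        free(v);                          /* slot already holds a VFD */
        return -1;
    }
    __sync_fetch_and_add(&live_vfds, 1);
    return 0;
}

/* End of a read/write that took the encrypted route. */
void vfs_end(int fd)
{
    struct slot *s = slot_of(fd);
    if (!s) return;
    __sync_fetch_and_sub(&s->state, 1);
    try_finalize(s);                      /* last one out completes a pending close */
}

/* Steps 1-4: decide how a read/write on fd must be handled. */
enum route vfs_begin(int fd, struct vfd **out)
{
    struct slot *s = slot_of(fd);
    if (!s) return ROUTE_PLAINTEXT;
    uint32_t old = __sync_fetch_and_add(&s->state, 1);   /* count ourselves in first */
    if (old & FD_CLOSING) { vfs_end(fd); return ROUTE_ERROR; }
    if ((*out = s->vfd) == NULL) { vfs_end(fd); return ROUTE_PLAINTEXT; }
    return ROUTE_ENCRYPTED;               /* caller must call vfs_end(fd) when done */
}

/* close(): mark the closed state; free now, or leave it to the last user. */
void vfs_close(int fd)
{
    struct slot *s = slot_of(fd);
    if (!s) return;
    __sync_fetch_and_or(&s->state, FD_CLOSING);
    try_finalize(s);
}

int main(void)
{
    struct vfd *v = NULL;
    vfs_open(3);
    vfs_begin(3, &v);                                  /* thread B starts an encrypted operation */
    vfs_close(3);                                      /* thread A closes: teardown is deferred */
    int refused = vfs_begin(3, &v) == ROUTE_ERROR;     /* thread C is turned away */
    vfs_end(3);                                        /* B finishes and performs the teardown */
    return (refused && live_vfds == 0) ? 0 : 1;
}
```

The interleaving in main() is replayed sequentially on one thread; the same calls are safe from concurrent threads because every transition of the state word is a single atomic read-modify-write.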
Further, the step 4 specifically includes:
the first thread realizes transparent encryption write operation on the file in a virtual file system layer based on a Virtual File Descriptor (VFD); or
The first thread realizes transparent decryption reading operation on the file at a virtual file system layer based on the virtual file descriptor VFD.
As shown in fig. 3, the first thread implements transparent encrypted write operation on a file in a virtual file system layer based on a virtual file descriptor VFD, and specifically includes:
Step 6-1, obtaining the virtual file VF object by looking it up through the virtual file descriptor VFD;
Step 6-2, calling the Vwrite function of the virtual file VF; if the Vwrite function cannot be called successfully, entering step 6-3, and if it can be called successfully, entering step 6-13;
Step 6-3, judging the state of the virtual file system VFS; if the state is encrypted file, entering step 6-4, and if the state is temporary file, entering step 6-8;
Step 6-4, adjusting the file offset to skip the encrypted file header and position directly at the file content part of the encrypted file;
Step 6-5, calling the Write function of the encrypted file to write the data into the file content part;
Step 6-6, calling the encryption and decryption interface of the file code to encrypt the written data through a security module, obtaining the data ciphertext;
Step 6-7, calling the Write function of the operating system to write the data ciphertext into the real file, and entering step 6-13;
Step 6-8, encrypting the data and writing it into the temporary file, and writing the data plaintext into the real file;
Step 6-9, judging whether the number of bytes written into the real file equals or exceeds the preset byte threshold; if so, entering step 6-10, and if not, entering step 6-13;
Step 6-10, judging whether the file type of the real file belongs to the encrypted file types; if so, entering step 6-11; otherwise, directly calling the Write function of the operating system to write the data plaintext into the real file, and entering step 6-13;
Step 6-11, replacing the content of the real file with the content of the temporary file, and deleting the temporary file;
Step 6-12, switching the state of the virtual file system VFS to encrypted file, and entering step 6-13;
Step 6-13, returning the Write result and ending the process.
As shown in Fig. 4, the first thread implements the transparent decryption read operation on the file in the virtual file system layer based on the virtual file descriptor VFD, which specifically includes:
step 7-1, obtaining a virtual file VF object by searching through the virtual file descriptor VFD;
step 7-2, calling the Vread function of the virtual file VF; if the Vread function cannot be called successfully, entering step 7-3, and if it can be called successfully, entering step 7-10;
step 7-3, adjusting the file offset, skipping over the encrypted file header, and positioning directly at the file content part of the encrypted file;
step 7-4, calling the Read function of the encrypted file to read the encrypted file;
step 7-5, calling the Read function of the operating system to read the data ciphertext in the real file;
step 7-6, calling the encryption and decryption interface of the file code to decrypt the data ciphertext through a security module to obtain the data plaintext, and entering step 7-7;
step 7-7, returning the Read result and ending the process.
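The read path of steps 7-3 to 7-7, as an added example that is not code from the patent. Assumptions: the 16-byte header length, the function names, and the XOR routine standing in for the security module (not a real cipher) are all hypothetical; the example uses `pread` so that the offset adjustment of step 7-3 travels with the call instead of changing the descriptor's shared file position.

```cpp
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <unistd.h>

constexpr off_t kHeaderLen = 16;   // assumed length of the encrypted file header

// Stand-in for the security module interface (assumption): XOR with a byte
// derived from the logical position. Not a real cipher; encrypt == decrypt.
void security_module_crypt(uint8_t* buf, size_t len, off_t logical_off) {
    for (size_t i = 0; i < len; ++i) {
        uint64_t pos = static_cast<uint64_t>(logical_off) + i;
        buf[i] ^= static_cast<uint8_t>(0xA5u + pos * 31u);
    }
}

// Steps 7-3 to 7-7: return up to `len` plaintext bytes from caller-visible
// offset `off`. The caller never sees the header or the physical offset.
ssize_t vread(int real_fd, void* out, size_t len, off_t off) {
    if (off < 0) { errno = EINVAL; return -1; }
    uint8_t* p = static_cast<uint8_t*>(out);
    size_t done = 0;
    while (done < len) {
        // 7-3 to 7-5: skip the header, read ciphertext from the real file.
        ssize_t n = pread(real_fd, p + done, len - done,
                          kHeaderLen + off + static_cast<off_t>(done));
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) break;                 // end of file: short read
        done += static_cast<size_t>(n);
    }
    security_module_crypt(p, done, off);   // 7-6: ciphertext -> plaintext
    return static_cast<ssize_t>(done);     // 7-7: bytes delivered to the caller
}

// Builds a constructed encrypted file (header + ciphertext), returns its fd.
int make_sample_file(const std::string& plaintext) {
    char path[] = "/tmp/vread_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                          // file disappears when fd is closed
    std::string file(static_cast<size_t>(kHeaderLen), 'H');
    file += plaintext;
    security_module_crypt(reinterpret_cast<uint8_t*>(&file[kHeaderLen]),
                          plaintext.size(), 0);
    ssize_t w = write(fd, file.data(), file.size());
    if (w != static_cast<ssize_t>(file.size())) { close(fd); return -1; }
    return fd;
}

// Convenience wrapper: the plaintext at [off, off+len) as a string.
std::string read_plain(int fd, size_t len, off_t off) {
    std::string buf(len, '\0');
    ssize_t n = vread(fd, &buf[0], len, off);
    buf.resize(n < 0 ? 0 : static_cast<size_t>(n));
    return buf;
}

int main() {
    int fd = make_sample_file("transparent encryption");  // constructed sample
    if (fd < 0) return 1;
    std::printf("%s\n", read_plain(fd, 7, 12).c_str());
    close(fd);
}
```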
The second aspect of the present invention further provides a computer device, including: a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the following steps when executing the program:
step 1, obtaining a file descriptor FD, and receiving an operation request of a first thread on a file;
step 2, operating the global VFDSet by means of an atomic operation function, and searching the global VFDSet for the virtual file descriptor VFD corresponding to the file descriptor FD; if the virtual file descriptor VFD is not found, entering step 3, and if it is found, entering step 4;
step 3, judging the current state of the file descriptor FD; if the current state is marked as a closed state, indicating that the second thread is closing the file, the virtual file system directly returns error information and the process ends; if the current state is marked as an initialization state, calling an I/O function of the operating system to directly perform a plaintext operation on the file, and ending the process;
step 4, implementing the transparent encryption and decryption operation on the file in the virtual file system layer based on the virtual file descriptor VFD, calling an I/O function of the operating system to operate on the file, and ending the process.
Further, the virtual file system operates real files through virtual file descriptors VFD and virtual files VF;
the virtual file descriptors VFD correspond one-to-one to the real file descriptors FD, and the virtual file system stores the correspondence between the file descriptor FD and the virtual file descriptor VFD; a virtual file descriptor VFD is created every time a file is opened, and the virtual file descriptor VFD object is destroyed when the file is closed;
the virtual file VF corresponds to a real file, and since the same file may be opened many times, the operating system may allocate a plurality of different file descriptors FD, and one virtual file VF object may be referred to by a plurality of virtual file descriptors VFD objects; storing a real file path in a virtual file VF object; the virtual file VF holds an object for operating the encrypted file and the temporary file, and the virtual file VF reads and writes the file through the encrypted file or the temporary file; the virtual file system stores the corresponding relationship between the virtual file VF and the real file path, and clears the corresponding relationship record after all file operations are finished.
The third aspect of the present invention further provides a computer-readable storage medium having computer-executable instructions stored therein, wherein: the computer executable instructions, when executed by the processor, implement the transparent encryption and decryption method based on the multithreading environment.
The encryption and decryption process of the invention is relatively transparent: a file generated by an application is encrypted when it is saved to disk and decrypted when it is opened, and the end user does not notice the encryption and decryption process during normal work. The transparent encryption and decryption scheme works by adding a proxy layer on top of the system I/O call layer to proxy all operations on files. The proxy layer needs to maintain the encryption and decryption state of each file. Because one physical file may be opened many times, in which case the operating system allocates several different file descriptors FD, the proxy layer also needs to maintain the mapping between the physical file and its file descriptors FD, and to handle access to global data under multithreading.
The invention performs the acquisition and storage of the VFD, and the setting and reading of its state, through atomic operation functions, thereby effectively avoiding mutual-exclusion problems among multiple threads. It also judges, based on the state mark of the file descriptor FD, whether another thread is closing the file, and does not perform the read or write operation when that is the case, thereby avoiding file data errors. In addition, the invention uses reference counting to avoid memory errors caused by premature release of the virtual file descriptor VFD object.
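The dispatch of steps 1 to 4 together with the close-state mark and reference counting described above, as an added example that is not code from the patent. Assumptions: the patent does not name its atomic operation functions, so this sketch uses the C++ standard library's atomic `std::shared_ptr` access functions; the table size and all identifiers are hypothetical.

```cpp
#include <array>
#include <atomic>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

constexpr int kMaxFd = 64;                 // assumed table size
enum FdState { kInit, kClosing };          // the two FD state marks of step 3
enum class Route { Encrypted, Plaintext, Error };

std::atomic<int> g_vf_freed{0};            // demo counter: VF objects released

struct VF {                                // one per real file path
    std::string path;
    explicit VF(std::string p) : path(std::move(p)) {}
    ~VF() { ++g_vf_freed; }
};
struct VFD {                               // one per open file descriptor
    std::shared_ptr<VF> vf;                // several VFDs may share one VF
};

std::array<std::shared_ptr<VFD>, kMaxFd> g_vfdset;  // global VFDSet, indexed by FD
std::array<std::atomic<int>, kMaxFd> g_state;       // FD state marks (zero = kInit)

bool managed_range(int fd) { return fd >= 0 && fd < kMaxFd; }

// open(): create the VFD for a newly allocated FD and publish it atomically.
bool vfs_open(int fd, std::shared_ptr<VF> vf) {
    if (!managed_range(fd)) return false;
    g_state[fd].store(kInit);
    std::atomic_store(&g_vfdset[fd], std::make_shared<VFD>(VFD{std::move(vf)}));
    return true;
}

// Steps 2 and 3. On Route::Encrypted, *held owns a reference, so the VFD and
// its VF stay alive for the whole operation even if another thread closes fd.
Route vfs_route(int fd, std::shared_ptr<VFD>* held) {
    held->reset();
    if (!managed_range(fd)) return Route::Plaintext;   // not tracked: OS decides
    *held = std::atomic_load(&g_vfdset[fd]);           // lookup + count increment
    if (*held) return Route::Encrypted;                // step 4
    return g_state[fd].load() == kClosing ? Route::Error       // close in progress
                                          : Route::Plaintext;  // initialization state
}

// close(), first half: mark the FD, then clear the VFDSet record. The record's
// reference is dropped here; the object is freed when the last holder lets go.
void vfs_close_begin(int fd) {
    g_state[fd].store(kClosing);
    std::atomic_exchange(&g_vfdset[fd], std::shared_ptr<VFD>{});
}
// close(), second half: call after the operating system's close() has returned.
void vfs_close_end(int fd) { g_state[fd].store(kInit); }

int main() {
    vfs_open(3, std::make_shared<VF>("/constructed/report.doc"));
    std::shared_ptr<VFD> reader, late;
    Route r1 = vfs_route(3, &reader);      // first thread starts a read
    vfs_close_begin(3);                    // second thread starts closing
    Route r2 = vfs_route(3, &late);        // new request during the close
    vfs_close_end(3);
    std::printf("in-flight=%d during-close=%d freed-before-release=%d\n",
                (int)r1, (int)r2, g_vf_freed.load());
    reader.reset();                        // in-flight read finishes
    std::printf("freed-after-release=%d\n", g_vf_freed.load());
}
```

The free-function `std::atomic_load`/`std::atomic_store` overloads for `std::shared_ptr` are deprecated since C++20 in favour of `std::atomic<std::shared_ptr<T>>`; the logic is the same with either.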
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (8)

1. A transparent encryption and decryption method based on a multithreading environment is characterized by comprising the following steps:
step 1, obtaining a file descriptor FD, and receiving an operation request of a first thread on a file;
step 2, operating the global VFDSet by means of an atomic operation function, and searching the global VFDSet for the virtual file descriptor VFD corresponding to the file descriptor FD; if the virtual file descriptor VFD is not found, entering step 3, and if it is found, entering step 4, wherein the global VFDSet is a set for storing the virtual file descriptors VFD;
step 3, judging the current state of the file descriptor FD; if the current state is marked as a closed state, indicating that the second thread is closing the file, the virtual file system directly returns error information and the process ends; if the current state is marked as an initialization state, calling an I/O function of the operating system to directly perform a plaintext operation on the file, and ending the process;
step 4, realizing transparent encryption and decryption operation on the file in a virtual file system layer based on the virtual file descriptor VFD, calling an I/O function of an operating system to operate the file, and ending the process;
the virtual file system operates real files through virtual file descriptors VFD and virtual files VF;
each time a real file is opened, a file descriptor FD is distributed, a virtual file descriptor VFD is created based on the file descriptor FD, and a virtual file descriptor VFD object is destroyed when the file is closed;
the virtual file system stores the corresponding relation between the file descriptor FD and the virtual file descriptor VFD, between the virtual file VF and the real file path, and clears the corresponding relation record in the virtual file system after all operations on the real file are finished.
2. The transparent encryption and decryption method based on the multi-thread environment according to claim 1, wherein the step 3 further comprises:
the second thread marks the state of the file descriptor FD as a closed state in the file closing process; and after the second thread finishes closing the file, marking the state of the file descriptor FD as an initialization state.
3. The transparent encryption and decryption method based on multithreading environment according to claim 1, wherein after the step 4, the method further comprises:
receiving a file closing request of a first thread, clearing records of a corresponding Virtual File Descriptor (VFD), and subtracting 1 from a reference count of a memory resource; and when the reference count of the memory resource becomes 0, automatically releasing the referenced memory resource.
4. The transparent encryption and decryption method based on the multi-thread environment as claimed in claim 1, wherein the step 4 specifically comprises:
the first thread realizes transparent encryption write operation on the file in a virtual file system layer based on a Virtual File Descriptor (VFD); or
the first thread realizes transparent decryption reading operation on the file at a virtual file system layer based on the virtual file descriptor VFD.
5. The transparent encryption and decryption method based on the multithreading environment according to claim 4, wherein the first thread implements transparent encrypted write operation on the file at the virtual file system layer based on the virtual file descriptor VFD, and specifically includes:
step 6-1, a virtual file VF object is obtained through the searching of a virtual file descriptor VFD;
step 6-2, calling a Vwrite function of the virtual file VF, if the Vwrite function cannot be successfully called, entering step 6-3, and if the Vwrite function can be successfully called, entering step 6-13;
step 6-3, judging the state of the virtual file system VFS, if the state is an encrypted file, entering step 6-4, and if the state is a temporary file, entering step 6-8;
step 6-4, adjusting the file offset, skipping over the encrypted file header, and positioning directly at the file content part of the encrypted file;
step 6-5, calling the Write function of the encrypted file to write data into the content part of the file;
step 6-6, calling the encryption and decryption interface of the file code to encrypt the written data through a security module to obtain a data ciphertext;
step 6-7, calling the Write function of the operating system to write the data ciphertext into the real file, and entering step 6-13;
step 6-8, encrypting and writing the data into a temporary file, and writing the data plaintext into the real file;
step 6-9, judging whether the number of bytes written into the real file is equal to or exceeds a preset byte threshold; if so, entering step 6-10, and if not, entering step 6-13;
step 6-10, judging whether the file type of the real file belongs to the encrypted file type; if so, entering step 6-11; otherwise, directly calling the Write function of the operating system to write the data plaintext into the real file, and entering step 6-13;
step 6-11, replacing the content of the real file with the content in the temporary file, and deleting the temporary file;
step 6-12, switching the state of the virtual file system VFS to encrypted file, and entering step 6-13;
step 6-13, returning the Write result and ending the process.
6. The transparent encryption and decryption method based on the multi-thread environment as claimed in claim 4, wherein the first thread implements transparent decryption read operation for the file at the virtual file system layer based on the virtual file descriptor VFD, and specifically includes:
step 7-1, a virtual file VF object is obtained through the search of a virtual file descriptor VFD;
step 7-2, calling a Vread function of the virtual file VF, if the Vread function cannot be successfully called, entering step 7-3, and if the Vread function can be successfully called, entering step 7-10;
step 7-3, adjusting the file offset, skipping over the encrypted file header, and positioning directly at the file content part of the encrypted file;
step 7-4, calling the Read function of the encrypted file to read the encrypted file;
step 7-5, calling the Read function of the operating system to read the data ciphertext in the real file;
step 7-6, calling the encryption and decryption interface of the file code to decrypt the data ciphertext through a security module to obtain the data plaintext, and entering step 7-7;
step 7-7, returning the Read result and ending the process.
7. A transparent encryption and decryption system based on a multi-threaded environment, comprising: a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the following steps when executing the program:
step 1, obtaining a file descriptor FD, and receiving an operation request of a first thread on a file;
step 2, operating the global VFDSet by means of an atomic operation function, and searching the global VFDSet for the virtual file descriptor VFD corresponding to the file descriptor FD; if the virtual file descriptor VFD is not found, entering step 3, and if it is found, entering step 4, wherein the global VFDSet is a set for storing the virtual file descriptors VFD;
step 3, judging the current state of the file descriptor FD; if the current state is marked as a closed state, indicating that the second thread is closing the file, the virtual file system directly returns error information and the process ends; if the current state is marked as an initialization state, calling an I/O function of the operating system to directly perform a plaintext operation on the file, and ending the process;
step 4, realizing transparent encryption and decryption operation on the file in a virtual file system layer based on the virtual file descriptor VFD, calling an I/O function of an operating system to operate the file, and ending the process;
the virtual file system operates real files through virtual file descriptors VFD and virtual files VF;
each time a real file is opened, a file descriptor FD is distributed, a virtual file descriptor VFD is created based on the file descriptor FD, and a virtual file descriptor VFD object is destroyed when the file is closed;
the virtual file VF is used for storing a real file path; each virtual file VF object is referenced by a plurality of virtual file descriptor VFD objects; the virtual file VF holds an object for operating the encrypted file and the temporary file, and reads and writes the file through the encrypted file or the temporary file;
the virtual file system stores the corresponding relation between the file descriptor FD and the virtual file descriptor VFD, between the virtual file VF and the real file path, and clears the corresponding relation record in the virtual file system after all operations on the real file are finished.
8. A computer-readable storage medium having computer-executable instructions stored therein, the computer-readable storage medium characterized in that: the computer executable instructions, when executed by a processor, implement the transparent encryption and decryption method based on a multi-threaded environment of any one of claims 1 to 6.
CN202010684966.7A 2020-07-16 2020-07-16 Transparent encryption and decryption method, system and storage medium based on multithreading environment Active CN111832054B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010684966.7A CN111832054B (en) 2020-07-16 2020-07-16 Transparent encryption and decryption method, system and storage medium based on multithreading environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010684966.7A CN111832054B (en) 2020-07-16 2020-07-16 Transparent encryption and decryption method, system and storage medium based on multithreading environment

Publications (2)

Publication Number Publication Date
CN111832054A CN111832054A (en) 2020-10-27
CN111832054B true CN111832054B (en) 2022-03-15

Family

ID=72924099

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010684966.7A Active CN111832054B (en) 2020-07-16 2020-07-16 Transparent encryption and decryption method, system and storage medium based on multithreading environment

Country Status (1)

Country Link
CN (1) CN111832054B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107045530A (en) * 2017-01-20 2017-08-15 华中科技大学 A kind of method that object storage system is embodied as to local file system
US9875192B1 (en) * 2015-06-25 2018-01-23 Amazon Technologies, Inc. File system service for virtualized graphics processing units
CN108133151A (en) * 2018-02-08 2018-06-08 北京指掌易科技有限公司 Document encrypting apparatus, document handling method and mobile terminal device
CN110795400A (en) * 2019-10-12 2020-02-14 苏州浪潮智能科技有限公司 File management method, device, equipment and medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
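Design and Implementation of a Transparent Encryption and Decryption File System; Yan Zhirun et al.; 《计算机应用与软件》 (Computer Applications and Software); 20170930; 5-8, 32 *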

Also Published As

Publication number Publication date
CN111832054A (en) 2020-10-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A transparent encryption and decryption method, system, and storage medium based on a multi-threaded environment

Effective date of registration: 20230412

Granted publication date: 20220315

Pledgee: China Construction Bank Corporation Zhengzhou Jinshui sub branch

Pledgor: ZHENGZHOU XINDA JIEAN INFORMATION TECHNOLOGY Co.,Ltd.

Registration number: Y2023980037751