CN107003950A - A kind of file system guard method, device and storage device - Google Patents

A kind of file system guard method, device and storage device Download PDF

Info

Publication number
CN107003950A
CN107003950A CN201580001165.3A CN201580001165A CN107003950A CN 107003950 A CN107003950 A CN 107003950A CN 201580001165 A CN201580001165 A CN 201580001165A CN 107003950 A CN107003950 A CN 107003950A
Authority
CN
China
Prior art keywords
file system
space
address
access instruction
instruction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201580001165.3A
Other languages
Chinese (zh)
Other versions
CN107003950B (en
Inventor
于群
徐君
王元钢
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Publication of CN107003950A publication Critical patent/CN107003950A/en
Application granted granted Critical
Publication of CN107003950B publication Critical patent/CN107003950B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/16Protection against loss of memory contents

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

A kind of file system guard method and device, this method include:Access instruction is received, wherein, access instruction is used to access file system, and access instruction includes IA, and IA is for mapping the virtual address of the physical address of access instruction (S101);The address realm of file system space is obtained from default register, wherein, file system space is the virtual address space of file system, the user's space that file system space belongs in operating system virtual address space, operating system virtual address space is according to the virtual continuation address space (S102) of NVM physical space;According to IA and the address realm of file system space, the instruction (S103) whether access instruction belongs in file system space is judged;When access instruction is not belonging to the instruction in file system space, access instruction is forbidden to access file system (S104).The security of file system can be improved.

Description

A kind of file system guard method, device and storage device Technical field
The present invention relates to field of computer technology, more particularly to a kind of file system guard method, device and storage device.
Background technology
The working condition of operating system includes kernel state and User space, kernel state is the pattern that operating system nucleus is run, the instruction of the pattern is operated in, unrestrictedly Installed System Memory, peripheral hardware etc. can be conducted interviews, but it is higher to the reliability and security requirement of instruction;User space refers to unprivileged, and the instruction of operation in this condition is by hardware limitation, it is impossible to carry out some privileged operations, but relatively low to the reliability and security requirement of instruction.Operating system virtual address space includes kernel spacing and user's space, and the instruction operation of kernel spacing is in kernel state, and the instruction operation of user's space is in User space.
File system is that the software mechanism with storage file information is responsible in operating system, and the security of file system is extremely important to the stability of operating system, and therefore, in order to ensure the security of file system, traditional file system is operated in kernel state.Because file system is operated in kernel state, when user needs to access the file in file system, operating system needs to be switched to kernel state by User space, and needs tediously long I/O software stacks to handle, and adds processing procedure.At present, in order to simplify the processing procedure that user accesses file in file system, also there is the technical scheme for making file system be operated in User space in the prior art.But, because consumer process and kernel thread all have the authority for accessing the file system for being operated in User space, therefore, when consumer process or kernel thread have illegal pointer, and during illegal pointer sensing file system, if the operation is write operation, file system will be changed, cause file system mistake occur, reduce the security of file system.
The content of the invention
The embodiment of the invention discloses a kind of file system guard method, device and storage device, the security for improving file system.
First aspect of the embodiment of the present invention discloses a kind of file system guard method, and methods described is applied to be provided with the storage device of file system in internal memory, wherein, it is described in save as nonvolatile memory (non-violate memory, NVM), including:
Access instruction is received, wherein, the access instruction is used to access the file system, and the access instruction includes IA, and the IA is the virtual address for mapping the physical address of the access instruction;
The address realm of file system space is obtained from default register, wherein, the file system space is the virtual address space of the file system, the user's space that the file system space belongs in operating system virtual address space, the operating system virtual address space is according to the virtual continuation address space of the physical space of the NVM;
According to the IA and the address realm of the file system space, the instruction whether access instruction belongs in the file system space is judged;
When the access instruction is not belonging to the instruction in the file system space, the access instruction is forbidden to access the file system.
With reference to the embodiment of the present invention in a first aspect, in the first possible implementation of first aspect of the embodiment of the present invention, methods described also includes:
When the access instruction belongs to the instruction in the file system space, it is allowed to which the access instruction accesses the file system.
With reference to the first possible implementation of first aspect of the embodiment of the present invention or first aspect of the embodiment of the present invention, in second of possible implementation of first aspect of the embodiment of the present invention, methods described also includes:
When the process belonging to the access instruction accesses the file system first, bank code in the file system is linked to the bank code space in the file system space in the way of chained library, the bank code space is one section of fixed Virtual Space in the file system space, wherein, the bank code is the software logic for managing the file system.
With reference to second of possible implementation of first aspect of the embodiment of the present invention, in the third possible implementation of first aspect of the embodiment of the present invention, the default register includes the first register and the second register;
The address realm that file system space is obtained from default register includes:
The initial address of the file system space is obtained from first register;
The end address of the file system space is obtained from second register;
Obtained according to the end address of the initial address of the file system space and the file system space Obtain the address realm of the file system space.
With reference to second of possible implementation of first aspect of the embodiment of the present invention, in the 4th kind of possible implementation of first aspect of the embodiment of the present invention, the address realm for obtaining file system space from default register includes:
The end address of the file system space obtained according to the initial address of the operating system virtual address space and from default register obtains the address realm of the file system space.
Second aspect of the embodiment of the present invention discloses a kind of file system protection device, and described device is arranged in storage device, and file system is provided with the internal memory of the storage device, wherein, it is described in save as NVM, including:
Receiving module, for receiving access instruction, wherein, the access instruction is used to access the file system, and the access instruction includes IA, and the IA is the virtual address for mapping the physical address of the access instruction;
Acquisition module, address realm for obtaining file system space from default register, wherein, the file system space is the virtual address space of the file system, the user's space that the file system space belongs in operating system virtual address space, the operating system virtual address space is according to the virtual continuation address space of the physical space of the NVM;
Judge module, for the address realm according to the IA and the file system space, judges the instruction whether access instruction belongs in the file system space;
Control module, for be not belonging to when the access instruction in the file system space instruction when, forbid the access instruction to access the file system.
With reference to second aspect of the embodiment of the present invention, in the first possible implementation of second aspect of the embodiment of the present invention, the control module, is additionally operable to when the access instruction belongs to the instruction in the file system space, it is allowed to which the access instruction accesses the file system.
With reference to the first possible implementation of second aspect of the embodiment of the present invention or second aspect of the embodiment of the present invention, in second of possible implementation of second aspect of the embodiment of the present invention, described device also includes:
Link module, for when the process belonging to the access instruction accesses the file system first, the bank code in the file system to be linked to the storehouse generation in the file system space in the way of chained library Code space, the bank code space is one section of fixed Virtual Space in the file system space, wherein, the bank code is the software logic for managing the file system.
With reference to second of possible implementation of second aspect of the embodiment of the present invention, in the third possible implementation of second aspect of the embodiment of the present invention, the default register includes the first register and the second register;
The acquisition module specifically for:
The initial address of the file system space is obtained from first register;
The end address of the file system space is obtained from second register;
The address realm of the file system space is obtained according to the end address of the initial address of the file system space and the file system space.
With reference to second of possible implementation of second aspect of the embodiment of the present invention, in the 4th kind of possible implementation of second aspect of the embodiment of the present invention, the acquisition module, the end address of the file system space obtained specifically for the initial address according to the operating system virtual address space and from default register obtains the address realm of the file system space.
The third aspect of the embodiment of the present invention discloses a kind of storage device, including:
Internal memory, for storage file system and file, wherein, it is described in save as NVM;
Processor is used for by rambus and the Memory linkage, the processor:
Access instruction is received, the access instruction is used to access the file system, and the access instruction includes IA, and the IA is the virtual address for mapping the physical address of the access instruction;
The address realm of file system space is obtained from default register, wherein, the file system space is the virtual address space of the file system, the user's space that the file system space belongs in operating system virtual address space, the operating system virtual address space is according to the virtual continuation address space of the physical space of the NVM;
According to the IA and the address realm of the file system space, the instruction whether access instruction belongs in the file system space is judged;
When the access instruction is not belonging to the instruction in the file system space, the access instruction is forbidden to access the file system.
With reference to the third aspect of the embodiment of the present invention, in the first possible reality of the third aspect of the embodiment of the present invention In existing mode, the processor is additionally operable to:
When the access instruction belongs to the instruction in the file system space, it is allowed to which the access instruction accesses the file system.
With reference to the first possible implementation of the third aspect of the embodiment of the present invention or the third aspect of the embodiment of the present invention, in second of possible implementation of the third aspect of the embodiment of the present invention, the processor is additionally operable to:
When the process belonging to the access instruction accesses the file system first, bank code in the file system is linked to the bank code space in the file system space in the way of chained library, the bank code space is one section of fixed Virtual Space in the file system space, wherein, the bank code is the software logic for managing the file system.
With reference to second of possible implementation of the third aspect of the embodiment of the present invention, in the third possible implementation of the third aspect of the embodiment of the present invention, the default register includes the first register and the second register;
The mode that the processor obtains the address realm of file system space from default register is specially:
The initial address of the file system space is obtained from first register;
The end address of the file system space is obtained from second register;
The address realm of the file system space is obtained according to the end address of the initial address of the file system space and the file system space.
With reference to second of possible implementation of the third aspect of the embodiment of the present invention, in the 4th kind of possible implementation of the third aspect of the embodiment of the present invention, the mode that the processor obtains the address realm of file system space from default register is specially:
The end address of the file system space obtained according to the initial address of the operating system virtual address space and from default register obtains the address realm of the file system space.
In the embodiment of the present invention, after receiving the access instruction for including IA, the address realm of file system space will be obtained from default register, and according to IA and the address realm of file system space, judge the instruction whether access instruction belongs in file system space, when access instruction is not belonging to the instruction in file system space, access instruction is forbidden to access file system.By file system guard method provided in an embodiment of the present invention illegal instruction can be avoided to produce the operation of mistake to file system, improve fortune Row is in the security of the file system of the user's space of operating system.
Brief description of the drawings
Technical scheme in order to illustrate the embodiments of the present invention more clearly, will be briefly described to the required accompanying drawing used in embodiment below, it should be apparent that, drawings in the following description are only the accompanying drawing of some embodiments of the present invention.
Fig. 1 is a kind of flow chart of file system guard method disclosed in the embodiment of the present invention;
Fig. 2 is the flow chart of another file system guard method disclosed in the embodiment of the present invention;
Fig. 3 is a kind of structure chart of file system protection device disclosed in the embodiment of the present invention;
Fig. 4 is a kind of structure chart of storage device disclosed in the embodiment of the present invention;
Fig. 5 is a kind of division figure of operating system virtual address space disclosed in the embodiment of the present invention;
Fig. 6 is a kind of distribution map of operating system virtual address space disclosed in the embodiment of the present invention;
Fig. 7 is the distribution map of another operating system virtual address space disclosed in the embodiment of the present invention.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is clearly and completely described, it is clear that described embodiment is only a part of embodiment of the invention, rather than whole embodiments.
The embodiment of the invention discloses a kind of file system guard method and equipment, the security for improving file system.It is described in detail individually below.
The application scenarios of the embodiment of the present invention are first described by embodiment below for a better understanding of the present invention.In embodiments of the present invention, file system is provided with the internal memory of storage device, wherein, this is interior to save as NVM, such as:Phase transition storage (phase-change memory, PCM), magnetoresistive RAM (magnetic random access memory, MRAM), variable resistance type memory (resistive random-access memory, ReRAM) etc..NVM physical space can be virtual as continuous address space, i.e. operating system virtual address space.The address of operating system virtual address space and the conversion of NVM physical address can be realized by page table.Referring to Fig. 5, Fig. 5 is a kind of division figure of operating system virtual address space disclosed in the embodiment of the present invention.As shown in figure 5, operating system virtual address space can be with Including kernel spacing and user's space, the instruction operation of kernel spacing is in kernel state, and the instruction operation of user's space is on relatively low privilege level, i.e. User space.User's space can include the process space and file system space, wherein, the process space is the privately owned space of process, is as the privately owned space of each process in user's space, is distributed for Process Movement and storehouse;File system space is the space that process is shared, the space that as all processes all have permission to access in the user space.File system space is the virtual address space of file system, and file system space can include data space and bank code space.Wherein, data space is used for the data storage area of map file system, and bank code space is used for the bank code memory block of map file system.Bank code memory block is used for the bank code of storage file system, and bank code is the software logic of management file system.In embodiments of the present invention, the bank code of file system is linked to bank code space in the way of chained library, and process can be by calling the function access file system in bank code space.
Referring to Fig. 1, Fig. 1 is a kind of flow chart of file system guard method disclosed in the embodiment of the present invention.As shown in figure 1, this document system protection method may comprise steps of.
S101, reception access instruction, wherein, access instruction is used to access file system, and access instruction includes IA, and IA is the virtual address for mapping the physical address of access instruction.
In the present embodiment, the logical address for the built-in function that IA can be called according to access instruction and the initial address in bank code space are obtained.
S102, from default register obtain file system space address realm, wherein, file system space is the virtual address space of file system, the user's space that file system space belongs in operating system virtual address space, operating system virtual address space is according to the virtual continuation address space of NVM physical space.
In the present embodiment, add register in advance, the part or all of address that the register is used in the initial address and end address of storage file system space, receive after user operates the access instruction produced, the address of storage will be obtained from the register to determine the address realm of file system space.
S103, the address realm according to IA and file system space, judge the instruction whether access instruction belongs in file system space.
In the present embodiment, after getting the address realm of file system space, by the IA and the address realm of file system space that are included according to access instruction, judge the instruction whether access instruction belongs in file system, that is the address realm in the bank code space whether decision instruction address belongs in file system space It that is to say whether decision instruction address belongs to the address realm of file system space.
S104, when access instruction is not belonging to the instruction in file system space, forbid access instruction access file system.
In the present embodiment, when the instruction in file system space, i.e. IA are not belonging to when access instruction being not belonging to the address realm of file system space, show there is illegal pointer, access instruction will be forbidden to access file system;When the instruction that access instruction belongs in file system space, i.e., when IA belongs to the address realm of file system space, show that illegal pointer is not present, it is allowed to which access instruction accesses file system.
In one embodiment, default register includes the first register and the second register;
The mode of the address realm of acquisition file system space is specially from default register:
The initial address of file system space is obtained from the first register;
The end address of file system space is obtained from the second register;
The address realm of file system space is obtained according to the end address of the initial address of file system space and file system space.
For example, referring to Fig. 6, Fig. 6 is a kind of distribution map of operating system virtual address space disclosed in the embodiment of the present invention.As shown in fig. 6, the address of kernel spacing is more than the address of file system space, the address of file system space is more than the address of the process space, adds default register, the default register includes the first register and the second register.Wherein, the first register can be used for the end address of the initial address of storage file system space, the i.e. process space;Second register can be used for the initial address of the end address of storage file system space, i.e. kernel spacing.After the initial address and end address for getting file system space, it will determine that whether IA is less than the end address of file system space and more than the initial address of file system space, i.e. whether decision instruction address is less than the initial address of kernel spacing, and more than the end address of the process space, when IA is less than the end address of file system space and the initial address more than file system space, show that illegal pointer is not present, access instruction will be allowed to access file system;Correspondingly, when IA be more than file system space end address, or less than file system space initial address when, show there is illegal pointer, will forbid access instruction access file system.
In one embodiment, the mode from the address realm of default register acquisition file system space is specially:
The end address of the file system space obtained according to the initial address of operating system virtual address space and from default register obtains the address realm of file system space.
For example, referring to Fig. 7, Fig. 7 is the distribution map of another operating system virtual address space disclosed in the embodiment of the present invention.As shown in Figure 7, the address of kernel spacing is more than the address of the process space, the address of the process space is more than the address of file system space, and the initial address of operating system virtual address space is the initial address of file system space, and the end address of file system space is the initial address of the process space.Default register is added, the initial address for the end address of storage file system space, the i.e. process space.After getting initial address and the end address of file system space, it will determine that whether IA is less than the end address of file system space, i.e. whether decision instruction address is less than the initial address of the process space, when IA is less than the end address of file system space, show that illegal pointer is not present, access instruction will be allowed to access file system;Correspondingly, when IA is more than the end address of file system space, show there is illegal pointer, access instruction will be forbidden to access file system.
In the file system guard method described by Fig. 1; after receiving the access instruction for including IA; the address realm of file system space will be obtained from default register; and according to IA and the address realm of file system space; judge the instruction whether access instruction belongs in file system space; when access instruction is not belonging to the instruction in file system space, access instruction is forbidden to access file system.Using file system guard method provided in an embodiment of the present invention; when the access instruction for accessing file system is not belonging to the instruction in file system space; the access instruction can be forbidden to access file system; so as to avoid illegal access instruction from producing the operation of mistake to file system, the security of the file system for the user's space for running on operating system is improved.
Referring to Fig. 2, Fig. 2 is the flow chart of another file system guard method disclosed in the embodiment of the present invention.As shown in Fig. 2 this document system protection may comprise steps of.
S201, reception include reference address and the access instruction of IA, wherein, reference address is the virtual address for mapping NVM physical address, and IA is the virtual address for mapping the physical address of access instruction.
In the present embodiment, the logical address for the built-in function that IA can be called according to access instruction and the initial address in bank code space are obtained.
S202, the process belonging to access instruction be first access file system when, bank code space bank code in file system linked to file in the way of chained library in system space, file system space is the virtual address space of file system, and the user that file system space belongs in operating system virtual address space is empty Between, operating system virtual address space is that, according to the virtual continuation address space of NVM physical space, bank code space is one section of fixed Virtual Space in file system space, wherein, bank code is the software logic of management file system.
In the present embodiment, receive after user operates the access instruction produced, whether will determine that the process belonging to access instruction is to access file system first, when the process belonging to access instruction is to access file system first, bank code space bank code in file system linked to file in the way of chained library in system space, so that access instruction accesses file system;When the process belonging to access instruction is not to access file system first, step S203 will be performed.
S203, from default register obtain file system space address realm.
In the present embodiment, add register in advance, the part or all of address that the register is used in the initial address and end address of storage file system space, receive after user operates the access instruction produced, or after the bank code space in system space that the bank code in file system is linked to file in the way of chained library, the address of storage will be obtained from the register to determine the address realm of file system space.
Whether S204, the address realm according to reference address and file system space, it is the instruction for accessing file system to judge access instruction.
In the present embodiment, after getting the address realm of file system space from default register, by the address realm according to reference address and file system space, whether be the instruction that accesses file system, that is, judge whether reference address belongs to the address realm of file system space if judging access instruction.
S205, when access instruction for access file system instruction when, by the address realm according to IA and file system space, judge the instruction whether access instruction belongs in file system space.
In the present embodiment, when instruction of the access instruction for access file system, by the address realm according to IA and file system space, judge the instruction whether access instruction belongs in file system space, i.e. the address realm in the bank code space whether decision instruction address belongs in file system space, that is to say whether decision instruction address belongs to the address realm of file system space;When access instruction is not to access the instruction of file system, will normally it be accessed.
S206, when access instruction is not belonging to the instruction in file system space, forbid access instruction access file system.
S207, when access instruction belongs to the instruction in file system space, it is allowed to access instruction access file system.
In the present embodiment, when access instruction is not belonging to the instruction in file system space, it is illegal address to show reference address, and access instruction will be forbidden to access file system;When access instruction belongs to the instruction in file system space, it is legal address to show reference address, it is allowed to which access instruction accesses file system.
In one embodiment, default register includes the first register and the second register;
The mode of the address realm of acquisition file system space is specially from default register:
The initial address of file system space is obtained from the first register;
The end address of file system space is obtained from the second register;
The address realm of file system space is obtained according to the end address of the initial address of file system space and file system space.
For example, referring to Fig. 6, Fig. 6 is a kind of distribution map of operating system virtual address space disclosed in the embodiment of the present invention.As shown in fig. 6, the address of kernel spacing is more than the address of file system space, the address of file system space is more than the address of the process space, adds default register, the default register includes the first register and the second register.Wherein, the first register can be used for the end address of the initial address of storage file system space, the i.e. process space;Second register can be used for the initial address of the end address of storage file system space, i.e. kernel spacing.After the initial address and end address for getting file system space, it will determine that whether reference address is less than the end address of file system space, and more than the initial address of file system space, judge whether reference address is less than the initial address of kernel spacing, and more than the end address of the process space, when reference address is less than the end address of file system space and the initial address more than file system space, it will determine that whether IA is less than the end address of file system space and more than the initial address of file system space, i.e. whether decision instruction address is less than the initial address of kernel spacing, and more than the end address of the process space, when IA is less than the end address of file system space and the initial address more than file system space, it is legal address to show reference address, access instruction will be allowed to access file system;Correspondingly, when IA be more than file system space end address, or less than file system space initial address when, show reference address be illegal address, will forbid access instruction access file system.
In one embodiment, the mode from the address realm of default register acquisition file system space is specially:
The end address of the file system space obtained according to the initial address of operating system virtual address space and from default register obtains the address realm of file system space.
For example, referring to Fig. 7, Fig. 7 is that another operating system virtual address is empty disclosed in the embodiment of the present invention Between distribution map.As shown in Figure 7, the address of kernel spacing is more than the address of the process space, the address of the process space is more than the address of file system space, and the initial address of operating system virtual address space is the initial address of file system space, and the end address of file system space is the initial address of the process space.Default register is added, the initial address for the end address of storage file system space, the i.e. process space.After getting initial address and the end address of file system space, it will determine that whether reference address is less than the end address of file system space, judge whether reference address is less than the initial address of the process space, when reference address is less than the end address of file system space, it will determine that whether IA is less than the end address of file system space, i.e. whether decision instruction address is less than the initial address of the process space, when IA is less than the end address of file system space, it is legal address to show reference address, access instruction will be allowed to access file system;Correspondingly, when IA is more than the end address of file system space, it is illegal address to show reference address, and access instruction will be forbidden to access file system.
In the file system guard method described by Fig. 2; after receiving the access instruction for including IA; the address realm of file system space will be obtained from default register; and according to IA and the address realm of file system space; judge the instruction whether access instruction belongs in file system space; when access instruction is not belonging to the instruction in file system space, access instruction is forbidden to access file system.Pass through file system guard method provided in an embodiment of the present invention; when the access instruction for accessing file system is not belonging to the instruction in file system space; the access instruction can be forbidden to access file system; so as to avoid the operation that illegal access instruction produces mistake to file system, the security of the file system for the user's space for running on operating system is improved.
Referring to Fig. 3, Fig. 3 is a kind of structure chart of file system protection device disclosed in the embodiment of the present invention.As shown in figure 3, this document system protection device 300 can include:
Receiving module 301, for receiving access instruction, wherein, access instruction is used to access file system, and access instruction includes IA, and IA is the virtual address for mapping the physical address of access instruction;
Acquisition module 302, address realm for obtaining file system space from default register, wherein, file system space is the virtual address space of file system, the user's space that file system space belongs in operating system virtual address space, operating system virtual address space is according to the virtual continuation address space of NVM physical space;
Judge module 303, for the address realm according to IA and file system space, judges the instruction whether access instruction belongs in file system space;
Control module 304, for when access instruction is not belonging to the instruction in file system space, forbidding access instruction to access file system.
As a kind of possible embodiment, control module 304 is additionally operable to when access instruction belongs to the instruction in file system space, it is allowed to which access instruction accesses file system.
As a kind of possible embodiment, file system protection device 300 can also include:
Link module 305, for when the process belonging to access instruction accesses file system first, bank code space bank code in file system linked to file in the way of chained library in system space, bank code space is one section of fixed Virtual Space in file system space, wherein, bank code is the software logic of management file system.
As a kind of possible embodiment, default register includes the first register and the second register;
Acquisition module 302 specifically for:
The initial address of file system space is obtained from the first register;
The end address of file system space is obtained from the second register;
The address realm of file system space is obtained according to the end address of the initial address of file system space and file system space.
As a kind of possible embodiment, acquisition module 302, the end address of the file system space obtained specifically for the initial address according to operating system virtual address space and from default register obtains the address realm of file system space.
In the file system protection device described by Fig. 3; after receiving the access instruction for including IA; the address realm of file system space will be obtained from default register; and according to IA and the address realm of file system space; judge the instruction whether access instruction belongs in file system space; when access instruction is not belonging to the instruction in file system space, access instruction is forbidden to access file system.File system protection device provided in an embodiment of the present invention can be when the access instruction for accessing file system be not belonging to the instruction in file system space; the access instruction is forbidden to access file system; so as to avoid the operation that illegal access instruction produces mistake to file system, the security for the file system for running on user's space is improved.
Referring to Fig. 4, Fig. 4 is a kind of structure chart of storage device disclosed in the embodiment of the present invention.As shown in figure 4, the storage device 400 can include:
Internal memory 401, for storage file system and file, wherein, internal memory 401 is NVM;
Processor 402 is connected by rambus 403 with internal memory 401, and processor 402 is used for:
Access instruction is received, access instruction is used to access file system, and access instruction includes IA, and IA is the virtual address for mapping the physical address of access instruction;
The address realm of file system space is obtained from default register, wherein, file system space is the virtual address space of file system, the user's space that file system space belongs in operating system virtual address space, operating system virtual address space is according to the virtual continuation address space of NVM physical space;
According to IA and the address realm of file system space, the instruction whether access instruction belongs in file system space is judged;
When access instruction is not belonging to the instruction in file system space, access instruction is forbidden to access file system.
As a kind of possible embodiment, processor 402 is additionally operable to:
When access instruction belongs to the instruction in file system space, it is allowed to which access instruction accesses file system.
As a kind of possible embodiment, processor 402 is additionally operable to:
When the process belonging to access instruction accesses file system first, bank code space bank code in file system linked to file in the way of chained library in system space, bank code space is one section of fixed Virtual Space in file system space, wherein, bank code is the software logic of management file system.
As a kind of possible embodiment, default register includes the first register and the second register;
The mode that processor 402 obtains the address realm of file system space from default register is specially:
The initial address of file system space is obtained from the first register;
The end address of file system space is obtained from the second register;
The address realm of file system space is obtained according to the end address of the initial address of file system space and file system space.
As a kind of possible embodiment, the mode that processor 402 obtains the address realm of file system space from default register is specially:
The end address of the file system space obtained according to the initial address of operating system virtual address space and from default register obtains the address realm of file system space.
In the storage device described by Fig. 4, after receiving the access instruction for including IA, the address realm of file system space will be obtained from default register, and according to IA and the address realm of file system space, judge the instruction whether access instruction belongs in file system space, when access instruction is not belonging to the instruction in file system space, access instruction is forbidden to access file system.Storage device provided in an embodiment of the present invention, when the access instruction for accessing file system is not belonging to the instruction in file system space, the illegal access instruction can be forbidden to access file system, to avoid illegal access instruction from producing the operation of mistake to file system, so as to improve the security for the file system for running on user's space.
The embodiment of the present invention further discloses a kind of computer-readable storage medium, the computer-readable storage medium is stored with computer program, when the computer program in computer-readable storage medium is read into computer, computer is enabled to complete the Overall Steps of data transmission method disclosed in the embodiment of the present invention.Storage medium can include:Flash disk, read-only storage (Read-Only Memory, ROM), random access device (Random Access Memory, RAM), disk or CD etc..Do not limit herein.
It should be noted that, for each foregoing embodiment of the method, in order to be briefly described, therefore it is all expressed as to a series of combination of actions, but those skilled in the art should know, the present invention is not limited by described sequence of movement, because according to the present invention, certain some step can be carried out sequentially or simultaneously using other.Secondly, those skilled in the art should also know, embodiment described in this description belongs to preferred embodiment, and involved action and the module not necessarily present invention are necessary.
The file system guard method provided above the embodiment of the present invention and equipment are described in detail; specific case used herein is set forth to the principle and embodiment of the present invention, and the explanation of above example is only intended to help to understand method and its core concept of the invention.

Claims (15)

  1. A kind of file system guard method, methods described is applied to be provided with the storage device of file system in internal memory, wherein, it is described in save as nonvolatile memory NVM, it is characterised in that including:
    Access instruction is received, wherein, the access instruction is used to access the file system, and the access instruction includes IA, and the IA is the virtual address for mapping the physical address of the access instruction;
    The address realm of file system space is obtained from default register, wherein, the file system space is the virtual address space of the file system, the user's space that the file system space belongs in operating system virtual address space, the operating system virtual address space is according to the virtual continuation address space of the physical space of the NVM;
    According to the IA and the address realm of the file system space, the instruction whether access instruction belongs in the file system space is judged;
    When the access instruction is not belonging to the instruction in the file system space, the access instruction is forbidden to access the file system.
  2. According to the method described in claim 1, it is characterised in that methods described also includes:
    When the access instruction belongs to the instruction in the file system space, it is allowed to which the access instruction accesses the file system.
  3. Method according to claim 1 or 2, it is characterised in that methods described also includes:
    When the process belonging to the access instruction accesses the file system first, bank code in the file system is linked to the bank code space in the file system space in the way of chained library, the bank code space is one section of fixed Virtual Space in the file system space, wherein, the bank code is the software logic for managing the file system.
  4. Method according to claim 3, it is characterised in that the default register includes the first register and the second register;
    The address realm that file system space is obtained from default register includes:
    The initial address of the file system space is obtained from first register;
    The end address of the file system space is obtained from second register;
    The address realm of the file system space is obtained according to the end address of the initial address of the file system space and the file system space.
  5. Method according to claim 3, it is characterised in that the address realm for obtaining file system space from default register includes:
    The end address of the file system space obtained according to the initial address of the operating system virtual address space and from default register obtains the address realm of the file system space.
  6. A kind of file system protection device, described device is arranged in storage device, and file system is provided with the internal memory of the storage device, wherein, it is described in save as nonvolatile memory NVM, it is characterised in that including:
    Receiving module, for receiving access instruction, wherein, the access instruction is used to access the file system, and the access instruction includes IA, and the IA is the virtual address for mapping the physical address of the access instruction;
    Acquisition module, address realm for obtaining file system space from default register, wherein, the file system space is the virtual address space of the file system, the user's space that the file system space belongs in operating system virtual address space, the operating system virtual address space is according to the virtual continuation address space of the physical space of the NVM;
    Judge module, for the address realm according to the IA and the file system space, judges the instruction whether access instruction belongs in the file system space;
    Control module, for be not belonging to when the access instruction in the file system space instruction when, forbid the access instruction to access the file system.
  7. Device according to claim 6, it is characterised in that the control module, is additionally operable to when the access instruction belongs to the instruction in the file system space, it is allowed to which the access instruction accesses the file system.
  8. Device according to claim 6 or 7, it is characterised in that described device also includes:
    Link module, for when the process belonging to the access instruction accesses the file system first, bank code in the file system is linked to the bank code space in the file system space in the way of chained library, the bank code space is one section of fixed Virtual Space in the file system space, wherein, the bank code is the software logic for managing the file system.
  9. Device according to claim 8, it is characterised in that the default register includes the first register and the second register;
    The acquisition module specifically for:
    The initial address of the file system space is obtained from first register;
    The end address of the file system space is obtained from second register;
    The address realm of the file system space is obtained according to the end address of the initial address of the file system space and the file system space.
  10. Device according to claim 8, it is characterized in that, the acquisition module, the end address of the file system space obtained specifically for the initial address according to the operating system virtual address space and from default register obtains the address realm of the file system space.
  11. A kind of storage device, it is characterised in that including:
    Internal memory, for storage file system and file, wherein, it is described in save as nonvolatile memory NVM;
    Processor is used for by rambus and the Memory linkage, the processor:
    Access instruction is received, the access instruction is used to access the file system, and the access instruction includes IA, and the IA is the virtual address for mapping the physical address of the access instruction;
    The address realm of file system space is obtained from default register, wherein, the file system space is the virtual address space of the file system, the user's space that the file system space belongs in operating system virtual address space, the operating system virtual address space is according to the virtual continuation address space of the physical space of the NVM;
    According to the IA and the address realm of the file system space, the instruction whether access instruction belongs in the file system space is judged;
    When the access instruction is not belonging to the instruction in the file system space, the access instruction is forbidden to access the file system.
  12. Storage device according to claim 11, it is characterised in that the processor is additionally operable to:
    When the access instruction belongs to the instruction in the file system space, it is allowed to which the access instruction accesses the file system.
  13. Storage device according to claim 11 or 12, it is characterised in that the processor is additionally operable to:
    When the process belonging to the access instruction accesses the file system first, bank code in the file system is linked to the bank code space in the file system space in the way of chained library, the bank code space is one section of fixed Virtual Space in the file system space, wherein, the bank code is the software logic for managing the file system.
  14. Storage device according to claim 13, it is characterised in that the default register includes the first register and the second register;
    The mode that the processor obtains the address realm of file system space from default register is specially:
    The initial address of the file system space is obtained from first register;
    The end address of the file system space is obtained from second register;
    The address realm of the file system space is obtained according to the end address of the initial address of the file system space and the file system space.
  15. Storage device according to claim 13, it is characterised in that the mode of address realm that the processor obtains file system space from default register is specially:
    The end address of the file system space obtained according to the initial address of the operating system virtual address space and from default register obtains the address realm of the file system space.
CN201580001165.3A 2015-07-31 2015-07-31 File system protection method and device and storage equipment Active CN107003950B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/085781 WO2017020194A1 (en) 2015-07-31 2015-07-31 File system protection method, device and storage apparatus

Publications (2)

Publication Number Publication Date
CN107003950A true CN107003950A (en) 2017-08-01
CN107003950B CN107003950B (en) 2020-12-01

Family

ID=57942307

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201580001165.3A Active CN107003950B (en) 2015-07-31 2015-07-31 File system protection method and device and storage equipment

Country Status (2)

Country Link
CN (1) CN107003950B (en)
WO (1) WO2017020194A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1581108A (en) * 2003-07-31 2005-02-16 深圳市中兴通讯股份有限公司南京分公司 Internal memory management method with internal memory protection function
EP1696320A1 (en) * 2005-02-25 2006-08-30 Moxa Technologies Co., Ltd. Electronic device with an embedded linux application system
US20060195693A1 (en) * 2005-02-28 2006-08-31 Intel Corporation Specter rendering
US20110246981A1 (en) * 2010-03-31 2011-10-06 Verizon Patent And Licensing, Inc. Automated software installation with interview
US20110296113A1 (en) * 2010-05-27 2011-12-01 International Business Machines Corporation Recovery in shared memory environment
CN102541984A (en) * 2011-10-25 2012-07-04 曙光信息产业(北京)有限公司 File system of distributed type file system client side
CN102930205A (en) * 2012-10-10 2013-02-13 北京奇虎科技有限公司 Monitoring unit and method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9069983B1 (en) * 2009-04-29 2015-06-30 Symantec Corporation Method and apparatus for protecting sensitive information from disclosure through virtual machines files
CN102184143B (en) * 2011-04-25 2013-08-14 深圳市江波龙电子有限公司 Data protection method, device and system for storage device
CN103488588A (en) * 2013-10-09 2014-01-01 中国科学院计算技术研究所 Memory protection method and system and network interface controller

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1581108A (en) * 2003-07-31 2005-02-16 深圳市中兴通讯股份有限公司南京分公司 Internal memory management method with internal memory protection function
EP1696320A1 (en) * 2005-02-25 2006-08-30 Moxa Technologies Co., Ltd. Electronic device with an embedded linux application system
US20060195693A1 (en) * 2005-02-28 2006-08-31 Intel Corporation Specter rendering
US20110246981A1 (en) * 2010-03-31 2011-10-06 Verizon Patent And Licensing, Inc. Automated software installation with interview
US20110296113A1 (en) * 2010-05-27 2011-12-01 International Business Machines Corporation Recovery in shared memory environment
CN102541984A (en) * 2011-10-25 2012-07-04 曙光信息产业(北京)有限公司 File system of distributed type file system client side
CN102930205A (en) * 2012-10-10 2013-02-13 北京奇虎科技有限公司 Monitoring unit and method

Also Published As

Publication number Publication date
WO2017020194A1 (en) 2017-02-09
CN107003950B (en) 2020-12-01

Similar Documents

Publication Publication Date Title
US20240134677A1 (en) Protected regions management of memory
US11182507B2 (en) Domain crossing in executing instructions in computer processors
US9785784B2 (en) Security management unit, host controller interface including same, method operating host controller interface, and devices including host controller interface
JP6652491B2 (en) Area specifying operation for specifying the area of the memory attribute unit corresponding to the target memory address
US20230004420A1 (en) Virtual Machine Register in a Computer Processor
EP3844650B1 (en) Security configurations in page table entries for execution domains
CN101369245B (en) A kind of system and method realizing memory defect map
CN112602062A (en) Domain registers for instructions being executed in a computer processor
US10915457B2 (en) Memory access control through permissions specified in page table entries for execution domains
EP2637124B1 (en) Method for implementing security of non-volatile memory
US11126453B2 (en) Protected regions management of memory
US11977495B2 (en) Memory access determination
CN110928737B (en) Method and device for monitoring memory access behavior of sample process
CN112639736A (en) Execution domain based access control of processor registers
KR20210025836A (en) Memory controller, storage device including the same and operating method thereof
CN107003950A (en) A kind of file system guard method, device and storage device
CN110968863A (en) Mitigating side channel attacks using executable only memory (XOM)
US8478970B2 (en) Accessing value for local variable from function call stack upon offset matching with instruction extracted stack pointer offset or from cache
US20240192891A1 (en) Memory device active command tracking
US20230342049A1 (en) Reading a master boot record for a namespace using a regular read operation
US20160026400A1 (en) Loading method and dividing method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant