CN107003950B - File system protection method and device and storage equipment - Google Patents

Publication number
CN107003950B
Authority
CN
China
Prior art keywords
file system
space
address
instruction
access
Legal status
Active
Application number
CN201580001165.3A
Other languages
Chinese (zh)
Other versions
CN107003950A (en)
Inventor
于群
徐君
王元钢
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/16 Protection against loss of memory contents

Abstract

A file system protection method and device are provided. The method comprises: receiving an access instruction, wherein the access instruction is used for accessing a file system and comprises an instruction address, the instruction address being a virtual address used for mapping a physical address of the access instruction (S101); acquiring an address range of a file system space from a preset register, wherein the file system space is a virtual address space of the file system, the file system space belongs to a user space in an operating system virtual address space, and the operating system virtual address space is a continuous address space virtualized according to a physical space of the NVM (S102); judging, according to the instruction address and the address range of the file system space, whether the access instruction belongs to the instructions in the file system space (S103); and, when the access instruction does not belong to the instructions in the file system space, prohibiting the access instruction from accessing the file system (S104). The security of the file system can thereby be improved.

Description

File system protection method and device and storage equipment
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a file system protection method and apparatus, and a storage device.
Background
The operating state of an operating system comprises a kernel mode and a user mode. The kernel mode is the mode in which the operating system kernel runs; an instruction running in this mode can access system memory, peripherals and the like without restriction, but higher requirements are placed on the reliability and security of the instruction. The user mode is a non-privileged state: instructions running in it are limited by hardware and cannot perform certain privileged operations, and the requirements on their reliability and security are lower. The virtual address space of the operating system comprises a kernel space and a user space; instructions of the kernel space run in kernel mode, and instructions of the user space run in user mode.
The file system is the software mechanism in the operating system that is responsible for managing and storing file information. The security of the file system is very important to the stability of the operating system, so a conventional file system runs in kernel mode to ensure its security. Because the file system works in kernel mode, when a user needs to access a file in the file system, the operating system must switch from user mode to kernel mode and the request must pass through a lengthy I/O software stack, which lengthens the processing path. To simplify the processing of user access to files in a file system, the prior art includes a technical scheme in which the file system works in user mode. However, both user processes and kernel threads have the right to access a file system running in user mode. When an illegal pointer in a user process or kernel thread points to the file system and the operation is a write operation, the file system is modified, which causes an error in the file system and lowers the security of the file system.
Disclosure of Invention
The embodiment of the invention discloses a file system protection method, a file system protection device and storage equipment, which are used for improving the security of a file system.
A first aspect of the present invention discloses a file system protection method, which is applied to a storage device having a file system in a memory, where the memory is a non-volatile memory (NVM), and the method includes:
receiving an access instruction, wherein the access instruction is used for accessing the file system, and the access instruction contains an instruction address, and the instruction address is a virtual address used for mapping a physical address of the access instruction;
acquiring an address range of a file system space from a preset register, wherein the file system space is a virtual address space of the file system, the file system space belongs to a user space in an operating system virtual address space, and the operating system virtual address space is a continuous address space virtualized according to a physical space of the NVM;
judging whether the access instruction belongs to an instruction in the file system space or not according to the instruction address and the address range of the file system space;
and when the access instruction does not belong to the instruction in the file system space, forbidding the access instruction to access the file system.
With reference to the first aspect of the embodiment of the present invention, in a first possible implementation manner of the first aspect of the embodiment of the present invention, the method further includes:
and when the access instruction belongs to the instruction in the file system space, allowing the access instruction to access the file system.
With reference to the first aspect of the embodiment of the present invention or the first possible implementation manner of the first aspect of the embodiment of the present invention, in a second possible implementation manner of the first aspect of the embodiment of the present invention, the method further includes:
when the process to which the access instruction belongs accesses the file system for the first time, linking library codes in the file system to a library code space in the file system space in a library linking mode, wherein the library code space is a fixed virtual space in the file system space, and the library codes are software logic for managing the file system.
With reference to the second possible implementation manner of the first aspect of the embodiment of the present invention, in a third possible implementation manner of the first aspect of the embodiment of the present invention, the preset register includes a first register and a second register;
the obtaining of the address range of the file system space from the preset register includes:
acquiring a starting address of the file system space from the first register;
acquiring an end address of the file system space from the second register;
and obtaining the address range of the file system space according to the starting address of the file system space and the ending address of the file system space.
With reference to the second possible implementation manner of the first aspect of the embodiment of the present invention, in a fourth possible implementation manner of the first aspect of the embodiment of the present invention, the obtaining an address range of a file system space from a preset register includes:
and obtaining the address range of the file system space according to the starting address of the virtual address space of the operating system and the ending address of the file system space obtained from a preset register.
A second aspect of the present invention discloses a file system protection device, where the device is disposed in a storage device, and a memory of the storage device is provided with a file system, where the memory is an NVM, including:
a receiving module, configured to receive an access instruction, where the access instruction is used to access the file system, and the access instruction includes an instruction address, where the instruction address is a virtual address used to map a physical address of the access instruction;
an obtaining module, configured to obtain an address range of a file system space from a preset register, where the file system space is a virtual address space of the file system, the file system space belongs to a user space in an operating system virtual address space, and the operating system virtual address space is a continuous address space virtualized according to a physical space of the NVM;
the judging module is used for judging whether the access instruction belongs to the instruction in the file system space according to the instruction address and the address range of the file system space;
and the control module is used for forbidding the access instruction to access the file system when the access instruction does not belong to the instruction in the file system space.
With reference to the second aspect of the present embodiment, in a first possible implementation manner of the second aspect of the present embodiment, the control module is further configured to allow the access instruction to access the file system when the access instruction belongs to an instruction in the file system space.
With reference to the second aspect of the embodiment of the present invention or the first possible implementation manner of the second aspect of the embodiment of the present invention, in a second possible implementation manner of the second aspect of the embodiment of the present invention, the apparatus further includes:
and the link module is used for linking the library code in the file system to a library code space in the file system space in a link library mode when the process to which the access instruction belongs accesses the file system for the first time, wherein the library code space is a fixed virtual space in the file system space, and the library code is software logic for managing the file system.
With reference to the second possible implementation manner of the second aspect of the embodiment of the present invention, in a third possible implementation manner of the second aspect of the embodiment of the present invention, the preset register includes a first register and a second register;
the acquisition module is specifically configured to:
acquiring a starting address of the file system space from the first register;
acquiring an end address of the file system space from the second register;
and obtaining the address range of the file system space according to the starting address of the file system space and the ending address of the file system space.
With reference to the second possible implementation manner of the second aspect of the embodiment of the present invention, in a fourth possible implementation manner of the second aspect of the embodiment of the present invention, the obtaining module is specifically configured to obtain an address range of the file system space according to a start address of the virtual address space of the operating system and an end address of the file system space obtained from a preset register.
A third aspect of the embodiments of the present invention discloses a storage device, including:
the memory is used for storing a file system and files, wherein the memory is an NVM (non-volatile memory);
the processor is connected with the memory through a memory bus, and the processor is used for:
receiving an access instruction, wherein the access instruction is used for accessing the file system and comprises an instruction address, and the instruction address is a virtual address used for mapping a physical address of the access instruction;
acquiring an address range of a file system space from a preset register, wherein the file system space is a virtual address space of the file system, the file system space belongs to a user space in an operating system virtual address space, and the operating system virtual address space is a continuous address space virtualized according to a physical space of the NVM;
judging whether the access instruction belongs to an instruction in the file system space or not according to the instruction address and the address range of the file system space;
and when the access instruction does not belong to the instruction in the file system space, forbidding the access instruction to access the file system.
With reference to the third aspect of the embodiment of the present invention, in a first possible implementation manner of the third aspect of the embodiment of the present invention, the processor is further configured to:
and when the access instruction belongs to the instruction in the file system space, allowing the access instruction to access the file system.
With reference to the third aspect of the embodiment or the first possible implementation manner of the third aspect of the embodiment, in a second possible implementation manner of the third aspect of the embodiment, the processor is further configured to:
when the process to which the access instruction belongs accesses the file system for the first time, linking library codes in the file system to a library code space in the file system space in a library linking mode, wherein the library code space is a fixed virtual space in the file system space, and the library codes are software logic for managing the file system.
With reference to the second possible implementation manner of the third aspect of the embodiment of the present invention, in a third possible implementation manner of the third aspect of the embodiment of the present invention, the preset register includes a first register and a second register;
the way for the processor to obtain the address range of the file system space from the preset register specifically is as follows:
acquiring a starting address of the file system space from the first register;
acquiring an end address of the file system space from the second register;
and obtaining the address range of the file system space according to the starting address of the file system space and the ending address of the file system space.
With reference to the second possible implementation manner of the third aspect of the embodiment of the present invention, in a fourth possible implementation manner of the third aspect of the embodiment of the present invention, a manner of acquiring, by the processor, an address range of the file system space from the preset register is specifically:
and obtaining the address range of the file system space according to the starting address of the virtual address space of the operating system and the ending address of the file system space obtained from a preset register.
In the embodiment of the invention, after an access instruction containing an instruction address is received, the address range of the file system space is obtained from a preset register, whether the access instruction belongs to the instructions in the file system space is judged according to the instruction address and the address range of the file system space, and when the access instruction does not belong to the instructions in the file system space, the access instruction is prohibited from accessing the file system. The file system protection method provided by the embodiment of the invention can prevent erroneous operations on the file system caused by illegal instructions, and improves the security of a file system running in the user space of the operating system.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only drawings of some embodiments of the present invention.
FIG. 1 is a flowchart of a file system protection method according to an embodiment of the present invention;
FIG. 2 is a flow chart of another file system protection method disclosed by the embodiment of the invention;
FIG. 3 is a block diagram of a file system protection apparatus according to an embodiment of the present invention;
FIG. 4 is a block diagram of a memory device according to an embodiment of the present invention;
FIG. 5 is a partition diagram of the virtual address space of the operating system according to the embodiment of the present invention;
FIG. 6 is a diagram illustrating a virtual address space of an operating system according to an embodiment of the present invention;
FIG. 7 is a diagram illustrating a distribution of virtual address spaces of another operating system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments.
The embodiment of the invention discloses a file system protection method and equipment, which are used for improving the security of a file system. Details are given below.
To better understand the embodiment of the present invention, an application scenario of the embodiment is described first. In the embodiment of the present invention, a file system is provided in the memory of a storage device, where the memory is an NVM such as phase-change memory (PCM), magnetoresistive random access memory (MRAM) or variable resistance memory (ReRAM). The physical space of the NVM can be virtualized as a continuous address space, i.e., the operating system virtual address space. Addresses in the operating system virtual address space may be translated to NVM physical addresses through page tables. Referring to fig. 5, fig. 5 is a diagram illustrating a partition of a virtual address space of an operating system according to an embodiment of the present invention. As shown in fig. 5, the operating system virtual address space may include a kernel space and a user space; instructions of the kernel space run in kernel mode, and instructions of the user space run at a lower privilege level, i.e., user mode. The user space may include a process space and a file system space. The process space is a process-private space, that is, a space in the user space that is private to each process and is used for process activities and stack allocation. The file system space is a space shared by the processes, that is, a space in the user space that all processes have permission to access. The file system space is the virtual address space of the file system and may include a data space and a library code space. The data space is used for mapping a data storage area of the file system, and the library code space is used for mapping a library code storage area of the file system. The library code storage area is used for storing library code of the file system, and the library code is software logic for managing the file system.
In an embodiment of the present invention, library code of the file system is linked to the library code space in a manner of linking the library, and the process may access the file system by calling a function in the library code space.
Referring to fig. 1, fig. 1 is a flowchart illustrating a file system protection method according to an embodiment of the present invention. As shown in fig. 1, the file system protection method may include the following steps.
S101, receiving an access instruction, wherein the access instruction is used for accessing a file system, the access instruction comprises an instruction address, and the instruction address is a virtual address used for mapping a physical address of the access instruction.
In this embodiment, the instruction address may be obtained according to a logical address of a library function called by the access instruction and a start address of a library code space.
S102, acquiring an address range of a file system space from a preset register, wherein the file system space is a virtual address space of the file system, the file system space belongs to a user space in an operating system virtual address space, and the operating system virtual address space is a continuous address space virtualized according to a physical space of the NVM.
In this embodiment, a register is added in advance. The register is used to store some or all of the start address and the end address of the file system space. After an access instruction generated by a user operation is received, the stored address is obtained from the register to determine the address range of the file system space.
S103, judging whether the access instruction belongs to the instruction in the file system space or not according to the instruction address and the address range of the file system space.
In this embodiment, after the address range of the file system space is obtained, whether the access instruction belongs to the instructions in the file system space is determined according to the instruction address included in the access instruction and the address range of the file system space. That is, it is determined whether the instruction address belongs to the address range of the library code space in the file system space, i.e., whether the instruction address belongs to the address range of the file system space.
S104, when the access instruction does not belong to the instructions in the file system space, prohibiting the access instruction from accessing the file system.
In this embodiment, when the access instruction does not belong to the instructions in the file system space, that is, the instruction address does not belong to the address range of the file system space, an illegal pointer exists, and the access instruction is prohibited from accessing the file system. When the access instruction belongs to the instructions in the file system space, that is, the instruction address belongs to the address range of the file system space, no illegal pointer exists, and the access instruction is allowed to access the file system.
In one embodiment, the preset register includes a first register and a second register;
the manner of obtaining the address range of the file system space from the preset register is specifically as follows:
acquiring a starting address of a file system space from a first register;
acquiring an end address of the file system space from the second register;
and obtaining the address range of the file system space according to the starting address of the file system space and the ending address of the file system space.
For example, referring to fig. 6, fig. 6 is a distribution diagram of a virtual address space of an operating system according to an embodiment of the present invention. As shown in fig. 6, the addresses of the kernel space are greater than those of the file system space, and the addresses of the file system space are greater than those of the process space. A preset register is added, which includes a first register and a second register. The first register may be configured to store the starting address of the file system space, that is, the ending address of the process space; the second register may be used to store the ending address of the file system space, that is, the starting address of the kernel space. After the starting address and the ending address of the file system space are obtained, it is judged whether the instruction address is smaller than the ending address of the file system space and larger than the starting address of the file system space, that is, whether the instruction address is smaller than the starting address of the kernel space and larger than the ending address of the process space. When the instruction address is smaller than the ending address of the file system space and larger than the starting address of the file system space, no illegal pointer exists, and the access instruction is allowed to access the file system. Accordingly, when the instruction address is greater than the ending address of the file system space, or less than the starting address of the file system space, an illegal pointer exists, and the access instruction is prohibited from accessing the file system.
In an embodiment, the manner of obtaining the address range of the file system space from the preset register is specifically as follows:
and obtaining the address range of the file system space according to the starting address of the virtual address space of the operating system and the ending address of the file system space obtained from the preset register.
For example, referring to fig. 7, fig. 7 is a distribution diagram of a virtual address space of another operating system according to an embodiment of the present invention. As shown in fig. 7, the addresses of the kernel space are greater than those of the process space, and the addresses of the process space are greater than those of the file system space; the starting address of the virtual address space of the operating system is the starting address of the file system space, and the ending address of the file system space is the starting address of the process space. A preset register is added for storing the ending address of the file system space, that is, the starting address of the process space. After the starting address and the ending address of the file system space are obtained, it is judged whether the instruction address is smaller than the ending address of the file system space, that is, whether the instruction address is smaller than the starting address of the process space. When the instruction address is smaller than the ending address of the file system space, no illegal pointer exists, and the access instruction is allowed to access the file system. Accordingly, when the instruction address is greater than the ending address of the file system space, an illegal pointer exists, and the access instruction is prohibited from accessing the file system.
In the file system protection method described in fig. 1, after receiving an access instruction including an instruction address, an address range of a file system space is obtained from a preset register, and it is determined whether the access instruction belongs to an instruction in the file system space according to the instruction address and the address range of the file system space, and when the access instruction does not belong to an instruction in the file system space, the access instruction is prohibited from accessing the file system. By adopting the file system protection method provided by the embodiment of the invention, when the access instruction for accessing the file system does not belong to the instruction in the space of the file system, the access instruction can be prohibited from accessing the file system, so that the wrong operation of the illegal access instruction on the file system can be avoided, and the safety of the file system running in the user space of the operating system is improved.
Referring to fig. 2, fig. 2 is a flowchart illustrating another file system protection method according to an embodiment of the present invention. As shown in fig. 2, the file system protection method may include the following steps.
S201, receiving an access instruction containing an access address and an instruction address, wherein the access address is a virtual address used for mapping the NVM physical address, and the instruction address is a virtual address used for mapping the physical address of the access instruction.
In this embodiment, the instruction address may be obtained according to a logical address of a library function called by the access instruction and a start address of a library code space.
S202, when the process to which the access instruction belongs accesses the file system for the first time, linking the library code in the file system to a library code space in a file system space in a library linking manner, wherein the file system space is a virtual address space of the file system, the file system space belongs to a user space in an operating system virtual address space, the operating system virtual address space is a continuous address space virtualized according to a physical space of the NVM, the library code space is a fixed virtual space in the file system space, and the library code is software logic for managing the file system.
In this embodiment, after an access instruction generated by a user operation is received, it is judged whether the process to which the access instruction belongs is accessing the file system for the first time. When it is, the library code in the file system is linked to the library code space in the file system space in a library linking manner, so that the access instruction accesses the file system; when it is not, step S203 is executed.
S203, acquiring an address range of the file system space from a preset register.
In this embodiment, a register is added in advance. The register is used to store some or all of the start address and the end address of the file system space. After an access instruction generated by a user operation is received, or after the library code in the file system is linked to the library code space in the file system space in a library linking manner, the stored address is obtained from the register to determine the address range of the file system space.
S204, judging whether the access instruction is an instruction for accessing the file system according to the access address and the address range of the file system space.
In this embodiment, after the address range of the file system space is obtained from the preset register, whether the access instruction is an instruction for accessing the file system is determined according to the access address and the address range of the file system space, that is, whether the access address belongs to the address range of the file system space is determined.
S205, when the access instruction is an instruction for accessing the file system, whether the access instruction belongs to the instruction in the file system space is judged according to the instruction address and the address range of the file system space.
In this embodiment, when the access instruction is an instruction for accessing a file system, whether the access instruction belongs to an instruction in a file system space is determined according to an instruction address and an address range of the file system space, that is, whether the instruction address belongs to an address range of a library code space in the file system space is determined, that is, whether the instruction address belongs to an address range of the file system space is determined; when the access instruction is not an instruction to access the file system, normal access will be performed.
And S206, when the access instruction does not belong to the instruction in the file system space, prohibiting the access instruction from accessing the file system.
And S207, when the access instruction belongs to the instruction in the file system space, allowing the access instruction to access the file system.
In this embodiment, when the access instruction does not belong to an instruction in the file system space, it indicates that the access address is an illegal address, and the access instruction is prohibited from accessing the file system; and when the access instruction belongs to the instruction in the file system space, the access address is indicated to be a legal address, and the access instruction is allowed to access the file system.
In one embodiment, the preset registers include a first register and a second register;
the manner of obtaining the address range of the file system space from the preset register is specifically as follows:
acquiring a starting address of a file system space from a first register;
acquiring an end address of the file system space from the second register;
and obtaining the address range of the file system space according to the starting address of the file system space and the ending address of the file system space.
For example, referring to fig. 6, fig. 6 is a distribution diagram of a virtual address space of an operating system according to an embodiment of the present invention. As shown in fig. 6, the address of the kernel space is greater than the address of the file system space, and the address of the file system space is greater than the address of the process space. A preset register is added, which includes a first register and a second register. The first register may be used to store the start address of the file system space, that is, the end address of the process space; the second register may be used to store the end address of the file system space, that is, the start address of the kernel space. After the start address and the end address of the file system space are obtained, it is determined whether the access address is less than the end address of the file system space and greater than the start address of the file system space, that is, whether the access address is less than the start address of the kernel space and greater than the end address of the process space. When it is, it is then determined whether the instruction address is less than the end address of the file system space and greater than the start address of the file system space, that is, whether the instruction address is less than the start address of the kernel space and greater than the end address of the process space. When the instruction address is less than the end address of the file system space and greater than the start address of the file system space, the access address is a legal address, and the access instruction is allowed to access the file system; correspondingly, when the instruction address is greater than the end address of the file system space or less than the start address of the file system space, the access address is an illegal address, and the access instruction is prohibited from accessing the file system.
In an embodiment, the manner of obtaining the address range of the file system space from the preset register is specifically as follows:
and obtaining the address range of the file system space according to the starting address of the virtual address space of the operating system and the ending address of the file system space obtained from the preset register.
For example, referring to fig. 7, fig. 7 is a distribution diagram of a virtual address space of another operating system according to an embodiment of the disclosure. As shown in fig. 7, the address of the kernel space is greater than the address of the process space, the address of the process space is greater than the address of the file system space, the start address of the operating system virtual address space is the start address of the file system space, and the end address of the file system space is the start address of the process space. A preset register is added to store the end address of the file system space, that is, the start address of the process space. After the start address and the end address of the file system space are obtained, it is determined whether the access address is less than the end address of the file system space, that is, whether the access address is less than the start address of the process space. When it is, it is then determined whether the instruction address is less than the end address of the file system space, that is, whether the instruction address is less than the start address of the process space. When the instruction address is less than the end address of the file system space, the access address is a legal address, and the access instruction is allowed to access the file system; correspondingly, when the instruction address is greater than the end address of the file system space, the access address is an illegal address, and the access instruction is prohibited from accessing the file system.
In the file system protection method described in fig. 2, after receiving an access instruction including an instruction address, an address range of a file system space is obtained from a preset register, and whether the access instruction belongs to an instruction in the file system space is determined according to the instruction address and the address range of the file system space, and when the access instruction does not belong to an instruction in the file system space, the access instruction is prohibited from accessing the file system. By the file system protection method provided by the embodiment of the invention, when the access instruction for accessing the file system does not belong to the instruction in the space of the file system, the access instruction can be prohibited from accessing the file system, so that the wrong operation of the file system caused by the illegal access instruction is avoided, and the safety of the file system running in the user space of the operating system is improved.
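The decision made in steps S203 to S207, under both register layouts (fig. 6 with two registers, fig. 7 with one), can be modelled in C as follows. This is an added illustration, not code from the patent: the type and function names, the software model of the registers and the sample addresses are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of the preset register(s). All names are hypothetical;
 * the patent does not name the registers or define an interface. */
typedef struct {
    uint64_t start;       /* start address of the file system space */
    uint64_t end;         /* end address of the file system space */
    bool     check_start; /* false when the space begins at the OS VA start */
} fs_range;

typedef enum {
    ACCESS_NORMAL, /* S204: access address is outside the file system space */
    ACCESS_ALLOW,  /* S207: instruction lies inside the file system space */
    ACCESS_DENY    /* S206: instruction lies outside the file system space */
} fs_decision;

/* Fig. 6 layout: first register holds the start, second register the end. */
fs_range fs_range_two_regs(uint64_t first_reg, uint64_t second_reg)
{
    fs_range r = { first_reg, second_reg, true };
    return r;
}

/* Fig. 7 layout: a single register holds the end; the start is the start of
 * the operating system virtual address space, so only the end is compared. */
fs_range fs_range_one_reg(uint64_t os_va_start, uint64_t end_reg)
{
    fs_range r = { os_va_start, end_reg, false };
    return r;
}

/* Strict comparisons, following the description: "greater than the start
 * address and less than the end address". */
bool in_fs_space(const fs_range *r, uint64_t va)
{
    if (r->check_start && va <= r->start)
        return false;
    return va < r->end;
}

/* Two-stage check: first the access (target) address, then the address of
 * the instruction that issues the access. */
fs_decision fs_check(const fs_range *r, uint64_t instr_addr, uint64_t access_addr)
{
    if (!in_fs_space(r, access_addr))
        return ACCESS_NORMAL;
    if (!in_fs_space(r, instr_addr))
        return ACCESS_DENY;
    return ACCESS_ALLOW;
}

const char *fs_decision_name(fs_decision d)
{
    switch (d) {
    case ACCESS_NORMAL: return "normal access";
    case ACCESS_ALLOW:  return "allow";
    default:            return "deny";
    }
}

int main(void)
{
    /* Constructed sample layout in the fig. 6 ordering:
     * process space < file system space < kernel space. */
    fs_range fig6 = fs_range_two_regs(0x400000000000ULL, 0x700000000000ULL);

    struct { const char *what; uint64_t instr, access; } trace[] = {
        { "library code updates file system data", 0x400000001000ULL, 0x500000000000ULL },
        { "process code writes its own heap",      0x000000401000ULL, 0x000000a00000ULL },
        { "stray pointer write from process code", 0x000000401000ULL, 0x500000000000ULL },
        { "instruction located at the end address", 0x700000000000ULL, 0x500000000000ULL },
    };

    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        printf("%-40s instr=0x%012llx access=0x%012llx -> %s\n",
               trace[i].what,
               (unsigned long long)trace[i].instr,
               (unsigned long long)trace[i].access,
               fs_decision_name(fs_check(&fig6, trace[i].instr, trace[i].access)));
    return 0;
}
```

The third trace entry is the case the method targets: application code holding a pointer into the file system space is stopped because the issuing instruction is outside the range, even though the target address is mapped in user space.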
Referring to fig. 3, fig. 3 is a structural diagram of a file system protection device according to an embodiment of the present invention. As shown in fig. 3, the file system protection apparatus 300 may include:
a receiving module 301, configured to receive an access instruction, where the access instruction is used to access a file system, and the access instruction includes an instruction address, and the instruction address is a virtual address used to map a physical address of the access instruction;
an obtaining module 302, configured to obtain an address range of a file system space from a preset register, where the file system space is a virtual address space of a file system, the file system space belongs to a user space in an operating system virtual address space, and the operating system virtual address space is a continuous address space virtualized according to a physical space of the NVM;
the judging module 303 is configured to judge whether the access instruction belongs to an instruction in the file system space according to the instruction address and the address range of the file system space;
and the control module 304 is used for forbidding the access instruction to access the file system when the access instruction does not belong to the instruction in the file system space.
As a possible implementation, the control module 304 is further configured to allow the access instruction to access the file system when the access instruction belongs to an instruction in the file system space.
As a possible implementation, the file system protection apparatus 300 may further include:
the linking module 305 is configured to link, when the process to which the access instruction belongs first accesses the file system, a library code in the file system to a library code space in a file system space in a linked library manner, where the library code space is a fixed virtual space in the file system space, and the library code is software logic for managing the file system.
As a possible implementation, the preset registers include a first register and a second register;
the obtaining module 302 is specifically configured to:
acquiring a starting address of a file system space from a first register;
acquiring an end address of the file system space from the second register;
and obtaining the address range of the file system space according to the starting address of the file system space and the ending address of the file system space.
As a possible implementation manner, the obtaining module 302 is specifically configured to obtain an address range of the file system space according to a start address of the virtual address space of the operating system and an end address of the file system space obtained from a preset register.
In the file system protection apparatus described in fig. 3, after receiving the access instruction including the instruction address, the address range of the file system space is obtained from the preset register, and it is determined whether the access instruction belongs to the instruction in the file system space according to the instruction address and the address range of the file system space, and when the access instruction does not belong to the instruction in the file system space, the access instruction is prohibited from accessing the file system. The file system protection device provided by the embodiment of the invention can prohibit the access instruction from accessing the file system when the access instruction for accessing the file system does not belong to the instruction in the space of the file system, thereby avoiding the wrong operation of the illegal access instruction on the file system and improving the safety of the file system running in the user space.
Referring to fig. 4, fig. 4 is a structural diagram of a storage device according to an embodiment of the disclosure. As shown in fig. 4, the storage device 400 may include:
a memory 401, configured to store a file system and a file, where the memory 401 is an NVM;
the processor 402 is connected to the memory 401 through a memory bus 403, and the processor 402 is configured to:
receiving an access instruction, wherein the access instruction is used for accessing a file system and comprises an instruction address, and the instruction address is a virtual address used for mapping a physical address of the access instruction;
acquiring an address range of a file system space from a preset register, wherein the file system space is a virtual address space of a file system, the file system space belongs to a user space in an operating system virtual address space, and the operating system virtual address space is a continuous address space virtualized according to a physical space of the NVM;
judging whether the access instruction belongs to an instruction in the file system space or not according to the instruction address and the address range of the file system space;
when the access instruction does not belong to an instruction in the file system space, the access instruction is prohibited from accessing the file system.
As a possible implementation, the processor 402 is further configured to:
when the access instruction belongs to an instruction in the file system space, the access instruction is allowed to access the file system.
As a possible implementation, the processor 402 is further configured to:
when the process to which the access instruction belongs accesses the file system for the first time, the library code in the file system is linked to a library code space in a file system space in a manner of linking a library, wherein the library code space is a fixed virtual space in the file system space, and the library code is software logic for managing the file system.
As a possible implementation, the preset registers include a first register and a second register;
the way for the processor 402 to obtain the address range of the file system space from the preset register is specifically as follows:
acquiring a starting address of a file system space from a first register;
acquiring an end address of the file system space from the second register;
and obtaining the address range of the file system space according to the starting address of the file system space and the ending address of the file system space.
As a possible implementation manner, the way for the processor 402 to obtain the address range of the file system space from the preset register is specifically:
and obtaining the address range of the file system space according to the starting address of the virtual address space of the operating system and the ending address of the file system space obtained from the preset register.
In the storage device described in fig. 4, after receiving the access instruction including the instruction address, the address range of the file system space is obtained from the preset register, and it is determined whether the access instruction belongs to the instruction in the file system space according to the instruction address and the address range of the file system space, and when the access instruction does not belong to the instruction in the file system space, the access instruction is prohibited from accessing the file system. According to the storage device provided by the embodiment of the invention, when the access instruction for accessing the file system does not belong to the instruction in the space of the file system, the illegal access instruction can be prohibited from accessing the file system, so that the file system is prevented from being operated wrongly by the illegal access instruction, and the safety of the file system running in the user space is improved.
The embodiment of the invention further discloses a computer storage medium in which a computer program is stored; when the computer program in the computer storage medium is read into a computer, the computer can complete all the steps of the data transmission method disclosed by the embodiment of the invention. The storage medium may include, without limitation: flash disks, Read-Only Memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
It should be noted that, for simplicity of description, the above-mentioned embodiments of the method are described as a series of acts or combinations, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
The file system protection method and device provided by the embodiment of the present invention are described in detail above, and the principle and the embodiment of the present invention are explained in detail herein by applying a specific example, and the description of the above embodiment is only used to help understanding the method and the core idea of the present invention.

Claims (15)

1. A file system protection method is applied to a storage device with a file system in a memory, wherein the memory is a non-volatile memory (NVM), and an operating system virtual address space of the storage device comprises a kernel space and a user space, an instruction of the kernel space operates in a kernel state, an instruction of the user space operates in a user state, the file system operates in the user state, the user space comprises a file system space, the file system space is a virtual address space of the file system, and the operating system virtual address space is a continuous address space virtualized according to a physical space of the NVM, and the method comprises:
receiving an access instruction, wherein the access instruction is used for accessing the file system, and the access instruction contains an instruction address, and the instruction address is a virtual address used for mapping a physical address of the access instruction;
acquiring an address range of a file system space from a preset register;
judging whether the access instruction belongs to an instruction in the file system space or not according to the instruction address and the address range of the file system space;
and when the access instruction does not belong to the instruction in the file system space, forbidding the access instruction to access the file system.
2. The method of claim 1, further comprising:
and when the access instruction belongs to the instruction in the file system space, allowing the access instruction to access the file system.
3. The method according to claim 1 or 2, characterized in that the method further comprises:
when the process to which the access instruction belongs accesses the file system for the first time, linking library codes in the file system to a library code space in the file system space in a library linking mode, wherein the library code space is a fixed virtual space in the file system space, and the library codes are software logic for managing the file system.
4. The method of claim 3, wherein the preset registers comprise a first register and a second register;
the obtaining of the address range of the file system space from the preset register includes:
acquiring a starting address of the file system space from the first register;
acquiring an end address of the file system space from the second register;
and obtaining the address range of the file system space according to the starting address of the file system space and the ending address of the file system space.
5. The method of claim 3, wherein obtaining the address range of the file system space from the preset register comprises:
and obtaining the address range of the file system space according to the starting address of the virtual address space of the operating system and the ending address of the file system space obtained from a preset register.
6. A file system protection device, the device is disposed in a storage device, a file system is disposed in a memory of the storage device, wherein the memory is a non-volatile memory (NVM), and an operating system virtual address space of the storage device includes a kernel space and a user space, an instruction of the kernel space operates in a kernel state, an instruction of the user space operates in a user state, the file system operates in the user state, the user space includes a file system space, the file system space is a virtual address space of the file system, and the operating system virtual address space is a continuous address space virtualized according to a physical space of the NVM, including:
a receiving module, configured to receive an access instruction, where the access instruction is used to access the file system, and the access instruction includes an instruction address, where the instruction address is a virtual address used to map a physical address of the access instruction;
the acquisition module is used for acquiring an address range of a file system space from a preset register;
the judging module is used for judging whether the access instruction belongs to the instruction in the file system space according to the instruction address and the address range of the file system space;
and the control module is used for forbidding the access instruction to access the file system when the access instruction does not belong to the instruction in the file system space.
7. The apparatus of claim 6, wherein the control module is further configured to allow the access instruction to access the file system when the access instruction belongs to an instruction in the file system space.
8. The apparatus of claim 6 or 7, further comprising:
and the link module is used for linking the library code in the file system to a library code space in the file system space in a link library mode when the process to which the access instruction belongs accesses the file system for the first time, wherein the library code space is a fixed virtual space in the file system space, and the library code is software logic for managing the file system.
9. The apparatus of claim 8, wherein the preset registers comprise a first register and a second register;
the acquisition module is specifically configured to:
acquiring a starting address of the file system space from the first register;
acquiring an end address of the file system space from the second register;
and obtaining the address range of the file system space according to the starting address of the file system space and the ending address of the file system space.
10. The apparatus of claim 8, wherein the obtaining module is specifically configured to obtain the address range of the file system space according to a start address of the operating system virtual address space and an end address of the file system space obtained from a preset register.
11. A storage device, comprising:
the memory is used for storing a file system and a file, wherein the memory is a non-volatile memory (NVM), an operating system virtual address space of the storage device comprises a kernel space and a user space, an instruction of the kernel space runs in a kernel mode, an instruction of the user space runs in a user mode, the file system runs in the user mode, the user space comprises a file system space, the file system space is a virtual address space of the file system, and the operating system virtual address space is a continuous address space virtualized according to a physical space of the NVM;
the processor is connected with the memory through a memory bus, and the processor is used for:
receiving an access instruction, wherein the access instruction is used for accessing the file system and comprises an instruction address, and the instruction address is a virtual address used for mapping a physical address of the access instruction;
acquiring an address range of a file system space from a preset register;
judging whether the access instruction belongs to an instruction in the file system space or not according to the instruction address and the address range of the file system space;
and when the access instruction does not belong to the instruction in the file system space, forbidding the access instruction to access the file system.
12. The storage device of claim 11, wherein the processor is further configured to:
and when the access instruction belongs to the instruction in the file system space, allowing the access instruction to access the file system.
13. The storage device of claim 11 or 12, wherein the processor is further configured to:
when the process to which the access instruction belongs accesses the file system for the first time, linking library codes in the file system to a library code space in the file system space in a library linking mode, wherein the library code space is a fixed virtual space in the file system space, and the library codes are software logic for managing the file system.
14. The storage device according to claim 13, wherein the preset registers include a first register and a second register;
the way for the processor to obtain the address range of the file system space from the preset register specifically is as follows:
acquiring a starting address of the file system space from the first register;
acquiring an end address of the file system space from the second register;
and obtaining the address range of the file system space according to the starting address of the file system space and the ending address of the file system space.
15. The storage device according to claim 13, wherein the processor obtains the address range of the file system space from the preset register by:
and obtaining the address range of the file system space according to the starting address of the virtual address space of the operating system and the ending address of the file system space obtained from a preset register.
CN201580001165.3A 2015-07-31 2015-07-31 File system protection method and device and storage equipment Active CN107003950B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2015/085781 WO2017020194A1 (en) 2015-07-31 2015-07-31 File system protection method, device and storage apparatus

Publications (2)

Publication Number Publication Date
CN107003950A CN107003950A (en) 2017-08-01
CN107003950B true CN107003950B (en) 2020-12-01

Family

ID=57942307

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201580001165.3A Active CN107003950B (en) 2015-07-31 2015-07-31 File system protection method and device and storage equipment

Country Status (2)

Country Link
CN (1) CN107003950B (en)
WO (1) WO2017020194A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1581108A (en) * 2003-07-31 2005-02-16 深圳市中兴通讯股份有限公司南京分公司 Internal memory management method with internal memory protection function
CN102541984A (en) * 2011-10-25 2012-07-04 曙光信息产业(北京)有限公司 File system of distributed type file system client side

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1696320A1 (en) * 2005-02-25 2006-08-30 Moxa Technologies Co., Ltd. Electronic device with an embedded linux application system
US20060195693A1 (en) * 2005-02-28 2006-08-31 Intel Corporation Specter rendering
US9069983B1 (en) * 2009-04-29 2015-06-30 Symantec Corporation Method and apparatus for protecting sensitive information from disclosure through virtual machines files
US8819670B2 (en) * 2010-03-31 2014-08-26 Verizon Patent And Licensing Inc. Automated software installation with interview
US8312224B2 (en) * 2010-05-27 2012-11-13 International Business Machines Corporation Recovery in shared memory environment
CN102184143B (en) * 2011-04-25 2013-08-14 深圳市江波龙电子有限公司 Data protection method, device and system for storage device
CN102930205A (en) * 2012-10-10 2013-02-13 北京奇虎科技有限公司 Monitoring unit and method
CN103488588A (en) * 2013-10-09 2014-01-01 中国科学院计算技术研究所 Memory protection method and system and network interface controller

Also Published As

Publication number Publication date
WO2017020194A1 (en) 2017-02-09
CN107003950A (en) 2017-08-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant