CN113138946A - USB data mapping filtering method and device based on embedded Linux - Google Patents


Info

Publication number
CN113138946A
Authority
CN
China
Legal status
Granted
Application number
CN202110426302.5A
Other languages
Chinese (zh)
Other versions
CN113138946B (en)
Inventor
张冬波
Current Assignee
Beijing Unita Information Technology Co ltd
Original Assignee
Beijing Unita Information Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/10 Program control for peripheral devices
    • G06F13/102 Program control for peripheral devices where the programme performs an interfacing function, e.g. device driver
    • G06F13/38 Information transfer, e.g. on bus
    • G06F13/42 Bus transfer protocol, e.g. handshake; Synchronisation
    • G06F13/4282 Bus transfer protocol, e.g. handshake; Synchronisation on a serial bus, e.g. I2C bus, SPI bus
    • G06F2213/00 Indexing scheme relating to interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F2213/0042 Universal serial bus [USB]

Abstract

The invention discloses a USB data mapping and filtering method and device based on an embedded Linux. A simulated composite USB device is arranged in the Linux kernel, and data is forwarded between the CTRL control endpoint and IN/OUT data endpoints of a real USB device and the CTRL control endpoint and IN/OUT data endpoints of the simulated composite USB device. The device can identify, authorize and filter the data of a plurality of USB devices, then simulate a multi-interface simulated composite USB device connected to a host, providing one-to-many access security protection of the USB interface for a target host.

Description

USB data mapping filtering method and device based on embedded Linux
Technical Field
The present invention relates to the field of mapping and data filtering for Universal Serial Bus (USB) devices. In particular, it relates to a USB data mapping and filtering method and device based on embedded Linux.
Background
Over the years, USB interfaces have replaced a variety of serial and parallel ports and become the most common peripheral interface on computers. USB is already the standard communication method for computer peripherals such as mice, keyboards, printers, optical drives, flash disks, mobile hard disks and smart phones; even non-intelligent products such as electric fans, electronic cigarettes and mobile power supplies are charged through the USB interface. At the same time, computers are increasingly damaged by attacks delivered through the USB interface, such as USB bombs and BadUSB firmware attacks.
At present, methods for mapping and protecting the USB interface mainly encapsulate and forward data through a network interface: for example, the USB redirection techniques used in cloud desktop environments, or connecting a USB storage device to a server and having the server share the file system of the storage device with specific client users on the local area network over Ethernet via ftp, samba, nfs and the like.
In the prior art, data must be forwarded through a network, so these methods cannot be applied in an environment without a network.
Furthermore, the location where the USB device is plugged in differs from the location of the user, which makes the USB device inconvenient to use.
Host protection software has only limited control over the USB interface: it can only disable or enable USB flash disks and cannot filter the contents of the files on them. BadUSB attacks simulate keyboard and mouse operation, against which conventional security software and antivirus software cannot work.
Disclosure of Invention
Therefore, the technical problem to be solved by the present invention is to provide a USB data mapping filtering method and apparatus based on embedded Linux, wherein the apparatus can identify, authorize, and filter data for a plurality of USB devices, then simulate a multi-interface simulated composite USB device to be connected to a host, and provide a one-to-many access security protection of a USB interface for a target host.
In order to solve the technical problems, the invention provides the following technical scheme:
a USB data mapping and filtering method based on embedded Linux, characterized in that a simulated composite USB device is arranged in the Linux kernel, and data is forwarded between the CTRL control endpoint and IN/OUT data endpoints of a real USB device and the CTRL control endpoint and IN/OUT data endpoints of the simulated composite USB device.
In the USB data mapping and filtering method based on embedded Linux, after the simulated composite USB device is arranged in the Linux kernel, an associated data structure is created in the Linux kernel; it comprises a first endpoint data structure associated with the CTRL control endpoint and IN/OUT data endpoints of the real USB device, a second endpoint data structure associated with the CTRL control endpoint and IN/OUT data endpoints of the simulated composite USB device, an urb, a USB request linked list and a fifo queue for data forwarding.
The USB data mapping and filtering method based on the embedded Linux specifically comprises the following steps:
1) setting a simulated composite USB device in a Linux kernel;
2) performing data filtering on the network traffic input into the Linux kernel from the IN data endpoint of the real USB device, and forwarding the filtered network traffic to the target host.
In the USB data mapping and filtering method based on embedded Linux, setting the simulated composite USB device in the Linux kernel comprises the following specific steps:
1-1) registering a general usb gadget function, a usb device plugging notification function, a usb gadget plugging state change callback function and a user interface character device with a Linux kernel, and initializing the usb gadget plugging state change callback function;
1-2) creating a usb device proxy and a usb gadget proxy, and setting a filtering function;
1-3) acquiring the state of a USB host physical port, acquiring the configuration, interface and endpoint descriptor of real USB equipment if the real USB equipment is connected, and initializing the data structure of the interface connected with the real USB equipment;
1-4) obtaining the state of a USB Device physical port, if a target host is connected, calculating the number of interfaces which need to be mapped to the target host currently, registering a USB gadget driver to a Linux kernel, traversing the USB interface to be mapped in a bind function, creating a corresponding USB function instance, and adding the instance into the configuration of the gadget Device to realize the simulation of the multi-interface simulation composite USB Device.
In the USB data mapping and filtering method based on embedded Linux, during system operation the event processing thread uniformly processes the events that occur; according to the processed state it then judges whether the composite USB device needs to be remapped, and if so, executes the operation of step 1-4) together with the operation of creating the associated data structure.
Before data filtering is performed on the network traffic output by the IN data endpoint of the real USB device, the USB device proxy thread polls the network traffic forwarded by the simulated composite USB device to the real USB device, and the USB gadget proxy thread polls the network traffic forwarded by the simulated composite USB device to the target host and forwards the network traffic output by the IN data endpoint of the real USB device according to the polling result.
In the USB data mapping and filtering method based on embedded Linux, in the process of forwarding network traffic between the real USB device and the target host through the simulated composite USB device, the polling by the USB gadget proxy thread of the network traffic forwarded by the simulated composite USB device to the target host checks: whether the gadget fifo queue of the CTRL control endpoint of the simulated composite USB device has data, whether the fifo queue of the IN data endpoint of the simulated composite USB device has data, and whether the USB request of the OUT data endpoint of the simulated composite USB device has completed. The polling by the USB device proxy thread of the network traffic forwarded by the simulated composite USB device to the real USB device checks: whether the dev fifo queue of the CTRL control endpoint of the real USB device has data, whether the urb of the IN data endpoint of the real USB device has completed, and whether the fifo queue of the OUT data endpoint of the real USB device has data.
While the USB gadget proxy thread polls the simulated composite USB device on behalf of the target host: if the gadget fifo queue of the CTRL control endpoint of the simulated composite USB device has data, the data buffer is taken out, mounted in a USB request structure and submitted to the gadget simulated device; if the fifo queue of the IN data endpoint of the simulated composite USB device has data, the data buffer is taken out, mounted in a USB request structure and submitted to the gadget simulated device; and if the USB request of the OUT data endpoint of the simulated composite USB device has completed, the data buffer of the USB request is submitted to the IN data endpoint fifo queue and, at the same time, a USB request with an empty data buffer is submitted to the gadget simulated device.
While the USB device proxy thread polls the real USB device on behalf of the simulated composite USB device: if the dev fifo queue of the CTRL control endpoint of the real USB device has data, the data buffer is taken out, mounted in an urb structure and submitted to the corresponding real USB device; if the urb of the IN data endpoint of the real USB device has completed, the urb buffer is submitted to the IN data endpoint fifo queue and, at the same time, an empty data buffer is submitted to the real USB device corresponding to the IN data endpoint; and if the fifo queue of the OUT data endpoint of the real USB device has data, the data buffer is taken out, mounted in an urb structure and submitted to the corresponding real USB device.
In the USB data mapping and filtering method based on embedded Linux, when the USB gadget proxy thread polls the network traffic forwarded by the simulated composite USB device to the target host, the data is taken out of the IN data endpoint fifo queue of the simulated composite USB device and sent to the filtering module, where the filtering function analyzes it according to the custom rules; the processing result is returned, and if the result is "allow", the USB request is submitted to the gadget simulated device.
The device that performs data mapping and filtering by the USB data mapping and filtering method based on embedded Linux comprises an SoC hardware motherboard running an embedded Linux system. The SoC hardware motherboard is in communication connection with a USB host physical port and a USB Device port respectively; the USB host physical port is used for inserting real USB devices, and the USB Device port is used for connecting the target host to be protected.
The device is characterized in that the Linux kernel on the SoC hardware motherboard is provided with:
the control module is used for providing an API (application programming interface) for the outside, controlling the USB host physical port to be powered on/off and configuring an authorization mode of real USB equipment connected to the USB host physical port, wherein the authorization mode comprises forbidden, straight-through and filtering;
the USB HOST physical port module is used for managing USB equipment inserted into the USB HOST physical port;
the USB DEVICE physical port module is used for retrieving real USB equipment authorized and valid on the current DEVICE when the USB DEVICE physical port is connected to the host, acquiring interface information of the real USB equipment, combining and simulating the real USB equipment into multi-interface simulation composite USB equipment, and simulating various functions realized by the composite USB equipment through the multi-interface;
the mapping module is used for acquiring the current system state through the plugging of real USB equipment, the plugging of a host computer connecting line and a user interface control event, calculating the type and the number of interfaces to be mapped to a target host computer, and then constructing multi-interface simulation composite USB equipment according to the information of each interface;
the data forwarding module is used for forwarding data between the control end point and the IN/OUT data end point of the real USB device and the simulated composite USB device through a background thread;
the data filtering module is used for filtering the data forwarded by the data forwarding module according to a user-defined filtering rule strategy: a filtering function is set through the data forwarding module, the endpoint data of the real USB device is filtered according to the rule strategy, and the filtering result is returned to the data forwarding module; if the result is "allow", the data forwarding module forwards the data, otherwise the data is discarded.
The technical scheme of the invention achieves the following beneficial technical effects:
attacks such as USB bombs are physically prevented, and filtering and discrimination of USB communication data are realized in software. The device is convenient to use and plug-and-play, requiring no extra configuration.
Drawings
FIG. 1 is a schematic diagram of the operation of the device for mapping and filtering data according to the present invention, which uses the USB data mapping and filtering method based on embedded Linux;
FIG. 2 is a schematic diagram of an interface mapping between a real USB device and a simulated composite USB device in the device for performing data mapping filtering by using an embedded Linux-based USB data mapping filtering method according to the present invention;
FIG. 3 is a schematic diagram illustrating the forwarding of endpoint data in the device for performing data mapping filtering by using the USB data mapping filtering method based on embedded Linux.
Detailed Description
As shown in FIG. 1, the apparatus for performing data mapping and filtering by the embedded Linux-based USB data mapping and filtering method of the present invention includes an SoC hardware motherboard running an embedded Linux system. The SoC hardware motherboard is in communication connection with 6 USB host physical ports and 1 USB Device physical port respectively; the USB host physical ports are used for plugging in real USB devices, and the USB Device physical port is used for connecting the target host to be protected.
In this embodiment, a control module, a USB HOST physical port module, a USB DEVICE physical port module, a mapping module, a data forwarding module and a data filtering module are disposed in the Linux kernel on the SoC hardware motherboard.
The control module provides an API (application programming interface) to the outside, controls the power on/off of the USB host physical ports and configures the authorization mode of the real USB devices connected to the USB host physical ports; the authorization modes are forbidden, straight-through and filtering.
The USB HOST physical port module manages the real USB devices inserted into the USB HOST physical ports.
The USB DEVICE physical port module, when the USB DEVICE physical port is connected to the host, retrieves the real USB devices that are authorized and valid on the current device, acquires their interface information, combines and simulates them into a multi-interface simulated composite USB device, and simulates the various functions of the composite USB device through these interfaces.
The mapping module acquires the current system state from real USB device plug/unplug events, host cable plug/unplug events and user interface control events, calculates the type and number of interfaces to be mapped to the target host, and then constructs the multi-interface simulated composite USB device from the information of each interface.
The data forwarding module forwards data between the CTRL control endpoint and IN/OUT data endpoints of the real USB device and those of the simulated composite USB device through background threads.
The data filtering module filters the data forwarded by the data forwarding module according to a user-defined filtering rule strategy: a filtering function is set through the data forwarding module, the endpoint data of the real USB device is filtered according to the rule strategy, and the filtering result is returned to the data forwarding module; if the result is "allow", the data forwarding module forwards the data, otherwise the data is discarded. The custom filtering rule strategy is set according to the specific real USB device accessed through the USB host physical port. For example, for a USB wireless network card, data packets can be parsed and filtered by five-tuple information such as IP address, port and protocol, realizing a firewall-like function; for a storage device such as a USB flash disk, its file system can be parsed, the SCSI command in the data packet analyzed, and reads and writes of certain risky files intercepted.
When a real USB device is connected to the target host through the device, data filtering and forwarding are realized by the simulated composite USB device arranged in the Linux kernel, with the following specific steps:
1) setting a simulated composite USB device in the Linux kernel, which comprises the following steps:
1-1) registering a general usb gadget function, a usb device plugging notification function, a usb gadget plugging state change callback function and a user interface character device with a Linux kernel, and initializing the usb gadget plugging state change callback function;
1-2) creating a usb device proxy and a usb gadget proxy, and setting a filtering function; the USB device proxy is a real USB device endpoint data forwarding proxy thread, and the USB gadget proxy is a simulated composite USB device endpoint data forwarding proxy thread;
1-3) acquiring the state of a USB host port, acquiring the configuration, interface and endpoint descriptor of real USB equipment if the real USB equipment is connected, and initializing the data structure of the interface connected with the real USB equipment;
1-4) acquiring the state of the device port; if a target host is connected, calculating the number of interfaces that currently need to be mapped to the target host, registering a USB gadget driver with the Linux kernel, traversing the USB interfaces to be mapped in the bind function, creating a corresponding USB function instance for each, and adding the USB function instances to the configuration of the gadget device to realize the simulation of the multi-interface simulated composite USB device. After the simulated composite USB device is arranged in the Linux kernel, an associated data structure is created in the Linux kernel; it comprises a first endpoint data structure associated with the CTRL control endpoint and IN/OUT data endpoints of the real USB device, a second endpoint data structure associated with the CTRL control endpoint and IN/OUT data endpoints of the simulated composite USB device, an urb, a USB request linked list and a fifo queue for data forwarding;
2) performing data filtering on the network traffic output by the IN data endpoint of the real USB device into the Linux kernel, that is, the network traffic from the real USB device is filtered by the simulated composite USB device in the Linux kernel and the filtered network traffic is forwarded to the target host, as shown in FIG. 2 and FIG. 3. In the process of forwarding network traffic between the real USB device and the target host through the simulated composite USB device, the polling by the USB gadget proxy thread of the network traffic forwarded by the simulated composite USB device to the target host checks: whether the gadget fifo queue of the CTRL control endpoint of the simulated composite USB device has data, whether the fifo queue of the IN data endpoint of the simulated composite USB device has data, and whether the USB request of the OUT data endpoint of the simulated composite USB device has completed. The polling by the USB device proxy thread of the network traffic forwarded by the simulated composite USB device to the real USB device checks: whether the dev fifo queue of the CTRL control endpoint of the real USB device has data, whether the urb of the IN data endpoint of the real USB device has completed, and whether the fifo queue of the OUT data endpoint of the real USB device has data.
While the USB gadget proxy thread polls the network traffic forwarded by the simulated composite USB device to the target host: if the gadget fifo queue of the CTRL control endpoint of the simulated composite USB device has data, the data buffer is taken out, mounted in a USB request structure and submitted to the gadget simulated device; if the fifo queue of the IN data endpoint of the simulated composite USB device has data, the data buffer is taken out, mounted in a USB request structure and submitted to the gadget simulated device; and if the USB request of the OUT data endpoint of the simulated composite USB device has completed, the data buffer of the USB request is submitted to the IN data endpoint fifo queue and, at the same time, a USB request with an empty data buffer is submitted to the gadget simulated device.
While the USB device proxy thread polls the network traffic forwarded by the simulated composite USB device to the real USB device: if the dev fifo queue of the CTRL control endpoint of the real USB device has data, the data buffer is taken out, mounted in an urb structure and submitted to the corresponding real USB device; if the urb of the IN data endpoint of the real USB device has completed, the data buffer is submitted to the IN data endpoint fifo queue and, at the same time, an empty data buffer is submitted to the real USB device corresponding to the IN data endpoint; and if the fifo queue of the OUT data endpoint of the real USB device has data, the data buffer is taken out, mounted in an urb structure and submitted to the corresponding real USB device.
In this embodiment, when the real USB device forwards network traffic to the simulated composite USB device and the urb of the IN data endpoint of the real USB device completes, the urb completion function receives the network traffic of the real USB device, submits it to the IN data endpoint fifo queue and at the same time submits an urb with an empty data buffer to the real USB device corresponding to the IN data endpoint; when the USB request of the OUT data endpoint of the simulated composite USB device completes, the USB request completion function receives the network traffic of the target host, submits it to the IN data endpoint fifo queue and at the same time submits a USB request with an empty data buffer to the gadget simulated device.
For data input to an IN data endpoint of the target host, the urb completion function receives the data from the real USB device and submits it to the fifo queue, while the USB request completion function forwards the data to the target host and releases the data buffer; for data output via an OUT endpoint of the target host, the urb completion function sends the data to the real USB device and releases the data buffer, while the USB request completion function receives the data from the target host and submits it to the fifo queue.
In this embodiment, before the usb device proxy thread and the usb gadget proxy thread start polling, a memory pool is created and a group of data buffers is pre-allocated; when data is then forwarded through a fifo queue, only the pointer address of the data buffer is passed through the fifo queue. In other words, when the forwarding threads (USB device proxy and USB gadget proxy) submit an urb to the IN data endpoint of the real USB device or a USB request to the OUT data endpoint of the simulated composite USB device, a data buffer is requested from the memory pool; when they submit an urb to the OUT data endpoint of the real USB device or a USB request to the IN data endpoint of the simulated composite USB device, the data buffer taken out of the fifo queue is used directly.
When the USB gadget proxy thread polls, after the data is taken out of the IN data endpoint fifo queue of the real USB device, it is sent to the filtering module and analyzed by the filtering function according to the custom rules; the processing result is returned, and if the result is "allow", the USB request is submitted to the gadget simulated device.
During system operation, the event processing thread uniformly processes the events generated while the system runs, then judges according to the processed state whether the simulated composite USB device needs to be remapped, and if so executes the operation of step 1-4). In this embodiment, the creation of the associated data structure is incorporated into step 1-4).
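The forwarding path described in the polling and memory-pool passages above, as an added user-space C model that is not the patent's code: buffers come from a pre-allocated pool, only pointers travel through the per-endpoint fifo, and the proxy thread consults a filter function before a buffer is submitted to the other side. The read-only storage rule, the SCSI WRITE opcodes it checks, the buffer contents and all function names are assumptions constructed for the example; it applies the filter hook on the host-to-device side, where the SCSI command analysis the description mentions would take place.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE   512
#define POOL_SIZE  8
#define FIFO_DEPTH 8

enum verdict { FILTER_ALLOW = 0, FILTER_DROP = 1 };

struct data_buf { uint8_t data[BUF_SIZE]; size_t len; int in_use; };  /* pool entry */

static struct data_buf pool[POOL_SIZE];          /* the pre-allocated memory pool */
static void pool_put(struct data_buf *b) { b->in_use = 0; }

static struct data_buf *pool_get(void)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; pool[i].len = 0; return &pool[i]; }
    return NULL;                                 /* exhausted: retry on the next poll */
}

/* Ring of buffer pointers standing in for the per-endpoint kernel fifo. */
struct fifo { struct data_buf *slot[FIFO_DEPTH]; unsigned head, tail; };

static int fifo_push(struct fifo *f, struct data_buf *b)
{
    if (f->tail - f->head == FIFO_DEPTH) return -1;   /* full */
    f->slot[f->tail++ % FIFO_DEPTH] = b;
    return 0;
}

static struct data_buf *fifo_pop(struct fifo *f)
{
    return f->head == f->tail ? NULL : f->slot[f->head++ % FIFO_DEPTH];
}

/* Filter hook set on the forwarding module: one verdict per buffer. */
typedef enum verdict (*filter_fn)(const struct data_buf *b);

/* USB Mass Storage bulk-only Command Block Wrapper: 31 bytes, "USBC" signature,
 * CDB length in the low 5 bits of byte 14, SCSI CDB (opcode first) from byte 15. */
#define CBW_LEN      31
#define SCSI_READ10  0x28
#define SCSI_WRITE10 0x2A
#define SCSI_WRITE16 0x8A

/* Assumed policy: the attached storage device is read-only towards the host.
 * Non-CBW buffers (data phase) pass; SCSI write commands are dropped. The description
 * discards dropped data; a production filter would also answer the host with a failed
 * CSW so the bulk-only transport does not stall waiting for one. */
static enum verdict storage_read_only_filter(const struct data_buf *b)
{
    if (b->len != CBW_LEN || memcmp(b->data, "USBC", 4) != 0)
        return FILTER_ALLOW;                     /* not a command block */
    uint8_t cb_len = b->data[14] & 0x1F;
    if (cb_len == 0 || cb_len > 16)
        return FILTER_DROP;                      /* malformed CBW: never forward it */
    uint8_t opcode = b->data[15];
    return (opcode == SCSI_WRITE10 || opcode == SCSI_WRITE16) ? FILTER_DROP : FILTER_ALLOW;
}

/* One polling step of a proxy thread: pop a buffer, run the filter, then hand it to
 * the submit side (*out) or return it to the pool. Returns -1 when the fifo is empty. */
static int forward_one(struct fifo *f, filter_fn filter, struct data_buf **out)
{
    struct data_buf *b = fifo_pop(f);
    *out = NULL;
    if (!b) return -1;
    if (!filter || filter(b) == FILTER_ALLOW) { *out = b; return FILTER_ALLOW; }
    pool_put(b);
    return FILTER_DROP;
}

/* Constructed sample CBW for the given SCSI opcode (tag and LBA left zero). */
static struct data_buf *make_cbw(uint8_t opcode)
{
    struct data_buf *b = pool_get();
    if (!b) return NULL;
    memset(b->data, 0, CBW_LEN);
    memcpy(b->data, "USBC", 4);
    b->data[14] = 10;                            /* 10-byte CDB */
    b->data[15] = opcode;
    b->len = CBW_LEN;
    return b;
}

/* Demo: the host issues READ(10), WRITE(10) and a 512-byte data block through the
 * host-to-device fifo; returns how many buffers the filter dropped (1: the WRITE). */
static int run_demo(void)
{
    struct fifo out_fifo = {0};
    struct data_buf *data, *fwd;
    int dropped = 0, rc;

    fifo_push(&out_fifo, make_cbw(SCSI_READ10));
    fifo_push(&out_fifo, make_cbw(SCSI_WRITE10));
    data = pool_get();
    data->len = BUF_SIZE;                        /* data-phase block, not a command */
    fifo_push(&out_fifo, data);
    while ((rc = forward_one(&out_fifo, storage_read_only_filter, &fwd)) != -1) {
        if (rc == FILTER_DROP) dropped++;
        else pool_put(fwd);                      /* "submitted"; completion frees it */
    }
    return dropped;
}
```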
In step 1-1), a usb gadget plug-state change callback function is registered so that the event thread learns of changes in the usb gadget plug state in time. In the prior art, when the usb gadget plug state changes, only the usb_gadget_set_state function in the Linux kernel source code updates the state variable.
The event thread learns of changes in the usb gadget plug state through the usb gadget plug-state change callback function as follows: a custom function pointer trigger_event (i.e. the custom state change callback function) and a wait_queue_head_t pointer event_wq are added to the struct usb_gadget structure and assigned in the bind function registered in the usb_composite_driver. When the kernel calls the usb_gadget_set_state function, it checks that the trigger_event function pointer is not NULL and calls trigger_event(), passing the usb_gadget structure as the parameter; the specific function behind the trigger_event function pointer calls wake_up_interruptible(gadget->event_wq) to notify the event thread.
In the invention, the device is a USB protection device that can identify, authorize and filter the data of a plurality of real USB devices, simulates a multi-interface simulated composite USB device, and uses the simulated composite USB device to safely forward the network traffic sent by the real USB devices to the protected target host, thereby providing one-to-many access security protection of the USB interface for a high-security-level computer.
The data endpoint naming in this embodiment is based on data input (IN) to and data output (OUT) from the target host, and complies with the USB device data endpoint naming specification.
It should be understood that the above examples are only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description; it is neither necessary nor possible to exhaust all embodiments, and obvious variations or modifications remain within the scope of the appended claims.

Claims (10)

1. A USB data mapping and filtering method based on embedded Linux, characterized in that a simulated composite USB device is arranged in the Linux kernel, and data is forwarded between the CTRL control endpoint and IN/OUT data endpoints of a real USB device and the CTRL control endpoint and IN/OUT data endpoints of the simulated composite USB device.
2. The embedded Linux-based USB data mapping and filtering method according to claim 1, wherein after the simulated composite USB device is arranged within the Linux kernel, an associated data structure is created within the Linux kernel that includes a first endpoint data structure associated with the CTRL control endpoint and IN/OUT data endpoints of the real USB device, a second endpoint data structure associated with the CTRL control endpoint and IN/OUT data endpoints of the simulated composite USB device, an urb, a USB request linked list, and fifo queues for data forwarding.
3. The embedded Linux-based USB data mapping and filtering method according to claim 2, characterized by comprising the specific steps of:
1) setting a simulated composite USB device in a Linux kernel;
2) performing data filtering on the network traffic input into the Linux kernel from the IN data endpoint of the real USB device, and forwarding the filtered network traffic to the target host.
4. The embedded Linux-based USB data mapping and filtering method according to claim 3, wherein setting up the simulated composite USB device in the Linux kernel comprises the specific steps of:
1-1) registering a general usb gadget function, a usb device plug/unplug notification function, a usb gadget plug/unplug state change callback function and a user interface character device with the Linux kernel, and initializing the usb gadget plug/unplug state change callback function;
1-2) creating a usb device proxy and a usb gadget proxy, and setting a filtering function;
1-3) acquiring the state of the USB host physical port; if a real USB device is connected, acquiring the configuration, interface and endpoint descriptors of the real USB device and initializing the data structure of each interface connected to the real USB device;
1-4) acquiring the state of the USB Device physical port; if a target host is connected, calculating the number of interfaces that currently need to be mapped to the target host, registering a USB gadget driver with the Linux kernel, traversing the USB interfaces to be mapped in the bind function, creating a corresponding USB function instance for each, and adding the instances to the configuration of the gadget device, thereby realizing the multi-interface simulated composite USB device.
5. The embedded Linux-based USB data mapping and filtering method according to claim 4, wherein, while the system is running, an event processing thread handles all events that occur during system operation uniformly; according to the resulting state it is then determined whether the simulated composite USB device needs to be remapped, and if so, the operations of step 1-4) and the operation of creating the associated data structure are executed.
6. The embedded Linux-based USB data mapping and filtering method according to claim 5, wherein, before data filtering is performed on the network traffic output by the IN data endpoint of the real USB device, the USB device proxy thread polls the network traffic forwarded by the simulated composite USB device to the real USB device, the USB gadget proxy thread polls the network traffic forwarded by the simulated composite USB device to the target host, and the network traffic output by the IN data endpoint of the real USB device is forwarded according to the polling result.
7. The embedded Linux-based USB data mapping and filtering method according to claim 6, wherein, in the process of forwarding network traffic between the real USB device and the target host through the simulated composite USB device, the polling by the USB gadget proxy thread of the network traffic forwarded by the simulated composite USB device to the target host comprises checking whether the CTRL control endpoint gadget fifo queue of the simulated composite USB device has data, whether the IN data endpoint fifo queue of the simulated composite USB device has data, and whether the OUT data endpoint USB request of the simulated composite USB device has completed; the polling by the USB device proxy thread of the network traffic forwarded by the simulated composite USB device to the real USB device comprises checking whether the CTRL control endpoint dev fifo queue of the real USB device has data, whether the IN data endpoint urb of the real USB device has completed, and whether the OUT data endpoint fifo queue of the real USB device has data; in the process in which the target host polls the simulated composite USB device through the USB gadget proxy thread, if the CTRL control endpoint gadget fifo queue of the simulated composite USB device has data, a data buffer is taken out, mounted in a USB request structure and submitted to the gadget simulated device; if the IN data endpoint fifo queue of the simulated composite USB device has data, a data buffer is taken out, mounted in a USB request structure and submitted to the gadget simulated device; and if the OUT data endpoint USB request of the simulated composite USB device has completed, the USB request data buffer is submitted to the IN data endpoint fifo queue and at the same time a USB request with an empty data buffer is submitted to the gadget simulated device; in the process in which the simulated composite USB device polls the real USB device through the USB device proxy thread, if the CTRL control endpoint dev fifo queue of the real USB device has data, a data buffer is taken out, mounted in a urb structure and submitted to the corresponding real USB device; if the IN data endpoint urb of the real USB device has completed, the urb buffer is submitted to the IN data endpoint fifo queue and at the same time an empty data buffer is submitted to the real USB device corresponding to the IN data endpoint; and if the OUT data endpoint fifo queue of the real USB device has data, a data buffer is taken out, mounted in a urb structure and submitted to the corresponding real USB device.
8. The embedded Linux-based USB data mapping and filtering method according to claim 7, wherein, when the USB gadget proxy thread polls the network traffic forwarded by the simulated composite USB device to the target host, data is taken out of the IN data endpoint fifo queue of the simulated composite USB device and sent to the filter module, which analyzes it according to the custom rule using the filter function and returns the processing result; only if the result is "allowed" is the USB request submitted to the gadget simulated device.
9. An apparatus for performing data mapping and filtering using the embedded Linux-based USB data mapping and filtering method according to any one of claims 1 to 8, comprising an SoC hardware motherboard running an embedded Linux system, wherein the SoC hardware motherboard is communicatively connected to a USB host physical port and to a USB Device physical port, the USB host physical port is used for inserting a real USB device, and the USB Device physical port is used for connecting to the protected target host.
10. The apparatus according to claim 9, wherein the Linux kernel on the SoC hardware motherboard comprises:
a control module, which provides an API (application programming interface) to the outside, controls powering the USB host physical port on and off, and configures the authorization mode of the real USB device connected to the USB host physical port, the authorization mode being one of forbidden, pass-through and filtering;
a USB HOST physical port module, which manages the real USB devices inserted into the USB HOST physical port;
a USB DEVICE physical port module, which, when the USB DEVICE physical port is connected to the host, retrieves the real USB devices that are authorized and valid on the current device, acquires their interface information, combines and simulates the real USB devices as a multi-interface simulated composite USB device, and provides the various functions of the composite USB device through those multiple interfaces;
a mapping module, which acquires the current system state from the plugging and unplugging of real USB devices, the plugging and unplugging of the host connection cable and user interface control events, calculates the types and number of interfaces to be mapped to the target host, and then constructs the multi-interface simulated composite USB device from the information of each interface;
a data forwarding module, which forwards data between the CTRL control endpoint and the IN/OUT data endpoints of the real USB device and those of the simulated composite USB device through a background thread;
a data filtering module, which filters the data forwarded by the data forwarding module according to a user-defined filtering rule policy: a filtering function is set through the data forwarding module, the endpoint data of the real USB device is filtered according to the rule policy, and the filtering result is returned to the data forwarding module; if the result is "forwarding allowed", the data forwarding module forwards the data, otherwise the data is discarded.
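As an added illustration of the IN data endpoint path described in claims 7 and 8 and of the data filtering module of claim 10 (this is not the patent's code: the kernel urb, usb_request and fifo objects are replaced by plain user-space structs, the 64-byte packet size is assumed, and the filter rule is a constructed example), the following C model shows how a completed real-device IN buffer enters the endpoint fifo, how the gadget proxy poll runs the filter on it, and how a denied buffer is discarded rather than reaching the target host:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define FIFO_DEPTH 8   /* slots per endpoint fifo queue */
#define BUF_LEN    64  /* assumed max packet size of the mapped IN endpoint */
enum verdict { DROP = 0, ALLOW = 1 };
struct buf { uint8_t data[BUF_LEN]; size_t len; };
/* Ring buffer standing in for the kernel fifo queue of one endpoint. */
struct fifo { struct buf slot[FIFO_DEPTH]; unsigned head, tail; };
static int fifo_push(struct fifo *f, const struct buf *b) {
    if (f->tail - f->head == FIFO_DEPTH) return -1;  /* full: producer keeps the buffer */
    f->slot[f->tail++ % FIFO_DEPTH] = *b;
    return 0;
}
static int fifo_pop(struct fifo *f, struct buf *out) {
    if (f->tail == f->head) return -1;               /* empty: nothing to forward */
    *out = f->slot[f->head++ % FIFO_DEPTH];
    return 0;
}
/* One mapped IN data endpoint: its fifo, the filter function installed in step 1-2),
 * and counters a defender would export to audit how much traffic was discarded. */
struct in_endpoint_map { struct fifo in_fifo; enum verdict (*filter)(const struct buf *); unsigned forwarded, dropped; };
/* Assumed example rule (not from the patent): reject empty transfers and any payload
 * carrying the constructed marker "EVIL"; everything else is allowed. */
enum verdict example_rule(const struct buf *b) {
    if (b->len == 0) return DROP;
    for (size_t i = 0; i + 4 <= b->len; i++)
        if (memcmp(b->data + i, "EVIL", 4) == 0) return DROP;
    return ALLOW;
}
/* Completion of the real device's IN urb (claim 7): queue the urb buffer into the IN
 * fifo. An oversized transfer is refused rather than silently truncated. */
int dev_in_urb_complete(struct in_endpoint_map *m, const uint8_t *p, size_t n) {
    struct buf b = { .len = n };
    if (n > BUF_LEN) return -1;
    memcpy(b.data, p, n);
    return fifo_push(&m->in_fifo, &b);
}
/* Gadget proxy poll of the IN fifo (claim 8): pop one buffer, run the filter, and copy
 * it into the gadget USB request only on ALLOW. Returns 1 if a request is ready for
 * the gadget, 0 if the buffer was discarded, -1 if the fifo was empty. */
int gadget_proxy_poll_in(struct in_endpoint_map *m, struct buf *req) {
    struct buf b;
    if (fifo_pop(&m->in_fifo, &b) < 0) return -1;
    if (m->filter(&b) != ALLOW) { m->dropped++; return 0; }
    *req = b;
    m->forwarded++;
    return 1;
}
```

In the real kernel implementation the fifo would be refilled by resubmitting an empty urb to the real device after each completion, as claim 7 states; the model above only covers the filter decision on the buffers already completed.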
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110426302.5A CN113138946B (en) 2021-04-20 2021-04-20 USB data mapping filtering method and device based on embedded Linux

Publications (2)

Publication Number Publication Date
CN113138946A true CN113138946A (en) 2021-07-20
CN113138946B CN113138946B (en) 2022-06-03

Family

ID=76812823

Country Status (1)

Country Link
CN (1) CN113138946B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant