CN113609538B - Access control method, device and equipment for mobile storage medium and storage medium - Google Patents

Access control method, device and equipment for mobile storage medium and storage medium Download PDF

Info

Publication number
CN113609538B
CN113609538B CN202110781963.XA CN202110781963A CN113609538B CN 113609538 B CN113609538 B CN 113609538B CN 202110781963 A CN202110781963 A CN 202110781963A CN 113609538 B CN113609538 B CN 113609538B
Authority
CN
China
Prior art keywords
storage medium
file
mobile storage
identification information
virtual disk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110781963.XA
Other languages
Chinese (zh)
Other versions
CN113609538A (en
Inventor
余斯航
陈桂耀
刘凡
唐志军
陈锦山
林文彬
李兆祥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujian Digital Rongan Technology Co ltd
Shenzhen Rongan Networks Technology Co ltd
Electric Power Research Institute of State Grid Fujian Electric Power Co Ltd
Original Assignee
Fujian Digital Rongan Technology Co ltd
Shenzhen Rongan Networks Technology Co ltd
Electric Power Research Institute of State Grid Fujian Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fujian Digital Rongan Technology Co ltd, Shenzhen Rongan Networks Technology Co ltd, Electric Power Research Institute of State Grid Fujian Electric Power Co Ltd filed Critical Fujian Digital Rongan Technology Co ltd
Priority to CN202110781963.XA priority Critical patent/CN113609538B/en
Publication of CN113609538A publication Critical patent/CN113609538A/en
Application granted granted Critical
Publication of CN113609538B publication Critical patent/CN113609538B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0602Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/062Securing storage systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0628Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0662Virtualisation aspects
    • G06F3/0664Virtualisation aspects at device level, e.g. emulation of a storage device or system
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0668Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/0671In-line storage system
    • G06F3/0673Single storage device
    • G06F3/0679Non-volatile semiconductor memory device, e.g. flash memory, one time programmable memory [OTP]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses an access control method, device and equipment for a mobile storage medium and the storage medium. When receiving a signal that a mobile storage medium is accessed to the first computer equipment, mounting the virtual disk to an operating system of the first computer equipment so as to enable the virtual disk and the mobile storage medium to establish a mapping relation; when a request of accessing the virtual disk by a target application is received, accessing the mobile storage medium based on the mapping relation to acquire target identification information of a file in the mobile storage medium; judging whether a file corresponding to the target identification information is a blacklist file or not based on the target identification information; if not, acquiring an original file corresponding to the target identification information; and transmitting the original file to the target application. The invention adopts the virtual disk based on NBD to simulate the mobile storage medium of the access equipment, prevents the equipment from accessing the blacklist file therein, and improves the access safety.

Description

Access control method, device and equipment for mobile storage medium and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, an apparatus, a device, and a storage medium for controlling access to a mobile storage medium.
Background
In the field of security industry, a host computer is often isolated from an external network, and in order to transfer files, a mobile storage medium typified by a usb disk is generally used for file transfer. The types of files in the USB flash disk are many, and for files containing sensitive information in the USB flash disk, a mode of encrypting the USB flash disk files or modifying a system drive is generally adopted to prevent the host from accessing, however, encrypting the USB flash disk files can modify file contents, and once a password is forgotten or software is in error, the original USB flash disk files are difficult to recover; modifying the system driver requires modifying the host system driver or invoking a system underlying interface, which increases the security risk of the system.
As is clear from this, the conventional access to the removable storage medium file has a problem of low security.
Disclosure of Invention
The invention mainly aims to provide a method, a device, equipment and a storage medium for controlling access of a mobile storage medium, and aims to solve the technical problem of low access security to a mobile storage medium file in the prior art.
According to a first aspect of the present invention, there is provided an access control method for a mobile storage medium, for a first computer device, in which a virtual disk based on a network block device NBD is provided;
the method comprises the following steps:
when receiving a signal that a mobile storage medium is accessed to the first computer equipment, mounting the virtual disk to an operating system of the first computer equipment so as to enable the virtual disk and the mobile storage medium to establish a mapping relation;
when a request of accessing the virtual disk by a target application is received, accessing the mobile storage medium based on the mapping relation to acquire target identification information of a file in the mobile storage medium;
judging whether a file corresponding to the target identification information is a blacklist file or not based on the target identification information;
if not, acquiring an original file corresponding to the target identification information;
and transmitting the original file to the target application.
Optionally, a second computer device is connected to the first computer device; the step of accessing the mobile storage medium based on the mapping relation to obtain the target identification information in the mobile storage medium when the request of the target application for accessing the virtual disk is received comprises the following steps:
When a request of accessing the virtual disk by a target application in the second computer equipment is received, accessing the mobile storage medium based on the mapping relation to acquire target identification information in the mobile storage medium;
the step of transmitting the original file to the target application includes:
and transmitting the original file to a target application in the second computer device.
Optionally, after the step of determining, based on the target identification information, whether the file corresponding to the target identification information is a blacklist file, the method further includes:
if yes, useless data are transmitted to the target application.
Optionally, a blacklist is set in the first computer device, and the blacklist includes identification information of blacklist files;
the step of judging whether the file corresponding to the target identification information is a blacklist file based on the target identification information specifically comprises the following steps:
and judging whether the target identification information is in the blacklist or not based on the target identification information so as to judge whether the file corresponding to the target identification information is the blacklist file or not.
Optionally, the blacklist file includes: files containing sensitive information and/or files infected with viruses.
Optionally, the identification information includes: at least one of a file suffix name, a file name, file location information, and a file size.
Optionally, a USB interface is provided in the first computer device;
the step of mounting the virtual disk to an operating system of the first computer device when receiving a signal that the mobile storage medium is accessed to the first computer device, so that a mapping relationship between the virtual disk and the mobile storage medium is established, includes:
and when receiving a signal of the mobile storage medium accessing the USB interface, mounting the virtual disk to an operating system of the first computer device so as to enable the virtual disk and the mobile storage medium to establish a mapping relation.
According to a second aspect of the present invention, there is provided an access control apparatus for a mobile storage medium for a first computer device having a virtual disk based on a network block device NBD provided therein;
the device comprises:
the mounting module is used for mounting the virtual disk to an operating system of the first computer equipment when receiving a signal that the mobile storage medium is accessed to the first computer equipment, so that a mapping relation is established between the virtual disk and the mobile storage medium;
The first acquisition module is used for accessing the mobile storage medium based on the mapping relation when receiving a request of a target application for accessing the virtual disk so as to acquire target identification information of a file in the mobile storage medium;
the judging module is used for judging whether the file corresponding to the target identification information is a blacklist file or not based on the target identification information;
the second acquisition module is used for acquiring an original file corresponding to the target identification information if not;
and the transmission module is used for transmitting the original file to the target application.
According to a third aspect of the present invention, there is provided an access control device for a removable storage medium, comprising: an access control method program for an NBD based virtual disk, a USB interface, a memory, a processor and a removable storage medium stored in said memory and executable on said processor, said access control method program for a removable storage medium realizing the steps as described in any one of the possible implementations of the first aspect when executed by said processor.
According to a fourth aspect of the present invention there is provided a storage medium having stored thereon an access control method program for a mobile storage medium, which when executed by a processor implements the steps described in any one of the possible implementations of the first aspect.
According to the access control method, the device, the equipment and the storage medium of the mobile storage medium, when a signal of the mobile storage medium accessing the first computer equipment is received, the virtual disk is mounted to an operating system of the first computer equipment, so that a mapping relation is established between the virtual disk and the mobile storage medium; when a request of accessing the virtual disk by a target application is received, accessing the mobile storage medium based on the mapping relation to acquire target identification information of a file in the mobile storage medium; judging whether a file corresponding to the target identification information is a blacklist file or not based on the target identification information; if not, acquiring an original file corresponding to the target identification information; and transmitting the original file to the target application. The mobile storage medium accessed to the computer equipment is simulated by adopting the virtual disk based on NBD, whether the file in the mobile storage medium is a blacklist file is judged, if not, the original file is transmitted to the target application, so that the computer equipment can be prevented from accessing the blacklist file in the mobile storage medium without modifying the original file in the mobile storage medium or a system driver in the target application, the access limit to the mobile storage medium is formed, and the access security of the mobile storage medium is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an embodiment of a method for controlling access to a removable storage medium according to the present invention;
FIG. 2 is a detailed flowchart illustrating the step S200 in FIG. 1;
FIG. 3 is a detailed flowchart illustrating the step S500 in FIG. 1;
FIG. 4 is a detailed flowchart illustrating the step of S300 in FIG. 1;
FIG. 5 is a flowchart illustrating the steps following S300 in FIG. 1;
FIG. 6 is a detailed flow chart of the step S100 in FIG. 1;
FIG. 7 is a functional block diagram of an access control device for a removable storage medium according to an embodiment of the present invention;
fig. 8 is a schematic hardware architecture of an access control device for a mobile storage medium according to an embodiment of the present invention.
The achievement of the objects, functional features and advantages of the present invention will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
The main solutions of the embodiments of the present invention are: when receiving a signal that a mobile storage medium is accessed to the first computer equipment, mounting the virtual disk to an operating system of the first computer equipment so as to enable the virtual disk and the mobile storage medium to establish a mapping relation; when a request of accessing the virtual disk by a target application is received, accessing the mobile storage medium based on the mapping relation to acquire target identification information of a file in the mobile storage medium; judging whether a file corresponding to the target identification information is a blacklist file or not based on the target identification information; if not, acquiring an original file corresponding to the target identification information; and transmitting the original file to the target application.
The access to the mobile storage medium file in the prior art has the problem of low security.
The invention provides a solution, by adopting a virtual disk based on NBD to simulate a mobile storage medium accessed to computer equipment, judging whether the file in the mobile storage medium is a blacklist file, if not, transmitting the original file to a target application, so that the computer equipment can be prevented from accessing the blacklist file in the mobile storage medium without modifying the original file in the mobile storage medium or a system driver in the target application, access restriction on the mobile storage medium is formed, and the access security of the mobile storage medium is improved
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms "first" and "second" in the description and claims of embodiments of the invention are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order, and it should be understood that such data may be interchanged in appropriate circumstances such that the embodiments described herein may be practiced in other than those illustrated or described.
Referring to fig. 1, one embodiment of the present invention provides an access control method for a removable storage medium, for a first computer device having a virtual disk based on a network block device NBD disposed therein;
the method comprises the following steps:
step S100, when receiving a signal that a mobile storage medium is accessed to the first computer equipment, mounting the virtual disk to an operating system of the first computer equipment so as to enable the virtual disk and the mobile storage medium to establish a mapping relation;
The main execution body of the method of the present embodiment is a first computer device, which is equipped with a Linux system and is provided with a virtual disk based on NBD (Network Block Device ). In Linux, NBD is a device node whose content is provided by a remote machine, and is typically used to access storage devices that are not physically on the local machine but on the remote machine. In this embodiment, the NBD provides a block device that can emulate a disk space that can be accessed by a system application or a remote computer device.
It is understood that the virtual disk in this embodiment is a disk space simulated by NBD, and the removable storage medium is a convenient medium for information exchange, including a usb disk, a removable hard disk, a floppy disk, an optical disk, a memory card, and the like.
In a specific implementation, the mobile storage medium can be accessed to the first computer device through a USB interface, and when an access signal of the mobile storage medium is received, the virtual disk based on NBD is mounted to an operating system of the first computer device. Wherein, the mount is a process by which the operating system makes computer files and directories on a storage device accessible to users via the computer's file system. In this embodiment, the virtual disk may be accessed through a file system of the first computer device.
It should be appreciated that the purpose of mounting a virtual disk to the operating system of a first computer device is two, firstly to allow the virtual disk to emulate access to a removable storage medium of the computer device and secondly to allow applications in the first computer device to access the removable storage medium through the virtual disk. In this embodiment, the virtual disk realizes the simulation of the mobile storage medium accessed to the computer device by establishing a mapping relationship with the mobile storage medium, when an application in the first computer device accesses the virtual disk, the application can access the mobile storage medium, and process the obtained target identification information in the mobile storage medium, so that the application in the first computer device can only obtain authorized files, i.e. only obtain files not on the blacklist, thereby achieving the effect of preventing the computer device from accessing the blacklist files in the mobile storage medium.
Step S200, when a request of accessing the virtual disk by a target application is received, accessing the mobile storage medium based on the mapping relation to acquire target identification information of a file in the mobile storage medium;
it should be noted that, the target identification information in this embodiment is identification information read by the first computer device from the mobile storage medium through the virtual disk, where the identification information is used to identify the file. In a specific implementation, the identification information of the file includes: at least one of a file suffix name, a file name, file location information, and a file size.
In a specific implementation, when an access request for accessing a virtual disk sent by a target application in a first computer device is received, accessing a mobile storage medium based on a mapping relation, processing the obtained target identification information, and finally returning the file obtained after processing through the virtual disk, so that the target application can only obtain authorized files, namely can only obtain files which are not on a blacklist, thereby achieving the effect of preventing the computer device from accessing the blacklist files in the mobile storage medium.
As an embodiment of the present invention, referring to fig. 2, fig. 2 is a detailed implementation step of step S200 in fig. 1, where the first computer device is connected to a second computer device; the step of accessing the mobile storage medium based on the mapping relation to obtain the target identification information in the mobile storage medium when the request of the target application for accessing the virtual disk is received comprises the following steps:
step S202, when a request of accessing the virtual disk by a target application in the second computer equipment is received, accessing the mobile storage medium based on the mapping relation to acquire target identification information in the mobile storage medium;
It should be noted that the first computer device is connected with a second computer device, where the target application in the second computer device may access the mobile storage medium of the first computer device through the mounted virtual disk, and the second computer device is mounted with a Linux system or a Windows system.
In a specific implementation, a target application in the second computer equipment sends an access request for accessing the virtual disk, the first computer equipment accesses the mobile storage medium when receiving the request, processes the obtained target identification information, and finally returns the processed file through the virtual disk, so that the target application in the second computer equipment can only obtain the authorized file, namely can only obtain the file which is not on the blacklist, and the effect of preventing the computer equipment from accessing the blacklist file in the mobile storage medium is achieved.
Step S300, based on the target identification information, judging whether a file corresponding to the target identification information is a blacklist file or not;
it should be noted that, the target identification information in this embodiment is used to identify the file. In a specific implementation, the identification information of the file includes: at least one of a file suffix name, a file name, file location information, and a file size.
It should be understood that the blacklist file in this embodiment includes: files containing sensitive information and/or files infected with viruses.
In a specific implementation, based on the target identification information, whether a file corresponding to the target identification information is a blacklist file is judged. And transmitting useless data to the target application when the judging result is the blacklist file, and directly transmitting the obtained original file to the target application without any processing on the judging result which does not belong to the blacklist file.
As an embodiment of the present invention, referring to fig. 4, fig. 4 is a detailed implementation step of step S300 in fig. 1, where a blacklist is provided in the first computer device, where the blacklist includes identification information of a blacklist file;
the step of judging whether the file corresponding to the target identification information is a blacklist file based on the target identification information specifically comprises the following steps:
Step S302, based on the target identification information, judging whether the target identification information is in the blacklist or not so as to judge whether a file corresponding to the target identification information is a blacklist file or not;
it should be noted that, the blacklist includes identification information of the blacklist file, where the identification information is preset and stored in the blacklist, and the content can be modified by the configuration file. The identification information and the target identification information have a corresponding relation, and whether the file corresponding to the target identification information is a blacklist file can be judged by comparing the identification information with the target identification information.
The file corresponding to the target identification information is the target file, the process of judging whether the target identification information is in the blacklist is to judge whether the target identification information corresponds to the identification information of the blacklist file in the blacklist, if so, the target file is determined to be the blacklist file, and if not, the target file is determined not to belong to the blacklist file.
In specific implementations, there are various ways to determine whether the target identifier information is in the blacklist, and several implementations are given below, but the method is not limited to the following examples:
In the first mode, the identification information of the file is the location information of the file, the target identification information is the target directory information of the target file, the identification information of the blacklist file included in the blacklist is the directory information of the blacklist file, whether the target directory information corresponds to the directory information of the blacklist file is judged, if so, the target file is determined to be the blacklist file, and if not, the target file is determined to not belong to the blacklist file.
In the second mode, the identification information of the file is the file name of the file, the target identification information is the target name of the target file, the identification information of the blacklist file included in the blacklist is the name of the blacklist file, whether the target name corresponds to the name of the blacklist file is judged, if so, the target file is determined to be the blacklist file, and if not, the target file is determined to not belong to the blacklist file.
As an embodiment of the present invention, referring to fig. 5, fig. 5 is an implementation step after step S300 in fig. 1, and after the step of determining, based on the target identification information, whether the file corresponding to the target identification information is a blacklist file, the method further includes:
Step S310, if yes, useless data are transmitted to the target application;
it will be appreciated that when the target file is determined to be a blacklist file, it is known that the target file is a file that prevents the target application from accessing its content in this embodiment, so in this embodiment, it is not necessary to acquire the content of the target file identified as the blacklist file, but rather, useless data is transmitted to the target application, so that when the target application opens the blacklist file, the target application cannot view the content thereof. Specifically, if the blacklist file is directly opened in the target application, the blacklist file presents blank content; if the blacklist file is opened by adopting a 16-system file viewing tool, the content of the blacklist file is presented as useless data.
It should be understood that the foregoing steps enable the directory and the file name of the file in the mobile storage medium to be displayed on the target application by accessing the mobile storage medium to obtain the target identification information of the file in the mobile storage medium, and when the user opens a file, that is, determines the type of the file according to the target identification information of the file, and transmits the original file content or the useless data to the target application according to the determination result of the file type.
In particular implementations, there are various ways to prevent the target application from accessing the blacklist file in addition to transmitting the garbage data to the target application, and several implementations are given below, but are not limited to the following examples:
in a first way, a blacklist file may be set to be non-clickable on the target application. When the file clicked by the user is a blacklist file, reporting errors. That is, the blacklist file cannot be accessed by the target application.
In the second mode, when the target identification information of the file is acquired by accessing the mobile storage medium, that is, the file type is determined by the target identification information, and if the file is determined to be a blacklisted file, the file directory and the file name thereof are not displayed on the target application. That is, the blacklist file cannot be accessed by the target application.
It can be understood that, by processing the blacklist file, the content of the blacklist file cannot be read in the target application, that is, the method of this embodiment prevents the target application from reading the blacklist file.
Step S400, if not, acquiring an original file corresponding to the target identification information;
the file corresponding to the target identification information is a target file, and in this embodiment, the target file is an original file in the mobile storage medium.
It can be understood that when it is determined that the target identification information is not in the blacklist, it is known that the target file does not belong to the file that prevents the target application from accessing the content thereof in this embodiment, so in this embodiment, the original file is obtained, and no processing is performed on the original file, and the original file is directly transmitted to the target application through the virtual disk.
Step S500, transmitting the original file to the target application;
in this embodiment, the original file is transferred to the target application through the virtual disk.
As an embodiment of the present invention, referring to fig. 3, fig. 3 is a detailed implementation step of step S500 in fig. 1, where the first computer device is connected to a second computer device; the step of transmitting the original file to the target application includes:
step S502, transmitting the original file to a target application in the second computer device.
It should be noted that the first computer device is connected with a second computer device, where the target application in the second computer device may access the mobile storage medium of the first computer device through the mounted virtual disk, and the second computer device is mounted with a Linux system or a Windows system.
It can be understood that when it is determined that the target file is not a blacklist file, it means that the target file does not belong to a file that prevents the target application from accessing the content of the target file in this embodiment, so that no processing is performed on the target file, and the target file is directly transmitted to the second computer device through the virtual disk, so that the target application in the second computer device obtains the original target file. In this embodiment, only the judgment operation is performed on the file, which does not destroy the content of the file.
As an embodiment of the present invention, referring to fig. 6, fig. 6 is a detailed implementation step of step S100 in fig. 1, where a USB interface is disposed in the first computer device;
the step of mounting the virtual disk to an operating system of the first computer device when receiving a signal that the mobile storage medium is accessed to the first computer device, so that a mapping relationship between the virtual disk and the mobile storage medium is established, includes:
step S102, when receiving a signal that a mobile storage medium accesses the USB interface, the virtual disk is mounted to an operating system of the first computer device, so that a mapping relationship is established between the virtual disk and the mobile storage medium.
USB, universal serial bus (Universal Serial Bus), is a serial bus standard, and is also a technical specification of an input/output interface, and is widely applied to information communication products such as computer equipment. The USB interface is identical at the end where the computer device is connected, but a different interface type is typically used when the device end is connected. The types of USB interfaces include: b-5Pin, micro USB, type-C, etc.
In the above technical solution, the mobile storage medium is connected to the computer device through the USB interface.
In particular implementations, other serial or parallel interfaces suitable for use with the present invention may be employed in addition to a USB interface for accessing a computer device.
Through the above embodiment, when receiving a signal that a mobile storage medium accesses the first computer device, the virtual disk is mounted to an operating system of the first computer device, so that a mapping relationship is established between the virtual disk and the mobile storage medium; when a request of accessing the virtual disk by a target application is received, accessing the mobile storage medium based on the mapping relation to acquire target identification information of a file in the mobile storage medium; judging whether a file corresponding to the target identification information is a blacklist file or not based on the target identification information; if not, acquiring an original file corresponding to the target identification information; and transmitting the original file to the target application. The mobile storage medium accessed to the computer equipment is simulated by adopting the virtual disk based on NBD, whether the file in the mobile storage medium is a blacklist file is judged, if not, the original file is transmitted to the target application, so that the computer equipment can be prevented from accessing the blacklist file in the mobile storage medium without modifying the original file in the mobile storage medium or a system driver in the target application, the access limit to the mobile storage medium is formed, and the access security of the mobile storage medium is improved.
Based on the same inventive concept, the embodiment of the invention also provides an apparatus for access control of a mobile storage medium, which is used for a first computer device, wherein a virtual disk based on a network block device NBD is arranged in the first computer device. Referring to fig. 1, fig. 1 is a flowchart illustrating an embodiment of a method for controlling access to a removable storage medium according to the present invention, where the method for controlling access to a removable storage medium according to the embodiment of the present invention may be executed by an access control device for a removable storage medium, and the access control device for a removable storage medium may be provided on an access control device for a removable storage medium or may be provided separately.
The access control device of the mobile storage medium is realized in a hardware and/or software mode, and when a signal of the mobile storage medium accessing the first computer equipment is received, a virtual disk is mounted to an operating system of the first computer equipment; when a request of a target application for accessing the virtual disk is received, accessing the mobile storage medium to acquire storage data in the mobile storage medium; judging whether the target file in the stored data is a blacklist file or not; if not, transmitting the target file to the target application.
If the access control means of the removable storage medium is implemented in software, it may be an access control method program of the removable storage medium built in the access control device of the removable storage medium. The access control method program of the mobile storage medium on the access control equipment of the mobile storage medium is used for completing the operations of mounting the virtual disk, accessing the mobile storage medium by using the virtual disk, acquiring storage data, processing the storage data and transmitting files to a target application.
Referring to fig. 7, the access control device of the removable storage medium includes the following program modules:
the mounting module 100 is configured to mount the virtual disk to an operating system of the first computer device when receiving a signal that the mobile storage medium accesses the first computer device, so that a mapping relationship is established between the virtual disk and the mobile storage medium;
the main execution body of the method of the present embodiment is a first computer device, which is equipped with a Linux system and is provided with a virtual disk based on NBD (Network Block Device ). In Linux, NBD is a device node whose content is provided by a remote machine, and is typically used to access storage devices that are not physically on the local machine but on the remote machine. In this embodiment, the NBD provides a block device that can emulate a disk space that can be accessed by a system application or a remote computer device.
It is understood that the virtual disk in this embodiment is a disk space simulated by NBD, and the removable storage medium is a convenient medium for information exchange, including a usb disk, a removable hard disk, a floppy disk, an optical disk, a memory card, and the like.
In a specific implementation, the mobile storage medium may be accessed to the first computer device through a USB interface, and when receiving an access signal of the mobile storage medium, the mounting module 100 mounts the virtual disk based on NBD to an operating system of the first computer device. Wherein, the mount is a process by which the operating system makes computer files and directories on a storage device accessible to users via the computer's file system. In this embodiment, the virtual disk may be accessed through a file system of the first computer device.
It should be appreciated that the purpose of the mounting module 100 to mount a virtual disk to the operating system of the first computer device is two, namely to allow the virtual disk to emulate an access to a removable storage medium of the computer device and two, to allow an application in the first computer device to access the removable storage medium through the virtual disk. In this embodiment, the virtual disk realizes the simulation of the mobile storage medium accessed to the computer device by establishing a mapping relationship with the mobile storage medium, when an application in the first computer device accesses the virtual disk, the application can access the mobile storage medium, and process the obtained target identification information in the mobile storage medium, so that the application in the first computer device can only obtain authorized files, i.e. only obtain files not on the blacklist, thereby achieving the effect of preventing the computer device from accessing the blacklist files in the mobile storage medium.
The first obtaining module 200 is configured to access the mobile storage medium based on the mapping relationship when receiving a request of the target application to access the virtual disk, so as to obtain target identification information of a file in the mobile storage medium;
it should be noted that, the target identification information in this embodiment is identification information read by the first computer device from the mobile storage medium through the virtual disk, where the identification information is used to identify the file. In a specific implementation, the identification information of the file includes: at least one of a file suffix name, a file name, file location information, and a file size.
In a specific implementation, when an access request for accessing a virtual disk sent by a target application in a first computer device is received, accessing a mobile storage medium based on a mapping relation, processing the obtained target identification information, and finally returning the file obtained after processing through the virtual disk, so that the target application can only obtain authorized files, namely can only obtain files which are not on a blacklist, thereby achieving the effect of preventing the computer device from accessing the blacklist files in the mobile storage medium.
Optionally, the first computer device is connected with a second computer device, wherein a target application in the second computer device can access a mobile storage medium of the first computer device through a mounted virtual disk, and the second computer device is provided with a Linux system or a Windows system.
In a specific implementation, a target application in the second computer device sends an access request for accessing the virtual disk, when the first computer device receives the request, the first computer device accesses the mobile storage medium, processes the target identification information acquired by the first acquisition module 200, and finally returns the file obtained after the processing through the virtual disk, so that the target application in the second computer device can only acquire the authorized file, namely, only acquire the file which is not on the blacklist, thereby achieving the effect of preventing the computer device from accessing the blacklist file in the mobile storage medium.
The judging module 300 is configured to judge, based on the target identification information, whether a file corresponding to the target identification information is a blacklist file;
it should be noted that, the target identification information in this embodiment is used to identify the file. In a specific implementation, the identification information of the file includes: at least one of a file suffix name, a file name, file location information, and a file size.
It should be understood that the blacklist file in this embodiment includes: files containing sensitive information and/or files infected with viruses.
In a specific implementation, based on the target identification information, the determining module 300 determines whether the file corresponding to the target identification information is a blacklist file. And transmitting useless data to the target application when the judging result is the blacklist file, and directly transmitting the obtained original file to the target application without any processing on the judging result which does not belong to the blacklist file.
Further, the blacklist includes identification information of the blacklist file, the identification information is preset content stored in the blacklist, and the blacklist file can be modified through the configuration file. The identification information and the target identification information have a corresponding relation, and whether the file corresponding to the target identification information is a blacklist file can be judged by comparing the identification information with the target identification information.
The file corresponding to the target identification information is the target file, the process of judging whether the target identification information is in the blacklist is to judge whether the target identification information corresponds to the identification information of the blacklist file in the blacklist, if so, the target file is determined to be the blacklist file, and if not, the target file is determined not to belong to the blacklist file.
In specific implementations, there are various ways to determine whether the target identifier is in the blacklist by the determining module 300, and several implementations are given below, but the method is not limited to the following examples:
in the first mode, the identification information of the file is the location information of the file, the target identification information is the target directory information of the target file, the identification information of the blacklist file included in the blacklist is the directory information of the blacklist file, whether the target directory information corresponds to the directory information of the blacklist file is judged, if so, the target file is determined to be the blacklist file, and if not, the target file is determined to not belong to the blacklist file.
In the second mode, the identification information of the file is the file name of the file, the target identification information is the target name of the target file, the identification information of the blacklist file included in the blacklist is the name of the blacklist file, whether the target name corresponds to the name of the blacklist file is judged, if so, the target file is determined to be the blacklist file, and if not, the target file is determined to not belong to the blacklist file.
It will be appreciated that when the target file is determined to be a blacklist file, it is known that the target file is a file that prevents the target application from accessing its content in this embodiment, so in this embodiment, it is not necessary to acquire the content of the target file identified as the blacklist file, but rather, useless data is transmitted to the target application, so that when the target application opens the blacklist file, the target application cannot view the content thereof. Specifically, if the blacklist file is directly opened in the target application, the blacklist file presents blank content; if the blacklist file is opened by adopting a 16-system file viewing tool, the content of the blacklist file is presented as useless data.
It should be understood that the foregoing steps enable the directory and the file name of the file in the mobile storage medium to be displayed on the target application by accessing the mobile storage medium to obtain the target identification information of the file in the mobile storage medium, and when the user opens a file, that is, determines the type of the file according to the target identification information of the file, and transmits the original file content or the useless data to the target application according to the determination result of the file type.
In particular implementations, there are various ways to prevent the target application from accessing the blacklist file in addition to transmitting the garbage data to the target application, and several implementations are given below, but are not limited to the following examples:
in a first way, a blacklist file may be set to be non-clickable on the target application. When the file clicked by the user is a blacklist file, reporting errors. That is, the blacklist file cannot be accessed by the target application.
In the second mode, when the target identification information of the file is acquired by accessing the mobile storage medium, that is, the file type is determined by the target identification information, and if the file is determined to be a blacklisted file, the file directory and the file name thereof are not displayed on the target application. That is, the blacklist file cannot be accessed by the target application.
It can be appreciated that, by processing the blacklist file, the content of the blacklist file cannot be read in the target application, that is, the target application is prevented from reading the blacklist file in this embodiment.
And the second obtaining module 400 is configured to obtain the original file corresponding to the target identification information if not.
The file corresponding to the target identification information is a target file, and in this embodiment, the target file is an original file in the mobile storage medium.
It may be understood that when it is determined that the target identification information is not in the blacklist, it is known that the target file does not belong to the file that prevents the target application from accessing the content thereof in this embodiment, so in this embodiment, the second obtaining module 400 obtains the original file, and does not perform any processing on the original file, and directly transmits the original file to the target application through the virtual disk.
And the transmission module 500 is used for transmitting the original file to the target application.
In this embodiment, the transmission module 500 transmits the original file to the target application through the virtual disk.
Optionally, the first computer device is connected with a second computer device, wherein a target application in the second computer device can access a mobile storage medium of the first computer device through a mounted virtual disk, and the second computer device is provided with a Linux system or a Windows system.
It may be understood that when it is determined that the target file is not a blacklist file, it means that the target file does not belong to a file that prevents the target application from accessing the content of the target file in this embodiment, so that no processing is performed on the target file, and the transmission module 500 directly transmits the target file to the second computer device through the virtual disk, so that the target application in the second computer device obtains the original target file. In this embodiment, only the judgment operation is performed on the file, which does not destroy the content of the file.
Optionally, a USB interface, that is, a universal serial bus (Universal Serial Bus), is disposed in the first computer device, which is a serial bus standard and is also a technical specification of an input/output interface, and is widely used in information communication products such as computer devices. The USB interface is identical at the end where the computer device is connected, but a different interface type is typically used when the device end is connected. The types of USB interfaces include: b-5Pin, micro USB, type-C, etc.
In the above technical solution, the mobile storage medium is connected to the computer device through the USB interface.
In particular implementations, other serial or parallel interfaces suitable for use with the present invention may be employed in addition to a USB interface for accessing a computer device.
Through the above embodiment, when receiving a signal that a mobile storage medium accesses the first computer device, the virtual disk is mounted to an operating system of the first computer device, so that a mapping relationship is established between the virtual disk and the mobile storage medium; when a request of accessing the virtual disk by a target application is received, accessing the mobile storage medium based on the mapping relation to acquire target identification information of a file in the mobile storage medium; judging whether a file corresponding to the target identification information is a blacklist file or not based on the target identification information; if not, acquiring an original file corresponding to the target identification information; and transmitting the original file to the target application. The mobile storage medium accessed to the computer equipment is simulated by adopting the virtual disk based on NBD, whether the file in the mobile storage medium is a blacklist file is judged, if not, the original file is transmitted to the target application, so that the computer equipment can be prevented from accessing the blacklist file in the mobile storage medium without modifying the original file in the mobile storage medium or a system driver in the target application, the access limit to the mobile storage medium is formed, and the access security of the mobile storage medium is improved.
Based on the same inventive concept, an embodiment of the present invention provides an access control device for a mobile storage medium, and for convenience of explanation, only a portion related to the embodiment of the present invention is shown, and specific technical details are not disclosed, and reference is made to a method portion of the embodiment of the present invention. The access control device of the mobile storage medium includes: the access control method comprises a USB interface 1003, a memory 1004, a processor 1001, and a mobile storage medium access control method program stored on the memory 1004 and executable on the processor 1001, and an NBD-based virtual disk, wherein the mobile storage medium access control method program realizes the corresponding functions of the mobile storage medium access control method embodiment when being executed by the processor 1001.
It will be appreciated by those skilled in the art that the structure shown in fig. 8 does not constitute a limitation of the access control device of the removable storage medium, and may include more or less components than those illustrated, or may combine certain components, or may be arranged in different components.
Based on the same inventive concept, an embodiment of the present invention provides a storage medium having stored thereon an access control method program of a mobile storage medium, which when executed by a processor, implements the steps described in any of the foregoing embodiments of the access control method of the mobile storage medium.
Including volatile or nonvolatile, removable or non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, computer program modules or other data. Storage media includes, but is not limited to, RAM (Random Access Memory ), ROM (Read-Only Memory), EEPROM (Electrically Eraable Programmable Read Only Memory, charged erasable programmable Read-Only Memory), flash Memory or other Memory technology, CD-ROM (Compact Disc Read-Only Memory), digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage, or any other medium which can be used to store the desired information and which can be accessed by a computer.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (9)

1. An access control method for a mobile storage medium is characterized by being used for a first computer device, wherein a virtual disk based on a network block device NBD is arranged in the first computer device;
The method comprises the following steps:
when receiving a signal that a mobile storage medium is accessed to the first computer equipment, mounting the virtual disk to an operating system of the first computer equipment so as to enable the virtual disk and the mobile storage medium to establish a mapping relation;
when a request of accessing the virtual disk by a target application is received, accessing the mobile storage medium based on the mapping relation to acquire target identification information of a file in the mobile storage medium;
judging whether a file corresponding to the target identification information is a blacklist file or not based on the target identification information;
if not, acquiring an original file corresponding to the target identification information;
transmitting the original file to the target application;
the first computer equipment is connected with second computer equipment; the step of accessing the mobile storage medium based on the mapping relation to obtain the target identification information in the mobile storage medium when the request of the target application for accessing the virtual disk is received comprises the following steps:
when a request of accessing the virtual disk by a target application in the second computer equipment is received, accessing the mobile storage medium based on the mapping relation to acquire target identification information in the mobile storage medium;
The step of transmitting the original file to the target application includes:
transmitting the original file to a target application in the second computer device; and accessing the mobile storage medium of the first computer device by the target application in the second computer device through the mounted virtual disk.
2. The access control method of a mobile storage medium according to claim 1, wherein after the step of determining whether the file corresponding to the target identification information is a blacklist file based on the target identification information, the method further comprises:
if yes, useless data are transmitted to the target application.
3. The access control method of a mobile storage medium according to claim 1, wherein a blacklist is provided in the first computer device, and the blacklist includes identification information of blacklist files;
the step of judging whether the file corresponding to the target identification information is a blacklist file based on the target identification information specifically comprises the following steps:
and judging whether the target identification information is in the blacklist or not based on the target identification information so as to judge whether the file corresponding to the target identification information is the blacklist file or not.
4. The access control method of a mobile storage medium according to claim 1, wherein the blacklist file includes: files containing sensitive information and/or files infected with viruses.
5. The access control method of a mobile storage medium according to claim 1, wherein the target identification information includes: at least one of a file suffix name, a file name, file location information, and a file size.
6. The access control method of a mobile storage medium according to claims 1 to 5, wherein a USB interface is provided in the first computer device;
the step of mounting the virtual disk to an operating system of the first computer device when receiving a signal that the mobile storage medium is accessed to the first computer device, so that a mapping relationship between the virtual disk and the mobile storage medium is established, includes:
and when receiving a signal of the mobile storage medium accessing the USB interface, mounting the virtual disk to an operating system of the first computer device so as to enable the virtual disk and the mobile storage medium to establish a mapping relation.
7. An access control device for a mobile storage medium, characterized by being used for a first computer device, wherein a virtual disk based on NBD is arranged in the first computer device;
The device comprises:
the mounting module is used for mounting the virtual disk to an operating system of the first computer equipment when receiving a signal that the mobile storage medium is accessed to the first computer equipment, so that a mapping relation is established between the virtual disk and the mobile storage medium;
the first acquisition module is used for accessing the mobile storage medium based on the mapping relation when receiving a request of a target application for accessing the virtual disk so as to acquire target identification information of a file in the mobile storage medium;
the judging module is used for judging whether the file corresponding to the target identification information is a blacklist file or not based on the target identification information;
the second acquisition module is used for acquiring an original file corresponding to the target identification information if not;
the transmission module is used for transmitting the original file to the target application;
the first computer equipment is connected with second computer equipment;
the first obtaining module is further configured to access the mobile storage medium based on the mapping relationship when receiving a request for accessing the virtual disk from a target application in the second computer device, so as to obtain target identification information in the mobile storage medium;
The transmission module is further used for transmitting the original file to a target application in the second computer device; and enabling the target application in the second computer device to access the mobile storage medium of the first computer device through the mounted virtual disk access.
8. An access control device for a removable storage medium, the device comprising an NBD based virtual disk, a USB interface, a memory, a processor and an access control method program stored in the memory and executable on the processor, the access control method program of a removable storage medium, when executed by the processor, implementing the steps of the method according to any of claims 1-6.
9. A storage medium, characterized in that the storage medium has stored thereon an access control method program for a mobile storage medium, which, when being executed by a processor, carries out the steps of the method according to any of claims 1-6.
CN202110781963.XA 2021-07-09 2021-07-09 Access control method, device and equipment for mobile storage medium and storage medium Active CN113609538B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110781963.XA CN113609538B (en) 2021-07-09 2021-07-09 Access control method, device and equipment for mobile storage medium and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110781963.XA CN113609538B (en) 2021-07-09 2021-07-09 Access control method, device and equipment for mobile storage medium and storage medium

Publications (2)

Publication Number Publication Date
CN113609538A CN113609538A (en) 2021-11-05
CN113609538B true CN113609538B (en) 2024-03-08

Family

ID=78337441

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110781963.XA Active CN113609538B (en) 2021-07-09 2021-07-09 Access control method, device and equipment for mobile storage medium and storage medium

Country Status (1)

Country Link
CN (1) CN113609538B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6212635B1 (en) * 1997-07-18 2001-04-03 David C. Reardon Network security system allowing access and modification to a security subsystem after initial installation when a master token is in place
WO2006051037A1 (en) * 2004-11-09 2006-05-18 Thomson Licensing Bonding contents on separate storage media
CN101051292A (en) * 2007-01-08 2007-10-10 中国信息安全产品测评认证中心 Reliable U disc, method for realizing reliable U disc safety and its data communication with computer
CN101488952A (en) * 2008-12-10 2009-07-22 华中科技大学 Mobile storage apparatus, data secured transmission method and system
CN102426555A (en) * 2011-10-31 2012-04-25 北京天地融科技有限公司 Mobile memory, and access control method and system thereof
CN102622311A (en) * 2011-12-29 2012-08-01 北京神州绿盟信息安全科技股份有限公司 USB (universal serial bus) mobile memory device access control method, USB mobile memory device access control device and USB mobile memory device access control system
CN103065102A (en) * 2012-12-26 2013-04-24 中国人民解放军国防科学技术大学 Data encryption mobile storage management method based on virtual disk
CN104166638A (en) * 2013-05-15 2014-11-26 万波 Method for communicating with secure removable storage device through file system
CN109933278A (en) * 2017-12-19 2019-06-25 中国电信股份有限公司 For realizing the method and apparatus of block device carry access
CN111428272A (en) * 2020-04-21 2020-07-17 深圳融安网络科技有限公司 Secure access method and device of mobile storage device and storage medium

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6212635B1 (en) * 1997-07-18 2001-04-03 David C. Reardon Network security system allowing access and modification to a security subsystem after initial installation when a master token is in place
WO2006051037A1 (en) * 2004-11-09 2006-05-18 Thomson Licensing Bonding contents on separate storage media
CN101051292A (en) * 2007-01-08 2007-10-10 中国信息安全产品测评认证中心 Reliable U disc, method for realizing reliable U disc safety and its data communication with computer
CN101488952A (en) * 2008-12-10 2009-07-22 华中科技大学 Mobile storage apparatus, data secured transmission method and system
CN102426555A (en) * 2011-10-31 2012-04-25 北京天地融科技有限公司 Mobile memory, and access control method and system thereof
CN102622311A (en) * 2011-12-29 2012-08-01 北京神州绿盟信息安全科技股份有限公司 USB (universal serial bus) mobile memory device access control method, USB mobile memory device access control device and USB mobile memory device access control system
CN103065102A (en) * 2012-12-26 2013-04-24 中国人民解放军国防科学技术大学 Data encryption mobile storage management method based on virtual disk
CN104166638A (en) * 2013-05-15 2014-11-26 万波 Method for communicating with secure removable storage device through file system
CN109933278A (en) * 2017-12-19 2019-06-25 中国电信股份有限公司 For realizing the method and apparatus of block device carry access
CN111428272A (en) * 2020-04-21 2020-07-17 深圳融安网络科技有限公司 Secure access method and device of mobile storage device and storage medium

Also Published As

Publication number Publication date
CN113609538A (en) 2021-11-05

Similar Documents

Publication Publication Date Title
US9740639B2 (en) Map-based rapid data encryption policy compliance
JP4430722B2 (en) Multiprotocol unified file locking
US6272560B1 (en) Self-identifying peripheral device
EP2751735B1 (en) Encrypted chunk-based rapid data encryption policy compliance
EP3200434A2 (en) Domain name resolution
US20100185874A1 (en) Method of Mass Storage Memory Management for Large Capacity Universal Integrated Circuit Cards
WO2002095588B1 (en) Decentralized virus scanning for stored data
US20190238560A1 (en) Systems and methods to provide secure storage
JP2009518759A (en) Media card with command pass-through mechanism
CN115277143A (en) Data secure transmission method, device, equipment and storage medium
CN113609538B (en) Access control method, device and equipment for mobile storage medium and storage medium
CN111753268B (en) Single sign-on method, single sign-on device, storage medium and mobile terminal
US20050177577A1 (en) Accessing data on remote storage servers
CN109033804A (en) A kind of software virtual machine authorization method and device
CN112084524B (en) USB flash disk access method and USB flash disk
CN114237817A (en) Virtual machine data reading and writing method and related device
CN112153061A (en) Data access method, device, equipment and computer readable storage medium
CN112860448A (en) System and method for access control in an electronic control unit of a vehicle
CN113032351B (en) Recovery method and device of network file system
TWI767113B (en) System for using certificate stored in carrier to conduct online transactions and method thereof
CN113194013B (en) Control method, device and storage medium for terminal equipment to access network
CN116578348A (en) Data processing method and device of mobile storage device and processor
JP2022021473A (en) Information processing apparatus, method for controlling information processing apparatus, information processing system, and program
CN112765663A (en) File access control method, device, equipment, server and storage medium
CN115964290A (en) License authorization test method, system, equipment and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant