CN114722386A - USB flash drive transfer monitoring method based on the fanotify mechanism - Google Patents
- Publication number: CN114722386A (application number CN202210336088.9A)
- Authority: CN (China)
- Prior art keywords: disk, fanotify, usb flash, flash disk, list
- Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
All within G (Physics) > G06 (Computing; calculating or counting) > G06F (Electric digital data processing):
- G06F21/556: Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes (G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures)
- G06F21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action (same parent groups as above)
- G06F13/4282: Bus transfer protocol, e.g. handshake; synchronisation on a serial bus, e.g. I2C bus, SPI bus (G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units > G06F13/38 Information transfer, e.g. on bus > G06F13/42 Bus transfer protocol, e.g. handshake; synchronisation)
- G06F2213/0042: Universal serial bus [USB] (G06F2213/00 Indexing scheme relating to interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units)
Abstract
The invention discloses a USB flash drive transfer monitoring method based on the fanotify mechanism, comprising the following steps. Step one: perform system initialization, including Netlink initialization and fanotify initialization. Step two: when a USB flash drive is inserted into the system, the Netlink thread receives the Add message for the USB device, creates a list entry keyed by the drive's device name to identify the drive, sets its state to Add, and inserts the entry into the USB flash drive list. Step three: a timer traverses the list, compares it with /proc/mounts, finds the directory at which the drive is mounted in the file system, and calls the fanotify interface fanotify_mark to monitor that directory. Step four: when a user copies a file on the drive, a fanotify event is triggered. Step five: when the drive is unplugged, the list is searched using the device name as key and the entry found is handled according to its state. Step six: the timer traverses the list and compares it with /proc/mounts again; when the mount directory has disappeared, indicating that an unmount has been performed, fanotify_mark is called to cancel monitoring of that directory. On Linux the invention replaces a kernel-module scheme with an application-layer one, which markedly reduces the adaptation workload and improves stability.
Description
Technical Field
The invention relates to the field of data monitoring, in particular to a USB flash drive transfer monitoring method based on the fanotify mechanism.
Background
In host security protection it is necessary to prevent both the leakage of confidential files through copying to a USB flash drive and the entry of malicious files into the host through copying from one. Host security protection software therefore needs to manage and control pluggable storage devices such as USB flash drives.
Under Linux, removable storage such as USB flash drives and USB hard disks is driven by the usb-storage kernel module, which must be loaded before the device can be used (modprobe usb-storage). The USB flash drive transfer monitoring scheme commonly used in the industry today is implemented by modifying and replacing this kernel module. Its drawback is that the modification has to be adapted to every kernel version and updated in step with each kernel change, otherwise compatibility problems arise.
Because the general USB flash drive monitoring method on Linux has to be implemented by modifying a kernel driver, and Linux exists in many kernel versions with flexible configuration, the kernel-based scheme carries a large adaptation workload and poor stability.
Existing USB flash drive transfer monitoring methods thus suffer from the large adaptation workload and poor stability of a kernel scheme, which affects their use. The USB flash drive transfer monitoring method based on the fanotify mechanism is proposed to address this.
Disclosure of Invention
The technical problem solved by the invention is the large adaptation workload and poor stability of the kernel scheme in existing USB flash drive transfer monitoring methods, and the effect this has on their use; to that end a USB flash drive transfer monitoring method based on the fanotify mechanism is provided.
The invention solves this technical problem through the following technical scheme, comprising the following steps:
step one: perform system initialization, including Netlink initialization and fanotify initialization;
step two: when a USB flash drive is inserted into the system, the Netlink thread receives the Add message for the USB device, creates a list entry keyed by the drive's device name to identify the drive, sets its state to Add, and inserts the entry into the USB flash drive list;
step three: a timer traverses the USB flash drive list, compares it with /proc/mounts, finds the directory at which the drive is mounted in the file system, and calls the fanotify interface fanotify_mark to monitor that directory;
step four: when a user copies a file on the drive, a fanotify event is triggered;
step five: when the drive is unplugged, the USB flash drive list is searched using the device name as key and, once the entry is found, it is handled according to its state;
step six: the timer traverses the USB flash drive list and compares it with /proc/mounts; when it finds that the drive's mount directory has disappeared, indicating that an unmount has been performed, it calls fanotify_mark to cancel monitoring of that directory.
Further, the Netlink initialization in step one is as follows: a socket is created to listen for NETLINK_KOBJECT_UEVENT events, and a thread is created to read data from the socket.
Further, the fanotify initialization in step one is as follows: fanotify_init is first called to create a fanotify instance, and a thread is created to read fanotify events.
Further, after a fanotify event is triggered in step four, the fanotify thread reads the file operation event and handles it according to the USB flash drive transfer policy. Specifically: with the fanotify instance created during initialization, the thread receives the fanotify event, parses it to obtain the file name involved and the PID of the process performing the operation, and then handles the event according to the USB flash drive transfer policy.
Further, step two proceeds as follows: a socket is first created with Netlink to listen for NETLINK_KOBJECT_UEVENT events, then each event is examined to determine whether a USB flash drive has been inserted; on insertion a list entry keyed by the drive's device name is created with state Add and inserted into the USB flash drive list; on removal the list is searched by device name and the entry found is handled according to its state.
Further, step six proceeds as follows: the timer traverses the USB flash drive list and compares it with /proc/mounts to determine whether each drive is mounted or unmounted; when a drive is mounted, fanotify is used to monitor the file system directory at which it is mounted, and when it is unmounted, fanotify monitoring of that directory is cancelled.
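The Netlink half of the scheme (the socket of the Netlink initialization above, the reader thread, and the insert/remove list handling of step two and step five), as an added example in C. It is not part of the patent and not the applicant's code. It assumes Linux with a glibc toolchain and the kernel's uevent datagram format; the fixed-size device list and the test on DEVPATH for "is this device attached through USB" are choices of this example, not something the patent specifies.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* The "USB flash drive list" of step two, keyed by DEVNAME. Fixed size for brevity. */
#define MAX_DISKS 16
struct usb_disk { char name[32]; int present; };
static struct usb_disk disks[MAX_DISKS];

/* If the NUL-delimited field p (length n) is "KEY=value" for this key, copy value to dst. */
static int field_value(const char *p, size_t n, const char *key, char *dst, size_t dlen)
{
    size_t k = strlen(key), v;
    if (n < k || memcmp(p, key, k) != 0) return 0;
    v = n - k < dlen - 1 ? n - k : dlen - 1;
    memcpy(dst, p + k, v);
    dst[v] = '\0';
    return 1;
}

/* Parse one NETLINK_KOBJECT_UEVENT datagram. The kernel sends NUL-separated
 * fields: "add@/devices/...\0ACTION=add\0DEVPATH=/devices/...\0SUBSYSTEM=block\0
 * DEVNAME=sdb1\0DEVTYPE=partition\0...". Returns 1 only for a block device whose
 * sysfs path passes through a USB host controller. That test is a heuristic of
 * this example (udev's ID_BUS=usb is the stronger signal); without it a SATA
 * disk that happens to be called sdb would be tracked as a flash drive. */
int parse_usb_block_uevent(const char *buf, size_t len, char *action, size_t alen,
                           char *devname, size_t dlen)
{
    const char *p = buf, *end = buf + len;
    char subsystem[32] = "", devpath[512] = "";
    action[0] = devname[0] = '\0';
    while (p < end) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        size_t n = nul ? (size_t)(nul - p) : (size_t)(end - p);
        if (!field_value(p, n, "ACTION=", action, alen) &&
            !field_value(p, n, "DEVNAME=", devname, dlen) &&
            !field_value(p, n, "DEVPATH=", devpath, sizeof devpath))
            field_value(p, n, "SUBSYSTEM=", subsystem, sizeof subsystem);
        p += n + 1;
    }
    return strcmp(subsystem, "block") == 0 && action[0] && devname[0] &&
           strstr(devpath, "/usb") != NULL;
}

/* Steps two and five: insert on "add", look up by name and drop on "remove".
 * Returns how many drives the list holds afterwards. */
int disk_on_uevent(const char *action, const char *name)
{
    int i, found = -1, spare = -1, count = 0;
    for (i = 0; i < MAX_DISKS; i++) {
        if (!disks[i].present) { if (spare < 0) spare = i; continue; }
        if (strcmp(disks[i].name, name) == 0) found = i;
    }
    if (strcmp(action, "add") == 0 && found < 0 && spare >= 0) {
        snprintf(disks[spare].name, sizeof disks[spare].name, "%s", name);
        disks[spare].present = 1;
    } else if (strcmp(action, "remove") == 0 && found >= 0) {
        disks[found].present = 0;   /* the mount sweep of step six then sees its mount vanish */
    }
    for (i = 0; i < MAX_DISKS; i++) count += disks[i].present;
    return count;
}

/* Step one, Netlink half: a uevent socket joined to multicast group 1, where the
 * kernel itself broadcasts (udev re-broadcasts on group 2 with its own header).
 * Receiving kernel uevents does not require root. */
int open_uevent_socket(void)
{
    struct sockaddr_nl nl = { .nl_family = AF_NETLINK, .nl_groups = 1 };
    int fd = socket(AF_NETLINK, SOCK_DGRAM | SOCK_CLOEXEC, NETLINK_KOBJECT_UEVENT);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&nl, sizeof nl) < 0) { close(fd); return -1; }
    return fd;
}

/* The reader thread of step one, run inline. Usage: ./uevent_watch, then plug a drive. */
int main(void)
{
    char buf[8192], action[16], name[32];
    int fd = open_uevent_socket();
    if (fd < 0) { perror("NETLINK_KOBJECT_UEVENT"); return 1; }
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { perror("recv"); return 1; }
        if (parse_usb_block_uevent(buf, (size_t)n, action, sizeof action, name, sizeof name))
            printf("%s %s (%d drive(s) tracked)\n", action, name, disk_on_uevent(action, name));
    }
}
```

Plugging in one drive produces a burst of uevents (the USB device, the SCSI host and target, the whole disk sdb and the partition sdb1); it is the partition's DEVNAME that later appears as /dev/sdb1 in /proc/mounts, so that is the key worth keeping. The uevent itself does not say "USB": filtering on the sysfs path (or on udev's ID_BUS property) rather than on the name is the check the text leaves implicit.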
Compared with the prior art, the invention has the following advantages. The USB flash drive transfer monitoring method based on the fanotify mechanism combines the Netlink and fanotify mechanisms of Linux to monitor file transfers to and from USB flash drives, better safeguarding data. It is implemented entirely in the application layer, with no modification of kernel drivers, so the adaptation workload for each Linux version is small and stability is good. Transfers are monitored stably and efficiently, data security is effectively protected, and the method is well suited to wide deployment.
Drawings
FIG. 1 is the overall flow diagram of the invention;
FIG. 2 is the flow chart of the USB flash drive plug/unplug monitoring process of the invention;
FIG. 3 is the flow chart of the USB flash drive mount/unmount monitoring process of the invention;
FIG. 4 is the flow chart of the USB flash drive transfer monitoring state machine of the invention;
FIG. 5 is the flow chart of the fanotify file monitoring process of the invention.
Detailed Description
The following examples give the detailed implementation and specific operation of the invention; its scope is not limited to these examples.
As shown in FIGS. 1 to 5, this embodiment provides the following technical solution, a method for monitoring USB flash drive transfers based on the fanotify mechanism, comprising the following steps:
step one: perform system initialization, including Netlink initialization and fanotify initialization. Netlink initialization creates a socket listening for NETLINK_KOBJECT_UEVENT events and a thread that reads data from that socket; fanotify initialization calls fanotify_init to create a fanotify instance and creates a thread that reads fanotify events. This step sets up the Netlink and fanotify facilities of Linux in the application layer, the former to monitor plug and unplug events of USB flash drives and the latter to monitor reads and writes on their file systems;
step two: when a USB flash drive is inserted into the system, the Netlink thread receives the Add message for the USB device, creates a list entry keyed by the drive's device name to identify the drive, sets its state to Add, and inserts it into the USB flash drive list. In detail: a socket is first created with Netlink to listen for NETLINK_KOBJECT_UEVENT events, then each event is examined to determine whether a USB flash drive has been inserted; on insertion an entry keyed by the device name is created with state Add and inserted into the list; on removal the list is searched by device name and the entry found is handled according to its state. This step uses the Netlink mechanism of Linux to receive and process drive insertion messages in the application layer;
step three: the timer traverses the USB flash drive list, compares it with /proc/mounts, finds the directory at which the drive is mounted in the file system and calls the fanotify interface fanotify_mark to monitor that directory. In other words, the application layer periodically checks whether an inserted drive has been mapped to a file system directory and, if so, monitors reads and writes on that directory;
step four: when a user copies a file on the drive, a fanotify event is triggered. The fanotify thread reads the file operation event and handles it according to the USB flash drive transfer policy. In detail: with the fanotify instance created during initialization, the thread receives the fanotify event, parses it to obtain the file name involved and the PID of the process performing the operation, and then acts according to the transfer policy. This step processes USB flash drive transfer events in the application layer according to a policy configured in advance (for example, in a confidential setting, copying files to the drive is prohibited);
step five: when the drive is unplugged, the USB flash drive list is searched using the device name as key and, once the entry is found, it is handled according to its state. This step processes the unplug event in the application layer and updates the state of the drive;
step six: the timer traverses the USB flash drive list and compares it with /proc/mounts; when it finds that the drive's mount directory has disappeared, indicating that an unmount has been performed, it calls the fanotify interface fanotify_mark to cancel monitoring of that directory. In detail: the timer traverses the list and compares it with /proc/mounts to determine whether each drive is mounted or unmounted; when a drive is mounted, fanotify monitors the directory at which it is mounted, and when it is unmounted, that monitoring is cancelled. Thus whenever the mapping between a drive and a file system directory is removed, monitoring of that directory is removed in step with it.
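The timer sweep of steps three and six, as an added example in C that is not part of the patent and not the applicant's code. It assumes Linux, that the device name came from the Netlink side, and that one fanotify group per drive is acceptable; the \040 decoding in find_mountpoint, the notification-only mark, and closing the group instead of calling fanotify_mark to remove the mark are this example's choices, explained in the comments.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Look "/dev/<dev> <mountpoint> ..." up in the text of /proc/mounts. The kernel
 * writes a space in a mount point as the octal escape \040, and flash drives get
 * mounted under volume labels like "USB DISK", so \ooo is decoded on the way out. */
int find_mountpoint(const char *mounts, const char *dev, char *out, size_t outlen)
{
    char prefix[64];
    int plen = snprintf(prefix, sizeof prefix, "/dev/%s ", dev);
    if (plen <= 0 || plen >= (int)sizeof prefix) return 0;
    const char *line = mounts;
    while (*line) {
        const char *nl = strchr(line, '\n');
        const char *end = nl ? nl : line + strlen(line);
        if (end - line > plen && memcmp(line, prefix, (size_t)plen) == 0) {
            const char *s = line + plen;
            size_t o = 0;
            while (s < end && *s != ' ' && o + 1 < outlen) {
                if (*s == '\\' && s + 3 < end) {
                    out[o++] = (char)((s[1] - '0') * 64 + (s[2] - '0') * 8 + (s[3] - '0'));
                    s += 4;
                } else {
                    out[o++] = *s++;
                }
            }
            out[o] = '\0';
            return 1;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* One list entry: the device name from the uevent side and, while mounted, the
 * mount point plus a fanotify group of its own that holds the mount mark. */
struct tracked { char name[32]; char mnt[PATH_MAX]; int fan; };

/* Step three. FAN_MARK_MOUNT makes the mark cover every file on the drive; a
 * mark on the directory alone reports only that directory and its direct
 * children. Notification class and mask here: a content-class group with
 * FAN_OPEN_PERM whose queue nobody reads stalls every open on the drive, and
 * the reader that answers permission events is a separate concern. */
int start_monitoring(struct tracked *t)
{
    t->fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY);
    if (t->fan < 0) return -1;
    if (fanotify_mark(t->fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN | FAN_CLOSE_WRITE,
                      AT_FDCWD, t->mnt) < 0) {
        close(t->fan);
        t->fan = -1;
        return -1;
    }
    return 0;
}

/* Step six. By the time the sweep sees the mount gone the kernel has already
 * destroyed the mark on that mount; fanotify_mark(FAN_MARK_REMOVE, ...) on the
 * old path would fail with ENOENT, so the group holding the mark is closed. */
void stop_monitoring(struct tracked *t)
{
    if (t->fan >= 0) close(t->fan);
    t->fan = -1;
    t->mnt[0] = '\0';
}

/* One timer tick over the list. Returns the number of mount/unmount transitions.
 * start/stop are parameters so the logic can run without root (NULL records
 * the state only). */
int sweep_mounts(const char *mounts, struct tracked *list, int n,
                 int (*start)(struct tracked *), void (*stop)(struct tracked *))
{
    int changes = 0;
    for (int i = 0; i < n; i++) {
        char mnt[PATH_MAX];
        struct tracked *t = &list[i];
        if (!t->name[0]) continue;
        int now = find_mountpoint(mounts, t->name, mnt, sizeof mnt);
        if (now && !t->mnt[0]) {
            snprintf(t->mnt, sizeof t->mnt, "%s", mnt);
            if (start && start(t) < 0) t->mnt[0] = '\0';   /* marking failed: retry next tick */
            else changes++;
        } else if (!now && t->mnt[0]) {
            if (stop) stop(t); else t->mnt[0] = '\0';
            changes++;
        }
    }
    return changes;
}

/* Usage: ./mount_sweep sdb1 (as root). Polls once a second, like the text's timer. */
int main(int argc, char **argv)
{
    static char mounts[65536];
    struct tracked list[1] = { { .fan = -1 } };
    snprintf(list[0].name, sizeof list[0].name, "%s", argc > 1 ? argv[1] : "sdb1");
    for (;;) {
        FILE *f = fopen("/proc/mounts", "r");
        if (!f) return 1;
        size_t n = fread(mounts, 1, sizeof mounts - 1, f);
        fclose(f);
        mounts[n] = '\0';
        if (sweep_mounts(mounts, list, 1, start_monitoring, stop_monitoring))
            printf("%s: %s\n", list[0].name, list[0].mnt[0] ? list[0].mnt : "unmounted");
        sleep(1);
    }
}
```

A sweep every second leaves a window of up to one second between mount and mark during which copies go unseen; poll() on /proc/self/mountinfo with POLLPRI wakes the sweep the moment the mount table changes and removes both the window and the timer.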
When the scheme is used, a USB flash drive monitoring policy is defined in advance. For a confidential setting, for example, the policy makes the drive read-only, i.e. files may only be copied from the drive to the host. For a security protection setting, the drive is defined as readable and writable, with reads and writes subject to scan processing: when a file is copied from the drive, additional scan processing is performed on it, which includes computing the file's hash, recording information such as its size, and calling other modules to judge whether the file is malicious; the file operation may continue only once the scan has passed. In the implementation of the scheme, NETLINK_KOBJECT_UEVENT events are first received through the Netlink mechanism of Linux to detect insertion and removal of the drive; then /proc/mounts is read periodically to determine whether the drive is mounted and at which file system path; then that mount path is monitored with fanotify, and each file read or write event observed is handled according to the predefined policy.
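The fanotify reader thread of step four together with the two policies just described, as an added example in C that is not part of the patent and not the applicant's code. It assumes Linux 5.0 or later (for FAN_OPEN_EXEC_PERM), CAP_SYS_ADMIN, and a drive already mounted at the path given on the command line. The FNV-1a hash and the one-entry blocklist are constructed stand-ins for the hash computation and the "other modules" the text calls to judge whether a file is malicious; the usb_guard name, the exec refusal and the st_dev check are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <limits.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/fanotify.h>

#ifndef FAN_OPEN_EXEC_PERM
#define FAN_OPEN_EXEC_PERM 0x00040000   /* Linux 5.0+; the value from linux/fanotify.h */
#endif
#define FNV_BASIS 0xcbf29ce484222325ULL

/* Content hash for the scan step. FNV-1a keeps the block self-contained; a real
 * deployment hashes with SHA-256 and asks an AV or reputation module. */
uint64_t fnv1a64(uint64_t h, const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Constructed blocklist for the example: the hash of a one-byte file "a". */
static const uint64_t blocked[] = { 0xaf63dc4c8601ec8cULL };

/* Step four decision. FAN_OPEN_PERM carries no O_ACCMODE (the fd in the event is
 * fanotify's own read-only open), so "read-only drive" cannot be decided here
 * and is enforced by mounting with ro. fanotify refuses execution from the
 * drive, gates reads on the scan, and FAN_CLOSE_WRITE (notification only)
 * audits what was written to it. */
unsigned int policy_decide(uint64_t mask, uint64_t content_hash)
{
    if (mask & FAN_OPEN_EXEC_PERM) return FAN_DENY;
    if (mask & FAN_OPEN_PERM)
        for (size_t i = 0; i < sizeof blocked / sizeof blocked[0]; i++)
            if (blocked[i] == content_hash) return FAN_DENY;
    return FAN_ALLOW;
}

/* Size and hash the file behind an event fd. fanotify opened it with
 * FMODE_NONOTIFY, so reading it here does not feed another event back to us. */
uint64_t scan_fd(int fd, off_t *size)
{
    unsigned char buf[65536];
    uint64_t h = FNV_BASIS;
    ssize_t n;
    *size = 0;
    while ((n = read(fd, buf, sizeof buf)) > 0) { h = fnv1a64(h, buf, (size_t)n); *size += n; }
    return h;
}

/* /proc/self/fd/N gives the file's path, /proc/PID/exe the opener's program. */
static void proc_readlink(const char *prefix, int id, const char *suffix, char *out)
{
    char link[64];
    snprintf(link, sizeof link, "%s%d%s", prefix, id, suffix);
    ssize_t n = readlink(link, out, PATH_MAX - 1);
    out[n > 0 ? n : 0] = '\0';
}

/* Usage: ./usb_guard "/media/user/USB DISK" (as root). Ends when the drive is unmounted. */
int main(int argc, char **argv)
{
    const char *mnt = argc > 1 ? argv[1] : "/media/usb";
    static struct fanotify_event_metadata ev[256];   /* correctly aligned event buffer */
    static char path[PATH_MAX], exe[PATH_MAX];
    struct stat st0, st;
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC | FAN_NONBLOCK, O_RDONLY);
    if (fan < 0 || stat(mnt, &st0) < 0 ||
        fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT,
                      FAN_OPEN_PERM | FAN_OPEN_EXEC_PERM | FAN_CLOSE_WRITE, AT_FDCWD, mnt) < 0) {
        perror("fanotify");
        return 1;
    }
    struct pollfd pfd = { .fd = fan, .events = POLLIN };
    for (;;) {
        if (poll(&pfd, 1, 1000) == 0) {     /* timer tick: st_dev changes once the mount is gone */
            if (stat(mnt, &st) < 0 || st.st_dev != st0.st_dev) { close(fan); return 0; }
            continue;
        }
        ssize_t len = read(fan, ev, sizeof ev);
        for (struct fanotify_event_metadata *e = ev; FAN_EVENT_OK(e, len); e = FAN_EVENT_NEXT(e, len)) {
            if (e->vers != FANOTIFY_METADATA_VERSION) return 1;
            if (e->fd < 0) continue;                      /* FAN_NOFD: queue overflow */
            off_t size = 0;
            uint64_t h = (e->mask & FAN_OPEN_PERM) ? scan_fd(e->fd, &size) : 0;
            proc_readlink("/proc/self/fd/", e->fd, "", path);
            proc_readlink("/proc/", e->pid, "/exe", exe);  /* best effort: the pid may be reused */
            if (e->mask & (FAN_OPEN_PERM | FAN_OPEN_EXEC_PERM)) {
                struct fanotify_response r = { .fd = e->fd, .response = policy_decide(e->mask, h) };
                if (write(fan, &r, sizeof r) < 0) perror("fanotify response");
                printf("%s pid=%d %s %s (%lld bytes, fnv=%016llx): %s\n", exe, e->pid,
                       (e->mask & FAN_OPEN_EXEC_PERM) ? "exec" : "open", path, (long long)size,
                       (unsigned long long)h, r.response == FAN_ALLOW ? "allow" : "DENY");
            } else {
                printf("%s pid=%d wrote %s\n", exe, e->pid, path);   /* FAN_CLOSE_WRITE audit */
            }
            close(e->fd);
        }
    }
}
```

Two properties of permission events shape any deployment of this step. The opener is blocked until the listener writes its response, so a slow scan stalls every open on the drive and the hash should be bounded by size or cached per inode; and if the listener exits, the kernel closes the group and lets every pending open proceed, so a crash fails open, not closed.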
the invention combines the Netlink mechanism and the Fanotify mechanism of Linux to realize the monitoring of the file transmission of the U disk, and the monitoring is realized in an application layer without modifying kernel drive, so the invention has small adaptive workload and good stability for each Linux version.
The steps are all realized in a Linux application layer, kernel codes are not required to be modified, most of Linux versions can be compatible, adaptation modification is not required to be carried out according to different Linux kernel versions, and after the method is adopted, an application layer scheme is used for replacing a kernel scheme in a Linux system, so that the adaptation workload of a USB flash disk transmission monitoring scheme for each Linux version can be obviously reduced, the stability is improved, the USB flash disk transmission monitoring method is combined with a Netlink and Fanotify mechanism in Linux, the USB flash disk transmission monitoring is realized in the application layer, the adaptation workload is reduced, and the stability is improved.
fanotify: fanotify is a file monitoring facility of the Linux kernel (available since Linux 2.6.37), commonly used by antivirus software and for access control against malicious programs. It provides permission checks and access control on the monitored files (a listener can allow or deny an open before it completes), reports the PID of the process operating on a file, and can monitor an entire mount or file system rather than single directories.
Netlink: Netlink is a special socket family specific to Linux that provides bidirectional data transfer between the kernel and user-space applications. Many subsystems use Netlink to communicate between user space and the kernel, for example kernel event notification to user mode (NETLINK_KOBJECT_UEVENT), process auditing (NETLINK_AUDIT) and firewalling (NETLINK_FIREWALL).
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g. two or three, unless specifically limited otherwise.
In the description herein, references to "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" mean that a particular feature, structure, material or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, such references do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples, and those skilled in the art can combine the embodiments, examples and features described in this specification provided they do not contradict one another.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.
Claims (6)
1. A USB flash drive transfer monitoring method based on the fanotify mechanism, characterized in that it comprises the following steps:
step one: performing system initialization, including Netlink initialization and fanotify initialization;
step two: when a USB flash drive is inserted into the system, a Netlink thread receives the Add message for the USB device, creates a list entry keyed by the drive's device name to identify the drive, sets its state to Add, and inserts the entry into the USB flash drive list;
step three: a timer traverses the USB flash drive list, compares it with /proc/mounts, finds the directory at which the drive is mounted in the file system, and calls the fanotify interface fanotify_mark to monitor that directory;
step four: when a user copies files on the drive, a fanotify event is triggered;
step five: when the drive is unplugged, the USB flash drive list is searched using the device name as key and, once the entry is found, it is handled according to its state;
step six: the timer traverses the USB flash drive list and compares it with /proc/mounts; when it finds that the drive's mount directory has disappeared, indicating that an unmount has been performed, it calls the fanotify interface fanotify_mark to cancel monitoring of that directory.
2. The USB flash drive transfer monitoring method based on the fanotify mechanism according to claim 1, characterized in that the Netlink initialization in step one is as follows: a socket is created to listen for NETLINK_KOBJECT_UEVENT events, and a thread is created to read data from the socket.
3. The USB flash drive transfer monitoring method based on the fanotify mechanism according to claim 1, characterized in that the fanotify initialization in step one is as follows: fanotify_init is first called to create a fanotify instance, and a thread is created to read fanotify events.
4. The USB flash drive transfer monitoring method based on the fanotify mechanism according to claim 1, characterized in that after the fanotify event is triggered in step four, the fanotify thread reads the file operation event and handles it according to the USB flash drive transfer policy, specifically: with the fanotify instance created at initialization, the fanotify event is received and parsed to obtain the file name involved and the PID of the process performing the operation, and the event is then handled according to the USB flash drive transfer policy.
5. The USB flash drive transfer monitoring method based on the fanotify mechanism according to claim 1, characterized in that step two proceeds as follows: a socket is first created with Netlink to listen for NETLINK_KOBJECT_UEVENT events, then whether a USB flash drive has been inserted is determined; on insertion a list entry keyed by the drive's device name is created with state Add and inserted into the USB flash drive list; on removal the list is searched using the device name as key and the entry found is handled according to its state.
6. The USB flash drive transfer monitoring method based on the fanotify mechanism according to claim 1, characterized in that step six proceeds as follows: the timer traverses the USB flash drive list and compares it with /proc/mounts to determine whether each drive is mounted or unmounted; when a drive is mounted, fanotify is used to monitor the file system directory at which it is mounted, and when it is unmounted, fanotify monitoring of that directory is cancelled.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202210336088.9A (published as CN114722386A) | 2022-03-31 | 2022-03-31 | USB flash drive transfer monitoring method based on the fanotify mechanism
Publications (1)
Publication Number | Publication Date
---|---
CN114722386A (en) | 2022-07-08
Family
ID=82242091
Family Applications (1)
Application Number | Title | Priority Date | Filing Date | Status
---|---|---|---|---
CN202210336088.9A (CN114722386A) | USB flash drive transfer monitoring method based on the fanotify mechanism | 2022-03-31 | 2022-03-31 | Withdrawn
Country Status (1)
Country | Link
---|---
CN (1) | CN114722386A (en)
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN117573214A * | 2024-01-17 | 2024-02-20 | 深圳前海深蕾半导体有限公司 | Method and device for fusing serial device and Android system frame
CN117573214B * | 2024-01-17 | 2024-04-19 | 深圳前海深蕾半导体有限公司 | Method and device for fusing serial device and Android system frame
Legal Events
Date | Code | Title | Description
---|---|---|---
2022-07-08 | PB01 | Publication |
 | SE01 | Entry into force of request for substantive examination |
 | WW01 | Invention patent application withdrawn after publication | Application publication date: 20220708