CN117251838A - Access control method for system active USB mobile storage device - Google Patents


Info

Publication number
CN117251838A
Authority
CN
China
Prior art keywords
equipment
mobile storage
identifier
storage device
usb
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311300816.1A
Other languages
Chinese (zh)
Inventor
翟高寿
郭卓茁
刘子桐
郭小康
刘峰
罗琼
王振强
孙思雨
翟梓淇
崔依婷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jiaotong University
Original Assignee
Beijing Jiaotong University

Classifications

    • All classifications fall under G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/44 Program or device authentication
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/45 Structures or tools for the administration of authentication
    • G06F21/60 Protecting data > G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 Protecting access to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/82 Protecting input, output or interconnection devices > G06F21/85 Interconnection devices, e.g. bus-connected or in-line devices
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements > G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides a system active USB mobile storage device access control method. The method comprises the following steps: determining an identifier of the device according to the characteristic combination information of the USB mobile storage device; tracking and intercepting a USB device state setting function by using a Kprobe mechanism based on an identifier of the device, and checking and verifying whether the device has mounting permission according to a mobile storage device white list and access operation permission configuration information so as to enable the device to be mounted normally or refused to be mounted; and tracking and intercepting a file system mounting function by using a Kprobe mechanism based on the identifier of the equipment, and executing access operation permission configuration on the equipment file system according to the mobile storage equipment white list and the access operation permission configuration information so as to support permission checking and control processing of the subsequent access operation process of the equipment. The invention can realize the setting of the access authority of the USB mobile storage device, and gives corresponding access control processing in time according to the authorization condition when the system accesses the USB mobile storage device or the files thereof.

Description

Access control method for system active USB mobile storage device
Technical Field
The invention relates to the technical field of computer system security, in particular to an access control method for a system active USB (Universal Serial Bus) mobile storage device.
Background
Terminal security is an important component of computer and information system security. It is particularly important in scenarios, such as the offices of enterprises and public institutions, where mobile storage media (such as USB devices) are frequently connected to terminals, and it ranks alongside network security. Information security for USB (Universal Serial Bus) peripherals should ensure that secret or private information is not leaked, while also preventing viruses from spreading laterally through the peripheral. Efficient, fine-grained access control over reading, writing and executing on USB mobile storage devices is therefore a precondition and technical means for achieving these goals. Since a wide variety of software on terminals reads and writes files on peripherals, it is desirable to provide a general-purpose, stable and lightweight solution at the system kernel level that performs timely inspection and verification when such software reads, writes or executes files on the peripheral, prompts the user appropriately when access is refused, and does not affect the other normal functions of the software.
In line with the national strategy of autonomous and controllable information security and core computer technology, the method addresses the current lack of a general access control scheme that is compatible with domestic processor platforms, Linux systems and the various mainstream USB mobile storage devices. The system active USB mobile storage device access control method aims at access control of USB mobile storage devices on domestic Linux desktop operating systems such as system letter, Galaxy and Euler, and on other mainstream Linux desktop operating systems such as Debian, Ubuntu and CentOS, so as to address the potential terminal security problems that arise as enterprises and public institutions migrate their computer systems to domestic platforms, to effectively prevent secret information in office terminals from leaking through connected USB mobile storage devices, and at the same time to prevent viruses from spreading laterally between computers through connected USB mobile storage devices.
USB device access control in the prior art may be divided into storage-device-side and host-side techniques. Storage-device-side access control generally performs security authentication and encryption on the device by designing a special hardware structure and developing corresponding firmware; the implementation is complex, research, development and deployment costs are high, multiple rounds of encryption and decryption may be involved when the hardware chip is produced or when data is stored and accessed, and it cannot ensure that information on the host is not leaked. Among host-side techniques, physical shielding and boot-program shielding either disable the USB interface completely (the host cannot use any USB peripheral) or leave it completely open, so the control granularity is too coarse and inflexible. Existing software-based control either requires direct modification of the kernel and drivers, which increases implementation difficulty and easily destabilises the system, or relies on udev policy rule files that a third-party application can easily modify, or disables the host's USB completely (again leaving the host unable to use any USB peripheral); its control granularity is coarse (it only distinguishes brands and manufacturers and whether to allow mounting) and lacks fine-grained read/write/execute control.
In general, existing USB device access control techniques suffer from high implementation cost and difficulty, a tendency to destabilise the system, coarse control granularity and inflexibility.
Disclosure of Invention
The embodiment of the invention provides a system active USB mobile storage device access control method, which realises universal, stable, flexible and effective lightweight fine-grained access control of USB mobile storage devices at the system kernel level on mainstream Linux desktop operating system platforms.
In order to achieve the above purpose, the present invention adopts the following technical scheme.
A system active USB mobile storage device access control method includes:
determining an identifier of the device according to the characteristic combination information that is inherent in the USB mobile storage device and has invariance and uniqueness;
based on the identifier of the device, tracking and intercepting the USB device state setting function by using the Kprobe mechanism, and checking and verifying whether the device has mount permission according to the mobile storage device whitelist and the access operation permission configuration information, so that the device is either mounted normally or refused;
based on the identifier of the device, tracking and intercepting the file system mount function by using the Kprobe mechanism, and applying the access operation permission configuration to the device's file system according to the mobile storage device whitelist and the access operation permission configuration information, so as to support permission checking and control of the device's subsequent access operations.
Preferably, the determining the identifier of the device according to the characteristic combination information inherent to the USB mobile storage device and having invariance and uniqueness includes:
setting, according to the device characteristic information, a device identifier formed by the triplet of device manufacturer identifier, device product identifier and device serial number, which uniquely identifies a single device; constructing a device whitelist, an access control list and a device access control policy according to the device identifier; and thereby forming the mobile storage device whitelist and access operation permission configuration.
Preferably, the tracking and intercepting of the USB device state setting function by using the Kprobe mechanism based on the identifier of the device, and the checking and verification of whether the device has mount permission according to the mobile storage device whitelist and access operation permission configuration information, so that the device is mounted normally or refused, include:
acquiring the current state of the device, the device manufacturer identifier, the device product identifier and the device serial number, and preparing the identifier information of the device starting from the device enumeration process, once the device has entered the attached state but before it enters the configured state;
before the device is mounted, that is, during the device enumeration process, detecting hot-plug device enumeration with the Kprobe mechanism by inserting a probe point callback function into the state setting function of the device enumeration process;
when device enumeration occurs in the system, triggering the callback function in advance and checking and verifying in the callback function whether the device has mount permission, so that the device is either mounted normally or refused, in which case the subsequent mount cannot complete.
Preferably, the tracking and intercepting of the file system mount function by using the Kprobe mechanism based on the identifier of the device, and the application of the access operation permission configuration to the device file system according to the mobile storage device whitelist and access operation permission configuration information, so as to support permission checking and control of the device's subsequent access operations, include:
when the device is hot-plugged, the kernel detects the connection of the new device, generates a hot-plug event and notifies the user space device manager udev to collect the relevant device information; a daemon obtains the device information through a netlink socket and the uevent event, parses the uevent information sequence to construct the device identifier triplet, the logical device name devname and the device path devpath, and sends them to the USB mobile storage device access control module through the netlink socket;
inserting a probe point callback function at the mount function of the USB mobile storage device file system by using the Kprobe mechanism, so that the callback function is triggered when the system mounts the USB mobile storage device file system;
the callback function controls the read, write and execute permissions of the device according to the access control permission list in the device whitelist, and grants the device its specific access operation permissions.
Preferably, the method comprises:
constructing a daemon process and a USB mobile storage device access control service process that cooperate with the USB mobile storage device access control kernel module and prompt the user when access to the USB mobile storage device is refused.
It can be seen from the technical scheme provided by the embodiment of the invention that the embodiment provides a lightweight scheme for controlling access to USB mobile storage devices on Linux systems. It is mainly used to set the access permissions of USB mobile storage devices and, when the system accesses a USB mobile storage device or its files, applies the corresponding access control processing (release or refusal) in time according to the authorisation state, without affecting other normal functions of the system.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an access control method for a system active USB mobile storage device according to an embodiment of the present invention;
FIG. 2 is a flowchart of a USB mobile storage device mounting control provided in an embodiment of the present invention;
FIG. 3 is a flow chart of a read, write and execute control of a USB mobile storage device according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating an interaction relationship between a kernel access control module and daemon according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein the same or similar reference numerals refer to the same or similar elements or elements having the same or similar functions throughout. The embodiments described below by referring to the drawings are exemplary only for explaining the present invention and are not to be construed as limiting the present invention.
As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless expressly stated otherwise, as understood by those skilled in the art. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may also be present. Further, "connected" or "coupled" as used herein may include wirelessly connected or coupled. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
It will be understood by those skilled in the art that, unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the prior art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
For the purpose of facilitating an understanding of the embodiments of the invention, reference will now be made to the drawings of several specific embodiments illustrated in the drawings and in no way should be taken to limit the embodiments of the invention.
The implementation principle of the system active USB mobile storage device access control method provided by the embodiment of the invention is shown in figure 1. The method comprises the following processing procedures: a device unique identifier extraction method, a mount control method at device enumeration time, a device read/write/execute permission configuration method and a device access control process method. Here, USB mobile storage devices cover mobile hard disks, USB flash drives, SD cards, TF cards, mobile phones and so on connected through USB interfaces (including USB 2.0, USB 3.0 and other interfaces). The access control method belongs to the host-side access control techniques; the organisation or individual that owns the system can set the specific access permission configuration (mount, read, write and execute) of different USB mobile storage devices on their own according to information security laws, regulations and security requirements, hence the name "system active".
The device unique identifier extraction method comprises the following steps: constructing, from the device characteristic information, a unique identifier that identifies a single device and is not easily modified, and constructing a device whitelist, the specific mount/read/write/execute access permission configuration and access control list, and the device access control policy. A USB mobile storage device has many characteristics, including its device descriptor; those characteristics with large information gain that are fixed in the device and do not change over time are selected, and the device identifier is formed from the triplet of device manufacturer identifier, device product identifier and device serial number, which uniquely identifies a single device.
The embodiment of the invention provides the device mount control flow chart shown in figure 2. The mount control method at device enumeration time comprises the following steps: using the kernel Kprobe mechanism, a probe point and callback function are inserted at the state setting function of the device enumeration process, so that when device enumeration occurs in the system the callback function is triggered in advance; whether the device has mount permission is checked and verified in the callback function, and the device is either mounted normally or refused, so that the subsequent mount cannot complete. The specific processing is as follows:
(1) Analysing the device identification process and selecting the control moment: the device identification process involves several functions; starting from the device enumeration process, once the device has entered the attached state but before it enters the configured state, the identifier information of the device is available. This is a suitable control moment, at which the device can be made unavailable to the system, i.e. it cannot even be mounted.
(2) Inserting the probe point: before the device is mounted, that is, during the device enumeration process, hot-plug device enumeration is detected with the Kprobe mechanism; specifically, a probe point and callback function are inserted at the state setting function of the device enumeration process.
(3) Triggering the callback: when device enumeration occurs in the system, the callback function is triggered in advance and verifies whether the device has mount permission, so that the device is either mounted normally or refused, the subsequent mount cannot complete, and the user is prompted appropriately to keep the system interaction friendly.
The embodiment of the invention provides the device read, write and execute control flow chart shown in figure 3. The method for configuring read/write/execute permissions at device mount time comprises the following steps: in the daemon, the user space device manager udev and the netlink communication mechanism are used to detect hot-plug events of USB mobile storage devices, and the unique identifier information of the device is constructed by parsing the hot-plug event; a probe point and callback function are inserted into the file system mount function by using the Kprobe mechanism; when a file system mount operation for a USB mobile storage device occurs in the system, the callback function is triggered in advance, verifies according to the device whitelist and the access control permission list whether the device has read, write and execute permission, and configures the corresponding readable, writable or executable permissions for the device's file system mount. The specific processing is as follows:
(1) Constructing the device identifier: characteristics with large information gain that are fixed in the device and do not change over time are selected, and the device identifier is composed of the triplet of device manufacturer identifier, device product identifier and device serial number, which uniquely identifies a single device.
(2) Resolving the device identifier: the interaction between the kernel access control module and the daemon process provided by the embodiment of the invention is shown in figure 4. On hot plug, the kernel sends the detailed device information through a netlink socket as a uevent event; the daemon obtains the device information through the netlink API and parses the uevent information sequence to construct the complete device identifier triplet, the logical device name devname and the device path devpath.
(3) Inserting the probe: a probe point and callback function are inserted at the file system mount function by using the Kprobe mechanism, and the callback function is triggered when the system performs a file system mount operation on the USB mobile storage device.
(4) Triggering the callback: when the callback function of step (3) is triggered, it controls the read, write and execute permissions of the device according to the access control permission list in the whitelist, grants the specific permissions to the device's file system mount, and prompts the user appropriately to keep the system interaction friendly.
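The two policy decisions described above (the mount check at device enumeration and the read/write/execute configuration at file system mount), modelled in user-space C as an added example that is not code from the patent. The whitelist entries, serial numbers, paths and every function name are assumptions; in the patent's design the serial number comes from the sysfs attribute under the uevent DEVPATH and the decisions run inside the Kprobe callbacks on usb_set_device_state() and do_mount(), while here they are plain functions fed by a constructed uevent message.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
enum { MS_RDONLY = 1, MS_NOEXEC = 8 };   /* mount flag values as in <linux/mount.h> */
/* Device identifier triplet (claim 2): vendor id, product id, serial number. */
struct usb_ident { char vendor[5]; char product[5]; char serial[64]; };
/* Whitelist entry: identifier plus mount / read / write / execute rights. */
struct acl_entry { struct usb_ident id; bool mount, read, write, exec; };
/* Constructed whitelist; every identifier here is hypothetical. */
static const struct acl_entry whitelist[] = {
    { { "0951", "1666", "E0D55EA5C5F2" },   true, true, false, false }, /* read-only, no exec */
    { { "0781", "5583", "4C530001230412" }, true, true, true,  true  }, /* full access */
};
/* Fields the daemon needs from one uevent message. */
struct uevent { char action[16]; char devpath[256]; char devname[64]; char product[32]; };
/* Parse a kernel uevent as read from a NETLINK_KOBJECT_UEVENT socket:
 * "action@devpath\0KEY=VALUE\0KEY=VALUE\0...". Returns 0 on success. */
static int parse_uevent(const char *msg, size_t len, struct uevent *ev)
{
    const char *end = msg + len;
    memset(ev, 0, sizeof *ev);
    for (const char *p = msg; p < end; ) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        size_t n = nul ? (size_t)(nul - p) : (size_t)(end - p);
        if (p == msg) {                                  /* header "add@/devices/..." */
            const char *at = memchr(p, '@', n);
            if (!at) return -1;
            snprintf(ev->action, sizeof ev->action, "%.*s", (int)(at - p), p);
            snprintf(ev->devpath, sizeof ev->devpath, "%.*s", (int)(n - (at - p) - 1), at + 1);
        } else if (n > 8 && !memcmp(p, "DEVNAME=", 8)) {
            snprintf(ev->devname, sizeof ev->devname, "%.*s", (int)(n - 8), p + 8);
        } else if (n > 8 && !memcmp(p, "PRODUCT=", 8)) { /* "vid/pid/bcdDevice" in hex */
            snprintf(ev->product, sizeof ev->product, "%.*s", (int)(n - 8), p + 8);
        }
        p += n + 1;
    }
    return ev->action[0] && ev->devpath[0] && ev->product[0] ? 0 : -1;
}

/* Build the triplet: vendor/product from PRODUCT=, normalised to 4 hex digits. The serial is
 * the sysfs "serial" attribute under /sys<DEVPATH>, read by the caller (constructed here). */
static int build_ident(const struct uevent *ev, const char *serial, struct usb_ident *id)
{
    unsigned vid, pid, bcd;
    if (sscanf(ev->product, "%x/%x/%x", &vid, &pid, &bcd) != 3 || vid > 0xffff || pid > 0xffff)
        return -1;
    snprintf(id->vendor, sizeof id->vendor, "%04x", vid);
    snprintf(id->product, sizeof id->product, "%04x", pid);
    snprintf(id->serial, sizeof id->serial, "%s", serial ? serial : "");
    return 0;
}

/* Whitelist lookup on the full triplet; NULL means the device is not listed. */
static const struct acl_entry *policy_lookup(const struct usb_ident *id)
{
    for (size_t i = 0; i < sizeof whitelist / sizeof whitelist[0]; i++) {
        const struct usb_ident *w = &whitelist[i].id;
        if (!strcmp(w->vendor, id->vendor) && !strcmp(w->product, id->product) &&
            !strcmp(w->serial, id->serial))
            return &whitelist[i];
    }
    return NULL;
}
/* Decision in the usb_set_device_state() callback: may the device be mounted at all? */
static bool enumeration_allowed(const struct usb_ident *id)
{
    const struct acl_entry *e = policy_lookup(id);
    return e != NULL && e->mount;
}
/* Decision in the do_mount() callback: read/write/execute rights become mount flags.
 * Returns 0 and fills *flags, or -1 to refuse the mount (unlisted, unmountable, unreadable). */
static int mount_flags_for(const struct usb_ident *id, unsigned long *flags)
{
    const struct acl_entry *e = policy_lookup(id);
    if (!e || !e->mount || !e->read)
        return -1;
    *flags = 0;
    if (!e->write) *flags |= MS_RDONLY;
    if (!e->exec)  *flags |= MS_NOEXEC;
    return 0;
}
/* Constructed uevent for a USB device (paths and numbers are made up). */
static const char sample_uevent[] =
    "add@/devices/pci0000:00/0000:00:14.0/usb1/1-1\0"
    "ACTION=add\0DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-1\0"
    "SUBSYSTEM=usb\0DEVNAME=bus/usb/001/003\0DEVTYPE=usb_device\0"
    "PRODUCT=951/1666/110\0TYPE=0/0/0\0BUSNUM=001\0DEVNUM=003\0SEQNUM=42\0";

int main(void)
{
    struct uevent ev; struct usb_ident id; unsigned long flags = 0;
    if (parse_uevent(sample_uevent, sizeof sample_uevent - 1, &ev) ||
        build_ident(&ev, "E0D55EA5C5F2", &id))           /* serial: constructed */
        return 1;
    int rc = mount_flags_for(&id, &flags);
    printf("%s %s:%s/%s -> enumeration %s, mount rc=%d flags=%#lx\n", ev.devname, id.vendor,
           id.product, id.serial, enumeration_allowed(&id) ? "allowed" : "denied", rc, flags);
    return rc;
}
```

Mounts made through the newer fsopen()/fsmount()/move_mount() system calls do not pass through do_mount(), so a deployment should confirm how its desktop automounter mounts removable media before relying on that single probe point.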
The device access control process method comprises the following steps: a USB mobile storage device access control service process is constructed that cooperates with the USB mobile storage device access control kernel module; when an access operation to the USB mobile storage device is refused, the user is prompted appropriately to keep the system interaction friendly.
In summary, the system active USB mobile storage device access control method provided by the embodiment of the invention is compatible with various mainstream USB mobile storage devices, can be used on mainstream Linux desktop operating systems, and is a lightweight, fine-grained access control method for USB mobile storage devices at the system kernel level.
The system active USB mobile storage device access control method is lightweight, stable, universal, active, flexible and convenient. It does not involve modifying the system kernel or the related device drivers, is easy to deploy, has strong universality and fine control granularity, and supports flexible access control of mounting, reading, writing and executing for an individual USB mobile storage device.
The invention provides a system active mobile storage device access control method. When a USB mobile storage device is inserted into the host, the daemon process obtains the device information from the uevent event sequence sent through the netlink mechanism, using a construction scheme for deriving the device identifier from the uevent sequence that is compatible with various USB mobile storage devices. After analysing the appropriate control moments, a probe point is inserted with the Kprobe mechanism into the USB device state setting function usb_set_device_state() of the driver module to realise mount control of mobile storage device access, and a probe point is inserted with the Kprobe mechanism into the file system mount function do_mount() to realise read, write and execute control of mobile storage device access. Since the tools used are provided by the Linux kernel, fine-grained mount, read, write and execute control of USB mobile storage devices compatible with the various mainstream devices can be realised on Linux-family operating systems.
Those of ordinary skill in the art will appreciate that: the drawing is a schematic diagram of one embodiment and the modules or flows in the drawing are not necessarily required to practice the invention.
From the above description of embodiments, it will be apparent to those skilled in the art that the present invention may be implemented in software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the embodiments or some parts of the embodiments of the present invention.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for apparatus or system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, with reference to the description of method embodiments in part. The apparatus and system embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
The present invention is not limited to the above-mentioned embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention. Therefore, the protection scope of the present invention should be subject to the protection scope of the claims.

Claims (5)

1. A system active USB mobile storage device access control method, comprising:
determining an identifier of the device according to the characteristic combination information that is inherent in the USB mobile storage device and has invariance and uniqueness;
based on the identifier of the device, tracking and intercepting the USB device state setting function by using the Kprobe mechanism, and checking and verifying whether the device has mount permission according to the mobile storage device whitelist and the access operation permission configuration information, so that the device is either mounted normally or refused;
based on the identifier of the device, tracking and intercepting the file system mount function by using the Kprobe mechanism, and applying the access operation permission configuration to the device's file system according to the mobile storage device whitelist and the access operation permission configuration information, so as to support permission checking and control of the device's subsequent access operations.
2. The method of claim 1, wherein the determining the identifier of the device based on the characteristic combination information inherent to the USB mobile storage device and having invariance and uniqueness comprises:
setting, from the device characteristic information, a device identifier formed by the triplet of device manufacturer identifier, device product identifier and device serial number, which uniquely identifies a single device; constructing a device whitelist, an access control list and a device access control policy from the device identifier; and thereby forming the mobile storage device whitelist and access operation permission configuration.
3. The method of claim 1, wherein tracking and intercepting the USB device state setting function by means of a Kprobe mechanism based on the identifier of the device, and checking and verifying whether the device legitimately has mount permission according to the mobile storage device whitelist and access operation permission configuration information, so that the device is either mounted normally or refused mounting, comprises:
acquiring the current state of the device, the device manufacturer identifier, the device product identifier and the device serial number; starting from the device enumeration process, when the device enters the attached state, but not before it enters the configured state, preparing the identifier information of the device;
before the device is mounted, the device enumeration process runs; the Kprobe mechanism is used to detect hot-plug device enumeration, and a probe point callback function is inserted into the state setting function of the device enumeration process;
when device enumeration occurs in the system, the callback function is triggered first, and whether the device has mount permission is legitimately checked and verified within the callback function, so that the device is either mounted normally or refused use, in which case the subsequent mount cannot complete.
4. The method of claim 1, wherein tracking and intercepting the file system mount function by means of a Kprobe mechanism based on the identifier of the device, and applying the access operation permission configuration to the device file system according to the mobile storage device whitelist and the access operation permission configuration information so as to support permission checking and control of the device's subsequent access operations, comprises:
when the device is hot-plugged, the kernel detects the connection of the new device, generates a hot-plug event and notifies the user-space device manager udev to collect the relevant device information; a daemon obtains the device information through a netlink socket and the uevent event, parses the uevent information sequence to construct the device identifier triplet, the logical device name devname and the device path devpath, and sends the triplet, devname and devpath to the USB mobile storage device access control module through a netlink socket;
a probe point callback function is inserted at the mount function of the USB mobile storage device file system by means of a Kprobe mechanism, and the callback function is triggered when the system performs a mount operation on the USB mobile storage device file system;
the callback function controls the read, write and execute permissions of the device according to the access control permission list in the device whitelist, and grants the device its specific access operation permissions.
5. A method according to any one of claims 1 to 4, wherein the method comprises:
constructing a daemon process and a USB mobile storage device access control service process that cooperate with the USB mobile storage device access control kernel module, and prompting the user when a USB mobile storage device is refused access.
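As an added illustration, not code from the patent, the user-space side of claims 2 to 4 in C: the daemon's parsing of a netlink uevent payload into the identifier triplet, devname and devpath, and the whitelist lookup whose result the Kprobe callbacks act on (refuse the device, or apply read/write/execute bits to its mounted file system). The whitelist, the uevent payload and the serial number (read from sysfs by a real daemon) are constructed assumptions; the in-kernel probe handlers are not shown.

```c
#include <stdio.h>
#include <string.h>
/* Device identifier triplet from claim 2: vendor id, product id, serial number. */
struct usb_id { unsigned vid, pid; char serial[32]; };
/* Whitelist entry: an identifier plus the access rights it is granted (claim 4). */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
struct wl_entry { struct usb_id id; int perms; };
/* Constructed whitelist for this example: one read-only stick, one read-write. */
static const struct wl_entry whitelist[] = {
    { { 0x0781, 0x5591, "4C530001234567" }, PERM_R },
    { { 0x0951, 0x1666, "0019E06B2D4F" }, PERM_R | PERM_W },
};
/* Constructed uevent payload as read from a NETLINK_KOBJECT_UEVENT socket:
 * a header line followed by NUL-separated key=value pairs. */
static const char SAMPLE_UEVENT[] =
    "add@/devices/pci0000:00/0000:00:14.0/usb1/1-2\0ACTION=add\0"
    "DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2\0SUBSYSTEM=usb\0"
    "DEVNAME=bus/usb/001/004\0PRODUCT=781/5591/100";
#define SAMPLE_LEN sizeof SAMPLE_UEVENT
/* Build the triplet, devname and devpath from a uevent payload. The payload carries no
 * serial; a real daemon reads <sysfs>/<DEVPATH>/serial, so the caller passes it in.
 * Returns 1 on success, 0 if a required field is missing. */
int parse_uevent(const char *buf, size_t len, const char *serial,
                 struct usb_id *id, char *devname, char *devpath, size_t cap) {
    int have_product = 0;
    devname[0] = devpath[0] = '\0';
    for (size_t off = 0; off < len; off += strlen(buf + off) + 1) {
        const char *kv = buf + off;   /* one key=value pair per NUL-separated segment */
        if (sscanf(kv, "PRODUCT=%x/%x/%*x", &id->vid, &id->pid) == 2) have_product = 1;
        else if (!strncmp(kv, "DEVNAME=", 8)) snprintf(devname, cap, "%s", kv + 8);
        else if (!strncmp(kv, "DEVPATH=", 8)) snprintf(devpath, cap, "%s", kv + 8);
    }
    snprintf(id->serial, sizeof id->serial, "%s", serial);
    return have_product && devname[0] && devpath[0];
}
/* The check the Kprobe callbacks make: -1 refuses the device (claim 3), otherwise
 * the permission bits to apply to its mounted file system (claim 4). All three
 * parts of the triplet must match, so a same-model stick with another serial is refused. */
int lookup_perms(const struct usb_id *id) {
    for (size_t i = 0; i < sizeof whitelist / sizeof whitelist[0]; i++) {
        const struct usb_id *w = &whitelist[i].id;
        if (w->vid == id->vid && w->pid == id->pid && !strcmp(w->serial, id->serial))
            return whitelist[i].perms;
    }
    return -1;
}
/* End-to-end decision for one event: -2 unparsable, -1 refused, else permission bits. */
int decide(const char *buf, size_t len, const char *serial) {
    struct usb_id id; char devname[128], devpath[128];
    if (!parse_uevent(buf, len, serial, &id, devname, devpath, sizeof devname)) return -2;
    return lookup_perms(&id);
}
```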
CN202311300816.1A 2023-10-09 2023-10-09 Access control method for system active USB mobile storage device Pending CN117251838A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311300816.1A CN117251838A (en) 2023-10-09 2023-10-09 Access control method for system active USB mobile storage device

Publications (1)

Publication Number Publication Date
CN117251838A true CN117251838A (en) 2023-12-19

Family

ID=89131128

Country Status (1)

Country Link
CN (1) CN117251838A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination