WO2008135969A1 - Dispositif de stockage et procédé destiné à la manipulation de données - Google Patents

Dispositif de stockage et procédé destiné à la manipulation de données Download PDF

Info

Publication number
WO2008135969A1
WO2008135969A1 PCT/IL2008/000552 IL2008000552W WO2008135969A1 WO 2008135969 A1 WO2008135969 A1 WO 2008135969A1 IL 2008000552 W IL2008000552 W IL 2008000552W WO 2008135969 A1 WO2008135969 A1 WO 2008135969A1
Authority
WO
WIPO (PCT)
Prior art keywords
storage device
restricted
restricted area
data
area
Prior art date
Application number
PCT/IL2008/000552
Other languages
English (en)
Inventor
Amir Mosek
Original Assignee
Sandisk Il Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US11/772,207 external-priority patent/US7636825B2/en
Application filed by Sandisk Il Ltd. filed Critical Sandisk Il Ltd.
Priority to JP2010505004A priority Critical patent/JP4665065B2/ja
Priority to KR1020097022968A priority patent/KR101498014B1/ko
Publication of WO2008135969A1 publication Critical patent/WO2008135969A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0628Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0629Configuration or reconfiguration of storage systems
    • G06F3/0632Configuration or reconfiguration of storage systems by initialisation or re-initialisation of storage systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0602Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/0604Improving or facilitating administration, e.g. storage management
    • G06F3/0605Improving or facilitating administration, e.g. storage management by facilitating the interaction with a user or administrator
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0668Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/0671In-line storage system
    • G06F3/0673Single storage device
    • G06F3/0679Non-volatile semiconductor memory device, e.g. flash memory, one time programmable memory [OTP]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2105Dual mode as a secondary aspect
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149Restricted operating environment

Definitions

  • the present invention relates to systems for enabling an authorized application to access data in restricted storage areas using only a file-system application-interface (FSAPI).
  • FSAPI file-system application-interface
  • NVM Non- volatile memory
  • Access to restricted sub-areas such as the boot partition and system data (e.g. security keys) is restricted; these sub-areas cannot be accessed by applications using only FSAPI.
  • Other storage sub-areas that are intended to serve applications and users are accessed by the file system using FSAPI.
  • This restriction is typically implemented by limiting the range of addresses that are accessible to the file system, excluding the addresses of the restricted sub-areas.
  • Such solutions involve flagging the RAM, rebooting the host system without powering down, checking the flag by the boot code, and loading special code from the boot partition that can access the boot partition.
  • This procedure implies that there will be a non- uniformity among the components involved (e.g. storage device, host system, and OS).
  • Such a situation makes the update of restricted areas (e.g. boot partition) in a storage device a very costly feature.
  • a prior-art system such as that disclosed by Moran, US Patent Application No. 20060031632 (hereinafter referred to as Moran '632), hereby incorporated by reference as if fully set forth herein, discloses a system for storing data without the data being directly written by the file system of the host system.
  • Moran '632 discloses only an internal backup mechanism by which the storage device protects data written by the host system from being lost (by restoring it automatically upon powering up), but fails to disclose how data can be read from a different logical address than the address where the data was written. Therefore, systems according to Moran '632 cannot be useful for enabling access to data in restricted areas.
  • file-system application-interface FSAPI
  • file- system API file-system API
  • storage area is used herein to refer to a sequential logical (not physical) address range of the storage device.
  • FAT32 is used herein to refer to a file system defined in the Microsoft FAT32 specifications.
  • cluster is used herein to refer to a data structure defined in the Microsoft FAT32 specifications.
  • FAT entry is used herein to refer to a data structure defined in the Microsoft FAT32 specifications.
  • file allocation table and “FAT” are used herein to refer to a data structure defined in the Microsoft FAT32 specifications.
  • DIrEntry is used herein to refer to a data structure defined in the Microsoft FAT32 specifications.
  • last update-time field and "LUT field” are used herein to refer to a parameter in the DirEntry, specifying the last time that a file was updated, as defined in the Microsoft FAT32 specifications.
  • file-length parameter is used herein to refer to a parameter in the DirEntry, specifying the length of the file in bytes, as defined in the Microsoft FAT32 specifications.
  • ctor is used herein to refer to a logical sequential address of a data packet.
  • the data packets can be either logical sequential 512 bytes, logical- sequential FAT32 sectors, or logical sequential FAT32 clusters.
  • file is used herein to refer to any data object that can be handled by FSAPI (e.g. a data file, a part of a data file, a directory, and a play list).
  • FSAPI e.g. a data file, a part of a data file, a directory, and a play list.
  • FAT32 sector is used herein to refer to a sector of 512 bytes.
  • logical partition is used herein to refer to a logical sequential range of sectors. Logical partitions can be managed only by one host-software module at a time. Examples of host-software modules include file system and chipset boot ROM.
  • the term "restricted area” is used herein to refer to a logical partition that should not be accessed by the host file-system but by other modules.
  • the term “non-restricted area” is used herein to refer to a logical partition that may be accessed by the host file- system.
  • restrictive sector is used herein to refer to a sector that is in the range of the restricted area.
  • non-restricted sector is used herein to refer to a sector that is in the range of the non-restricted area.
  • smuggling is used herein to refer to an internal storage operation by which the host file-system writes data into one logical address, and the storage device internally enables access to the data at a different logical address. In a special case, smuggling can be used to allow the host file-system to read and write data in restricted areas.
  • the term “smuggled data” is used herein to refer to data on which a smuggling operation has been performed.
  • wasted sector is used herein to refer to a logical sector that the storage device does not use for data storage due to a smuggling operation.
  • releasing space is used herein to refer to the conversion of wasted sectors to sectors that store data.
  • the present invention teaches a method for accessing restricted areas in a storage device using only FSAPI.
  • the first step is to store the file, which is to be smuggled into a restricted area, in a non-restricted area.
  • the file is stored with an attribute that is legitimate in FSAPI, but is recognizable by the storage device as a "smuggling indication”.
  • the second step performed by the storage device, is to search for a "smuggling indication" in the newly-stored file.
  • the third step which takes place only if a smuggling indication has been detected, is the smuggling of the file, which is performed internally by the storage device, to the designated restricted area.
  • the smuggling indication is the name of the file.
  • the smuggling indication is special content in the body of the file (e.g. header, footer, or any other pre-defined offset in the file).
  • the smuggling of the file from the non-restricted area to the restricted area is performed by physically copying the data from the non-restricted area to the restricted area. This is referred to as the "Copy" mode.
  • the smuggling is performed by logically mapping the non-restricted area into the restricted area, so that a device, which needs to read data from the restricted area, is redirected to the non- restricted area. This is referred to as the "Map-Out" mode.
  • the smuggling is performed by converting the logical offset of the smuggled data in the file to a corresponding offset in the restricted area, thereby mapping the non-restricted area to the restricted area for reading.
  • the storage device detects the operation as "reading smuggled data”. The data will be retrieved from the corresponding location in the restricted area by matching the offset in the restricted area to the offset in the smuggled file. This is referred to as the "Map-In" mode.
  • the smuggling in either Copy, Map- Out, or Map-In mode, is performed after the writing into the non- restricted area has been completed, and the file has been closed. In other preferred embodiments of the present invention, in either Map-Out or Map-In mode, the smuggling is performed while the file is being written. . . . . .
  • the storage device reuses the logical addresses of the non-restricted areas, which have been mapped to restricted area addresses and lost, by adding a virtual sub-area beyond the capacity of the storage device, and mapping the virtual sub-area into the lost range of addresses.
  • the application deletes the file that has just been written after waiting a reasonable period of time for the smuggling operation to take place. This procedure releases the non-restricted area for use. This is referred to as the "Copy-Delete" mode.
  • the steps of detection, smuggling, and releasing space can be performed on a part of a file, as described below.
  • the steps of detection, smuggling, and releasing space can be performed on a plurality of files in which each restricted area has its own specific pointer for indicating the destination of the smuggling to the storage device.
  • a computing system (a) a host system having: (i) a file system and a block device driver for running on the host system; and (ii) at least one application for running on the host system; and (b) a storage device having: (i) a controller for controlling the storage device; and (ii) a storage area for storing information in the storage device; and (c) a first mechanism for restricting access, by the file system, to a restricted area of the storage area; and (d) a second mechanism, residing in the storage device, for enabling at least one application to access the restricted area via the file system.
  • the second mechanism is configured to enable the storage device to copy data from a non-restricted area of the storage area to the restricted area.
  • the second mechanism is operative to direct the storage device to route host-system read-requests, directed to addresses in the restricted area, to addresses in a non-restricted area of the storage area.
  • the second mechanism is operative to apply access commands of the host system to restricted data residing in the restricted area when the host system requests access to non-restricted data addressed to a non-restricted area of the storage area.
  • a computer-readable storage medium having computer-readable code embodied on the computer-readable storage medium, the computer-readable code including: (a) program code for restricting access, by a file system running on a host system, to a restricted area of a storage area of a storage device; and (b) program code for enabling at least one application to access the restricted area via the file system.
  • the computer-readable code further includes: (c) program code for enabling the storage device to copy data from a non-restricted area of the storage area to the restricted area.
  • the computer-readable code further includes: (c) program code for directing the storage device to route host-system read-requests, directed to addresses in the restricted area, to addresses in a non-restricted area of the storage area.
  • the computer-readable code further includes: (c) program code for applying access commands of the host system to restricted data residing in the restricted area when the host system requests access to non-restricted data addressed to a non-restricted area of the storage area.
  • Figure 1 is a simplified schematic block diagram of a computing system for smuggling data and releasing space of a storage device, according to preferred embodiments of the present invention
  • Figure 2A is a simplified block diagram of a Copy-Delete mode for smuggling data and releasing space showing the logical partitions of a storage device, according to preferred embodiments of the present invention
  • Figure 2B shows the partitions of Figure 2A after receiving a write request from FAT32 for smuggled data
  • Figure 2C shows the partitions of Figure 2B after the storage device internally copies the smuggled data into the restricted area
  • Figure 2D shows the partitions of Figure 2C after the smuggled data that was stored in the non-restricted area is deleted;
  • Figure 3 A is a simplified block diagram of a Map-In mode of smuggling data showing the logical partitions of a storage device, according to preferred embodiments of the present invention
  • Figure 3B shows the partitions of Figure 3A after receiving a write request from FAT32 to write a data sector into a non-restricted sector;
  • Figure 3C shows the partitions of Figure 3B after the data sector has been stored internally by the storage device in a restricted sector
  • Figure 4A is a simplified block diagram of a Map-Out mode of smuggling data showing the logical partitions of a storage device, according to preferred embodiments of the present invention
  • Figure 4B shows the partitions of Figure 4A after receiving a write request from FAT32 to write a data sector into a non-restricted sector;
  • Figure 4C shows the partitions of Figure 4B after a restricted sector has been mapped by the storage device to the non-restricted sector that was written in
  • Figure 4B is a simplified block diagram of a Map-In mode of smuggling data showing the logical partitions of a storage device, according to preferred embodiments of the present invention
  • Figure 5B shows the partitions of Figure 5A after receiving a write request from FAT32 to write a data sector into a non-restricted sector;
  • Figure 5C shows the partitions of Figure 5B after receiving a write request from FAT32 to write a data sector into a virtual sector;
  • Figure 5D shows the partitions of Figure 5C after receiving a request from
  • Figure 6A is a simplified block diagram of a Map-Out mode of smuggling data showing the logical partitions of a storage device, according to preferred embodiments of the present invention
  • Figure 6B shows the partitions of Figure 6A after receiving a write request from FAT32 to write a data sector into a non-restricted sector;
  • Figure 6C shows the partitions of Figure 6B after receiving a write request from FAT32 to write a data sector into a virtual sector;
  • Figure 6D shows the partitions of Figure 6C after receiving a read request from FAT32 to read a virtual sector
  • Figure 7A is a simplified flowchart of the data-smuggling detection-scheme, implemented in a host system having a storage device, for Scenario (A): create a new smuggled file, according to preferred embodiments of the present invention
  • Figure 7B is a simplified flowchart of the data-smuggling detection-scheme, implemented in a host system having a storage device, for Scenario (B): delete a smuggled file, according to preferred embodiments of the present invention
  • Figure 7C is a simplified flowchart of the data-smuggling detection-scheme, implemented in a host system having a storage device, for Scenario (C): overwrite a smuggled file, according to preferred embodiments of the present invention
  • Figure 7D is a simplified flowchart of the data-smuggling detection-scheme, implemented in a host system having a storage device, for Scenario (D): update a smuggled file, according to preferred embodiments of the present invention
  • Figure 7E is a simplified flowchart of the data-smuggling detection-scheme, implemented in a host system having a storage device, for Scenario (E): append to a smuggled file, according to preferred embodiments of the present invention.
  • the present invention relates to systems for enabling an authorized application to access data in restricted storage areas using only FSAPI.
  • the principles and operation for enabling an authorized application to access data in restricted storage areas using only FSAPI, according to the present invention, may be better understood with reference to the accompanying description and the drawings.
  • the storage device is divided into two logical partitions: a restricted area for storing an OS image, the OS image, and a non-restricted area for storing user applications and data files.
  • the host-system processor accesses the storage device's restricted area by executing a software code stored in the host-system processor's NVM.
  • This software code which is the boot ROM, is automatically executed by the host-system processor upon powering up.
  • the host- system processor loads the OS image from the restricted area to the host-system RAM, moves to the start address in the RAM, and then executes the code.
  • the boot ROM is limited in size, and therefore, cannot include any information regarding FAT32 metadata and data structures.
  • the host system accesses the storage device's non-restricted area via the FAT32.
  • the FAT32 is executed when the boot process is completed.
  • the non-restricted area starts from sector "FAT32StartSector" that can be any sector greater than the OS-image sectors.
  • the storage device has software or hardware logic, referred to herein as the "FAT32 engine", that recognizes the metadata and the data structures used by the FAT32, such as the location and the structure of the FAT and DIR entries.
  • FAT32 engine software or hardware logic
  • the OS image (stored in the restricted area) is updated by user- application requests, via the FAT32, to write data into the non- restricted area.
  • the storage device stores, in a non- volatile hidden area (i.e. hidden from the host-system processor, the boot ROM, and the FAT32), a string which includes the name of a file to be smuggled (e.g. OSIMAGE.BIN), and a pointer (e.g. 4 bytes) to the start sector of the restricted area.
  • a non- volatile hidden area i.e. hidden from the host-system processor, the boot ROM, and the FAT32
  • a string which includes the name of a file to be smuggled e.g. OSIMAGE.BIN
  • a pointer e.g. 4 bytes
  • FIG. 1 is a simplified schematic block diagram of a computing system for smuggling data and releasing space of a storage device, according to preferred embodiments of the present invention.
  • a computing system 2 having a host system 4, is shown.
  • Host system 4 includes a file system 5, an OS 6, drivers 7, a host-system processor 8, and an application 9.
  • Drivers 7 include standard block device drivers.
  • Host system 4 is shown operationally connected to a storage device 10 having a controller 12 and a storage area 14.
  • Storage area 14 has a restricted area 16 and a non-restricted area 18.
  • Figures 2A-D are simplified block diagrams of a Copy-Delete mode for smuggling data and releasing space at various stages of the process, according to preferred embodiments of the present invention.
  • Figures 2A-D show four stages for updating an OS image by smuggling data into a restricted area via a non-restricted area, and then releasing the non-restricted area of any intermediate data that was generated during the smuggling process.
  • Figure 2A is a simplified block diagram of a Copy-Delete mode for smuggling data and releasing space showing the logical partitions of a storage device, according to preferred embodiments of the present invention.
  • the storage device has two partitions, a restricted area 20 for storing the OS image, and a non-restricted area 22 for storing user data.
  • Figure 2B shows the partitions of Figure 2A after receiving a write request from FAT32 for smuggled data.
  • Figure 2B shows a smuggled file 24 (e.g. OS image).
  • the storage device stores smuggled file 24 in non-restricted area 22. The detection process is described with regard to Figures 7A-E.
  • FIG 2C shows the partitions of Figure 2B after the storage device internally copies the smuggled data into the restricted area.
  • Smuggled file 24 is shown copied into restricted area 20.
  • Smuggled file 24 then becomes a restricted file 26 (i.e. a data file that cannot be accessed by FAT32).
  • Figure 2D shows the partitions of Figure 2C after the smuggled data that was stored in the non-restricted area is deleted.
  • the deletion of smuggled file 24 can be initiated by the application that wrote the file (after a safety delay that allows the storage device to complete the smuggling), or by the storage device itself (upon the next powering up).
  • smuggled file 24 being the OS image
  • the OS image is stored in the restricted area (as restricted file 26), and can be accessed by the host- system processor's boot ROM, but cannot be read by FAT32.
  • the Copy-Delete mode of smuggling data and releasing space is not applicable to partial updates of an OS image, but only to cases in which the OS image is fully updated.
  • Figures 3A-C are simplified block diagrams of a Map-In mode of smuggling data at various stages of the process, according to preferred embodiments of the present invention.
  • Figures 3A-C show three stages for updating an OS image by writing the data into a non-restricted area, and then smuggling the data by mapping the non-restricted area into a restricted area.
  • Figure 3A is a simplified block diagram of a Map-In mode of smuggling data showing the logical partitions of a storage device, according to preferred embodiments of the present invention.
  • restricted area 20 for storing the OS image
  • non-restricted area 22 for storing user data.
  • Figure 3B shows the partitions of Figure 3A after receiving a write request from FAT32 to write a data sector into a non-restricted sector.
  • a data sector 30 is shown being written into a non-restricted sector 32.
  • the storage device detects (according to the data-smuggling detection-scheme described with regard to Figures 7A-E) that FAT32 sent requests for writing data sector 30 that match the criteria of the smuggled file, then the storage device maps (Mapping A) non-restricted sector 32 to a restricted sector 34 by "translating" sector numbers of non-restricted sector 32 into restricted-area sector numbers of restricted sector 34.
  • the “translation” is performed as follows: the storage device calculates the offset of non-restricted sector 32 in the file (described in detail with regard to Figures 7A-E), and the sector offset is translated to a sector offset in restricted area 20.
  • Figure 3C shows the partitions of Figure 3B after the data sector has been stored internally by the storage device in a restricted sector.
  • Any write request from FAT32 (to non-restricted sector 32), or from the host-system's boot-ROM code (to restricted sector 34) is routed internally by the storage device to restricted sector 34.
  • the routing mechanism is managed by the storage device, which manages a lookup table of non-restricted to restricted sectors. Every entry in the table includes a non- restricted sector number that was smuggled, and a corresponding restricted sector number that was mapped in Figure 3B.
  • the storage device monitors the write requests coming from FAT32, and checks in the lookup table if the non-restricted sector is requested.
  • the storage device routes (Mapping B) the write request for the data sector, which is expected to be located in a sector 36, to be actually written in a sector 38.
  • This process is referred to as the Map- In mode, since the process maps sectors in the range of a non-restricted area into sectors in the range of a restricted area.
  • the Map-In mode is mostly applicable to cases in which the host-system processor requires fast response from the storage device, and thus, is not tolerant of the "preparations" required by the FAT32 engine of the storage device in order to build the lookup table.
  • the preparations required by the FAT32 engine are described with regard to Figures 7A-E.
  • the Map-In mode internally routes the FAT32 requests (executed by the host-system processor) to restricted sectors according to the lookup table without indication to FAT32.
  • the non-restricted sectors that appear in the lookup table are not used by the storage device for storing data.
  • a method for such wasted sectors to be reused by FAT32 is described with regard to Figures 5A-D.
  • Figures 4A-C are simplified block diagrams of a Map-Out mode of smuggling data at various stages of the process, according to preferred embodiments of the present invention.
  • Figures 4A-C show three stages for updating an OS image by smuggling data directly into a non-restricted sector, and then mapping out a restricted sector into the non-restricted sector.
  • Figure 4A is a simplified block diagram of a Map-Out mode of smuggling data showing the logical partitions of a storage device, according to preferred embodiments of the present invention. Restricted area 20 and non-restricted area 22 are shown (as described with regard to Figures 2A and 2A).
  • Figure 4B shows the partitions of Figure 4A after receiving a write request from FAT32 to write a data sector into a non-restricted sector.
  • the storage device stores the data in a non-restricted sector 40 as requested by FAT32.
  • Figure 4C shows the partitions of Figure 4B after a restricted sector has been mapped by the storage device to the non-restricted sector that was written in Figure 4B.
  • a data sector 42 is internally mapped (Mapping C), according to the lookup table described with regard to Figure 3C, by the storage device into non-restricted sector 40.
  • the Map-Out mode maps sectors in the range of a restricted area into sectors in the range of a non-restricted area. Such mappings create a situation in which the restricted sectors that appear in the lookup table are not used by the storage device for storing OS-image data. A method for such wasted sectors to be reused by FAT32 is described with regard to Figures 6A-D.
  • the Map-Out mode is mostly applicable to cases in which the host-system processor does not require fast response from the storage device, and thus, is not tolerant of the preparations required by the FAT32 engine of the storage device in order to build the lookup table.
  • Figures 5A-D are simplified block diagrams of releasing space in the Map-In mode of smuggling data at various stages of the process, according to preferred embodiments of the present invention.
  • Figures 5A-D show four stages for utilizing wasted sectors created during the Map-In process.
  • FIG. 5A is a simplified block diagram of a Map-In mode of smuggling data showing the logical partitions of a storage device, according to preferred embodiments of the present invention.
  • a restricted area 50 for storing the OS image, a non-restricted area 52 for storing user data, and a virtual area 54 are shown.
  • the storage device presents to the host system virtual area 54 having the size of restricted area 50.
  • Virtual area 54 is a logical sequential range of sectors.
  • the storage device presents, to FAT32 of the host system, an area having sectors for non-restricted area 52 and sectors for virtual area 54.
  • FAT32 manages non- restricted area 52 and virtual area 54 as one non-restricted area.
  • Figure 5B shows the partitions of Figure 5A after receiving a write request from FAT32 to write a data sector into a non-restricted sector.
  • a data sector 56 is shown being written into a non-restricted sector 58.
  • the storage device detects (according to the data-smuggling detection-scheme described with regard to Figures 7A-E) that FAT32 sent requests for writing data sector 56 that match the criteria of the smuggled file, then the storage device checks the lookup table, and gets the sector number for a restricted sector 60 for writing the smuggled data.
  • the storage device routes (Mapping D) data sector 56 to be stored into restricted sector 60.
  • FIG. 5C shows the partitions of Figure 5B after receiving a write request from FAT32 to write a data sector into a virtual sector.
  • Smuggled data 62 stored in restricted area 50, is shown receiving a request to write a data sector 64 into a virtual sector 66 in the range of virtual area 54 from FAT32 executed on the host-system processor.
  • the storage device in addition to the lookup table mentioned with regard to Figure 3C, manages a "virtual-to-logical" (VTL) lookup table. Every entry in the VTL table includes a virtual sector number and a corresponding non-restricted sector number.
  • VTL virtual-to-logical
  • the storage device When FAT32 tries to write data sector 64 to a virtual data sector 66 (a sector in the range of virtual area 54), the storage device internally checks the VTL lookup table to determine if virtual sector 66 has already been mapped to a non-restricted sector.
  • the storage device internally routes (Mapping E) the FAT32 request to a matching non-restricted sector 68. If virtual sector 66 has not been mapped yet, the storage device goes checks the non-restricted sector-numbers in the VTL lookup table to see whether a virtual sector is mapped to a non-restricted sector. If the storage device finds a non-restricted sector to which no virtual sector is mapped (i.e.
  • the storage device maps (Mapping E) virtual sector 66 to non-restricted sector 68 (the available "wasted sector), and updates the corresponding entry in the VTL lookup table with the non-restricted sector-number.
  • the storage device then internally stores data sector 64 (sent by FAT32 to virtual sector 66) into sector 68.
  • the storage device updates the lookup table with the mapped sector-number of restricted sector 62 (as described with regard to Figures 3C).
  • FAT32 tries to access (i.e. read or write) non-restricted sector 68 (as shown in Figure 5C)
  • the storage device internally routes (Mapping F) the request to restricted sector 62 (in restricted area 50).
  • the storage device uses the available storage area in restricted area 50 to store data sectors that are sent by FAT32 to a virtual address. These data sectors are then mapped directly from virtual area 54 into restricted area 50. As soon as more data is smuggled into restricted area 50, and more wasted area is created in non- restricted area 52, the storage device moves these "directly-mapped" data sectors from restricted area 50 to non-restricted area 52, making restricted area 50 available for the newly-smuggled data.
  • Figure 5D shows the partitions of Figure 5C after receiving a request from FAT32 to read or a virtual sector that has been mapped by the storage device to the non-restricted sector that was already mapped into a restricted sector in Figure 5C.
  • FAT32 tries to read or write virtual sector 66, which has already been mapped into a non-restricted logical sector 70 (which, in turn, has already been mapped into restricted sector 62), from the storage device.
  • the storage device checks the VTL lookup table for mapped non-restricted logical sector 70, and routes (Mapping G) the FAT32 request to non-restricted logical sector 70.
  • Figures 6A-D are simplified block diagrams of releasing space in the Map-Out mode of smuggling data at various stages of the process, according to preferred embodiments of the present invention. Figures 6A-D show four stages for utilizing wasted sectors created during the Map-Out process.
  • Figure 6A is a simplified block diagram of a Map-Out mode of smuggling data showing the logical partitions of a storage device, according to preferred embodiments of the present invention. Restricted area 50, non-restricted area 52, and virtual area 54 are shown (as described with regard to Figure 5A).
  • Figure 6B shows the partitions of Figure 6A after receiving a write request from FAT32 to write a data sector into a non-restricted sector.
  • a data sector 72 is shown being written into a non-restricted sector 74. If the storage device detects (according to the data-smuggling detection-scheme described with regard to Figures 7A-E) that FAT32 sent requests for writing data sector 72 that match the criteria of the smuggled file, then the storage device checks the lookup table (described with regard to Figure 3C), and gets the sector number for a restricted sector 76.
  • the storage device internally stores data sector 72 into non-restricted sector 74.
  • the storage device updates the lookup table with the sector number of mapped non-restricted sector 74.
  • the host-system processor tries to read the OS image from restricted sector 76 in restricted area 50, the storage device internally routes (Mapping H) the request to data sector 74 in non- restricted area 52 instead of to the restricted sector 76.
  • Figure 6C shows the partitions of Figure 6B after receiving a write request from FAT32 to write a data sector into a virtual sector.
  • a data sector 78 is shown being written into virtual sector 80 by FAT32 executed on host processor.
  • the storage device translates an address of virtual area 54 into an address of restricted area 50 by applying a fixed offset.
  • the storage device internally offsets (Mapping I) the address from virtual area 54 into restricted area 50, and stores data sector 78 in restricted area 50.
  • mapping J the data that is intended for restricted area 50 is actually stored in non-restricted area 52, and the storage device retrieves (Mapping J) the data from a mapped non-restricted sector 82 in non-restricted area 52.
  • Figure 6D shows the partitions of Figure 6C after receiving a read request from FAT32 to read a virtual sector.
  • the storage device receives a read request from FAT32 to read virtual sector 80, the storage device applies the fixed offset (Mapping K), and reads a data sector 84 from restricted area 50.
  • Figures 7A-E are simplified flowcharts of the data-smuggling detection- scheme, implemented in a host system having a storage device, for the various data- smuggling scenarios listed below, according to preferred embodiments of the present invention.
  • Figures 7A-E show five data-smuggling scenarios for a smuggled file, covering all the ordinary update operations that FAT32 might need to perform on any file in the storage device.
  • the data-smuggling scenarios are:
  • (C) overwrite a smuggled file (when a new smuggled file needs to replace an old smuggled file by deleting the old smuggled file, and creating the new smuggled file);
  • the data-smuggling detection-scheme makes use of monitoring any write request coming from FAT32 to the storage device, and identifying whether the request is for the FAT, directory entry FAT32 sector, or data cluster.
  • Data that is intended to update a file by smuggling the file is identified by detection of a pre-defined string that is stored in NVM.
  • the pre-defined string hereinafter referred to as the "smuggled-file identifier”
  • the smuggled-file identifier is the full path and file name of the smuggled file.
  • the smuggled-file identifier is sent by the application, via FAT32, as a part of the smuggled-file directory-entry data.
  • Step 102 the storage device initializes the FAT32 engine as follows (Step 102):
  • the storage device mounts the FAT32 engine
  • the storage device sets a pointer, hereinafter referred to as "smuggled- file DirEntry pointer", that points to smuggled DirEntry address (DirEntry sector and offset within the FAT32 sector) to NULL;
  • FileExistsFlag is a binary parameter having the values "TRUE” or "FALSE”, as follows:
  • the storage device checks whether a file with the filename of the smuggled-file identifier exists (looks for a DirEntry of the file in NVM);
  • the storage device reads the entire FAT chain from FAT, and then reconstructs the smuggled-file data-cluster numbers by following the linked list.
  • Step 104 the storage device then waits for a write request from FAT32 (Step 104).
  • the storage device checks whether the FileExistsFlag is TRUE or FALSE (Step 106). At this point, the individual data-smuggling scenarios follow different flows in Figures 7A-E that are described below.
  • FIG. 7A is a simplified flowchart of the data-smuggling detection-scheme, implemented in a host system having a storage device, for Scenario (A): create a new smuggled file, according to preferred embodiments of the present invention.
  • a Flow A (represented by a dotted line) in Figure 7A depicts the procedural path for creating a new smuggled file.
  • Flow A performs the following steps.
  • Step 100 the storage device performs its internal initialization, and sets the FileExistsFlag to FALSE, and the smuggled-file DirEntry Pointer to point at the last cluster of DirEntries of the directory where the new smuggled file is supposed to be stored (Step 102).
  • the storage device then waits for the write request (Step 104), and checks the FileExistsFlag (Step 106). Since the file does not exist at this point in Scenario (A), FileExistsFlag is FALSE, and the storage device checks whether the conditions below are valid (Step 108).
  • FIG 7B is a simplified flowchart of the data-smuggling detection-scheme, implemented in a host system having a storage device, for Scenario (B): delete a smuggled file, according to preferred embodiments of the present invention.
  • a Flow B in Figure 7B depicts the procedural path for deleting a smuggled file.
  • the storage device checks the FileExistsFlag (Step 106). If FileExistsFlag is TRUE, the storage device checks whether the new DirEntry is being updated or not (i.e. verifies if the currently- written FAT32 sector is the same as the smuggled-file DirEntry pointer) (Step 112).
  • the storage device checks if the write request to the DirEntry is a "close” operation (by checking the LUT field and the file-length parameter in the DirEntry which are updated in this case) (Step 114). If the write request is a close operation, the storage device waits for the next "update operations" (i.e. write requests) from FAT32 (Step 104).
  • Step 114 If the write request to the DirEntry is not a "close” operation (Step 114), meaning that the storage device detects that the write request to the smuggled-file DirEntry is a "delete” operation by writing a "delete flag" to the smuggled-file DirEntry, the storage device sets the FileExistsFlag to FALSE, updates the smuggled- file DirEntry pointer, cleans the smuggled-file cluster-numbers in the linked list (so that no data cluster belongs to the smuggled file) (Step 116), and waits for the next write operation from FAT32 (Step 104).
  • Figure 7C is a simplified flowchart of the data-smuggling detection-scheme, implemented in a host system having a storage device, for Scenario (C): overwrite a smuggled file, according to preferred embodiments of the present invention.
  • the flow for overwriting a smuggled file is a combination of Flow B of Figure 7B for deleting a smuggled file, followed by Flow A of Figure 7A for creating a new smuggled file.
  • the procedural path for overwriting a smuggled file is depicted in Figure 7C as a Flow Cl, related to Flow B of Figure 7B (i.e.
  • Steps 100, 102, 104, 106, 112, 114, 116, and 104 followed by a Flow C2, related to Flow A of Figure 7A (i.e. the sequence of Steps 104, 106, 108, 110, and 104).
  • Figure 7D is a simplified flowchart of the data-smuggling detection-scheme, implemented in a host system having a storage device, for Scenario (D): update a smuggled file, according to preferred embodiments of the present invention.
  • a Flow D in Figure 7D depicts the procedural path for updating a smuggled file in place. If the smuggled-file DirEntry is not being updated (Step 112), the storage device checks whether the current write request is updating one of the smuggled-file data-clusters by checking if the write request refers to one of the smuggled-file cluster-numbers in the linked list (Step 118).
  • the storage device finds that one of smuggled-file data- clusters is being updated, then the storage device smuggles the data clusters (using the Map-In or Map-Out smuggling mode described in Figures 3 and 3), and sets the FileExistsFlag (Step 120), and then waits for the next write request (Step 104). It is noted that in Scenario (B) (Step 106 of Figure 7B) the FileExistsFlag can be detected as TRUE due to being set in Scenario (D) (Step 120 of Figure 7D).
  • Figure 7E is a simplified flowchart of the data-smuggling detection-scheme, implemented in a host system having a storage device, for Scenario (E): append to a smuggled file, according to preferred embodiments of the present invention.
  • a Flow E in Figure 7E depicts the procedural path for appending to a smuggled file.
  • the storage device checks if at least one of the FAT entries that are being updated refers to the smuggled-file data-clusters in the FAT by checking if the write request refers to one of the smuggled-file cluster-numbers in the linked list (Step 122). If one or more of the smuggled-file data-cluster FAT entries in the FAT are being updated, the storage device updates the smuggled-file cluster-numbers in the linked list with the new or deleted cluster numbers (Step 124), and then waits for the next write request from FAT32 (Step 104).
  • FAT32 Eventually, after FAT32 updates the smuggled-file data-clusters and/or the data-cluster FAT entries in the FAT, FAT32 will have to close the file by updating the LUT field and possibly file-length field in the smuggled-file DirEntry as described above.
  • the storage device waits for the write requests from FAT32 (Step 104), and expects one of the following scenarios to happen:
  • the storage device After performing the sequence of Steps 100 and 102, the storage device performs the sequence of Steps 104, 106, 112, 114, and 116 (described above);
  • the storage device After performing the sequence of Steps 100 and 102, the storage device performs the sequence of Steps 104, 106, 112, 118, and 120 (described above) several times. The number of iterations that the storage device performs these steps depends on the number of updates coming from FAT32; or
  • the storage device performs the sequence of Steps 104, 106, 112, 118, 122, and 124 (described above) several times due to allocation of the new data-cluster FAT entries. The number of iterations that the storage device performs depends on the number of data-cluster FAT entries being updated.
  • the storage device also performs the sequence of Steps 104, 106, 112, 118, and 120 (Scenario (D)) several times due to the newly-allocated data-cluster updates. The number of iterations that the storage device performs depends on the number of data-cluster updates. While the invention has been described with respect to a limited number of embodiments, it will be appreciated that many variations, modifications, and other applications of the invention may be made.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Human Computer Interaction (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

L'invention a trait à un support de stockage lisible par ordinateur comprenant un code lisible par ordinateur, et à des procédés destinés à son utilisation. Ledit support inclut : un code de programme pour limiter l'accès, par un système de fichiers fonctionnant sur un système hôte, à une zone à accès réservé faisant partie de la zone de stockage d'un dispositif de stockage ; et un code de programme pour permettre à une ou plusieurs applications d'accéder à la zone à accès réservé par l'intermédiaire du système de fichiers. Le code lisible par ordinateur comprend également, de préférence : un code de programme pour permettre au dispositif de stockage de copier dans la zone à accès réservé des données provenant d'une zone à accès non réservé ; un code de programme pour obliger le dispositif de stockage à acheminer les demandes de lecture par le système hôte, destinées à des adresses dans la zone à accès réservé, vers des adresses qui se trouvent dans une zone à accès non réservé ; un code de programme pour appliquer des commandes d'accès du système hôte à des données à accès réservé résidant dans la zone à accès réservé lorsque le système hôte demande à accéder à des données à accès non réservé dans une zone à accès non réservé.
PCT/IL2008/000552 2007-05-03 2008-04-27 Dispositif de stockage et procédé destiné à la manipulation de données WO2008135969A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2010505004A JP4665065B2 (ja) 2007-05-03 2008-04-27 記憶装置およびデータスマグリングの方法
KR1020097022968A KR101498014B1 (ko) 2007-05-03 2008-04-27 내부 저장 동작을 사용하는 데이터에 대해 데이터를 기록하기 위한 저장 장치와 방법

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US91568807P 2007-05-03 2007-05-03
US60/915,688 2007-05-03
US11/772,207 US7636825B2 (en) 2007-05-03 2007-06-30 Storage device for data-smuggling
US11/772,211 US7822935B2 (en) 2007-05-03 2007-06-30 Methods for data-smuggling
US11/772,211 2007-06-30
US11/772,207 2007-06-30

Publications (1)

Publication Number Publication Date
WO2008135969A1 true WO2008135969A1 (fr) 2008-11-13

Family

ID=39677739

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2008/000552 WO2008135969A1 (fr) 2007-05-03 2008-04-27 Dispositif de stockage et procédé destiné à la manipulation de données

Country Status (1)

Country Link
WO (1) WO2008135969A1 (fr)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011146202A1 (fr) * 2010-05-20 2011-11-24 Sandisk Il Ltd. Dispositif hôte et procédé permettant d'accéder à un fichier virtuel dans un dispositif de stockage sans passer par un cache dans le dispositif hôte
WO2012127266A1 (fr) * 2011-03-23 2012-09-27 Sandisk Il Ltd. Dispositif de stockage et procédé de mise à jour des données dans une partition du dispositif de stockage
US8301694B2 (en) 2010-05-20 2012-10-30 Sandisk Il Ltd. Host device and method for accessing a virtual file in a storage device by bypassing a cache in the host device
US9092597B2 (en) 2009-12-09 2015-07-28 Sandisk Technologies Inc. Storage device and method for using a virtual file in a public memory area to access a plurality of protected files in a private memory area

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5579522A (en) * 1991-05-06 1996-11-26 Intel Corporation Dynamic non-volatile memory update in a computer system
WO2005013133A2 (fr) * 2003-07-28 2005-02-10 Sandisk Secure Content Solutions, Inc. Systeme, appareil et procede de commande d'un dispositif de stockage
WO2006066604A1 (fr) * 2004-12-22 2006-06-29 Telecom Italia S.P.A. Procede et systeme de controle d'acces et de protection des donnees dans des memoires numeriques, memoire numerique apparentee et programme informatique correspondant

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5579522A (en) * 1991-05-06 1996-11-26 Intel Corporation Dynamic non-volatile memory update in a computer system
WO2005013133A2 (fr) * 2003-07-28 2005-02-10 Sandisk Secure Content Solutions, Inc. Systeme, appareil et procede de commande d'un dispositif de stockage
WO2006066604A1 (fr) * 2004-12-22 2006-06-29 Telecom Italia S.P.A. Procede et systeme de controle d'acces et de protection des donnees dans des memoires numeriques, memoire numerique apparentee et programme informatique correspondant

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9092597B2 (en) 2009-12-09 2015-07-28 Sandisk Technologies Inc. Storage device and method for using a virtual file in a public memory area to access a plurality of protected files in a private memory area
WO2011146202A1 (fr) * 2010-05-20 2011-11-24 Sandisk Il Ltd. Dispositif hôte et procédé permettant d'accéder à un fichier virtuel dans un dispositif de stockage sans passer par un cache dans le dispositif hôte
US8301715B2 (en) 2010-05-20 2012-10-30 Sandisk Il Ltd. Host device and method for accessing a virtual file in a storage device by bypassing a cache in the host device
US8301694B2 (en) 2010-05-20 2012-10-30 Sandisk Il Ltd. Host device and method for accessing a virtual file in a storage device by bypassing a cache in the host device
US8601088B2 (en) 2010-05-20 2013-12-03 Sandisk Il Ltd. Host device and method for accessing a virtual file in a storage device by bypassing a cache in the host device
US8694598B2 (en) 2010-05-20 2014-04-08 Sandisk Il Ltd. Host device and method for accessing a virtual file in a storage device by bypassing a cache in the host device
WO2012127266A1 (fr) * 2011-03-23 2012-09-27 Sandisk Il Ltd. Dispositif de stockage et procédé de mise à jour des données dans une partition du dispositif de stockage
US8909900B2 (en) 2011-03-23 2014-12-09 Sandisk Il Ltd. Storage device and method for updating data in a partition of the storage device

Similar Documents

Publication Publication Date Title
US7636825B2 (en) Storage device for data-smuggling
US6948165B1 (en) Method for installing an application program, to be executed during each bootload of a computer system for presenting a user with content options prior to conventional system startup presentation, without requiring a user's participation to install the program
US7953948B1 (en) System and method for data protection on a storage medium
US6999913B2 (en) Emulated read-write disk drive using a protected medium
JP5636034B2 (ja) データ利用についてのマウント時間の調停
US8370835B2 (en) Method for dynamically generating a configuration for a virtual machine with a virtual hard disk in an external storage device
US7032107B2 (en) Virtual partition for recording and restoring computer data files
US6915420B2 (en) Method for creating and protecting a back-up operating system within existing storage that is not hidden during operation
JP6450598B2 (ja) 情報処理装置、情報処理方法およびプログラム
US9933948B2 (en) Tiered storage system, computer using tiered storage device, and method of correcting count of accesses to file
US9778860B2 (en) Re-TRIM of free space within VHDX
WO2005071522A1 (fr) Procede de redemarrage a vitesse elevee, dispositif de traitement d'informations et programme correspondant
CN109074308B (zh) 适应性的块转换表(btt)
JP2007249573A (ja) 自動拡張可能なボリュームに対して最適なi/oコマンドを発行するストレージシステム及びその制御方法
US20140372710A1 (en) System and method for recovering from an unexpected shutdown in a write-back caching environment
US11409451B2 (en) Systems, methods, and storage media for using the otherwise-unutilized storage space on a storage device
US20060085663A1 (en) Method for keeping snapshot image in a storage system
WO2008135969A1 (fr) Dispositif de stockage et procédé destiné à la manipulation de données
US20190179803A1 (en) Apparatus and method for file sharing between applications
JP2000305818A (ja) チップカードのメモリ断片化解消(デフラグ)
US20190004838A1 (en) Hypervisor with virtual-memory file system
US20140059293A1 (en) Method for protecting a gpt cached disks data integrity in an external operating system environment
TWI564803B (zh) 用於儲存虛擬化的系統和方法
EP2306294A1 (fr) Procédé permettant d'accéder à un système de stockage comprenant de multiples systèmes de fichiers

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08738254

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2010505004

Country of ref document: JP

ENP Entry into the national phase

Ref document number: 20097022968

Country of ref document: KR

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08738254

Country of ref document: EP

Kind code of ref document: A1