WO2023098406A1 - USB device access control method, apparatus and electronic device - Google Patents
- Publication number
- WO2023098406A1 (PCT application PCT/CN2022/130163)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- descriptor
- usb
- usb device
- access control
- registration information
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/82—Protecting input, output or interconnection devices
- G06F21/85—Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
- G06F13/38—Information transfer, e.g. on bus
- G06F13/40—Bus structure
- G06F13/4004—Coupling between buses
- G06F13/4022—Coupling between buses using switching circuits, e.g. switching matrix, connection or expansion network
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
- G06F13/38—Information transfer, e.g. on bus
- G06F13/42—Bus transfer protocol, e.g. handshake; Synchronisation
- G06F13/4282—Bus transfer protocol, e.g. handshake; Synchronisation on a serial bus, e.g. I2C bus, SPI bus
Definitions
- the present disclosure relates to the field of device access control, in particular, to a USB device access control method, device, electronic device, and computer-readable medium.
- because of the particular nature of these systems, the security protection software available on the market is often not suitable for such hosts or equipment, and installing security software can easily cause compatibility problems with the host's original software and may even affect its performance.
- the hosts of these engineer stations or operator stations are basically never upgraded to a newer operating system after they go online. Even after security software is installed, the anti-malware software version and the malicious-code signature library are often not updated in time, so comprehensive security protection cannot be achieved.
- the present disclosure provides a USB device access control method, device, electronic device and computer readable medium, which can protect the data security of the protected device through the USB access control device externally connected to the protected device.
- a USB device access control method is proposed. The method is applied to a USB access control device, which is connected to the protected device through an interface, and includes: when a USB device is inserted into the USB access control device, obtaining the descriptor of the USB device; comparing the descriptor of the USB device with the registration information of the USB device; if the descriptor of the USB device is the same as the registration information of the USB device, closing a switch deployed in the USB access control device so that the USB device can communicate with the protected device; while the USB device communicates with the protected device, continuing to obtain the descriptor of the USB device and to compare it with the registration information of the USB device; and if the descriptor of the USB device differs from the registration information of the USB device, opening (disconnecting) the switch deployed in the USB access control device.
- acquiring the descriptor of the USB device includes: sending a Get_Descriptor control packet to the USB device; and receiving the device descriptor that the USB device returns in response to the Get_Descriptor control packet.
- comparing the descriptor of the USB device with the registration information of the USB device includes comparing whether each of bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType, and bString in the device descriptor is the same as the corresponding field in the registration information.
- closing the switch deployed in the USB access control device includes: if bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType, and bString in the device descriptor are each the same as the corresponding bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType, and bString in the registration information, closing the switch deployed in the USB access control device.
- disconnecting the switch deployed in the USB access control device includes: if any one of bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType, and bString in the device descriptor differs from the corresponding field in the registration information, opening the switch deployed in the USB access control device.
- acquiring the descriptor of the USB device includes: sending a Get_Descriptor_Configuration control packet to the USB device; and receiving the configuration descriptor that the USB device returns in response to the Get_Descriptor_Configuration control packet.
- comparing the descriptor of the USB device with the registration information of the USB device includes comparing whether each of bNumInterfaces, bConfigurationValue, and wTotalLength in the configuration descriptor is the same as the corresponding field in the registration information.
- closing the switch deployed in the USB access control device includes: if bNumInterfaces, bConfigurationValue, and wTotalLength in the configuration descriptor are each the same as the corresponding bNumInterfaces, bConfigurationValue, and wTotalLength in the registration information, closing the switch deployed in the USB access control device.
- disconnecting the switch deployed in the USB access control device includes: if any one of bNumInterfaces, bConfigurationValue, and wTotalLength in the configuration descriptor differs from the corresponding field in the registration information, opening the switch deployed in the USB access control device.
- obtaining the descriptor of the USB device includes: sending a Get_Descriptor_Configuration control packet to the USB device; and receiving the interface descriptor that the USB device returns in response to the Get_Descriptor_Configuration control packet.
- comparing the descriptor of the USB device with the registration information of the USB device includes comparing whether each of bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, and bInterfaceProtocol in the interface descriptor is the same as the corresponding field in the registration information.
- closing the switch deployed in the USB access control device includes: if bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, and bInterfaceProtocol in the interface descriptor are each the same as the corresponding bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, and bInterfaceProtocol in the registration information, closing the switch deployed in the USB access control device.
- disconnecting the switch deployed in the USB access control device includes: if any one of bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, and bInterfaceProtocol in the interface descriptor differs from the corresponding field in the registration information, opening the switch deployed in the USB access control device.
- the descriptor of the USB device includes a device descriptor, a configuration descriptor, and an interface descriptor; if the descriptor of the USB device is the same as the registration information of the USB device, closing the switch deployed in the USB access control device includes: if the device descriptor, configuration descriptor, and interface descriptor in the descriptor of the USB device are each the same as the corresponding device descriptor, configuration descriptor, and interface descriptor in the registration information, closing the switch deployed in the USB access control device.
- disconnecting the switch deployed in the USB access control device includes: if any one of the device descriptor, configuration descriptor, and interface descriptor in the descriptor of the USB device differs from the corresponding device descriptor, configuration descriptor, or interface descriptor in the registration information, opening the switch deployed in the USB access control device.
- the descriptor of the USB device also includes a HID descriptor; if the descriptor of the USB device is the same as the registration information of the USB device, closing the switch deployed in the USB access control device includes: if the device descriptor, configuration descriptor, interface descriptor, and HID descriptor in the descriptor of the USB device are each the same as the corresponding device descriptor, configuration descriptor, interface descriptor, and HID descriptor in the registration information, closing the switch deployed in the USB access control device.
- disconnecting the switch deployed in the USB access control device includes: if any one of the device descriptor, configuration descriptor, interface descriptor, and HID descriptor in the descriptor of the USB device differs from the corresponding device descriptor, configuration descriptor, interface descriptor, or HID descriptor in the registration information, opening the switch deployed in the USB access control device.
- a USB device access control apparatus is proposed. The apparatus is applied to a USB access control device, which is connected to the protected device through an interface, and includes: a first acquisition module, which obtains the descriptor of the USB device when the USB device is inserted into the USB access control device; a comparison module, used to compare the descriptor of the USB device with the registration information of the USB device; a closing module, which closes the switch deployed in the USB access control device if the descriptor of the USB device is the same as the registration information of the USB device, so that the USB device can communicate with the protected device; a second acquisition module, which continues to obtain the descriptor of the USB device while the USB device communicates with the protected device and compares the descriptor of the USB device with the registration information of the USB device; and a disconnection module, which opens the switch deployed in the USB access control device if the descriptor of the USB device differs from the registration information of the USB device.
- an electronic device is proposed, which includes: one or more processors; and a storage device for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the method described above.
- a computer-readable medium on which a computer program is stored, and when the program is executed by a processor, the above method is implemented.
- the method is applied to the USB access control device, and the USB access control device is connected to the protected device through an interface.
- the data security of the protected device can be protected by connecting the USB access control device externally to the protected device.
- the data security of the protected device can also be guaranteed without installing security protection software on the protected device.
- the USB access control device may determine whether to close a switch deployed in the USB access control device according to the descriptor of the USB device. If the descriptor of the USB device is the same as the registration information of the USB device, close the switch deployed in the USB access control device, so that the USB device can communicate with the protected device.
- Fig. 1 is a schematic structural diagram of a USB device access control system according to an exemplary embodiment.
- Fig. 2 is a flowchart showing a method for controlling access of a USB device according to an exemplary embodiment.
- Fig. 3 is a schematic diagram showing a specific deployment of a USB communication data analysis module in a USB access control device according to an exemplary embodiment.
- Fig. 4 is a flow chart showing a method for controlling access of a USB device according to another exemplary embodiment.
- Fig. 5 is a flow chart showing a method for controlling access of a USB device according to another exemplary embodiment.
- Fig. 6 is a flowchart of a method for controlling access of a USB device according to another exemplary embodiment.
- Fig. 7 is a schematic diagram showing the connection relationship between the data forwarding module and the USB communication data analysis module according to an exemplary embodiment.
- Fig. 8 is a schematic diagram of a network version of a USB device access control system according to an exemplary embodiment.
- Fig. 9 is a schematic diagram of software deployed on a management workstation A according to an exemplary embodiment.
- Fig. 10 is a schematic diagram showing the connection relationship between the USB communication data analysis module and the data forwarding module in the USB registration device according to an exemplary embodiment.
- Fig. 11 is a block diagram of an apparatus for controlling access of a USB device according to an exemplary embodiment.
- Fig. 12 is a block diagram of an electronic device according to an exemplary embodiment.
- Fig. 13 is a block diagram showing a computer readable medium according to an exemplary embodiment.
- Example embodiments will now be described more fully with reference to the accompanying drawings.
- Example embodiments may, however, be embodied in many forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art.
- the same reference numerals denote the same or similar parts in the drawings, and thus their repeated descriptions will be omitted.
- Fig. 1 is a schematic structural diagram of a USB device access control system according to an exemplary embodiment.
- the USB device access control system 100 may include a USB access control device 110 , a USB device 120 and a protected device 130 .
- the USB access control device 110 is equipped with two USB ports, which are USB port UA1 and USB port UA2 respectively.
- the number of USB ports can be increased according to actual application scenarios.
- the USB access control device 110 and the USB device 120 can be connected through the USB port UA1.
- the USB access control device 110 and the protected device 130 can be connected through the USB port UA2.
- the USB access control device 110 can be used to protect the security of data in the protected device 130.
- the USB access control device 110 may determine whether to allow the USB device 120 to communicate with the protected device 130 according to the descriptor of the USB device 120 . Specifically, if the descriptor of the USB device 120 is the same as the registration information of the USB device 120 , the USB device 120 is allowed to communicate with the protected device 130 . On the contrary, if the descriptor of the USB device 120 is different from the registration information of the USB device 120 , the USB device 120 is not allowed to communicate with the protected device 130 .
- the USB access control device 110 may be a security device capable of protecting data.
- the USB device 120 may be an external storage device, an external HID device, and so on.
- the external storage device may be a USB flash drive, a mobile hard disk, and the like.
- the external HID device can be a mouse, keyboard, gamepad, etc.
- Fig. 2 is a flowchart showing a method for controlling access of a USB device according to an exemplary embodiment. The method is applied to a USB access control device, and the USB access control device is connected to the protected device through an interface.
- the USB device access control method may include steps S210 to S250.
- in step S210, when the USB device is inserted into the USB access control device, the descriptor of the USB device is obtained.
- in step S220, the descriptor of the USB device is compared with the registration information of the USB device.
- in step S230, if the descriptor of the USB device is the same as the registration information of the USB device, a switch deployed in the USB access control device is closed, so that the USB device can communicate with the protected device.
- in step S240, while the USB device communicates with the protected device, the descriptor of the USB device continues to be obtained and compared with the registration information of the USB device.
- in step S250, if the descriptor of the USB device differs from the registration information of the USB device, the switch deployed in the USB access control device is opened (disconnected).
- the method can protect the data security of the protected device by externally connecting the USB access control device to the protected device.
- the USB access control device may determine whether to close a switch deployed in the USB access control device according to the descriptor of the USB device. If the descriptor of the USB device is the same as the registration information of the USB device, close the switch deployed in the USB access control device, so that the USB device can communicate with the protected device.
- the USB access control device 110 may include an interface control module and a system control module.
- the interface control module has three USB ports, namely USB port UA1, USB port UA2, and USB port UB.
- USB port UA1 and USB port UA2 are external interfaces, and USB port UB is an internal interface.
- the external interface UA2 is connected to the corresponding USB port UC of the protected device 130.
- the external interface UA1 is used to access one or more USB devices 120 .
- the system control module is connected with an internal interface, which is a USB port UD.
- the UD of the system control module is used to electrically connect with the UB of the interface control module, and controls the security authentication of the external equipment connected to the external interface UA1 on the interface control module.
- USB communication data analysis modules and two switches are also deployed in the interface control module.
- one end of a USB communication data analysis module is connected to the external interface UA1, the other end is connected to one end of a switch, and the other end of the switch is connected to the internal interface UB.
- One end of another USB communication data analysis module is connected to the external interface UA1, the other end is connected to one end of a switch, and the other end of the switch is connected to the external interface UA2.
- the USB communication data analysis module is connected in series, as a bypass tap, on the path between the external interface of the interface control module and the USB port of the protected device, and it monitors the descriptor of the USB device on that direct connection path in real time.
- the USB communication data analysis module is implemented on the basis of USB protocol analysis and is used to parse the descriptor of the USB device.
- when the USB device 120 is inserted into the external interface UA1, which is directly connected to the USB port UC of the protected device, the inserted USB device 120 is powered on and enters the device identification process defined by the USB specification, that is, the enumeration process of the USB device 120.
- when the USB device 120 is inserted into the external interface UA1 of the USB access control device 110, the switch between the internal interface UB and the external interface UA1 of the USB access control device 110 is closed, and the system control module can control the USB communication data analysis module between the two to obtain the descriptor of the USB device 120 and compare it with the registration information of the USB device 120.
- if the descriptor of the USB device 120 is the same as the registration information of the USB device 120, the switch deployed in the USB access control device 110 (for example, the switch between the external interface UA1 and the external interface UA2) is closed, so that the USB device 120 and the protected device 130 can communicate. While the USB device 120 communicates with the protected device 130, the USB communication data analysis module between the external interface UA1 and the external interface UA2 of the USB access control device 110 continues to obtain the descriptor of the USB device 120 and to compare it with the registration information of the USB device 120; if the descriptor of the USB device 120 differs from the registration information of the USB device 120, the switch deployed in the USB access control device (for example, the switch between the external interface UA1 and the external interface UA2) is opened. At this point the USB device 120 and the protected device 130 can no longer communicate, which protects the data security of the protected device 130.
- the USB device 120 is inserted into the UA1 of the USB access control device 110, the corresponding USB port on the protected device 130 is connected through the internal connection of the USB access control device 110, and the inserted USB device 120 is powered on.
- the device identification process will be entered, that is, the first enumeration process of the USB device 120 .
- from the communication data between the USB device 120 and the protected device 130, the descriptors exchanged in the enumeration process are extracted (for example, vendor ID, product identification code (PID) and serial number information, number of configurations, identifier of the currently used configuration, number of interfaces supported by the configuration, interface number, interface class, interface subclass, interface protocol, etc.) and compared and matched against the registration information; if any inconsistency is found, the communication between the USB device 120 and the protected device 130 is disconnected and an alarm message is sent.
- the above-mentioned descriptors of the USB device 120 may include any one or more of the following: device descriptor, configuration descriptor, interface descriptor, and HID descriptor.
- a USB device 120 has only one device descriptor, and the device descriptor includes the fields listed in Table 1.
- the USB device 120 can have at least one or more configuration descriptors.
- the last item bNumConfigurations of the above-mentioned device descriptors limits the number of configuration descriptors.
- the USB device 120 currently selects one of the configurations; the configuration descriptor information is shown in Table 2, where bConfigurationValue is the identifier of the current configuration.
- the foregoing interface descriptor may be used to describe the situation of the interface under the foregoing current configuration.
- a single-function USB device 120 has an interface, such as a USB flash drive.
- the composite function USB device 120 has multiple interfaces, for example, a composite device integrating a mouse and a keyboard, wherein one interface corresponds to one function.
- a USB device 120 can have multiple configurations, but currently only one configuration can be selected.
- if the device type bDeviceClass in the device descriptor is 0, the category is identified by the interface descriptor instead.
- the interface class, interface subclass, and interface protocol are used to describe the category to which the function of the USB device 120 belongs.
- Fig. 4 is a flow chart showing a method for controlling access of a USB device according to another exemplary embodiment.
- the acquisition of the descriptor of the USB device in step S210 may include step S410 and step S420.
- in step S410, a Get_Descriptor control packet is sent to the USB device.
- in step S420, the device descriptor returned by the USB device in response to the Get_Descriptor control packet is received.
- the method may request the device descriptor of the USB device by sending a USB command (for example, a Get_Descriptor control packet) to the USB device, so that the USB access control device can quickly obtain the device descriptor of the USB device.
- the system control module controls the USB communication data analysis module between the internal interface UB and the external interface UA1 to obtain the device descriptor of the USB device 120 , and determine whether to close or open a switch deployed in the USB access control device 110 based on the device descriptor.
- when the USB device 120 is inserted into the external interface UA1 of the USB access control device 110, the USB communication data analysis module between the internal interface UB and the external interface UA1 sends a Get_Descriptor control packet to the USB device 120, and the USB device 120 returns its device descriptor to the USB communication data analysis module in response to the control packet, for example bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType, and bString in the device descriptor.
- the USB communication data analysis module may compare the registration information of the USB device 120 obtained in advance with the currently obtained device descriptor during the first enumeration of the USB device 120.
- comparing the descriptor of the USB device 120 with the registration information of the USB device 120 includes comparing whether each of bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType, and bString in the device descriptor is the same as the corresponding field in the registration information.
- if they are the same, the switch deployed in the USB access control device 110 is closed. For example, the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110 is closed.
- if they differ, the switch deployed in the USB access control device 110 is opened. For example, the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110 is disconnected. It should be noted that if the device descriptor in the descriptor of the USB device 120 differs from the device descriptor in the registration information and the switch in the USB access control device 110 is already open, it is simply left open.
- Fig. 5 is a flow chart showing a method for controlling access of a USB device according to another exemplary embodiment.
- Acquiring the descriptor of the USB device in step S210 may include step S510 and step S520.
- In step S510, a Get_Descriptor_Configuration control packet is sent to the USB device.
- In step S520, the configuration descriptor that the USB device returns for the Get_Descriptor_Configuration control packet is received.
- The method requests the configuration descriptor of the USB device by sending a USB command (for example, a Get_Descriptor_Configuration control packet, that is, the standard GET_DESCRIPTOR request with descriptor type CONFIGURATION in the high byte of wValue) to the USB device, so that the USB access control device can obtain the configuration descriptor quickly. Provided the request's wLength covers wTotalLength, the returned block carries, after the 9-byte configuration header, the interface, endpoint and class-specific descriptors of that configuration.
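The request and comparison described above, as an added example that is not part of the patent: it builds the standard GET_DESCRIPTOR SETUP packet the analysis module would send (device descriptor, and the string descriptor that supplies bString), parses the 18-byte device descriptor, and applies the field-by-field check that decides the switch. The descriptor bytes, the VID/PID values and the registration record are constructed placeholders.

```python
"""Added example (not from the patent): GET_DESCRIPTOR SETUP packets, device
descriptor parsing, and the patent's field-by-field registration check.
Sample descriptor bytes and the registration record are constructed."""
import struct

GET_DESCRIPTOR = 0x06                       # bRequest code, USB 2.0 spec chapter 9
DESC_DEVICE, DESC_CONFIGURATION, DESC_STRING = 0x01, 0x02, 0x03
LANGID_EN_US = 0x0409


def get_descriptor_setup(desc_type, index=0, wLength=18, wIndex=0):
    """8-byte SETUP packet for GET_DESCRIPTOR: bmRequestType 0x80 (device-to-host,
    standard request, recipient device); wValue = descriptor type << 8 | index."""
    return struct.pack("<BBHHH", 0x80, GET_DESCRIPTOR, (desc_type << 8) | index, wIndex, wLength)


DEVICE_DESCRIPTOR_FIELDS = (
    "bLength", "bDescriptorType", "bcdUSB", "bDeviceClass", "bDeviceSubClass",
    "bDeviceProtocol", "bMaxPacketSize0", "idVendor", "idProduct", "bcdDevice",
    "iManufacturer", "iProduct", "iSerialNumber", "bNumConfigurations",
)


def parse_device_descriptor(raw):
    """Decode the 18-byte device descriptor (multi-byte fields are little-endian)."""
    if len(raw) < 18:
        raise ValueError("device descriptor truncated: %d bytes" % len(raw))
    desc = dict(zip(DEVICE_DESCRIPTOR_FIELDS, struct.unpack("<BBHBBBBHHHBBBB", raw[:18])))
    if desc["bLength"] != 18 or desc["bDescriptorType"] != DESC_DEVICE:
        raise ValueError("not a device descriptor")
    return desc


def parse_string_descriptor(raw):
    """String descriptor: bLength, bDescriptorType=3, then bString as UTF-16LE."""
    if len(raw) < 2 or raw[1] != DESC_STRING or raw[0] > len(raw):
        raise ValueError("malformed string descriptor")
    return raw[2:raw[0]].decode("utf-16-le")


COMPARED_DEVICE_FIELDS = ("bDeviceClass", "bDeviceSubClass", "bDeviceProtocol",
                          "bLength", "bDescriptorType")


def device_registration_matches(raw_device, raw_serial_string, registered):
    """True when every compared field equals the registered value (close the switch);
    False on any mismatch or on a malformed descriptor (leave the switch open)."""
    try:
        desc = parse_device_descriptor(raw_device)
        serial = parse_string_descriptor(raw_serial_string)
    except ValueError:
        return False
    if any(desc[f] != registered[f] for f in COMPARED_DEVICE_FIELDS):
        return False
    return serial == registered["bString"]


# Constructed sample: a full-speed HID keyboard; VID/PID are placeholders.
SAMPLE_DEVICE = bytes([
    0x12, 0x01, 0x00, 0x02,   # bLength=18, DEVICE, bcdUSB=2.00
    0x00, 0x00, 0x00, 0x40,   # class/subclass/protocol "per interface", EP0 max packet 64
    0x34, 0x12, 0x78, 0x56,   # idVendor=0x1234, idProduct=0x5678 (placeholders)
    0x00, 0x01,               # bcdDevice=1.00
    0x01, 0x02, 0x03, 0x01,   # iManufacturer=1, iProduct=2, iSerialNumber=3, 1 configuration
])
# Constructed string descriptor for string index 3 (the serial number).
SAMPLE_SERIAL = struct.pack("<BB", 2 + 2 * len("SN0001"), DESC_STRING) + "SN0001".encode("utf-16-le")

# Constructed registration record stored for this device at registration time.
REGISTERED = {"bDeviceClass": 0, "bDeviceSubClass": 0, "bDeviceProtocol": 0,
              "bLength": 18, "bDescriptorType": 1, "bString": "SN0001"}

if __name__ == "__main__":
    print("SETUP for device descriptor:", get_descriptor_setup(DESC_DEVICE).hex())
    print("SETUP for serial string:", get_descriptor_setup(DESC_STRING, 3, 255, LANGID_EN_US).hex())
    print("close switch:", device_registration_matches(SAMPLE_DEVICE, SAMPLE_SERIAL, REGISTERED))
```

A malformed or truncated descriptor is treated as a mismatch, so the switch stays open on parsing failure rather than being decided by partial data.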
- The system control module directs the USB communication data analysis module between the internal interface UB and the external interface UA1 to obtain the configuration descriptor of the USB device 120, and determines whether to close or open the switch deployed in the USB access control device 110 based on that configuration descriptor.
- When the USB device 120 is inserted into the external interface UA1 of the USB access control device 110, the USB communication data analysis module between the internal interface UB and the external interface UA1 sends a Get_Descriptor_Configuration control packet to the USB device 120, and the USB device 120 answers it with its configuration descriptor, for example returning bNumInterfaces, bConfigurationValue, and wTotalLength.
- The USB communication data analysis module then compares the registration information of the USB device 120 obtained in advance with the configuration descriptor just obtained; this comparison is the first enumeration of the USB device 120.
- Comparing the descriptor of the USB device 120 with its registration information includes comparing whether each of bNumInterfaces, bConfigurationValue, and wTotalLength in the configuration descriptor is the same as the corresponding value in the registration information. Note that these three header fields do not change when one interface is replaced by another of the same descriptor size, so the interface-level comparison described below is what covers that case.
- If bNumInterfaces, bConfigurationValue, and wTotalLength in the configuration descriptor all match the registration information, the switch of the USB access control device 110 is closed, for example the switch between the external interface UA1 and the external interface UA2.
- If any one of them differs from the registration information, the switch of the USB access control device 110 is opened, for example the switch between the external interface UA1 and the external interface UA2 is disconnected. Note that if the configuration descriptor differs from the registration information while the switch is already open, the switch simply remains open.
- Fig. 6 shows a flow chart of a method for controlling access of a USB device according to another exemplary embodiment.
- Acquiring the descriptor of the USB device in step S210 may include step S610 and step S620.
- In step S610, a Get_Descriptor_Configuration control packet is sent to the USB device.
- In step S620, the interface descriptor that the USB device returns for the Get_Descriptor_Configuration control packet is received.
- The method requests the interface descriptor of the USB device by sending a USB command (for example, a Get_Descriptor_Configuration control packet) to the USB device, so that the USB access control device can obtain the interface descriptor quickly. Interface descriptors cannot be requested individually in the USB specification; they are returned inside the configuration descriptor block, after the 9-byte configuration header, which is why the same request serves both this step and the configuration descriptor step.
- The system control module directs the USB communication data analysis module between the internal interface UB and the external interface UA1 to obtain the interface descriptor of the USB device 120, and determines whether to close or open the switch deployed in the USB access control device 110 based on that interface descriptor.
- When the USB device 120 is inserted into the external interface UA1 of the USB access control device 110, the USB communication data analysis module between the internal interface UB and the external interface UA1 sends a Get_Descriptor_Configuration control packet to the USB device 120, and the USB device 120 answers it with its interface descriptor, for example returning bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, and bInterfaceProtocol.
- The USB communication data analysis module then compares the registration information of the USB device 120 obtained in advance with the interface descriptor just obtained; this comparison is the first enumeration of the USB device 120.
- Comparing the descriptor of the USB device 120 with its registration information includes comparing whether each of bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, and bInterfaceProtocol in the interface descriptor is the same as the corresponding value in the registration information.
- Closing the switch deployed in the USB access control device 110 includes: if bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, and bInterfaceProtocol in the interface descriptor all match the corresponding values in the registration information, the switch deployed in the USB access control device 110 is closed, for example the switch between the external interface UA1 and the external interface UA2.
- Opening the switch deployed in the USB access control device 110 includes: if any one of bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, and bInterfaceProtocol in the interface descriptor differs from the registration information, the switch deployed in the USB access control device 110 is opened, for example the switch between the external interface UA1 and the external interface UA2 is disconnected. Note that if the interface descriptor differs from the registration information while the switch is already open, the switch simply remains open.
- The descriptor of the USB device may be a device descriptor, a configuration descriptor, or an interface descriptor; in the present invention it may also include all three. As shown in FIG. 3, when the USB device 120 is inserted into the external interface UA1 of the USB access control device 110, the USB communication data analysis module between the external interface UA1 and the internal interface UB obtains the device descriptor, configuration descriptor, and interface descriptor of the USB device 120.
- A USB command is sent to the USB device 120 for each descriptor, and the USB device 120 returns the device descriptor, configuration descriptor, and interface descriptor in response to the corresponding command.
- The USB communication data analysis module compares the obtained device descriptor, configuration descriptor, and interface descriptor with those stored in the registration information of the USB device 120; this is the first enumeration of the USB device 120. If the device descriptor, configuration descriptor, and interface descriptor all match the registration information, the switch deployed in the USB access control device 110 is closed.
- If any one of the device descriptor, configuration descriptor, and interface descriptor differs from the registration information, the switch deployed in the USB access control device 110 is opened, for example the switch between the external interface UA1 and the external interface UA2 is disconnected.
- If any of them differs from the registration information while the switch in the USB access control device 110 is already open, it is sufficient to keep the switch open.
- The USB device 120 may be a HID device, that is, a Human Interface Device.
- In that case the descriptor of the USB device 120 includes not only the device descriptor, configuration descriptor, and interface descriptor described above but also the HID descriptor. If the device descriptor, configuration descriptor, interface descriptor, and HID descriptor all match the corresponding entries in the registration information, the switch deployed in the USB access control device 110 is closed.
- If any one of the device descriptor, configuration descriptor, interface descriptor, and HID descriptor differs from the registration information, the switch deployed in the USB access control device 110 is opened; if it is already open, it simply remains open.
- the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110 is closed, and the USB device 120 can communicate with the protected device 130 at this time.
- While using the USB device 120, the user may change its function through a hidden function of the device, for example opening a hidden storage area or activating a storage function. Such operations change the descriptor of the USB device 120 and trigger its re-enumeration.
- The USB communication data analysis module analyzes the USB communication data between UA1 and UA2 in real time. If re-enumeration information is observed while the USB device 120 is in use after it has passed authentication, the communication between UA1 and UA2 is disconnected and an alarm is triggered. For example, after the USB device 120 passes the first enumeration, the switch between the external interface UA1 and the external interface UA2 in the USB access control device 110 is closed and the USB device 120 can communicate with the protected device 130; a later re-enumeration whose descriptors no longer match the registration information opens that switch again.
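The configuration, interface and HID descriptor checks above, and the re-enumeration case just described, as one added example that is not part of the patent: it walks the block returned for a configuration descriptor request into the configuration header, the interface descriptors and any HID descriptor, builds the record the method compares, and decides the switch. The first sample is a registered HID keyboard; the second is the same device after a hidden storage function has been activated and it re-enumerates with an additional mass-storage interface. All descriptor bytes are constructed.

```python
"""Added example (not from the patent): parse a configuration descriptor block
(GET_DESCRIPTOR type CONFIGURATION, wLength >= wTotalLength) into the fields the
method compares, and decide whether the switch may be closed.  Sample bytes are
constructed."""
import struct

DESC_CONFIGURATION, DESC_INTERFACE, DESC_HID = 0x02, 0x04, 0x21
HID_CLASS = 0x03


def parse_configuration(raw):
    """Return the configuration header fields plus one entry per interface descriptor,
    each carrying the HID class descriptor that follows it (None if there is none)."""
    if len(raw) < 9 or raw[1] != DESC_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    bLength, _, wTotalLength, bNumInterfaces, bConfigurationValue = struct.unpack("<BBHBB", raw[:6])
    if wTotalLength != len(raw):
        raise ValueError("wTotalLength %d but %d bytes received" % (wTotalLength, len(raw)))
    cfg = {"bLength": bLength, "wTotalLength": wTotalLength, "bNumInterfaces": bNumInterfaces,
           "bConfigurationValue": bConfigurationValue, "interfaces": []}
    pos = bLength
    while pos < len(raw):
        # Every descriptor starts with bLength, bDescriptorType; reject inconsistent lengths.
        if pos + 2 > len(raw) or raw[pos] < 2 or pos + raw[pos] > len(raw):
            raise ValueError("malformed descriptor at offset %d" % pos)
        length, dtype = raw[pos], raw[pos + 1]
        if dtype == DESC_INTERFACE and length >= 9:
            num, _alt, _neps, cls, sub, proto = raw[pos + 2:pos + 8]
            cfg["interfaces"].append({"bInterfaceNumber": num, "bInterfaceClass": cls,
                                      "bInterfaceSubClass": sub, "bInterfaceProtocol": proto,
                                      "hid": None})
        elif dtype == DESC_HID and length >= 9 and cfg["interfaces"]:
            bcdHID, _country, ndesc, _rtype, rlen = struct.unpack("<HBBBH", raw[pos + 2:pos + 9])
            cfg["interfaces"][-1]["hid"] = {"bcdHID": bcdHID, "bNumDescriptors": ndesc,
                                            "wDescriptorLength": rlen}
        pos += length                      # endpoint and other descriptors are skipped
    if len({i["bInterfaceNumber"] for i in cfg["interfaces"]}) != bNumInterfaces:
        raise ValueError("bNumInterfaces does not match the interface descriptors present")
    return cfg


COMPARED_CONFIG = ("bNumInterfaces", "bConfigurationValue", "wTotalLength")
COMPARED_INTERFACE = ("bInterfaceNumber", "bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")


def registration_record(cfg):
    """The subset of fields the method compares; HID interfaces keep their HID descriptor."""
    return {
        "configuration": {k: cfg[k] for k in COMPARED_CONFIG},
        "interfaces": [dict({k: i[k] for k in COMPARED_INTERFACE},
                            hid=i["hid"] if i["bInterfaceClass"] == HID_CLASS else None)
                       for i in cfg["interfaces"]],
    }


def switch_should_close(raw_config, registered):
    """True only when the current descriptors equal the registered record; a malformed
    or truncated descriptor also leaves the switch open."""
    try:
        return registration_record(parse_configuration(raw_config)) == registered
    except ValueError:
        return False


# Constructed sample 1: registered HID boot keyboard, one interface, one interrupt IN endpoint.
KEYBOARD_CONFIG = bytes([
    0x09, 0x02, 0x22, 0x00, 0x01, 0x01, 0x00, 0xA0, 0x32,   # config: wTotalLength=34, 1 interface, value 1
    0x09, 0x04, 0x00, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00,   # interface 0: HID, boot subclass, keyboard
    0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3F, 0x00,   # HID 1.11, one report descriptor of 63 bytes
    0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x0A,               # EP1 IN, interrupt, 8 bytes, 10 ms
])
# Constructed sample 2: the same device after its hidden storage function is activated and
# it re-enumerates; a mass-storage interface appears and wTotalLength grows to 57.
KEYBOARD_PLUS_STORAGE_CONFIG = bytes([
    0x09, 0x02, 0x39, 0x00, 0x02, 0x01, 0x00, 0xA0, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00,
    0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3F, 0x00,
    0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x0A,
    0x09, 0x04, 0x01, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,   # interface 1: mass storage, SCSI, bulk-only
    0x07, 0x05, 0x82, 0x02, 0x40, 0x00, 0x00,               # EP2 IN, bulk, 64 bytes
    0x07, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00,               # EP2 OUT, bulk, 64 bytes
])

# Record captured at registration time for sample 1.
REGISTERED = registration_record(parse_configuration(KEYBOARD_CONFIG))

if __name__ == "__main__":
    print("first enumeration, switch closes:", switch_should_close(KEYBOARD_CONFIG, REGISTERED))
    print("after re-enumeration, switch closes:", switch_should_close(KEYBOARD_PLUS_STORAGE_CONFIG, REGISTERED))
```

Each re-enumeration observed on the UA1/UA2 path is handled by running `switch_should_close` over the newly captured configuration block; any difference from the registered record, including an interface that merely changed class, opens the switch.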
- The USB device access control method provided by the present invention can take over every interface of the protected device 130, ensuring that any use of the USB interface or of a serial device of the protected device 130 passes through the external terminal protection device (that is, the USB access control device 110), so that the USB interface or serial port of the protected device 130 is protected without installing security protection software on the protected device 130.
- When the USB device 120 is used through the USB access control device 110, the USB access control device 110 compares the descriptor information of the USB device 120 with its registration information; if the comparison finds a difference, access by the USB device 120 is prohibited and the process ends.
- The USB communication data analysis module in the USB access control device 110 may be connected in series between the USB device 120 inserted by the user and the protected device 130, and between the USB device 120 and the system control module in the USB access control device 110.
- Alternatively, a data forwarding module replicates the communication data so that the USB communication data analysis module sits as a bypass (tap) on the path between the USB device 120 inserted by the user and the protected device 130, and on the path to the system control module in the USB access control device 110.
- Between the USB device 120 inserted by the user and the protected device 130 there is a switch, for example a program-controlled electronic switch, through which the control program controls whether the USB device 120 and the protected device 130 are connected.
- the USB access control device 110 can be connected to the control center through the network port to realize unified management, and can also operate independently without the control center.
- A USB device must be registered before it is used, that is, device authorization must be performed.
- Traditional device authorization relies only on the vendor ID (VID), product ID (PID), and serial number of the USB device.
- The registration process in the present invention obtains the descriptor information of the USB device, confirms the access mode of the USB device, and loads the corresponding driver.
- USB descriptors include device descriptors, configuration descriptors, interface descriptors, endpoint descriptors, and string descriptors.
- HID devices additionally carry three class-specific descriptors: the HID descriptor, the report descriptor, and the physical descriptor.
- The USB registration device C is connected to the management workstation B through a USB port.
- The USB communication data analysis module in the USB registration device C obtains the descriptor of the USB device, that is, the registration information, and verifies the descriptor against the USB protocol specification. It then sends the verified descriptor to the management workstation B through the USB communication port.
- The management workstation B can report the registration information of the USB device to the management server A through the network, so that the management server A manages the registration information of USB devices centrally.
- The USB access control devices D and F can request the registration information of the USB device from the management server A, so that after the USB device is inserted into D or F its registration information is compared with the descriptor the device presents. If they are consistent, the USB device can communicate with the protected devices G and E; if they are not, it cannot.
- the registration authorization of the USB device can be realized by software or hardware.
- FIG. 8 shows registration and authorization of the USB device implemented in hardware.
- Here the registration and authorization of the USB device is carried out jointly by the USB registration device C and the management workstation B.
- FIG. 9 shows registration and authorization of the USB device implemented through software installed on the management workstation B.
- The user inserts the USB device into a USB port of the management workstation, and the USB device registration module and the USB communication data analysis module in the management workstation B carry out the registration and authorization of the USB device.
- When the USB device is registered and authorized, the registration software or hardware reads the device descriptor, configuration descriptor, interface descriptor and other information of the USB device, and records the interface descriptor information belonging to the configuration descriptor currently in use.
- This information includes: the vendor ID (VID), product ID (PID) and serial number, the number of configurations, the identifier of the configuration currently in use, the number of interfaces supported by that configuration, and for each interface its interface number, interface class, interface subclass and interface protocol. From this information a unique identifier is generated as the legal mark of the USB device.
- If the USB device is a Human Interface Device (HID), the registration software or hardware additionally collects the HID descriptor information of the HID device, since many attacks are based on the HID device class.
- The type of a HID device is declared in its interface descriptor (bInterfaceClass 0x03); the device descriptor and configuration descriptor of a HID device carry no HID-specific information, and the class fields of its device descriptor are typically 0, meaning "defined per interface".
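One way to derive the unique identifier from the registration information listed above, as an added example that is not part of the patent and that uses a technique the patent does not specify: the recorded fields are serialised in a canonical form (fixed key set, interfaces sorted by number, no whitespace) and hashed with SHA-256, so that the same device always yields the same mark regardless of how the record was assembled, while any change to the interface set, the HID descriptor or the serial number yields a different one. The registration dictionaries, VID/PID and serial values are constructed placeholders.

```python
"""Added example (not from the patent): the registration "legal mark" as SHA-256
over a canonical encoding of the recorded descriptor fields.  Records are constructed."""
import hashlib
import json

INTERFACE_FIELDS = ("bInterfaceNumber", "bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")
HID_CLASS = 0x03


def canonical_registration(info):
    """Fixed key set, sorted interfaces and compact JSON, so equal devices give equal bytes."""
    interfaces = sorted(({k: int(i[k]) for k in INTERFACE_FIELDS} for i in info["interfaces"]),
                        key=lambda i: i["bInterfaceNumber"])
    record = {
        "idVendor": int(info["idVendor"]),
        "idProduct": int(info["idProduct"]),
        "serial": str(info["serial"]),
        "bNumConfigurations": int(info["bNumConfigurations"]),
        "bConfigurationValue": int(info["bConfigurationValue"]),
        "bNumInterfaces": int(info["bNumInterfaces"]),
        "interfaces": interfaces,
    }
    # HID interfaces additionally contribute their HID descriptor (bcdHID, report descriptor length).
    hid = sorted((int(i["bInterfaceNumber"]), int(i["hid"]["bcdHID"]), int(i["hid"]["wDescriptorLength"]))
                 for i in info["interfaces"] if int(i["bInterfaceClass"]) == HID_CLASS and i.get("hid"))
    if hid:
        record["hid"] = hid
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def legal_mark(info):
    """Hex SHA-256 of the canonical record: the identifier stored by the management server."""
    return hashlib.sha256(canonical_registration(info)).hexdigest()


def is_authorized(info, authorized_marks):
    """Check at the access control device: the mark of the inserted device must be among
    the marks obtained from the management server."""
    return legal_mark(info) in authorized_marks


# Constructed registration record for a HID boot keyboard (placeholder VID/PID/serial).
KEYBOARD = {
    "idVendor": 0x1234, "idProduct": 0x5678, "serial": "SN0001",
    "bNumConfigurations": 1, "bConfigurationValue": 1, "bNumInterfaces": 1,
    "interfaces": [{"bInterfaceNumber": 0, "bInterfaceClass": 3, "bInterfaceSubClass": 1,
                    "bInterfaceProtocol": 1, "hid": {"bcdHID": 0x0111, "wDescriptorLength": 63}}],
}
# The same device once it also exposes a mass-storage interface: a different mark.
KEYBOARD_PLUS_STORAGE = dict(KEYBOARD, bNumInterfaces=2, interfaces=KEYBOARD["interfaces"] + [
    {"bInterfaceNumber": 1, "bInterfaceClass": 8, "bInterfaceSubClass": 6, "bInterfaceProtocol": 0x50}])

if __name__ == "__main__":
    marks = {legal_mark(KEYBOARD)}
    print("keyboard authorized:", is_authorized(KEYBOARD, marks))
    print("keyboard+storage authorized:", is_authorized(KEYBOARD_PLUS_STORAGE, marks))
```

Because the mark covers the interface set and the HID descriptor, a device that keeps its VID, PID and serial but changes what it exposes no longer matches, which is the gap in VID/PID/serial-only authorization that the passage above describes.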
- the USB device communication data analysis module can be connected in series between the USB registration port and the USB communication port or use a data forwarding module to realize a bypass connection on the communication line between the USB registration port and the USB communication port .
- Fig. 11 is a block diagram of an apparatus for controlling access to a USB device according to another exemplary embodiment.
- the USB device access control apparatus 200 includes: a first acquisition module 210 , a comparison module 220 , a closing module 230 , a second acquisition module 240 and a disconnection module 250 .
- The first acquisition module 210 acquires the descriptor of the USB device when the USB device is inserted into the USB access control device.
- The comparison module 220 compares the descriptor of the USB device with the registration information of the USB device.
- The closing module 230 closes the switch deployed in the USB access control device if the descriptor of the USB device is the same as the registration information of the USB device, so that the USB device can communicate with the protected device.
- The second acquisition module 240 continues to acquire the descriptor of the USB device while the USB device communicates with the protected device, and compares it with the registration information of the USB device.
- The disconnection module 250 opens the switch deployed in the USB access control device if the descriptor of the USB device differs from the registration information of the USB device.
- the USB device access control device 200 can protect the data security of the protected device through the USB access control device externally connected to the protected device.
- the data security of the protected device can also be guaranteed without installing security protection software on the protected device.
- the USB access control device may determine whether to close a switch deployed in the USB access control device according to the descriptor of the USB device. If the descriptor of the USB device is the same as the registration information of the USB device, close the switch deployed in the USB access control device, so that the USB device can communicate with the protected device.
- the USB device access control apparatus 200 may be used to implement the USB device access control method described in the above embodiments.
- Fig. 12 is a block diagram of an electronic device according to an exemplary embodiment.
- An electronic device 300 according to this embodiment of the present disclosure is described below with reference to FIG. 12.
- The electronic device 300 shown in FIG. 12 is only an example and does not limit the functions or scope of use of the embodiments of the present disclosure.
- electronic device 300 takes the form of a general-purpose computing device.
- Components of the electronic device 300 may include, but are not limited to: at least one processing unit 310, at least one storage unit 320, a bus 330 connecting different system components (including the storage unit 320 and the processing unit 310), a display unit 340, and the like.
- the storage unit stores program codes, and the program codes can be executed by the processing unit 310, so that the processing unit 310 executes the steps in this specification according to various exemplary embodiments of the present disclosure.
- the processing unit 310 may execute the steps shown in FIG. 2 to FIG. 6 .
- The storage unit 320 may include readable media in the form of volatile storage, such as a random access memory (RAM) 3201 and/or a cache 3202, and may further include a read-only memory (ROM) 3203.
- The storage unit 320 may also include a program/utility 3204 having a set of (at least one) program modules 3205, including but not limited to an operating system, one or more application programs, other program modules, and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
- Bus 330 may represent one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
- The electronic device 300 can also communicate with one or more external devices (such as keyboards, pointing devices, Bluetooth devices, etc.), with one or more devices that enable a user to interact with the electronic device 300, and/or with any device (for example a router or modem) that enables the electronic device 300 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 350.
- The electronic device 300 can also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN) and/or a public network such as the Internet) through the network adapter 360.
- The network adapter 360 can communicate with other modules of the electronic device 300 through the bus 330.
- Other hardware and/or software modules may be used in conjunction with the electronic device 300, including but not limited to microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
- The technical solution according to the embodiments of the present disclosure can be embodied as a software product stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a portable hard disk, etc.) or on a network, including several instructions that cause a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the above method according to the embodiments of the present disclosure.
- The software product may use any combination of one or more readable media.
- A readable medium may be a readable signal medium or a readable storage medium.
- A readable storage medium may be, for example but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of readable storage media include: an electrical connection with one or more conductors, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
- A readable signal medium may include a data signal propagated in baseband or as part of a carrier wave and carrying readable program code. Such a propagated data signal may take many forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination of the foregoing.
- A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
- The program code contained on a readable medium may be transmitted by any suitable medium, including but not limited to wireless, wire, optical cable, RF, etc., or any suitable combination of the above.
- Program code for performing the operations of the present disclosure may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++ as well as conventional procedural programming languages such as C or similar languages.
- The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
- The remote computing device may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computing device (for example, through the Internet using an Internet service provider).
- The above computer-readable medium carries one or more programs which, when executed by the device, cause it to implement the following: a USB access control device externally connected to the protected device protects the data security of the protected device, and the data security of the protected device is guaranteed without installing security protection software on the protected device.
- The USB access control device may determine whether to close a switch deployed in the USB access control device according to the descriptor of the USB device. If the descriptor of the USB device is the same as the registration information of the USB device, the switch is closed so that the USB device can communicate with the protected device.
- The modules in the above embodiments may be distributed among devices as described in the embodiments, or changed accordingly so as to reside in one or more devices different from those of the embodiments.
- The modules in the above embodiments may be combined into one module, or further split into multiple sub-modules.
- The exemplary embodiments described here can be implemented by software, or by software combined with the necessary hardware. Therefore, the technical solutions according to the embodiments of the present disclosure can be embodied as a software product stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a portable hard disk, etc.) or on a network, including several instructions that cause a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Mathematical Physics (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Information Transfer Systems (AREA)
Claims (20)
- 一种USB设备接入控制方法,其中,该方法应用于USB接入控制设备,所述USB接入控制设备与被保护设备通过接口连接,该方法包括:在所述USB设备插入所述USB接入控制设备时,获取所述USB设备的描述符;比对所述USB设备的描述符与所述USB设备的注册信息;如果所述USB设备的描述符与所述USB设备的注册信息相同,闭合所述USB接入控制设备中部署的开关,使得所述USB设备与所述被保护设备能够通信;在所述USB设备与所述被保护设备通信时,继续获取所述USB设备的描述符,并比对所述USB设备的描述符与所述USB设备的注册信息;如果所述USB设备的描述符与所述USB设备的注册信息不同,断开所述USB接入控制设备中部署的开关。
- 如权利要求1所述的USB设备接入控制方法,其中,获取所述USB设备的描述符包括:向所述USB设备发送Get_Descriptor控制包;接收所述USB设备根据所述Get_Descriptor控制包确定的设备描述符。
- 如权利要求2所述的USB设备接入控制方法,其中,比对所述USB设备的描述符与所述USB设备的注册信息包括:比对所述设备描述符中的bDeviceClass与所述注册信息中的bDeviceClass是否相同;比对所述设备描述符中的bDeviceSubClass与所述注册信息中的bDeviceSubClass是否相同;比对所述设备描述符中的bDeviceProtocol与所述注册信息中的bDeviceProtocol是否相同;比对所述设备描述符中的bLength与所述注册信息中的bLength是 否相同;比对所述设备描述符中的bDescriptorType与所述注册信息中bDescriptorType是否相同;以及比对所述设备描述符中的bString与所述注册信息中bString是否相同。
- The USB device access control method according to claim 3, wherein, if the descriptor of the USB device is the same as the registration information of the USB device, closing the switch deployed in the USB access control device comprises: if the bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType and bString in the device descriptor are respectively the same as the bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType and bString in the registration information, closing the switch deployed in the USB access control device.
- The USB device access control method according to claim 3, wherein, if the descriptor of the USB device differs from the registration information of the USB device, opening the switch deployed in the USB access control device comprises: if any one of the bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType and bString in the device descriptor differs from the corresponding bDeviceClass, bDeviceSubClass, bDeviceProtocol, bLength, bDescriptorType and bString in the registration information, opening the switch deployed in the USB access control device.
- The USB device access control method according to claim 1, wherein obtaining the descriptor of the USB device comprises: sending a Get_Descriptor_Configuration control packet to the USB device; and receiving the configuration descriptor that the USB device determines according to the Get_Descriptor_Configuration control packet.
- The USB device access control method according to claim 6, wherein comparing the descriptor of the USB device with the registration information of the USB device comprises: comparing whether the bNumInterfaces in the configuration descriptor is the same as the bNumInterfaces in the registration information; comparing whether the bConfigurationValue in the configuration descriptor is the same as the bConfigurationValue in the registration information; and comparing whether the wTotalLength in the configuration descriptor is the same as the wTotalLength in the registration information.
- The USB device access control method according to claim 7, wherein, if the descriptor of the USB device is the same as the registration information of the USB device, closing the switch deployed in the USB access control device comprises: if the bNumInterfaces, bConfigurationValue and wTotalLength in the configuration descriptor are respectively the same as the bNumInterfaces, bConfigurationValue and wTotalLength in the registration information, closing the switch deployed in the USB access control device.
- The USB device access control method according to claim 7, wherein, if the descriptor of the USB device differs from the registration information of the USB device, opening the switch deployed in the USB access control device comprises: if any one of the bNumInterfaces, bConfigurationValue and wTotalLength in the configuration descriptor differs from the corresponding bNumInterfaces, bConfigurationValue and wTotalLength in the registration information, opening the switch deployed in the USB access control device.
- The USB device access control method according to claim 1, wherein obtaining the descriptor of the USB device comprises: sending a Get_Descriptor_Configuration control packet to the USB device; and receiving the interface descriptor that the USB device determines according to the Get_Descriptor_Configuration control packet.
- The USB device access control method according to claim 10, wherein comparing the descriptor of the USB device with the registration information of the USB device comprises: comparing whether the bInterfaceNumber in the interface descriptor is the same as the bInterfaceNumber in the registration information; comparing whether the bInterfaceClass in the interface descriptor is the same as the bInterfaceClass in the registration information; comparing whether the bInterfaceSubClass in the interface descriptor is the same as the bInterfaceSubClass in the registration information; and comparing whether the bInterfaceProtocol in the interface descriptor is the same as the bInterfaceProtocol in the registration information.
- The USB device access control method according to claim 11, wherein, if the descriptor of the USB device is the same as the registration information of the USB device, closing the switch deployed in the USB access control device comprises: if the bInterfaceNumber, bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol in the interface descriptor are respectively the same as the bInterfaceNumber, bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol in the registration information, closing the switch deployed in the USB access control device.
- The USB device access control method according to claim 11, wherein, if the descriptor of the USB device differs from the registration information of the USB device, opening the switch deployed in the USB access control device comprises: if any one of the bInterfaceNumber, bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol in the interface descriptor differs from the corresponding bInterfaceNumber, bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol in the registration information, opening the switch deployed in the USB access control device.
- The USB device access control method according to claim 1, wherein the descriptor of the USB device comprises a device descriptor, a configuration descriptor and an interface descriptor; and, if the descriptor of the USB device is the same as the registration information of the USB device, closing the switch deployed in the USB access control device comprises: if the device descriptor, configuration descriptor and interface descriptor in the descriptor of the USB device are respectively the same as the device descriptor, configuration descriptor and interface descriptor in the registration information, closing the switch deployed in the USB access control device.
- The USB device access control method according to claim 14, wherein, if the descriptor of the USB device differs from the registration information of the USB device, opening the switch deployed in the USB access control device comprises: if any one of the device descriptor, configuration descriptor and interface descriptor in the descriptor of the USB device differs from the corresponding device descriptor, configuration descriptor and interface descriptor in the registration information, opening the switch deployed in the USB access control device.
- The USB device access control method according to claim 14, wherein, if the USB device is an HID device, the descriptor of the USB device further comprises an HID descriptor; and, if the descriptor of the USB device is the same as the registration information of the USB device, closing the switch deployed in the USB access control device comprises: if the device descriptor, configuration descriptor, interface descriptor and HID descriptor in the descriptor of the USB device are respectively the same as the device descriptor, configuration descriptor, interface descriptor and HID descriptor in the registration information, closing the switch deployed in the USB access control device.
- The USB device access control method according to claim 16, wherein, if the descriptor of the USB device differs from the registration information of the USB device, opening the switch deployed in the USB access control device comprises: if any one of the device descriptor, configuration descriptor, interface descriptor and HID descriptor in the descriptor of the USB device differs from the corresponding device descriptor, configuration descriptor, interface descriptor and HID descriptor in the registration information, opening the switch deployed in the USB access control device.
- A USB device access control apparatus, wherein the apparatus is applied to a USB access control device, the USB access control device is connected to a protected device through an interface, and the apparatus comprises: a first obtaining module, configured to obtain the descriptor of the USB device when the USB device is plugged into the USB access control device; a comparison module, configured to compare the descriptor of the USB device with the registration information of the USB device; a closing module, configured to close the switch deployed in the USB access control device if the descriptor of the USB device is the same as the registration information of the USB device, so that the USB device can communicate with the protected device; a second obtaining module, configured to continue obtaining the descriptor of the USB device while the USB device communicates with the protected device, and to compare the descriptor of the USB device with the registration information of the USB device; and an opening module, configured to open the switch deployed in the USB access control device if the descriptor of the USB device differs from the registration information of the USB device.
- An electronic device, comprising: one or more processors; and a storage device for storing one or more programs, wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the method according to any one of claims 1 to 17.
- A computer-readable medium on which a computer program is stored, wherein the program, when executed by a processor, implements the method according to any one of claims 1 to 17.
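The claims above describe a fixed comparison: descriptors read from the device at plug-in are stored as registration information, the same descriptors are re-read while the device communicates, and any differing field opens the switch. The Python below is an added worked example, not code from the patent or its applicant: it parses a device descriptor and a configuration descriptor (with the interface and HID descriptors chained inside it, as a GET_DESCRIPTOR(CONFIGURATION) request returns them), records them at enrollment, and on a later re-read lists the fields that differ, driving the CLOSED/OPEN decision. All descriptor bytes are constructed for illustration; the bString comparison and the physical switch are not modelled, and the field names and helper functions are this example's own.

```python
"""Descriptor allowlist check modelled on the claims: parse the descriptors a host
receives via GET_DESCRIPTOR, keep them as registration information, and on every
re-read report the fields that differ so the access switch can be opened.
All descriptor bytes below are constructed samples, not taken from the patent."""
import struct

# Fields compared per descriptor type (bString is not modelled in this example).
DEVICE_FIELDS = ("bLength", "bDescriptorType", "bDeviceClass", "bDeviceSubClass", "bDeviceProtocol")
CONFIG_FIELDS = ("bNumInterfaces", "bConfigurationValue", "wTotalLength")
INTERFACE_FIELDS = ("bInterfaceNumber", "bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")


def parse_device_descriptor(raw: bytes) -> dict:
    """Parse the fixed 18-byte device descriptor (bDescriptorType 0x01)."""
    if len(raw) < 18 or raw[1] != 0x01:
        raise ValueError("not a complete device descriptor")
    b_length, b_type, _bcd_usb, cls, sub, proto = struct.unpack_from("<BBHBBB", raw, 0)
    return {"bLength": b_length, "bDescriptorType": b_type, "bDeviceClass": cls,
            "bDeviceSubClass": sub, "bDeviceProtocol": proto}


def parse_configuration(raw: bytes) -> dict:
    """Parse a configuration descriptor and the interface/HID descriptors chained
    after it; endpoint and other descriptors are skipped but bounds-checked."""
    if len(raw) < 9 or raw[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    b_length, _b_type, total_len, num_if, cfg_val = struct.unpack_from("<BBHBB", raw, 0)
    if total_len != len(raw):
        raise ValueError("wTotalLength does not match the bytes received")
    interfaces, offset = [], b_length
    while offset + 2 <= len(raw):
        length, dtype = raw[offset], raw[offset + 1]
        if length < 2 or offset + length > len(raw):
            raise ValueError("malformed descriptor chain")
        if dtype == 0x04 and length >= 9:  # interface descriptor
            num, _alt, _n_ep, cls, sub, proto = struct.unpack_from("<6B", raw, offset + 2)
            interfaces.append({"bInterfaceNumber": num, "bInterfaceClass": cls,
                               "bInterfaceSubClass": sub, "bInterfaceProtocol": proto, "hid": None})
        elif dtype == 0x21 and length >= 6 and interfaces:  # HID descriptor follows its interface
            bcd_hid, country, n_desc = struct.unpack_from("<HBB", raw, offset + 2)
            interfaces[-1]["hid"] = {"bcdHID": bcd_hid, "bCountryCode": country, "bNumDescriptors": n_desc}
        offset += length
    return {"bNumInterfaces": num_if, "bConfigurationValue": cfg_val,
            "wTotalLength": total_len, "interfaces": interfaces}


def snapshot(device_raw: bytes, config_raw: bytes) -> dict:
    """Everything the access control device records about the USB device at one read."""
    return {"device": parse_device_descriptor(device_raw), "config": parse_configuration(config_raw)}


def compare_descriptors(observed: dict, registration: dict) -> list:
    """Names of every compared field that differs from the registration information."""
    diffs = [f"device.{f}" for f in DEVICE_FIELDS if observed["device"][f] != registration["device"][f]]
    diffs += [f"config.{f}" for f in CONFIG_FIELDS if observed["config"][f] != registration["config"][f]]
    obs_if, reg_if = observed["config"]["interfaces"], registration["config"]["interfaces"]
    if len(obs_if) != len(reg_if):
        diffs.append("interfaces.count")
    for i, (o, r) in enumerate(zip(obs_if, reg_if)):
        diffs += [f"interface[{i}].{f}" for f in INTERFACE_FIELDS if o[f] != r[f]]
        if o["hid"] != r["hid"]:  # the HID descriptor, when present, must match too
            diffs.append(f"interface[{i}].hid")
    return diffs


def switch_state(observed: dict, registration: dict) -> str:
    """Decision rule of the claims: a full match keeps the switch closed, any difference opens it."""
    return "OPEN" if compare_descriptors(observed, registration) else "CLOSED"


# Constructed sample: a mass-storage device as it presented itself at enrollment.
DEVICE_DESCRIPTOR = bytes.fromhex("12010002 000000 40 3412 7856 0001 010203 01")
CONFIG_AT_ENROLLMENT = bytes.fromhex(
    "09022000 01010080 32"   # configuration: wTotalLength 32, 1 interface, value 1
    "09040000 02080650 00"   # interface 0: mass storage / SCSI / bulk-only
    "07058102 400000"        # bulk IN endpoint
    "07050202 400000")       # bulk OUT endpoint
# Constructed re-read during communication: same device descriptor, but the
# configuration now reports a HID interface instead of mass storage.
CONFIG_AT_RECHECK = bytes.fromhex(
    "09022200 01010080 32"   # wTotalLength 34: differs from the registration
    "09040000 01030101 00"   # interface 0: class/subclass/protocol changed
    "09211101 00012240 00"   # HID descriptor, absent at enrollment
    "07058103 08000a")       # interrupt IN endpoint
REGISTRATION = snapshot(DEVICE_DESCRIPTOR, CONFIG_AT_ENROLLMENT)

if __name__ == "__main__":
    print("at plug-in:", switch_state(snapshot(DEVICE_DESCRIPTOR, CONFIG_AT_ENROLLMENT), REGISTRATION))
    changed = snapshot(DEVICE_DESCRIPTOR, CONFIG_AT_RECHECK)
    print("during communication:", switch_state(changed, REGISTRATION), compare_descriptors(changed, REGISTRATION))
```

Including wTotalLength in the comparison (claim 7) is what makes the check robust to descriptors being added or removed even when the fields of the first interface happen to match: in the sample re-read it differs before any interface field is inspected. A real implementation would also re-issue the control transfers periodically, which is the "continue obtaining" step of the apparatus claim.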
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
KR1020247020869A KR20240115276A (ko) | 2021-11-30 | 2022-11-06 | USB device access control method, apparatus and electronic device
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN202111449978.2 | 2021-11-30 | |
CN202111449978.2A CN114139226A (zh) | 2021-11-30 | 2021-11-30 | USB device access control method, apparatus and electronic device
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
US18/678,110 Continuation US20240320380A1 (en) | 2021-11-30 | 2024-05-30 | Method, Apparatus and Electronic Device for Controlling Access of USB Device
Publications (1)
Publication Number | Publication Date
---|---
WO2023098406A1 true WO2023098406A1 (zh) | 2023-06-08
Family
ID=80386294
Family Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
PCT/CN2022/130163 WO2023098406A1 (zh) | 2021-11-30 | 2022-11-06 | USB device access control method, apparatus and electronic device
Country Status (3)
Country | Link
---|---
KR (1) | KR20240115276A (zh)
CN (1) | CN114139226A (zh)
WO (1) | WO2023098406A1 (zh)
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN114139226A (zh) * | 2021-11-30 | 2022-03-04 | 北京博衍思创信息科技有限公司 | USB device access control method, apparatus and electronic device
CN114595178A (zh) * | 2022-03-11 | 2022-06-07 | 北京博衍思创信息科技有限公司 | External protection device and method for protecting HID keyboard and mouse devices
CN117389421B (zh) * | 2023-12-07 | 2024-05-14 | 浙江网商银行股份有限公司 | Trusted access processing method, apparatus, storage medium and electronic device
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
CN101013406A (zh) * | 2007-02-12 | 2007-08-08 | 北京飞天诚信科技有限公司 | Auto-installable information security device and control method thereof
CN101593252A (zh) * | 2009-05-27 | 2009-12-02 | 北京飞天诚信科技有限公司 | Method and system for controlling computer access to USB devices
CN101661441A (zh) * | 2009-09-08 | 2010-03-03 | 王德高 | Internet-based protection method for USB mobile storage devices
CN102332073A (zh) * | 2011-07-07 | 2012-01-25 | 曙光信息产业股份有限公司 | Method for controlling the switching of USB port devices
CN102760104A (zh) * | 2012-06-25 | 2012-10-31 | 成都卫士通信息产业股份有限公司 | USB device control method
CN114139226A (zh) * | 2021-11-30 | 2022-03-04 | 北京博衍思创信息科技有限公司 | USB device access control method, apparatus and electronic device
2021
- 2021-11-30 CN CN202111449978.2A patent/CN114139226A/zh active Pending
2022
- 2022-11-06 KR KR1020247020869A patent/KR20240115276A/ko unknown
- 2022-11-06 WO PCT/CN2022/130163 patent/WO2023098406A1/zh active Application Filing
Also Published As
Publication number | Publication date
---|---
CN114139226A (zh) | 2022-03-04
KR20240115276A (ko) | 2024-07-25
Similar Documents
Publication | Title | Publication Date
---|---|---
WO2023098406A1 (zh) | USB device access control method, apparatus and electronic device |
WO2023098407A1 (zh) | Method, apparatus and electronic device for controlling communication between a USB device and a protected device |
CN103023867B (zh) | Portable security device and method for dynamically configuring network security settings |
US7464158B2 (en) | Secure initialization of intrusion detection system |
US20160373408A1 (en) | Usb firewall devices |
US8869273B2 (en) | Apparatus and method for enhancing security of data on a host computing device and a peripheral device |
US20070005987A1 (en) | Wireless detection and/or containment of compromised electronic devices in multiple power states |
US11907382B2 (en) | Secure access to accessory device resources |
US10523427B2 (en) | Systems and methods for management controller management of key encryption key |
CN103166952B (zh) | Embedded vehicle-mounted data acquisition terminal |
WO2024021577A1 (zh) | Tamper-resistant data protection method and system |
Yuan et al. | Smartpatch: Verifying the authenticity of the trigger-event in the IoT platform |
Shwartz et al. | Inner conflict: How smart device components can cause harm |
US20240137768A1 (en) | Automatic dynamic secure connection system and method thereof |
US20240320379A1 (en) | Method, Apparatus and Electronic Device for Controlliing the Communication between USB Device and Protected Device |
US20240320380A1 (en) | Method, Apparatus and Electronic Device for Controlling Access of USB Device |
AU2019255300B2 (en) | Anti-virus device for industrial control systems |
KR100537930B1 (ko) | Method for securing input data entered via a USB keyboard and security system implementing the same |
CN111625846A (zh) | Mobile terminal device and system state recording method |
CN111479273A (zh) | Method, apparatus, device and storage medium for detecting network access security |
WO2016209203A1 (en) | Usb firewall devices |
WO2024002342A1 (zh) | Cloud-technology-based trusted execution system and method |
Wu et al. | Industrial control trusted computing platform for power monitoring system |
KR101908428B1 (ko) | Method, center apparatus and system for blocking devices that connect via a virtual private network |
Singh et al. | Juice Jacking: Security Issues and Improvements in USB Technology. Sustainability 2022, 14, 939 |
Legal Events
Date | Code | Title | Description
---|---|---|---
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 22900211; Country of ref document: EP; Kind code of ref document: A1
| ENP | Entry into the national phase | Ref document number: 20247020869; Country of ref document: KR; Kind code of ref document: A
| WWE | Wipo information: entry into national phase | Ref document number: 1020247020869; Country of ref document: KR
| NENP | Non-entry into the national phase | Ref country code: DE
| ENP | Entry into the national phase | Ref document number: 2022900211; Country of ref document: EP; Effective date: 20240701