WO2024001642A1 - Usb设备的管控方法、云端设备、终端设备及存储介质 - Google Patents

Usb设备的管控方法、云端设备、终端设备及存储介质 Download PDF

Info

Publication number
WO2024001642A1
WO2024001642A1 PCT/CN2023/097185 CN2023097185W WO2024001642A1 WO 2024001642 A1 WO2024001642 A1 WO 2024001642A1 CN 2023097185 W CN2023097185 W CN 2023097185W WO 2024001642 A1 WO2024001642 A1 WO 2024001642A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
information
usb device
application
target application
Prior art date
Application number
PCT/CN2023/097185
Other languages
English (en)
French (fr)
Inventor
高杰
王�义
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 filed Critical 中兴通讯股份有限公司
Publication of WO2024001642A1 publication Critical patent/WO2024001642A1/zh

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/82Protecting input, output or interconnection devices
    • G06F21/85Protecting input, output or interconnection devices interconnection devices, e.g. bus-connected or in-line devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Definitions

  • the present disclosure relates to the field of communication security technology, and in particular to a USB device management and control method, cloud device, terminal device and storage medium.
  • USB devices At present, the management and control of USB devices is mostly focused on the USB port of the terminal, that is, monitoring the plugging and unplugging of USB devices, and then supplementing it with corresponding policy configuration to allow the use or disabling of USB devices; this method is suitable for cloud device scenarios. It is said that there are various terminal systems, and it is costly and difficult to implement corresponding policies for each terminal system. At the same time, most access requests to USB devices are transmitted to the terminal for authentication analysis and access. If this access request is illegally tampered with during transmission, it may easily cause security issues.
  • Embodiments of the present disclosure provide a USB device management and control method, cloud device, terminal device and storage medium.
  • embodiments of the present disclosure provide a USB device management and control method for use in a cloud device.
  • the cloud device is communicatively connected to a terminal device and at least one application is provided on the cloud device.
  • the method includes: responding to a message sent by the terminal device.
  • USB device redirection request obtain the target security policy; obtain the access request package of the target application, which is used by the target application to access the USB device; based on the target security policy, determine the access rights of the target application according to the access request package; determine based on the access rights Access operation information and send access operation information to the terminal device.
  • another embodiment of the present disclosure provides a USB device management and control method for a terminal device.
  • the terminal device communicates with a cloud device.
  • the method includes: when detecting the insertion of a USB device, obtaining device information of the USB device; Determine the redirection information of the USB device; generate a USB device redirection request based on the device information and redirection information, and send the USB device redirection request to the cloud device; perform operations on the USB device based on the access operation information sent by the cloud device Corresponding access operation.
  • embodiments of the present disclosure also provide a cloud device.
  • the cloud device is communicatively connected to the terminal device.
  • the cloud device includes a processor, a memory, a computer program stored in the memory and executable by the processor, and a computer program for implementing the processor. and a data bus for communication between the connection and the memory, wherein when the computer program is executed by the processor, any one of the USB device management and control methods for cloud devices provided in this disclosure is implemented.
  • embodiments of the present disclosure also provide a terminal device.
  • the terminal device is communicatively connected to a cloud device.
  • the terminal device includes a processor, a memory, a computer program stored in the memory and executable by the processor, and a computer program for implementing the processor. and a data bus for communication between the connection and the memory, wherein when the computer program is executed by the processor, any one of the USB device management and control methods for cloud devices provided in this disclosure is implemented.
  • embodiments of the present disclosure also provide a storage medium for computer-readable storage.
  • the storage medium stores one or more programs, and the one or more programs can be executed by one or more processors to implement the following:
  • This disclosure provides steps for any one of the USB device management and control methods for cloud devices, and/or any one of the steps for the USB device management and control method for terminal devices.
  • Figure 1 is a schematic flow chart of a USB device management and control method provided by an embodiment of the present disclosure
  • FIG. 2 is a schematic flowchart of another USB device management and control method provided by an embodiment of the present disclosure
  • Figure 3 is a schematic structural block diagram of a cloud device provided by an embodiment of the present disclosure.
  • Figure 4 is a schematic structural block diagram of a terminal device provided by an embodiment of the present disclosure.
  • FIG. 5 is a schematic block diagram of a usage scenario of a USB device management and control method provided by an embodiment of the present disclosure.
  • Embodiments of the present disclosure provide a USB device management and control method, cloud device, terminal device and storage medium.
  • the USB device management and control method can be applied to a cloud device.
  • the cloud device can be, for example, a server or a device that provides cloud services.
  • FIG. 1 is a schematic flowchart of a USB device management and control method provided by an embodiment of the present disclosure.
  • the USB device management and control method includes steps S101 to S104.
  • Step S101 In response to the USB device redirection request sent by the terminal device, obtain the target security policy.
  • the cloud device is communicatively connected to the terminal device, and at least one application is installed on the cloud device. It can be understood that the application on the cloud device can access the application on the terminal device and insert it into the terminal device. USB device on.
  • the cloud device is used to provide the running environment of the cloud desktop, and at least one application program is provided on the cloud desktop. It can be understood that the application program on the cloud desktop can access the USB device, thereby realizing the cloud desktop. Desktop office, etc.
  • the application on the cloud device may access the USB device, but based on user needs, the user may not want every application to access the USB device, or There may be some malicious programs that access the USB device, causing the information in the USB device to be lost or leaked. Therefore, it is necessary to control the access of applications on the cloud device to the USB device.
  • the USB device After the USB device is inserted into the terminal device, if you need to log in to the cloud, such as a cloud desktop, you can send a USB device redirection request to the cloud device. After receiving the USB device redirection request, the cloud device obtains the target security Strategy.
  • the target security policy corresponding to the USB device redirection request can be obtained from another server.
  • the target security policy is used to indicate the access permission of the application. Through the target security policy, It can determine the access permissions of applications, thereby protecting the security of USB devices when they are connected to the cloud desktop.
  • Step S102 Obtain the access request packet of the target application program, which is used to access the USB device.
  • an access request packet will be generated to access the USB device.
  • the access request package may include application information of the target application and the access request type.
  • the application information includes the application name, developer and other information of the target application.
  • the access request type may include read access, write access, Modify at least one item in the visit.
  • a target application that needs to access the USB device is determined, and an access request packet of the target application is obtained, so that the access request type and corresponding access permission of the target application can be determined through the access request packet.
  • Step S103 Based on the target security policy, determine the access rights of the target application according to the access request package.
  • the access rights of the target application can be determined according to the access request packet, thereby achieving management and control of the USB device.
  • the target security policy is used to determine whether the target application can access the USB device, and when the target application can access the USB device, determine what access operations the target application can perform on the information in the USB device, This can prevent untrusted applications from accessing USB devices and refine management policies, thereby improving the security of USB devices and meeting the usage needs of cloud desktop scenarios.
  • Step S104 Determine the access operation information according to the access authority, and send the access operation information to the terminal device.
  • access operation information may be generated and sent to the terminal device. It can be understood that after receiving the access operation information, the terminal device can perform the access operation indicated by the access operation information on the USB device according to the access operation information.
  • the USB device in a usage scenario of the cloud, such as a cloud desktop, the USB device is connected to the terminal device, and the terminal device is communicatively connected to the cloud device. Therefore, if the USB device is accessed, the USB device can be accessed on the terminal device. If only through the policies and configurations set on the terminal device, it is difficult to adjust or configure the policies centrally in the cloud device, and it cannot adapt to a variety of applications on the cloud desktop. If the file filtering driver of the terminal device is used to implement The management and control of USB devices analyzes and intercepts requests transmitted to terminal devices, which may lead to the loss or leakage of information on the terminal devices, posing security risks.
  • This disclosure can improve the security when sending request packets to the terminal device by obtaining the target security policy in the cloud device, determining the access permissions for the access request package of the application, generating access operation information, and then transmitting it to the terminal device, and can Adjust security policies more flexibly to improve the security and convenience of controlling USB devices.
  • obtaining the access request package of the target application includes: obtaining application information of the target application. information and access request type; encapsulate the application information and access request type to obtain the access request package.
  • the target application if it needs to access the USB device, it will access it through the access request type, where the access request type is used to indicate what kind of access operation the target application should perform on the USB device, for example Perform read access, write access, or modify access, etc. It is understandable that after obtaining the access request type of the target application program, the application information of the target application program can also be obtained to determine whether the target application program can access the USB device.
  • the target application will send a URB request to the USB device that needs to be accessed.
  • the URB request will be transmitted to the user-mode service program and parsed in the service program. Thereby obtaining the application information and access request type of the target application.
  • the application information and the access request type are encapsulated to obtain an access request package, so that the target application can be determined based on the access request package. access permission.
  • security authentication can be performed on the application information and access request type in the access request package to determine the access rights of the target application.
  • the access request package is obtained, and the access request package is analyzed and controlled based on the target security policy to meet the usage scenarios of cloud devices and improve the security of USB devices. Access security.
  • the target security policy includes application information whitelist and access control information. Based on the target security policy, the access rights of the target application are determined according to the application information in the access request package and the access request type, including: determining the application information whitelist. Whether the list contains information corresponding to the application information; if the application information whitelist contains information corresponding to the application information, determine the access permissions of the target application based on the access control information and the access request type in the access request package.
  • the target security policy includes an application information whitelist and access control information.
  • the application information whitelist may be a preset one, or may be a list updated in real time from the server; and the application information whitelist There is a corresponding relationship between the list and access control information. For example, only applications in the application information whitelist have corresponding access control information.
  • the access rights of the target application when determining the access rights of the target application based on the target security policy and the application information in the access request package and the access request type, it can be determined whether the application information in the access request package exists in the application of the target security policy.
  • the application information whitelist if the application information whitelist contains information corresponding to the application information, the access request type in the access request package can be obtained to determine the target application through the access control information and access request type in the target security policy. access permission.
  • determining the access rights of the target application based on the access control information and the access request type in the access request package includes: if there is information matching the access request type in the access control information, determining the target application based on the matching information.
  • the access permission of the program if the access control information does not match the access request type, determine the access permission of the target application as the first access permission.
  • the first access permission is used to indicate that the target application cannot access the USB device.
  • the access permissions of the target application can be determined based on the matching information. For example, the access request type is read. Access, if there is read permission information and write permission information in the access control information, it can be considered that there is information matching the access request type in the access control information.
  • the access permission of the target application is determined to be The first access right.
  • the first access right is used to indicate that the target application cannot access the USB device, that is, the current access operation of the target application cannot be performed.
  • the application information in the target security policy is white.
  • the list contains information corresponding to the application information of the target application, and the access request type in the access request package is obtained. Among them, if the access control information in the target security policy includes read permission information and write permission information, the access request type includes modify access.
  • the access control information does not match the access request type, and the access permission of the target application is determined to be the first access permission; if the access request type includes read access, it can be considered that the access request information matches the access request type, and Determine the target application's access rights based on the matching information.
  • the failure to match information can be returned to the target application, so that the target application determines whether to adjust the access request type based on the failure to match the information.
  • determining the access permission of the target application based on the access control information includes: if the matching information includes read-only permission information, determining the access permission of the target application The permission is the second access permission.
  • the second access permission is used to indicate that the target application can read the information in the USB device but cannot modify the information in the USB device.
  • the access control information includes read-only permission information and the access request type at least includes read access, then it can be determined that the access control information matches the access request type, and the matching information includes read-only permission information, Thus, it is determined that the access permission of the target application is the second access permission.
  • the second access right is used to indicate that the target application can access the information stored in the USB device. Read operation, but cannot modify the information in the USB device or write new information.
  • the access permission of the target application is determined to be the third access permission, and the third access permission is used to indicate that the target application can write information to the USB device, The original information in the USB device cannot be read or modified.
  • the access control information includes write-only permission information and the access request type at least includes write access, then it can be determined that the access control information matches the access request type, and the matching information includes write-only permission information, Thus, it is determined that the access permission of the target application is the third access permission.
  • the third access right is used to indicate that the target application can write information to the USB device, but cannot read and modify the information stored in the USB device.
  • the information stored in the USB device here can be a USB device. Original storage information, thereby protecting the original storage information in the USB device.
  • the access permission of the target application is determined to be the fourth access permission.
  • the fourth access permission is used to indicate that the target application can write information, read and write information to the USB device. At least one operation of fetching and modifying.
  • the access control information includes read and write permission information
  • the access request type includes at least one of read access, write access, and modify access
  • the matching information includes read and write permission information, thereby determining that the access permission of the target application is the fourth access permission.
  • the read and write permission information is used to indicate that the target application can perform any access operations on the USB device, such as read access, write access, and modify access, when the matching information is read and write permission information. , it can be determined that the access permission of the target application is the fourth access permission.
  • the fourth access right of the target application is used to indicate that the target application can perform at least one operation of writing, reading, and modifying the USB device.
  • matching information and access request types are examples. Those skilled in the art can also set up other different operation processes. The implementation methods provided above do not limit the matching information and corresponding operation processes of the present disclosure. .
  • matching information can be determined to determine the access permissions of the target application to improve the management and control security of USB devices.
  • the method further includes: if the application information whitelist does not contain information corresponding to the application information, determining that the access permission of the target application is the first access permission.
  • the access rights of the target application are determined as the first access rights.
  • determining the access operation information according to the access rights and sending the access operation information to the terminal device includes: if the access rights are the first access rights, determining the access information as inaccessible information and sending the inaccessible information. to the terminal device.
  • the access information is determined to be inaccessible information, and the cloud device can deny the target application access to the USB device based on the inaccessible information; in other implementation scenarios Under this condition, after the cloud device determines that it cannot access the information, it does not need to send access information to the terminal device, so that the terminal device does not access the USB device when it fails to receive the access information.
  • the application in the cloud desktop needs to access the USB device, it needs to send the access information to the terminal device connected to the USB device, and implement access to the USB device in the terminal device. Therefore, when the terminal device receives the inaccessible information, it does not need to access the USB device.
  • the access information is determined according to the access right and the access request package, and the access information is sent to the terminal device, So that the terminal device can access the USB device according to the corresponding access permission and access request package.
  • the access information can be determined according to the corresponding access right and the access request packet, and The access information is sent to the terminal device so that the terminal device can access the USB device according to the access request package and corresponding access rights. It can be understood that the access permission is used to indicate that the target application can perform corresponding operations on the USB device.
  • the specific implementation process may refer to the above embodiment, and will not be repeated here.
  • obtaining the target security policy in response to the USB device redirection request sent by the terminal device, includes: determining whether the USB device has a storage function according to the device information of the USB device in the USB device redirection request; if the USB device It has storage function and obtains the target security policy.
  • USB device does not have a storage function, it can be considered that there will be no information loss or leakage in the USB device. Therefore, there is no need to obtain the target security policy, which can effectively improve cloud desktop applications' access to USB devices. processing efficiency.
  • the corresponding target security policy is obtained to protect the information in the USB device.
  • the USB device management and control method for cloud devices responds to the USB device sent by the terminal device.
  • Device redirection request obtain the target security policy; obtain the access request package of the target application, which is used by the target application to access the USB device; based on the target security policy, determine the access permissions of the target application according to the access request package; determine access based on the access permissions Operation information, and send access operation information to the terminal device.
  • Target applications on cloud devices can be managed and controlled, which improves the security of accessing USB devices and improves the convenience of adjusting security policies to adapt to cloud desktop usage scenarios.
  • the present disclosure also provides a method for managing and controlling a USB device of a terminal device.
  • the terminal device communicates with the cloud device.
  • the method includes steps S201 to S204.
  • Step S201 When it is detected that the USB device is inserted, obtain the device information of the USB device.
  • the terminal device when the terminal device detects that the USB device is inserted, it obtains the device information of the USB device. It can be understood that the device information of the USB device can indicate whether the USB device is a storage device and/or whether it stores information. And if the device information of the USB device indicates that the USB device is a storage device, access to the USB device needs to be controlled to protect the USB device and/or the information stored in the USB device.
  • Step S202 Determine the redirection information of the USB device.
  • the redirection information is used to indicate which cloud desktop or cloud the USB device can be used on, so as to achieve communication connection with the cloud desktop or cloud through the redirection information.
  • Step S203 Generate a USB device redirection request according to the device information and redirection information, and send the USB device redirection request to the cloud device.
  • a USB device redirection request is generated according to the device information and redirection information, and the USB device redirection request is sent to the cloud device, where the cloud device can provide multiple cloud desktop operating environments, and the USB device redirection request is sent to the cloud device.
  • Orientation information can be used to indicate a certain cloud desktop.
  • the cloud device can determine whether the USB device is a storage device according to the device information, and determine whether to obtain the corresponding target security policy, as described in the previous embodiments, which will not be repeated here.
  • Step S204 Perform corresponding access operations on the USB device according to the access operation information sent by the cloud device.
  • the cloud device may analyze the redirection request of the USB device and perform security checks on the target application that needs to access the USB device. Confirm, and after confirmation, send the access operation information to the terminal device, so that the terminal device can perform corresponding access operations on the USB device based on the access operation information. It can be understood that the implementation process can be as described in the previous embodiments, and will not be repeated here.
  • corresponding access to the USB device is performed based on the access information sent by the cloud device, including: If the access operation information includes the first access right, the USB device cannot be accessed; if the access operation information includes one of the second access right, the third access right, and the fourth access right, the USB device cannot be accessed according to the access right and the access request package.
  • the USB device performs corresponding access operations.
  • the second access right is used to indicate that the access request package can read the information in the USB device;
  • the third access right is used to indicate that the access request package can write the USB device;
  • the fourth access right is used to indicate the access request The package can perform read and write operations on USB devices.
  • USB device since the USB device only maps the virtual USB device to the cloud desktop, the actual operation still needs to be completed on the terminal device, so the terminal device needs to obtain the data sent by the cloud device. Access operation information and perform corresponding access operations on USB devices.
  • the access operation information includes the first access permission
  • the request packet sent by the target application on the terminal device's control cloud desktop cannot access the USB device, that is, the USB device is controlled to deny access by the target application.
  • the cloud device may not send the access operation information to the terminal device. That is, the above method also includes: the terminal device fails to receive the access operation. When information is being sent, USB is not accessed.
  • the terminal device can perform the corresponding access operation on the USB device according to the second access right and the access request package to enable the target application to access the USB device.
  • the second access right is used to indicate that the access request packet can read information in the USB device. It can be understood that after the terminal device receives the access operation information including the second access right, You can read information from the USB device to complete the access operation to the USB device.
  • the terminal device can perform the corresponding access operation on the USB device according to the third access right and the access request package, so as to enable the target application to access the USB device.
  • the third access right is used to indicate that the access request packet can write information in the USB device. It can be understood that after the terminal device receives the access operation information including the third access right, Information can be written to the USB device to complete the access operation to the USB device.
  • the terminal device can perform the corresponding access operation on the USB device according to the fourth access right and the access request package to enable the target application to access the USB device.
  • the fourth access right is used to indicate that the access request packet can read and write information in the USB device. It can be understood that after the terminal device receives the access operation information including the fourth access right, At least one of information reading, writing and modifying operations can be performed on the USB device to complete the access operation to the USB device.
  • the terminal device can perform different access operations on the USB device, thereby improving the security of accessing the USB device.
  • the method for managing and controlling a USB device of a terminal device obtains the device information of the USB device when the insertion of the USB device is detected; determines the redirection information of the USB device; and generates the USB device based on the device information and the redirection information. Redirect the request and send the USB device redirection request to the cloud device; perform corresponding access operations on the USB device according to the access operation information sent by the cloud device.
  • the security authentication of the target application by the cloud device can be used to improve the security of the target application in the cloud device accessing the USB device.
  • FIG. 3 is a schematic structural block diagram of a cloud device provided by an embodiment of the present disclosure.
  • the cloud device 300 includes a processor 301 and a memory 302.
  • the processor 301 and the memory 302 are connected through a bus 303, which is, for example, an I2C (Inter-integrated Circuit) bus.
  • I2C Inter-integrated Circuit
  • the processor 301 is used to provide computing and control capabilities to support the operation of the entire cloud device.
  • the processor 301 can be a central processing unit (Central Processing Unit, CPU).
  • the processor 301 can also be other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC). ), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the general processor may be a microprocessor or the processor may be any conventional processor.
  • the memory 302 may be a Flash chip, a read-only memory (ROM, Read-Only Memory) disk, an optical disk, a USB disk, a mobile hard disk, or the like.
  • ROM read-only memory
  • the memory 302 may be a Flash chip, a read-only memory (ROM, Read-Only Memory) disk, an optical disk, a USB disk, a mobile hard disk, or the like.
  • FIG. 3 is only a block diagram of a partial structure related to the embodiments of the present disclosure, and does not constitute a limitation on the cloud devices to which the embodiments of the present disclosure are applied.
  • the server may include more or fewer components than shown, some combinations of components, or have a different arrangement of components.
  • the processor is used to run a computer program stored in the memory, and when executing the computer program, implement any one of the USB device management and control methods for cloud devices provided by the embodiments of the present disclosure.
  • the processor is configured to run a computer program stored in the memory, and implement the following steps when executing the computer program: in response to a USB device redirection request sent by the terminal device, obtain the target security policy; obtain the target application program The access request package is used by the target application to access the USB device; based on the target security policy, the access permission of the target application is determined according to the access request package; the access operation information is determined based on the access permission, and the access operation information is sent to the terminal device.
  • the processor when obtaining the access request package of the target application, the processor is used to: obtain the application information and access request type of the target application; encapsulate the application information and access request type to obtain the access request Package; the processor is used to implement: Based on the target security policy, the processor determines the access rights of the target application based on the application information and access request type in the access request package. permissions.
  • the processor when implementing the target security policy and determining the access rights of the target application based on the application information in the access request package and the access request type, is configured to: determine whether the application information whitelist exists and the application information Corresponding information; if the application information whitelist contains information corresponding to the application information, the access permissions of the target application are determined based on the access control information and the access request type in the access request package.
  • the processor when determining the access rights of the target application based on the access control information and the access request type in the access request package, is configured to: if there is information matching the access request type in the access control information, Determine the access permission of the target application based on the matching information; if the access control information does not match the access request type, determine the access permission of the target application as the first access permission.
  • the first access permission is used to indicate that the target application cannot access the USB device to access.
  • the processor when the processor determines the access permission of the target application based on the access control information if there is information matching the access request type in the access control information, the processor is configured to: if the matching information includes read-only permission information , determine the access rights of the target application as the second access rights.
  • the second access rights are used to indicate that the target application can read the information in the USB device but cannot modify the information in the USB device; if the matching
  • the information includes write-only permission information, which determines that the access permission of the target application is the third access permission.
  • the third access permission is used to indicate that the target application can write information to the USB device and cannot read the information stored in the USB device. Get and modify operations; if the matching information includes read and write permission information, determine the access permission of the target application to be the fourth access permission.
  • the fourth access permission is used to indicate that the target application can write information, read and modify the USB device. At least one operation to modify.
  • the processor when implementing the USB device management and control method, is also used to implement: if the application information whitelist does not contain information corresponding to the application information, determine the access rights of the target application as the first access rights.
  • the processor when determining the access operation information according to the access permission and sending the access operation information to the terminal device, is configured to: if the access permission is the first access permission, determine the access information as inaccessible information. , and send the inaccessible information to the terminal device; if the access right is one of the second access right, the third access right, and the fourth access right, the access information is determined based on the access right and the access request package, and the access information is sent to the terminal device, so that the terminal device accesses the USB device according to the corresponding access permission and access request package.
  • the processor when the processor obtains the target security policy in response to the USB device redirection request sent by the terminal device, it is configured to: determine the USB device according to the device information of the USB device in the USB device redirection request. Whether it has storage function; if the USB device has storage function, obtain the target security policy.
  • FIG. 4 is a schematic structural block diagram of a terminal device provided by an embodiment of the present disclosure.
  • the terminal device 400 includes a processor 401 and a memory 402.
  • the processor 401 and the memory 402 are connected through a bus 404, which is, for example, an I2C (Inter-integrated Circuit) bus.
  • I2C Inter-integrated Circuit
  • the processor 401 is used to provide computing and control capabilities to support the operation of the entire terminal device.
  • the processor 401 can be a central processing unit (Central Processing Unit, CPU).
  • the processor 401 can also be other general-purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC). ), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the general processor may be a microprocessor or the processor may be any conventional processor.
  • the memory 402 may be a Flash chip, a read-only memory (ROM, Read-Only Memory) disk, an optical disk, a USB disk, a mobile hard disk, or the like.
  • ROM read-only memory
  • the memory 402 may be a Flash chip, a read-only memory (ROM, Read-Only Memory) disk, an optical disk, a USB disk, a mobile hard disk, or the like.
  • the server may include more or fewer components than shown, some combinations of components, or have a different arrangement of components.
  • the processor is used to run a computer program stored in the memory, and when executing the computer program, implement any of the USB device management and control methods for terminal devices provided by the embodiments of the present disclosure.
  • the processor is configured to run a computer program stored in the memory, and implement the following steps when executing the computer program: when detecting the insertion of a USB device, obtain device information of the USB device; determine redirection information of the USB device ; Generate a USB device redirection request based on the device information and redirection information, and send the USB device redirection request to the cloud device; perform corresponding access operations on the USB device based on the access operation information sent by the cloud device.
  • the processor when the processor implements corresponding access to the USB device based on the access information sent by the cloud device, it is used to implement: if the access operation information includes the first access permission, the USB device cannot be accessed; if The access operation information includes one of the second access right, the third access right, and the fourth access right.
  • the corresponding access operation is performed on the USB device according to the access right and the access request package; wherein the second access right is used to indicate the access request.
  • the package can read the information in the USB device; the third access right is used to indicate that the access request package can write to the USB device. input operation; the fourth access right is used to indicate that the access request packet can perform read and write operations on the USB device.
  • the cloud device also includes an application module, a peripheral agent module and a virtual bus module; wherein the USB device on the terminal device can be mapped to the virtual bus module through the peripheral agent module, That is to say, a USB device can be virtualized in the virtual bus module, so that the cloud device can securely control the target application's access to the USB device.
  • the peripheral agent module is used to communicate with the terminal device and is also used to communicate with the policy.
  • the management server exchanges information about security policies; the virtual bus module is used to perform security authentication on target applications and generate corresponding access request packages; the application module is used to store applications and send application information and access requests to the virtual bus module , it can be understood that the specific implementation process can be as described in the above embodiments, and will not be repeated here.
  • Embodiments of the present disclosure also provide a storage medium for computer-readable storage.
  • the storage medium stores one or more programs.
  • the one or more programs can be executed by one or more processors to implement the embodiments of the present disclosure. Any of the steps provided in the instructions are steps for a USB device management and control method for a cloud device, and/or a step for a USB device management and control method for a terminal device.
  • the storage medium may be an internal storage unit of the cloud device and/or terminal device described in the previous embodiments, such as a hard disk or memory of the cloud device and/or terminal device.
  • the storage medium can also be an external storage device of the cloud device and/or the terminal device, such as a plug-in hard drive, a smart memory card (Smart Media Card, SMC), or a secure digital (Secure Digital) equipped on the cloud device and/or the terminal device. SD) card, Flash Card, etc.
  • Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media).
  • computer storage media includes volatile and nonvolatile media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. removable, removable and non-removable media.
  • Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disk (DVD) or other optical disk storage, magnetic cassettes, tapes, disk storage or other magnetic storage devices, or may Any other medium used to store the desired information and that can be accessed by a computer.
  • communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include including any information delivery medium.
  • Embodiments of the present disclosure provide a USB device management and control method, a cloud device, a terminal device and a storage medium, aiming to improve the security of using USB devices in cloud devices and the convenience of management and control.
  • Embodiments of the present disclosure provide a USB device management and control method, cloud device, terminal device and storage medium.
  • Embodiments of the present disclosure obtain the target security policy by responding to the USB device redirection request sent by the terminal device; obtain access to the target application Request package, the target application is used to access the USB device; based on the target security policy, determine the access permission of the target application according to the access request package; determine the access operation information based on the access permission, and send the access operation information to the terminal device, which can be used in the USB
  • the access rights of the application in the cloud device are determined through the corresponding target security policy, so that USB devices can be managed and controlled on the cloud device, improving the security and convenience of USB device management and control.
  • the present disclosure can be applied to cloud desktop usage scenarios, and can improve the security and convenience of cloud desktop applications accessing USB devices.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

本公开提供一种USB设备的管控方法、云端设备、终端设备及存储介质。云端设备与终端设备通信连接,且云端设备上设有应用程序,该方法包括:响应于终端设备发送的USB设备重定向请求,获取目标安全策略;获取目标应用程序的访问请求包,目标应用程序用于访问USB设备;基于目标安全策略,根据访问请求包确定目标应用程序的访问权限;根据访问权限确定访问操作信息,并将访问操作信息发送至终端设备。

Description

USB设备的管控方法、云端设备、终端设备及存储介质
相关申请的交叉引用
本公开要求享有2022年06月28日提交的名称为“USB设备的管控方法、云端设备、终端设备及存储介质”的中国专利申请CN202210744622.X的优先权,其全部内容通过引用并入本公开中。
技术领域
本公开涉及通信安全技术领域,尤其涉及一种USB设备的管控方法、云端设备、终端设备及存储介质。
背景技术
目前,对USB设备的管控大多集中在终端的USB端口进行管控,也即监控USB设备的插拔,然后辅以对应的策略配置,允许使用或禁用USB设备;此种方法对于云端设备的场景来说,终端系统多种多样,为各终端系统配以对应的策略成本较大,实现难度也较大;同时,多数对USB设备的访问请求均是传输至终端进行鉴权分析及访问的,在此访问请求的传输过程中若被非法篡改,则容易造成安全问题。
发明内容
本公开实施例提供一种USB设备的管控方法、云端设备、终端设备及存储介质。
第一方面,本公开实施例提供一种USB设备的管控方法,用于云端设备,云端设备与终端设备通信连接且在云端设备上设有至少一个应用程序,方法包括:响应于终端设备发送的USB设备重定向请求,获取目标安全策略;获取目标应用程序的访问请求包,目标应用程序用于访问USB设备;基于目标安全策略,根据访问请求包确定目标应用程序的访问权限;根据访问权限确定访问操作信息,并将访问操作信息发送至终端设备。
第二方面,本公开另一实施例提供一种USB设备的管控方法,用于终端设备,终端设备与云端设备通信连接,方法包括:在检测到USB设备插入时,获取USB设备的设备信息;确定USB设备的重定向信息;根据设备信息和重定向信息生成USB设备重定向请求,并将USB设备重定向请求发送至云端设备;根据云端设备发送的访问操作信息,对USB设备进行 对应的访问操作。
第三方面,本公开实施例还提供一种云端设备,云端设备与终端设备通信连接,云端设备包括处理器、存储器、存储在存储器上并可被处理器执行的计算机程序以及用于实现处理器和存储器之间的连接通信的数据总线,其中所述计算机程序被处理器执行时,实现如本公开说明书提供的任一项用于云端设备的USB设备的管控方法。
第四方面,本公开实施例还提供一种终端设备,终端设备与云端设备通信连接,终端设备包括处理器、存储器、存储在存储器上并可被处理器执行的计算机程序以及用于实现处理器和存储器之间的连接通信的数据总线,其中所述计算机程序被处理器执行时,实现如本公开说明书提供的任一项用于云端设备的USB设备的管控方法。
第五方面,本公开实施例还提供一种存储介质,用于计算机可读存储,存储介质存储有一个或者多个程序,一个或者多个程序可被一个或者多个处理器执行,以实现如本公开说明书提供的任一项用于云端设备的USB设备的管控方法的步骤,和/或任一项用于终端设备的USB设备的管控方法的步骤。
附图说明
为了更清楚地说明本公开实施例技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图是本公开的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。
图1为本公开实施例提供的一种USB设备的管控方法的流程示意图;
图2为本公开实施例提供的另一种USB设备的管控方法的流程示意图;
图3为本公开实施例提供的一种云端设备的结构示意框图;
图4为本公开实施例提供的一种终端设备的结构示意框图;以及
图5为本公开实施例提供的一种使用USB设备的管控方法的使用场景示意框图。
具体实施方式
下面将结合本公开实施例中的附图,对本公开实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本公开一部分实施例,而不是全部的实施例。基于本公开中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本公开保护的范围。
附图中所示的流程图仅是示例说明,不是必须包括所有的内容和操作/步骤,也不是必须按所描述的顺序执行。例如,有的操作/步骤还可以分解、组合或部分合并,因此实际执行的顺序有可能根据实际情况改变。
应当理解,在此本公开说明书中所使用的术语仅仅是出于描述特定实施例的目的而并不意在限制本公开。如在本公开说明书和所附权利要求书中所使用的那样,除非上下文清楚地指明其它情况,否则单数形式的“一”、“一个”及“该”意在包括复数形式。
本公开实施例提供一种USB设备的管控方法、云端设备、终端设备及存储介质。其中,该USB设备的管控方法可应用于云端设备中,该云端设备可以例如是服务器,也可以是提供云端服务的设备。
下面结合附图,对本公开的一些实施例作详细说明。在不冲突的情况下,下述的实施例及实施例中的特征可以相互组合。
请参照图1,图1为本公开实施例提供的一种USB设备的管控方法的流程示意图。
如图1所示,该USB设备的管控方法包括步骤S101至步骤S104。
步骤S101、响应于终端设备发送的USB设备重定向请求,获取目标安全策略。
在一示例性实施例中,云端设备与终端设备通信连接,且云端设备上设有至少一个应用程序,可以理解的,云端设备上的应用程序可以访问终端设备上的应用程序以及插入在终端设备上的USB设备。
在一示例性实施例中,云端设备用于提供云桌面的运行环境,且云桌面上设有至少一个应用程序,可以理解的,云桌面上的应用程序可以对USB设备进行访问,从而实现云桌面办公等。
在一示例性实施例中,在USB设备进行重定向时,云端设备上的应用程序或会对USB设备进行访问,但基于用户需求,用户可能不想每个应用程序都对USB设备进行访问,或者会存在一些恶意程序进行访问导致USB设备中的信息丢失或泄露,因此,需要对云端设备上的应用程序对USB设备的访问进行管控。
在一示例性实施例中,USB设备插入终端设备后,若需登录云端,例如云桌面,可以向云端设备发送USB设备重定向请求,云端设备在接收到USB设备重定向请求后,获取目标安全策略。
可以理解的,可以在另一服务器中获取与USB设备重定向请求对应的目标安全策略。
在一示例性实施例中,目标安全策略用于指示应用程序的访问权限,通过目标安全策略, 能够确定应用程序的访问权限,从而能够保护USB设备接入云桌面时的安全性。
步骤S102、获取目标应用程序的访问请求包,目标应用程序用于访问USB设备。
在一示例性实施例中,若在云端设备上的应用程序对USB设备进行访问,会生成访问请求包,以对USB设备进行访问。可以理解的,访问请求包可以包括目标应用程序的应用信息及访问请求类型,其中,应用信息包括目标应用程序的应用名称、开发商等信息,访求请求类型可以包括读取访问、写入访问、修改访问中的至少一项。
在一示例性实施例中,确定需要访问USB设备的目标应用程序,以及获取目标应用程序的访问请求包,以能够通过访问请求包确定目标应用程序的访问请求类型及对应的访问权限。
步骤S103、基于目标安全策略,根据访问请求包确定目标应用程序的访问权限。
在一示例性实施例中,通过目标安全策略,可以根据访问请求包确定目标应用程序的访问权限,从而实现对USB设备的管控。
在一示例性实施例中,目标安全策略用于判断目标应用程序能够访问USB设备,以及在目标应用程序能够访问USB设备时,判断目标应用程序能够对USB设备中的信息进行何种访问操作,从而能够避免不受信的应用程序访问USB设备,以及能够细化管理策略,从而提升USB设备的安全性的同时,满足云桌面场景的使用需求。
步骤S104、根据访问权限确定访问操作信息,并将访问操作信息发送至终端设备。
在一示例性实施例中,确定目标应用程序的访问权限后,可以生成访问操作信息,并将访问操作信息发送至终端设备。可以理解的,终端设备在接收到访问操作信息后,可以根据访问操作信息对USB设备进行访问操作信息所指示的访问操作。
在一示例性实施例中,在云端,例如云桌面的使用场景下,USB设备与终端设备连接,且终端设备与云端设备通信连接,因此,若对USB设备进行访问操作,可在终端设备上进行,若只通过设置于终端设备上的策略和配置,在云端设备中难以集中调整或配置策略,且无法适配云桌面上的多种应用程序,若通过终端设备的文件过滤驱动程序实现对USB设备的管控,对传输至终端设备的请求进行分析与拦截,有可能导致终端设备上的信息丢失或泄露等问题,存在安全隐患。本公开通过在云端设备中获取目标安全策略,并对应用程序的访问请求包进行确定访问权限生成访问操作信息后再传输至终端设备,可以提升向终端设备发送请求包时的安全性,以及能够更灵活地调整安全策略,从而提升对USB设备进行管控的安全性和便利性。
在一些实施例中,获取目标应用程序的访问请求包,包括:获取目标应用程序的应用信 息和访问请求类型;对应用信息和访问请求类型进行封装,得到访问请求包。
在一示例性实施例中,目标应用程序若需要对USB设备进行访问时,会通过访问请求类型来进行访问,其中,访问请求类型用于指示目标应用程序对USB设备进行何种访问操作,例如进行读取访问、写入访问或修改访问等。可以理解的,在获取到目标应用程序的访问请求类型后,还可以获取目标应用程序的应用信息,以判断目标应用程序是否能够对USB设备进行访问。
在一示例性实施过程中,目标应用程序针对需要访问的USB设备会发送一个URB请求,在云端设备中,该URB请求会被传输至用户态的服务程序,并在该服务程序中进行解析,从而获取目标应用程序的应用信息和访问请求类型。
在一示例性实施例中,在获取到目标应用程序的应用信息和访问请求类型后,将应用信息和访问请求类型进行封装,以得到访问请求包,从而能够根据访问请求包确定目标应用程序的访问权限。
基于目标安全策略,根据访问请求包确定应用程序的访问权限,包括:基于目标安全策略,根据访问请求包中的应用信息和访问请求类型确定目标应用程序的访问权限。
在一示例性实施例中,通过目标安全策略,可以对访问请求包中的应用信息和访问请求类型进行安全认证,以确定目标应用程序的访问权限。
通过对目标应用程序的应用信息和访问请求类型进行封装,得到访问请求包,以及基于目标安全策略对访问请求包进行分析和管控,以满足云端设备的使用场景的情况下,提升对USB设备的访问安全性。
在一些实施例中,目标安全策略包含应用信息白名单及访问控制信息,基于目标安全策略,根据访问请求包中的应用信息和访问请求类型确定目标应用程序的访问权限,包括:确定应用信息白名单是否存在与应用信息对应的信息;若应用信息白名单存在与应用信息对应的信息,根据访问控制信息和访问请求包中的访问请求类型确定目标应用程序的访问权限。
在一示例性实施例中,目标安全策略包括应用信息白名单以及访问控制信息,可以理解的,应用信息白名单可以是预设的,也可以是从服务端实时更新的名单;且应用信息白名单与访问控制信息存在对应关系,例如,位于应用信息白名单中的应用程序才存在对应的访问控制信息。
可以理解的,在基于目标安全策略,根据访问请求包的应用信息和访问请求类型确定目标应用程序的访问权限时,可以确定访问请求包中的应用信息是否存在于目标安全策略的应 用信息白名单中,若应用信息白名单存在与应用信息对应的信息,则可以获取访问请求包中的访问请求类型,以通过目标安全策略中的访问控制信息和访问请求类型确定目标应用程序的访问权限。
在一些实施例中,根据访问控制信息和访问请求包中的访问请求类型确定目标应用程序的访问权限,包括:若访问控制信息中存在与访问请求类型匹配的信息,根据匹配的信息确定目标应用程序的访问权限;若访问控制信息与访问请求类型未能匹配,确定目标应用程序的访问权限为第一访问权限,第一访问权限用于指示目标应用程序无法对USB设备进行访问。
在一示例性实施例中,若在目标安全策略中的访问控制信息中存在与访问请求类型匹配的信息,则可根据匹配的信息确定目标应用程序的访问权限,例如,访问请求类型为读取访问,访问控制信息中存在读取权限信息以及写入权限信息,则可认为访问控制信息中存在与访问请求类型匹配的信息。
在一示例性实施例中,若在目标安全策略中的访问控制信息中不存在与访问请求类型匹配的信息,则认为访问控制信息与访问请求类型未能匹配,确定目标应用程序的访问权限为第一访问权限,可以理解的,第一访问权限用于指示目标应用程序无法对USB设备进行访问,也即是该目标应用程序的当前访问操作无法进行,例如,目标安全策略中的应用信息白名单存在目标应用程序的应用信息对应的信息,获取访问请求包中的访问请求类型,其中,若目标安全策略中的访问控制信息包括读取权限信息以及写入权限信息,访问请求类型包括修改访问,则认为访问控制信息与访问请求类型未能匹配,从而确定目标应用程序的访问权限为第一访问权限;若访问请求类型包括读取访问,则可以认为访问请求信息与访问请求类型匹配,并根据匹配的信息确定目标应用程序的访问权限。
可以理解的,若访问控制信息与访问请求类型未能匹配,可以返回未能匹配信息给目标应用程序,以使目标应用程序基于未能匹配信息确定是否要对访问请求类型进行调整。
在一些实施例中,若访问控制信息中存在与访问请求类型匹配的信息,根据访问控制信息确定目标应用程序的访问权限,包括:若匹配的信息包括只读权限信息,确定目标应用程序的访问权限为第二访问权限,第二访问权限用于指示目标应用程序能够对USB设备中的信息进行读取操作,无法对USB设备中的信息进行修改操作。
在一示例性实施例中,若访问控制信息中包括只读权限信息,访问请求类型至少包括读取访问,则可以确定访问控制信息与访问请求类型匹配,且匹配的信息包括只读权限信息,从而确定目标应用程序的访问权限为第二访问权限。
可以理解的,第二访问权限用于指示目标应用程序能够对存储于USB设备中的信息进行 读取操作,而无法对USB设备中的信息进行修改或写入新的信息。
在另一些实施方式中,若匹配的信息包括只写权限信息,确定目标应用程序的访问权限为第三访问权限,第三访问权限用于指示目标应用程序能够对USB设备进行写入信息操作,无法对USB设备中原有信息进行读取和修改操作。
在一示例性实施例中,若访问控制信息中包括只写权限信息,访问请求类型至少包括写入访问,则可以确定访问控制信息与访问请求类型匹配,且匹配的信息包括只写权限信息,从而确定目标应用程序的访问权限为第三访问权限。
可以理解的,第三访问权限用于指示目标应用程序能够对USB设备进行写入信息操作,而无法对USB设备中存储的信息进行读取和修改,这里的USB设备存储的信息可以是USB设备原始的存储信息,从而对USB设备中原始的存储信息进行保护。
在另一些实施方式中,若匹配的信息包括读写权限信息,确定目标应用程序的访问权限为第四访问权限,第四访问权限用于指示目标应用程序能够对USB设备进行写入信息、读取和修改的至少一项操作。
在一示例性实施例中,若访问控制信息中包括读写权限信息,访问请求类型包括读取访问、写入访问和修改访问中的至少一项,则可以确定访问控制信息与访问请求类型匹配,且匹配的信息包括读写权限信息,从而确定目标应用程序的访问权限为第四访问权限。
在一示例性实施例中,读写权限信息用于指示目标应用程序可以对USB设备进行任意的访问操作,例如读取访问、写入访问以及修改访问,当匹配的信息为读写权限信息时,可以确定目标应用程序的访问权限为第四访问权限。
在一示例性实施例中,目标应用程序的第四访问权限用于指示目标应用程序能够对USB设备进行写入、读取和修改的至少一项操作。
可以理解的,上述提供的匹配信息以及访问请求类型均为举例说明,本领域技术人员还可以设置其他不同的操作处理,上述提供的实施方式并不对本公开的匹配信息以及对应的操作处理予以限定。
通过访问控制信息包括的不同权限信息以及不同的访问请求类型,可以确定匹配的信息,从而确定目标应用程序的访问权限,以提升USB设备的管控安全性。
在另一实施例中,方法还包括:若应用信息白名单不存在与应用信息对应的信息,确定目标应用程序的访问权限为第一访问权限。
在一示例性实施例中,若在应用信息白名单中不存在与目标应用程序的应用信息对应的 信息,则可以确定该目标应用程序不受信任,从而将目标应用程序的访问权限确定为第一访问权限。
在一些实施例中,根据访问权限确定访问操作信息,并将访问操作信息发送至终端设备,包括:若访问权限为第一访问权限,将访问信息确定为无法访问信息,并将无法访问信息发送至终端设备。
在一示例性实施例中,若访问权限为第一访问权限,则将访问信息确定为无法访问信息,云端设备可基于无法访问信息,拒绝目标应用程序对USB设备的访问;在另一些实施情境下,云端设备确定无法访问信息后,无需向终端设备发送访问信息,以使终端设备在未能接收到访问信息时,不对USB设备进行访问。
可以理解的,在云桌面的场景下,在云桌面中的应用程序若需要对USB设备进行访问,均需将访问信息发送至与USB设备连接的终端设备,并在终端设备中实现对USB设备的访问,因而在终端设备接收到无法访问信息时,可以不对USB设备进行访问。
在另一些实施方式中,若访问权限为第二访问权限、第三访问权限、第四访问权限中的一种,根据访问权限和访问请求包确定访问信息,并将访问信息发送至终端设备,以使终端设备根据对应的访问权限及访问请求包对USB设备进行访问。
在一示例性实施例中,若确定的访问权限为第二访问权限、第三访问权限、第四访问权限中的一种,则可以根据对应的访问权限以及访问请求包确定访问信息,并将访问信息发送至终端设备,以使终端设备能够根据访问请求包及对应的访问权限对USB设备进行访问。可以理解的,访问权限用于指示目标应用程序能够对USB设备进行对应的操作,具体实施过程可参照上述实施例,在此不在重复撰述。
在一些实施例中,响应于终端设备发送的USB设备重定向请求,获取目标安全策略,包括:根据USB设备重定向请求中的USB设备的设备信息,确定USB设备是否具备存储功能;若USB设备具备存储功能,获取目标安全策略。
在一示例性实施例中,若USB设备不具备存储功能,可以认为USB设备不会存在信息丢失或泄露等情况,因此不需获取目标安全策略,能够有效提升云桌面的应用程序对USB设备访问的处理效率。
在一示例性实施例中,若USB设备具备存储功能,则获取对应的目标安全策略,以保护USB设备中的信息。
上述实施例提供的用于云端设备的USB设备管控方法,通过响应于终端设备发送的USB 设备重定向请求,获取目标安全策略;获取目标应用程序的访问请求包,目标应用程序用于访问USB设备;基于目标安全策略,根据访问请求包确定目标应用程序的访问权限;根据访问权限确定访问操作信息,并将访问操作信息发送至终端设备。可以对云端设备上的目标应用程序进行管控,提升了访问USB设备的安全性,以及能够提升安全策略的调整的便利性,以适配云桌面的使用场景。
请参阅图2,本公开还提供一种用于终端设备的USB设备的管控方法,终端设备与云端设备通信连接,方法包括步骤S201~步骤S204。
步骤S201、在检测到USB设备插入时,获取USB设备的设备信息。
在一示例性实施例中,终端设备在检测到USB设备插入时,获取USB设备的设备信息,可以理解的,USB设备的设备信息可以指示USB设备是否为存储设备,和/或是否存储信息。且若USB设备的设备信息指示USB设备为存储设备时,需要对USB设备进行访问的管控,以保护USB设备和/或存储于USB设备中的信息。
步骤S202、确定USB设备的重定向信息。
在一示例性实施例中,重定向信息用于指示USB设备可被用于哪个云桌面或云端上,以通过重定向信息与云桌面或云端实现通信连接。
步骤S203、根据设备信息和重定向信息生成USB设备重定向请求,并将USB设备重定向请求发送至云端设备。
在一示例性实施例中,根据设备信息和重定向信息生成USB设备重定向请求,以及将USB设备重定向请求发送至云端设备,其中,云端设备中可以提供多个云桌面的运行环境,重定向信息可以用于指示某一云桌面。
在一示例性实施例中,云端设备可以根据设备信息确定USB设备是否为存储设备,并确定是否获取对应的目标安全策略,如前述实施例所撰述,在此不再重复撰述。
步骤S204、根据云端设备发送的访问操作信息,对USB设备进行对应的访问操作。
在一示例性实施例中,云端设备在接收到终端设备发送的USB设备的重定向请求后,可以对USB设备的重定向请求进行分析,以及对需要访问USB设备的目标应用程序进行安全性的确认,并在确认之后,发送访问操作信息给终端设备,以使得终端设备能够根据访问操作信息对USB设备进行对应的访问操作。可以理解的,实施过程可如前文实施例所撰述,在此不再重复撰述。
在一些实施例中,根据云端设备发送的访问信息,对USB设备进行对应的访问,包括: 若访问操作信息包括第一访问权限,则无法对USB设备进行访问;若访问操作信息包括第二访问权限、第三访问权限、第四访问权限中的一种,根据访问权限及访问请求包对USB设备进行对应的访问操作。第二访问权限用于指示访问请求包能够对USB设备中的信息进行读取操作;第三访问权限用于指示访问请求包能够对USB设备进行写入操作;第四访问权限用于指示访问请求包能够对USB设备进行读写操作。
在一示例性实施例中,在云桌面的使用场景下,由于USB设备仅是映射虚拟USB设备至云桌面中,实际的操作仍需在终端设备上完成,因此终端设备需要获取云端设备发送的访问操作信息,并对USB设备进行对应的访问操作。
例如,若访问操作信息包括第一访问权限,终端设备控制云桌面上目标应用程序发送的请求包无法对USB设备进行访问,也即是控制USB设备拒绝目标应用程序的访问。在另一些实施方式中,若在云端设备中确定访问权限为第一访问权限,云端设备可以不发送访问操作信息至终端设备,也即,上述方法还包括,终端设备在未能接收到访问操作信息时,不对USB进行访问操作。
又例如,若访问操作信息包括第二访问权限,终端设备可以根据第二访问权限以及访问请求包,对USB设备进行对应的访问操作,以实现目标应用程序对USB设备进行访问。在一示例性实施例中,第二访问权限用于指示访问请求包能够对USB设备中的信息进行读取操作,可以理解的,终端设备在接收到包括第二访问权限的访问操作信息后,可以对USB设备进行读取信息操作,以完成对USB设备的访问操作。
又例如,若访问操作信息包括第三访问权限,终端设备可以根据第三访问权限以及访问请求包,对USB设备进行对应的访问操作,以实现目标应用程序对USB设备进行访问。在一示例性实施例中,第三访问权限用于指示访问请求包能够对USB设备中的信息进行写入操作,可以理解的,终端设备在接收到包括第三访问权限的访问操作信息后,可以对USB设备进行信息写入操作,以完成对USB设备的访问操作。
再例如,若访问操作信息包括第四访问权限,终端设备可以根据第四访问权限以及访问请求包,对USB设备进行对应的访问操作,以实现目标应用程序对USB设备进行访问。在一示例性实施例中,第四访问权限用于指示访问请求包能够对USB设备中的信息进行读写操作,可以理解的,终端设备在接收到包括第四访问权限的访问操作信息后,可以对USB设备进行信息的读取操作、写入操作以及修改操作中的至少一项,以完成对USB设备的访问操作。
在一示例性实施例中,终端设备通过接收到包括不同的访问权限的访问操作信息,可以对USB设备进行不同的访问操作,从而能够提升访问USB设备的安全性。
上述实施例提供的用于终端设备的USB设备的管控方法,通过在检测到USB设备插入时,获取USB设备的设备信息;确定USB设备的重定向信息;根据设备信息和重定向信息生成USB设备重定向请求,并将USB设备重定向请求发送至云端设备;根据云端设备发送的访问操作信息,对USB设备进行对应的访问操作。可以在终端设备与云端设备连接时,通过云端设备对目标应用程序的安全认证,以提升云端设备中目标应用程序访问USB设备的安全性。
请参阅图3,图3为本公开实施例提供的一种云端设备的结构示意性框图。
如图3所示,云端设备300包括处理器301和存储器302,处理器301和存储器302通过总线303连接,该总线比如为I2C(Inter-integrated Circuit)总线。
在一示例性实施例中,处理器301用于提供计算和控制能力,支撑整个云端设备的运行。处理器301可以是中央处理单元(Central Processing Unit,CPU),该处理器301还可以是其他通用处理器、数字信号处理器(Digital Signal Processor,DSP)、专用集成电路(Application Specific Integrated Circuit,ASIC)、现场可编程门阵列(Field-Programmable Gate Array,FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。其中,通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。
在一示例性实施例中,存储器302可以是Flash芯片、只读存储器(ROM,Read-Only Memory)磁盘、光盘、U盘或移动硬盘等。
本领域技术人员可以理解,图3中示出的结构,仅仅是与本公开实施例方案相关的部分结构的框图,并不构成对本公开实施例方案所应用于其上的云端设备的限定,具体的服务器可以包括比图中所示更多或更少的部件,或者组合某些部件,或者具有不同的部件布置。
其中,处理器用于运行存储在存储器中的计算机程序,并在执行计算机程序时实现本公开实施例提供的任意一种用于云端设备所述的USB设备的管控方法。
在一实施例中,处理器用于运行存储在存储器中的计算机程序,并在执行计算机程序时实现如下步骤:响应于终端设备发送的USB设备重定向请求,获取目标安全策略;获取目标应用程序的访问请求包,目标应用程序用于访问USB设备;基于目标安全策略,根据访问请求包确定目标应用程序的访问权限;根据访问权限确定访问操作信息,并将访问操作信息发送至终端设备。
在一实施例中,处理器在实现获取目标应用程序的访问请求包时,用于实现:获取目标应用程序的应用信息和访问请求类型;对应用信息和访问请求类型进行封装,得到访问请求 包;处理器在实现基于目标安全策略,根据访问请求包确定应用程序的访问权限时,用于实现:基于目标安全策略,根据访问请求包中的应用信息和访问请求类型确定目标应用程序的访问权限。
在一实施例中,处理器在实现基于目标安全策略,根据访问请求包中的应用信息和访问请求类型确定目标应用程序的访问权限时,用于实现:确定应用信息白名单是否存在与应用信息对应的信息;若应用信息白名单存在与应用信息对应的信息,根据访问控制信息和访问请求包中的访问请求类型确定目标应用程序的访问权限。
在一实施例中,处理器在实现根据访问控制信息和访问请求包中的访问请求类型确定目标应用程序的访问权限时,用于实现:若访问控制信息中存在与访问请求类型匹配的信息,根据匹配的信息确定目标应用程序的访问权限;若访问控制信息与访问请求类型未能匹配,确定目标应用程序的访问权限为第一访问权限,第一访问权限用于指示目标应用程序无法对USB设备进行访问。
在一实施例中,处理器在实现若访问控制信息中存在与访问请求类型匹配的信息,根据访问控制信息确定目标应用程序的访问权限时,用于实现:若匹配的信息包括只读权限信息,确定目标应用程序的访问权限为第二访问权限,第二访问权限用于指示目标应用程序能够对USB设备中的信息进行读取操作,无法对USB设备中的信息进行修改操作;若匹配的信息包括只写权限信息,确定目标应用程序的访问权限为第三访问权限,第三访问权限用于指示目标应用程序能够对USB设备进行写入信息操作,无法对USB设备中存储的信息进行读取和修改操作;若匹配的信息包括读写权限信息,确定目标应用程序的访问权限为第四访问权限,第四访问权限用于指示目标应用程序能够对USB设备进行写入信息、读取和修改的至少一项操作。
在一实施例中,处理器在实现USB设备的管控方法时,还用于实现:若应用信息白名单不存在与应用信息对应的信息,确定目标应用程序的访问权限为第一访问权限。
在一实施例中,处理器在实现根据访问权限确定访问操作信息,并将访问操作信息发送至终端设备时,用于实现:若访问权限为第一访问权限,将访问信息确定为无法访问信息,并将无法访问信息发送至终端设备;若访问权限为第二访问权限、第三访问权限、第四访问权限中的一种,根据访问权限和访问请求包确定访问信息,并将访问信息发送至终端设备,以使终端设备根据对应的访问权限及访问请求包对USB设备进行访问。
在一实施例中,处理器在实现响应于终端设备发送的USB设备重定向请求,获取目标安全策略时,用于实现:根据USB设备重定向请求中的USB设备的设备信息,确定USB设备 是否具备存储功能;若USB设备具备存储功能,获取目标安全策略。
需要说明的是,所属领域的技术人员可以清楚地了解到,为了描述的方便和简洁,上述描述的云端设备的具体工作过程,可以参考前述用于云端设备的USB设备的管控方法实施例中的对应过程,在此不再赘述。
请参阅图4,图4为本公开实施例提供的一种终端设备的结构示意性框图。
如图4所示,终端设备400包括处理器401和存储器402,处理器401和存储器402通过总线404连接,该总线比如为I2C(Inter-integrated Circuit)总线。
在一示例性实施例中,处理器401用于提供计算和控制能力,支撑整个终端设备的运行。处理器401可以是中央处理单元(Central Processing Unit,CPU),该处理器401还可以是其他通用处理器、数字信号处理器(Digital Signal Processor,DSP)、专用集成电路(Application Specific Integrated Circuit,ASIC)、现场可编程门阵列(Field-Programmable Gate Array,FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。其中,通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。
在一示例性实施例中,存储器402可以是Flash芯片、只读存储器(ROM,Read-Only Memory)磁盘、光盘、U盘或移动硬盘等。
本领域技术人员可以理解,图4中示出的结构,仅仅是与本公开实施例方案相关的部分结构的框图,并不构成对本公开实施例方案所应用于其上的终端设备的限定,具体的服务器可以包括比图中所示更多或更少的部件,或者组合某些部件,或者具有不同的部件布置。
其中,处理器用于运行存储在存储器中的计算机程序,并在执行计算机程序时实现本公开实施例提供的任意一种用于终端设备的所述的USB设备的管控方法。
在一实施例中,处理器用于运行存储在存储器中的计算机程序,并在执行计算机程序时实现如下步骤:在检测到USB设备插入时,获取USB设备的设备信息;确定USB设备的重定向信息;根据设备信息和重定向信息生成USB设备重定向请求,并将USB设备重定向请求发送至云端设备;根据云端设备发送的访问操作信息,对USB设备进行对应的访问操作。
在一实施例中,处理器在实现根据云端设备发送的访问信息,对USB设备进行对应的访问时,用于实现:若访问操作信息包括第一访问权限,则无法对USB设备进行访问;若访问操作信息包括第二访问权限、第三访问权限、第四访问权限中的一种,根据访问权限及访问请求包对USB设备进行对应的访问操作;其中,第二访问权限用于指示访问请求包能够对USB设备中的信息进行读取操作;第三访问权限用于指示访问请求包能够对USB设备进行写 入操作;第四访问权限用于指示访问请求包能够对USB设备进行读写操作。
如图5所示,在一些实施方式中,云端设备还包括应用程序模块、外设代理模块以及虚拟总线模块;其中,终端设备上的USB设备可以通过外设代理模块映射至虚拟总线模块上,也即是在虚拟总线模块中能够虚拟一个USB设备,以使得云端设备能够对目标应用程序进行访问USB设备的安全管控,其中,外设代理模块用于和终端设备进行通信,还用于与策略管理服务器进行安全策略的信息交互;虚拟总线模块用于对目标应用程序进行安全认证,并生成对应的访问请求包;应用程序模块用于存储应用程序,并发送应用信息及访问请求至虚拟总线模块中,可以理解的,具体的实施过程可如上述实施例所撰述,在此不再重复撰述。
本公开实施例还提供一种存储介质,用于计算机可读存储,存储介质存储有一个或者多个程序,一个或者多个程序可被一个或者多个处理器执行,以实现如本公开实施例说明书提供的任一项用于云端设备的USB设备的管控方法的步骤,和/或用于终端设备的USB设备的管控方法的步骤。
其中,存储介质可以是前述实施例所述的云端设备和/或终端设备的内部存储单元,例如云端设备和/或终端设备的硬盘或内存。存储介质也可以是云端设备和/或终端设备的外部存储设备,例如云端设备和/或终端设备上配备的插接式硬盘,智能存储卡(Smart Media Card,SMC),安全数字(Secure Digital,SD)卡,闪存卡(Flash Card)等。
本领域普通技术人员可以理解,上文中所公开方法中的全部或某些步骤、系统、装置中的功能模块/单元可以被实施为软件、固件、硬件及其适当的组合。在硬件实施例中,在以上描述中提及的功能模块/单元之间的划分不一定对应于物理组件的划分;例如,一个物理组件可以具有多个功能,或者一个功能或步骤可以由若干物理组件合作执行。某些物理组件或所有物理组件可以被实施为由处理器,如中央处理器、数字信号处理器或微处理器执行的软件,或者被实施为硬件,或者被实施为集成电路,如专用集成电路。这样的软件可以分布在计算机可读介质上,计算机可读介质可以包括计算机存储介质(或非暂时性介质)和通信介质(或暂时性介质)。如本领域普通技术人员公知的,术语计算机存储介质包括在用于存储信息(诸如计算机可读指令、数据结构、程序模块或其他数据)的任何方法或技术中实施的易失性和非易失性、可移除和不可移除介质。计算机存储介质包括但不限于RAM、ROM、EEPROM、闪存或其他存储器技术、CD-ROM、数字多功能盘(DVD)或其他光盘存储、磁盒、磁带、磁盘存储或其他磁存储装置、或者可以用于存储期望的信息并且可以被计算机访问的任何其他的介质。此外,本领域普通技术人员公知的是,通信介质通常包含计算机可读指令、数据结构、程序模块或者诸如载波或其他传输机制之类的调制数据信号中的其他数据,并且可包 括任何信息递送介质。
本公开实施例提供一种USB设备的管控方法、云端设备、终端设备及存储介质,旨在提升USB设备在云端设备使用的安全性和管控的便利性。本公开实施例提供一种USB设备的管控方法、云端设备、终端设备及存储介质,本公开实施例通过响应于终端设备发送的USB设备重定向请求,获取目标安全策略;获取目标应用程序的访问请求包,目标应用程序用于访问USB设备;基于目标安全策略,根据访问请求包确定目标应用程序的访问权限;根据访问权限确定访问操作信息,并将访问操作信息发送至终端设备,能够在USB设备重定向时通过对应的目标安全策略确定云端设备中的应用程序的访问权限,从而能够在云端设备对USB设备进行管控,提升USB设备的管控安全性和便利性。本公开能够适用于云桌面的使用场景,并能够提升云桌面的应用程序访问USB设备的安全性和便利性。
应当理解,在本公开说明书和所附权利要求书中使用的术语“和/或”是指相关联列出的项中的一个或多个的任何组合以及所有可能组合,并且包括这些组合。需要说明的是,在本文中,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者系统不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者系统所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括该要素的过程、方法、物品或者系统中还存在另外的相同要素。
上述本公开实施例序号仅仅为了描述,不代表实施例的优劣。以上所述,仅为本公开的具体实施例,但本公开的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本公开揭露的技术范围内,可轻易想到各种等效的修改或替换,这些修改或替换都应涵盖在本公开的保护范围之内。因此,本公开的保护范围应以权利要求的保护范围为准。

Claims (13)

  1. 一种USB设备的管控方法,用于云端设备,所述云端设备与终端设备通信连接且在所述云端设备上设有至少一个应用程序,所述方法包括:
    响应于所述终端设备发送的USB设备重定向请求,获取目标安全策略;
    获取目标应用程序的访问请求包,所述目标应用程序用于访问所述USB设备;
    基于所述目标安全策略,根据所述访问请求包确定所述目标应用程序的访问权限;
    根据所述访问权限确定访问操作信息,并将所述访问操作信息发送至所述终端设备。
  2. 根据权利要求1所述的USB设备的管控方法,其中,所述获取目标应用程序的访问请求包,包括:
    获取所述目标应用程序的应用信息和访问请求类型;
    对所述应用信息和访问请求类型进行封装,得到访问请求包;
    所述基于所述目标安全策略,根据所述访问请求包确定所述应用程序的访问权限,包括:
    基于所述目标安全策略,根据所述访问请求包中的应用信息和访问请求类型确定所述目标应用程序的访问权限。
  3. 根据权利要求2所述的USB设备的管控方法,其中,所述目标安全策略包含应用信息白名单及访问控制信息,所述基于所述目标安全策略,根据所述访问请求包中的应用信息和访问请求类型确定所述目标应用程序的访问权限,包括:
    确定所述应用信息白名单是否存在与所述应用信息对应的信息;
    若所述应用信息白名单存在与所述应用信息对应的信息,根据所述访问控制信息和所述访问请求包中的访问请求类型确定所述目标应用程序的访问权限。
  4. 根据权利要求3所述的USB设备的管控方法,其中,所述根据所述访问控制信息和所述访问请求包中的访问请求类型确定所述目标应用程序的访问权限,包括:
    若所述访问控制信息中存在与访问请求类型匹配的信息,根据匹配的信息确定所述目标应用程序的访问权限;
    若所述访问控制信息与所述访问请求类型未能匹配,确定所述目标应用程序的访问权限为第一访问权限,所述第一访问权限用于指示所述目标应用程序无法对所述USB设备进行访问。
  5. 根据权利要求4所述的USB设备的管控方法,其中,所述若所述访问控制信息中存 在与访问请求类型匹配的信息,根据所述访问控制信息确定所述目标应用程序的访问权限,包括:
    若匹配的信息包括只读权限信息,确定所述目标应用程序的访问权限为第二访问权限,所述第二访问权限用于指示所述目标应用程序能够对所述USB设备中的信息进行读取操作,无法对所述USB设备中的信息进行修改操作;
    若匹配的信息包括只写权限信息,确定所述目标应用程序的访问权限为第三访问权限,所述第三访问权限用于指示所述目标应用程序能够对所述USB设备进行写入信息操作,无法对所述USB设备中存储的信息进行读取和修改操作;
    若匹配的信息包括读写权限信息,确定所述目标应用程序的访问权限为第四访问权限,所述第四访问权限用于指示所述目标应用程序能够对所述USB设备进行写入信息、读取和修改的至少一项操作。
  6. 根据权利要求3所述的USB设备的管控方法,其中,所述方法还包括:
    若所述应用信息白名单不存在与所述应用信息对应的信息,确定所述目标应用程序的访问权限为第一访问权限。
  7. 根据权利要求4-6中任一项所述的USB设备的管控方法,其中,所述根据所述访问权限确定访问操作信息,并将所述访问操作信息发送至所述终端设备,包括:
    若所述访问权限为第一访问权限,将所述访问信息确定为无法访问信息;
    若所述访问权限为第二访问权限、第三访问权限、第四访问权限中的一种,根据访问权限和所述访问请求包确定访问信息,并将所述访问信息发送至所述终端设备,以使所述终端设备根据对应的访问权限及访问请求包对所述USB设备进行访问。
  8. 根据权利要求1-3中任一项所述的USB设备的管控方法,其中,所述响应于终端设备发送的USB设备重定向请求,获取目标安全策略,包括:
    根据所述USB设备重定向请求中的USB设备的设备信息,确定所述USB设备是否具备存储功能;
    若所述USB设备具备存储功能,获取所述目标安全策略。
  9. 一种USB设备的管控方法,用于终端设备,所述终端设备与云端设备通信连接,所述方法包括:
    在检测到USB设备插入时,获取所述USB设备的设备信息;
    确定所述USB设备的重定向信息;
    根据所述设备信息和所述重定向信息生成USB设备重定向请求,并将所述USB设备重定向请求发送至所述云端设备;
    根据所述云端设备发送的访问操作信息,对所述USB设备进行对应的访问操作。
  10. 根据权利要求9所述的USB设备的管控方法,其中,所述根据所述云端设备发送的访问操作信息,对所述USB设备进行对应的访问,包括:
    若所述访问操作信息包括第一访问权限,则无法对所述USB设备进行访问;
    若所述访问操作信息包括第二访问权限、第三访问权限、第四访问权限中的一种,根据所述访问权限及所述访问请求包对所述USB设备进行对应的访问操作;
    其中,所述第二访问权限用于指示所述访问请求包能够对所述USB设备中的信息进行读取操作;所述第三访问权限用于指示所述访问请求包能够对所述USB设备进行写入操作;所述第四访问权限用于指示所述访问请求包能够对所述USB设备进行读写操作。
  11. 一种云端设备,所述云端设备与终端设备通信连接,在所述云端设备上设有至少一个应用程序,所述云端设备包括处理器、存储器、存储在所述存储器上并可被所述处理器执行的计算机程序以及用于实现所述处理器和所述存储器之间的连接通信的数据总线,其中所述计算机程序被所述处理器执行时,实现如权利要求1至8中任一项所述的USB设备的管控方法的步骤。
  12. 一种终端设备,所述终端设备与云端设备通信连接,所述终端设备包括处理器、存储器、存储在所述存储器上并可被所述处理器执行的计算机程序以及用于实现所述处理器和所述存储器之间的连接通信的数据总线,其中所述计算机程序被所述处理器执行时,实现如权利要求9至10中任一项所述的USB设备的管控方法的步骤。
  13. 一种存储介质,用于计算机可读存储,所述存储介质存储有一个或者多个程序,所述一个或者多个程序可被一个或者多个处理器执行,以实现权利要求1至8中任一项所述的USB设备的管控方法的步骤,和/或实现权利要求9-10中任一项所述的USB设备的管控方法的步骤。
PCT/CN2023/097185 2022-06-28 2023-05-30 Usb设备的管控方法、云端设备、终端设备及存储介质 WO2024001642A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210744622.XA CN117349850A (zh) 2022-06-28 2022-06-28 Usb设备的管控方法、云端设备、终端设备及存储介质
CN202210744622.X 2022-06-28

Publications (1)

Publication Number Publication Date
WO2024001642A1 true WO2024001642A1 (zh) 2024-01-04

Family

ID=89354438

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/097185 WO2024001642A1 (zh) 2022-06-28 2023-05-30 Usb设备的管控方法、云端设备、终端设备及存储介质

Country Status (2)

Country Link
CN (1) CN117349850A (zh)
WO (1) WO2024001642A1 (zh)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103944883A (zh) * 2014-03-19 2014-07-23 华存数据信息技术有限公司 一种云计算环境下云应用访问控制的系统及方法
US20160182499A1 (en) * 2014-12-22 2016-06-23 Mcafee, Inc. Trust establishment between a trusted execution environment and peripheral devices
CN109344605A (zh) * 2018-09-10 2019-02-15 惠尔丰电子(北京)有限公司 一种智能pos机的权限控制方法及其控制系统
CN111045834A (zh) * 2018-10-15 2020-04-21 中兴通讯股份有限公司 云桌面下usb存储设备访问的方法、设备和存储介质
CN114090475A (zh) * 2020-07-02 2022-02-25 中兴通讯股份有限公司 Usb设备重定向方法、系统、电子设备及存储介质

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103944883A (zh) * 2014-03-19 2014-07-23 华存数据信息技术有限公司 一种云计算环境下云应用访问控制的系统及方法
US20160182499A1 (en) * 2014-12-22 2016-06-23 Mcafee, Inc. Trust establishment between a trusted execution environment and peripheral devices
CN109344605A (zh) * 2018-09-10 2019-02-15 惠尔丰电子(北京)有限公司 一种智能pos机的权限控制方法及其控制系统
CN111045834A (zh) * 2018-10-15 2020-04-21 中兴通讯股份有限公司 云桌面下usb存储设备访问的方法、设备和存储介质
CN114090475A (zh) * 2020-07-02 2022-02-25 中兴通讯股份有限公司 Usb设备重定向方法、系统、电子设备及存储介质

Also Published As

Publication number Publication date
CN117349850A (zh) 2024-01-05

Similar Documents

Publication Publication Date Title
US8689349B2 (en) Information flow tracking and protection
CN107851160B (zh) 用于在isa控制下进行多个共存可信执行环境的可信i/o的技术
KR101970744B1 (ko) 신뢰 레벨 활성화 기법
US10552619B2 (en) Technologies for secure trusted I/O access control
US20150220455A1 (en) Methods and apparatus for protecting operating system data
EP3935537B1 (en) Secure execution guest owner environmental controls
TW201617957A (zh) 鑑別變數之管理技術
US11263033B2 (en) Usage checks for code running within a secure sub-environment of a virtual machine
US9600629B2 (en) Securing protected health information based on software designation
CN110390184B (zh) 用于在云中执行应用的方法、装置和计算机程序产品
US20110035586A1 (en) System and method for securing a computer comprising a microkernel
US11288377B1 (en) Virtual machine-based trusted execution environment
WO2020019971A1 (zh) 一种操作系统的主动安全防护方法、系统及终端设备
US10198202B2 (en) Safe userspace device access for network function virtualization using an IOMMU to map supervisor memory to a reserved range of application virtual addresses
US20230342472A1 (en) Computer System, Trusted Function Component, and Running Method
CN110807191B (zh) 一种应用程序的安全运行方法及装置
US20230074455A1 (en) System and method for monitoring delivery of messages passed between processes from different operating systems
US20180268127A1 (en) Methods and apparatus for controlling access to secure computing resources
WO2024001642A1 (zh) Usb设备的管控方法、云端设备、终端设备及存储介质
WO2023103697A1 (zh) 一种计算机系统中的通信方法及相关产品
US20190042800A1 (en) Technologies for authenticated usb device policy enforcement
CN114443147B (zh) 基于可信硬件技术的超级监控式无人飞行器可信检测方法
EP3151154B1 (en) Data access control based on storage validation
EP4145318A1 (en) System and method for monitoring delivery of messages passed between processes from different operating systems
CN113434257B (zh) 一种Docker的操作方法、装置、服务器和存储介质

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23829827

Country of ref document: EP

Kind code of ref document: A1