
CN114611130B - Data protection method and device, storage medium and electronic equipment - Google Patents


Info

Publication number
CN114611130B
Authority
CN
China
Prior art keywords
packet
cbw
data packet
data
virtual machine
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210348665.6A
Other languages
Chinese (zh)
Other versions
CN114611130A (en)
Inventor
赵凯铭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202210348665.6A
Publication of CN114611130A
Application granted
Publication of CN114611130B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F 13/38 Information transfer, e.g. on bus
    • G06F 13/42 Bus transfer protocol, e.g. handshake; Synchronisation
    • G06F 13/4282 Bus transfer protocol, e.g. handshake; Synchronisation on a serial bus, e.g. I2C bus, SPI bus
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45533 Hypervisors; Virtual machine monitors
    • G06F 9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2213/00 Indexing scheme relating to interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F 2213/0042 Universal serial bus [USB]

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present application provide a data protection method, a device, a storage medium and an electronic device. The data protection method comprises: acquiring a USB Request Block (URB) data packet; filtering the Command Block Wrapper (CBW) data packet out of the URB data packet; when the transmission direction of the CBW data packet is from the target virtual machine to the physical machine, parsing the CBW data packet to determine whether it is a query packet; and, when the CBW data packet is determined to be a query packet, modifying the value of the write-protect field in the ordinary data packet returned to the target virtual machine, so as to write-protect the peripheral storage device. With this technical scheme, the embodiments of the present application can improve data security.

Description

Data protection method and device, storage medium and electronic equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data protection method, a data protection device, a storage medium, and an electronic device.
Background
With the continuous development of virtualization technology, the traditional office mode built around physical PCs is gradually being replaced by a new mode that combines a virtualized desktop on a remote server with a local cloud desktop terminal. In the new mode, a user only needs a portable cloud desktop terminal to log in to a remote personal virtual desktop, which achieves centralized control, unified operation and maintenance, and cost savings.
USB redirection establishes a connection over the network between a physical USB device on the user's local cloud desktop terminal and a virtual USB device in the virtualization system of the remote server, and redirects USB Request Block (URB) requests and their responses to the USB device, so that the USB device can be used normally inside the virtual machine.
Existing USB redirection techniques can currently be divided into virtual USB bus schemes (also called USB port redirection) and virtual USB device driver schemes (also called USB device redirection).
In the course of implementing the present invention, the inventor found the following problem in the prior art: existing USB redirection technology offers low data security. For example, with either USB port redirection or USB device redirection there is a risk that data inside the virtual machine is copied to the peripheral storage device over the redirected USB link; as another example, since the peripheral storage device may hold confidential data, there is also a risk of that data being tampered with by the virtual machine user.
Disclosure of Invention
The embodiment of the application aims to provide a data protection method, a data protection device, a storage medium and electronic equipment, so as to improve data security.
In a first aspect, an embodiment of the present application provides a data protection method, applied to a physical machine to which a peripheral storage device is plugged and on which a target virtual machine is deployed. The method includes: acquiring a USB Request Block (URB) data packet; filtering the Command Block Wrapper (CBW) data packet out of the URB data packet; when the transmission direction of the CBW data packet is from the target virtual machine to the physical machine, parsing the CBW data packet to determine whether it is a query packet; and, when the CBW data packet is determined to be a query packet, modifying the value of the write-protect field in the ordinary data packet returned to the target virtual machine, so as to write-protect the peripheral storage device.
Thus, in this embodiment, when the CBW data packet travels from the target virtual machine to the physical machine it is parsed to determine whether it is a query packet, and if so the write-protect field in the ordinary data packet returned to the target virtual machine is modified. This write-protects the external storage device, prevents confidential data on it from being tampered with, prevents sensitive data in the virtual machine from being exported to the external storage device by a virtual machine user of low trustworthiness, and thereby improves data security.
In one possible embodiment, the CBW data packet includes a CBWCB field, the command block to be executed by the device; parsing the CBW data packet to determine whether it is a query packet includes: extracting the CBWCB field from the CBW data packet; and parsing the CBWCB field according to the Small Computer System Interface (SCSI) protocol to determine whether the CBW data packet is a query packet.
Thus, this embodiment uses the SCSI protocol to determine whether the CBW data packet is a query packet, which improves parsing efficiency.
In one possible embodiment, when the CBW data packet is determined to be a query packet, modifying the value of the write-protect field in the ordinary data packet returned to the target virtual machine includes: modifying the value of the write-protect field in the ordinary data packet when the CBWCB field is determined to be a data query command.
Thus, this embodiment improves modification efficiency by modifying the write-protect field in the ordinary data packet only when the CBWCB field is determined to be a data query command.
In one possible embodiment, filtering the CBW data packet out of the URB data packet includes: filtering the CBW data packet out of the URB data packet when the operation authority of the target virtual machine is read-only (no write).
Thus, in this embodiment different virtual machine users have different operation authorities over the peripheral storage device, so the operation authority can be set per user to meet different user requirements.
In a second aspect, an embodiment of the present application provides a data protection device, where the data protection device is applied to a physical machine plugged with a peripheral storage device, and a target virtual machine is deployed on the physical machine, and the data protection device includes: the acquisition module is used for acquiring the URB data packet of the USB request block; the filtering module is used for filtering a command block packet CBW data packet from the URB data packet; the analysis module is used for analyzing the CBW data packet to determine whether the CBW data packet is a data packet for inquiry or not under the condition that the transmission direction of the CBW data packet is from the target virtual machine to the physical machine; and the modification module is used for modifying the value of the write protection field in the common data packet for feeding back the target virtual machine under the condition that the CBW data packet is determined to be the data packet for query so as to realize write protection of the peripheral storage equipment.
In one possible embodiment, the CBW packet includes a command block CBWCB field for device execution;
The analysis module is specifically used for: extracting CBWCB fields from the CBW data packet; the CBWCB fields are parsed using the small computer system interface SCSI protocol to determine if the CBW packet is a packet for querying.
In one possible embodiment, the modification module is specifically configured to modify the value of the write-protect field in the ordinary data packet when the CBWCB field is determined to be a data query command.
In one possible embodiment, the filtering module is specifically configured to filter the command block packet CBW packet from the URB packet if the operation authority of the target virtual machine is read-only and write-free.
In a third aspect, embodiments of the present application provide a storage medium having stored thereon a computer program which, when executed by a processor, performs the method of the first aspect or any alternative implementation of the first aspect.
In a fourth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory in communication via the bus when the electronic device is running, the machine-readable instructions when executed by the processor performing the method of the first aspect or any alternative implementation of the first aspect.
In a fifth aspect, the application provides a computer program product which, when run on a computer, causes the computer to perform the method of the first aspect or any of the possible implementations of the first aspect.
In order to make the above objects, features and advantages of the embodiments of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 illustrates a prior-art flow for implementing redirection based on the SPICE desktop transport protocol and the usbredir USB redirection protocol;
FIG. 2 is a schematic diagram of an application scenario in which the present application is implemented;
FIG. 3 is a flowchart of a data protection method according to an embodiment of the present application;
FIG. 4 shows a specific flowchart of a data protection method according to an embodiment of the present application;
FIG. 5 is a block diagram of a data protection device according to an embodiment of the present application;
Fig. 6 shows a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present invention will be made more apparent and fully hereinafter with reference to the accompanying drawings, in which some, but not all embodiments of the invention are shown. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the invention, are within the scope of the invention.
With the continuous development of virtualization technology, the traditional office mode built around the physical personal computer (PC) is gradually being replaced by a mode that combines a virtualized desktop with a local cloud terminal. Compared with a traditional physical PC, however, cloud desktop support for USB devices is still immature. USB has become one of the most widely used computer peripheral interfaces because of advantages such as its data transfer rate and plug and play. Supporting USB devices in clients (e.g. virtual machines) with plug and play, guaranteed transfer rates and personalized customization has therefore become one of the key requirements of cloud desktop clients.
To meet this demand, USB redirection techniques are typically used to let the client operate the USB devices of the physical machine directly. USB redirection techniques can be divided into virtual USB bus schemes (USB port redirection) and virtual USB device driver schemes (USB device redirection); the virtual USB bus scheme has good device compatibility, while the virtual USB device driver scheme has a higher data transfer rate and lower latency.
For example, referring to FIG. 1, FIG. 1 illustrates a prior-art flow for implementing redirection based on the desktop transport protocol SPICE (Simple Protocol for Independent Computing Environments) and the usbredir USB redirection protocol. Specifically, the key steps of the redirection shown in FIG. 1 are:
libusb is a user-mode USB device driver. Since a user-space driver and the kernel driver cannot hold the device at the same time, during redirection the host-side usbredir library (usbredirhost, which handles the USB Request Blocks, URBs) calls libusb_set_auto_detach_kernel_driver so that the peripheral storage device (such as a USB flash drive) is detached from the kernel driver of the physical machine (the client side) and taken over by the user-mode driver provided by libusb; user-mode programs can then interact with the device through the application programming interface (API) provided by libusb;
usbredir is responsible for encapsulating the URB data in the usbredir protocol, a format that can be transferred between the physical machine and the host side;
The SPICE client spice-gtk then directly calls the relevant libusb interfaces to initialize and obtain the device handle, and supplies the actual parameters for the usbredirhost callbacks through the usbredirhost_open_full interface of usbredir. Two of these callbacks, read_guest_data_func and write_guest_data_func, are responsible for communicating with usbredir on the virtual machine side; both ultimately transfer data over the SPICE-specific channel SpiceUsbredirChannel;
The SPICE server spice-server is coupled with the spice-vmc module; data received from spice-server is written into the virtual character device through the qemu-char character device interface, parsed by the usbredir part of the protocol and submitted to the virtual buffer, to be processed by the USB host controller of the virtual machine;
After receiving the data, the USB host controller of the virtual machine interacts with the USB application program through the virtual machine's operating system, completing the USB redirection, so that the physical USB device of the client machine can be operated inside the virtual machine.
However, although this scheme addresses the shortcomings of USB port redirection, it offers no guarantee in terms of data security: the remote desktop connection tool used by the client does not implement a read-only mode for the redirected USB device, so it cannot guarantee that data in the virtual machine is not copied out.
Based on this, the embodiment of the present application provides a data protection scheme: on the physical machine, Command Block Wrapper (CBW) data packets are filtered out according to the Bulk-Only transport protocol, the specific SCSI command in the CBW data packet is parsed, the write-protect bit in the ordinary (data-phase) packet is modified according to the reply format of that SCSI command, the packet is re-encapsulated with the usbredir protocol and sent to the spice-server side over the USB redirection channel in SPICE, so that the redirected USB device becomes read-only.
Referring to fig. 2, fig. 2 is a schematic diagram of an application scenario in which the present application is implemented. As shown in fig. 2, the embodiment of the present application is modified by the use of the Libusb module and Usbredir module shown in fig. 1. Specifically:
A USB Request Block (URB) data packet is acquired, the CBW data packet is filtered out of it, and the direction of the CBW data packet is determined. If the transmission direction of the CBW data packet is from the target virtual machine to the physical machine, the CBW data packet is parsed using the SCSI protocol to determine whether it is a query packet. If the operation authority of the target virtual machine is read-only (no write) and the CBW data packet is a query packet, write protection is switched on in the reply data packet (that is, the ordinary data packet) of the CBW data packet.
Here, as shown in fig. 2, the processing steps between Libusb and Usbredir are mainly shown, and other parts identical to those of fig. 1 are omitted.
Referring to fig. 3, fig. 3 shows a flowchart of a data protection method according to an embodiment of the present application. The method shown in fig. 3 is applied to a physical machine plugged with a peripheral storage device, and a target virtual machine is deployed on the physical machine, and the data protection method comprises the following steps:
In step S310, a URB packet is acquired.
Specifically, the libusb module can parse out usbredir packets (for example usb_redir_bulk_packet packets). A usbredir packet consists of a common header usb_redir_header, a type header type_header, and data. In the usbredirparser_do_read interface of usbredir, one usbredir packet is read in three steps: first the type and length in usb_redir_header are read, and the packet type determines how many bytes to read into type_header in the second step; subtracting the length of type_header from the length field gives the length of the data field read in the last step.
The callbacks of usbredirhost and usbredirparser in the usbredir module are registered as follows: usbredirhost_open_full is called in the spice_usb_backend_channel_new interface, and the key callbacks of usbredirhost and usbredirparser, read_guest_data_func and write_guest_data_func, are implemented by spice-gtk, that is, data is transferred through the USB redirection channel in SPICE. The handling of the different packet types is likewise implemented in usbredirhost.
The callbacks for the different packet types are triggered as follows: after usbredirparser_do_read finishes reading the data, the usbredirparser_call_type_func interface is entered and the callback for the packet type is invoked; for a usb_redir_bulk_packet, bulk_packet_func is called, which is the callback registered by usbredirhost_open_full, namely usbredirhost_bulk_packet.
Based on the above, the usbredirhost_bulk_packet interface of the usbredir module can obtain the URB data packet.
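As an added illustration of the three-step read described above, the following C code (written for this page; it is not code from usbredir, SPICE, QEMU or the patent) parses a usbredir bulk message from a byte buffer: the usb_redir_header, then the bulk type header, then the payload. The header layouts and the type value 101 for usb_redir_bulk_packet are written down as the editor recalls them from usbredir's usbredirproto.h and are marked as assumptions in the comments, as is the 10-byte bulk header with length_high. The three sample messages at the end are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* usbredir message framing (layouts as the editor recalls them from usbredir's
 * usbredirproto.h; treat them as assumptions):
 *   usb_redir_header             { uint32_t type; uint32_t length; uint32_t id; }
 *   usb_redir_bulk_packet_header { uint8_t endpoint; uint8_t status; uint16_t length;
 *                                  uint32_t stream_id; uint16_t length_high; }
 * All fields are little-endian. header.length covers the type header plus any
 * payload. The 10-byte bulk header assumes the 32-bit bulk length capability. */
#define USB_REDIR_HEADER_LEN    12
#define USB_REDIR_BULK_HDR_LEN  10
#define USB_REDIR_BULK_PACKET   101   /* enum value of usb_redir_bulk_packet (assumed) */

struct bulk_view {
    uint32_t id;              /* request id, echoed by the peer in its reply */
    uint8_t  endpoint;        /* bit 7 set = IN endpoint (device to host) */
    uint8_t  status;
    uint32_t transfer_len;    /* length | length_high << 16 */
    const uint8_t *payload;   /* NULL when the message carries no data */
    size_t   payload_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The three reads of usbredirparser_do_read: header, type header, data.
 * from_guest=1 for messages the host receives from the virtual machine,
 * 0 for replies going the other way. Returns 0 on success, -1 if the buffer
 * is truncated, -2 if it is not a bulk packet, -3 if the lengths disagree. */
int parse_bulk_message(const uint8_t *buf, size_t len, int from_guest, struct bulk_view *out)
{
    if (len < USB_REDIR_HEADER_LEN) return -1;
    uint32_t type = rd32(buf), length = rd32(buf + 4);
    if (type != USB_REDIR_BULK_PACKET) return -2;
    if (length < USB_REDIR_BULK_HDR_LEN) return -3;
    if (len - USB_REDIR_HEADER_LEN < length) return -1;

    const uint8_t *th = buf + USB_REDIR_HEADER_LEN;
    out->id           = rd32(buf + 8);
    out->endpoint     = th[0];
    out->status       = th[1];
    out->transfer_len = rd16(th + 2) | (uint32_t)rd16(th + 8) << 16;
    out->payload_len  = length - USB_REDIR_BULK_HDR_LEN;
    out->payload      = out->payload_len ? th + USB_REDIR_BULK_HDR_LEN : NULL;

    /* Data travels with the message only in the direction of the transfer:
     * an OUT request from the guest carries its bytes, an IN request from the
     * guest carries none (the device has not answered yet), and the host's
     * reply to an IN carries the bytes the device returned. */
    int is_in = (out->endpoint & 0x80) != 0;
    int expect_data = from_guest ? !is_in : is_in;
    if (expect_data ? (out->payload_len != out->transfer_len) : (out->payload_len != 0))
        return -3;
    return 0;
}

/* Constructed samples: a guest OUT packet carrying a 31-byte CBW to endpoint 2,
 * a guest IN request for 192 bytes on endpoint 0x81, and the host's 4-byte reply. */
const uint8_t sample_out_cbw_msg[USB_REDIR_HEADER_LEN + USB_REDIR_BULK_HDR_LEN + 31] = {
    0x65,0,0,0, 0x29,0,0,0, 0x07,0,0,0,             /* type 101, length 41, id 7 */
    0x02, 0x00, 0x1F,0x00, 0,0,0,0, 0x00,0x00,      /* ep 2 OUT, len 31, stream 0, len_high 0 */
    0x55,0x53,0x42,0x43 };                          /* payload starts with dCBWSignature */
const uint8_t sample_in_request_msg[USB_REDIR_HEADER_LEN + USB_REDIR_BULK_HDR_LEN] = {
    0x65,0,0,0, 0x0A,0,0,0, 0x08,0,0,0,
    0x81, 0x00, 0xC0,0x00, 0,0,0,0, 0x00,0x00 };    /* ep 0x81 IN, 192 bytes requested */
const uint8_t sample_in_reply_msg[USB_REDIR_HEADER_LEN + USB_REDIR_BULK_HDR_LEN + 4] = {
    0x65,0,0,0, 0x0E,0,0,0, 0x08,0,0,0,
    0x81, 0x00, 0x04,0x00, 0,0,0,0, 0x00,0x00, 0x03,0x00,0x00,0x00 };
```

The filter of the later steps works on the payload this returns: the CBW sits in the payload of an OUT message from the guest, and the mode-sense reply it patches sits in the payload of the host's IN reply, while the guest's IN request that triggers that reply carries no payload at all.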
In step S320, the command block packet CBW packet is filtered out of the URB packet.
It should be appreciated that the URB packets may contain other data in addition to the CBW packets.
For example, the URB data packets may include CBW packets, Command Status Wrapper (CSW) packets, and ordinary data packets (the data-phase packets).
It should also be understood that the specific process of filtering the CBW packet from the URB packet may be set according to actual requirements, and embodiments of the present application are not limited thereto.
For example, the command block packet CBW packet may be filtered out of the URB packet using Bulk-Only protocol.
It should also be understood that, with Bulk-Only protocol, the specific process of filtering the CBW packet from the URB packet may be set according to actual requirements, and embodiments of the present application are not limited thereto.
For example, the CBW packet contains a dCBWSignature field that identifies it, and the value of this field is fixed (it is 43425355h, the ASCII string "USBC" read as a little-endian 32-bit value; in a byte-oriented log the bytes appear in order as 55 53 42 43h), so whether a URB packet is a CBW packet can be determined by checking whether it contains the dCBWSignature field. If the URB packet is found to contain the dCBWSignature field, the current packet is determined to be a CBW packet.
It should be noted that, since different virtual machine users may have different operation rights (peripheral access rights), the operation rights of the target virtual machine user may be determined first: step S320 is executed if the operation authority of the target virtual machine is read-only (no write); if the operation authority is read-write, the related flow can be executed as in the prior art.
In step S330, if the transmission direction of the CBW packet is from the target virtual machine to the physical machine, the CBW packet is parsed to determine whether the CBW packet is a packet for query.
Specifically, after the CBW packet has been filtered out by the dCBWSignature field, the bmCBWFlags field of the CBW packet reflects the direction of the data transfer that follows the command: when the most significant bit of bmCBWFlags is 0 the data direction is host-to-device (Data-Out), and when it is 1 the data direction is device-to-host (Data-In). The CBW itself always travels from the host (here the virtual machine) towards the device (via the physical machine).
Once the packet is confirmed to be a CBW travelling from the virtual machine towards the device, the CBWCB field, the command block to be executed by the device, is extracted from the CBW packet.
The format of CBWCB is parsed according to the command set in use, which is indicated by the bInterfaceSubClass field; the usbredir protocol reports this field (together with bInterfaceClass and bInterfaceProtocol) when the device is connected. The bInterfaceSubClass field can therefore also be used to decide how to extract and interpret the CBWCB field of the CBW packet.
It should be noted that only devices with bInterfaceClass 08h (mass storage), bInterfaceProtocol 50h (Bulk-Only transport) and bInterfaceSubClass 06h (SCSI transparent command set) are within the scope of the present application; other protocol types are not discussed here.
After the CBWCB field is extracted it is parsed according to the SCSI protocol: if the most significant bit of bmCBWFlags is 1 (Data-In) and the first byte of CBWCB, the opcode (SCSI command fields are big-endian), is 1Ah, the CBWCB field is determined to be a data query command, namely MODE SENSE(6); otherwise the CBWCB field is determined not to be a query command.
In step S340, in the case that the CBW packet is determined to be a packet for query, the value of the write protection field in the normal packet for feeding back the target virtual machine is modified to implement write protection for the peripheral storage device.
Specifically, when the CBWCB field is determined to be a query command, the Data-In returned for the MODE SENSE(6) command begins with a mode parameter header containing the DEVICE-SPECIFIC PARAMETER field, and for a direct-access device that field carries the write-protect (WP) bit. This Data-In appears in the ordinary data packet phase of the Bulk-Only protocol: the emulator QEMU sends a usb_redir_bulk_packet without data, via the usbredir protocol, to the IN endpoint of the external storage device (for example a USB flash drive); it is submitted to the physical device through the libusb_submit_transfer interface, the response data of the physical device to the CBW is obtained, and that data is encapsulated with the usbredir protocol and transferred back to QEMU.
Before the data is transferred back to QEMU, the embodiment of the present application modifies, in the usbredirhost_bulk_packet_complete interface, the ordinary data packet corresponding to the MODE SENSE(6) command and sets its write-protect bit (for example, the WP bit is changed from 0 to 1), so that the peripheral storage device as perceived by the virtual machine is read-only.
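The following C code is an added example written for this page (not code from the patent, usbredir, SPICE or QEMU) that carries steps S320 to S340 through on the Bulk-Only Transport layer: it classifies a bulk payload as CBW, CSW or ordinary data by signature and length, decides whether a CBW is a mode-sense query with a Data-In phase, and sets the WP bit in the mode parameter header of the reply before it would be re-encapsulated for the guest. It goes beyond the page in two ways, both marked in the comments: it also handles MODE SENSE(10) (opcode 5Ah, whose 8-byte header puts DEVICE-SPECIFIC PARAMETER at byte 3), and it remembers the outstanding command by its dCBWTag so that only the reply to the query is patched, since the Data-In itself carries no opcode. The sample CBWs, reply and CSW are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* USB Mass Storage Bulk-Only Transport framing. */
#define CBW_LEN            31
#define CSW_LEN            13
#define CBW_SIGNATURE      0x43425355u  /* "USBC"; on the wire (little-endian) 55 53 42 43 */
#define CSW_SIGNATURE      0x53425355u  /* "USBS" */
#define CBW_FLAG_DATA_IN   0x80         /* bmCBWFlags bit 7: 1 = Data-In (device to host) */

/* SCSI opcodes whose reply starts with a mode parameter header that carries WP.
 * MODE SENSE(10) is handled in addition to the MODE SENSE(6) case on the page. */
#define SCSI_MODE_SENSE_6  0x1A         /* 4-byte header, DEVICE-SPECIFIC PARAMETER at byte 2 */
#define SCSI_MODE_SENSE_10 0x5A         /* 8-byte header, DEVICE-SPECIFIC PARAMETER at byte 3 */
#define MODE_PARAM_WP      0x80         /* WP bit for direct-access block devices */

enum pkt_kind { PKT_OTHER = 0, PKT_CBW, PKT_CSW };

struct cbw {
    uint32_t tag, data_len;   /* dCBWTag (echoed in dCSWTag), dCBWDataTransferLength */
    uint8_t  flags, lun, cb_len;
    uint8_t  cb[16];          /* CBWCB: the SCSI CDB, big-endian, opcode in cb[0] */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* S320: classify one bulk payload. The signature alone is not enough: a data
 * phase that happens to start with "USBC" must not be mistaken for a command,
 * so the exact length and a sane bCBWCBLength (1..16) are required as well. */
enum pkt_kind bot_classify(const uint8_t *buf, size_t len, struct cbw *out)
{
    if (len == CSW_LEN && le32(buf) == CSW_SIGNATURE) return PKT_CSW;
    if (len != CBW_LEN || le32(buf) != CBW_SIGNATURE) return PKT_OTHER;
    uint8_t cb_len = buf[14] & 0x1F;
    if (cb_len == 0 || cb_len > 16) return PKT_OTHER;
    if (out) {
        out->tag      = le32(buf + 4);
        out->data_len = le32(buf + 8);
        out->flags    = buf[12];
        out->lun      = buf[13] & 0x0F;
        out->cb_len   = cb_len;
        memcpy(out->cb, buf + 15, 16);
    }
    return PKT_CBW;
}

/* S330: is this CBW a mode-sense query with a Data-In phase? Returns the byte
 * offset of DEVICE-SPECIFIC PARAMETER in the reply, or -1 for any other command. */
int cbw_wp_byte_offset(const struct cbw *c)
{
    if (!(c->flags & CBW_FLAG_DATA_IN)) return -1;
    if (c->cb[0] == SCSI_MODE_SENSE_6  && c->data_len >= 4) return 2;
    if (c->cb[0] == SCSI_MODE_SENSE_10 && c->data_len >= 8) return 3;
    return -1;
}

/* BOT keeps one command outstanding per device and the Data-In carries no
 * opcode, so the filter remembers which CBW the next reply answers and forgets
 * it on the matching CSW. */
struct ro_filter { int wp_offset; uint32_t tag; };

void ro_filter_init(struct ro_filter *f) { f->wp_offset = -1; f->tag = 0; }

/* Feed every guest-to-device (OUT endpoint) bulk payload here. */
void ro_filter_on_out(struct ro_filter *f, const uint8_t *buf, size_t len)
{
    struct cbw c;
    if (bot_classify(buf, len, &c) == PKT_CBW) {
        f->wp_offset = cbw_wp_byte_offset(&c);
        f->tag = c.tag;
    }
}

/* S340: feed every device-to-guest (IN endpoint) bulk payload here before it is
 * re-encapsulated for the guest. Returns 1 if the WP bit was set, else 0. */
int ro_filter_on_in(struct ro_filter *f, uint8_t *buf, size_t len)
{
    if (bot_classify(buf, len, NULL) == PKT_CSW) {
        if (le32(buf + 4) == f->tag) f->wp_offset = -1;   /* dCSWTag closes the command */
        return 0;
    }
    if (f->wp_offset < 0 || len <= (size_t)f->wp_offset) return 0;  /* not a mode-sense reply, or truncated */
    buf[f->wp_offset] |= MODE_PARAM_WP;
    f->wp_offset = -1;   /* only the first data packet of the phase holds the header */
    return 1;
}

/* Constructed samples: MODE SENSE(6) for page 3Fh requesting 192 bytes, a
 * WRITE(10) of one block, a 4-byte mode parameter header as a device returns
 * it (WP clear), and the CSW that closes command tag 1. */
const uint8_t sample_cbw_mode_sense6[CBW_LEN] = {
    0x55,0x53,0x42,0x43, 0x01,0,0,0, 0xC0,0,0,0, 0x80, 0x00, 0x06,
    0x1A,0x00,0x3F,0x00,0xC0,0x00 };
const uint8_t sample_cbw_write10[CBW_LEN] = {
    0x55,0x53,0x42,0x43, 0x02,0,0,0, 0x00,0x02,0,0, 0x00, 0x00, 0x0A,
    0x2A,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00 };
const uint8_t sample_mode_header[4] = { 0x03, 0x00, 0x00, 0x00 };
const uint8_t sample_csw_tag1[CSW_LEN] = { 0x55,0x53,0x42,0x53, 0x01,0,0,0, 0,0,0,0, 0x00 };
```

In a usbredirhost-style integration ro_filter_on_out would be called with the payload of each OUT bulk packet from the guest and ro_filter_on_in with each completed IN transfer before it is sent back. Two caveats for anyone deploying this: the WP bit only changes what the guest's disk driver believes about the medium, so a guest that bypasses its block layer and issues WRITE commands directly is not stopped by it (enforcing, rather than advertising, read-only access would additionally require failing WRITE CBWs before they reach the device); and a guest that polls with MODE SENSE(10) instead of MODE SENSE(6) reads the WP bit from a different header offset, which is why the example checks both opcodes.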
It should be noted here that the specific device of the peripheral storage device may be set according to actual requirements, and the embodiment of the present application is not limited to this.
With this technical scheme, the embodiment of the present application makes the mass storage peripheral read-only after redirection, which protects the virtual machine data: it cannot be exported to the cloud terminal through the redirected peripheral storage device.
Since the read-only function is achieved by directly modifying the relevant data of the SCSI command at the usbredir protocol layer, the user cannot disable the function after connecting to the virtual machine, which makes the function more robust.
The read-only function can be switched on or off through the command line parameters of the remote desktop connection tool, which makes the function more flexible.
In order to facilitate an understanding of embodiments of the present application, the following description is made by way of specific examples.
Referring to fig. 4, fig. 4 shows a specific flowchart of a data protection method according to an embodiment of the present application. As shown in fig. 4, the data protection method includes:
In step S410, the user logs in to the management platform of the enterprise cloud and desktop cloud and can set the access rights of different tenants to peripherals.
For example, which peripheral storage devices need to be write protected can be set.
For another example, for the same peripheral storage device, different operation authorities of users can be set, that is, which virtual machine users can have read-write authorities (not only can read data in the peripheral storage device, but also can write data into the peripheral storage device), and which virtual machine users can only read and not write (that is, they can only read data in the peripheral storage device, but can not write data into the peripheral storage device).
In step S420, in the cloud terminal, the tenant logs in the cloud terminal, and at this time, the cloud terminal has acquired the access rights of the virtual machine user to the peripheral from the management platform.
In step S430, when the virtual machine user connects to the virtual machine with the remote desktop connection tool, the cloud terminal, according to the user's authority, adds a specified parameter to the tool's command line to control whether the USB device is made read-only after redirection.
It should be understood that the specific process of step S430 may be referred to in the related description of fig. 3, and the detailed description is not repeated here.
In step S440, if the read-only option is opened, the device redirected to the virtual machine is not writable, i.e. the security of the virtual machine data is protected.
Step S450, after exiting the remote desktop tool, the USB device may be normally used on the cloud terminal.
It should be understood that the above data protection method is only exemplary, and those skilled in the art can make various modifications according to the above method, and the schemes after the modifications also belong to the protection scope of the present application.
Referring to fig. 5, fig. 5 shows a block diagram of a data protection apparatus 500 according to an embodiment of the application. It should be understood that the data protection apparatus 500 is capable of performing the steps in the above method embodiments, and the specific functions of the data protection apparatus 500 can be found in the above description; detailed descriptions are omitted here where appropriate to avoid redundancy. The data protection apparatus 500 includes at least one software functional module that can be stored in a memory in the form of software or firmware or built into the operating system (OS) of the data protection apparatus 500. Specifically, the data protection apparatus 500 includes:
an obtaining module 510, configured to obtain a USB request block (URB) packet;
a filtering module 520, configured to filter the command block wrapper (CBW) packet from the URB packet;
a parsing module 530, configured to parse the CBW packet to determine whether the CBW packet is a packet for query, in the case that the transmission direction of the CBW packet is from the target virtual machine to the physical machine;
and a modification module 540, configured to modify the value of the write protection field in the normal data packet fed back to the target virtual machine so as to implement write protection for the peripheral storage device, in the case that the CBW packet is determined to be a packet for query.
In one possible embodiment, the CBW packet includes a command block (CBWCB) field for device execution;
the parsing module 530 is specifically configured to: extract the CBWCB field from the CBW packet, and parse the CBWCB field using the small computer system interface (SCSI) protocol to determine whether the CBW packet is a packet for query.
In one possible embodiment, the parsing module 530 is specifically configured to modify the value of the write protection field in the normal data packet in the case that the CBWCB field is determined to be an instruction for querying data.
In one possible embodiment, the filtering module 520 is specifically configured to filter the command block wrapper (CBW) packet from the URB packet in the case that the operation authority of the target virtual machine is read-only without write permission.
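The following is an added example, not code from the patent or from any Usbredir implementation, showing how modules 520 to 540 fit together in Python: it parses the USB Mass Storage Bulk-Only Transport CBW out of the payload travelling from the virtual machine to the physical machine, recognises the SCSI MODE SENSE query from the opcode in the CBWCB field, and sets the WP bit in the mode parameter header of the reply sent back to the virtual machine, but only when the tenant's authority is read-only. The packet layouts are the public BOT and SCSI formats; the class and function names, the one-pending-command correlation between a CBW and its data stage, and all traffic samples are constructed assumptions for illustration.

```python
"""Added example (not the patent's or any project's code): a read-only filter for
redirected USB mass storage.  Packet layouts follow the public USB Mass Storage
Bulk-Only Transport (BOT) and SCSI MODE SENSE formats; all traffic is constructed."""
import struct
from dataclasses import dataclass
from typing import Optional

# BOT constants (public specification values)
CBW_SIGNATURE = 0x43425355      # 'USBC' read as little-endian uint32
CSW_SIGNATURE = 0x53425355      # 'USBS'
CBW_LEN = 31
CSW_LEN = 13
CBW_FLAG_DATA_IN = 0x80         # bmCBWFlags bit 7: data stage flows device -> host

# SCSI opcodes whose reply (the mode parameter header) carries the WP bit
SCSI_MODE_SENSE_6 = 0x1A        # 4-byte header, device-specific byte at offset 2
SCSI_MODE_SENSE_10 = 0x5A       # 8-byte header, device-specific byte at offset 3
WP_BIT = 0x80                   # bit 7 of the device-specific parameter byte


@dataclass
class Cbw:
    tag: int
    data_transfer_length: int
    flags: int
    lun: int
    cb: bytes                   # CBWCB: the SCSI command block (1..16 bytes)


def parse_cbw(packet: bytes) -> Optional[Cbw]:
    """Return the parsed CBW if `packet` is a well-formed CBW, otherwise None
    (data-out payloads and CSWs are not CBWs and are left alone)."""
    if len(packet) != CBW_LEN:
        return None
    sig, tag, xfer_len, flags, lun, cb_len = struct.unpack_from("<IIIBBB", packet, 0)
    if sig != CBW_SIGNATURE or not 1 <= cb_len <= 16:
        return None
    return Cbw(tag, xfer_len, flags, lun & 0x0F, packet[15:15 + cb_len])


def is_query_for_wp(cbw: Cbw) -> bool:
    """The 'packet for query' of the text: a data-in MODE SENSE whose reply carries WP."""
    return cbw.cb[0] in (SCSI_MODE_SENSE_6, SCSI_MODE_SENSE_10) and bool(cbw.flags & CBW_FLAG_DATA_IN)


def set_write_protect(opcode: int, data_in: bytes) -> bytes:
    """Set WP in the mode parameter header of a MODE SENSE reply; replies too
    short to contain the device-specific byte are returned unchanged."""
    offset = 2 if opcode == SCSI_MODE_SENSE_6 else 3
    if len(data_in) <= offset:
        return data_in
    buf = bytearray(data_in)
    buf[offset] |= WP_BIT
    return bytes(buf)


class ReadOnlyRedirectFilter:
    """Sits on the physical-machine side of the redirection channel.  BOT runs
    one command at a time as CBW -> optional data stage -> CSW, so the filter
    remembers the last CBW and patches the next device->VM payload that is not
    a CSW (assumption: one bulk pipe, no command queuing)."""

    def __init__(self, read_only: bool):
        self.read_only = read_only          # tenant authority from the management platform
        self.pending: Optional[Cbw] = None

    def on_vm_to_device(self, payload: bytes) -> bytes:
        """URB travelling VM -> physical machine: inspected, never altered."""
        if not self.read_only:
            return payload
        cbw = parse_cbw(payload)
        if cbw is not None:
            self.pending = cbw if is_query_for_wp(cbw) else None
        return payload

    def on_device_to_vm(self, payload: bytes) -> bytes:
        """URB travelling physical machine -> VM: patch a pending MODE SENSE reply."""
        if self.pending is None:
            return payload
        if len(payload) == CSW_LEN and struct.unpack_from("<I", payload)[0] == CSW_SIGNATURE:
            self.pending = None             # command finished without a data stage
            return payload
        patched = set_write_protect(self.pending.cb[0], payload)
        self.pending = None
        return patched


def build_cbw(tag: int, xfer_len: int, flags: int, cb: bytes) -> bytes:
    """Constructed test traffic: pack a CBW the way a VM's USB stack would."""
    return struct.pack("<IIIBBB", CBW_SIGNATURE, tag, xfer_len, flags, 0, len(cb)) + cb.ljust(16, b"\0")


# Constructed samples (not captured traffic)
MODE_SENSE_6_CBW = build_cbw(1, 0xC0, CBW_FLAG_DATA_IN, bytes([0x1A, 0x00, 0x3F, 0x00, 0xC0, 0x00]))
MODE_SENSE_6_REPLY = bytes([0x03, 0x00, 0x00, 0x00])          # WP clear: a writable stick
MODE_SENSE_10_CBW = build_cbw(2, 0xC0, CBW_FLAG_DATA_IN, bytes([0x5A, 0, 0x3F, 0, 0, 0, 0, 0x00, 0xC0, 0]))
MODE_SENSE_10_REPLY = bytes([0x00, 0x06, 0x00, 0x00, 0, 0, 0, 0])
WRITE_10_CBW = build_cbw(3, 512, 0x00, bytes([0x2A, 0, 0, 0, 0, 0, 0, 0, 1, 0]))
CSW_OK = struct.pack("<IIIB", CSW_SIGNATURE, 1, 0, 0)


def run_session(read_only: bool):
    """Drive MODE SENSE(6), MODE SENSE(10) and WRITE(10) through the filter."""
    f = ReadOnlyRedirectFilter(read_only)
    f.on_vm_to_device(MODE_SENSE_6_CBW)
    r6 = f.on_device_to_vm(MODE_SENSE_6_REPLY)
    f.on_device_to_vm(CSW_OK)
    f.on_vm_to_device(MODE_SENSE_10_CBW)
    r10 = f.on_device_to_vm(MODE_SENSE_10_REPLY)
    f.on_device_to_vm(CSW_OK)
    f.on_vm_to_device(WRITE_10_CBW)
    csw = f.on_device_to_vm(CSW_OK)
    return r6, r10, csw


if __name__ == "__main__":
    for ro in (False, True):
        print("read_only=%s" % ro, [x.hex() for x in run_session(ro)])
```

With `read_only=True` the MODE SENSE(6) header comes back as `03 00 80 00` and the MODE SENSE(10) header as `00 06 00 80 ...`, so the guest mounts the device read-only; with `read_only=False` every payload passes through untouched. As in the method described on the page, the filter does not itself drop WRITE commands: the protection relies on the guest honouring the WP bit it was shown, which is why the text stresses that the parameter is fixed on the command line at connection time rather than being switchable from inside the virtual machine.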
It will be clear to those skilled in the art that, for convenience and brevity of description, reference may be made to the corresponding procedure in the foregoing method for the specific working procedure of the apparatus described above, and this will not be repeated here.
Referring to fig. 6, fig. 6 shows a block diagram of an electronic device 600 according to an embodiment of the application. As shown in fig. 6, the electronic device 600 may include a processor 610, a communication interface 620, a memory 630, and at least one communication bus 640, where the communication bus 640 is used to enable direct communication between these components. The communication interface 620 of the device in the embodiment of the present application is used for signaling or data communication with other node devices. The processor 610 may be an integrated circuit chip with signal processing capability. The processor 610 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed by it. A general purpose processor may be a microprocessor, or the processor 610 may be any conventional processor or the like.
The memory 630 may be, but is not limited to, random access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), etc. The memory 630 stores computer readable instructions which, when executed by the processor 610, cause the electronic device 600 to perform the steps of the method embodiments described above.
The electronic device 600 may also include a memory controller, an input-output unit, an audio unit, a display unit.
The memory 630, the memory controller, the processor 610, the peripheral interface, the input/output unit, the audio unit, and the display unit are electrically connected directly or indirectly to each other, so as to realize data transmission or interaction. For example, the elements may be electrically coupled to each other via one or more communication buses 640. The processor 610 is configured to execute executable modules stored in the memory 630, such as software functional modules or computer programs included in the electronic device 600.
The input-output unit is used to provide the user with a way to input data, so as to realize interaction between the user and the server (or the local terminal). The input-output unit may be, but is not limited to, a mouse, a keyboard, and the like.
The audio unit provides an audio interface to the user and may include one or more microphones, one or more speakers, and audio circuitry.
The display unit provides an interactive interface (e.g. a user-operated interface) between the electronic device and the user, or is used to display image data for the user's reference. In this embodiment, the display unit may be a liquid crystal display or a touch display. In the case of a touch display, the touch display may be a capacitive touch screen or a resistive touch screen, etc., supporting single-point and multi-point touch operations. Supporting single-point and multi-point touch operations means that the touch display can sense touch operations generated simultaneously at one or more positions on the touch display, and the sensed touch operations are passed to the processor for calculation and processing.
It is to be understood that the configuration shown in fig. 6 is illustrative only, and that electronic device 600 may also include more or fewer components than shown in fig. 6, or have a different configuration than shown in fig. 6. The components shown in fig. 6 may be implemented in hardware, software, or a combination thereof.
The present application provides a storage medium having stored thereon a computer program which, when executed by a processor, performs the method of the embodiments.
The application also provides a computer program product which, when run on a computer, causes the computer to perform the method according to the method embodiments.
It will be clear to those skilled in the art that, for convenience and brevity of description, reference may be made to the corresponding procedure in the foregoing method for the specific working procedure of the system described above, and this will not be repeated here.
It should be noted that, in the present specification, each embodiment is described in a progressive manner, each embodiment focuses on its differences from the other embodiments, and the identical and similar parts between the embodiments can be referred to each other. For the apparatus embodiments, the description is relatively simple since they are substantially similar to the method embodiments, and reference is made to the description of the method embodiments for the relevant points.
It should be understood that, in various embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present application.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. The apparatus embodiments described above are merely illustrative, for example, of the flowcharts and block diagrams in the figures that illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes. It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only of the preferred embodiments of the present application and is not intended to limit the present application, but various modifications and variations can be made to the present application by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. The data protection method is applied to a physical machine with a peripheral storage device inserted therein, and a target virtual machine is deployed on the physical machine, and comprises the following steps:
acquiring a USB request block URB data packet;
filtering a command block packet CBW data packet from the URB data packet;
analyzing the CBW data packet to determine whether the CBW data packet is a data packet for inquiry or not under the condition that the transmission direction of the CBW data packet is from the target virtual machine to the physical machine;
and under the condition that the CBW data packet is determined to be the data packet for query, modifying the value of a write protection field in the common data packet for feeding back the target virtual machine so as to realize write protection of the peripheral storage equipment.
2. The data protection method of claim 1, wherein the CBW data packet includes a command block CBWCB field for device execution;
analyzing the CBW data packet to determine whether the CBW data packet is a data packet for query, including:
extracting the CBWCB fields from the CBW packet;
The CBWCB fields are parsed using the small computer system interface SCSI protocol to determine if the CBW packet is a packet for querying.
3. The data protection method according to claim 2, wherein, in the case that the CBW packet is determined to be a packet for query, modifying a value of a write protection field in a normal packet for feeding back the target virtual machine, comprises:
and modifying the value of the write protection field in the common data packet in the case that the CBWCB field is determined to be an instruction for querying data.
4. The data protection method according to claim 1, wherein filtering the command block packet CBW packet from the URB packet comprises:
And filtering a command block packet CBW data packet from the URB data packet under the condition that the operation authority of the target virtual machine is read-only and write-free.
5. A data protection device, wherein the data protection device is applied to a physical machine to which a peripheral storage device is plugged, and a target virtual machine is deployed on the physical machine, the data protection device comprising:
the acquisition module is used for acquiring the URB data packet of the USB request block;
the filtering module is used for filtering a command block packet CBW data packet from the URB data packet;
the analyzing module is used for analyzing the CBW data packet to determine whether the CBW data packet is a data packet for inquiry or not under the condition that the transmission direction of the CBW data packet is from the target virtual machine to the physical machine;
And the modification module is used for modifying the value of the write protection field in the common data packet for feeding back the target virtual machine under the condition that the CBW data packet is determined to be the data packet for query so as to realize write protection of the peripheral storage equipment.
6. The data protection apparatus of claim 5, wherein the CBW data packet includes a command block CBWCB field for device execution;
The analysis module is specifically configured to: extracting the CBWCB fields from the CBW packet; the CBWCB fields are parsed using the small computer system interface SCSI protocol to determine if the CBW packet is a packet for querying.
7. The data protection device according to claim 6, wherein the parsing module is specifically configured to modify a value of a write protection field in the normal data packet if the CBWCB field is determined to be an instruction for querying data.
8. The data protection device according to claim 5, wherein the filtering module is specifically configured to filter a command block packet CBW packet from the URB packet if the operation authority of the target virtual machine is read-only and write-free.
9. A storage medium having stored thereon a computer program which, when executed by a processor, performs the data protection method according to any of claims 1-4.
10. An electronic device comprising a processor, a memory and a computer program stored on the memory, characterized in that the processor executes the computer program to implement the data protection method according to any of claims 1-4.
CN202210348665.6A 2022-04-01 2022-04-01 Data protection method and device, storage medium and electronic equipment Active CN114611130B (en)


Publications (2)

Publication Number Publication Date
CN114611130A CN114611130A (en) 2022-06-10
CN114611130B true CN114611130B (en) 2024-07-09



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant