DATA BLACKHOLE PROCESSING METHOD BASED ON MOBILE STORAGE DEVICE, AND MOBILE STORAGE DEVICE

US 20160350530A1
Filed: 03/03/2015
Published: 12/01/2016
Est. Priority Date: 03/04/2014
Status: Abandoned Application

First Claim

Patent Images

1. A data black hole processing method based on a mobile storage device, comprising:

configuring a data black hole system in a computing device so as to form a data black hole terminal, wherein the data black hole system can store intermediate data and an operation result generated during operation of the computing device in a specific storage location, and ensure that the computing device runs normally;

establishing a data black hole space, wherein the data black hole space comprises a data storage partition established in the mobile storage device, wherein the data storage partition is adapted to be visited by the data black hole system but not by an operating system or software of an application layer, wherein the mobile storage device is coupled with the computing device;

establishing a corresponding relationship between a user using the computing device and the data black hole space or a part of the data black hole space;

re-directing a data writing operation generated by an operation of the user at the data black hole terminal to the data black hole space corresponding to the user;

blocking a data persistence operation to a local storage device; and

blocking data output through a local port except for data output to the data black hole terminal so as to ensure data entering the data black hole terminal or the data black hole space only exists in the data black hole space.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A data blackhole processing method based on a mobile storage device, comprising: a computing device deploying a data blackhole system, causing the computing device to become a data blackhole terminal; a data blackhole system being taken to mean a system where process data and operation results of the process of operation of the computing device are stored in a specific storage location to ensure normal operation of the computing device; establishing a data blackhole space, comprising the data storage area opened on said mobile storage device; establishing a correspondence between the user of the computing device and the data blackhole space or a portion of the data blackhole space; redirecting to the data blackhole space corresponding to the user the data generated by the user when operating the data blackhole terminal; preventing a data persistence operation from being performed on the local storage device, and preventing output of the data to a local port by means of a non-data blackhole terminal. Also provided is a mobile storage device. On the basis of the data blackhole processing method of the mobile storage device as well as the mobile storage device, data security and anti-leak protection are increased.

Citations

20 Claims

1. A data black hole processing method based on a mobile storage device, comprising:
- configuring a data black hole system in a computing device so as to form a data black hole terminal, wherein the data black hole system can store intermediate data and an operation result generated during operation of the computing device in a specific storage location, and ensure that the computing device runs normally;
  
  establishing a data black hole space, wherein the data black hole space comprises a data storage partition established in the mobile storage device, wherein the data storage partition is adapted to be visited by the data black hole system but not by an operating system or software of an application layer, wherein the mobile storage device is coupled with the computing device;
  
  establishing a corresponding relationship between a user using the computing device and the data black hole space or a part of the data black hole space;
  
  re-directing a data writing operation generated by an operation of the user at the data black hole terminal to the data black hole space corresponding to the user;
  
  blocking a data persistence operation to a local storage device; and
  
  blocking data output through a local port except for data output to the data black hole terminal so as to ensure data entering the data black hole terminal or the data black hole space only exists in the data black hole space.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 18, 19, 20)
- - 2. The method according to claim 1, wherein configuring the data black hole system comprises configuring a data security storage method, which is adapted to re-direct a data writing operation generated by an operation of a user at the data black hole terminal to a data black hole space corresponding to the user, wherein the data security storage method comprises:
    - receiving a first hardware instruction;
      
      if the first hardware instruction is a storage instruction, changing a destination address in the storage instruction to an address in the data black hole space corresponding to the user; and
      
      sending the changed storage instruction to a hardware layer for execution.
  - 3. The method according to claim 2, wherein configuring the data black hole system comprises configuring a data security reading method, which comprises:
    - receiving a second hardware instruction;
      
      if the second hardware instruction is a reading instruction and data to be read by the reading instruction has been stored in the data black hole space, changing a source address in the reading instruction to an address in the data black hole space corresponding to the user; and
      
      sending the changed reading instruction to the hardware layer for execution.
  - 4. The method according to claim 2, wherein configuring the data black hole system comprises configuring a data security reading method, which comprises:
    - receiving a second hardware instruction;
      
      if the second hardware instruction is a reading instruction and data to be read by the reading instruction has been stored in the data black hole space, providing the user with a choice between reading data in a local storage device or in the data black hole space;
      
      reading the data in the local storage device or in the data black hole space based on the user'"'"'s choice; and
      
      sending, if reading the data in the data black hole space, the changed reading instruction to the hardware layer for execution and if reading the data in the local storage device, the reading instruction to the hardware layer for execution.
  - 5. The method according to claim 4, wherein reading the data in the data black hole space comprises:
    - changing a source address in the reading instruction to an address in the data black hole space corresponding to the user.
  - 6. The method according to claim 3, wherein receiving the hardware instruction comprises:
    - receiving the first and second hardware instruction from a hardware abstract layer.
  - 7. The method according to claim 1, wherein configuring the data black hole system comprises configuring a data security storage method, which is adapted to re-direct a data writing operation generated by an operation of a user at the data black hole terminal to a data black hole space corresponding to the user, wherein the data security storage method comprises:
    - buffering a first instruction runtime environment, wherein the first instruction runtime environment comprises an address register, which is adapted to store an address of a next machine instruction to be executed, wherein the address of the next machine instruction to be executed is a first address;
      
      acquiring a machine instruction segment to be dispatched, wherein a last instruction in the machine instruction segment to be dispatched is a first program transfer instruction;
      
      analyzing each instruction in the machine instruction segment to be dispatched and, if there is a storage instruction in the machine instruction segment, changing a destination address in the storage instruction to a corresponding storage address in the data black hole space;
      
      inserting, before the first program transfer instruction, a second program transfer instruction so as to form an instruction reconstruction segment with a second address, wherein the second program transfer instruction points to an entrance address of an instruction reconstruction platform;
      
      changing the first address stored in the address register to the second address; and
      
      restoring the first instruction runtime environment.
  - 8. The method according to claim 1, wherein configuring the data black hole system comprises configuring a data security storage method, which is adapted to re-direct a data writing operation generated by an operation of a user at the data black hole terminal to a data black hole space corresponding to the user, wherein the data security storage method comprises:
    - buffering a first instruction runtime environment;
      
      reading a destination address from a first storage location and acquiring a machine instruction segment to be dispatched based on the destination address, wherein a last instruction in the machine instruction segment to be dispatched is a first program transfer instruction;
      
      storing a destination address of the first program transfer instruction in the first storage location;
      
      analyzing each instruction in the machine instruction segment to be dispatched and, if there is a storage instruction in the machine instruction segment, changing a destination address in the storage instruction to a corresponding storage address in the data black hole space;
      
      replacing the first program transfer instruction with a second program transfer instruction so as to form an instruction reconstruction segment with a second address, wherein the second program transfer instruction points to an entrance address of an instruction reconstruction platform; and
      
      restoring the first instruction runtime environment and jumping to the second address for further operation.
  - 9. The method according to claim 1, wherein configuring the data black hole system comprises configuring a data security storage method, which is adapted to re-direct a data writing operation generated by an operation of a user at the data black hole terminal to a data black hole space corresponding to the user, wherein the data security storage method comprises:
    - buffering a first instruction runtime environment;
      
      acquiring an address and a parameter of a program transfer instruction stored in a stack;
      
      based on the address and the parameter, computing an address of a next instruction to be executed, wherein the address of the next instruction to be executed is a first address;
      
      acquiring a machine instruction segment to be dispatched based on the first address, wherein a last instruction in the machine instruction segment to be dispatched is a first program transfer instruction;
      
      analyzing each instruction in the machine instruction segment to be dispatched and, if there is a storage instruction in the machine instruction segment, changing a destination address in the storage instruction to a corresponding storage address in the data black hole space;
      
      replacing the first program transfer instruction with a push instruction, wherein an address and a parameter of the first program transfer instruction are recorded in the push instruction;
      
      adding a second program transfer instruction after the push instruction so as to form an instruction reconstruction segment with a second address, wherein the second program transfer instruction points to an entrance address of an instruction reconstruction platform; and
      
      restoring the first instruction runtime environment and jumping to the second address for further operation.
  - 10. The method according to claim 7, wherein configuring the data black hole system comprises configuring a data security reading method, which comprises:
    - buffering a second instruction runtime environment, wherein the second instruction runtime environment comprises an address register, which is adapted to store an address of a next machine instruction to be executed, wherein the address of the next machine instruction to be executed is the first address;
      
      acquiring a machine instruction segment to be dispatched, wherein a last instruction in the machine instruction segment to be dispatched is the first program transfer instruction;
      
      analyzing each instruction in the machine instruction segment to be dispatched and, if there is a reading machine instruction in the machine instruction segment and data to be read by the reading machine instruction has been stored in the data black hole space, changing a source address in the reading instruction to a corresponding storage address in the data black hole space;
      
      inserting, before the first program transfer instruction, the second program transfer instruction so as to form an instruction reconstruction segment with the second address, wherein the second program transfer instruction points to an entrance address of an instruction reconstruction platform;
      
      changing the first address stored in the address register to the second address; and
      
      restoring the second instruction runtime environment.
  - 11. The method according to claim 8, wherein configuring the data black hole system comprises configuring a data security reading method, which comprises:
    - buffering a second instruction runtime environment;
      
      reading a destination address from the first storage location and acquiring a machine instruction segment to be dispatched based on the destination address, wherein a last instruction in the machine instruction segment to be dispatched is the first program transfer instruction;
      
      storing a destination address of the first program transfer instruction in the first storage location;
      
      analyzing each instruction in the machine instruction segment to be dispatched and, if there is a reading instruction in the machine instruction segment and data to be read by the reading instruction has been stored in the data black hole space, changing a source address in the reading instruction to a corresponding storage address in the data black hole space;
      
      replacing the first program transfer instruction with the second program transfer instruction so as to form an instruction reconstruction segment with the second address, wherein the second program transfer instruction points to an entrance address of an instruction reconstruction platform; and
      
      restoring the second instruction runtime environment and jumping to the second address for further operation.
  - 12. The method according to claim 9, wherein configuring the data black hole system comprises configuring a data security reading method, which comprises:
    - buffering a second instruction runtime environment;
      
      acquiring an address and a parameter of a program transfer instruction stored in a stack;
      
      computing an address of a next instruction to be executed, wherein the address of the next instruction to be executed is the first address;
      
      acquiring a machine instruction segment to be dispatched based on the first address, wherein a last instruction in the machine instruction segment to be dispatched is the first program transfer instruction;
      
      analyzing each instruction in the machine instruction segment to be dispatched and, if there is a reading instruction in the machine instruction segment and data to be read by the reading instruction has been stored in the data black hole space, changing a source address in the reading instruction to a corresponding storage address in the data black hole space;
      
      replacing the first program transfer instruction with a push instruction, wherein an address and a parameter of the first program transfer instruction are recorded in the push instruction;
      
      adding the second program transfer instruction after the push instruction so as to form an instruction reconstruction segment with the second address, wherein the second program transfer instruction points to an entrance address of an instruction reconstruction platform; and
      
      restoring the second instruction runtime environment and jumping to the second address for further operation.
  - 13. The method according to claim 7, wherein acquiring the machine instruction segment to be dispatched comprises:
    - reading an address of a machine instruction to be dispatched from the address register;
      
      for finding a program transfer instruction, retrieving the machine instruction to which the address of the machine instruction points and other instructions following the machine instruction till first found of a program transfer instruction, which is called the first program transfer instruction, wherein the first program transfer instruction is adapted to change an order for executing machine instructions; and
      
      forming the machine instruction segment to be dispatched including the first program transfer instruction and all machine instructions to be dispatched before the first program transfer instruction.
  - 14. The method according to claim 7, wherein acquiring the machine instruction segment to be dispatched comprises:
    - reading an address of a machine instruction to be dispatched from the address register;
      
      for finding a program transfer instruction, retrieving the machine instruction to which the address of the machine instruction points and other instructions following the machine instruction till a first program transfer instruction with a parameter address is found, which is called the first program transfer instruction, wherein the first program transfer instruction is adapted to change an order for executing machine instructions; and
      
      forming the machine instruction segment to be dispatched including the first program transfer instruction and all machine instructions to be dispatched before the first program transfer instruction.
  - 18. The method according to claim 4, wherein receiving the hardware instruction comprises:
    - receiving the first and second hardware instruction from a hardware abstract layer.
  - 19. The method according to claim 8, wherein acquiring the machine instruction segment to be dispatched comprises:
    - reading an address of a machine instruction to be dispatched from the address register;
      
      for finding a program transfer instruction, retrieving the machine instruction to which the address of the machine instruction points and other instructions following the machine instruction till first found of a program transfer instruction, which is called the first program transfer instruction, wherein the first program transfer instruction is adapted to change an order for executing machine instructions; and
      
      forming the machine instruction segment to be dispatched including the first program transfer instruction and all machine instructions to be dispatched before the first program transfer instruction.
  - 20. The method according to claim 8, wherein acquiring the machine instruction segment to be dispatched comprises:
    - reading an address of a machine instruction to be dispatched from the address register;
      
      for finding a program transfer instruction, retrieving the machine instruction to which the address of the machine instruction points and other instructions following the machine instruction till a first program transfer instruction with a parameter address is found, which is called the first program transfer instruction, wherein the first program transfer instruction is adapted to change an order for executing machine instructions; and
      
      forming the machine instruction segment to be dispatched including the first program transfer instruction and all machine instructions to be dispatched before the first program transfer instruction.

15. A mobile storage device, comprising:
- a mobile data security access unit and a security storage space, wherein the mobile storage device carries an operating system, wherein the security storage space is inaccessible to the operating system and software of the operating system and the security storage space is adapted to be visited by the mobile data security access unit;
  
  wherein, when the mobile storage device is coupled with a computing device, a central processing unit of the computing device is adapted to run the operating system carried by the mobile storage device, and a user communicates with the mobile storage device through a input/output device of the computing device, wherein the mobile data security access unit receives an instruction from the operating system carried by the mobile storage device and send the instruction to the central processing unit of the computing device;
  
  wherein, the mobile data security access unit comprises;
  
  a receiving unit, adapted to receive a hardware instruction;
  
  an instruction analysis unit, adapted to determine whether the hardware instruction is a storage instruction or a reading instruction and to generate a determinant signal;
  
  an instruction modification unit, based on the determinant signal, adapted to, if the hardware instruction is a storage instruction, change a destination address in the storage instruction to a corresponding storage address in the security storage space, and if the hardware instruction is a reading instruction, adapted to retrieve a bitmap and change a reading address in the reading instruction based on data of the bitmap, wherein the bitmap is adapted to represent whether data with an address in a local storage space is dumped to the security storage space;
  
  a transmitting unit, adapted to send the changed storage or reading instruction to a hardware layer for execution.
- View Dependent Claims (16, 17)
- - 16. The mobile storage device according to claim 15, further comprising:
    - an updating unit, adapted to update a bit corresponding to the destination address of the storage instruction in the bitmap after the instruction modification unit changes the storage instruction.
  - 17. The mobile storage device according to claim 15, further comprising:
    - an encryption/decryption unit, adapted to encrypt or decrypt data entering or exiting the security storage space, wherein the encryption/decryption unit is coupled with the security storage space.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Antaios (Beijing) Information Technology Co. Ltd.
Original Assignee
Antaios (Beijing) Information Technology Co. Ltd.
Inventors
WANG, Jiaxiang

Application Number

US15/116,193
Publication Number

US 20160350530A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 12/1441   for a range

G06F 21/53   by executing in a restricte...

G06F 21/602   Providing cryptographic fac...

G06F 21/606   by securing the transmissio...

G06F 21/78   to assure secure storage of...

G06F 2212/1052   Security improvement

G06F 3/0622   in relation to access

G06F 3/0644   Management of space entitie...

G06F 3/0653   Monitoring storage devices ...

G06F 3/067   Distributed or networked st...

DATA BLACKHOLE PROCESSING METHOD BASED ON MOBILE STORAGE DEVICE, AND MOBILE STORAGE DEVICE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DATA BLACKHOLE PROCESSING METHOD BASED ON MOBILE STORAGE DEVICE, AND MOBILE STORAGE DEVICE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links