Research and Implementation of Hardware Device Control in Intranet Security
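Abstract
With the development of computer technology and the widespread use of networks, most enterprises use an internal network as their platform for information management and data transfer. While the internal network improves operating efficiency, it also introduces security risks inside the enterprise. Research shows that taking information directly out of the enterprise using various hardware storage devices has become the main channel of information loss. The most urgent task in securing the enterprise internal network is therefore to control the use of hardware devices.
     At present, research at home and abroad on hardware device control in internal security systems mainly targets devices such as optical drives/burners, floppy drives, serial/parallel ports and USB ports. However, most of it only enables, disables or blocks these devices at the application level, and problems such as coarse control granularity remain to be solved.
     This thesis summarizes the theory and techniques involved in hardware device control, written after the author took part in the research and design of an enterprise internal network security management system. The project implements an intranet security management system mainly on the Windows platform; it consists of a client, a server and a console, and provides security assurance in four areas: leak protection, file security services, runtime status monitoring and system resource management.
     In this system, controlling the various commonly used hardware devices has to be built on the Windows driver architecture. WDM drivers are the driver type used by Plug and Play peripherals. In the course of this work the author therefore studied and practised the structure, principles and programming techniques of WDM drivers in depth, and used tools such as the Windows DDK and Driver Studio to complete the assigned development work. The main work completed by the author is:
     1. Control of several kinds of devices was implemented. Beyond simple enable/disable control, there are multiple control modes such as one-way transfer and two-way transfer; the fine control granularity greatly improves the flexibility and usability of the system.
     2. Device control is implemented at the driver layer; the code runs at kernel level and has a short response time.
     In terms of organization, the thesis analyses and summarizes the research background and the state of research at home and abroad. On that basis it describes in detail the design of the internal network security management system and the relationships and communication between its functional modules. It then examines the hardware device control module in depth, analysing the module's implementation principles and key routines and giving the final test data. Finally the author summarizes the main results and remaining problems of the thesis and proposes ideas for further improvement.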
With the rapid development of computer technology and the wide use of networks, most enterprises use computers as the main tool for managing information and data. This makes enterprises run more efficiently but also brings in some security problems. So it is important to raise the security level while keeping that convenience.
     So far, research in this area has focused on CD/DVD-ROM+/-RW drives, floppy drives, COM/LPT ports and USB devices. But most of it can only forbid or shield those devices in user mode, which leads to coarse control granularity.
     This dissertation is the author’s summary and refinement of the theory after taking part in the development of an intranet security management project based on Windows operating systems. The system is made up of clients, servers and control panels, and provides cipher protection, file security, state monitoring and system resource management.
     The system has to be based on the Windows driver architecture, especially WDM, the driver type used for PnP devices. The author therefore studied WDM architecture, theory and programming technology in depth, and programmed the drivers with tools such as the Windows DDK and Driver Studio.
     The following is the author’s main work during the research:
     1. It provides not only a complete forbidding mode but also read-only and write-only modes, which can fit all kinds of user demands.
     2. It controls the devices in kernel mode, which takes little time to run.
     The dissertation is organized as follows. It first analyzes the background and the state of research on this topic. It then presents the design of the intranet security management system and how the modules communicate with one another. Next it describes the implementation of the whole hardware resources management system and gives the test data. Finally the author summarizes the main results and the further work.
