ZHENG Lei,MA Zhao-feng,GU Ming

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.07.006

2007-01-01

Abstract:User-mode encryption systems require users manually do encryption or decryption when they want to access a file,in some of those systems the file may reside in cleartext on disk while the user is actively working on it.Encryption file systems decrease the user interaction and guarantee the files in disk is in cipher-text,but those systems are complex in design and realization.In this paper the encryption system is based on Windows NT driver model and file system filter driver to deal with data on the fly.It overcomes the disadvantages of both usermode encryption systems and encryption file systems.Additionally,through storing the encryption key in the smart card the system security is enhanced.

顾正义,黄皓

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.14.050

2009-01-01

Abstract:To solve the problem of file encryption storage in Windows system, the system's lack of Windows EFS is analyzed. In-depth studied key technologies used on development of a file system filter driver, including data processing of I/O request packet in the filter driver, tracing file statues, avoid the system re-entry. Using the teelmology of file system filter driver, a new enerypting file system is designed and implemented. The system is completely transparent to the users. It encrypt specified files, folders or a certain type of files according to the policy placed flexibly by the users. It supports different kinds of file system such as NTFS and FAT. It can also select the encryption algorithm according to the policy. Experiments show that the system has good performance and extend the Windows EFS in both features and applications.

Jianliang Xie

2009-01-01

Abstract:The secure threads and the responded strategies of Storage Area Network (SAN) were illuminated. A secure system based on a hardware encryption card was proposed. Windows Driver Foundation (WDF) was introduced, which was Microsoft s next-generation driver-development model. At last some tactics in developing the encryption card driver based on WDF were described.

FU De-sheng,PAN Yi

DOI: https://doi.org/10.3969/j.issn.1671-1122.2009.07.014

2009-01-01

Abstract:File system filter driver is one kind of means,which is used to solve the security problems of files.This paper simply illustrate the advantages and disadvantages of this technology,focused on the principle of file system filter driver which is based on WDM and the design and implementation of multi-rules encryption system based on file system filter driver,and discuss the lack ofimprovement of this system.

Yang Jianxin

DOI: https://doi.org/10.3969/j.issn.2095-2783.2011.04.003

2011-01-01

Abstract:Many access control mechanisms are employed in modern operating system to safeguard confidentiality and integrity of data.However,if malicious users can get around these mechanisms,then these mechanisms will be useless.Cryptographic technology should be applied to add a last line of defense.Encrypted file system is one of the important methods,and the storage of file key has top priority in encrypted file system.However,current storage methods of file key cannot satisfy the need of expansibility.A storage method of file key based on extended file attribute is proposed.By implementing this method in ext2 file system we can see that it can be easily integrated into current file systems and satisfy the efficiency requirement of data encryption.

Xiaosong Zhang,Fei Liu,Ting Chen,Hua Li

DOI: https://doi.org/10.1109/cis.2009.107

2009-01-01

Abstract:Traditional data leakage prevention strategies encompass access control, audit logon and authority management. They have some effects on preventing sensitive information from leakage, while the system’ s availability may be degraded seriously by their limitation. To solve this problem, a novel model based on Windows file system filter driver is proposed in this paper, in which system encrypts files automatically according to encryption strategies. Leaking confidential information out of enterprise environment, intentionally or unintentionally, will be prevented effectively. Moreover, it has the characteristic of mandatory and transparent encryption, which can compromise the contradiction between data security and user flexibility.

Lei Liu,Mingwei Cao,Yeguo Sun

DOI: https://doi.org/10.1371/journal.pone.0258464

IF: 3.7

2021-12-15

PLoS ONE

Abstract:E-documents are carriers of sensitive data, and their security in the open network environment has always been a common problem with the field of data security. Based on the use of encryption schemes to construct secure access control, this paper proposes a fusion data security protection scheme. This scheme realizes the safe storage of data and keys by designing a hybrid symmetric encryption algorithm, a data security deletion algorithm, and a key separation storage method. The scheme also uses file filter driver technology to design a user operation state monitoring method to realize real-time monitoring of user access behavior. In addition, this paper designs and implements a prototype system. Through the verification and analysis of its usability and security, it is proved that the solution can meet the data security protection requirements of sensitive E-documents in the open network environment.

multidisciplinary sciences

Zijian Deng,Xuejia Lai

DOI: https://doi.org/10.1109/sitis.2007.38

2008-01-01

Abstract:How to protect the sensitive information from unauthorized disclosure is one of the problems in computer security. In this paper we present a new method for preventing the sensitive file from unauthorized disclosure, Security File Management (SFM). SFM relies on Dual-Core technology, Extensible Firmware Interface and Trusted computing to provide a much high level of security than current solutions. All operations of sensitive files are run in Trusted Boundary. In this paper, we present the architecture of SFM, the initial designer and the security analysis.

L. Jin-gang

Abstract:This paper introduces a new security and reliability mechanism of the file system of Linux-limiting OS physical storage space,and make it can’t be rewritten.Will be relatively independent of the operating system installed in the physical space,and other applications software in the physical separation of space,the operating system will be installed into a physical storage medium limited to read-only,so that the operating system installed can not be rewritten on the physical layer,so as to achieve secure and reliable;at the same time,user space and system space isolated from each other in the physical space,when users need to install software or preserve documents,can be transparent in the storage space.Then describes its design principle and implement details,and comes to the conclusion of providing security and reliability without performance loss by giving fully test results.

Computer Science,Engineering

Mengqi Zeng,Dawu Gu,Fangyong Hou,Yuanyuan Zhang,Tao Cheng

DOI: https://doi.org/10.1109/NAS.2009.70

2009-01-01

Abstract:Self-securing storage devices prevents intruders from undetectably tampering with or permanently deleting stored data. To accomplish this, we design an efficient self-securing disk architecture, which is based on traditional self-securing storage prototype S4: 1) On the confidentiality protection side, authenticated encryption mode GCM is adapted to process disk block in parallel ,and authentication latency is overlapped with disk access latency so that our scheme is more efficient and secure than Windows BitLocker. 2) On the integrity protection side, GHASH proposed in GCM is used to generate MAC which is more efficient than SHA-1, MD5. Moreover, ldquoMinimum Integrity Verification Treerdquo is put forward to decrease performance loss at a maximum. 3) On the access control protection side, we propose a cryptographically featured capability based access control model, which is based on existing OSD access control model. We use hybrid hard drive as an instance to build a self-securing disk prototype which is implemented by simulation. The encryption/authentication overheads are significantly reduced due to buffer techniques and combined GCM/Flash scheme. According to the simulation results, the performance overhead is less than 18%, which is efficient and practical.

Rongrong Huang,Jiwu Shu,Da Xiao,Kang Chen

2009-01-01

Journal of Computer Research and Development

Abstract:Network file systems facilitate data sharing but also introduce new vulnerabilities.Audit logs that trace the changes of file system data to prevent fraudulent manipulation of data have great value in evaluating system security.Current systems cannot satisfy the requirement of users because they fail to ensure the security of audit logs.The powerful insider adversary can modify the audit logs covertly to erase evidence of illegal modification directly via device drivers.A data integrity protection method is presented for network file systems based on secure audit logs.Every file and directory has an authenticator to ensure the integrity of data.All changes to data are traced and the corresponding audit logs are generated.At a later time,an auditor may verify the data of a file according to the authenticators and audit logs.A trusted hardware is introduced to manage audit key and to enable the generation and trustworthiness of authenticators and audit logs.A prototype of Nfsd-log is implemented based on the NFS server in Linux and its performance iS evaluated. SSH-build benchmark test shows that the total time overhead of Nfsd-log only increase by 9.2% comparing with original NFS server.

LIU Wei-peng,HU Jun,LIU Yi

DOI: https://doi.org/10.3969/j.issn.1002-137X.2008.11.026

2008-01-01

Computer Science

Abstract:Encrypted file system is an effective method to protect sensitive data of system and user from disclosing on operating system level.This paper first investigates several famous encrypted file system and points out their limits,such as use method,key protection,management and performance,then discusses a scheme of transparent encrypted and decrypted file system based on UsbKey from design objective,architecture,and implementation.This scheme is based on Linux operating system,at the same time,uses UsbKey to storage and protect key.Using LSM framework and redirecting the "read" and "write" operation of inode implement transparent encrypted and decrypted function.This paper gives some lights on the research and implementation of transparent encrypted and decrypted file system in Linux.

Jiwu Shu,Zhirong Shen,Wei Xue

DOI: https://doi.org/10.1016/j.jpdc.2014.06.003

IF: 4.542

2014-01-01

Journal of Parallel and Distributed Computing

Abstract:With the increasing amount of personal data stored in public storage, users are losing control of their physical data, putting their data information at risk of theft or being compromised. Traditional secure storage systems either require users to completely trust the storage provider or impose the considerable burden of managing files on file owners; such systems are inapplicable in the practical cloud environment. This paper addresses these challenging problems by proposing a new secure system architecture and implementing a stackable secure storage system named Shield, in which a proxy server is introduced to be in charge of authentication and access control. We propose a new variant of the Merkle Hash Tree to support efficient integrity checking and file content update; further, we have designed a hierarchical key organization to achieve convenient keys management and efficient permission revocation. Shield supports concurrent write access by employing a virtual linked list; it also provides secure file sharing without any modification to the underlying file systems. A series of evaluations over various real benchmarks show that Shield causes about 7%∼13% performance degradation when compared with eCryptfs but provides enhanced security for user’s data.

ZHANG Ning,LIU Jin-gang

DOI: https://doi.org/10.3969/j.issn.2095-6835.2010.12.035

2010-01-01

Abstract:This paper introduces a new security and reliability mechanism of the file system of Linux-limiting OS physical storage space,and make it can’t be rewritten.Will be relatively independent of the operating system installed in the physical space,and other applications software in the physical separation of space,the operating system will be installed into a physical storage medium limited to read-only,so that the operating system installed can not be rewritten on the physical layer,so as to achieve secure and reliable;at the same time,user space and system space isolated from each other in the physical space,when users need to install software or preserve documents,can be transparent in the storage space.Then describes its design principle and implement details,and comes to the conclusion of providing security and reliability without performance loss by giving fully test results.

Hong-Liang TIAN,Yong ZHANG,Xin-Hui XU,Chao LI,Chun-Xiao XING

DOI: https://doi.org/10.11897/SP.J.1016.2016.00154

2016-01-01

Chinese Journal of Computers

Abstract:Big data,known for its characteristics of high volume,high value and centralized storage, is an attractive target for attackers.Thus,big data security is an important issue.However,the two most common data security measures used in big data platforms (e.g.Hadoop)are not satisfactory:(1 )Access control mechanisms are prone to bugs and vulnerabilities;(2)Data encryption is provably secure but incurs considerable overheads during data processing.In this paper,we present TrustedSSD,a secure Solid State Drive (SSD)that efficiently guarantees the security of data-at-rest by enforcing a fine-grained access control.We first analysis the security of TrustedSSD,and then describe the design and implementation of the system,highlighting the challenges involved. We built a prototype of TrustedSSD on a commercially successful SSD controller.Experimental results on both synthetic and real-world workloads show that TrustedSSD incurs less than 3%overhead.Therefore,we believe TrustedSSD is a promising approach to big data security.

Wenjuan Tang,Yang Xu,Guojun Wang,Yaoxue Zhang

DOI: https://doi.org/10.1007/978-3-319-27161-3_23

2015-01-01

Abstract:Transparent computing is a novel network computing paradigm in which operating systems, applications, data, etc. are stored and managed on remote servers, and complex computing tasks are performed on local clients in real time. The unified and professional storage managements on servers make clients capable of owning an intrinsic advantage of storage security. However, due to runtime computing tasks of applications, protecting information flow security in end devices becomes important. In this paper, we propose a secure information flow model and design an information flow search algorithm based on Depth-first-search to prevent illegal access between files in transparent computing local environment. The main idea is to detect indirect access in information flow graph constructed with historic access records at first. Then compare the indirect access with previously designed white list to find out whether there are illegal behaviors. Intercepting access behavior is implemented by a special and secure file filter above file system at kernel level. Algorithm and security analysis show that our work can provide a secure information flow mechanism efficiently.

Luo Hui,Guan Haibing,Bai Yingcai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.08.062

2007-01-01

Abstract:Secure network file system can secure the stored data and provide confidence and integrity in opening environment.It should consider such factors as security,performance and convenience when designing a secure file system.The design and implementation of a secure network file system:SecNFS,including its design idea,system architecture,key management,security analysis,share schema and implementation techniques is described.

Ying-ying Sun,Kou-gen Zheng

DOI: https://doi.org/10.3724/sp.j.1087.2010.03115

2010-01-01

Journal of Computer Applications

Abstract:File security access control is the core of the bank automatic teller machine security. File monitoring system based on minifilter, combining users and processes to access control rights, real-time monitored files and achieved the file security access. Minifilter model shortened the development time, and was stable and compatible. The log file operation based on mutex lock, achieved the log events generat and the log written synchronization, and improved the log-written efficiency. The file monitoring system enhances the file security and the system stability.

Jie Lin,Yunliang Zhang,Zhiyong Tan,Yiqi Dai

2009-01-01

Abstract:The paper proposes a novel secure distributed disk system. By dynamically exploiting file-system semantics of on-disk data blocks and sensing activities of the local file system, the disk system can be integrated with the current file systems seamlessly without changing the standard block interface between them and can efficiently manage accesses to the files from multiple hosts. And the disk system adopts a new data distribution scheme to ensure confidentiality, reliability and availability of data, and a credibility evaluation strategy to prevent some attacks from malicious clients and data servers.

LIN Hao-xiang,DONG Yuan,ZHANG Wei,ZHANG Su-qin,HU Chang-jun

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.01.026

2007-01-01

Abstract:Recently it has been a focus to protect personal sensitive information. Using cryptographic technique is a promising way. This paper describes the design and implementation of Waycryptic, a versatile cryptographic file system for Linux. By integrating cryptographic technique into file system level, users obtain transparent, dynamic, efficient and secure encryption function without modifying their applications. Encrypted files could be saved on any physical file system which supports extended attributes (XATTR). Waycryptic also permits encrypted files to be shared among multi users and to be easily recovered by designating an account in advance. The results of Iozone and Bonnie benchmarks show that Waycryptic is comparatively efficient and is suitable for personal or multi-user systems which require enhanced security.