Study on Secure File Transfer Scheme on ARM9-based Security

Transcription

1 Study on Secure File Transfer Scheme on ARM9-based Security Authentication Platform * (School of Computer Science and Engineering, Hunan University of Science and Technology, Xiangtan, ) * idlink@163.com Abstract A file transfer scheme on ARM9-based security authentication platform is proposed for secure transfer of file between computer and storage device. The scheme has designed several functional modules on basis of self-designed ARM9 platform, which include secure hiding, transfer management, recovery and destruction management. User can directly operate the files by using these functions. By comparing with traditional software based secure file transfer system, our scheme has better performance on security and transfer overhead. 1. Introduction Keywords: ARM9, File Hiding, Recovery Management, Transfer Overhead With the rapid development of network, network file storage makes life and work much convenient. However, data security is concerned by more and more people. At present, people always use software for secure authentication of secret files. Software authentication system [1-2] has lots of security vulnerabilities in secret file transfer between removable storage device and computer. The current software authentication system [3-9] cannot meet the security requirement in secret file transfer by using only general password authentication. It is pressed for a secure file transfer system with high security and controllability in user terminal and removable storage device. In order to prevent important files from theft and leakage, USB filtering driver is used in literature [10]. Device control is implemented by intercepting in loading of USB storage device; in literature [11], USB filtering driver is combined with file filtering driver for device controlling. Literature [12] has used file filtering driver for controlling storage device, however, multi-volume and unique reorganization did not take into account since multiple volumes may produced in file system for one removable storage device. Consequently, literature [13] has presented authority grading for volumes in removable device. Real-time control is implemented by recognizing the produced volumes, unique identification and access authority of each volume. This method mainly concentrate on application driver controlling under API of operating system, it is not effective in authentication terminal for file transfer. In result, these methods have certain threaten to secure authentication. In our paper, a secure file transfer system based on fingerprint characteristics is proposed. The scheme consists of hardware authentication and secure file transfer management. Hardware authentication is on basis of biometric recognition principle, which integrates self-designed ARM9 master-controlling circuit, fingerprint signal processing circuit, USB data acquisition circuit and power supply. A secure file transfer device with fingerprint recognition is produced. On basis of the device, we have designed management software for encrypted file transfer with identity authentication and file hiding. A distributed algorithm for effectively hiding file is integrated in the software, which makes distributed file hidden and complete recovery. The system has compact architecture, high performance, convenient authority management and operation and retrospective functions as well. 2. Design of Secure File Transfer System 2.1. Hardware Architecture According to requirements of system functions, the hardware architecture is divided as shown International Journal of Advancements in Computing Technology(IJACT) Volume5,Number8,April 2013 doi: /ijact.vol5.issue

2 in Figure 1. A hardware architecture based on ARM9 is used. Master controlling CPU is S3C2440, which shoulders controlling and operation of the whole system. High-capacity Flash and RAM are used for temporary storage and data storage management. External interface devices adopt mature USB bus control technology for interconnection of external storage and confidential computer. If high-speed devices (CPU, SRAM, Flash, system, power protect unit, USB2.0 controller) use AHB interconnection, 1G Flash storage device could be used for secure storage of abundant data. Fingerprint acquisition chip is American Veridicom FPS200, which can directly output digital image signal. A pixel is indicated with 8 bits. Three interface modes (CPU, SPI, USB) are optional. The area of required sensor array is easy to define Design of Software Modules Figure 1. Hardware architecture of system Modules of Driver Mounting and Task Control Driver mounting and task control modules of the entire system are implemented by using driver mount control thread. After starting, the thread repeats scanning the sda device file under /dev directory. If detected, a USB storage device is inserted. In this case, system determines the authority. If readable and writable, the driver g_file_storage.ko module will be mounted with read and write mode. If read-only, the driver g_file_storage.ko module will be mounted with read-only mode. If no authority, the driver is unmounted. After that, the thread repeats scanning the sda device file under /dev directory. If not exist, USB storage device is extracted. In this case, the thread will unmount the mounted driver. The flow is shown as Figure

3 Figure 2. Flow of driver mounting Figure 3. Flow of application software on upper computer Modules of File Transfer and Task Management The module of file transfer is shown in Figure 3. PC application software supervises the access of USB removable transmission medium. If detected, the accessed USB is immediately hidden. User can access and transfer files only by using the software. (1) Module for Hiding USB device For sake of hiding USB device module, custom file traversal function is used to replace entry address of original file traversal function. After that, the system calls original function. In this case, the file traversal function called by system is actually the custom. There are two ways to mount API in Windows operating system: one is to mount API at user level; the other one is to mount API at kernel layer. The former is applicable for high stability of user-state, easy to realize and more robust. The latter requires the use of drivers, which is more complicated but better hiding effect. Our work adopts the former way to hide USB device module. As shown in Figure 4, once the system software detected removable storage volumes carried with USB device, it will immediately distinguish. The procedure usually performs when the kernel, device driver or application access file or directory in the volume at the first time. All of IRP for this volume will be sent to its driver by FO manager. The unauthorized USB devices will be shielded directly with no response. For the authorized ones, system will close all of other probable accessing ways immediately. A kernel thread will be created to access the lower computer, by which API functions provided by lower computer can be called to access or transfer files in the inserted USB devices. 192

4 Figure 4. Flow of hiding module Figure 5. Flow of file transfer module (2) Module of File Transfer The file transfer module of our system is shown in Figure 5. The module is completely different from the past file copy and paste and has used file cutting encryption algorithm. The target file is cut into several parts. These parts are hidden into uncertain positions in operating system or file system of removable device and related information is saved in log file. Moreover, the log file will save authorized user name permitted to operate the target file, operating time, operating type and other relevant information. Anyone who transfers files will leaves some relevant information. According to the information, the traceability to file transfer is realized. The security of files in upper computer and removable device is highly improved. System confirms identity of user, if authorized, it will traversal the specific disc and search the existed LOG files. The LOG files under the directory are pushed. Once count of files is greater than two, a new LOG file is generated and pushed. The transferred file will be cut into parts and then distributed to random positions of hash table. These positions are recorded into LOG file. Finally, for authorized user, an image file with the same name to the original file should be created at the saved path of transferred file. It is invalid to access this file directly. The file is only the entry to transfer file. (3) The Modules of Recovery and Destruction The modules of recovery and destruction actually use the log file generated by target file to realize file recovery and destruction. According to information in log file, the module searches all parts of target file. By using related decryption algorithm, the target file could be completely recovered. Same to recovery, the destruction is to delete all parts instead of decryption. The file is not complete if it is operated directly without using the module. Recovery or destruction only through the modules can recover or destroy the file. The destruction module need to find host file, erase fragment information and then delete image file. The function destroyinfoformdir() verifies if the image file is invalid and then read relevant fragments and host file. The function destroyfile() is to destroy file fragments according to relevant information. 193

5 The function firstly obtains pointer and fragment size of the host file, opens it with function fopen() and moves the pointer to the end with fseek(). Finally, verify whether tag exists at the end of host file. If exists, function fwrite() will delete fragment information according to fragment size. 3. Experiments and Analysis The experiments conduct on personal computer with Intel Pentium Dual-Core 2GHz CPU and 2G memory and ARM9 Linux system. The test files include 200 files with different types. The Figure 6, Figure 7 and Figure 8 show the physical picture of our platform, login interface and software interface. The final experimental environment is on self-designed embedded authentication platform based on ARM9 CPU (frequency: 170MHz). Figure 6. Picture of our platform Figure 7. System login interface Figure 8.Software interface In order to further verify the file system for the safety of the virus resistance performance, we embed respectively three different virus in the file system by the malicious software in the base of designing feature code library. As shown in Table 1, according to the method and the other two kinds of different methods of killing experimental, in three different feature code file system of mobile storage volume, the space of the killing method designed in the base of literature [12] is slow, it is invalid for the killing of shock wave software, and the killing method designed in the base of literature [13] is also invalid for the killing of worm virus, but the method of this article can quickly isolation and killing three different virus file in the mobile storage volume. Therefore, the method of this article has a better safety performance in safety and protection aspects of the virus. The standard files are chosen in experiments. As shown in Table 2, we conduct secure file transfer to three different types of removable storage device. The experimental results show that our scheme has better performance to read arbitrary volumes by comparing with literature [12]. The reason is that our ARM9 based authentication platform could rapid control write-read to arbitrary volume. The transferred file will be hidden in each system file of operating system randomly. Once the file destroyed, our recovery algorithm could recover to the original. Consequently, our scheme has better performance in terms of controllability and security in file transfer procedure. 194

6 Table1. Performance comparison chart of System security Objects Document [12] Document The method of this [13] article Shock wave software invalid valid valid Worm virus valid invalid valid Trojan virus valid valid valid 4. Conclusions An ARM9 based secure file transfer system is proposed. By comparing hardware model and experiments, our scheme has the following advantages that: (1) the use of self-designed embedded secure file transfer platform based on ARM9, has solved the dependency on unreliable platform for file transfer; (2) file hiding and recovery in file transfer has realized on the proposed platform; (3) security and response speed is better in secure file transfer. Since the creation of secure file transfer model is much complicated, the system may cost much hardware resources. In future, low-overhead and high-speed file transfer scheme will be concentrated. Method Literature [13] Removable Storage device Table2. Performance Comparison of File Transfer Controllability of File Transfer Overhead of Secure File Transfer Arbitrary volume read-writ e Recovery Destruction CPU Speed Power Overhead Transmission Rate Kingston 4G USB Disk Yes No No Medium Low Medium Seagate Mobile Hard No No No Medium Higher Medium Disk Hitachi Mobile Hard Disk No No No Medium Low Medium Kingston 4G USB Disk Yes Yes Yes Fast Higher Fast Our method Seagate Mobile Hard Disk Hitachi Mobile Hard Disk Yes Yes Yes Fast Higher Fast Yes Yes Yes Fast Higher Fast 5. Acknowledgements This paper is supported by the National Natural Science Foundation of China (No ).National Natural Science Foundation of Hunan Province and Xiangtan united Foundation under Grant (No.11JJ9014), the Planned Science and Technology Project of Hunan Province, China (No. 2011GK3156, 2011GK3205 ), the SRIP Project of Hunan Science and Technology University (No.SZZ ), and the College Students' Innovative Project of Hunan Province (No.KDSC1105). 6. References [1] H. Tang, F. Bo, K. Hou, J. Zhou, Design of Secure File Transfer System based on ARM, China Science and Technology Information, vol.4, pp.94-96,

7 [2] J. Qin, P. Wang, Mobile Media Management System based on USB Device Driver, Computer and Digital Engineering, vol.38, no.4, pp , [3] L. Zheng, Z. Ma, M. Gu, Techniques of File System Filter Driver-based and Security-enhanced Encryption System, Mini-Micro Systems, vol.7, no.7, pp , [4] H. Hu, F. Yao, C. He, Solution of Windows Files Security Protection based on File System Filter Driver, Computer Application, vol.29, no.1, pp , [5] J. Zou, W. Cai, A USB Storage Device Monitor and Control System based on WDF Filter Driver, Computer Engineering and Science, vol.32, no.3, pp.42-44, [6] Zhe Jia, Lei Pang, Shoushan Luo, Yang Xin, Miao Zhang, Research on Distributed Privacy-Preserving Data Mining, JCIT, Vol. 7, No. 1, pp , 2012 [7] Lei Pang, Jian-feng Sun, Shou-shan Luo, Bai Wang, Yang Xin, A Research of the Privacy Preserving Architecture of Electronic Auction, JCIT, Vol. 7, No. 1, pp , 2012 [8] J. Li, H. Shu, W. Dong, Y. Xie, Security Monitoring Technology of USB Storage Device based on Driver Layer, Computer Engineering, vol.34, no.8, pp , [9] G. Sun, D. Chen, D. Wu, Research and Implementation of Secure-Mobile Storage System, Computer Engineering, vol.35, no.11, pp , [10] Z. Gu, L. Zhou, G. Lv, The Access Control Technology of Spatial DataFiles based on File System Filter Driver, 11th IEEE International Conference on Communication Technology, pp , [11] D. Jovan, B. Madalina, Entropy Analysis and New Constructions of Biometric Key Generation Systems, IEEE Transactions on Information Theory, vol.54, no.5, pp , [12] F. M. Bui, K. Martln, H. Lu, K. N. Plataniotis, D. Hatzinakos, Fuzzy Key Binding Strategies based on Quantization Index Modulation (QIM) for Biometric Encryption (BE) Applications,, IEEE Transactions on Information Forensics and Security, vol.5, no.l, pp , [13] Y. Suteu, S. Rane, J. S. Yedidia, S. C. Draper, A. Vetro, Feature Transformation of Biometric Templates for Secure Biometric Systems based on Error Correcting Codes, IEEE Computer Society Conference on Computer Vision and Pattern Recognition Workshops, pp.l-6,