CN109697174A - Sensitive partition protection method for an airborne computer storage system - Google Patents

Sensitive partition protection method for an airborne computer storage system

Info

Publication number: CN109697174A
Authority: CN (China)
Prior art keywords: storage medium, logic, storage system, airborne computer, partition
Legal status: granted, active
Application number: CN201811533512.9A
Other languages: Chinese (zh)
Other versions: CN109697174B (en)
Inventors: 索晓杰, 马小博, 段小虎, 冯军波, 康晓东, 白晨
Current assignee: Xian Aeronautics Computing Technique Research Institute of AVIC
Original assignee: Xian Aeronautics Computing Technique Research Institute of AVIC
Priority date: 2018-12-14
Filing date: 2018-12-14
Publication date: 2019-04-30 (CN109697174A)
Grant date: 2023-06-23 (CN109697174B)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F 12/14 Protection against unauthorised use of memory or access to memory
    • G06F 12/1408 Protection against unauthorised use of memory or access to memory by using cryptography
    • G06F 12/1416 Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F 12/1425 Protection against unauthorised use of memory or access to memory by checking the object accessibility, the protection being physical, e.g. cell, word, block
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

Starting from the characteristics of airborne computer storage systems, the present invention proposes a sensitive partition protection method for an airborne computer storage system; it belongs to the field of airborne computer design. The storage system of the airborne computer is managed as partitions. Access authority is controlled by electronic hardware logic and the protection policy is configured flexibly by software; together these implement partition access control, and selecting different control policies provides key protection for sensitive partitions, preventing the data loss or damage that illegal operations or misoperations on a sensitive partition would cause. The range of protected partitions is freely configurable, the protection policy is selectable, and the hardware data encryption function is configurable. The method is broadly applicable.

Description

Sensitive partition protection method for an airborne computer storage system
Technical field
The present invention, a sensitive partition protection method for an airborne computer storage system, is proposed on the basis of the characteristics of airborne computer storage systems and belongs to the field of airborne computer design.
Background art
In hardware design, a storage medium is usually assembled from several small-capacity or narrow-width memory chips by word expansion or bit expansion so that it meets the system's requirements. Word expansion builds a larger-capacity medium from several chips of the same bit width and extends only the capacity of the memory. Bit expansion combines several chips with few data bits into a medium with more data bits; it extends both the capacity and the bit width of the memory.
Memories in airborne computer systems are commonly built by bit expansion from several low-width (8- or 16-bit) chips into a high-width (32- or 64-bit) storage medium. In an airborne computer system the storage medium is managed as partitions. Data whose loss or corruption causes heavy losses or raises maintenance cost is called sensitive data, and a partition that stores sensitive data is called a sensitive partition.
In a storage system built by bit expansion, every partition is made up of part of the address space of each of the chips. The chips are mostly FLASH, and a FLASH chip usually provides a write-protect signal that can be driven by software or by hardware; that signal, however, only decides whether write operations to the whole chip are allowed. A chip's own write-protect signal therefore cannot meet the partition protection requirements of an airborne computer storage system.
The method designs memory-space access-authority control logic into the decoding logic of the storage system and configuration software on the processor side, so that partition protection of the accessed resources is achieved. This provides key protection for sensitive partitions and avoids the data loss or damage that illegal operation or misoperation would cause.
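To make the background concrete, the following C model is an added illustration written for this page, not code from the patent or from its assignee. It builds a 32-bit medium from four 8-bit chips, the bit-expansion case the text describes, and searches every setting of the four chip write-protect pins for one that blocks writes to rows 8 to 15 while leaving the other rows writable. The chip count, the row count and the all-or-nothing behaviour of the pin are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a bit-expanded medium: four 8-bit FLASH chips side
 * by side make one 32-bit-wide medium, the 8-bit -> 32-bit case in the text.
 * Row r of the medium is byte r of every chip; chip count, row count and
 * the all-or-nothing write-protect pin are assumptions of the model. */
#define CHIPS 4
#define ROWS  64

typedef struct {
    uint8_t cell[CHIPS][ROWS];
    bool    wp[CHIPS];     /* each chip's own write-protect pin: whole chip or nothing */
} medium_t;

void medium_init(medium_t *m) { memset(m, 0, sizeof *m); }

/* A 32-bit write puts one byte into every chip at the same row, so the word
 * can be written only if no chip is write-protected. Returns true on success. */
bool medium_write32(medium_t *m, uint32_t row, uint32_t word) {
    if (row >= ROWS) return false;
    for (int c = 0; c < CHIPS; c++)
        if (m->wp[c]) return false;
    for (int c = 0; c < CHIPS; c++)
        m->cell[c][row] = (uint8_t)(word >> (8 * c));
    return true;
}

uint32_t medium_read32(const medium_t *m, uint32_t row) {
    uint32_t word = 0;
    for (int c = 0; c < CHIPS; c++)
        word |= (uint32_t)m->cell[c][row] << (8 * c);
    return word;
}

/* Write one word to an unprotected medium and read it back. */
bool medium_roundtrip(uint32_t row, uint32_t word) {
    medium_t m;
    medium_init(&m);
    return medium_write32(&m, row, word) && medium_read32(&m, row) == word;
}

/* Search every setting of the four write-protect pins for one that blocks
 * writes to rows [lo, hi) while still allowing writes to every other row.
 * Because every word touches every chip, no setting can do both: the pins
 * either protect the whole medium or none of it. */
bool chip_wp_can_isolate(uint32_t lo, uint32_t hi) {
    for (unsigned mask = 0; mask < (1u << CHIPS); mask++) {
        medium_t m;
        medium_init(&m);
        for (int c = 0; c < CHIPS; c++) m.wp[c] = (mask >> c) & 1;
        bool inside_blocked = true, outside_allowed = true;
        for (uint32_t r = 0; r < ROWS; r++) {
            bool ok = medium_write32(&m, r, 0xA5A5A5A5u);
            if (r >= lo && r < hi) { if (ok)  inside_blocked  = false; }
            else                   { if (!ok) outside_allowed = false; }
        }
        if (inside_blocked && outside_allowed) return true;
    }
    return false;
}
```

chip_wp_can_isolate(8, 16) returns false for every one of the sixteen pin settings, and only a range covering the whole medium (or nothing) succeeds; that is the gap the address-range decision logic in the decode path is added to close.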
Summary of the invention
The purpose of the present invention is, in view of the importance of sensitive partitions, to propose a sensitive partition protection method for an airborne computer storage system. Access authority is controlled by electronic hardware logic and the protection policy is configured flexibly by software; together these implement partition access control, and selecting different control policies provides key protection for sensitive partitions, preventing the data loss or damage that illegal operation of, or misoperation on, a sensitive partition would cause.
The technical solution of the present invention is a sensitive partition protection method for an airborne computer storage system, based on the characteristics of partition management of the airborne computer's storage system. The storage system consists of a processor unit, a logic decoding unit (FPGA) and a storage medium. The storage medium uses bit expansion to extend several chips with few data bits into a medium with more data bits; in the storage system, each partition of the storage medium includes a part of each of the narrow chips. The logic decoding unit decodes the control signals and addresses of the processor unit's storage bus into control signals for the storage medium, completing the processor's access to the medium; the storage medium performs the data write or read according to the control signals from the logic decoding unit.
The storage medium uses bit expansion to extend several narrow chips into a wider medium. Each partition of the storage system includes a part of each narrow chip, and the protection the narrow chips provide themselves (the write-protect function) cannot meet the protection needs of a sensitive partition.
The logic decoding unit implements protection logic and encryption logic within the logic decoding; these judge access authority and forbid misoperation. The protection logic comprises address-space decision logic for the protected area, access-authority decision logic, and protection enable/disable decision logic; the encryption logic comprises encryption enable/disable decision logic and the encryption logic itself.
Corresponding configuration software is designed for the processor unit; it sets the address space of the partition to be protected, the access authority, the enable state of the protection function (disabled by default) and the enable state of encryption. Because the configuration is set in the product-maintenance state and the user has no right to change these parameters during use, key protection of sensitive information is achieved.
The advantages of the invention are: partition protection of the storage system is realised in programmable logic (electronic hardware), giving high reliability; an encryption function is designed in at the same time; the protection function and protection policy can be set flexibly by software according to system requirements, giving high flexibility; and the method is broadly applicable to other storage systems.
Description of the drawings
Fig. 1 is the structural block diagram of the system of the present invention.
Fig. 2 is the software/hardware configuration diagram of storage system partition access authority.
Fig. 3 is the state transition diagram of an access operation to a protected partition of the storage system.
Specific embodiments
The sensitive partition protection method for an airborne computer storage system is based on the characteristics of partition management of the airborne computer's storage system. The storage system consists of a processor unit, a logic decoding unit (FPGA) and a storage medium. The storage medium uses bit expansion to extend several narrow chips into a wider medium, and each partition of the medium includes a part of each narrow chip. The logic decoding unit decodes the control signals and addresses of the processor unit's storage bus into control signals for the storage medium, completing the processor's access to the medium; the storage medium performs the data write or read according to those control signals.
As in claim 2, the protection the narrow chips provide themselves (the write-protect function) cannot meet the protection needs of a sensitive partition.
As in claim 3, the logic decoding unit implements protection logic (address-space decision logic for the protected area, access-authority decision logic, and protection enable/disable decision logic) and encryption logic (encryption enable/disable decision logic and the encryption logic itself) within the logic decoding; these judge access authority and forbid misoperation.
As in claim 4, configuration software on the processor unit sets the address space of the partition to be protected, the access authority, the enable state of the protection function (disabled by default) and the enable state of encryption. The configuration is set in the product-maintenance state and the user has no right to change these parameters during use, which achieves key protection of sensitive information.
The present invention is described in further detail below.
The architecture of the storage system described above (processor unit, logic decoding unit and bit-expanded storage medium, with the decoding unit translating the processor's storage-bus control signals and addresses into control signals for the medium) is shown in Fig. 1.
Four registers are implemented in the hardware logic: a restricted-partition address register, a restricted-partition access-authority register, a restricted-partition enable register and a restricted-partition encryption enable register. The restricted-partition address register holds the start address and the end address of the restricted partition; both are software-configurable, which achieves the design goal of a flexibly configurable restricted partition. The register is defined in Table 1.
The restricted-partition access-authority register sets whether read and write permission for the restricted partition is restricted. Different settings give different permissions, and the combinations are: readable and writable; read allowed, write forbidden; read forbidden, write allowed; read forbidden, write forbidden. The register is defined in Table 2; it also carries an E bit that restricts erase operations in the same way.
The restricted-partition enable register indicates whether the restriction is in effect. If it is set to invalid, there is no access restriction on the partition; if it is set to valid, partition access is restricted according to the settings of the restricted-partition address register and the restricted-partition access-authority register. The register is defined in Table 3.
When the restricted-partition encryption enable register is valid, written data is encrypted by the hardware logic before it is stored in the medium, and read data is decrypted before it is output. The encryption policy implemented in the logic is bitwise negation of the data. Note that bitwise negation is a fixed, keyless transform: it keeps plaintext from appearing on the medium as stored, but anyone who can read the chips directly recovers the data by inverting it again, so it should be regarded as obfuscation rather than cryptographic protection. The register is defined in Table 4.
Table 1  Restricted-partition address register
  Field          Meaning                                  Reset value
  ADDR_START_L   partition start address, low half        0
  ADDR_START_H   partition start address, high half       0
  ADDR_END_L     partition end address, low half          0
  ADDR_END_H     partition end address, high half         0
Table 2  Restricted-partition access-authority register
  Bit   Meaning                                            Reset value
  R     0 = read operations allowed, 1 = forbidden         0
  W     0 = write operations allowed, 1 = forbidden        0
  E     0 = erase operations allowed, 1 = forbidden        0
Table 3  Restricted-partition enable register
  Bit   Meaning                                            Reset value
  EN    0 = access authority not restricted, 1 = restricted  0
Table 4  Restricted-partition data encryption enable register
  Bit   Meaning                                            Reset value
  EN    0 = data not encrypted, 1 = data encrypted         0
Restriction of partition access authority is completed jointly by software and hardware: the software is responsible for the initial configuration and the logic for managing access authority. The setting flow is shown in Fig. 2: configure the access authority of the restricted partition, set the restricted-partition enable, and set the encryption enable register. After the protection function is enabled, the flow of one processor access operation to the storage medium is as shown in Fig. 3.
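The register descriptions and the Fig. 2 / Fig. 3 flows can be captured in a small C model of the decode logic. The block below is an added example written for this page, not the patent's FPGA design or its configuration software: the field names come from Tables 1 to 4, while the struct layout, the inclusive end address, the erase behaviour, the word-addressed memory and the maintenance-state flag are assumptions. It shows the lock on the configuration once the unit leaves the maintenance state, the address-range and R/W/E decision, and the bitwise-negation data transform.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Software model of the four registers of Tables 1-4 and of the decision
 * logic in the FPGA decode path. Field names follow the tables; the struct
 * layout, the inclusive end address and the maintenance flag are assumptions
 * made for this illustration, not the patent's register map. */
typedef enum { OP_READ, OP_WRITE, OP_ERASE } op_t;

typedef struct {
    uint32_t addr_start;          /* Table 1: ADDR_START_H:ADDR_START_L         */
    uint32_t addr_end;            /* Table 1: ADDR_END_H:ADDR_END_L (inclusive) */
    bool deny_r, deny_w, deny_e;  /* Table 2: R, W, E; 1 = forbid, reset 0      */
    bool limit_en;                /* Table 3: EN; 1 = enforce, reset 0          */
    bool enc_en;                  /* Table 4: EN; 1 = transform data, reset 0   */
    bool maintenance;             /* assumed: true only in the maintenance state */
} protect_regs_t;

#define MEM_WORDS 256
typedef struct { protect_regs_t regs; uint32_t cells[MEM_WORDS]; } storage_t;

/* Reset: every register 0 (protection and encryption off); maintenance state entered. */
void storage_init(storage_t *s) { memset(s, 0, sizeof *s); s->regs.maintenance = true; }

/* Claim 4: configuration is accepted in the maintenance state only; once the
 * unit has left it, the user has no way to change the parameters. */
bool regs_configure(storage_t *s, protect_regs_t cfg) {
    if (!s->regs.maintenance) return false;
    cfg.maintenance = true;
    s->regs = cfg;
    return true;
}
void regs_leave_maintenance(storage_t *s) { s->regs.maintenance = false; }

/* Claim 3 protection logic: enable decision, address-space decision, then
 * the access-authority decision for the requested operation. */
bool access_allowed(const protect_regs_t *r, uint32_t addr, op_t op) {
    if (!r->limit_en) return true;                                /* Table 3: EN = 0 */
    if (addr < r->addr_start || addr > r->addr_end) return true;  /* outside the partition */
    switch (op) {
    case OP_READ:  return !r->deny_r;
    case OP_WRITE: return !r->deny_w;
    case OP_ERASE: return !r->deny_e;
    }
    return false;
}

/* The patent's encryption policy is bitwise negation applied in logic. The
 * transform is its own inverse and has no key, so it hides data only from a
 * casual read of the medium, not from anyone who knows the scheme. */
uint32_t enc_transform(uint32_t v, bool enabled) { return enabled ? ~v : v; }

bool storage_write(storage_t *s, uint32_t addr, uint32_t value) {
    if (addr >= MEM_WORDS || !access_allowed(&s->regs, addr, OP_WRITE)) return false;
    s->cells[addr] = enc_transform(value, s->regs.enc_en);
    return true;
}
bool storage_read(const storage_t *s, uint32_t addr, uint32_t *out) {
    if (addr >= MEM_WORDS || !access_allowed(&s->regs, addr, OP_READ)) return false;
    *out = enc_transform(s->cells[addr], s->regs.enc_en);
    return true;
}
bool storage_erase(storage_t *s, uint32_t addr) {   /* assumed FLASH erase: cell goes to all-ones */
    if (addr >= MEM_WORDS || !access_allowed(&s->regs, addr, OP_ERASE)) return false;
    s->cells[addr] = 0xFFFFFFFFu;
    return true;
}
uint32_t storage_raw_cell(const storage_t *s, uint32_t addr) { return s->cells[addr]; }

/* Walks the Fig. 2 configuration flow and a few Fig. 3 accesses; returns the
 * number of checks that behaved as the tables specify (8 when all pass). */
int self_check(void) {
    storage_t s; storage_init(&s);
    protect_regs_t cfg = {0};
    cfg.addr_start = 0x40; cfg.addr_end = 0x7F;            /* words 0x40..0x7F are sensitive */
    cfg.deny_w = cfg.deny_e = true;                         /* read allowed, write/erase forbidden */
    cfg.limit_en = true; cfg.enc_en = true;
    int ok = 0;
    uint32_t v;
    ok += regs_configure(&s, cfg);                          /* 1: accepted in maintenance */
    regs_leave_maintenance(&s);
    cfg.limit_en = false;
    ok += !regs_configure(&s, cfg) && s.regs.limit_en;      /* 2: locked once in use */
    ok += storage_write(&s, 0x10, 0x12345678u);             /* 3: outside partition, allowed */
    ok += storage_raw_cell(&s, 0x10) == 0xEDCBA987u;        /* 4: stored negated */
    ok += storage_read(&s, 0x10, &v) && v == 0x12345678u;   /* 5: read un-negates */
    ok += !storage_write(&s, 0x50, 1);                      /* 6: write into partition blocked */
    ok += !storage_erase(&s, 0x7F);                         /* 7: erase blocked at the end address */
    ok += storage_read(&s, 0x50, &v);                       /* 8: read still permitted */
    return ok;
}
```

self_check() walks the configuration flow and returns 8 when every step behaves as the tables specify. The transform step illustrates the caveat in the text: enc_transform applied twice returns the plaintext, so reading the chips off-board defeats it, whereas the address-range and R/W/E decision in the decode path is what actually stops a misdirected write or erase from reaching a sensitive partition.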

Claims (4)

1. A sensitive partition protection method for an airborne computer storage system, characterised in that: the method is based on the characteristics of partition management of the airborne computer's storage system; the storage system consists of a processor unit, a logic decoding unit and a storage medium; the storage medium uses bit expansion to extend several chips with few data bits into a medium with more data bits; each partition of the storage medium in the storage system includes a part of each of the narrow chips; the logic decoding unit decodes the control signals and addresses of the processor unit's storage bus into control signals for the storage medium, completing the processor's access to the medium; and the storage medium performs the data write or read according to the control signals from the logic decoding unit.
2. The sensitive partition protection method for an airborne computer storage system according to claim 1, characterised in that: the storage medium uses bit expansion to extend several narrow chips into a wider medium; each partition of the storage system includes a part of each narrow chip; and the protection the narrow chips provide themselves cannot meet the protection needs of a sensitive partition.
3. The sensitive partition protection method for an airborne computer storage system according to claim 1, characterised in that: the logic decoding unit implements protection logic and encryption logic within the logic decoding, which judge access authority and forbid misoperation; the protection logic comprises address-space decision logic for the protected area, access-authority decision logic, and protection enable/disable decision logic; and the encryption logic comprises encryption enable/disable decision logic and the encryption logic itself.
4. The sensitive partition protection method for an airborne computer storage system according to claim 1, characterised in that: corresponding configuration software is designed for the processor unit, which sets the address space of the partition to be protected, the access authority, the enable state of the protection function and the enable state of encryption; and the configuration is set in the product-maintenance state while the user has no right to change these parameters during use, so that key protection of sensitive information is achieved.
Application CN201811533512.9A (priority 2018-12-14, filed 2018-12-14): Sensitive partition protection method for airborne computer storage system. Active; granted as CN109697174B (en).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811533512.9A CN109697174B (en) 2018-12-14 2018-12-14 Sensitive partition protection method for airborne computer storage system

Publications (2)

Publication Number Publication Date
CN109697174A true CN109697174A (en) 2019-04-30
CN109697174B CN109697174B (en) 2023-06-23

Family

ID=66231749

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811533512.9A Active CN109697174B (en) 2018-12-14 2018-12-14 Sensitive partition protection method for airborne computer storage system

Country Status (1)

Country Link
CN (1) CN109697174B (en)

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1567362A (en) * 2003-06-10 2005-01-19 大唐微电子技术有限公司 IC smart card with dynamic logic sectorization and access right control function and implementing method thereof
CN1619588A (en) * 2003-11-18 2005-05-25 株式会社瑞萨科技 Information processing unit
CN1545023A (en) * 2003-11-21 2004-11-10 苏州国芯科技有限公司 Flushbonding CPU for information safety
CN1936870A (en) * 2005-09-23 2007-03-28 中国科学院计算技术研究所 Hard-disc fan-area data enciphering and deciphering method and system
CN102171704A (en) * 2008-10-03 2011-08-31 微软公司 External encryption and recovery management with hardware encrypted storage devices
US20100107220A1 (en) * 2008-10-24 2010-04-29 Synopsys, Inc. Secure consultation system
CN103620617A (en) * 2011-06-29 2014-03-05 英特尔公司 Method and apparatus for memory encryption with integrity check and protection against replay attacks
CN103136124A (en) * 2011-11-28 2013-06-05 国民技术股份有限公司 Intelligent card hardware firewall system and realizing method thereof
CN102999453A (en) * 2012-10-12 2013-03-27 杭州中天微系统有限公司 Universal nonvolatile memory control device for system on chip
CN103714626A (en) * 2013-05-01 2014-04-09 汪风珍 Multi-password pre-warning type bank card capable of being controlled by different card
CN106934258A (en) * 2015-12-31 2017-07-07 北京兆易创新科技股份有限公司 A kind of embedded system
CN105787360A (en) * 2016-03-02 2016-07-20 杭州字节信息技术有限公司 Method for technically controlling secure access to embedded system memory
CN106485131A (en) * 2016-11-02 2017-03-08 黄松柏 Interactive obscure type dynamic encryption lock control system
US20180300165A1 (en) * 2017-04-18 2018-10-18 Amazon Technologies, Inc. Virtualization of control and status signals
CN107832635A (en) * 2017-11-29 2018-03-23 鼎信信息科技有限责任公司 Access right control method, device, equipment and computer-readable recording medium
CN108123791A (en) * 2017-12-26 2018-06-05 衡阳师范学院 A kind of implementation method and device of lightweight block cipher SCS

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
于晴, 王海洋: "BIOS-level hardware security protection for classified computers", 信息网络安全 (Netinfo Security) *
付俊辉 et al.: 《微机原理与接口技术》 (Microcomputer Principles and Interface Technology), 30 September 2015 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112231178A (en) * 2020-11-03 2021-01-15 中国航空工业集团公司西安航空计算技术研究所 Power-on time timing system suitable for airborne high-safety computer
CN112231178B (en) * 2020-11-03 2023-11-24 中国航空工业集团公司西安航空计算技术研究所 Power-on time timing system suitable for airborne high-safety computer
CN114327263A (en) * 2021-12-15 2022-04-12 中国航空工业集团公司成都飞机设计研究所 Multi-level management method for NVM of flight control computer

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant