CN113343234B - Method and device for carrying out credible check on code security - Google Patents

Method and device for carrying out credible check on code security Download PDF

Info

Publication number
CN113343234B
CN113343234B CN202110648867.8A CN202110648867A CN113343234B CN 113343234 B CN113343234 B CN 113343234B CN 202110648867 A CN202110648867 A CN 202110648867A CN 113343234 B CN113343234 B CN 113343234B
Authority
CN
China
Prior art keywords
code
trusted
report
program
trusted program
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110648867.8A
Other languages
Chinese (zh)
Other versions
CN113343234A (en
Inventor
姚经纬
杨文玉
肖枭
杨孙鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd filed Critical Alipay Hangzhou Information Technology Co Ltd
Priority to CN202110648867.8A priority Critical patent/CN113343234B/en
Publication of CN113343234A publication Critical patent/CN113343234A/en
Priority to PCT/CN2022/093834 priority patent/WO2022257722A1/en
Application granted granted Critical
Publication of CN113343234B publication Critical patent/CN113343234B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

One or more embodiments of the present specification provide a method and an apparatus for performing a trusted check on code security, where a code provider generates a remote verification report for a trusted program in response to a remote verification challenge initiated by a code demander; the code provider loads the trusted program in response to a code checking request initiated by the code demander, so that the trusted program scans the code to be checked to generate a code checking report, and generates a digital signature for anchoring the code checking report by using an identity private key of the trusted program; and the code demander confirms whether the running environment of the trusted program is trusted or not based on the remote verification report, verifies and signs the digital signature by using the identity public key of the trusted program, and further confirms whether the code to be checked is safe or not according to the code check report.

Description

Method and device for carrying out credible check on code security
Technical Field
One or more embodiments of the present disclosure relate to the field of code security, and in particular, to a method and an apparatus for performing a trusted check on code security.
Background
In the process of digital reformation, enterprises will recruit a large number of software outsourcing companies to develop application and information systems. In order to maintain the competitiveness of the company, part of outsourcing software companies carry out secret management on source codes of sold applications while selling the applications to a buyer. This results in that the purchasing party cannot perform quality supervision and risk management on the source code of the outsourcing company, and even the outsourcing company uses the compliance code when submitting for inspection and injects an illegal code when submitting for application, thereby burying a huge security risk for the purchasing party.
Disclosure of Invention
In view of this, one or more embodiments of the present disclosure provide a method and apparatus for implementing trusted scheduling.
To achieve the above object, one or more embodiments of the present disclosure provide the following technical solutions:
according to a first aspect of one or more embodiments of the present specification, there is provided a method of performing a trusted check on security of code, comprising:
the code demander initiates a remote verification challenge and a code check request;
a code provider generates a remote verification report for a trusted program in response to the remote verification challenge, the trusted program being pre-provisioned by the code demander and running in a trusted execution environment at the code provider; and the code provider loads the trusted program in response to the code check request, and causes the trusted program to: scanning a code to be checked to generate a code check report, and generating a digital signature for anchoring the code check report by using an identity private key of the trusted program;
and the code demander acquires the remote verification report and the code check report, confirms whether the running environment of the trusted program is trusted or not based on the remote verification report, verifies the digital signature by using the identity public key of the trusted program, and confirms whether the code to be checked is safe or not according to the code check report under the condition that the running environment of the trusted program is confirmed to be trusted and the digital signature passes the verification.
According to a second aspect of one or more embodiments of the present specification, there is provided a method for performing a trusted check on security of a code, which is applied to a code requiring party, the method including:
initiating a remote verification challenge and a code check request, causing a code provider to generate a remote verification report for a trusted program in response to the remote verification challenge, the trusted program being provided in advance by the code demander and running in a trusted execution environment at the code provider; and causing a code provider to load the trusted program in response to the code check request, causing the trusted program to: scanning a code to be checked to generate a code check report, and generating a digital signature for anchoring the code check report by utilizing an identity private key of the trusted program;
and acquiring the remote verification report and the code inspection report, confirming whether the running environment of the trusted program is trusted or not based on the remote verification report, using the identity public key of the trusted program to check and sign the digital signature, and confirming whether the code to be inspected is safe or not according to the code inspection report under the condition that the running environment of the trusted program is confirmed to be trusted and the digital signature passes the check and sign.
According to a third aspect of one or more embodiments of the present specification, there is provided a method for performing a trusted check on security of a code, which is applied to a code provider, and includes:
generating a remote verification report for a trusted program in response to a remote verification challenge initiated by a code demander, wherein the trusted program is provided by the code demander in advance and runs in a trusted execution environment at the code provider, so that the code demander acquires the remote verification report and confirms whether the running environment of the trusted program is trusted or not based on the remote verification report;
and loading the trusted program in response to a code checking request initiated by the code demander, so that the trusted program: scanning a code to be checked to generate a code check report, generating a digital signature for anchoring the code check report by using an identity private key of the trusted program, further enabling the code requiring party to obtain the code check report, checking the digital signature by using an identity public key of the trusted program, and confirming whether the code to be checked is safe or not according to the code check report under the condition that the running environment of the trusted program is trusted and the digital signature passes the checking.
According to a fourth aspect of the present specification, there is provided an apparatus for performing a trusted check on code security, which is applied to a code demander, and includes:
an initiating unit, configured to initiate a remote verification challenge and a code check request, so that a code provider generates a remote verification report for a trusted program in response to the remote verification challenge, where the trusted program is provided in advance by the code demander and runs in a trusted execution environment at the code provider; and causing a code provider to load the trusted program in response to the code check request, causing the trusted program to: scanning a code to be checked to generate a code check report, and generating a digital signature for anchoring the code check report by utilizing an identity private key of the trusted program;
and the confirmation unit is used for acquiring the remote verification report and the code check report, confirming whether the running environment of the trusted program is trusted or not based on the remote verification report, using the identity public key of the trusted program to check the digital signature, and confirming whether the code to be checked is safe or not according to the code check report under the condition that the running environment of the trusted program is trusted and the digital signature passes the check.
According to a fifth aspect of the present specification, there is provided an apparatus for performing a trusted check on security of a code, applied to a code provider, the apparatus including:
a first generating unit, configured to generate a remote verification report for a trusted program in response to a remote verification challenge initiated by a code demander, where the trusted program is provided in advance by the code demander and runs in a trusted execution environment at the code provider, so that the code demander acquires the remote verification report and confirms whether a running environment of the trusted program is trusted based on the remote verification report;
a second generating unit, configured to load the trusted program in response to a code checking request initiated by the code demander, so that the trusted program: scanning a code to be checked to generate a code check report, generating a digital signature for anchoring the code check report by using an identity private key of the trusted program, further enabling the code requiring party to obtain the code check report, checking the digital signature by using an identity public key of the trusted program, and confirming whether the code to be checked is safe or not according to the code check report under the condition that the running environment of the trusted program is trusted and the digital signature passes the checking.
According to a sixth aspect of the present specification, there is provided an electronic apparatus comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the method as described in the embodiments of the first aspect above by executing the executable instructions.
According to a seventh aspect of embodiments herein, there is provided a computer readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method as described in the embodiments of the first aspect above.
Drawings
Fig. 1 is a flowchart of a method for checking the security of code for trustworthiness according to an exemplary embodiment.
Fig. 2 is a flowchart of a second method for checking the security of code for trust according to an exemplary embodiment.
Fig. 3 is a flowchart of a third method for checking the security of code for trust according to an exemplary embodiment.
Fig. 4 is a multi-party interaction diagram of a method for checking the security of code for trust according to an exemplary embodiment.
Fig. 5 is a schematic structural diagram of an apparatus for implementing trusted checking on code security according to an exemplary embodiment.
Fig. 6 is a block diagram of an apparatus for checking the security of code according to an exemplary embodiment.
Fig. 7 is a block diagram of another apparatus for checking the security of code for trust according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. The following description refers to the accompanying drawings in which the same numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with one or more embodiments of the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of one or more embodiments of the specification, as detailed in the claims which follow.
It should be noted that: in other embodiments, the steps of the corresponding methods are not necessarily performed in the order shown and described in this specification. In some other embodiments, the method may include more or fewer steps than those described herein. Moreover, a single step described in this specification may be broken down into multiple steps for description in other embodiments; multiple steps described in this specification may be combined into a single step in other embodiments.
Trusted Execution Environment (TEE) is one way to address privacy concerns. The TEE can play a role of a black box in hardware, a code and data operating system layer executed in the TEE cannot be peeped, and the TEE can be operated only through an interface defined in advance in the code. In the aspect of efficiency, due to the black box property of the TEE, plaintext data is operated in the TEE instead of complex cryptography operation in homomorphic encryption, and the efficiency of the calculation process is not lost, so that the safety and privacy of a block chain can be improved to a great extent on the premise of small performance loss by combining with the TEE. The industry is concerned with TEE solutions, and almost all mainstream chip and Software consortiums have their own TEE solutions, including TPM (Trusted Platform Module) in Software and Intel SGX (Software Guard Extensions) in hardware, ARM Trustzone and AMD PSP (Platform Security Processor).
Based on the Intel SGX (hereinafter referred to as SGX) technology, a program executed in the TEE may be referred to as a trusted program or an enclave program, the trusted program in the TEE may be custom-developed by a related technician and then put into the TEE for execution, and data output by the trusted program may be output to an untrusted environment outside the TEE through a specific output port. The trusted program may be located locally to the technician and run on an electronic device that supports the Intel SGX hardware, or may be installed and executed on a non-local electronic device.
In this specification, a trusted program is provided by a code demander and runs in an electronic device of a code provider. Since the trusted program is executed in the electronic device local to the code demander, the code demander needs to confirm that the execution environment of the trusted program meets the requirements. According to the SGX technology, a code demander can complete verification on the aspects through a complete remote verification process: in the remote authentication process, a code demander is called a challenger, the code demander initiates a remote authentication challenge to a code provider, and the remote authentication process involves another special Enclave at the code provider, namely, quoting Enclave (QE), which is an Architectural Enclave (Architectural Enclave) provided and signed by intel. The above-mentioned trusted program first needs to generate a REPORT structure for local authentication, where the REPORT structure at least contains the digest of the above-mentioned trusted program, and QE verifies whether the trusted program is on the same platform as itself based on the REPORT structure, and then QE packages the REPORT structure into a structure, and uses an EPID (Enhanced Privacy identity) private key for signature, so as to generate a remote verification REPORT, i.e. a QUOTE (self-recommended information). The EPID private key not only represents a code provider, but also represents the credibility of the underlying hardware of the code provider, and can bind information such as the version of processor firmware and the like, and only QE can access the EPID private key for signing the structure body to generate QUOTE.
Since the EPID public key is maintained and managed by the authentication server and the code demander cannot obtain the EPID public key, the code demander can send the remote verification report to the authentication server after obtaining the remote verification report of the trusted program. In the SGX technology, the authentication server may send a remote verification report to an IAS (Intel authentication Service) server provided by Intel corporation, so that the IAS server may verify a signature therein by using an EPID public key and return a verification result to a code requesting party, and the verification result is signed by the authentication server by using an identity private key thereof. If the code requiring party successfully verifies the signed verification result by using the identity public key of the remote verification server and the verification result is passed, the program abstract contained in the remote verification report can be further compared with the standard program abstract of the trusted program maintained by the code requiring party, and if the comparison result is consistent, the operating environment of the trusted program can be confirmed to be safe and trusted, so that a complete remote verification process is completed.
Fig. 1 is a flowchart of a method for checking the security of code for trustworthiness according to an exemplary embodiment. In conjunction with the above detailed description regarding the remote authentication process, the above method may comprise the steps of:
step 102: the code demander initiates a remote verification challenge and a code check request.
In one embodiment, the code provider may be understood as a party writing the source code, and when the code provider writes the source code and completes delivery to the code demander, the code demander needs to detect the source code to determine the security of the source code, thereby avoiding various risks. The specification provides a solution, so that a substitute provider can directly detect a source code and deliver a code check report to a code demander, and the code demander can obtain a credible code check result only by checking the code check report, thereby improving the efficiency of the code provider in confirming the code security. In this specification, a code provider needs to load a trusted program in its trusted execution environment, which is authenticated and validated by a code demander, or provided directly by the code demander to the code provider. A code requiring party needs to initiate a remote verification challenge and a code checking request to a code providing party, wherein the remote verification challenge is used for verifying whether the running environment of the trusted program is safe and trusted, and the code checking request is used for enabling the trusted program to check whether a source code written by the verification code providing party has no safety risk, and the remote verification challenge and the code checking request are independent and do not influence each other; subsequent flows corresponding to the remote verification challenge and the code check request also do not have logical dependencies, and thus the description does not limit the order in which the code demander initiates the remote verification challenge and the code check request. And only on the premise of confirming that the running environment of the trusted program is safe and credible, the checking of the trusted program on the source code has credibility, so that in the subsequent verification process, the running environment of the trusted program is confirmed to be safe and credible, and the source code is confirmed to have no safety risk.
Step 104: a code provider generates a remote verification report for a trusted program in response to the remote verification challenge, the trusted program being pre-provisioned by the code demander and running in a trusted execution environment at the code provider; and the code provider responds to the code checking request to load the trusted program, so that the trusted program can: and scanning the code to be checked to generate a code check report, and generating a digital signature for anchoring the code check report by utilizing the identity private key of the trusted program.
In an embodiment, the code provider generates a remote authentication report for the trusted program in response to the remote authentication challenge, which may be understood as QUOTE mentioned above, based on the above detailed explanation about the process of remote authentication. And the code provider responds to the code checking request to load the trusted program, the trusted program can scan the code to be checked written by the code provider after the initialization of the trusted program is completed, of course, if the trusted program is installed in the code provider and is loaded, the trusted program can also directly scan the code to be checked written by the code provider without the step of loading the trusted program, in practical application, a duration threshold value can be set, and when the time interval of using the trusted program twice exceeds the duration threshold value, the trusted program needs to be loaded again so as to ensure that the trusted program can be updated in real time and the safety of the trusted program is ensured. In order to ensure that the code inspection report is not tampered, the trusted program can generate a private and public key pair of the trusted program based on an asymmetric encryption algorithm and sign the code inspection report by using an identity private key of the trusted program, so that the trusted program can prove that the code inspection report is indeed generated by the trusted program and can ensure that the code inspection report is not tampered.
Step 106: and the code demander acquires the remote verification report and the code check report, confirms whether the running environment of the trusted program is trusted or not based on the remote verification report, verifies the digital signature by using the identity public key of the trusted program, and confirms whether the code to be checked is safe or not according to the code check report under the condition that the running environment of the trusted program is confirmed to be trusted and the digital signature passes the verification.
In an embodiment, the code demander obtains the remote verification report, and confirms whether the running environment of the trusted program is safe for a particle according to the remote verification report; and verifying and signing the digital signature in the code inspection report by using the identity public key of the trusted program, where the identity public key of the trusted program may be obtained by a code demander in various ways, for example, the identity public key of the trusted program may be included in the remote verification report, and after obtaining the remote verification report, the code demander may obtain a public key therefrom for a subsequent signature verification process, or the trusted program may directly send its own identity public key to the code demander, or the code demander prestores the identity public key of the trusted program before providing the trusted program to a code provider, and this specification does not limit the obtaining way of the identity public key of the trusted program. If the code demander verification succeeds, the code inspection report can be used for indicating that the code inspection report is generated by the trusted program and is not tampered, and in this case, whether the code to be inspected is safe or not can be confirmed according to the inspection result reflected by the code inspection report. Since the operating environment of the trusted program can be confirmed to be secure and trusted through the remote verification report, the code check report generated by the trusted program placed in the secure and trusted environment should have the trustworthiness without being tampered.
In an embodiment, when the digital signature is generated by signing with the identity private key of the trusted program, the signature object includes the code check report and/or a hash value of the code check report. The trusted program can directly sign the code check report by using the identity private key thereof, and the generated digital signature comprises the code check report and corresponding signature data, so that in the signature mode, a code demander can extract the code check report from the digital signature without additionally providing the code check report by a code provider, thereby reducing the transmission quantity of data. Or, the trusted program may perform hash calculation on the code inspection report to generate a standard hash value of the code inspection report, and then use an identity private key to sign the standard hash value of the code inspection report, where the generated digital signature includes the standard hash value of the code inspection report and corresponding signature data.
By the method, the code provider does not need to provide the source code to be checked to the code demander, so that the source code is prevented from being leaked, and meanwhile, the code demander can obtain the checking result of the source code from the credible code checking report so as to confirm whether the source code has a safety risk or not. Since the code check report is generated by the trusted program, the code provider does not affect the credibility of the code check report.
In an embodiment, the remote authentication process may specifically be: the remote verification report includes a program digest of the trusted program deployed at the code provider, and the code demander cannot verify the remote verification report (queue) by itself after obtaining the remote verification report, so that the remote verification report needs to be sent to a remote verification server (IAS), and after verifying the remote verification report, the remote verification server returns a verification result to the code demander, and the verification result is signed by an authentication server by using an identity private key of the authentication server. If the code requiring party successfully verifies the signed verification result by using the identity public key of the remote verification server and the verification result passes, the program digest included in the remote verification report can be further compared with the standard program digest of the trusted program maintained by the code requiring party, if the comparison result is consistent, the operating environment of the trusted program can be determined to be trusted, and the specific details of the process can refer to the detailed description of the remote verification process, which is not described herein again.
In an embodiment, if a code provider refuses to provide a source code to a code demander for many reasons such as privacy protection, but the code demander needs to detect the source code to confirm the security of the source code, the trusted program may be made to compile the source code to be checked to generate an executable file, where the executable file may be a file with a file extension of exe format, and of course, the specification does not limit the specific format of the executable file. The code demander can obtain the executable file and deploy the executable file under the condition of confirming the security of the code to be checked. In the above embodiment, whether the code provider directly provides the source code to the code demander will not affect the verification of the source code by the code demander, and even if the code provider only provides the executable file to the code demander, the code provider can confirm the security of the source code written by the code provider to solve the conflict between the code demander and the code provider.
In an embodiment, the above-mentioned digital signature may also be used to anchor the executable file.
Optionally, when the trusted program performs signature by using its own identity private key to generate the digital signature, the signature object includes the executable file and/or the hash value of the executable file. The trusted program can directly sign the code check report and the executable file by using the identity private key thereof, and the generated digital signature comprises the code check report, the executable file and corresponding signature data, so that in the signature mode, a code demander can extract the code check report from the digital signature, and a code provider does not need to additionally provide the code check report or the executable file, thereby reducing the transmission quantity of data; when the trusted program is confirmed to run in a safe and trusted environment, the digital signature is verified, the code inspection report shows that the source code to be inspected has no security problem, and the conditions of the three aspects are all satisfied, the executable file can be deployed.
Optionally, the trusted program may perform hash calculation on the code inspection report and the executable file to generate a standard hash value of the code inspection report and a standard hash value of the executable file, and then sign the standard hash value of the code inspection report and the standard hash value of the executable file using an identity private key thereof, where the generated digital signature includes the standard hash value of the code inspection report, the standard hash value of the executable file and corresponding signature data, in this signature manner, a code demander may send the code inspection report and the executable file to a code demander, and the code demander needs to perform hash calculation on the code inspection report and the executable file after acquiring the code inspection report and the executable file, and compare the calculated hash values with the corresponding standard hash values in the digital signature, and if the comparison is consistent, it is determined that the code inspection report and the executable file are not tampered, so as to further improve the credibility of the code inspection report and the executable file; when the trusted program is confirmed to run in a safe and trusted environment, the digital signature is verified, a code check report shows that the source code to be checked has no security problem, and the conditions of the three aspects are met, the executable file can be deployed.
In the embodiment, the code requiring party can obtain the trusted code check result not only when the code providing party only provides the executable file to the code requiring party, but also the executable file obtained by the code requiring party is anchored by the digital signature, so that the executable file is generated by compiling the trusted program and is not tampered.
The method can complete checking and compiling work of the source code to be checked provided by the code provider by installing the trusted program provided or authenticated by the code demander in the trusted execution environment of the code provider; moreover, the remote verification report and the digital signature can form a complete evidence chain, so that a code demander can ensure the credibility of the code check report and the executable file by verifying the running environment of the trusted program and the credibility of the code check report; based on the characteristics of the trusted execution environment and the trusted program, the code provider does not need to deliver the source code to the code demander for inspection, so that the source code is prevented from being leaked, meanwhile, the code demander can obtain the trusted code inspection result, and when the code inspection result reflects that the source code to be inspected has no safety problem, the code demander deploys the executable file compiled by the source code. The method and the device have the advantages that the contradiction between the code provider and the code demander is solved skillfully, the corresponding purposes of both the code provider and the code demander are achieved, the legal compliance of the source code is guaranteed, and unnecessary risks are avoided.
Fig. 2 is a flowchart illustrating a method for checking the security of a code, which is applied to a code requiring party and may include the following steps:
step 202: initiating a remote verification challenge and a code check request, causing a code provider to generate a remote verification report for a trusted program in response to the remote verification challenge, the trusted program being pre-provisioned by the code demander and running in a trusted execution environment at the code provider; and causing a code provider to load the trusted program in response to the code check request, causing the trusted program to: and scanning the code to be checked to generate a code checking report, and generating a digital signature for anchoring the code checking report by utilizing the identity private key of the trusted program.
Step 204: and acquiring the remote verification report and the code inspection report, confirming whether the running environment of the trusted program is trusted or not based on the remote verification report, using the identity public key of the trusted program to check and sign the digital signature, and confirming whether the code to be inspected is safe or not according to the code inspection report under the condition that the running environment of the trusted program is confirmed to be trusted and the digital signature passes the check and sign.
The detailed description, the extended examples and the related explanations are referred to above, and the detailed description is omitted here.
Fig. 3 is a flowchart illustrating a method for checking the security of a code according to an exemplary embodiment of the present disclosure, which is applied to a code requiring party and may include the following steps:
step 302: and generating a remote verification report aiming at a trusted program in response to a remote verification challenge initiated by a code demander, wherein the trusted program is provided by the code demander in advance and runs in a trusted execution environment at the code provider, so that the code demander acquires the remote verification report and confirms whether the running environment of the trusted program is trusted or not based on the remote verification report.
Step 304: loading the trusted program in response to a code checking request initiated by the code demander, causing the trusted program to: scanning a code to be checked to generate a code check report, generating a digital signature for anchoring the code check report by using an identity private key of the trusted program, further enabling the code requiring party to obtain the code check report, checking the digital signature by using an identity public key of the trusted program, and confirming whether the code to be checked is safe or not according to the code check report under the condition that the running environment of the trusted program is trusted and the digital signature passes the checking.
The detailed description, the extended examples and the related explanations are referred to above, and the detailed description is omitted here.
Fig. 4 is a multi-party interaction diagram illustrating a method for checking the security of a code, according to an exemplary embodiment of the present specification, where the method includes a software demander 41, an envelope program 42, a QE43, and an IAS server 44, where the envelope program (trusted program) 42 and the QE (querying envelope) 43 are deployed at a software provider writing a source code to be checked, and the envelope program 42 and the QE43 are running in a trusted execution environment of the software provider, the envelope program 42 is provided or verified by the software demander 41 in advance, and the IAS server 44 is a remote verification server provided by a CPU provider, and the method may include the following steps:
step 402: the software demander 41 initiates a remote verification challenge and code check request on the front cover page; the above-mentioned remote verification challenge is to verify whether the running environment of the Enclave program 42 is safe and trusted, and the code check request is to enable the Enclave program 42 to check whether the source code written by the verification code provider has a security risk, and the two are independent and do not affect each other.
Step 404: the Enclave program 42 generates a program digest;
step 406: the Enclave program 42 generates the identity public key TA _ PK and the identity private key TA _ SK based on an asymmetric encryption algorithm.
Step 408: the Enclave program 42 generates a REPORT, which at least includes the program digest generated in step 404 and the identity public key TA _ PK generated in step 406, and executes step 410 to send the REPORT to the QE 43.
The software provider loads the Enclave program 42 in response to the remote verification challenge, the Enclave program 42 generates a program digest and its own public and private key pair as shown in steps 404-406, where the public key is denoted by TA _ PK and the private key is denoted by TA _ SK. Further, as shown in steps 408 to 410, a REPORT is generated, which at least includes TA _ PK and the program digest, and the REPORT is returned to the QE43 after the generation is completed. It should be noted that the occasion of generating the public and private key pair by the Enclave program 42 shown in this embodiment is only one of many possibilities, and this specification does not limit when the public and private key pair is generated and how the software demander 41 obtains the public key TA _ PK in the public and private key pair.
Step 412: the QE43 uses the EPID private key to sign the REPORT to generate a quite, and the QE43 is another special enclosure at the code provider, namely, quoting enclosure (QE for short). The QE43 verifies whether the envelope program 42 is on the same platform as itself based on the REPORT, and then the QE43 packages the REPORT structure into a structure and signs with an EPID (Enhanced Privacy Identification) private key to generate the quantum. The EPID private key not only represents the code provider, but also represents the credibility of the underlying hardware of the code provider, and can bind information such as the version of the processor firmware, and the EPID private key can be accessed only by the QE43, and the EPID public key is managed and maintained by the IAS server 44.
Step 414: enclave program 42 may perform a static scan of source code to be checked written by a software provider to generate code check report R.
Step 416: the Enclave program 42 may hash the code check report R generated in step 414 to generate a standard hash value, denoted HR, of the code check report R.
Step 418: the Enclave program 42 may also compile source code to be checked written by the software provider to generate executable file E.
Step 420: enclave program 42 may hash executable file E generated in step 418 to generate a standard hash value for executable file E, denoted by HE.
Step 422: the Enclave program 42 may sign HR and HE using its own identity private key TA _ SK to generate a digital signature S, which is = HR, HE, sign (HR, HE), where HR represents an original file of a standard hash value of the code check report R, HE represents an original file of the executable file E, and sign (HR, HE) represents signature data, according to the related art.
Step 424: the Enclave program 42 returns the digital signature S, the REPORT, the code check REPORT R, and the executable file E to the software demander 41.
Step 426: QE43 returns quale to software requestor 41.
Step 428: after the code demander 41 acquires the quantum, since it cannot acquire the EPID public key, it cannot authenticate itself, and needs to send the quantum to the IAS server 44.
Step 430: the IAS server 44 uses the EPID public key to verify the queue, and then returns the remote verification result to the code demander 41, i.e. step 432. Moreover, the above-mentioned verification result is signed by the IAS server 44 with its identity private key, if the code demander 41 successfully verifies the signed verification result by using the identity public key of the remote verification server, and the above-mentioned verification result is passed, the program digest included in the remote verification report may be further compared with the standard program digest of the trusted program maintained by the code demander itself, and if the comparison result is consistent, the operating environment of the trusted program may be determined to be trusted, and the specific details of the above-mentioned process may refer to the above-mentioned detailed description of the remote verification process, which is not described herein again.
Step 434: the code demander 41 extracts TA _ PK from the obtained REPORT and performs a signature verification operation on S, and if the signature verification is successful, it indicates that HR and HE are indeed generated by the Enclave program 42 and have not been tampered with.
Step 436: the code demander 41 respectively performs hash calculation on R and E, compares the obtained results with HE and HR extracted from the digital signature S, and if the comparison is consistent, it indicates that the code check report R and the executable file E are not tampered.
Step 438: if the remote verification is passed and the hash value check is passed, it indicates that the execution environment of the Enclave program 42 is secure and trusted, and the code check report R and the executable file E are indeed generated by running in the secure and trusted environment and have not been tampered with, so that the code check report R can be considered as trustfully reflecting the security condition of the source code to be checked.
Step 440: under the condition that the code inspection report R is considered to be trusted, if the result in the code inspection report R considers that the source code to be inspected has no security problem, it indicates that the executable file E generated by compiling the Enclave program 42 has no security risk and can be deployed.
FIG. 5 is a schematic block diagram of an apparatus provided in an exemplary embodiment. Referring to fig. 5, at the hardware level, the apparatus includes a processor 502, an internal bus 504, a network interface 506, a memory 508 and a nonvolatile memory 510, but may also include hardware required for other services. One or more embodiments of the present description may be implemented in software, such as by processor 502 reading corresponding computer programs from non-volatile storage 510 into memory 508 and then running. Of course, besides the software implementation, the one or more embodiments in this specification do not exclude other implementations, such as logic devices or combination of software and hardware, and so on, that is, the execution subject of the following processing flow is not limited to each logic unit, and may also be hardware or logic devices.
Referring to fig. 6, an apparatus for implementing trusted scheduling may be applied to a device as shown in fig. 5 to implement the technical solution of this specification.
The device for carrying out credible check on the security of the code is applied to a code demander and comprises the following components:
an initiating unit 602, configured to initiate a remote verification challenge and a code check request, so that a code provider generates a remote verification report for a trusted program in response to the remote verification challenge, where the trusted program is provided by the code demander in advance and runs in a trusted execution environment at the code provider; and causing a code provider to load the trusted program in response to the code check request, causing the trusted program to: scanning a code to be checked to generate a code check report, and generating a digital signature for anchoring the code check report by utilizing an identity private key of the trusted program;
a confirming unit 604, configured to obtain the remote verification report and the code check report, confirm whether the operating environment of the trusted program is trusted based on the remote verification report, and use the identity public key of the trusted program to check the digital signature, and confirm whether the code to be checked is safe according to the code check report when it is confirmed that the operating environment of the trusted program is trusted and the digital signature passes the check.
Optionally, the apparatus may further include: a deployment unit 606, configured to acquire an executable file generated by the trusted program compiling the code to be checked, and deploy the executable file when the code to be checked is confirmed to be safe.
Optionally, the digital signature is further used to anchor the executable file.
Optionally, the identity public key of the trusted program is included in the remote verification report.
Optionally, the confirming unit 604 is specifically configured to: a program digest of a trusted program deployed at the code provider is included in the remote verification report; said confirming whether the execution environment of the trusted program is trusted based on the remote verification report includes:
sending the remote verification report to a remote verification server, and receiving a verification result returned by the remote verification server, wherein the verification result is signed by an identity private key of the remote verification server;
and comparing the program digest contained in the remote verification report with the standard program digest of the trusted program maintained by the code demander under the condition that the signature verification is successful according to the identity public key of the remote verification server and the verification result is passed, and confirming that the operating environment of the trusted program is trusted under the condition that the comparison result is consistent.
Referring to fig. 7, the apparatus for implementing trusted scheduling may be applied to the device shown in fig. 5 to implement the technical solution of this specification.
The device for carrying out credibility check on the security of the code is applied to a code provider and comprises the following components:
a first generating unit 702, configured to generate a remote verification report for a trusted program in response to a remote verification challenge initiated by a code demander, where the trusted program is provided in advance by the code demander and runs in a trusted execution environment at the code provider, so that the code demander obtains the remote verification report and confirms whether a running environment of the trusted program is trusted based on the remote verification report;
a second generating unit 704, configured to load the trusted program in response to a code checking request initiated by the code demander, so that the trusted program: scanning a code to be checked to generate a code check report, generating a digital signature for anchoring the code check report by using an identity private key of the trusted program, further enabling the code requiring party to obtain the code check report, checking the digital signature by using an identity public key of the trusted program, and confirming whether the code to be checked is safe or not according to the code check report under the condition that the running environment of the trusted program is trusted and the digital signature passes the checking.
Optionally, when the digital signature is generated by signing with the identity private key of the trusted program, the signature object includes the code inspection report and/or the hash value of the code inspection report.
Optionally, the apparatus may further include: a compiling unit 706 used by the trusted program to compile the code to be checked to generate an executable file; the executable file is acquired by the code demander and deployed with the code to be checked confirmed as safe.
Optionally, the digital signature is further used to anchor the executable file.
Optionally, when the digital signature is generated by signing with the identity private key of the trusted program, the signature object includes the executable file and/or the hash value of the executable file.
Optionally, the identity public key of the trusted program is included in the remote verification report.
The systems, apparatuses, modules or units described in the above embodiments may be specifically implemented by a computer chip or an entity, or implemented by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
In a typical configuration, a computer includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transmission medium, that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrases "comprising a," "8230," "8230," or "comprising" does not exclude the presence of other like elements in a process, method, article, or apparatus comprising the element.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in one or more embodiments of the present specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein in one or more embodiments to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of one or more embodiments herein. The word "if" as used herein may be interpreted as "at" \8230; "or" when 8230; \8230; "or" in response to a determination ", depending on the context.
The above description is intended only to be exemplary of the one or more embodiments of the present disclosure, and should not be taken as limiting the one or more embodiments of the present disclosure, as any modifications, equivalents, improvements, etc. that come within the spirit and scope of the one or more embodiments of the present disclosure are intended to be included within the scope of the one or more embodiments of the present disclosure.

Claims (22)

1. A method of trusted checking of code security, comprising:
the code demander initiates a remote verification challenge and a code check request;
a code provider generates a remote verification report for a trusted program in response to the remote verification challenge, the trusted program being pre-provisioned by the code demander and running in a trusted execution environment at the code provider; and the code provider responds to the code checking request to load the trusted program, so that the trusted program can: scanning a code to be checked to generate a code check report, and generating a digital signature for anchoring the code check report by using an identity private key of the trusted program;
and the code demander acquires the remote verification report and the code check report, confirms whether the running environment of the trusted program is trusted or not based on the remote verification report, verifies the digital signature by using the identity public key of the trusted program, and confirms whether the code to be checked is safe or not according to the code check report under the condition that the running environment of the trusted program is confirmed to be trusted and the digital signature passes the verification.
2. The method of claim 1, wherein when the digital signature is generated by signing with an identity private key of the trusted program, a signature object comprises the code check report and/or a hash value of the code check report.
3. The method of claim 1, the trusted program further for compiling the code to be examined to generate an executable file; the method further comprises the following steps:
and the code demander acquires the executable file and deploys the executable file under the condition of confirming the safety of the code to be checked.
4. The method of claim 3, the digital signature further for anchoring the executable file.
5. The method of claim 4, wherein when the digital signature is generated by signing with an identity private key of the trusted program, the signature object comprises the executable file and/or a hash value of the executable file.
6. The method of claim 1, an identity public key of the trusted program being included in the remote verification report.
7. The method of claim 1, wherein a program digest of a trusted program deployed at the code provider is included in the remote verification report; said confirming whether the execution environment of the trusted program is trusted based on the remote verification report includes:
the code demander sends the remote verification report to a remote verification server and receives a verification result returned by the remote verification server, wherein the verification result is signed by an identity private key of the remote verification server;
and the code requiring party compares the program abstract contained in the remote verification report with the standard program abstract of the trusted program maintained by the code requiring party under the condition that the verification is successful according to the identity public key of the remote verification server and the verification result is passed, and confirms that the running environment of the trusted program is trusted under the condition that the comparison result is consistent.
8. A method for carrying out credible check on code security is applied to a code demander and comprises the following steps:
initiating a remote verification challenge and a code check request, causing a code provider to generate a remote verification report for a trusted program in response to the remote verification challenge, the trusted program being pre-provisioned by the code demander and running in a trusted execution environment at the code provider; and causing a code provider to load the trusted program in response to the code check request, causing the trusted program to: scanning a code to be checked to generate a code check report, and generating a digital signature for anchoring the code check report by utilizing an identity private key of the trusted program;
and acquiring the remote verification report and the code inspection report, confirming whether the running environment of the trusted program is trusted or not based on the remote verification report, using the identity public key of the trusted program to check and sign the digital signature, and confirming whether the code to be inspected is safe or not according to the code inspection report under the condition that the running environment of the trusted program is confirmed to be trusted and the digital signature passes the check and sign.
9. The method of claim 8, further comprising:
and acquiring an executable file generated by compiling the code to be checked by the trusted program, and deploying the executable file under the condition of confirming the safety of the code to be checked.
10. The method of claim 9, the digital signature further for anchoring the executable file.
11. The method of claim 8, an identity public key of the trusted program is included in the remote verification report.
12. The method of claim 8, wherein a program digest of a trusted program deployed at the code provider is included in the remote verification report; said confirming whether the execution environment of the trusted program is trusted based on the remote verification report includes:
sending the remote verification report to a remote verification server, and receiving a verification result returned by the remote verification server, wherein the verification result is signed by an identity private key of the remote verification server;
and comparing the program digest contained in the remote verification report with the standard program digest of the trusted program maintained by the code demander under the condition that the signature verification is successful according to the identity public key of the remote verification server and the verification result is passed, and confirming that the operating environment of the trusted program is trusted under the condition that the comparison result is consistent.
13. A method for checking the security of codes in a credibility mode is applied to code providers and comprises the following steps:
generating a remote verification report for a trusted program in response to a remote verification challenge initiated by a code demander, wherein the trusted program is provided by the code demander in advance and runs in a trusted execution environment at the code provider, so that the code demander acquires the remote verification report and confirms whether the running environment of the trusted program is trusted based on the remote verification report;
and loading the trusted program in response to a code checking request initiated by the code requiring party, so that the trusted program: scanning a code to be checked to generate a code check report, generating a digital signature for anchoring the code check report by using an identity private key of the trusted program, further enabling the code requiring party to obtain the code check report, checking the digital signature by using an identity public key of the trusted program, and confirming whether the code to be checked is safe or not according to the code check report under the condition that the running environment of the trusted program is trusted and the digital signature passes the checking.
14. The method of claim 13, wherein when the digital signature is generated by signing with a private identity key of the trusted program, the signed object comprises the code check report and/or a hash value of the code check report.
15. The method of claim 13, the trusted program further for compiling the code to be examined to generate an executable file; the executable file is acquired by the code demander and deployed with the code to be checked confirmed as safe.
16. The method of claim 15, the digital signature further for anchoring the executable file.
17. The method according to claim 16, wherein when the digital signature is generated by signing with a private identity key of the trusted program, the signature object comprises the executable file and/or a hash value of the executable file.
18. The method of claim 13, an identity public key of the trusted program being included in the remote verification report.
19. An apparatus for performing a trusted check on security of a code, applied to a code requiring party, comprises:
an initiating unit, configured to initiate a remote verification challenge and a code check request, so that a code provider generates a remote verification report for a trusted program in response to the remote verification challenge, where the trusted program is provided in advance by the code demander and runs in a trusted execution environment at the code provider; and causing a code provider to load the trusted program in response to the code check request, causing the trusted program to: scanning a code to be checked to generate a code check report, and generating a digital signature for anchoring the code check report by using an identity private key of the trusted program;
and the confirmation unit is used for acquiring the remote verification report and the code check report, confirming whether the running environment of the trusted program is trusted or not based on the remote verification report, using the identity public key of the trusted program to check the digital signature, and confirming whether the code to be checked is safe or not according to the code check report under the condition that the running environment of the trusted program is trusted and the digital signature passes the check.
20. An apparatus for performing a trusted check on the security of a code, applied to a code provider, comprising:
a first generating unit, configured to generate a remote verification report for a trusted program in response to a remote verification challenge initiated by a code demander, where the trusted program is provided in advance by the code demander and runs in a trusted execution environment at the code provider, so that the code demander acquires the remote verification report and confirms whether a running environment of the trusted program is trusted based on the remote verification report;
a second generating unit, configured to load the trusted program in response to a code checking request initiated by the code demander, so that the trusted program: scanning a code to be checked to generate a code check report, generating a digital signature for anchoring the code check report by using an identity private key of the trusted program, further enabling the code requiring party to obtain the code check report, checking the digital signature by using an identity public key of the trusted program, and confirming whether the code to be checked is safe or not according to the code check report under the condition that the running environment of the trusted program is trusted and the digital signature passes the checking.
21. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the method of any one of claims 1-18 by executing the executable instructions.
22. A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, carry out the steps of the method according to any one of claims 1 to 18.
CN202110648867.8A 2021-06-10 2021-06-10 Method and device for carrying out credible check on code security Active CN113343234B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202110648867.8A CN113343234B (en) 2021-06-10 2021-06-10 Method and device for carrying out credible check on code security
PCT/CN2022/093834 WO2022257722A1 (en) 2021-06-10 2022-05-19 Method and apparatus for performing trust check on code security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110648867.8A CN113343234B (en) 2021-06-10 2021-06-10 Method and device for carrying out credible check on code security

Publications (2)

Publication Number Publication Date
CN113343234A CN113343234A (en) 2021-09-03
CN113343234B true CN113343234B (en) 2023-01-20

Family

ID=77476408

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110648867.8A Active CN113343234B (en) 2021-06-10 2021-06-10 Method and device for carrying out credible check on code security

Country Status (2)

Country Link
CN (1) CN113343234B (en)
WO (1) WO2022257722A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113343234B (en) * 2021-06-10 2023-01-20 支付宝(杭州)信息技术有限公司 Method and device for carrying out credible check on code security
CN114036527B (en) * 2021-11-04 2023-01-31 云海链控股股份有限公司 Code injection method, code running end, code injection end and related equipment
CN115051810B (en) * 2022-06-20 2023-07-25 北京大学 Interface type digital object authenticity verification method and device based on remote proof
CN116151827B (en) * 2023-04-04 2023-07-14 北京银联金卡科技有限公司 Digital wallet security system and double off-line transaction method based on security system

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111090865A (en) * 2019-12-17 2020-05-01 支付宝(杭州)信息技术有限公司 Secret key authorization method and system

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1997004394A1 (en) * 1995-07-14 1997-02-06 Christopher Nathan Drake Computer software authentication, protection, and security system
US8375221B1 (en) * 2011-07-29 2013-02-12 Microsoft Corporation Firmware-based trusted platform module for arm processor architectures and trustzone security extensions
DE102018101307A1 (en) * 2017-02-22 2018-08-23 Intel Corporation SGX enclave remote authentication techniques
US11244054B2 (en) * 2017-11-03 2022-02-08 Nokia Technologies Oy Method and apparatus for trusted computing
CN108399329B (en) * 2018-01-23 2022-01-21 晶晨半导体(上海)股份有限公司 Method for improving security of trusted application program
CN110011801B (en) * 2018-11-16 2020-10-20 创新先进技术有限公司 Remote certification method and device for trusted application program and electronic equipment
CN109726588B (en) * 2018-12-21 2021-04-06 上海邑游网络科技有限公司 Privacy protection method and system based on information hiding
CN112818327A (en) * 2021-02-26 2021-05-18 中国人民解放军国防科技大学 TrustZone-based user-level code and data security credibility protection method and device
CN113343234B (en) * 2021-06-10 2023-01-20 支付宝(杭州)信息技术有限公司 Method and device for carrying out credible check on code security

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111090865A (en) * 2019-12-17 2020-05-01 支付宝(杭州)信息技术有限公司 Secret key authorization method and system

Also Published As

Publication number Publication date
WO2022257722A1 (en) 2022-12-15
CN113343234A (en) 2021-09-03

Similar Documents

Publication Publication Date Title
CN113343234B (en) Method and device for carrying out credible check on code security
US11637707B2 (en) System and method for managing installation of an application package requiring high-risk permission access
US10419216B2 (en) Keying infrastructure
EP3061027B1 (en) Verifying the security of a remote server
CN107086909B (en) Identity information generation method and device and identity verification method and device
JP5212870B2 (en) Method and system for credit verification service based on multi-party verification platform
CN108055133B (en) Key security signature method based on block chain technology
CN106991298B (en) Access method of application program to interface, authorization request method and device
US20210314164A1 (en) Block content editing methods and apparatuses
KR20140039319A (en) Software run-time provenance
CN111770199B (en) Information sharing method, device and equipment
US20160162686A1 (en) Method for verifying integrity of dynamic code using hash background of the invention
Liu et al. Smacs: smart contract access control service
CN112785202A (en) Asset management method, device and system
CN110222531A (en) A kind of method, system and equipment accessing database
CN113268742B (en) Data authorization method and device and electronic equipment
CN111770112B (en) Information sharing method, device and equipment
US20160132681A1 (en) Method for performing a secure boot of a computing system and computing system
CN111931154A (en) Service processing method, device and equipment based on digital certificate
WO2022252897A1 (en) Method and apparatus for implementing trusted scheduling
CN114651253A (en) Virtual environment type verification for policy enforcement
CN113704211A (en) Data query method and device, electronic equipment and storage medium
WO2019210471A1 (en) Data invoking method and data invoking apparatus
CN113868691B (en) Authorized operation method and device of block chain based on cloud-native technology
CN111046440B (en) Tamper verification method and system for secure area content

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant