CN116414451A - Remote verification method and device based on application-only Memory - Google Patents

Remote verification method and device based on application-only Memory

Info

Publication number
CN116414451A
Authority
CN
China
Prior art keywords
security domain
storage area
target application
address
memory
Prior art date
Legal status
Pending
Application number
CN202111643190.5A
Other languages
Chinese (zh)
Inventor
蔡启申
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/30 Arrangements for executing machine instructions, e.g. instruction decode
    • G06F 9/30098 Register arrangements
    • G06F 9/3012 Organisation of register space, e.g. banked or distributed register file
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F 12/14 Protection against unauthorised use of memory or access to memory
    • G06F 12/1458 Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a remote verification method and device based on an application-only Memory. The method may include: sending a memory initialization request to the high security domain according to a received verification request, so that the high security domain allocates a first storage area for the low security domain; executing a target application program and recording the control flow jump paths produced during its execution to the first storage area; and, when execution of the target application program completes or a memory fullness exception occurs in the first storage area, sending a data reading request to the high security domain, so that the high security domain reads the plurality of control flow jump paths from the first storage area and generates a verification report. Registers and related logic are added to the memory controller so that the high security domain allocates the application-only memory for the low security domain and the data is stored in the application-only memory. This not only ensures data integrity and prevents an attacker from tampering with it, but also reduces the number of context switches between the low security domain and the high security domain and improves the performance of remote verification of the control flow.

Description

Remote verification method and device based on application-only Memory
Technical Field
The invention relates to the field of remote verification, in particular to a remote verification method and device based on an application-only Memory.
Background
The internet of things is penetrating many aspects of daily life, such as smart meters, traffic lights, and the like. These devices are deployed in automobiles, medical systems, industry, smart cities, factories, and some critical infrastructure. An internet of things system is divided into a front end and a back end. The front end is typically an embedded device that is deployed in a relatively open environment and is vulnerable to attack. Although the back-end device generally confirms that the front-end embedded device is alive through the heartbeat information the front-end device sends, the back-end device still cannot judge the integrity of the front-end device, e.g., whether an attacker is attacking the front-end device or whether such an attack has succeeded. Thus, the back-end device needs to remotely verify the front-end device to determine its integrity.
Remote verification is a mechanism by which trust can be established in a remote device: the remote device records its own running process and sends the record to a remote verifier, and the remote verifier determines whether the status of the remote device is normal.
Disclosure of Invention
The embodiments of the application provide a remote verification method and device based on an application-only Memory. By adding a register and related logic to the Memory controller, the high security domain allocates the application-only Memory for the low security domain, protecting the integrity of the data the low security domain stores in the application-only Memory and preventing an attacker from tampering with it. At the same time, because the data is stored in the application-only Memory, the number of context switches between the low security domain and the high security domain is reduced, and the performance of remote verification of the control flow is greatly improved.
In a first aspect, an embodiment of the present application provides a remote authentication method, where the method is performed by a front-end device in an internet of things system, where the front-end device includes a low security domain and a high security domain, and the high security domain has a higher authority than the low security domain, and the method includes: receiving a verification request sent by a remote device, wherein the verification request is used for requesting to verify a target application program in a low security domain; sending a memory initialization request to a high security domain so that the high security domain allocates a first storage area for a low security domain, wherein the first storage area is a storage area to which data can only be added; executing a target application program, and recording a control flow jump path in the execution process of the target application program to a first storage area; based on the completion of target application program execution or the occurrence of memory fullness abnormality in the first storage area, sending a data reading request to the high security domain, so that the high security domain reads a plurality of control flow jump paths from the first storage area, and generating a verification report according to the plurality of control flow jump paths; the verification report is sent to the remote device.
According to the remote verification method provided by the embodiments of the application, after the front-end device receives a verification request for a target application program, the low security domain applies to the high security domain for a first storage area (application-only Memory). The target application program is then executed in the low security domain, and the control flow jump paths generated during its execution are recorded into the application-only Memory. Because the application-only Memory has the attribute that data can only be added to it, the integrity of the path information stored in the application-only Memory is ensured and attacker tampering is prevented. Further, since the control flow jump paths of the target application program are saved in the application-only Memory, the high security domain is only triggered to read address information from the application-only Memory when execution of the target application program completes or the application-only Memory raises a full exception. This reduces the number of context switches between the low security domain and the high security domain and improves the performance of remote verification of the control flow.
In one possible implementation, the front-end device includes a memory controller, where the memory controller includes a first register, a second register, and a third register; the high security domain allocating a first storage area for the low security domain includes: acquiring a contiguous range of physical addresses through the high security domain and taking that range as the physical address of the first storage area; and initializing the first register, the second register and the third register so that the value of the first register is the start address of the physical address range, the value of the second register is the end address of the physical address range, and the value of the third register is the current writable address of the physical address range.
That is, the high security domain allocates a first Memory region (application-only Memory) for the low security domain by adding registers and their associated logic to the Memory controller. Specifically, the start address, the end address, and the current writable address of the application-only Memory are recorded by registers in the Memory controller. When data is written to the application-only Memory, the current writable address of the application-only Memory is updated by changing the value of the register, and an attacker is thereby prevented from tampering with the data already stored in the application-only Memory.
In one possible implementation, recording the control flow jump path during execution of the target application program to the first storage area includes: acquiring the start address, the end address and the current writable address of the first storage area; acquiring the length of the control flow jump path that the target application program needs to write into the first storage area and the write address at which the target application program writes into the first storage area; when the write address lies between the start address and the end address of the first storage area, judging whether the write address is the same as the current writable address of the first storage area; when the write address differs from the current writable address of the first storage area, generating a write exception and stopping the write of the control flow jump path to the first storage area; and when the write address is the same as the current writable address of the first storage area, writing the control flow jump path into the first storage area and updating the current writable address of the first storage area according to the length of the control flow jump path.
That is, when a control flow jump path generated during execution of the target application program is recorded to the first storage area (application-only Memory), the write address of the jump path must first be checked to determine that it lies within the application-only Memory. Further, when the write address lies within the application-only Memory, the write address must also be compared with the current writable address of the application-only Memory. The path is written to the application-only Memory only if the write address equals the current writable address of the application-only Memory. This prevents the user from modifying data already written to the application-only Memory (when the write address is smaller than the current writable address of the application-only Memory, the user is considered to be trying to modify data already in the application-only Memory).
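The write rule just described, modelled in software as an added example (this is not the patent's code; the class and function names, the 4-byte entry size, an exclusive end address and a reconfiguration that only rewinds the current-writable-address register are all assumptions). The region only accepts a write whose address equals the current writable address, raises a write exception for any other in-region address (including a rewrite of an already-logged entry), raises the memory-fullness exception when the next entry would not fit, and lets the high security domain drain and reset it so the instrumented code can resume logging:

```python
"""Software model of the append-only log region ("application-only Memory") and
the memory controller's write check. Added example, not the patent's code."""
from dataclasses import dataclass, field


class WriteException(Exception):
    """Write address is inside the region but is not the current writable address."""


class MemoryFullException(Exception):
    """Write would run past the end of the region (the 'memory fullness abnormality')."""


@dataclass
class AppendOnlyRegion:
    start: int                              # first register: start address
    end: int                                # second register: end address (exclusive, assumed)
    cur: int = field(init=False)            # third register: current writable address
    backing: bytearray = field(init=False)  # the physical memory behind the region

    def __post_init__(self):
        self.cur = self.start
        self.backing = bytearray(self.end - self.start)

    def write(self, addr: int, data: bytes) -> str:
        """Controller-side check applied to a write coming from the low security domain."""
        if addr < self.start or addr > self.end:
            return "passthrough"        # not in the region: ordinary memory, controller does not interfere
        if addr != self.cur:
            # addr < cur would overwrite logged data; addr > cur would leave a hole in the log
            raise WriteException(f"write at {addr:#x} != current writable address {self.cur:#x}")
        if addr + len(data) > self.end:
            raise MemoryFullException(f"{len(data)} bytes do not fit at {addr:#x}")
        off = addr - self.start
        self.backing[off:off + len(data)] = data
        self.cur += len(data)           # advance the current writable address by the path length
        return "ok"

    def read_all(self) -> bytes:
        """High-security-domain read of everything logged so far."""
        return bytes(self.backing[: self.cur - self.start])

    def reconfigure(self) -> None:
        """High-security-domain reset after reading: current writable address returns to start."""
        self.cur = self.start


ENTRY = 4  # bytes per logged destination address (assumption)


def decode_paths(blob: bytes) -> list:
    return [int.from_bytes(blob[i:i + ENTRY], "little") for i in range(0, len(blob), ENTRY)]


def log_jump(region: AppendOnlyRegion, dest: int, on_full) -> bool:
    """Instrumented code records one jump destination at the current writable address.
    On a full region the exception handler hands the region to the high domain (on_full)
    and retries; returns True when that happened."""
    entry = dest.to_bytes(ENTRY, "little")
    try:
        region.write(region.cur, entry)
        return False
    except MemoryFullException:
        on_full(region)
        region.write(region.cur, entry)
        return True


def demo():
    region = AppendOnlyRegion(start=0x1000, end=0x1010)   # room for four entries
    reports = []

    def high_domain_collect(r):                   # read request handler in the high domain
        reports.append(decode_paths(r.read_all()))
        r.reconfigure()

    dests = [0x400, 0x410, 0x420, 0x430, 0x440]   # constructed jump destinations
    full_events = sum(log_jump(region, d, high_domain_collect) for d in dests)

    # Attempts that the controller must refuse or ignore after the log has been resumed.
    outcomes = {}
    for name, addr in (("rewrite_first_entry", 0x1000), ("skip_ahead", 0x1008), ("outside", 0x2000)):
        try:
            outcomes[name] = region.write(addr, b"\0" * ENTRY)
        except WriteException:
            outcomes[name] = "write_exception"
    return reports, full_events, decode_paths(region.read_all()), outcomes


if __name__ == "__main__":
    print(demo())
```

In the demo the fifth destination triggers the full exception, the high domain drains the first four entries and rewinds the region, and the retried write lands at the start address; the later attempts to rewrite the first entry or to write past the current pointer are rejected, while a write outside the region is simply not the controller's business.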
In one possible implementation, before the low security domain executes the target application, the method further includes: acquiring a code file of the target application program, wherein the code file comprises a plurality of branches; for each of the plurality of branches in the code file, replacing the source instruction at the branch with a jump instruction, the jump instruction causing the target application to execute a springboard code that includes the source instruction from the branch; and executing the source instruction in the springboard code to acquire the path information of the next instruction to be jumped to.
That is, when the integrity of the control flow is verified for the target application, the control flow jump paths of the target program need to be acquired, which requires modifying and instrumenting the target application. The jump instruction placed at each branch of the target application program's code file transfers execution to the springboard code, and the jump address taken by the target application program at that branch is obtained without changing the layout of the target application program's code file.
In one possible implementation, after the high security domain reads the control flow jump path from the first storage area, the method further includes: the first storage region is reconfigured to enable the first storage region to store the control flow jump path of the low security domain write target application.
That is, after the high security domain reads the control flow jump paths from the first Memory area (application-only Memory), the application-only Memory needs to be reconfigured. Specifically, the high security domain re-initializes the registers (the first register, the second register, and the third register) that store the start address, the end address, and the current writable address of the application-only Memory, so that the value of the first register is the start address of the application-only Memory, the value of the second register is the end address of the application-only Memory, and the value of the third register is the current writable address of the application-only Memory (after the reset, the current writable address of the application-only Memory is its start address).
In one possible implementation, generating the verification report from the plurality of control flow jump paths includes: performing a hash calculation on each of the plurality of control flow jump paths to obtain a plurality of hash values, wherein the hash value Measurement_n of the nth path is obtained as:
$$\mathrm{Measurement}_n = \mathrm{Hash}(\mathrm{Measurement}_{n-1} \,\|\, \mathrm{Destination\ Address})$$
where Measurement_{n-1} is the hash value of the (n-1)th path and Destination Address is the destination address that the target application needs to jump to when executing the (n-1)th path; and signing the hash values and the verification request to obtain the verification report.
That is, after the high security domain acquires the plurality of control flow jump paths from the first storage area (application-only Memory), it performs a hash calculation for each control flow jump path. To hash a control flow jump path, the hash value of the jump path preceding the current jump path and the destination address of the current jump path are obtained, and the hash operation is then applied to that preceding hash value concatenated with the destination address of the current jump path to obtain the hash value of the current control flow jump path.
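The measurement chain and the verifier's side of it, as an added example rather than the patent's code. The page does not name the hash or the signature algorithm, so SHA-256 stands in for Hash, an all-zero Measurement_0 seeds the chain, destination addresses are encoded as 4-byte little-endian values, and an HMAC over the final measurement and the request nonce stands in for the signature; the page's formula wording refers to the (n-1)th path's destination while its explanation feeds the current path's destination, and this example follows the explanation. The verifier recomputes the chain from a known-good path and compares final measurements, which is what turns the log into an integrity check:

```python
"""Control-flow measurement chain Measurement_n = Hash(Measurement_{n-1} || DestinationAddress)
plus report signing and verification. Added example, not the patent's code."""
import hashlib
import hmac

EMPTY = bytes(32)                    # Measurement_0 (assumption: all-zero seed)
ENTRY = 4                            # bytes per destination address (assumption)


def measure_paths(dest_addrs):
    """Return [Measurement_1 .. Measurement_N] for the logged destination addresses."""
    measurements = []
    prev = EMPTY
    for dest in dest_addrs:
        prev = hashlib.sha256(prev + dest.to_bytes(ENTRY, "little")).digest()
        measurements.append(prev)
    return measurements


def final_measurement(dest_addrs):
    chain = measure_paths(dest_addrs)
    return chain[-1] if chain else EMPTY


def build_report(dest_addrs, request_nonce, key):
    """High-security-domain side: chain the paths read from the append-only region and
    bind the result to the verification request (its nonce) with a keyed tag."""
    final = final_measurement(dest_addrs)
    tag = hmac.new(key, final + request_nonce, hashlib.sha256).digest()
    return {"measurement": final, "nonce": request_nonce, "tag": tag}


def verify_report(report, expected_paths, request_nonce, key):
    """Remote verifier: freshness, then signature, then comparison against the known-good path."""
    if report["nonce"] != request_nonce:
        return "stale"
    expected_tag = hmac.new(key, report["measurement"] + request_nonce, hashlib.sha256).digest()
    if not hmac.compare_digest(report["tag"], expected_tag):
        return "bad_signature"
    if not hmac.compare_digest(report["measurement"], final_measurement(expected_paths)):
        return "control_flow_deviated"
    return "ok"


def demo():
    key = b"constructed-demo-key"             # shared key between device and verifier (constructed)
    nonce = b"nonce-0001"                     # fresh per verification request (constructed)
    good = [0x400, 0x410, 0x420]               # reference path known to the verifier (constructed)
    results = {}
    results["honest"] = verify_report(build_report(good, nonce, key), good, nonce, key)
    # One branch diverted (0x410 -> 0x4f0): the chain differs from the first deviation onward.
    results["diverted"] = verify_report(build_report([0x400, 0x4f0, 0x420], nonce, key), good, nonce, key)
    # A report captured for an earlier request is replayed against the new nonce.
    results["replayed"] = verify_report(build_report(good, b"nonce-0000", key), good, nonce, key)
    # The measurement field is edited in transit without access to the key.
    forged = build_report([0x400, 0x4f0, 0x420], nonce, key)
    forged["measurement"] = final_measurement(good)
    results["forged"] = verify_report(forged, good, nonce, key)
    return results


if __name__ == "__main__":
    print(demo())
```

Because each Measurement_n folds in Measurement_{n-1}, a single diverted branch changes every later value, so the verifier only needs the final measurement to detect the deviation; for programs whose legitimate control flow is input dependent, the verifier holds the set of acceptable final measurements rather than one reference path.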
In a second aspect, an embodiment of the present application further provides a remote authentication method, where the method is performed by a front-end device in an internet of things system, where the front-end device includes a low security domain and a high security domain, the high security domain has a higher authority than the low security domain, and a memory of the front-end device is divided into a plurality of sub-areas, and the method includes: receiving a plurality of verification requests sent by a remote device, wherein the verification requests are used for requesting verification of a plurality of target application programs in a low security domain; assigning a sub-area to each of a plurality of target applications; sending a memory initialization request to the high security domain, so that the high security domain allocates a first storage area for each sub-area, wherein the first storage area is a storage area to which data can only be added; executing the target application program for each target application program in the plurality of target application programs, and recording a control flow jump path in the execution process of the target application program to a first storage area of a subarea corresponding to the target application program; based on the completion of target application program execution or the occurrence of memory fullness abnormality in a first storage area, sending a data reading request to a high security domain, so that the high security domain reads a plurality of control flow jump paths from the first storage area, and generating a verification report according to the plurality of control flow jump paths; the verification report is sent to the remote device.
According to the remote verification method, the memory of the front-end equipment is divided into a plurality of sub-areas. Different sub-areas are allocated to different target application programs in the front-end equipment system, and a corresponding first Memory area (application-only Memory) is allocated to each sub-area. That is, multiple sections of application-only Memory are provided in the same device system to cope with the situation that multiple applications in the same device system perform remote authentication in parallel.
In one possible implementation, the front-end device includes a memory controller, where the memory controller includes a third register and a fourth register; sending a memory initialization request to the high security domain so that the high security domain allocates a first storage area for each sub-area includes: for each target application program in the plurality of target application programs, acquiring the first register and the second register of its sub-area, wherein the first register records the start address of the sub-area and the second register records the end address of the sub-area; acquiring a contiguous range of physical addresses through the high security domain and taking that range as the physical address of the first storage area; and initializing the first register, the second register, the third register and the fourth register so that the value of the first register is the start address of the physical address range, the value of the second register is the end address of the physical address range, the value of the third register is the current writable address of the physical address range, and the fourth register stores the access permission information of the first storage area.
That is, the high security domain allocates a first Memory region (application-only Memory) for the low security domain by adding registers and their associated logic to the Memory controller. Specifically, the registers of the sub-region are reused to record the start address and the end address of the application-only Memory, and registers are added to the Memory controller to record the current writable address of the application-only Memory and the access permission of the application-only Memory. This ensures that only the core on which the target application program runs in the low security domain can write the application-only Memory and only the high security domain can read it, so the security of the data in the application-only Memory is ensured.
In one possible implementation, assigning a sub-area to each of the plurality of target applications includes: for each target application program in the plurality of target application programs, acquiring the code file of the target application program; and inserting an operation code file into the code file of the target application program, so that the target application program can perform read and write operations on one of the plurality of sub-areas during its execution.
That is, when a sub-region is allocated to a target application, an operation code file for that sub-region is inserted into the code file of the target application, so that the control flow jump paths of the target application program can be stored in the application-only Memory of the sub-region while the target application program executes.
In a third aspect, embodiments of the present application provide a terminal device that includes a low security domain and a high security domain, where the high security domain has a higher authority than the low security domain,
the low security domain includes:
the communication module is used for receiving a verification request sent by the remote equipment, wherein the verification request is used for requesting to verify a target application program in a low security domain;
the communication module is also used for sending a memory initialization request to the high security domain;
the processing module is used for executing the target application program and recording a control flow jump path in the execution process of the target application program to the first storage area;
the exception handling module is used for sending a data reading request to the high security domain;
the communication module is also used for receiving the verification report sent by the high security domain and sending the verification report to the remote equipment;
the high security domain includes:
the memory initialization module is used for distributing a first storage area for the low security domain according to a memory initialization request, wherein the first storage area is a storage area to which data can only be added;
the data collection module is used for reading a plurality of control flow jump paths in the first storage area;
and the verification module is used for generating a verification report according to the plurality of control flow jump paths.
In one possible implementation, the front-end device includes a memory controller, where the memory controller includes a first register, a second register and a third register; the memory initialization module is used for:
acquiring a contiguous range of physical addresses as the physical address of the first storage area;
initializing the first register, the second register and the third register so that the value of the first register is the start address of the physical address range, the value of the second register is the end address of the physical address range, and the value of the third register is the current writable address of the physical address range.
In one possible implementation, the processing module is further configured to:
acquire the start address, the end address and the current writable address of the first storage area;
acquire the length of the control flow jump path that the target application program needs to write into the first storage area and the write address at which the target application program writes into the first storage area;
when the write address lies between the start address and the end address of the first storage area, judge whether the write address is the same as the current writable address of the first storage area;
when the write address differs from the current writable address of the first storage area, generate a write exception and stop writing the control flow jump path to the first storage area;
and when the write address is the same as the current writable address of the first storage area, write the control flow jump path into the first storage area and update the current writable address of the first storage area according to the length of the control flow jump path.
In one possible implementation, before executing the target application, the processing module is further configured to:
acquiring a code file of a target application program, wherein the code file comprises a plurality of branches;
for each of the plurality of branches in the code file, replacing the source instruction at the branch with a jump instruction, the jump instruction causing the target application to execute a springboard code that includes the source instruction from the branch;
and executing the source instruction in the springboard code to acquire the path information of the next instruction to be jumped to.
In one possible implementation, after reading the control flow jump path in the first storage area, the data collection module is further configured to:
the first storage region is reconfigured to enable the first storage region to store the control flow jump path of the low security domain write target application.
In one possible implementation, the verification module is configured to:
performing a hash calculation on each of the plurality of control flow jump paths to obtain a plurality of hash values, wherein the hash value Measurement_n of the nth path is obtained as:
$$\mathrm{Measurement}_n = \mathrm{Hash}(\mathrm{Measurement}_{n-1} \,\|\, \mathrm{Destination\ Address})$$
where Measurement_{n-1} is the hash value of the (n-1)th path and Destination Address is the destination address that the target application needs to jump to when executing the (n-1)th path; and signing the hash values and the verification request to obtain the verification report.
In a fourth aspect, embodiments of the present application provide a terminal device, where the terminal device includes a low security domain and a high security domain, the high security domain has a higher authority than the low security domain, a memory of the terminal device is divided into a plurality of sub-regions,
the low security domain includes:
the communication module is used for receiving a plurality of verification requests sent by the remote equipment, wherein the verification requests are used for requesting verification of a plurality of target application programs in a low security domain;
the processing module is used for distributing a sub-area for each application program in the target application programs;
the communication module is also used for sending a memory initialization request to the high security domain;
the processing module is also used for executing the target application program for each target application program in the plurality of target application programs, and recording a control flow jump path in the execution process of the target application program to a first storage area of the subarea corresponding to the target application program;
The exception handling module is used for sending a data reading request to the high security domain;
the communication module is also used for receiving the verification report sent by the high security domain and sending the verification report to the remote equipment;
the high security domain includes:
the memory initialization module is used for distributing a first storage area for each sub-area according to the memory initialization request, wherein the first storage area is a storage area which can only be added with data;
the data collection module is used for reading a plurality of control flow jump paths in the first storage area;
and the verification module is used for generating a verification report according to the plurality of control flow jump paths.
In one possible implementation, the front-end device includes a memory controller, where the memory controller includes a first register, a second register, a third register and a fourth register; the memory initialization module is used for:
for each target application program in the plurality of target application programs, acquiring the first register and the second register of its sub-area, wherein the first register records the start address of the sub-area and the second register records the end address of the sub-area;
acquiring a contiguous range of physical addresses through the high security domain and taking that range as the physical address of the first storage area;
initializing the first register, the second register, the third register and the fourth register so that the value of the first register is the start address of the physical address range, the value of the second register is the end address of the physical address range, the value of the third register is the current writable address of the physical address range, and the fourth register stores the access permission information of the first storage area.
In one possible implementation, the processing module is configured to:
for each target application program in the plurality of target application programs, acquiring the code file of the target application program;
and inserting an operation code file into the code file of the target application program, so that the target application program can perform read and write operations on one of the plurality of sub-areas during its execution.
In a fifth aspect, embodiments of the present application provide an electronic device, including: at least one memory for storing a target application;
at least one processor that runs time-multiplexed between a high security domain and a low security domain, the processor being configured, when in the low security domain, to:
receive a verification request sent by a remote device, where the verification request requests verification of a target application in the low security domain;
send a memory initialization request to the high security domain, so that the high security domain allocates a first storage area for the low security domain, where the first storage area is a storage area to which data can only be added;
execute the target application, and record the control flow jump paths during execution of the target application to the first storage area;
when execution of the target application completes or a memory full exception occurs in the first storage area, send a data read request to the high security domain, so that the high security domain reads the plurality of control flow jump paths from the first storage area and generates a verification report from them;
and send the verification report to the remote device.
In a sixth aspect, embodiments of the present application provide an electronic device, including: at least one memory for storing target applications, the storage area of the at least one memory being divided into a plurality of sub-areas;
at least one processor that runs time-multiplexed between a high security domain and a low security domain, the processor being configured, when in the low security domain, to:
receive a plurality of verification requests sent by a remote device, where the plurality of verification requests request verification of a plurality of target applications in the low security domain;
assign a sub-area to each of the plurality of target applications;
send a memory initialization request to the high security domain, so that the high security domain allocates a first storage area for each sub-area, where the first storage area is a storage area to which data can only be added;
for each target application of the plurality of target applications, execute the target application and record the control flow jump paths during its execution to the first storage area of the sub-area corresponding to that target application;
when execution of a target application completes or a memory full exception occurs in the first storage area, send a data read request to the high security domain, so that the high security domain reads the plurality of control flow jump paths from the first storage area and generates a verification report from them;
and send the verification report to the remote device.
In a seventh aspect, embodiments of the present application provide a computer-readable medium having instructions stored therein which, when run on a computer, cause the computer to perform the method of the first or second aspect.
In an eighth aspect, embodiments of the present application provide a computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of the first or second aspect.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present application, and a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of TPM-based remote attestation;
FIG. 2 is a schematic diagram of the ARM TrustZone architecture;
FIG. 3a is a schematic diagram of ARM TrustZone-based remote verification of control flow integrity;
FIG. 3b is a further schematic diagram of ARM TrustZone-based remote verification of control flow integrity;
FIG. 4 is a diagram of the LO-FAT system architecture;
FIG. 5 is an application scenario diagram provided in an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a front-end device according to an embodiment of the present application;
FIG. 7 is a diagram of a processor system architecture according to an embodiment of the present application;
FIG. 8 is a flowchart of a remote verification method based on an application-only Memory according to an embodiment of the present application;
FIG. 9 is a schematic flowchart of writing data into a first storage area according to an embodiment of the present application;
FIG. 10 is a flowchart of a further remote verification method based on an application-only Memory according to an embodiment of the present application;
FIG. 11 is a schematic diagram of the division of regions of the TZC-400;
FIG. 12 is a schematic view of an application-only permission configuration for a region;
FIG. 13 is a schematic structural diagram of a front-end device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be described below with reference to the accompanying drawings.
In the description of the embodiments herein, any embodiment or design described as "exemplary," "such as," or "for example" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the words "exemplary," "such as," "for example" and the like are intended to present related concepts in a concrete fashion.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating an indicated technical feature. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
Remote attestation is a mechanism by which trust can be established in a remote device: the remote device records its running process and sends the record to a remote verifier, and the remote verifier determines whether the state of the remote device is normal.
First, remote attestation is described. One key component of remote attestation is a trusted storage that records the operation of the attested device and prevents an attacker from tampering with the data generated while the attested device runs. As shown in fig. 1, in conventional remote attestation schemes for servers and desktops, the trusted storage is provided by a trusted platform module (Trusted Platform Module, TPM). But deploying a TPM on a low-end embedded device is overly complex and expensive. Therefore, academia has also adopted some lightweight schemes to provide trusted storage, but these bring a large performance cost. Further, conventional remote verification only measures static executable files at system start-up, so it captures the initial state of the system but cannot cope with runtime exploits, a typical example being ROP attacks.
Second, remote verification also poses a granularity selection problem: for example, verifying at the granularity of a module (coarse) or at the granularity of a code jump (fine). The coarser the verification granularity, the weaker the security, but the lower the performance overhead; the finer the verification granularity, the stronger the security, but the higher the performance overhead.
Next, the ARM processor architecture in a remote device is described. ARM is the processor architecture used by most Internet of Things devices. ARM TrustZone is a hardware-based security function. Fig. 2 is a schematic diagram of the ARM TrustZone architecture. As shown in fig. 2, by modifying the original hardware architecture, two protection domains with different privileges, namely the secure world and the normal world, are introduced at the processor level, and the processor operates in only one of them at any time. The secure world and the normal world are hardware-isolated and have different privileges. Applications or operating systems running in the normal world are strictly restricted from accessing resources in the secure world; conversely, programs running in the secure world can normally access resources in the normal world. The hardware isolation and the differing privileges between the secure world and the normal world provide an effective mechanism for protecting the code and data of an application. Typically, the normal world runs a commodity operating system (e.g., Android, iOS). A commodity operating system running in the normal world provides a rich execution environment (Rich Execution Environment, REE). The secure world always uses a small secure kernel (TEE-kernel) to provide a trusted execution environment (Trusted Execution Environment, TEE), in which confidential data can be stored and accessed. In this way, even if the operating system in the normal world is compromised (e.g., iOS has been jailbroken or Android has been rooted), an attacker still cannot obtain the confidential data stored in the TEE. Thus, the secure world can provide trusted storage for the normal world (the non-secure world), and even if the REE is compromised, the integrity of the data stored in the secure world is preserved.
There are currently several schemes for verifying the control flow integrity of a remote device. The first scheme is shown in fig. 3a and 3b, which are schematic diagrams of an ARM TrustZone-based control flow integrity verification architecture.
Step 1: the verifier statically analyzes the target application module on the remote device to obtain the control flow graph of the target application. The control flow graph covers the paths of all legal control flows of the target application.
Step 2: each path in the control flow graph is measured, that is, its hash value is computed, and the hash value is stored in the Measurement DB.
Step 3: the verifier sends a verification request, namely Challenge c, to the target application on the remote device.
Step 4: the target application is executed on the remote device, and its control flow jump path is recorded during execution. The jump path includes the addresses of the branch jumps at which the target application may be attacked during execution, including forward and backward jumps.
Since the number of branch jumps during execution of the target application is very large, the amount of data generated is also very large. To reduce the data volume transmitted over the network, the branch jump addresses are recorded by computing a hash value over them in a specific way. Specifically, the hash value Measurement_n after the n-th branch jump is:
Measurement_n = Hash(Measurement_{n-1} || Destination Address)
where Measurement_{n-1} is the hash value after the previous jump and Destination Address is the destination address that the target application jumps to at the jump being measured.
Step 5: the remote device signs the verification request (Challenge c) together with Measurement_n, generates a verification report, and sends the verification report to the verifier.
During execution, the target application cannot by itself record the jump addresses it takes. Thus, the target application also needs to be modified and instrumented. Referring to fig. 3b, according to the original logic of the target application, execution continues at ins_c after the branch_c instruction, but the branch jump address cannot be recorded. Thus, the program needs to be instrumented so that the branch_c instruction jumps to the trampolines (the springboard code). The trampolines send the jump address to the trusted storage provided by ARM TrustZone and then jump to the ins_c instruction. As shown in fig. 3b, first a jump instruction is inserted at the instrumentation point of the target application so that the springboard code executes at the branch jump, corresponding to (2) in fig. 3b. The springboard code then sends the branch jump address to the Hash Engine of the secure world, corresponding to (3) in fig. 3b.
The Hash Engine in the secure world computes the measurement of the branch jump address. If all branch jumps have been processed, it generates a verification report (Attestation Report), corresponding to (4) in fig. 3b. Otherwise, control returns to the springboard code, corresponding to (5) in fig. 3b. The springboard code then jumps to the next instruction and the application continues executing, corresponding to (6) in fig. 3b.
Step 6: the verifier verifies the signature of the received verification report and then searches the Measurement DB for the Measurement_n carried in the report. If a hash value identical to Measurement_n is found in the Measurement DB, the control flow path on the remote device is legal; otherwise, the path has been attacked.
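The measurement chain of steps 2 to 6 and the verifier's lookup, as an added example that is not part of the patent: SHA-256 is used for Hash, an all-zero Measurement_0 and 8-byte big-endian addresses are assumed (the page fixes neither), and an HMAC under a shared device key stands in for the signature of step 5. The constructed control flow graph has two legal paths; the demo also shows why the verifier must bind the report to the current Challenge c, since a genuine report replayed from an earlier challenge would otherwise pass the DB lookup.

```python
import hashlib
import hmac

HASH = hashlib.sha256
MEASUREMENT_0 = bytes(32)   # assumed initial value; the page gives none


def measure(destinations, initial=MEASUREMENT_0):
    """Measurement_n = Hash(Measurement_{n-1} || Destination Address), folded over the jumps.
    Each destination address is encoded as 8 big-endian bytes (our choice)."""
    m = initial
    for dest in destinations:
        m = HASH(m + dest.to_bytes(8, "big")).digest()
    return m


def build_measurement_db(legal_paths):
    """Steps 1-2 on the verifier: one measurement per legal path of the control flow graph."""
    return {measure(path): path for path in legal_paths}


def prover_report(challenge, destinations, device_key):
    """Steps 4-5 on the remote device: measure the jumps, then sign (Challenge c || Measurement_n).
    An HMAC under a shared key stands in for the signature; the page does not fix the scheme."""
    m = measure(destinations)
    tag = hmac.new(device_key, challenge + m, HASH).digest()
    return {"challenge": challenge, "measurement": m, "signature": tag}


def verify_report(report, challenge, db, device_key):
    """Step 6 on the verifier: check the signature and the challenge, then look the measurement up."""
    expected = hmac.new(device_key, report["challenge"] + report["measurement"], HASH).digest()
    if not hmac.compare_digest(expected, report["signature"]):
        return "bad signature"            # report or measurement altered in transit
    if report["challenge"] != challenge:
        return "stale report"             # a genuine report for an earlier challenge, replayed
    return "legal path" if report["measurement"] in db else "path not in CFG"


# Constructed control flow graph: two legal paths through a target application.
LEGAL_PATHS = [
    [0x1000, 0x1040, 0x1080],   # the branch at 0x1040 taken one way
    [0x1000, 0x1040, 0x10c0],   # ... and the other way
]


def demo():
    """Four reports against the same challenge; returns the verifier's verdict on each."""
    key = b"constructed-device-key"
    db = build_measurement_db(LEGAL_PATHS)
    challenge = b"challenge-c-0001"
    good = prover_report(challenge, [0x1000, 0x1040, 0x10c0], key)
    diverted = prover_report(challenge, [0x1000, 0x1040, 0x2000], key)      # destination outside the CFG
    old = prover_report(b"challenge-c-0000", [0x1000, 0x1040, 0x1080], key)  # answer to a previous challenge
    forged = dict(good, measurement=diverted["measurement"])               # measurement swapped, signature kept
    return tuple(verify_report(r, challenge, db, key) for r in (good, diverted, old, forged))
```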
Although the first scheme can verify the control flow integrity of the remote device, when the target application executes on the remote device, each branch jump performs three operations more than the original program logic: (1) the jump to the trampolines; (2) the context switch from the normal world to the secure world; (3) the hash operation in the secure world. Of these three, the context switch from the normal world to the secure world has the highest performance overhead. Thus, in the first scheme the overall performance overhead of the system grows linearly with the number of branch jumps to be verified, and if the application has many branch jumps to verify, the performance overhead is very large.
The second scheme, shown in fig. 4, is LO-FAT, a hardware-based remote verification technique for control flow that modifies the processor pipeline, tracks the control flow with a widely available branch filter, and provides on-chip storage to hold the measurement values of the control flow path.
In the second scheme the processor pipeline needs to be modified. This is a deep customization for remote attestation of control flow integrity; it is implemented on an open-source RISC-V microcontroller SoC (PULPino) and is feasible for academic research, but the modification is too large for commercial processors to be accepted by commercial processor vendors.
The main application scenario of the method is control flow integrity verification of remote devices in an Internet of Things system. The overall system architecture mainly comprises a verifier and a prover. The prover sends a remote verification report to the verifier to prove that its current state is normal and has not been attacked. After the verifier determines from the report that the prover's state is normal, confidential data may be transmitted to the prover. Fig. 5 is an application scenario diagram provided in an embodiment of the present application. The remote verification scheme for control flow integrity based on the application-only Memory is mainly applied to an Internet of Things system. The architecture of the Internet of Things system shown in fig. 5 includes a server 10 and front-end devices 11, 12, 13 and 14. The front-end devices 11, 12, 13 and 14 can all communicate with the server 10. Each of the front-end devices 11, 12, 13 and 14 has a low security domain and a high security domain. The high security domain has higher privileges than the low security domain; that is, the high security domain can manage the memory and control the access permissions of the low security domain to the memory.
When the server 10 needs to communicate with the front-end device 11, the server 10 first needs to verify the availability of the target application on the front-end device 11 with which it communicates. In this verification process, the server 10 acts as the verifier and the verified front-end device 11 acts as the prover. The server 10 first needs to acquire the control flow graph of the target application being verified on the front-end device 11; this control flow graph covers the paths of all legal control flows of the target application. Then, the server 10 computes a hash value for each path in the acquired control flow graph and saves the hash values in its database. The server 10 then initiates a verification request to the target application on the front-end device 11. After the front-end device 11 receives the verification request sent by the server 10, the low security domain in the front-end device 11 sends a memory initialization request to the high security domain, requesting that the high security domain allocate an application-only Memory (AOM) storage area for the low security domain. After the high security domain has allocated the application-only Memory for the low security domain, the target application is executed in the low security domain, and the jump address information of the control flow paths during execution of the target application is recorded in the application-only Memory. When execution of the target application completes, or the application-only Memory raises a memory full exception, the low security domain sends a data read request to the high security domain.
After the high security domain receives the data read request sent by the low security domain, it reads the control flow jump paths of the target application from the application-only Memory and computes the hash value of each control flow jump path. Then a verification report is generated in the high security domain from the hash value of each control flow jump path and the verification request transmitted by the server, and the verification report is passed to the low security domain. After the low security domain signs the verification report, it is sent to the server 10. After receiving the verification report, the server 10 verifies its signature. The server 10 then obtains the hash value of the control flow path from the verification report and checks whether the same hash value exists in the database of the server 10. If so, the control flow path of the target application on the front-end device 11 is legal. Otherwise, the target application on the front-end device 11 has been attacked.
Fig. 6 is a schematic structural diagram of a front-end device according to an embodiment of the present application. Referring to fig. 6, the front-end device includes: a low security domain 61, a high security domain 62, firmware 63, an application-only Memory (AOM) 64, a storage area NW Memory corresponding to the low security domain, and a storage area SW corresponding to the high security domain. The low security domain 61 runs a commodity operating system that provides a rich execution environment REE. The high security domain 62 provides a trusted execution environment TEE using a small secure kernel (TEE-kernel), in which confidential data may be stored and accessed.
The low security domain 61 includes a communication initialization module 611, an exception handling module 612 and a target application 613. The high security domain 62 includes a memory initialization module 621, a data collection module 622 and a remote attestation module 623.
The communication initialization module 611 is configured to receive the remote verification request from the verifier. After receiving the verification request, the communication initialization module 611 sends a memory initialization request to the memory initialization module 621 of the high security domain.
The memory initialization module 621 allocates an application-only Memory to the low security domain after receiving the memory initialization request sent by the communication initialization module 611. The application-only Memory is a storage area to which data can only be added. Allocating an application-only Memory to the low security domain 61 by the memory initialization module 621 mainly involves modifications to the memory controller in the processor.
Fig. 7 is a schematic diagram of a processor system according to an embodiment of the present application. As shown in fig. 7, the memory controller sits between the CPU Core and the dynamic random access memory (DRAM) and implements the access control from the CPU Core to the DRAM. In one example, the process by which the memory initialization module 621 allocates an application-only Memory for the low security domain 61 includes steps 1 and 2.
Step 1: three registers are added to the memory controller: the ADDRESS_S Register, the ADDRESS_E Register and the Cursor Register, representing the start address, the end address and the current writable location respectively. The newly added registers are writable only in the high security domain 62 and not in the low security domain 61.
Step 2: the memory initialization module 621 obtains a continuous segment of physical addresses in the memory. It then writes the start address of the physical address range into the ADDRESS_S Register, the end address into the ADDRESS_E Register, and the current writable address into the Cursor Register. When initialization of the application-only Memory has just completed, the value of the Cursor Register is the start address of the physical address range.
After the memory initialization module 621 has allocated an application-only Memory to the low security domain 61, the target application 613 is executed in the low security domain 61, and the jump address information of each branch jump taken by the target application 613 is recorded in the application-only Memory by the CPU.
In one possible example, to obtain the information of each branch jump taken by the target application, the target application needs to be instrumented, which comprises steps 1 to 3.
Step 1: obtain the code file of the target application, where the code file includes a plurality of branches.
The acquired code file may be the source code of the target application or the binary code of the target application.
Step 2: for each of the plurality of branches in the code file, replace the source instruction at the branch with a jump instruction, where the jump instruction causes the target application to execute springboard code, and the springboard code includes the source instruction at the branch.
Because the springboard code is long, replacing the source instruction at the branch with it directly would disturb the layout of the code file. Thus, the source instruction is replaced with a jump instruction of the same length as the source instruction at the branch, so that when the code file executes the jump instruction it automatically jumps to the springboard code, where the source instruction is executed. After the source instruction has been executed in the springboard code, execution automatically jumps to the next instruction.
Step 3: execute the source instruction in the springboard code to obtain the path information of the next instruction to be jumped to.
In one possible example, when the target application 613 has finished executing, the exception handling module 612 sends a data read request to the data collection module 622, so that the data collection module 622 reads the address information of the branch jump addresses of the target application 613 from the application-only Memory. After the data collection module 622 has read this address information from the application-only Memory, it must also reset the application-only Memory so that the low security domain can continue to store data.
In another possible example, when an exception occurs in the application-only Memory, the exception handling module 612 determines which exception occurred in the application-only Memory. Taking the memory full exception as an example: the exception handling module 612 sends a data read request to the data collection module 622, so that the data collection module 622 reads the address information of the branch jump addresses of the target application 613 from the application-only Memory. After the data collection module 622 has read this address information, it must also reset the application-only Memory so that the application-only Memory can go on storing the address information of the branch jump addresses of the target application.
After the data collection module 622 has read the address information of the branch jump addresses of the target application 613 from the application-only Memory, the acquired address information is sent to the remote attestation module 623. The remote attestation module 623 computes a hash value for each piece of address information received. After execution of the target application 613 has completed, the computed hash values and the received remote verification request are signed, generating a verification report. The remote attestation module 623 then sends the verification report to the communication and initialization module 611, which sends the verification report to the remote device for verification.
In the embodiment of the present application, the high security domain allocates an application-only Memory to the low security domain by adding registers and the related logic in the memory controller. Because data can only be added to the application-only Memory, the data stored in it cannot be tampered with by an attacker, and the integrity of the data stored in the application-only Memory by the low security domain is ensured. Further, during execution of the target application, the path information acquired in the low security domain is stored in the application-only Memory, and its data is sent to the high security domain only when execution of the target application finishes or the application-only Memory raises a memory full exception. This reduces the number of context switches between the low security domain and the high security domain and greatly improves the performance of remote verification of the control flow.
Fig. 8 is a flowchart of an application-only Memory remote verification method according to an embodiment of the present application. The method is executed by front-end equipment in the internet of things system shown in fig. 5, wherein the front-end equipment comprises a low security domain and a high security domain, and the high security domain has higher authority than the low security domain. Referring to fig. 8, the method includes steps S801 to S805.
In step S801, a verification request sent by a remote device is received, where the verification request is used to request verification of a target application in a low security domain.
The communication and initialization module 611 in the head-end equipment receives the authentication request from the remote equipment. The authentication request includes information of the target application program to be authenticated.
In step S802, a memory initialization request is sent to the high security domain, so that the high security domain allocates a first storage area for the low security domain, where the first storage area is a storage area to which only data can be added.
After the communication and initialization module receives the verification request sent by the remote device, it sends a memory initialization request to the memory initialization module of the high security domain. The memory initialization request asks the memory initialization module of the high security domain to allocate a first storage area, namely an application-only Memory, for the low security domain, where the first storage area is a storage area to which data can only be added.
In one possible example, for the memory initialization module to allocate a first storage area for the low security domain, three registers first need to be added to the memory controller: the ADDRESS_S Register, the ADDRESS_E Register and the Cursor Register. The ADDRESS_S Register represents the start address of the first storage area, the ADDRESS_E Register represents the end address of the first storage area, and the Cursor Register represents the current writable location of the first storage area. When initialization of the first storage area has just completed, the current writable location of the first storage area is its start address. The memory initialization module then acquires a segment of continuous physical addresses from the memory of the front-end device and writes them into the three newly added registers in the memory controller. Specifically, the memory initialization module writes the start address of the physical address range into the ADDRESS_S Register, the end address into the ADDRESS_E Register, and the current writable address into the Cursor Register. The initial value of the Cursor Register is the start address of the physical address range.
In another possible embodiment, an ADDRESS_S Register and a MEMORY_SIZE Register may instead be used to represent the start address and the size of the application-only Memory, respectively. That is, the ADDRESS_S Register and ADDRESS_E Register of the above example are replaced with an ADDRESS_S Register and a MEMORY_SIZE Register to identify the address range of the application-only Memory.
Step S803, the target application is executed, and the control flow jump path in the execution process of the target application is recorded in the first storage area.
Because the target application program is directly executed in the low security domain, the path information of the control flow for jumping in the execution process of the target application program cannot be obtained. Thus requiring modification and instrumentation of the target application. I.e. before executing the target application, it is necessary to obtain the code file of the target application, and to insert a jump instruction at each branch of the code file of the target application. In one example, the nth instruction of the target application is replaced with a jump instruction and placed into the springboard code. When the target application program executes to the nth instruction, a jump instruction inserted at the nth instruction is executed, and jumps to the springboard code. The target application program executes the nth instruction in the springboard code, and automatically jumps to the (n+1) th instruction after the execution of the nth instruction is completed. At this time, the springboard code obtains the address information of the (n+1) th instruction, and sends the address information to the first storage area for storage.
When the CPU is in the low security domain, the process of writing the path information of the control flow jumps of the target application program into the first storage area is as shown in fig. 9. Referring to fig. 9, the process includes steps S901 to S909.
In step S901, the start address ADDRESS_S, the current writable address Cursor and the end address ADDRESS_E of the first storage area are acquired.
In step S902, the current write address x and the data length y of the address information to be written to the first storage area are obtained.
Step S903, it is determined whether the current write address x lies between the start address ADDRESS_S and the end address ADDRESS_E of the first storage area. If x >= ADDRESS_S and x < ADDRESS_E, step S905 is performed; otherwise step S904 is performed.
Step S904, the processing logic of an ordinary memory write is executed.
Step S905, it is determined whether the current write address x is equal to the current writable address Cursor of the first storage area. If x = Cursor, step S907 is executed; otherwise step S906 is executed.
In step S906, a write exception is generated, the CPU jumps to the exception handling module, and the exception handling module processes the write exception.
The case in which the current write address x is not equal to the current writable address Cursor of the first storage area covers two situations. In the first, x < Cursor, and it can be determined that the current operation is attempting to modify data already stored in the first storage area. The first storage area then generates a modification exception, the CPU jumps to the exception handling module, and the exception handling module halts the current program's modification of the first storage area. In the second, x > Cursor, the first storage area generates a discontinuous write exception, the CPU jumps to the exception handling module, and the exception handling module halts the current program's write to the first storage area. This prevents an attacker from modifying data already stored in the first storage area.
In step S907, the address information is written into the first storage area and the current writable address Cursor of the first storage area is updated to Cursor = Cursor + y.
Step S908, it is determined whether the updated current writable address Cursor is equal to the end address ADDRESS_E of the first storage area. If the updated Cursor = ADDRESS_E, step S909 is executed; otherwise the process returns to step S902.
In step S909, a memory full exception is generated, the CPU jumps to the exception handling module, and the exception handling module sends a data read request to the high security domain.
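The write check of steps S901 to S909, as an added example in Python that is not code from the patent: the three registers are modelled as fields, the three exceptions as Python exception classes, and the controller accepts a list of regions so that it also covers the later multi-region embodiment (one register set per region); the 4-byte address width and the demo scenario are constructed assumptions.

```python
"""Simulation of the append-only ("application-only") storage area write
check of steps S901 to S909. Added example, not code from the patent: the
register names ADDRESS_S, ADDRESS_E and Cursor follow the text, the
exception classes and Python structure are this example's assumptions."""
from dataclasses import dataclass, field

class ModificationException(Exception): ...        # S906: x < Cursor
class DiscontinuousWriteException(Exception): ...  # S906: x > Cursor
class MemoryFullException(Exception): ...          # S909: Cursor == ADDRESS_E

WIDTH = 4  # bytes per recorded address (constructed: 32-bit targets)

@dataclass
class AppendOnlyRegion:
    """The three registers the patent adds per application-only Memory."""
    address_s: int
    address_e: int
    cursor: int = field(init=False)

    def __post_init__(self) -> None:
        self.reset()

    def reset(self) -> None:
        # After (re)initialisation the writable location is the start address.
        self.cursor = self.address_s

    def contains(self, x: int) -> bool:
        return self.address_s <= x < self.address_e   # S903

@dataclass
class MemoryController:
    """Flat byte memory plus any number of append-only regions: fig. 9 is the
    one-region case, the later multi-region embodiment the general one."""
    size: int
    regions: list = field(default_factory=list)
    mem: bytearray = field(init=False)
    ordinary_writes: int = 0

    def __post_init__(self) -> None:
        self.mem = bytearray(self.size)

    def write(self, x: int, data: bytes) -> None:
        y = len(data)                                   # S902: length y
        for r in self.regions:                          # S901: the registers
            if not r.contains(x):                       # S903
                continue
            if x < r.cursor:                            # S905/S906, case 1
                raise ModificationException(hex(x))
            if x > r.cursor:                            # S905/S906, case 2
                raise DiscontinuousWriteException(hex(x))
            if x + y > r.address_e:                     # would spill past ADDRESS_E
                raise MemoryFullException(hex(x))
            self.mem[x:x + y] = data                    # S907: append ...
            r.cursor += y                               # ... and advance Cursor
            if r.cursor == r.address_e:                 # S908
                raise MemoryFullException(hex(r.cursor))  # S909
            return
        self.mem[x:x + y] = data                        # S904: ordinary write
        self.ordinary_writes += 1

def record_path(ctrl: MemoryController, region: AppendOnlyRegion,
                dest: int) -> None:
    """Springboard action: append the next instruction's address at Cursor."""
    ctrl.write(region.cursor, dest.to_bytes(WIDTH, "little"))

def collect_paths(ctrl: MemoryController, region: AppendOnlyRegion) -> list:
    """Data collection module: read ADDRESS_S..Cursor, then reinitialise."""
    raw = ctrl.mem[region.address_s:region.cursor]
    paths = [int.from_bytes(raw[i:i + WIDTH], "little")
             for i in range(0, len(raw), WIDTH)]
    region.reset()
    return paths

def demo() -> dict:
    """Constructed scenario on a 16-byte region (four address slots): three
    appends, a blocked overwrite, a blocked gap write, an ordinary write
    outside the region, then the memory-full exception on the fourth slot."""
    region = AppendOnlyRegion(address_s=0x100, address_e=0x110)
    ctrl = MemoryController(size=0x200, regions=[region])
    out = {}
    for dest in (0x4000, 0x4010, 0x4020):
        record_path(ctrl, region, dest)
    out["cursor"] = region.cursor                       # 0x10c
    try:
        ctrl.write(0x100, (0x9999).to_bytes(WIDTH, "little"))  # rewrite slot 0
    except ModificationException:
        out["overwrite_blocked"] = True
    try:
        ctrl.write(0x10e, b"\x00\x00")                  # skips two bytes
    except DiscontinuousWriteException:
        out["gap_blocked"] = True
    ctrl.write(0x010, b"ok")                            # not in any region
    out["ordinary_writes"] = ctrl.ordinary_writes
    try:
        record_path(ctrl, region, 0x4030)               # fourth slot fills it
    except MemoryFullException:
        out["full"] = True
    out["paths"] = collect_paths(ctrl, region)          # read, then reset
    out["cursor_after_reset"] = region.cursor
    return out
```

Note that the data written just before the memory full exception stays in the region, which is why the data collection module can still read all four addresses before resetting the Cursor.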
Step S804, based on the completion of the execution of the target application program or the occurrence of the memory fullness abnormality in the first storage area, a data read request is sent to the high security domain, so that the high security domain reads the control flow jump path from the first storage area, and generates a verification report according to the control flow jump path.
In this embodiment of the present application, the exception handling module is triggered to send a data read request to the high security domain when the target application completes execution or when the first storage area generates a memory full exception.
In one possible example, if the storage space of the first storage area is small, a memory full exception occurs before the target application has finished executing and triggers the exception handling module 612 to send a data read request to the high security domain. After the data collection module 622 of the high security domain receives the data read request, it reads the path information from the first storage area. The data collection module 622 then sends the path information to the remote authentication module 623 and, at the same time, reinitializes the first storage area, i.e. resets the ADDRESS_S Register, ADDRESS_E Register and Cursor Register, for subsequent use by the low security domain. After the first storage area has been reinitialized, the target application program continues to execute and its control flow jump path continues to be recorded in the first storage area. After the target application completes execution, it triggers the exception handling module 612 to send a data read request to the data collection module 622. The data collection module 622 reads the path information from the first storage area and transmits it to the remote authentication module 623, which generates a verification report according to the received path information.
In one possible example, if the storage space of the first storage area is large, no memory full exception occurs in the first storage area before the target application finishes executing. In this case, only after the target application program completes execution does it trigger the exception handling module 612 to send a data read request to the data collection module 622. The data collection module 622 reads the path information from the first storage area and transmits it to the remote authentication module 623, which generates a verification report according to the received path information.
The remote authentication module 623 computes a hash value for each control flow jump path of the target application that it receives. It then signs the computed hash values together with the verification request received by the communication and initialization module 611, generating a verification report, and sends the verification report to the communication and initialization module 611, which sends it to the remote device.
The remote authentication module 623 may calculate a hash value for a control flow jump path of the target application program each time one is received. Alternatively, it may store the received control flow paths of the target application and calculate the hash values for them after the target application has completed execution.
In one example, calculating the hash value of each path also requires the hash value of the previous path. Taking the hash value of the nth path as an example, hashing the nth path gives the hash value $\mathrm{Measurement}_n$ of the nth path as follows:
$$\mathrm{Measurement}_n = \mathrm{Hash}(\mathrm{Measurement}_{n-1} \,\|\, \mathrm{Destination\ Address})$$
where $\mathrm{Measurement}_{n-1}$ is the hash value of the (n-1)th path, and Destination Address is the destination address to which the target application program needs to jump when executing the nth path.
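The chained measurement above and the remote device's use of the resulting report, as an added example that is not the patent's code: SHA-256 as Hash, a 4-byte little-endian encoding of Destination Address, an all-zero initial Measurement, and an HMAC standing in for the device's unspecified signature scheme are all assumptions, as is the verifier-side check function.

```python
"""Chained measurement of the recorded control flow jump paths,
Measurement_n = Hash(Measurement_{n-1} || Destination Address), and the
verifier-side check of the resulting report. Added example, not code from
the patent; SHA-256, the 4-byte little-endian address encoding, the all-zero
Measurement_0 and the HMAC-based report signature are assumptions."""
import hashlib
import hmac

WIDTH = 4                     # bytes per destination address (constructed)
MEASUREMENT_0 = bytes(32)     # assumed initial value before the first path


def measure(paths: list, prev: bytes = MEASUREMENT_0) -> bytes:
    """Fold destination addresses into the chain, starting from prev.
    Hashing each batch as it arrives (the memory-full case) or everything
    at the end gives the same final value, since the chain state is returned."""
    m = prev
    for dest in paths:
        m = hashlib.sha256(m + dest.to_bytes(WIDTH, "little")).digest()
    return m


def make_report(measurement: bytes, request: bytes, key: bytes) -> dict:
    """Remote verification module: bind the final measurement to the
    verifier's request and sign it. HMAC stands in for the device's
    signature scheme, which the text leaves unspecified (assumption)."""
    body = measurement + request
    return {"measurement": measurement, "request": request,
            "signature": hmac.new(key, body, hashlib.sha256).digest()}


def verify_report(report: dict, expected_paths: list, request: bytes,
                  key: bytes) -> bool:
    """Remote device (assumed behaviour): recompute the chain over the
    expected jump sequence and check signature and request freshness."""
    body = report["measurement"] + report["request"]
    sig_ok = hmac.compare_digest(
        report["signature"], hmac.new(key, body, hashlib.sha256).digest())
    request_ok = hmac.compare_digest(report["request"], request)
    chain_ok = hmac.compare_digest(report["measurement"],
                                   measure(expected_paths))
    return sig_ok and request_ok and chain_ok


def demo() -> dict:
    """Constructed run: the expected path delivered in two batches (memory
    full exception midway), a diverted path with one differing jump target,
    and a report replayed against a different verification request."""
    key = b"constructed-device-key"
    request = b"request-0001"
    expected = [0x4000, 0x4010, 0x4020, 0x4030, 0x4040]
    m = measure(expected[:3])                  # batch 1: memory full exception
    m = measure(expected[3:], prev=m)          # batch 2: execution completed
    report = make_report(m, request, key)
    diverted = expected[:2] + [0x7F00] + expected[3:]
    bad = make_report(measure(diverted), request, key)
    return {
        "batched_equals_single": m == measure(expected),
        "good_accepted": verify_report(report, expected, request, key),
        "diverted_rejected": not verify_report(bad, expected, request, key),
        "replay_rejected": not verify_report(report, expected,
                                             b"request-0002", key),
    }
```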
step S805, transmitting the verification report to a remote device.
In the embodiment of the application, the high security domain allocates to the low security domain a first storage area (application-only Memory) to which data can only be appended, so that the data stored in the application-only Memory cannot be tampered with by an attacker, and the integrity of the data stored in the application-only Memory under the low security domain is ensured. Further, during the execution of the target application program, the path information acquired in the low security domain is stored in the application-only Memory, and the data in the application-only Memory is sent to the high security domain only when the execution of the target application program finishes or the application-only Memory generates a memory full exception. This reduces the number of context switches between the low security domain and the high security domain and greatly improves the performance of remote verification of the control flow.
In the remote authentication scheme shown in fig. 8, only one application-only Memory exists in the system of the front-end device. However, the invention is not limited to a single application-only Memory in the whole system. The embodiment of the application also provides a scheme for remotely verifying a plurality of applications in the same system in parallel. In this embodiment, multiple segments of application-only Memory can be provided for multiple processes in the system of the front-end device by setting multiple groups of registers in the memory controller of the front-end device. Each segment of application-only Memory corresponds to 3 registers, named the ADDRESS_S Register, the ADDRESS_E Register and the Cursor Register respectively. The ADDRESS_S Register records the start address of the application-only Memory, the ADDRESS_E Register records the end address of the application-only Memory, and the Cursor Register records the current writable position of the application-only Memory.
Fig. 10 is a flowchart of an application-only Memory remote verification method according to an embodiment of the present application. The method can be performed by a front-end device in the internet of things system shown in fig. 6, wherein the front-end device comprises a low security domain and a high security domain, the high security domain has higher authority than the low security domain, and a memory of the front-end device is divided into a plurality of sub-areas. Referring to fig. 10, the method includes steps S1001 to S1006.
In step S1001, a plurality of authentication requests sent by a remote device are received, where the plurality of authentication requests are used to request authentication of a plurality of target applications in the low security domain.
The communication and initialization module 611 in the head-end equipment receives the authentication request from the remote equipment. The authentication request includes information of the target application program to be authenticated.
Step S1002, allocating a sub-area for each application program of the plurality of target application programs.
In one possible example, allocating a sub-region to each of the plurality of target applications requires the code file of each target application to be acquired. An operation code file is then inserted into the acquired code file, so that the target application program performs its read and write operations on one of the multiple sub-areas during execution.
It should be noted that, the target application program and the sub-region are in one-to-one correspondence.
In step S1003, a memory initialization request is sent to the high security domain, so that the high security domain allocates a first storage area to each sub-area, and the first storage area is a storage area to which only data can be added.
Step S1004, for each of the plurality of target application programs, executing the target application program, and recording the control flow jump path in the execution process of the target application program to the first storage area of the sub-area corresponding to the target application program.
In step S1005, based on the completion of the execution of the target application program or the occurrence of a memory full exception in its first storage area, a data read request is sent to the high security domain, so that the high security domain reads the control flow jump paths from the first storage area and generates a verification report according to them.
Step S1006, the verification report is sent to the remote device.
The execution process for each target application in steps S1003-S1006 is the same as steps S802-S805, and will not be described in detail here.
Further, to describe in detail how multiple segments of application-only Memory are provided for use by multiple processes in the system of the front-end device, the ARM CoreLink TZC-400 TrustZone Address Space Controller is taken as an example; the TZC-400 supports a multiple-region architecture. The division of the regions of the TZC-400 is shown in fig. 11: it supports 9 regions, where region 0 is the base region containing all physical addresses, and the other regions are carved out of region 0 without overlapping each other.
For each region in the TZC-400, a set of registers records the region's range and access rights. The start address of the region is recorded by setting the Base address register, and the end address of the region by setting the Top address register. The access rights of the high security domain to the region are recorded by setting the Region attribute register. The access rights of each core of the CPU to the region when that core is in the low security domain are recorded by setting the Region ID access register.
In one example, region 1 of the TZC-400 is used to illustrate how a processor with the multi-region architecture supported by the TZC-400 implements the application-only Memory based remote verification scheme for control flow integrity. The start address of region 1 is recorded by setting its Base address register, and the end address of region 1 by setting its Top address register. The access rights of the high security domain to region 1 are recorded by setting its Region attribute register. The access rights of each core of the CPU to region 1 when that core is in the low security domain are recorded by setting its Region ID access register. The implementation flow of the scheme comprises the following steps, step 1 to step 4.
Step 1, for region1, adding a first register and a second register in the memory controller, wherein the first register is used for recording the application-only attribute of region1, and the second register is used for recording the current writable position of region 1.
In one possible example, a first register, the Region_Application_1 Register, is added to the memory controller to record the application-only attribute of region 1, and a second register, the Region_Cursor_1 Register, is added to the memory controller to record the current writable location of region 1.
Step 2, the memory initialization module obtains a section of continuous physical address in the memory of the front-end equipment.
Step 3, the start address and the end address of region 1 are replaced with the start address and the end address of the physical address segment acquired by the memory initialization module, and the current writable position of region 1 is set to the start address of the physical address segment.
Specifically, the memory initialization module writes the acquired start address of the physical address segment into both the Base address register of region 1 and the Region_Cursor_1 Register, and writes the end address of the physical address segment into the Top address register of region 1.
Step 4, the attribute information of region 1 is set through the memory initialization module, where the attribute information includes the access permission and write permission of region 1 and the application-only attribute of region 1.
Specifically, the memory initialization module may set s_rd_en=1 in the Region attribute register of region 1 so that region 1 is readable by the high security domain. Then, the write permission of each core of the CPU for region 1 is set through the memory initialization module, so that the core on which the target application running in region 1 executes can write to region 1, and the other cores of the CPU cannot.
Further, the memory initialization module sets, through the Region_Application_1 Register, the application-only permission of the application-only Memory of region 1 for the core on which the target application running in region 1 executes. As shown in fig. 12, when the target application running in region 1 has application-only permission for the application-only Memory of region 1, the application-only permission parameter nsaid_ap_en=1 is set; otherwise nsaid_ap_en=0 is set. Although the above embodiment only describes the settings of the application-only Memory for region 1, the settings of the application-only Memory on the other regions of the TZC-400 are the same as those for region 1 and are not repeated here.
After the memory initialization module has allocated an application-only Memory for each region, the process of remotely verifying the control flow of the target application program on each region is the same as steps S801 to S805 and is not described again here.
In the embodiment of the application, a scheme for remotely verifying multiple applications in the same system in parallel is provided based on a processor supporting a multi-region architecture. Different regions are allocated to different target application programs so that the control flow data of different target application programs cannot be confused with one another, and by adding multiple sets of registers to the memory controller an application-only Memory is provided for each region, so that remote authentication services can be provided separately for different applications in the same system.
The embodiment of the application also provides front-end equipment which can be used for realizing the remote verification method based on the application-only Memory as shown in fig. 8 and 9. As shown in fig. 13, the front-end apparatus includes: processor 1301, network interface 1302, memory 1303. Optionally, the front-end device further comprises an input device 1304. Wherein the processor 1301, the network interface 1302, the memory 1303, the input device 1304 may be connected by a bus or other means.
The memory 1303 is the storage device of the front-end device and stores programs and data, such as a verification request sent by the server. The memory 1303 provides storage space holding the operating system of the device and the program instructions that implement the remote verification method. Operating systems include, but are not limited to, Windows (an operating system), Linux (an operating system), HarmonyOS (an operating system), and the like, without limitation.
In this scenario, processor 1301 (also referred to as a central processing unit (central processing unit, CPU)) is the computing core and control core of the front-end device. Processor 1301 reads the program instructions and data held in memory 1303 and thereby executes the remote authentication method. After reading the program instructions stored in memory 1303, processor 1301 stores the received verification request and sends a memory initialization request to the high security domain, so that the high security domain allocates an application-only Memory for the low security domain. Processor 1301 then executes the target application in the low security domain and records the control flow jump path during the execution of the target application into the application-only Memory.
The network interface 1302 may include a standard wired interface, a wireless interface (e.g., WI-FI, mobile communication interface, etc.). The network interface 1302 is controlled by the processor 1301 for transceiving data. For example, receiving a verification request sent by the server, and sending a verification report generated by the front-end device to the server. The input device 1304 is for receiving input information of a user.
The method steps in the embodiments of the present application may be implemented by hardware, or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (random access memory, RAM), flash memory, read-only memory (ROM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor such that the processor can read information from, and write information to, the storage medium. Alternatively, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When loaded and executed on a computer, these produce, in whole or in part, the flows or functions described in the embodiments of the present application. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in, or transmitted across, a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless means (e.g., infrared, radio, microwave). The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
It will be appreciated that the various numerical numbers referred to in the embodiments of the present application are merely for ease of description and are not intended to limit the scope of the embodiments of the present application.

Claims (22)

1. A remote authentication method, performed by a front-end device in an internet of things system, the front-end device including a low security domain and a high security domain, the high security domain having a higher authority than the low security domain, the method comprising:
receiving a verification request sent by a remote device, wherein the verification request is used for requesting to verify a target application program in the low security domain;
sending a memory initialization request to the high security domain so that the high security domain allocates a first storage area for the low security domain, wherein the first storage area is a storage area to which data can only be added;
executing the target application program, and recording a control flow jump path in the execution process of the target application program to the first storage area;
based on the completion of the execution of the target application program or the occurrence of a memory fullness abnormality in the first storage area, sending a data reading request to the high security domain, so that the high security domain reads a plurality of control flow jump paths from the first storage area, and generating a verification report according to the plurality of control flow jump paths after the completion of the execution of the target application program;
And sending the verification report to a remote device.
2. The method of claim 1, wherein the head-end equipment comprises a memory controller, and wherein the memory controller comprises: a first register, a second register, and a third register; the high security domain allocates a first storage area for the low security domain, including:
acquiring a section of continuous physical address through the high security domain, and taking the continuous physical address as the physical address of the first storage area;
initializing the first register, the second register and the third register so that the value of the first register is the starting address of the physical address, the value of the second register is the ending address of the physical address and the value of the third register is the current writable address of the physical address.
3. The method of claim 2, wherein the recording the control flow jump path during execution of the target application to the first storage area comprises:
acquiring a start address, a stop address and a current writable address of the first storage area;
acquiring the length of a control flow jump path required to be written into a first storage area by a target application program and a writing address written into the first storage area by the target application program;
Judging whether the writing address is the same as the current writable address of the first storage area or not based on the fact that the writing address is located between the starting address and the ending address of the first storage area;
generating a write exception based on the write address being different from a current writable address of the first storage area, stopping writing the control stream jump path into the first storage area;
and writing a control flow jump path into the first storage area based on the fact that the writing address is the same as the current writable address of the first storage area, and updating the current writable address of the first storage area according to the length of the control flow jump path.
4. A method according to any of claims 1-3, wherein the method further comprises, prior to the execution of the target application by the low security domain:
acquiring a code file of a target application program, wherein the code file comprises a plurality of branches;
for each of a plurality of branches in the code file, replacing a source instruction at the branch with a jump instruction, wherein the jump instruction is used for enabling the target application program to execute a springboard code, and the springboard code comprises the source instruction at the branch;
And executing the source instruction in the springboard code to acquire the path information of the next instruction needing to be jumped.
5. The method of claim 1, wherein after the high security domain reads the control flow jump path from the first storage area, the method further comprises:
the first storage area is reconfigured to enable the first storage area to store a control flow jump path of the low security domain write target application.
6. The method of claim 1, wherein generating the validation report from the plurality of control flow hopping paths comprises:
performing hash calculation on each of the control flow jump paths to obtain a plurality of hash values; wherein hashing the nth path gives the hash value $\mathrm{Measurement}_n$ of the nth path as:
$$\mathrm{Measurement}_n = \mathrm{Hash}(\mathrm{Measurement}_{n-1} \,\|\, \mathrm{Destination\ Address})$$
where $\mathrm{Measurement}_{n-1}$ is the hash value of the (n-1)th path, and Destination Address is the destination address that the target application needs to jump to when executing the (n-1)th path; and signing the hash values and the verification request to obtain a verification report.
7. A remote authentication method, wherein the method is performed by a front-end device in an internet of things system, the front-end device including a low security domain and a high security domain, the high security domain having a higher authority than the low security domain, a memory of the front-end device being divided into a plurality of sub-regions, the method comprising:
Receiving a plurality of verification requests sent by a remote device, wherein the verification requests are used for requesting verification of a plurality of target application programs in the low security domain;
assigning a sub-area to each of the plurality of target applications;
sending a memory initialization request to the high security domain, so that the high security domain allocates a first storage area for each sub-area, wherein the first storage area is a storage area to which data can only be added;
executing a target application program for each target application program in a plurality of target application programs, and recording a control flow jump path in the execution process of the target application program to a first storage area of a subarea corresponding to the target application program;
based on the completion of the execution of the target application program or the occurrence of memory fullness abnormality in the first storage area, sending a data reading request to the high security domain, so that the high security domain reads a plurality of control flow jump paths from the first storage area, and generating a verification report according to the plurality of control flow jump paths;
and sending the verification report to a remote device.
8. The method of claim 7, wherein the front-end device includes a memory controller, and wherein the memory controller includes: a third register and a fourth register; the sending a memory initialization request to the high security domain, so that the high security domain allocates a first storage area to each sub-area, includes:
For each target application program in a plurality of target application programs, acquiring a first register and a second register of the subarea, wherein the first register records a starting address of the subarea, and the second register records a termination address of the subarea;
acquiring a section of continuous physical address through the high security domain, and taking the continuous physical address as the physical address of the first storage area;
initializing the first register, a second register, a third register and a fourth register, so that the value of the first register is the initial address of the physical address, the value of the second register is the final address of the physical address, the value of the third register is the current writable address of the physical address, and the fourth register is used for storing the access right information of the first storage area.
9. The method of claim 7 or 8, wherein said assigning a sub-area to each of said plurality of target applications comprises:
for each target application program in a plurality of target application programs, acquiring a code file of the target application program;
and inserting an operation code file into the code file of the target application program, so that the target application program can perform read-write operation on one sub-area in a plurality of sub-areas in the execution process.
10. A terminal device, characterized in that the device comprises a low security domain and a high security domain, the high security domain has higher authority than the low security domain,
the low security domain includes:
the communication module is used for receiving a verification request sent by the remote equipment, wherein the verification request is used for requesting to verify the target application program in the low security domain;
the communication module is also used for sending a memory initialization request to the high security domain;
the processing module is used for executing the target application program and recording a control flow jump path in the execution process of the target application program to the first storage area;
the exception handling module is used for sending a data reading request to the high security domain;
the communication module is also used for receiving a verification report sent by the high security domain and sending the verification report to the remote equipment;
the high security domain includes:
the memory initialization module is used for allocating a first storage area for the low security domain according to the memory initialization request, wherein the first storage area is a storage area to which data can only be added;
the data collection module is used for reading a plurality of control flow jump paths in the first storage area;
And the verification module is used for generating a verification report according to the plurality of control flow jump paths.
11. The device of claim 10, wherein the terminal device comprises a memory controller, the memory controller comprising the memory initialization module, and the memory initialization module is used for:
acquiring a section of continuous physical address as the physical address of a first storage area;
initializing the first register, the second register and the third register, so that the value of the first register is the starting address of the physical address, the value of the second register is the ending address of the physical address, and the value of the third register is the current writable address of the physical address.
12. The apparatus of claim 11, wherein the processing module is further configured to
acquiring a starting address, an ending address and a current writable address of the first storage area;
acquiring the length of a control flow jump path to be written into the first storage area by the target application program, and the write address at which the target application program writes into the first storage area;
based on the write address being located between the starting address and the ending address of the first storage area, judging whether the write address is the same as the current writable address of the first storage area;
based on the write address being different from the current writable address of the first storage area, generating a write exception and stopping writing the control flow jump path into the first storage area;
and based on the write address being the same as the current writable address of the first storage area, writing the control flow jump path into the first storage area and updating the current writable address of the first storage area according to the length of the control flow jump path.
13. The apparatus of any of claims 10-12, wherein the processing module is further configured to, prior to executing the target application:
acquiring a code file of a target application program, wherein the code file comprises a plurality of branches;
for each of the plurality of branches in the code file, replacing the source instruction at the branch with a jump instruction, wherein the jump instruction is used for making the target application program execute a springboard code, and the springboard code comprises the source instruction at the branch;
and executing the source instruction in the springboard code to acquire the path information of the next instruction needing to be jumped.
14. The device of claim 10, wherein after reading the control flow jump path in the first storage area, the data collection module is further configured to:
reconfigure the first storage area, so that the low security domain can again write the control flow jump path of the target application program into the first storage area.
15. The apparatus of claim 10, wherein the verification module is configured to:
performing hash calculation on each of the control flow jump paths to obtain a plurality of hash values, wherein the hash value Measurement_n of the nth path is obtained by hash calculation as:
$\mathrm{Measurement}_n = \mathrm{Hash}(\mathrm{Measurement}_{n-1} \,\|\, \mathrm{Destination\ Address})$
wherein Measurement_{n-1} is the hash value of the (n-1)th path, and Destination Address is the destination address that the target application program needs to jump to when executing the (n-1)th path; and signing the hash values and the verification request to obtain a verification report.
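As an added illustration (not code from the patent or from the applicant), the following C model combines the write check of claim 12 and the hash chain of claim 15: the three registers of the append-only region, the accept/reject decision for a write, and the verifier's fold over the appended destination addresses. The 32-byte region size, 8-byte entries, Measurement_0 = 0 and the use of FNV-1a in place of the claim's unspecified Hash are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define AOM_BYTES 32  /* constructed size of the append-only region (assumption) */

/* Model of the append-only region: the three registers of claims 11 and 12. */
typedef struct {
    uint64_t start;           /* first register: starting address */
    uint64_t end;             /* second register: ending address (exclusive) */
    uint64_t cur;             /* third register: current writable address */
    uint8_t  mem[AOM_BYTES];  /* backing store for the example */
} aom_t;

enum { AOM_OK = 0, AOM_OUT_OF_RANGE = 1, AOM_WRITE_EXC = 2, AOM_FULL_EXC = 3 };

void aom_init(aom_t *r, uint64_t start) {
    r->start = start; r->end = start + AOM_BYTES; r->cur = start;
    memset(r->mem, 0, AOM_BYTES);
}

/* Claim 12 check: inside the region a write is accepted only at the current writable
 * address; any other address is a write exception; overrunning the end is memory-full. */
int aom_write(aom_t *r, uint64_t addr, const void *data, size_t len) {
    if (addr < r->start || addr >= r->end) return AOM_OUT_OF_RANGE;
    if (addr != r->cur) return AOM_WRITE_EXC;        /* rewind/overwrite attempt */
    if (r->cur + len > r->end) return AOM_FULL_EXC;  /* triggers the read-out request */
    memcpy(r->mem + (addr - r->start), data, len);
    r->cur += len;                                   /* advance by the path length */
    return AOM_OK;
}

/* Claim 15 chain: Measurement_n = Hash(Measurement_{n-1} || Destination Address).
 * FNV-1a over the 16 concatenated bytes stands in for the claim's unspecified Hash. */
uint64_t chain_step(uint64_t prev, uint64_t dest) {
    uint8_t buf[16]; uint64_t h = 0xcbf29ce484222325ULL;
    memcpy(buf, &prev, 8); memcpy(buf + 8, &dest, 8);
    for (size_t i = 0; i < sizeof buf; i++) { h ^= buf[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* High-security-domain side: fold every appended 8-byte destination address,
 * from the starting address up to the current writable address, into one value. */
uint64_t aom_measure(const aom_t *r) {
    uint64_t m = 0, dest;
    for (uint64_t off = 0; off + 8 <= r->cur - r->start; off += 8) {
        memcpy(&dest, r->mem + off, 8);
        m = chain_step(m, dest);
    }
    return m;
}
```

The region contents are only ever extended, so a verifier that recomputes the chain from the starting address detects any path that was dropped or reordered before read-out.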
16. A terminal device, characterized in that the terminal device comprises a low security domain and a high security domain, the high security domain has higher authority than the low security domain, the memory of the terminal device is divided into a plurality of subareas,
the low security domain includes:
the communication module is used for receiving a plurality of verification requests sent by the remote equipment, wherein the verification requests are used for requesting verification of a plurality of target application programs in the low security domain;
the processing module is used for allocating a sub-area to each target application program in the plurality of target application programs;
the communication module is further used for sending a memory initialization request to the high security domain;
the processing module is further configured to execute a target application program for each target application program in the plurality of target application programs, and to record the control flow jump path in the execution process of the target application program to the first storage area of the sub-area corresponding to the target application program;
the exception handling module is used for sending a data reading request to the high security domain;
the communication module is also used for receiving a verification report sent by the high security domain and sending the verification report to the remote equipment;
the high security domain includes:
the memory initialization module is used for distributing a first storage area for each sub-area according to a memory initialization request, wherein the first storage area is a storage area which can only be added with data;
the data collection module is used for reading a plurality of control flow jump paths in the first storage area;
and the verification module is used for generating a verification report according to the plurality of control flow jump paths.
17. The device of claim 16, wherein the terminal device comprises a memory controller, the memory controller comprising the memory initialization module, and the memory initialization module is used for:
for each target application program in a plurality of target application programs, acquiring a first register and a second register of the subarea, wherein the first register records a starting address of the subarea, and the second register records a termination address of the subarea;
acquiring a section of continuous physical address through the high security domain, and taking the continuous physical address as the physical address of the first storage area;
initializing the first register, a second register, a third register and a fourth register, so that the value of the first register is the initial address of the physical address, the value of the second register is the final address of the physical address, the value of the third register is the current writable address of the physical address, and the fourth register is used for storing the access right information of the first storage area.
18. The apparatus of claim 16 or 17, wherein the processing module is configured to:
for each target application program in the plurality of target application programs, acquiring the code file of the target application program;
and inserting an operation code file into the code file of the target application program, so that the target application program can perform read-write operation on one sub-area in a plurality of sub-areas in the execution process.
19. An electronic device, comprising: at least one memory for storing a target application;
at least one processor that can be time-multiplexed between a high security domain and a low security domain, the processor being configured to, when the processor is in the low security domain:
receiving a verification request sent by a remote device, wherein the verification request is used for requesting to verify a target application program in the low security domain;
sending a memory initialization request to the high security domain so that the high security domain allocates a first storage area for the low security domain, wherein the first storage area is a storage area to which data can only be added;
executing the target application program, and recording a control flow jump path in the execution process of the target application program to the first storage area;
based on the completion of the execution of the target application program or the occurrence of a memory-full exception in the first storage area, sending a data reading request to the high security domain, so that the high security domain reads a plurality of control flow jump paths from the first storage area and generates a verification report according to the plurality of control flow jump paths;
and sending the verification report to the remote device.
20. An electronic device, comprising: at least one memory for storing a target application, a memory area in the at least one memory being divided into a plurality of sub-areas;
at least one processor that can be time-multiplexed between a high security domain and a low security domain, the processor being configured to, when the processor is in the low security domain:
receiving a plurality of verification requests sent by a remote device, wherein the verification requests are used for requesting verification of a plurality of target application programs in the low security domain;
assigning a sub-area to each of the plurality of target applications;
sending a memory initialization request to the high security domain, so that the high security domain allocates a first storage area for each sub-area, wherein the first storage area is a storage area to which data can only be added;
executing a target application program for each target application program in a plurality of target application programs, and recording a control flow jump path in the execution process of the target application program to a first storage area of a subarea corresponding to the target application program;
based on the completion of the execution of the target application program or the occurrence of a memory-full exception in the first storage area, sending a data reading request to the high security domain, so that the high security domain reads a plurality of control flow jump paths from the first storage area and generates a verification report according to the plurality of control flow jump paths;
and sending the verification report to the remote device.
21. A computer readable medium having instructions stored therein which, when run on a computer, cause the computer to perform the method of any of claims 1-6 or claims 7-9.
22. A computer program product comprising instructions which, when run on a computer, cause the computer to perform the method of any of claims 1-6 or claims 7-9.
Priority Applications (1)

Application Number: CN202111643190.5A
Priority Date: 2021-12-29
Filing Date: 2021-12-29
Title: Remote verification method and device based on application-only Memory

Publications (1)

Publication Number: CN116414451A
Publication Date: 2023-07-11

Family

ID=87056534

Family Applications (1)

CN202111643190.5A (Pending) CN116414451A (en), priority date 2021-12-29, filing date 2021-12-29: Remote verification method and device based on application-only Memory

Country Status (1)

CN (1) CN116414451A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination