CN117251843A - Method, system, equipment and medium for constructing dynamic data interval space - Google Patents


Info

Publication number
CN117251843A
Authority
CN
China
Prior art keywords
page table
allocated
dynamic data
constructing
kernel page
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311206703.5A
Other languages
Chinese (zh)
Inventor
杨文强
杨新宇
李�杰
李广亭
王福晶
张军
高少华
潘乐
张斌
柳曦
王鑫
孙浩沩
杨家然
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xian Thermal Power Research Institute Co Ltd
Huaneng Shandong Power Generation Co Ltd
Huaneng Weihai Power Generation Co Ltd
Original Assignee
Xian Thermal Power Research Institute Co Ltd
Huaneng Shandong Power Generation Co Ltd
Huaneng Weihai Power Generation Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xian Thermal Power Research Institute Co Ltd, Huaneng Shandong Power Generation Co Ltd, Huaneng Weihai Power Generation Co Ltd
Priority to CN202311206703.5A
Publication of CN117251843A
Legal status: Pending

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method, system, device and medium for constructing a dynamic data interval space, comprising the following steps: acquiring a process to be allocated; judging whether the process to be allocated corresponds to an application program preset at the factory; when it does, classifying the process into the trusted kernel page table class; when it does not, classifying it into the untrusted kernel page table class; and assigning different page table entry visibility to processes in the trusted kernel page table class and to processes in the untrusted kernel page table class. The method, system, device and medium can confine the dynamic data of the kernel for processes in the trusted kernel page table class and processes in the untrusted kernel page table class to different kernel page tables.

Description

Method, system, equipment and medium for constructing dynamic data interval space
Technical Field
The invention belongs to the technical field of data allocation, and relates to a method, system, device and medium for constructing a dynamic data interval space.
Background
Linux is now widely used as the operating system of the DCS (distributed control system) in thermal power plants. The Linux kernel runs as trusted software that manages and controls the underlying DCS hardware resources; it holds the highest privilege in the whole system and is the basis on which the entire DCS operates and is kept secure. However, because the kernel is written in a memory-unsafe language, exposes a wide attack surface and loads third-party kernel modules, an attacker can exploit a security vulnerability to obtain the highest kernel privilege and mount any attack. Given the size and complexity of the kernel code, it is practically impossible to eliminate all of these vulnerabilities and errors in the foreseeable future, so the untrustworthiness of the kernel will remain a long-standing security problem. Improving the reliability and security of kernel operation has therefore been an important research topic in the systems field. Kernel isolation, an important method of kernel protection, confines the many unreliable kernel modules to separate execution spaces, which effectively limits the effect of errors in the kernel and reduces its attack points. How to confine the dynamic data of the kernel and of untrusted components to different kernel page tables is the core problem in achieving such isolation.
Disclosure of Invention
The object of the present invention is to overcome the above-mentioned drawbacks of the prior art by providing a method, system, device and medium for constructing a dynamic data interval space, which can confine the dynamic data of the kernel and of untrusted components to different kernel page tables.
To achieve this purpose, the invention adopts the following technical scheme:
In a first aspect, the present invention provides a method for constructing a dynamic data interval space, comprising:
acquiring a process to be allocated;
judging whether the process to be allocated corresponds to an application program preset at the factory;
when the process to be allocated corresponds to a factory-preset application program, classifying it into the trusted kernel page table class; when it does not, classifying it into the untrusted kernel page table class;
assigning different page table entry visibility to processes classified into the trusted kernel page table class and to processes that are not.
The method for constructing the dynamic data interval space is further improved as follows:
before acquiring the process to be allocated, the method further comprises:
constructing an SLUB allocator, which calls the buddy system interface to obtain page frames and builds slabs from them as the memory allocation mechanism.
Processes classified into the trusted kernel page table class are given the highest visibility of page table entries.
For processes classified into the untrusted kernel page table class, the visibility of each page table entry for the corresponding allocated page frame in the kernel page table is modified according to the memory allocation source mark.
In a second aspect, the present invention provides a system for constructing a dynamic data interval space, comprising:
an acquisition module, for acquiring a process to be allocated;
a judging module, for judging whether the process to be allocated corresponds to a factory-preset application program;
a classification module, for classifying the process to be allocated into the trusted kernel page table class when it corresponds to a factory-preset application program, and into the untrusted kernel page table class when it does not;
an allocation module, for assigning different page table entry visibility to processes in the trusted kernel page table class and to processes in the untrusted kernel page table class.
The system for constructing the dynamic data interval space is further improved as follows:
processes classified into the trusted kernel page table class are given the highest visibility of page table entries;
for processes classified into the untrusted kernel page table class, the visibility of each page table entry for the corresponding allocated page frame in the kernel page table is modified according to the memory allocation source mark.
In a third aspect, the present invention provides a computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the method for constructing a dynamic data interval space when it executes the computer program.
In a fourth aspect, the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method for constructing a dynamic data interval space.
The invention has the following beneficial effects:
When the method, system, device and medium for constructing a dynamic data interval space operate, a process to be allocated that corresponds to a factory-preset application program is classified into the trusted kernel page table class; otherwise it is classified into the untrusted kernel page table class. Each process thus runs in a relatively independent address space and is assigned its own page table entry visibility, so dynamic data is isolated between processes and mutual interference between them is avoided.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention. In the drawings:
FIG. 1 is a flow chart of the method of the present invention;
fig. 2 is a system configuration diagram of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The invention is described in further detail below with reference to the attached drawing figures:
example 1
Each process in the kernel has a set of page tables that record the mapping between the process's virtual address space and the physical address space. By setting the page table entries, the process's access rights to each memory page can be restricted. The method classifies the processes of the application programs preset when the DCS system left the factory into the trusted kernel page table class and gives that class the highest access rights to every memory page; it classifies the dynamic data of other modules, kernel threads and kernel components produced during execution into the untrusted kernel page table class, and sets the visibility between kernel page tables according to the memory allocation source mark. The kernel page tables therefore run in relatively independent address spaces, dynamic data is isolated between them, and mutual interference between them is avoided. Dynamic data here means the memory regions the system requests dynamically while running.
The invention maps different application processes, and dynamic memory allocation requests from different sources, to different kernel-mode page tables, thereby constructing multiple execution spaces. Different modules and threads in the Linux kernel can then isolate or share dynamic data on the basis of the different kernel page tables.
On this basis, and referring to FIG. 1, the method for constructing a dynamic data interval space according to the present invention comprises the steps of:
1) Constructing an SLUB allocator; the SLUB allocator calls the buddy system interface to obtain page frames and builds slabs (the memory allocation mechanism) from them;
2) Judging the kernel page table class: acquiring a process to be allocated and judging whether it corresponds to a factory-preset application program; if it does, classifying it into the trusted kernel page table class, otherwise classifying it into the untrusted kernel page table class;
3) Assigning visibility of page table entries;
specifically, processes classified into the trusted kernel page table class are given the highest visibility of page table entries, and for processes classified into the untrusted kernel page table class the visibility of each page table entry for the corresponding allocated page frame in the kernel page table is modified according to the memory allocation source mark;
4) While the kernel runs, whenever a page frame needs to be accessed, switching to the kernel page table that corresponds to that page frame.
It should be noted that the present invention can construct three sets of kernel page tables in the Linux kernel to isolate dynamically allocated data between different programs and different components from one another. The method is also extensible and can easily be extended to more sets of kernel page tables. When a non-factory-preset application program runs under one of the Linux kernel page tables, it cannot directly access memory that is invisible under that table, so mutual interference of dynamic data between different programs and components is avoided and the security and reliability of kernel operation are improved.
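The four steps above (and the same method as listed under Disclosure of Invention) can be modelled in user space. The following C program is an added illustration written for this page; it is not code from the patent or from the Linux kernel. It simulates a buddy system handing page frames to an SLUB-style allocator that stamps each frame with a memory allocation source mark, classifies processes against an allowlist of factory-preset DCS application names, builds one visibility bitmap per kernel page table (three tables, as the patent describes), and decides which table the kernel must switch to before touching a given frame. The program names (dcs_ctrl, dcs_hmi, dcs_iod), the frame count, the function names and the bitmap representation are assumptions of the example.

```c
/* Added example modelling the patent's scheme in user space; not the patent's code.
 * Assumptions: 64 frames, 3 kernel page tables, table 0 is the trusted class. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFRAMES 64   /* page frames the simulated buddy system can hand out */
#define NTABLES 3    /* the patent builds three sets of kernel page tables */
#define PT_TRUSTED 0 /* table for factory-preset DCS applications */

struct frame { bool allocated; int source; }; /* source = memory allocation source mark */
static struct frame frames[NFRAMES];
static uint64_t visible[NTABLES];             /* bit i set: frame i visible in that table */
static int next_free;                         /* cursor of the simulated buddy free list */

/* Assumed allowlist of applications installed when the DCS left the factory. */
static const char *factory_apps[] = { "dcs_ctrl", "dcs_hmi", "dcs_iod" };

void reset_model(void) {
    memset(frames, 0, sizeof frames);
    memset(visible, 0, sizeof visible);
    next_free = 0;
}

/* Step 2: classify a process by its program name. Factory-preset applications go to
 * the trusted kernel page table class; everything else to the given untrusted class. */
int classify_process(const char *comm, int untrusted_table) {
    for (size_t i = 0; i < sizeof factory_apps / sizeof *factory_apps; i++)
        if (strcmp(comm, factory_apps[i]) == 0) return PT_TRUSTED;
    return untrusted_table;
}

/* Step 1: the SLUB-style allocator asks the buddy system for a page frame and
 * stamps it with the allocation source mark (the table class of the requester).
 * Returns the frame index, or -1 when the source is invalid or frames are exhausted. */
int slab_alloc_frame(int source) {
    if (source < 0 || source >= NTABLES || next_free >= NFRAMES) return -1;
    int f = next_free++;
    frames[f].allocated = true;
    frames[f].source = source;
    return f;
}

/* Step 3: visibility assignment. The trusted table sees every allocated frame
 * (highest visibility); an untrusted table sees only frames whose source mark
 * is its own class. */
void assign_visibility(void) {
    for (int t = 0; t < NTABLES; t++) visible[t] = 0;
    for (int f = 0; f < NFRAMES; f++) {
        if (!frames[f].allocated) continue;
        visible[PT_TRUSTED] |= (uint64_t)1 << f;
        if (frames[f].source != PT_TRUSTED)
            visible[frames[f].source] |= (uint64_t)1 << f;
    }
}

/* Direct access is possible only when the frame is visible under the current table. */
bool is_visible(int table, int frame) {
    if (table < 0 || table >= NTABLES || frame < 0 || frame >= NFRAMES) return false;
    return (visible[table] >> frame) & 1;
}

/* Step 4: before the kernel touches a frame, return the kernel page table to run
 * under: the current one if the frame is already visible, otherwise the table that
 * owns the frame (the switch the patent performs). -1 = frame not allocated. */
int table_for_access(int cur_table, int frame) {
    if (frame < 0 || frame >= NFRAMES || !frames[frame].allocated) return -1;
    if (is_visible(cur_table, frame)) return cur_table;
    return frames[frame].source;
}

int main(void) {
    reset_model();
    int t_app = classify_process("dcs_ctrl", 1);    /* factory-preset: trusted */
    int t_mod = classify_process("vendor_tool", 1); /* third-party: untrusted class 1 */
    int f_app = slab_alloc_frame(t_app);
    int f_mod = slab_alloc_frame(t_mod);
    assign_visibility();
    printf("trusted table sees module frame %d: %d\n", f_mod, is_visible(t_app, f_mod));
    printf("module table sees trusted frame %d: %d\n", f_app, is_visible(t_mod, f_app));
    printf("table to switch to for frame %d from table %d: %d\n",
           f_app, t_mod, table_for_access(t_mod, f_app));
    return 0;
}
```

Note what the model does and does not capture: in the real design the restriction lives in the kernel page tables themselves, so an untrusted component that touches a frame invisible under its table faults rather than being refused by a function call. `table_for_access` stands in for the kernel-mediated switch of step 4; it is not a check that the untrusted component could perform on its own behalf.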
Example two
Referring to FIG. 2, the system for constructing a dynamic data interval space according to the present invention comprises:
an acquisition module 1, for acquiring a process to be allocated;
a judging module 2, for judging whether the process to be allocated corresponds to a factory-preset application program;
a classification module 3, for classifying the process to be allocated into the trusted kernel page table class when it corresponds to a factory-preset application program, and into the untrusted kernel page table class when it does not;
an allocation module 4, for assigning different page table entry visibility to processes classified into the trusted kernel page table class and to processes in the untrusted kernel page table class.
It should be noted that processes classified into the trusted kernel page table class are given the highest visibility of page table entries, while for processes classified into the untrusted kernel page table class the visibility of each page table entry for the corresponding allocated page frame in the kernel page table is modified according to the memory allocation source mark.
Example III
A computer device comprising a memory, a processor and a computer program stored in and executable on the memory, the processor implementing the steps of the method for constructing a dynamic data interval space when it executes the computer program. The memory may comprise volatile memory, such as high-speed random access memory, and may also comprise non-volatile memory, such as at least one disk. The processor, network interface and memory are interconnected by an internal bus, which may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, etc., and may be divided into an address bus, a data bus, a control bus, etc. The memory stores programs, which may include program code comprising computer operation instructions; it may include both volatile memory and non-volatile storage, and provides instructions and data to the processor.
Example IV
A computer readable storage medium storing a computer program which when executed by a processor performs the steps of the method of building a dynamic data interval space, in particular the computer readable storage medium includes, but is not limited to, for example, volatile memory and/or non-volatile memory. The volatile memory may include Random Access Memory (RAM) and/or cache memory (cache), among others. The non-volatile memory may include Read Only Memory (ROM), hard disk, flash memory, optical disk, magnetic disk, and the like.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (9)

1. A method for constructing a dynamic data interval space, comprising:
acquiring a process to be allocated;
judging whether the process to be allocated corresponds to an application program preset at the factory;
when the process to be allocated corresponds to a factory-preset application program, classifying it into the trusted kernel page table class; when it does not, classifying it into the untrusted kernel page table class;
assigning different page table entry visibility to processes classified into the trusted kernel page table class and to processes that are not.
2. The method for constructing a dynamic data interval space according to claim 1, wherein before acquiring the process to be allocated the method further comprises:
constructing an SLUB allocator, which calls the buddy system interface to obtain page frames and builds slabs from them as the memory allocation mechanism.
3. The method for constructing a dynamic data interval space according to claim 1, wherein processes classified into the trusted kernel page table class are given the highest visibility of page table entries.
4. The method for constructing a dynamic data interval space according to claim 1, wherein for processes classified into the untrusted kernel page table class, the visibility of each page table entry for the corresponding allocated page frame in the kernel page table is modified according to the memory allocation source mark.
5. A system for constructing a dynamic data interval space, comprising:
an acquisition module (1), for acquiring a process to be allocated;
a judging module (2), for judging whether the process to be allocated corresponds to a factory-preset application program;
a classification module (3), for classifying the process to be allocated into the trusted kernel page table class when it corresponds to a factory-preset application program, and into the untrusted kernel page table class when it does not;
an allocation module (4), for assigning different page table entry visibility to processes classified into the trusted kernel page table class and to processes in the untrusted kernel page table class.
6. The system for constructing a dynamic data interval space according to claim 5, wherein processes classified into the trusted kernel page table class are given the highest visibility of page table entries.
7. The system for constructing a dynamic data interval space according to claim 5, wherein for processes classified into the untrusted kernel page table class, the visibility of each page table entry for the corresponding allocated page frame in the kernel page table is modified according to the memory allocation source mark.
8. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the steps of the method for constructing a dynamic data interval space according to any one of claims 1-4 when it executes the computer program.
9. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method for constructing a dynamic data interval space according to any one of claims 1-4.
CN202311206703.5A 2023-09-18 2023-09-18 Method, system, equipment and medium for constructing dynamic data interval space Pending CN117251843A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311206703.5A CN117251843A (en) 2023-09-18 2023-09-18 Method, system, equipment and medium for constructing dynamic data interval space

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311206703.5A CN117251843A (en) 2023-09-18 2023-09-18 Method, system, equipment and medium for constructing dynamic data interval space

Publications (1)

Publication Number Publication Date
CN117251843A true CN117251843A (en) 2023-12-19

Family

ID=89134358

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311206703.5A Pending CN117251843A (en) 2023-09-18 2023-09-18 Method, system, equipment and medium for constructing dynamic data interval space

Country Status (1)

Country Link
CN (1) CN117251843A (en)

Similar Documents

Publication Publication Date Title
US9727338B2 (en) System and method for translating program functions for correct handling of local-scope variables and computing system incorporating the same
CA1236588A (en) Dynamically allocated local/global storage system
JP5914145B2 (en) Memory protection circuit, processing device, and memory protection method
US8190839B2 (en) Using domains for physical address management in a multiprocessor system
CN105868028B (en) Method, device and terminal for sharing data among processes
ATE476706T1 (en) PARTITIONED STORAGE DEVICE WITH FEATURES OF DIFFERENT STORAGE TECHNOLOGIES
DE102014003540A1 (en) GENERATING AN ISOLATED EMBODIMENT ENVIRONMENT IN A CO-DESIGNED PROCESSOR
US9904802B2 (en) System on chip
US8006055B2 (en) Fine granularity hierarchiacal memory protection
DE102016220639A1 (en) Memory protection unit and method for protecting a memory address space
CN104536912A (en) Device and method for achieving memory protection mode in small operating system
CN112799977A (en) Real-time protection method and device for cache partition and cache access of computer
US20150371060A1 (en) System on chip
US20170293581A1 (en) Indicating a privilege level
US20140289739A1 (en) Allocating and sharing a data object among program instances
CN105468400A (en) Linux user mode based method and system for calling timer
KR101460451B1 (en) Apparatus and method for controlling process address space
CN110929304A (en) RISC-V based memory protection method
CN117251843A (en) Method, system, equipment and medium for constructing dynamic data interval space
DE112007001541T5 (en) Address masking between users
CN114968847A (en) Data processor
US20180136977A1 (en) Multi-queue device assignment for application groups
CN107273188B (en) Virtual machine Central Processing Unit (CPU) binding method and device
CN105808318B (en) Information processing method and electronic equipment
CN116894275B (en) Page table updating method, server, graphics processor, chip and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination