CN100530212C - Bus line fire wall of embedded system - Google Patents

Bus line fire wall of embedded system

Publication number: CN100530212C
Authority: CN (China)
Prior art keywords: bus, signal, module, interface, connectivity port
Legal status: Expired - Fee Related (status as listed by Google Patents, not a legal conclusion)
Application number: CN 200610114301
Other languages: Chinese (zh)
Other versions: CN101174285A (en)
Inventors: 孟晓风, 郑伟
Current assignee: Beihang University
Original assignee: Beihang University
Prosecution history: application filed by Beihang University with priority to CN 200610114301; published as CN101174285A; granted and published as CN100530212C; current status Expired - Fee Related.
Abstract

The invention relates to a firewall embedded in the bus of an embedded system. A bus IP core, implemented with FPGA logic integration technology, is connected in series between the interface bus of the embedded processor and the processor's peripheral interface so that the instructions issued at the key ports of the embedded system are monitored in real time; the bus IP core uses forward rule mapping to recognize normal port instructions and intercept abnormal port instructions. The bus IP core has a three-layer organizational structure: a bus adapting interface, the bus firewall located in the firewall protection layer, and a standard bus interface. The function of the bus firewall is realized by the special function modules embedded in the firewall protection layer of the IP core; these modules are a work-mode selecting module, a through-mode module, a filter-mode module, a rule learning module, a bus monitor module, a signal buffer module, a state coding module and a state detector module. Inside the bus firewall these modules are interconnected by the signals relating to the bus information.

Description

Embedded system bus firewall
(1) Technical field:
The present invention is an embedded system bus firewall, that is, a bus firewall that monitors the transmission of digital information in an embedded computer system. It relates in particular to a bus firewall that monitors the information transmitted on the interface bus of an embedded computer system and thereby provides security protection for the embedded system, and it belongs to the field of computer technology.
(2) Background technology:
As network technology and wireless communication technology develop, embedded systems are applied ever more broadly and deeply, from satellite remote control and orbit changes down to the realization of digitized home networks; embedded systems show a flourishing vitality in the move to wireless telecommunications and networking. At the same time, the security problems of embedded systems have emerged, and these problems can cause heavy economic losses or personal injury, for example a satellite being hijacked, an ATM (automatic teller machine) being robbed, an autopilot losing control, or an intelligent appliance leaking household information.
At present, the security mechanisms of embedded systems are mainly protection systems aimed at environmental interference or at faults in the hardware or software itself, with technical measures such as watchdog resets and redundant components. Once an embedded system is connected to the outside world by wireless communication or by network access, such closed, inward-looking security mechanisms have difficulty countering the threat of malicious intrusion. Because storage space is limited, an embedded system can make only limited use of achievements from the general-purpose computing field such as intrusion detection and firewall filtering, and a security protection system that relies on protection at the outer protocol layers is easily broken through, detects incompletely, occupies system memory and responds slowly.
(3) Summary of the invention:
The invention provides an embedded system bus firewall whose purpose is to monitor the information on the interface bus of an embedded system and to block intrusion intentions at the bottom-level architecture of the system. The security protection system built on this bus firewall is hard to break through, detects completely, occupies little system memory, responds quickly and has good security performance.
The technical scheme of the embedded system bus firewall of the present invention is as follows: a bus IP core, implemented with FPGA (Field Programmable Gate Array) logic integration technology, is connected in series between the embedded processor interface bus 100 and its peripheral interface 200; it monitors the key-port instructions of the embedded system in real time and uses the F-rule mapping method to recognize normal port instructions and intercept abnormal port instructions.
The bus IP core is divided into a three-layer organizational structure consisting of the bus adapting interface 1, the bus firewall 2 located in the firewall protection layer, and the standard bus interface 3. The function of the bus firewall 2 is realized by the special modules embedded inside it: the work-mode selecting module 5 (which comprises the through-mode module 11 and the filter-mode module 12), the rule learning module 6, the bus monitor module 7, the signal buffer module 8, the state coding module 9 and the detector state machine module 10.
The connections of the bus firewall 2 to its external ports are as follows:
The bus adapting interface 1 delivers the signals of the embedded processor interface bus to the corresponding ports of the bus firewall 2. This bus adapting interface 1 is an open interface and can be defined case by case; the definition used in the present invention is as follows: the signals common to most embedded processor interface buses, namely the bus reset signal, port read signal, port write signal, peripheral access enable signal, address bus, data bus and interrupt signal, are passed through the bus adapting interface 1. To support the operation of the bus firewall 2, the bus adapting interface 1 also provides the bus firewall 2 with an external clock signal (implemented by an added crystal oscillator) and a host read/write rule base enable signal (implemented by an external jumper). Correspondingly, the bus firewall 2 has the following connection ports to the bus adapting interface 1: bus adapting interface reset signal connection port 31, bus adapting interface peripheral access enable signal connection port 32, bus adapting interface read signal connection port 33, bus adapting interface write signal connection port 34, bus adapting interface data bus connection port 35, bus adapting interface address bus connection port 36, bus adapting interface host read/write rule base enable signal connection port 37, bus adapting interface external clock signal connection port 38 and bus adapting interface system interrupt signal connection port 39. Of these, ports 31, 32, 33, 34, 35 and 36 are connected to the work-mode selecting module 5 and the rule learning module 6; port 38 supplies the clock signal 16, which is input to the signal buffer module 8 and the detector state machine module 10; port 37 is connected to the rule learning module 6; and port 39 receives the system interrupt signal 13 and is connected to the detector state machine module 10.
The standard bus interface 3 passes the bus signals processed by the bus firewall 2 on to the peripheral interface. Like the bus adapting interface 1, this peripheral interface is an open interface defined according to actual needs. Similar to the port definition of the bus adapting interface 1 above, the bus firewall 2 of the present invention has the following connection ports to the standard bus interface 3: standard bus interface reset signal connection port 40, standard bus interface peripheral access enable signal connection port 41, standard bus interface read signal connection port 42, standard bus interface write signal connection port 43, standard bus interface address bus connection port 44 and standard bus interface data bus connection port 45. These ports are connected to the corresponding ends of the work-mode selecting module 5 and the signal buffer module 8 respectively.
The rule base 4 is implemented in external expansion memory and stores the rules of the bus firewall 2. The bus firewall 2 has the following connection ports to the rule base 4: rule base memory write signal connection port 46, rule base memory read signal connection port 47, rule base memory 1 chip select signal connection port 48, rule base memory chip select signal connection port 49, rule base memory address bus connection port 50 and rule base memory data bus connection port 51; these ports are connected to the rule learning module 6.
The connections of the signals relating to bus information inside the bus firewall 2 are as follows:
Monitored reset signal 52, monitored peripheral access enable signal 53, monitored read signal 54, monitored write signal 55, monitored address bus signal 56 and monitored data bus signal 57: output by the work-mode selecting module 5 to the bus monitor module 7;
Buffered reset signal 58, buffered peripheral access enable signal 59, buffered read signal 60, buffered write signal 61, buffered address bus signal 62 and buffered data bus signal 63: output by the bus monitor module 7 to the signal buffer module 8;
Coded reset signal 64, coded peripheral access enable signal 65, coded read signal 66, coded write signal 67, coded address bus signal 68 and coded data bus signal 69: output by the signal buffer module 8 to the state coding module 9;
Instruction class state code 28, port address state code 29 and operand state code 30: output by the state coding module 9 to the detector state machine module 10;
Rule feature code 23, instruction class rule 24, port address rule 25, operand upper limit rule 26 and operand lower limit rule 27: output by the rule learning module 6 to the detector state machine module 10.
The connections of the handshake signals between the modules inside the bus firewall 2 are as follows:
Work mode select signal 15 (1 denotes filter mode, 0 denotes through mode): output by the bus monitor module 7 and input to the work-mode selecting module 5;
Signal buffer start-read flag 21 (when 1, the FIFO read pointer is reset): output by the detector state machine module 10 to the signal buffer module 8;
Signal buffer write signal 17 (0 denotes write valid): output by the bus monitor module 7 to the rule learning module 6;
Signal buffer read signal 18 (0 denotes read valid): output by the detector state machine module 10 to the state coding module 9 and the rule learning module 6, and connected to the signal buffer module 8 at the same time;
Buffer empty flag signal 19 (1 denotes buffer empty, 0 denotes buffer not empty): output by the signal buffer module 8 to the detector state machine module 10;
Isolate/release flag signal 14 (1 denotes release signal, 0 denotes isolate signal): output by the detector state machine module 10 to the signal buffer module 8;
Detection finished signal 20 (1 denotes detection finished, 0 denotes detecting): output by the detector state machine module 10 to the signal buffer module 8;
Firewall system reset signal 22 (1 denotes reset): output by the reset module 71 and connected to the bus monitor module 7, the signal buffer module 8 and the detector state machine module 10;
Rule base position pointer 70: output by the detector state machine module 10 to the rule learning module 6.
In the F-rule mapping method, the bus monitor module 7 monitors the key-port instructions of the embedded system in real time; the captured signals are buffered by the signal buffer module 8 and output to the state coding module 9 for coding. The detector state machine module 10 reads the coded bus signals from the state coding module 9 and at the same time schedules the rule learning module 6 to read the rule mapping code from the rule base 4 of normal instruction signals; the two are compared, and the instruction is allowed to execute when they agree and blocked when they do not.
The bus firewall 2 works on the following principle. Rule learning is carried out first: while the embedded system operates normally, the state information of the interface bus during the execution of key instructions is coded and written to the rule base 4 by the embedded system host through the bus adapting interface 1 and the rule learning module 6.
When the embedded system actually runs, the bus firewall 2 works as follows:
Step 1: the work-mode selecting module 5 selects the work mode of the bus firewall 2. In through mode the bus firewall only passes signals through: the through-mode module 11 is active, go to step 7. In filter mode the bus firewall 2 is started: the filter-mode module 12 is active, go to step 2.
Step 2: the bus monitor module 7 monitors the bus signals; once a key instruction is found, its interface signals are captured, go to step 3. A non-key instruction is let through, and the work-mode selecting module 5 is notified to enter through mode.
Step 3: the signal buffer module 8 queues the captured key-instruction interface signals in first-in-first-out order and passes the interface signals at the head of the queue, which are waiting for release, to the state coding module 9.
Step 4: the state coding module 9 codes the interface signals according to a fixed rule.
Step 5: the detector state machine module 10 compares the state code with the rule code in the rule base 4. If they agree, it sends a signal release command to the signal buffer module 8, switches to the next state and goes to step 6. If they do not agree, it sends a signal isolate command to the signal buffer module 8 and at the same time raises an interrupt to the system, prompting fault handling operations such as program rollback or system reset.
Step 6: if it receives the signal release command, the signal buffer module 8 releases the queued interface signals, go to step 7; if it receives the signal isolate command, the signal buffer module 8 blocks the signals from flowing out.
Step 7: the signals of the bus firewall 2 are output to the standard bus interface 3.
The embedded system bus firewall of the present invention has the following beneficial effects and advantages:
1. By monitoring the key instructions of the embedded system on the embedded processor interface bus, an intrusion instruction or out-of-range instruction is blocked and isolated before it triggers an actual system action; the intrusion recognition rate for the following kinds of port instruction manipulation reaches 100%: inserting an instruction, deleting an instruction, modifying an instruction opcode, modifying an instruction address and modifying an instruction constant;
2. Because FPGA hardware technology and the F-rule mapping method are used to analyze and filter parallel information streams, the delay overhead is kept at the microsecond level;
3. It is embedded in the bottom-level architecture of the system and can be flexibly enabled or disabled;
4. It can adapt to changes in the requirements of the same system by updating the rule base, and can be applied to the architecture platforms of different systems by revising the bus adapting interface;
5. The bus firewall has the advantages of being embedded, fast, highly confidential and small in storage overhead.
(4) Description of drawings:
Fig. 1 is the organization chart of the bus IP core and bus firewall of the present invention.
Fig. 2 is the circuit block diagram of the bus firewall of the present invention.
Fig. 3 is the circuit schematic diagram of the bus firewall of the present invention.
Fig. 4 is the workflow diagram of the bus firewall of the present invention.
(5) Embodiment:
The embedded system bus firewall of the present invention is further described below with reference to the drawings and the embodiment. The bus firewall uses hardware technology, with its advantages of being embedded, fast, highly confidential and small in storage overhead, to give the system immunity against malicious intrusion at its bottom-level architecture. The firewall exists in the bus IP core in the form of special function modules; it is implemented by programming in the Verilog hardware description language, and its working material is an FPGA.
Referring to Fig. 1, the technical scheme is: a bus IP core, implemented with FPGA (Field Programmable Gate Array) logic integration technology, is connected in series between the embedded processor interface bus 100 and its peripheral interface 200; it monitors the key-port instructions of the embedded system in real time and uses the F-rule mapping method to recognize normal port instructions and intercept abnormal port instructions.
The bus IP core is divided into a three-layer organizational structure consisting of the bus adapting interface 1, the bus firewall 2 located in the firewall protection layer, and the standard bus interface 3. The function of the bus firewall 2 is realized by the special modules embedded inside it, namely the work-mode selecting module 5 (which comprises the through-mode module 11 and the filter-mode module 12), the rule learning module 6, the bus monitor module 7, the signal buffer module 8, the state coding module 9 and the detector state machine module 10.
The connections of the bus firewall 2 to its external ports (the bus adapting interface 1, the standard bus interface 3 and the rule base 4), the connections of the signals relating to bus information inside the bus firewall 2, and the handshake connections between its modules are as listed in the summary above and are shown in Fig. 3.
The implementation of the bus firewall is built on the following mathematical model definitions:
The bus characteristics of an embedded system are divided into two parts, software elements and hardware elements, whose domains are denoted S and H respectively, where S = {instruction, timing, data, ...} and H = {port address, read/write operation, bus bandwidth, transfer rate, ...}.
The interaction of the software elements and hardware elements forms the bus behaviour of the embedded system. The following definitions are given:
(1) The access matrix of embedded system instructions operating on peripheral ports is defined as follows:
Definition 1:
For an instruction sequence $I \subset S$ and a port sequence $A \subset H$, with $I_i$ ($i = 1, 2, \ldots, m$) as row vector and $A_j$ ($j = 1, 2, \ldots, n$) as column vector, the $m \times n$ access matrix $V_{m \times n}$ is formed:
$$
V_{m \times n} = I_{m \times 1} \times A_{1 \times n} =
\begin{bmatrix}
v_{11} & v_{12} & \cdots & v_{1n} \\
v_{21} & v_{22} & \cdots & v_{2n} \\
\vdots & \vdots & \ddots & \vdots \\
v_{m1} & v_{m2} & \cdots & v_{mn}
\end{bmatrix}
$$
where $v_{ij}$ denotes the access right of instruction $I_i$ to port $A_j$:
[Equation image C20061011430100115 (definition of $v_{ij}$) not reproduced on the page]
(2) To save bus monitoring cost, a switch matrix is defined to compress the scale of the access matrix:
Definition 2:
For an instruction sequence $I \subset S$ there exists an $m \times n$ matrix $SW$,
$$
SW = [\, w_{1 \times n} \quad w_{2 \times n} \quad \cdots \quad w_{m \times n} \,]^{T},
$$
such that for the $i$-th instruction in $I$ the following relation holds:
[Equation image C20061011430100119 not reproduced on the page]
The matrix $SW$ is called the switch matrix of the access matrix $V_{m \times n}$.
(3) The real-time state of the embedded system bus is defined as follows:
Definition 3: for every $I_i \in I$ there exist a port $A_i \in A$ and data $D_i \in D$ such that each bus behaviour can be expressed as $S_i(I_i, A_i, D_i)$, where $i = 1, 2, \ldots, m$. $S(I, A, D)$ is called the bus state triple.
After the access matrix $V_{m \times n}$ of Definition 1 and the switch matrix $SW_{m \times n}$ of Definition 2 are multiplied element by element, the row vectors that are entirely zero are removed; the remaining row vectors form the compressed matrix of the access matrix, which represents the set of key instructions that need to be monitored.
The F-rule mapping method checks the monitored instruction stream against a rule base built from the signals of normal instructions: a monitored key instruction must match the timing set in the rule base and the signal mapping code of its configuration before it is allowed to execute. For this purpose the bus rule five-tuple R(C, I, A, DL, DU) is defined, whose elements are explained as follows:
C: feature code, 4 bits wide; different codes indicate rule features, for example linear program instruction, interrupt routine instruction, constant operand, variable operand, etc.;
I: instruction class, 4 bits wide; different codes indicate the key instruction type, for example 0000 (warm reset), 0001 (read peripheral), 0010 (write peripheral), etc.;
A: port address, 16 bits wide, a 64K I/O address space, expandable;
DL: operand lower limit, 16 bits wide, expandable;
DU: operand upper limit, 16 bits wide, expandable.
According to the rule feature sign indicating number, rule base 4 is divided into linear program routine storage RL and interrupt routine routine storage RP (if the n level is interrupted, the RP zone is subdivided into the n section again), by rule learning module 6 input end rule base position indicator pointers 70 its reference positions of decision.This position indicator pointer is one 4 bit wide (can an expand) variable, and codified is as 16 memory block start address signs, and each indicates the physical access start address of a corresponding rule base storage.Rule base 4 realizes that carrier is the preservable flash memory flash of data power down (or EPROM).Flash memory Flash (or EPROM) specification is 64K * 32, and each is with two.Wherein a slice is used to store C, I, A, another sheet storage DL, DU realize its control by rule learning module 6 following output ports: rule base storage write signal connectivity port 46, rule base storage read signal connectivity port 47, rule base storage 1 chip selection signal connectivity port 48, rule base storage chip selection signal connectivity port 49, rule base storage address bus connectivity port 50, rule base storage data bus connectivity port 51.Along with the development of FPGA technology, another kind of embodiment is, rule base can be realized by the ROM that becomes at the FPGA chip integration, thereby it is built-in that rule base is able to, and circuit will obtain simplifying, and access speed also will further improve.
Rule base 4 read-writes adopt main frame read-write and bus IP kernel to read and write dual controlling mechanism.Read and write by main frame in the rule learning stage, be convenient to the user and can revise rule flexibly.When the embedded system commencement of commercial operation, the bus fire wall disconnects the main frame read-write capability, by the control of bus IP kernel, guarantees the independence and the credibility of rule base.The switching of above-mentioned functions allows signal connection end mouth 37 to realize by bus adaptable interface main frame read-write rule base, the external wire jumper socket of this port, refer to determine its high-low level input (during by the host computer control rule base, during by bus IP kernel control law storehouse) by short circuit for high level 1 for low level 0.
The rule base data source is by manually obtaining Program Static Analysis.At first be the row vector with the programmed instruction, peripheral port is that column vector is set up embedded system access matrix V M * n, then according to system security assurance requirements definition switch matrix SW M * n, two matrixes carry out setting up the key instruction set that need monitor behind the point multiplication operation.
Once the rule base has been built, the embedded system can enter the actual operation stage.
Bus firewall 2 works on the following principle (see Fig. 4): rule learning is carried out first. During normal operation of the embedded system, the state information of the interface bus while key instructions execute is h-coded and written into rule base 4 by the embedded system host through bus adapting interface 1 and rule learning module 6;
The working principle and step flow of the firewall are detailed below (see Fig. 4):
Step 1: Working mode selection module 5 decides the working mode of the bus firewall from the input level of working mode selection signal 15: when signal 15 is input low (0), the bus firewall only passes signals through, through mode module 11 works and step 7 is executed; when signal 15 is input high (1), the bus firewall starts its firewall function, filter mode module 12 works and step 2 is executed. At the initial system reset, bus monitor module 7 sets signal 15 to 1 and outputs it to working mode selection module 5, placing it in filter mode.
Step 2: Bus monitor module 7 takes monitored reset signal 52, monitored peripheral access valid signal 53, monitored read signal 54, monitored write signal 55, monitored address bus signal 56 and monitored data bus signal 57 as its sensitive signals and monitors the bus. As soon as it finds the signal of a key-instruction port operation by the embedded system host, it latches the address, data and control signals on the bus as the following signals: buffer reset signal 58, buffer peripheral access valid signal 59, buffer read signal 60, buffer write signal 61, buffer address bus signal 62 and buffer data bus signal 63. At the same time it sets signal buffer write signal 17 to 0 (0 means the write is valid) and outputs it to signal buffer module 8 together with the above signals. If no signal of a key-instruction port operation by the host is found, working mode selection signal 15 is set to 0 and output to working mode selection module 5, placing it in through mode, and signal buffer write signal 17 is set to 1 (1 means the write is invalid).
Step 3: Signal buffer module 8 internally implements a FIFO of depth 4 and width 40 bits to buffer the bus signals. If the interface bus is a low-speed bus, for example up to 10 MHz, the FIFO depth can be set to 1, that is, almost no buffering. The higher the bus transfer rate, the larger the FIFO depth should be. On the falling edge of signal buffer write signal 17, after confirming that the FIFO is not full, signal buffer module 8 writes buffer reset signal 58, buffer peripheral access valid signal 59, buffer read signal 60, buffer write signal 61, buffer address bus signal 62 and buffer data bus signal 63 into the FIFO and sets signal buffer write signal 17 back to 1 to wait for the next falling edge. On the rising edge of signal buffer write signal 17 the FIFO write pointer is incremented by 1. Detection state machine module 10 outputs signal buffer read signal 18 to signal buffer module 8; on its falling edge, after signal buffer module 8 confirms that the FIFO is not empty, it takes the first signal waiting for release out of the FIFO (first in, first out) and latches it as the following signals: coded reset signal 64, coded peripheral access valid signal 65, coded read signal 66, coded write signal 67, coded address bus signal 68 and coded data bus signal 69. These signals are output to state encoding module 9. On the rising edge of signal buffer read signal 18, signal buffer module 8 examines signal buffer start-read flag 21: when it is 1 the FIFO read pointer is reset to 0, otherwise the FIFO read pointer is incremented by 1.
Step 4: When state encoding module 9 receives the rising edge of signal buffer read signal 18, it encodes the bus signals passed in from signal buffer module 8 according to the rule format defined by the rule base. For example, when coded read signal 66 is active (low) and coded peripheral access valid signal 65 is active (low), the instruction class is encoded as 0010 and output as instruction class state code 28. Coded address bus signal 68 and coded data bus signal 69 are delivered directly to port address state code 29 and operand state code 30 when the rising edge of signal buffer read signal 18 arrives. Codes 28, 29 and 30 are output to detection state machine module 10.
Step 5: Detection state machine module 10 compares state codes 28, 29 and 30 with the rule code that rule learning module 6 reads from rule base 4. When they match, isolate/release flag signal 14 (1 = release, 0 = isolate) is set to 1 and detection finished signal 20 (1 = detection finished, 0 = detecting) is set to 1; signals 14 and 20 are output to signal buffer module 8. The state machine switches to the next state, sets signal buffer read signal 18 to 0 to issue the read signal for the next instruction, and proceeds to step 6. When the comparison does not match, isolate/release flag signal 14 is set to 0 and output to signal buffer module 8, and system interrupt signal 13 is set to 1 (assuming the interrupt signal is active high) and output to bus adapting interface system interrupt signal connection port 39, prompting the host to perform fault handling such as program rollback or system reset.
Let i be the sequence number of the key instruction the firewall is currently processing; the firewall rules are described as follows:
(1) if ((R(C_i) & 0x8) == 0x8) then        /* feature code identifies a linear-program instruction */
        R(I_i, A_i, DL_i, DU_i) = RL(I_i, A_i, DL_i, DU_i)
(2) if ((R(C_i) & 0x8) == 0x0) then        /* feature code identifies an interrupt instruction */
        R(I_i, A_i, DL_i, DU_i) = RP(I_i, A_i, DL_i, DU_i)
(3) if ((R(C_i) & 0x4) == 0x4) then        /* feature code identifies a constant operand */
        R(DL_i, DU_i) = R(DL_i, 0xffff)
(4) if ((R(C_i) & 0x4) == 0x0) then        /* feature code identifies a variable operand */
        R(DL_i, DU_i) = R(λL_i × DL_i, λU_i × DU_i),
    where λL_i and λU_i are interval stringency factors, 0 ≤ λL_i, λU_i ≤ 1
(5) if (S(I_i, A_i) == R(I_i, A_i)) then
        if (rule (3) holds and S(D_i) == R(DL_i)) then
            the instruction is normal; grant passage.
        else if (rule (4) holds and R(DL_i) ≤ S(D_i) ≤ R(DU_i)) then
            the instruction is normal; grant passage.
        else
            the instruction is abnormal; isolate and block.
    else
        the instruction is abnormal; isolate and block.
When the embedded system executes a linear program, let the detection state machine be in state LS_i (i = 1, 2, ..., n). The detection state machine outputs rule base position pointer 70 to rule learning module 6, and rule learning module 6 fetches the rule five-tuple RL(C_i, I_i, A_i, DL_i, DU_i) from the RL zone of rule base 4, outputting its elements respectively as rule feature code 23, instruction class rule 24, port address rule 25, operand lower limit rule 27 and operand upper limit rule 26. At the same time, scheduled by high-frequency clock signal 16, it is sensitive to changes in each parameter of the state triple S_i(I_i, A_i, D_i) (corresponding to instruction class state code 28, port address state code 29 and operand state code 30). When the current parameters of the state triple satisfy rule (5), the instruction corresponding to this state value is considered to have passed detection, and the detection state machine then transitions to state LS_i+1 to detect the next instruction. When the condition is not satisfied, the detection state machine switches to the blocking state.
If the linear program contains embedded interrupts, the source program is processed first: an interrupt marker instruction, a write operation to a particular port address, is added as the first line of the interrupt routine. When the signal of this instruction appears on the interface bus, the detection state machine jumps into the interrupt processing state, where its working condition is similar to that for the linear program. The state transition diagram of the detection state machine module is shown in Fig. 5, where Istate saves the next state to be executed on return from the interrupt.
Step 6: After signal buffer module 8 receives the rising edge of detection finished signal 20 (1 = detection finished, 0 = detecting), it checks the state of isolate/release flag signal 14 (1 = release, 0 = isolate). When it is 1, signal buffer module 8 releases the latched coded reset signal 64, coded peripheral access valid signal 65, coded read signal 66, coded write signal 67, coded address bus signal 68 and coded data bus signal 69, and step 7 is executed. If a signal isolate instruction is received, the signal buffer module blocks the signal flow and sets its outputs to tri-state.
Step 7: The firewall signals are output to the following standard bus interface ports: standard bus interface reset signal connection port 40, standard bus interface peripheral access valid signal connection port 41, standard bus interface read signal connection port 42, standard bus interface write signal connection port 43, standard bus interface address bus connection port 44 and standard bus interface data bus connection port 45.
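A software model of the filter path described in steps 2 to 7, the rules (1) to (5) and the LS/interrupt state machine, as an added example; this is not the patent's FPGA logic. The read class code 0010, the feature-code bits 0x8 and 0x4, the constant/variable operand checks, the λ factors and the blocking state come from the text; the write class code, the convention that the interrupt routine returns when its last RP rule has matched, the marker port 0xF0 and the sample rule base and bus trace are assumptions.

```python
# Added example: software model of the bus firewall filter path (not the patent's RTL).
# CLASS_WRITE, the interrupt-return convention, SAMPLE_RULES and the traces are constructed.
from dataclasses import dataclass

FEAT_LINEAR = 0x8     # rules (1)/(2): set -> rule lives in the RL zone, clear -> RP zone
FEAT_CONST = 0x4      # rules (3)/(4): set -> constant operand, clear -> variable operand
CLASS_READ = 0b0010   # instruction class code for a read (step 4 of the patent)
CLASS_WRITE = 0b0001  # assumed class code for a write (the patent gives none)
BLOCKED = "BLOCK"     # the detection state machine's blocking state


@dataclass(frozen=True)
class Rule:            # rule five-tuple R(C, I, A, DL, DU)
    C: int; I: int; A: int; DL: int; DU: int


@dataclass(frozen=True)
class BusCycle:        # monitored signals 52..57 (controls are active low)
    rst: int; pa_valid: int; rd: int; wr: int; addr: int; data: int


def encode(cycle):
    """State encoding module (step 4): control lines -> state triple S(I, A, D)."""
    if cycle.pa_valid == 0 and cycle.rd == 0:
        cls = CLASS_READ
    elif cycle.pa_valid == 0 and cycle.wr == 0:
        cls = CLASS_WRITE
    else:
        cls = 0
    return cls, cycle.addr, cycle.data


def rule_matches(rule, state, lam_l=1.0, lam_u=1.0):
    """Rules (3)-(5): class and address must be equal; the operand is checked as a
    constant, or as a variable inside the lambda-tightened [DL, DU] interval."""
    cls, addr, data = state
    if (cls, addr) != (rule.I, rule.A):
        return False
    if rule.C & FEAT_CONST:
        return data == rule.DL                                # rule (3): DU is the 0xffff filler
    return int(lam_l * rule.DL) <= data <= int(lam_u * rule.DU)  # rule (4)


class Detector:
    """Detection state machine (step 5, Fig. 5): LS states walk the RL zone, interrupt
    states walk the RP zone, Istate remembers the state to resume after the interrupt."""

    def __init__(self, rules, marker_port, lam_l=1.0, lam_u=1.0):
        self.RL = [r for r in rules if r.C & FEAT_LINEAR]         # rule (1)
        self.RP = [r for r in rules if not (r.C & FEAT_LINEAR)]   # rule (2)
        self.marker = marker_port   # a write to this port is the interrupt routine's first line
        self.lam = (lam_l, lam_u)
        self.state = ("LS", 0)      # (zone, index of the rule expected next)
        self.istate = None

    def step(self, state):
        """Return True to release the queued signal, False to isolate it."""
        if self.state == BLOCKED:
            return False
        cls, addr, _ = state
        if self.state[0] == "LS" and (cls, addr) == (CLASS_WRITE, self.marker):
            self.istate, self.state = self.state, ("IS", 0)     # jump into interrupt processing
            return True
        zone, i = self.state
        rules = self.RL if zone == "LS" else self.RP
        if i < len(rules) and rule_matches(rules[i], state, *self.lam):
            i += 1
            if zone == "IS" and i == len(self.RP):   # assumed: last RP rule matched = return
                self.state, self.istate = self.istate, None
            else:
                self.state = (zone, i)
            return True
        self.state = BLOCKED
        return False


def run_firewall(trace, key_ports, detector):
    """Steps 2-7: monitor -> queue in arrival order -> encode -> detect -> release/isolate.
    Returns (released cycles, isolated cycles, interrupt raised)."""
    released, isolated, interrupt = [], [], False
    for cycle in trace:
        if cycle.addr not in key_ports:        # step 2: not a key port, passed in through mode
            released.append(cycle)
        elif detector.step(encode(cycle)):     # steps 3-5 on the queued key instruction
            released.append(cycle)             # steps 6-7: released to the standard bus interface
        else:
            isolated.append(cycle)             # step 6: isolated, outputs tri-stated
            interrupt = True                   # step 5: system interrupt signal 13 raised
    return released, isolated, interrupt


# Constructed sample rule base: two linear-program rules and one interrupt-routine rule.
SAMPLE_RULES = [
    Rule(FEAT_LINEAR | FEAT_CONST, CLASS_READ, 0x10, 0x55, 0xFFFF),  # read of port 0x10 must be 0x55
    Rule(FEAT_LINEAR, CLASS_WRITE, 0x20, 0x100, 0x200),              # write to port 0x20 in [0x100, 0x200]
    Rule(FEAT_CONST, CLASS_WRITE, 0x20, 0x0, 0xFFFF),                # interrupt routine writes 0 to 0x20
]
KEY_PORTS = {0x10, 0x20, 0xF0}   # 0xF0 is the assumed interrupt marker port


def rd(addr, data): return BusCycle(1, 0, 0, 1, addr, data)
def wr(addr, data): return BusCycle(1, 0, 1, 0, addr, data)


NORMAL_TRACE = [rd(0x10, 0x55), wr(0x30, 7), wr(0xF0, 0), wr(0x20, 0), wr(0x20, 0x150)]
ATTACK_TRACE = [rd(0x10, 0x55), wr(0x20, 0x300), wr(0x20, 0x150)]   # out-of-range operand


def firewall_demo(trace, lam_u=1.0):
    det = Detector(SAMPLE_RULES, marker_port=0xF0, lam_u=lam_u)
    released, isolated, irq = run_firewall(trace, KEY_PORTS, det)
    return len(released), len(isolated), irq, det.state
```

Run `firewall_demo(NORMAL_TRACE)` to see the interrupt marker divert the state machine into the RP zone and return to LS_2, and `firewall_demo(ATTACK_TRACE)` to see the first out-of-range write switch it to the blocking state, after which every further key-port access is isolated and the interrupt stays raised. Passing `lam_u=0.5` shows the stringency factor shrinking the accepted interval until the same in-range write is rejected.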

Claims (3)

1. An embedded system bus firewall, characterized in that: a bus IP core implemented with FPGA logic integration technology is connected in series between the embedded processor interface bus (100) and its peripheral interface (200), implementing real-time monitoring of embedded system key port instructions and using a forward rule (F-rule) mapping method to identify normal port instructions and intercept abnormal port instructions;
the bus IP core is divided into a three-layer organizational structure consisting of the bus adapting interface (1), the bus firewall (2) located in the firewall protection layer, and the standard bus interface (3);
the function of the bus firewall (2) is realized by the special function modules of the bus firewall (2) embedded in the IP core firewall protection layer; these special function modules include the through mode module (11), filter mode module (12), rule learning module (6), bus monitor module (7), signal buffer module (8), state encoding module (9) and detection state machine module (10); the connection relationships between the modules are as follows:
the bus firewall (2) has the following connection ports to the bus adapting interface (1): bus adapting interface reset signal connection port (31), bus adapting interface peripheral access valid signal connection port (32), bus adapting interface read signal connection port (33), bus adapting interface write signal connection port (34), bus adapting interface data bus connection port (35), bus adapting interface address bus connection port (36), bus adapting interface host read/write rule base enable signal connection port (37), bus adapting interface external clock signal connection port (38) and bus adapting interface system interrupt signal connection port (39); the bus adapting interface reset signal connection port (31), bus adapting interface peripheral access valid signal connection port (32), bus adapting interface read signal connection port (33), bus adapting interface write signal connection port (34), bus adapting interface data bus connection port (35) and bus adapting interface address bus connection port (36) are connected with the working mode selection module (5) and the rule learning module (6); the bus adapting interface external clock signal connection port (38) provides clock signal (16), which is input to the signal buffer module (8) and the detection state machine module (10); the bus adapting interface host read/write rule base enable signal connection port (37) is connected with the rule learning module (6); the bus adapting interface system interrupt signal connection port (39), which receives system interrupt signal (13), is connected with the detection state machine module (10);
the bus firewall (2) has the following connection ports to the standard bus interface (3): standard bus interface reset signal connection port (40), standard bus interface peripheral access valid signal connection port (41), standard bus interface read signal connection port (42), standard bus interface write signal connection port (43), standard bus interface address bus connection port (44) and standard bus interface data bus connection port (45); the connection ports of the standard bus interface (3) are connected respectively with the corresponding ends of the working mode selection module (5) and the signal buffer module (8);
the bus firewall (2) has the following connection ports to the rule base (4): rule base storage write signal connection port (46), rule base storage read signal connection port (47), rule base storage chip select signal connection port (48), rule base storage chip select signal connection port (49), rule base storage address bus connection port (50) and rule base storage data bus connection port (51); the connection ports of the rule base (4) are connected with the rule learning module (6);
the connections of the bus-information-related signals inside the bus firewall (2) are as follows:
monitored reset signal (52), monitored peripheral access valid signal (53), monitored read signal (54), monitored write signal (55), monitored address bus signal (56) and monitored data bus signal (57): output by the working mode selection module (5) to the bus monitor module (7);
buffer reset signal (58), buffer peripheral access valid signal (59), buffer read signal (60), buffer write signal (61), buffer address bus signal (62) and buffer data bus signal (63): output by the bus monitor module (7) to the signal buffer module (8);
coded reset signal (64), coded peripheral access valid signal (65), coded read signal (66), coded write signal (67), coded address bus signal (68) and coded data bus signal (69): output by the signal buffer module (8) to the state encoding module (9);
instruction class state code (28), port address state code (29) and operand state code (30): output by the state encoding module (9) to the detection state machine module (10);
rule feature code (23), instruction class rule (24), port address rule (25), operand upper limit rule (26) and operand lower limit rule (27): output by the rule learning module (6) to the detection state machine module (10);
the handshake signal connections between the modules inside the bus firewall (2) are as follows:
working mode selection signal (15): output by the bus monitor module (7) and input to the working mode selection module (5);
signal buffer start-read flag (21): output by the detection state machine module (10) to the signal buffer module (8);
signal buffer write signal (17): output by the bus monitor module (7) to the rule learning module (6);
signal buffer read signal (18): output by the detection state machine module (10) to the state encoding module (9) and the rule learning module (6), and connected at the same time with the signal buffer module (8);
buffer empty flag signal (19): output by the signal buffer module (8) to the detection state machine module (10);
isolate/release flag signal (14): output by the detection state machine module (10) to the signal buffer module (8);
detection finished signal (20): output by the detection state machine module (10) to the signal buffer module (8);
firewall system reset signal (22): output by the reset module (71) and connected to the bus monitor module (7), the signal buffer module (8) and the detection state machine module (10);
rule base position pointer (70): output by the detection state machine module (10) to the rule learning module (6).
2. The embedded system bus firewall according to claim 1, characterized in that: the forward rule mapping method consists of the bus monitor module (7) monitoring the embedded system key port instructions in real time, buffering them through the signal buffer module (8) and outputting them to the state encoding module (9) for encoding; the detection state machine module (10) reads the coded bus signal from the state encoding module (9) and at the same time schedules the rule learning module (6) to read the rule mapping code from the rule base (4); the two are compared, the instruction is allowed to execute when they match, and execution of the instruction is blocked when they do not match.
3. The embedded system bus firewall according to claim 1, characterized in that: the bus firewall (2) works on the following principle: rule learning is carried out first, during which the state information of the interface bus while key instructions execute under normal operation of the embedded system is h-coded and written into the rule base (4) by the embedded system host through the bus adapting interface (1) and the rule learning module (6);
during actual operation of the embedded system, the bus firewall (2) works as follows:
Step 1: the working mode selection module (5) selects the working mode of the bus firewall (2): in through mode the bus firewall only passes signals through, the through mode module (11) works and step 7 is executed; in filter mode the bus firewall (2) is started, the filter mode module (12) works and step 2 is executed;
Step 2: the bus monitor module (7) monitors the bus signals; as soon as a key instruction is found, its interface signals are captured and step 3 is executed; a non-key instruction is passed, and the working mode selection module (5) is notified to enter through mode;
Step 3: the signal buffer module (8) queues the captured key instruction interface signals in first-in-first-out order and passes the first signal waiting for release to the state encoding module (9);
Step 4: the state encoding module (9) encodes the interface signals according to a defined rule;
Step 5: the detection state machine module (10) compares the state code with the rule code in the rule base (4); when they match it sends a signal release command to the signal buffer module (8), the detection state machine module (10) switches to the next state and step 6 is executed; when they do not match it sends a signal isolate command to the signal buffer module (8) and at the same time raises an interrupt to the system, prompting it to perform fault handling such as program rollback or system reset;
Step 6: if the signal release command is received, the signal buffer module (8) releases the queued interface signal and step 7 is executed; if the signal isolate command is received, the signal buffer module (8) blocks the signal flow;
Step 7: the signals of the bus firewall (2) are output to the standard bus interface (3).
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200610114301 CN100530212C (en) 2006-11-03 2006-11-03 Bus line fire wall of embedded system

Publications (2)

Publication Number Publication Date
CN101174285A CN101174285A (en) 2008-05-07
CN100530212C true CN100530212C (en) 2009-08-19

Family

ID=39422799

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090819

Termination date: 20111103