CN101290646B - Apparatus and method for protecting system in virtualized environment - Google Patents

Apparatus and method for protecting system in virtualized environment Download PDF

Info

Publication number
CN101290646B
CN101290646B CN2008100911004A CN200810091100A CN101290646B CN 101290646 B CN101290646 B CN 101290646B CN 2008100911004 A CN2008100911004 A CN 2008100911004A CN 200810091100 A CN200810091100 A CN 200810091100A CN 101290646 B CN101290646 B CN 101290646B
Authority
CN
China
Prior art keywords
territories
territory
access
control module
device driver
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2008100911004A
Other languages
Chinese (zh)
Other versions
CN101290646A (en
Inventor
李圣民
郑福得
徐尚范
牟相德
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Samsung Electronics Co Ltd filed Critical Samsung Electronics Co Ltd
Publication of CN101290646A publication Critical patent/CN101290646A/en
Application granted granted Critical
Publication of CN101290646B publication Critical patent/CN101290646B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

Provided is an apparatus and method for protecting a system in a virtualized environment. The apparatus includes a domain unit including a plurality of domains, each having one or more device drivers; a system resource unit forming hardware of the system; a direct memory access (DMA) driver; and a control unit including an access control module which controls the access of the domain unit to the system resource unit in the virtualized environment.

Description

The equipment of protection system and method in virtual environment
The application require on April 16th, 2007 United States Patent (USP) trademark office submit to the 60/911st, No. 930 U.S. Provisional Applications and on October 31st, 2007, this application all was disclosed in this for reference in the right of priority of the 10-2007-0110296 korean patent application of Korea S Department of Intellectual Property submission.
Technical field
Equipment and the method consistent with the present invention relate to system protection, more particularly, relate to protection system in virtual environment, and wherein, protecting system resources is not subjected to the malice access, and guarantees reliable security service in virtual environment.
Background technology
Usually, the device such as personal computer (PC), personal digital assistant (PDA), wireless terminal and Digital Television (DTV) strengthens security and realizes various application and service with Intel Virtualization Technology.For security context is provided, Intel Virtualization Technology need to be such as the function of safe guidance, fail-safe software and access control.
Fig. 1 is the block diagram of relevant virtualization system equipment.With reference to Fig. 1, relevant virtualization system equipment uses monitor of virtual machine (VMM) 10 to create virtual environment.Relevant virtualization system equipment comprises: unit, territory 20, have a plurality of territories 21,22 ...; System resource unit 30 has ROM (read-only memory) (ROM), CPU (central processing unit) (CPU), storer, battery and I/O (I/O) device.
The territory 21,22 of unit, territory 20 ... each comprise one or more device driver 21a, 22a ....In addition, territory 21,22 ... at least one (for example, the territory 21) comprise direct memory access (DMA) driver 21b.In relevant virtualization system equipment, DMA are processed in unit, territory 20, and to territory 21,22 ... between the not restriction of formation of channel.In addition, when territory 21,22 ... each when attempting access system resources unit 30, unit, territory 20 or VMM 10 carry out simple access control.
Yet because DMA are processed in unit, territory 20, and 10 pairs of system resource unit 30 of VMM do not carry out be used to the access control that may maliciously access that prevents unit, territory 20, so above-mentioned relevant virtualization system equipment has safety issue.
More particularly, DMA is processed in territory 21, and uncontrolled to the access of physical storage.Therefore, if exist uneasy universe or existence to comprise the territory of the defective device driver of tool, the then physical storage of the addressable VMM 10 in described territory or another territory, and steal confidential data or override sky data (dummy data), thereby the system failure caused.
If special domain excessively uses system storage, then the system failure may appear, like this, reduced system availability.
The quantity of the event channel that can form between two territories is restricted.Therefore, if all available event channels are used in the malice territory, then between residue field, can not form event channel.Therefore, the system failure may appear.
Summary of the invention
It is a kind of for equipment and method in the virtual environment protection system that each aspect of the present invention provides, and wherein, protecting system resources is not accessed by the malice of Malware for example, has solved the system failure, and guarantee reliable security service in virtual environment.
Yet each aspect of the present invention is not limited to an aspect set forth herein.By with reference to detailed description of the present invention given below, for a those of ordinary skill in field under the present invention, above-mentioned and other side of the present invention will become more obvious.
According to an aspect of the present invention, provide a kind of in virtual environment the equipment of protection system.Described equipment comprises: the unit, territory, comprise a plurality of territories, and each territory has one or more device drivers; The system resource unit, the hardware of formation system; Direct memory access (DMA) driver; And control module, comprise being controlled in the virtual environment unit, territory to the access control module of the access of system resource unit.
According to a further aspect in the invention, provide a kind of in virtual environment the method for protection system.Described method comprises: I/O (I/O) space that the request access control module is required with the access system resources unit and interrupt request (IRQ) quantity are distributed to the device driver among of a plurality of territories; Determine whether scheduled visit strategy allows the domain access system Resource Unit of actuating unit driver; And if scheduled visit strategy allows described domain access system Resource Unit, then input/output space and the IRQ quantity of request are distributed to device driver in the described territory, if scheduled visit strategy does not allow described domain access system Resource Unit, then input/output space and the IRQ quantity of request are not distributed to device driver in the described territory.
According to a further aspect in the invention, provide a kind of in virtual environment the method for protection system.Described method comprises: allow storer by DMA driver access system resources unit by using device driver request access control module among of a plurality of territories; Determine whether scheduled visit control strategy allows the domain browsing storer of actuating unit driver; And if scheduled visit control strategy allows described domain browsing storer, then allow the device driver reference-to storage in the described territory, if scheduled visit control strategy does not allow described domain browsing storer, then do not allow the device driver reference-to storage in the described territory.
According to a further aspect in the invention, provide a kind of in virtual environment the method for protection system.Described method comprises: a request access control module distributing system resource using a plurality of territories; Whether the amount of determining the request of described territory surpasses the allowance limit that scheduled visit control strategy arranges; And if the amount of described territory request is less than allowance limit, then allow will request system resource allocation to described territory, if the amount of described territory request surpasses allowance limit, then do not allow will request system resource allocation to described territory.
Description of drawings
By the description that the reference accompanying drawing carries out certain exemplary embodiments of the present invention, above-mentioned and other side of the present invention will become more apparent, wherein:
Fig. 1 is the block diagram of relevant virtualization system equipment;
Fig. 2 is the block diagram of the equipment of protection system in virtual environment that illustrates according to exemplary embodiment of the present invention;
Fig. 3 illustrates the process flow diagram of I/O (I/O) allocation of space to the processing of device driver, and wherein, described processing is included in the method for protection system in virtual environment according to exemplary embodiment of the present invention;
Fig. 4 be illustrate the control device driver by direct memory access (DMA) driver to the process flow diagram of the processing of the access of system storage, wherein, described processing is included in the system protection method according to exemplary embodiment of the present invention; And
Fig. 5 illustrates control domain to the process flow diagram of the processing of the access of system resource, and wherein, described processing is included in the system protection method according to exemplary embodiment of the present invention.
Embodiment
Now describe more all sidedly with reference to the accompanying drawings the present invention, exemplary embodiment of the present invention shows in the accompanying drawings.Yet the present invention can embody by different forms, and is not limited to embodiment set forth herein.In addition, thereby provide these embodiment disclosure will be thoroughly and complete and fully design of the present invention is conveyed to those skilled in the art, and the present invention be only limited by claim.In the accompanying drawings, identical label refers to identical parts, therefore will omit their description.
Below, describe in further detail with reference to the accompanying drawings according to of the present invention in virtual environment equipment and the method for protection system.
When the detailed description of determining prior art or structure may unnecessarily make the present invention blur, may omit detailed description.
Fig. 2 is the block diagram of the equipment of protection system in virtual environment that illustrates according to exemplary embodiment of the present invention.
With reference to Fig. 2, described equipment comprises: unit, territory 100, system resource unit 200 and control module 300.
Unit, territory 100 comprises: a plurality of territories 110,120 ..., each have one or more device drivers 111,121 ....Unit, territory 100 comprise at least one security domain (for example, the territory 110) and a plurality of common territory (for example, territory 120 ...).Here, security domain is very safe, and common territory is dangerous to a certain extent.
Term " territory " refers to such environment as used herein: can carry out one or more related device drivers in one or more corresponding operating systems (OS) respectively.
System resource unit 200 forms the hardware of system.System resource unit 200 comprises: ROM (read-only memory) (ROM) 210, central processing unit (CPU) 220, battery 230, storer 240, event channel 250 and I/O (I/O) device 260.
ROM 210 is the unalterable storage spaces of unauthorized user or system.
Storer 240 is storage data storage spaces.Storer 240 can be the nonvolatile memory such as flash memory.
Storer 240 comprises for after a while with physical storage and the system storage of the direct memory access (DMA) described.
Storer 240 is divided into a plurality of memory blocks, according to type and safe class various data messages being classified, and correspondingly stores described data message.Correspondingly, can in a memory block, be encrypted and store important data message.
Use monitor of virtual machine (VMM), the access of control module 300 (for example, in wireless internet environment) 100 pairs of system resource unit 200, control domain unit in virtual environment.
Control module 300 comprises DMA driver 310 and access control module 320.The access of access control module 320 100 pairs of system resource unit 200, control domain unit in virtual environment.
DMA driver 310 is modules of carrying out dma operation.
Access control module 320 control domains 110,120 ... each device driver 111,121 ... each access by 310 pairs of system resource unit 200 of DMA driver.Particularly, access control module 320 restriction be installed in unsafe common territory 120 ... in one (for example, territory 120) the malicious device driver in (for example, device driver 121) is to the input/output space relevant with DMA driver 310 and the access of interrupt request (IRQ).More specifically, when the territory 110,120 that allows access system resources unit 200 according to scheduled visit control strategy ... one in device driver when attempting by DMA driver 310 access system resources unit 200, access control module 320 allows the relevant input/output space of this device drivers access and DMA driver 310.Yet, if do not allow to attempt device driver access system resources unit 200 by DMA driver 310 access system resources unit 200 according to scheduled visit control strategy, then access control module 320 limits the relevant input/output space of this device driver pair and DMA driver 310 and the access of IRQ.
Access control module 320 be territory 110,120 ... each the option of different access system resources unit 200 is set, and based on the option that arranges, for territory 110,120 ... each in device driver 111,121 ... each, control described device driver 111,121 ... the input/output space of each request and the distribution of IRQ quantity.More particularly, if scheduled visit control strategy allow device driver 111,121 ... in an access system resources unit 200, then access control module 320 is distributed to device driver in the territory with the input/output space of request and IRQ quantity.If scheduled visit control strategy does not allow device driver access system resources unit 200, then access control module 320 is not distributed to device driver with input/output space and the IRQ quantity of request.
Access control module 320 restriction of domains 110,120 ... each excessively use system resource unit 200.More particularly, when territory 110,120 ... each in device driver 111,121 ... in a storer 240 that uses system resource unit 200 when surpassing the limit that allows according to scheduled visit control strategy, access control module 320 limits this device driver to the access of storer 240.In addition, access control module 320 forbid territory 110,120 ... each and territory 110,120 ... another form the event channel of the greater number that surpasses the quantity that allows according to scheduled visit control strategy.
Below, with reference to Fig. 3 to Fig. 5 the method for protection system in virtual environment according to exemplary embodiment of the present invention is described.
Fig. 3 illustrates the process flow diagram of input/output space being distributed to the processing of device driver, and wherein, described processing is included in the method for protection system in virtual environment according to exemplary embodiment of the present invention.
With reference to Fig. 3, the access control module 320 of control module 300 be territory 110,120 ... each be provided for the different options of access system resources unit 200, and based on the option that arranges, for territory 110,120 ... each in device driver 111,121 ... each, control described device driver 111,121 ... the input/output space of each request and the distribution of IRQ quantity.
More particularly, territory 110,120 ... one in device driver 111,121 ... the required input/output space (operation S101) of a request access control module 320 allocation access system Resource Units 200.Next, determine whether allow domain access system Resource Unit 200 (operation S102) by the access control policy that the access control module 320 of control module 300 is determined.If access control policy allows domain access system Resource Unit 200, then access control module 320 is distributed to device driver (operation S103) in the territory with the input/output space of request and IRQ quantity.Yet if access control policy does not allow domain access system Resource Unit 200, access control module 320 is not distributed to device driver in the territory with input/output space and the IRQ quantity of request.
Fig. 4 is the process flow diagram that the processing of the access of control device driver by 310 pairs of system storages of DMA driver is shown, and wherein, described processing is included in the system protection method according to exemplary embodiment of the present invention.
With reference to Fig. 4, access control module 320 control domains 110,120 of control module 300 ... each in device driver 111,121 ... each access by 310 pairs of system resource unit 200 of DMA driver.
More particularly, territory 110,120 ... one in device driver 111,121 ... a request access control module 320 allow its storer 240 by DMA driver 310 access system resources unit 200 (operation S201).Next, determine whether access control policy allows the domain browsing storer 240 of actuating unit driver (operation S202).If access control policy allows domain browsing storer 240, then access control module 320 allows device driver reference-to storage 240 (operation S203).Yet if access control policy does not allow domain browsing storer 240, access control module 320 restraint device drivers are to the access of storer 240.
Fig. 5 illustrates control domain to the process flow diagram of the processing of the access of system resource, and wherein, described processing is included in the system protection method according to exemplary embodiment of the present invention.
With reference to Fig. 5, access control module 320 restriction of domains 110,120 ... each excessively use system resource unit 200.
More particularly, territory 110,120 ... at least one request access control module 320 distributing system resource (operation S301).Next, determine whether the amount of described territory request surpasses the allowance limit of access control policy setting (operation S302).If the amount of described territory request is less than allowance limit, then access control module 320 allow will request system resource allocation to territory (operation S303).Yet if the amount of described territory request surpasses allowance limit, access control module 320 does not allow system resource allocation to the territory.For example, when territory 110,120 ... each device driver 111,121 ... a use storer 240 during more than allowance limit, access control module 320 restriction of domains are to the access of storer 240.In addition, access control module 320 forbid territory 110,120 ... each and territory 110,120 ... another form and surpass the greater number event channel that allows quantity.
As mentioned above, be used in the equipment and method of virtual environment protection system, not accessed by the malice of Malware, and can the resolution system fault.Therefore, can provide reliable security service.
Although reference exemplary embodiment demonstration of the present invention has also been described the present invention, but it should be appreciated by those skilled in the art that, in the situation that does not break away from the spirit and scope of the present invention that are defined by the claims, can carry out to it change of various forms and details.It only is descriptive that described exemplary embodiment should be considered to, rather than to be restricted to purpose.

Claims (16)

1. the equipment of a protection system in virtual environment, described equipment comprises:
The unit, territory comprises a plurality of territories, and a plurality of territories comprise device driver;
The system resource unit; And
Control module comprises direct memory access (DMA) driver and access control module, and described access control module is controlled at unit, territory in the virtual environment by the access of DMA driver to the system resource unit,
Wherein, access control module is forbidden that each territory in described a plurality of territory and another territory in described a plurality of territory form and is surpassed a plurality of event channels that allow quantity.
2. equipment as claimed in claim 1, wherein, described a plurality of territories comprise at least one security domain.
3. equipment as claimed in claim 1, wherein, described system resource unit comprises at least one in following: the event channel between at least two territories in system storage, the physical storage that is used for the DMA driver and described a plurality of territories.
4. equipment as claimed in claim 1, wherein, control module uses the monitor of virtual machine executivecontrol function.
5. equipment as claimed in claim 1, wherein, access control module control device driver in each of described a plurality of territories each by the access of DMA driver to the system resource unit.
6. equipment as claimed in claim 5, wherein, access control module restriction is installed in malicious device driver pair I/O (I/O) space relevant with the DMA driver in any one of uneasy universe among described a plurality of territory and the access of interrupt request (IRQ).
7. equipment as claimed in claim 1, wherein, access control module is that each territory in described a plurality of territories arranges the different options that is used for the access system resources unit.
8. equipment as claimed in claim 7 wherein, based on the option that arranges, for the device driver among of described a plurality of territories, is controlled the input/output space relevant with the DMA driver of described device driver request and the distribution of IRQ quantity.
9. equipment as claimed in claim 8, wherein, if allow device driver access system resources unit, then access control module is distributed to device driver among of described a plurality of territories with the input/output space of request and IRQ quantity, if do not allow device driver access system resources unit, then access control module is not distributed to the input/output space of request and IRQ quantity the device driver among of described a plurality of territories.
10. equipment as claimed in claim 1, wherein, access control module limits described a plurality of territory and excessively uses the system resource unit.
11. equipment as claimed in claim 10, wherein, if the device driver in of described a plurality of territories uses storer more than allowance limit, then access control module limits described device driver among of described a plurality of territories to the access of the storer of system resource unit.
12. the method for a protection system in virtual environment, described method comprises:
I/O (I/O) space relevant with DMA that the request access control module is required with the access system resources unit and interrupt request (IRQ) quantity are distributed to the device driver among of a plurality of territories;
Determine whether scheduled visit strategy allows to comprise the domain access system Resource Unit of device driver; And
If scheduled visit strategy allows an access system resources unit in described a plurality of territories, then the input/output space of request and IRQ quantity are distributed to the device driver among of described a plurality of territories, if scheduled visit strategy does not allow an access system resources unit in described a plurality of territories, then the input/output space of request and IRQ quantity are not distributed to the device driver among of described a plurality of territories
Wherein, access control module is forbidden that each territory in described a plurality of territory and another territory in described a plurality of territory form and is surpassed a plurality of event channels that allow quantity.
13. method as claimed in claim 12, wherein, access control policy is determined by the access control module that is included among the VMM.
14. the method for a protection system in virtual environment, described method comprises:
By using device driver request access control module among of a plurality of territories to allow storer by direct memory access (DMA) driver access system resources unit;
Determine whether scheduled visit control strategy allows to comprise a reference-to storage in described a plurality of territories of device driver; And
If scheduled visit control strategy allows a reference-to storage in described a plurality of territories, then allow the device driver reference-to storage among of described a plurality of territories, if scheduled visit control strategy does not allow a reference-to storage in described a plurality of territories, then do not allow the device driver reference-to storage among of described a plurality of territories
Wherein, access control module is forbidden that each territory in described a plurality of territory and another territory in described a plurality of territory form and is surpassed a plurality of event channels that allow quantity.
15. the method for a protection system in virtual environment, described method comprises:
Use a request access control module distributing system resource in a plurality of territories;
Whether the amount of determining the request of described territory surpasses the allowance limit that scheduled visit control strategy arranges; And
If the amount of a request in described a plurality of territories is less than allowance limit, then allow will request system resource allocation give of described a plurality of territories, if the amount of a request in described a plurality of territories surpasses allowance limit, then do not allow will request system resource allocation give of described a plurality of territories
Wherein, the amount of described a plurality of territories request is included in a plurality of event channels that form between at least two territories in described a plurality of territories.
16. method as claimed in claim 15, wherein, the amount of a request in described a plurality of territories comprises the use amount of storer.
CN2008100911004A 2007-04-16 2008-04-16 Apparatus and method for protecting system in virtualized environment Expired - Fee Related CN101290646B (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US91193007P 2007-04-16 2007-04-16
US60/911,930 2007-04-16
KR1020070110296A KR101405319B1 (en) 2007-04-16 2007-10-31 Apparatus and method for protecting system in virtualization
KR10-2007-0110296 2007-10-31

Publications (2)

Publication Number Publication Date
CN101290646A CN101290646A (en) 2008-10-22
CN101290646B true CN101290646B (en) 2013-05-01

Family

ID=40034900

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008100911004A Expired - Fee Related CN101290646B (en) 2007-04-16 2008-04-16 Apparatus and method for protecting system in virtualized environment

Country Status (2)

Country Link
KR (1) KR101405319B1 (en)
CN (1) CN101290646B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103370715B (en) * 2010-10-31 2017-04-12 时间防御系统有限责任公司 System and method for securing virtual computing environments
KR101323858B1 (en) * 2011-06-22 2013-11-21 한국과학기술원 Apparatus and method for controlling memory access in virtualized system
KR101469894B1 (en) * 2011-08-12 2014-12-08 한국전자통신연구원 Method and apparatus for providing secure execution environment based on domain separation
KR101710684B1 (en) 2015-09-10 2017-03-02 (주) 세인트 시큐리티 System and method of recovering operating system anayzing malicious code not operating in virtual environment
US9992212B2 (en) * 2015-11-05 2018-06-05 Intel Corporation Technologies for handling malicious activity of a virtual network driver
US9984009B2 (en) * 2016-01-28 2018-05-29 Silicon Laboratories Inc. Dynamic containerized system memory protection for low-energy MCUs
KR20190021673A (en) * 2017-08-23 2019-03-06 주식회사 수산아이앤티 Apparatus and method for preventing ransomware

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1254424A (en) * 1997-04-30 2000-05-24 Arm有限公司 Memory access protection
US7036122B2 (en) * 2002-04-01 2006-04-25 Intel Corporation Device virtualization and assignment of interconnect devices
CN1920797A (en) * 2005-08-26 2007-02-28 株式会社东芝 Memory access control apparatus

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002041304A (en) 2000-07-28 2002-02-08 Hitachi Ltd Automatic imparting method of backup resource of logical section and logical section based computer system
AU2003278350A1 (en) * 2002-11-18 2004-06-15 Arm Limited Secure memory for protecting against malicious programs
JP4119239B2 (en) 2002-12-20 2008-07-16 株式会社日立製作所 Computer resource allocation method, resource management server and computer system for executing the method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1254424A (en) * 1997-04-30 2000-05-24 Arm有限公司 Memory access protection
US7036122B2 (en) * 2002-04-01 2006-04-25 Intel Corporation Device virtualization and assignment of interconnect devices
CN1920797A (en) * 2005-08-26 2007-02-28 株式会社东芝 Memory access control apparatus

Also Published As

Publication number Publication date
KR20080093359A (en) 2008-10-21
KR101405319B1 (en) 2014-06-10
CN101290646A (en) 2008-10-22

Similar Documents

Publication Publication Date Title
CN101290646B (en) Apparatus and method for protecting system in virtualized environment
CN108073816B (en) Information processing apparatus
WO2019104988A1 (en) Plc security processing unit and bus arbitration method thereof
US20110078760A1 (en) Secure direct memory access
US8955056B2 (en) Terminal and method for assigning permission to application
KR101425621B1 (en) Method and system for sharing contents securely
US9208313B2 (en) Protecting anti-malware processes
CN101842784A (en) Hardware device interface supporting transaction authentication
CN104881596A (en) Modifying memory permissions in a secure processing environment
US10242194B2 (en) Method and apparatus for trusted execution of applications
CN112817780B (en) Method and system for realizing safety and high-performance interprocess communication
EP1983460B1 (en) Apparatus and method for protecting system in virtualized environment
CN112446032B (en) Trusted execution environment construction method, system and storage medium
US10250595B2 (en) Embedded trusted network security perimeter in computing systems based on ARM processors
CN110851188A (en) Domestic PLC trusted chain implementation device and method based on binary architecture
CN103348355A (en) Method and apparatus for managing security state transitions
US11334258B2 (en) System and method for memory region protection
CN109446847B (en) Configuration method of dual-system peripheral resources, terminal equipment and storage medium
CN114722404B (en) Method and system for realizing any number of EAPP based on RISC-V
CN115422554A (en) Request processing method, compiling method and trusted computing system
JP5496464B2 (en) Apparatus and method for secure system protection in a virtualized environment
CN114065257A (en) Address space protection method, protection device, equipment and storage medium
EP3667525B1 (en) Playing memory management method
CN107533515A (en) Prevent the fine granulation memory protection of memory flooding
KR20240040006A (en) Method, device, and electronic apparatus for securely passing data

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130501

CF01 Termination of patent right due to non-payment of annual fee