CN102375947A - Method and system for isolating computing environment - Google Patents
Method and system for isolating computing environment Download PDFInfo
- Publication number
- CN102375947A CN102375947A CN2010102623831A CN201010262383A CN102375947A CN 102375947 A CN102375947 A CN 102375947A CN 2010102623831 A CN2010102623831 A CN 2010102623831A CN 201010262383 A CN201010262383 A CN 201010262383A CN 102375947 A CN102375947 A CN 102375947A
- Authority
- CN
- China
- Prior art keywords
- protected process
- protected
- memory headroom
- strategies
- secure access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Abstract
The invention provides a method for isolating and protecting a computing environment in a protected process by using root trusted computing base (RTCB), which comprises an initialized protected process; controlling the dynamic computing environment in a protected process to prevent the dynamic computing environment from being used illegally; monitoring the use of a memory management unit (MMU) and isolating and protecting the memory space in a protected process; and monitoring the use of an input/output memory management unit (IOMMU), and controlling the interaction operation conducted by peripheral equipment with the protected process through the IOMMU. When the method is used, other processes beyond a safe access policy collection of the protected process are prevented from accessing the memory space through the MMU or any input/output (IO) equipment from accessing the memory space according to the memory space distributed to the protected process when the protected process is run, and thus, real safe isolation can be formed.
Description
Technical field
The present invention relates to the security fields of computing environment, more specifically, relate to and be used for isolated computing environment to protect the method and system of the software application of carrying out in this segregate computing environment.
Background technology
Current, as everyone knows, in computing environment, preserve the software code and the data of a large amount of plaintext forms usually.In order to prevent to be caused complete property and/or data confidentiality to be damaged with any undelegated form visit, some software codes and data need be moved in the safe isolation computing environment.The strong isolation is the important safety requirement of stand-by equipment service configuration platform, and said stand-by equipment service configuration platform is such as being the server in the cloud computing.
Virtual machine (VM) is widely used as isolation platform, in application, through the natural separation between each virtual machine safe isolation is provided.In Amazon Web Services (AWS), EC2 machine instance (AMI) is a virtual machine, and AWS recommends the user to use the strong authentication means to visit this virtual machine strongly.Yet; Because operating system (OS) itself can be used as the attack source, in this case, for example the direct IO through peripherals visits; Just can be easy to break up this isolation, isolate so the isolation between this so-called virtual machine can not form real safety.
In existing research, some researchists have proposed the virtual method of platform safety.For example, at X.Chen, T.Garfinkel; E.C.Lewis, P.Subrahmanyam, C.A.Waldspurger; D.Boneh; In " Overshadow:a virtualization-basedapproach to retrofitting protection in commodity operating systems " that J.Dwoskin and D.R.Ports deliver, discussed through covering (overshadow) CPU Intel Virtualization Technology and controlled memory management unit (MMU); Thereby even when serving the OS kernel of application, the isolation between also can implementation process.The principle of the mode that this implementation process is isolated is; Being used for virtualized monitor of virtual machine of CPU (VMM) or system supervisor is the highest software of computing platform authority; They can be intervened between any other process of the OS kernel of serving application, thus the isolation between implementation process.
Yet in the implementation method of above-mentioned Overshadow, for the IO equipment that is transmitted in the calculating on the different platform, this monitor of virtual machine can not be confirmed the shading memory page or leaf is used for PERCOM peripheral communication simply.
In addition, input-output apparatus can be visited main memory through separate connection with from the asynchronous control of CPU.Design I/O MMU (IOMMU) before in processor manufacturer, these input-output apparatus are access memory quite freely.Industry has realized that if the input-output apparatus access memory is not managed, then possibly bring serious threat to server virtualization.For example, the software error of device driver possibly cause the paralysis of server and all application of its service.
In some prior art schemes, IO processor manufacturer is connected to all IO equipment the IOMMU of north bridge again.This connects again makes CPU can control the core position, and equipment is through this core position of strategy visit.For example, the scheme of Intel Company is that the IOMMU in monitor of virtual machine table is programmed, and whether can let device access to confirm certain position in the internal memory.It is the core position of forbidding IO device access kernel place that other scheme is also arranged.Yet these IO prohibited methods can not be applied to application software because application software have need be by the data of equipment I/O, this I/O is directly, and can not be forbidden simply.
Summary of the invention
In view of the above problems; The purpose of this invention is to provide the method and system that a kind of RTCB of utilization comes the computing environment of protected process is carried out insulation blocking; It can be when the protected process of operation; To the memory headroom of distributing to this protected process, cancel the authority that is assigned this memory headroom and all other these memory headrooms of process visit outside the security procedure strategy of this protected process and/or forbid any this memory headroom of IO device access, thereby real safety is isolated.
According to an aspect of the present invention, provide a kind of root that utilizes to trust the method that calculating base (RTCB) comes the computing environment of protected process is carried out insulation blocking, comprising: the protected process of initialization; Dynamic calculation environment to said protected process is controlled, and is used by illegal to prevent said dynamic calculation environment; The use of monitoring memory management unit (MMU) is carried out insulation blocking to the memory headroom of said protected process; And the use of monitoring I/O memory management unit (IOMMU), the interactive operation between protected process that peripherals is carried out through IOMMU and said is controlled.
In addition, in one or more embodiments, the step of the protected process of initialization can also comprise the secure access set of strategies of the said protected process of initialization, makes the identity that only comprises said protected process in the said secure access set of strategies.
In addition; In one or more embodiments; The dynamic calculation environment of controlling said protected process can also be comprised by the illegal step of using to prevent said dynamic calculation environment: when said protected process requires in its secure access set of strategies, to add the identity of another other process; The identity of this other process is added in the secure access set of strategies of said protected process, and the identity of this other process is added in the secure access set of strategies of the employed memory headroom of said protected process; And the secure access set of strategies of the secure access set of strategies of this other process and the employed memory headroom of this other process is set to identical with the secure access set of strategies of said protected process.
In addition; In one or more embodiments; The use of monitoring memory management unit (MMU) can also comprise the step that the memory headroom of said protected process carries out insulation blocking: when any process requires to distribute a new memory headroom, only do not have the new memory headroom of secure access set of strategies for one of this course allocation.
In addition, preferably, in one or more embodiments, when this any process was protected process, said method can also comprise that the secure access set of strategies of this new memory headroom is set to the secure access set of strategies as this any process of protected process; Cancel the authority of other process through the employed memory headroom of MMU this protected process of visit; And notice IOMMU does not allow the memory headroom of any this protected process of peripheral access.
In addition; In one or more embodiments; The use of monitoring memory management unit (MMU); The step of the memory headroom of said protected process being carried out insulation blocking can also comprise: when said protected process requires to discharge a memory headroom, the identity of said protected process is deleted from the secure access set of strategies of this memory headroom; When the secure access set of strategies of this memory headroom is sky, wipe all information that write down in this memory headroom; And remove the secure access set of strategies of this memory headroom.
In addition; In one or more embodiments; The use of monitoring memory management unit (MMU); The step of the memory headroom of said protected process being carried out insulation blocking can also comprise: when memory headroom that said protected process discharged is its employed last memory headroom, can also removes the secure access set of strategies of said protected process, and stop said protected process.
In addition, in one or more embodiments, the use of monitoring memory management unit (MMU), the step that the memory headroom of said protected process is carried out insulation blocking can also comprise forbids that this other process loads the MMU of this protection process and show.
In addition; In one or more embodiments; The use of monitoring memory management unit (MMU); The step that the memory headroom of said protected process is carried out insulation blocking can also comprise when this other process be kernel, and this protected process is loaded the pseudo-MMU that only contains the kernel memory information for this other process and is shown when being absorbed in this other process.
In addition; In one or more embodiments; The use of monitoring memory management unit (MMU); The step of the memory headroom of said protected process being carried out insulation blocking can also comprise: if when other process of pre-treatment is a protected process, and this other process is in the secure access set of strategies of the memory headroom of said protected process, other process that then allows to deserve pre-treatment is visited the memory headroom of said protected process through MMU; Otherwise, stop other process of deserving pre-treatment to visit the memory headroom of said protected process through MMU.
In addition; In one or more embodiments, the step of using the interactive operation between that I/O memory management unit (IOMMU) carries out through IOMMU any peripherals and said protected process to control can comprise: forbid that any peripherals visits the memory headroom of the computing environment of said protected process through IOMMU; And need carry out IO when mutual with peripherals in said protected process, allow this peripherals to use the IOMMU said protected process of showing to cooperate to accomplish the IO operation.
In addition; In one or more embodiments; Forbid that all peripherals visit the computing environment of said protected process through IOMMU the step of memory headroom can also comprise: when utilizing MMU is after said protected process becomes memory headroom of the distribution of work; Notice IOMMU upgrades the IOMMU table of any peripherals, to cancel and the authority of any peripherals of permanent ban through the newly assigned memory headroom of the said protected process of IOMMU table access.
In addition; In one or more embodiments; Need carry out IO when mutual with peripherals in said protected process; Step that said protected process accomplishes the IO operation can also comprise to allow this peripherals to use IOMMU to show to cooperate: need be when peripherals inputs to the memory headroom of computing environment of this protected process in said protected process with information, with the information stores of this peripherals input in IO buffer area corresponding with this peripherals and setting in the IOMMU table; Utilize the key that is provided with in the key set of strategies of this protected process, the information of buffer memory in this said IO buffer area is carried out imported password conversion; And will pass through information stores after the conversion of imported password in the input-buffer district of said protected process, use for said protected process.
In addition; In one or more embodiments; Need carry out IO when mutual with peripherals in said protected process; Step that said protected process accomplishes the IO operation can also comprise to allow this peripherals to use IOMMU to show to cooperate: to the periphery during equipment output information, utilize the Password Policy of this protected process to concentrate the key that is provided with at these protected process needs, to said protected process the information that will export carry out the conversion of output type password; To pass through information stores after the output type password conversion in IO buffer area corresponding with this peripherals and setting in the IOMMU table; The content information that is stored in the said IO buffer area is outputed to this peripherals.
In addition, the concentrated key that is provided with of said Password Policy in this protected process is process key or system key.
According to a further aspect in the invention; Provide a kind of root trust calculating base (RTCB) that utilizes to come the computing environment of protected process is carried out the system of insulation blocking; Comprise: initialization unit; The secure access set of strategies that is used for the protected process of initialization makes this secure access set of strategies only comprise the identity of this protected process; Dynamic calculation environmental protection unit is used for the dynamic calculation environment of said protected process is controlled, and is used by illegal to prevent said dynamic calculation environment; Memory management unit (MMU) monitoring unit is used to monitor the use of MMU, and the memory headroom of said protected process is carried out insulation blocking; And input and output memory management unit (IOMMU) monitoring unit, being used to monitor the use of IOMMU, the interactive operation between protected process that peripherals is carried out through IOMMU and said is controlled.
In addition; Said dynamic calculation environmental protection unit further comprises: secure access set of strategies adding device; Be used for requiring when its secure access set of strategies adds the identity of another other process when said protected process; The identity of this other process is added in the secure access set of strategies of said protected process, and the identity of this other process is added in the secure access set of strategies of the employed memory headroom of said protected process; And the secure access set of strategies is provided with the unit, is used for the secure access set of strategies of this other process and the secure access set of strategies of the employed memory headroom of this other process and is set to identical with the secure access set of strategies of said protected process.
In addition, said MMU monitoring unit can also comprise the memory headroom allocation units, is used for when any process requires to distribute a new memory headroom, does not only have the new memory headroom of secure access set of strategies for one of this course allocation; And the memory headroom delete cells, be used for when said protected process requires memory headroom of deletion, deleting this memory headroom.
In addition; Said memory headroom allocation units can also comprise: the secure access set of strategies is provided with the unit; Be used for when this any process is protected process, the secure access set of strategies of this new memory headroom is set to the secure access set of strategies as this any process of protected process; Cancel the unit, be used to cancel the authority of other process through the employed memory headroom of MMU this protected process of visit; And notification unit, be used to notify IOMMU not allow the memory headroom of any this protected process of peripheral access.
In addition, said memory headroom delete cells can also comprise the identity delete cells, is used for when said protected process requires to discharge a memory headroom, the identity of said protected process being deleted from the secure access set of strategies of this memory headroom; The information erasing unit is used for when the secure access set of strategies of this memory headroom is sky, wiping all information that write down in this memory headroom; And the secure access set of strategies removes the unit, is used to remove the secure access set of strategies of this memory headroom.
In addition, when memory headroom that said protected process discharged was its employed last memory headroom, said secure access set of strategies was removed the secure access set of strategies that said protected process is removed in the unit.In this case, said system can also comprise the termination unit, is used to stop said protected process.
In addition, said MMU monitoring unit can also comprise that MMU shows loading and forbids the unit, is used to forbid the MMU table of this other this protected process of process loading.
In addition, preferably, said MMU monitoring unit can also comprise pseudo-MMU table load units, be used for when this other process be kernel, and this protected process is loaded the pseudo-MMU that only contains the kernel memory information for this other process and is shown when being absorbed in this other process.
In addition; Said MMU monitoring unit can also comprise the MMU access control unit; If other process that is used for when pre-treatment is a protected process; And this other process is in the secure access set of strategies of the memory headroom of said protected process, and other process that then allows to deserve pre-treatment is visited the memory headroom of said protected process through MMU; Otherwise, stop other process of deserving pre-treatment to visit the memory headroom of said protected process through MMU.
In addition, said IOMMU monitoring unit can comprise that memory headroom visit forbids the unit, is used to forbid that any peripherals visits the memory headroom of the computing environment of said protected process through IOMMU; And IO interaction process unit, be used for need carrying out IO when mutual with peripherals in said protected process, allow this peripherals to use the IOMMU said protected process of showing to cooperate to accomplish the IO operation.
In addition, preferably, IO interaction process unit further comprises: I/O type password converting unit is used for equipment is to the periphery write or exports/imported password conversion from the information that peripherals reads; And IO buffer area; Be used to store the information that equipment to the periphery writes or read from peripherals; And write information to peripherals or read from peripherals, wherein, when equipment writing information to the periphery; Be utilized in the key that is provided with in the key set of strategies of this protected process, the information that will output to peripherals to said protected process is carried out the conversion of output type password; To pass through information stores after the output type password conversion in IO buffer area corresponding with this peripherals and setting in the IOMMU table; And the information that will be stored in the said IO buffer area outputs to this peripherals; And when peripherals reads information, the information stores that will read through this exterior I O equipment is in IO buffer area corresponding with this peripherals and that in the IOMMU table, be provided with; Utilize and the key that in the key set of strategies of this protected process, is provided with, the information of buffer memory in said IO buffer area is carried out imported password conversion; And will pass through information stores after the conversion of imported password in the input-buffer district of said protected process, use for said protected process.
In addition, the concentrated key that is provided with of said Password Policy in this protected process is process key or system key.
In order to realize above-mentioned and relevant purpose, one or more aspects of the present invention comprise the characteristic that the back will specify and in claim, particularly point out.Following explanation and accompanying drawing have specified some illustrative aspects of the present invention.Yet, the indication of these aspects only be some modes that can use in the variety of way of principle of the present invention.In addition, the present invention is intended to comprise all these aspects and their equivalent.
Description of drawings
Through with reference to below in conjunction with the explanation of accompanying drawing and the content of claims, and along with to more complete understanding of the present invention, other purpose of the present invention and result will understand more and reach easy to understand.In the accompanying drawings:
Fig. 1 is that the RTCB that utilizes according to the embodiment of the invention carries out the overview flow chart of the method for insulation blocking to protected process computing environment;
Fig. 2 shows the process flow diagram according to the process of the identity of in the secure access set of strategies of protected process, adding another process of the embodiment of the invention;
The process flow diagram of the process of the processing that the MMU monitoring unit carried out when Fig. 3 showed according to the new memory headroom of any process requirement distribution of the embodiment of the invention;
Fig. 4 shows the process flow diagram of the process of the memory headroom that uses according to the protected process of the release of the embodiment of the invention;
Fig. 5 shows the process flow diagram about the process of the operation of MMU table that other process is carried out according to the MMU monitoring unit of the embodiment of the invention;
Fig. 6 shows the process flow diagram according to the process of the operation that the MMU monitoring unit carries out when other process is visited the memory headroom of protected process of the embodiment of the invention;
The use IOMMU that Fig. 7 shows according to the embodiment of the invention comes the process flow diagram to the process of communication program control between peripherals and said protected process;
Fig. 8 shows and carries out the process flow diagram of an example that IO carries out the process of input and output control when mutual according to the embodiment of the invention at needs and peripherals;
The RTCB that utilizes that Fig. 9 illustrates according to the embodiment of the invention carries out the block diagram of the system of insulation blocking to the computing environment of protected process;
Figure 10 shows the block diagram according to the dynamic calculation environmental protection unit of the embodiment of the invention;
Figure 11 shows the block diagram according to the MMU monitoring unit of the embodiment of the invention;
Figure 12 shows the block diagram according to the IOMMU monitoring unit of the embodiment of the invention;
Figure 13 is the block diagram according to the IO interaction process unit in the IOMMU monitoring unit shown in Figure 12 of the embodiment of the invention.
Identical label is indicated similar or corresponding feature or function in institute's drawings attached.
Embodiment
At first introduce according to computing environment of the present invention, computing environment according to the present invention generally includes computing hardware with open architecture (such as but not limited to, Intel X86 framework) and software stack.
Usually, said hardware structure comprises trusted platform module architecture module (TPM), procedure control unit (PCU), memory management unit (MMU) and I/O memory management unit (IOMMU).
When starting the software stack of computing platform, this trusted platform module architecture module can be measured root and trust calculating base (RTCB, Root Trusted Computing Base), and measurement result is stored in the trusted platform module architecture module, for checking in the future.The trusted platform module architecture module is measured, is stored and the method and apparatus of checking RTCB is the ordinary skill in the art, no longer describes here.For example, the U.S. Patent application of submitting to referring to the applicant (application attorney docket is EMC08-17 (08182)).
Procedure control unit (PCU) comprises one or more CPU (CPU) and a series of micro-order.Procedure control unit can be carried out said program code according to the instruction of program code on said platform.
Memory management unit (MMU) is used for when the operation process, carrying out the physical memory Access Management Access.If start a process P, then memory management unit makes procedure control unit can utilize the middle address stored information of memory management unit table (MMU table) to visit the physical memory position.I/O memory management unit (IOMMU) makes input-output apparatus can utilize address stored message reference physical memory position in the I/O memory management unit table (IOMMU table).
Software stack in the said computing environment generally includes root and trusts calculating base (RTCB), memory management unit table (MMU table), I/O memory management unit table (IOMMU table), I/O buffer area (IOB), key cache district (KB), protected process (PP) and secure access set of strategies (AP).
It is the maximum software stack of authority in the whole software bag on the computing platform that root is trusted calculating base (RTCB), and it is directly carried out on hardware, can control and carry out each protection step by hook procedure.
For each process P, RTCB can safeguard a memory management unit table (MMU table), its data structure normally P.MT=(P.MT.Self, P.MT.Others).When procedure control unit executive process P, the basic authorization process P of root trust calculating monopolizes and uses the memory management unit table to visit the core position.This core position is set in P.MT as follows: P.MT.Self points to code and the data of process P, and P.MT.Others points to the code and the data of other process that does not belong to process P.
Have the IO equipment D of internal storage access function for each, RTCB can also safeguard an I/O memory management unit table (IOMMU table), and this IOMMU indumentum is expressed as D.IOT.In given interval, RTCB authorizes IO equipment D to monopolize use I/O memory management unit table and visits the core position, and this core position is set in D.IOT.
For each input-output apparatus D, RTCB can also safeguard an I/O buffer area (IOB), stores a plurality of pages in this buffer area.When protected process PP carries out input-output operation, use this buffer area, it is marked as D.IOB.The physical address of D.IOB is stored among the D.IOT.D.IOB can be upgraded by RTCB or IO equipment D.
For each protected process PP, RTCB can maintenance key buffer area (KB), and this key cache district is used to preserve PP.KB.Sys and PP.KB.self.PP.KB.Sys preserves by RTCB control and the key that uses, and promptly RTCB is used for system key that data are encrypted.When for the first time moving process, PP.KB.Sys can generate at random, and when repeatedly moving, this PP.KB.Sys does not generate at random, but from existing file load.PP.KB.self is the process key, and RTCB generally is set as null value to this key, this means if with this key of PP.KB.self, any protection is not done in the input and output of protected process PP.
Protected process (PP) is the software application of request RTCB insulation blocking.For each protected process PP, RTCB can distribute a secure access set of strategies AP to PP, the identity of storage process in this secure access set of strategies AP.In the process of its identity in same " secure access set of strategies ", have can shared memory space attribute.RTCB can safeguard a plurality of secure access set of strategies.General this secure access set of strategies can be divided into these two kinds: (1) each protected process has unique " the secure access set of strategies " that RTCB is provided with; (2), corresponding " secure access set of strategies " is set according to the set membership of process.Wherein, in strategy (2), for example, if a protection process PP has duplicated a subprocess PP, then this subprocess PP belongs to the secure access set of strategies at parent process PP place.
Describe each embodiment referring now to accompanying drawing, wherein in whole accompanying drawing, identical reference marker is used to refer to similar elements.In the following description, for purposes of illustration,, many details have been set forth for the complete understanding to one or more embodiment is provided.Yet, clearly, can not have to realize these embodiment under the situation of these details yet.In other example, for the ease of describing one or more embodiment, known structure and equipment illustrate with the form of block scheme.
The RTCB that utilizes that Fig. 1 shows according to the embodiment of the invention is the overview flow chart of method of the computing environment process isolation protection of protected process.
As shown in Figure 1, at first, in step S110, the protected process of initialization.For example, the secure access set of strategies of the said protected process of initialization makes the identity that only comprises said protected process in the said secure access set of strategies.Here, said identity for example can be Process identifier or other sign that is used for this process of unique identification.Particularly, after process of input, be protected process if hope this process, then need utilize RTCB is protected process PP with this process creation.Then, RTCB is secure access set of strategies of this protected course allocation.In addition, according to this secure access set of strategies, RTCB is the identifier (GID) of this secure access set of strategies of this process creation.In addition, for memory headroom, each page for example, RTCB also safeguards following two kinds of attribute: PAGE_OWNER and REFFERENCE_COUNT.Wherein, PAGE_OWNER shows which secure access set of strategies this page belongs to, and the value of this PAGE_OWNER is the identifier GID of this secure access set of strategies, and its default value for example is-1.And REFFERENCE_COUNT shows the number of times that this page is quoted by the process in the secure access set of strategies, and its default value is 0.
In addition; RTCB is also according to the definition of this protected process PP, is provided with respectively that MMU shows, code, data and the data structure corresponding with this protected process PP among the secure access strategy AP of key cache district KB and this secure access set of strategies, for example; Generate the data structure PP.MT in the MMU table corresponding with this protected process PP; Wherein, and PP.MT=(PP.MT.Self, PP.MT.Others); PP.MT.Self points to code and the data of protected process PP, and PP.MT.Others points to the not code and the data of other process in the secure access set of strategies of protected process PP.At this moment; RTCB is unique Process identifier PID of this course allocation; Preserve the true base address REAL_CR3 of the MMU table of this process PP; And the MMU table shadow_CR3 that creates a vacation for each PP, a storage is by the page mapping of the kernel portion of serving this PP among this false MMU table shadow_CR3.
The result is to utilize RTCB to write down the following relevant information of protected process PP: the ID of (1) protected process PP, and it mainly is to utilize the base address of the MMU table of protected process PP to identify; (2) system key of protected process PP, that is, and the key information among the PP.KB.Sys that above-mentioned RTCB safeguards.This key information can produce when protected process PP moves for the first time at random, and when this protected process is repeatedly moved, from a known file, loads, and can normally move pellucidly to guarantee protected process PP; (3) the secure access set of strategies of protected process PP; (4) how many pages the memory headroom that takies of protected process PP has for example taken, and it is represented by a field.
Wherein, the definition of secure access set of strategies is configurable, and two kinds of strategies below it adopts usually: (1) each PP belongs to an independent secure access set of strategies; (2) according to the set membership of process, it is the secure access set of strategies of subprocess PP that the secure access set of strategies of parent process PP is confirmed as.For example, if a process PP has duplicated a subprocess, then the secure access set of strategies of this parent process PP be the secure access set of strategies of duplicated subprocess.
Then, in step S120, utilize the secure access set of strategies to come the dynamic calculation environment of said protected process is controlled, used by illegal to prevent said dynamic environment.About utilizing the secure access set of strategies to come to be described in detail with reference to Fig. 2 below to the process that the dynamic calculation environment of said protected process is controlled.
Subsequently, in step S130, the use of monitoring memory management unit (MMU) is carried out insulation blocking to the memory headroom of said protected process.About the use of monitoring memory management unit (MMU), the detailed process of the memory headroom of said protected process being carried out insulation blocking will be described in detail to Fig. 6 with reference to Fig. 3 below.
In addition, in step S140, the use of monitoring I/O memory management unit (IOMMU), the interactive operation between protected process that peripherals is carried out through IOMMU and said is controlled.About the use of monitoring I/O memory management unit (IOMMU), the detailed process that the interactive operation between protected process that peripherals is carried out through IOMMU and said is controlled will be described in detail with reference to Fig. 7 and Fig. 8 below.
After the computing environment of protected process was carried out above-mentioned isolation, protected process can be carried out computing in the isolation Calculation environment, thereby can prevent to receive illegal invasion.
Fig. 2 shows the process flow diagram according to the process of the identity of in the secure access set of strategies of protected process, adding another process of the embodiment of the invention.
As shown in Figure 2; When said protected process requires in its secure access set of strategies, to add the identity of another other process; At first; In step S210, the identity of this another other process is added in the secure access set of strategies of said protected process, and the identity of this other process is added in the secure access set of strategies of the employed memory headroom of said protected process.For example, if before the process of carrying out 2 is added, the secure access set of strategies of protected process 1 is { identity of process 1 }; The secure access set of strategies of employed memory headroom is { identity of process 1 }; Then after adding, the secure access set of strategies of protected process 1 becomes { identity of process 1, the identity of process 2 }; The secure access set of strategies of employed memory headroom is { identity of process 1, the identity of process 2 }.
Then, in step S220, the secure access set of strategies of this other process and the employed secure access set of strategies of this other process are set to identical with the secure access set of strategies of said protected process.For example, under the situation of above-mentioned example, the secure access set of strategies of process 2 is set to { identity of process 1, the identity of process 2 }, and the secure access set of strategies of process 2 employed memory headrooms is set to { identity of process 1, the identity of process 2 }.
To specifically describe the use about monitoring memory management unit (MMU), the detailed process of the memory headroom of said protected process being carried out insulation blocking to Fig. 6 with reference to Fig. 3 below.
The process flow diagram of the process of the processing that the MMU monitoring unit carried out when Fig. 3 showed according to the new memory headroom of any process requirement distribution of the embodiment of the invention.
As shown in Figure 3, at first, in step S310, when any process requires to distribute a new memory headroom, only do not have the new memory headroom of secure access set of strategies for one of this course allocation.
Then, in step S320, judge whether this any process is a protected process.If this any process is protected process, then proceed to step S330.Otherwise flow process finishes.
In step S330, the secure access set of strategies of this new memory headroom is set to the secure access set of strategies as this any process of protected process.
Then, in step S340, cancel other process is distributed to the memory headroom of this any process use through the MMU visit authority.Particularly, for the memory headroom that distributes of ask, page PA for example, the MMU table of all the process Qs of RTCB traversal outside the secure access set of strategies of this any process obtains those processes Q that has used this page PA.Then, the mapping of RTCB deletion memory headroom in the MMU of said process Q table, thus forbid that other process distributes to the memory headroom that this any process is used through the MMU visit.
Then, in step S350, notice IOMMU does not allow the memory headroom of any peripherals through this protected process of IOMMU visit.Then, flow process finishes.
Fig. 4 shows the process flow diagram of the process of the memory headroom that uses according to the protected process of the release of the embodiment of the invention.
As shown in Figure 4, when said protected process requires to discharge a memory headroom, at first, in step S410, the identity of said protected process is deleted from the secure access set of strategies of this memory headroom that will discharge.
Then, in step S420, judge whether the secure access set of strategies of this memory headroom is empty set.When the secure access set of strategies of this memory headroom was empty set, flow process proceeded to step S430.Otherwise flow process finishes.
In step S430, wipe all information that in this memory headroom, write down.Then, in step S440, remove the secure access set of strategies of this memory headroom, that is to say, make this memory headroom have the secure access set of strategies no longer, thereby recover the authority of all other processes through this memory headroom of MMU visit.In addition, after the authority of all other processes of recovery, can also comprise from all information of RTCB deletion memory headroom through this page of MMU visit.Particularly, deletion is corresponding to this memory headroom, the information of for example PA of page PA number, PP.ID, process Q and/or IO equipment D.
In addition, preferably, can also in step S450, judge whether the memory headroom that said protected process requires to discharge is its employed last memory headroom.If last memory headroom then proceeds to step S460.Otherwise flow process finishes.
Here be noted that and judge whether the memory headroom that said protected process requires to discharge is that employed last memory headroom of this protected process can adopt multiple mode to realize.For example, can at first the employed memory headroom number of the protected process that requires the releasing memory space be subtracted 1, judge then whether the employed memory headroom number that subtracts after 1 is 0.If this value is 0, the memory headroom that then is judged as this requirement release is employed last memory headroom of this protected process.Otherwise then being judged as this memory headroom that will discharge is not employed last memory headroom of this protected process.In addition; Whether the memory headroom number that can also directly judge the current use of protected process that this requires the releasing memory space is 1; At presently used memory headroom number is 1 o'clock, and the memory headroom that is judged as this requirement release is employed last memory headroom of this protected process.Whether the memory headroom that perhaps, can also adopt other known manner to be judged as this requirement release is employed last memory headroom of this protected process.
In step S460, remove the secure access set of strategies of this protected process, just, this protected process of making is had the secure access set of strategies no longer.Then, in step S470, stop said protected process, that is, make that this process no longer is protected process.
Fig. 5 shows the process flow diagram about the process of the operation of MMU table that other process is carried out according to the MMU monitoring unit of the embodiment of the invention.
As shown in Figure 5, at first, in step S510, forbid that other process loads the MMU table of protected process.That is to say, forbid utilizing the information in the MMU table of protected process to replace the MMU table of other process.
Then, preferably, can judge in step S520 whether this other process is whether kernel process and this protected process are absorbed in this other process.Be absorbed in this other process if this other process is kernel process and this protected process, then flow process proceeds to step S530.Otherwise flow process finishes.
In step S530, load the pseudo-MMU table that only contains kernel information for this other process, should conduct interviews by puppet MMU table thereby make this other process to utilize.That is to say, can utilize with the MMU of protected process table in the different information of information replace the information in the MMU table of this other process, utilize information in the MMU table to visit the memory headroom of this protected process to forbid this other process.The base address shadow_CR3 of the page table of the vacation that for example, RTCB will this protected process PP (that is the MMU table that, has only a kernel spacing mapping) is loaded among the MMU of process Q.And, allow this other process to utilize the base address shadow_CR3 of this vacation page table to conduct interviews.
This be because; When the process Q that can visit this memory headroom that is obtained is that kernel process and this protected process are when being absorbed in this process Q; That is to say, when this protected process is absorbed in kernel process, because said process Q is a kernel process; When protected process PP was absorbed in kernel requests system call service, the page table that MMU loaded of this process Q can not change.In this case, when PCU when protected process PP switches to process Q, the base address shadow_CR3 (that is the MMU table that, has only a kernel spacing mapping) of the page table of the vacation that RTCB will this protected process PP is loaded among the MMU of process Q.Like this, when process Q call operation was loaded into the MMU table with new page table, because this page table is not the true page table of protected process, thereby the aforesaid operations of process Q was rejected.Thus, process Q can not visit the memory headroom of distributing to protected process PP.In addition, luggage carries the base address real_CR3 of the true page table of protected process if Q is eager to excel, and can be intercepted and captured and refuse this operation by RTCB.At last, when PCU when process Q turns back to protected process PP, the MMU of memory headroom (for example, page) can be replaced by the true MMU table of protected process PP oneself.In this manner, can forbid distributing to the memory headroom of protected process PP as the process Q visit of kernel process.
Fig. 6 shows the process flow diagram according to the process of the operation that the MMU monitoring unit carries out when other process is visited the memory headroom of protected process of the embodiment of the invention.
As shown in Figure 6, at first, in step S610, judge whether this other process is a protected process.If protected process then proceeds to step S620.Otherwise, proceed to step S640, in step S640, stop this other this memory headroom of process visit, flow process finishes.
In step S620, judge that this other process is whether in the secure access set of strategies of protected process.Whether the identity that for example, can check this other process is in the secure access set of strategies of this protected process.When being judged as in the secure access set of strategies, then proceed to step S620, allow the memory headroom of this other this protected process of process visit.Otherwise, in step S640, stop the memory headroom of this other this protected process of process visit.
The use IOMMU that Fig. 7 shows according to the embodiment of the invention comes the process flow diagram to the process of communication program control between peripherals and said protected process.
As shown in Figure 7, at first, in step S710, at any time, forbid that all any peripherals visits the memory headroom of the computing environment of this protected process through IOMMU.For example; When utilizing MMU is after said protected process becomes memory headroom of the distribution of work; Notice IOMMU upgrades the IOMMU table of any peripherals, to cancel and the authority of any peripherals of permanent ban through the newly assigned memory headroom of the said protected process of IOMMU table access.
In addition, need carry out IO when mutual with peripherals, then in step S720, allow this peripherals to use the IOMMU table to visit the IO buffer area of said protected process in said protected process.
Fig. 8 shows and carries out the process flow diagram of an example that IO carries out the process of input and output control when mutual according to the embodiment of the invention at needs and peripherals.
Carry out after computing environment isolates in protected process, to carry out input and output mutual with the peripherals of for example IO equipment if desired, then as shown in Figure 8, at first, in step S810, judges that said protected process is to carry out read operation or write operation.
In step S810, be judged as in the time of will carrying out read operation, promptly when exterior I O equipment read information, flow process proceeded to step S820.In step S810, be judged as in the time of will carrying out write operation, promptly when outside IO equipment writing information, flow process proceeds to step S850.
In step S820, the information stores that will read through exterior I O equipment is in IO buffer area corresponding with this exterior I O equipment and that in the IOMMU table, be provided with.Then, flow process proceeds to step S830.
In step S830, utilize the key that is provided with in the key set of strategies of protected process that the information of buffer memory in said IO buffer area is carried out imported password conversion.Wherein, the key that in the key set of strategies, is provided with can be process key or system key.Said process key for example is the key that is used by process control, that is, and and the P.KB.self that stores in the key cache district.Said system key for example is the key that is used by RTCN control, that is, and and the P.KB.sys that stores in the key cache district.Here, said imported password conversion for example can be a decrypting process etc.Then, flow process proceeds to step S840.
In step S840, will pass through information stores after the conversion of imported password in the input-buffer district of said protected process, use for said protected process.
When being judged as at step S810 will carry out write operation the time; In step S850; Be utilized in the key that is provided with in the key set of strategies of protected process, the information that will output to exterior I O equipment in the output buffers district that is stored in said protected process is carried out the conversion of output type password.Wherein, the key that in the key set of strategies, is provided with can be process key or system key.Said process key for example is the key that is used by process control, that is, and and the PP.KB.self that stores in the key cache district.Said system key for example is the key that is used by RTCB control, that is, and and the PP.KB.sys that stores in the key cache district.Here, said output type password conversion for example can be a ciphering process etc.Then, flow process proceeds to step S860.
In step S860, will pass through content stores after the output type password conversion in IO buffer area corresponding with this exterior I O equipment and setting in the IOMMU table.Then, in step S870, will pass through content after the output type password conversion from outputing to this exterior I O equipment with the corresponding IO buffer area of this exterior I O equipment.
Here be noted that in the process that reads or write content information can confirm to be to use the process key based on the Password Policy collection of using still is the using system key.
As above the method that the RTCB of utilization according to the present invention comes to carry out for the computing environment of protected process insulation blocking has been described with reference to Fig. 1-Fig. 8.Above-mentioned use RTCB of the present invention comes to carry out for the computing environment of protected process the method for insulation blocking, can adopt software to realize, also can adopt hardware to realize, or adopts the mode of software and hardware combination to realize.
The RTCB that utilizes that Fig. 9 shows according to the embodiment of the invention carries out the block diagram of the computing environment shielding system 900 of insulation blocking to protected process computing environment.
As shown in Figure 9, said system 900 comprises initialization unit 910, dynamic calculation environmental protection unit 920, MMU monitoring unit 930 and IOMMU monitoring unit 940.
In when operation, initialization unit 910 is the secure access set of strategies of the said protected process of beginningization at first, makes the identity that only comprises said protected process in the said secure access set of strategies.For example, after process of input, be protected process if hope this process, then need utilize RTCB is protected process PP with this process creation.Then, RTCB is the identifier (GID) of this protected course allocation secure access set of strategies, and has write down the following relevant information of protected process PP: the ID of (1) protected process PP, and it mainly is to utilize the base address of the MMU table of protected process PP to represent; (2) system key of protected process PP; Promptly; Key information among the PP.KB.Sys that above-mentioned RTCB safeguards, this key information can produce when protected process PP moves for the first time at random, and when this protected process is repeatedly moved; From a known file, load, can normally move pellucidly to guarantee protected process PP; (3) the secure access set of strategies of protected process PP; (4) how many pages the memory headroom that takies of protected process PP has for example taken, and it is represented by a field.
Then, dynamic calculation environmental protection unit 920 uses the secure access set of strategies of protected process to come the dynamic calculation environment of said protected process is controlled, and is used by illegal to prevent said dynamic calculation environment.
Memory management unit (MMU) managing process is to the access rights of the memory headroom of the computing environment of said protected process; And input and output memory management unit (IOMMU) management input and output (IO) equipment is to the access rights of the memory headroom of the computing environment of said protected process.
MMU monitoring unit 930 is used to monitor the use of memory management unit (MMU), and the memory headroom of the computing environment of this protected process is carried out insulation blocking.
IOMMU monitoring unit 940 is used to monitor the use of I/O memory management unit (IOMMU), and insulation blocking is carried out in the interactive operation between protected process that peripherals is carried out through IOMMU and said.
Figure 10 shows the block diagram according to the dynamic calculation environmental protection unit 1000 of the embodiment of the invention.Shown in figure 10, dynamic calculation environmental protection unit 1000 comprises that secure access set of strategies adding device 1010 and secure access set of strategies are provided with unit 1020.
When said protected process requires in its secure access set of strategies, to add the identity of another other process; Secure access set of strategies adding device 1010 adds the identity of this other process in the secure access set of strategies of said protected process to, and the identity of this other process is added in the secure access set of strategies of the employed memory headroom of said protected process.
The secure access set of strategies is provided with the secure access set of strategies of unit 1020 these other processes and the secure access set of strategies of the employed memory headroom of this other process is set to identical with the secure access set of strategies of said protected process.
Figure 11 shows the block diagram according to the MMU monitoring unit 1100 of the embodiment of the invention.
Shown in figure 11, said MMU monitoring unit 1100 can comprise memory headroom allocation units 1110 and memory headroom deletion 1120.When any process required to distribute a new memory headroom, memory headroom allocation units 1010 did not only have the new memory headroom of secure access set of strategies for one of this course allocation.When said protected process requires memory headroom of deletion, memory headroom delete cells 1120 these memory headrooms of deletion.
In addition, in one or more embodiments, said memory headroom allocation units 1110 can also comprise that the secure access set of strategies is provided with unit 1111, cancels unit 1112 and notification unit 1113.When this any process was protected process, the secure access set of strategies that the secure access set of strategies is provided with unit 1111 these new memory headrooms was set to the secure access set of strategies as this any process of protected process.Then, cancel unit 1112 and cancel the authority of other process through the employed memory headroom of MMU this any process of visit.For example, for the memory headroom that distributes of ask, page PA for example, the MMU table of all the process Qs of RTCB traversal outside the secure access set of strategies of this any process obtains those processes Q that has used this page PA.Then, the mapping of RTCB deletion memory headroom in the MMU of said process Q table, thus forbid that other process distributes to the memory headroom that this any process is used through the MMU visit.
After cancelling the access rights of all other processes, notification unit 1113 notice IOMMU do not allow the memory headroom of any this protected process of peripheral access.
In addition, in one or more embodiments, said memory headroom delete cells 1120 can also comprise identity delete cells 1121, information erasing unit 1122 and secure access set of strategies removing unit 1123.
When said protected process required to discharge a memory headroom, identity delete cells 1121 was deleted the identity of said protected process from the secure access set of strategies of this memory headroom.
When the secure access set of strategies of this memory headroom was sky, all information that write down in this memory headroom were wiped in information erasing unit 1122.And the secure access set of strategies is removed the secure access set of strategies that this memory headroom is removed in unit 1123.In addition, when memory headroom that said protected process discharged was last memory headroom, the secure access set of strategies was removed the secure access set of strategies that protected process is also removed in unit 1123.In this case, said system can also comprise the termination unit, is used to stop said protected process.
In addition, in one or more embodiments, said MMU monitoring unit 1100 can also comprise that MMU shows loading and forbids unit 1130, is used to forbid the MMU table of this other this protected process of process loading.That is to say, forbid utilizing the information in the MMU table of protected process to replace the MMU table of other process.
In addition; In one or more embodiments, said MMU monitoring unit can also comprise pseudo-MMU table load units 1140, and being used for working as this other process is kernel; And when this protected process is absorbed in this other process, load the pseudo-MMU table that only contains the kernel memory information for this other process.
In addition; In one or more embodiments; Said MMU monitoring unit can also comprise MMU access control unit 1150; If other process that is used for when pre-treatment is a protected process, and this other process is in the secure access set of strategies of the memory headroom of said protected process, and other process that then allows to deserve pre-treatment is visited the memory headroom of said protected process through MMU; Otherwise, stop other process of deserving pre-treatment to visit the memory headroom of said protected process through MMU.
Figure 12 shows the block diagram according to the IOMMU monitoring unit 1200 of the embodiment of the invention.As shown in Figure 12, IOMMU monitoring unit 1200 comprises that memory headroom visit forbids unit 1210 and IO interaction process unit 1220.
The memory headroom visit forbids that unit 1210 is used to forbid that any peripherals visits the memory headroom of the computing environment of said protected process through IOMMU.IO interaction process unit 1220 is used for need carrying out IO when mutual with peripherals in said protected process, allows this peripherals to use the IOMMU said protected process of showing to cooperate to accomplish the IO operation.
Figure 13 is the block diagram according to the IO interaction process unit 1220 in the IOMMU monitoring unit 1200 shown in Figure 12 of the embodiment of the invention.Shown in figure 12, IO interaction process unit 1220 can comprise I/O type password converting unit 1221 and IO buffer area 1222.
I/O type password converting unit 1221 is used for equipment is to the periphery write or exports/imported password conversion from the information that peripherals reads.IO buffer area 1222 is used to store the information that equipment to the periphery writes or read from peripherals, and writes information to peripherals or read from peripherals.
When equipment writing information to the periphery, be utilized in the key that is provided with in the key set of strategies of this protected process, the information that 1221 pairs of said protected processes of I/O type password converting unit will output to peripherals is carried out the conversion of output type password; To pass through information stores after the output type password conversion in IO buffer area 1222 corresponding with this peripherals and setting in the IOMMU table, and the information that will be stored in the said IO buffer area 1222 outputs to this peripherals.
When peripherals reads information, the information stores that will read through this exterior I O equipment is in IO buffer area 1222 corresponding with this peripherals and that in the IOMMU table, be provided with.Then, I/O type password converting unit 1221 is utilized and the key that in the key set of strategies of this protected process, is provided with, and the information of buffer memory in said IO buffer area 1222 is carried out imported password conversion; And will pass through information stores after the conversion of imported password in the input-buffer district of said protected process, use for said protected process.
In addition, preferably, said IO interaction process unit 1220 can also comprise key selected cell 1223, is used in said process at output or input information, and confirming to be to use the process key based on the Password Policy collection of using still is the using system key.
Method and system according to this example; Can be when protected process be calculated; To the memory headroom of distributing to protected process; Cancel all other processes of distributing this memory headroom of use and visit the authority of this memory headroom and/or forbid any this page of IO device access, thereby the memory headroom that has guaranteed protected process PP all can not be realized real safety isolation by other process Q and any IO device access thus through MMU.Here other processes of mentioning are meant the process of not concentrating in protected process secure access.
In addition; Utilization is the method that the computing environment of protected process is isolated according to the RTCB that utilizes of the embodiment of the invention; Can prevent to reveal the content information in the memory headroom of protected process PP; And when protected process PP runs abort, discharge the shared memory headroom of this protected process PP, thereby make these pages being used by other process Q and any IO equipment D again sometime.
In addition, utilize method and system, can prevent the information leakage that is input to protected process PP and when protected process PP outputs to exterior I O equipment, causes from exterior I O equipment according to the embodiment of the invention.
As above describing according to the RTCB of utilization of the present invention referring to figs. 1 through Figure 13 with the mode of example is the method and system that the computing environment of protected process is carried out insulation blocking.
But those skilled in the art should be understood that, can use the code of being carried out by computer processor to realize according to technology described herein.For example; Embodiment can use following code to realize the technology here; Wherein said code is carried out by the processor of data-storage system on any computer-readable medium, and said computer-readable medium has multiple multi-form any, comprises volatibility and non-volatile, removable and non-removable medium; Said code is with any method or technology realization, for example computer-readable instruction, data structure, program module or other data of information stores.Computer-readable storage medium includes but not limited to RAM, ROM, EEPROM, flash memory or other memory technologies, CD-ROM, DVD or other optical memory, tape, magnetic holder, disk storage or other magnetic storage apparatus, perhaps can be used for storing expectation information and can be by any other medium of data-storage system processor access.
It being understood that embodiment described herein can adopt hardware, software, firmware, middleware, microcode or above-mentioned combination to realize.Realize that for hardware processing unit can be realized in one or more following parts: special IC (ASIC), digital signal processing (DSP), digital signal processing appts (DSPD), programmable logic device (PLD), field programmable gate array (FPGA), processor, controller, microcontroller, microprocessor, be designed and carry out here other electronic unit of described function or the combination of above-mentioned parts.
When said embodiment realized with software, firmware, middleware or microcode, program code or code segment, they can be stored in the machine readable media, in memory module.Code segment can be represented any combination of process, function, subroutine, program, routine, subroutine, module, software package, class or instruction, data structure or program statement.A code segment can be coupled to another code segment or hardware circuit through transmitting and/or reception information, data, independent variable, parameter or memory content.Information, independent variable, parameter, data etc. can be via any suitable mechanism transmission, forwarding or transmissions, and said any suitable mechanism comprises memory sharing, message transmission, token transmission, Network Transmission etc.
Realize that for software technology described herein can utilize the module (for example, process, function etc.) of carrying out function as herein described to realize.Said software code can be stored in the memory cell, and is carried out by processor.Said memory cell can be in the inner or outside realization of said processor, and under the situation about externally realizing, said memory cell can be coupled to said processor communicatedly through various means as known in the art.
Persons of ordinary skill in the art will recognize that and to use any in the multiple different technologies to come representative information and signal.For example, data, instruction, order, information, signal, bit, symbol and the chip quoted in the top instructions can be represented with voltage, electric current, electromagnetic wave, magnetic field or particle, light field or particle or their combination in any.
In addition, persons of ordinary skill in the art will recognize that the various exemplary logical block, module, circuit and the algorithm steps that combine embodiment disclosed herein to describe may be implemented as electronic hardware, computer software or the combination of the two.For the transformational each other of clear diagram hardware and software, various exemplary assembly, piece, module, circuit and step broadly are described with regard to its function at preceding text.These functions are implemented as the design limit that hardware or software depend on concrete application and total system.Experienced technician can realize function described herein in many ways to each concrete application, but these are implemented decision and should not be understood that to cause departing from the scope of the embodiment of the invention.
Various exemplary logical block, module and the circuit described in conjunction with embodiment disclosed herein may be implemented as general processor, digital signal processor (DSP), special IC (ASIC), field programmable gate array (FPGA) or other PLDs, discrete gate or transistor logic, discrete hardware components or their any combination that is designed to carry out function described herein, perhaps carry out with above-mentioned form.Can also use the combination (for example, the combination of DSP and microprocessor, a plurality of microprocessor or any other such configuration) of computing equipment to realize logic.
The software module that method, sequence and/or the algorithm of describing in conjunction with embodiment disclosed herein can be directly carried out with hardware, by processor or the form realization of the two combination.Software module can reside in RAM storer, flash memory, ROM storer, eprom memory, eeprom memory, register, hard disk, removable dish, CD-ROM, or the storage medium of any other form well known in the art in.Exemplary storage medium is coupled in the processor, makes that processor can be from read information, and to the storage medium writing information.In replacement scheme, storage medium can be integrated into processor.Processor and storage medium can reside among the ASIC.
Although the disclosed content in front shows exemplary embodiment of the present invention, should be noted that under the prerequisite of the scope of the present invention that does not deviate from the claim qualification, can carry out multiple change and modification.Function, step and/or action according to the claim to a method of inventive embodiments described herein do not need to carry out with any particular order.In addition, although element of the present invention can be with individual formal description or requirement, also it is contemplated that a plurality of, only if clearly be restricted to odd number.
Although the preferred embodiment that has combined to be shown specifically and to describe discloses the present invention; But those skilled in the art are to be understood that; For the method and system that utilizes RTCB that the computing environment of protected process is carried out insulation blocking that the invention described above proposed, can also on the basis that does not break away from content of the present invention, make various improvement.Therefore, protection scope of the present invention should be confirmed by the content of appending claims.
Claims (27)
1. one kind is utilized root to trust the method that calculating base (RTCB) comes the computing environment of protected process is carried out insulation blocking, comprising:
The protected process of initialization;
Dynamic calculation environment to said protected process is controlled, and is used by illegal to prevent said dynamic calculation environment;
The use of monitoring memory management unit (MMU) is carried out insulation blocking to the memory headroom of said protected process; And
The use of monitoring I/O memory management unit (IOMMU), the interactive operation between protected process that peripherals is carried out through IOMMU and said is controlled.
2. the method for claim 1, wherein the step of the protected process of initialization also comprises:
The secure access set of strategies of the said protected process of initialization makes the identity that only comprises said protected process in the said secure access set of strategies.
3. the method for claim 1, wherein control the dynamic calculation environment of said protected process, also comprised by the illegal step of using to prevent said dynamic calculation environment:
When said protected process requires in its secure access set of strategies, to add the identity of another other process; The identity of this other process is added in the secure access set of strategies of said protected process, and the identity of this other process is added in the secure access set of strategies of the employed memory headroom of said protected process; And
The secure access set of strategies of the secure access set of strategies of this other process and the employed memory headroom of this other process is set to identical with the secure access set of strategies of said protected process.
4. the method for claim 1, wherein monitor the use of memory management unit (MMU), the step of the memory headroom of said protected process being carried out insulation blocking also comprises:
When any process requires to distribute a new memory headroom, only do not have the new memory headroom of secure access set of strategies for one of this course allocation.
5. method as claimed in claim 4 also comprises:
When this any process was protected process, the secure access set of strategies of this new memory headroom was set to the secure access set of strategies as this any process of protected process;
Cancel the authority of other process through the employed memory headroom of MMU this protected process of visit; And
Notice IOMMU does not allow the memory headroom of any this protected process of peripheral access.
6. the method for claim 1, wherein monitor the use of memory management unit (MMU), the step of the memory headroom of said protected process being carried out insulation blocking also comprises:
When said protected process requires to discharge a memory headroom,
The identity of said protected process is deleted from the secure access set of strategies of this memory headroom;
When the secure access set of strategies of this memory headroom is sky, wipe all information that write down in this memory headroom; And
Remove the secure access set of strategies of this memory headroom.
7. method as claimed in claim 6 also comprises:
When memory headroom that said protected process discharged is its employed last memory headroom, removes the secure access set of strategies of said protected process, and stop said protected process.
8. the method for claim 1, wherein monitor the use of memory management unit (MMU), the step of the memory headroom of said protected process being carried out insulation blocking also comprises:
The MMU table of forbidding this other this protection process of process loading.
9. method as claimed in claim 8 also comprises:
When this other process is a kernel, and this protected process is loaded the pseudo-MMU table that only contains the kernel memory information when being absorbed in this other process for this other process.
10. the method for claim 1, wherein monitor the use of memory management unit (MMU), the step of the memory headroom of said protected process being carried out insulation blocking also comprises:
If when other process of pre-treatment is a protected process; And the identity of this other process is in the secure access set of strategies of the memory headroom of said protected process, and other process that then allows to deserve pre-treatment is visited the memory headroom of said protected process through MMU;
Otherwise, stop other process of deserving pre-treatment to visit the memory headroom of said protected process through MMU.
11. the method for claim 1, wherein using interactive operation between that I/O memory management unit (IOMMU) comes any peripherals is carried out through IOMMU and said protected process to control comprises:
Forbid that any peripherals visits the memory headroom of the computing environment of said protected process through IOMMU; And
Need carry out IO when mutual with peripherals in said protected process, allow this peripherals to use the IOMMU said protected process of showing to cooperate to accomplish the IO operation.
12. method as claimed in claim 11 wherein, forbids that all peripherals visit the computing environment of said protected process through IOMMU the step of memory headroom also comprises:
When utilizing MMU is after said protected process becomes memory headroom of the distribution of work; Notice IOMMU upgrades the IOMMU table of any peripherals, to cancel and the authority of any peripherals of permanent ban through the newly assigned memory headroom of the said protected process of IOMMU table access.
13. method as claimed in claim 11 wherein, need be carried out IO when mutual with peripherals in said protected process, step that said protected process accomplishes the IO operation also comprises to allow this peripherals to use IOMMU to show to cooperate:
Need be when peripherals input to the memory headroom of computing environment of this protected process in said protected process with information,
With the information stores of this peripherals input in IO buffer area corresponding with this peripherals and setting in the IOMMU table;
Utilize the key that is provided with in the key set of strategies of this protected process, the information of buffer memory in this said IO buffer area is carried out imported password conversion; And
To pass through information stores after the conversion of imported password in the input-buffer district of the employed memory headroom of said protected process, use for said protected process.
14. method as claimed in claim 11 wherein, need be carried out IO when mutual with peripherals in said protected process, step that said protected process accomplishes the IO operation also comprises to allow this peripherals to use IOMMU to show to cooperate:
When this protected process needs to the periphery equipment output information,
The key that utilizes the Password Policy of this protected process concentrate to be provided with carries out the conversion of output type password to the information that said protected process institute will export;
To pass through information stores after the output type password conversion in IO buffer area corresponding with this peripherals and setting in the IOMMU table;
The content information that is stored in the said IO buffer area is outputed to this peripherals.
15. like claim 13 or 14 described methods, wherein, it is process key or system key that said Password Policy in this protected process is concentrated the key that is provided with.
16. one kind is utilized root to trust calculating base (RTCB) and comes the computing environment of protected process is carried out the system of insulation blocking, comprising:
Initialization unit is used for the secure access set of strategies of the protected process of initialization, makes this secure access set of strategies only comprise the identity of this protected process;
Dynamic calculation environmental protection unit is used for the dynamic calculation environment of said protected process is controlled, and is used by illegal to prevent said dynamic calculation environment;
Memory management unit (MMU) monitoring unit is used to monitor the use of MMU, and the memory headroom of said protected process is carried out insulation blocking; And
Input and output memory management unit (IOMMU) monitoring unit is used to monitor the use of IOMMU, and the interactive operation between protected process that peripherals is carried out through IOMMU and said is controlled.
17. system as claimed in claim 16, wherein, said dynamic calculation environmental protection unit also comprises:
Secure access set of strategies adding device; Be used for requiring when its secure access set of strategies adds the identity of another other process when said protected process; The identity of this other process is added in the secure access set of strategies of said protected process, and the identity of this other process is added in the secure access set of strategies of the employed memory headroom of said protected process; And
The secure access set of strategies is provided with the unit, is used for the secure access set of strategies of this other process and the secure access set of strategies of the employed memory headroom of this other process and is set to identical with the secure access set of strategies of said protected process.
18. system as claimed in claim 16, wherein, said MMU monitoring unit also comprises:
The memory headroom allocation units are used for when any process requires to distribute a new memory headroom, only do not have the new memory headroom of secure access set of strategies for one of this course allocation; And
The memory headroom delete cells is used for when said protected process requires memory headroom of deletion, deleting this memory headroom.
19. system as claimed in claim 18, wherein, said memory headroom allocation units also comprise:
The secure access set of strategies is provided with the unit, is used for when this any process is protected process, and the secure access set of strategies of this new memory headroom is set to the secure access set of strategies as this any process of protected process;
Cancel the unit, be used to cancel the authority of other process through the employed memory headroom of MMU this protected process of visit; And
Notification unit is used to notify IOMMU not allow the memory headroom of any this protected process of peripheral access.
20. the system of claim 1, wherein, said memory headroom delete cells also comprises:
The identity delete cells is used for when said protected process requires to discharge a memory headroom, the identity of said protected process being deleted from the secure access set of strategies of this memory headroom;
The information erasing unit is used for when the secure access set of strategies of this memory headroom is sky, wiping all information that write down in this memory headroom; And
The secure access set of strategies is removed the unit, is used to remove the secure access set of strategies of this memory headroom.
21. system as claimed in claim 20; Wherein, when memory headroom that said protected process discharged was its employed last memory headroom, said secure access set of strategies was removed the secure access set of strategies that said protected process is removed in the unit; And said system also comprises:
Stop the unit, be used to stop said protected process.
22. system as claimed in claim 16, wherein, said MMU monitoring unit also comprises:
The MMU table loads forbids the unit, is used to forbid the MMU table of this other this protected process of process loading.
23. the system of claim 22, wherein, said MMU monitoring unit also comprises:
Pseudo-MMU table load units, be used for when this other process be kernel, and this protected process is loaded the pseudo-MMU that only contains the kernel memory information for this other process and is shown when being absorbed in this other process.
24. system as claimed in claim 16, wherein, said MMU monitoring unit also comprises:
The MMU access control unit; If other process that is used for when pre-treatment is a protected process; And this other process is in the secure access set of strategies of the memory headroom of said protected process, and other process that then allows to deserve pre-treatment is visited the memory headroom of said protected process through MMU; Otherwise, stop other process of deserving pre-treatment to visit the memory headroom of said protected process through MMU.
25. system as claimed in claim 16, wherein, said IOMMU monitoring unit comprises:
The unit is forbidden in the memory headroom visit, is used to forbid that any peripherals visits the memory headroom of the computing environment of said protected process through IOMMU; And
IO interaction process unit is used for need carrying out IO when mutual with peripherals in said protected process, allows this peripherals to use the IOMMU said protected process of showing to cooperate to accomplish the IO operation.
26. system as claimed in claim 25, wherein, IO interaction process unit also comprises:
I/O type password converting unit is used for equipment is to the periphery write or exports/imported password conversion from the information that peripherals reads;
The IO buffer area is used to store the information that equipment to the periphery writes or read from peripherals, and writes information to peripherals or read from peripherals,
Wherein, when equipment writing information to the periphery, be utilized in the key that is provided with in the key set of strategies of this protected process, the information that will output to peripherals to said protected process is carried out the conversion of output type password; To pass through information stores after the output type password conversion in IO buffer area corresponding with this peripherals and setting in the IOMMU table, and the information that will be stored in the said IO buffer area outputs to this peripherals, and
When peripherals reads information, the information stores that will read through this exterior I O equipment is in IO buffer area corresponding with this peripherals and that in the IOMMU table, be provided with; Utilize and the key that in the key set of strategies of this protected process, is provided with, the information of buffer memory in said IO buffer area is carried out imported password conversion; And will pass through information stores after the conversion of imported password in the input-buffer district of said protected process, use for said protected process.
27. system as claimed in claim 26, wherein, it is process key or system key that said Password Policy in this protected process is concentrated the key that is provided with.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2010102623831A CN102375947A (en) | 2010-08-16 | 2010-08-25 | Method and system for isolating computing environment |
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010254194 | 2010-08-16 | ||
| CN201010254194.X | 2010-08-16 | ||
| CN2010102623831A CN102375947A (en) | 2010-08-16 | 2010-08-25 | Method and system for isolating computing environment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN102375947A true CN102375947A (en) | 2012-03-14 |
Family
ID=45794541
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2010102623831A Pending CN102375947A (en) | 2010-08-16 | 2010-08-25 | Method and system for isolating computing environment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102375947A (en) |
Cited By (17)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102880815A (en) * | 2012-08-21 | 2013-01-16 | 上海华御信息技术有限公司 | Application program temporary storage space-based protection method and system |
| CN103488588A (en) * | 2013-10-09 | 2014-01-01 | 中国科学院计算技术研究所 | Memory protection method and system and network interface controller |
| CN104508641A (en) * | 2012-08-02 | 2015-04-08 | 高通股份有限公司 | Multiple sets of attribute fields within a single page table entry |
| CN105760233A (en) * | 2016-02-24 | 2016-07-13 | 北京金山安全软件有限公司 | Process processing method and device |
| CN104508641B (en) * | 2012-08-02 | 2016-11-30 | 高通股份有限公司 | Many groups attribute field in single page table entry |
| CN106485159A (en) * | 2015-08-28 | 2017-03-08 | 腾讯科技(深圳)有限公司 | network security storage method and device |
| CN106778291A (en) * | 2016-11-22 | 2017-05-31 | 北京奇虎科技有限公司 | The partition method and isolating device of application program |
| CN107562515A (en) * | 2017-08-04 | 2018-01-09 | 致象尔微电子科技(上海)有限公司 | A kind of method of the managing internal memory in virtualization technology |
| CN108073441A (en) * | 2016-11-14 | 2018-05-25 | 阿里巴巴集团控股有限公司 | A kind of virutal machine memory monitoring and managing method and equipment |
| TWI648649B (en) * | 2013-09-12 | 2019-01-21 | 波音公司 | Mobile communication device and method of operating same |
| CN109426742A (en) * | 2017-08-23 | 2019-03-05 | 深圳市中兴微电子技术有限公司 | A kind of secure memory dynamic management system and method based on credible performing environment |
| WO2019101050A1 (en) * | 2017-11-27 | 2019-05-31 | 华为技术有限公司 | Method for multi-terminal cooperative and secure working, and device |
| CN109842658A (en) * | 2017-11-27 | 2019-06-04 | 华为技术有限公司 | The method and apparatus of multiple terminals Cooperative Security work |
| WO2019237866A1 (en) * | 2018-06-12 | 2019-12-19 | 杨力祥 | Method for controlling access at runtime and computing device |
| CN112395601A (en) * | 2019-08-15 | 2021-02-23 | 奇安信安全技术(珠海)有限公司 | Method and device for monitoring memory access in application layer |
| WO2022199560A1 (en) * | 2021-03-24 | 2022-09-29 | 华为技术有限公司 | Memory management method and device |
| CN116150740A (en) * | 2023-04-17 | 2023-05-23 | 杭州鸿钧微电子科技有限公司 | Resource isolation method and device, chip system and electronic equipment |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6629187B1 (en) * | 2000-02-18 | 2003-09-30 | Texas Instruments Incorporated | Cache memory controlled by system address properties |
| CN1623143A (en) * | 2002-03-27 | 2005-06-01 | 先进微装置公司 | Input/output permission bitmaps for compartmentalized security |
| CN101131677A (en) * | 2006-08-23 | 2008-02-27 | 联想(北京)有限公司 | Hard disk data protecting method based on virtual technology and protecting system thereof |
-
2010
- 2010-08-25 CN CN2010102623831A patent/CN102375947A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6629187B1 (en) * | 2000-02-18 | 2003-09-30 | Texas Instruments Incorporated | Cache memory controlled by system address properties |
| CN1623143A (en) * | 2002-03-27 | 2005-06-01 | 先进微装置公司 | Input/output permission bitmaps for compartmentalized security |
| CN101131677A (en) * | 2006-08-23 | 2008-02-27 | 联想(北京)有限公司 | Hard disk data protecting method based on virtual technology and protecting system thereof |
Cited By (28)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104508641A (en) * | 2012-08-02 | 2015-04-08 | 高通股份有限公司 | Multiple sets of attribute fields within a single page table entry |
| CN104508641B (en) * | 2012-08-02 | 2016-11-30 | 高通股份有限公司 | Many groups attribute field in single page table entry |
| CN102880815B (en) * | 2012-08-21 | 2016-02-03 | 上海华御信息技术有限公司 | Based on means of defence and the system of application program temporary memory space |
| CN102880815A (en) * | 2012-08-21 | 2013-01-16 | 上海华御信息技术有限公司 | Application program temporary storage space-based protection method and system |
| TWI648649B (en) * | 2013-09-12 | 2019-01-21 | 波音公司 | Mobile communication device and method of operating same |
| CN103488588A (en) * | 2013-10-09 | 2014-01-01 | 中国科学院计算技术研究所 | Memory protection method and system and network interface controller |
| CN106485159A (en) * | 2015-08-28 | 2017-03-08 | 腾讯科技(深圳)有限公司 | network security storage method and device |
| WO2017036220A1 (en) * | 2015-08-28 | 2017-03-09 | 腾讯科技(深圳)有限公司 | Secure network storage method and device |
| US10915646B2 (en) | 2015-08-28 | 2021-02-09 | Tencent Technology (Shenzhen) Company Limited | Method and apparatus for network secure storage |
| CN105760233A (en) * | 2016-02-24 | 2016-07-13 | 北京金山安全软件有限公司 | Process processing method and device |
| CN108073441B (en) * | 2016-11-14 | 2022-05-10 | 阿里巴巴集团控股有限公司 | Virtual machine memory supervision method and equipment |
| CN108073441A (en) * | 2016-11-14 | 2018-05-25 | 阿里巴巴集团控股有限公司 | A kind of virutal machine memory monitoring and managing method and equipment |
| CN106778291A (en) * | 2016-11-22 | 2017-05-31 | 北京奇虎科技有限公司 | The partition method and isolating device of application program |
| CN106778291B (en) * | 2016-11-22 | 2019-09-17 | 北京安云世纪科技有限公司 | The partition method and isolating device of application program |
| CN107562515A (en) * | 2017-08-04 | 2018-01-09 | 致象尔微电子科技(上海)有限公司 | A kind of method of the managing internal memory in virtualization technology |
| CN109426742A (en) * | 2017-08-23 | 2019-03-05 | 深圳市中兴微电子技术有限公司 | A kind of secure memory dynamic management system and method based on credible performing environment |
| CN109426742B (en) * | 2017-08-23 | 2022-04-22 | 深圳市中兴微电子技术有限公司 | Trusted execution environment-based dynamic management system and method for secure memory |
| CN109842658A (en) * | 2017-11-27 | 2019-06-04 | 华为技术有限公司 | The method and apparatus of multiple terminals Cooperative Security work |
| CN109842658B (en) * | 2017-11-27 | 2020-11-10 | 华为技术有限公司 | Method and device for multi-terminal collaborative safe work |
| CN112398812A (en) * | 2017-11-27 | 2021-02-23 | 华为技术有限公司 | Method and device for multi-terminal collaborative safe work |
| US11246039B2 (en) | 2017-11-27 | 2022-02-08 | Huawei Technologies Co., Ltd. | Method and apparatus for secure multi-terminal cooperative working |
| WO2019101050A1 (en) * | 2017-11-27 | 2019-05-31 | 华为技术有限公司 | Method for multi-terminal cooperative and secure working, and device |
| WO2019237866A1 (en) * | 2018-06-12 | 2019-12-19 | 杨力祥 | Method for controlling access at runtime and computing device |
| CN112395601A (en) * | 2019-08-15 | 2021-02-23 | 奇安信安全技术(珠海)有限公司 | Method and device for monitoring memory access in application layer |
| CN112395601B (en) * | 2019-08-15 | 2024-03-01 | 奇安信安全技术(珠海)有限公司 | Method and device for monitoring memory access of application layer |
| WO2022199560A1 (en) * | 2021-03-24 | 2022-09-29 | 华为技术有限公司 | Memory management method and device |
| CN116150740A (en) * | 2023-04-17 | 2023-05-23 | 杭州鸿钧微电子科技有限公司 | Resource isolation method and device, chip system and electronic equipment |
| CN116150740B (en) * | 2023-04-17 | 2023-12-12 | 杭州鸿钧微电子科技有限公司 | Resource isolation method and device, chip system and electronic equipment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102375947A (en) | Method and system for isolating computing environment | |
| US20230128711A1 (en) | Technologies for trusted i/o with a channel identifier filter and processor-based cryptographic engine | |
| US9684898B2 (en) | Securing personal identification numbers for mobile payment applications by combining with random components | |
| CN106462708B (en) | Authenticate the management method and device of variable | |
| US10536274B2 (en) | Cryptographic protection for trusted operating systems | |
| US9898624B2 (en) | Multi-core processor based key protection method and system | |
| CN109901911A (en) | A kind of information setting method, control method, device and relevant device | |
| CN110998545B (en) | Computer system software/firmware and processor unit with security module | |
| JP6695885B2 (en) | Hack resistant computer design | |
| US10691627B2 (en) | Avoiding redundant memory encryption in a cryptographic protection system | |
| CN105612715A (en) | Security processing unit with configurable access control | |
| EP3271828B1 (en) | Cache and data organization for memory protection | |
| CN101218609A (en) | Portable data carrier featuring secure data processing | |
| CN104092743A (en) | User data protecting method and system in cloud environment | |
| US20150074820A1 (en) | Security enhancement apparatus | |
| US20150074824A1 (en) | Secure data storage apparatus and secure io apparatus | |
| CN104468712A (en) | Lightweight class trusted calculating platform, communication method of lightweight class trusted calculating platform and trust chain establishing method | |
| WO2015154469A1 (en) | Database operation method and device | |
| CN104955043A (en) | Intelligent terminal safety protection system | |
| CN104915597A (en) | Physical isolation type USB port protection system and method | |
| US20100088770A1 (en) | Device and method for disjointed computing | |
| CN103699434B (en) | A kind of method being had secure access between the MPU for being suitable for having secure access between more applications and its more applications | |
| CN105760164A (en) | Method for achieving ACL permission in user space file system | |
| CN114912138A (en) | Architecture, system, and method for secure computing using hardware security levels | |
| CN115098227B (en) | Method and device for updating dynamic information of security equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20120314 |