CN102629236B - Memory protection method based on unequal-length counter - Google Patents


Publication number
CN102629236B
Authority
CN
China
Prior art keywords
counter
zone
hot
write
page
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201210040960.1A
Other languages
Chinese (zh)
Other versions
CN102629236A (en)
Inventor
姚念民
马海峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanhai Innovation And Development Base Of Sanya Harbin Engineering University
Original Assignee
Harbin Engineering University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Harbin Engineering University filed Critical Harbin Engineering University
Priority to CN201210040960.1A priority Critical patent/CN102629236B/en
Publication of CN102629236A publication Critical patent/CN102629236A/en
Application granted granted Critical
Publication of CN102629236B publication Critical patent/CN102629236B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a memory protection method based on unequal-length counters. Data are encrypted using counter mode encryption, and the counter length is adjusted dynamically according to memory access frequency: when a memory block is accessed very frequently, the counter length is increased; when it is accessed very rarely, the counter length is decreased. Implementing the protection mechanism involves three main processes: initialization, data block reading and writing, and data page migration. The method reduces the storage overhead of the counters and, at the same time, the number of counter overflows.

Description

Memory protection method based on unequal-length counters
Technical field
The present invention relates to a computer security protection method, specifically a memory protection method based on unequal-length counters.
Background art
Data confidentiality means preventing an attacker from illegally obtaining and understanding data. Data integrity means resisting active attacks by an adversary and preventing information from being tampered with without authorization. Both are important research topics in security architecture and storage security.
Data confidentiality is protected mainly by encryption. Encryption methods divide into symmetric-key and asymmetric-key methods: the former uses the same key for encryption and decryption; the latter uses different keys, one party holding the public key and the other the private key. Symmetric-key encryption divides into stream encryption and block encryption. Stream encryption takes the bit as its basic unit and obtains the ciphertext by XORing the key stream with the plaintext bit by bit; the typical stream method is one-time pad (OTP) encryption. Block encryption encrypts in units of data blocks; typical block cipher modes include electronic codebook (ECB), cipher block chaining (CBC) and counter mode. Counter mode encryption uses a counter value, produced by a counter maintained by the CPU, to encrypt each data block. With AES (Advanced Encryption Standard) as the crypto engine, the encryption process is: when a data block is newly created or modified, the counter is incremented by 1; the counter is concatenated with information such as the data block address and AES-encrypted under a symmetric key kept secret inside the CPU, generating the encryption pad; the pad is XORed with the cache line to obtain the ciphertext; finally the ciphertext and the counter are stored in memory. For decryption, the counter is fetched from memory, concatenated with information such as the data block address, and AES-encrypted again under the CPU's secret key, while the ciphertext is fetched from memory at the same time; once both the AES operation and the ciphertext fetch have completed, the pad is XORed with the ciphertext to recover the plaintext cache line. Compared with modes such as ECB and CBC that encrypt the data directly, counter mode encryption can hide the decryption latency; it is the mainstream encryption method at present and is widely used. However, it requires every data block to have a unique counter value, which consumes a large amount of main memory. Some mechanisms that protect memory integrity also use counter mode encryption.
Summary of the invention
The object of the present invention is to provide a memory protection method based on unequal-length counters that reduces the main memory overhead required to store the counters while also reducing the likelihood of overflow.
The object of the present invention is achieved as follows:
Data are encrypted using counter mode encryption, and the counter length is adjusted dynamically according to memory access frequency: when a memory block's access frequency is high, the counter length is increased; when it is low, the counter length is decreased. The protection mechanism based on unequal-length counters has three main processes: initialization, data block reading and writing, and data page migration.
(1) Initialization
Memory is divided into a hot zone and a non-hot zone. The hot zone holds the data blocks with high access frequency and their counters; the non-hot zone holds the blocks with low access frequency and their counters. A local counter is set up for each page in memory; each time a block in the page is written, the corresponding counter is incremented by 1.
(2) Data block reading and writing
Reading and writing a data block involves decryption and encryption, using counter mode encryption. When a newly created cache line is written back to memory, it is written to the non-hot zone. When a modified data block is written back to memory, it is written to the zone it was read from: a block read from the non-hot zone is written to the non-hot zone, and a block read from the hot zone is written to the hot zone.
(3) Data page migration
Data page migration comprises two processes: moving into the hot zone and moving out to the non-hot zone. A structure maintained in the processor records the write-back frequency of each page, and a move-in threshold is set; the threshold is a manually configured write-back frequency. When the write-back frequency of a page in the non-hot zone reaches the threshold, the page is moved in. When the hot zone is full, the page with the lowest write-back frequency in the hot zone is selected and moved out before the move-in.
The counters of the hot zone are long, the counters of the non-hot zone are short, and the hot zone and the non-hot zone have different keys.
The principal features of the method of the present invention are as follows:
(1) The overhead of storing counters is small. Although the counters in the hot zone are longer, the hot zone accounts for only a very small proportion of the protected memory space; most of the space is non-hot zone, where the counters are shorter. The overall main memory overhead of the counters is therefore small.
(2) Counter overflows are few. Blocks with high access frequency are all moved to the hot zone and, by the locality of program accesses, most accesses within a given period concentrate on the hot zone. The hot zone's counters therefore grow quickly, but they are long enough that they do not overflow easily. Meanwhile, data blocks outside the hot zone are accessed less often, so the counters of the non-hot zone grow slowly and, although short, do not overflow easily either.
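The two features above can be checked on a small model. The following is an added example, not code from the patent: it replays a constructed, skewed write trace and reports counter storage and overflow count for uniform and unequal-length counters. The widths (8 and 32 bits), the 64 pages, the threshold of 16, the four hot slots, one counter per page and the absence of eviction are all assumptions of the example.

```python
def simulate(trace, n_pages, cold_bits, hot_bits, threshold, hot_slots):
    """Replay a page-write trace; return (counter_storage_bits, overflows)."""
    ctr = [0] * n_pages       # per-page local counter, +1 on every write
    writes = [0] * n_pages    # write-back frequency kept by the processor
    hot = set()               # pages currently held in the hot zone
    overflows = 0
    for page in trace:
        writes[page] += 1
        if (page not in hot and writes[page] >= threshold
                and len(hot) < hot_slots):
            hot.add(page)     # move-in; eviction is not modelled here
        width = hot_bits if page in hot else cold_bits
        ctr[page] += 1
        if ctr[page] == 1 << width:
            overflows += 1    # value would repeat: re-encryption needed
            ctr[page] = 0
    # Zones are sized at initialization, so storage depends on hot_slots.
    storage = hot_slots * hot_bits + (n_pages - hot_slots) * cold_bits
    return storage, overflows


def skewed_trace(hot_pages=4, n_pages=64, hot_writes=1000, cold_writes=10):
    """Constructed workload: a few pages take most of the writes."""
    trace = []
    for rnd in range(hot_writes):
        trace.extend(range(hot_pages))
        if rnd < cold_writes:
            trace.extend(range(hot_pages, n_pages))
    return trace


def compare():
    t = skewed_trace()
    return {
        "uniform 8-bit": simulate(t, 64, 8, 8, 1, 0),
        "uniform 32-bit": simulate(t, 64, 32, 32, 1, 0),
        "unequal 8/32-bit": simulate(t, 64, 8, 32, 16, 4),
    }
```

On this trace the unequal-length layout needs little more counter storage than uniform short counters and overflows as rarely as uniform long ones.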
Brief description of the drawings
Fig. 1 is a structural diagram of the unequal-length counter protection mechanism;
Fig. 2 shows the move-in process of the unequal-length counter protection mechanism;
Fig. 3 shows the move-out process of the unequal-length counter protection mechanism.
Embodiment
With reference to Fig. 1: the upper part of the figure is the processor, which is the trusted zone and is protected against software and hardware attacks; it contains components such as the processor core, the L2 cache, the crypto engine and the counters. The lower part of the figure is memory, which is the untrusted zone and may be subject to hardware attacks; it comprises the non-hot zone and the hot zone. Each zone contains multiple pages (Page), and each page holds multiple ciphertext blocks (EB) and counter values (ctr or ctr'). The hot zone occupies little space and its ctr is long; the non-hot zone occupies a large space and its ctr is short.
With reference to Fig. 2: the page and its corresponding counter values (ctr) are read from the non-hot zone; the page is decrypted in counter mode with the non-hot-zone key to obtain the plaintext blocks; the hot-zone counter (C) generates a new counter value (ctr') for each plaintext block in the page; each plaintext block is encrypted in counter mode using an encryption seed composed of the hot-zone key, ctr' and addr; the encrypted page and ctr' are mapped to the hot zone.
With reference to Fig. 3: the page and its corresponding counter values (ctr') are read from the hot zone; the page is decrypted in counter mode with the hot-zone key to obtain the plaintext blocks; the non-hot-zone counter (C') generates a new counter value (ctr) for each plaintext block in the page; each plaintext block is encrypted in counter mode using an encryption seed composed of the non-hot-zone key, ctr and addr; the encrypted page and ctr are mapped to the non-hot zone.
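The counter mode encryption described in the background and the move-in and move-out processes of Figs. 2 and 3 can be followed in code. This is an added example, not the patent's implementation: HMAC-SHA256 stands in for the AES pad generation, each page is treated as a single block, each zone issues counter values from one monotonic generator so that a (key, counter, address) triple never repeats, and the keys, the 16-bit and 64-bit widths and the class names are assumptions.

```python
import hashlib
import hmac

def pad(key, ctr, addr, n):
    # Stand-in for the AES pad: PRF(key, ctr || addr), here HMAC-SHA256.
    seed = ctr.to_bytes(8, "big") + addr.to_bytes(8, "big")
    return b"".join(hmac.new(key, seed + bytes([i]), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Zone:
    def __init__(self, key, ctr_bits):
        self.key, self.ctr_bits = key, ctr_bits
        self.last_ctr = 0   # zone counter generator (C or C'), kept on-chip
        self.pages = {}     # untrusted memory: addr -> (ctr, ciphertext)

    def store(self, addr, plaintext):
        if self.last_ctr + 1 >= 1 << self.ctr_bits:
            raise OverflowError("counter exhausted: zone must be re-keyed")
        self.last_ctr += 1  # never reused, so (key, ctr, addr) is unique
        p = pad(self.key, self.last_ctr, addr, len(plaintext))
        self.pages[addr] = (self.last_ctr, xor(plaintext, p))

    def load(self, addr):
        ctr, ciphertext = self.pages[addr]
        return xor(ciphertext, pad(self.key, ctr, addr, len(ciphertext)))

class Protector:
    def __init__(self, threshold, hot_slots):
        self.cold = Zone(b"constructed-non-hot-key", ctr_bits=16)  # short ctr
        self.hot = Zone(b"constructed-hot-key", ctr_bits=64)       # long ctr'
        self.threshold, self.hot_slots = threshold, hot_slots
        self.writes = {}    # on-chip write-back frequency per page

    def zone_of(self, addr):
        return self.hot if addr in self.hot.pages else self.cold
    def read(self, addr):
        return self.zone_of(addr).load(addr)

    def write(self, addr, plaintext):
        self.writes[addr] = self.writes.get(addr, 0) + 1
        self.zone_of(addr).store(addr, plaintext)  # new pages start non-hot
        if addr in self.cold.pages and self.writes[addr] >= self.threshold:
            if len(self.hot.pages) >= self.hot_slots:   # hot zone full
                victim = min(self.hot.pages, key=self.writes.get)
                self.move(victim, self.hot, self.cold)  # move-out (Fig. 3)
            self.move(addr, self.cold, self.hot)        # move-in (Fig. 2)

    def move(self, addr, src, dst):
        plaintext = src.load(addr)  # decrypt with source key and counter
        del src.pages[addr]
        dst.store(addr, plaintext)  # fresh counter, destination key
```

`Protector` assumes `hot_slots` is at least 1; a zone whose generator reaches its width limit raises `OverflowError`, the point at which a real design would have to re-key and re-encrypt.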

Claims (1)

1. A memory protection method based on unequal-length counters, characterized in that: data are encrypted using counter mode encryption, and the counter length is adjusted dynamically according to memory access frequency; when a memory block's access frequency is high, the counter length is increased; when a memory block's access frequency is low, the counter length is decreased; the protection mechanism based on unequal-length counters has three main processes: initialization, data block reading and writing, and data page migration;
(1) Initialization
Memory is divided into a hot zone and a non-hot zone; the hot zone holds the data blocks with high access frequency and their counters; the non-hot zone holds the blocks with low access frequency and their counters; a local counter is set up for each page in memory, and each time a block in the page is written, the counter corresponding to that data block in the page is incremented by 1;
(2) Data block reading and writing
Reading and writing a data block involves decryption and encryption, using counter mode encryption; when a newly created cache line is written back to memory, it is written to the non-hot zone; when a modified data block is written back to memory, it is written to the zone it was read from, that is: a block read from the non-hot zone is written to the non-hot zone, and a block read from the hot zone is written to the hot zone;
(3) Data page migration
Data page migration comprises two processes, moving into the hot zone and moving out to the non-hot zone; a structure maintained in the processor records the write-back frequency of each page, and a move-in threshold is set, the threshold being a manually configured write-back frequency; when the write-back frequency of a page in the non-hot zone reaches the threshold, the page is moved in; when the hot zone is full, the page with the lowest write-back frequency in the hot zone is selected and moved out before the move-in;
The counters of said hot zone are long, the counters of said non-hot zone are short, and the hot zone and the non-hot zone have different keys.
CN201210040960.1A 2012-02-22 2012-02-22 Memory protection method based on unequal-length counter Expired - Fee Related CN102629236B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210040960.1A CN102629236B (en) 2012-02-22 2012-02-22 Memory protection method based on unequal-length counter

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210040960.1A CN102629236B (en) 2012-02-22 2012-02-22 Memory protection method based on unequal-length counter

Publications (2)

Publication Number Publication Date
CN102629236A CN102629236A (en) 2012-08-08
CN102629236B true CN102629236B (en) 2015-02-25

Family

ID=46587496

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210040960.1A Expired - Fee Related CN102629236B (en) 2012-02-22 2012-02-22 Memory protection method based on unequal-length counter

Country Status (1)

Country Link
CN (1) CN102629236B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104636276B (en) * 2015-01-07 2017-06-13 大连理工大学 A kind of method for protecting memory storage data confidentiality and integrality
CN105069379B (en) * 2015-07-29 2017-11-21 哈尔滨工程大学 It is a kind of based on the memory integrity protection method for writing counter
CN105022968B (en) * 2015-07-30 2017-12-19 哈尔滨工程大学 A kind of integrity checking method of internal storage data
CN107330336B (en) * 2017-05-23 2020-02-14 中国人民解放军信息工程大学 Instant encryption and decryption method and system for memory page of Linux operating system
CN116171443A (en) * 2020-09-30 2023-05-26 华为技术有限公司 Resource allocation device, device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1949288A (en) * 2006-11-24 2007-04-18 苏州市华芯微电子有限公司 Variable length coding method and circuit thereof
CN101788995A (en) * 2009-12-31 2010-07-28 成都市华为赛门铁克科技有限公司 Hotspot data identification method and device
CN102355352A (en) * 2011-07-24 2012-02-15 哈尔滨工程大学 Data confidentiality and integrity protection method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101321359B (en) * 2007-06-06 2011-05-25 中兴通讯股份有限公司 Performance data transmission method of mobile communication system
US20100303229A1 (en) * 2009-05-27 2010-12-02 Unruh Gregory Modified counter mode encryption

Also Published As

Publication number Publication date
CN102629236A (en) 2012-08-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20201231

Address after: 572024 area A129, 4th floor, building 4, Baitai Industrial Park, yazhouwan science and Technology City, Yazhou District, Sanya City, Hainan Province

Patentee after: Nanhai innovation and development base of Sanya Harbin Engineering University

Address before: 150001 Intellectual Property Office, Harbin Engineering University science and technology office, 145 Nantong Avenue, Nangang District, Harbin, Heilongjiang

Patentee before: HARBIN ENGINEERING University

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150225