CN107087003B - System anti-attack method based on network - Google Patents

System anti-attack method based on network Download PDF

Info

Publication number
CN107087003B
CN107087003B CN201710342720.XA CN201710342720A CN107087003B CN 107087003 B CN107087003 B CN 107087003B CN 201710342720 A CN201710342720 A CN 201710342720A CN 107087003 B CN107087003 B CN 107087003B
Authority
CN
China
Prior art keywords
block
trusted platform
application
kernel
application data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710342720.XA
Other languages
Chinese (zh)
Other versions
CN107087003A (en
Inventor
许驰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SHANGHAI GONGCHUANG INFORMATION TECHNOLOGY Co.,Ltd.
Original Assignee
Shanghai Gongchuang Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Gongchuang Information Technology Co ltd filed Critical Shanghai Gongchuang Information Technology Co ltd
Priority to CN201710342720.XA priority Critical patent/CN107087003B/en
Publication of CN107087003A publication Critical patent/CN107087003A/en
Application granted granted Critical
Publication of CN107087003B publication Critical patent/CN107087003B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a system anti-attack method based on a network, which comprises the following steps: the trusted platform forbids the blocks in the holding state to be mapped by the kernel block table or the safety block table of other applications by verifying the SID; the trusted platform transmits the application data by constructing a trusted application data stream in the untrusted kernel, and the application data is guaranteed to be accessible only by the owner of the trusted platform by verifying the SUID. The invention provides a system anti-attack method based on a network, which is completely isolated from an untrusted operating system, avoids frequent and low-efficiency encryption and decryption, and provides comprehensive protection for application.

Description

System anti-attack method based on network
Technical Field
The invention relates to computer security, in particular to a system anti-attack method based on a network.
Background
With the development of information technology, computer systems are widely used in important fields such as politics, economy, culture, national defense, and security. The operating system kernel is the basis for the work and security of the whole computer system. The kernel runs on the highest authority layer of the whole system, manages and controls bottom hardware resources, and provides a safe and isolated resource abstraction and access interface for upper files. More and more security reports show that a large number of bugs and errors still exist in the kernel of the operating system, and an attacker can obtain the highest authority and implement any attack behavior in the kernel authority, including malicious operation of underlying hardware, execution of any code in the system, reading and writing of any data on a memory and a disk, and the like. In the prior art, based on the VMM, the kernel permission operation is intercepted and verified, and the file is comprehensively protected. On the other hand, however, the VMM runs at a higher privilege level, and frequent inter-layer switching between the operating system kernel and the VMM also results in higher performance overhead.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a system anti-attack method based on a network, which comprises the following steps:
copying application data from the block of the application addressing area to a cache block of the kernel, and then transmitting the application data from the cache block to a disk block; when the application data is transmitted in the kernel, the application data is isolated from the kernel and cannot be accessed by the kernel; when a block is allocated to an application by the kernel, the trusted platform authorizes the kernel to use only the block in the isolated state; when the trusted platform maps the block to the applied safety block table, verifying the mapping state of the block and rejecting all non-isolated blocks; then, the block is securely assigned to the application, marked as an occupied state, and marked by the applied SID; the trusted platform forbids the blocks in the occupied state to be mapped by the kernel block table or the safety block tables of other applications by verifying the SID, and ensures the memory isolation of the applications; while prohibiting the application blocks from being remapped in the application addressing area;
the application data enters the kernel in a plaintext form, and the trusted platform transmits the application data by constructing a trusted application data stream in the untrusted kernel; the application data is identified by a secure user ID, i.e. SUID; each user possesses own SUID, and the SUID is given to the application when the user starts the application; the trusted platform ensures that the application data can only be accessed by the owner of the trusted platform by verifying the SUID; the SUID marks a user group for file sharing among users and appointing different read-write and execution authorities;
when the file block is mapped to be in an occupied state, the application data cannot be accessed by the kernel; when the kernel needs to copy the application data from the file block to the cache block, only a request can be sent to the trusted platform, and the trusted platform finishes data copying; the trusted platform only authorizes the kernel to provide the cache block in the isolation state, and refuses to copy the application data for the cache block in the non-isolation state;
the trusted platform defines the states of two disk blocks, namely idle state and occupied state, and uses a disk block array to track the states; in the disk block array, one bit of the memory corresponds to the state of one disk block; the trusted platform verifies all I/O commands sent to the disk; if the command is to write application data to a disk block, the trusted platform ensures that the written disk block can only be in an idle state; after the data transmission is finished, the disk block is changed into an occupied state, and the SUID and the application data are stored on the disk block together for identifying the owner of the disk block; then, the trusted platform only allows the memory blocks with the same SUID to perform data transmission with the occupied disk block, so as to ensure application data isolation and access control on the disk block;
when reading the file, the trusted platform only allows the application data occupying the disk block to be transmitted to the cache block in the isolated state, and the cache block is given the SUID occupying the disk block; thereafter, the trusted platform only allows the data of the cache block to be copied to a file block with the same SUID, to be accessed by its file owner;
the user authentication of the trusted platform is realized based on an authentication user password; the trusted platform uses a public key/private key pair to ensure that the untrusted kernel cannot steal the user password; encrypting and decrypting a private key of the trusted platform using a storage key in the TPM; when a user starts the application of the user, the user password of the user is placed in an executable file of the application and is encrypted by using a public key of a trusted platform; the trusted platform obtains a user password from the application executable file and decrypts the user password by using a private key of the trusted platform; and then, the trusted platform gives the corresponding SUID to the application by verifying the user password to identify the identity of the application.
Compared with the prior art, the invention has the following advantages:
the invention provides a system anti-attack method based on a network, which is completely isolated from an untrusted operating system, avoids frequent and low-efficiency encryption and decryption, and provides comprehensive protection for application.
Drawings
Fig. 1 is a flowchart of a method for preventing attacks on a network-based system according to an embodiment of the present invention.
Detailed Description
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details.
One aspect of the present invention provides a network-based system attack prevention method. Fig. 1 is a flowchart of a method for preventing attacks on a network-based system according to an embodiment of the present invention.
The invention introduces a trusted platform in the secure addressing area, and the application runs in the secure environment protected by the trusted platform. The untrusted kernel and the application are respectively operated in two different addressing areas, namely a kernel addressing area and a safe addressing area. The block table used in the kernel addressing area is referred to as a kernel block table, and the block table used in the secure addressing area is referred to as a secure block table. When the application in the safe addressing area interacts with the kernel, the application firstly enters a trusted platform of the safe addressing area, the trusted platform stores the application context, and then the application context is switched to the kernel addressing area to enter the kernel for execution. When the kernel returns the application, the kernel must first return to the trusted platform in the secure addressing area, and the trusted platform recovers the application context and then returns to the application in the secure addressing area to continue executing.
The trusted platform directly limits the target value of the control register by using hardware virtualization; meanwhile, the trusted platform intercepts and verifies all block table updating operations in the system, and memory protection is realized. The use of hardware virtualization ensures that the entire system (kernel, applications and trusted platform) can only run in the kernel addressing area and the secure addressing area. Target values of a maximum of 4 control registers are set in the control register target list. When software modifies a control register and the target value is one of the control register target lists, the control register modification may be done directly. The invention only uses 2 target values to write the kernel block table in the kernel addressing area and the base address of the safety block table in the safety addressing area into the control register target list, therefore, the whole system can only modify the control register into two values in the operation process. If attempts to modify other target values cause the CPU to enter a secure mode, any operation that causes entry into the secure mode is considered malicious and can cause a reboot of the entire system. In the kernel addressing area, the entire block table is mapped as read-only. Any software running in the kernel addressing area must first map a block entry as writable if it is to be modified. The way software in the kernel-addressed area tries to unlock the block table is: 1) modifying the control register and switching the addressing area. 2) And modifying the mode flag bit of the control register to disable the read-only protection of the block table. Aiming at the mode, the invention uses hardware virtualization to prohibit all software in the common mode from modifying the mode flag bit of the control register, and any operation of modifying the mode flag bit enables the system to enter the safe mode, thereby causing the system to restart.
In the secure addressing area, the invention limits that only layer 0 software can modify the block table. The block table is mapped as invisible at other layers. Therefore, only the software of the secure addressing area in the whole system can modify the block table. All block table update operations can only be done by the trusted platform. When the kernel needs to update the block table, the kernel can only send a request to the trusted platform, and the trusted platform can intercept and verify all block table update operations, so that memory protection is realized. Therefore, the invention eliminates the authority of modifying the block table by the kernel of the kernel addressing area based on the control register control and block table locking technology.
The trusted platform controls all entry points entering the secure addressing area, and ensures that once the CPU enters the secure addressing area, the trusted platform obtains system control right. The trusted platform completes the execution flow of the trusted platform in the secure addressing area, and when the trusted platform returns to an external component, the CPU is switched back to the kernel addressing area or the layer 3 of the secure addressing area, so that only the trusted platform in the secure addressing area is ensured to run. Therefore, the external component can only run in the kernel addressing area or the layer 3 of the safe addressing area at all times, and the data code of the trusted platform in the safe addressing area cannot be damaged.
After entering the layer 0 of the secure addressing area from the entry point, the trusted platform is prohibited from interruption in the whole execution process, and the execution stream cannot be hijacked by an external component: the trusted platform resumes interrupts only when the external component is returned. Meanwhile, the trusted platform switches the CPU back to the kernel addressing area or the layer 3 of the safe addressing area, and only the trusted platform in the layer 0 of the safe addressing area is ensured to run. When the unmasked interrupt occurs in the trusted platform, the trusted platform temporarily blocks the unmasked interrupt, and prevents an external component from hijacking the trusted platform execution stream by using the unmasked interrupt. When returning to the kernel, the trusted platform forwards the unmasked interrupt to the kernel for processing. The kernel running in the kernel addressing area or the application running in the layer 3 of the secure addressing area cannot damage the integrity of the data codes of the trusted platform, and cannot modify the block table and perform malicious mapping on the data codes of the trusted platform.
The block table is composed of a 4-level structure (denoted by L1, L2, L3, and L4), the control register points to the L4 block table of the secure block table (referred to as S-L4), and block table switching is achieved by copying the L4 block table of the target file to S-L4 in its entirety. Like other block tables, S-L4 can only be modified by trusted platforms in the secure addressing area. Therefore, when the process is switched, the kernel can only send a request to the trusted platform, and the trusted platform switches the file block table.
When the application is interrupted and enters the trusted platform, the trusted platform stores the application security environment, forwards the interruption to the kernel in the kernel addressing area, places the specific content updated by the block table in a shared memory, completes all processing until the kernel completes all processing, and allocates the corresponding physical block when the operating system completes the interruption processing. And the trusted platform reads the update request from the shared memory, completes the update of the block table and then returns to the kernel. And the kernel completes the rest interrupt processing work and finally returns to the trusted platform. And the trusted platform recovers the application security environment and returns the application.
The trusted platform intercepts and verifies all I/O commands sent to the disk peripheral in the system, and the whole I/O verification process is realized in a common mode. The invention can intercept the I/O command sent to the disk peripheral only by intercepting the memory mapping I/O. Specifically, based on the memory protection mechanism of the trusted platform, the trusted platform maps the I/O memory allocated to the disk manager as read-only. When the kernel needs to send an I/O command to the disk, the kernel can only forward the command to the trusted platform, the trusted platform accesses the I/O memory, when the system is started, the PCI configuration space set by the BIOS is verified, and the kernel is prohibited from accessing the whole PCI configuration space in the running process of the system. Disabling software in the normal mode from accessing the segment of the I/O port by using hardware virtualization; mapping the address area existing in the reserved system to be invisible, and forbidding kernel access.
How the trusted platform protects the memory in the application addressing area to achieve the isolation and integrity protection of the addressing area is described in detail below. In order to isolate the application addressing area from the kernel, the trusted platform uses an array to track the mapping of each physical block in the system. Each block can be defined as 3 mapping states: normal, isolated and occupied. Blocks in the normal state are mapped by both the kernel block table and the secure block table so that both the kernel and trusted platforms can access them. The blocks in the isolated state are only mapped by the secure block table and can only be accessed by the trusted platform. The blocks where the trusted platform and the block table are located are both mapped to an isolated state. Blocks of possession status have been allocated to an application, mapped only by the secure block table and the secure block table of its application owner, so that only trusted platforms and their owners have access to them. The trusted platform uses a unique security identifier SID to identify the occupants of the possession block. SIDs are assigned to each process by the trusted platform at process creation time.
The following describes the transformation process of the block mapping status and the address area isolation, taking the block allocation of application a as an example. When a block is assigned to application a by the kernel, the trusted platform authorizes the kernel to use only the block in the isolated state. When the trusted platform maps the block to the secure block table of A, the mapping state of the block is verified, and all non-isolated blocks are rejected. The block is then securely assigned to a, marked as in possession, and marked with the SID of a. And the trusted platform prohibits the block in the holding state from being mapped by the kernel block table or the safety block table of other applications by verifying the SID, so that the memory isolation of the A is ensured. While prohibiting the application blocks from being remapped in the application addressing area.
The trusted platform maintains a linked list by the application itself, describing the mapping state of the addressing area of the trusted platform itself. This linked list, like the other data of the application-addressed area, cannot be modified by the kernel. When the trusted platform updates the application block table, the linked list is checked. And if the block table updating request of the kernel is inconsistent with the mapping state of the addressing area described by the linked list, the trusted platform refuses the request. This mechanism is described below using a file mapping function as an example.
On the disk, different files are marked differently, and different data blocks of the same file are marked by file offsets, indicating the location of the data block in the file. When the application calls the file mapping function, the state linked list of the addressing area maintained by the application is updated at the same time, and the state linked list comprises the ID and the offset corresponding to the file to be read. The linked list is checked when the trusted platform performs a block table update verification. If the corresponding addressing area mapping file is updated, the trusted platform compares the ID and the offset in the linked list with the ID and the offset of the file. If not, the trusted platform refuses to map the file to the addressing area and notifies the application.
In the invention, the application data of the application enters the kernel in a plaintext form, and the trusted platform transmits the application data by constructing a trusted application data stream in the untrusted kernel, so that the application data is prevented from being stolen or tampered. In the access control model based on the trusted platform, the application data is identified by the safety user ID, namely the SUID. Each user possesses its own SUID, and when starting its own application, the user gives the SUID to the application. The trusted platform ensures that the application data can only be accessed by its owner by verifying the SUID. The SUID may mark a group of users for file sharing among the users; the SUID may specify different read and write and execution rights.
Application data is copied from blocks of the application addressing area to cache blocks of the kernel and then transferred from the cache blocks to disk blocks. The trusted application data flow ensures that when the application data is transmitted in the kernel, the application data is isolated from the kernel and cannot be accessed by the kernel. First, the file blocks are mapped to an occupied state in which application data is not accessible by the kernel. When the kernel needs to copy the application data from the file block to the cache block, only a request can be sent to the trusted platform, and the trusted platform finishes data copying. The trusted platform authorizes the kernel to provide the cache block in the isolation state only, and refuses to copy the application data for the cache block in the non-isolation state.
The trusted platform defines the states of two disk blocks, free and occupied, and uses an array (called disk block array) for state tracking. In an array of disk blocks, one bit of memory corresponds to the state of one disk block. The trusted platform validates all I/O commands sent to disk. If the command is to write application data to a disk block, the trusted platform ensures that the disk block being written can only be in an idle state. After the data transfer is complete, the disk block is changed to an occupied state, and the SUID is stored on the disk block with the application data to identify the owner of the disk block. Then, the trusted platform only allows the memory block with the same SUID to perform data transmission with the occupied disk block, so that application data isolation and access control on the disk block are guaranteed.
When reading a file, the trusted platform only allows application data on occupied disk blocks to be transferred to cache blocks in the sequestered state, while the cache blocks are given SUIDs that occupy the disk blocks. Thereafter, the trusted platform only allows the data of the cache block to be copied to file blocks with the same SUID, accessed by its file owner.
User authentication of the trusted platform is achieved based on authenticating a user password. The trusted platform further uses a public/private key pair to ensure that the untrusted kernel cannot steal the user password. The present invention uses the storage key in the TPM to encrypt and decrypt the private key of the trusted platform. When the user starts the application of the user, the user password of the user is placed in an executable file of the application, and the public key of the trusted platform is used for encryption. The trusted platform obtains the user password from the application executable file and decrypts the user password by using the private key of the trusted platform. And then, the trusted platform gives the corresponding SUID to the application by verifying the user password to identify the identity of the application. In the whole identity verification process, the invention ensures the credible chain: TPM storage key → trusted platform private key → user password → SUID.
In summary, the invention provides a network-based system attack prevention method, which is completely isolated from an untrusted operating system, avoids frequent and inefficient encryption and decryption, and provides comprehensive protection for applications.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented in a general purpose computing system, centralized on a single computing system, or distributed across a network of computing systems, and optionally implemented in program code that is executable by the computing system, such that the program code is stored in a storage system and executed by the computing system. Thus, the present invention is not limited to any specific combination of hardware and software.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explaining the principles of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.

Claims (1)

1. A system anti-attack method based on network is characterized by comprising the following steps:
copying application data from an application block of an application addressing area to a cache block of a kernel, and then transmitting the application data from the cache block to a disk block; when the application data is transmitted in the kernel, the application data is isolated from the kernel and cannot be accessed by the kernel; when an application block is allocated to an application by the kernel, the trusted platform authorizes the kernel to use the application block in the isolation state only; when the trusted platform maps the application block to the applied safety block table, verifying the mapping state of the application block and rejecting all non-isolated blocks; then, the application block is safely distributed to the application, and is marked as an occupation state and is marked by the applied SID; the trusted platform forbids the blocks in the occupied state to be mapped by the kernel block table or the safety block tables of other applications by verifying the SID, and ensures the memory isolation of the applications; while prohibiting the application blocks from being remapped in the application addressing area;
the application data enters the kernel in a plaintext form, and the trusted platform transmits the application data by constructing a trusted application data stream in the untrusted kernel; the application data is identified by a secure user ID, i.e. SUID; each user possesses own SUID, and the SUID is given to the application when the user starts the application; the trusted platform ensures that the application data can only be accessed by the owner of the trusted platform by verifying the SUID; the SUID marks a user group for file sharing among users and appointing different read-write and execution authorities;
when the file block is mapped to be in an occupied state, the application data cannot be accessed by the kernel; when the kernel needs to copy the application data from the file block to the cache block, only a request can be sent to the trusted platform, and the trusted platform finishes data copying; the trusted platform only authorizes the kernel to provide the cache block in the isolation state, and refuses to copy the application data for the cache block in the non-isolation state;
the trusted platform defines the states of two disk blocks, namely idle state and occupied state, and uses a disk block array to track the states; in the disk block array, one bit of the memory corresponds to the state of one disk block; the trusted platform verifies all I/O commands sent to the disk; if the command is to write application data to a disk block, the trusted platform ensures that the written disk block can only be in an idle state; after the data transmission is finished, the disk block is changed into an occupied state, and the SUID and the application data are stored on the disk block together for identifying the owner of the disk block; then, the trusted platform only allows the memory blocks with the same SUID to perform data transmission with the occupied disk block, so as to ensure application data isolation and access control on the disk block;
when reading the file, the trusted platform only allows the application data occupying the disk block to be transmitted to the cache block in the isolated state, and the cache block is given the SUID occupying the disk block; thereafter, the trusted platform only allows the data of the cache block to be copied to a file block with the same SUID, to be accessed by its file owner;
the user authentication of the trusted platform is realized based on an authentication user password; the trusted platform uses a public key/private key pair to ensure that the untrusted kernel cannot steal the user password; encrypting and decrypting a private key of the trusted platform using a storage key in the TPM; when a user starts the application of the user, the user password of the user is placed in an executable file of the application and is encrypted by using a public key of a trusted platform; the trusted platform obtains a user password from the application executable file and decrypts the user password by using a private key of the trusted platform; and then, the trusted platform gives the corresponding SUID to the application by verifying the user password to identify the identity of the application.
CN201710342720.XA 2017-05-16 2017-05-16 System anti-attack method based on network Active CN107087003B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710342720.XA CN107087003B (en) 2017-05-16 2017-05-16 System anti-attack method based on network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710342720.XA CN107087003B (en) 2017-05-16 2017-05-16 System anti-attack method based on network

Publications (2)

Publication Number Publication Date
CN107087003A CN107087003A (en) 2017-08-22
CN107087003B true CN107087003B (en) 2020-10-02

Family

ID=59609003

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710342720.XA Active CN107087003B (en) 2017-05-16 2017-05-16 System anti-attack method based on network

Country Status (1)

Country Link
CN (1) CN107087003B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109218304B (en) * 2018-09-12 2020-09-25 北京理工大学 Network risk blocking method based on attack graph and co-evolution

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101226577A (en) * 2008-01-28 2008-07-23 南京大学 Method for protecting microkernel OS integrality based on reliable hardware and virtual machine
JP2013536505A (en) * 2010-08-06 2013-09-19 インテル・コーポレーション Secure readable memory area support for pre-boot and secure mode operations

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7716494B2 (en) * 2004-07-15 2010-05-11 Sony Corporation Establishing a trusted platform in a digital processing system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101226577A (en) * 2008-01-28 2008-07-23 南京大学 Method for protecting microkernel OS integrality based on reliable hardware and virtual machine
JP2013536505A (en) * 2010-08-06 2013-09-19 インテル・コーポレーション Secure readable memory area support for pre-boot and secure mode operations

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
对Linux内核进程上下文和中断上下文的理解;chen_chuang;《China Unix 博客》;20140731;全文 *

Also Published As

Publication number Publication date
CN107087003A (en) 2017-08-22

Similar Documents

Publication Publication Date Title
US20230128711A1 (en) Technologies for trusted i/o with a channel identifier filter and processor-based cryptographic engine
CN109766165B (en) Memory access control method and device, memory controller and computer system
CN110928646B (en) Method, device, processor and computer system for accessing shared memory
CN109522754B (en) Core control method for trusted isolation environment of mobile terminal
CN111651778B (en) Physical memory isolation method based on RISC-V instruction architecture
RU2679721C2 (en) Attestation of host containing trusted execution environment
US7380049B2 (en) Memory protection within a virtual partition
CN105184147B (en) User safety management method in cloud computing platform
KR101052400B1 (en) Methods for Delegating Access, Machine-readable Storage Media, Devices, and Processing Systems
CN104318176B (en) Data management method and device for terminal and terminal
KR102105760B1 (en) Heterogeneous isolated execution for commodity gpus
CN105184164B (en) A kind of data processing method
US20040205203A1 (en) Enforcing isolation among plural operating systems
Schneider et al. Sok: Hardware-supported trusted execution environments
CN101006433A (en) Information communication device, and program execution environment control method
WO2014153635A1 (en) Method and system for platform and user application security on a device
KR102579861B1 (en) In-vehicle software update system and method for controlling the same
CN107169375B (en) System data security enhancement method
CN107087003B (en) System anti-attack method based on network
Dubrulle et al. Blind hypervision to protect virtual machine privacy against hypervisor escape vulnerabilities
CN108345804B (en) Storage method and device in trusted computing environment
CN107103257B (en) Computer intrusion prevention method
CN111949995B (en) Host CPU architecture system and method for safely managing hardware resources
WO2021238294A1 (en) Data processing method and data processing apparatus
KR102623168B1 (en) Data protection system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
TA01 Transfer of patent application right

Effective date of registration: 20200610

Address after: 201516 Shanghai city Jinshan District Langxia Town Landscape Road No. 228 room 7 C457

Applicant after: SHANGHAI GONGCHUANG INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 510000 Guangzhou High-tech Industrial Development Zone Science Avenue 231, 233 Skirt Building B1B2, 1st, 2nd, 3rd and 4th floors

Applicant before: BOAO ZONGHENG NETWORK TECHNOLOGY Co.,Ltd.

Effective date of registration: 20200610

Address after: 510000 Guangzhou High-tech Industrial Development Zone Science Avenue 231, 233 Skirt Building B1B2, 1st, 2nd, 3rd and 4th floors

Applicant after: BOAO ZONGHENG NETWORK TECHNOLOGY Co.,Ltd.

Address before: The middle Tianfu Avenue in Chengdu city Sichuan province 610000 No. 1388 1 7 storey building No. 772

Applicant before: CHENGDU DINGZHIHUI TECHNOLOGY Co.,Ltd.

GR01 Patent grant
GR01 Patent grant