CN110750791B - Method and system for guaranteeing physical attack resistance of trusted execution environment based on memory encryption


Info

Publication number: CN110750791B
Application number: CN201910979558.1A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN110750791A (en)
Legal status: Active
Inventors: 张倩颖, 张美玉, 施智平, 关永, 李晓娟, 王瑞, 王国辉, 李希萌
Current assignee: Capital Normal University
Original assignee: Capital Normal University
Events: application filed by Capital Normal University; priority to CN201910979558.1A; publication of CN110750791A; application granted; publication of CN110750791B; legal status active; anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Abstract

The embodiment of the disclosure discloses a method and a system for guaranteeing a trusted execution environment against physical attacks based on memory encryption. The system comprises at least one first memory, at least one second memory, at least one first processor and at least one second processor, wherein: the first memory is an on-chip memory and is used for storing security-sensitive tasks; the second memory is an off-chip memory and is used for storing the encrypted and integrity-protected ciphertext of the security-sensitive task; the first processor is used for acquiring the ciphertext of the security-sensitive task from the second memory, carrying out integrity verification and decryption, and storing the security-sensitive task obtained on success in the first memory; the second processor is used to schedule and run the security-sensitive task from the first memory. The technical scheme improves the physical security of the security-sensitive task in the secure processing mode.

Description

Method and system for guaranteeing physical attack resistance of trusted execution environment based on memory encryption
Technical Field
The disclosure relates to the field of embedded system security, in particular to a method and a system for guaranteeing a trusted execution environment to resist physical attack based on memory encryption.
Background
With the development of internet of things technology, more and more intelligent devices adopt embedded systems. Valuable sensitive information stored in these devices becomes the target of attackers, leading to memory data leakage incidents.
In order to improve the security of embedded systems, ARM provides the TrustZone technology for its processor architecture. Hardware resources are divided into two parts by a hardware isolation mechanism, called the secure world and the normal world: the secure world runs a trusted operating system, the normal world runs a general-purpose operating system, and the two operating systems run on the same hardware platform to form a dual-operating-system architecture. ARM TrustZone enables the secure world to resist attacks from normal-world malicious software through resource access control and memory isolation, and establishes a Trusted Execution Environment (TEE) for trusted applications, so that the security of the embedded system is enhanced. However, this technique is only directed at software attacks from malicious operating systems and malicious applications, and provides no protection against physical attacks.
With the development of physical attack technology, advanced physical attack methods have appeared, including cold boot attacks, bus snooping attacks, Direct Memory Access (DMA) attacks and the like. These attacks have low cost and a short attack period, and have become a serious security threat to embedded devices. The TEE is mainly used for running the security-sensitive tasks of an embedded system, such as fingerprint verification and mobile payment, whose code and data need stronger security protection. Technologies such as ARM TrustZone can provide an isolated trusted execution environment, but do not enforce memory encryption and cannot prevent physical attacks such as cold boot attacks and bus snooping attacks. Thus, even if sensitive information is stored in TEE-protected physical memory, an attacker can obtain it through a physical attack. To defend against physical attacks, research teams in China and abroad have proposed various security solutions, which can be divided into two categories: adding hardware assistance and enhancing software functions. Adding hardware assistance mainly refers to assisting memory encryption by integrating special hardware components on the chip. Although this approach can improve system security while preserving system performance, integrating additional hardware components requires modifying the device hardware, has a long development period, and is not applicable to embedded devices already on the market; moreover, ARM has not yet introduced a hardware mechanism against physical attacks into its CPUs.
Enhancing software functions mainly refers to encrypting the memory through software. Its advantage is that the memory can be protected by modifying only the software, without modifying or adding hardware components in the embedded device; its disadvantage is that the performance of a cryptographic algorithm implemented in software is low, which affects system performance.
Disclosure of Invention
In order to solve the problems in the related art, embodiments of the present disclosure provide a method and a system for guaranteeing a trusted execution environment against physical attacks based on memory encryption. In the invention, the confidentiality and integrity of security-sensitive tasks in the TEE are protected by a software memory encryption technique based on on-chip storage, and the influence of the memory protection mechanism on system performance is reduced by utilizing a multi-core architecture and a core specialization technique.
In a first aspect, an embodiment of the present disclosure provides a system for securing a trusted execution environment against physical attacks based on memory encryption.
Specifically, the system for securing the trusted execution environment against physical attacks based on memory encryption includes: at least one first memory, at least one second memory, at least one first processor, and at least one second processor, wherein:
the first memory is an on-chip memory and is used for storing security sensitive tasks;
the second memory is an off-chip memory and is used for storing encrypted and integrity-protected ciphertext of the security sensitive task;
the first processor is used for acquiring the ciphertext of the security sensitive task from the second memory, carrying out integrity verification and decryption processing, and storing the security sensitive task obtained by successful processing to the first memory;
the first processor is further configured to encrypt and protect integrity of the security-sensitive task scheduled and executed by the second processor in the first memory, and store the encrypted and protected integrity of the security-sensitive task in the second memory;
the second processor is to schedule and run the security-sensitive task from the first memory.
Optionally, the first memory is allocated to a secure world for storing the security-sensitive task and a trusted operating system.
Optionally, the second memory is divided into a first storage portion and a second storage portion, wherein the first storage portion is allocated to the secure world and used for storing the ciphertext of the security-sensitive task, and the second storage portion is allocated to the normal world and used for storing a general-purpose operating system and non-security-sensitive tasks.
Optionally, the first processor loads the encrypted and integrity-protected security-sensitive task into a local ready queue of the second processor; the local ready queue comprises task information of a plurality of security-sensitive tasks to be scheduled;
and the second processor schedules and runs the security-sensitive task from the local ready queue according to a preset scheduling policy.
Optionally, the first processor and the second processor are processor cores of a multi-core processor.
In a second aspect, an embodiment of the present disclosure provides a method for securing a trusted execution environment against physical attacks based on memory encryption.
Specifically, the method for guaranteeing the trusted execution environment against physical attacks based on memory encryption comprises the following steps:
acquiring the encrypted and integrity-protected ciphertext of the security sensitive task from the second memory;
carrying out integrity verification and decryption on the ciphertext of the security sensitive task to obtain the security sensitive task;
and storing the security-sensitive task to a first memory for a second processor to schedule and run.
Optionally, the method further comprises:
retrieving the security-sensitive task scheduled and finished by the second processor from a first memory;
and after the acquired security sensitive task is encrypted and integrity protected, the security sensitive task is stored in the second memory.
In a third aspect, an embodiment of the present disclosure provides a method for securing a trusted execution environment against physical attacks based on memory encryption, where the method is executed on a system for securing the trusted execution environment against physical attacks based on memory encryption, and includes:
the first processor acquires the encrypted and integrity-protected ciphertext of the security sensitive task from the second memory;
the first processor performs integrity verification and decryption on the ciphertext of the security sensitive task to obtain the security sensitive task;
the first processor stores the security-sensitive task in a first memory, to be scheduled and run by a second processor;
the second processor schedules and runs the security-sensitive task from the first memory according to a scheduling policy;
after the security-sensitive task finishes running, the first processor encrypts and integrity-protects the finished security-sensitive task and stores it in the second memory.
According to the technical scheme provided by the embodiment of the disclosure, an independent first processor is allocated to run the memory protection engine exclusively and is responsible for the confidentiality and integrity protection of security-sensitive tasks; a security-sensitive task is integrity-verified and decrypted before running and is then allocated to the second processor to run. As a result, the resources of the first processor cannot be preempted by high-priority tasks, the memory protection engine running on the first processor is always in the running state, the confidentiality and integrity protection process of security-sensitive tasks cannot be interrupted, and the unnecessary performance overhead of frequent task switching is avoided. In addition, under multitasking the memory protection engine and the security-sensitive tasks execute in parallel, further reducing the performance overhead of the memory protection scheme. Meanwhile, the technical scheme needs no additional hardware support and no modification of application programs, is highly portable, reduces the influence of the memory protection mechanism on task execution efficiency by dedicating a first processor to the memory protection engine, and preserves execution efficiency while improving task security.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
Other features, objects, and advantages of the present disclosure will become more apparent from the following detailed description of non-limiting embodiments when taken in conjunction with the accompanying drawings. In the drawings:
FIG. 1 illustrates a schematic diagram of a system for securing a trusted execution environment against physical attacks based on memory encryption, in accordance with an embodiment of the present disclosure;
FIG. 2 illustrates a flow diagram of a method of securing a trusted execution environment against physical attacks based on memory encryption, in accordance with an embodiment of the present disclosure;
FIG. 3 illustrates a flow diagram for deriving security-sensitive tasks in accordance with an embodiment of the present disclosure;
FIG. 4 is a flowchart illustrating how the memory protection engine encrypts and integrity-protects a security-sensitive task that has finished running using the authenticated encryption algorithm to obtain the ciphertext of the security-sensitive task, and stores the ciphertext in the second memory 102, according to an embodiment of the disclosure.
Detailed Description
Hereinafter, exemplary embodiments of the present disclosure will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily implement them. Also, for the sake of clarity, parts not relevant to the description of the exemplary embodiments are omitted in the drawings.
In the present disclosure, it is to be understood that terms such as "including" or "having," etc., are intended to indicate the presence of the disclosed features, numbers, steps, behaviors, components, parts, or combinations thereof, and are not intended to preclude the possibility that one or more other features, numbers, steps, behaviors, components, parts, or combinations thereof may be present or added.
It should be further noted that the embodiments and features of the embodiments in the present disclosure may be combined with each other without conflict. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In order to improve system security, in the prior art all or part of the data and code of the trusted operating system kernel and the trusted applications are stored in SoC internal memory; when the SoC internal memory is insufficient, part of the data and code is encrypted and then stored in external memory, and when data and code in the SoC external memory (such as a DRAM) need to be used, the encrypted data and code are loaded from the external memory into the SoC internal memory, their integrity is verified, and they are then decrypted and run. However, the integrity and confidentiality protection of data and code in this method introduces a large performance overhead and also affects the real-time behaviour of real-time tasks.
As described above, ARM provides the TrustZone technology for its processor architecture. The technology divides hardware resources into two parts through a hardware isolation mechanism, called the secure world and the normal world; the secure world runs a trusted operating system, the normal world runs a general-purpose operating system, and switching between the secure world and the normal world is performed through the secure monitor mode. The secure world of ARM TrustZone can resist attacks from malware in the normal world and establishes a Trusted Execution Environment (TEE) for trusted applications, enhancing the security of the embedded system; however, defense against physical attacks is not considered in the technology, and attackers can obtain sensitive information protected by the TEE through physical attacks.
Fig. 1 illustrates a schematic diagram of a system for securing a trusted execution environment against physical attacks based on memory encryption according to an embodiment of the present disclosure. As shown in fig. 1, the system 100 for securing a trusted execution environment against physical attacks based on memory encryption comprises at least one first storage 101, at least one second storage 102, at least one first processor 103, and at least one second processor 104, wherein:
the first memory 101 is an SoC on-chip memory and is used for storing security data requiring high security protection, wherein the security data includes security sensitive tasks;
the second memory 102 is an SoC off-chip memory and is used for storing the encrypted and integrity-protected ciphertext of the security sensitive task;
the first processor 103 is configured to obtain the encrypted and integrity-protected ciphertext of the security-sensitive task from the second memory 102, perform integrity verification and decryption on the ciphertext of the security-sensitive task, and store the security-sensitive task that passes the integrity verification and decryption into the first memory 101, so that the security-sensitive task is scheduled to run by the second processor 104;
the first processor 103 is further configured to encrypt and integrity-protect the security-sensitive task scheduled and executed by the second processor 104 in the first memory 101, and store the encrypted and integrity-protected security-sensitive task in the second memory 102;
the second processor 104 is configured to schedule and run, from the first memory 101, the security-sensitive task that has passed integrity verification and decryption.
The system for guaranteeing the trusted execution environment against physical attacks based on memory encryption comprises two processing modes: a secure processing mode (secure world) and a normal processing mode (normal world). In the secure processing mode, a trusted operating system runs on the first processor 103 and the second processor 104 to process security-sensitive tasks. In the normal processing mode, a general-purpose operating system runs on the first processor 103 and the second processor 104 to process non-security-sensitive tasks (normal tasks).
Because security-sensitive tasks need higher security protection, the embodiment of the disclosure provides the system for guaranteeing the physical attack resistance of the trusted execution environment based on memory encryption, which can provide higher security protection for security-sensitive tasks and improve their physical security in the secure processing mode.
In this embodiment, the first memory 101 may be a memory located in the same chip as the first processor 103 and the second processor 104, that is, an on-chip memory such as a Scratchpad Memory (SPM), which can resist physical attacks such as cold boot attacks and bus snooping attacks, and is allocated to the secure world for storing security-sensitive tasks and the trusted operating system.
The security sensitive task may be code and data of a trusted application program in the TEE, such as a trusted application program for fingerprint verification, mobile payment, and the like, which processes sensitive information, and the code integrity and data confidentiality of the trusted application program need to be protected to prevent an attacker from acquiring sensitive information therein through software attack or physical attack or tampering the code thereof, i.e. destroying the confidentiality or integrity thereof.
The second memory 102 is the main memory of the embedded device, such as a DRAM; it is an off-chip memory, connected through a bus to the chip where the first processor 103 and the second processor 104 are located, and is therefore vulnerable to bus snooping attacks and not resistant to cold boot attacks. The second memory 102 is divided into two parts: a first storage portion 102A and a second storage portion 102B. The first storage portion 102A is allocated to the secure world and used for storing the encrypted and integrity-protected ciphertext of security-sensitive tasks; the second storage portion 102B is allocated to the normal world and used for storing the general-purpose operating system and normal tasks, where a normal task is a non-security-sensitive task.
The first processor 103 is a dedicated processor core of a multi-core processor: in the secure world (i.e. the secure processing mode) it is dedicated to running the memory protection engine, performing integrity verification and decryption on security-sensitive tasks, and also performing encryption and integrity protection on security-sensitive tasks that have finished running on the second processor 104. It will be appreciated that the first processor 103 outputs a security-sensitive task only after integrity verification and decryption pass, and otherwise does not output it. In the normal world (i.e. the normal processing mode) the first processor 103 is used for running normal tasks.
The first processor 103 runs the memory protection engine, which performs confidentiality and integrity protection on security-sensitive tasks and distributes those that pass integrity verification and decryption to the second processor 104 to run. This core specialization prevents high-priority tasks from preempting the resources of the memory protection engine, ensures that the memory protection engine is always in the running state, avoids the overhead of task switching, and allows the confidentiality and integrity protection of security-sensitive tasks to execute in parallel with the security-sensitive tasks themselves under multitasking. Core specialization thus reduces the influence of the memory protection mechanism on system performance and improves system performance.
The second processor 104 is one or more processor cores of the multi-core processor other than the first processor 103; in the secure world (i.e. the secure processing mode) it runs security-sensitive tasks that have passed the memory protection engine's integrity verification and decryption, and in the normal world (i.e. the normal processing mode) it runs normal tasks.
The memory protection engine may be a software component of the trusted operating system that runs exclusively on the first processor 103 and performs confidentiality and integrity protection on security-sensitive tasks using an authenticated encryption algorithm; it protects the confidentiality and integrity of a security-sensitive task whenever the task is transmitted or stored outside the first memory 101. A security-sensitive task is stored in the first memory 101 while running, and the first memory 101 can resist physical attacks; however, its storage space is limited, so after a security-sensitive task has run it can be encrypted and integrity-protected by the memory protection engine and then stored in the second memory 102. The second memory 102 is off-chip and cannot resist physical attacks, so before a security-sensitive task is transmitted to the second memory 102 the memory protection engine applies confidentiality and integrity protection to it. This guarantees that a security-sensitive task is never transmitted or stored outside the first memory 101 in plaintext form, and that a tampered security-sensitive task (one that fails integrity verification) cannot be decrypted and run in the first memory 101. Protecting the confidentiality and integrity of security-sensitive tasks in the TEE system with a software memory protection engine based on the first memory 101 improves the physical security of the TEE system and enables it to defend against physical attacks.
The authenticated encryption algorithm may be a cryptographic algorithm for the confidentiality and integrity protection of security-sensitive tasks. The algorithm comprises two stages: encryption and integrity protection, and integrity verification and decryption. In the encryption and integrity protection stage, the security-sensitive task is encrypted, the integrity value is calculated, and the ciphertext and the integrity value of the security-sensitive task are output. Integrity verification and decryption is the reverse process: the integrity value is recalculated and compared with the integrity value output in the encryption and integrity protection stage; if they are the same, verification passes and the ciphertext is decrypted, i.e. the security-sensitive task is output after integrity verification passes; otherwise verification fails, no decryption is performed, and no security-sensitive task is output. The algorithm guarantees the confidentiality of the security-sensitive task, i.e. an attacker who obtains the ciphertext cannot decrypt it without the key, and also guarantees its integrity, i.e. if an attacker tampers with the ciphertext, the tampering is discovered in the integrity verification and decryption stage and the ciphertext is not decrypted.
In some embodiments, the integrity value may be a hash value of a security-sensitive task or a ciphertext of a security-sensitive task computed in an authenticated encryption algorithm, which is used to verify the integrity of the security-sensitive task.
A task scheduler may also be run on the second processor 104, where the task scheduler may be a software component of a trusted operating system that schedules the security-sensitive tasks by using a certain scheduling algorithm, and is used to schedule a plurality of security-sensitive tasks to be executed in parallel on the second processor 104 according to a predetermined scheduling policy in a multitasking environment, and allocate processor resources to the security-sensitive tasks, so as to ensure the execution efficiency of the multitasking.
The second memory 102 may further store a cryptographic algorithm library, which is a function library containing cryptographic algorithms such as the authenticated encryption algorithm and the key derivation function, and is called by the memory protection engine.
The key derivation function may be a cryptographic algorithm that uses a pseudorandom function to derive one or more keys from a secret value.
According to the embodiment of the disclosure, the system for guaranteeing the physical attack resistance of the trusted execution environment based on memory encryption is an embedded system with a multi-core processor, and the embodiment of the disclosure provides two memories for the embedded system, namely a first memory 101 and a second memory 102. The first memory 101 is located on the same chip as the multi-core processor, can resist physical attacks, is allocated entirely to the secure world, and is dedicated to storing security-sensitive tasks, the trusted operating system and the like; the second memory 102 is located outside the chip of the multi-core processor and is divided into a first storage portion 102A and a second storage portion 102B, where the first storage portion 102A is allocated to the secure world and used for storing the encrypted and integrity-protected ciphertexts of security-sensitive tasks, and the second storage portion 102B is allocated to the normal world and used for storing the general-purpose operating system and normal tasks. A security-sensitive task is stored in the first memory 101 while running, which can resist physical attacks, and after it finishes running it is encrypted and integrity-protected and then stored in the first storage portion 102A.
According to an embodiment of the present disclosure, a plurality of processor cores in an embedded system multi-core processor includes at least one first processor 103 and at least one second processor 104. The first processor 103 is dedicated to run a memory protection engine, and the second processor 104 is used to run a security-sensitive task. The number of the first processors 103 and the second processors 104 is not particularly limited in the present disclosure, and may be selected according to practical applications, for example, the number of the first processors 103 is one, and the number of the second processors 104 is two or more. The first processor 103 is dedicated to running the memory protection engine, so as to ensure that the memory protection engine is always in a running state, and under the condition of multitask, the parallel execution of the memory protection engine and the security sensitive task is realized, so that the influence of a memory protection mechanism on the system performance can be reduced, and the system performance is improved.
Fig. 2 illustrates a flowchart of the method for securing a trusted execution environment against physical attacks based on memory encryption according to an embodiment of the present disclosure. As shown in fig. 2, the method includes the following steps S201 to S204:
in step S201, the memory protection engine running on the first processor 103 performs integrity verification and decryption on the ciphertext of the security-sensitive task (stored in the first storage portion 102A of the second memory 102) using an authenticated encryption algorithm; if both succeed, the plaintext security-sensitive task is obtained and stored in the first memory 101;
in step S202, the memory protection engine activates the security-sensitive task and loads the activated task into the local ready queue of the second processor 104;
in step S203, the task scheduler schedules the security-sensitive task from the local ready queue of the second processor 104 according to the adopted scheduling algorithm; the task, resident in the first memory 101, is scheduled on the second processor 104 one or more times and then finishes;
in step S204, the memory protection engine encrypts and integrity-protects the finished security-sensitive task using the authenticated encryption algorithm to obtain its ciphertext, and stores that ciphertext in the first storage portion 102A of the second memory 102.
According to the embodiment of the disclosure, confidentiality and integrity protection of the security-sensitive task are provided by an authenticated encryption algorithm. When a task is loaded from the first storage portion 102A of the second memory 102, its integrity is verified first, and only a task that passes verification is decrypted into the first memory 101. When a task is stored from the first memory 101 to the first storage portion 102A, it is encrypted and its integrity value is computed by the authenticated encryption algorithm, and the integrity value is kept in the first memory 101. An attacker who physically attacks the second memory 102 therefore obtains only the ciphertext of the security-sensitive task, and any tampering with that ciphertext is discovered during integrity verification, so a physical attack on the second memory 102 is detected rather than silently accepted.
According to the embodiment of the disclosure, in order to schedule a plurality of tasks, allocate processor resources among them and keep their execution efficient, the task scheduler applies a scheduling algorithm to the security-sensitive tasks. The present disclosure takes a multi-level feedback queue scheduling algorithm as the example, but is not limited to it. A security-sensitive task is assigned a priority at creation time, for example high, medium or low, and the tasks in the ready state that share a priority form a local ready queue. Activating a security-sensitive task means taking a task that is able to run but has not yet been assigned a processor time slice, converting its state from waiting to ready, and loading it into the local ready queue of the second processor 104. The local ready queue is stored in the first memory 101, and loading a task into it means placing the task's task information into the queue. When the task scheduler selects a security-sensitive task according to the scheduling policy, it locates the task's entry address through the task information in the local ready queue and starts execution there. According to an embodiment of the present disclosure, security-sensitive tasks loaded into the local ready queue of the second processor 104 wait for the task scheduler to schedule them and so obtain a time slice in which to run.
The task scheduler converts a security-sensitive task whose current time slice has expired from the running state to the ready state and places it at the tail of the local ready queue; it then assigns a time slice to the security-sensitive task at the head of the local ready queue according to the scheduling algorithm and converts that task from the ready state to the running state. A task that receives a time slice changes from ready to running and starts executing; when the time slice expires it changes from running back to ready and is placed at the tail of the local ready queue. A security-sensitive task finishes after being scheduled one or more times in this way.
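The state transitions described above (wait, ready, running, finished) and the hand-off of a finished task to the memory protection engine, modelled in Python as an added example; this is not the patent's code. It assumes three priority levels with time slices of 1, 2 and 4 units, and applies the standard multi-level feedback queue rule that a task which exhausts its whole slice without finishing is moved down one level before being re-queued at the tail (the description only says the task goes to the tail). The callback standing in for the engine on first processor 103, and the names SecurityTask, LocalReadyQueue and run_until_idle, are this example's own.

```python
"""Local ready queue of second processor 104 under multi-level feedback queue scheduling.

Added example, not the patent's code. The workload in example_run() is constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class SecurityTask:
    task_id: str
    remaining: int            # units of work still to run
    priority: int             # 0 is the highest level
    state: str = "wait"       # wait -> ready -> running -> ready ... -> finished


class LocalReadyQueue:
    """One deque per priority level; all of it resides in first memory 101."""

    def __init__(self, quanta: Tuple[int, ...] = (1, 2, 4)):
        self.quanta = quanta                     # time slice per level (assumption)
        self.levels = [deque() for _ in quanta]

    def activate(self, task: SecurityTask) -> None:
        """S202: wait -> ready; task information appended to the tail of its level."""
        task.state = "ready"
        self.levels[task.priority].append(task)

    def pick(self) -> Optional[SecurityTask]:
        """Head of the highest non-empty level, or None when the core is idle."""
        for level in self.levels:
            if level:
                return level.popleft()
        return None


def run_until_idle(rq: LocalReadyQueue,
                   on_finish: Callable[[SecurityTask], None]) -> List[Tuple[str, int]]:
    """S203: dispatch time slices until every queued task has finished.

    Returns the dispatch trace as (task_id, slice length) pairs.
    """
    trace: List[Tuple[str, int]] = []
    while (task := rq.pick()) is not None:
        task.state = "running"
        slice_len = min(rq.quanta[task.priority], task.remaining)
        task.remaining -= slice_len
        trace.append((task.task_id, slice_len))
        if task.remaining == 0:
            task.state = "finished"
            on_finish(task)          # S204: engine on core 103 re-encrypts the task
        else:
            # Slice expired: demote one level (MLFQ assumption) and re-queue at the tail.
            task.priority = min(task.priority + 1, len(rq.levels) - 1)
            task.state = "ready"
            rq.levels[task.priority].append(task)
    return trace


def example_run() -> Tuple[List[Tuple[str, int]], List[str]]:
    """Constructed workload: A finishes in one slice, B needs three, C finishes in one."""
    finished: List[str] = []
    rq = LocalReadyQueue()
    for task in (SecurityTask("A", 1, 0), SecurityTask("B", 5, 0), SecurityTask("C", 2, 1)):
        rq.activate(task)
    trace = run_until_idle(rq, lambda t: finished.append(t.task_id))
    return trace, finished


if __name__ == "__main__":
    print(example_run())
```

In the constructed workload, task B is scheduled three times before it finishes (one slice at each level), while A and C finish in a single slice, which is the "scheduled once or multiple times" behaviour the description refers to; the on_finish callback is the point at which the second processor's scheduler hands a finished task to the engine running in parallel on the first processor.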
According to the embodiment of the disclosure, a security-sensitive task that has finished running must be stored in the first storage portion 102A of the second memory 102, outside the first memory 101. To protect its confidentiality and integrity in transit and at rest outside the first memory 101, the memory protection engine encrypts and integrity-protects the finished task with the authenticated encryption algorithm, producing its ciphertext and integrity value. The task therefore never leaves the first memory 101 in plaintext and its content is not exposed in transit: an attacker who obtains the ciphertext cannot recover the task without the task key, and if a physical attacker tampers with the ciphertext, the modification is discovered in the integrity verification and decryption stage of the authenticated encryption algorithm.
According to the technical scheme of the embodiment, a separate first processor 103 is allocated exclusively to the memory protection engine, which handles the confidentiality and integrity protection of security-sensitive tasks. A task is integrity-verified and decrypted before it runs and is then assigned to the second processor 104 to run, so the resources of the first processor 103 cannot be preempted by a high-priority task: the memory protection engine on the first processor 103 is always running, the confidentiality and integrity protection of a security-sensitive task is never interrupted, and the performance overhead of frequent task switching is avoided. Under multitasking the memory protection engine and the security-sensitive tasks also execute in parallel, which further reduces the overhead of the memory protection scheme. After a task finishes running, the first processor 103 encrypts and integrity-protects it and stores its ciphertext in the first storage portion 102A of the second memory 102. The scheme needs no additional hardware support and no modification of the application program, so it is highly portable; by dedicating the first processor 103 to the memory protection engine it reduces the impact of the memory protection mechanism on task execution efficiency, improving task security while keeping execution efficient.
The method for guaranteeing the physical attack resistance of the trusted execution environment based on the memory encryption in the embodiment corresponds to the system for guaranteeing the physical attack resistance of the trusted execution environment based on the memory encryption, and other details can be referred to the description of the system for guaranteeing the physical attack resistance of the trusted execution environment based on the memory encryption, and are not described herein again.
FIG. 3 illustrates a flowchart of obtaining the security-sensitive task according to an embodiment of the disclosure. As shown in fig. 3, step S201 includes steps S301 to S302:
in step S301, the memory protection engine obtains the ciphertext of the security-sensitive task and its related data, the related data comprising the integrity value, the initial vector and the task key, and calls the cryptographic algorithm library to perform integrity verification and decryption of the ciphertext with the authenticated encryption algorithm;
in step S302, if integrity verification and decryption succeed, the decrypted security-sensitive task is output to the first memory 101; if integrity verification fails, no security-sensitive task is obtained.
According to an embodiment of the present disclosure, the memory protection engine reads the ciphertext of the security-sensitive task from the first storage portion 102A of the second memory 102, and reads the task's related data, namely the integrity value, the initial vector and the task key, from the first memory 101. The ciphertext is the output of encrypting and integrity-protecting the security-sensitive task with the authenticated encryption algorithm; the integrity value is likewise an output of that operation and is used for integrity verification of the task; the initial vector is a random value input to the authenticated encryption algorithm and stored in the first memory 101; the task key is derived from the device key by a key derivation function and is unique to each security-sensitive task, and it is kept in the first memory 101 for the lifetime of the task so that it is out of reach of physical attack. The device key is generated by the manufacturer and provisioned on the device when the embedded device leaves the factory, and is highly confidential and trusted.
According to the embodiment of the disclosure, integrity verification and decryption of a security-sensitive task use the authenticated encryption algorithm; its inputs are the ciphertext, the integrity value, the initial vector and the task key, and its output is either the security-sensitive task or an error. The integrity value is used to verify the integrity of the security-sensitive task: if verification succeeds, the task is output; if it fails, which is the case when an attacker has tampered with the ciphertext, no task is output.
Fig. 4 is a flowchart illustrating how the memory protection engine encrypts and integrity-protects a finished security-sensitive task with the authenticated encryption algorithm to obtain its ciphertext and stores that ciphertext in the second memory 102, according to an embodiment of the disclosure. As shown in fig. 4, step S204 includes steps S401 and S402:
in step S401, the memory protection engine reads the finished security-sensitive task, calls the cryptographic algorithm library, and generates the task key of the security-sensitive task from the device key with the key derivation function;
in step S402, the memory protection engine calls the cryptographic algorithm library, encrypts and integrity-protects the security-sensitive task with the task key using the authenticated encryption algorithm to obtain its ciphertext and integrity value, and stores the ciphertext in the first storage portion 102A of the second memory 102; the integrity value, the initial vector and the task key produced during encryption and integrity protection remain in the first memory 101.
According to the embodiment of the disclosure, after the second processor 104 has run the security-sensitive task to completion, the memory protection engine on the first processor 103 reads the finished task.
According to the embodiments of the present disclosure, a key derivation function generates the task key; the disclosure uses the HKDF algorithm as the example key derivation function, but is not limited to it. HKDF is a Key Derivation Function (KDF) built on the Hash-based Message Authentication Code (HMAC), and here it derives the task key from the device key. The HKDF call takes two inputs: the device key, used as the input keying material, and a message value, which is the taskID assigned to the security-sensitive task when it is created. Every security-sensitive task has a unique taskID, so the task key that HKDF derives for each task is unique. The device key is highly confidential and only the kernel of the trusted operating system in the secure world may read and use it; therefore, even if one security-sensitive task learns the taskID of another, it cannot derive that task's key, because it cannot operate on the device key.
According to the embodiment of the disclosure, encryption and integrity protection of a security-sensitive task use the authenticated encryption algorithm; its inputs are the security-sensitive task, the task key and the initial vector, and its outputs are the ciphertext and the integrity value of the task. The initial vector is generated at random and stored in the first memory 101; the integrity value is used to verify the integrity of the security-sensitive task and so to determine whether it has been tampered with.
According to the embodiment of the disclosure, the memory protection engine stores the ciphertext of the security-sensitive task separately from the integrity value, the initial vector and the task key produced in the encryption and integrity protection stage: the ciphertext is stored in the first storage portion 102A of the second memory 102, while the integrity value, the initial vector and the task key are stored in the first memory 101. Consequently, even if an attacker obtains the ciphertext of the security-sensitive task, the task itself cannot be recovered, because the attacker cannot obtain the task key.
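The load path of steps S301 to S302 and the store path of steps S401 to S402, modelled in Python as an added example; this is not the patent's code and not an implementation the applicant provides. The two memories are plain dicts; the authenticated encryption is a stand-in construction built from HMAC-SHA256 (a counter-mode keystream plus an encrypt-then-MAC tag) so that the example runs on the standard library alone, where a real engine would use AES-GCM or ChaCha20-Poly1305; the key derivation is HKDF per RFC 5869, which the description names. The names MemoryProtectionEngine, OnChipRecord, portion_102a and first_memory are this example's own.

```python
"""Memory protection engine model: store (S401-S402) and load (S301-S302) paths.

Added example, not the patent's code. The AEAD below is an HMAC-SHA256 stand-in
(counter-mode keystream, encrypt-then-MAC) chosen only so this runs with the
standard library; production code would use AES-GCM or ChaCha20-Poly1305.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

_HASH = hashlib.sha256


def hkdf(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF extract-then-expand (RFC 5869) over HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * _HASH().digest_size, ikm, _HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), _HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(key, iv || counter) blocks, cut to n bytes."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), _HASH).digest()
        counter += 1
    return out[:n]


def aead_seal(task_key: bytes, iv: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """Encrypt and integrity-protect; returns (ciphertext, integrity value)."""
    enc_key, mac_key = hkdf(task_key, b"enc"), hkdf(task_key, b"mac")
    stream = _keystream(enc_key, iv, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, iv + ciphertext, _HASH).digest()
    return ciphertext, tag


def aead_open(task_key: bytes, iv: bytes, ciphertext: bytes, tag: bytes) -> bytes | None:
    """Verify the integrity value first, then decrypt; None signals tampering (S302 failure)."""
    enc_key, mac_key = hkdf(task_key, b"enc"), hkdf(task_key, b"mac")
    expected = hmac.new(mac_key, iv + ciphertext, _HASH).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, iv, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


@dataclass
class OnChipRecord:
    """Per-task data that never leaves first memory 101: task key, IV, integrity value."""
    task_key: bytes
    iv: bytes
    tag: bytes


class MemoryProtectionEngine:
    """Runs on the dedicated first processor 103."""

    def __init__(self, device_key: bytes):
        self._device_key = device_key          # readable only by the trusted OS kernel
        self.first_memory: dict[bytes, OnChipRecord] = {}   # first memory 101 (on-chip)
        self.portion_102a: dict[bytes, bytes] = {}          # first storage portion 102A

    def store(self, task_id: bytes, task_image: bytes) -> None:
        """S401-S402: derive the task key, seal the image, ciphertext off-chip, record on-chip."""
        task_key = hkdf(self._device_key, task_id)          # unique per taskID
        iv = os.urandom(16)                                 # fresh random initial vector
        ciphertext, tag = aead_seal(task_key, iv, task_image)
        self.portion_102a[task_id] = ciphertext
        self.first_memory[task_id] = OnChipRecord(task_key, iv, tag)

    def load(self, task_id: bytes) -> bytes | None:
        """S301-S302: verify and decrypt from 102A; the plaintext belongs in first memory 101."""
        rec = self.first_memory[task_id]
        return aead_open(rec.task_key, rec.iv, self.portion_102a[task_id], rec.tag)


if __name__ == "__main__":
    engine = MemoryProtectionEngine(b"\x01" * 32)     # constructed device key
    engine.store(b"task-1", b"security-sensitive task image")
    print("round trip:", engine.load(b"task-1"))
    damaged = bytearray(engine.portion_102a[b"task-1"])
    damaged[0] ^= 0x80                                # physical attacker flips a bit off-chip
    engine.portion_102a[b"task-1"] = bytes(damaged)
    print("after tampering:", engine.load(b"task-1"))
```

Two properties follow from keeping the integrity value, initial vector and task key on-chip: a bit flipped in the off-chip ciphertext is rejected, and so is a rollback that puts an older, correctly encrypted ciphertext of the same task back in place, because the on-chip record only matches the most recent store. Note also that the task key is a deterministic function of the device key and taskID, so the fresh random initial vector drawn in S402 is the only thing separating successive stores of the same task; reusing it would reuse keystream here just as nonce reuse breaks AES-GCM.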
The foregoing description is only exemplary of the preferred embodiments of the disclosure and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the invention in the present disclosure is not limited to the specific combination of the above-mentioned features, but also encompasses other embodiments in which any combination of the above-mentioned features or their equivalents is possible without departing from the inventive concept. For example, the above features and (but not limited to) the features disclosed in this disclosure having similar functions are replaced with each other to form the technical solution.

Claims (5)

1. A system for guaranteeing a trusted execution environment against physical attacks based on memory encryption, characterized by comprising: at least one first memory, at least one second memory, at least one first processor, and at least one second processor; the system has two processing modes, a secure processing mode and a normal processing mode; in the secure processing mode the first processor and the second processor run a trusted operating system for processing security-sensitive tasks; in the normal processing mode the first processor and the second processor run a general-purpose operating system for processing non-security-sensitive tasks, wherein:
the first memory is an SoC on-chip memory allocated to the secure processing mode and used for storing security-sensitive tasks and the trusted operating system;
the second memory is an SoC off-chip memory divided into a first storage portion and a second storage portion, wherein the first storage portion is allocated to the secure processing mode and used for storing ciphertexts of security-sensitive tasks that have been encrypted and integrity-protected, and the second storage portion is allocated to the normal processing mode and used for storing the general-purpose operating system and non-security-sensitive tasks;
in the secure processing mode the first processor is responsible for the confidentiality and integrity protection of security-sensitive tasks and the second processor is responsible for scheduling and running them; the confidentiality and integrity protection process is as follows:
a. the first processor is configured, in the secure processing mode, to acquire the ciphertext of a security-sensitive task from the first storage portion of the second memory, perform integrity verification and decryption, store the security-sensitive task obtained on success into the first memory, and add it to a local ready queue of the second processor, the local ready queue comprising task information of a plurality of security-sensitive tasks awaiting scheduling;
b. the first processor is further configured, in the secure processing mode, to encrypt and integrity-protect a security-sensitive task that the second processor has scheduled and run to completion in the first memory, and to store the result in the first storage portion of the second memory;
c. the integrity verification, decryption, encryption and integrity protection performed by the first processor are all implemented in software running in the secure processing mode;
d. the second processor is configured, in the secure processing mode, to schedule and run security-sensitive tasks from the local ready queue in the first memory according to a preset scheduling policy.
2. The system of claim 1, wherein the first processor and the second processor are processor cores of a multi-core processor.
3. A method for securing a trusted execution environment against physical attacks based on memory encryption, the method being executed on the first processor of the system according to any one of claims 1-2, comprising:
acquiring the ciphertext of the encrypted and integrity-protected security-sensitive task from the first storage portion of the second memory;
performing integrity verification and decryption on the ciphertext of the security-sensitive task to obtain the security-sensitive task;
and storing the security-sensitive task in the first memory for the second processor to schedule and run.
4. The method of claim 3, further comprising:
retrieving from the first memory the security-sensitive task that the second processor has scheduled and run to completion;
and, after encrypting and integrity-protecting the retrieved security-sensitive task, storing it in the first storage portion of the second memory.
5. A method for securing a trusted execution environment against physical attacks based on memory encryption, the method being performed on the system according to any one of claims 1-2, the system comprising a first processor, a second processor, a first memory and a second memory, the method comprising:
allocating the first memory to the secure processing mode;
dividing the second memory into a first storage portion and a second storage portion, wherein the first storage portion is allocated to the secure processing mode and the second storage portion to the normal processing mode;
the first processor acquiring the encrypted and integrity-protected ciphertext of the security-sensitive task from the first storage portion of the second memory;
the first processor performing integrity verification and decryption on the ciphertext of the security-sensitive task to obtain the security-sensitive task;
the first processor storing the security-sensitive task in the first memory for the second processor to schedule and run;
the second processor scheduling and running the security-sensitive task from the first memory according to a scheduling policy;
and, after the security-sensitive task has finished running, the first processor encrypting and integrity-protecting the finished security-sensitive task and storing it in the first storage portion of the second memory.
CN201910979558.1A 2019-10-15 2019-10-15 Method and system for guaranteeing physical attack resistance of trusted execution environment based on memory encryption Active CN110750791B (en)

Publications (2)

CN110750791A (en), published 2020-02-04
CN110750791B (en), granted 2022-04-19

Family

ID=69278508

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant