CN110874468A - Application program safety protection method and related equipment - Google Patents


Info

Publication number: CN110874468A
Authority: CN (China)
Prior art keywords: virtual machine, enclave, springboard, operating system, application program
Legal status: Granted; currently active (status as listed by Google Patents, not a legal conclusion)
Application number: CN201811019549.XA
Other languages: Chinese (zh)
Other versions: CN110874468B (en)
Inventors: 夏虞斌, 古金宇, 翟征德
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems, during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by executing in a restricted environment, e.g. sandbox or secure virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides an application program security protection method and equipment. The method is applied to a server that comprises a virtual machine operating system and an application program, both running in a virtual machine (VM), and comprises the following steps: establishing a first enclave running the VM's virtual machine operating system and a second enclave running the VM's application program, where the virtual machine operating system is a user-mode operating system; acquiring a first springboard, which runs in a memory area outside the first enclave and the second enclave; transferring the application program's call to the virtual machine operating system by means of the first springboard; and transmitting the virtual machine operating system's call return result back to the application program. By implementing the method and device, runtime security protection of the application program can be achieved using enclaves while keeping a small attack surface and avoiding growth of the TCB, thereby improving the runtime security of the application program.

Description

Application program safety protection method and related equipment
Technical Field
The present invention relates to the field of virtualization technologies, and in particular, to a method for protecting application program security and a related device.
Background
Virtualization technology is widely used due to the advantages of reasonable resource sharing, good isolation mechanism, easy maintenance, low cost and the like. A server architecture that applies virtualization technology typically includes server hardware, a Virtual Machine Monitor (VMM), a running virtual machine operating system (Guest operating system, which may be referred to herein simply as an OS), and virtual machine operating system-based applications. The virtual machine monitor may also be referred to as hypervisor, which is an intermediate software layer running between the server hardware and the virtual machine operating system and allows multiple virtual machines to share the server hardware, where the virtual machines include the virtual machine operating system and the application programs. Applications in the virtual machine may process sensitive data of the user, such as medical health data, credit card data, and the like, and such applications may also be referred to as sensitive applications. Users have a strong desire that the sensitive data processed by these sensitive applications be protected from leakage.
In a conventional hierarchical security architecture, an application is usually designed to run at a low privilege level (e.g., ring 3), the OS runs at a high privilege level (e.g., ring 0), and the hypervisor runs at a still higher privilege level (root operation). An object at a higher privilege level has full control over objects at lower privilege levels and can arbitrarily read and modify code and data in their address spaces. Such an architecture presents security threats: an OS that contains malicious code or vulnerabilities directly threatens the confidentiality of a sensitive application's data and the integrity of its code, and a hypervisor that contains malicious code or bugs likewise threatens the integrity of the OS. This threat from high-privilege software to low-privilege software is severe and hard to defend against. To address it, the CPU can construct an enclave and place sensitive application code and data in the enclave for execution. An enclave is a protected software execution area (or memory security area) in memory that protects the execution of application code and data at the ring 3 privilege level: the CPU prevents software outside the enclave from directly accessing the code and data inside it. The CPU is in enclave execution mode while executing program code in the enclave, and in non-enclave execution mode once it exits the enclave (for example, when enclave execution completes or a program in the enclave issues a system call). In this way the execution environment inside the enclave is isolated, protecting the confidentiality and integrity of sensitive application code and sensitive data.
Enclave technology has a significant problem in real applications: only part of an application's code logic (e.g., encryption or data analysis) can be protected by an enclave, so complete protection over the application's entire run time is difficult to achieve. The Libc function library on which the application depends, the OS functions it relies on, and the application code outside the enclave all remain unprotected. This means the residual attack surface of the application at run time is large, and an attacker can attack the application through the OS, Libc, or the code outside the enclave. How to use enclaves to protect the complete run time of an application is therefore an important technical problem.
In one implementation, the Scone scheme proposed by Imperial College London and the Technical University of Dresden, shown in FIG. 1, encapsulates the application program and its Libc (the C function library under Linux) in an enclave for execution (the grey area in the figure), so that both the application and Libc are protected by the enclave.
However, many system functions that the application depends on, such as memory management, I/O and thread scheduling, are performed through system calls, and the Scone scheme does not protect the OS on which the application runs. If the OS is maliciously tampered with by an attacker or compromised through a hypervisor vulnerability, the security of the application can still be threatened, so the scheme still leaves a large attack surface for the application.
In yet another implementation, Microsoft in the United States proposed the Haven scheme, shown in FIG. 2, in which the operating system functions relied on by an application are re-implemented as a library OS (lib OS for short), and the lib OS is packaged together with the application and Libc to run in an enclave (the grey area in the figure). Both the application and the system calls on which it depends can thereby be protected by the enclave.
However, the Haven scheme may make the application's Trusted Computing Base (TCB) too large: the lib OS code in the enclave is huge, usually millions of lines, and it is hard to guarantee that it contains no bugs. While an enclave prevents software outside it from directly accessing the program code and data inside it, it cannot prevent a vulnerability in the lib OS code inside the enclave from being exploited, because software outside the enclave can invoke the methods the enclave exposes and supply specially crafted input that maliciously drives the vulnerable code, threatening the security of the application. In addition, such a large TCB places resource pressure on the enclave, because the memory an enclave can occupy is limited in practice.
In summary, existing schemes that use CPU enclaves to protect a running application either leave a large attack surface or result in a large TCB. How to achieve protection over the complete run time of an application is still a great technical challenge.
Disclosure of Invention
The embodiment of the present invention provides an application security protection method that uses an enclave to protect an application program during its run time while keeping a small attack surface, avoiding growth of the TCB, and improving the runtime security of the application program.
In a first aspect, an embodiment of the present invention provides an application security protection method. The method is applied to a server that includes a virtual machine operating system and an application program running in a virtual machine, and comprises: establishing in memory a first enclave for running the virtual machine operating system and a second enclave for running the application program. The first enclave is a memory security area that protects the running of the virtual machine operating system, and the second enclave is a memory security area that protects the running of the application program. The virtual machine operating system is a user-mode operating system (user-mode OS for short). The user-mode OS runs at privilege level ring 3, the application program runs at privilege level ring 3, and the first enclave can protect program code running at ring 3, so the user-mode OS designed in the embodiment can run in the first enclave and the application program can run in the second enclave. So that the virtual machine operating system in the first enclave and the application program in the second enclave can communicate within this framework, the embodiment designs a first springboard, which serves as the communication channel between the two and runs in a memory area outside the first enclave and the second enclave.
During the running of the application program, when it needs to make a system call, the first springboard is acquired and the application program's call is transferred to the virtual machine operating system through it; the virtual machine operating system's call return result is then transmitted back to the application program, also through the first springboard. The application program may be a sensitive application, that is, an application that processes a user's sensitive data.
It can be seen that in the embodiment the different sensitive applications and the user-mode OS may all run in their own enclaves. Control-flow transfer between the application program and the user-mode OS is proxied through the first springboard located between them. The user-mode OS runs in the first enclave, which protects and isolates it so that the outside cannot directly obtain or tamper with its code and data. Different sensitive applications can run in their own second enclaves, which protect and isolate them so that they can resist external attacks. By implementing the embodiment, the attack surface of the application program is reduced without increasing the TCB, so the running application obtains stronger security protection.
Based on the first aspect, in a specific implementation, a separate enclave (the first enclave) is created to encapsulate and run the user-mode OS, which provides the system calls the application program needs in a protected manner; another separate enclave (the second enclave) is created to protect the code and data of at least one sensitive application and the function library (e.g., the Libc library) it uses. When the virtual machine also contains non-sensitive applications, these need no extra protection, so they need not be packaged in their own enclaves and can simply execute in ordinary memory address space.
Based on the first aspect, in a possible embodiment, the server further includes a virtual machine monitor (hypervisor) and server hardware, where the virtual machine monitor implements shared access of the virtual machine to the server hardware. So that the virtual machine operating system (i.e., the user-mode OS) and the virtual machine monitor can communicate, the embodiment designs a second springboard, which runs in a memory area outside the first enclave and the second enclave as the communication channel between the virtual machine monitor and the virtual machine operating system in the first enclave. When the virtual machine operating system (or an application program) needs to access the server hardware (for example, any physical device on the server, including memory, network cards and disks), the second springboard is acquired and the virtual machine operating system's call is transferred to the virtual machine monitor through it; the virtual machine monitor's call return result is then transmitted back to the virtual machine operating system through the second springboard.
Specifically, since the user-mode OS is inside an enclave, it cannot directly execute ring 0 instructions. The second springboard designed for the user-mode OS in the embodiment not only helps the user-mode OS call the underlying virtual machine monitor services (hypercalls; for example, the user-mode OS can complete high-privilege operations such as modifying a page table through the virtual machine monitor's services), but also helps the virtual machine monitor pass control flow to the user-mode OS and execute upcalls.
It can be seen that in the embodiment, because the user-mode OS runs in the first enclave, which protects and isolates it, neither the application program nor the virtual machine monitor can directly obtain or tamper with the code and data of the user-mode OS. Because different sensitive applications run in their own second enclaves, which protect and isolate them, the sensitive applications can resist attacks from untrusted or potentially vulnerable virtual machine operating systems, virtual machine monitors, and other applications. Through the first springboard and the second springboard, the application program's normal system calls and the operating system's calls to hypervisor services are not affected, so normal operation inside the virtual machine is guaranteed while the application runs securely.
Based on the first aspect, in a specific embodiment, the first springboard comprises first springboard code and the data shared between the application program and the user-mode operating system; the first springboard code implements the communication-channel function of the first springboard. The shared data is data that both the application program and the user-mode operating system may need during normal operation; if it were placed inside an enclave, normal operation of the application program and/or the user-mode operating system could be affected.
Similarly, the second springboard comprises second springboard code and the data shared between the user-mode operating system and the virtual machine monitor; the second springboard code implements the communication-channel function of the second springboard, and the shared data is data that both the user-mode operating system and the virtual machine monitor may use during normal operation; if it were placed inside an enclave, normal operation of the user-mode operating system and/or the virtual machine monitor could be affected.
Based on the first aspect, in a possible embodiment, the establishing a second enclave running the application includes: establishing, by the virtual machine operating system, a second enclave to run the application when the application is to be run.
In a specific implementation, when the application to be started is sensitive, the user-mode OS in the first enclave calls a corresponding newly added hypercall service to create the second enclave for the sensitive application, so that the sensitive application is started and runs in that second enclave.
It should be noted that, if a non-sensitive application needs to be started, the user-mode OS in the first enclave starts it in ordinary (non-enclave) memory address space, also by calling the corresponding newly added hypercall service.
Based on the first aspect, in a possible embodiment, the server system architecture designed in the embodiment may also implement an attestation security verification mechanism. An attestation mechanism is a CPU-supported verification mechanism by which enclaves on the same physical host prove their integrity to one another, such as the attestation mechanism of the Intel SGX platform.
In a specific embodiment, the sensitive application can verify the integrity of the user-mode OS through the attestation mechanism provided by the CPU enclave platform. Specifically, the sensitive application, from within the second enclave in which it runs, verifies the integrity metric value of the user-mode OS. If that value meets the policy requirement predetermined by the application (for example, it equals a value preset in the application), the sensitive application starts normally; if it does not, the sensitive application refuses to start or enters a non-working mode, in which it will not process sensitive data that needs protection.
In a specific implementation, in Intel SGX the integrity metric value is MRENCLAVE: during enclave creation the CPU measures the enclave's page content and enclave metadata with a hash function to produce this value.
In a specific embodiment, if the integrity metric value of the user-mode OS meets the application's predetermined policy requirement, the user-mode OS in the first enclave and the sensitive application in the second enclave securely exchange keys to establish a secure channel and negotiate an encryption key and an integrity protection key. Thereafter, when the sensitive application makes a system call provided by the user-mode OS, it encrypts and integrity-protects the call parameters with these keys before passing them to the user-mode OS through the first springboard. After the user-mode OS completes the system call, it likewise encrypts and integrity-protects the return value with the encryption key and the integrity protection key before passing it back to the sensitive application through the first springboard.
It can be seen that in the embodiment, based on the enclave attestation mechanism of the platform, the sensitive application can verify the integrity of the user-mode OS, identify a tampered or outdated user-mode OS, and refuse to start or refuse to process sensitive data when the user-mode OS does not meet its requirements, thereby preventing data leakage. A secure channel can also be established between the sensitive application in the second enclave and the user-mode OS in the first enclave, with an encryption key and an integrity protection key negotiated to secure their communication, so that system call parameters and return values are encrypted and integrity-protected before being handed to the springboard code. This protects the system call and its return value from leaking to entities outside the sensitive application and the operating system (such as the virtual machine monitor). Moreover, because the first springboard and the second springboard both run outside the enclaves, protecting the confidentiality and integrity of the system call parameters and return values in this way helps prevent an outsider from obtaining them by altering the springboard code, and keeps the data safe while it is forwarded by the first springboard and the second springboard.
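As an added illustration (not code from the patent), the following Python model shows the attestation-gated startup and the encrypted, integrity-protected system-call path through an untrusted first springboard described above. It assumes MRENCLAVE can be stood in for by a SHA-256 hash, that the enclave-to-enclave key exchange has already produced a shared session secret, and that an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC can stand in for the platform's cipher; all names, images and values are constructed.

```python
# Constructed model of the attestation check and the sealed system-call path described above.
import hashlib
import hmac
import struct

def measure(image: bytes) -> bytes:
    """Stand-in for MRENCLAVE: a hash over the enclave's page content and metadata."""
    return hashlib.sha256(image).digest()

def session_keys(secret: bytes) -> tuple:
    """Derive the encryption key and the integrity key from the negotiated session secret."""
    return tuple(hmac.new(secret, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only PRF keystream standing in for AES-CTR."""
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(k_enc: bytes, k_mac: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one message; the sequence number is both nonce and anti-replay counter."""
    nonce = struct.pack(">Q", seq)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(k_enc: bytes, k_mac: bytes, expected_seq: int, msg: bytes) -> bytes:
    """Check tag and sequence number before decrypting; any tampering raises ValueError."""
    nonce, ct, tag = msg[:8], msg[8:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    if struct.unpack(">Q", nonce)[0] != expected_seq:
        raise ValueError("replayed or reordered message")
    return bytes(a ^ b for a, b in zip(ct, keystream(k_enc, nonce, len(ct))))

class Springboard:
    """First springboard: outside both enclaves, hence untrusted; it only moves bytes."""
    def __init__(self, os_enclave, tamper=None):
        self.os_enclave, self.tamper = os_enclave, tamper  # tamper: altered springboard code
        self.seen = []  # everything an attacker sitting at the springboard could observe
    def forward(self, sealed_call: bytes) -> bytes:
        self.seen.append(sealed_call)
        sealed_call = self.tamper(sealed_call) if self.tamper else sealed_call
        return self.os_enclave.syscall(sealed_call)

class UserModeOS:
    """Runs in the first enclave and serves the application's system calls."""
    def __init__(self, image: bytes, session_secret: bytes):
        self.mrenclave = measure(image)
        self.k_enc, self.k_mac = session_keys(session_secret)
        self.seq = 0
    def syscall(self, sealed_call: bytes) -> bytes:
        call = unseal(self.k_enc, self.k_mac, self.seq, sealed_call)  # raises if tampered
        name, _, arg = call.partition(b":")
        result = {b"getpid": b"4242", b"write": b"%d" % len(arg)}.get(name, b"ENOSYS")
        reply = seal(self.k_enc, self.k_mac, self.seq, b"ret:" + result)
        self.seq += 1
        return reply

class SensitiveApp:
    """Runs in the second enclave; works only if the OS measurement satisfies its policy."""
    def __init__(self, expected_mrenclave: bytes, session_secret: bytes):
        self.expected = expected_mrenclave
        self.k_enc, self.k_mac = session_keys(session_secret)
        self.seq, self.working = 0, False
    def attest_and_start(self, reported_mrenclave: bytes) -> bool:
        """Policy: the reported OS measurement must equal the value preset in the application."""
        self.working = hmac.compare_digest(reported_mrenclave, self.expected)
        return self.working
    def call(self, springboard: Springboard, name: bytes, arg: bytes = b"") -> bytes:
        if not self.working:
            raise PermissionError("non-working mode: sensitive data is not processed")
        sealed = seal(self.k_enc, self.k_mac, self.seq, name + b":" + arg)
        reply = unseal(self.k_enc, self.k_mac, self.seq, springboard.forward(sealed))
        self.seq += 1
        return reply.partition(b":")[2]  # strip the "ret:" prefix

TRUSTED_OS_IMAGE = b"constructed user-mode mini-OS image v1"  # constructed sample image
SESSION_SECRET = b"constructed output of the enclave-to-enclave key exchange"  # exchange not modelled

def demo() -> dict:
    os_enclave = UserModeOS(TRUSTED_OS_IMAGE, SESSION_SECRET)
    app = SensitiveApp(measure(TRUSTED_OS_IMAGE), SESSION_SECRET)
    # 1. A tampered OS image fails attestation, so the app stays in non-working mode.
    out = {"tampered_os_starts": app.attest_and_start(measure(TRUSTED_OS_IMAGE + b"!"))}
    # 2. The genuine OS passes; system calls then go through an honest springboard.
    app.attest_and_start(os_enclave.mrenclave)
    honest = Springboard(os_enclave)
    out["getpid"] = app.call(honest, b"getpid")
    out["write"] = app.call(honest, b"write", b"secret record")
    # The springboard only ever held sealed bytes: the argument never crossed it in the clear.
    out["plaintext_seen_by_springboard"] = any(b"secret record" in m for m in honest.seen)
    # 3. Altered springboard code flips one ciphertext byte; the user-mode OS rejects the call.
    evil = Springboard(os_enclave, tamper=lambda m: m[:9] + bytes([m[9] ^ 1]) + m[10:])
    try:
        app.call(evil, b"write", b"secret record")
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    return out
```

Because the sequence number is bound into every message, a springboard that replays or reorders an earlier sealed call is rejected by `unseal` just like a modified one.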
Based on the first aspect, in a possible embodiment, the virtual machine monitor may employ a modified Xen, and the user-mode OS in the virtual machine may employ a modified mini-OS.
In the embodiment, the modified Xen maps the EPC memory required by the first enclave and the second enclave to support their creation, and also establishes the communication connection between the user-mode OS and the first springboard and/or the second springboard, so that it fits the system architecture of the embodiment.
Mini-OS is a paravirtualized OS kernel provided by Xen; the user-mode OS can be obtained by modifying Mini-OS so that it can establish communication connections with the first springboard and the second springboard and fit the system architecture of the embodiment. Accordingly, the application program of the embodiment may be a Mini-OS based application.
In a possible embodiment, the modified Mini-OS is encapsulated and run in the first enclave, providing the system calls the application program needs in a protected manner, and a second enclave protects the code and data of the sensitive application itself and the function library it uses. The first springboard between the first enclave and the second enclave comprises springboard code and the data shared between Mini-OS and the application program; it forwards the system calls issued by the sensitive application to Mini-OS and returns the results. Specifically, the first springboard forwards the system calls generated by the function library (e.g., Libc) used by the application to Mini-OS and returns their results. The second springboard between Mini-OS and Xen comprises springboard code and the data shared between Mini-OS and Xen; it forwards calls from Mini-OS to Xen and returns Xen's notifications to the user-mode OS. Specifically, the second springboard not only helps Mini-OS call the underlying Xen system services (hypercalls), but also helps Xen pass control flow and execute upcalls when Xen needs to notify the virtual machine of an event.
In a second aspect, an embodiment of the present invention provides a server device, where the server device includes a processor and a memory, where the processor is connected to the memory through a bus; the memory is used for storing program codes and data, and the processor is used for running a virtual machine, wherein the virtual machine comprises a virtual machine operating system (the virtual machine operating system is a user-state operating system) and an application program; the processor is specifically configured to establish a first enclave running the virtual machine operating system and a second enclave running the application program; and acquiring a first springboard, wherein the first springboard runs in a memory area outside the first enclave and the second enclave, the first springboard is utilized to transfer the call of the application program to the virtual machine operating system, and the first springboard is utilized to transfer the call return result of the virtual machine operating system to the application program. The processor may be specifically adapted to implement the method of the first aspect.
In a third aspect, an embodiment of the present invention provides an apparatus, where the apparatus includes a virtual machine VM, where the virtual machine VM includes a virtual machine operating system and an application program that run in the virtual machine VM; the virtual machine is to: establishing a first enclave running the virtual machine operating system and a second enclave running the application program; the first enclave is a memory security area used for protecting the running of the virtual machine operating system, the second enclave is a memory security area used for protecting the running of the application program, and the virtual machine operating system is a user mode operating system; obtaining a first springboard; the first springboard is used as a communication channel between a virtual machine operating system in the first enclave and the application program in the second enclave and runs in a memory area outside the first enclave and the second enclave; transferring the call of the application program to the virtual machine operating system by utilizing the first springboard; and transmitting a calling return result of the virtual machine operating system to the application program by utilizing the first springboard. The virtual machine entity may be adapted to implement the method of the first aspect.
In a fourth aspect, embodiments of the present invention provide a non-volatile computer-readable storage medium storing code for implementing the method of the first aspect. When executed by a computing device, the program code causes the device to perform the method of the first aspect.
In a fifth aspect, an embodiment of the present invention provides a computer program product comprising program instructions which, when executed by a computing device, cause the controller to perform the method of the first aspect. The computer program product may be a software installation package which, when the method provided by any possible design of the first aspect is required, can be downloaded and executed on a controller to implement that method.
It can be seen that the different application programs (sensitive applications) and virtual machine operating systems (user-mode OSs) in the embodiment may all run in their own enclaves. Control-flow transfer between the application program and the user-mode OS is proxied through the first springboard located between them, and control-flow transfer between the user-mode OS and the virtual machine monitor is proxied through the second springboard located between them. Because the user-mode OS runs in the first enclave, which protects and isolates it, neither the application program nor the virtual machine monitor can directly obtain or tamper with its code and data. Because different sensitive applications run in their own second enclaves, which protect and isolate them, the sensitive applications can resist attacks from untrusted or potentially vulnerable virtual machine operating systems, virtual machine monitors, and other applications. By implementing the embodiment, the attack surface of the application program is reduced without increasing the TCB, so the running application obtains stronger security protection.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments or the background art of the present invention, the drawings required to be used in the embodiments or the background art of the present invention will be described below.
FIG. 1 is a system architecture diagram of a physical server in the prior art;
FIG. 2 is a system architecture diagram of yet another physical server in the prior art;
FIG. 3 is a system architecture diagram of a physical server according to an embodiment of the present invention;
FIG. 4 is a system architecture diagram of another physical server provided by an embodiment of the present invention;
FIG. 5 is a flowchart illustrating an application security protection method according to an embodiment of the present invention;
FIG. 6 is a flowchart illustrating a further method for securing an application according to an embodiment of the present invention;
FIG. 7 is a flowchart illustrating a further method for securing an application according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention will be described below with reference to the drawings. The terminology used in the description of the embodiments of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
First, a system architecture of a physical server according to an embodiment of the present invention is described. Referring to fig. 3, a server system architecture applying virtualization technology includes server hardware, at least one virtual machine running in a virtual environment, and virtual machine monitors (Hypervisors) running between the server hardware and the virtual machine. Wherein:
the virtual machine in turn includes a virtual machine operating system and a virtual machine operating system based application program. In the embodiment of the present invention, the virtual machine operating system is a user mode operating system (may be referred to as a user mode OS for short), and is different from a kernel mode OS running in a ring0 level, and the user mode OS runs in a privilege level of ring 3. Specifically, a paravirtualized user-mode OS, one or more application programs based on the user-mode OS and a used function library (for example, Libc) run in the virtual machine, where the one or more application programs include at least one sensitive application, and the sensitive application is an application program for processing sensitive data of a user.
The virtual machine monitor may allow multiple virtual machines to share server hardware (e.g., access all physical devices on the server including memory, CPUs, network cards, disks, etc.), and implement an abstraction of the physical hardware. The virtual machine monitor not only coordinates shared access of these hardware resources, but also enforces protections between the various virtual machines.
As shown in fig. 3, in the embodiment of the present invention, a separate enclave (which may be referred to as a first enclave) is created to encapsulate and run the user-mode OS, so as to provide the system calls required for running an application program in a protected manner; a separate enclave (which may be referred to as a second enclave) is created to protect the code and data of at least one sensitive application and the function library it uses (for example, fig. 3 includes two sensitive applications, and each sensitive application together with the function library it uses is protected by its own enclave). In addition, when the application programs in the virtual machine also include a non-sensitive application, the non-sensitive application does not need extra protection, so it need not be packaged in a separate enclave and can simply be executed in the ordinary memory address space.
In a specific implementation, the virtual machine monitor is also responsible for mapping the EPC (Enclave Page Cache) memory required by the first enclave and the second enclave, so as to support the creation of the first enclave and the second enclave.
In the embodiment of the invention, a layer of springboard (which may be called the first springboard) is introduced between the first enclave and the second enclave. The first springboard serves as the communication channel between the user mode OS in the first enclave and the application program in the second enclave, and comprises springboard code and the data shared between the user mode OS and the application program. The first springboard can be used to forward the system calls issued by the sensitive application to the user mode OS and to return the call results; specifically, the first springboard forwards to the user mode OS the system calls generated by the function library (such as Libc) used by the application program, and passes the call return results provided by the user mode OS back to the application program.
In the embodiment of the invention, another layer of springboard (which may be called the second springboard) is introduced between the user mode OS and the virtual machine monitor (Hypervisor), and the second springboard comprises springboard code and the data shared between the user mode OS and the virtual machine monitor. The second springboard serves as the communication channel between the user mode OS in the first enclave and the virtual machine monitor, and can be used to forward the calls of the user mode OS to the virtual machine monitor and to return the notifications of the virtual machine monitor to the user mode OS. Specifically, since the user mode OS is inside the first enclave, it cannot directly execute ring0 instructions; the second springboard designed for the user mode OS in the embodiment of the present invention therefore not only assists the user mode OS in calling the underlying virtual machine monitor services (i.e., hypercalls; for example, the user mode OS can complete high-privilege operations such as modifying a page table through the services of the virtual machine monitor), but also assists the virtual machine monitor in passing control flow and executing upcalls.
In specific implementation, the embodiment of the present invention may modify the user-mode OS by using a paravirtualization technology, so that the user-mode OS is suitable for the system architecture of the embodiment of the present invention, and establishes a communication connection between the user-mode OS and the first springboard and the second springboard. It can be seen that, in the embodiment of the present invention, the virtual machine operating system adopts the user-mode OS, and the characteristic that the user-mode OS runs at the ring3 privilege level is utilized, so that the virtual machine operating system can run in the first enclave designed in the embodiment of the present invention, and further, the first enclave is utilized to protect the security and isolation of the virtual machine operating system (the user-mode OS), thereby preventing a system vulnerability from being utilized by the outside world to threaten the security of an application program (a sensitive application). The embodiment of the invention can keep the original normal communication interaction (such as system call) between the user mode OS, the application program and the virtual machine monitor through the designed first springboard and the second springboard, thereby ensuring the normal work of the virtual machine.
For example, referring to fig. 4, in one possible implementation of the server system architecture described in the embodiment of the present invention, the virtual machine monitor may employ a modified Xen, and the user mode OS in the virtual machine may employ a modified mini-OS.
Xen is an open-source virtual machine monitor based on the x86 architecture. Xen can securely execute multiple virtual machines on one set of physical hardware, and in the Xen environment a virtual machine is called a "domain". Among the virtual machines created in the Xen environment, domain0 has high privilege; the administrator may use domain0 and the Xen tools to create the other virtual machines (domainUs). In the embodiment of the present invention, the modified Xen can implement the mapping of the EPC memory required by the first enclave and the second enclave, so as to support the creation of the first enclave and the second enclave and of the first springboard and the second springboard; the modified Xen also establishes the communication connection between the user-mode OS and the first springboard and/or the second springboard, so that it is applicable to the system architecture of the embodiment of the present invention.
Mini-OS is a paravirtualized OS kernel provided by Xen. The user-mode OS can be obtained by modifying Mini-OS; the modified Mini-OS can establish communication connections with the first springboard and the second springboard and is suitable for the system architecture of the embodiment of the invention. Accordingly, the application program of the embodiment of the present invention may be a Mini-OS based application.
Similarly, in the embodiment of the present invention, the modified Mini-OS is encapsulated and run in the first enclave, and the system calls required for running the application program are provided to the application program in a protected manner; a second enclave is used to protect the code and data of the sensitive application itself and of the function library it uses. In the embodiment of the invention, the first springboard between the first enclave and the second enclave comprises springboard code and the data shared between the Mini-OS and the application program, and is used to forward the system calls issued by the sensitive application to the Mini-OS and to return the results; specifically, the first springboard forwards to the Mini-OS the system calls generated by the function library (e.g., Libc) used by the application and returns the results. The second springboard between the Mini-OS and Xen comprises springboard code and the data shared between the Mini-OS and Xen, and is used to forward the calls of the Mini-OS to Xen and to return the notifications of Xen to the user mode OS. Specifically, the second springboard not only assists the Mini-OS in calling the underlying Xen system services (hypercalls), but also assists Xen in passing control flow and executing an upcall when Xen needs to notify the virtual machine of an event.
It can be seen that the different sensitive applications and the user mode OS in the embodiment of the present invention may each run in their own enclave. The application program and the user mode OS proxy the control flow transfer between each other through a first springboard positioned between the application program and the user mode OS, and the user mode OS and the virtual machine monitor proxy the control flow transfer between each other through a second springboard positioned between the user mode OS and the virtual machine monitor. Because the user mode OS runs in the first enclave, and the first enclave provides security protection and isolation for the user mode OS, neither the application program nor the virtual machine monitor can directly read or tamper with the code and data of the user mode OS. Since different sensitive applications run in their respective second enclaves, the second enclaves protect and isolate the sensitive applications, so that the sensitive applications can resist attacks from an untrusted or potentially vulnerable virtual machine operating system, from the virtual machine monitor, and from other applications. By implementing the embodiment of the invention, the attack surface of the application program can be reduced without increasing the TCB, so that the running application obtains stronger security protection.
Based on the system architecture described in the embodiment of fig. 3, the application security protection method of the embodiment of the present invention is further described below with reference to fig. 5. The method is applied to a physical server, where the physical server includes server hardware, at least one virtual machine running in a virtual environment, and a virtual machine monitor (hypervisor) running between the server hardware and the virtual machine. The virtual machine, in turn, includes a user mode OS, and an application program based on the user mode OS together with the function library (e.g., the Libc library) it uses. The method includes, but is not limited to, the following steps:
step 101, creating a first enclave for protecting the user mode OS.
In the embodiment of the present invention, the first enclave is a protected software code execution area constructed by a CPU of the physical server, and is used to provide security protection and isolation for the user-mode OS, that is, the user-mode OS runs in the first enclave. Software code running outside the first enclave cannot directly access the code and data of the user-mode OS within the first enclave, but the external software code can interact with it through an interface provided by the user-mode OS within the first enclave.
Specifically, the virtual machine monitor may be responsible for mapping the Enclave Page Cache (EPC) memory required by the first enclave, so as to support the creation of the first enclave.
Step 102, creating a second enclave, wherein the second enclave is used for providing security protection and isolation for the application program and the function library used by the application program, namely the application program and the function library used by the application program run in the second enclave.
In the embodiment of the present invention, the second enclave is a protected software code execution area constructed by a CPU of the physical server, and is used to provide security protection and isolation for the application program and the function library used by the application program, that is, the application program and the function library run in the second enclave. Software code running outside the second enclave cannot directly access the code and data of the application program and the function library in the second enclave, but the external software code can interact with the application program and the function library in the second enclave through an interface provided by the application program and the function library in the second enclave.
In a specific embodiment, the application program protected by the second enclave is a sensitive application, so as to protect sensitive code and sensitive data related to the sensitive application from leakage and attack.
Specifically, the virtual machine monitor may be responsible for mapping the EPC memory required by the second enclave, so as to support the creation of the second enclave. When the sensitive application is to be executed, the second enclave for executing the sensitive application is further created by means of the user mode OS.
It should be noted that, based on the design of the embodiment of the present invention, since the sensitive application and the virtual machine operating system both operate in the user mode and each operate in a separate enclave, the isolation between the two does not need to be implemented in the conventional page table isolation manner. That is, the sensitive application and the virtual machine operating system (user mode OS) can share the same address space directly, switching between the two does not require switching page tables.
Step 103, determining a first springboard, wherein the first springboard runs outside the first enclave and the second enclave. Specifically, the first springboard may run between the first enclave and the second enclave to proxy control flow transfer between the application program/function library and the user mode OS.
Wherein determining the first springboard comprises: when the first springboard needs to be used, the first springboard is determined by creating, acquiring, looking up, defining, calling or loading it, or the like. In the embodiment of the present invention, the first springboard runs in a memory space region outside the first enclave and the second enclave, the CPU running mode corresponding to the first springboard is a non-enclave running mode, and the first springboard comprises springboard code and the data shared between the user mode OS and the software code (application program and/or function library) in the second enclave. The first springboard may be used to implement the passing of control flow, such as forwarding the system call issued by the software code in the second enclave to the user mode OS and passing back the return value; the specific interaction process is as described in steps 104 and 105 below.
Step 104, when the application program in the second enclave needs to perform a system call, acquiring, by using the first springboard, the system call of the application program in the second enclave to the user mode OS in the first enclave, and transmitting the system call to the user mode OS.
Step 105, correspondingly, acquiring, by using the first springboard, the call return result of the user mode OS to the application program, and transmitting the call return result to the application program.
Step 106, determining a second springboard, wherein the second springboard runs outside the first enclave and the second enclave. Specifically, the second springboard may run between the first enclave and the virtual machine monitor (hypervisor) to proxy control flow transfer between the user mode OS and the hypervisor.
Wherein determining the second springboard comprises: when the second springboard needs to be used, the second springboard is determined by creating, acquiring, looking up, defining, calling or loading it, or the like.
In the embodiment of the present invention, the second springboard runs in a memory space region other than the first enclave and the second enclave, and the CPU running mode corresponding to the second springboard is a non-enclave running mode, and the second springboard includes a springboard code and shared data between the user mode OS and the virtual machine monitor. The second springboard may be used to implement the transfer of control flow, such as forwarding calls from the user mode OS to the virtual machine monitor and notifications from the virtual machine monitor to the user mode OS, and the specific interaction process is described in steps 107 and 108 below.
Step 107, when the user mode OS in the first enclave needs to perform a privileged operation or access server hardware resources through the virtual machine monitor, obtaining, by using the second springboard, the call of the user mode OS in the first enclave to the virtual machine monitor, and transmitting the call to the virtual machine monitor, so as to perform the privileged operation or access the server hardware resource through the virtual machine monitor.
For example, a user-mode OS based on paravirtualization technology relies on the services of the virtual machine monitor to accomplish privileged operations such as modifying page tables. Because the user mode OS is inside the first enclave, it cannot directly execute ring0 instructions; the embodiment of the present invention therefore designs the second springboard for the user mode OS, and the second springboard assists the user mode OS in calling the virtual machine monitor service (hypercall), thereby implementing the privileged operation through the virtual machine monitor.
Step 108, correspondingly, a notification or call return result of the virtual machine monitor to the user mode OS can be obtained by using the second springboard, and the notification or call return result is transmitted to the user mode OS. For example, a second springboard assists the virtual machine monitor in passing control flow and executing upcalls to the user-mode OS.
In addition, in a specific implementation of the embodiment of the present invention, the first springboard and the second springboard may be integrated into one functional entity, and the functional entity operates in a memory space region other than the first enclave and the second enclave, and is used for implementing functions of the first springboard and the second springboard. For example, a lightweight shell layer may be designed for the user-mode OS. The shell layer contains both the springboard code and shared data between the application (sensitive application) and the user-state OS (i.e., the first springboard), and the springboard code and the required shared data between the user-state OS and the virtual machine monitor (i.e., the second springboard). The shell layer serves as a function agent and realizes control flow transmission between the user mode OS and the application program and between the user mode OS and the virtual machine monitor.
It should be noted that: there is no necessary sequence between the steps 103-105 and 106-108, the steps 103-105 may be performed before or after the steps 106-108, and the steps 103-105 and 106-108 may be performed simultaneously.
It can be seen that the different sensitive applications and the user mode OS in the embodiment of the present invention may each run in their own enclave. The application program and the user mode OS proxy the control flow transfer between each other through a first springboard positioned between the application program and the user mode OS, and the user mode OS and the virtual machine monitor proxy the control flow transfer between each other through a second springboard positioned between the user mode OS and the virtual machine monitor. Because the user mode OS runs in the first enclave, and the first enclave provides security protection and isolation for the user mode OS, neither the application program nor the virtual machine monitor can directly read or tamper with the code and data of the user mode OS. Since different sensitive applications run in their respective second enclaves, the second enclaves protect and isolate the sensitive applications, enabling them to resist attacks from an untrusted or potentially vulnerable virtual machine operating system, from the virtual machine monitor, and from other applications. By implementing the embodiment of the invention, the attack surface of the application program can be reduced without increasing the TCB, so that the running application obtains stronger security protection.
Based on the system architecture described in the embodiment of fig. 4, the application security protection method of the embodiment of the present invention is further described below, please refer to fig. 6, and the method is applied to a physical server, where the physical server includes server hardware, at least one virtual machine (domain) running in a virtual environment, and Xen running between the server hardware and the virtual machine. The virtual machine comprises a modified semi-virtualized kernel Mini-OS running in a user mode and an application program based on the Mini-OS, a function library (such as a Libc library), and the method comprises the following steps:
Step 201, when Xen starts, it must map the secure memory EPC; specifically, Xen maps the EPC physical memory into its own virtual address space.
Step 202, creating the privileged virtual machine of Xen (i.e. domain0), and then transferring the image files (including the virtual machine image and the application program image) and the metadata related to the first enclave and the second enclave to Xen through domain0.
Specifically, each virtual machine (domain) in the physical server is created by Xen, but Xen does not directly access the disk driver, so the image file must be loaded from the disk into memory through the previously created domain0 and then transferred to Xen. Therefore, the embodiment of the invention adds a corresponding hypercall service to Xen and provides a loader through which domain0 can load the virtual machine image and the application program image, where the virtual machine image contains the code and data for constructing the first springboard and the second springboard.
Step 203, creating a target virtual machine through Xen based on the virtual machine image and the application image. In a specific implementation, the embodiment of the present invention is compatible with the mainstream Xen tools-based virtual machine start-up process, that is, an administrator may use the Xen tools (Xentools) to create the target virtual machine, and the target virtual machine is deployed with the modified Mini-OS, the application program, the function library, and so on. In addition, the shell layer of the Mini-OS can be started; the shell layer of the Mini-OS runs in a normal memory space region (namely, a non-enclave memory space region) and comprises the springboard code and the shared data of the first springboard and the second springboard.
Step 204, create a first enclave for the protected run of the Mini-OS.
In a specific implementation, the shell layer of the Mini-OS maps the start information page provided by Xen, initializes a page table, and then calls the newly added hypercall service to create the first enclave of the Mini-OS. In the newly added hypercall service, Xen first sets up a corresponding enclave page table for the target virtual machine, i.e. maps a segment of EPC memory, and then uses the corresponding CPU instructions to create the first enclave of the Mini-OS according to the metadata related to the first enclave.
Step 205, after the first enclave is created, Xen may pass control flow to the mini-OS inside the first enclave through the shell layer, where the control flow includes a start instruction for the mini-OS.
Step 206, the mini-OS starts boot based on the boot instruction in the control flow, and calls Xen's service by forwarding hypercall to Xen through the shell layer during boot.
In a specific implementation of the invention, the second springboard in the shell layer is responsible for forwarding hypercalls and the corresponding call return results. When the mini-OS running in the first enclave needs to issue a hypercall, it places the related call parameters in a shared memory outside the first enclave and passes control flow to the second springboard, and the second springboard acts as a proxy to issue the real hypercall to Xen. When the hypercall is done, the second springboard passes the return value of Xen along with the control flow back to the mini-OS in the first enclave.
In a specific application scenario, before the mini-OS in the first enclave passes the control flow to the second springboard, its context may be saved in a specific buffer area, and then, after the second springboard returns the control flow, the mini-OS in the first enclave may restore its state according to the context.
In a specific implementation of the invention, the paravirtualized kernel mini-OS can distinguish its own shared data from its private data. In particular, the mini-OS's shared data refers to data that needs to be shared with the virtual machine monitor, such as event channels and page tables; if such shared data were placed in the first enclave, it would prevent the virtual machine monitor from using it, so such shared data is placed outside the first enclave (e.g., outside the shell layer, or within the shell layer). The mini-OS's private data refers to data that is generally used only by the mini-OS itself, such as stack data, and such private data can be placed in the first enclave.
Step 207, if an event such as an interrupt is generated while the target virtual machine is running, Xen may notify the mini-OS through the shell layer to process the corresponding event.
In a specific implementation, if an event such as an interrupt occurs while the target virtual machine is running, control flow traps directly into the virtual machine monitor Xen, and Xen uses the event channel and upcall mechanism to notify the target virtual machine to process the corresponding event. Specifically, Xen first passes control flow to the second springboard in the shell layer, the control flow is then passed to the mini-OS via the second springboard, and the mini-OS processes the relevant event. Thus the mini-OS may be re-entered to handle the event after the interrupt. To this end, the first enclave provides the mini-OS with a plurality of State Save Areas (SSAs) for saving state, enabling the mini-OS to re-enter according to the state in the SSA. In addition, re-entry can also lead to nested hypercalls, and the SSA mechanism ensures that the memory used by the nested hypercalls remains isolated.
Step 208, when the application (sensitive application) needs to be started, a second enclave for running the application in a protected way is created.
In specific implementation, when the application needing to be started is sensitive, the mini-OS in the first enclave calls a corresponding newly-added hypercall service to create a second enclave of the sensitive application, so that the sensitive application can be started and run in the second enclave.
It should be noted that, if a non-sensitive application program needs to be started, the mini-OS in the first enclave starts the non-sensitive application program in a non-enclave memory address space by calling the corresponding newly added hypercall service.
It can be understood that, when multiple sensitive applications need to be run in the virtual machine, each sensitive application has a second enclave, and the enclaves of different sensitive applications are isolated from each other and can be protected by the CPU hardware.
Step 209, when the application program (sensitive application) in the second enclave needs to perform a system call, the application program in the second enclave and the mini-OS in the first enclave can perform control flow transfer through the proxy of the shell layer.
In the embodiment of the invention, the application program and the mini-OS run in different enclaves, so they must rely on the first springboard in the shell layer for control flow interaction. Specifically, the first springboard in the shell layer is responsible for forwarding the system call and the corresponding call return result. When the application program running in the second enclave needs a system call, it places the related call parameters in a shared memory outside the second enclave and passes control flow to the first springboard, and the first springboard acts as a proxy to forward the system call to the mini-OS in the first enclave. When the system call has been executed, the first springboard passes the return value and the control flow of the mini-OS back to the application program in the second enclave.
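As an added illustration that is not part of the patent, the following C model shows how the first springboard of steps 104/105 and 209 proxies a system call: the application's Libc-side stub copies only the call arguments into a shared area outside both enclaves, hands control to non-enclave springboard code, and the user mode OS handler treats everything in that shared area as untrusted. The enclave boundary is modelled with plain structs, and all names (shared_call_area, app_syscall, first_springboard) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { SYS_WRITE = 1, SYS_GETPID = 2 };
#define SHARED_BUF_LEN 64

/* Marshalling area outside both enclaves: the springboard and the peer
 * enclave may read exactly this and nothing else. */
struct shared_call_area {
    uint32_t nr;                  /* system call number */
    uint64_t len;                 /* untrusted: written by the caller */
    char     buf[SHARED_BUF_LEN]; /* copied-out payload for SYS_WRITE */
    int64_t  ret;                 /* call return result */
};

/* Private state of the user mode OS inside the first enclave. */
struct os_enclave { int pid; size_t log_used; char log[128]; };

/* Private state of a sensitive application inside its second enclave. */
struct app_enclave {
    char     secret[32];   /* must never be copied into the shared area */
    uint64_t saved_ctx;    /* context parked before control flow leaves */
};

/* Runs "inside" the first enclave. Every field it reads from the shared
 * area is attacker-controllable, so lengths are validated before use. */
static void os_handle_syscall(struct os_enclave *os, struct shared_call_area *sa)
{
    switch (sa->nr) {
    case SYS_WRITE: {
        uint64_t n = sa->len;
        if (n > SHARED_BUF_LEN) { sa->ret = -1; return; }   /* length exceeds the area */
        size_t room = sizeof os->log - 1 - os->log_used;
        if (n > room) n = room;                              /* truncate, never overflow */
        memcpy(os->log + os->log_used, sa->buf, (size_t)n);
        os->log_used += (size_t)n;
        os->log[os->log_used] = '\0';
        sa->ret = (int64_t)n;
        return;
    }
    case SYS_GETPID:
        sa->ret = os->pid;
        return;
    default:
        sa->ret = -38;   /* unknown call is refused (ENOSYS-style), not guessed */
    }
}

/* The first springboard: non-enclave code that only proxies control flow.
 * It holds a handle to the OS enclave but reads none of its private data;
 * the call models entering the first enclave and exiting back. */
static void first_springboard(struct os_enclave *os, struct shared_call_area *sa)
{
    os_handle_syscall(os, sa);
}

/* Libc-side stub inside the second enclave: copy only the call arguments
 * into the shared area, save context, leave the enclave, then restore. */
static int64_t app_syscall(struct app_enclave *app, struct os_enclave *os,
                           struct shared_call_area *sa, uint32_t nr,
                           const char *data, uint64_t len)
{
    app->saved_ctx = 0x1234;                  /* context stays in private memory */
    memset(sa, 0, sizeof *sa);                /* no stale bytes cross the boundary */
    sa->nr = nr;
    sa->len = len;
    if (data && len <= SHARED_BUF_LEN)
        memcpy(sa->buf, data, (size_t)len);
    first_springboard(os, sa);                /* control flow leaves the second enclave */
    if (app->saved_ctx != 0x1234)             /* restore check after re-entry */
        return -2;
    return sa->ret;
}

/* Returns 1 if the application's secret appears anywhere in the shared
 * area, i.e. the boundary discipline was violated. */
static int shared_area_leaks(const struct app_enclave *app,
                             const struct shared_call_area *sa)
{
    const unsigned char *hay = (const unsigned char *)sa;
    size_t m = strlen(app->secret);
    for (size_t i = 0; m && i + m <= sizeof *sa; i++)
        if (memcmp(hay + i, app->secret, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    struct os_enclave os = { .pid = 42 };                   /* constructed sample state */
    struct app_enclave app = { .secret = "constructed-secret" };
    struct shared_call_area sa;
    int64_t w = app_syscall(&app, &os, &sa, SYS_WRITE, "hello", 5);
    int64_t p = app_syscall(&app, &os, &sa, SYS_GETPID, NULL, 0);
    printf("write=%lld log=\"%s\" pid=%lld leak=%d\n",
           (long long)w, os.log, (long long)p, shared_area_leaks(&app, &sa));
    return 0;
}
```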
Compared with the SCONE scheme, the embodiment of the invention uses an enclave to encapsulate and protect the user mode OS, so as to protect the security of the system calls required by the sensitive application at run time; this greatly reduces the attack surface of the sensitive application and provides better security. Compared with the Haven scheme, the embodiment of the invention uses two different enclaves to protect the sensitive application and the user mode OS separately at run time: system call forwarding and result return between the first enclave of the user mode OS and the second enclave of the sensitive application are implemented through the first springboard, and call issuing and notification (upcall) between the first enclave of the user mode OS and the Hypervisor are implemented through the second springboard. As a result, security vulnerabilities in the OS cannot be used to attack the sensitive application, a smaller TCB is achieved without increasing the attack surface, the number of potential vulnerabilities in the TCB is reduced, and better security is provided.
In the embodiment of the present invention, the system architecture of the embodiment of fig. 3 or fig. 4 may also implement an intra-platform attestation security verification mechanism. This is a CPU-supported verification mechanism by which enclaves on the same physical host prove their respective integrity to each other, such as the intra-platform attestation mechanism of Intel SGX. On the basis of the above embodiment of fig. 5 or fig. 6, a process for implementing the intra-platform attestation security verification mechanism according to an embodiment of the present invention is described below with reference to fig. 7; the process includes, but is not limited to, the following steps:
Step 301, the user-mode OS in the first enclave performs intra-platform attestation to the sensitive application in the second enclave to prove the integrity of the user-mode OS.
In the embodiment of the invention, the sensitive application can verify the integrity of the user-mode OS through the intra-platform attestation security verification mechanism provided by the CPU enclave. Specifically, the sensitive application in the second enclave verifies the integrity metric value of the user-mode OS, and if the integrity metric value meets the policy requirement predetermined by the application (for example, the value is identical to a preset value in the application), the sensitive application starts normally. If the integrity metric value of the user-mode OS does not meet the policy requirement preset by the application, the sensitive application refuses to start or enters a non-working mode. In the non-working mode, the sensitive application does not process sensitive data that needs to be protected.
In a specific implementation with Intel SGX technology, the integrity metric value is embodied as MRENCLAVE, that is, the hash the CPU computes over the enclave page contents and enclave metadata during enclave creation.
Step 302, the user-mode OS in the first enclave performs a secure key exchange with the sensitive application in the second enclave to establish a secure channel, and the two negotiate an encryption key and an integrity protection key.
Specifically, if the integrity metric value of the user-mode OS meets the policy requirement predetermined by the application, the sensitive application in the second enclave performs a secure key exchange with the user-mode OS in the first enclave based on the intra-platform attestation mechanism to establish a secure channel, and negotiates an encryption key and an integrity protection key.
Step 303, when the sensitive application invokes a system call provided by the user-mode OS, it uses the encryption key and the integrity protection key to protect the call parameters, and then transmits the protected parameters to the user-mode OS through the first springboard.
Specifically, the sensitive application encrypts the system-call-related data, such as the call parameters, using the encryption key negotiated in step 302, adds an integrity protection value computed with the integrity protection key negotiated in step 302, and then sends the protected data to the first springboard between the sensitive application and the user-mode OS, which forwards it to the user-mode OS. Inside its enclave, the user-mode OS verifies the integrity protection value of the data using the integrity protection key negotiated in step 302, and decrypts the system-call data using the encryption key negotiated in step 302.
Step 304, after the user-mode OS finishes the system call, it encrypts and integrity-protects the return value with the encryption key and the integrity protection key, and transmits the protected return value to the sensitive application through the first springboard.
After the user-mode OS finishes executing the system call, it encrypts the return value using the encryption key negotiated in step 302, adds an integrity protection value computed with the integrity protection key negotiated in step 302, and sends the protected return value to the first springboard between the sensitive application and the user-mode OS, which forwards it to the sensitive application. The sensitive application verifies the integrity protection value of the return value using the integrity protection key negotiated in step 302 and decrypts the return value using the encryption key negotiated in step 302.
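The following is an added example, not code from the patent, that models the forwarding path described above (sensitive application enclave, untrusted first springboard with shared memory, user-mode mini-OS enclave) together with steps 301 to 304: the MRENCLAVE policy check, derivation of separate encryption and integrity keys, and encrypt-then-MAC protection of the call parameters and return value so that the springboard neither sees nor can alter them. The attestation-bound key exchange itself is stubbed (the shared secret is a constructed value), the mini-OS's two-entry syscall table and the SHA-256 counter-mode stream cipher are stand-ins chosen so the example runs on the Python standard library, and all names are hypothetical.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed "expected" MRENCLAVE of the mini-OS enclave, i.e. the preset
# value the sensitive application carries as its policy (step 301).
EXPECTED_OS_MRENCLAVE = hashlib.sha256(b"constructed mini-OS enclave image").digest()


def os_passes_policy(reported_mrenclave: bytes) -> bool:
    """Step 301: accept the mini-OS only if its measurement matches the preset."""
    return hmac.compare_digest(reported_mrenclave, EXPECTED_OS_MRENCLAVE)


def derive_channel_keys(shared_secret: bytes):
    """Step 302: derive a distinct encryption key and integrity key from the
    secret agreed in the attestation-bound key exchange (stubbed here)."""
    enc_key = hmac.new(shared_secret, b"springboard enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"springboard mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (SHA-256 in counter mode) so the example needs no
    # third-party library; a real build would use an AEAD such as AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt with enc_key, then append an integrity value under mac_key.
    This is what leaves an enclave for the springboard (steps 303 and 304)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the integrity value first, then decrypt; anything altered while
    in the springboard's shared memory is rejected before it is parsed."""
    if len(blob) < 16 + 32:
        raise ValueError("integrity check failed: truncated message")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: message altered in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class MiniOSEnclave:
    """First enclave: user-mode OS with a constructed two-call syscall table."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.console = bytearray()  # sink for the constructed "write" call

    def handle(self, sealed_request: bytes) -> bytes:
        req = json.loads(unseal(self.enc_key, self.mac_key, sealed_request))
        if req["call"] == "getpid":
            ret = 4242
        elif req["call"] == "write":
            self.console += req["args"][0].encode()
            ret = len(req["args"][0])
        else:
            ret = -1  # unknown call: fail closed instead of guessing
        return seal(self.enc_key, self.mac_key, json.dumps({"ret": ret}).encode())


class Springboard:
    """Untrusted forwarder outside both enclaves. It only moves opaque blobs
    through shared memory; `tamper=True` models a modified springboard."""

    def __init__(self, mini_os: MiniOSEnclave, tamper: bool = False):
        self.mini_os, self.tamper = mini_os, tamper
        self.shared_memory = []  # everything an outside observer could read

    def forward(self, sealed_request: bytes) -> bytes:
        self.shared_memory.append(sealed_request)
        if self.tamper:  # flip one ciphertext byte before handing it over
            b = bytearray(sealed_request)
            b[20] ^= 0x01
            sealed_request = bytes(b)
        reply = self.mini_os.handle(sealed_request)
        self.shared_memory.append(reply)
        return reply


def app_syscall(springboard: Springboard, enc_key: bytes, mac_key: bytes, call: str, *args):
    """Second enclave side: seal the call, hand it to the springboard, unseal the result."""
    request = json.dumps({"call": call, "args": list(args)}).encode()
    reply = unseal(enc_key, mac_key, springboard.forward(seal(enc_key, mac_key, request)))
    return json.loads(reply)["ret"]


if __name__ == "__main__":
    ek, mk = derive_channel_keys(b"constructed shared secret from key exchange")
    sb = Springboard(MiniOSEnclave(ek, mk))
    print("write ->", app_syscall(sb, ek, mk, "write", "hello"))  # 5
```

Swapping `tamper=True` into the `Springboard` makes the mini-OS reject the request at `unseal`, which is the failure mode the two keys exist to catch.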
It can be seen that, by implementing the embodiment of the present invention, based on the intra-platform enclave attestation mechanism, the sensitive application can verify the integrity of the user-mode OS, identify a tampered user-mode OS or one whose version is too low, and refuse to start or refuse to process sensitive data when the user-mode OS does not meet the requirements, thereby preventing data leakage. A secure channel can also be established between the sensitive application in the second enclave and the user-mode OS in the first enclave, and an encryption key and an integrity protection key for secure communication are negotiated, so that the parameters and return values of system calls are encrypted and integrity-protected before being handed to the springboard code. This secures the system call parameters and return values and prevents their disclosure to entities (such as the virtual machine monitor) outside the sensitive application and the operating system. In addition, because the first springboard and the second springboard designed in the embodiment of the invention both run outside the enclaves, that is, exposed to the external environment, protecting the confidentiality and integrity of the system call parameters and return values helps prevent the outside world from obtaining them by modifying the springboard code, and keeps the data safe while the first springboard and the second springboard forward it.
The system architecture and method of the embodiments of the present invention are described in detail above, and based on the same inventive concept, the following provides related apparatuses of the embodiments of the present invention.
Referring to fig. 8, fig. 8 is a schematic structural diagram of a device 40 according to an embodiment of the present invention. The device 40 may be a server device and includes a processor 401, a memory 402, and an interface circuit 404; the processor 401, the memory 402, and the interface circuit 404 are connected by a bus 403. Wherein:
There may be one or more memories 402, and a memory 402 may include a volatile memory, such as a random access memory (RAM); the memory 402 may also include a non-volatile memory, such as a read-only memory (ROM), a flash memory, a hard disk drive (HDD), or a solid-state drive (SSD); the memory 402 may also comprise a combination of the kinds of memory described above. The memory 402 may be used to store a set of program codes, so that the processor 401 can call the program codes stored in the memory 402 to implement the application security protection method of an embodiment of the present invention. The memory 402 is further configured to store the code and data of one or more virtual machines (including the code and data of a user-mode operating system and the code and data of an application program), the code and data of a virtual machine monitor, springboard code, shared data, and the like, and the memory 402 is further configured with one or more memory area spaces and a memory secure area (i.e., an enclave) that can be configured within those memory area spaces.
The processor 401 may be comprised of one or more general-purpose processors, such as a central processing unit (CPU). The processor 401 may be configured to run a virtual machine and a virtual machine monitor (hypervisor), and to invoke the program code to implement the application security protection method of embodiments of the present invention.
The interface circuit 404 may be used to connect to server hardware, such as physical devices including hardware memory, network cards, disks, etc., and the interface circuit 404 is used to implement shared access of virtual machines to the server hardware.
In the present invention, the processor 401 is specifically configured to: establish, in a memory area, a first enclave for running the virtual machine operating system and a second enclave for running the application program, where the first enclave is a memory security area used for protecting the running of the virtual machine operating system, the second enclave is a memory security area used for protecting the running of the application program, and the virtual machine operating system is a user-mode operating system; acquire a first springboard preset by the processor, where the first springboard serves as a communication channel between the virtual machine operating system in the first enclave and the application program in the second enclave and runs in a memory area outside the first enclave and the second enclave; transfer the call of the application program to the virtual machine operating system by utilizing the first springboard; and transmit the call return result of the virtual machine operating system to the application program by utilizing the first springboard. The application program is a sensitive application program, and the sensitive application program is used for processing user sensitive data.
In a specific embodiment, the device 40 further includes server hardware and a virtual machine monitor running on the processor; the server hardware is connected to the interface circuit 404 and, through the bus 403, to the processor 401 and the memory 402, and the virtual machine monitor is configured to implement shared access of the virtual machine to the server hardware through the interface circuit 404. The processor 401 is specifically configured to: acquire a second springboard preset by the processor, where the second springboard serves as a communication channel between the virtual machine monitor and the virtual machine operating system in the first enclave and runs in a memory area outside the first enclave and the second enclave; transfer, by the second springboard, a call of the virtual machine operating system to the virtual machine monitor; and transmit the call return result of the virtual machine monitor to the virtual machine operating system by utilizing the second springboard.
Wherein the first springboard comprises first springboard code and shared data between the application program and the user-mode operating system; wherein the first springboard code is used to implement a function of a communication channel of the first springboard; the second springboard comprises second springboard codes and shared data between the user-mode operating system and the virtual machine monitor; wherein the second springboard code is used to implement a function of a communication channel of the second springboard.
In a specific embodiment, the processor is specifically configured to: establishing, by the virtual machine operating system, a second enclave to run the application when the application is to be run.
In a specific embodiment, the processor is specifically configured to: verify the integrity metric value of the virtual machine operating system to the application program through a preset security verification authentication mechanism of the virtual machine; and run the application program in the second enclave under the condition that the integrity metric value of the virtual machine operating system meets a preset value. Then, through the security authentication mechanism, an encryption key and an integrity protection key used when data is transferred between the virtual machine operating system in the first enclave and the application program in the second enclave are negotiated and determined. Then, in the second enclave, the call parameter is encrypted using the encryption key and integrity-protected using the integrity protection key, and the call parameter is transmitted to the virtual machine operating system by using the first springboard; then, within the first enclave, the call return result is encrypted using the encryption key and integrity-protected using the integrity protection key, and the return result is transmitted to the application program by utilizing the first springboard.
In practice, the device 40 may also include more or fewer components, and is not limited herein. For the detailed functions and implementation procedures of the different components of the device 40 (such as the processor 401, the memory 402, and the like), reference may be made to the detailed description of the embodiments in fig. 5 to fig. 7, which is not repeated here.
In the above embodiments, all or part may be implemented by software, hardware, firmware, or any combination thereof. When implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer program instructions which, when loaded and executed on a computer, cause a process or function according to an embodiment of the invention to be performed, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, the computer instructions may be transmitted from one network site, computer, server, or data center to another network site, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, digital subscriber line) or wirelessly (e.g., infrared, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that includes one or more of the available media. The available media may be magnetic media (e.g., floppy disks, hard disks, tapes, etc.), optical media (e.g., DVDs, etc.), or semiconductor media (e.g., solid state drives), among others.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.

Claims (14)

1. The application program safety protection method is applied to a server, wherein the server comprises a virtual machine operating system and an application program which run in a virtual machine; the method comprises the following steps:
establishing a first enclave running the virtual machine operating system and a second enclave running the application program; the first enclave is a memory security area used for protecting the running of the virtual machine operating system, the second enclave is a memory security area used for protecting the running of the application program, and the virtual machine operating system is a user mode operating system;
obtaining a first springboard; the first springboard is used as a communication channel between a virtual machine operating system in the first enclave and the application program in the second enclave and runs in a memory area outside the first enclave and the second enclave;
transferring the call of the application program to the virtual machine operating system by utilizing the first springboard;
and transmitting a calling return result of the virtual machine operating system to the application program by utilizing the first springboard.
2. The method of claim 1, wherein the server comprises a virtual machine monitor and server hardware, the virtual machine monitor for enabling shared access of the virtual machine to the server hardware; the method further comprises the following steps:
obtaining a second springboard; the second springboard is used as a communication channel between the virtual machine monitor and the virtual machine operating system in the first enclave and runs in a memory area outside the first enclave and the second enclave;
transferring, by the second springboard, a call of the virtual machine operating system to the virtual machine monitor;
and transmitting the calling return result of the virtual machine monitor to the virtual machine operating system by utilizing the second springboard.
3. The method of claim 2, wherein establishing a second enclave to run the application comprises:
establishing, by the virtual machine operating system, a second enclave to run the application when the application is to be run.
4. The method of claim 2 or 3, wherein the application is a sensitive application, and wherein the sensitive application is configured to process user sensitive data.
5. The method according to any one of claims 2 to 4,
the first springboard comprises first springboard codes and shared data between the application program and the user-mode operating system; wherein the first springboard code is used to implement a function of a communication channel of the first springboard;
the second springboard comprises second springboard codes and shared data between the user-mode operating system and the virtual machine monitor; wherein the second springboard code is used to implement a function of a communication channel of the second springboard.
6. The method according to any one of claims 1-5, further comprising:
verifying the integrity metric value of the virtual machine operating system to the application program through a preset security verification authentication mechanism of the virtual machine;
and running the application program in the second enclave under the condition that the integrity metric value of the virtual machine operating system meets a preset value.
7. The method of claim 6, further comprising:
negotiating to determine, via the security authentication mechanism, an encryption key and an integrity protection key for use in transferring data between the virtual machine operating system within the first enclave and the application program within the second enclave;
before the transferring, by the first springboard, of the call of the application program in the second enclave to the virtual machine operating system in the first enclave, the method includes: within the second enclave, encrypting a call parameter using the encryption key and integrity protecting the call parameter using the integrity protection key;
before the transmitting, by using the first springboard, of the call return result of the virtual machine operating system to the application program, the method includes: within the first enclave, encrypting the call return result using the encryption key and integrity protecting the call return result using the integrity protection key.
8. A server apparatus, characterized in that the server apparatus comprises a processor and a memory, the processor and the memory being connected by a bus; the memory is used for storing program codes and data, and the processor is used for running a virtual machine, wherein the virtual machine comprises a virtual machine operating system and an application program; the processor is specifically configured to:
establishing a first enclave running the virtual machine operating system and a second enclave running the application program; the first enclave is a memory security area used for protecting the running of the virtual machine operating system, the second enclave is a memory security area used for protecting the running of the application program, and the virtual machine operating system is a user mode operating system;
obtaining a first springboard; the first springboard is used as a communication channel between a virtual machine operating system in the first enclave and the application program in the second enclave and runs in a memory area outside the first enclave and the second enclave;
transferring the call of the application program to the virtual machine operating system by utilizing the first springboard;
and transmitting a calling return result of the virtual machine operating system to the application program by utilizing the first springboard.
9. The apparatus according to claim 8, wherein the server apparatus further comprises server hardware and a virtual machine monitor running on the processor, the server apparatus is connected to the processor and the memory through the bus, and the virtual machine monitor is configured to implement shared access of the virtual machine to the server hardware;
the processor is specifically configured to:
obtaining a second springboard; the second springboard is used as a communication channel between the virtual machine monitor and the virtual machine operating system in the first enclave and runs in a memory area outside the first enclave and the second enclave;
transferring, by the second springboard, a call of the virtual machine operating system to the virtual machine monitor;
and transmitting the calling return result of the virtual machine monitor to the virtual machine operating system by utilizing the second springboard.
10. The device of claim 9, wherein the processor is specifically configured to:
establishing, by the virtual machine operating system, a second enclave to run the application when the application is to be run.
11. The device of claim 9 or 10, wherein the application is a sensitive application, and wherein the sensitive application is configured to process user sensitive data.
12. The apparatus according to any one of claims 9 to 11,
the first springboard comprises first springboard codes and shared data between the application program and the user-mode operating system; wherein the first springboard code is used to implement a function of a communication channel of the first springboard;
the second springboard comprises second springboard codes and shared data between the user-mode operating system and the virtual machine monitor; wherein the second springboard code is used to implement a function of a communication channel of the second springboard.
13. The apparatus of any one of claims 8-12, wherein the processor is specifically configured to:
verifying the integrity metric value of the virtual machine operating system to the application program through a preset security verification authentication mechanism of the virtual machine;
and running the application program in the second enclave under the condition that the integrity metric value of the virtual machine operating system meets a preset value.
14. The device of claim 13, wherein the processor is specifically configured to:
negotiating to determine, via the security authentication mechanism, an encryption key and an integrity protection key for use in transferring data between the virtual machine operating system within the first enclave and the application program within the second enclave;
before the transferring, by the first springboard, of the call of the application program in the second enclave to the virtual machine operating system in the first enclave, the processor is configured to: within the second enclave, encrypt a call parameter using the encryption key and integrity protect the call parameter using the integrity protection key;
before the transmitting, by using the first springboard, of the call return result of the virtual machine operating system to the application program, the processor is configured to: within the first enclave, encrypt the call return result using the encryption key and integrity protect the call return result using the integrity protection key.
CN201811019549.XA 2018-08-31 2018-08-31 Application program security protection method and related equipment Active CN110874468B (en)
Publications (2)

Publication Number Publication Date
CN110874468A true CN110874468A (en) 2020-03-10
CN110874468B CN110874468B (en) 2024-02-09