CN112241309A - Data security method and device, CPU, chip and computer equipment - Google Patents

Data security method and device, CPU, chip and computer equipment Download PDF

Info

Publication number
CN112241309A
CN112241309A CN202011131321.7A CN202011131321A CN112241309A CN 112241309 A CN112241309 A CN 112241309A CN 202011131321 A CN202011131321 A CN 202011131321A CN 112241309 A CN112241309 A CN 112241309A
Authority
CN
China
Prior art keywords
sandbox
virtual address
data
address space
host
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011131321.7A
Other languages
Chinese (zh)
Other versions
CN112241309B (en
Inventor
涂海波
应志伟
杜辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Haiguang Information Technology Co Ltd
Original Assignee
Haiguang Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Haiguang Information Technology Co Ltd filed Critical Haiguang Information Technology Co Ltd
Priority to CN202011131321.7A priority Critical patent/CN112241309B/en
Publication of CN112241309A publication Critical patent/CN112241309A/en
Application granted granted Critical
Publication of CN112241309B publication Critical patent/CN112241309B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45562Creating, deleting, cloning virtual machine instances
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the application provides a data security method, a data security device, a CPU, a chip and computer equipment, wherein the method comprises the following steps: acquiring a sandbox creating instruction, creating a sandbox based on the sandbox creating instruction, and mapping a first host virtual address space in a host virtual address for sandbox data of the sandbox; applying for a second host virtual address space in the host virtual address, the second host virtual address space being different from the first host virtual address space; and copying the sandbox data, and mapping the copied sandbox data to the second host virtual address space, wherein the sandbox uses the sandbox data mapped by the first host virtual address space in a host mode, and the sandbox is encrypted by a first secret key of the sandbox in the host mode, and the sandbox uses the sandbox data mapped by the second host virtual address space in a client mode. The embodiment of the application can ensure the normal realization of the function of the sandbox in the guest mode on the basis of ensuring the data security of the sandbox.

Description

Data security method and device, CPU, chip and computer equipment
Technical Field
The embodiment of the application relates to the technical field of data processing, in particular to a data security method, a data security device, a CPU, a chip and computer equipment.
Background
As an operating system level virtualization technology, a Container (Container) technology can effectively divide resources of a single operating system into isolated groups so as to balance conflicting resource use requirements among the isolated groups; however, the containers are built on the operating system, and each container shares an operating system kernel, executes files, libraries and the like, so that the same kernel is shared among the containers when system calls are carried out, and a large attack surface is provided for hackers to attack the containers; based on this, most system calls of the container can be limited in the Sandbox through the Sandbox (Sandbox) technology at present, so that the operation of the container is limited in the Sandbox, the attack face of a hacker on the container is reduced, and the safety of the container is improved.
As a security mechanism, a Sandbox (Sandbox) can provide an isolation environment for a container in a container virtualization technology, but when system bugs, side channel attacks and other situations exist, Sandbox data is likely to escape from the Sandbox, so that the Sandbox data is stolen; therefore, how to provide a data security scheme to improve the security of sandbox data becomes a technical problem that needs to be solved urgently by those skilled in the art.
Disclosure of Invention
In view of this, embodiments of the present application provide a data security method, apparatus, CPU, chip, and computer device, so as to improve the security of sandbox data.
In order to achieve the above purpose, the embodiments of the present application provide the following technical solutions:
a data security method, comprising:
acquiring a sandbox creating instruction, creating a sandbox based on the sandbox creating instruction, and mapping a first host virtual address space in a host virtual address for sandbox data of the sandbox;
applying for a second host virtual address space in the host virtual address, the second host virtual address space being different from the first host virtual address space;
and copying the sandbox data, and mapping the copied sandbox data to the second host virtual address space, wherein the sandbox uses the sandbox data mapped by the first host virtual address space in a host mode, and the sandbox is encrypted by a first secret key of the sandbox in the host mode, and the sandbox uses the sandbox data mapped by the second host virtual address space in a client mode.
Optionally, after mapping the first host virtual address space in the host virtual address for the sandboxed data of the sandbox, the method further comprises:
establishing page table mapping of the guest virtual address of the sandboxed data to the first host virtual address space, and mapping a first host physical address space corresponding to the first host virtual address space in a nested page table.
Optionally, after mapping the copied sandboxed data to the second host virtual address space, the method further includes:
establishing page table mapping of the guest virtual address of the copied sandbox data to the second host virtual address space, and mapping a second host physical address space corresponding to the second host virtual address space in a nested page table.
Optionally, after mapping the copied sandboxed data to the second host virtual address space, the method further includes:
and encrypting the sandbox data mapped by the first host virtual address space by using a first secret key of the sandbox in the host mode.
Optionally, the method further includes:
acquiring a sandbox starting instruction, and starting the sandbox based on the sandbox starting instruction, wherein the sandbox is in a client mode when being started;
and encrypting the sandboxed data mapped by the second host virtual address space by using a second key of the sandbox in the client mode.
Optionally, the second host virtual address space includes: a third host virtual address space for higher order addresses and a fourth host virtual address space for lower order addresses; said mapping the copied sandboxed data to the second host virtual address space comprises:
mapping the high-order address data in the copied sandbox data to the virtual address space of the third host; and mapping the lower address data in the copied sandbox data to the fourth host virtual address space.
An embodiment of the present application further provides a data security device, including:
the sandbox creating module is used for acquiring a sandbox creating instruction, creating a sandbox based on the sandbox creating instruction, and mapping a first host virtual address space in a host virtual address for sandbox data of the sandbox;
a virtual address space application module, configured to apply for a second host virtual address space in the host virtual address, where the second host virtual address space is different from the first host virtual address space;
and the copy mapping module is used for copying the sandbox data and mapping the copied sandbox data to the second host virtual address space, wherein the sandbox uses the sandbox data mapped by the first host virtual address space in the host mode and is encrypted by a first secret key of the sandbox in the host mode, and the sandbox uses the sandbox data mapped by the second host virtual address space in the client mode.
Optionally, the apparatus further comprises:
the first encryption module is used for encrypting the sandbox data mapped by the first host virtual address space by using a first secret key of the sandbox in the host mode after the copied sandbox data is mapped to the second host virtual address space by the copy mapping module.
Optionally, the apparatus further comprises:
the sandbox starting module is used for acquiring a sandbox starting instruction and starting the sandbox based on the sandbox starting instruction, wherein the sandbox is in a client mode when being started;
and the second encryption module is used for encrypting the sandbox data mapped by the virtual address space of the second host by using a second secret key of the sandbox in the client mode.
An embodiment of the present application further provides a CPU, and the CPU is configured to execute any one of the data security methods described above.
An embodiment of the present application further provides a chip, including: such as the CPU described above.
An embodiment of the present application further provides a computer device, including: such as the chip described above.
According to the data security method provided by the embodiment of the application, when the sandbox is created based on the sandbox creation instruction, the sandbox data of the sandbox is mapped into the host virtual address space, and the sandbox uses the sandbox data mapped by the first host virtual address space in the host mode; before starting the sandbox to enter the guest mode, the embodiment of the application can apply for a second host virtual address space different from a first host virtual address space in the host virtual address, copy the sandbox data, and map the copied sandbox data to the second host virtual address space, so that the sandbox uses the copied sandbox data mapped by the second host virtual address space in the guest mode, wherein the sandbox data mapped by the first host virtual address space can be encrypted based on a first secret key of the sandbox in the host mode. Based on the above processing, when the sandbox data is encrypted by using different keys in the host mode and the guest mode of the sandbox, because the sandbox uses the same content in the host mode and the guest mode, but the sandbox data mapped by different host virtual address spaces does not need to be analyzed in the guest mode, the sandbox data encrypted in the host mode does not need to be encrypted by using the corresponding key in the host mode in the present embodiment, so as to ensure the security of the sandbox data, and enable the sandbox to use the sandbox data mapped by the second host virtual address space in the guest mode to complete the normal implementation of the function in the guest mode. Therefore, the data security method provided by the embodiment of the application can guarantee normal realization of functions of the sandbox in the guest mode on the basis of guaranteeing data security of the sandbox.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a diagram of an exemplary container virtualization technology architecture;
FIG. 2 is an exemplary diagram of a container virtualization technology architecture incorporating sandboxing;
FIG. 3 is an exemplary diagram of a container virtualization technology architecture based on secure virtualization;
FIG. 4 is an example architecture diagram of a sandbox based on secure virtualization;
FIG. 5 is an example process diagram of sandbox creation and initiation;
FIG. 6 is an exemplary diagram of an address mapping layout for a sandbox;
FIG. 7 is a flow chart of a data security method provided by an embodiment of the present application;
FIG. 8 is another flow chart of a data security method provided by an embodiment of the present application;
FIG. 9 is a flowchart of a data security method according to an embodiment of the present application;
FIG. 10 is an exemplary diagram of hva addresses for sandboxes;
FIG. 11 is a block diagram of a data security device provided by an embodiment of the present application;
FIG. 12 is another block diagram of a data security device provided by an embodiment of the present application;
fig. 13 is a further block diagram of a data security device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
To facilitate understanding of the container virtualization technology, fig. 1 illustrates a container virtualization technology architecture, and as shown in fig. 1, the container virtualization technology architecture mainly includes: a CPU (Central Processing Unit) 10, a memory controller 20, and a physical memory 30;
among them, the CPU10 may create the container 12 through a container engine (Docker)11 and implement resource partitioning and virtualization at the operating system level by partitioning the resources of the operating system into isolated groups; in an optional specific implementation, under a container virtualization technology, a container engine may issue an image of an application program onto a physical host, so that a container is quickly created and run by using the image of the application program, and an operating system resource is divided for the container by the container technology to complete virtualization;
when a container is created, gvm (Secure virtual Machine) 13 in the CPU may allocate a memory space for the container in the physical memory 30, where the memory space of the container is mainly used for task consumption and supporting virtualization; it should be noted that gvm is a virtualization module supporting hardware, gvm can provide hardware resources on the processor, allowing a single machine to run multiple operating systems more efficiently and maintain security and resource isolation;
the memory controller 20 is hardware that controls the physical memory 30 and causes data exchange between the physical memory 30 and the CPU 10; in a typical computer system, the memory controller 20 is responsible for processing the memory access request, for example, the memory controller 20 may detect whether the cache records an address corresponding to the memory access request, if so, read data corresponding to the address from the cache, otherwise, traverse a page table of the memory to find the address and read data corresponding to the address.
In the container virtualization technology, containers are built on an operating system, so that the same kernel of the operating system is shared between the containers when system call is carried out, a hacker can attack the containers based on the kernel shared by the containers, and a large attack surface is provided for the hacker to attack the containers; based on this, the container virtualization technology can be combined with the sandbox technology, for the convenience of understanding, fig. 2 illustrates a container virtualization technology architecture combined with the sandbox technology, and as shown in fig. 1 and fig. 2, on the basis of the exemplary architecture of fig. 1, the exemplary architecture of fig. 2 further includes: sandbox (Sandbox) 14;
as can be seen from fig. 2, the CPU configures the sandbox for the container, so that the operation of the container is limited to the isolated environment provided by the sandbox, thereby reducing the attack surface of hackers on the container; in an alternative specific implementation of a sandbox, the sandbox may be implemented by the secure sandbox solution gVisor; it should be noted that the gvosor is a novel sandbox solution, and can provide a secure isolation environment for the container, specifically, the gvosor limits the container operation inside the sandbox by matching with a Kernel-based Virtual Machine (kvm), isolates the container inside from a physical host, and ensures data security inside the container and the physical host, and the gvosor isolates the container inside the sandbox from a Virtual Machine manager (Hypervisor) page table by using a nested page table mechanism with the help of the kvm;
under the sandbox mechanism, the sandbox is divided into two modes, namely a guest mode and a host mode, wherein the guest mode can be used for running a virtualized guest operating system, and in the guest mode, part of instructions change the characteristics of the instruction to facilitate the realization of virtualization; the host mode is an operating mode corresponding to the guest mode, and is set when the processor is reset or the guest mode is exited.
Although sandboxes can provide an isolation environment for container operation, current sandbox technology lacks confidentiality protection for sandbox data (including sandbox code segments, page table data, etc.), and when a sandbox has a system bug, side channel attack, etc., the sandbox data is likely to escape from the sandbox limit and be stolen.
In order to solve the technical problems, a secret key can be distributed to the sandbox by taking the sandbox as a unit by utilizing a safe virtualization thought, so that the sandbox data can be encrypted and protected by using the secret key of the sandbox, and even if the sandbox data escapes from the limitation of the sandbox due to system loopholes, side channel attacks and the like, the sandbox data cannot be decrypted and stolen by hackers due to encryption protection; however, since there are two modes of sandbox, the keys assigned by the sandbox in the guest mode and the host mode are different, which causes a further problem in the case where the sandbox shares sandbox data in the guest mode and the host mode; this will be explained in detail below.
For the sake of understanding, fig. 3 illustrates a container virtualization technology architecture based on secure virtualization, and in conjunction with fig. 2 and fig. 3, the container virtualization technology architecture shown in fig. 3 further provides that, in conjunction with the sandbox technology, the container virtualization technology architecture further includes: the safety processor 40, the safety processor 40 is a specially configured processor responsible for data safety based on the safety virtualization technology;
as shown in FIG. 3, gvm13 in the CPU may communicate with the secure processor 40, while the secure processor 40 may assign and manage keys for sandboxes; specifically, in two modes of the sandbox mechanism, the secure processor may use the sandbox as a unit to respectively allocate keys to a guest mode and a host mode of the sandbox; that is, the secure processor may assign different keys to different sandboxes, and one sandbox may assign different keys in the guest mode and the host mode.
Further, based on the example architecture of fig. 3, fig. 4 illustrates an example architecture of a sandbox based on secure virtualization, as shown in fig. 4:
a security processor can be set based on a security virtualization technology, the security processor can be responsible for data security, a secret key is distributed to the sandbox when the sandbox is created, and the secret keys of the sandbox in a host mode and a guest mode are different; the svm of the kernel is a virtualization module supporting hardware, the kvm carries out kernel driving and is responsible for hardware resource management of the svm, and the CPU is in a host mode and runs on a ring0 layer;
in a sandbox solution, the container engine may create a sandbox and start a sandbox for the container via a sandbox control component (e.g., a gVisor component) to provide an isolated environment for the container to run via the created and started sandbox; specifically, when creating a sandbox, a sandbox control component (e.g., a gVisor component) starts two sub-processes: gofer operating at ring3 level in host mode, and Sentry operating at ring3 level in host mode; the Gofer is responsible for uniformly controlling the authority of the inside of the sandbox for accessing the system files;
when the sandbox is started after being created, the container is limited in the sandbox and runs at the ring3 level in a gust mode, and the Sentry is switched to the gust mode and runs at the ring0 level, at this time, the Sentry can be used for providing a system call for the sandbox internal container for support, specifically, the Sentry is in the gust mode, if the system call of the sandbox internal container is detected, the Sentry is switched to a host mode to interact with gvm, and therefore the system call of the sandbox internal container is executed through a kernel;
it should be further noted that the processor performs access control through a multi-level ring layer, the ring layer is generally divided into 4 levels, and according to the sequence of the access rights from high to low, the ring layer is divided into a ring0 layer to a ring3 layer, the ring0 layer has the highest access right, and the ring3 layer has the lowest access right; generally, an application program runs on a ring3 layer and can only access data of a ring3 layer, an operating system runs on a ring0 and can access data of all layers, other drivers run on ring1 and ring2 layers, and each layer can only access data of the layer and data of lower layers.
Based on the Container encryption system software architecture illustrated in fig. 4, for example, a sandbox solution (e.g., gvosor) is written in accordance with the OCI (Open Container Initiative) standard, and fig. 5 illustrates an exemplary process of sandbox creation and startup, as illustrated in fig. 5:
when the gVisor component receives a sandbox creation instruction (such as a CREATE instruction) sent by a container engine (such as a Docker), the gVisor component starts the processes Gofer and Sentry, and at the moment, the Gofer and the Sentry run in a host mode; meanwhile, when the sandbox is created, the secure processor may allocate a key to the created sandbox, specifically, may allocate a key in a host mode and a key in a guest mode to the sandbox;
sentry running in the host mode can encrypt the sandbox data based on the key of the sandbox in the host mode; after the sandbox is created, the sandbox already has a corresponding virtual processor (vCPU), and at the moment, the container engine can wait for sending a sandbox starting instruction, so that the sandbox enters a guest mode to continue running;
as shown in fig. 5, after the sandbox is created, the gviso component receives a sandbox starting instruction (e.g., a START instruction) sent by the container engine, and at this time, Sentry in host mode switches to guest mode operation; sentry in guest mode may switch to host mode operation again upon detecting a system call to the sandbox internal container to interact with gvm to execute the system call to the sandbox internal container through the kernel.
According to the process of creating and starting the sandbox, when the sandbox is created, the data of the sandbox is encrypted by using a secret key of the sandbox in a host mode, and when the sandbox is started after the sandbox is created, the sandbox runs in a guest mode to provide system call for an internal container of the sandbox;
however, the key of the sandbox in the guest mode is different from the key of the sandbox in the host mode, and the sandbox shares the sandbox data in the guest mode and the host mode, which results in that the sandbox cannot decrypt the sandbox data encrypted in the host mode in the guest mode, thereby causing the abnormal function of the sandbox in the guest mode; specifically, in the example architecture of fig. 4 and the example process of fig. 5, if Sentry encrypts sandboxed data by using a key in the host mode, after Sentry switches to the guest mode, because the key of the sandbox in the host mode is different from that in the guest mode, Sentry cannot decrypt the sandboxed data encrypted in the host mode in advance, so that the system calling function of Sentry in the guest mode cannot be realized, and the function of the sandbox in the guest mode is abnormal;
therefore, although the sandbox encrypts the sandbox data by using the key in the host mode, the encryption protection of the sandbox data can be realized, but since the sandbox guest mode and the host mode share the sandbox data, the functional abnormality problem of the sandbox in the guest mode is derived.
To facilitate explanation of the case where sandbox shares sandbox data in both guest and host modes, FIG. 6 illustrates an example of an address mapping layout of the sandbox, as shown in FIG. 6, text (code segment), data (data segment), bss (bss segment, for holding global un-initialized data, initialized at 0), and heap (heap) as part of the sandbox data whose address layout in the guest virtual address (gva) and the host virtual address (hva) is the same; meanwhile, the address space layouts of mmap (file mapping region, which represents the mapping relationship between a file disk address and a section of virtual address in a process virtual address space), stack (stack region) and kernel (kernel) in gva and hva are also the same; that is, the sandbox shares the sandbox data in the guest mode and the host mode based on hva laid out at the same address;
it should be noted that the data mapping of the sandbox relates to the mapping of gva to hva (gpa), hva to hpa; wherein gva (guest virtual address) represents a guest virtual address, gpa (guest physical address) represents a guest physical address, hva (host virtual address) represents a host virtual address, and hpa (host physical address) represents a host physical address; that is, the sandbox guest virtual address (gva) to host physical address (hpa) needs to go through a 2-layer page table mapping, i.e. the sandbox internally establishes a mapping from the guest virtual address to the host virtual address, and the nested page table is responsible for converting the host virtual address to the host physical address, wherein the guest physical address (gpa) and the host virtual address (hva) have a fixed correspondence, i.e. one guest physical address corresponds to a certain host virtual address.
It can be seen from the above description that, under the idea of secure virtualization, the host mode and the guest mode of the sandbox have different keys, although the sandbox is created, the sandbox data is encrypted by using the key of the host mode, so that the security of the sandbox data can be guaranteed, and even if the sandbox data escapes from the limitation of the sandbox due to system loopholes, side channel attacks and other reasons, the sandbox data cannot be decrypted and stolen by hackers due to encryption protection; however, in the case where the host mode and the guest mode of the sandbox share sandbox data, the sandbox cannot decrypt the data in the guest mode, and the encrypted sandbox data in the host mode causes a functional abnormality of the sandbox in the guest mode; based on this, the embodiment of the application provides an improved data security scheme, and on the basis of carrying out encryption protection on sandbox data, normal realization of the sandbox function is ensured, so that data security of the sandbox and functional reliability of the sandbox are ensured.
One idea for achieving the above object in the embodiment of the present application is: after the sandbox is created and before the sandbox is started, copying the sandbox data, and applying for a new host virtual address space in the host virtual address to map the copied sandbox data; therefore, the sandbox uses the original sandbox data and encrypts the sandbox data by the key of the host mode in the host mode, and the sandbox uses the copied sandbox data and encrypts the sandbox data by the key of the guest mode in the guest mode, so that the sandbox uses sandbox data which has the same content but is mapped by different host virtual address spaces in the host mode and the guest mode, the sandbox does not need to analyze the sandbox data encrypted by the host mode in the guest mode, and the normal realization of the functions of the sandbox in the guest mode is guaranteed on the basis of guaranteeing the data security of the sandbox.
Based on the above thought, in an alternative implementation, fig. 7 illustrates an alternative flow of the data security method provided in the embodiment of the present application, where the flow may be implemented by being executed by a CPU, and referring to fig. 7, the flow may include:
step S10, a sandbox creating instruction is obtained, a sandbox is created based on the sandbox creating instruction, and a first host virtual address space is mapped in a host virtual address for sandbox data of the sandbox.
Optionally, in the embodiment of the present application, a sandbox may be created based on a sandbox creation instruction of a container engine (Docker); in a specific alternative implementation, the embodiment of the present application may start Gofer (in host mode, running at the ring3 level) and Sentry (in host mode, running at the ring3 level) based on a sandbox creation instruction, so as to implement sandbox creation.
When a sandbox is created, address mapping needs to be performed on sandbox data of the sandbox, and at this time, in the embodiment of the application, a first host virtual address space can be mapped in a host virtual address for the sandbox data of the sandbox;
in an alternative implementation, the full address mapping of sandboxed data may be implemented by 2-level page table mapping, i.e. establishing a page table mapping of guest virtual addresses (gva) to host virtual addresses (hva) of the sandboxed data, and establishing a mapping of host virtual addresses (hva) to host physical addresses (hpa) at nested pages, where the guest physical addresses (gpa) and host virtual addresses (hva) have a fixed correspondence, i.e. one guest physical address corresponds to a certain one host virtual address.
Optionally, step S10 may map the first host virtual address space for the sandboxed data in the host virtual address in the host mode.
Step S11, applying for a second host virtual address space in the host virtual address, where the second host virtual address space is different from the first host virtual address space.
Step S12, copying the sandbox data, and mapping the copied sandbox data to the second host virtual address space, where the sandbox uses the sandbox data mapped by the first host virtual address space in a host mode, and the sandbox uses the sandbox data mapped by the second host virtual address space in a guest mode.
In order to avoid the sandbox sharing the sandbox data mapped by the same host virtual address space in the host mode and the guest mode, in the embodiment of the application, a second host virtual address space different from the first host virtual address space can be applied in the host virtual address, and the second host virtual address space can be a host virtual address space which is free in the host virtual address and different from the first host virtual address space;
furthermore, in the embodiment of the present application, the sandbox may copy the sandbox data in the host mode based on the sandbox data of the sandbox created in step S10, and map the copied sandbox data to the requested second host virtual address space; the copied sandboxed data of the second host virtual address space mapping is thus used by the sandbox in the guest mode such that the sandbox uses sandboxed data of the same content, but different host virtual address space mappings, in the host mode and the guest mode.
Through the processing, even if the sandbox is in the host mode, the sandbox data mapped by the virtual address space of the first host is encrypted by using the first secret key of the sandbox in the host mode, and when the subsequent sandbox is started to enter the guest mode, the sandbox can also use the sandbox data mapped by the virtual address space of the second host in the guest mode without decrypting the encrypted sandbox data in the host mode, so that the normal function of the sandbox in the guest mode can be guaranteed; optionally, after the sandbox is started to enter the guest mode, the sandbox data mapped by the virtual address space of the second host may be encrypted based on the second key of the sandbox in the guest mode in the embodiment of the present application. For ease of illustration, the key of the sandbox in the host mode may be referred to as the first key, the key of the sandbox in the guest mode may be referred to as the second key,
alternatively, steps S11 and S12 may be performed in the host mode of the sandbox, i.e., steps S11 through S12 are performed before the sandbox is created and started (if the sandbox is started, the sandbox enters the guest mode).
According to the data security method provided by the embodiment of the application, when the sandbox is created based on the sandbox creation instruction, the sandbox data of the sandbox is mapped into the host virtual address space, and the sandbox uses the sandbox data mapped by the first host virtual address space in the host mode; before starting the sandbox to enter the guest mode, the embodiment of the application can apply for a second host virtual address space different from a first host virtual address space in the host virtual address, copy the sandbox data, and map the copied sandbox data to the second host virtual address space, so that the sandbox uses the copied sandbox data mapped by the second host virtual address space in the guest mode, wherein the sandbox data mapped by the first host virtual address space can be encrypted based on a first secret key of the sandbox in the host mode. Based on the above processing, when the sandbox data is encrypted by using different keys in the host mode and the guest mode of the sandbox, because the sandbox uses the same content in the host mode and the guest mode, but the sandbox data mapped by different host virtual address spaces does not need to be analyzed in the guest mode, the sandbox data encrypted in the host mode does not need to be encrypted by using the corresponding key in the host mode in the present embodiment, so as to ensure the security of the sandbox data, and enable the sandbox to use the sandbox data mapped by the second host virtual address space in the guest mode to complete the normal implementation of the function in the guest mode. Therefore, the data security method provided by the embodiment of the application can guarantee normal realization of functions of the sandbox in the guest mode on the basis of guaranteeing data security of the sandbox.
In a further alternative implementation, embodiments of the present application may implement a 2-level page table mapping for sandboxed data of the created sandbox, such that the sandboxed data of the created sandbox has a complete mapping of guest virtual addresses to host physical addresses; in addition, the embodiment of the application can also realize the mapping of a 2-layer page table aiming at the copied sandbox data, so that the copied sandbox data has the complete mapping from the virtual address of the client to the physical address of the host; optionally, fig. 8 shows another optional flow of the data security method provided in the embodiment of the present application, where the flow may be implemented by being executed by a CPU, and referring to fig. 8, the flow may include:
and step S20, obtaining a sandbox creating instruction, and creating the sandbox based on the sandbox creating instruction.
Step S21, mapping a first host virtual address space in a host virtual address for sandbox data of the sandbox, establishing page table mapping from a guest virtual address of the sandbox data to the first host virtual address space, and mapping a first host physical address space corresponding to the first host virtual address space in a nested page table.
According to the method and the device, after the sandbox is created based on the sandbox creating instruction, and the sandbox data of the sandbox is mapped to the first host virtual address space in the host virtual address space, 2-layer page table mapping can be established for the sandbox data of the sandbox, namely page table mapping from the client virtual address of the sandbox data to the first host virtual address space is established, and the first host physical address space corresponding to the first host virtual address space is mapped in the nested page table, so that complete mapping from the client virtual address of the sandbox data to the host physical address is achieved.
Step S22, applying for a second host virtual address space in the host virtual address, where the second host virtual address space is different from the first host virtual address space.
Step S23, copying the sandbox data, mapping the copied sandbox data to the second host virtual address space, establishing a page table mapping from the guest virtual address of the copied sandbox data to the second host virtual address space, and mapping the second host physical address space corresponding to the second host virtual address space in a nested page table.
In the embodiment of the application, after the used sandbox data is copied in the guest mode of the sandbox and the copied sandbox data is mapped to the newly applied second host virtual address space, 2-layer page table mapping can be established for the copied sandbox data, namely page table mapping from the client virtual address of the copied sandbox data to the second host virtual address space is established, and the second host physical address space corresponding to the second host virtual address space is mapped in the nested page table, so that complete mapping from the client virtual address of the copied sandbox data to the host physical address is realized. Alternatively, the client virtual addresses of the original sandboxed data and the copied sandboxed data may be the same.
After the processing is completed, the sandbox uses the sandbox data mapped by the first host virtual address space in the host mode, and the sandbox uses the sandbox data mapped by the second host virtual address space in the guest mode.
Furthermore, after mapping the copied sandbox data to the virtual address space of the second host, aiming at the originally created sandbox data of the sandbox, the embodiment of the application can use the first key of the sandbox in the host mode to encrypt and protect the created sandbox data of the sandbox, so that the safe protection of the sandbox data used by the sandbox in the host mode is realized; when the sandbox is started and enters the guest mode, the second secret key of the sandbox in the guest mode can be used for carrying out encryption protection on copied sandbox data, and therefore the security protection of the sandbox data used by the sandbox in the guest mode is achieved;
based on the above description, in an alternative implementation, fig. 9 illustrates yet another alternative flow of the data security method provided in the embodiment of the present application, where the flow may be implemented by being executed by a CPU, and as shown in fig. 9, the flow may include:
step S30, a sandbox creating instruction is obtained, a sandbox is created based on the sandbox creating instruction, and a first host virtual address space is mapped in a host virtual address for sandbox data of the sandbox.
Step S31, applying for a second host virtual address space in the host virtual address, where the second host virtual address space is different from the first host virtual address space.
And step S32, copying the sandbox data, and mapping the copied sandbox data to the virtual address space of the second host.
Optionally, the descriptions of step S30 to step S32 may be according to the corresponding parts above, and are not repeated here.
Step S33, encrypting the sandbox data mapped by the first host virtual address space using the first key of the sandbox in host mode.
After the sandbox data is copied and mapped to the second host virtual address space, the sandbox already has a basis for using the copied sandbox data in the guest mode, and in order to perform security protection on the sandbox data used by the sandbox in the host mode, the sandbox data mapped to the first host virtual address space can be encrypted by using the first key of the sandbox in the host mode in the embodiment of the application.
Alternatively, step S33 may be performed in the host mode of the sandbox.
And step S34, obtaining a sandbox starting instruction, and starting the sandbox based on the sandbox starting instruction.
Optionally, in the embodiment of the present application, the sandbox may be started based on a sandbox starting instruction of the container engine; and the sandbox is started, and a guest mode of the sandbox is entered.
And step S35, encrypting the sandbox data mapped by the virtual address space of the second host by using the second key of the sandbox in the guest mode.
The sandbox is started, and under the condition that the sandbox enters the guest mode, the sandbox can use sandbox data mapped by a virtual address space of the second host, and for performing security protection on the sandbox data used by the sandbox in the guest mode, the sandbox data mapped by the virtual address space of the second host can be encrypted by using a second secret key of the sandbox in the guest mode in the embodiment of the application.
Optionally, when the sandbox process is finished, the sandbox may actively call the sandbox resource release interface to release the sandbox resource.
In an alternative implementation, the sandbox data of the sandbox may include high order address data and low order address data, for example, mmap (file mapping area, representing the mapping relationship between a file disk address and a segment of a virtual address in a process virtual address space) and stack (stack area) in the sandbox data are located at the high order address, and text (code segment) and other data may be located at the low order address; for higher order address data and lower order address data in sandbox data, in an optional implementation, in the embodiment of the present application, when a second host virtual address space is applied, a host virtual address space of a higher order address and a host virtual address space of a lower order address are applied, and for convenience of description, the embodiment of the present application may divide the second host virtual address space into a third host virtual address space and a fourth host virtual address space, where the third host virtual address space is the host virtual address space of the applied higher order address and is used for mapping the higher order address data in the copied sandbox data, and the fourth host virtual address space is the host virtual address space of the applied lower order address and is used for mapping the lower order address data in the copied sandbox data; after the sandbox data is copied, the embodiment of the application can map the high-order address data and the low-order address data in the copied sandbox data to a third host virtual address space of the high-order address and a fourth host virtual address space of the low-order address respectively; it should be noted that, in the guest mode of the sandbox, the high-order address data mapped by the virtual address space of the third host and the low-order address data mapped by the virtual address space of the fourth host are encrypted based on the second key of the sandbox in the guest mode;
to facilitate understanding, as shown in the example of fig. 10, for a text (code segment) of a lower address, a new host virtual address space may be applied for in the lower address of hva (host virtual address), so that the copied text is mapped to the new host virtual address space; for the stack of higher order addresses, a new host virtual address space may be applied for the higher order address of hva (host virtual address) to map the copied stack to the new host virtual address space.
It should be further noted that the embodiment of the present application is not limited to the form of the encryption algorithm, for example, the encryption algorithms such as SM2, SM3, SM4, etc. may be used, and may also be extended to any other encryption algorithm; the virtualization technology adopted in the embodiment of the application can also be extended to other hardware or software virtualization technologies, and the kernel gvm module can be extended to any kernel module capable of normally starting the virtual machine.
In the embodiment of the application, before the sandbox is started to enter the guest mode, sandbox data such as a code segment of the sandbox and guest page table data can be copied, the copied sandbox data is mapped to a second host virtual address space newly applied in the host virtual address, and the second host virtual address space can correspond to a shadow space of the copied sandbox data, so that after the sandbox data is copied to the shadow space and mapping of a virtual address inside the virtual machine to a physical address of the shadow space is completed through 2-layer page table mapping, the sandbox can use the sandbox data of the originally created sandbox in the host mode, and can use the sandbox data copied by the shadow space in the guest mode, and the purpose that the sandbox uses sandbox data with the same content in the host mode and the guest mode but mapped by different host virtual address spaces is achieved;
furthermore, when the sandbox data is encrypted according to the requirement of safe virtualization, the sandbox data used by the sandbox in the host mode can be encrypted by using a first secret key of the sandbox in the host mode, the copied sandbox data used by the sandbox in the guest mode can be encrypted by using a second secret key of the sandbox in the guest mode, and the sandbox does not need to analyze the sandbox data encrypted in the host mode in the guest mode, so that the sandbox data can be encrypted by using the secret key to ensure the security of the sandbox data, and the sandbox can also use the sandbox data mapped by a second host virtual address space in the guest mode to normally realize the function in the guest mode.
Therefore, the data security method provided by the embodiment of the application can guarantee normal realization of functions of the sandbox in the guest mode on the basis of guaranteeing data security of the sandbox.
While various embodiments have been described above in connection with what are presently considered to be the embodiments of the disclosure, the various alternatives described in the various embodiments can be readily combined and cross-referenced without conflict to extend the variety of possible embodiments that can be considered to be the disclosed and disclosed embodiments of the disclosure.
In the following, a data security apparatus provided in the embodiment of the present application is described, where the data security apparatus described below may be considered as a functional module that is required to be provided by a CPU to implement the data security method provided in the embodiment of the present application. The contents of the data security device described below may be referred to in correspondence with the contents of the data security method described above.
In an alternative implementation, fig. 11 shows an alternative block diagram of a data security apparatus provided in an embodiment of the present application, and as shown in fig. 11, the apparatus may include:
a sandbox creating module 100, configured to obtain a sandbox creating instruction, create a sandbox based on the sandbox creating instruction, and map a first host virtual address space in a host virtual address for sandbox data of the sandbox;
a virtual address space application module 110, configured to apply for a second host virtual address space in the host virtual address, where the second host virtual address space is different from the first host virtual address space;
a copy mapping module 120, configured to copy the sandbox data, and map the copied sandbox data to the second host virtual address space, where the sandbox uses the sandbox data mapped by the first host virtual address space in the host mode, and encrypts the sandbox data with the first key in the host mode, and the sandbox uses the sandbox data mapped by the second host virtual address space in the client mode.
Optionally, fig. 12 shows another optional block diagram of the data security apparatus provided in the embodiment of the present application, and in combination with fig. 11 and 12, the apparatus may further include:
a first page table mapping module 130, configured to establish a page table mapping from a guest virtual address of the sandbox data to a first host virtual address space after the sandbox creating module 100 maps the first host virtual address space in the host virtual address for the sandbox data of the sandbox, and map a first host physical address space corresponding to the first host virtual address space in a nested page table;
a second page table mapping module 140, configured to establish a page table mapping from the guest virtual address of the copied sandboxed data to the second host virtual address space after the copy mapping module 120 maps the copied sandboxed data to the second host virtual address space, and map a second host physical address space corresponding to the second host virtual address space in a nested page table.
Optionally, fig. 13 shows a further alternative block diagram of the data security apparatus provided in the embodiment of the present application, and in combination with fig. 11 and 13, the apparatus may further include:
a first encryption module 150, configured to encrypt the sandboxed data mapped by the first host virtual address space using the first key of the sandbox in host mode after the copied sandboxed data is mapped to the second host virtual address space by the copy mapping module 120;
the sandbox starting module 160 is configured to obtain a sandbox starting instruction, and start a sandbox based on the sandbox starting instruction, where the sandbox is in a client mode when being started;
a second encryption module 170, configured to encrypt the sandboxed data mapped by the second host virtual address space using a second key of the sandbox in client mode.
Optionally, the second host virtual address space includes: a third host virtual address space for higher order addresses and a fourth host virtual address space for lower order addresses;
the copy mapping module 120 is configured to map the copied sandboxed data to the second host virtual address space, and may specifically include:
mapping the high-order address data in the copied sandbox data to the virtual address space of the third host; and mapping the lower address data in the copied sandbox data to the fourth host virtual address space.
The data safety device that this application embodiment provided can guarantee the sandbox function normal realization under the guest mode on the basis of the data security of assurance sandbox.
The embodiment of the present application further provides a CPU, and the CPU can implement the data security method provided by the embodiment of the present application by loading the data security device described above. The CPU provided in the embodiments of the present application may be configured to execute the data security method provided in the embodiments of the present application.
The embodiment of the present application further provides a chip, such as an SOC (system on chip) chip, and the chip may include the CPU described above.
The embodiment of the present application further provides a computer device, and the computer device may include the chip described above.
Although the embodiments of the present application are disclosed above, the present application is not limited thereto. Various changes and modifications may be effected therein by one of ordinary skill in the pertinent art without departing from the scope or spirit of the present disclosure, and it is intended that the scope of the present disclosure be defined by the appended claims.

Claims (12)

1. A method of data security, comprising:
acquiring a sandbox creating instruction, creating a sandbox based on the sandbox creating instruction, and mapping a first host virtual address space in a host virtual address for sandbox data of the sandbox;
applying for a second host virtual address space in the host virtual address, the second host virtual address space being different from the first host virtual address space;
and copying the sandbox data, and mapping the copied sandbox data to the second host virtual address space, wherein the sandbox uses the sandbox data mapped by the first host virtual address space in a host mode, and the sandbox is encrypted by a first secret key of the sandbox in the host mode, and the sandbox uses the sandbox data mapped by the second host virtual address space in a client mode.
2. The data security method of claim 1, wherein after mapping the first host virtual address space in the host virtual address for sandboxed data of the sandbox, the method further comprises:
establishing page table mapping of the guest virtual address of the sandboxed data to the first host virtual address space, and mapping a first host physical address space corresponding to the first host virtual address space in a nested page table.
3. The data security method of claim 1, wherein after mapping the copied sandboxed data to the second host virtual address space, the method further comprises:
establishing page table mapping of the client virtual address of the copied sandbox data to the second host virtual address space, and mapping a second host physical address space corresponding to the second host virtual address space in a nested page table.
4. The data security method of claim 1, wherein after mapping the copied sandboxed data to the second host virtual address space, the method further comprises:
and encrypting the sandbox data mapped by the first host virtual address space by using a first secret key of the sandbox in the host mode.
5. The data security method of any one of claims 1-4, further comprising:
acquiring a sandbox starting instruction, and starting the sandbox based on the sandbox starting instruction, wherein the sandbox is in a client mode when being started;
and encrypting the sandboxed data mapped by the second host virtual address space by using a second key of the sandbox in the client mode.
6. The data security method of claim 1, wherein the second host virtual address space comprises: a third host virtual address space for higher order addresses and a fourth host virtual address space for lower order addresses; said mapping the copied sandboxed data to the second host virtual address space comprises:
mapping the high-order address data in the copied sandbox data to the virtual address space of the third host; and mapping the lower address data in the copied sandbox data to the fourth host virtual address space.
7. A data security apparatus, comprising:
the sandbox creating module is used for acquiring a sandbox creating instruction, creating a sandbox based on the sandbox creating instruction, and mapping a first host virtual address space in a host virtual address for sandbox data of the sandbox;
a virtual address space application module, configured to apply for a second host virtual address space in the host virtual address, where the second host virtual address space is different from the first host virtual address space;
and the copy mapping module is used for copying the sandbox data and mapping the copied sandbox data to the second host virtual address space, wherein the sandbox uses the sandbox data mapped by the first host virtual address space in the host mode and is encrypted by a first secret key of the sandbox in the host mode, and the sandbox uses the sandbox data mapped by the second host virtual address space in the client mode.
8. The data security device of claim 7, further comprising:
the first encryption module is used for encrypting the sandbox data mapped by the first host virtual address space by using a first secret key of the sandbox in the host mode after the copied sandbox data is mapped to the second host virtual address space by the copy mapping module.
9. The data security device of claim 7 or 8, further comprising:
the sandbox starting module is used for acquiring a sandbox starting instruction and starting the sandbox based on the sandbox starting instruction, wherein the sandbox is in a client mode when being started;
and the second encryption module is used for encrypting the sandbox data mapped by the virtual address space of the second host by using a second secret key of the sandbox in the client mode.
10. A CPU, characterized in that the CPU is configured to execute the data security method of any one of claims 1-6.
11. A chip, comprising: the CPU of claim 10.
12. A computer device, comprising: the chip of claim 11.
CN202011131321.7A 2020-10-21 2020-10-21 Data security method and device, CPU, chip and computer equipment Active CN112241309B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011131321.7A CN112241309B (en) 2020-10-21 2020-10-21 Data security method and device, CPU, chip and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011131321.7A CN112241309B (en) 2020-10-21 2020-10-21 Data security method and device, CPU, chip and computer equipment

Publications (2)

Publication Number Publication Date
CN112241309A true CN112241309A (en) 2021-01-19
CN112241309B CN112241309B (en) 2022-04-01

Family

ID=74169418

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011131321.7A Active CN112241309B (en) 2020-10-21 2020-10-21 Data security method and device, CPU, chip and computer equipment

Country Status (1)

Country Link
CN (1) CN112241309B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115470506A (en) * 2022-10-28 2022-12-13 山东华翼微电子技术股份有限公司 Homomorphic mapping-based secure file system implementation method

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106030602A (en) * 2014-03-28 2016-10-12 英特尔公司 Virtualization based intra-block workload isolation
CN106557701A (en) * 2016-11-28 2017-04-05 北京奇虎科技有限公司 kernel leak detection method and device based on virtual machine
CN106778244A (en) * 2016-11-28 2017-05-31 北京奇虎科技有限公司 Kernel Hole Detection process protection method and device based on virtual machine
CN106845270A (en) * 2017-01-17 2017-06-13 北京奇虎科技有限公司 A kind of seamless browsing method and device
CN108133153A (en) * 2017-11-29 2018-06-08 北京京航计算通讯研究所 Cloud storage safety access method based on sandbox technology
CN108234526A (en) * 2018-04-12 2018-06-29 厦门安胜网络科技有限公司 A kind of method, apparatus, equipment and readable medium that https data are obtained in sandbox
CN109343937A (en) * 2018-10-07 2019-02-15 张维加 A kind of distributed computing system of striding equipment deployment
CN109413189A (en) * 2018-11-05 2019-03-01 张维加 A kind of electronic trading system based on bottom translation
CN110059453A (en) * 2019-03-13 2019-07-26 中国科学院计算技术研究所 A kind of container virtualization safety reinforced device and method
US20190294779A1 (en) * 2018-03-23 2019-09-26 International Business Machines Corporation Secure system state extraction software extensibility via plugin sandboxing
CN111523114A (en) * 2020-03-11 2020-08-11 国网辽宁省电力有限公司大连供电公司 Mobile service application data anti-disclosure system based on security sandbox technology
CN111708660A (en) * 2020-06-17 2020-09-25 山东山大电力技术股份有限公司 Container sandbox-based backup system, recovery system and method

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106030602A (en) * 2014-03-28 2016-10-12 英特尔公司 Virtualization based intra-block workload isolation
CN106557701A (en) * 2016-11-28 2017-04-05 北京奇虎科技有限公司 kernel leak detection method and device based on virtual machine
CN106778244A (en) * 2016-11-28 2017-05-31 北京奇虎科技有限公司 Kernel Hole Detection process protection method and device based on virtual machine
CN106845270A (en) * 2017-01-17 2017-06-13 北京奇虎科技有限公司 A kind of seamless browsing method and device
CN108133153A (en) * 2017-11-29 2018-06-08 北京京航计算通讯研究所 Cloud storage safety access method based on sandbox technology
US20190294779A1 (en) * 2018-03-23 2019-09-26 International Business Machines Corporation Secure system state extraction software extensibility via plugin sandboxing
CN108234526A (en) * 2018-04-12 2018-06-29 厦门安胜网络科技有限公司 A kind of method, apparatus, equipment and readable medium that https data are obtained in sandbox
CN109343937A (en) * 2018-10-07 2019-02-15 张维加 A kind of distributed computing system of striding equipment deployment
CN109413189A (en) * 2018-11-05 2019-03-01 张维加 A kind of electronic trading system based on bottom translation
CN110059453A (en) * 2019-03-13 2019-07-26 中国科学院计算技术研究所 A kind of container virtualization safety reinforced device and method
CN111523114A (en) * 2020-03-11 2020-08-11 国网辽宁省电力有限公司大连供电公司 Mobile service application data anti-disclosure system based on security sandbox technology
CN111708660A (en) * 2020-06-17 2020-09-25 山东山大电力技术股份有限公司 Container sandbox-based backup system, recovery system and method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115470506A (en) * 2022-10-28 2022-12-13 山东华翼微电子技术股份有限公司 Homomorphic mapping-based secure file system implementation method
CN115470506B (en) * 2022-10-28 2023-03-10 山东华翼微电子技术股份有限公司 Homomorphic mapping-based secure file system implementation method

Also Published As

Publication number Publication date
CN112241309B (en) 2022-04-01

Similar Documents

Publication Publication Date Title
US11100253B2 (en) Enforcing restrictions related to a virtualized computer environment
CN109783188B (en) Cryptographic memory ownership table for secure public cloud
CN107077428B (en) Method, electronic system and computer storage medium for protecting application secret
US9300640B2 (en) Secure virtual machine
EP2913956B1 (en) Management control method and device for virtual machines
EP3281146B1 (en) Isolating guest code and data using multiple nested page tables
US9342343B2 (en) Wrapped nested virtualization
EP3326104B1 (en) Technologies for secure trusted i/o access control
CN110348204B (en) Code protection system, authentication method, authentication device, chip and electronic equipment
KR101323858B1 (en) Apparatus and method for controlling memory access in virtualized system
US11714895B2 (en) Secure runtime systems and methods
US20210306304A1 (en) Method and apparatus for distributing confidential execution software
US20200409740A1 (en) Systems, methods, and media for trusted hypervisors
US11327782B2 (en) Supporting migration of virtual machines containing enclaves
US20230403299A1 (en) Providing Access to Data in a Secure Communication
CN112241309B (en) Data security method and device, CPU, chip and computer equipment
WO2015148834A1 (en) Virtualization based intra-block workload isolation
US20170331627A1 (en) Key material management
CN112256394B (en) Process security method and device, CPU, chip and computer equipment
US20190303305A1 (en) Systems and methods for providing secure memory
JP2004272816A (en) System and method for performing multitask
WO2019209893A1 (en) Operating system on a computing system
CN112540833B (en) Process running method and device, processor, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant