CN112351022A - Security protection method and device for trust zone - Google Patents

Security protection method and device for trust zone

Info

Publication number
CN112351022A
Authority
CN
China
Prior art keywords
security
module
secpoint
network device
information
Legal status
Granted (Google Patents notes that the listed status is an assumption, not a legal conclusion)
Application number
CN202011191068.4A
Other languages
Chinese (zh)
Other versions
CN112351022B (en)
Inventor
黄凤贤
Current Assignee
New H3C Information Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd; priority to CN202011191068.4A
Publication of CN112351022A; application granted and published as CN112351022B
Legal status: Active

Classifications

    • H04L63/20: Network architectures or network communication protocols for managing network security; network security policies in general (under H04L63/00, Network architectures or network communication protocols for network security; H04L, Transmission of digital information, e.g. telegraphic communication; H04, Electric communication technique; H, Electricity)
    • H04L63/0428: Network architectures or network communication protocols for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L63/04 and H04L63/00)
    • H04L67/12: Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks (under H04L67/01, Protocols, and H04L67/00, Network arrangements or protocols for supporting network services or applications)

Abstract

The application provides a security protection method and device for a trust zone. The method is applied to a first security node (SecPoint) module and comprises the following steps: obtaining first security risk assessment information of a first network device; receiving a first synchronization message sent by a second SecPoint module, where the first synchronization message includes second security risk assessment information of the second network device on which the second SecPoint module is located; generating, from the first and second security risk assessment information, a regional security risk level for the region in which the first and second network devices are both located; generating an access control policy from the first security risk assessment information and the regional security risk level; and issuing the access control policy to the API access control module, so that when the API access control module receives an access request it processes the request according to the access control policy.

Description

Security protection method and device for trust zone
Technical Field
The present application relates to the field of communications technologies, and in particular, to a security protection method and apparatus for a trust zone.
Background
A Trusted Execution Environment (TEE) is an independent, isolated secure area provided by the processor of a network device. Inside it, loaded code and data run in a secure execution environment, and their confidentiality and integrity are protected.
An ARM-based TEE has three parts: hardware-isolated ARM TrustZone, trusted boot, and a Trusted OS. Fig. 1 is a schematic diagram of an ARM TrustZone application in the prior art. In fig. 1, the left side is the normal (user) operating environment, which runs ordinary applications; the right side is the secure environment of the system, which runs the Trusted OS and, on top of it, Trusted Applications (TAs) such as authentication, authorization management and DRM verification.
Following this design, the ARM Cortex-A series divides the hardware and software resources of a system on chip (SoC) into two worlds, the Secure World and the Normal (non-secure) World. Switching between them goes through Monitor Mode. If a kernel-mode program in the non-secure world needs to enter the secure world, it issues a Secure Monitor Call (SMC) instruction through an Application Programming Interface (API) function (the patent text calls this instruction an SMI).
In the ARM Cortex-M series, the secure and non-secure worlds are distinguished by address mapping and the switch is performed automatically by hardware. Resources in the secure world are accessed through APIs provided by software in the secure world.
In summary, a TEE provides security by isolation: the non-secure world cannot access the secure world directly, but only through the APIs the secure world exposes or indirectly through the SMC instruction. Likewise, inside the secure world, a trusted application reaches the resources of the secure world only through the APIs of the Trusted OS.
For network devices, isolation is the most effective security scheme, but ARM processors are used in many kinds of network devices in different scenarios, such as servers, Internet of Things (IoT) devices, mobile devices and wireless devices. The isolation provided inside the processor of a single device is not sufficient for the security of these devices, and in particular not for IoT devices: IoT terminals come in many types and large numbers, are distributed at the network edge close to users and real applications, and carry a high security risk.
With the arrival of 5G and the growth of edge computing, IoT terminals are becoming more capable, which brings further security risks. How to guarantee the security state of the IoT terminal, of the network edge region and of the API access process, on top of trust zone isolation, is therefore an urgent problem.
Disclosure of Invention
In view of this, the application provides a security protection method and device for a trust zone, which are used to solve the security problem of IoT terminals in IoT scenarios in the prior art.
In a first aspect, the present application provides a security protection method for a trust zone. The method is applied to a first security node (SecPoint) module, where the first SecPoint module is in the trust zone of a processor included in a first network device, the processor further includes a non-secure zone, and the trust zone and the non-secure zone each include an API access control module. The method includes:
obtaining first security risk assessment information of the first network device;
receiving a first synchronization message sent by a second SecPoint module, where the first synchronization message includes second security risk assessment information of the second network device on which the second SecPoint module is located;
generating, from the first and second security risk assessment information, a regional security risk level for the region in which the first and second network devices are both located;
generating an access control policy from the first security risk assessment information and the regional security risk level;
and issuing the access control policy to the API access control module, so that when the API access control module receives an access request it processes the request according to the access control policy.
In a second aspect, the present application provides a security protection apparatus for a trust zone. The apparatus is applied to a first security node (SecPoint) module, where the first SecPoint module is in the trust zone of a processor included in a first network device, the processor further includes a non-secure zone, and the trust zone and the non-secure zone each include an API access control module. The apparatus includes:
an obtaining unit, configured to obtain first security risk assessment information of the first network device;
a receiving unit, configured to receive a first synchronization message sent by a second SecPoint module, where the first synchronization message includes second security risk assessment information of the second network device on which the second SecPoint module is located;
a generating unit, configured to generate, from the first and second security risk assessment information, a regional security risk level for the region in which the first and second network devices are both located;
the generating unit being further configured to generate an access control policy from the first security risk assessment information and the regional security risk level;
and a sending unit, configured to issue the access control policy to the API access control module, so that when the API access control module receives an access request it processes the request according to the access control policy.
In a third aspect, the present application provides a network device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to perform the method provided by the first aspect of the present application.
Therefore, with the security protection method and device for a trust zone provided by the application, the first SecPoint module obtains the first security risk assessment information of the first network device. The first SecPoint module receives a first synchronization message sent by the second SecPoint module, which includes the second security risk assessment information of the second network device. From the first and second security risk assessment information, the first SecPoint module generates the security risk level of the region in which the first and second network devices are both located. The first SecPoint module generates an access control policy from the first security risk assessment information and the regional security risk level, and issues it to the API access control module, so that when the API access control module receives an access request it processes the request according to the policy.
This solves the security problem of IoT terminals in IoT scenarios in the prior art: the security state of the IoT terminal, the security state of the network edge region and the security state of the API access process are all guaranteed.
Drawings
FIG. 1 is a schematic diagram illustrating an application of ARM TrustZone in the prior art;
fig. 2 is a flowchart of a security protection method for a trust zone according to an embodiment of the present application;
fig. 3 is a schematic diagram of an enhanced trust zone security architecture provided in an embodiment of the present application;
fig. 4 is a schematic diagram of the format of the messages exchanged between SecPoint modules according to the embodiment of the present application;
fig. 5 is a schematic diagram of a format of a payload field according to an embodiment of the present application;
fig. 6 is a diagram of a security protection device structure of a trust zone according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the corresponding listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "upon", "when" or "in response to determining", depending on the context.
The following describes in detail the security protection method for a trust zone provided in an embodiment of the present application. Referring to fig. 2, fig. 2 is a flowchart of that method. The method is applied to a first security node (Security Point, SecPoint for short) module, and may include the following steps.
Step 210, obtaining first security risk assessment information of the first network device.
Specifically, the processor of the network device is divided internally into a trust zone and a non-secure zone. The trust zone contains the first SecPoint module, an API access control module, the GlobalPlatform TEE Internal API, Trusted Applications and Trusted Resources. The non-secure zone contains an API access control module, the GlobalPlatform TEE Client API and Client Applications.
It is understood that each network device in a network (e.g., an IoT network) includes a trust zone and a non-secure zone, and each zone includes the modules or components just listed.
In the embodiment of the present application, the SecPoint module is a component of the network device that detects and evaluates the device's security state. Its main functions are: 1) periodically scanning the network device for security vulnerabilities and producing a vulnerability assessment result; 2) detecting abnormal access to resources in the trust zone (memory, peripherals and so on); 3) synchronizing the device's security risk assessment information (its security risk level, the security score value corresponding to that level, and the risk APIs) to the SecPoint modules of the same region of the network; 4) receiving security intelligence sent by the security cloud center; 5) receiving and sending device status information; and 6) generating the access control policy (for example, for secure API access control on the device).
The main functions of the API access control module are to receive the access control policy issued by the SecPoint module and to process access requests from the Client API and the Internal API according to that policy.
As shown in fig. 3, which is a schematic diagram of the enhanced trust zone security architecture provided in the embodiment of the present application, each network device (each IoT device) in a network (e.g., an IoT network) includes a processor as shown in the first part of fig. 3.
Several network devices in the network can form a region within which security information is synchronized. The devices must satisfy the following conditions: 1) they are of the same type and the same physical form; 2) they run the same service; 3) their software running environments are the same or compatible; 4) their processors deploy ARM TrustZone; 5) their processors deploy a SecPoint module and an API access control module of compatible versions.
As shown in the second part of fig. 3, three network devices form one region in which security information is synchronized. Each device deploys a SecPoint module and an API access control module. The SecPoint modules synchronize the security risk assessment information of their devices with each other, and each SecPoint module exchanges security intelligence and alarm information with the security cloud center.
The first SecPoint module in fig. 3 is taken as an example for explanation. The first SecPoint module is in a trust zone within a processor comprised by the first network device.
Before step 210, the first SecPoint module generates the first security risk assessment information of the first network device.
Specifically, the first SecPoint module periodically scans the first network device for security vulnerabilities, evaluates them, and produces a vulnerability assessment result for the device. The security cloud center generates security intelligence and sends it to every SecPoint module in the network, so the first SecPoint module also receives that intelligence.
In one implementation, from the vulnerability assessment result and the security intelligence, the first SecPoint module determines the security score value of the first network device, the security risk level corresponding to that score, and the risk APIs.
In another implementation, the first SecPoint module monitors the trust zone for abnormal access requests to its resources (memory, peripherals) and determines the risk APIs from those abnormal requests.
In either implementation, once the risk APIs are determined, the first SecPoint module may generate an API list and store the identifiers of the risk APIs in it.
The first SecPoint module then generates the first security risk assessment information from the security score value, the corresponding security risk level, and the risk APIs.
In more detail: first, the first SecPoint module determines the security score value from the vulnerability assessment result and the security intelligence. Then it looks up the interval to which the score belongs, and that interval gives the security risk level of the first network device.
In this embodiment there are three security risk levels, low, medium and high, each corresponding to a security score interval. For example, low corresponds to scores 0-40, medium to 41-70 and high to 71-100 (a higher score means higher risk).
For instance, a security score of 39 gives a low security risk level, 50 gives medium, and 89 gives high. Finally, the first SecPoint module combines the security score value, the corresponding security risk level and the risk APIs into the first security risk assessment information of the first network device.
In this step, the first SecPoint module obtains the first security risk assessment information that it generated for its own device.
Step 220, receiving a first synchronization message sent by a second SecPoint module, where the first synchronization message includes second security risk assessment information of the second network device on which the second SecPoint module is located.
As described under step 210, every SecPoint module in the network generates security risk assessment information for its own device, for example the second and third SecPoint modules in fig. 3. The second SecPoint module is in the trust zone of the processor of the second network device, and the third in that of the third network device.
The second SecPoint module generates second security risk assessment information for the second network device and, likewise, the third generates third security risk assessment information for the third network device.
Taking the second SecPoint module as the example: after generating the second security risk assessment information, it sends the first SecPoint module a first synchronization message containing that information.
On receiving the first synchronization message, the first SecPoint module extracts the second security risk assessment information from it.
Fig. 4 shows the format of the messages exchanged between SecPoint modules. A message consists of a Version field, a Type field, a Length field, an Identifier field, a source IP address field, a destination IP address field and a Payload field.
The version field is 8 bits and gives the message version. The type field is 8 bits and gives the message type. The length field is 16 bits and gives the message length, defined as the total length of the version, type, length and payload fields. The identifier field is 8 bits and identifies the message: a request and its response carry the same ID, and the ID stays the same when a message is retransmitted.
Table 1 gives the meaning of the type field values. (Table 1 is an image in the original publication and is not reproduced here.)
The payload field carries the content to be synchronized in TLV format, shown in fig. 5.
A TLV consists of a Type field, a Length field and a Value field. The type field is 8 bits and gives the option type. The length field is 8 bits and gives the length of the whole TLV, i.e. the total length of the type, length and value fields.
In this embodiment, the messages exchanged between SecPoint modules are unicast IP messages, which may be carried over UDP and may be encrypted or unencrypted. Each SecPoint module is configured with a fixed port on which it receives messages from other SecPoint modules, and it may listen on that port periodically.
Step 230, generating a regional security risk level of the same region where the first network device and the second network device are located according to the first security risk assessment information and the second security risk assessment information.
As described under step 220, after extracting the second security risk assessment information from the first synchronization message, the first SecPoint module reads from it the second security risk level of the second network device, the security score value corresponding to that level, and the risk APIs.
From the first security risk level, its security score value and the risk APIs in the first security risk assessment information obtained in step 210, together with the second security risk level, its security score value and the risk APIs, the first SecPoint module generates the regional security risk level of the region in which the first and second network devices are both located.
In general, the first SecPoint module obtains the security risk assessment information synchronized by every SecPoint module in the network and generates from it the regional security risk level of the region in which those devices are located.
Specifically, the first SecPoint module determines the regional security risk level from the device security risk levels contained in the individual security risk assessment information.
Take the three network devices in fig. 3. If the security risk level of the first network device is medium and those of the second and third network devices are low, the first SecPoint module sets the security risk level of the region in which the three devices are located to low.
Step 240, generating an access control policy from the first security risk assessment information and the regional security risk level.
After generating the regional security risk level as described under step 230, the first SecPoint module generates the access control policy of the first network device from the first security risk assessment information and the regional security risk level. The API access control module uses this policy to control the access requests it receives.
In this embodiment there are four kinds of access control policy: deny all API access; deny API access from the non-secure zone; deny API access from the trust zone; and deny access to the APIs on the API list.
The first SecPoint module generates the access control policy of the first network device from the security risk level of the first network device contained in the first security risk assessment information and the regional security risk level, as shown in table 2.
Table 2 (access control policy table) is an image in the original publication and is not reproduced here.
Step 250, issuing the access control policy to the API access control module, so that when the API access control module receives an access request it processes the request according to the access control policy.
After generating the access control policy of the first network device as described under step 240, the first SecPoint module issues it to the API access control modules in the trust zone and in the non-secure zone of the first network device, so that each of them processes the access requests it receives according to that policy.
For example, when the access control policy of the first network device is "deny all API access", the first SecPoint module issues that policy to the API access control module, and the module then denies every access request, whichever API sends it.
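The score-to-level mapping of step 210, the regional aggregation of step 230 and the four policy types enforced in step 250 can be exercised together. The following Python is an added example written for this page, not code from the patent or from H3C. The regional aggregation rule is an assumption, since the patent gives only the single data point medium, low, low giving low: the most common level wins and a tie goes to the higher level. Table 2, which maps the device level and the regional level to one of the four policies, is not reproduced on this page, so the policy is passed in rather than derived. The zone names, API identifiers and the batch helper are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

LOW, MEDIUM, HIGH = "low", "medium", "high"
LEVEL_ORDER = {LOW: 0, MEDIUM: 1, HIGH: 2}


def risk_level(score):
    # Score intervals from the patent: 0-40 low, 41-70 medium, 71-100 high.
    # A higher score means higher risk; anything outside 0..100 is rejected.
    if not isinstance(score, int) or not 0 <= score <= 100:
        raise ValueError("security score must be an integer in 0..100")
    if score <= 40:
        return LOW
    if score <= 70:
        return MEDIUM
    return HIGH


def assess_device(score, risk_apis):
    # Security risk assessment information of one device: score, level, risk APIs.
    return {"score": score, "level": risk_level(score), "risk_apis": list(risk_apis)}


def regional_level(device_levels):
    # ASSUMPTION of this example (the patent states no rule): the most common
    # device level wins; a tie resolves to the higher level so the region
    # never under-reports risk.
    if not device_levels:
        raise ValueError("no assessments for the region")
    counts = Counter(device_levels)
    level, _ = max(counts.items(), key=lambda kv: (kv[1], LEVEL_ORDER[kv[0]]))
    return level


def region_from_assessments(local, synced):
    # The first SecPoint combines its own assessment with those synchronized
    # by the other SecPoint modules of the region.
    return regional_level([a["level"] for a in [local] + list(synced)])


# The four policy types listed in the patent.
DENY_ALL = "deny_all_api_access"
DENY_NONSECURE = "deny_nonsecure_zone_api_access"
DENY_TRUSTED = "deny_trust_zone_api_access"
DENY_LISTED = "deny_api_list"

ZONE_TRUST, ZONE_NONSECURE = "trust", "nonsecure"  # constructed zone names


@dataclass(frozen=True)
class AccessRequest:
    zone: str  # ZONE_TRUST for Internal API calls, ZONE_NONSECURE for Client API calls
    api: str   # identifier of the API being called (constructed names in the test)


def api_access_control(policy, risk_api_list, request):
    # Decision taken by the API access control module for one request.
    # Returns True to let the request through. An unknown zone or policy
    # raises instead of silently allowing, so a misconfiguration fails closed.
    if request.zone not in (ZONE_TRUST, ZONE_NONSECURE):
        raise ValueError("unknown zone %r" % request.zone)
    if policy == DENY_ALL:
        return False
    if policy == DENY_NONSECURE:
        return request.zone != ZONE_NONSECURE
    if policy == DENY_TRUSTED:
        return request.zone != ZONE_TRUST
    if policy == DENY_LISTED:
        return request.api not in set(risk_api_list)
    raise ValueError("unknown policy %r" % policy)


def filter_requests(policy, risk_api_list, requests):
    # Apply one policy to a batch of requests; returns (request, allowed) pairs.
    return [(r, api_access_control(policy, risk_api_list, r)) for r in requests]
```

The risk API list is the only policy input that depends on what the SecPoint module observed (step 210); the other three policies depend only on which zone the call comes from, which the API access control module in each zone already knows.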
Therefore, by applying the security protection method and device for the trust zone provided by the application, the first SecPoint module obtains the first security risk assessment information of the first network device and receives a first synchronization message sent by the second SecPoint module, the first synchronization message including the second security risk assessment information of the second network device. From the first and second security risk assessment information, the first SecPoint module generates the regional security risk level of the region in which the first network device and the second network device are both located. The first SecPoint module then generates an access control policy from the first security risk assessment information and the regional security risk level and issues it to the API access control module, so that when the API access control module receives an access request, it processes the request according to the access control policy.
This addresses the security problem of Internet of Things terminals in the Internet of Things scenario of the prior art: the security state of the Internet of Things terminal, the security state of the network edge area, and the security state of the API access process are all ensured.
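The loop summarised above (the module's own assessment, the peer's synchronised assessment, the regional level, the generated policy, and its enforcement by the API access control modules in both zones), as an added Python example. It is not code from the patent or from H3C. The risk-level scale, the rule that the regional level is the worst device level in the region, the two policy shapes (deny everything versus deny only the risk APIs), the module, message and field names, and the sample assessments are all assumptions constructed for the example.

```python
"""Added example, not code from the patent: one possible implementation of
the SecPoint policy loop (own assessment + peer sync message -> regional
risk level -> access control policy -> enforcement in both zones).

Constructed assumptions (not stated in the patent): the risk-level scale,
the rule that the regional level is the worst device level in the region,
the two policy shapes, and all message and field names.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet


class RiskLevel(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


@dataclass(frozen=True)
class RiskAssessment:
    """Security risk assessment information of one network device."""
    device_id: str
    security_score: int                 # assumed 0..100, higher is safer
    risk_level: RiskLevel               # level corresponding to the score
    risk_apis: FrozenSet[str] = frozenset()   # APIs judged risky on this device


@dataclass(frozen=True)
class SyncMessage:
    """Synchronisation message carrying a peer SecPoint's assessment."""
    sender: str
    assessment: RiskAssessment


@dataclass(frozen=True)
class AccessControlPolicy:
    deny_all: bool                      # the page's "all API access policy"
    denied_apis: FrozenSet[str]         # otherwise only these APIs are denied


class APIAccessControlModule:
    """Enforcement point; one instance per zone (trust / insecure)."""

    def __init__(self, zone: str) -> None:
        self.zone = zone
        self.policy = AccessControlPolicy(deny_all=False, denied_apis=frozenset())

    def install(self, policy: AccessControlPolicy) -> None:
        self.policy = policy

    def handle_request(self, api_name: str) -> bool:
        """Return True if the access request for api_name is allowed."""
        if self.policy.deny_all:
            return False
        return api_name not in self.policy.denied_apis


class SecPoint:
    def __init__(self, device_id: str, own: RiskAssessment) -> None:
        self.device_id = device_id
        self.own = own
        self.peer_assessments: Dict[str, RiskAssessment] = {}
        self.modules = {z: APIAccessControlModule(z) for z in ("trust", "insecure")}

    def receive_sync(self, msg: SyncMessage) -> None:
        self.peer_assessments[msg.sender] = msg.assessment

    def regional_risk_level(self) -> RiskLevel:
        # Assumption: the region is only as safe as its worst device.
        levels = [self.own.risk_level] + [a.risk_level for a in self.peer_assessments.values()]
        return max(levels)

    def generate_policy(self) -> AccessControlPolicy:
        if self.regional_risk_level() == RiskLevel.HIGH:
            return AccessControlPolicy(deny_all=True, denied_apis=frozenset())
        return AccessControlPolicy(deny_all=False, denied_apis=self.own.risk_apis)

    def issue_policy(self) -> AccessControlPolicy:
        """Generate the policy and push it to both zones' control modules."""
        policy = self.generate_policy()
        for module in self.modules.values():
            module.install(policy)
        return policy


def demo():
    """Walk through the loop with constructed sample data."""
    first = SecPoint("dev-1", RiskAssessment("dev-1", 82, RiskLevel.LOW, frozenset({"debug_shell"})))
    first.receive_sync(SyncMessage("dev-2", RiskAssessment("dev-2", 70, RiskLevel.MEDIUM)))
    policy_a = first.issue_policy()
    decisions_a = {api: first.modules["trust"].handle_request(api)
                   for api in ("read_sensor", "debug_shell")}

    # The peer later reports a HIGH level: the region degrades and all APIs are blocked.
    first.receive_sync(SyncMessage("dev-2", RiskAssessment("dev-2", 15, RiskLevel.HIGH, frozenset({"fw_write"}))))
    policy_b = first.issue_policy()
    decisions_b = {api: first.modules["insecure"].handle_request(api)
                   for api in ("read_sensor", "debug_shell")}
    return policy_a, decisions_a, policy_b, decisions_b


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point worth noticing is the second round: the first device's own assessment never changed, yet its enforcement switched from blocking one API to blocking every API purely because a peer in the same region reported a high level. That is the regional coupling the method relies on, and it is also why the synchronisation channel between SecPoint modules needs the same integrity protection as the assessments themselves.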
Optionally, in this embodiment of the present application, a process of mutually interacting messages by the SecPoint modules is further included.
Specifically, in one implementation, the second SecPoint module generates a first status request message to request the status information of the network devices where the other SecPoint modules are located. The second SecPoint module sends the first status request message to the first SecPoint module; the message carries the status information of the second network device where the second SecPoint module is located.
The first SecPoint module receives the first status request message, obtains from it the status information of the second network device where the second SecPoint module is located, and records that status information.
The first SecPoint module then generates a first status response message carrying the status information of the first network device and sends it to the second SecPoint module, so that the second SecPoint module obtains and records the status information of the first network device from the first status response message.
Optionally, in another implementation, the first SecPoint module generates a second status request message to request the status information of the network devices where the other SecPoint modules are located. The first SecPoint module sends the second status request message to the second SecPoint module; the message carries the status information of the first network device where the first SecPoint module is located.
The second SecPoint module receives the second status request message, obtains from it the status information of the first network device where the first SecPoint module is located, and records that status information.
The second SecPoint module then generates a second status response message carrying the status information of the second network device and sends it to the first SecPoint module, so that the first SecPoint module obtains and records the status information of the second network device from the second status response message.
In this embodiment, the state of a network device is either an Init state or a Normal state, and the status information carries one of these two states.
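The status request/response exchange described above, with each side recording the other's Init/Normal state, as an added Python example; it is not code from the patent or from H3C. The JSON wire shape, the message type and field names, the device identifiers, and the decision to reject a message carrying an unrecognised state instead of recording it are assumptions constructed for the example.

```python
"""Added example, not code from the patent: the status request/response
exchange between two SecPoint modules.  Each side records the peer's state,
which the patent restricts to Init or Normal.

Constructed assumptions: the JSON wire shape and field names, and that a
message with an unrecognised state value is rejected rather than recorded.
"""
import json
from enum import Enum
from typing import Dict


class DeviceState(Enum):
    INIT = "Init"
    NORMAL = "Normal"


def encode(kind: str, sender: str, state: DeviceState) -> bytes:
    """Serialise a status request or response (assumed JSON encoding)."""
    return json.dumps({"type": kind, "sender": sender, "state": state.value}).encode()


def decode(raw: bytes, expected_kind: str) -> Dict[str, object]:
    """Parse and validate a message; raises ValueError on a wrong type or state."""
    msg = json.loads(raw.decode())
    if msg.get("type") != expected_kind:
        raise ValueError(f"expected {expected_kind}, got {msg.get('type')!r}")
    # DeviceState(...) raises ValueError for any value other than "Init"/"Normal",
    # so a peer cannot plant an arbitrary state string in our records.
    return {"sender": str(msg["sender"]), "state": DeviceState(msg["state"])}


def is_rejected(raw: bytes, expected_kind: str) -> bool:
    """True when decode() refuses the message (exercises the validation path)."""
    try:
        decode(raw, expected_kind)
        return False
    except (ValueError, KeyError):
        return True


class SecPoint:
    def __init__(self, device_id: str, state: DeviceState = DeviceState.INIT) -> None:
        self.device_id = device_id
        self.state = state
        self.peer_states: Dict[str, DeviceState] = {}  # recorded states of other devices

    def build_status_request(self) -> bytes:
        # The request itself carries the requester's own state.
        return encode("status_request", self.device_id, self.state)

    def handle_status_request(self, raw: bytes) -> bytes:
        """Record the requester's state and answer with our own."""
        req = decode(raw, "status_request")
        self.peer_states[req["sender"]] = req["state"]
        return encode("status_response", self.device_id, self.state)

    def handle_status_response(self, raw: bytes) -> None:
        resp = decode(raw, "status_response")
        self.peer_states[resp["sender"]] = resp["state"]


def exchange(requester: SecPoint, responder: SecPoint) -> None:
    """One round trip: afterwards both sides hold each other's current state."""
    request = requester.build_status_request()
    response = responder.handle_status_request(request)
    requester.handle_status_response(response)


def demo():
    """Both directions of the exchange with constructed devices dev-1 and dev-2."""
    first = SecPoint("dev-1", DeviceState.NORMAL)
    second = SecPoint("dev-2", DeviceState.INIT)   # still initialising
    exchange(second, first)        # "first status request": second -> first
    snapshot = (dict(first.peer_states), dict(second.peer_states))
    second.state = DeviceState.NORMAL
    exchange(first, second)        # "second status request": first -> second
    return snapshot, (dict(first.peer_states), dict(second.peer_states))


if __name__ == "__main__":
    print(demo())
```

Because the request already carries the requester's state, a single round trip leaves both modules with a record of each other; the second exchange in `demo()` shows the recorded value being refreshed once dev-2 leaves Init. Validating the state value before storing it keeps the recorded table limited to the two states the embodiment defines.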
Optionally, this embodiment of the application further includes a process in which the first SecPoint module sends alarm information to the security cloud center.
Specifically, the first SecPoint module generates alarm information for the first network device, which includes, for example, a vulnerability alarm, an abnormal API access alarm, and an alarm for abnormal access to resources (memory, peripherals, etc.) in the trust zone of the first network device.
The first SecPoint module sends the alarm information of the first network device to the security cloud center, which records it.
It can be understood that each SecPoint module in the networking generates alarm information of the network device where the SecPoint module is located, and sends the alarm information to the security cloud center.
Based on the same inventive concept, the embodiment of the application also provides a security protection device of the trust zone corresponding to the security protection method of the trust zone. Referring to fig. 6, fig. 6 is a structural diagram of a security protection apparatus of a trust zone provided in this embodiment of the present application, where the apparatus is applied to a first security node SecPoint module, the first SecPoint module is located in a trust zone in a processor included in a first network device, the processor further includes an insecure zone, and the trust zone and the insecure zone respectively include API access control modules, and the apparatus includes:
an obtaining unit 610, configured to obtain first security risk assessment information of the first network device;
a receiving unit 620, configured to receive a first synchronization packet sent by a second SecPoint module, where the first synchronization packet includes second security risk assessment information of a second network device where the second SecPoint module is located;
a generating unit 630, configured to generate, according to the first security risk assessment information and the second security risk assessment information, a regional security risk level of a same region where the first network device and the second network device are located;
the generating unit 630 is further configured to generate an access control policy according to the first security risk assessment information and the regional security risk level;
a sending unit 640, configured to issue the access control policy to the API access control module, so that when the API access control module receives an access request, it performs corresponding processing on the access request according to the access control policy.
Optionally, the receiving unit 620 is further configured to receive a first status request packet sent by the second SecPoint module, where the first status request packet includes status information of a second network device where the second SecPoint module is located;
the device further comprises: a recording unit (not shown in the figure) for recording status information of the second network device;
the sending unit 640 is further configured to send a first status response packet to the second SecPoint module, where the first status response packet includes status information of the first network device.
Optionally, the generating unit 630 is further configured to periodically scan the security vulnerability of the first network device, and generate a security vulnerability assessment result of the first network device;
the receiving unit 620 is further configured to receive security intelligence sent by a security cloud center;
the device further comprises: a determining unit (not shown in the figure), configured to determine, according to the security vulnerability assessment result of the first network device and the security intelligence, a security score value of the first network device, a security risk level of the first network device corresponding to the security score value, and a risk API, or monitor an abnormal access request existing in the trust zone, and determine the risk API;
the generating unit 630 is further configured to generate the first security risk assessment information according to the security score value of the first network device, the security risk level of the first network device corresponding to the security score value, and the risk API.
Optionally, the sending unit 640 is further configured to send a second status request packet to the second SecPoint module, where the second status request packet includes status information of the first network device, so that the second SecPoint module records the status information of the first network device and feeds back a second status response packet, where the first status response packet includes the status information of the second network device.
Optionally, the sending unit 640 is further configured to send the alarm information of the first network device to the security cloud center, so that the security cloud center records the alarm information of the first network device.
Therefore, by applying the security protection device for the trust zone provided by the application, the device obtains the first security risk assessment information of the first network device and receives a first synchronization message sent by a second SecPoint module, the first synchronization message including the second security risk assessment information of the second network device. From the first and second security risk assessment information, the device generates the regional security risk level of the region in which the first network device and the second network device are both located. The device then generates an access control policy from the first security risk assessment information and the regional security risk level and issues it to the API access control module, so that when the API access control module receives an access request, it performs corresponding processing on the request according to the access control policy.
This addresses the security problem of Internet of Things terminals in the Internet of Things scenario of the prior art: the security state of the Internet of Things terminal, the security state of the network edge area, and the security state of the API access process are all ensured.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
For the safety protection device embodiment of the trust zone, since the content of the method involved is basically similar to that of the foregoing method embodiment, the description is relatively simple, and the relevant points can be referred to the partial description of the method embodiment.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A security protection method of a trust zone is applied to a first security node (SecPoint) module, the first SecPoint module is in a trust zone in a processor included in a first network device, the processor further includes an insecure zone, the trust zone and the insecure zone respectively include an API access control module, and the method includes:
acquiring first security risk assessment information of the first network equipment;
receiving a first synchronous message sent by a second SecPoint module, wherein the first synchronous message comprises second security risk assessment information of a second network device where the second SecPoint module is located;
according to the first security risk assessment information and the second security risk assessment information, generating a regional security risk level of the same region where the first network equipment and the second network equipment are located;
generating an access control policy according to the first security risk assessment information and the regional security risk level;
and issuing the access control policy to the API access control module, so that when the API access control module receives an access request, corresponding processing is executed on the access request according to the access control policy.
2. The method of claim 1, further comprising:
receiving a first state request message sent by the second SecPoint module, wherein the first state request message includes state information of a second network device where the second SecPoint module is located;
recording the state information of the second network equipment;
and sending a first state response message to the second SecPoint module, wherein the first state response message comprises the state information of the first network equipment.
3. The method of claim 1, wherein prior to obtaining the first security risk assessment information for the first network device, the method further comprises:
periodically scanning the security vulnerability of the first network equipment to generate a security vulnerability assessment result of the first network equipment;
receiving security intelligence sent by a security cloud center;
according to the security vulnerability assessment result of the first network equipment and the security intelligence, determining a security score value of the first network equipment, a security risk level of the first network equipment corresponding to the security score value and a risk API, or monitoring an abnormal access request existing in the trust zone and determining the risk API;
and generating the first security risk assessment information according to the security score value of the first network equipment, the security risk level of the first network equipment corresponding to the security score value and the risk API.
4. The method of claim 1, further comprising:
and sending a second state request message to the second SecPoint module, where the second state request message includes state information of the first network device, so that the second SecPoint module records the state information of the first network device and feeds back a second state response message, where the first state response message includes the state information of the second network device.
5. The method of claim 3, further comprising:
and sending the alarm information of the first network equipment to the security cloud center so that the security cloud center records the alarm information of the first network equipment.
6. A security protection apparatus for a trust zone, where the apparatus is applied to a first security node SecPoint module, where the first SecPoint module is in a trust zone in a processor included in a first network device, the processor further includes an insecure zone, and the trust zone and the insecure zone respectively include API access control modules, and the apparatus includes:
an obtaining unit, configured to obtain first security risk assessment information of the first network device;
a receiving unit, configured to receive a first synchronization packet sent by a second SecPoint module, where the first synchronization packet includes second security risk assessment information of a second network device where the second SecPoint module is located;
a generating unit, configured to generate, according to the first security risk assessment information and the second security risk assessment information, a regional security risk level of a same region where the first network device and the second network device are located;
the generating unit is further configured to generate an access control policy according to the first security risk assessment information and the regional security risk level;
and a sending unit, configured to issue the access control policy to the API access control module, so that when the API access control module receives an access request, corresponding processing is executed on the access request according to the access control policy.
7. The apparatus according to claim 6, wherein the receiving unit is further configured to receive a first status request packet sent by the second SecPoint module, where the first status request packet includes status information of a second network device where the second SecPoint module is located;
the device further comprises: a recording unit, configured to record status information of the second network device;
the sending unit is further configured to send a first status response packet to the second SecPoint module, where the first status response packet includes status information of the first network device.
8. The apparatus according to claim 6, wherein the generating unit is further configured to periodically scan for a security vulnerability of the first network device, and generate a security vulnerability assessment result of the first network device;
the receiving unit is further configured to receive security intelligence sent by the security cloud center;
the device further comprises: a determining unit, configured to determine, according to a security vulnerability assessment result of the first network device and the security intelligence, a security score value of the first network device, a security risk level of the first network device corresponding to the security score value, and a risk API, or monitor an abnormal access request existing in the trust zone, and determine the risk API;
the generating unit is further configured to generate the first security risk assessment information according to the security score value of the first network device, the security risk level of the first network device corresponding to the security score value, and the risk API.
9. The apparatus according to claim 6, wherein the sending unit is further configured to send a second status request packet to the second SecPoint module, where the second status request packet includes status information of the first network device, so that the second SecPoint module records the status information of the first network device and feeds back a second status response packet, and the first status response packet includes the status information of the second network device.
10. The apparatus according to claim 8, wherein the sending unit is further configured to send the alarm information of the first network device to the security cloud center, so that the security cloud center records the alarm information of the first network device.
CN202011191068.4A 2020-10-30 2020-10-30 Security protection method and device for trust zone Active CN112351022B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011191068.4A CN112351022B (en) 2020-10-30 2020-10-30 Security protection method and device for trust zone

Publications (2)

Publication Number Publication Date
CN112351022A true CN112351022A (en) 2021-02-09
CN112351022B CN112351022B (en) 2022-07-12

Family

ID=74356146

Country Status (1)

Country Link
CN (1) CN112351022B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230616

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.