CN112351022A - Security protection method and device for trust zone - Google Patents

Security protection method and device for trust zone Download PDF

Info

Publication number
CN112351022A
CN112351022A CN202011191068.4A CN202011191068A CN112351022A CN 112351022 A CN112351022 A CN 112351022A CN 202011191068 A CN202011191068 A CN 202011191068A CN 112351022 A CN112351022 A CN 112351022A
Authority
CN
China
Prior art keywords
security
module
secpoint
network device
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011191068.4A
Other languages
Chinese (zh)
Other versions
CN112351022B (en
Inventor
黄凤贤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Information Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou H3C Technologies Co Ltd filed Critical Hangzhou H3C Technologies Co Ltd
Priority to CN202011191068.4A priority Critical patent/CN112351022B/en
Publication of CN112351022A publication Critical patent/CN112351022A/en
Application granted granted Critical
Publication of CN112351022B publication Critical patent/CN112351022B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a security protection method and a device for a trust zone, wherein the method is applied to a first security node SecPoint module and comprises the following steps: acquiring first security risk assessment information of first network equipment; receiving a first synchronous message sent by a second SecPoint module, wherein the first synchronous message comprises second security risk assessment information of a second network device where the second SecPoint module is located; according to the first security risk assessment information and the second security risk assessment information, generating a regional security risk level of the same region where the first network equipment and the second network equipment are located; generating an access control strategy according to the first security risk assessment information and the regional security risk level; and issuing an access control policy to the API access control module so that when the API access control module receives an access request, corresponding processing is executed on the access request according to the access control policy.

Description

Security protection method and device for trust zone
Technical Field
The present application relates to the field of communications technologies, and in particular, to a security protection method and apparatus for a trust zone.
Background
A Trusted Execution Environment (TEE) refers to an independent and isolated secure area provided by a processor in a network device. In the safety area, a safe and feasible execution environment is provided for the loaded code and data, and the confidentiality and the integrity of the code and the data are protected.
The processor (e.g., ARM) TEE includes three parts: based on hardware-isolated ARM Trusted zones (TrustZones), Trusted boots (Trusted boot), and Trusted operating systems (Trusted OS). As shown in fig. 1, fig. 1 is a schematic diagram of an application of an ARM trust zone in the prior art. In fig. 1, the left side represents a user operating environment, which can run various applications; the right side represents the secure environment of the system, runs the Trusted operating system, and executes a Trusted Application (TA) program on the basis of the Trusted operating system. Such as authentication, authorization management, DRM authentication, etc.
Based on the design concept, the Cortex-A series included in ARM divides hardware resources and software resources of a system on chip (SoC) into two areas, namely a Secure World (Security World) and a non-Secure World (Normal World). The secure world and non-secure world are converted via a Monitor Mode. If the kernel mode program of the non-Secure world needs to enter the Secure world for operation, the kernel mode program needs to call a Secure Monitoring Interrupt (SMI) instruction through an Application Programming Interface (API) function.
ARM includes Cortex-M series, the distinction of the secure world from the non-secure world is based on address mapping and switching is performed automatically by hardware. Access to resources in the secure world is performed through APIs provided by software in the secure world.
In summary, TEE provides security by isolation, and non-secure world cannot directly access secure world, which can only directly enter secure world through API or indirectly through SMI command. Meanwhile, in the secure world, the trusted application program can only access the Trust OS through the API, so that various resources in the secure world can be accessed.
For network devices, isolation is the most effective security scheme, but since ARM is applied in various types of network devices in different scenarios, such as servers, internet of things devices, mobile devices, wireless devices, and so on. The security of the network devices cannot be satisfied only by an isolation mode arranged in a processor of one device, especially the internet of things device. The terminal type of thing networking is various, the quantity is many, network edge distributes, presses close to user and practical application, and the potential safety hazard is very high.
With the arrival of the 5G era and the development of edge computing, the intelligent degree of the Internet of things terminal is higher and higher, but more potential safety hazards are brought. Therefore, how to guarantee the security state of the terminal of the internet of things, the security state in the edge area of the network, and the security state in the API access process is a problem to be considered urgently on the basis of trust area isolation.
Disclosure of Invention
In view of this, the application provides a security protection method and device for a trust zone, which are used for solving the security problem of an internet of things terminal in the internet of things scene in the prior art.
In a first aspect, the present application provides a security protection method for a trust zone, where the method is applied to a first security node SecPoint module, where the first SecPoint module is in a trust zone in a processor included in a first network device, the processor further includes an insecure zone, and the trust zone and the insecure zone respectively include an API access control module, where the method includes:
acquiring first security risk assessment information of the first network equipment;
receiving a first synchronous message sent by a second SecPoint module, wherein the first synchronous message comprises second security risk assessment information of a second network device where the second SecPoint module is located;
according to the first security risk assessment information and the second security risk assessment information, generating a regional security risk level of the same region where the first network equipment and the second network equipment are located;
generating an access control strategy according to the first security risk assessment information and the regional security risk level;
and issuing the access control strategy to the API access control module so that when the access request received by the API access control module is received, corresponding processing is executed on the access request according to the access control strategy.
In a second aspect, the present application provides a security protection apparatus for a trust zone, where the apparatus is applied to a first security node SecPoint module, where the first SecPoint module is in a trust zone in a processor included in a first network device, the processor further includes an insecure zone, and the trust zone and the insecure zone respectively include an API access control module, where the apparatus includes:
an obtaining unit, configured to obtain first security risk assessment information of the first network device;
a receiving unit, configured to receive a first synchronization packet sent by a second SecPoint module, where the first synchronization packet includes second security risk assessment information of a second network device where the second SecPoint module is located;
a generating unit, configured to generate, according to the first security risk assessment information and the second security risk assessment information, a regional security risk level of a same region where the first network device and the second network device are located;
the generating unit is further configured to generate an access control policy according to the first security risk assessment information and the regional security risk level;
and the sending unit is used for issuing the access control strategy to the API access control module so as to execute corresponding processing on the access request according to the access control strategy when the access request is received by the API access control module.
In a third aspect, the present application provides a network device comprising a processor and a machine-readable storage medium storing machine-executable instructions executable by the processor, the processor being caused by the machine-executable instructions to perform the method provided by the first aspect of the present application.
Therefore, by applying the security protection method and device for the trust zone provided by the application, the first SecPoint module obtains the first security risk assessment information of the first network device. And the first SecPoint module receives a first synchronous message sent by the second SecPoint module, wherein the first synchronous message comprises second safety risk evaluation information of the second network equipment. And according to the first security risk assessment information and the second security risk assessment information, the first SecPoint module generates the security risk level of the area where the first network equipment and the second network equipment are located in the same area. And generating an access control strategy by the first SecPoint module according to the first security risk assessment information and the region security risk level. And the first SecPoint module issues an access control strategy to the API access control module, so that when the API access control module receives the access request, the access request is correspondingly processed according to the access control strategy.
Therefore, the safety problem of the Internet of things terminal in the Internet of things scene in the prior art is solved. The security state of the terminal of the Internet of things, the security state in the edge area of the network and the security state in the API access process are guaranteed.
Drawings
FIG. 1 is a schematic diagram illustrating an application of an ARM trusted zone in the prior art;
fig. 2 is a flowchart of a security protection method for a trust zone according to an embodiment of the present application;
fig. 3 is a schematic diagram of an enhanced trust zone security architecture provided in an embodiment of the present application;
fig. 4 is a schematic diagram of a format of a message interacted between SecPoint modules according to the embodiment of the present application;
fig. 5 is a schematic diagram of a format of a payload field according to an embodiment of the present application;
fig. 6 is a diagram of a security protection device structure of a trust zone according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the corresponding listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
The following describes in detail a security protection method for a trust zone provided in an embodiment of the present application. Referring to fig. 2, fig. 2 is a flowchart of a security protection method for a trust zone according to an embodiment of the present application. The method is applied to a first Security node (SecurityPoint, for short) module, and the Security protection method for the trust zone provided by the embodiment of the application may include the following steps.
Step 210, obtaining first security risk assessment information of the first network device.
Specifically, the network device includes a processor internally divided into a trusted zone and an unsecured zone. The trust zone comprises a first SecPoint module, an API access control module, a GlobalPlatform TEE Internal API, a Trusted Application (Trusted Application) and a Trusted resource (Trusted Resources). The non-secure area includes an API access control module, a GlobalPlatform TEE Client API, and a Client Application (Client Application).
It is understood that each network device in a networking (e.g., IOT networking) includes a trusted zone and an unsecured zone, and each zone includes the aforementioned modules or components.
In the embodiment of the present application, the SecPoint module is a component in the network device, which is used to detect and evaluate the security state of the network device. Its main functions include: the method comprises the steps of periodically scanning security vulnerabilities of network equipment to generate security vulnerability assessment results of the network equipment, detecting abnormal access to resources (internal memory, peripheral equipment and the like) in a trust zone, synchronizing security risk assessment information of the network equipment to a SecPoint module in the same zone in a networking (the security risk assessment information comprises security risk levels of the network equipment, security score values corresponding to the security risk levels and a risk API), receiving security information sent by a security cloud center, receiving/sending state information of the network equipment and generating an access control strategy (for example, API security access control of the network equipment).
The main functions of the API access control module include: and receiving an access control strategy issued by the SecPoint module, and executing corresponding processing on access requests sent by the Client API and the Internal API according to the access control strategy.
As shown in fig. 3, fig. 3 is a schematic diagram of an enhanced trust zone security architecture provided in the embodiment of the present application. Each network device (each IOT device) in a network (e.g., an IOT network) includes a processor as shown in the first part of fig. 3.
A plurality of network devices in the networking can form a region with synchronous safety information, and the network devices need to meet the following conditions: 1) the network devices of the same type with the same physical form; 2) the same service is operated; 3) the software running environments of the network devices are the same or compatible; 4) a processor of the network equipment deploys an ARM trust zone technology; 5) the processor of the network device deploys a SecPoint module and an API access control module, and the versions of the modules are compatible.
As shown in the second part of fig. 3, three network devices constitute one area in which security information is synchronized. Each network device deploys a SecPoint module and an API access control module. And the SecPoint modules mutually synchronize the security risk assessment information of the network equipment. And each SecPoint module and the security cloud center mutually synchronize security information and alarm information.
The first SecPoint module in fig. 3 is taken as an example for explanation. The first SecPoint module is in a trust zone within a processor comprised by the first network device.
Prior to step 210, the first SecPoint module further performs the step of generating first security risk assessment information for the first network device.
Further, the first SecPoint module periodically scans the security vulnerabilities of the first network device, evaluates the security vulnerabilities, and generates a security vulnerability evaluation result of the first network device. And the security cloud center generates security information and sends the security information to each SecPoint module in the networking. And the first SecPoint module receives the security information sent by the security cloud center.
In one implementation manner, according to the security vulnerability assessment result and the security intelligence of the first network device, the first SecPoint module determines the security score value of the first network device, the security risk level of the first network device corresponding to the security score value, and the risk API.
In another implementation, the first SecPoint module monitors the trust zone for an abnormal access request for the existence of resources (memory, external audit). And determining a risk API according to the abnormal access request.
It can be understood that, in the foregoing implementation manner, after the risk API is determined by the first SecPoint module, an API list may be generated, and an identifier of the risk API is stored in the API list.
And generating first security risk evaluation information by the first SecPoint module according to the security score value of the first network equipment, the security risk level of the first network equipment corresponding to the security score value and the risk API.
Furthermore, first, the first SecPoint module determines a security score value of the first network device according to a security vulnerability assessment result and security intelligence of the first network device. Then, the first SecPoint module searches the interval to which the security score value belongs according to the security score value of the first network device. And according to the interval to which the security score value belongs, the first SecPoint module determines the security risk level of the first network equipment.
In the embodiment of the present application, the security risk levels specifically include three levels, i.e., a low level, a medium level, and a high level, and each level corresponds to a security score interval. For example, the safety score interval corresponding to a low level is 0-40; the safety score interval corresponding to the middle level is 41-70; the safety score interval corresponding to the high level is 71-100.
In one example, if the security score value for the first network device is 39, the first SecPoint module may determine that the security risk level of the first network device is low. If the security score value of the first network device is 50, the first SecPoint module may determine that the security risk level of the first network device is a medium level. If the security score value for the first network device is 89, then the first SecPoint module may determine that the security risk level of the first network device is a high level. And finally, combining the security score value of the first network equipment, the security risk level of the first network equipment corresponding to the security score value and the risk API into first security risk evaluation information of the first network equipment by the first SecPoint module.
In this step, the first SecPoint module obtains first security risk assessment information of the device, which is generated by the first SecPoint module.
Step 220, receiving a first synchronization packet sent by a second SecPoint module, where the first synchronization packet includes second security risk assessment information of a second network device where the second SecPoint module is located.
Specifically, according to the description of step 210, each SecPoint module in the networking generates security risk assessment information of the device. For example, a second SecPoint module, a third SecPoint module in fig. 3. The second SecPoint module is in a trust zone in a processor included in the second network device; the third SecPoint module is in a trust zone within a processor comprised by the third network device.
The second network device generates second security risk assessment information of the second network device, and similarly, the third network device generates third security risk assessment information of the third network device.
The second SecPoint module is taken as an example for explanation. And after generating second security risk assessment information of the second network equipment, the second SecPoint module sends a first synchronous message to the first SecPoint module, wherein the first synchronous message comprises the second security risk assessment information.
And after receiving the first synchronous message, the first SecPoint module acquires second security risk assessment information from the first synchronous message.
Further, as shown in fig. 4, fig. 4 is a schematic diagram of a format of a message interacted between SecPoint modules according to the embodiment of the present application. The interactive message between the SecPoint modules comprises a Version (Version) field, a Type (Type) field, a Length (Length) field, an identification (Identifier) field, a source IP address field, a destination IP address field and a Payload (Payload) field.
Wherein, the version field occupies 8 bits and represents the version of the message. The type field occupies 8 bits and represents the type of the message. The length field occupies 16 bits and represents the length of the message, and comprises the total length of a version field, a type field, a length field and a payload field. And the identification field occupies 8 bits and represents the identification of the message, when the message type is a request and a response, the identification field of the message carries the same ID, and the ID is kept unchanged during the retransmission of the message.
Further, the meaning of the type field is shown in table 1.
TABLE 1 meanings of type fields
Figure BDA0002752794390000081
The payload field carries content to be synchronized, which is specifically in TLV format, as shown in fig. 5, and fig. 5 is a schematic diagram of a format of the payload field provided in the embodiment of the present application.
The TLV format includes a Type (Type) field, a Length (Length) field, and a Value (Value) field. Wherein the type field occupies 8 bits and represents the option type. The length field occupies 8 bits, representing the length of the TLV format, which includes the total length of the type field, the length field, and the value field.
In the embodiment of the present application, the messages exchanged between the SecPoint modules are unicast IP messages, and in the exchange process, the messages may be transmitted in a UDP manner, and may be encrypted or unencrypted. Each of the SecPoint modules configures a fixed port to receive messages sent by other SecPoint modules, and each of the SecPoint modules can periodically monitor the configured port so as to receive messages sent by other SecPoint modules.
Step 230, generating a regional security risk level of the same region where the first network device and the second network device are located according to the first security risk assessment information and the second security risk assessment information.
Specifically, according to the description of step 220, after the first SecPoint module acquires the second security risk assessment information from the first synchronization message, the second security risk level of the second network device, the security score value corresponding to the second security risk level, and the risk API are extracted from the second security risk assessment information.
The first SecPoint module generates a regional security risk level of the same region where the first network device and the second network device are located according to the first security risk level of the first network device, the security score value and the risk API corresponding to the first security risk level, the second security risk level of the second network device, the security score value and the risk API corresponding to the second security risk level, which are included in the first security risk assessment information acquired in step 210.
It can be understood that the first SecPoint module obtains the security risk assessment information synchronized by the SecPoint modules in the group network. And the first SecPoint module generates the region security risk level of the same region where each network device is located according to the synchronous security risk evaluation information of each SecPoint module.
Further, the first SecPoint module determines the security risk level of the area according to the security risk level of the network device included in each security risk assessment information.
For example 3 network devices in fig. 3. And if the security risk level of the first network device is a medium level, the security risk level of the second network device is a low level, and the security risk level of the third network device is a low level, the first SecPoint module generates that the security risk level of the region where the first network device, the second network device and the third network device are located in the agreed region is a low level.
And 240, generating an access control strategy according to the first security risk assessment information and the regional security risk level.
Specifically, according to the description in step 230, after the first SecPoint module generates the area security risk level, the access control policy of the first network device is generated according to the first security risk assessment information and the area security risk level. The access control policy is used for the API access control module to control the received access request.
Further, in the embodiment of the present application, the access control policy includes four types, which are respectively: all APIs access deny; API access deny of the non-safety area; API access deny of the trust zone; the APIs of the API list access deny.
Further, in this embodiment of the application, the first SecPoint module generates the access control policy of the first network device according to the security risk level of the first network device and the security risk level of the area, which are included in the first security risk assessment information. The access control policy is shown in table 2.
Table 2 access control policy table
Figure BDA0002752794390000101
And 250, issuing the access control policy to the API access control module, so that when the access request received by the API access control module is received, corresponding processing is performed on the access request according to the access control policy.
Specifically, according to the description in step 240, after the first SecPoint module generates the access control policy of the first network device, the first SecPoint module issues the access control policy to the API access control modules respectively included in the trust zone and the non-security zone of the first network device, so that when the API access control module receives the access request, the API access control module executes corresponding processing on the access request according to the access control policy.
For example, when the access control policy of the first network device is "all API access policy", the first SecPoint module issues the access control policy to the API access control module. And when the API access control module receives an access request sent by any API, according to the access control strategy, deny access requests of all the APIs.
Therefore, by applying the security protection method and device for the trust zone provided by the application, the first SecPoint module obtains the first security risk assessment information of the first network device. And the first SecPoint module receives a first synchronous message sent by the second SecPoint module, wherein the first synchronous message comprises second safety risk evaluation information of the second network equipment. And according to the first security risk assessment information and the second security risk assessment information, the first SecPoint module generates the security risk level of the area where the first network equipment and the second network equipment are located in the same area. And generating an access control strategy by the first SecPoint module according to the first security risk assessment information and the region security risk level. And the first SecPoint module issues an access control strategy to the API access control module, so that when the API access control module receives the access request, the access request is correspondingly processed according to the access control strategy.
Therefore, the safety problem of the Internet of things terminal in the Internet of things scene in the prior art is solved. The security state of the terminal of the Internet of things, the security state in the edge area of the network and the security state in the API access process are guaranteed.
Optionally, in this embodiment of the present application, a process of mutually interacting messages by the SecPoint modules is further included.
Specifically, in an implementation manner, the second SecPoint module generates a first status request packet to request status information of the network device where the other SecPoint modules are located. And the second SecPoint module sends a first state request message to the first SecPoint module, wherein the first state request message comprises the state information of the second network equipment where the second SecPoint module is positioned.
And the first SecPoint module receives the first state request message and acquires the state information of the second network equipment where the second SecPoint module is positioned from the first state request message. And the first SecPoint module records the state information of the second network equipment.
And the first SecPoint module generates a first state response message, wherein the first state response message comprises the state information of the first network equipment. And the first SecPoint module sends a first state response message to the second SecPoint module so that the second SecPoint module acquires and records the state information of the first network equipment from the first state response message.
Optionally, in another implementation manner, the first SecPoint module generates a second status request packet to request status information of the network device where the other SecPoint modules are located. And the first SecPoint module sends a second state request message to the second SecPoint module, wherein the second state request message comprises the state information of the first network equipment where the first SecPoint module is positioned.
And the second SecPoint module receives the second state request message and acquires the state information of the first network equipment where the first SecPoint module is positioned from the second state request message. And the second SecPoint module records the state information of the first network equipment.
And the second SecPoint module generates a second state response message, wherein the second state response message comprises the state information of the second network equipment. And the second SecPoint module sends a second state response message to the first SecPoint module so that the first SecPoint module acquires and records the state information of the second network equipment from the second state response message.
In this embodiment, the state of the network device specifically includes an Init state or a Normal state. The state information carries an Init state or a Normal state.
Optionally, in this embodiment of the application, a process of sending the warning information to the security cloud center by the first SecPoint module is further included.
Specifically, the first SecPoint module generates alarm information of the first network device, where the alarm information includes a vulnerability alarm, an abnormal API access alarm, an abnormal access alarm to resources (memory, peripheral equipment, etc.) in the trust zone, and the like of the first network device.
And the first SecPoint module sends the alarm information of the first network equipment to the security cloud center so that the security cloud center records the alarm information of the first network equipment.
It can be understood that each SecPoint module in the networking generates alarm information of the network device where the SecPoint module is located, and sends the alarm information to the security cloud center.
Based on the same inventive concept, the embodiment of the application also provides a security protection device of the trust zone corresponding to the security protection method of the trust zone. Referring to fig. 6, fig. 6 is a structural diagram of a security protection apparatus of a trust zone provided in this embodiment of the present application, where the apparatus is applied to a first security node SecPoint module, the first SecPoint module is located in a trust zone in a processor included in a first network device, the processor further includes an insecure zone, and the trust zone and the insecure zone respectively include API access control modules, and the apparatus includes:
an obtaining unit 610, configured to obtain first security risk assessment information of the first network device;
a receiving unit 620, configured to receive a first synchronization packet sent by a second SecPoint module, where the first synchronization packet includes second security risk assessment information of a second network device where the second SecPoint module is located;
a generating unit 630, configured to generate, according to the first security risk assessment information and the second security risk assessment information, a regional security risk level of a same region where the first network device and the second network device are located;
the generating unit 630 is further configured to generate an access control policy according to the first security risk assessment information and the regional security risk level;
a sending unit 640, configured to issue the access control policy to the API access control module, so that when the access request received by the API access control module is received, corresponding processing is performed on the access request according to the access control policy.
Optionally, the receiving unit 620 is further configured to receive a first status request packet sent by the second SecPoint module, where the first status request packet includes status information of a second network device where the second SecPoint module is located;
the device further comprises: a recording unit (not shown in the figure) for recording status information of the second network device;
the sending unit 640 is further configured to send a first status response packet to the second SecPoint module, where the first status response packet includes status information of the first network device.
Optionally, the generating unit 630 is further configured to periodically scan the security vulnerability of the first network device, and generate a security vulnerability assessment result of the first network device;
the receiving unit 620 is further configured to receive security information sent by a security cloud center;
the device further comprises: a determining unit (not shown in the figure), configured to determine, according to the security vulnerability assessment result of the first network device and the security intelligence, a security score value of the first network device, a security risk level of the first network device corresponding to the security score value, and a risk API, or monitor an abnormal access request existing in the trust zone, and determine the risk API;
the generating unit 630 is further configured to generate the first security risk assessment information according to the security score value of the first network device, the security risk level of the first network device corresponding to the security score value, and the risk API.
Optionally, the sending unit 640 is further configured to send a second status request packet to the second SecPoint module, where the second status request packet includes status information of the first network device, so that the second SecPoint module records the status information of the first network device and feeds back a second status response packet, where the first status response packet includes the status information of the second network device.
Optionally, the sending unit 640 is further configured to send the alarm information of the first network device to the security cloud center, so that the security cloud center records the alarm information of the first network device.
Therefore, by applying the security protection device for the trust zone provided by the application, the device obtains the first security risk assessment information of the first network device. The device receives a first synchronous message sent by a second SecPoint module, wherein the first synchronous message comprises second security risk assessment information of second network equipment. According to the first security risk assessment information and the second security risk assessment information, the device generates a regional security risk level of the same region where the first network equipment and the second network equipment are located. And generating an access control strategy by the device according to the first security risk assessment information and the regional security risk level. The device issues an access control strategy to the API access control module, so that when the API access control module receives an access request, corresponding processing is executed on the access request according to the access control strategy.
Therefore, the safety problem of the Internet of things terminal in the Internet of things scene in the prior art is solved. The security state of the terminal of the Internet of things, the security state in the edge area of the network and the security state in the API access process are guaranteed.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
For the safety protection device embodiment of the trust zone, since the content of the method involved is basically similar to that of the foregoing method embodiment, the description is relatively simple, and the relevant points can be referred to the partial description of the method embodiment.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A security protection method of a trust zone is applied to a first security node (SecPoint) module, the first SecPoint module is in a trust zone in a processor included in a first network device, the processor further includes an insecure zone, the trust zone and the insecure zone respectively include an API access control module, and the method includes:
acquiring first security risk assessment information of the first network equipment;
receiving a first synchronous message sent by a second SecPoint module, wherein the first synchronous message comprises second security risk assessment information of a second network device where the second SecPoint module is located;
according to the first security risk assessment information and the second security risk assessment information, generating a regional security risk level of the same region where the first network equipment and the second network equipment are located;
generating an access control strategy according to the first security risk assessment information and the regional security risk level;
and issuing the access control strategy to the API access control module so that when the access request received by the API access control module is received, corresponding processing is executed on the access request according to the access control strategy.
2. The method of claim 1, further comprising:
receiving a first state request message sent by the second SecPoint module, wherein the first state request message includes state information of a second network device where the second SecPoint module is located;
recording the state information of the second network equipment;
and sending a first state response message to the second SecPoint module, wherein the first state response message comprises the state information of the first network equipment.
3. The method of claim 1, wherein prior to obtaining the first security risk assessment information for the first network device, the method further comprises:
periodically scanning the security vulnerability of the first network equipment to generate a security vulnerability assessment result of the first network equipment;
receiving safety information sent by a safety cloud center;
according to the security vulnerability assessment result of the first network equipment and the security information, determining a security score value of the first network equipment, a security risk level of the first network equipment corresponding to the security score value and a risk API, or monitoring an abnormal access request existing in the trust zone and determining the risk API;
and generating the first security risk assessment information according to the security score value of the first network equipment, the security risk level of the first network equipment corresponding to the security score value and the risk API.
4. The method of claim 1, further comprising:
and sending a second state request message to the second SecPoint module, where the second state request message includes state information of the first network device, so that the second SecPoint module records the state information of the first network device and feeds back a second state response message, where the first state response message includes the state information of the second network device.
5. The method of claim 3, further comprising:
and sending the alarm information of the first network equipment to the security cloud center so that the security cloud center records the alarm information of the first network equipment.
6. A security protection apparatus for a trust zone, where the apparatus is applied to a first security node SecPoint module, where the first SecPoint module is in a trust zone in a processor included in a first network device, the processor further includes an insecure zone, and the trust zone and the insecure zone respectively include API access control modules, and the apparatus includes:
an obtaining unit, configured to obtain first security risk assessment information of the first network device;
a receiving unit, configured to receive a first synchronization packet sent by a second SecPoint module, where the first synchronization packet includes second security risk assessment information of a second network device where the second SecPoint module is located;
a generating unit, configured to generate, according to the first security risk assessment information and the second security risk assessment information, a regional security risk level of a same region where the first network device and the second network device are located;
the generating unit is further configured to generate an access control policy according to the first security risk assessment information and the regional security risk level;
and the sending unit is used for issuing the access control strategy to the API access control module so as to execute corresponding processing on the access request according to the access control strategy when the access request is received by the API access control module.
7. The apparatus according to claim 6, wherein the receiving unit is further configured to receive a first status request packet sent by the second SecPoint module, where the first status request packet includes status information of a second network device where the second SecPoint module is located;
the device further comprises: a recording unit, configured to record status information of the second network device;
the sending unit is further configured to send a first status response packet to the second SecPoint module, where the first status response packet includes status information of the first network device.
8. The apparatus according to claim 6, wherein the generating unit is further configured to periodically scan for a security vulnerability of the first network device, and generate a security vulnerability assessment result of the first network device;
the receiving unit is also used for receiving safety information sent by the safety cloud center;
the device further comprises: a determining unit, configured to determine, according to a security vulnerability assessment result of the first network device and the security intelligence, a security score value of the first network device, a security risk level of the first network device corresponding to the security score value, and a risk API, or monitor an abnormal access request existing in the trust zone, and determine the risk API;
the generating unit is further configured to generate the first security risk assessment information according to the security score value of the first network device, the security risk level of the first network device corresponding to the security score value, and the risk API.
9. The apparatus according to claim 6, wherein the sending unit is further configured to send a second status request packet to the second SecPoint module, where the second status request packet includes status information of the first network device, so that the second SecPoint module records the status information of the first network device and feeds back a second status response packet, and the first status response packet includes the status information of the second network device.
10. The apparatus according to claim 8, wherein the sending unit is further configured to send the alarm information of the first network device to the security cloud center, so that the security cloud center records the alarm information of the first network device.
CN202011191068.4A 2020-10-30 2020-10-30 Security protection method and device for trust zone Active CN112351022B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011191068.4A CN112351022B (en) 2020-10-30 2020-10-30 Security protection method and device for trust zone

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011191068.4A CN112351022B (en) 2020-10-30 2020-10-30 Security protection method and device for trust zone

Publications (2)

Publication Number Publication Date
CN112351022A true CN112351022A (en) 2021-02-09
CN112351022B CN112351022B (en) 2022-07-12

Family

ID=74356146

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011191068.4A Active CN112351022B (en) 2020-10-30 2020-10-30 Security protection method and device for trust zone

Country Status (1)

Country Link
CN (1) CN112351022B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113486355A (en) * 2021-06-29 2021-10-08 北京紫光展锐通信技术有限公司 Information storage device, information storage method, communication device, chip and module equipment thereof
CN114553554A (en) * 2022-02-24 2022-05-27 上海交通大学宁波人工智能研究院 Terminal trust management and trusted access system and method
CN114598541A (en) * 2022-03-18 2022-06-07 维沃移动通信有限公司 Security assessment method and device, electronic equipment and readable storage medium

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8255517B1 (en) * 2006-06-29 2012-08-28 Symantec Corporation Method and apparatus to determine device mobility history
CN106203666A (en) * 2015-04-30 2016-12-07 中国南方电网有限责任公司 A kind of data networking equipment methods of risk assessment and device
CN107067157A (en) * 2017-03-01 2017-08-18 北京奇艺世纪科技有限公司 Business risk appraisal procedure, device and air control system
WO2017152742A1 (en) * 2016-03-08 2017-09-14 中兴通讯股份有限公司 Risk assessment method and apparatus for network security device
CN108200067A (en) * 2018-01-05 2018-06-22 国网山东省电力公司聊城供电公司 Big data information network adaptive security guard system based on trust computing
CN109064018A (en) * 2018-07-31 2018-12-21 郑州向心力通信技术股份有限公司 A kind of information security risk evaluation system and method
CN110020531A (en) * 2019-03-20 2019-07-16 阿里巴巴集团控股有限公司 Internet of things equipment risk checking method and device
CN110555779A (en) * 2019-07-25 2019-12-10 深圳壹账通智能科技有限公司 data processing method, data processing device, computer equipment and storage medium
CN110619022A (en) * 2019-09-20 2019-12-27 腾讯科技(深圳)有限公司 Node detection method, device, equipment and storage medium based on block chain network
CN110889640A (en) * 2019-12-04 2020-03-17 支付宝(杭州)信息技术有限公司 Risk assessment method for preventing personal data from being leaked, terminal and network center
CN111401777A (en) * 2020-03-30 2020-07-10 未来地图(深圳)智能科技有限公司 Enterprise risk assessment method and device, terminal equipment and storage medium
CN111815103A (en) * 2020-05-18 2020-10-23 深圳市第一反应信息科技有限公司 Method and equipment for determining outdoor risk assessment information

Patent Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8255517B1 (en) * 2006-06-29 2012-08-28 Symantec Corporation Method and apparatus to determine device mobility history
CN106203666A (en) * 2015-04-30 2016-12-07 中国南方电网有限责任公司 A kind of data networking equipment methods of risk assessment and device
WO2017152742A1 (en) * 2016-03-08 2017-09-14 中兴通讯股份有限公司 Risk assessment method and apparatus for network security device
CN107067157A (en) * 2017-03-01 2017-08-18 北京奇艺世纪科技有限公司 Business risk appraisal procedure, device and air control system
CN108200067A (en) * 2018-01-05 2018-06-22 国网山东省电力公司聊城供电公司 Big data information network adaptive security guard system based on trust computing
CN109064018A (en) * 2018-07-31 2018-12-21 郑州向心力通信技术股份有限公司 A kind of information security risk evaluation system and method
CN110020531A (en) * 2019-03-20 2019-07-16 阿里巴巴集团控股有限公司 Internet of things equipment risk checking method and device
CN110555779A (en) * 2019-07-25 2019-12-10 深圳壹账通智能科技有限公司 data processing method, data processing device, computer equipment and storage medium
CN110619022A (en) * 2019-09-20 2019-12-27 腾讯科技(深圳)有限公司 Node detection method, device, equipment and storage medium based on block chain network
CN110889640A (en) * 2019-12-04 2020-03-17 支付宝(杭州)信息技术有限公司 Risk assessment method for preventing personal data from being leaked, terminal and network center
CN111401777A (en) * 2020-03-30 2020-07-10 未来地图(深圳)智能科技有限公司 Enterprise risk assessment method and device, terminal equipment and storage medium
CN111815103A (en) * 2020-05-18 2020-10-23 深圳市第一反应信息科技有限公司 Method and equipment for determining outdoor risk assessment information

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113486355A (en) * 2021-06-29 2021-10-08 北京紫光展锐通信技术有限公司 Information storage device, information storage method, communication device, chip and module equipment thereof
CN113486355B (en) * 2021-06-29 2023-03-14 北京紫光展锐通信技术有限公司 Information storage device, information storage method, communication device, chip and module equipment thereof
CN114553554A (en) * 2022-02-24 2022-05-27 上海交通大学宁波人工智能研究院 Terminal trust management and trusted access system and method
CN114553554B (en) * 2022-02-24 2023-09-22 上海交通大学宁波人工智能研究院 Terminal trust management and trusted access system and method
CN114598541A (en) * 2022-03-18 2022-06-07 维沃移动通信有限公司 Security assessment method and device, electronic equipment and readable storage medium
CN114598541B (en) * 2022-03-18 2024-03-29 维沃移动通信有限公司 Security assessment method and device, electronic equipment and readable storage medium

Also Published As

Publication number Publication date
CN112351022B (en) 2022-07-12

Similar Documents

Publication Publication Date Title
EP3937424B1 (en) Blockchain data processing methods and apparatuses based on cloud computing
US11075955B2 (en) Methods and systems for use in authorizing access to a networked resource
CN112351022B (en) Security protection method and device for trust zone
JP6857193B2 (en) Systems and methods for decoding network traffic in virtualized environments
Tiburski et al. Lightweight security architecture based on embedded virtualization and trust mechanisms for IoT edge devices
EP3235161B1 (en) Using trusted execution environments for security of code and data
CN112073400B (en) Access control method, system, device and computing equipment
EP2880589B1 (en) Trusted execution environment virtual machine cloning
CN108429719B (en) Key protection method and device
US9948616B2 (en) Apparatus and method for providing security service based on virtualization
US20230259386A1 (en) Data processing method based on container engine and related device
US20220094690A1 (en) Trusted and connected multi-domain node clusters
US10068068B2 (en) Trusted timer service
EP2862119B1 (en) Network based management of protected data sets
US11411719B2 (en) Security system and method thereof using both KMS and HSM
CN114117412A (en) Virtual encryption machine platform based on trusted technology and creation method thereof
US20150212810A1 (en) Method and apparatus for executing integrated application program
CN116257368A (en) Communication method in computer system and related product
US9240988B1 (en) Computer system employing dual-band authentication
CN111966458A (en) Safety management method of virtual cloud desktop
CN112398792B (en) Login protection method, client, central control management equipment and storage medium
Han et al. Improving drone mission continuity in rescue operations with secure and efficient task migration
US20230291558A1 (en) Trusted computing-based local key escrow method, apparatus, device and medium
Will et al. Enclave Management Models for Safe Execution of Software Components.
Jian et al. A New Method to Enhance Container with vTPM

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230616

Address after: 310052 11th Floor, 466 Changhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: H3C INFORMATION TECHNOLOGY Co.,Ltd.

Address before: 310052 Changhe Road, Binjiang District, Hangzhou, Zhejiang Province, No. 466

Patentee before: NEW H3C TECHNOLOGIES Co.,Ltd.

TR01 Transfer of patent right