Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
In order to facilitate understanding of a specific implementation process of the technical solution in this embodiment, the following description is made on a working principle of a microprocessor:
In the field of microprocessor technology, memory protection is a long-standing problem. Every memory protection mode has its own advantages and disadvantages: some are limited by the hardware structure of the microprocessor; some involve complex protection procedures, which reduces data processing efficiency; and some only provide the protection function and cannot detect abnormal access.
Microprocessors may be divided into high-end microprocessors and low-end microprocessors. A high-end microprocessor includes a Memory Management Unit (MMU), which implements virtual memory management by dividing memory addresses into virtual addresses and physical addresses. The user sees only the virtual address, which is isolated from the actual physical address, so that the purpose of memory protection is achieved.
A low-end microprocessor is not provided with an MMU, but is provided with a Memory Protection Unit (MPU). Specifically, the MPU is a hardware structure that sets memory attributes region by region. Typically, an MPU may have 8 or more regions. Each region is configured with a memory area and memory attributes, where the memory attributes include read-write (whether the region can be read and written), execution (whether the region can be directly accessed and executed), caching, write caching and the like. Different regions are allowed to overlap when the memory areas are set, and different regions may have different priorities; when the memory areas of regions overlap, the region with the higher priority overrides the attributes set by the region with the lower priority. When a memory operation does not conform to the attributes set for the region, a hardware exception is raised immediately and the microprocessor is notified. Therefore, the memory can be protected by setting the read-write attribute, and illegal operations on the memory can be discovered through the exception.
For a low-end microprocessor, two memory protection modes can be adopted. One is a memory protection method implemented purely by a software processing algorithm without using the MPU, such as the upper and lower boundary protection method; the other is a protection method that uses the MPU, such as the process stack protection method used in conjunction with an Operating System (OS).
Specifically, the upper and lower boundary protection method works as follows: an upper and lower bound register is preset, which stores the start address and the end address of the memory used by the program being executed. During execution, every memory operation is checked by a unified software processing algorithm, which judges whether the accessed address is within the range of the upper and lower bounds. If not, the current access is determined to be an illegal access; otherwise, it is a legal access. Referring to fig. 1, the memory access addresses of "1#" and "3#" exceed the upper and lower bound addresses defined for the memory region, so the memory access operations of "1#" and "3#" are determined to be illegal operations; the memory access address of "2#" meets the address requirement, so that access can be carried out successfully.
In addition, the process stack protection method is a stack memory protection method which combines an Operating System (OS) and hardware, and can realize the protection between the stack memory of the currently running process and the stack memories of other processes, thereby effectively preventing the occurrence of stack overflow and realizing the protection of space in the stack. As shown in fig. 2, the specific implementation principle is as follows:
(1) A block of memory space is allocated in advance and used as the stack background space of the process stacks, and the stacks of all processes are allocated in this space.
(2) The stack space is set to be unreadable and non-executable using a low-priority area (background area) of the MPU.
(3) When a process is started, a high-priority area (process area) of the MPU is used for the stack space of the process to be started, and that stack space is set to be readable and writable and not executable. At this time, because the high priority of the MPU overrides the low priority, only the stack space of the started process can be read and written, and the stacks of other processes cannot be read and written, so that the other process stacks are protected and stack overflow or abnormal pointer modification is prevented.
(4) When the process is switched, the process area is set to the stack space to be switched to, so that the stack of the next process to be started becomes readable and writable, and the stack of the process that is switched out is no longer readable or writable.
However, the above memory protection methods have the following defects:
(1) Most memory protection approaches in the field of microprocessors are based on software-level protection, such as the upper and lower boundary protection method described above. However, a software-level protection method is itself at risk of abnormal operation, which may cause the protection function to fail.
(2) For software-level protection, the access efficiency is reduced because the address of each operation needs to be checked.
(3) Software-level protection measures are implemented by checking access addresses (e.g., the upper and lower boundary protection method), so memory access must be performed through a fixed software channel. Thus, when an abnormal access in the system does not pass through that fixed memory channel, the protection fails. A widely occurring example is abnormal pointer memory access: when the abnormal pointer points to a protected area, the area is not protected, because the access does not go through the fixed memory channel.
(4) Most protection methods using the MPU only realize protection of the process stack, and can hardly protect arbitrary memory addresses.
(5) The memory protection methods are basically process-based, and no effective measure is provided for protection inside a process.
(6) The memory protection is a protection means for a single process or a single user, and it is difficult to share memory among multiple users while also protecting the shared memory.
Some embodiments of the invention are described in detail below with reference to the accompanying drawings. The features of the embodiments and examples described below may be combined with each other without conflict between the embodiments.
Fig. 3 is a schematic flowchart of a memory access method according to an embodiment of the present invention; referring to fig. 3, in order to solve the above problem, the present embodiment provides a memory access method, which can prevent a memory from being accidentally accessed or modified, and can also discover an abnormal operation of a protected area in real time, thereby improving the security of memory access. In a specific application, the main execution body of the memory access method may be a microprocessor, the microprocessor may be a low-end microprocessor, and the microprocessor may be implemented as software, or a combination of software and hardware. Specifically, the method may include:
S101: Acquire a memory access request, wherein the memory access request comprises an address to be accessed and an access key.
The memory access request may be sent by a first virtual user. The first virtual user can be any one of the following expressions: the number of the first virtual users can be one or more, and it can be understood that the first virtual users can have different expressions in different application scenarios. Specifically, when the first virtual user sends a memory access request to the microprocessor, the microprocessor may obtain the memory access request, where the memory access request includes an address to be accessed and an access key, and the access key is used to implement a memory access operation for the address to be accessed.
S102: Determine a memory area and a standard key corresponding to the address to be accessed.
After the address to be accessed is obtained, the address to be accessed may be analyzed to determine a memory area and a standard key corresponding to the address to be accessed. Specifically, in this embodiment, a specific implementation manner for determining the memory area and the standard key corresponding to the address to be accessed is not limited, and a person skilled in the art may set the determination manner according to a specific application scenario and an application requirement, for example: acquiring address identification information corresponding to an address to be accessed, and determining a memory area and a standard key corresponding to the address to be accessed according to the address identification information, wherein the standard key is used for carrying out validity verification on a memory access request; when the standard key is matched with an access key included in the memory access request, determining that the memory access request is a legal request; and when the standard key is not matched with the access key included in the memory access request, determining that the memory access request is an illegal request.
S103: When the access key matches the standard key, adjust the memory attribute of the memory area to an access-allowed state by using the memory protection unit.
The access permission state includes: a state that allows the first virtual user to perform a corresponding data processing operation with respect to the memory region.
In another alternative embodiment, other virtual users associated with the first virtual user identity may be allowed to access the memory region and perform corresponding data processing operations.
When the access key matches the standard key, it is determined that the memory access request is a legal request, and at this time, the memory protection unit may be used to adjust the memory attribute in the memory area to an access-allowed state, where the memory attribute may include at least one of the following: reading and writing attributes, address fetching execution attributes and cache attributes, so that a first virtual user can execute data processing operation corresponding to the memory access request aiming at the memory area; the memory protection unit in this embodiment may be integrated in a microprocessor.
For example: before receiving a memory access request, the memory attribute of the memory area is in a forbidden access state, when the memory access request is a read-write request sent aiming at a first address, a first access key included in the read-write request can be obtained, a standard key corresponding to the first address is determined, and when the first access key is matched with the standard key, the read-write attribute of the memory area is adjusted to be in a permission state by using a memory protection unit, so that a first virtual user executes data read-write operation corresponding to the read-write request aiming at the memory area. Or, when the memory access request is an address retrieval execution request sent for the second address, the second access key included in the address retrieval execution request may be acquired, the standard key corresponding to the second address is determined, and when the second access key matches the standard key, the memory protection unit is used to adjust the address retrieval execution attribute of the memory area to an allowed state, so that the first virtual user executes the address retrieval execution operation corresponding to the address retrieval execution request for the memory area.
In the memory access method provided by this embodiment, a memory access request is obtained, the memory area and the standard key corresponding to the address to be accessed are determined, and, when the access key matches the standard key, the memory protection unit is used to adjust the memory attribute of the memory area to an access-allowed state. Because the memory protection unit adjusts the memory access state based on the key, the memory is prevented from being accidentally accessed or modified and is effectively protected, which ensures the security and reliability of memory access and effectively improves the practicability of the method.
Fig. 4 is a schematic flowchart of another memory access method according to an embodiment of the present invention; on the basis of the foregoing embodiment, with reference to fig. 4, before obtaining the memory access request, the method in this embodiment may further include:
S201: Acquire a memory protection request sent by the second virtual user, wherein the memory protection request comprises address information to be protected.
The second virtual user may be any one of the following expressions: processes, software modules running independently on the central processor, application programs, etc., and the number of the second virtual users may be one or more, it is understood that the second virtual users may have different expressions in different application scenarios. In a particular application scenario, the second virtual user may be the same as or different from the first virtual user.
Before obtaining the memory access request, in order to implement effective protection of the memory, the second virtual user may send a memory protection request to the microprocessor, where the memory protection request may include address information to be protected, and specifically, the address information to be protected may include one of: address information of a process stack and address information of a non-process stack; the memory area corresponding to the address information of the non-process stack is used for storing at least one of the following: authentication information, device information, configuration information, operational information, status information.
S202: Allocate a corresponding memory area for the address information according to the memory protection request.
After the memory protection request is obtained, a corresponding memory region may be allocated for the address information to be protected based on the memory protection request, where the memory region may correspond to a memory attribute, and the memory attribute may include at least one of the following: read-write attributes, fetch execution attributes, cache attributes, and the like.
S203: Adjust the memory attribute of the memory area to an access-prohibited state by using the memory protection unit.
After allocating the corresponding memory area for the address information, the memory protection unit may be used to adjust the memory attribute of the memory area to the access prohibition state, and it can be understood that, after adjusting the memory attribute of the memory area to the access prohibition state, any user cannot perform an access operation on the memory area, for example: the user can not execute the read-write operation of the data, can not execute the cache operation of the data, and can not realize the address-fetching execution operation; therefore, the memory area is effectively protected.
S204: Generate key information corresponding to the address information, and send the key information to the second virtual user.
After the memory attribute of the memory area is adjusted to the access prohibited state, in order to enable a legitimate user to perform an access operation on the memory area, key information corresponding to the address information may be generated, and specifically, generating the key information corresponding to the address information may include:
S2041: Generate random key information corresponding to the address information by using a random number generator.
Specifically, a random number generator is preset, and the random number generator may be integrated into the microprocessor, and after the memory attribute of the memory area of the address information is adjusted to the access prohibition state, the random number generator may be used to generate random key information corresponding to the address information. It is conceivable that, since the random key information is generated by the random number generator, it is effectively ensured that the key information corresponding to the address information is not fixed and unchanged, and the strength of protecting the memory area is further ensured.
After the key information is obtained, the key information can be sent to the second virtual user, so that the second virtual user can realize legal access operation to the memory area based on the key information. In addition, after the second virtual user acquires the correspondence between the key information and the address information, the correspondence between the key information and the address information may be shared to other virtual users, for example, the second virtual user may share the correspondence between the key information and the address information to the first virtual user, so that the first virtual user may perform a legitimate access operation to the memory area based on the shared key information. Specifically, the first virtual user may send a memory access request to the microprocessor, where the memory access request includes an access key, and at this time, the access key of the first virtual user may be determined according to key information shared by the second virtual user to the first virtual user, so that it is effectively achieved that the first virtual user performs a legal access operation on the memory area based on the key information shared by the second virtual user under the authorization of the second virtual user. When other virtual users do not send memory access requests to the microprocessor by using correct key information, the microprocessor can identify the virtual users as illegal users, so that illegal access operation to the memory area can be found.
In this embodiment, a memory protection request sent by a second virtual user is obtained, a corresponding memory area is allocated for address information according to the memory protection request, a memory protection unit is used to adjust a memory attribute of the memory area to an access prohibition state, key information corresponding to the address information is generated, and the key information is sent to the second virtual user, so that effective protection of the memory area corresponding to the address information to be protected is effectively achieved, the second virtual user can perform legal access operation on the memory area based on the key information, the situation that the memory is accidentally accessed or modified is effectively prevented, abnormal access operation of the protected area can be found in real time, that is, the illegal access operation of the virtual user can be obtained, and the security of accessing the memory is improved.
On the basis of the foregoing embodiment, with reference to fig. 3, a specific implementation manner of obtaining the memory access request in this embodiment is not limited, and a person skilled in the art may set the memory access request according to a specific application requirement and a design requirement, and preferably, the obtaining the memory access request in this embodiment includes:
S1011: Acquire a memory access request sent by a first virtual user through a memory access channel.
The memory access channel can be a pre-configured legal access channel corresponding to the address information, and when the first virtual user sends the memory access request, the first virtual user can send the memory access request through the memory access channel corresponding to the address information, so that the microprocessor can obtain the memory access request sent by the first virtual user through the memory access channel, and the legality of the memory access request is effectively guaranteed.
Fig. 5 is a schematic flowchart of another memory access method according to an embodiment of the present invention; on the basis of the foregoing embodiment, with reference to fig. 5, before acquiring the memory access request sent by the first virtual user through the memory access channel, the method in this embodiment may further include:
S301: Allocate a corresponding memory access channel for the address information according to the memory protection request.
S302: Send the memory access channel to the second virtual user.
After the memory protection request is obtained, corresponding memory access channels may be allocated for address information in the memory protection request, and it is conceivable that different address information may correspond to the same or different memory access channels; and then the memory access channel is sent to a second virtual user, so that the second virtual user can realize legal access to the memory area through the memory access channel.
In addition, after the second virtual user obtains the correspondence between the memory access channel and the address information, the correspondence between the memory access channel and the address information may be shared to other virtual users, for example, the second virtual user may share the correspondence between the memory access channel and the address information to the first virtual user, so that the first virtual user may perform a legal access operation on the memory area based on the shared memory access channel. Specifically, the first virtual user may send a memory access request to the microprocessor through the memory access channel for the address information, and at this time, the memory access channel of the first virtual user is the memory access channel shared by the second virtual user to the first virtual user, so that the first virtual user may implement a legal access operation on the memory area based on the memory access channel shared by the second virtual user.
It can be understood that, when the second virtual user performs an access operation on the memory area, the memory area needs to be accessed by using both the key information and the memory access channel corresponding to the address information, and the legal access operation on the memory area can be realized only after the memory access channel and the key information are both verified. Conversely, the second virtual user cannot perform a legal access operation on the memory area when the key information fails verification while the memory access channel passes, or when the memory access channel fails verification while the key information passes.
In this embodiment, the corresponding memory access channel is allocated to the address information according to the memory protection request, and the memory access channel is sent to the second virtual user, so that the strength of protecting the memory region corresponding to the address information to be protected is effectively increased, the second virtual user can perform a legal access operation on the memory region based on the memory access channel, the memory is effectively prevented from being accidentally accessed or modified, meanwhile, an abnormal access operation of the protected region can be found in real time, that is, an illegal access operation of the virtual user can be obtained, and the security of accessing the memory is improved.
On the basis of any one of the above embodiments, after generating the key information corresponding to the address information, the method in this embodiment may further include:
S205: Store the key information in a preset area.
The preset area may include an area located before the address information in the memory area; alternatively, the preset area may be adjacent to the memory area. For example, the preset area is a0-a10, where the a0 area is the area before the address information; after the key information is obtained, the key information may be stored in the a0 area. Alternatively, the preset area is A, the areas adjacent to the preset area A include an area B and an area C, and after the key information is obtained, the key information may be stored in area B or area C.
Of course, a person skilled in the art may select other preset areas according to a specific application scenario, as long as the key information can be stored in the preset area, which is convenient for obtaining the stored key information through the preset area.
Fig. 6 is a fourth schematic flowchart of a memory access method according to an embodiment of the present invention; on the basis of any one of the above embodiments, referring to fig. 6, the method in this embodiment may further include:
s401: an illegal access user to the memory region is identified.
S402: and generating illegal access information corresponding to the illegal access user.
For the microprocessor, the virtual user accessing the memory area may be a legal access user or an illegal access user, where the legal access user may be a virtual user whose access key in the transmitted memory access request matches the standard key and whose access channel matches the preset memory access channel; the illegal access user may refer to a virtual user whose access key in the sent memory access request does not match the standard key, and/or whose access channel does not match the preset memory access channel. Specifically, a way to identify an illegal access user to a memory area may include:
S500: When the access key does not match the standard key, determine that the first virtual user is an illegal access user.
Specifically, after a memory access request sent by a first virtual user is obtained, an access key included in the memory access request may be obtained, and then the access key is analyzed and matched with a standard key, when the access key is not matched with the standard key, that is, when the access key sent by the first virtual user is different from a preset standard key, it may be determined that the first virtual user at this time is an illegal access user.
In addition, referring to fig. 7, another way for identifying an illegal access user to a memory area is provided in the present embodiment, specifically, the method includes:
S501: Identify, by using the memory protection unit, the access channel through which the first virtual user sends the memory access request.
S502: When the access channel does not match the preset memory access channel, determine that the first virtual user is an illegal access user.
Specifically, after the memory access request sent by the first virtual user is obtained, the memory protection unit may be used to identify an access channel of the memory access request sent by the first virtual user, and then the access channel is analyzed and matched with a preset memory access channel, when the access channel is not matched with the memory access channel, that is, when the access channel of the memory access request sent by the first virtual user is different from the preset memory access channel, it may be determined that the first virtual user at this time is an illegal access user.
On the contrary, when the access channel is matched with the memory access channel, the access key included in the memory access request can be acquired, then the access key is analyzed and matched with the standard key, and when the access key is matched with the standard key, that is, the access key sent by the first virtual user is the same as the preset standard key, the first virtual user at the moment can be determined to be a legal access user.
After the illegal accessing user is identified, illegal accessing information corresponding to the illegal accessing user can be generated, and the illegal accessing information can comprise user identification, accessing record, accessing time and the like of the illegal accessing user; the user can be prompted through the generated illegal access information, so that the user can acquire abnormal access operation accessing the microprocessor in time, the memory is effectively prevented from being accessed or modified accidentally, meanwhile, the abnormal operation of the protected area can be found in real time, and the quality and the effect of protecting the memory area are further improved.
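The protection flow (S201 to S204, S301 to S302), the keyed access flow (S101 to S103) and the illegal-access checks (S500 to S502, S402) can be modelled together. The following C model is an added example, not code from the patent: the MPU is simulated by a table, and every name in it (`mem_protect`, `mem_access`, `mpu_check`, `hw_rng`, the addresses and user ids) is hypothetical; `hw_rng` is an xorshift stand-in for the on-chip random number generator.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated model only: no real MPU registers are touched. */
enum { ATTR_NONE = 0, ATTR_R = 1, ATTR_W = 2, ATTR_X = 4 };
enum { MAX_REGIONS = 8, MAX_LOG = 16 };

typedef struct {
    uint32_t base, size;  /* protected address range */
    uint32_t key;         /* standard key of the region */
    uint32_t channel;     /* memory access channel handed to the owner */
    uint8_t  attr;        /* attribute currently programmed into the MPU */
    uint8_t  used;
} region_t;

/* Illegal access information (S402); access time omitted, the model has no clock. */
typedef struct { uint32_t user, addr; const char *reason; } violation_t;

static region_t    regions[MAX_REGIONS];
static violation_t vlog[MAX_LOG];
static int         vcount;
static uint32_t    rng_state = 0x2545F491u;

/* Stand-in for the hardware RNG of S2041 (xorshift32, not for production). */
static uint32_t hw_rng(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

static region_t *find_region(uint32_t addr) {
    for (int i = 0; i < MAX_REGIONS; i++)
        if (regions[i].used && addr - regions[i].base < regions[i].size)
            return &regions[i];
    return NULL;
}

/* S201-S204, S301-S302: allocate a region, close it, return key and channel. */
int mem_protect(uint32_t base, uint32_t size, uint32_t *key, uint32_t *channel) {
    if (size == 0) return -1;
    for (int i = 0; i < MAX_REGIONS; i++) {
        if (regions[i].used) continue;
        regions[i] = (region_t){ base, size, hw_rng(), (uint32_t)i + 1, ATTR_NONE, 1 };
        *key = regions[i].key;
        *channel = regions[i].channel;
        return 0;
    }
    return -1;
}

static int deny(uint32_t user, uint32_t addr, const char *why) {
    if (vcount < MAX_LOG) vlog[vcount++] = (violation_t){ user, addr, why };
    return -1;
}

/* S101-S103 with the checks of S501-S502 (channel) and S500 (key). */
int mem_access(uint32_t user, uint32_t channel, uint32_t addr,
               uint32_t key, uint8_t want) {
    region_t *r = find_region(addr);
    if (!r)                    return deny(user, addr, "no protected region");
    if (channel != r->channel) return deny(user, addr, "channel mismatch");
    if (key != r->key)         return deny(user, addr, "key mismatch");
    r->attr = want;            /* MPU moves the region to the allowed state */
    return 0;
}

/* What the hardware would decide for a raw load/store/fetch at addr:
 * 1 = allowed, 0 = fault. Addresses outside any region are not governed here. */
int mpu_check(uint32_t addr, uint8_t want) {
    region_t *r = find_region(addr);
    return r ? (r->attr & want) == want : 1;
}

int violation_count(void) { return vcount; }

int main(void) {
    uint32_t key, ch;
    mem_protect(0x20001000u, 0x100u, &key, &ch);        /* constructed range */
    printf("stray read before any request: %d\n", mpu_check(0x20001010u, ATTR_R));
    mem_access(7, ch, 0x20001010u, key ^ 1u, ATTR_R);   /* wrong key */
    mem_access(7, ch + 1u, 0x20001010u, key, ATTR_R);   /* wrong channel */
    mem_access(1, ch, 0x20001010u, key, ATTR_R | ATTR_W);
    printf("read after keyed request: %d\n", mpu_check(0x20001010u, ATTR_R));
    for (int i = 0; i < violation_count(); i++)
        printf("illegal access: user %u addr 0x%08x (%s)\n",
               (unsigned)vlog[i].user, (unsigned)vlog[i].addr, vlog[i].reason);
    return 0;
}
```

Because `mpu_check` stands for the hardware decision, a stray pointer that never calls `mem_access` still faults on a closed region, which is the gap in software-only address checking listed as defect (3).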
Fig. 8 is a fifth flowchart illustrating a memory access method according to an embodiment of the present invention; based on any of the above embodiments, with continued reference to fig. 8, the memory protection request includes a first request and a second request, the first request includes a first access address, the second request includes a second access address, and an overlapping address exists between the first access address and the second access address; at this time, the allocating the corresponding memory area and the memory attribute corresponding to the memory area to the address information according to the memory protection request in this embodiment may include:
S601: Allocate a corresponding first memory area, and a first memory attribute corresponding to the first memory area, for the first access address according to the first request.
S602: Allocate a corresponding second memory area, and a second memory attribute corresponding to the second memory area, for the second access address according to the second request.
S603: Acquire a first attribute priority of the first memory area and a second attribute priority of the second memory area.
S604: Determine the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority.
Specifically, when the memory protection request includes a first request and a second request, the first request and the second request may be sent to the microprocessor by two different virtual users. After the microprocessor receives the first request and the second request, a corresponding first memory region may be allocated to the first access address according to the first request, where the first memory region corresponds to the first memory attribute, and a corresponding second memory region may be allocated to the second access address according to the second request, where the second memory region corresponds to the second memory attribute. Because an overlapping address exists between the first access address to be protected and the second access address, an overlapping area also exists between the first memory area allocated for the first access address and the second memory area allocated for the second access address. For the memory attribute of the overlapping area, the attribute priority between the first memory region and the second memory region needs to be identified, that is, the first attribute priority of the first memory region and the second attribute priority of the second memory region can be determined according to a preset rule; the overlapping memory attribute of the overlapping address is then determined based on the first attribute priority and the second attribute priority. Specifically, determining the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority may include:
S6041: When the first attribute priority is higher than the second attribute priority, determine the overlapping memory attribute of the overlapping address as the first memory attribute. Or,
S6042: When the first attribute priority is lower than the second attribute priority, determine the overlapping memory attribute of the overlapping address as the second memory attribute.
When the first attribute priority and the second attribute priority are obtained, the higher attribute priority can be determined, and then the overlapping memory attribute of the overlapping address is determined to be consistent with the higher attribute priority. Specifically, when the priority of the first attribute is higher than the priority of the second attribute, the overlapping memory attribute of the overlapping address is determined as the first memory attribute, or when the priority of the first attribute is lower than the priority of the second attribute, the overlapping memory attribute of the overlapping address is determined as the second memory attribute.
For example, the first access address included in the first request is 192.168.1.1-192.168.1.154, and the second access address included in the second request is 192.168.1.100-192.168.1.254; the overlapping address between the first access address and the second access address is then 192.168.1.100-192.168.1.154. The first memory area allocated to the first access address is an area A, and the second memory area allocated to the second access address is an area B, wherein an overlapping area C exists between the area A and the area B, and the overlapping area C is used for storing the overlapping address. The whole area constituted by the area A and the area B can thus be divided into three parts: a region A1 for storing the non-overlapping address part of the first access address, the overlapping region C for storing the overlapping addresses, and a region B1 for storing the non-overlapping address part of the second access address, wherein region A1 and overlapping region C constitute region A, and region B1 and overlapping region C constitute region B.
For region A1, overlap region C, and region B1, the memory attributes of region A1 correspond to a first attribute priority and the memory attributes of region B1 correspond to a second attribute priority, wherein the first attribute priority corresponds to a first request and the second attribute priority corresponds to a second request. The memory attribute of the overlapping region C conforms to the attribute information with higher priority in the first attribute priority and the second attribute priority, so that a virtual user with high priority can access the overlapping region, while a virtual user with low priority cannot access the overlapping region, different memory protection strategies are set for the virtual users with different priorities, and the flexibility and reliability of the use of the memory protection method are further improved.
Fig. 9 is a sixth schematic flowchart of a memory access method according to an embodiment of the present invention. On the basis of any of the foregoing embodiments, with continued reference to fig. 9, the memory protection request includes a first request and a second request, where the first request includes a first access address and an identifier of a first virtual user, and the second request includes a second access address and an identifier of a second virtual user; in this case, generating key information corresponding to the address information in the present embodiment may include:
S701: Determining a first access priority corresponding to the first access address according to the identity of the first virtual user, and determining a second access priority corresponding to the second access address according to the identity of the second virtual user.
S702: Generating first key information corresponding to the first access address, the first key information satisfying the first access priority.
S703: Generating second key information corresponding to the second access address, the second key information satisfying the second access priority.
Specifically, when the memory protection request includes a first request and a second request, the first request and the second request may be sent to the microprocessor by a first virtual user and a second virtual user respectively. After the microprocessor receives the two requests, it may recognize the identity of the first virtual user included in the first request and determine a first access priority corresponding to the first access address according to that identity; similarly, it may recognize the identity of the second virtual user included in the second request and determine a second access priority corresponding to the second access address according to that identity. When there is no overlapping address between the first access address and the second access address, first key information corresponding to the first access address may be generated directly, the first key information satisfying the first access priority, and second key information corresponding to the second access address may be generated, the second key information satisfying the second access priority.
When an overlapping address exists between the first access address and the second access address, the overlapping address part corresponds both to first key information meeting the first access priority and to second key information meeting the second access priority; in this case, the key information with the higher access priority covers the key information with the lower access priority. For example, if the overlapping area corresponds to first key information with the higher access priority and second key information with the lower access priority, the key information corresponding to the overlapping area is the first key information. The virtual user with high priority can therefore access the overlapping area, while the virtual user with low priority cannot, so that different memory protection strategies are set for virtual users with different priority levels, further improving the flexibility and reliability of the memory protection method.
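The overlap rules of S602-S604 and the key-priority rule above, as an added C example that is not part of the original document: it splits two protection requests into the parts A1, C and B1 and assigns the overlap to the higher-priority request, and it also covers disjoint and fully contained ranges. Plain integer addresses (the last octets of the document's example), all struct and function names, and the rejection of equal priorities (a case the text does not define) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum attr { ATTR_NO_ACCESS, ATTR_READ_ONLY, ATTR_READ_WRITE };

/* One protection request: inclusive range, requested attribute, priority
 * (larger value = higher priority) and the requesting virtual user. */
struct request { uint32_t start, end; enum attr attr; int priority; int user_id; };

/* One resolved part of the address space; owner is the user whose key applies. */
struct segment { uint32_t start, end; enum attr attr; int owner; };

static struct segment make_seg(uint32_t s, uint32_t e, const struct request *r) {
    struct segment g = { s, e, r->attr, r->user_id };
    return g;
}

/* Resolve two requests into at most three segments (A1, C, B1).
 * Returns the segment count, or -1 for an invalid range or for an overlap
 * between equal priorities (assumption: treated as a conflict). */
int resolve_overlap(const struct request *a, const struct request *b,
                    struct segment out[3]) {
    if (a->start > a->end || b->start > b->end) return -1;
    uint32_t lo = a->start > b->start ? a->start : b->start;  /* overlap start */
    uint32_t hi = a->end < b->end ? a->end : b->end;          /* overlap end   */
    int n = 0;
    if (lo > hi) {                       /* disjoint: nothing to arbitrate */
        const struct request *first = a->start < b->start ? a : b;
        const struct request *second = first == a ? b : a;
        out[n++] = make_seg(first->start, first->end, first);
        out[n++] = make_seg(second->start, second->end, second);
        return n;
    }
    if (a->priority == b->priority) return -1;
    const struct request *winner = a->priority > b->priority ? a : b;
    const struct request *head = a->start < b->start ? a : b;  /* owns the part before C */
    const struct request *tail = a->end > b->end ? a : b;      /* owns the part after C  */
    if (head->start < lo) out[n++] = make_seg(head->start, lo - 1, head);
    out[n++] = make_seg(lo, hi, winner); /* C follows the higher priority */
    if (tail->end > hi) out[n++] = make_seg(hi + 1, tail->end, tail);
    return n;
}

/* A user may access an address only if that user's request owns the segment. */
int user_may_access(const struct segment *segs, int n, uint32_t addr, int user_id) {
    for (int i = 0; i < n; i++)
        if (addr >= segs[i].start && addr <= segs[i].end)
            return segs[i].owner == user_id;
    return 0;
}

int main(void) {
    /* Constructed input mirroring the document's example ranges. */
    struct request first  = { 1, 154, ATTR_READ_WRITE, 2, 1 };
    struct request second = { 100, 254, ATTR_READ_ONLY, 1, 2 };
    struct segment seg[3];
    int n = resolve_overlap(&first, &second, seg);
    for (int i = 0; i < n; i++)
        printf("%u-%u attr=%d owner=%d\n", (unsigned)seg[i].start,
               (unsigned)seg[i].end, (int)seg[i].attr, seg[i].owner);
    return n == 3 ? 0 : 1;
}
```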
Fig. 10 is a flowchart illustrating another memory access method according to an embodiment of the present invention; referring to fig. 10, in order to solve the above problem, the present embodiment provides a memory access method, which can prevent a memory from being accidentally accessed or modified, and can also discover abnormal operations of a protected area in real time, thereby improving the security of memory access. In a specific application, an execution subject of the memory access method may be a client, and it is understood that the client may be implemented as software or a combination of software and hardware. Specifically, the method may include:
S801: Sending a memory protection request to the microprocessor, wherein the memory protection request comprises address information to be protected.
S802: Receiving key information and a memory access channel which are sent by the microprocessor according to the memory protection request, wherein the key information corresponds to the address information.
Specifically, when the client has a memory protection requirement for the address information to be protected, a memory protection request for the address information to be protected can be generated, and then the memory protection request can be sent to the microprocessor, so that the microprocessor can allocate a corresponding memory area to the address information to be protected based on the memory protection request, perform memory protection operation on the memory area, and then return key information and a memory access channel corresponding to the address information to be protected, so that the client can receive the key information and the memory access channel corresponding to the memory protection request, and the key information and the memory access channel at this time correspond to the address information to be protected, thereby realizing that the client can perform legal data access operation through the memory access channel and the key information.
According to the memory access method provided by the embodiment, the memory protection request is sent to the microprocessor, and the key information and the memory access channel sent by the microprocessor according to the memory protection request are received, so that the client can effectively perform legal data access operation based on the memory access channel and the key information, and the memory is further prevented from being accessed or modified accidentally, so that the memory access safety is improved, and the practicability of the memory access method is effectively guaranteed.
On the basis of the foregoing embodiment, with continuing reference to fig. 10, in order to improve the flexibility and reliability of the method, the method in this embodiment may further include:
S901: Sharing the key information and the address information with other clients so that the other clients execute corresponding data access operations on the memory area corresponding to the address information.
Specifically, after the client acquires the corresponding relationship between the key information and the address information, the key information and the address information can be shared to other clients, so that the other clients can execute corresponding data access operation aiming at the memory area corresponding to the address information under the authorization of the client, the client with legal authority can effectively execute corresponding data access operation on the memory area, the client without legal authority cannot execute corresponding data access operation on the memory area, the condition that the memory is accessed or modified accidentally is further prevented, and the quality and the effect of protecting the memory access are improved.
Fig. 11 is a second flowchart illustrating another memory access method according to an embodiment of the present invention; on the basis of the foregoing embodiment, with reference to fig. 11, the method in this embodiment may further include:
S1001: Sending a memory access request to the microprocessor based on the memory access channel, wherein the memory access request comprises an address to be accessed and an access key, so that the microprocessor adjusts the memory attribute of the memory area corresponding to the address to be accessed to an access permission state according to the access key.
S1002: Executing the data processing operation corresponding to the memory access request on the memory area.
Specifically, after requesting the microprocessor to execute a corresponding memory protection operation on the address information to be protected, the client may also request access to the corresponding memory area through the microprocessor. The client may send a memory access request to the microprocessor based on the memory access channel, where the memory access request includes an address to be accessed and an access key. After the microprocessor receives the memory access request, the legitimacy of the client may be identified based on the access key included in the request; after determining that the client is a valid access user, the microprocessor may adjust the memory attribute of the memory area corresponding to the address to be accessed to the access permission state according to the access key, so that the client may execute the data processing operation corresponding to the memory access request on the memory area.
In this embodiment, a memory access request is sent to a microprocessor based on a memory access channel, and after the microprocessor adjusts the memory attribute of a memory region corresponding to an address to be accessed to an access-allowed state according to an access key, a client executes a data processing operation corresponding to the memory access request for the memory region, so that the client with a legal right can execute the data processing operation corresponding to the memory access request for the memory region, which can prevent the memory from being accessed or modified accidentally, and also realize effective protection for the memory, thereby ensuring the safety and reliability of application to the memory, and effectively improving the practicability of the method.
In specific application, the present application embodiment provides a memory access method, which implements protection of a memory by combining software and hardware, has high reliability, high performance, small granularity, and sharable functions, and can retain information of an illegally accessed memory, find a cause of an illegal access, and prevent an illegal address fetching operation in a protected area. In addition, the method can realize the setting of the memory attribute and the write cache attribute while realizing the legal access to the memory, and is favorable for solving the problem of memory data synchronization. Specifically, as shown in fig. 12, the method includes the following steps:
Step 1: Acquiring a memory protection request sent by a user, wherein the memory protection request comprises address information to be protected.
Step 2: Allocating a corresponding memory area for the address information according to the memory protection request.
Step 3: Configuring the address information of the memory area.
Step 4: Adjusting the memory attribute of the memory area to an access prohibition state by using the memory protection unit.
Step 5: Generating key information corresponding to the address information, and sending the key information to the user.
Specifically, a user may apply for a memory area from the memory protection unit MPU by using an address that needs to be protected, and after the memory area is successfully allocated, the memory attribute of the address may be adjusted to an access prohibition state, for example: the read-write authority is closed (namely locking), the cache authority is closed and the like, the memory area in the access forbidden state cannot be accessed, and if the access occurs, the abnormal access information is immediately generated, so that the positioning of the illegal access information is realized. Then, a random key is generated by using the random number generator, and the random key is bound with the address, that is, key information corresponding to the address information is obtained, and the key information can be stored in a position before the address of the memory area, and meanwhile, the obtained key information can be sent to the user, as shown in fig. 13, so that the user can perform unlocking access on the memory area according to the held key information, thereby implementing legal access operation on the memory area.
Further, after the user acquires the key information, the user may share the key information, as shown in fig. 14, the user may give the own key information to another user, so as to implement memory sharing in a protected state, and thereby enable another authorized user to perform a legal access operation on the memory area through the shared key information.
Specifically, referring to fig. 15, when a user accesses a memory area, the method includes the following steps:
Step 11: Acquiring the memory access request sent by the user, wherein the memory access request comprises an address to be accessed and an access key.
Step 12: Determining a memory area and a standard key corresponding to the address to be accessed, and verifying the access key by using the standard key.
Step 13: When the standard key does not match the access key, the access key fails verification, and feedback information can be sent to the user; when the standard key matches the access key, the access key passes verification.
Step 14: After the access key is verified, the memory attribute of the memory area may be adjusted to the access-allowed state. At this time, the user may perform an access operation on the memory area through the access key.
Step 15: After the access operation is performed on the memory area, the memory attribute of the memory area can be adjusted to the access prohibition state again, so that the safe access operation on the memory area is realized.
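Steps 1-5 and steps 11-15 above, as an added C example that is not part of the original document: a software model of the lock, verify, unlock, access and relock cycle, including the abnormal-access record produced when a locked region is touched or a wrong key is presented. The in-memory region table standing in for MPU registers, the 16-byte key length, `/dev/urandom` as the random number generator, the constant-time key comparison and all names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN     16
#define RAM_SIZE    256
#define MAX_REGIONS 4
#define MAX_FAULTS  8

enum attr   { ATTR_NO_ACCESS, ATTR_READ_WRITE };
enum status { ST_OK, ST_NO_SLOT, ST_RNG_FAIL, ST_NO_REGION, ST_BAD_KEY, ST_FAULT };

struct region { size_t base, len; enum attr attr; uint8_t key[KEY_LEN]; int used; };
struct fault  { size_t addr; enum status why; };

static uint8_t       ram[RAM_SIZE];         /* simulated memory */
static struct region regions[MAX_REGIONS];  /* simulated MPU region table */
static struct fault  faults[MAX_FAULTS];    /* abnormal access records */
static size_t        fault_count;

static int fill_random(uint8_t *buf, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");  /* stand-in for a hardware RNG */
    if (!f) return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Compare without an early exit so timing does not reveal a matching prefix. */
static int keys_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < KEY_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Overlapping regions are not modelled here: the first match is used. */
static struct region *find_region(size_t addr) {
    for (size_t i = 0; i < MAX_REGIONS; i++)
        if (regions[i].used && addr >= regions[i].base &&
            addr - regions[i].base < regions[i].len)
            return &regions[i];
    return NULL;
}

static enum status record_fault(size_t addr, enum status why) {
    if (fault_count < MAX_FAULTS)
        faults[fault_count++] = (struct fault){ addr, why };
    return why;
}

/* Steps 1-5: allocate a region, lock it, bind a random key, return the key. */
enum status mpu_protect(size_t base, size_t len, uint8_t key_out[KEY_LEN]) {
    if (len == 0 || base >= RAM_SIZE || len > RAM_SIZE - base) return ST_NO_REGION;
    for (size_t i = 0; i < MAX_REGIONS; i++) {
        struct region *r = &regions[i];
        if (r->used) continue;
        if (fill_random(r->key, KEY_LEN) != 0) return ST_RNG_FAIL;
        r->base = base;
        r->len = len;
        r->attr = ATTR_NO_ACCESS;           /* locked until a valid key arrives */
        r->used = 1;
        memcpy(key_out, r->key, KEY_LEN);
        return ST_OK;
    }
    return ST_NO_SLOT;
}

/* A raw access as the MPU would see it: a locked region raises a fault. */
enum status mem_write(size_t addr, uint8_t value) {
    if (addr >= RAM_SIZE) return record_fault(addr, ST_NO_REGION);
    struct region *r = find_region(addr);
    if (r && r->attr == ATTR_NO_ACCESS) return record_fault(addr, ST_FAULT);
    ram[addr] = value;
    return ST_OK;
}

/* Steps 11-15: verify the access key, unlock, perform the access, lock again. */
enum status guarded_write(size_t addr, const uint8_t key[KEY_LEN], uint8_t value) {
    struct region *r = find_region(addr);
    if (!r) return ST_NO_REGION;
    if (!keys_equal(key, r->key)) return record_fault(addr, ST_BAD_KEY);
    r->attr = ATTR_READ_WRITE;
    enum status st = mem_write(addr, value);
    r->attr = ATTR_NO_ACCESS;               /* relock even if the access failed */
    return st;
}

int main(void) {
    uint8_t key[KEY_LEN];
    if (mpu_protect(64, 16, key) != ST_OK) return 1;
    printf("raw write while locked: %d\n", (int)mem_write(70, 1));
    printf("write with key:         %d\n", (int)guarded_write(70, key, 1));
    printf("faults recorded:        %zu\n", fault_count);
    return 0;
}
```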
According to the memory access method provided by the application embodiment, after a memory protection request sent by a virtual user is received, a memory area is protected based on the memory protection request, so that the memory protection area is applied by taking the request of the virtual user as a unit, the memory protection with small granularity is realized, and the memory division and protection in a process can be realized; in addition, the microprocessor in the embodiment adopts the MPU hardware unit to perform memory protection, and compared with the memory protection measure in a software layer, the microprocessor has higher read-write efficiency because the check of secondary read-write addresses is reduced; and the MPU is used for setting read-write attributes to realize memory protection, and the memory protection is equivalent and reliable compared with the memory protection in a software layer. In addition, the method can also find the memory abnormal operation caused by the abnormal access operation, has stronger protection effect, and particularly, when the memory illegal access operation occurs, the MPU can immediately trigger the abnormal access operation and can inform the microprocessor, so that the microprocessor can perform the abnormal processing, and the memory abnormal operation is positioned. In another aspect, the method in this embodiment may implement sharing of key information, thereby implementing sharing of data in the protected memory, and further improving flexibility and reliability of the method.
FIG. 16 is a block diagram illustrating a microprocessor according to an embodiment of the present invention; referring to fig. 16, the present embodiment provides a microprocessor for performing the memory access method of fig. 3. Specifically, the microprocessor may include:
a first memory 12 for storing a computer program;
a first processor 11 for executing the computer program stored in the first memory 12 to implement:
obtaining a memory access request, wherein the memory access request comprises an address to be accessed and an access key;
determining a memory area and a standard key corresponding to an address to be accessed;
and when the access key matches the standard key, adjusting the memory attribute of the memory area to an access permission state by using the memory protection unit.
Further, the memory access request is sent by a first virtual user, and the access permission state includes: a state that allows the first virtual user to perform a corresponding data processing operation with respect to the memory region.
The microprocessor may further include a first communication interface 13, which is used for the electronic device to communicate with other devices or a communication network.
Further, the memory attribute includes at least one of: read-write attribute, address execution attribute, and cache attribute.
Further, before obtaining the memory access request, the first processor 11 is further configured to: acquiring a memory protection request sent by a second virtual user, wherein the memory protection request comprises address information to be protected; distributing a corresponding memory area for the address information according to the memory protection request; adjusting the memory attribute of the memory area to a forbidden access state by using a memory protection unit; and generating key information corresponding to the address information, and sending the key information to the second virtual user.
Further, the access key of the first virtual user is determined according to the key information shared by the second virtual user to the first virtual user.
Further, the address information to be protected includes one of: address information of a process stack, address information of a non-process stack.
Further, when the first processor 11 generates the key information corresponding to the address information, the first processor 11 is configured to: random key information corresponding to the address information is generated using a random number generator.
Further, when the first processor 11 obtains the memory access request, the first processor 11 is configured to: acquire a memory access request sent by a first virtual user through a memory access channel.
Further, before obtaining the memory access request sent by the first virtual user through the memory access channel, the first processor 11 is further configured to: distributing corresponding memory access channels for the address information according to the memory protection request; and sending the memory access channel to a second virtual user.
Further, the memory access channel of the first virtual user is a memory access channel shared by the second virtual user to the first virtual user.
Further, after generating the key information corresponding to the address information, the first processor 11 is further configured to: store the key information into a preset area.
Further, the preset area includes an area located before the address information in the memory area.
Further, the preset area is adjacent to the memory area.
Further, the first processor 11 is further configured to: identifying an illegal access user aiming at the memory area; and generating illegal access information corresponding to the illegal access user.
Further, when the first processor 11 identifies an illegal access user to the memory area, the first processor 11 is configured to: when the access key does not match the standard key, determine the first virtual user as an illegal access user.
Further, when the first processor 11 identifies an illegal access user to the memory area, the first processor 11 is configured to: identifying an access channel of a first virtual user for sending a memory access request by using a memory protection unit; and when the access channel is not matched with the preset memory access channel, determining that the first virtual user is an illegal access user.
Further, the memory protection request comprises a first request and a second request, the first request comprises a first access address, the second request comprises a second access address, and an overlapping address exists between the first access address and the second access address; when the first processor 11 allocates a corresponding memory area and a memory attribute corresponding to the memory area to the address information according to the memory protection request, the first processor 11 is further configured to: allocating a corresponding first memory area and a first memory attribute corresponding to the first memory area to the first access address according to the first request; allocating a corresponding second memory area and a second memory attribute corresponding to the second memory area to the second access address according to the second request; acquiring a first attribute priority of a first memory area and a second attribute priority of a second memory area; and determining the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority.
Further, when the first processor 11 determines the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority, the first processor 11 is further configured to: when the first attribute priority is higher than the second attribute priority, determining the overlapping memory attribute of the overlapping address as the first memory attribute; or when the priority of the first attribute is lower than that of the second attribute, determining the overlapping memory attribute of the overlapping address as the second memory attribute.
Further, the memory protection request includes a first request and a second request, the first request includes a first access address and an identity of a first virtual user, and the second request includes a second access address and an identity of a second virtual user; when the first processor 11 generates the key information corresponding to the address information, the first processor 11 is further configured to: determining a first access priority corresponding to the first access address according to the identity of the first virtual user, and determining a second access priority corresponding to the second access address according to the identity of the second virtual user; generating first key information corresponding to the first access address, wherein the first key information meets the first access priority; second key information corresponding to the second access address is generated, the second key information satisfying the second access priority.
The microprocessor shown in fig. 16 can execute the method of the embodiments shown in fig. 3-9 and 12-15, and the detailed description of the embodiment can refer to the related descriptions of the embodiments shown in fig. 3-9 and 12-15. The implementation process and technical effect of the technical solution are described in the embodiments shown in fig. 3-9 and 12-15, and are not described again here.
In addition, an embodiment of the present invention provides a computer storage medium for storing computer software instructions for an electronic device, which includes programs for executing the memory access method in the method embodiments shown in fig. 3 to 9 and 12 to 15.
Fig. 17 is a schematic structural diagram of a client according to an embodiment of the present invention; referring to fig. 17, the present embodiment provides a client, which is configured to execute the memory access method shown in fig. 10. Specifically, the client may include:
a second memory 22 for storing a computer program;
a second processor 21 for executing the computer program stored in the second memory 22 to implement:
sending a memory protection request to a microprocessor, wherein the memory protection request comprises address information to be protected;
and receiving key information and a memory access channel which are sent by the microprocessor according to the memory protection request, wherein the key information corresponds to the address information.
The client may further include a second communication interface 23, which is used for the electronic device to communicate with other devices or a communication network.
Further, the second processor 21 is further configured to: share the key information and the address information with other clients so that the other clients execute corresponding data access operations on the memory area corresponding to the address information.
Further, the second processor 21 is further configured to: sending a memory access request to the microprocessor based on the memory access channel, wherein the memory access request comprises an address to be accessed and an access key, so that the microprocessor adjusts the memory attribute of a memory area corresponding to the address to be accessed to an access-allowed state according to the access key; and executing data processing operation corresponding to the memory access request aiming at the memory area.
The client shown in fig. 17 may execute the method of the embodiment shown in fig. 10 to fig. 15, and reference may be made to the related description of the embodiment shown in fig. 10 to fig. 15 for a part not described in detail in this embodiment. The implementation process and technical effect of the technical solution are described in the embodiments shown in fig. 10 to fig. 15, and are not described herein again.
In addition, an embodiment of the present invention provides a computer storage medium for storing computer software instructions for an electronic device, which includes a program for executing the memory access method in the method embodiments shown in fig. 10 to 15.
The technical solutions and the technical features in the above embodiments may be used alone or in combination in case of conflict with the present disclosure, and all embodiments that fall within the scope of protection of the present disclosure are intended to be equivalent embodiments as long as they do not exceed the scope of recognition of those skilled in the art.
In the embodiments provided in the present invention, it should be understood that the disclosed related remote control device and method can be implemented in other ways. For example, the above-described remote control device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, remote control devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer processor (processor) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes performed by the present specification and drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.