CN112384923A - Memory access method, microprocessor, client and computer storage medium - Google Patents

Memory access method, microprocessor, client and computer storage medium Download PDF

Info

Publication number
CN112384923A
CN112384923A CN201980039310.5A CN201980039310A CN112384923A CN 112384923 A CN112384923 A CN 112384923A CN 201980039310 A CN201980039310 A CN 201980039310A CN 112384923 A CN112384923 A CN 112384923A
Authority
CN
China
Prior art keywords
memory
access
address
request
attribute
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201980039310.5A
Other languages
Chinese (zh)
Inventor
陈星�
房玲江
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Zhuoyu Technology Co ltd
Original Assignee
SZ DJI Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SZ DJI Technology Co Ltd filed Critical SZ DJI Technology Co Ltd
Publication of CN112384923A publication Critical patent/CN112384923A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A memory access method, a microprocessor, a client and a computer storage medium are provided. The method comprises the following steps: obtaining a memory access request, wherein the memory access request comprises an address to be accessed and an access key (S101); determining a memory area and a standard key corresponding to an address to be accessed (S102); when the access key matches the standard key, the memory protection unit is used to adjust the memory attribute of the memory region to the access-allowed state (S103). By obtaining the memory access request, when the access key passes the verification, the memory attribute of the memory area is adjusted to the access permission state, so that the user can execute corresponding data processing operation aiming at the memory area, thereby not only preventing the memory from being accessed or modified accidentally, but also realizing the effective protection of the memory.

Description

Memory access method, microprocessor, client and computer storage medium
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a memory access method, a microprocessor, a client and a computer storage medium.
Background
In the field of microprocessors, memory protection is a necessary security means. The memory access methods in the prior art have respective advantages and disadvantages, are easily limited by hardware structures such as a microprocessor and the like, are complex to operate, are easy to reduce the system efficiency, can only realize the protection function, and cannot provide a detection means for abnormal access.
Disclosure of Invention
The embodiment of the invention provides a memory access method, a microprocessor, a client and a computer storage medium, which can prevent a memory from being accessed or modified accidentally, and can also find abnormal operation of a protected area in real time, thereby improving the security of memory access.
A first aspect of the present invention is to provide a method for accessing a memory, including:
obtaining a memory access request, wherein the memory access request comprises an address to be accessed and an access key;
determining a memory area and a standard key corresponding to the address to be accessed;
and when the access key is matched with the standard key, adjusting the memory attribute of the memory area to an access permission state by using a memory protection unit.
A second aspect of the present invention is to provide a microprocessor comprising:
a memory for storing a computer program;
a processor for executing the computer program stored in the memory to implement:
obtaining a memory access request, wherein the memory access request comprises an address to be accessed and an access key;
determining a memory area and a standard key corresponding to the address to be accessed;
and when the access key is matched with the standard key, adjusting the memory attribute of the memory area to an access permission state by using a memory protection unit.
A third aspect of the present invention is to provide a memory access method, including:
sending a memory protection request to a microprocessor, wherein the memory protection request comprises address information to be protected;
and receiving key information and a memory access channel which are sent by the microprocessor according to the memory protection request, wherein the key information corresponds to the address information.
A fourth aspect of the present invention is to provide a client, including:
a memory for storing a computer program;
a processor for executing the computer program stored in the memory to implement:
sending a memory protection request to a microprocessor, wherein the memory protection request comprises address information to be protected;
and receiving key information and a memory access channel which are sent by the microprocessor according to the memory protection request, wherein the key information corresponds to the address information.
A fifth aspect of the present invention is to provide a computer-readable storage medium, where the storage medium is a computer-readable storage medium, and program instructions are stored in the computer-readable storage medium, and the program instructions are used in the memory access method according to the first aspect.
A sixth aspect of the present invention is to provide a computer-readable storage medium, where the storage medium is a computer-readable storage medium, and program instructions are stored in the computer-readable storage medium, and the program instructions are used in the memory access method according to the third aspect.
According to the memory access method, the microprocessor, the client and the computer storage medium provided by the embodiment of the invention, the memory area and the standard key corresponding to the address to be accessed are determined by obtaining the memory access request, when the access key is matched with the standard key, the memory attribute of the memory area is adjusted to the access permission state by using the memory protection unit, and the memory access state is adjusted by using the memory protection unit based on the key, so that the memory can be prevented from being accessed or modified accidentally, the effective protection of the memory is realized, the safety and reliability of the memory access are ensured, and the practicability of the method is effectively improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a schematic diagram of an upper and lower bound protection method provided by the prior art;
FIG. 2 is a diagram illustrating a process stack protection method provided in the prior art;
fig. 3 is a first flowchart illustrating a memory access method according to an embodiment of the present invention;
fig. 4 is a second flowchart illustrating a memory access method according to an embodiment of the present invention;
fig. 5 is a third flowchart illustrating a memory access method according to an embodiment of the present invention;
fig. 6 is a fourth schematic flowchart of a memory access method according to an embodiment of the present invention;
fig. 7 is a schematic flowchart of identifying an illegal accessing user for the memory area according to an embodiment of the present invention;
fig. 8 is a fifth flowchart illustrating a memory access method according to an embodiment of the present invention;
fig. 9 is a sixth schematic flowchart of a memory access method according to an embodiment of the present invention;
fig. 10 is a first flowchart illustrating another memory access method according to an embodiment of the present invention;
fig. 11 is a second flowchart illustrating another memory access method according to an embodiment of the present invention;
fig. 12 is a first flowchart illustrating a memory access method according to an embodiment of the present invention;
fig. 13 is a first schematic diagram illustrating a memory access method according to an embodiment of the present invention;
fig. 14 is a second flowchart illustrating a memory access method according to an embodiment of the present invention;
fig. 15 is a second schematic diagram illustrating a memory access method according to an embodiment of the present invention;
FIG. 16 is a block diagram illustrating a microprocessor according to an embodiment of the present invention;
fig. 17 is a schematic structural diagram of a client according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
In order to facilitate understanding of a specific implementation process of the technical solution in this embodiment, the following description is made on a working principle of a microprocessor:
in the field of microprocessor technology, memory protection is a long-standing proposition. And whatever type of memory protection mode, all have respective advantages and disadvantages: some are limited by the hardware structure of the microprocessor, and some memory protection processes are complex to operate, so that the data processing efficiency is reduced; some can only realize the protection function, but can not provide detection for abnormal access.
For a microprocessor, the microprocessor may include a high-end microprocessor and a low-end microprocessor, where the high-end microprocessor includes a Memory Management Unit (MMU), and the MMU is used to implement virtual Memory Management, so as to divide a Memory address into a virtual address and a physical address. For the user, the user can see the virtual address, and the virtual address is isolated from the actual physical address, so as to achieve the purpose of memory protection.
The low-end microprocessor is not provided with an MMU, but is provided with a Memory Protection Unit (MPU), and specifically, the MPU is a hardware structure that provides Memory area attribute setting by taking an area as a Unit. Typically, an MPU may have 8 or more zones. Each region is correspondingly provided with a memory region and memory attributes, wherein the memory attributes comprise attributes of reading and writing (whether the region can be read and written), execution (whether the region can be directly accessed and executed), caching, writing caching and the like. Meanwhile, different regions are allowed to overlap when the memory regions are set, different regions may have different priorities, and when the memory regions of the regions overlap, the region with the high priority will cover the attribute set by the region with the low priority. When the attributes of the memory operation and the region setting are different, the abnormal operation of the hardware is immediately generated and the microprocessor is informed. Therefore, the memory can be protected by setting the read-write attribute, and the illegal operation of the memory can be found by using the abnormal operation.
For a low-end microprocessor, two memory protection modes can be adopted, one mode is a memory protection method which is realized by only utilizing a software processing algorithm without using an MPU (microprocessor unit), such as an upper and lower boundary protection method; another way is to use a protection method of the MPU, such as a process stack protection method in conjunction with an Operating System (OS).
Specifically, the process of the upper and lower boundary protection method comprises the following steps: the method comprises the steps that an upper and lower bound register is preset, wherein the upper and lower bound register stores the initial address and the end address of a memory used by a program which is being executed, in the data execution process, the memory operation is checked through a unified software processing algorithm, and whether the accessed address is in the range of the upper and lower bound is judged. If not, determining that the current access is illegal access; otherwise, it is a legal access. Referring to fig. 1, the memory access addresses of "1 #" and "3 #" exceed the upper and lower bound addresses defined by the memory region, so that the memory access operations of "1 #" and "3 #" can be determined as illegal operations; and the memory access address of '2 #' meets the address requirement, the successful access can be carried out.
In addition, the process stack protection method is a stack memory protection method which combines an Operating System (OS) and hardware, and can realize the protection between the stack memory of the currently running process and the stack memories of other processes, thereby effectively preventing the occurrence of stack overflow and realizing the protection of space in the stack. As shown in fig. 2, the specific implementation principle is as follows:
(1) a block of memory space is allocated in advance and used for stack background space of a process stack, and stacks of all processes are allocated in the space.
(2) The stack space is set to be unreadable and non-executable using a low-priority area (background area) of the MPU.
(3) When a process is started, a high-priority area (process area) of the MPU is used for a stack space of the process to be started, and the process is set to be readable and writable and not executable. At this time, due to the principle that the high priority of the MPU covers the low priority, only the started process stack space can be read and written, and other process stacks cannot be read and written, so that the protection of other process stacks is realized, and stack overflow or abnormal pointer modification is prevented.
(4) When the process is switched, the process area is set as a stack space to be switched, so that the next process to be started becomes readable and writable, and the process which is switched out becomes unreadable and writable.
However, the memory protection method has the following defects:
(1) most memory protection approaches in the field of microprocessors are mostly based on software level protection, such as: the above upper and lower boundary protection method. However, the software-layer-based protection method has a risk of abnormal operation, which may cause failure of the protection function.
(2) For software level protection, the access efficiency is reduced because the address of each operation needs to be checked.
(3) The software level protection measures are implemented based on the inspection of access addresses (e.g., upper and lower bound protection methods), so that access is required to be performed through a fixed software channel during memory access. Thus, when an abnormal access of the system does not pass through its fixed memory channel, its protection will fail. Such as: a widely existing exception pointer memory access. When the exception pointer points to a protected area, it is not protected because it does not go through a fixed memory channel.
(4) Most protection methods using the MPU only realize protection of the process stack, and are difficult to realize protection of arbitrary memory addresses.
(5) The memory protection method is basically based on the memory protection of the process, and no effective measure is provided for the protection of the interior of the process.
(6) The memory protection is a protection means for a single process or a single user, and the memory sharing among multiple users is difficult to realize and share protection.
Some embodiments of the invention are described in detail below with reference to the accompanying drawings. The features of the embodiments and examples described below may be combined with each other without conflict between the embodiments.
Fig. 3 is a schematic flowchart of a memory access method according to an embodiment of the present invention; referring to fig. 3, in order to solve the above problem, the present embodiment provides a memory access method, which can prevent a memory from being accidentally accessed or modified, and can also discover an abnormal operation of a protected area in real time, thereby improving the security of memory access. In a specific application, the main execution body of the memory access method may be a microprocessor, the microprocessor may be a low-end microprocessor, and the microprocessor may be implemented as software, or a combination of software and hardware. Specifically, the method may include:
s101: and acquiring a memory access request, wherein the memory access request comprises an address to be accessed and an access key.
The memory access request may be sent by a first virtual user. The first virtual user can be any one of the following expressions: the number of the first virtual users can be one or more, and it can be understood that the first virtual users can have different expressions in different application scenarios. Specifically, when the first virtual user sends a memory access request to the microprocessor, the microprocessor may obtain the memory access request, where the memory access request includes an address to be accessed and an access key, and the access key is used to implement a memory access operation for the address to be accessed.
S102: and determining a memory area and a standard key corresponding to the address to be accessed.
After the address to be accessed is obtained, the address to be accessed may be analyzed to determine a memory area and a standard key corresponding to the address to be accessed. Specifically, in this embodiment, a specific implementation manner for determining the memory area and the standard key corresponding to the address to be accessed is not limited, and a person skilled in the art may set the determination manner according to a specific application scenario and an application requirement, for example: acquiring address identification information corresponding to an address to be accessed, and determining a memory area and a standard key corresponding to the address to be accessed according to the address identification information, wherein the standard key is used for carrying out validity verification on a memory access request; when the standard key is matched with an access key included in the memory access request, determining that the memory access request is a legal request; and when the standard key is not matched with the access key included in the memory access request, determining that the memory access request is an illegal request.
S103: and when the access key is matched with the standard key, adjusting the memory attribute of the memory area to be in an access permission state by using the memory protection unit.
The access permission state includes: a state that allows the first virtual user to perform a corresponding data processing operation with respect to the memory region.
In another alternative embodiment, other virtual users associated with the first virtual user identity may be allowed to access the memory region and perform corresponding data processing operations.
When the access key matches the standard key, it is determined that the memory access request is a legal request, and at this time, the memory protection unit may be used to adjust the memory attribute in the memory area to an access-allowed state, where the memory attribute may include at least one of the following: reading and writing attributes, address fetching execution attributes and cache attributes, so that a first virtual user can execute data processing operation corresponding to the memory access request aiming at the memory area; the memory protection unit in this embodiment may be integrated in a microprocessor.
For example: before receiving a memory access request, the memory attribute of the memory area is in a forbidden access state, when the memory access request is a read-write request sent aiming at a first address, a first access key included in the read-write request can be obtained, a standard key corresponding to the first address is determined, and when the first access key is matched with the standard key, the read-write attribute of the memory area is adjusted to be in a permission state by using a memory protection unit, so that a first virtual user executes data read-write operation corresponding to the read-write request aiming at the memory area. Or, when the memory access request is an address retrieval execution request sent for the second address, the second access key included in the address retrieval execution request may be acquired, the standard key corresponding to the second address is determined, and when the second access key matches the standard key, the memory protection unit is used to adjust the address retrieval execution attribute of the memory area to an allowed state, so that the first virtual user executes the address retrieval execution operation corresponding to the address retrieval execution request for the memory area.
In the memory access method provided by this embodiment, a memory area and a standard key corresponding to the address to be accessed are determined by obtaining a memory access request, when the access key matches the standard key, a memory protection unit is used to adjust the memory attribute of the memory area to an allowed access state, and a memory protection unit is further used to adjust the memory access state based on the secret key, so that the memory is prevented from being accidentally accessed or modified, and the memory is effectively protected, thereby ensuring the security and reliability of the memory access and effectively improving the practicability of the method.
Fig. 4 is a schematic flowchart of another memory access method according to an embodiment of the present invention; on the basis of the foregoing embodiment, with reference to fig. 4, before obtaining the memory access request, the method in this embodiment may further include:
s201: and acquiring a memory protection request sent by the second virtual user, wherein the memory protection request comprises address information to be protected.
The second virtual user may be any one of the following expressions: processes, software modules running independently on the central processor, application programs, etc., and the number of the second virtual users may be one or more, it is understood that the second virtual users may have different expressions in different application scenarios. In a particular application scenario, the second virtual user may be the same as or different from the first virtual user.
Before obtaining the memory access request, in order to implement effective protection of the memory, the second virtual user may send a memory protection request to the microprocessor, where the memory protection request may include address information to be protected, and specifically, the address information to be protected may include one of: address information of a process stack and address information of a non-process stack; the memory area corresponding to the address information of the non-process stack is used for storing at least one of the following: authentication information, device information, configuration information, operational information, status information.
S202: and distributing a corresponding memory area for the address information according to the memory protection request.
After the memory protection request is obtained, a corresponding memory region may be allocated for the address information to be protected based on the memory protection request, where the memory region may correspond to a memory attribute, and the memory attribute may include at least one of the following: read-write attributes, fetch execution attributes, cache attributes, and the like,
s203: and adjusting the memory attribute of the memory area to a forbidden access state by using the memory protection unit.
After allocating the corresponding memory area for the address information, the memory protection unit may be used to adjust the memory attribute of the memory area to the access prohibition state, and it can be understood that, after adjusting the memory attribute of the memory area to the access prohibition state, any user cannot perform an access operation on the memory area, for example: the user can not execute the read-write operation of the data, can not execute the cache operation of the data, and can not realize the address-fetching execution operation; therefore, the memory area is effectively protected.
S204: and generating key information corresponding to the address information, and sending the key information to the second virtual user.
After the memory attribute of the memory area is adjusted to the access prohibited state, in order to enable a legitimate user to perform an access operation on the memory area, key information corresponding to the address information may be generated, and specifically, generating the key information corresponding to the address information may include:
s2041: random key information corresponding to the address information is generated using a random number generator.
Specifically, a random number generator is preset, and the random number generator may be integrated into the microprocessor, and after the memory attribute of the memory area of the address information is adjusted to the access prohibition state, the random number generator may be used to generate random key information corresponding to the address information. It is conceivable that, since the random key information is generated by the random number generator, it is effectively ensured that the key information corresponding to the address information is not fixed and unchanged, and the strength of protecting the memory area is further ensured.
After the key information is obtained, the key information can be sent to the second virtual user, so that the second virtual user can realize legal access operation to the memory area based on the key information. In addition, after the second virtual user acquires the correspondence between the key information and the address information, the correspondence between the key information and the address information may be shared to other virtual users, for example, the second virtual user may share the correspondence between the key information and the address information to the first virtual user, so that the first virtual user may perform a legitimate access operation to the memory area based on the shared key information. Specifically, the first virtual user may send a memory access request to the microprocessor, where the memory access request includes an access key, and at this time, the access key of the first virtual user may be determined according to key information shared by the second virtual user to the first virtual user, so that it is effectively achieved that the first virtual user performs a legal access operation on the memory area based on the key information shared by the second virtual user under the authorization of the second virtual user. When other virtual users do not send memory access requests to the microprocessor by using correct key information, the microprocessor can identify the virtual users as illegal users, so that illegal access operation to the memory area can be found.
In this embodiment, a memory protection request sent by a second virtual user is obtained, a corresponding memory area is allocated for address information according to the memory protection request, a memory protection unit is used to adjust a memory attribute of the memory area to an access prohibition state, key information corresponding to the address information is generated, and the key information is sent to the second virtual user, so that effective protection of the memory area corresponding to the address information to be protected is effectively achieved, the second virtual user can perform legal access operation on the memory area based on the key information, the situation that the memory is accidentally accessed or modified is effectively prevented, abnormal access operation of the protected area can be found in real time, that is, the illegal access operation of the virtual user can be obtained, and the security of accessing the memory is improved.
On the basis of the foregoing embodiment, with reference to fig. 3, a specific implementation manner of obtaining the memory access request in this embodiment is not limited, and a person skilled in the art may set the memory access request according to a specific application requirement and a design requirement, and preferably, the obtaining the memory access request in this embodiment includes:
s1011: and acquiring a memory access request sent by a first virtual user through a memory access channel.
The memory access channel can be a pre-configured legal access channel corresponding to the address information, and when the first virtual user sends the memory access request, the first virtual user can send the memory access request through the memory access channel corresponding to the address information, so that the microprocessor can obtain the memory access request sent by the first virtual user through the memory access channel, and the legality of the memory access request is effectively guaranteed.
Fig. 5 is a schematic flowchart of another memory access method according to an embodiment of the present invention; on the basis of the foregoing embodiment, with reference to fig. 5, before acquiring the memory access request sent by the first virtual user through the memory access channel, the method in this embodiment may further include:
s301: and distributing corresponding memory access channels for the address information according to the memory protection request.
S302: and sending the memory access channel to a second virtual user.
After the memory protection request is obtained, corresponding memory access channels may be allocated for address information in the memory protection request, and it is conceivable that different address information may correspond to the same or different memory access channels; and then the memory access channel is sent to a second virtual user, so that the second virtual user can realize legal access to the memory area through the memory access channel.
In addition, after the second virtual user obtains the correspondence between the memory access channel and the address information, the correspondence between the memory access channel and the address information may be shared to other virtual users, for example, the second virtual user may share the correspondence between the memory access channel and the address information to the first virtual user, so that the first virtual user may perform a legal access operation on the memory area based on the shared memory access channel. Specifically, the first virtual user may send a memory access request to the microprocessor through the memory access channel for the address information, and at this time, the memory access channel of the first virtual user is the memory access channel shared by the second virtual user to the first virtual user, so that the first virtual user may implement a legal access operation on the memory area based on the memory access channel shared by the second virtual user.
It can be understood that, when the second virtual user performs an access operation on the memory area, the memory area needs to be accessed by using the key information and the memory access channel corresponding to the address information, and only after the memory access channel and the key information are both verified, the legal access operation on the memory area can be realized. On the contrary, the second virtual user cannot realize the legal access operation to the memory area under the condition that the key information is not verified, the memory access channel is verified, or the memory access channel is not verified and the key information is verified.
In this embodiment, the corresponding memory access channel is allocated to the address information according to the memory protection request, and the memory access channel is sent to the second virtual user, so that the strength of protecting the memory region corresponding to the address information to be protected is effectively increased, the second virtual user can perform a legal access operation on the memory region based on the memory access channel, the memory is effectively prevented from being accidentally accessed or modified, meanwhile, an abnormal access operation of the protected region can be found in real time, that is, an illegal access operation of the virtual user can be obtained, and the security of accessing the memory is improved.
On the basis of any one of the above embodiments, after generating the key information corresponding to the address information, the method in this embodiment may further include:
s205: and storing the key information into a preset area.
The preset area may include an area located before the address information in the memory area; alternatively, the predetermined area may be adjacent to the memory area. For example, the predetermined area is a0-a10, where the a0 area is the area before the address information, and after the key information is obtained, the key information may be stored in the a0 area. Or, the preset area is a, the area adjacent to the preset area a includes an area B and an area C, and after the key information is obtained, the key information may be stored in the area B or the area C.
Of course, a person skilled in the art may select other preset areas according to a specific application scenario, as long as the key information can be stored in the preset area, which is convenient for obtaining the stored key information through the preset area.
Fig. 6 is a fourth schematic flowchart of a memory access method according to an embodiment of the present invention; on the basis of any one of the above embodiments, referring to fig. 6, the method in this embodiment may further include:
s401: an illegal access user to the memory region is identified.
S402: and generating illegal access information corresponding to the illegal access user.
For the microprocessor, the virtual user accessing the memory area may be a legal access user or an illegal access user, where the legal access user may be a virtual user whose access key in the transmitted memory access request matches the standard key and whose access channel matches the preset memory access channel; the illegal access user may refer to a virtual user whose access key in the sent memory access request does not match the standard key, and/or whose access channel does not match the preset memory access channel. Specifically, a way to identify an illegal access user to a memory area may include:
s500: and when the access key is not matched with the standard key, determining the first virtual user as an illegal access user.
Specifically, after a memory access request sent by a first virtual user is obtained, an access key included in the memory access request may be obtained, and then the access key is analyzed and matched with a standard key, when the access key is not matched with the standard key, that is, when the access key sent by the first virtual user is different from a preset standard key, it may be determined that the first virtual user at this time is an illegal access user.
In addition, referring to fig. 7, another way for identifying an illegal access user to a memory area is provided in the present embodiment, specifically, the method includes:
s501: and identifying an access channel of the first virtual user for sending the memory access request by using the memory protection unit.
S502: and when the access channel is not matched with the preset memory access channel, determining that the first virtual user is an illegal access user.
Specifically, after the memory access request sent by the first virtual user is obtained, the memory protection unit may be used to identify an access channel of the memory access request sent by the first virtual user, and then the access channel is analyzed and matched with a preset memory access channel, when the access channel is not matched with the memory access channel, that is, when the access channel of the memory access request sent by the first virtual user is different from the preset memory access channel, it may be determined that the first virtual user at this time is an illegal access user.
On the contrary, when the access channel is matched with the memory access channel, the access key included in the memory access request can be acquired, then the access key is analyzed and matched with the standard key, and when the access key is matched with the standard key, that is, the access key sent by the first virtual user is the same as the preset standard key, the first virtual user at the moment can be determined to be a legal access user.
After the illegal accessing user is identified, illegal accessing information corresponding to the illegal accessing user can be generated, and the illegal accessing information can comprise user identification, accessing record, accessing time and the like of the illegal accessing user; the user can be prompted through the generated illegal access information, so that the user can acquire abnormal access operation accessing the microprocessor in time, the memory is effectively prevented from being accessed or modified accidentally, meanwhile, the abnormal operation of the protected area can be found in real time, and the quality and the effect of protecting the memory area are further improved.
Fig. 8 is a fifth flowchart illustrating a memory access method according to an embodiment of the present invention; based on any of the above embodiments, with continued reference to fig. 8, the memory protection request includes a first request and a second request, the first request includes a first access address, the second request includes a second access address, and an overlapping address exists between the first access address and the second access address; at this time, the allocating the corresponding memory area and the memory attribute corresponding to the memory area to the address information according to the memory protection request in this embodiment may include:
s601: and allocating a corresponding first memory area and a first memory attribute corresponding to the first memory area for the first access address according to the first request.
S602: and allocating a corresponding second memory area and a second memory attribute corresponding to the second memory area for the second access address according to the second request.
S603: and acquiring a first attribute priority of the first memory area and a second attribute priority of the second memory area.
S604: and determining the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority.
Specifically, when the memory protection request includes a first request and a second request, the first request and the second request may be sent to the microprocessor by two different virtual users, at this time, after the microprocessor receives the first request and the second request, a corresponding first memory region may be allocated to the first access address according to the first request, at this time, the first memory region may correspond to the first memory attribute, and a corresponding second memory region may be allocated to the second access address according to the second request, at this time, the second memory region may correspond to the second memory attribute. Because an overlapping address exists between a first access address to be protected and a second access address, an overlapping area also exists between a first memory area allocated for the first access address and a second memory area allocated for the second access address; for the memory attributes of the overlapping region, the attribute priority between the first memory region and the second memory attribute needs to be identified, that is, the first attribute priority of the first memory region and the second attribute priority of the second memory region can be determined according to a preset rule; an overlapping memory attribute for the overlapping address is then determined based on the first attribute priority and the second attribute priority. Specifically, determining the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority may include:
s6041: and when the first attribute priority is higher than the second attribute priority, determining the overlapping memory attribute of the overlapping address as the first memory attribute. Or,
s6042: and when the priority of the first attribute is lower than that of the second attribute, determining the overlapping memory attribute of the overlapping address as the second memory attribute.
When the first attribute priority and the second attribute priority are obtained, the higher attribute priority can be determined, and then the overlapping memory attribute of the overlapping address is determined to be consistent with the higher attribute priority. Specifically, when the priority of the first attribute is higher than the priority of the second attribute, the overlapping memory attribute of the overlapping address is determined as the first memory attribute, or when the priority of the first attribute is lower than the priority of the second attribute, the overlapping memory attribute of the overlapping address is determined as the second memory attribute.
For example: the first access address included in the first request is: 192.168.1.1-192.168.1.154; the second access address included in the second request is: 192.168.1.100-192.168.1.254; at this time, the overlapping address existing between the first access address and the second access address is: 192.168.1.100-192.168.1.154. Then, a first memory area allocated to the first access address is an area A, a second memory area allocated to the second access address is an area B, wherein an overlapping area C exists between the area A and the area B, and the overlapping area C is used for storing the overlapping address; at this time, all the area constituted by the area a and the area B may be divided into three parts: a region a1 for storing non-overlapping address parts in the first access address, an overlapping region C for storing overlapping addresses, and a region B1 for non-overlapping address parts in the second access address, wherein region a1 and overlapping region C constitute region a and region B1 and overlapping region C constitute region B.
For region A1, overlap region C, and region B1, the memory attributes of region A1 correspond to a first attribute priority and the memory attributes of region B1 correspond to a second attribute priority, wherein the first attribute priority corresponds to a first request and the second attribute priority corresponds to a second request. The memory attribute of the overlapping region C conforms to the attribute information with higher priority in the first attribute priority and the second attribute priority, so that a virtual user with high priority can access the overlapping region, while a virtual user with low priority cannot access the overlapping region, different memory protection strategies are set for the virtual users with different priorities, and the flexibility and reliability of the use of the memory protection method are further improved.
Fig. 9 is a sixth schematic flowchart of a memory access method according to an embodiment of the present invention; on the basis of any of the foregoing embodiments, with reference to fig. 9 continuously, the memory protection request includes a first request and a second request, where the first request includes a first access address and an identifier of a first virtual user, and the second request includes a second access address and an identifier of a second virtual user; at this time, generating key information corresponding to the address information in the present embodiment may include:
s701: and determining a first access priority corresponding to the first access address according to the identity of the first virtual user, and determining a second access priority corresponding to the second access address according to the identity of the second virtual user.
S702: first key information corresponding to the first access address is generated, the first key information satisfying the first access priority.
S703: second key information corresponding to the second access address is generated, the second key information satisfying the second access priority.
Specifically, when the memory protection request includes a first request and a second request, the first request and the second request may be respectively sent by a first virtual user and a second virtual user to the microprocessor, at this time, after the microprocessor receives the first request and the second request, an identity of the first virtual user included in the first request may be recognized, then a first access priority corresponding to the first access address is determined according to the identity of the first virtual user, similarly, an identity of the second virtual user included in the second request may be recognized, then a second access priority corresponding to the second access address is determined according to the identity of the second virtual user, when there is no overlapping address between the first access address and the second access address, first key information corresponding to the first access address may be directly generated, the first key information satisfies a first access priority; second key information corresponding to the second access address is generated, the second key information satisfying the second access priority.
When an overlapping address exists between the first access address and the second access address, the overlapping address part corresponds to first key information meeting the first access priority and second key information meeting the second access priority, and at the moment, the key information with higher access priority covers the key information with lower access priority. For example: the overlapping area corresponds to the first key information with higher access priority and the second key information with lower access priority, and the key information corresponding to the overlapping area is the first key information, so that the virtual user with high priority can access the overlapping area, while the virtual user with low priority cannot access the overlapping area, thereby realizing setting different memory protection strategies for the virtual users with different priority levels, and further improving the flexible reliability of the memory protection method.
Fig. 10 is a flowchart illustrating another memory access method according to an embodiment of the present invention; referring to fig. 10, in order to solve the above problem, the present embodiment provides a memory access method, which can prevent a memory from being accidentally accessed or modified, and can also discover abnormal operations of a protected area in real time, thereby improving the security of memory access. In a specific application, an execution subject of the memory access method may be a client, and it is understood that the client may be implemented as software or a combination of software and hardware. Specifically, the method may include:
s801: and sending a memory protection request to the microprocessor, wherein the memory protection request comprises address information to be protected.
S802: and receiving key information and a memory access channel which are sent by the microprocessor according to the memory protection request, wherein the key information corresponds to the address information.
Specifically, when the client has a memory protection requirement for the address information to be protected, a memory protection request for the address information to be protected can be generated, and then the memory protection request can be sent to the microprocessor, so that the microprocessor can allocate a corresponding memory area to the address information to be protected based on the memory protection request, perform memory protection operation on the memory area, and then return key information and a memory access channel corresponding to the address information to be protected, so that the client can receive the key information and the memory access channel corresponding to the memory protection request, and the key information and the memory access channel at this time correspond to the address information to be protected, thereby realizing that the client can perform legal data access operation through the memory access channel and the key information.
According to the memory access method provided by the embodiment, the memory protection request is sent to the microprocessor, and the key information and the memory access channel sent by the microprocessor according to the memory protection request are received, so that the client can effectively perform legal data access operation based on the memory access channel and the key information, and the memory is further prevented from being accessed or modified accidentally, so that the memory access safety is improved, and the practicability of the memory access method is effectively guaranteed.
On the basis of the foregoing embodiment, with continuing reference to fig. 10, in order to improve the flexible reliability of the method, the method in this embodiment may further include:
s901: and sharing the key information and the address information to other clients so that the other clients execute corresponding data access operation aiming at the memory area corresponding to the address information.
Specifically, after the client acquires the corresponding relationship between the key information and the address information, the key information and the address information can be shared to other clients, so that the other clients can execute corresponding data access operation aiming at the memory area corresponding to the address information under the authorization of the client, the client with legal authority can effectively execute corresponding data access operation on the memory area, the client without legal authority cannot execute corresponding data access operation on the memory area, the condition that the memory is accessed or modified accidentally is further prevented, and the quality and the effect of protecting the memory access are improved.
Fig. 11 is a second flowchart illustrating another memory access method according to an embodiment of the present invention; on the basis of the foregoing embodiment, with reference to fig. 11, the method in this embodiment may further include:
s1001: and sending a memory access request to the microprocessor based on the memory access channel, wherein the memory access request comprises an address to be accessed and an access key, so that the microprocessor adjusts the memory attribute of the memory area corresponding to the address to be accessed to an access permission state according to the access key.
S1002: and executing data processing operation corresponding to the memory access request aiming at the memory area.
Specifically, after requesting the microprocessor to execute a corresponding memory protection operation on address information to be protected, the client may also request to access the corresponding memory area through the microprocessor, specifically, the client may send a memory access request to the microprocessor based on the memory access channel, where the memory access request includes an address to be accessed and an access key, after the microprocessor receives the memory access request, the legitimacy of the client may be identified based on the access key included in the memory access request, and after determining that the client is a valid access user, the client may adjust the memory attribute of the memory area corresponding to the address to be accessed to an operating access state according to the access key, so that the client may execute a data processing operation corresponding to the memory access request for the memory area.
In this embodiment, a memory access request is sent to a microprocessor based on a memory access channel, and after the microprocessor adjusts the memory attribute of a memory region corresponding to an address to be accessed to an access-allowed state according to an access key, a client executes a data processing operation corresponding to the memory access request for the memory region, so that the client with a legal right can execute the data processing operation corresponding to the memory access request for the memory region, which can prevent the memory from being accessed or modified accidentally, and also realize effective protection for the memory, thereby ensuring the safety and reliability of application to the memory, and effectively improving the practicability of the method.
In specific application, the present application embodiment provides a memory access method, which implements protection of a memory by combining software and hardware, has high reliability, high performance, small granularity, and sharable functions, and can retain information of an illegally accessed memory, find a cause of an illegal access, and prevent an illegal address fetching operation in a protected area. In addition, the method can realize the setting of the memory attribute and the write cache attribute while realizing the legal access to the memory, and is favorable for solving the problem of memory data synchronization. Specifically, as shown in fig. 12, the method includes the following steps:
step 1: and acquiring a memory protection request sent by a user, wherein the memory protection request comprises address information to be protected.
step 2: and distributing a corresponding memory area for the address information according to the memory protection request.
step 3: and configuring address information of the memory area.
step 4: and adjusting the memory attribute of the memory area to a forbidden access state by using the memory protection unit.
step 5: and generating key information corresponding to the address information, and sending the key information to the user.
Specifically, a user may apply for a memory area from the memory protection unit MPU by using an address that needs to be protected, and after the memory area is successfully allocated, the memory attribute of the address may be adjusted to an access prohibition state, for example: the read-write authority is closed (namely locking), the cache authority is closed and the like, the memory area in the access forbidden state cannot be accessed, and if the access occurs, the abnormal access information is immediately generated, so that the positioning of the illegal access information is realized. Then, a random key is generated by using the random number generator, and the random key is bound with the address, that is, key information corresponding to the address information is obtained, and the key information can be stored in a position before the address of the memory area, and meanwhile, the obtained key information can be sent to the user, as shown in fig. 13, so that the user can perform unlocking access on the memory area according to the held key information, thereby implementing legal access operation on the memory area.
Further, after the user acquires the key information, the user may share the key information, as shown in fig. 14, the user may give the own key information to another user, so as to implement memory sharing in a protected state, and thereby enable another authorized user to perform a legal access operation on the memory area through the shared key information.
Specifically, referring to fig. 15, when a user accesses a memory area, the method includes the following steps:
step 11: and acquiring the sent memory access request, wherein the memory access request comprises an address to be accessed and an access key.
step 12: and determining a memory area and a standard key corresponding to the address to be accessed, and verifying the access key by using the standard key.
step 13: when the standard key is not matched with the access key, the access key is not verified, and feedback information can be sent to the user; when the standard key is matched with the access key, the access key is proved to be verified.
step 14: after the access key is verified, the memory attribute of the memory area may be adjusted to the access-allowed state. At this time, the user may perform an access operation on the memory area through the access key.
step 15: after the access operation is performed on the memory area, the memory attribute of the memory area can be adjusted to the access prohibition state again, so that the safe access operation on the memory area is realized.
According to the memory access method provided by the application embodiment, after a memory protection request sent by a virtual user is received, a memory area is protected based on the memory protection request, so that the memory protection area is applied by taking the request of the virtual user as a unit, the memory protection with small granularity is realized, and the memory division and protection in a process can be realized; in addition, the microprocessor in the embodiment adopts the MPU hardware unit to perform memory protection, and compared with the memory protection measure in a software layer, the microprocessor has higher read-write efficiency because the check of secondary read-write addresses is reduced; and the MPU is used for setting read-write attributes to realize memory protection, and the memory protection is equivalent and reliable compared with the memory protection in a software layer. In addition, the method can also find the memory abnormal operation caused by the abnormal access operation, has stronger protection effect, and particularly, when the memory illegal access operation occurs, the MPU can immediately trigger the abnormal access operation and can inform the microprocessor, so that the microprocessor can perform the abnormal processing, and the memory abnormal operation is positioned. In another aspect, the method in this embodiment may implement sharing of key information, thereby implementing sharing of data in the protected memory, and further improving flexibility and reliability of the method.
FIG. 16 is a block diagram illustrating a microprocessor according to an embodiment of the present invention; referring to fig. 16, the present embodiment provides a microprocessor for performing the memory access method of fig. 3. Specifically, the microprocessor may include:
a first memory 12 for storing a computer program;
a first processor 11 for executing the computer program stored in the first memory 12 to implement:
obtaining a memory access request, wherein the memory access request comprises an address to be accessed and an access key;
determining a memory area and a standard key corresponding to an address to be accessed;
and when the access key is matched with the standard key, adjusting the memory attribute of the memory area to be in an access permission state by using the memory protection unit.
Further, the memory access request is sent by a first virtual user, and the access permission state includes: a state that allows the first virtual user to perform a corresponding data processing operation with respect to the memory region.
The microprocessor may further include a first communication interface 13 for communicating the electronic device with other devices or a communication network.
Further, the memory attribute includes at least one of: read-write attribute, address execution attribute, and cache attribute.
Further, before obtaining the memory access request, the first processor 11 is further configured to: acquiring a memory protection request sent by a second virtual user, wherein the memory protection request comprises address information to be protected; distributing a corresponding memory area for the address information according to the memory protection request; adjusting the memory attribute of the memory area to a forbidden access state by using a memory protection unit; and generating key information corresponding to the address information, and sending the key information to the second virtual user.
Further, the access key of the first virtual user is determined according to the key information shared by the second virtual user to the first virtual user.
Further, the address information to be protected includes one of: address information of a process stack, address information of a non-process stack.
Further, when the first processor 11 generates the key information corresponding to the address information, the first processor 11 is configured to: random key information corresponding to the address information is generated using a random number generator.
Further, when the first processor 11 obtains the memory access request, the first processor 11 is configured to: and acquiring a memory access request sent by a first virtual user through a memory access channel.
Further, before obtaining the memory access request sent by the first virtual user through the memory access channel, the first processor 11 is further configured to: distributing corresponding memory access channels for the address information according to the memory protection request; and sending the memory access channel to a second virtual user.
Further, the memory access channel of the first virtual user is a memory access channel shared by the second virtual user to the first virtual user.
Further, after generating the key information corresponding to the address information, the first processor 11 is further configured to: and storing the key information into a preset area.
Further, the preset area includes an area located before the address information in the memory area.
Further, the preset area is adjacent to the memory area.
Further, the first processor 11 is further configured to: identifying an illegal access user aiming at the memory area; and generating illegal access information corresponding to the illegal access user.
Further, when the first processor 11 identifies an illegal access user to the memory area, the first processor 11 is configured to: and when the access key is not matched with the standard key, determining the first virtual user as an illegal access user.
Further, when the first processor 11 identifies an illegal access user to the memory area, the first processor 11 is configured to: identifying an access channel of a first virtual user for sending a memory access request by using a memory protection unit; and when the access channel is not matched with the preset memory access channel, determining that the first virtual user is an illegal access user.
Further, the memory protection request comprises a first request and a second request, the first request comprises a first access address, the second request comprises a second access address, and an overlapping address exists between the first access address and the second access address; when the first processor 11 allocates a corresponding memory area and a memory attribute corresponding to the memory area to the address information according to the memory protection request, the first processor 11 is further configured to: allocating a corresponding first memory area and a first memory attribute corresponding to the first memory area to the first access address according to the first request; allocating a corresponding second memory area and a second memory attribute corresponding to the second memory area to the second access address according to the second request; acquiring a first attribute priority of a first memory area and a second attribute priority of a second memory area; and determining the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority.
Further, when the first processor 11 determines the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority, the first processor 11 is further configured to: when the first attribute priority is higher than the second attribute priority, determining the overlapping memory attribute of the overlapping address as the first memory attribute; or when the priority of the first attribute is lower than that of the second attribute, determining the overlapping memory attribute of the overlapping address as the second memory attribute.
Further, the memory protection request includes a first request and a second request, the first request includes a first access address and an identity of a first virtual user, and the second request includes a second access address and an identity of a second virtual user; when the first processor 11 generates the key information corresponding to the address information, the first processor 11 is further configured to: determining a first access priority corresponding to the first access address according to the identity of the first virtual user, and determining a second access priority corresponding to the second access address according to the identity of the second virtual user; generating first key information corresponding to the first access address, wherein the first key information meets the first access priority; second key information corresponding to the second access address is generated, the second key information satisfying the second access priority.
The microprocessor shown in fig. 16 can execute the method of the embodiments shown in fig. 3-9 and 12-15, and the detailed description of the embodiment can refer to the related descriptions of the embodiments shown in fig. 3-9 and 12-15. The implementation process and technical effect of the technical solution are described in the embodiments shown in fig. 3-9 and 12-15, and are not described again here.
In addition, an embodiment of the present invention provides a computer storage medium for storing computer software instructions for an electronic device, which includes programs for executing the memory access method in the method embodiments shown in fig. 3 to 9 and 12 to 15.
Fig. 17 is a schematic structural diagram of a client according to an embodiment of the present invention; referring to fig. 17, the present embodiment provides a client, which is configured to execute the memory access method shown in fig. 10. Specifically, the client may include:
a second memory 22 for storing a computer program;
a second processor 21 for executing the computer program stored in the second memory 22 to implement:
sending a memory protection request to a microprocessor, wherein the memory protection request comprises address information to be protected;
and receiving key information and a memory access channel which are sent by the microprocessor according to the memory protection request, wherein the key information corresponds to the address information.
The client may further include a second communication interface 23, which is used for the electronic device to communicate with other devices or a communication network.
Further, the second processor 21 is further configured to: and sharing the key information and the address information to other clients so that the other clients execute corresponding data access operation aiming at the memory area corresponding to the address information.
Further, the second processor 21 is further configured to: sending a memory access request to the microprocessor based on the memory access channel, wherein the memory access request comprises an address to be accessed and an access key, so that the microprocessor adjusts the memory attribute of a memory area corresponding to the address to be accessed to an access-allowed state according to the access key; and executing data processing operation corresponding to the memory access request aiming at the memory area.
The client shown in fig. 17 may execute the method of the embodiment shown in fig. 10 to fig. 15, and reference may be made to the related description of the embodiment shown in fig. 10 to fig. 15 for a part not described in detail in this embodiment. The implementation process and technical effect of the technical solution are described in the embodiments shown in fig. 10 to fig. 15, and are not described herein again.
In addition, an embodiment of the present invention provides a computer storage medium for storing computer software instructions for an electronic device, which includes a program for executing the memory access method in the method embodiments shown in fig. 10 to 15.
The technical solutions and the technical features in the above embodiments may be used alone or in combination in case of conflict with the present disclosure, and all embodiments that fall within the scope of protection of the present disclosure are intended to be equivalent embodiments as long as they do not exceed the scope of recognition of those skilled in the art.
In the embodiments provided in the present invention, it should be understood that the disclosed related remote control device and method can be implemented in other ways. For example, the above-described remote control device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, remote control devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer processor (processor) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes performed by the present specification and drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (44)

1. A method of memory access, comprising:
obtaining a memory access request, wherein the memory access request comprises an address to be accessed and an access key;
determining a memory area and a standard key corresponding to the address to be accessed;
and when the access key is matched with the standard key, adjusting the memory attribute of the memory area to an access permission state by using a memory protection unit.
2. The method of claim 1, wherein the memory access request is sent by a first virtual user, and wherein the allowing access state comprises: a state that allows the first virtual user to perform a corresponding data processing operation with respect to the memory region.
3. The method of claim 2, wherein prior to obtaining the memory access request, the method further comprises:
acquiring a memory protection request sent by a second virtual user, wherein the memory protection request comprises address information to be protected;
distributing a corresponding memory area for the address information according to the memory protection request;
adjusting the memory attribute of the memory area to a forbidden access state by using the memory protection unit;
and generating key information corresponding to the address information, and sending the key information to the second virtual user.
4. The method of claim 3, wherein the access key for the first virtual user is determined based on key information shared by the second virtual user to the first virtual user.
5. The method of claim 3, wherein the address information to be protected comprises one of: address information of a process stack, address information of a non-process stack.
6. The method of claim 3, wherein the generating key information corresponding to the address information comprises:
generating a random key information corresponding to the address information using a random number generator.
7. The method of claim 3, wherein obtaining the memory access request comprises:
and acquiring a memory access request sent by a first virtual user through a memory access channel.
8. The method of claim 7, wherein prior to obtaining the memory access request sent by the first virtual user over the memory access channel, the method further comprises:
distributing a corresponding memory access channel for the address information according to the memory protection request;
and sending the memory access channel to the second virtual user.
9. The method of claim 8, wherein the memory access channel of the first virtual user is a memory access channel shared by the second virtual user to the first virtual user.
10. The method according to any one of claims 3 to 9, wherein after generating key information corresponding to the address information, the method further comprises:
and storing the key information into a preset area.
11. The method according to claim 10, wherein the predetermined area includes an area located before the address information in the memory area.
12. The method of claim 10, wherein the predetermined area is adjacent to the memory area.
13. The method according to any one of claims 2-9, further comprising:
identifying an illegal access user aiming at the memory area;
and generating illegal access information corresponding to the illegal access user.
14. The method of claim 13, wherein the identifying the illegitimate access user to the memory region comprises:
and when the access key is not matched with the standard key, determining that the first virtual user is an illegal access user.
15. The method of claim 13, wherein the identifying the illegitimate access user to the memory region comprises:
identifying an access channel of the first virtual user for sending the memory access request by using the memory protection unit;
and when the access channel is not matched with a preset memory access channel, determining that the first virtual user is an illegal access user.
16. The method according to any one of claims 3 to 9, wherein the memory protection request comprises a first request and a second request, the first request comprises a first access address, the second request comprises a second access address, and an overlapping address exists between the first access address and the second access address; the allocating, according to the memory protection request, a corresponding memory region and a memory attribute corresponding to the memory region for the address information includes:
allocating a corresponding first memory area and a first memory attribute corresponding to the first memory area to the first access address according to the first request;
allocating a corresponding second memory area and a second memory attribute corresponding to the second memory area to the second access address according to the second request;
acquiring a first attribute priority of the first memory area and a second attribute priority of the second memory area;
and determining the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority.
17. The method of claim 16, wherein determining the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority comprises:
when the first attribute priority is higher than the second attribute priority, determining the overlapping memory attribute of the overlapping address as the first memory attribute; or,
and when the priority of the first attribute is lower than that of the second attribute, determining the overlapping memory attribute of the overlapping address as the second memory attribute.
18. The method according to any one of claims 3 to 9, wherein the memory protection request includes a first request and a second request, the first request includes a first access address and an identifier of the first virtual user, and the second request includes a second access address and an identifier of the second virtual user; generating key information corresponding to the address information, including:
determining a first access priority corresponding to the first access address according to the identity of the first virtual user, and determining a second access priority corresponding to the second access address according to the identity of the second virtual user;
generating first key information corresponding to the first access address, the first key information satisfying the first access priority;
generating second key information corresponding to the second access address, the second key information satisfying the second access priority.
19. A memory access method, comprising:
sending a memory protection request to a microprocessor, wherein the memory protection request comprises address information to be protected;
and receiving key information and a memory access channel which are sent by the microprocessor according to the memory protection request, wherein the key information corresponds to the address information.
20. The method of claim 19, further comprising:
and sharing the key information and the address information to other clients so that the other clients execute corresponding data access operation aiming at the memory area corresponding to the address information.
21. The method of claim 19, further comprising:
sending a memory access request to a microprocessor based on the memory access channel, wherein the memory access request comprises a to-be-accessed address and an access key, so that the microprocessor adjusts the memory attribute of a memory area corresponding to the to-be-accessed address to an access-allowed state according to the access key;
and executing data processing operation corresponding to the memory access request aiming at the memory area.
22. A microprocessor, comprising:
a memory for storing a computer program;
a processor for executing the computer program stored in the memory to implement:
obtaining a memory access request, wherein the memory access request comprises an address to be accessed and an access key;
determining a memory area and a standard key corresponding to the address to be accessed;
and when the access key is matched with the standard key, adjusting the memory attribute of the memory area to an access permission state by using a memory protection unit.
23. The microprocessor of claim 22, wherein the memory access request is sent by a first virtual user, and wherein the allow access state comprises: a state that allows the first virtual user to perform a corresponding data processing operation with respect to the memory region.
24. The microprocessor of claim 23, wherein prior to obtaining the memory access request, the processor is further configured to:
acquiring a memory protection request sent by a second virtual user, wherein the memory protection request comprises address information to be protected;
distributing a corresponding memory area for the address information according to the memory protection request;
adjusting the memory attribute of the memory area to a forbidden access state by using the memory protection unit;
and generating key information corresponding to the address information, and sending the key information to the second virtual user.
25. The microprocessor of claim 24, wherein the access key for the first virtual user is determined based on key information shared by the second virtual user to the first virtual user.
26. The microprocessor of claim 24, wherein the address information to be protected comprises one of: address information of a process stack, address information of a non-process stack.
27. The microprocessor of claim 24, wherein when the processor generates key information corresponding to the address information, the processor is configured to:
generating a random key information corresponding to the address information using a random number generator.
28. The microprocessor of claim 24, wherein when the processor is fetching a memory access request, the processor is configured to:
and acquiring a memory access request sent by a first virtual user through a memory access channel.
29. The microprocessor of claim 28, wherein prior to obtaining the memory access request sent by the first virtual user over the memory access channel, the processor is further configured to:
distributing a corresponding memory access channel for the address information according to the memory protection request;
and sending the memory access channel to the second virtual user.
30. The microprocessor of claim 29, wherein the memory access channel of the first virtual user is a memory access channel shared by the second virtual user to the first virtual user.
31. The microprocessor of any one of claims 24-30, wherein after generating key information corresponding to the address information, the processor is further configured to:
and storing the key information into a preset area.
32. The microprocessor of claim 31, wherein the predetermined area comprises an area in the memory area preceding the address information.
33. The microprocessor of claim 31, wherein the predetermined area is adjacent to the memory area.
34. The microprocessor of any one of claims 23-30, wherein the processor is further configured to:
identifying an illegal access user aiming at the memory area;
and generating illegal access information corresponding to the illegal access user.
35. The microprocessor of claim 34, wherein when the processor identifies an illegitimate access user to the memory region, the processor is configured to:
and when the access key is not matched with the standard key, determining that the first virtual user is an illegal access user.
36. The microprocessor of claim 34, wherein when the processor identifies an illegitimate access user to the memory region, the processor is configured to:
identifying an access channel of the first virtual user for sending the memory access request by using the memory protection unit;
and when the access channel is not matched with a preset memory access channel, determining that the first virtual user is an illegal access user.
37. The microprocessor of any one of claims 24-30, wherein the memory protection request comprises a first request comprising a first access address and a second request comprising a second access address, wherein an overlapping address exists between the first access address and the second access address; when the processor allocates a corresponding memory region and a memory attribute corresponding to the memory region to the address information according to the memory protection request, the processor is further configured to:
allocating a corresponding first memory area and a first memory attribute corresponding to the first memory area to the first access address according to the first request;
allocating a corresponding second memory area and a second memory attribute corresponding to the second memory area to the second access address according to the second request;
acquiring a first attribute priority of the first memory area and a second attribute priority of the second memory area;
and determining the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority.
38. The microprocessor of claim 37, wherein when the processor determines the overlapping memory attributes for the overlapping address based on the first attribute priority and the second attribute priority, the processor is further configured to:
when the first attribute priority is higher than the second attribute priority, determining the overlapping memory attribute of the overlapping address as the first memory attribute; or,
and when the priority of the first attribute is lower than that of the second attribute, determining the overlapping memory attribute of the overlapping address as the second memory attribute.
39. The microprocessor of any one of claims 24-30, wherein the memory protection request comprises a first request and a second request, wherein the first request comprises a first access address and an identifier of the first virtual user, and the second request comprises a second access address and an identifier of the second virtual user; when the processor generates key information corresponding to the address information, the processor is further configured to:
determining a first access priority corresponding to the first access address according to the identity of the first virtual user, and determining a second access priority corresponding to the second access address according to the identity of the second virtual user;
generating first key information corresponding to the first access address, the first key information satisfying the first access priority;
generating second key information corresponding to the second access address, the second key information satisfying the second access priority.
40. A client, comprising:
a memory for storing a computer program;
a processor for executing the computer program stored in the memory to implement:
sending a memory protection request to a microprocessor, wherein the memory protection request comprises address information to be protected;
and receiving key information and a memory access channel which are sent by the microprocessor according to the memory protection request, wherein the key information corresponds to the address information.
41. The client of claim 40, wherein the processor is further configured to:
and sharing the key information and the address information to other clients so that the other clients execute corresponding data access operation aiming at the memory area corresponding to the address information.
42. The client of claim 40, wherein the processor is further configured to:
sending a memory access request to a microprocessor based on the memory access channel, wherein the memory access request comprises a to-be-accessed address and an access key, so that the microprocessor adjusts the memory attribute of a memory area corresponding to the to-be-accessed address to an access-allowed state according to the access key;
and executing data processing operation corresponding to the memory access request aiming at the memory area.
43. A computer-readable storage medium, characterized in that the storage medium is a computer-readable storage medium in which program instructions for implementing the memory access method according to any one of claims 1 to 18 are stored.
44. A computer-readable storage medium, characterized in that the storage medium is a computer-readable storage medium in which program instructions for implementing the memory access method according to any one of claims 19 to 21 are stored.
CN201980039310.5A 2019-11-27 2019-11-27 Memory access method, microprocessor, client and computer storage medium Pending CN112384923A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/121216 WO2021102729A1 (en) 2019-11-27 2019-11-27 Memory access method, microprocessor, client and computer storage medium

Publications (1)

Publication Number Publication Date
CN112384923A true CN112384923A (en) 2021-02-19

Family

ID=74586596

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201980039310.5A Pending CN112384923A (en) 2019-11-27 2019-11-27 Memory access method, microprocessor, client and computer storage medium

Country Status (2)

Country Link
CN (1) CN112384923A (en)
WO (1) WO2021102729A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115292697A (en) * 2022-10-10 2022-11-04 北京安帝科技有限公司 Memory protection method and device based on intrusion behavior analysis
CN115587348A (en) * 2022-11-24 2023-01-10 中国人民解放军国防科技大学 Configurable security control method, device and medium for memory access of PCIE (peripheral component interface express) equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020124148A1 (en) * 2001-03-01 2002-09-05 Ibm Corporation Using an access key to protect and point to regions in windows for infiniband
US20030018860A1 (en) * 2001-06-29 2003-01-23 Krueger Steven D. System protection map
CN1545023A (en) * 2003-11-21 2004-11-10 苏州国芯科技有限公司 Flushbonding CPU for information safety
CN101281459A (en) * 2007-04-03 2008-10-08 Arm有限公司 Protected function calling

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5901311A (en) * 1996-12-18 1999-05-04 Intel Corporation Access key protection for computer system data
WO2016072999A1 (en) * 2014-11-07 2016-05-12 Hewlett Packard Enterprise Development Lp Data conversion using an address space identifier
US10671546B2 (en) * 2015-09-30 2020-06-02 Hewlett Packard Enterprise Development Lp Cryptographic-based initialization of memory content
CN109766165B (en) * 2018-11-22 2022-07-08 海光信息技术股份有限公司 Memory access control method and device, memory controller and computer system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020124148A1 (en) * 2001-03-01 2002-09-05 Ibm Corporation Using an access key to protect and point to regions in windows for infiniband
US20030018860A1 (en) * 2001-06-29 2003-01-23 Krueger Steven D. System protection map
CN1545023A (en) * 2003-11-21 2004-11-10 苏州国芯科技有限公司 Flushbonding CPU for information safety
CN101281459A (en) * 2007-04-03 2008-10-08 Arm有限公司 Protected function calling

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115292697A (en) * 2022-10-10 2022-11-04 北京安帝科技有限公司 Memory protection method and device based on intrusion behavior analysis
CN115587348A (en) * 2022-11-24 2023-01-10 中国人民解放军国防科技大学 Configurable security control method, device and medium for memory access of PCIE (peripheral component interface express) equipment

Also Published As

Publication number Publication date
WO2021102729A1 (en) 2021-06-03

Similar Documents

Publication Publication Date Title
CN109766165B (en) Memory access control method and device, memory controller and computer system
CN105447406B (en) A kind of method and apparatus for accessing memory space
US8452934B2 (en) Controlled data access to non-volatile memory
US8301911B2 (en) Key storage administration
KR101273900B1 (en) Application dependent storage control
US9141810B2 (en) Architecture for virtual security module
US8365294B2 (en) Hardware platform authentication and multi-platform validation
CA2400940C (en) Controlling access to a resource by a program using a digital signature
US20050177724A1 (en) Authentication system and method
CN104318176B (en) Data management method and device for terminal and terminal
CN105631293A (en) Data access method, data access system and terminal
US11706209B2 (en) Method and apparatus for securely managing computer process access to network resources through delegated system credentials
EP3336734B1 (en) Fingerprint information secure call method, apparatus, and mobile terminal
CN112384923A (en) Memory access method, microprocessor, client and computer storage medium
CN108881218A (en) A kind of data safety Enhancement Method and system based on cloud storage management platform
CN117254969A (en) Registration authentication method for intelligent equipment accessing to Internet of things system
CN112363800B (en) Network card memory access method, security processor, network card and electronic equipment
CN112507302B (en) Calling party identity authentication method and device based on execution of cryptographic module
EP4155957A1 (en) Method for managing access by a thread to a slave device
CN114580005B (en) Data access method, computer device and readable storage medium
WO2013004854A2 (en) Processing system
KR102542007B1 (en) Method and apparatus for portecting files of external storage
KR100823631B1 (en) Key storage administration
EP2138946A1 (en) Secure memory management system
CN118445226A (en) Memory access control method, controller, system on chip and computer system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20240522

Address after: Building 3, Xunmei Science and Technology Plaza, No. 8 Keyuan Road, Science and Technology Park Community, Yuehai Street, Nanshan District, Shenzhen City, Guangdong Province, 518057, 1634

Applicant after: Shenzhen Zhuoyu Technology Co.,Ltd.

Country or region after: China

Address before: 518057 Shenzhen Nanshan District, Shenzhen, Guangdong Province, 6/F, Shenzhen Industry, Education and Research Building, Hong Kong University of Science and Technology, No. 9 Yuexingdao District, Nanshan District, Shenzhen City, Guangdong Province

Applicant before: SZ DJI TECHNOLOGY Co.,Ltd.

Country or region before: China

TA01 Transfer of patent application right