CN113111391A - Method for memory integrity protection and memory controller - Google Patents
Method for memory integrity protection and memory controller Download PDFInfo
- Publication number
- CN113111391A CN113111391A CN202110384123.XA CN202110384123A CN113111391A CN 113111391 A CN113111391 A CN 113111391A CN 202110384123 A CN202110384123 A CN 202110384123A CN 113111391 A CN113111391 A CN 113111391A
- Authority
- CN
- China
- Prior art keywords
- node
- integrity protection
- nodes
- version value
- root
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/22—Indexing; Data structures therefor; Storage structures
- G06F16/2228—Indexing structures
- G06F16/2246—Trees, e.g. B+trees
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/23—Updating
- G06F16/2365—Ensuring data consistency and integrity
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Computer Hardware Design (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
Embodiments of the present description provide a method and memory controller for memory integrity protection. The method is executed by a memory controller of a trusted system on chip, and comprises the following steps: receiving an access request of a processor of the trusted system on chip to the trusted memory, wherein: the trusted memory is divided into N regions, the N regions respectively correspond to N integrity protection trees for integrity protection, each integrity protection tree at least comprises a root node and a plurality of leaf nodes, each leaf node has a version value for at least one data block in the corresponding region, and the root node has a version value obtained based on the leaf nodes; the access request comprises a target memory address to be accessed; determining a target integrity protection tree corresponding to a target memory address in the N integrity protection trees; and carrying out integrity verification on the target memory address based on the target integrity protection tree.
Description
Technical Field
Embodiments of the present description relate to the field of information technology, and more particularly, to a method, memory controller, and machine-readable storage medium for memory integrity protection.
Background
With the advent of the information age and big data age and the wide application of cloud computing, data information security has become one of the focuses of the industry. For example, private or sensitive data (user private data such as user passwords, data encryption keys, etc.) are typically stored in memory, and attackers tend to steal or tamper with such data through memory attacks, thereby potentially posing a significant risk. Therefore, how to effectively protect the memory becomes one of the problems that needs to be solved urgently.
Disclosure of Invention
In view of the above-identified problems of the prior art, embodiments of the present specification provide a method, memory controller, and machine-readable storage medium for memory integrity protection.
In one aspect, an embodiment of the present specification provides a method for memory integrity protection, where the method is performed by a memory controller of a trusted system on chip, and the method includes: receiving an access request of a processor of the trusted system on chip to a trusted memory, wherein: the trusted memory is divided into N regions, the N regions respectively correspond to N integrity protection trees for integrity protection, N is a positive integer greater than 1, each integrity protection tree at least comprises a root node and a plurality of leaf nodes, each leaf node has a version value for at least one data block in the corresponding region, and the root node has a version value obtained based on the leaf nodes; the access request comprises a target memory address to be accessed; determining a target integrity protection tree corresponding to the target memory address from the N integrity protection trees; and carrying out integrity verification on the target memory address based on the target integrity protection tree.
In another aspect, an embodiment of the present specification provides a memory controller of a trusted system on chip, including: a receiving unit, configured to receive an access request of a processor of the trusted system on chip to a trusted memory, where: the trusted memory is divided into N regions, the N regions respectively correspond to N integrity protection trees for integrity protection, N is a positive integer greater than 1, each integrity protection tree at least comprises a root node and a plurality of leaf nodes, each leaf node has a version value for at least one data block in the corresponding region, and the root node has a version value obtained based on the leaf nodes; the access request comprises a target memory address to be accessed; a determining unit configured to determine a target integrity protection tree corresponding to the target memory address from among the N integrity protection trees; and the verification unit is used for carrying out integrity verification on the target memory address based on the target integrity protection tree.
In another aspect, an embodiment of the present specification provides a memory controller of a trusted system on chip, including: at least one processing module; a storage module in communication with the at least one processor having stored thereon executable instructions that, when executed by the at least one processing module, cause the at least one processing module to implement the above-described method.
In another aspect, embodiments of the present description provide a machine-readable storage medium storing executable instructions that, when executed by a machine, cause the machine to implement the above-described method.
Drawings
The foregoing and other objects, features and advantages of the embodiments of the present specification will become more apparent from the following more particular description of the embodiments of the present specification, as illustrated in the accompanying drawings in which like reference characters generally represent like elements throughout.
FIG. 1 is an example of a trusted architecture that may be used to implement the subject technology.
Fig. 2 is a schematic flow diagram of a method for memory integrity protection in accordance with some embodiments.
Fig. 3A shows an example of the structure of an integrity protection tree.
FIG. 3B illustrates another example of the structure of an integrity protection tree.
Fig. 3C shows an example of the structure of an integrity-protected forest.
Fig. 3D shows another example of a structure of an integrity-protected forest.
FIG. 3E illustrates one example of a mount and uninstall process for an integrity protection tree.
FIG. 4 is a schematic block diagram of a memory controller according to some embodiments.
FIG. 5 is a hardware block diagram of a memory controller according to some embodiments.
Detailed Description
The subject matter described herein will now be discussed with reference to various embodiments. It should be understood that these examples are discussed only to enable those skilled in the art to better understand and implement the subject matter described herein, and are not intended to limit the scope, applicability, or examples set forth in the claims. Changes may be made in the function and arrangement of elements discussed without departing from the scope of the claims. Various embodiments may omit, replace, or add various procedures or components as desired.
As used herein, the term "include" and its variants mean open-ended terms in the sense of "including, but not limited to. The term "based on" means "based at least in part on". The terms "one embodiment" and "an embodiment" mean "at least one embodiment". The term "another embodiment" means "at least one other embodiment". The terms "first," "second," and the like may refer to different or the same object. Other definitions, whether explicit or implicit, may be included below, and a definition of a term is consistent throughout the specification unless the context clearly dictates otherwise.
At present, memory attack is one of the main attack means for tampering or stealing the private or sensitive data stored in the memory, and memory integrity protection is one of the effective ways to defend against memory attack. Through the memory integrity protection, whether private or sensitive data in the memory is replaced or destroyed or not can be identified in time, and the data security is ensured.
In view of this, embodiments herein provide a technical solution for memory integrity protection. In this technical solution, the memory can be integrity protected by an integrity protection tree. Accordingly, such memory may be referred to as trusted memory. The technical solutions herein will be described below with reference to specific embodiments.
FIG. 1 is an example of a trusted architecture that may be used to implement the subject technology. It should be understood that the example of fig. 1 is merely to assist those skilled in the art in better understanding the embodiments herein. In different embodiments, the trusted architecture may be implemented in different ways, which are not limited herein.
As shown in fig. 1, trusted architecture 100 may include a trusted system-on-chip 110 and trusted memory 120. The trusted system-on-chip 110 may include a processor 112 and a memory controller 114. Trusted memory 120 may be used to store various data that needs to be protected, such as the private or sensitive data mentioned herein.
The processor 112 may access the trusted memory 120 through the memory controller 114, such as by reading data from the trusted memory 120 or writing data to the trusted memory 120.
For example, when the processor 112 needs to read data from the trusted memory 120 or write data to the trusted memory 120, the processor 112 may send an access request to the memory controller 114. The access request may include a target memory address to be accessed. Memory controller 114 may parse the access request and read or write the corresponding data based on the target memory address it includes.
In the embodiments herein, in order to protect against various potential attacks such as memory attacks, the trusted memory 120 may be integrity protected by an integrity protection tree. Thus, the memory controller 114 may perform integrity verification for the target memory address before executing the access request.
For example, if the access request is a read request, the memory controller 114 may perform integrity verification on the data stored at the target memory address, and if the verification passes, may return the corresponding data to the processor 114.
If the access request is a write request, the memory controller 114 may perform integrity verification on the old data stored at the target memory address, and if the verification passes, the target memory address may be stated as safe, so the memory controller 114 may write the corresponding new data at the target memory address.
How to perform memory integrity protection by using the technical solution of the present disclosure will be described below with reference to specific embodiments.
Fig. 2 is a schematic flow diagram of a method for memory integrity protection in accordance with some embodiments. The method of FIG. 2 may be performed by a memory controller of a trusted system-on-chip, such as memory controller 114 described above.
As shown in fig. 2, in step 202, a request for access to the trusted memory by a processor of the trusted system on chip may be received. The access request may include a target memory address to be accessed.
As previously described, the trusted memory may be integrity protected by an integrity protection tree. Specifically, the trusted memory may be divided into N regions, and the N regions may correspond to N integrity protection trees for integrity protection, respectively. Here, N may be a positive integer greater than 1.
That is, each region may be integrity protected by an integrity protection tree.
The integrity protection tree may be a tree-shaped data structure. For example, each integrity protection tree may include at least a root node and a plurality of leaf nodes, each leaf node may have a version value of at least one data block in a region to which the integrity protection tree corresponds, and the root node may have a version value derived based on the plurality of leaf nodes.
In step 204, a target integrity protection tree corresponding to the target memory address may be determined among the N integrity protection trees.
Since each integrity protection tree may correspond to a region, its corresponding target integrity protection tree may be determined based on the target memory address.
In step 206, integrity verification may be performed for the target memory address based on the target integrity protection tree.
For example, as previously described, if the access request is a read request, the data block may be integrity verified using the version values of the nodes of the target integrity protection tree, the version values of the leaf nodes corresponding to the data block stored at the target memory address, and the contents of the data block. If the verification passes, the data block may be returned to the processor.
If the access request is a write request, integrity verification may be performed on the old data block using the version values of the nodes of the target integrity protection tree, the version values of the leaf nodes corresponding to the old data block stored at the target memory address, and the contents of the old data block. If the verification passes, indicating that the target memory address is secure, then the new block of data may be written to the target memory address.
In some implementations, a single integrity protection tree may be employed to integrity protect the entire trusted memory. The integrity protection tree is generally a tree-shaped data structure with each leaf node having at least one version value of a data block. Thus, if the capacity of the trusted memory increases, meaning that more data blocks are to be protected, the number of leaf nodes of the integrity protection tree will increase, with a corresponding increase in the number of intermediate nodes. Thus, a single integrity protection tree requires a greater number of layers to protect the entire trusted memory. However, this results in a significantly reduced hit rate for the leaf nodes and intermediate nodes when performing integrity verification, thereby significantly increasing the read-write performance overhead of the trusted memory.
In the embodiment of the present disclosure, the trusted memory may be divided into a plurality of regions, and each region may perform integrity protection through one integrity protection tree, so that when the capacity of the trusted memory changes, the number of integrity protection trees may be flexibly adjusted to implement integrity protection. Furthermore, since each integrity protection tree protects an area, the number of leaf nodes and the number of layers per integrity protection tree can be controlled within an acceptable performance overhead. It can be seen that embodiments herein can efficiently achieve memory integrity protection with limited memory read and write performance overhead.
At present, in the period of rapid development of big data and cloud computing, the data volume of private or sensitive data is also increasing, so there is an urgent need for a large-capacity trusted memory. However, as previously mentioned, simply using a single integrity protection tree to integrity protect trusted memory has several drawbacks. The embodiment of the invention can provide good integrity protection for a large-capacity trusted memory within a controllable performance overhead range, and meet the current requirement of providing security protection for a large amount of data, thereby well adapting to the development trend of current applications.
Of course, it is also critical to protect the integrity of the integrity protection tree itself. For example, the integrity protection tree may be stored in trusted storage space, thereby protecting the integrity of the integrity protection tree. However, in some embodiments, to reduce the resource overhead of the trusted memory space, the integrity protection tree may be stored at the untrusted memory space, while its root node may be cached in the trusted memory space. By ensuring the integrity of the root node of the integrity protection tree, the integrity of the entire integrity protection tree may be ensured.
In embodiments herein, the trusted memory space may be located in the memory controller, since the trusted system-on-chip itself is trusted.
In some embodiments, if the storage space of the memory controller is large enough, the root nodes of the N integrity protection trees may be all cached in the memory controller. In this case, not only can integrity protection be performed on all integrity protection trees, but also the efficiency of integrity verification can be improved.
However, in some cases, memory controller storage space may be limited, and thus caching the root nodes of all integrity protection trees may be less feasible. It is further contemplated that memory access by a processor is typically local, i.e., a processor may access a portion of memory over a period of time, rather than randomly accessing the entire memory. Thus, in some embodiments herein, the root node of the partial integrity protection tree may be cached in the memory controller, thereby accommodating situations where the memory controller's storage space is limited. For example, the root nodes of M integrity protection trees may be cached in the memory controller, M may be a positive integer less than N.
Based on the locality of memory access of the processor, certain constraints may be added to the integrity protection tree in which the root node is cached in the memory controller. For example, the regions corresponding to the M integrity protection trees may be accessed by the processor within a predetermined time period from the current time. That is, the region corresponding to each of the M integrity protection trees may be currently being accessed by the processor or accessed within a certain period of time before. The predetermined period of time here may be set according to various factors such as actual demand.
For the rest of the integrity protection tree whose root node is not cached in the memory controller, it is also necessary to protect its integrity through a certain mechanism. In view of this, in embodiments herein, a forest root tree may be defined. The root nodes of the N integrity protection trees may form leaf nodes of a forest root tree, and the root nodes of the forest root tree may be derived based on the leaf nodes. For example, the version values of the root nodes of the N integrity protection trees may be obtained by performing an operation on the version values of the root nodes of the N integrity protection trees by using a message verification algorithm. To protect the integrity of the N integrity protection trees, the root node of the forest root tree should be resident in the memory controller. That is, the root node of the forest root tree is the trusted base of the entire integrity checking hierarchy and therefore needs to be resident in the memory controller to prevent tampering or replacement by an attacker.
Further, it is to be understood that in some cases, the forest root tree may also include at least one intermediate level, each of which may include a plurality of intermediate nodes. The nodes of each level may be parents of a plurality of nodes of its next level, forming a tree structure. The intermediate nodes of the forest root tree may be stored in the memory controller or in untrusted memory space. If stored in the untrusted memory space, the intermediate nodes of the forest root tree may be cached in the memory controller based on the specific implementation (e.g., the size of the memory space of the memory controller). This is not a limitation herein.
In some cases, the memory controller may also cache other nodes (e.g., middle nodes, leaf nodes, etc.) of the M integrity protection trees, which is not limited herein, depending on various factors such as the size of the memory space of the memory controller and the actual implementation.
It can be seen that in embodiments herein, two states of the integrity protection tree may be defined, namely an active state and an inactive state. An integrity protection tree in which the root node is cached in the memory controller may be considered to be in an active state, while an integrity protection tree in which the root node is not cached in the memory controller may be considered to be in an inactive state. For example, the above M integrity protection trees may be considered to be in an active state, while the remaining integrity protection trees are considered to be in an inactive state.
It can be seen that, in such an embodiment, N integrity protection trees may form integrity protection forests, each integrity protection tree may protect the integrity of a corresponding memory region, and a forest root tree may protect the integrity of the N integrity protection trees, thereby implementing integrity protection on a trusted memory in a simple and efficient manner.
Accordingly, in step 206, integrity verification may be performed in different manners for whether the target integrity protection tree is in an active state or an inactive state.
For example, if the memory controller caches a root node of the target integrity protection tree, integrity verification may be performed for the target memory address based directly on the target integrity protection tree.
If the memory controller does not cache the root node of the target integrity protection tree, the root node of the target integrity protection tree can be verified based on the root node of the forest root tree and the root nodes of the N integrity protection trees.
For example, hash operation may be performed on version values of root nodes of N integrity protection trees to obtain hash values of root nodes of forest root trees, and then the hash values are compared with hash values of root nodes of forest root trees resident in the memory controller, and if the hash values are consistent with the hash values of root nodes of forest root trees resident in the memory controller, it may be determined that the root node of the target integrity protection tree has not been tampered.
After integrity verification of the root node of the target integrity protection tree passes, the root node of the target integrity protection tree may be read from the untrusted storage space and cached in the memory controller. Integrity verification may then be performed for the target memory address based on the target integrity protection tree. This may be referred to as a mount process, i.e., mounting the target integrity protection tree into the memory controller.
In some implementations, the root node of the integrity protection tree may include, in addition to the version value, a storage address of the integrity protection tree in the untrusted storage space. Therefore, when performing integrity verification based on the target integrity protection tree, the nodes (such as the intermediate nodes and the leaf nodes) of the target integrity protection tree may be obtained based on the storage address in the root node, and then integrity verification may be performed based on the nodes and the content of the data block.
In some cases, the root node of one of the M integrity protection trees may be deleted from the memory controller if the remaining storage space of the memory controller is insufficient to cache the root node of the target integrity protection tree. This may be referred to as an offload process, i.e., offloading the integrity protection tree from the memory controller. The root node of the target integrity protection tree may then be read from the untrusted memory space and cached in the memory controller.
This is similar to existing cache eviction mechanisms. Accordingly, various applicable eviction algorithms may be employed to select an integrity protection tree to be deleted from the memory controller.
For example, a Least Recently Used (LRU) algorithm may be employed to delete the root node of one of the M integrity protection trees from the memory controller to set aside the root node of the spatial cache target integrity protection tree.
It can be seen that through the mount process, the target integrity protection tree may transition from an inactive state to an active state. And by the offload process, the integrity protection tree whose root node is removed from the memory controller may transition from the active state to the inactive state. Thus, the integrity protection tree may transition between an active state and an inactive state as a mount process or an offload process.
Additionally, in embodiments herein, the integrity protection tree may be implemented using various suitable structures.
For example, in one embodiment, for any one of the N integrity protection trees:
the integrity protection tree may further include at least one intermediate level between its root node and a plurality of leaf nodes at a lowest level, each intermediate level may include a plurality of intermediate nodes. That is, from the top-down tree structure of the integrity protection tree, the integrity protection tree may include a root node, a middle node, and a leaf node;
each leaf node and each intermediate node comprises a hash value and a plurality of child nodes, each child node may represent a version value, and the leaf nodes and the intermediate nodes may comprise the same number of child nodes;
in each leaf node, each child node may represent a version value of a data block in the region corresponding to the integrity protection tree;
the parent node of each leaf node may be a child node of an intermediate node of the intermediate level immediately above the leaf node, the parent node of each intermediate node of the intermediate level immediately below the root node may be the root node, and the parent nodes of the intermediate nodes of the remaining intermediate levels may be child nodes of an intermediate node of the intermediate level immediately above the intermediate node;
for each intermediate node or each leaf node, updating the version value of any child node thereof to update the version value of a parent node thereof;
for each intermediate node or each leaf node, its hash value may be derived based on the version values of all child nodes and the version values of its parent node.
To facilitate understanding of this structure, the following description is made with reference to specific examples. It should be understood that the following examples are intended only to help those skilled in the art better understand the embodiments herein, and are not intended to limit the scope thereof.
Fig. 3A shows an example of the structure of an integrity protection tree.
In the example of fig. 3A, integrity protection tree 300 may include a root node, two intermediate levels, and a plurality of leaf nodes. Each intermediate level may include a plurality of intermediate nodes. Whether a leaf node or an intermediate node, may include a hash value and a plurality of child nodes. In addition, hereinafter, the root node, the intermediate nodes, and the leaf nodes may be collectively referred to as nodes for convenience of description in some cases.
In addition, for convenience of understanding, the intermediate node 301, the intermediate node 302 and the leaf node 303 will be described as an example, and other intermediate nodes and leaf nodes in the same hierarchy are similar, and thus will not be described again.
As shown in fig. 3A, the root node may be a parent node of intermediate node 301. One child node 304 of intermediate node 301 may be the parent node of intermediate node 302. Similarly, one child node 305 of the intermediate node 302 may be a parent node of the leaf node 303, thereby forming the integrity protection tree 300 having a tree structure.
In leaf node 303, each child node may correspond to a data block and may represent a version value for the data block. For example, child node 306 corresponds to data block 307. In the intermediate nodes 302, 301, each child node may represent a version value. In addition, the root node also represents a version value.
Typically, each version value may have some initial value (e.g., 0). When a certain data block is updated, the version value of the child node corresponding to the certain data block in the leaf node is increased, correspondingly, the version value of the parent node of the leaf node is increased, the version value of the parent node of the node to which the parent node belongs is increased, and the like until the root node is increased. For example, when the data block 307 is updated, the version value of the child node 306 is incremented, the version value of the child node 305 is incremented, the version value of the child node 304 is incremented, and then the version value of the root node is incremented.
In addition, by performing a hash operation on the version value of each child node in the leaf node and the content of the corresponding data block, a message authentication code may be obtained, which is used to authenticate the integrity of the data block. For example, by hashing the version value of the child node 306 with the content of the data block 307, a message authentication code for the data block 307 may be obtained.
The hash value of a leaf node 303 may be obtained by hashing the version value of its parent node 305 and the version values of all the child nodes of the leaf node 303. Similarly, the hash value of the intermediate node 302 may be obtained by hashing the version value of its parent node 304 and the version values of all the children nodes of the intermediate node 302. The hash value of the intermediate node 301 may be obtained by hashing the version value of the root node and the version values of all the child nodes of the intermediate node 301.
In addition, in this example, each node may have the same length, each child node may have the same length, and each hash value may also have the same length.
For example, the length of each node may be the size of a cache line, such as 64 bytes. The hash value may be 64 bits in length. Thus, the length of a child node may determine the number of child nodes in each node. For example, the length of a child node may be 56 bits in consideration of efficiency and read-write performance overhead, and thus the number of child nodes in each node may be 8.
It should be understood that the specific number of nodes, number of layers, etc. shown in fig. 3A are merely examples and are not limited thereto herein.
In embodiments herein, the integrity protection tree may also be implemented using other structures. Another example structure of the integrity protection tree will be described below.
For example, for any one of N integrity protection trees:
the integrity protection tree may further include at least one intermediate level between its root node and a plurality of leaf nodes at a lowest level, each intermediate level may include a plurality of intermediate nodes; that is, the integrity protection tree may include a root node, a middle node, and a leaf node, as viewed from a top-down tree structure of the integrity protection tree;
each intermediate node may include at least a hash value and a plurality of child nodes;
each leaf node may include a global version value, a hash value, and a plurality of child nodes;
nodes at the same level may have the same number of children, and the number of children in a leaf node may be different from the number of children in an intermediate node;
in each leaf node, each child node may represent a local version value of a data block in a region corresponding to the integrity protection tree, a global version value in the leaf node may be shared by all child nodes in the leaf node, and a length of the child node may be smaller than a length of the global version value;
in each leaf node, the local version value of each child node may be updated based on an update of the corresponding data block, wherein the global version value is updated when any local version value overflows to return to the initial value;
the parent node of each leaf node may be a child node of an intermediate node in the intermediate hierarchy immediately above the leaf node, and the update of the global version value or any local version value of the leaf node causes the version value of its parent node to be updated;
in each leaf node, the hash value may be derived based on at least its global version value, the version value of its parent node, and the local version values of all its children nodes.
In addition, for the at least one intermediate level, in K intermediate levels above the leaf node, each intermediate node includes a global version value, a hash value, and a plurality of child nodes, each child node represents a local version value, the global version value of the intermediate node is shared by all child nodes in the intermediate node, the length of the child node is smaller than that of the global version value, and when any one of the local version values of the intermediate node overflows to return to an initial value, the global version value of the intermediate node is updated, K being a positive integer;
in this case, in each leaf node, the hash value may be derived based on the global version value of the leaf node, the version value of its parent node, the local version values of all its child nodes, and the global version value of the intermediate node to which its parent node belongs.
Further, the parent node of each intermediate node of the intermediate levels immediately below the root node may be the root node, and the parent node of the intermediate nodes of the remaining intermediate levels may be a child node of an intermediate node of the intermediate levels immediately above the intermediate node.
Additionally, for any intermediate node:
if the intermediate node has a global version value and the node to which the parent node of the intermediate node belongs has a global version value, the hash value of the intermediate node is derived from the global version value of the intermediate node, the local version values of all child nodes of the intermediate node, the local version value of its parent node and the global version value of the node to which its parent node belongs, and the update of the global version value or any of the local version values of the intermediate node causes the local version value of its parent node to be updated;
if the intermediate node has a global version value and the node to which the parent node of the intermediate node belongs does not have a global version value, the hash value of the intermediate node is derived based on the global version value of the intermediate node, the local version values of all child nodes of the intermediate node and the version value of its parent node, and the update of the global version value or any local version value of the intermediate node causes the version value of its parent node to be updated;
if the intermediate node does not have a global version value and the node to which the parent node of the intermediate node belongs does not have a global version value, the hash value of the intermediate node is derived based on the version values of all the child nodes of the intermediate node and the version value of its parent node, and the update of the version value of any one of the child nodes of the intermediate node causes the version value of its parent node to be updated.
In some cases, in a direction from the root node to the leaf nodes (i.e., in a top-down direction of the tree structure), the number of child nodes in the node of each level other than the root node is less than the number of child nodes in the nodes of the levels below the level.
To facilitate understanding of this structure, the following description is made with reference to specific examples. It should be understood that the following examples are intended only to help those skilled in the art better understand the embodiments herein, and are not intended to limit the scope thereof.
FIG. 3B illustrates another example of the structure of an integrity protection tree.
As shown in fig. 3B, integrity protection tree 310 may include a root node, two intermediate levels, and leaf nodes. Each intermediate level may include a plurality of intermediate nodes. Hereinafter, for convenience of description, the root node, the intermediate nodes, and the leaf nodes may be collectively referred to as nodes in some cases.
In addition, for convenience of understanding, the intermediate node 311, the intermediate node 312, and the leaf node 313 will be described as an example, and other intermediate nodes and leaf nodes in the same hierarchy are similar, and thus will not be described again.
As shown in FIG. 3B, the root node may be a parent node of intermediate node 311. One child node 314 of the intermediate node 311 may serve as a parent node of the intermediate node 312. Similarly, a child node 315 of intermediate node 312 may serve as a parent node for leaf node 313. Thereby, the integrity protection tree 310 having a tree structure is formed.
Unlike fig. 3A, the leaf node 313 may include a global version value, a hash value, and a plurality of child nodes. The global version value may be shared by all children of leaf node 313. Each child node may represent a local version value of a data block in the region corresponding to integrity protection tree 310.
Additionally, in the example of fig. 3B, the intermediate node 312 may include a global version value, a hash value, and a plurality of child nodes. Similar to leaf node 313, in intermediate node 312, the global version value may be shared by all children of intermediate node 312, each of which may represent a local version value.
The intermediate node 311 is similar to the intermediate nodes 301, 302 shown in fig. 3A, and includes a hash value and a plurality of child nodes, and may not include a global version value. Each child node may represent a version value.
In the example of fig. 3B, the global version value is added for some levels of nodes, so the update process for the version value may be different from that of fig. 3A.
Typically, the global version value, the local version value, or the version value may have some initial value (such as 0). When a certain data block is updated, the local version value of the child node corresponding to the certain data block in the leaf node is incremented. When the local version values of all children nodes in the leaf node do not overflow, then the global version value remains unchanged, and when any local version value overflows back to its original value, the global version value is incremented.
Whether the leaf node's local version value or global version value is incremented, causes the parent node's version value or local version value to be incremented.
Similarly, if an intermediate node has a global version value, the global version value remains unchanged when none of its child node's local version values overflow, and increments when any local version value overflows back to its original value. And so on until the root node increments.
For example, as the data block 317 is updated, the local version value of the child node 316 is incremented, and if the local version value of the child node 316 does not overflow, the global version value of the leaf node 313 remains unchanged. If the local version value of the child node 316 overflows, the global version value of the leaf node 313 is incremented.
In either case, the local version value of the child node 315 is incremented, and if the local version value of the child node 315 does not overflow, the global version value of the intermediate node 312 remains unchanged. If the local version value of the child node 315 overflows, the global version value of the intermediate node 312 is incremented.
In either case, the version value of the child node 314 is incremented followed by the version value of the root node. Accordingly, the calculation process of the hash value in each node may take the global version value into account.
As shown in fig. 3B, a hash operation may be performed on the global version value of the leaf node 313, the local version value of the child node 316, and the contents of the data block 317 to obtain a message authentication code for the data block 317. A message authentication code may be used to verify the integrity of the data block 317.
The hash value in leaf node 313 may be obtained by hashing its global version value, the local version value of its parent node 315, and the local version values of all the child nodes of leaf node 313.
The hash value of the intermediate node 312 may be obtained by hashing the version value of its parent node 314, the global version value of the intermediate node 312, and the local version values of all its children nodes.
The hash value of the intermediate node 311 may be obtained by hashing the version value of the root node and the version values of all its children nodes.
In addition, since the global version value is added, unlike fig. 3A, in the example of fig. 3B, nodes at the same hierarchy level may have the same number of child nodes, and nodes at different hierarchy levels may have different numbers of child nodes.
For example, each node may have the same length, each global version value may have the same length, and each hash value may also have the same length. While the length of the child nodes may vary in each level, resulting in varying numbers of child nodes in the nodes of the various levels.
For example, assume that the length of each node may be the size of a cache line, such as 64 bytes. The global version value of each node may have 64 bits and the hash value may have 64 bits.
In leaf node 313, leaf node 313 may include 32 child nodes, assuming that each child node may have 12 bits.
In the intermediate node 312, the intermediate node 313 may have 16 child nodes, assuming that each child node may have 24 bits.
In the intermediate node 311, each child node may have 8 child nodes, provided that it may have 56 bits.
It can be seen that the number of child nodes in a node of each level is higher than the number of child nodes in a node of a level above it in the direction from the leaf node to the root node.
As can be seen from the above description, the local version value may overflow during the update process, resulting in the update of the global version value in the node to which the local version value belongs, and these operations may bring about a certain overhead. Furthermore, the closer to the root node, the faster the local version value or update of the version value will be. Thus, to reduce overhead, the local version value or version value may have a longer length closer to the root node.
For example, the local version value of the leaf node 313 may have 12 bits, the local version value of the intermediate node 312 may have 24 bits, and the version value of the intermediate node 311 may have 56 bits. Accordingly, the number of child nodes depends on the length setting of the local version value.
In addition, in the structure of fig. 3B, compared to the structure of fig. 3A, since nodes of at least some levels (e.g., the level where the leaf node 313 and the intermediate node 312 are located) have more child nodes in addition to the root node. Therefore, the structure of fig. 3B can protect more data blocks and maintain a smaller number of layers under the condition that the number of layers of the integrity protection tree is the same, so that a larger capacity of trusted memory can be protected and good read-write performance can be maintained.
Further, it should be understood that the specific number of nodes, number of layers, etc. shown in fig. 3A are merely examples, and the present disclosure is not limited thereto.
No matter which structure is adopted to realize the N integrity protection trees, the N integrity protection trees can form an integrity protection forest. For ease of understanding, the structure of the integrity-protected forest is described below in conjunction with FIG. 3C.
Fig. 3C shows an example of the structure of an integrity-protected forest.
As shown in fig. 3C, the trusted memory may be divided into N regions, for example, region 1 to region N. Each region may correspond to an integrity protection tree. As previously described, each integrity protection tree may include a root node, intermediate nodes, and leaf nodes.
As previously described, all nodes of the N integrity protection trees may be stored in untrusted storage space. In the example of fig. 3C, it is assumed that the memory controller has a large enough storage space, so the memory controller can cache the root nodes of the N integrity protection trees. In this way, when an access request is received from a processor, the memory controller may perform integrity verification directly based on the corresponding integrity protection tree.
It should be understood that the integrity protection tree is shown in a simplified diagram for ease of illustration. Accordingly, the specific number of layers, number of nodes, etc. of the integrity protection tree shown in fig. 3C are merely examples, and the present disclosure is not limited thereto.
Fig. 3D shows another example of a structure of an integrity-protected forest. Also, it should be understood that the integrity protection tree is shown in a simplified diagram for ease of illustration. Accordingly, the specific number of layers, the number of nodes, and the like of the integrity protection tree shown in fig. 3D are merely examples, and the present disclosure is not limited thereto.
Similar to the example of fig. 3C, the trusted memory may be partitioned into N regions, e.g., region 1 through region N. Each region may correspond to an integrity protection tree. As previously described, each integrity protection tree may include a root node, intermediate nodes, and leaf nodes. Likewise, all nodes of the N integrity protection trees may be stored in untrusted memory space.
Unlike the example of fig. 3C, assuming that the memory controller's storage space is limited, the memory controller may only cache the root nodes of partial integrity protection trees, e.g., the root nodes of M integrity protection trees. As previously described, the regions corresponding to the M integrity protection trees may be currently being accessed by the processor or accessed within a predetermined period of time.
It is assumed here that region 2 and region 3 corresponding to integrity protection tree 2 and integrity protection tree 3, respectively, have been recently accessed by the processor, and therefore, the root nodes of integrity protection tree 2 and integrity protection tree 3 may be cached in the memory controller.
In this case, integrity protection tree 2 and integrity protection tree 3 may be considered to be in an active state, while the remaining integrity protection trees may be considered to be in an inactive state.
As previously described, to protect the integrity of the integrity protection tree in an inactive state, a forest root tree may be defined. The root nodes of the N integrity protection trees may be leaf nodes of a forest root tree. The root nodes of the N integrity protection trees can be operated based on a message verification algorithm, so that the root nodes of the forest root trees are obtained.
The root nodes of the forest root tree may reside in the memory controller, thereby protecting the integrity of the N integrity protection trees.
It should be understood that for ease of illustration, only the root nodes of the forest root tree are shown in fig. 3D, and in some embodiments, the forest root tree may also include intermediate nodes. The intermediate nodes of the forest root tree may be cached in the memory controller, or may not be cached in the memory controller, which may depend on various factors such as the storage space of the memory controller, the specific implementation requirements, and the like, and is not limited herein.
As described above, if the root node of the integrity protection tree is found not cached in the memory controller when the integrity verification is performed on the access request, the memory controller may read the root node of the integrity protection tree from the untrusted memory space and cache the root node into the memory controller, which may be referred to as a mount process.
If the memory controller's remaining storage space is insufficient to cache the root node of the integrity protection tree, the memory controller may move the root node of the other integrity protection trees that have been cached in the memory controller out of the memory controller, a process that may be referred to as an offload process. The memory controller may then cache the root node of the integrity protection tree to be mounted in the memory controller.
FIG. 3E illustrates one example of a mount and uninstall process for an integrity protection tree.
As shown in fig. 3E, assume that integrity verification is currently required based on the integrity protection tree N, but the root node of the integrity protection tree N is not cached in the memory controller. Then the memory controller may mount the root node of integrity protection tree N into the memory controller.
If the current storage space is insufficient to cache the root node of integrity protection tree N, the memory controller may move the root node of the integrity protection tree that has been mounted out of the memory controller. For example, assume that the memory controller may offload the root node of integrity protection tree 3 according to the LRU algorithm. The memory controller may then cache the root node of integrity protection tree N in the memory controller.
It should be understood that, when performing the mount, the memory controller may perform integrity verification on the root node of the integrity protection tree N according to the root node of the forest root tree and the root nodes of the N integrity protection trees. If the integrity verification passes, the root node of the integrity protection tree N may be mounted to the memory controller.
Therefore, the storage space of the memory controller can be saved, and the integrity of each integrity protection tree can be ensured.
FIG. 4 is a schematic block diagram of a memory controller according to some embodiments. For example, memory controller 400 may be located in a trusted system-on-chip.
As shown in fig. 4, the memory controller 400 may include a receiving unit 402, a determining unit 404, and a verifying unit 406.
The receiving unit 402 may receive an access request of a processor of the trusted system on chip to the trusted memory. Here, the trusted memory may be divided into N regions, where the N regions may respectively correspond to N integrity protection trees for integrity protection, and N is a positive integer greater than 1.
Each integrity protection tree may include at least a root node and a plurality of leaf nodes, each leaf node having a version value for at least one data block in a corresponding region, the root node having a version value derived based on the plurality of leaf nodes.
The access request may include a target memory address to be accessed.
The determining unit 404 may determine a target integrity protection tree corresponding to the target memory address among the N integrity protection trees.
Verification unit 406 may perform integrity verification for the target memory address based on the target integrity protection tree.
In some embodiments, memory controller 400 may also include a first cache unit 408. The first cache unit 408 may cache at least root nodes of the respective N integrity protection trees.
In some embodiments, memory controller 400 may also include a second cache unit 410. The second caching unit 410 may cache at least root nodes of M integrity protection trees of the N integrity protection trees, where regions corresponding to the M integrity protection trees are accessed by the processor within a predetermined time period from a current time, and M is a positive integer smaller than N.
The root nodes of the N integrity protection trees form leaf nodes of a forest root tree. The root nodes of the forest root tree are obtained based on the leaf nodes of the forest root tree. The root node of the forest root tree resides in the second cache unit 410.
In some embodiments, if the second caching unit 410 caches a root node of the target integrity protection tree, the verifying unit 406 may perform integrity verification for the target memory address directly based on the target integrity protection tree.
In some embodiments, the N integrity protection trees may be stored in untrusted memory space outside of the trusted system-on-chip.
If the second caching unit 410 does not cache the root node of the target integrity protection tree, the verifying unit 406 may perform integrity verification on the root node of the target integrity protection tree based on the root node of the forest root tree and the root nodes of the N integrity protection trees.
If the verification unit 406 verifies the integrity of the root node of the target integrity protection tree, the second caching unit 410 may read the root node of the target integrity protection tree from the untrusted storage space and cache the root node of the target integrity protection tree.
Then, the verification unit 406 may perform integrity verification for the target memory address based on the target integrity protection tree.
In some embodiments, if the remaining storage space of the second caching unit 410 is not enough to cache the root node of the target integrity protection tree, the second caching unit 410 may delete the root node of one of the M integrity protection trees from the second caching unit 410. The second caching unit 410 may then read the root node of the target integrity protection tree from the untrusted memory space and cache the root node of the target integrity protection tree.
In some embodiments, for any of the N integrity protection trees used by the memory controller 400:
the integrity protection tree further comprises at least one intermediate level between its root node and a plurality of leaf nodes at the lowest level, each intermediate level comprising a plurality of intermediate nodes, each leaf node and each intermediate node comprising a hash value and a plurality of child nodes, each child node representing a version value, and the leaf nodes and the intermediate nodes comprising the same number of child nodes;
in each leaf node, each child node represents the version value of a data block in the region corresponding to the integrity protection tree;
the parent node of each leaf node is a child node of an intermediate node of the intermediate level immediately above the leaf node, the parent node of each intermediate node of the intermediate level immediately below the root node is the root node, and the parent nodes of the intermediate nodes of the remaining intermediate levels are child nodes of an intermediate node of the intermediate level immediately above the intermediate node;
for each intermediate node or each leaf node, updating the version value of any child node thereof to update the version value of a parent node thereof;
for each intermediate node or each leaf node, its hash value is derived based on the version values of all its children nodes and the version value of its parent node.
In some embodiments, for any one of the N integrity protection trees used by the memory controller 400,
the integrity protection tree further comprises at least one intermediate level between its root node and a plurality of leaf nodes at the lowest level, each intermediate level comprising a plurality of intermediate nodes;
each intermediate node at least comprises a hash value and a plurality of child nodes;
each leaf node comprises a global version value, a hash value and a plurality of child nodes;
the nodes in the same level have the same number of child nodes, and the number of child nodes in the leaf node is different from the number of child nodes in the intermediate node;
in each leaf node, each child node represents a local version value of a data block in a region corresponding to the integrity protection tree, the global version value in the leaf node is shared by all child nodes in the leaf node, and the length of the child node is smaller than that of the global version value;
in each leaf node, the local version value of each child node is updated based on the update of the corresponding data block, wherein the global version value is updated when any local version value overflows to return to the initial value;
the parent node of each leaf node is a child node of an intermediate node of the intermediate hierarchy immediately above the leaf node, and updating of the global version value or any local version value of the leaf node causes the version value of its parent node to be updated;
in each leaf node, a hash value is derived based on at least its global version value, the version value of its parent node, and the local version values of all its children nodes.
In some embodiments, for the at least one intermediate level, in K intermediate levels above the leaf node, each intermediate node includes a global version value, a hash value, and a plurality of child nodes, each child node representing a local version value, the global version value of the intermediate node being shared by all child nodes in the intermediate node, the length of a child node being less than the length of the global version value, and the global version value of the intermediate node being updated when any local version value of the intermediate node overflows back to the initial value, K being a positive integer;
in each leaf node, the hash value is obtained based on the global version value, the version value of the parent node, the local version values of all the child nodes and the global version value of the intermediate node to which the parent node belongs;
the parent node of each intermediate node of the intermediate levels immediately below the root node is the root node, and the parent nodes of the intermediate nodes of the remaining intermediate levels are child nodes of an intermediate node of the intermediate levels immediately above the intermediate node;
for any intermediate node:
if the intermediate node has a global version value and the node to which the parent node of the intermediate node belongs has a global version value, the hash value of the intermediate node is derived based on the global version value of the intermediate node, the local version values of all child nodes of the intermediate node, the local version value of its parent node and the global version value of the node to which its parent node belongs, and the update of the global version value or any of the local version values of the intermediate node causes the local version value of its parent node to be updated;
if the intermediate node has a global version value and the node to which the parent node of the intermediate node belongs does not have a global version value, the hash value of the intermediate node is derived based on the global version value of the intermediate node, the local version values of all child nodes of the intermediate node and the version value of its parent node, and the update of the global version value or any local version value of the intermediate node causes the version value of its parent node to be updated;
if the intermediate node does not have a global version value and the node to which the parent node of the intermediate node belongs does not have a global version value, the hash value of the intermediate node is derived based on the version values of all the child nodes of the intermediate node and the version value of its parent node, and the update of the version value of any one of the child nodes of the intermediate node causes the version value of its parent node to be updated.
In some embodiments, in a direction from the root node to the leaf nodes, the number of child nodes in the node of each level other than the root node is less than the number of child nodes in the nodes of the levels below the level.
The units of the memory controller 400 may perform the corresponding steps in the method embodiments of fig. 2 to 3E, and therefore, for brevity of description, specific operations and functions of the units of the apparatus 400 are not described herein again.
The memory controller 400 may be implemented in hardware, may be implemented in software, or may be implemented by a combination of hardware and software.
FIG. 5 is a hardware block diagram of a memory controller according to some embodiments. As shown in fig. 5, the memory controller 500 may include at least one processing module 502 and a memory module 504, and the at least one processing module 502 and the memory module 504 may be connected via a bus 506. Memory controller 500 may be located in a trusted system on a chip.
The memory module 504 may store executable code. The executable code stored in the storage module 504, when executed by the at least one processing module 502, causes the memory controller 500 to implement the various processes described above in connection with fig. 2-3E.
In addition, the memory controller 500 may further include a cache unit. The cache unit may be implemented in the storage module 504 or may be implemented independently of the storage module 504. The cache unit may cache related information such as the node of the integrity protection tree, the node of the forest root tree, and the like.
Embodiments of the present specification also provide a machine-readable storage medium. The machine-readable storage medium may store executable code that, when executed by a machine, causes the machine to perform particular processes of the method embodiments described above with reference to fig. 2-3E.
For example, a machine-readable storage medium may include, but is not limited to, Random Access Memory (RAM), Read-Only Memory (ROM), Electrically-Erasable Programmable Read-Only Memory (EEPROM), Static Random Access Memory (SRAM), a hard disk, flash Memory, and so forth.
It should be understood that the embodiments in this specification are described in a progressive manner, and that the same or similar parts in the various embodiments may be mutually referred to, and each embodiment is described with emphasis instead of others. For example, as for the embodiments of the apparatus, the computing device and the machine-readable storage medium, since they are substantially similar to the method embodiments, the description is simple, and the relevant points can be referred to the partial description of the method embodiments.
Specific embodiments of this specification have been described above. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Not all steps and elements in the above flows and system structure diagrams are necessary, and some steps or elements may be omitted according to actual needs. The apparatus structures described in the above embodiments may be physical structures or logical structures, that is, some units may be implemented by the same physical entity, or some units may be implemented by a plurality of physical entities respectively, or some units may be implemented by some components in a plurality of independent devices together.
The term "exemplary" used throughout this specification means "serving as an example, instance, or illustration," and does not mean "preferred" or "advantageous" over other embodiments. The detailed description includes specific details for the purpose of providing an understanding of the described technology. However, the techniques may be practiced without these specific details. In some instances, well-known structures and devices are shown in block diagram form in order to avoid obscuring the concepts of the described embodiments.
Although the embodiments of the present disclosure have been described in detail with reference to the accompanying drawings, the embodiments of the present disclosure are not limited to the specific details of the embodiments, and various modifications may be made within the technical spirit of the embodiments of the present disclosure, which belong to the scope of the embodiments of the present disclosure.
The previous description of the disclosure is provided to enable any person skilled in the art to make or use the disclosure. Various modifications to the disclosure will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other variations without departing from the scope of the disclosure. Thus, the disclosure is not intended to be limited to the examples and designs described herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (22)
1. A method for memory integrity protection, wherein the method is performed by a memory controller of a trusted system on a chip, the method comprising:
receiving an access request of a processor of the trusted system on chip to a trusted memory, wherein:
the trusted memory is divided into N regions, the N regions respectively correspond to N integrity protection trees for integrity protection, N is a positive integer greater than 1,
each integrity protection tree including at least a root node and a plurality of leaf nodes, each leaf node having a version value for at least one data block in a respective region, the root node having a version value derived based on the plurality of leaf nodes;
the access request comprises a target memory address to be accessed;
determining a target integrity protection tree corresponding to the target memory address from the N integrity protection trees;
and carrying out integrity verification on the target memory address based on the target integrity protection tree.
2. The method of claim 1, wherein the memory controller is cached with at least a root node of each of the N integrity protection trees.
3. The method according to claim 1, wherein the memory controller caches at least root nodes of M integrity protection trees of the N integrity protection trees, regions corresponding to the M integrity protection trees are accessed by the processor within a predetermined time period from a current time, and M is a positive integer smaller than N;
root nodes of the N integrity protection trees form leaf nodes of a forest root tree, the root nodes of the forest root tree are obtained based on the leaf nodes of the forest root tree, and the root nodes of the forest root tree reside in the memory controller.
4. The method of claim 3, wherein performing integrity verification for the target memory address based on the target integrity protection tree comprises:
and if the memory controller caches the root node of the target integrity protection tree, performing integrity verification on the target memory address based on the target integrity protection tree.
5. The method of claim 3, wherein the N integrity protection trees are stored in untrusted storage space outside of the trusted system on a chip;
performing integrity verification on the target memory address based on the target integrity protection tree, including:
if the root node of the target integrity protection tree is not cached by the memory controller, performing integrity verification on the root node of the target integrity protection tree based on the root node of the forest root tree and the root nodes of the N integrity protection trees;
if the integrity verification of the root node of the target integrity protection tree passes, reading the root node of the target integrity protection tree from the untrusted storage space and caching the root node of the target integrity protection tree in the memory controller;
and carrying out integrity verification on the target memory address based on the target integrity protection tree.
6. The method of claim 5, wherein caching a root node of the target integrity protection tree in the memory controller comprises:
deleting a root node of one of the M integrity protection trees from the memory controller if the remaining storage space of the memory controller is insufficient to cache the root node of the target integrity protection tree;
reading a root node of the target integrity protection tree from the untrusted memory space and caching the root node of the target integrity protection tree in the memory controller.
7. The method of any of claims 1-6, wherein, for any one of the N integrity protection trees:
the integrity protection tree further comprises at least one intermediate level between its root node and a plurality of leaf nodes at the lowest level, each intermediate level comprising a plurality of intermediate nodes, each leaf node and each intermediate node comprising a hash value and a plurality of child nodes, each child node representing a version value, and the leaf nodes and the intermediate nodes comprising the same number of child nodes;
in each leaf node, each child node represents the version value of a data block in the region corresponding to the integrity protection tree;
the parent node of each leaf node is a child node of an intermediate node of the intermediate level immediately above the leaf node, the parent node of each intermediate node of the intermediate level immediately below the root node is the root node, and the parent nodes of the intermediate nodes of the remaining intermediate levels are child nodes of an intermediate node of the intermediate level immediately above the intermediate node;
for each intermediate node or each leaf node, updating the version value of any child node thereof to update the version value of a parent node thereof;
for each intermediate node or each leaf node, its hash value is derived based on the version values of all its children nodes and the version value of its parent node.
8. The method according to any one of claims 1 to 6, wherein for any one of the N integrity protection trees,
the integrity protection tree further comprises at least one intermediate level between its root node and a plurality of leaf nodes at the lowest level, each intermediate level comprising a plurality of intermediate nodes;
each intermediate node at least comprises a hash value and a plurality of child nodes;
each leaf node comprises a global version value, a hash value and a plurality of child nodes;
the nodes in the same level have the same number of child nodes, and the number of child nodes in the leaf node is different from the number of child nodes in the intermediate node;
in each leaf node, each child node represents a local version value of a data block in a region corresponding to the integrity protection tree, the global version value in the leaf node is shared by all child nodes in the leaf node, and the length of the child node is smaller than that of the global version value;
in each leaf node, the local version value of each child node is updated based on the update of the corresponding data block, wherein the global version value is updated when any local version value overflows to return to the initial value;
the parent node of each leaf node is a child node of an intermediate node of the intermediate hierarchy immediately above the leaf node, and updating of the global version value or any local version value of the leaf node causes the version value of its parent node to be updated;
in each leaf node, a hash value is derived based on at least its global version value, the version value of its parent node, and the local version values of all its children nodes.
9. The method of claim 8, wherein,
for the at least one intermediate level, in K intermediate levels above a leaf node, each intermediate node including a global version value, a hash value, and a plurality of child nodes, each child node representing a local version value, the global version value of the intermediate node being shared by all child nodes in the intermediate node, the length of a child node being less than the length of the global version value, and the global version value of the intermediate node being updated when any local version value of the intermediate node overflows back to the initial value, K being a positive integer;
in each leaf node, the hash value is obtained based on the global version value, the version value of the parent node, the local version values of all the child nodes and the global version value of the intermediate node to which the parent node belongs;
the parent node of each intermediate node of the intermediate levels immediately below the root node is the root node, and the parent nodes of the intermediate nodes of the remaining intermediate levels are child nodes of an intermediate node of the intermediate levels immediately above the intermediate node;
for any intermediate node:
if the intermediate node has a global version value and the node to which the parent node of the intermediate node belongs has a global version value, the hash value of the intermediate node is derived based on the global version value of the intermediate node, the local version values of all child nodes of the intermediate node, the local version value of its parent node and the global version value of the node to which its parent node belongs, and the update of the global version value or any of the local version values of the intermediate node causes the local version value of its parent node to be updated;
if the intermediate node has a global version value and the node to which the parent node of the intermediate node belongs does not have a global version value, the hash value of the intermediate node is derived based on the global version value of the intermediate node, the local version values of all child nodes of the intermediate node and the version value of its parent node, and the update of the global version value or any local version value of the intermediate node causes the version value of its parent node to be updated;
if the intermediate node does not have a global version value and the node to which the parent node of the intermediate node belongs does not have a global version value, the hash value of the intermediate node is derived based on the version values of all the child nodes of the intermediate node and the version value of its parent node, and the update of the version value of any one of the child nodes of the intermediate node causes the version value of its parent node to be updated.
10. The method of claim 9, wherein the number of child nodes in the nodes of each level other than the root node is less than the number of child nodes in the nodes of the levels below the level in a direction from the root node to the leaf node.
11. A memory controller of a trusted system on a chip, comprising:
a receiving unit, configured to receive an access request of a processor of the trusted system on chip to a trusted memory, where:
the trusted memory is divided into N regions, the N regions respectively correspond to N integrity protection trees for integrity protection, N is a positive integer greater than 1,
each integrity protection tree including at least a root node and a plurality of leaf nodes, each leaf node having a version value for at least one data block in a respective region, the root node having a version value derived based on the plurality of leaf nodes;
the access request comprises a target memory address to be accessed;
a determining unit configured to determine a target integrity protection tree corresponding to the target memory address from among the N integrity protection trees;
and the verification unit is used for carrying out integrity verification on the target memory address based on the target integrity protection tree.
12. The memory controller according to claim 11, further comprising a first cache unit that caches at least root nodes of the respective N integrity protection trees.
13. The memory controller according to claim 11, further comprising a second cache unit that caches at least root nodes of M integrity protection trees of the N integrity protection trees, regions corresponding to the M integrity protection trees are accessed by the processor within a predetermined time period from a current time, where M is a positive integer smaller than N;
root nodes of the N integrity protection trees form leaf nodes of a forest root tree, the root nodes of the forest root tree are obtained based on the leaf nodes of the forest root tree, and the root nodes of the forest root tree reside in the second cache unit.
14. The memory controller of claim 13, wherein the authentication unit is further to:
and if the second cache unit caches the root node of the target integrity protection tree, performing integrity verification on the target memory address based on the target integrity protection tree.
15. The memory controller of claim 13, wherein the N integrity protection trees are stored in untrusted memory space outside of the trusted system on chip;
the authentication unit further performs the following operations:
if the root node of the target integrity protection tree is not cached in the second caching unit, performing integrity verification on the root node of the target integrity protection tree based on the root node of the forest root tree and the root nodes of the N integrity protection trees;
the second cache unit further performs the following operations:
if the integrity of the root node of the target integrity protection tree is verified, reading the root node of the target integrity protection tree from the untrusted storage space, and caching the root node of the target integrity protection tree;
the authentication unit further performs the following operations:
and carrying out integrity verification on the target memory address based on the target integrity protection tree.
16. The memory controller of claim 15, wherein the second cache unit is further to:
deleting a root node of one of the M integrity protection trees from the second cache unit if the remaining storage space of the second cache unit is not sufficient to cache the root node of the target integrity protection tree;
reading a root node of the target integrity protection tree from the untrusted memory space and caching the root node of the target integrity protection tree.
17. The memory controller of any one of claims 11 to 16, wherein for any one of the N integrity protection trees used by the memory controller:
the integrity protection tree further comprises at least one intermediate level between its root node and a plurality of leaf nodes at the lowest level, each intermediate level comprising a plurality of intermediate nodes, each leaf node and each intermediate node comprising a hash value and a plurality of child nodes, each child node representing a version value, and the leaf nodes and the intermediate nodes comprising the same number of child nodes;
in each leaf node, each child node represents the version value of a data block in the region corresponding to the integrity protection tree;
the parent node of each leaf node is a child node of an intermediate node of the intermediate level immediately above the leaf node, the parent node of each intermediate node of the intermediate level immediately below the root node is the root node, and the parent nodes of the intermediate nodes of the remaining intermediate levels are child nodes of an intermediate node of the intermediate level immediately above the intermediate node;
for each intermediate node or each leaf node, updating the version value of any child node thereof to update the version value of a parent node thereof;
for each intermediate node or each leaf node, its hash value is derived based on the version values of all its children nodes and the version value of its parent node.
18. The memory controller of any one of claims 11-16, wherein for any one of the N integrity protection trees used by the memory controller,
the integrity protection tree further comprises at least one intermediate level between its root node and a plurality of leaf nodes at the lowest level, each intermediate level comprising a plurality of intermediate nodes;
each intermediate node at least comprises a hash value and a plurality of child nodes;
each leaf node comprises a global version value, a hash value and a plurality of child nodes;
the nodes in the same level have the same number of child nodes, and the number of child nodes in the leaf node is different from the number of child nodes in the intermediate node;
in each leaf node, each child node represents a local version value of a data block in a region corresponding to the integrity protection tree, the global version value in the leaf node is shared by all child nodes in the leaf node, and the length of the child node is smaller than that of the global version value;
in each leaf node, the local version value of each child node is updated based on the update of the corresponding data block, wherein the global version value is updated when any local version value overflows to return to the initial value;
the parent node of each leaf node is a child node of an intermediate node of the intermediate hierarchy immediately above the leaf node, and updating of the global version value or any local version value of the leaf node causes the version value of its parent node to be updated;
in each leaf node, a hash value is derived based on at least its global version value, the version value of its parent node, and the local version values of all its children nodes.
19. The memory controller of claim 18,
for the at least one intermediate level, in K intermediate levels above a leaf node, each intermediate node including a global version value, a hash value, and a plurality of child nodes, each child node representing a local version value, the global version value of the intermediate node being shared by all child nodes in the intermediate node, the length of a child node being less than the length of the global version value, and the global version value of the intermediate node being updated when any local version value of the intermediate node overflows back to the initial value, K being a positive integer;
in each leaf node, the hash value is obtained based on the global version value, the version value of the parent node, the local version values of all the child nodes and the global version value of the intermediate node to which the parent node belongs;
the parent node of each intermediate node of the intermediate levels immediately below the root node is the root node, and the parent nodes of the intermediate nodes of the remaining intermediate levels are child nodes of an intermediate node of the intermediate levels immediately above the intermediate node;
for any intermediate node:
if the intermediate node has a global version value and the node to which the parent node of the intermediate node belongs has a global version value, the hash value of the intermediate node is derived based on the global version value of the intermediate node, the local version values of all child nodes of the intermediate node, the local version value of its parent node and the global version value of the node to which its parent node belongs, and the update of the global version value or any of the local version values of the intermediate node causes the local version value of its parent node to be updated;
if the intermediate node has a global version value and the node to which the parent node of the intermediate node belongs does not have a global version value, the hash value of the intermediate node is derived based on the global version value of the intermediate node, the local version values of all child nodes of the intermediate node and the version value of its parent node, and the update of the global version value or any local version value of the intermediate node causes the version value of its parent node to be updated;
if the intermediate node does not have a global version value and the node to which the parent node of the intermediate node belongs does not have a global version value, the hash value of the intermediate node is derived based on the version values of all the child nodes of the intermediate node and the version value of its parent node, and the update of the version value of any one of the child nodes of the intermediate node causes the version value of its parent node to be updated.
20. The memory controller of claim 19, wherein the number of child nodes in the nodes of each level other than the root node is less than the number of child nodes in the nodes of the levels below the level in a direction from the root node to the leaf nodes.
21. A memory controller of a trusted system on a chip, comprising:
at least one processing module;
a storage module in communication with the at least one processing module having executable instructions stored thereon that, when executed by the at least one processor, cause the at least one processor to implement the method of any one of claims 1 to 10.
22. A machine-readable storage medium storing executable instructions that, when executed by a machine, cause the machine to implement a method according to any one of claims 1 to 10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110384123.XA CN113111391B (en) | 2021-04-09 | 2021-04-09 | Method for memory integrity protection and memory controller |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110384123.XA CN113111391B (en) | 2021-04-09 | 2021-04-09 | Method for memory integrity protection and memory controller |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113111391A true CN113111391A (en) | 2021-07-13 |
CN113111391B CN113111391B (en) | 2022-07-08 |
Family
ID=76715346
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110384123.XA Active CN113111391B (en) | 2021-04-09 | 2021-04-09 | Method for memory integrity protection and memory controller |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113111391B (en) |
Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080140971A1 (en) * | 2006-11-22 | 2008-06-12 | Transitive Limited | Memory consistency protection in a multiprocessor computing system |
CN101894079A (en) * | 2010-07-15 | 2010-11-24 | 哈尔滨工程大学 | Hash tree memory integrity protection method of variable length storage block |
CN102930185A (en) * | 2012-11-28 | 2013-02-13 | 中国人民解放军国防科学技术大学 | Method and device for verifying integrity of security critical data of program in process of running |
CN105022968A (en) * | 2015-07-30 | 2015-11-04 | 哈尔滨工程大学 | Integrity checking method of memory data |
CN105069379A (en) * | 2015-07-29 | 2015-11-18 | 哈尔滨工程大学 | Memory integrity protection method based on write counter |
CN105138478A (en) * | 2015-07-28 | 2015-12-09 | 哈尔滨工程大学 | Memory integrity protection method employing unbalanced hash tree mode |
US20170288874A1 (en) * | 2016-03-31 | 2017-10-05 | Intel Corporation | Cryptographic protection for trusted operating systems |
CN107408080A (en) * | 2015-03-27 | 2017-11-28 | 英特尔公司 | For reset nurse tree without cache separate type tracker framework |
US20190044729A1 (en) * | 2017-12-29 | 2019-02-07 | Intel Corporation | Indirection directories for cryptographic memory protection |
US20190268308A1 (en) * | 2018-02-27 | 2019-08-29 | Rohit Sinha | High-throughput data integrity via trusted computing |
CN111049825A (en) * | 2019-12-12 | 2020-04-21 | 支付宝(杭州)信息技术有限公司 | Secure multi-party computing method and system based on trusted execution environment |
CN111176567A (en) * | 2019-12-25 | 2020-05-19 | 上海沄界信息科技有限公司 | Storage supply amount verification method and device for distributed cloud storage |
-
2021
- 2021-04-09 CN CN202110384123.XA patent/CN113111391B/en active Active
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080140971A1 (en) * | 2006-11-22 | 2008-06-12 | Transitive Limited | Memory consistency protection in a multiprocessor computing system |
CN101894079A (en) * | 2010-07-15 | 2010-11-24 | 哈尔滨工程大学 | Hash tree memory integrity protection method of variable length storage block |
CN102930185A (en) * | 2012-11-28 | 2013-02-13 | 中国人民解放军国防科学技术大学 | Method and device for verifying integrity of security critical data of program in process of running |
CN107408080A (en) * | 2015-03-27 | 2017-11-28 | 英特尔公司 | For reset nurse tree without cache separate type tracker framework |
CN105138478A (en) * | 2015-07-28 | 2015-12-09 | 哈尔滨工程大学 | Memory integrity protection method employing unbalanced hash tree mode |
CN105069379A (en) * | 2015-07-29 | 2015-11-18 | 哈尔滨工程大学 | Memory integrity protection method based on write counter |
CN105022968A (en) * | 2015-07-30 | 2015-11-04 | 哈尔滨工程大学 | Integrity checking method of memory data |
US20170288874A1 (en) * | 2016-03-31 | 2017-10-05 | Intel Corporation | Cryptographic protection for trusted operating systems |
US20190044729A1 (en) * | 2017-12-29 | 2019-02-07 | Intel Corporation | Indirection directories for cryptographic memory protection |
US20190268308A1 (en) * | 2018-02-27 | 2019-08-29 | Rohit Sinha | High-throughput data integrity via trusted computing |
CN111049825A (en) * | 2019-12-12 | 2020-04-21 | 支付宝(杭州)信息技术有限公司 | Secure multi-party computing method and system based on trusted execution environment |
CN111176567A (en) * | 2019-12-25 | 2020-05-19 | 上海沄界信息科技有限公司 | Storage supply amount verification method and device for distributed cloud storage |
Non-Patent Citations (5)
Title |
---|
MENGYA LEI: "An efficient persistency and recovery mechanism for SGX-style integrity tree in secure NVM", 《DATE "20: PROCEEDINGS OF THE 23RD CONFERENCE ON DESIGN, AUTOMATION AND TEST IN EUROPE》 * |
夏庆勋等: "一种基于局部性原理的远程验证机制", 《计算机科学》 * |
岳虹等: "一种基于软硬件协同的程序安全关键数据动态保护机制", 《计算机工程与科学》 * |
杨帆等: "安全持久性内存存储研究综述", 《计算机研究与发展》 * |
董春涛: "SGX应用支持技术研究进展", 《软件学报》 * |
Also Published As
Publication number | Publication date |
---|---|
CN113111391B (en) | 2022-07-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6162652B2 (en) | Memory management apparatus, program, and method | |
US10733313B2 (en) | Counter integrity tree for memory security | |
CN107408081B (en) | Providing enhanced replay protection for memory | |
CN110945509B (en) | Apparatus and method for controlling access to data in a protected memory region | |
US8719580B2 (en) | Data verification method | |
US8769309B2 (en) | Flash memory storage system, and controller and method for anti-falsifying data thereof | |
US8250288B2 (en) | Flash memory storage system and controller and data protection method thereof | |
CN105069379B (en) | It is a kind of based on the memory integrity protection method for writing counter | |
CN111143247B (en) | Storage device data integrity protection method, controller thereof and system on chip | |
US7809958B2 (en) | Method for guaranteeing freshness of results for queries against a non-secure data store | |
CN102103552A (en) | Secure cache memory architecture | |
JP2018506784A (en) | Authenticated control stack | |
WO2020128413A1 (en) | Integrity tree for memory integrity checking | |
CN110832490A (en) | Secure snapshot management for data storage devices | |
Chen et al. | {PEARL}: Plausibly Deniable Flash Translation Layer using {WOM} coding | |
CN115777101A (en) | Memory protection using cached partial hash values | |
CN113111391B (en) | Method for memory integrity protection and memory controller | |
CN114564456B (en) | Distributed storage file recovery method and device | |
CN118245275A (en) | Selective memory repetition control | |
US10831916B2 (en) | Method for blocking access of malicious application and storage device implementing the same | |
CN113536364A (en) | Intel SGX-based construction method of security key value storage system | |
CN114817936B (en) | Memory full encryption management method, device, equipment and medium based on heterogeneous memory | |
CN111125794B (en) | Access control method, system and storage device controller | |
CN117827229A (en) | Method for preventing device firmware version from rolling back | |
CN117666960A (en) | Method, equipment and storage medium for realizing secure storage framework applying NVIDIA CUDA acceleration and improving Merkle hash tree |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |