CN113127871A - Intelligent terminal control system based on trusted security environment - Google Patents

Publication number
CN113127871A
CN113127871A CN202110409299.6A CN202110409299A CN113127871A CN 113127871 A CN113127871 A CN 113127871A CN 202110409299 A CN202110409299 A CN 202110409299A CN 113127871 A CN113127871 A CN 113127871A
Authority
CN
China
Prior art keywords
intelligent terminal
secure
terminal control
environment
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110409299.6A
Other languages
Chinese (zh)
Inventor
张忠培
杨松洁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
University of Electronic Science and Technology of China
Original Assignee
University of Electronic Science and Technology of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Electronic Science and Technology of China
Priority to CN202110409299.6A
Publication of CN113127871A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Storage Device Security (AREA)

Abstract

The invention belongs to the technical field of information security, and particularly relates to an intelligent terminal control system based on a trusted security environment. The system comprises an intelligent terminal control module and a secure payment module; the intelligent terminal control module establishes a trusted security environment for the intelligent terminal, and the secure payment module provides a secure payment environment for the intelligent terminal. The invention uses a multilayer security protection method in which each layer adopts a different security mode, so that the intelligent terminal can deal with unknown threats; a series of protection means ensures the security of the mobile terminal and counters the threats that the secure terminal faces.

Description

Intelligent terminal control system based on trusted security environment
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an intelligent terminal control system based on a trusted security environment.
Background
Because of the technical characteristics and service model of cloud computing, the security problems of traditional network services become more prominent, so users place higher demands on the trustworthiness of cloud services. On the one hand, compared with traditional distributed network services, cloud computing generally adopts virtualization technology, an outsourced service model and a multi-user architecture to improve resource utilization and reduce user investment, and provides a large number of usage and development interfaces so that users can customize cloud services. At the same time, this introduces new security weak points, weakens users' control over their own data, and blurs the boundary between different users' applications and the cloud computing system. On the other hand, cloud computing is still developing explosively and still lacks effective supervision and long-term planning in both technology and management, so the demand for trustworthy cloud computing grows ever stronger. Cloud computing faces three security issues:
(1) Users' lack of trust in the cloud administrator
Service outsourcing is one application model of cloud services. In this model, the user entrusts its data entirely to the cloud for management. For users, this saves a large amount of manpower and material resources in data maintenance and resource purchasing; for the cloud administrator, data resources are highly centralized and can conveniently be managed in a unified way. However, this service model completely separates the ownership, administration and use of user data, so the user loses direct control over the data. Because the storage, use, deletion and reuse of data in the cloud computing environment are outside the user's control, the confidentiality, integrity and service availability of data in the cloud are threatened.
(2) Virtualization security issues
Cloud computing's on-demand dynamic allocation is realized by using virtualization technology to partition and dynamically allocate physical resources in support of upper-layer services. Virtualization is therefore one of the fundamental, key technologies for providing cloud services to users. Because virtualization shares physical resources, once a security problem occurs, all users in the cloud environment are affected.
From the viewpoint of virtualization architecture, a virtual machine system is composed of three functional components: the virtual machine monitor, the virtual machine management tools and the guest operating system (Guest OS). Each component may introduce new security risks and enlarge the attack surface of the original information system, leading to serious consequences such as damage, abuse, leakage and tampering of cloud computing resources and user data.
(3) Unknown user behavior in the cloud environment
Users rent cloud service resources, but their motives and the purposes for which they use virtual machine resources are unknown. Malicious users in the cloud environment may damage the environment or steal cloud service resources. Moreover, multi-user operation is a typical application architecture of cloud computing: the high degree of resource sharing among multiple users improves resource utilization and reduces unit resource cost. However, sharing resources among different users reduces application isolation, which may allow malicious users to attack other users or the cloud computing infrastructure through the shared resources.
Disclosure of Invention
The invention aims to solve the above problems by providing an intelligent terminal control system based on a trusted security environment.
The technical scheme of the invention is as follows:
The intelligent terminal control system based on the trusted security environment is characterized by comprising an intelligent terminal control module and a secure payment module; the intelligent terminal control module is used for establishing a trusted security environment for the intelligent terminal, and the secure payment module is used for providing a secure payment environment for the intelligent terminal.
Furthermore, the intelligent terminal control module takes the intelligent terminal operating system as its core and provides secure boot, security verification, network attack detection, real-time antivirus scanning, disk encryption, application management, voice and message encryption, secure communication and remote maintenance for the intelligent terminal.
Further, the secure payment module provides a secure payment environment for the intelligent terminal as follows:
analyzing base-station and Wi-Fi hotspot information through its data characteristics to identify pseudo base stations and pseudo Wi-Fi, so that the intelligent terminal avoids dangerous access;
identifying legitimate website information through a secure browser;
effectively verifying preset apps and third-party apps;
preventing malicious software from reading the input of the mobile phone screen and the soft keyboard;
updating the firmware of the intelligent terminal operating system in a real-time updating mode;
ensuring the security of the payment application's data in physical storage through an enhanced disk encryption mode;
shielding binary short messages and multimedia messages, so that the risk caused by clicking on such messages is avoided;
backing up the intelligent terminal's data through the trusted security platform.
The advantage of the invention is that it adopts a multilayer security protection method in which each layer uses a different security mode, so that the intelligent terminal can deal with unknown threats; a series of protection means ensures the security of the mobile terminal and counters the threats that the secure terminal faces.
Drawings
FIG. 1 protection layers of a secure handset
FIG. 2 architecture of a secure handset
FIG. 3 program structure for eliminating surface layer attack
FIG. 4 System resource protection
FIG. 5 software for preventing network layer attacks
FIG. 6 network security detection
FIG. 7 disk encryption method
FIG. 8 application management
FIG. 9 Voice and message encryption Process
FIG. 10 secure communication architecture
FIG. 11 secure communication flow
FIG. 12 remote maintenance
Detailed Description
The technical solution of the present invention will be described in detail below with reference to the embodiments and the accompanying drawings.
The details of the present invention will be described by taking an example in which the present invention is applied to a smartphone.
S1. Ensuring the security of the mobile terminal
As shown in FIG. 1, the protection layers of a secure handset include Trojan shielding, encrypted communication, surface attack eradication, unknown threat detection, resource intrusion, and data protection. In addition, as shown in FIG. 2, the handset-based security architecture includes a secure OS, a secure handset, a secure session, a secure application, and a secure help. The secure environment developed by the invention is therefore a comprehensive protection scheme based on software design, referred to as DOOV-OS. It guarantees the security of the mobile terminal through a series of protection means:
1. Secure boot
In secure boot, each stage of the boot process must first be verified by the preceding stage before it is trusted, and the boot loader is locked. As shown in FIG. 3, this configuration checks in real time that the hardware is executing officially authorized drivers, has full access to and uses the original boot loader and drivers, and uses a secure boot program, a security mechanism that ensures the boot process uses only authorized programs. Surface-layer attacks are thereby eliminated and the terminal is kept trustworthy.
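The stage-by-stage verification described above can be sketched as follows. This is an added example, not code from the patent or from DOOV-OS: it assumes each stage pins the SHA-256 digest of the next stage and that the first stage's digest sits in an immutable ROM anchor (a real implementation would normally verify signatures); the stage names and image bytes are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes                 # image bytes of this boot stage
    next_digest: Optional[str]  # pinned SHA-256 of the next stage; None for the last


def image_digest(stage: Stage) -> str:
    # The pin is hashed together with the code, so changing either one
    # changes the digest that the previous stage expects.
    pin = (stage.next_digest or "").encode()
    return hashlib.sha256(stage.code + b"|" + pin).hexdigest()


def seal_chain(images: List[Tuple[str, bytes]]) -> Tuple[str, List[Stage]]:
    """Seal the stages back to front; return (rom_anchor, stages)."""
    if not images:
        raise ValueError("at least one boot stage is required")
    next_digest: Optional[str] = None
    stages: List[Stage] = []
    for name, code in reversed(images):
        stage = Stage(name, code, next_digest)
        next_digest = image_digest(stage)
        stages.append(stage)
    stages.reverse()
    return next_digest, stages


def verified_boot(rom_anchor: str, stages: List[Stage]) -> Tuple[List[str], Optional[str]]:
    """Walk the chain; return (stages started, name of the failing stage or None)."""
    expected: Optional[str] = rom_anchor
    started: List[str] = []
    for stage in stages:
        # Halt before handing control to a stage the previous one did not vouch for.
        if expected is None or not hmac.compare_digest(image_digest(stage), expected):
            return started, stage.name
        started.append(stage.name)
        expected = stage.next_digest
    return started, None


# Constructed sample images (placeholders, not real firmware).
IMAGES = [("bootloader", b"BL v1"), ("kernel", b"KERNEL v1"), ("system", b"SYSTEM v1")]
ROM_ANCHOR, CHAIN = seal_chain(IMAGES)


def tamper_kernel(chain: List[Stage]) -> List[Stage]:
    """Kernel image replaced; boot loader untouched."""
    out = list(chain)
    out[1] = replace(out[1], code=b"KERNEL patched")
    return out


def tamper_and_repin(chain: List[Stage]) -> List[Stage]:
    """Kernel replaced and the boot loader's pin rewritten to match it."""
    out = tamper_kernel(chain)
    out[0] = replace(out[0], next_digest=image_digest(out[1]))
    return out


if __name__ == "__main__":
    for label, chain in [("clean", CHAIN),
                         ("kernel tampered", tamper_kernel(CHAIN)),
                         ("tampered + re-pinned", tamper_and_repin(CHAIN))]:
        print(label, verified_boot(ROM_ANCHOR, chain))
```

The third case shows why the boot loader has to be locked: rewriting its pin changes its own digest, so the check against the ROM anchor fails before anything runs.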
2. Security verification
After the latest firmware upgrade, the running kernel must be verified locally to ensure that it has not been changed; the kernel, preinstalled applications and third-party applications are verified through data analysis.
To eliminate surface attacks, an effective measure is to secure the terminal's components by controlling resources, that is, by protecting system resources, and to build an additional layer of protection. Drawing on its deep understanding of how malware and spyware work and of which data they track, DOOV-OS creates a series of barriers through low-level access to the hardware and driver software to better protect the system's important resources. As shown in FIG. 4, the protected resources include the microphone (headset and Bluetooth), camera, screenshots, Bluetooth, USB, Wi-Fi, and so on.
3. Network attack detection
A cyber attack refers to any type of offensive action directed to a computer information system, infrastructure, computer network, or personal computer device. To detect network attacks, the DOOV-OS may cooperate with a control center to monitor the network and devices connected to the network. Network layer based attacks are revealed by detecting network anomalies. As shown in FIG. 5, the DOOV-OS may monitor and track the device's abnormal behavior and perceive the source of the abnormality.
4. Firmware OTA upgrade
To prevent network attacks more effectively, DOOV-OS can perform network security detection in real time. As shown in FIG. 6, this mainly comprises three parts: antivirus software, network monitoring, and remote firmware upgrade. The built-in online antivirus engine can be updated to the latest virus library in time, scans all applications on the terminal device and raises warnings, and warns the user about unsafe websites.
5. Disk encryption
To implement terminal security, user data must be encrypted so that information cannot be stolen from outside. As shown in FIG. 7, DOOV-OS provides a disk encryption method in which an active, independent cryptographic mechanism protects the disk on top of general terminal encryption, so that attempts to decode the data stored on the device's disk are extremely difficult. In addition, DOOV-OS provides enhanced disk encryption, a secure application store, a secure browser and similar functions.
6. Application management
Surface attacks can also be eliminated effectively from the viewpoint of terminal management. As shown in FIG. 8, DOOV-OS has a console that can enforce the enterprise mobile policy, including resource management, usage rights, access control, and the like. Working with the control center, it can manage mobile devices and applications (for example through application blacklists and whitelists).
7. Voice and message encryption
For voice and message encryption, DOOV-OS provides encrypted voice communication and encrypted transfer of messages and file attachments (note: the encryption algorithm can be changed as required). The encoding, protocol and encryption algorithm of the encrypted communication are shown in FIG. 9. The Secure Real-time Transport Protocol (SRTP) is a protocol defined on the basis of the Real-time Transport Protocol (RTP), and is intended to provide encryption, message authentication, integrity assurance and replay protection for RTP data in unicast and multicast applications. The encryption mechanism consists of ZRTP key exchange and AES256-encrypted audio.
8. Secure communication system
As shown in FIG. 10, the secure communication architecture is embodied in fully secure communication, user experience, a stable VPN, and communication over any IP system. Fully secure communication comprises end-to-end secure communication and message transmission between two instances of the Interactive communication application software; communication between the Interactive communication application software and a common panic is half-way secure communication. User experience is embodied in conference calls and self-destructing messages. The stable VPN provides secure communication for the whole system, including communication policy management, and is based on any IP system. The secure communication flow is shown in FIG. 11 and involves a management end, a cloud, an act control center, a VPN, the HTTPS/TLS protocols, a Push system, the secure mobile phone, and so on.
9. Remote maintenance
DOOV-OS provides remote maintenance of mobile devices (remote control, device diagnostics, and so on). As shown in FIG. 12, it comprises three parts: self-healing application software, a security assurance application, and a remote control application. The self-healing application software seamlessly and automatically diagnoses connection and operating performance problems; the security assurance application can be configured in a maximum security verification mode; and the remote control application performs security inspection and performance assurance through complete remote control of the device, eliminating the need for additional external support.
S2. Threats to secure payment and countermeasures
1. Pseudo base stations and pseudo Wi-Fi phishing intercept online payment information in a man-in-the-middle manner.
A distinctive feature of DOOV-OS is that it analyzes base-station and Wi-Fi hotspot information through its data characteristics and identifies pseudo base stations and pseudo Wi-Fi, so that these dangerous accesses are avoided.
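The patent does not say which data characteristics are analyzed. The following added example, which is not the patent's or DOOV-OS's own code, assumes two of them for the Wi-Fi case: the access point's BSSID and its advertised security mode, compared against a baseline recorded on earlier trusted connections. All network names, addresses and scan results are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Assumed ordering of security modes, weakest first.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


@dataclass(frozen=True)
class Hotspot:
    ssid: str
    bssid: str        # access point MAC address
    security: str     # advertised security mode
    signal_dbm: int


@dataclass(frozen=True)
class Profile:
    bssids: FrozenSet[str]   # access points seen on earlier trusted connections
    security: str            # weakest security mode the real network uses


def assess(hs: Hotspot, baseline: Dict[str, Profile]) -> List[str]:
    """Return the reasons a hotspot cannot be trusted (empty list = no flag)."""
    profile = baseline.get(hs.ssid)
    if profile is None:
        return ["no-baseline"]          # never seen before: nothing to vouch for it
    reasons: List[str] = []
    if hs.bssid.lower() not in profile.bssids:
        reasons.append("unknown-bssid")  # same name, different radio
    if SECURITY_RANK.get(hs.security.upper(), -1) < SECURITY_RANK[profile.security]:
        reasons.append("security-downgrade")
    return reasons


def review_scan(scan: List[Hotspot], baseline: Dict[str, Profile]) -> Dict[str, List[str]]:
    """Map each flagged BSSID in one scan to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for hs in scan:
        reasons = assess(hs, baseline)
        if reasons:
            flagged[hs.bssid] = reasons
    return flagged


def pick_access_point(ssid: str, scan: List[Hotspot],
                      baseline: Dict[str, Profile]) -> Optional[Hotspot]:
    """Strongest-signal hotspot for `ssid` that raised no flag, or None."""
    clean = [hs for hs in scan if hs.ssid == ssid and not assess(hs, baseline)]
    return max(clean, key=lambda hs: hs.signal_dbm, default=None)


# Constructed baseline and scan results.
BASELINE = {
    "Office-WiFi": Profile(frozenset({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}), "WPA2"),
}
SCAN = [
    Hotspot("Office-WiFi", "AA:BB:CC:00:00:01", "WPA2", -67),  # known access point
    Hotspot("Office-WiFi", "02:11:22:33:44:55", "OPEN", -41),  # louder, open, unknown
    Hotspot("Office-WiFi", "02:11:22:33:44:66", "WPA2", -50),  # unknown radio only
]

if __name__ == "__main__":
    print(review_scan(SCAN, BASELINE))
    print(pick_access_point("Office-WiFi", SCAN, BASELINE))
```

The strongest signal is not what gets picked: the two unknown radios are skipped even though they are louder than the known access point. A BSSID can be copied, so a clean result is a necessary condition for joining, not proof that the hotspot is genuine.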
2. Trojan viruses are implanted when the user browses a phishing website or a malicious website.
DOOV-OS provides a secure browser that identifies legitimate website information, and it can warn about dangerous websites through the embedded antivirus software.
3. The payment app is tampered with.
DOOV-OS can effectively verify preset apps and third-party apps at run time. The built-in antivirus software also scans all apps and monitors their behavior.
4. Malware installed on the phone captures screen information to obtain the user's account and password.
DOOV-OS improves the way resources are managed and prevents malicious software from reading the input of the mobile phone screen and the soft keyboard.
5. Operating system vulnerabilities and system security problems.
DOOV-OS supports timely firmware updates over the air (OTA), ensuring that updated firmware is installed on the mobile phone promptly.
6. Payment data on the mobile phone is stolen.
DOOV-OS provides an enhanced disk encryption mode to ensure the security of the payment application's data in physical storage.
7. Viruses are implanted through short messages (or multimedia messages).
DOOV-OS supports shielding of binary short messages and multimedia messages, avoiding the risk caused by clicking on such messages.
8. DOOV-OS works with the control center, DOOV-CC, to manage devices effectively (for example data backup, handling of a lost phone, and application and resource management), ensuring that sensitive data and payment information cannot be obtained by others after the phone is lost.

Claims (3)

1. The intelligent terminal control system based on the trusted security environment is characterized by comprising an intelligent terminal control module and a secure payment module; the intelligent terminal control module is used for establishing a trusted security environment for the intelligent terminal, and the secure payment module is used for providing a secure payment environment for the intelligent terminal.
2. The intelligent terminal control system based on the trusted secure environment according to claim 1, wherein the intelligent terminal control module takes an intelligent terminal operating system as a core, and provides secure boot, secure authentication, network attack detection, real-time antivirus scanning, disk encryption, application management, voice and message encryption, secure communication and remote maintenance for the intelligent terminal.
3. The intelligent terminal control system based on the trusted secure environment according to claim 1, wherein the specific method for the secure payment module to provide the secure payment environment for the intelligent terminal is as follows:
analyzing base-station and Wi-Fi hotspot information through its data characteristics to identify pseudo base stations and pseudo Wi-Fi, so that the intelligent terminal avoids dangerous access;
identifying legitimate website information through a secure browser;
effectively verifying preset apps and third-party apps;
preventing malicious software from reading the input of the mobile phone screen and the soft keyboard;
updating the firmware of the intelligent terminal operating system in a real-time updating mode;
ensuring the security of the payment application's data in physical storage through an enhanced disk encryption mode;
shielding binary short messages and multimedia messages, so that the risk caused by clicking on such messages is avoided;
and backing up the intelligent terminal's data through the trusted security platform.
CN202110409299.6A 2021-04-16 2021-04-16 Intelligent terminal control system based on trusted security environment Pending CN113127871A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110409299.6A CN113127871A (en) 2021-04-16 2021-04-16 Intelligent terminal control system based on trusted security environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110409299.6A CN113127871A (en) 2021-04-16 2021-04-16 Intelligent terminal control system based on trusted security environment

Publications (1)

Publication Number Publication Date
CN113127871A true CN113127871A (en) 2021-07-16

Family

ID=76777454

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110409299.6A Pending CN113127871A (en) 2021-04-16 2021-04-16 Intelligent terminal control system based on trusted security environment

Country Status (1)

Country Link
CN (1) CN113127871A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210716
