CN113868673A - Vulnerability detection method and device - Google Patents


Info

Publication number
CN113868673A
Authority
CN
China
Prior art keywords
instruction
virtual memory
memory
address
terminal device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111471556.5A
Other languages
Chinese (zh)
Other versions
CN113868673B (en)
Inventor
李海山
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Honor Device Co Ltd
Original Assignee
Honor Device Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Honor Device Co Ltd
Priority to CN202111471556.5A
Publication of CN113868673A
Application granted
Publication of CN113868673B
Legal status: Active
Anticipated expiration: not stated

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45583Memory management, e.g. access or allocation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45591Monitoring or debugging support
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the application provides a vulnerability detection method and device. A terminal device can call a first instruction to obtain the content in a first virtual memory, and when the terminal device determines that the address to which the content in the first virtual memory is written is an address of a second virtual memory, the terminal device can obtain the content in the second virtual memory.

Description

Vulnerability detection method and device
Technical Field
The present application relates to the field of data processing, and in particular, to a vulnerability detection method and apparatus.
Background
With the development of terminal technology, a terminal device may generate different data during operation, and the terminal device may process the different data, for example, the terminal device may process the data through a processor, where an operation environment when the processor processes the data includes a Rich Execution Environment (REE) and a Trusted Execution Environment (TEE), a Client Application (CA) is run in the REE, and a Trusted Application (TA) is run in the TEE, so that after the terminal device acquires the data, the terminal device may process the data in the TEE, or the terminal device may call the TA through the CA, so that the TA processes the data in the TEE.
In a possible situation, when the data acquired by the terminal device is sensitive data, the terminal device may call the TA through the CA, so that the TA processes the sensitive data in the TEE, and the TA writes the processing result into the REE side.
However, since the terminal device cannot find the vulnerability of the TA, the sensitive data stored on the TEE side may be leaked when the terminal device calls the TA to process the sensitive data.
Disclosure of Invention
The embodiment of the application provides a vulnerability detection method and device. A terminal device can call a first instruction to obtain the content in a first virtual memory, and when the terminal device determines that the address to which the content in the first virtual memory is written is an address of a second virtual memory, the terminal device can obtain the content in the second virtual memory.
In a first aspect, an embodiment of the present application provides a vulnerability detection method. The method includes: the terminal device calls a first instruction to obtain the content in a first virtual memory, where the first virtual memory is memory in the Trusted Execution Environment (TEE) and the first instruction is one of the instructions of a target trusted application (TA); when the terminal device determines that the address to which the content in the first virtual memory is written is an address of a second virtual memory, the terminal device obtains the content in the second virtual memory, where the second virtual memory is memory in the Rich Execution Environment (REE); and when the terminal device determines that the content in the second virtual memory includes an address of the first virtual memory, the terminal device determines that the first instruction has a vulnerability. In other words, if the content in the second virtual memory includes an address of the first virtual memory, a memory address of the secure side has flowed into memory on the non-secure side, so the first instruction can be determined to have a vulnerability. The terminal device can thereby find vulnerabilities in the instructions of the target TA, which improves the security of the terminal device when it calls the TA to process data.
In a possible implementation, calling the first instruction to obtain the content in the first virtual memory includes: the terminal device acquires first data; when the terminal device writes the first data into a first client application (CA) process, the terminal device determines the instructions of the target TA according to the instructions of a first TA, where the first CA process is a process in the REE and the instructions of the target TA include the first instruction; and the terminal device calls the first instruction to process the first data in the first virtual memory, obtaining the content in the first virtual memory. Since the first instruction is one of the instructions of the target TA, the terminal device can test the security of the target TA's instructions with the first data, improving security when the terminal device calls the TA to process data.
In a possible implementation, the TEE includes a TA loader, and determining the instructions of the target TA according to the instructions of the first TA when the first data is written into the first CA process includes: when the terminal device writes the first data into the first CA process, the terminal device loads the instructions of the first TA into a first cache space based on the TA loader, where the first cache space is memory allocated by the TA loader for the instructions of the first TA, and the instructions of the first TA include a second instruction; when the second instruction is a memory access instruction, the terminal device takes the second instruction as a first instruction, caches the first instruction in a second cache space based on the TA loader, and inserts an access record instruction before the first instruction, where the second cache space is memory allocated by the TA loader for the instructions of the target TA and is different from the first cache space; when the second instruction is not a memory access instruction, the terminal device takes the second instruction as a first instruction and caches it in the second cache space based on the TA loader; and the terminal device determines the instructions in the second cache space to be the instructions of the target TA. Once the terminal device has obtained the instructions of the target TA through the TA loader, it can process the first data with those instructions and so test their security with the first data.
In one possible implementation, the memory access instruction includes: STR instructions, STX instructions, STP instructions, or STUR instructions.
In a possible implementation, loading the instructions of the first TA into the first cache space based on the TA loader when the first data is written into the first CA process includes: when the terminal device writes the first data into the first CA process, the terminal device, based on the TA loader, scans the code segment of the first TA starting from the code segment's entry point; the terminal device parses the code segment of the first TA into the instructions of the first TA based on the TA loader; and the terminal device loads the instructions of the first TA into the first cache space based on the TA loader. In this way the terminal device obtains the instructions of the first TA, from which it derives the instructions of the target TA.
In a possible implementation, obtaining the content in the second virtual memory when the terminal device determines that the address to which the content in the first virtual memory is written is an address of the second virtual memory includes: the terminal device acquires the address range of the second virtual memory, which is the address range of memory in the REE; when, based on the access record instruction before the first instruction, the terminal device determines that the address to which the content in the first virtual memory is written lies within the address range of the second virtual memory, the terminal device determines that this address is an address of the second virtual memory; and when the terminal device has determined that this address is an address of the second virtual memory, the terminal device obtains the content in the second virtual memory based on the access record instruction before the first instruction. Having obtained the content in the second virtual memory, the terminal device can judge from it whether the first instruction has a vulnerability.
In a possible implementation, determining that the first instruction has a vulnerability when the content in the second virtual memory includes the address of the first virtual memory includes: the terminal device acquires the address range of the first virtual memory, which is the address range of memory in the TEE; and when the content in the second virtual memory includes a first address and the first address lies within the address range of the first virtual memory, the terminal device determines that the first instruction has a vulnerability. In this way the terminal device can determine from the address range of the first virtual memory whether the first instruction has a vulnerability, and since the first instruction is one of the instructions of the target TA, the terminal device can find out whether the target TA's instructions have vulnerabilities.
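As an added illustration (not code from the patent or from Honor), the following Python model instruments a constructed TA instruction sequence the way the implementations above describe: an access record is inserted before each STR/STX/STP/STUR, the record captures stores whose destination lies in the REE range (second virtual memory), and a store is flagged when the content written there contains an address in the TEE range (first virtual memory). The instruction tuple format, the address ranges and every name here are assumptions.

```python
"""Model of the TA-loader instrumentation and leak check described above.

Added illustration, not code from the patent or from Honor. The instruction
tuple format, the address ranges and every name here are assumptions.
"""
from dataclasses import dataclass, field

# The store instructions the patent treats as "memory access instructions".
MEMORY_ACCESS_OPS = {"STR", "STX", "STP", "STUR"}

# Constructed address ranges: first virtual memory (TEE side) and
# second virtual memory (REE side). A real layout comes from the TEE OS.
TEE_RANGE = range(0x8000_0000, 0x8010_0000)
REE_RANGE = range(0x4000_0000, 0x4010_0000)

WORD = 8  # 64-bit words, matching the AArch64 STR/STP operands modelled


def in_range(addr: int, r: range) -> bool:
    return r.start <= addr < r.stop


def instrument_ta(instrs):
    """Build the 'second cache space': a copy of the first TA's instructions
    with an ACCESS_RECORD pseudo-instruction inserted before every store.

    An instruction is a tuple (op, operands...). Store operands are
    (src_reg, dest_addr) for STR/STX/STUR and (src1, src2, dest_addr) for STP.
    """
    target = []
    for ins in instrs:
        if ins[0] in MEMORY_ACCESS_OPS:
            target.append(("ACCESS_RECORD", ins))  # records the store that follows
        target.append(ins)
    return target


@dataclass
class Machine:
    """Toy executor: a register file, a flat word-addressed memory and the
    access records collected while running the instrumented TA."""
    regs: dict
    mem: dict = field(default_factory=dict)
    records: list = field(default_factory=list)  # (store_ins, dest_addr, n_words)

    def _store_operands(self, ins):
        dest = ins[-1]
        vals = [self.regs[r] for r in ins[1:-1]]
        return dest, vals

    def run(self, instrs):
        for ins in instrs:
            op = ins[0]
            if op == "ACCESS_RECORD":
                dest, vals = self._store_operands(ins[1])
                # Only stores whose destination is in the second virtual
                # memory (REE side) matter for the leak check.
                if in_range(dest, REE_RANGE):
                    self.records.append((ins[1], dest, len(vals)))
            elif op in MEMORY_ACCESS_OPS:
                dest, vals = self._store_operands(ins)
                for i, v in enumerate(vals):
                    self.mem[dest + i * WORD] = v
            elif op in ("MOV", "ADR"):  # load an immediate or an address
                self.regs[ins[1]] = ins[2]
            else:
                raise ValueError(f"unsupported op {op}")


def find_leaking_instructions(instrs, regs=None):
    """Run the instrumented TA and return every store whose REE-side
    destination ended up holding an address from the TEE range."""
    m = Machine(regs=dict(regs or {}))
    m.run(instrument_ta(instrs))
    leaking = []
    for store, dest, n_words in m.records:
        content = [m.mem[dest + i * WORD] for i in range(n_words)]
        if any(in_range(w, TEE_RANGE) for w in content):
            leaking.append(store)
    return leaking


# Constructed TA fragment: the STP writes the verification result together
# with a TEE-side buffer pointer into REE memory (the leak the method catches);
# the two STRs are a TEE-internal store and a clean REE store.
TEE_BUF = 0x8000_1000
REE_OUT = 0x4000_0800
SAMPLE_TA = [
    ("MOV", "x0", 1),               # verification result
    ("ADR", "x1", TEE_BUF),         # pointer into the first virtual memory
    ("STP", "x0", "x1", REE_OUT),   # leaks x1 (a TEE address) to the REE
    ("STR", "x0", TEE_BUF),         # store inside the TEE: not recorded
    ("STR", "x0", REE_OUT + 16),    # store to the REE of a plain value: clean
]

if __name__ == "__main__":
    for ins in find_leaking_instructions(SAMPLE_TA):
        print("vulnerable store:", ins)
```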
In a second aspect, an embodiment of the present application provides a vulnerability detection apparatus, which may be a terminal device, or a component, a chip, or a chip system in the terminal device. The vulnerability detection apparatus may include a processing unit. When the vulnerability detection apparatus is a terminal device, the processing unit may be a processor. The vulnerability detection apparatus may further include a storage unit, which may be a memory. The storage unit is configured to store instructions, and the processing unit executes the instructions stored by the storage unit to enable the terminal device to implement the method described in the first aspect or any one of its possible implementations. When the vulnerability detection apparatus is a component, a chip, or a chip system in a terminal device, the processing unit may be a processor, and the processing unit executes instructions stored in the storage unit so that the terminal device implements the method described in the first aspect or any one of its possible implementations. The storage unit may be a storage unit within the chip (e.g., a register, a buffer, etc.), or a storage unit outside the chip but within the terminal device (e.g., a read-only memory, a random access memory, etc.).
Exemplarily, the processing unit is configured to call a first instruction to obtain the content in a first virtual memory, where the first virtual memory is memory in the Trusted Execution Environment (TEE) and the first instruction is one of the instructions of a target trusted application (TA); the processing unit is further configured to obtain the content in a second virtual memory when the terminal device determines that the address to which the content in the first virtual memory is written is an address of the second virtual memory, where the second virtual memory is memory in the Rich Execution Environment (REE); and the processing unit is further configured to determine that the first instruction has a vulnerability when the terminal device determines that the content in the second virtual memory includes an address of the first virtual memory.
In a possible implementation, the processing unit is specifically configured to: acquire first data; when the terminal device writes the first data into a first client application (CA) process, determine the instructions of the target TA according to the instructions of a first TA, where the first CA process is a process in the REE and the instructions of the target TA include the first instruction; and call the first instruction to process the first data in the first virtual memory to obtain the content in the first virtual memory.
In a possible implementation, the TEE includes a TA loader, and the processing unit is specifically configured to: when the terminal device writes the first data into the first CA process, load the instructions of the first TA into a first cache space based on the TA loader, where the first cache space is memory allocated by the TA loader for the instructions of the first TA and the instructions of the first TA include a second instruction; when the second instruction is a memory access instruction, take the second instruction as a first instruction, cache the first instruction in a second cache space based on the TA loader and insert an access record instruction before the first instruction, where the second cache space is memory allocated by the TA loader for the instructions of the target TA and is different from the first cache space; when the second instruction is not a memory access instruction, take the second instruction as a first instruction and cache it in the second cache space based on the TA loader; and determine the instructions in the second cache space to be the instructions of the target TA.
In one possible implementation, the memory access instruction includes: STR instructions, STX instructions, STP instructions, or STUR instructions.
In a possible implementation, the processing unit is specifically configured to: when the terminal device writes the first data into the first CA process, scan the code segment of the first TA from its entry point based on the TA loader; parse the code segment of the first TA into the instructions of the first TA based on the TA loader; and load the instructions of the first TA into the first cache space based on the TA loader.
In a possible implementation, the processing unit is specifically configured to: acquire the address range of the second virtual memory, which is the address range of memory in the REE; when, based on the access record instruction before the first instruction, the terminal device determines that the address to which the content in the first virtual memory is written lies within the address range of the second virtual memory, determine that this address is an address of the second virtual memory; and when the terminal device has determined that this address is an address of the second virtual memory, obtain the content in the second virtual memory based on the access record instruction before the first instruction.
In a possible implementation, the processing unit is specifically configured to: acquire the address range of the first virtual memory, which is the address range of memory in the TEE; and when the content in the second virtual memory includes a first address and the first address lies within the address range of the first virtual memory, determine that the first instruction has a vulnerability.
In a third aspect, an embodiment of the present application provides a vulnerability detection apparatus, which includes a processor and a memory, where the memory is used to store code instructions, and the processor is used to execute the code instructions to perform the method described in the first aspect or any one of the possible implementation manners of the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium, in which a computer program or instructions are stored, and when the computer program or instructions are run on a computer, the computer is caused to execute the method described in the first aspect or any one of the possible implementation manners of the first aspect.
In a fifth aspect, the present application provides a computer program product including a computer program, which when run on a computer causes the computer to perform the method described in the first aspect or any one of the possible implementations of the first aspect.
In a sixth aspect, an embodiment of the present application provides a vulnerability detection system, which includes: the second aspect and various possible implementations of the second aspect.
In a seventh aspect, the present application provides a chip or a chip system, where the chip or the chip system includes at least one processor and a communication interface, where the communication interface and the at least one processor are interconnected by a line, and the at least one processor is configured to execute a computer program or instructions to perform the method described in the first aspect or any one of the possible implementations of the first aspect; the communication interface in the chip may be an input/output interface, a pin, a circuit, or the like.
In one possible implementation, the chip or chip system described above further comprises at least one memory in which instructions are stored. The memory may be a storage unit inside the chip, such as a register or a cache, or a storage unit outside the chip (e.g., a read-only memory, a random access memory, etc.).
It should be understood that the second to seventh aspects of the present application correspond to the technical solutions of the first aspect of the present application, and the advantageous effects obtained by the aspects and the corresponding possible implementations are similar and will not be described again.
Drawings
Fig. 1 is a schematic diagram of an architecture of an ARM Central Processing Unit (CPU) according to an embodiment of the present disclosure;
Fig. 2 is a schematic diagram of a hardware structure of a terminal device according to an embodiment of the present disclosure;
Fig. 3 is a schematic diagram of an architecture of a processor according to an embodiment of the present application;
Fig. 4 is a schematic flowchart of a vulnerability detection method according to an embodiment of the present application;
Fig. 5 is a diagram illustrating an instruction of a target TA according to an embodiment of the present disclosure;
Fig. 6 is a schematic structural diagram of a vulnerability detection apparatus according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a chip according to an embodiment of the present application.
Detailed Description
In the embodiments of the present application, terms such as "first" and "second" are used to distinguish the same or similar items having substantially the same function and action. For example, the first chip and the second chip are only used for distinguishing different chips, and the sequence order thereof is not limited. Those skilled in the art will appreciate that the terms "first," "second," etc. do not denote any order or quantity, nor do the terms "first," "second," etc. denote any order or importance.
It should be noted that in the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate examples, illustrations or explanations. Any embodiment or design described herein as "exemplary" or "e.g.," is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the word "exemplary" or "such as" is intended to present concepts related in a concrete fashion.
In the embodiments of the present application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association between the associated objects and covers three relationships; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone, where A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, and c may be single or multiple.
With the development of terminal technology, different data may be generated by a terminal device during operation, and the terminal device may process the different data, for example, the terminal device may process the data through a processor, where an operating environment when the processor processes the data includes a REE and a TEE, where a CA operates in the REE and a TA operates in the TEE, and thus, after the terminal device acquires the data, the terminal device may process the data in the REE, or the terminal device may call the TA through the CA, so that the TA processes the data in the TEE.
For example, Fig. 1 is a schematic diagram of the architecture of an ARM CPU provided in this embodiment of the present application. As shown in Fig. 1, the operating environment of the ARM CPU includes an REE and a TEE, and in both the REE and the TEE the ARM CPU is divided into four privilege levels, called exception levels (ELs): EL0, EL1, EL2, and EL3. EL0 corresponds to the user mode of the ARM CPU, EL1 to the kernel mode, EL2 to the virtual machine monitor (hypervisor) mode, and EL3 to the monitor mode.
When the CA operates in a user mode of the normal world of the ARM CPU, the CA is configured to receive input data of an application in the terminal device and transmit the received data to the TA operating in the user mode of the secure world of the ARM CPU, so that the TA performs a critical operation, for example, the TA may perform fingerprint verification, Personal Identification Number (PIN) verification, secure storage of a private key or a certificate, and the like.
In Fig. 1, after the TA acquires data from the CA, the ARM CPU can process the acquired data through the TA. For example, at EL0 the CA initiates the TA-call flow by sending a request message for calling the TA to the application-layer TEE daemon (ted). The TEE daemon triggers the CPU to enter EL1 from EL0 through a system call (SVC) instruction, so that the request message is forwarded to the kernel driver (teedriver) at EL1; the kernel driver handles the request messages of user-mode programs, and since the request message carries the data to be processed by the TA, the ARM CPU obtains that data from the request message through the kernel driver. The kernel driver then triggers the CPU to enter EL3 from EL1 through a Secure Monitor Call (SMC) instruction, which lands in the ARM Trusted Firmware (ATF) at EL3. Because the ATF includes an SMC handler, the CPU passes the data through the ATF SMC handler to the TEE kernel, switching its privilege level from EL3 to EL1 of the secure world, e.g., by an ERET instruction. In the TEE kernel at EL1 the CPU executes ERET again so that the TEE kernel returns the data to the TA, which can then process it.
After the TA processes the data, the TA may return the processed result to the CA according to the flow shown in fig. 1, and the flow for returning the processed result to the CA is not shown in fig. 1.
The SVC instruction takes the CPU from user mode into kernel mode; for example, with reference to Fig. 1, on the REE side the SVC instruction takes the CPU from EL0 to EL1. The SMC instruction takes the CPU from kernel mode into monitor mode; for example, on the REE side the SMC instruction takes the CPU from EL1 to EL3. The ERET instruction returns the CPU from monitor mode to kernel mode, for example on the TEE side from EL3 to EL1, and is also used to return the CPU from kernel mode to user mode, for example on the TEE side from EL1 to EL0.
It is understood that in the REE side user mode, the processor may include multiple CAs, and the multiple CAs in the processor process data in parallel execution, and likewise, in the TEE side user mode, the processor may include multiple TAs, and the multiple TAs in the processor process data in parallel execution.
In a possible situation, when the data acquired by the terminal device is sensitive data, the terminal device may call the TA through the CA, so that the TA processes the sensitive data in the TEE, and writes the processing result into the REE side, so that the terminal device may perform a corresponding operation after calling the processing result on the REE side; the sensitive data may include fingerprint data, face data, screen password data, Personal Identification Number (PIN) data, and the like.
For example, when a user unlocks the terminal device with the screen password, the terminal device acquires the screen password entered by the user through the CA, processes the entered password information through the CA, and sends the processed password information to the TA for verification. The TA receives the password information sent by the CA and compares it with a hash value that the TA calculates using a key derived from the device-unique key in the TEE; if the two are the same, the terminal device returns the verification information to the REE side through the TA.
It can be understood that, when the terminal device processes the sensitive data through the TA in the TEE, because the TEE is isolated from the REE at the level of physical resources, an attacker who obtains ROOT privileges on the terminal device still cannot read the data related to the sensitive data on the TEE side.
However, because the terminal device has no way to find vulnerabilities in the TA, when it calls the TA to process sensitive data, the sensitive data stored on the TEE side may be leaked, and TEE-side address information may be leaked as well. The TEE-side address information reveals the memory address space layout of the TA, which an attacker can use to aim a subsequent memory corruption attack at the TA, so the security of the terminal device when processing sensitive data in the TEE cannot be guaranteed.
It should be noted that, with reference to fig. 1, the operating system under which the ARM CPU processes data on the TEE side may be referred to as the TEE operating system (TEE OS). Because a TA does not run in the environment of a conventional operating system such as Linux but depends on the TEE, fuzz testing tools cannot be applied directly to test the program security of a TA; in other words, there is at present no effective means of testing TAs.
In view of this, an embodiment of the present application provides a vulnerability detection method and apparatus. The terminal device calls a first instruction to obtain content in a first virtual memory; when it determines that the address to which that content is written is an address of a second virtual memory, it obtains the content in the second virtual memory; and when it determines that the content in the second virtual memory includes an address of the first virtual memory, a memory address on the secure side has flowed into memory on the non-secure side, so the terminal device determines that the first instruction has a vulnerability.
Exemplarily, fig. 2 is a schematic diagram of a hardware structure of a terminal device 100 according to an embodiment of the present disclosure, and as shown in fig. 2, the terminal device 100 may include a processor 110, an external memory interface 120, an internal memory 121, a power management module 141, an antenna 1, an antenna 2, a mobile communication module 150, a wireless communication module 160, a sensor module 180, a key 190, a camera 193, a display screen 194, a user interface 130, a charging management module 140, and the like; among them, the sensor module 180 may include: a pressure sensor 180A, an acceleration sensor 180E, a fingerprint sensor 180H, and a touch sensor 180K, etc.
It should be noted that the illustrated structure of the embodiment of the present application does not constitute a specific limitation to the terminal device 100; it will be appreciated that terminal device 100 may include more or fewer components than illustrated, or combine certain components, or split certain components, or a different arrangement of components; where the illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The processor 110 may be an ARM processor, wherein the processor 110 includes one or more processing units, such as: the processor 110 may include an Application Processor (AP), a modem processor, a Graphics Processor (GPU), an Image Signal Processor (ISP), a controller, a video codec, a Digital Signal Processor (DSP), a baseband processor, and/or a neural-Network Processing Unit (NPU), etc.; the different processing units may be separate devices or may be integrated into one or more processors.
A memory may also be provided in processor 110 for storing instructions and data. In some embodiments, the memory in the processor 110 may be a cache memory that may hold instructions or data that have just been used or recycled by the processor 110.
In some embodiments, the processor 110 may include one or more interfaces, which may include an inter-integrated circuit (I2C) interface, an inter-integrated circuit built-in audio (I2S) interface, a Pulse Code Modulation (PCM) interface, and/or a Universal Serial Bus (USB) interface, among others.
In this embodiment of the application, the terminal device may process the first data through the processor, so as to test the security of the first instruction with the first data. Because the first instruction is one of the instructions of the target TA, the terminal device can thereby test the security of the target TA, or in other words test whether an instruction of the target TA has a bug.
The user interface 130 is used for transmitting data between the terminal device 100 and a peripheral device, and may also be used for connecting an earphone and playing audio through the earphone; the user interface 130 may also be used to connect other devices, such as Augmented Reality (AR) devices and the like.
The power management module 141 receives the input of the charging management module 140, and the power management module 141 supplies power to the processor 110, the internal memory 121, the display 194, the camera 193, the wireless communication module 160, and the like.
The wireless communication function of the terminal device 100 may be implemented by the antenna 1, the antenna 2, the mobile communication module 150, the wireless communication module 160, and the like; wherein the antennas 1 and 2 are used for transmitting and receiving electromagnetic wave signals. The antennas in terminal device 100 may be used to cover a single or multiple communication bands. Different antennas can also be multiplexed to improve the utilization of the antennas. For example, the antenna 1 may be multiplexed as a diversity antenna of a wireless local area network.
The mobile communication module 150 may provide a solution including wireless communication of 2G/3G/4G/5G, etc. applied to the terminal device 100; the wireless communication module 160 may provide a solution for wireless communication applied to the terminal device 100, including Wireless Local Area Networks (WLANs) (e.g., wireless fidelity (Wi-Fi) networks), bluetooth (bluetooth, BT), Global Navigation Satellite System (GNSS), Frequency Modulation (FM), Near Field Communication (NFC), Infrared (IR), and the like.
In some embodiments, the antenna 1 of the terminal device 100 is coupled to the mobile communication module 150 and the antenna 2 is coupled to the wireless communication module 160, so that the terminal device 100 can communicate with the network and other devices through wireless communication technology; the wireless communication technology may include global system for mobile communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Long Term Evolution (LTE), BT, GNSS, WLAN, NFC, FM, and/or IR technology, etc.
The terminal device 100 realizes a display function through the display screen 194, the display screen 194 is used to display images, videos, and the like, and the display screen 194 includes a display panel. In some embodiments, the terminal device 100 may include 1 or N display screens 194, where N is a positive integer greater than 1.
The terminal device 100 may implement a shooting function by a camera 193 or the like, and the camera 193 is used to capture a still image or video.
The external memory interface 120 may be used to connect an external memory card to extend the memory capability of the terminal device 100. The external memory card communicates with the processor 110 through the external memory interface 120 to implement a data storage function.
The internal memory 121 may be used to store computer-executable program code, which includes instructions. The internal memory 121 may include a program storage area and a data storage area. The storage program area may store an operating system, an application program (such as a sound playing function, an image playing function, etc.) required by at least one function, and the like.
The pressure sensor 180A is used for sensing a pressure signal, and converting the pressure signal into an electrical signal. In some embodiments, the pressure sensor 180A may be disposed on the display screen 194.
The acceleration sensor 180E may detect the magnitude of acceleration of the terminal device 100 in various directions (generally, three axes); the fingerprint sensor 180H is used to collect a fingerprint. The terminal device 100 can utilize the collected fingerprint characteristics to realize fingerprint unlocking, access to an application lock, fingerprint photographing, fingerprint incoming call answering and the like.
The touch sensor 180K is also called a "touch device". The touch sensor 180K may be disposed on the display screen 194, and the touch sensor 180K and the display screen 194 form a touch screen, which is also called a "touch screen". The touch sensor 180K is used to detect a touch operation applied thereto or nearby.
Referring to fig. 2, fig. 3 is exemplarily a schematic architecture diagram of a processor according to an embodiment of the present application. As shown in fig. 3, and unlike fig. 1, when the operating environment of the ARM CPU is the REE and the working mode is user mode, a log analysis module and a data mutation injection module are added in user mode, and user mode further includes a first CA and a target CA; when the operating environment of the ARM CPU is the TEE and the working mode is user mode, user mode includes a first TA, a TA loader, and a memory access recording module. The first CA corresponds to the first TA. The TA loader holds the instructions of the first TA and the instructions of a target TA, where the instructions of the target TA are derived by the TA loader from the instructions of the first TA; how the TA loader derives them is described later and is not repeated here.
In a possible implementation, the data mutation injection module is used by the terminal device to obtain the first data and write it into the target CA process. When the terminal device calls the first instruction to process the first data in the first virtual memory, because the first instruction is one of the target TA's instructions and is preceded by an access record instruction, the terminal device can use the access record instruction to judge whether the address written by the content in the first virtual memory is an address of the second virtual memory; when it is, the terminal device records the content in the second virtual memory through the access record instruction and stores the recorded content in the shared memory, so that the log analysis module can read the recorded content from the shared memory and analyse it (the analysis is described below). The shared memory is memory that both the REE side and the TEE side are allowed to access.
The interaction between the exception levels on the REE side and on the TEE side is as described for fig. 1 and is not repeated here.
With reference to the content shown in fig. 3, for example, fig. 4 is a schematic flowchart of a vulnerability detection method provided in the embodiment of the present application, and as shown in fig. 4, the method may include the following steps:
S401: the terminal device acquires the first data.
In this embodiment of the present application, the first data is used for testing the security of the target TA, or is understood as that the first data is used for testing the security of an instruction of the target TA, where the first data may be normal data, the first data may also be abnormal data, and specific content of the first data is not limited in this embodiment of the present application.
When the first data is abnormal data, with reference to fig. 3, the terminal device may generate the first data through the data mutation injection module: after the module performs data mutation on the test data, the terminal device obtains the first data. Data mutation means that the terminal device modifies all or some of the parameters in the test data.
S402: and when the terminal equipment writes the first data into the first CA process, the terminal equipment determines the instruction of the target TA according to the instruction of the first TA.
In this embodiment of the application, with reference to fig. 3, the terminal device includes a TA loader, so "the terminal device determines the instruction of the target TA according to the instruction of the first TA" means that the TA loader does so. The TA loader includes a loading module, a scanning module, and an execution module; one possible implementation is:
The loading module loads the instructions of the first TA into the first cache space. For each instruction of the first TA (called the second instruction here): when the second instruction is a memory access instruction, the scanning module takes it as a first instruction, caches it in the second cache space, and inserts an access record instruction immediately before it; when the second instruction is not a memory access instruction, the scanning module takes it as a first instruction and caches it in the second cache space without an access record instruction. After all instructions of the first TA have been scanned, the instructions in the second cache space are the instructions of the target TA.
It should be noted that the memory access instructions may include the STR instruction, the STX (store exclusive) instruction, the STP instruction and their variants; for example, STUR is a variant of STR. Here "memory access instruction" means a memory write (store) instruction of the ARM instruction set: loads are not instrumented, because the leak the method looks for is data flowing out of the TEE through a store, and only a store can carry TEE-side content into REE-side memory.
It can be understood that the specific content of the memory access instruction may be set according to an actual application scenario, and the embodiment of the present application is not limited.
It should be noted that the first cache space is a memory space allocated by the TA loader for an instruction of the first TA, the second cache space is a memory space allocated by the TA loader for an instruction of the target TA, and the first cache space and the second cache space are memory spaces on the TEE side, or it is understood that the first cache space and the second cache space are secure memory spaces, the first cache space is used by the TA loader for loading an instruction of the first TA, the second cache space is used by the TA loader for caching an instruction of the target TA, and the first cache space is different from the second cache space.
The loading module loads the instructions of the first TA into the first cache space in one possible way: it scans the code segment of the first TA from the entry point of the code segment, disassembles the code segment into the instructions of the first TA, and loads those instructions into the first cache space; the first TA has a plurality of instructions.
It should be noted that the code segment of the first TA is machine code and the instructions of the first TA are assembly-language instructions, so parsing the code segment into instructions is a disassembly step (the original description calls it decompilation).
For example, fig. 5 is a schematic diagram of the instructions of a target TA provided in an embodiment of the present application. As shown in fig. 5, the loading module loads the instructions of the first TA into the first cache space; the instructions of the first TA include a second instruction, and when the second instruction is a STUR instruction, the scanning module determines that the second instruction is a first instruction, caches it in the second cache space, and inserts an access record instruction before it.
The instructions in the second cache space are the instructions of the target TA. The target TA includes a plurality of first instructions, and each first instruction that is a memory write is preceded by an access record instruction, shown as "LOG_TRACE" in fig. 5.
It can be understood that the specific content of the command of the first TA, the specific content of the command of the target TA, and the specific content of the memory access command may be set according to an actual application scenario, and the embodiment of the present application is not limited.
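As an added illustration of the scanning step, not code from the patent: the following C program models the scanning module's pass over the disassembled instructions of the first TA, copying them into the second cache space and placing a LOG_TRACE marker before every store. The instruction representation (insn_t), the upper-case mnemonics, the sample instruction sequence and the treatment of the marker as a pseudo-instruction are assumptions for the example; in a real TA loader the marker would be a call into the TEE-side recording routine, and a binary rewriter would also have to fix up PC-relative operands and branch targets after inserting code, which this model does not do.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One disassembled AArch64 instruction of the first TA (assumed representation:
 * mnemonic plus operand text; a real loader would keep the encoding too). */
typedef struct {
    char mnemonic[16];
    char operands[64];
} insn_t;

/* Memory write mnemonics per the description: STR (and its STUR variant), STP
 * and STX*. STLXR is added on the assumption that it is treated like STX.
 * Prefix matching also catches sized variants such as STRB, STRH and STURB. */
static const char *const store_prefixes[] = { "STR", "STUR", "STP", "STX", "STLXR" };

bool is_memory_write(const char *mnemonic)
{
    for (size_t i = 0; i < sizeof store_prefixes / sizeof store_prefixes[0]; i++) {
        if (strncmp(mnemonic, store_prefixes[i], strlen(store_prefixes[i])) == 0)
            return true;
    }
    return false;
}

/* Scan the first TA's instructions (first cache space) into the target TA's
 * buffer (second cache space), placing a LOG_TRACE access record instruction
 * before every memory write. Returns the number of instructions emitted, or 0
 * if the output buffer is too small. */
size_t build_target_ta(const insn_t *in, size_t n_in, insn_t *out, size_t cap)
{
    size_t n_out = 0;
    for (size_t i = 0; i < n_in; i++) {
        if (is_memory_write(in[i].mnemonic)) {
            if (n_out >= cap) return 0;
            /* The marker carries the store's operands so the recording routine
             * can evaluate the target address at run time. */
            snprintf(out[n_out].mnemonic, sizeof out[n_out].mnemonic, "LOG_TRACE");
            snprintf(out[n_out].operands, sizeof out[n_out].operands, "%s", in[i].operands);
            n_out++;
        }
        if (n_out >= cap) return 0;
        out[n_out++] = in[i];
    }
    return n_out;
}

/* Constructed sample: a short first-TA sequence containing two stores. */
static const insn_t sample_ta[] = {
    { "MOV", "x0, #0" },
    { "STR", "x1, [x5]" },
    { "ADD", "x0, x0, #1" },
    { "STP", "x29, x30, [sp, #-16]!" },
    { "RET", "" },
};

static insn_t target_ta[16];
static size_t target_len;

/* Instrument the sample; returns the target TA length (5 + 2 markers = 7). */
size_t instrument_sample(void)
{
    target_len = build_target_ta(sample_ta, sizeof sample_ta / sizeof sample_ta[0],
                                 target_ta, sizeof target_ta / sizeof target_ta[0]);
    return target_len;
}

/* Mnemonic at position i of the instrumented sample, "" if out of range. */
const char *target_mnemonic(size_t i)
{
    return i < target_len ? target_ta[i].mnemonic : "";
}

int main(void)
{
    size_t n = instrument_sample();
    for (size_t i = 0; i < n; i++)
        printf("%-10s %s\n", target_ta[i].mnemonic, target_ta[i].operands);
    return 0;
}
```

Running the program prints the instrumented listing in the shape of fig. 5: every STR and STP is immediately preceded by a LOG_TRACE line carrying the same operands, while MOV, ADD and RET are copied unchanged.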
In this embodiment, referring to fig. 3, the terminal device may write the first data into the target CA process through the data mutation injection module. The target CA process is a process in the REE; it may be a preset CA process used for testing the target TA, or one of the CA processes in a white list of CA processes that are allowed to call the target TA. The specific target CA process may be set according to the actual application scenario and is not limited in this embodiment.
It can be understood that, with reference to fig. 3, the data mutation injection module may attach to the target CA process through the ptrace mechanism, write the test data into it, and intercept the TEEC_InvokeCommand function so as to mutate the operation parameter of the test data (the parameter of type pointer to TEEC_Operation) just before it is passed to the TA. The mutated operation parameter is the first data, so writing the test data and mutating it in the target CA process is how the terminal device writes the first data into the target CA process. Because the hook sits at the TEE Client API boundary, the TA receives exactly the buffers and sizes that a malicious CA could send.
It can be understood that the specific implementation manner of the terminal device writing the first data into the target CA process may also be set according to an actual application scenario, and the embodiment of the present application is not limited.
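As an added example of the data mutation described in S401 and applied at the TEEC_InvokeCommand hook in S402, not code from the patent: the struct below is a simplified stand-in for TEEC_Operation (the real GlobalPlatform structure carries a paramTypes word and four parameter unions; only buffer-and-size parameters are modelled here), the xorshift32 generator and the walking bit-flip strategy are the example's own choices, and the ptrace attach and the interception of TEEC_InvokeCommand are outside the snippet. The sample payload is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for one TEEC_Operation parameter (assumption: only
 * buffer-and-size parameters are modelled; value parameters and the
 * paramTypes encoding of the real GlobalPlatform structure are omitted). */
typedef struct {
    uint8_t *buffer;
    size_t size;
} tee_param_t;

typedef struct {
    uint32_t param_types;
    tee_param_t params[4];
} tee_operation_t;

/* xorshift32: a deterministic generator, so that any crash or leak observed on
 * the TEE side can be reproduced by replaying the same seed. Seed must be non-zero. */
static uint32_t xorshift32(uint32_t *state)
{
    uint32_t x = *state;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *state = x;
}

/* Walking bit flip: flip one random bit in each of n_bytes consecutive bytes
 * starting at a random offset (wrapping), so every touched byte changes and no
 * byte is touched twice. Returns the number of bytes modified. */
size_t mutate_buffer(uint8_t *buf, size_t size, uint32_t *seed, size_t n_bytes)
{
    if (buf == NULL || size == 0 || n_bytes == 0)
        return 0;
    if (n_bytes > size)
        n_bytes = size;
    size_t start = xorshift32(seed) % size;
    for (size_t k = 0; k < n_bytes; k++)
        buf[(start + k) % size] ^= (uint8_t)(1u << (xorshift32(seed) & 7));
    return n_bytes;
}

/* Mutate every buffer parameter of the operation the CA is about to pass to
 * TEEC_InvokeCommand. Besides the byte flips, the declared size is sometimes
 * halved: a TA that ignores the size field and assumes a fixed-length input
 * will then read beyond what the CA declared it supplied. */
size_t mutate_operation(tee_operation_t *op, uint32_t seed, size_t n_bytes)
{
    size_t changed = 0;
    for (int i = 0; i < 4; i++) {
        tee_param_t *p = &op->params[i];
        if (p->buffer == NULL || p->size == 0)
            continue;
        changed += mutate_buffer(p->buffer, p->size, &seed, n_bytes);
        if ((xorshift32(&seed) & 3) == 0)
            p->size /= 2;
    }
    return changed;
}

/* Constructed sample: the CA passes a screen-password-style value in param 0.
 * Mutates it with a fixed seed and returns how many bytes differ from the
 * original, which equals min(n_bytes, 11) because touched bytes are distinct. */
size_t demo_mutation(size_t n_bytes)
{
    uint8_t payload[] = "PIN:123456";            /* 11 bytes including NUL */
    uint8_t original[sizeof payload];
    memcpy(original, payload, sizeof payload);

    tee_operation_t op = { .param_types = 0, .params = { { payload, sizeof payload } } };
    mutate_operation(&op, 0x5EED1234u, n_bytes);

    size_t diff = 0;
    for (size_t i = 0; i < sizeof payload; i++)
        diff += payload[i] != original[i];
    return diff;
}

int main(void)
{
    printf("%zu byte(s) changed\n", demo_mutation(3));
    return 0;
}
```

Deterministic seeding is what makes a finding on the TEE side actionable: the log analysis module only sees a suspected leak, and the exact TEEC_Operation that triggered it has to be regenerated from the seed to confirm and fix the instruction.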
S403: the terminal equipment calls a first instruction to process first data in the first virtual memory.
In the embodiment of the application, the first virtual memory is the memory occupied by the terminal device when it processes the first data through the first instruction, and it is memory on the TEE side. There are a plurality of first instructions, and the addresses they write to while processing the first data in the first virtual memory are also a plurality.
S404: and when the terminal equipment determines that the address written by the content in the first virtual memory is the address of the second virtual memory, the terminal equipment records the content in the second virtual memory.
In this embodiment of the application, the second virtual memory is memory on the REE side, that is, non-secure memory. One possible way for the terminal device to determine that the address written by the content in the first virtual memory is an address of the second virtual memory is: the terminal device obtains the address range of the second virtual memory, and when the access record instruction placed before the first instruction finds that the store's target address lies within that range, the terminal device determines that the address is an address of the second virtual memory; the address range of the second virtual memory is the address range of the memory in the REE.
It can be understood that, having made this determination through the access record instruction before the first instruction, the terminal device records the content being written to the second virtual memory through the same access record instruction, and thereby obtains the content in the second virtual memory; the content in the first virtual memory may include the processing result of the first data.
With reference to fig. 5, the access record instruction before each first instruction therefore performs both steps: it checks whether the store's target address is an address of the second virtual memory and, if so, records the content written there. Because the check runs before the store itself executes, the recorded content is exactly the value that reaches REE-side memory.
Illustratively, the embodiment of the present application shows a code of an access record instruction, where the code includes:
int LOG_TRACE(uintptr_t addr1, uintptr_t content)
{
    /* addr1: target address of the store, taken from the address register (r5 here) */
    /* [0, 0x80000) is the address range of the second (REE) virtual memory */
    if (addr1 > 0 && addr1 < 0x80000)
    {
        record(content);   /* save the written content to the shared memory log */
        return 1;
    }
    return 0;
}
In the code above, addr1 is the target address of the write performed by the first instruction, taken from the address register (r5 in this example); [0, 0x80000) is the address range of the second virtual memory; the if statement determines whether the target address lies within the address range of the second virtual memory, and when it does, record stores the written content, that is, the content that lands in the second virtual memory, so that the log analysis module can later read it from the shared memory. The bounds shown are an example; in practice they are the address range of the REE memory obtained by the terminal device.
It can be understood that, since there are a plurality of first instructions and they write to a plurality of addresses while the first data is processed in the first virtual memory, the access record instruction makes this determination for each write. When the terminal device determines that one of those addresses is an address of the second virtual memory and finishes recording the content written there, it continues to call the other instructions of the target TA to process the first data; recording does not stop execution.
S405: and when the content in the second virtual memory comprises the first address and the first address is in the address range of the first virtual memory, the terminal equipment determines that the first instruction has a bug.
In this embodiment, the first address is a memory address on the TEE side, that is, an address on the secure side. With reference to fig. 3, when the terminal device, through the log analysis module, extracts the content of the second virtual memory from the shared memory and that content includes a first address, the log analysis module compares the first address against the address range of the first virtual memory (the address range of the memory in the TEE) to decide whether the first instruction has a bug.
For example, when the first address lies within the address range of the first virtual memory, the first instruction has an information leakage vulnerability when processing the first data: data on the TEE side has flowed into memory on the non-secure side, here a TEE-side memory address flowing into REE-side memory. When the first address does not lie within the address range of the first virtual memory, no TEE-side address has flowed into REE-side memory, and the terminal device determines that the first instruction does not have this bug. Because an ordinary value written to the REE may happen to fall inside the TEE address range, such a finding is a suspected problem to be confirmed by inspecting the instruction, rather than a confirmed leak.
It can be appreciated that the log analysis module can invoke the log analysis instructions and determine whether the first instruction has a vulnerability through the log analysis instructions.
By way of example, the embodiment of the present application shows a code of a log analysis instruction, where the content of the code is:
void Log_Analysis(uintptr_t content_addr2)
{
    /* [0x80000, 0x90000) is the address range of the first (TEE) virtual memory */
    if (content_addr2 >= 0x80000 && content_addr2 < 0x90000)
    {
        output("suspected problem");
    }
}
In the code above, content_addr2 is the first address, that is, a value read from the recorded content of the second virtual memory; [0x80000, 0x90000) is the address range of the first virtual memory; the if statement determines whether the first address lies within that range, and when it does, the terminal device outputs "suspected problem", meaning that the first instruction is suspected of having a bug: more specifically, the address indicated by content_addr2 is an address within the target TA's code or data, or an address in its stack space, and it has flowed into REE-side memory.
It can be understood that when the terminal device determines that the first instruction has a bug, the terminal device may repair the instruction, so that security of the terminal device processing data using the instruction of the target TA may be improved; the implementation manner of the instruction for the terminal device to repair the target TA may be set according to an actual application scenario, and the embodiment of the present application is not limited.
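The two checks of S404 and S405 carried through together, as an added example that is not part of the patent: log_trace models the access record instruction, using the address ranges from the example code above ([0, 0x80000) for the REE-side second virtual memory and [0x80000, 0x90000) for the TEE-side first virtual memory, both assumed), and log_analysis models the log analysis module reading the shared-memory log. The trace of stores is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Address ranges taken from the page's example code (assumed layout):
 * second virtual memory (REE side): [0, 0x80000)
 * first virtual memory  (TEE side): [0x80000, 0x90000) */
#define REE_LO 0x00000u
#define REE_HI 0x80000u
#define TEE_LO 0x80000u
#define TEE_HI 0x90000u

static bool in_ree(uintptr_t a) { return a >= REE_LO && a < REE_HI; }
static bool in_tee(uintptr_t a) { return a >= TEE_LO && a < TEE_HI; }

/* One event produced by the access record instruction: the store's target
 * address (the address register, r5 in the page's example) and the word
 * about to be written there. */
typedef struct {
    uintptr_t target;
    uintptr_t content;
} store_event_t;

/* Stand-in for the shared memory that both the TEE-side recorder and the
 * REE-side log analysis module are allowed to access. */
#define LOG_CAP 32
static store_event_t shared_log[LOG_CAP];
static size_t shared_log_len;

void reset_log(void) { shared_log_len = 0; }
size_t recorded_count(void) { return shared_log_len; }

/* S404: record the store only if its target lies in the second (REE) virtual
 * memory. Returns true if an event was written to the shared log. */
bool log_trace(uintptr_t target, uintptr_t content)
{
    if (!in_ree(target) || shared_log_len >= LOG_CAP)
        return false;
    shared_log[shared_log_len++] = (store_event_t){ target, content };
    return true;
}

/* S405: flag every recorded value that is itself an address inside the first
 * (TEE) virtual memory: a secure-side address has reached non-secure memory.
 * Returns the number of suspected problems. */
size_t log_analysis(void)
{
    size_t suspected = 0;
    for (size_t i = 0; i < shared_log_len; i++) {
        if (in_tee(shared_log[i].content)) {
            printf("suspected problem: TEE address %#lx written to REE address %#lx\n",
                   (unsigned long)shared_log[i].content,
                   (unsigned long)shared_log[i].target);
            suspected++;
        }
    }
    return suspected;
}

/* Constructed trace of three stores executed by the instrumented target TA. */
size_t run_constructed_trace(void)
{
    reset_log();
    log_trace(0x88000u, 0x85000u); /* TEE -> TEE: not recorded */
    log_trace(0x01000u, 0x42u);    /* REE <- plain value: recorded, benign */
    log_trace(0x01008u, 0x85010u); /* REE <- TEE stack/code address: leak */
    return log_analysis();         /* 1 */
}

int main(void)
{
    printf("%zu suspected problem(s)\n", run_constructed_trace());
    return 0;
}
```

Note the direction of the two filters: the record step looks at where the store goes (a non-secure target address), while the analysis step looks at what was written (whether the value is itself a secure-side address). A store of a TEE address to TEE memory is never recorded, and a store of an ordinary value to REE memory is recorded but not flagged; only the combination of both conditions is reported as a suspected problem.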
The method of the embodiment of the present application is explained above, and the apparatus for performing the method provided by the embodiment of the present application is described below. Those skilled in the art can understand that the method and the apparatus may be combined and referred to each other, and the vulnerability detection apparatus provided in the embodiments of the present application may perform the steps in the vulnerability detection method.
For example, fig. 6 is a schematic structural diagram of a vulnerability detection apparatus provided in the embodiment of the present application, and as shown in fig. 6, the apparatus 600 may be a terminal device, or a chip system applied to the terminal device; the apparatus 600 comprises: a processing unit 601, where the processing unit 601 is configured to support the vulnerability detection apparatus to perform the step of information processing.
Exemplarily, the processing unit 601 is configured to invoke a first instruction to obtain content in the first virtual memory; the first virtual memory is a memory in a Trusted Execution Environment (TEE), and the first instruction is one of instructions of a target trusted application program (TA); the processing unit 601 is further configured to obtain the content in the second virtual memory when the terminal device determines that the address where the content in the first virtual memory is written is the address of the second virtual memory; wherein, the second virtual memory is a memory in the rich execution environment REE; the processing unit 601 is further configured to determine that a bug exists in the first instruction when the terminal device determines that the content in the second virtual memory includes the address of the first virtual memory.
In a possible implementation manner, the processing unit 601 is specifically configured to: the terminal equipment acquires first data; when the terminal equipment writes the first data into a first client application program CA process, determining an instruction of a target TA according to the instruction of the first TA; the method comprises the steps that a first client application program CA process is a process in an REE, and an instruction of a target TA comprises a first instruction; and calling a first instruction to process the first data in the first virtual memory to obtain the content in the first virtual memory.
In a possible implementation manner, the TEE includes a TA loader, and the processing unit 601 is specifically configured to: when the terminal equipment writes the first data into a first client application program CA process, loading a first TA instruction in a first cache space based on a TA loader; the first cache space is a memory space allocated by the TA loader for the instruction of the first TA, and the instruction of the first TA comprises a second instruction; when the second instruction is a memory access instruction, determining that the second instruction is a first instruction, caching the first instruction in a second cache space based on a TA loader and inserting an access record instruction before the first instruction; the second cache space is a memory space allocated by the TA loader for the instruction of the target TA, and the first cache space is different from the second cache space; when the second instruction is not a memory access instruction, determining that the second instruction is a first instruction, and caching the first instruction in a second cache space based on the TA loader; and determining the instruction of the second cache space as the instruction of the target TA.
In one possible implementation, the memory access instruction includes: STR instructions, STX instructions, STP instructions, or STUR instructions.
In a possible implementation manner, the processing unit 601 is specifically configured to: when the terminal equipment writes the first data into a first client application program CA process, scanning a code segment of the first TA from a code segment entry point of the first TA based on a TA loader; instructions to parse a code segment of a first TA into the first TA based on a TA loader; instructions of a first TA are loaded in a first cache space based on a TA loader.
In a possible implementation manner, the processing unit 601 is specifically configured to: acquiring an address range of a second virtual memory; wherein the address range of the second virtual memory is the address range of the memory in the REE; when the terminal equipment judges that the address written in the content in the first virtual memory is in the address range of the second virtual memory based on the access record instruction before the first instruction, determining that the address written in the content in the first virtual memory is the address of the second virtual memory; and when the terminal equipment determines that the address written in the content in the first virtual memory is the address of the second virtual memory, obtaining the content in the second virtual memory based on the access record instruction before the first instruction.
In a possible implementation manner, the processing unit 601 is specifically configured to: acquiring an address range of a first virtual memory; wherein, the address range of the first virtual memory is the address range of the memory in the TEE; and when the content in the second virtual memory comprises the first address and the first address is in the address range of the first virtual memory, determining that the first instruction has a bug.
In a possible embodiment, the vulnerability detection apparatus may further include a storage unit 602. The processing unit 601 and the storage unit 602 are connected by a communication bus.
The storage unit 602 may include one or more memories, which may be devices or circuits within one or more devices for storing programs or data.
The storage unit 602 may exist independently and be connected to the processing unit 601 of the vulnerability detection apparatus through a communication bus, or it may be integrated with the processing unit 601.
The vulnerability detection apparatus may be used in vulnerability detection devices, circuits, hardware components, or chips.
Exemplarily, fig. 7 is a schematic structural diagram of a chip provided in an embodiment of the present application. Chip 700 includes one or more (including two) processors 710 and a communication interface 730.
In some embodiments, memory 740 stores the following elements: an executable module or a data structure, or a subset thereof, or an expanded set thereof.
In the illustrated embodiment, memory 740 may include both read-only memory and random-access memory, and provides instructions and data to processor 710. A portion of memory 740 may also include non-volatile random access memory (NVRAM).
In the illustrated embodiment, processor 710, communication interface 730 and memory 740 are coupled via bus system 720. The bus system 720 may include a power bus, a control bus and a status signal bus in addition to the data bus. For ease of description, the various buses are labeled as bus system 720 in FIG. 7.
The method described in the embodiments of the present application may be applied to the processor 710 or implemented by the processor 710. Processor 710 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be performed by integrated logic circuits in hardware or by instructions in the form of software in the processor 710. The processor 710 may be a general-purpose processor (e.g., a microprocessor or a conventional processor), a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate, a transistor logic device or a discrete hardware component, and the processor 710 may implement or execute the methods, steps and logic blocks disclosed in the embodiments of the present application.
The steps of the method in the embodiments of the present application may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium that is mature in the art, such as a random access memory, a read-only memory, a programmable read-only memory or an electrically erasable programmable read-only memory (EEPROM). The storage medium is located in the memory 740; the processor 710 reads the information in the memory 740 and performs the steps of the above method in combination with its hardware.
In the above embodiments, the instructions stored by the memory for execution by the processor may be implemented in the form of a computer program product. The computer program product may be written in the memory in advance, or may be downloaded in the form of software and installed in the memory.
The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example from one website, computer, server or data center to another by wire (e.g., coaxial cable, optical fiber or digital subscriber line (DSL)) or wirelessly (e.g., infrared, radio or microwave). The computer-readable storage medium may be any available medium that a computer can store, or a data storage device such as a server or data center that integrates one or more available media. The available media may include magnetic media (e.g., floppy disks, hard disks or magnetic tape), optical media (e.g., digital versatile discs, DVD) or semiconductor media (e.g., solid-state disks, SSD).
The embodiment of the application also provides a computer readable storage medium. The methods described in the above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. Computer-readable media may include computer storage media and communication media, and may include any medium that can communicate a computer program from one place to another. A storage medium may be any target medium that can be accessed by a computer.
As one possible design, the computer-readable medium may include a compact disk read-only memory (CD-ROM), RAM, ROM, EEPROM, or other optical disk storage; the computer readable medium may include a disk memory or other disk storage device. Also, any connecting line may also be properly termed a computer-readable medium. For example, if the software is transmitted from a website, server, or other remote source using a coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave, then the coaxial cable, fiber optic cable, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of medium. Disk and disc, as used herein, includes Compact Disc (CD), laser disc, optical disc, Digital Versatile Disc (DVD), floppy disk and blu-ray disc where disks usually reproduce data magnetically, while discs reproduce data optically with lasers.
Combinations of the above should also be included within the scope of computer-readable media. The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A vulnerability detection method, the method comprising:
the terminal device calling a first instruction to obtain the content in a first virtual memory; wherein the first virtual memory is memory in a trusted execution environment (TEE), and the first instruction is one of the instructions of a target trusted application (TA);
when the terminal device determines that the address to which the content in the first virtual memory is written is an address of a second virtual memory, the terminal device obtaining the content in the second virtual memory; wherein the second virtual memory is memory in a rich execution environment (REE);
and when the terminal device determines that the content in the second virtual memory includes an address of the first virtual memory, the terminal device determining that the first instruction has a vulnerability.
2. The method according to claim 1, wherein the terminal device calling the first instruction to obtain the content in the first virtual memory comprises:
the terminal device acquiring first data;
when the terminal device writes the first data into a first client application (CA) process, the terminal device determining the instructions of the target TA according to the instructions of a first TA; wherein the first CA process is a process in the REE, and the instructions of the target TA include the first instruction;
and the terminal device calling the first instruction to process the first data in the first virtual memory, to obtain the content in the first virtual memory.
3. The method according to claim 2, wherein the TEE includes a TA loader, and the terminal device determining the instructions of the target TA according to the instructions of the first TA when the terminal device writes the first data into the first CA process comprises:
when the terminal device writes the first data into the first CA process, the terminal device loading the instructions of the first TA into a first cache space based on the TA loader; wherein the first cache space is a memory space allocated by the TA loader for the instructions of the first TA, and the instructions of the first TA include a second instruction;
when the second instruction is a memory access instruction, the terminal device determining that the second instruction is the first instruction, caching the first instruction in a second cache space based on the TA loader, and inserting an access record instruction before the first instruction; wherein the second cache space is a memory space allocated by the TA loader for the instructions of the target TA, and the first cache space is different from the second cache space;
when the second instruction is not a memory access instruction, the terminal device determining that the second instruction is the first instruction, and caching the first instruction in the second cache space based on the TA loader;
and the terminal device determining the instructions in the second cache space to be the instructions of the target TA.
4. The method according to claim 3, wherein the memory access instruction comprises an STR instruction, an STX instruction, an STP instruction or an STUR instruction.
5. The method according to claim 3 or 4, wherein the terminal device loading the instructions of the first TA into the first cache space based on the TA loader when the terminal device writes the first data into the first CA process comprises:
when the terminal device writes the first data into the first CA process, the terminal device scanning the code segment of the first TA from the code segment entry point of the first TA based on the TA loader;
the terminal device parsing the code segment of the first TA into the instructions of the first TA based on the TA loader;
and the terminal device loading the instructions of the first TA into the first cache space based on the TA loader.
6. The method according to claim 5, wherein the terminal device obtaining the content in the second virtual memory when the terminal device determines that the address to which the content in the first virtual memory is written is an address of the second virtual memory comprises:
the terminal device acquiring the address range of the second virtual memory; wherein the address range of the second virtual memory is the address range of memory in the REE;
when the terminal device determines, based on the access record instruction before the first instruction, that the address to which the content in the first virtual memory is written lies within the address range of the second virtual memory, the terminal device determining that the address to which the content in the first virtual memory is written is an address of the second virtual memory;
and when the terminal device determines that the address to which the content in the first virtual memory is written is an address of the second virtual memory, the terminal device obtaining the content in the second virtual memory based on the access record instruction before the first instruction.
7. The method according to claim 6, wherein the terminal device determining that the first instruction has a vulnerability when the terminal device determines that the content in the second virtual memory includes the address of the first virtual memory comprises:
the terminal device acquiring the address range of the first virtual memory; wherein the address range of the first virtual memory is the address range of memory in the TEE;
and when the content in the second virtual memory includes a first address and the first address lies within the address range of the first virtual memory, the terminal device determining that the first instruction has a vulnerability.
8. A vulnerability detection apparatus comprising a processor and a memory, the memory for storing code instructions; the processor is configured to execute the code instructions to perform the method of any one of claims 1-7.
9. A computer-readable storage medium having instructions stored thereon that, when executed, cause a computer to perform the method of any of claims 1-7.
10. A computer program product, comprising a computer program which, when executed, causes a computer to perform the method of any one of claims 1-7.
CN202111471556.5A 2021-12-06 2021-12-06 Vulnerability detection method and device Active CN113868673B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111471556.5A CN113868673B (en) 2021-12-06 2021-12-06 Vulnerability detection method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111471556.5A CN113868673B (en) 2021-12-06 2021-12-06 Vulnerability detection method and device

Publications (2)

Publication Number Publication Date
CN113868673A true CN113868673A (en) 2021-12-31
CN113868673B CN113868673B (en) 2022-04-19

Family

ID=78985885

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111471556.5A Active CN113868673B (en) 2021-12-06 2021-12-06 Vulnerability detection method and device

Country Status (1)

Country Link
CN (1) CN113868673B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116484438A (en) * 2022-01-17 2023-07-25 荣耀终端有限公司 Information processing method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010043176A1 (en) * 2008-10-17 2010-04-22 华为技术有限公司 Memory leak detecting method and device
CN101814049A (en) * 2010-03-23 2010-08-25 北京大学 Memory leak detection method
CN102651060A (en) * 2012-03-31 2012-08-29 北京奇虎科技有限公司 Method and system for detecting vulnerability
CN104268484A (en) * 2014-09-24 2015-01-07 科云(上海)信息技术有限公司 Cloud environment data leakage prevention method based on virtual isolation mechanism
US20180367989A1 (en) * 2016-02-29 2018-12-20 Huawei Technologies Co., Ltd. Secure data transmission apparatus and method
CN109766164A (en) * 2018-11-22 2019-05-17 海光信息技术有限公司 A kind of access control method, EMS memory management process and relevant apparatus
CN113569244A (en) * 2021-09-18 2021-10-29 成都数默科技有限公司 Memory malicious code detection method based on processor tracking
WO2021218278A1 (en) * 2020-04-28 2021-11-04 华为技术有限公司 Method for processing data, and computing device

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Fu Jianming et al., "Memory address leak analysis and defense" (内存地址泄漏分析与防御), Journal of Computer Research and Development (计算机研究与发展) *
Chen Kexin et al., "A key data protection mechanism based on memory isolation" (一种基于内存隔离的关键数据保护机制), Computer and Modernization (计算机与现代化) *

Also Published As

Publication number Publication date
CN113868673B (en) 2022-04-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220617

Address after: 100095 floors 2-14, building 3, yard 5, honeysuckle Road, Haidian District, Beijing

Patentee after: Beijing Honor Device Co.,Ltd.

Address before: Unit 3401, unit a, building 6, Shenye Zhongcheng, No. 8089, Hongli West Road, Donghai community, Xiangmihu street, Futian District, Shenzhen, Guangdong 518040

Patentee before: Honor Device Co.,Ltd.