CN114048502A - Lightweight trusted channel and communication control method thereof - Google Patents

Lightweight trusted channel and communication control method thereof Download PDF

Info

Publication number
CN114048502A
CN114048502A CN202111202062.7A CN202111202062A CN114048502A CN 114048502 A CN114048502 A CN 114048502A CN 202111202062 A CN202111202062 A CN 202111202062A CN 114048502 A CN114048502 A CN 114048502A
Authority
CN
China
Prior art keywords
shared memory
domain
domain shared
mode
control system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111202062.7A
Other languages
Chinese (zh)
Other versions
CN114048502B (en
Inventor
王跃武
雷灵光
周荃
史昊天
王杰
寇春静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS filed Critical Institute of Information Engineering of CAS
Priority to CN202111202062.7A priority Critical patent/CN114048502B/en
Publication of CN114048502A publication Critical patent/CN114048502A/en
Application granted granted Critical
Publication of CN114048502B publication Critical patent/CN114048502B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • G06F9/544Buffers; Shared memory; Pipes
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • G06F9/545Interprogram communication where tasks reside in different layers, e.g. user- and kernel-space
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2105Dual mode as a secondary aspect
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/50Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a lightweight trusted channel and a communication control method thereof, wherein the lightweight trusted channel comprises a security control system, a mode switching hook and a domain sharing memory manager; the mode switching hook and the domain sharing memory manager run in a common world kernel mode, and the safety control system runs in a safety world; the mode switching hook is used for monitoring the switching of the operation mode of the common world, and when the operation mode is switched from a user mode to a kernel mode, the security control system is called to close the access authority of the shared memory of all domains; when the operation mode is switched from the kernel mode to the user mode, calling a security control system to open the access authority of a domain shared memory; the domain shared memory is a memory shared by a communication channel between the CA and the TA; the domain shared memory manager is used for distributing a domain shared memory for the CA and sending the corresponding relation between the CA and the domain shared memory to the security control system; the safety control system is used for controlling the domain shared memory and ensuring that the domain shared memory is only accessed by a legal CA and a safety world.

Description

Lightweight trusted channel and communication control method thereof
Technical Field
The invention relates to a lightweight trusted channel and a communication control method thereof, belonging to the field of information security.
Background
The ARM TrustZone mechanism is widely applied to protect sensitive services of mobile terminals. The general protection mode is to operate sensitive application as a safety service in a hardware isolated safety world and provide safety support for application programs in the common world. The secure service running in the secure world is called Trusted Application (TA), and the corresponding Application running in the common world calls the secure service is called Client Application (CA). However, data transmission between the CA and the TA must be realized through an operating system in the common world, but the operating system is not trusted, and an attacker can acquire the execution authority of the operating system through kernel vulnerabilities and initiate man-in-the-middle attacks in the communication process between the CA and the TA, so that constructing a secure channel for the communication between the CA and the TA is a key factor for guaranteeing the security and effectiveness of the Trust Zone isolation mechanism.
Disclosure of Invention
Aiming at a multi-core platform, a lightweight trusted channel is constructed for communication between CA and TA by dynamically controlling the access control attribute of a shared memory (hereinafter referred to as a domain shared memory) used by the channel, so that malicious attacks from the common world (including common world kernels and malicious application programs) can be effectively resisted.
The technical scheme of the invention is as follows:
a lightweight trusted channel is characterized by comprising a security control system, a mode switching hook and a domain sharing memory manager; the mode switching hook and the domain shared memory manager both operate in a kernel mode of a common world, and the safety control system operates in a safety world; wherein:
the mode switching hook is used for monitoring the switching of the operation modes of the common world, including the switching from a user mode to a kernel mode and the switching from the kernel mode to the user mode; when the operation mode is switched from a user mode to a kernel mode, calling the security control system to close the access authority of all the domain shared memories; when the operation mode is switched from the kernel mode to the user mode, calling the security control system to open the access authority of a domain shared memory; the domain shared memory is a memory shared by a communication channel between the CA and the TA; TA is a safety service running in the safety world, CA is an application program running in the common world and calling the safety service;
the domain shared memory manager is used for distributing a domain shared memory for the CA and sending the corresponding relation between the CA and the domain shared memory to the security control system;
the security control system is used for controlling the domain shared memory and ensuring that the domain shared memory is only accessed by a legal CA and a secure world; and the safety control system carries out data integrity check on the CA transmitted by the domain shared memory manager, and if the CA passes the check, the CA is a legal CA.
Further, the security control system checks the domain shared memory corresponding relation, and if the CA transmitted by the domain shared memory manager has a corresponding domain shared memory area and the domain shared memory area is not allocated to other CAs, it determines that the CA transmitted by the domain shared memory manager is legal.
Further, the safety control system comprises a domain sharing memory controller, a mapping manager and a safety protector; the domain shared memory controller is used for opening or closing the access authority of the domain shared memory; the mapping manager is used for maintaining the distribution condition of the domain shared memory; the security protector is used for calling the domain sharing memory controller to dynamically open or close the access right of the domain sharing memory based on the domain sharing memory allocation condition maintained by the mapping manager, and ensuring that each domain sharing memory is only accessed by the corresponding CA or security domain.
Further, the security guard checks the integrity of the mode switch hook and the corresponding CA program before invoking the domain shared memory controller to open the access right of the domain shared memory.
Further, the access right of the domain shared memory is opened or closed through the register configuration of the TZASC.
A communication control method of a lightweight trusted channel comprises the following steps:
1) the safety control system initializes all the domain shared memories to be unreadable in the common world; wherein, the domain shared memory is a memory shared by a communication channel between the CA and the TA; TA is a safety service running in the safety world, CA is an application program running in the common world and calling the safety service;
2) when a CA applies to allocate a section of domain shared memory, the domain shared memory manager allocates a domain shared memory area for the CA, and transmits the mapping relation between the CA and the domain shared memory allocated for the CA to the security control system;
3) the safety control system checks whether the CA in the mapping relation is a legal CA, and if the CA is a legal CA and the corresponding domain shared memory is not allocated to other CAs, the corresponding relation of the CA and the corresponding domain shared memory is recorded;
4) the security control system sends the domain shared memory allocation result to the CA, and the operation mode of the common world is switched from a kernel mode to a user mode;
5) when the mode switching hook detects that the operation mode of the common world is from a kernel mode to a user mode, calling a security control system to open the access authority of the domain shared memory region corresponding to the CA;
6) the security control system opens the access control authority of the domain shared memory region corresponding to the CA;
7) the CA reads and writes the corresponding domain shared memory area, and generates a mode switching from a user mode to a kernel mode when the CA finishes reading and writing and informs the physical address of the domain shared memory area written by the corresponding TA;
8) when capturing the mode switching of the operation mode of the common world from a user mode to a kernel mode, the mode switching hook calls a safety control system to set all the domain shared memories to be unreadable in the common world;
9) the TA processes the data transmitted by the CA, transfers the control right to the CA after the processing is finished, and triggers the mode switching of the running mode of the common world from the kernel mode to the user mode; when the mode switching hook detects that the operation mode of the common world is from a kernel mode to a user mode, calling a security control system to open the access authority of the domain shared memory region corresponding to the CA; the security control system transfers the access control authority of the domain shared memory region corresponding to the CA;
10) the CA reads and writes data returned by the TA, initiates a request for releasing the domain shared memory to the security control system after the data are processed, and triggers the mode switching of the operation mode of the common world from the user mode to the kernel mode; when capturing the mode switching of the operation mode of the common world from a user mode to a kernel mode, the mode switching hook calls a safety control system to set all the domain shared memories to be unreadable in the common world;
11) and the domain shared memory manager calls the security control system to remove the mapping relation between the domain shared memory and the CA.
Further, in step 11), the security control system determines whether the domain shared memory area is recorded in the map, and if the domain shared memory area is recorded in the map and the CA is legal, removes the mapping relationship corresponding to the CA, and clears the data in the domain shared memory area.
Further, the safety control system comprises a domain sharing memory controller, a mapping manager and a safety protector; the domain shared memory controller is used for opening or closing the access authority of the domain shared memory; the mapping manager is used for maintaining the distribution condition of the domain shared memory; the security protector is used for calling the domain sharing memory controller to dynamically open or close the access right of the domain sharing memory based on the domain sharing memory allocation condition maintained by the mapping manager, and ensuring that each domain sharing memory is only accessed by the corresponding CA or security domain.
Further, the security guard checks the integrity of the mode switch hook and the corresponding CA program before invoking the domain shared memory controller to open the access right of the domain shared memory.
Further, the access right of the domain shared memory is opened or closed through the register configuration of the TZASC.
The invention has the following advantages:
by adopting the lightweight trusted channel and the communication control method thereof, the access attribute of the domain shared memory is controlled, namely the access attribute of the corresponding domain shared memory area is set to be readable in the common world when the common world runs in a user mode, and the access attribute of all the domain shared memory areas is set to be unreadable in the common world when the common world runs in a kernel mode; performance overhead caused by a protection mode of encryption and decryption in the existing scheme is avoided, and higher operation efficiency is achieved. Meanwhile, the scheme ensures that the access attribute is opened only when all cores are in the user state, and is suitable for a multi-core platform.
Drawings
Fig. 1 is a system architecture diagram of a lightweight trusted channel and a communication control method thereof.
Detailed Description
The invention will be described in further detail with reference to the following drawings, which are given by way of example only for the purpose of illustrating the invention and are not intended to limit the scope of the invention.
A lightweight trusted channel is characterized by comprising a security control system, a mode switching hook and a domain shared memory manager. The mode switching hook and the domain sharing memory manager run in a kernel mode of a common world, wherein:
the mode switching hook is used for monitoring the switching of the operation modes of the common world, including switching from a user mode to a kernel mode and switching from the kernel mode to the user mode, and calling a security control system of the secure world to dynamically open or close the access authority of the domain shared memory when monitoring the mode switching; by adding corresponding codes (namely adding corresponding hooks) in the exception handling function, the switching of the monitoring and hijacking common world operation modes can be realized;
further, when the common world is switched from the user mode to the kernel mode, the mode switching hook calls a security control system to close the access authority of all the domain shared memories; and when the common world is switched from the kernel mode to the user mode, calling the security control system to open the access authority of the domain shared memory.
The domain shared memory manager is used for distributing a domain shared memory with a proper size for the CA and informing the security control system in the security world of the corresponding relation between the CA and the domain shared memory.
Further, when the CA process starts, code and data integrity checks are performed, and a legal CA execution code is set to be unwritable by a rich operating system (i.e., a common world operating system) through register configuration of a TZASC (TrustZone address space controller), thereby ensuring validity at the time of CA start and in operation. In addition, the context information of the CA process is recorded and hidden in the process of switching from the user mode to the kernel mode in the ordinary world, and the information is recovered when the kernel mode is switched to the user mode, so that the control flow of the CA process is not controlled by a malicious kernel.
The safety control system runs in a safety world isolated and protected by TrustZone and is used for controlling a domain to share the memory and ensuring that the domain is only accessed by a legal CA and the safety world in the common world; the security control system comprises a domain sharing memory controller, a mapping manager and a security guard, wherein:
the domain shared memory controller is used for opening or closing the access authority of the domain shared memory, namely dynamically configuring the access control attribute of a certain domain shared memory to allow the common world access or not to allow the common world access;
further, the domain shared memory is configured by a register of a tzsc (TrustZone address space controller) to open or close access rights of the domain shared memory.
The mapping manager is used for maintaining the distribution condition of the domain shared memory (namely, the mapping relation between the domain shared memory and the CA), and when one domain shared memory is distributed to a certain CA, the mapping relation is established between the domain shared memory and the CA;
further, the mapping manager may check that the mapping relationship between the CA and the domain shared memory transmitted by the domain shared memory manager is indeed legal, that is, the CA is indeed a legal CA, and the allocated domain shared memory area is not allocated to other CAs.
The safety protector is used for calling the domain sharing memory controller to dynamically open or close the access authority of the domain sharing memory based on the domain sharing memory distribution condition maintained by the mapping manager, and ensuring that each domain sharing memory is only accessed by the corresponding CA or the safety domain;
further, the security protector checks the integrity of the mode switching hook and the corresponding CA program before calling the domain shared memory controller to open the access right of the domain shared memory; and if the verification is passed, opening the corresponding domain shared memory, and if the verification is not passed, unlocking the region.
Further, after the access right of the shared memory of a certain domain is opened, the security control system directly transfers the control right to a legal CA in the ordinary world, namely, a user mode of the ordinary world.
In another aspect of the present invention, a communication control method for a lightweight trusted channel is further provided, where the method includes:
the method comprises the following steps: when the system is started, the safety control system sets all the domain shared memories to be unreadable in the common world.
Step two: when a certain CA program applies to allocate a section of domain shared memory by calling a domain shared memory allocation API (DsM Alloc API), the request triggers a common world operation mode to be switched from a user mode to a kernel mode, a domain shared memory manager captures the request through a mode switching hook, records and hides context information of a CA process, the domain shared memory allocates a domain shared memory area for the domain shared memory, and the mapping relation of the CA-domain shared memory is transmitted to a safety control system;
step three: the security protector of the security control system checks whether the CA in the mapping relation is legal CA and whether the domain shared memory area is already allocated, if the CA is legal and the corresponding domain shared memory is not allocated, the mapping manager is called to record the corresponding relation between the CA and the domain shared memory, and then the control right is transferred to the domain shared memory manager; when the CA process is started, the integrity of the execution code and data of the CA process is checked, and the execution code of the legal CA is set to be unwritable by a rich operating system through TZASC after the check is passed;
step four: the domain sharing memory manager informs the CA of the distribution result, and then returns the control flow to the DsM Alloc API, so that the operation mode of the common world is triggered to be switched from a kernel mode to a user mode, a mode switching hook is triggered, and the context information of the CA process is recovered;
step five: the mode switching hook detects mode switching from a kernel mode to a user mode, and calls a security control system to open the access authority of the domain shared memory region distributed for the CA in the second step;
step six: the security control system opens the access control authority of the corresponding domain shared memory under the condition that the CA is determined to be legal, the domain shared memory area of the applied opening authority is indeed allocated to the CA, all the cores are operated in a user state at present, and the integrity of the mode switching hook is not damaged;
step seven: the CA program reads and writes the corresponding domain shared memory area, and after finishing reading and writing and informing the corresponding TA to write the physical address of the domain shared memory area, the operation can generate mode switching from a user mode to a kernel mode;
step eight: and capturing the mode switching from the user mode to the kernel mode by the mode switching hook, and calling the security control system to set all the domain shared memories to be unreadable in the common world.
Step nine: the TA program in the secure world processes the data transmitted by the CA program, and after the processing is finished, the control right is transferred to the common world CA program, and the operation triggers the mode switching from a kernel mode to a user mode; after the CA reads and writes the shared domain memory, it notifies the physical address of the shared domain memory area written by the corresponding TA program, and the TA can read corresponding data (i.e., data sent by the CA to the TA) from the shared domain memory according to the physical address.
Then, step five and step six are carried out again, and the authority of the domain shared memory area processed by the TA program is opened;
step ten: the CA program reads and writes the data returned by the TA and initiates a request for releasing the domain shared memory together after the processing is finished; the request is transmitted to a domain shared memory manager in a kernel mode, and mode switching from a user mode to the kernel mode is triggered;
subsequently, the step eight is entered again;
step eleven: the CA program calls a shared memory release API (DsM Free API) to release the domain shared memory area, and the domain shared memory manager calls the security control system to release the mapping relation between the domain shared memory and the CA program.
Step twelve: the security control system judges whether the domain shared memory area is recorded in the mapping and whether the CA is legal, then removes the corresponding mapping and clears the data in the segment of the shared domain memory.
Although specific embodiments of the invention have been disclosed for purposes of illustration, and for purposes of aiding in the understanding of the contents of the invention and its implementation, those skilled in the art will appreciate that: various substitutions, changes and modifications are possible without departing from the spirit and scope of the present invention and the appended claims. Therefore, it is intended that the invention not be limited to the particular embodiment disclosed as the best mode contemplated for carrying out this invention, but that the invention will include all embodiments falling within the scope of the appended claims.

Claims (10)

1. A lightweight trusted channel is characterized by comprising a security control system, a mode switching hook and a domain sharing memory manager; the mode switching hook and the domain shared memory manager both operate in a kernel mode of a common world, and the safety control system operates in a safety world; wherein:
the mode switching hook is used for monitoring the switching of the operation modes of the common world, including the switching from a user mode to a kernel mode and the switching from the kernel mode to the user mode; when the operation mode is switched from a user mode to a kernel mode, calling the security control system to close the access authority of all the domain shared memories; when the operation mode is switched from the kernel mode to the user mode, calling the security control system to open the access authority of a domain shared memory; the domain shared memory is a memory shared by a communication channel between the CA and the TA; TA is a safety service running in the safety world, CA is an application program running in the common world and calling the safety service;
the domain shared memory manager is used for distributing a domain shared memory for the CA and sending the corresponding relation between the CA and the domain shared memory to the security control system;
the security control system is used for controlling the domain shared memory and ensuring that the domain shared memory is only accessed by a legal CA and a secure world; and the safety control system carries out data integrity check on the CA transmitted by the domain shared memory manager, and if the CA passes the check, the CA is a legal CA.
2. The lightweight trusted channel of claim 1, wherein the security control system checks the domain shared memory mapping relationship and determines that the CA transmitted by the domain shared memory manager is valid if the CA transmitted by the domain shared memory manager has a corresponding domain shared memory region and the domain shared memory region is not allocated to other CAs.
3. The lightweight trusted channel of claim 1, wherein said security control system comprises a domain sharing memory controller, a mapping manager, and a security guard; the domain shared memory controller is used for opening or closing the access authority of the domain shared memory; the mapping manager is used for maintaining the distribution condition of the domain shared memory; the security protector is used for calling the domain sharing memory controller to dynamically open or close the access right of the domain sharing memory based on the domain sharing memory allocation condition maintained by the mapping manager, and ensuring that each domain sharing memory is only accessed by the corresponding CA or security domain.
4. The lightweight trusted channel of claim 3, wherein said security guard checks the integrity of mode switch hooks and corresponding CA programs before invoking a domain shared memory controller to open access rights to a domain shared memory.
5. The lightweight trusted channel of claim 1, wherein the domain shared memory opens or closes access to the domain shared memory through register configuration of the TZASC.
6. A communication control method of a lightweight trusted channel comprises the following steps:
1) the safety control system initializes all the domain shared memories to be unreadable in the common world; wherein, the domain shared memory is a memory shared by a communication channel between the CA and the TA; TA is a safety service running in the safety world, CA is an application program running in the common world and calling the safety service;
2) when a CA applies to allocate a section of domain shared memory, the domain shared memory manager allocates a domain shared memory area for the CA, and transmits the mapping relation between the CA and the domain shared memory allocated for the CA to the security control system;
3) the safety control system checks whether the CA in the mapping relation is a legal CA, and if the CA is a legal CA and the corresponding domain shared memory is not allocated to other CAs, the corresponding relation of the CA and the corresponding domain shared memory is recorded;
4) the security control system sends the domain shared memory allocation result to the CA, and the operation mode of the common world is switched from a kernel mode to a user mode;
5) when the mode switching hook detects that the operation mode of the common world is from a kernel mode to a user mode, calling a security control system to open the access authority of the domain shared memory region corresponding to the CA;
6) the security control system opens the access control authority of the domain shared memory region corresponding to the CA;
7) the CA reads and writes the corresponding domain shared memory area, and generates a mode switching from a user mode to a kernel mode when the CA finishes reading and writing and informs the physical address of the domain shared memory area written by the corresponding TA;
8) when capturing the mode switching of the operation mode of the common world from a user mode to a kernel mode, the mode switching hook calls a safety control system to set all the domain shared memories to be unreadable in the common world;
9) the TA processes the data transmitted by the CA, transfers the control right to the CA after the processing is finished, and triggers the mode switching of the running mode of the common world from the kernel mode to the user mode; when the mode switching hook detects that the operation mode of the common world is from a kernel mode to a user mode, calling a security control system to open the access authority of the domain shared memory region corresponding to the CA; the security control system transfers the access control authority of the domain shared memory region corresponding to the CA;
10) the CA reads and writes data returned by the TA, initiates a request for releasing the domain shared memory to the security control system after the data are processed, and triggers the mode switching of the operation mode of the common world from the user mode to the kernel mode; when capturing the mode switching of the operation mode of the common world from a user mode to a kernel mode, the mode switching hook calls a safety control system to set all the domain shared memories to be unreadable in the common world;
11) and the domain shared memory manager calls the security control system to remove the mapping relation between the domain shared memory and the CA.
7. The method as claimed in claim 6, wherein in step 11), the security control system determines whether the domain shared memory area is recorded in the mapping, and if the domain shared memory area is recorded in the mapping and the CA is legal, removes the mapping relationship corresponding to the CA, and clears the data in the domain shared memory area.
8. The method of claim 6, wherein the security control system comprises a domain shared memory controller, a mapping manager, and a security guard; the domain shared memory controller is used for opening or closing the access authority of the domain shared memory; the mapping manager is used for maintaining the distribution condition of the domain shared memory; the security protector is used for calling the domain sharing memory controller to dynamically open or close the access right of the domain sharing memory based on the domain sharing memory allocation condition maintained by the mapping manager, and ensuring that each domain sharing memory is only accessed by the corresponding CA or security domain.
9. The method of claim 8, wherein the security guard checks the integrity of the mode switch hook and the corresponding CA program before invoking the domain shared memory controller to open the access right of a domain shared memory.
10. The method of claim 6, wherein the domain shared memory opens or closes access rights to the domain shared memory through a register configuration of the TZASC.
CN202111202062.7A 2021-10-15 2021-10-15 Lightweight trusted channel and communication control method thereof Active CN114048502B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111202062.7A CN114048502B (en) 2021-10-15 2021-10-15 Lightweight trusted channel and communication control method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111202062.7A CN114048502B (en) 2021-10-15 2021-10-15 Lightweight trusted channel and communication control method thereof

Publications (2)

Publication Number Publication Date
CN114048502A true CN114048502A (en) 2022-02-15
CN114048502B CN114048502B (en) 2023-08-15

Family

ID=80205067

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111202062.7A Active CN114048502B (en) 2021-10-15 2021-10-15 Lightweight trusted channel and communication control method thereof

Country Status (1)

Country Link
CN (1) CN114048502B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103034544A (en) * 2012-12-04 2013-04-10 杭州迪普科技有限公司 Management method and device for user mode and kernel mode to share memory
CN103093150A (en) * 2013-02-18 2013-05-08 中国科学院软件研究所 Dynamic integrity protection method based on credible chip
CN107194284A (en) * 2017-06-22 2017-09-22 济南浪潮高新科技投资发展有限公司 A kind of method and system based on the user-isolated data of TrustZone
CN107729159A (en) * 2017-09-29 2018-02-23 华为技术有限公司 The address mapping method and device of a kind of shared drive
CN108062253A (en) * 2017-12-11 2018-05-22 北京奇虎科技有限公司 The communication means of a kind of kernel state and User space, device and terminal
CN108733455A (en) * 2018-05-31 2018-11-02 上海交通大学 Vessel isolation based on ARM TrustZone enhances system
CN109697140A (en) * 2018-11-19 2019-04-30 深圳市腾讯信息技术有限公司 Data back up method and device, data reconstruction method and device, storage medium
US20190294798A1 (en) * 2018-03-22 2019-09-26 Huazhong University Of Science And Technology Trustzone-based security isolation method for shared library and system thereof
US20200364101A1 (en) * 2019-05-19 2020-11-19 International Business Machines Corporation Executing system calls in isolated address space in operating system kernel

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103034544A (en) * 2012-12-04 2013-04-10 杭州迪普科技有限公司 Management method and device for user mode and kernel mode to share memory
CN103093150A (en) * 2013-02-18 2013-05-08 中国科学院软件研究所 Dynamic integrity protection method based on credible chip
CN107194284A (en) * 2017-06-22 2017-09-22 济南浪潮高新科技投资发展有限公司 A kind of method and system based on the user-isolated data of TrustZone
CN107729159A (en) * 2017-09-29 2018-02-23 华为技术有限公司 The address mapping method and device of a kind of shared drive
CN108062253A (en) * 2017-12-11 2018-05-22 北京奇虎科技有限公司 The communication means of a kind of kernel state and User space, device and terminal
US20190294798A1 (en) * 2018-03-22 2019-09-26 Huazhong University Of Science And Technology Trustzone-based security isolation method for shared library and system thereof
CN108733455A (en) * 2018-05-31 2018-11-02 上海交通大学 Vessel isolation based on ARM TrustZone enhances system
CN109697140A (en) * 2018-11-19 2019-04-30 深圳市腾讯信息技术有限公司 Data back up method and device, data reconstruction method and device, storage medium
US20200364101A1 (en) * 2019-05-19 2020-11-19 International Business Machines Corporation Executing system calls in isolated address space in operating system kernel

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
DIMING ZHANG等: "iFlask: Isolate flask security system from dangerous execution environment by using ARM TrustZone", vol. 109 *
张英骏;冯登国;秦宇;杨波;: "基于Trustzone的强安全需求环境下可信代码执行方案", vol. 52, no. 10 *
牛德姣等: "APMSS:一种具有非对称接口的固态存储系统", vol. 55, no. 55 *

Also Published As

Publication number Publication date
CN114048502B (en) 2023-08-15

Similar Documents

Publication Publication Date Title
CN109766165B (en) Memory access control method and device, memory controller and computer system
CN105447406B (en) A kind of method and apparatus for accessing memory space
CN106462708B (en) Authenticate the management method and device of variable
CN104951409B (en) A kind of hardware based full disk encryption system and encryption method
JP5114617B2 (en) Secure terminal, program, and method for protecting private key
CN101006433B (en) Information communication device, and program execution environment control method
US20100241841A1 (en) System and Method for Securing Executable Code
US10922402B2 (en) Securing secret data embedded in code against compromised interrupt and exception handlers
CN104318176B (en) Data management method and device for terminal and terminal
CN109086620B (en) Physical isolation dual-system construction method based on mobile storage medium
US8627069B2 (en) System and method for securing a computer comprising a microkernel
US20080052709A1 (en) Method and system for protecting hard disk data in virtual context
WO2005081115A1 (en) Application-based access control system and method using virtual disk
CN110069935B (en) Internal sensitive data protection method and system based on tagged memory
US20120137372A1 (en) Apparatus and method for protecting confidential information of mobile terminal
CN112818327A (en) TrustZone-based user-level code and data security credibility protection method and device
US10339307B2 (en) Intrusion detection system in a device comprising a first operating system and a second operating system
Dubrulle et al. Blind hypervision to protect virtual machine privacy against hypervisor escape vulnerabilities
JP4375980B2 (en) Multitask execution system and multitask execution method
CN114048502A (en) Lightweight trusted channel and communication control method thereof
CN111143900A (en) Data processing method, data access control method, data processing system, data access control system, data processing device, data processing apparatus, and storage medium
CN107169375B (en) System data security enhancement method
US20110258397A1 (en) Method of protection of data during the execution of a software code in an electronic device
CN107087003B (en) System anti-attack method based on network
CN116226870B (en) Security enhancement system and method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Lei Lingguang

Inventor after: Wang Yuewu

Inventor after: Zhou Chuo

Inventor after: Shi Haotian

Inventor after: Wang Jie

Inventor after: Kou Chunjing

Inventor before: Wang Yuewu

Inventor before: Lei Lingguang

Inventor before: Zhou Chuo

Inventor before: Shi Haotian

Inventor before: Wang Jie

Inventor before: Kou Chunjing

CB03 Change of inventor or designer information
GR01 Patent grant
GR01 Patent grant