CN114048502B - Lightweight trusted channel and communication control method thereof - Google Patents

Publication number
CN114048502B
Authority
CN
China
Prior art keywords
shared memory
domain
mode
domain shared
control system
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202111202062.7A
Other languages
Chinese (zh)
Other versions
CN114048502A (en)
Inventor
雷灵光
王跃武
周荃
史昊天
王杰
寇春静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Application filed by Institute of Information Engineering of CAS
Priority to CN202111202062.7A
Publication of CN114048502A
Application granted
Publication of CN114048502B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/544 Buffers; Shared memory; Pipes
    • G06F9/545 Interprogram communication where tasks reside in different layers, e.g. user- and kernel-space
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2105 Dual mode as a secondary aspect
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a lightweight trusted channel and a communication control method thereof. The lightweight trusted channel comprises a security control system, a mode switching hook and a domain shared memory manager. The mode switching hook and the domain shared memory manager run in the kernel mode of the normal world, and the security control system runs in the secure world. The mode switching hook monitors switches of the normal world's operating mode: when the operating mode switches from user mode to kernel mode, it calls the security control system to close the access rights of all domain shared memories; when the operating mode switches from kernel mode to user mode, it calls the security control system to open the access rights of one domain shared memory. The domain shared memory is the memory shared by the communication channel between the CA and the TA. The domain shared memory manager allocates a domain shared memory for the CA and sends the correspondence between the CA and the domain shared memory to the security control system. The security control system controls the domain shared memory to ensure that it is accessed only by a legitimate CA and the secure world.

Description

Lightweight trusted channel and communication control method thereof
Technical Field
The invention relates to a lightweight trusted channel and a communication control method thereof, belonging to the field of information security.
Background
The ARM TrustZone mechanism is widely used to protect sensitive services on mobile terminals. The usual approach is to run the sensitive application as a security service in the hardware-isolated secure world, where it provides security support for applications in the normal world. A security service running in the secure world is called a Trusted Application (TA), and the corresponding normal-world application that invokes the security service is called a Client Application (CA). However, data passed between the CA and the TA must go through the normal-world operating system, and that operating system is not trusted: an attacker can obtain operating-system execution privileges through a kernel vulnerability and mount a man-in-the-middle attack on the communication between the CA and the TA. Constructing a secure channel for CA-TA communication is therefore a key factor in guaranteeing the security and effectiveness of the TrustZone isolation mechanism.
Disclosure of Invention
The invention aims to provide a lightweight trusted channel and a communication control method thereof. Targeting multi-core platforms, it constructs a lightweight trusted channel for communication between a CA and a TA by dynamically controlling the access control attributes of the shared memory used by the channel (hereinafter referred to as domain shared memory), so as to effectively resist malicious attacks from the normal world (including the normal-world kernel and malicious applications).
The technical scheme of the invention is as follows:
The lightweight trusted channel is characterized by comprising a security control system, a mode switching hook and a domain shared memory manager; the mode switching hook and the domain shared memory manager both run in the kernel mode of the normal world, and the security control system runs in the secure world; wherein:
the mode switching hook is used for monitoring switches of the normal world's operating mode, including the switch from user mode to kernel mode and the switch from kernel mode to user mode; when the operating mode switches from user mode to kernel mode, the security control system is called to close the access rights of all domain shared memories; when the operating mode switches from kernel mode to user mode, the security control system is called to open the access rights of one domain shared memory; the domain shared memory is the memory shared by the communication channel between the CA and the TA; the TA is a security service running in the secure world, and the CA is an application running in the normal world that calls the security service;
the domain shared memory manager is used for allocating a domain shared memory for the CA and sending the correspondence between the CA and the domain shared memory to the security control system;
the security control system is used for controlling the domain shared memory to ensure that the domain shared memory is accessed only by a legitimate CA and the secure world; the security control system performs a data integrity check on the CA transmitted by the domain shared memory manager, and if the CA passes the check, the CA is legitimate.
Further, the security control system checks the domain shared memory correspondence, and if the CA transmitted by the domain shared memory manager has a corresponding domain shared memory region and that region is not allocated to another CA, the CA transmitted by the domain shared memory manager is determined to be legitimate.
Further, the security control system comprises a domain shared memory controller, a mapping manager and a security guard; the domain shared memory controller is used for opening or closing the access rights of the domain shared memory; the mapping manager is used for maintaining the allocation state of the domain shared memory; the security guard is used for calling the domain shared memory controller to dynamically open or close the access rights of the domain shared memory based on the allocation state maintained by the mapping manager, so as to ensure that each domain shared memory is accessed only by the corresponding CA or the secure domain.
Further, the security guard checks the integrity of the mode switching hook and of the corresponding CA program before invoking the domain shared memory controller to open the access rights of a domain shared memory.
Further, the access rights of the domain shared memory are opened or closed through register configuration of the TZASC.
A communication control method of a lightweight trusted channel comprises the following steps:
1) During initialization, the security control system sets all domain shared memories as unreadable to the normal world; the domain shared memory is the memory shared by the communication channel between the CA and the TA; the TA is a security service running in the secure world, and the CA is an application running in the normal world that calls the security service;
2) When a CA requests allocation of a domain shared memory, the domain shared memory manager allocates a domain shared memory region for the CA and transmits the mapping between the CA and the allocated domain shared memory to the security control system;
3) The security control system checks whether the CA in the mapping is a legitimate CA; if the CA is legitimate and the corresponding domain shared memory is not allocated to another CA, the correspondence between the CA and the domain shared memory is recorded;
4) The security control system sends the domain shared memory allocation result to the CA, and the operating mode of the normal world switches from kernel mode to user mode;
5) When the mode switching hook detects that the operating mode of the normal world switches from kernel mode to user mode, it calls the security control system to open the access rights of the domain shared memory region corresponding to the CA;
6) The security control system opens the access control rights of the domain shared memory region corresponding to the CA;
7) The CA reads and writes the corresponding domain shared memory region and, when it has finished, notifies the corresponding TA of the physical address of the domain shared memory region it has written; this generates a mode switch from user mode to kernel mode;
8) When the mode switching hook captures the switch of the normal world's operating mode from user mode to kernel mode, it calls the security control system to set all domain shared memories as unreadable to the normal world;
9) The TA processes the data transmitted by the CA and, after processing is finished, transfers control to the CA, which triggers the switch of the normal world's operating mode from kernel mode to user mode; when the mode switching hook detects that the operating mode of the normal world switches from kernel mode to user mode, it calls the security control system to open the access rights of the domain shared memory region corresponding to the CA; the security control system opens the access control rights of the domain shared memory region corresponding to the CA;
10) The CA reads and writes the data returned by the TA, issues a request to the security control system to release the domain shared memory after processing is complete, and triggers the switch of the normal world's operating mode from user mode to kernel mode; when the mode switching hook captures that switch, it calls the security control system to set all domain shared memories as unreadable to the normal world;
11) The domain shared memory manager invokes the security control system to remove the mapping between the domain shared memory and the CA.
Further, in step 11), the security control system determines whether the domain shared memory region is recorded in the mapping; if the region is recorded and the CA is legitimate, it removes the mapping corresponding to the CA and clears the data in the domain shared memory region.
Further, the security control system comprises a domain shared memory controller, a mapping manager and a security guard; the domain shared memory controller is used for opening or closing the access rights of the domain shared memory; the mapping manager is used for maintaining the allocation state of the domain shared memory; the security guard is used for calling the domain shared memory controller to dynamically open or close the access rights of the domain shared memory based on the allocation state maintained by the mapping manager, so as to ensure that each domain shared memory is accessed only by the corresponding CA or the secure domain.
Further, the security guard checks the integrity of the mode switching hook and of the corresponding CA program before invoking the domain shared memory controller to open the access rights of a domain shared memory.
Further, the access rights of the domain shared memory are opened or closed through register configuration of the TZASC.
The invention has the following advantages:
With the lightweight trusted channel and its communication control method, the access attribute of the domain shared memory is controlled as follows: when the normal world runs in user mode, the access attribute of the corresponding domain shared memory region is set to readable by the normal world, and when the normal world runs in kernel mode, the access attribute of all domain shared memory regions is set to unreadable to the normal world. This avoids the performance cost of the encryption and decryption protection used in existing schemes, so operating efficiency is higher. The scheme also ensures that the access attribute is opened only when all cores are in user mode, which makes it suitable for multi-core platforms.
Drawings
FIG. 1 is a diagram of a lightweight trusted channel and a communication control method thereof.
Detailed Description
The invention will now be described in further detail with reference to the accompanying drawings, which are given by way of illustration only and are not intended to limit the scope of the invention.
The lightweight trusted channel is characterized by comprising a security control system, a mode switching hook and a domain shared memory manager. The mode switching hook and the domain shared memory manager run in the kernel mode of the normal world, wherein:
the mode switching hook is used for monitoring switches of the normal world's operating mode, including the switch from user mode to kernel mode and the switch from kernel mode to user mode; when a mode switch is detected, it calls the security control system in the secure world to dynamically open or close the access rights of the domain shared memory. Monitoring and intercepting normal-world mode switches can be implemented by adding the corresponding code (i.e. the hooks) to the exception handling functions;
further, when the normal world switches from user mode to kernel mode, the mode switching hook calls the security control system to close the access rights of all domain shared memories; when the normal world switches from kernel mode to user mode, it calls the security control system to open the access rights of one domain shared memory.
The domain shared memory manager is used for allocating a domain shared memory of suitable size for the CA and notifying the security control system in the secure world of the correspondence between the CA and the domain shared memory.
Further, when the CA process starts, a code and data integrity check is performed, and the execution code of a legitimate CA is set to be unwritable by the rich operating system (i.e. the normal-world operating system) through register configuration of the TZASC (TrustZone Address Space Controller), which ensures the legitimacy of the CA both at start-up and while running. In addition, the context information of the CA process is recorded and hidden when the normal world switches from user mode to kernel mode, and is restored when it switches from kernel mode back to user mode, so that the control flow of the CA process cannot be controlled by a malicious kernel.
The security control system runs in the secure world isolated and protected by TrustZone and is used for controlling the domain shared memory to ensure that it is accessed only by legitimate CAs in the normal world and by the secure world; the security control system comprises a domain shared memory controller, a mapping manager and a security guard, wherein:
the domain shared memory controller is used for opening or closing the access rights of the domain shared memory, that is, the access control attribute of a given domain shared memory is dynamically configured to allow or disallow access from the normal world;
further, the access rights of the domain shared memory are opened or closed through register configuration of the TZASC (TrustZone Address Space Controller).
The mapping manager is used for maintaining the allocation state of the domain shared memory (i.e. the mapping between domain shared memories and CAs); when a domain shared memory is allocated to a CA, a mapping is established between that domain shared memory and the CA;
further, the mapping manager checks that the CA-to-domain-shared-memory correspondence transmitted by the domain shared memory manager is legitimate, i.e. that the CA is indeed legitimate and that the allocated domain shared memory region is not allocated to another CA.
The security guard is used for calling the domain shared memory controller to dynamically open or close the access rights of the domain shared memory based on the allocation state maintained by the mapping manager, so as to ensure that each domain shared memory is accessed only by the corresponding CA or the secure domain;
further, the security guard checks the integrity of the mode switching hook and of the corresponding CA program before invoking the domain shared memory controller to open the access rights of a domain shared memory; if the check passes, the corresponding domain shared memory is opened, and if it does not pass, the region is not unlocked.
Further, after opening the access rights of a domain shared memory, the security control system transfers control directly to the legitimate CA in the normal world, i.e. to the user mode of the normal world.
The invention also provides a communication control method of the lightweight trusted channel, which is characterized by comprising the following steps:
Step one: when the system starts, the security control system sets all domain shared memory as unreadable to the normal world.
Step two: when a CA program requests allocation of a domain shared memory by calling the domain shared memory allocation API (DsM Alloc API), the request triggers the normal world's operating mode to switch from user mode to kernel mode; the context information of the CA process is captured by the mode switching hook, and the domain shared memory manager allocates a domain shared memory region for the CA and transmits the CA-to-domain-shared-memory mapping to the security control system.
Step three: the security guard of the security control system checks whether the CA in the mapping is a legitimate CA and whether the domain shared memory region has already been allocated; if the CA is legitimate and the corresponding domain shared memory is not allocated, it calls the mapping manager to record the correspondence between the CA and the domain shared memory, and then transfers control to the domain shared memory manager. When the CA process starts, the integrity of its execution code and data is checked, and after the check passes, the execution code of the legitimate CA is set to be unwritable by the rich operating system through the TZASC.
Step four: the domain shared memory manager informs the CA of the allocation result and returns control flow to the DsM Alloc API, which triggers the normal world's operating mode to switch from kernel mode to user mode; the mode switching hook is triggered and the context information of the CA process is restored.
Step five: the mode switching hook detects the switch from kernel mode to user mode and calls the security control system to open the access rights of the domain shared memory region allocated to the CA in step two.
Step six: the security control system opens the access control rights of the domain shared memory corresponding to the CA once it has confirmed that the CA is legitimate, that the domain shared memory region whose rights are to be opened is really allocated to that CA, that all cores are currently running in user mode, and that the integrity of the mode switching hook has not been compromised.
Step seven: the CA program reads and writes the corresponding domain shared memory region and, when it has finished, notifies the corresponding TA of the physical address of the domain shared memory region it has written; this operation generates a mode switch from user mode to kernel mode.
Step eight: the mode switching hook captures the switch from user mode to kernel mode and calls the security control system to set all domain shared memory as unreadable to the normal world.
Step nine: the TA program in the secure world processes the data transmitted by the CA program and, after processing is finished, transfers control to the CA program in the normal world; this operation triggers the mode switch from kernel mode to user mode. After the CA has read and written the domain shared memory, it notifies the corresponding TA program of the physical address of the domain shared memory region it has written, and the TA can read the corresponding data (i.e. the data sent by the CA to the TA) from the domain shared memory according to that physical address.
Steps five and six are then carried out again, and the access rights of the domain shared memory region processed by the TA program are opened.
Step ten: the CA program reads and writes the data returned by the TA and, after processing is complete, issues a request to release the domain shared memory; the request is passed to the domain shared memory manager in kernel mode and triggers a mode switch from user mode to kernel mode.
Step eight is then entered again.
Step eleven: the CA program invokes the domain shared memory release API (DsM Free API) to release the domain shared memory region, and the domain shared memory manager invokes the security control system to remove the mapping between the domain shared memory and the CA program.
Step twelve: the security control system determines whether the domain shared memory region is recorded in the mapping and whether the CA is legitimate, then removes the corresponding mapping and clears the data in that domain shared memory region.
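The access-control decisions in steps one, three, six, eight and twelve can be followed in a small user-space model. This is an added example, not code from the patent: all names are hypothetical, a boolean per region stands in for the TZASC permission, and the CA and hook integrity checks are modelled as flags.

```c
/* Added illustration: user-space model of the secure-world security control
 * system. All identifiers are hypothetical; open_to_normal stands in for a
 * TZASC region permission and the integrity checks are plain flags. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NUM_CORES   2
#define NUM_REGIONS 2
#define MAX_CA      4
#define REGION_SIZE 32
#define NO_CA       (-1)

enum cpu_mode { MODE_KERNEL, MODE_USER };

struct scs {                                 /* security control system state */
    int  owner[NUM_REGIONS];                 /* mapping manager: region -> CA */
    bool open_to_normal[NUM_REGIONS];        /* controller: modelled TZASC bit */
    unsigned char data[NUM_REGIONS][REGION_SIZE];
    enum cpu_mode core_mode[NUM_CORES];
    bool ca_legit[MAX_CA];                   /* result of CA integrity check */
    bool hook_intact;                        /* result of hook integrity check */
};

static bool valid(int ca, int r) {
    return ca >= 0 && ca < MAX_CA && r >= 0 && r < NUM_REGIONS;
}

/* Step one: at start-up no region is readable from the normal world. */
void scs_init(struct scs *s) {
    memset(s, 0, sizeof *s);
    for (int r = 0; r < NUM_REGIONS; r++) s->owner[r] = NO_CA;
    for (int c = 0; c < NUM_CORES; c++) s->core_mode[c] = MODE_KERNEL;
    s->hook_intact = true;
}

void scs_close_all(struct scs *s) {
    for (int r = 0; r < NUM_REGIONS; r++) s->open_to_normal[r] = false;
}

/* Step three: record CA -> region only for a legitimate CA and a free region. */
int scs_map(struct scs *s, int ca, int r) {
    if (!valid(ca, r) || !s->ca_legit[ca] || s->owner[r] != NO_CA) return -1;
    s->owner[r] = ca;
    return 0;
}

/* Step six: the guard opens a region only if every condition holds. */
int scs_open(struct scs *s, int ca, int r) {
    if (!valid(ca, r) || !s->ca_legit[ca] || s->owner[r] != ca) return -1;
    if (!s->hook_intact) return -1;
    for (int c = 0; c < NUM_CORES; c++)
        if (s->core_mode[c] != MODE_USER) return -1;   /* multi-core rule */
    s->open_to_normal[r] = true;
    return 0;
}

/* Step eight: any core entering kernel mode closes every region. */
void hook_user_to_kernel(struct scs *s, int core) {
    s->core_mode[core] = MODE_KERNEL;
    scs_close_all(s);
}

/* Step five: a core returning to user mode asks for its CA's region. */
int hook_kernel_to_user(struct scs *s, int core, int ca, int r) {
    s->core_mode[core] = MODE_USER;
    return scs_open(s, ca, r);
}

/* Step twelve: drop the mapping and zero the region. */
int scs_unmap(struct scs *s, int ca, int r) {
    if (!valid(ca, r) || !s->ca_legit[ca] || s->owner[r] != ca) return -1;
    s->open_to_normal[r] = false;
    s->owner[r] = NO_CA;
    memset(s->data[r], 0, REGION_SIZE);
    return 0;
}

/* Normal-world access; -1 models the fault raised for a closed region. */
int nw_write(struct scs *s, int r, const char *msg) {
    if (r < 0 || r >= NUM_REGIONS || !s->open_to_normal[r]) return -1;
    strncpy((char *)s->data[r], msg, REGION_SIZE - 1);
    return 0;
}

int main(void) {
    struct scs s;
    scs_init(&s);
    s.ca_legit[1] = true;                 /* constructed: CA 1 passed its check */
    scs_map(&s, 1, 0);
    hook_kernel_to_user(&s, 1, NO_CA, 0); /* core 1 resumes a non-CA process */
    printf("open for CA 1: %d\n", hook_kernel_to_user(&s, 0, 1, 0));
    printf("CA write: %d\n", nw_write(&s, 0, "request"));
    hook_user_to_kernel(&s, 0);           /* e.g. the CA issues a system call */
    printf("write after kernel entry: %d\n", nw_write(&s, 0, "tamper"));
    return 0;
}
```

The model refuses to open a region while any core is still in kernel mode, which is the multi-core condition in step six; how a real implementation reschedules the CA after such a refusal is outside what the description specifies.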
Although specific embodiments of the invention have been disclosed for illustrative purposes, those skilled in the art will appreciate that various alternatives, variations and modifications are possible without departing from the spirit and scope of the invention and the appended claims. Therefore, the invention is not intended to be limited to the particular embodiment disclosed as the best mode contemplated for carrying it out; its scope is that indicated by the appended claims.

Claims (10)

1. The lightweight trusted channel is characterized by comprising a security control system, a mode switching hook and a domain shared memory manager; the mode switching hook and the domain shared memory manager both run in the kernel mode of the normal world, and the security control system runs in the secure world; wherein:
the mode switching hook is used for monitoring switches of the normal world's operating mode, including the switch from user mode to kernel mode and the switch from kernel mode to user mode; when the operating mode switches from user mode to kernel mode, the security control system is called to close the access rights of all domain shared memories; when the operating mode switches from kernel mode to user mode, the security control system is called to open the access rights of one domain shared memory; the domain shared memory is the memory shared by the communication channel between the CA and the TA; the TA is a security service running in the secure world, and the CA is an application running in the normal world that calls the security service;
the domain shared memory manager is used for allocating a domain shared memory for the CA and sending the correspondence between the CA and the domain shared memory to the security control system;
the security control system is used for controlling the domain shared memory to ensure that the domain shared memory is accessed only by a legitimate CA and the secure world; the security control system performs a data integrity check on the CA transmitted by the domain shared memory manager, and if the CA passes the check, the CA is legitimate.
2. The lightweight trusted channel of claim 1, wherein said security control system checks the domain shared memory correspondence, and determines that a CA transmitted by the domain shared memory manager is legitimate if that CA has a corresponding domain shared memory region and the region is not allocated to another CA.
3. The lightweight trusted channel of claim 1, wherein said security control system comprises a domain shared memory controller, a mapping manager and a security guard; the domain shared memory controller is used for opening or closing the access rights of the domain shared memory; the mapping manager is used for maintaining the allocation state of the domain shared memory; the security guard is used for calling the domain shared memory controller to dynamically open or close the access rights of the domain shared memory based on the allocation state maintained by the mapping manager, so as to ensure that each domain shared memory is accessed only by the corresponding CA or the secure domain.
4. The lightweight trusted channel of claim 3, wherein said security guard checks the integrity of the mode switching hook and of the corresponding CA program before invoking the domain shared memory controller to open the access rights of a domain shared memory.
5. The lightweight trusted channel of claim 1, wherein the access rights of the domain shared memory are opened or closed through register configuration of an address space controller.
6. A communication control method of a lightweight trusted channel, comprising the following steps:
1) At initialization, the security control system sets all domain shared memories as unreadable in the common world; the domain shared memory is the memory shared over the communication channel between a CA and a TA; the TA is a security service running in the security world, and the CA is an application program that runs in the common world and calls the security service;
2) When a CA applies for allocation of a domain shared memory, the domain shared memory manager allocates a domain shared memory region to the CA and transmits the mapping relationship between the CA and the allocated domain shared memory to the security control system;
3) The security control system checks whether the CA in the mapping relationship is a legitimate CA; if the CA is legitimate and the corresponding domain shared memory is not allocated to another CA, the security control system records the correspondence between the CA and the domain shared memory;
4) The security control system sends the domain shared memory allocation result to the CA, and the operation mode of the common world switches from kernel mode to user mode;
5) When the mode switching hook detects that the operation mode of the common world switches from kernel mode to user mode, the security control system is called to open the access rights of the domain shared memory region corresponding to the CA;
6) The security control system opens the access control rights of the domain shared memory region corresponding to the CA;
7) The CA reads and writes the corresponding domain shared memory region and, after the reads and writes are complete, notifies the corresponding TA of the physical address of the domain shared memory region written by the CA, which produces a mode switch from user mode to kernel mode;
8) When the mode switching hook captures the switch of the operation mode of the common world from user mode to kernel mode, the security control system is called to set all domain shared memories as unreadable in the common world;
9) The TA processes the data transmitted by the CA and, after the processing is finished, transfers control to the CA, which triggers the switch of the operation mode of the common world from kernel mode to user mode; when the mode switching hook detects that the operation mode of the common world switches from kernel mode to user mode, the security control system is called to open the access rights of the domain shared memory region corresponding to the CA; the security control system transfers the access control rights of the domain shared memory region corresponding to the CA;
10) The CA reads and writes the data returned by the TA, initiates a request to the security control system to release the domain shared memory after the processing is complete, and triggers the switch of the operation mode of the common world from user mode to kernel mode; when the mode switching hook captures the switch of the operation mode of the common world from user mode to kernel mode, the security control system is called to set all domain shared memories as unreadable in the common world;
11) The domain shared memory manager calls the security control system to remove the mapping relationship between the domain shared memory and the CA.
7. The method of claim 6, wherein in step 11) the security control system determines whether the domain shared memory region is recorded in the mapping; if the region is recorded in the mapping and the CA is legitimate, the security control system removes the mapping relationship corresponding to the CA and clears the data in the domain shared memory region.
8. The method of claim 6, wherein the security control system comprises a domain shared memory controller, a mapping manager, and a security guard; the domain shared memory controller is used for opening or closing the access rights of the domain shared memory; the mapping manager is used for maintaining the allocation state of the domain shared memory; the security guard is used for calling the domain shared memory controller to dynamically open or close the access rights of the domain shared memory based on the allocation state maintained by the mapping manager, so as to ensure that each domain shared memory is accessed only by the corresponding CA or the security domain.
9. The method of claim 8, wherein the security guard checks the integrity of the mode switching hook and of the corresponding CA program before calling the domain shared memory controller to open the access rights of a domain shared memory.
10. The method of claim 6, wherein the access rights of the domain shared memory are opened or closed through register configuration of an address space controller.
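The allocate, open/close and release sequence of claims 6 and 7, modelled as a small C state machine; this is an added illustration, not code from the patent. The pool size, integer CA ids, the `ca_ok` flag standing in for the integrity check, and every function name are assumptions, and a boolean array stands in for the address space controller registers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define NREGIONS 4    /* constructed pool size (assumption) */
#define REGION_SZ 64  /* constructed region size (assumption) */
#define NO_CA (-1)

/* State held by the security control system; all names are hypothetical. */
static int owner[NREGIONS];      /* mapping manager: region -> CA id */
static bool ns_open[NREGIONS];   /* stand-in for address space controller registers */
static unsigned char mem[NREGIONS][REGION_SZ];

/* Step 1: every region starts unallocated and closed to the common world. */
void scs_init(void) {
    for (int r = 0; r < NREGIONS; r++) { owner[r] = NO_CA; ns_open[r] = false; }
    memset(mem, 0, sizeof mem);
}

/* Steps 2-3: record the mapping only for a legitimate CA and a free region. */
bool scs_register(int ca, int r, bool ca_ok) {
    if (ca < 0 || r < 0 || r >= NREGIONS || !ca_ok || owner[r] != NO_CA) return false;
    owner[r] = ca;
    return true;
}

/* Steps 8 and 10: a user -> kernel switch closes all domain shared memory. */
void hook_enter_kernel(void) {
    for (int r = 0; r < NREGIONS; r++) ns_open[r] = false;
}

/* Steps 5-6 and 9: a kernel -> user switch opens only the resuming CA's regions. */
void hook_enter_user(int ca) {
    for (int r = 0; r < NREGIONS; r++) ns_open[r] = (ca >= 0 && owner[r] == ca);
}

/* Common-world write: refused unless the region is currently open. */
bool ns_write(int r, const void *buf, size_t n) {
    if (r < 0 || r >= NREGIONS || !ns_open[r] || n > REGION_SZ) return false;
    memcpy(mem[r], buf, n);
    return true;
}

/* Step 11 and claim 7: only the recorded owner can release; data is cleared. */
bool scs_release(int ca, int r) {
    if (ca < 0 || r < 0 || r >= NREGIONS || owner[r] != ca) return false;
    memset(mem[r], 0, REGION_SZ);
    owner[r] = NO_CA; ns_open[r] = false;
    return true;
}
```

Because `hook_enter_kernel` closes every region, a kernel-mode write in the model fails even for a region that is validly mapped, which is the property the mode switching hook exists to enforce.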
CN202111202062.7A 2021-10-15 2021-10-15 Lightweight trusted channel and communication control method thereof Active CN114048502B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111202062.7A CN114048502B (en) 2021-10-15 2021-10-15 Lightweight trusted channel and communication control method thereof

Publications (2)

Publication Number Publication Date
CN114048502A CN114048502A (en) 2022-02-15
CN114048502B CN114048502B (en) 2023-08-15

Family

ID=80205067

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111202062.7A Active CN114048502B (en) 2021-10-15 2021-10-15 Lightweight trusted channel and communication control method thereof

Country Status (1)

Country Link
CN (1) CN114048502B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103034544A (en) * 2012-12-04 2013-04-10 杭州迪普科技有限公司 Management method and device for user mode and kernel mode to share memory
CN103093150A (en) * 2013-02-18 2013-05-08 中国科学院软件研究所 Dynamic integrity protection method based on credible chip
CN107194284A (en) * 2017-06-22 2017-09-22 济南浪潮高新科技投资发展有限公司 A kind of method and system based on the user-isolated data of TrustZone
CN107729159A (en) * 2017-09-29 2018-02-23 华为技术有限公司 The address mapping method and device of a kind of shared drive
CN108062253A (en) * 2017-12-11 2018-05-22 北京奇虎科技有限公司 The communication means of a kind of kernel state and User space, device and terminal
CN108733455A (en) * 2018-05-31 2018-11-02 上海交通大学 Vessel isolation based on ARM TrustZone enhances system
CN109697140A (en) * 2018-11-19 2019-04-30 深圳市腾讯信息技术有限公司 Data back up method and device, data reconstruction method and device, storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108647513B (en) * 2018-03-22 2020-04-28 华中科技大学 TrustZone-based shared library security isolation method and system
US11194639B2 (en) * 2019-05-19 2021-12-07 International Business Machines Corporation Executing system calls in isolated address space in operating system kernel

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
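Niu Dejiao et al. APMSS: A solid-state storage system with an asymmetric interface. Journal of Computer Research and Development. 2018, Vol. 55 (No. 55), full text. *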

Also Published As

Publication number Publication date
CN114048502A (en) 2022-02-15

Similar Documents

Publication Publication Date Title
CN109766165B (en) Memory access control method and device, memory controller and computer system
EP1761837B1 (en) System and method for secure inter-platform and intra-platform communications
EP3314808B1 (en) Binding a trusted input session to a trusted output session
CN104392188B (en) A kind of secure data store method and system
CN108055133B (en) Key security signature method based on block chain technology
JP4392241B2 (en) Method and system for promoting safety protection in a computer system employing an attached storage device
JP4089171B2 (en) Computer system
JP5114617B2 (en) Secure terminal, program, and method for protecting private key
WO2019192344A1 (en) Trust zone-based operating system and method
CN104335549A (en) Secure data processing
CN101084504A (en) Integrated circuit with improved device security
US20120137372A1 (en) Apparatus and method for protecting confidential information of mobile terminal
CN110069935B (en) Internal sensitive data protection method and system based on tagged memory
WO2015117523A1 (en) Access control method and device
US20160335433A1 (en) Intrusion detection system in a device comprising a first operating system and a second operating system
US20060005015A1 (en) System and method for secure inter-platform and intra-platform communications
JP6951375B2 (en) Information processing equipment, information processing methods and programs
CN110750791A (en) Method and system for guaranteeing physical attack resistance of trusted execution environment based on memory encryption
CN105809043A (en) Data security protection method of computer
CN114048502B (en) Lightweight trusted channel and communication control method thereof
JP4375980B2 (en) Multitask execution system and multitask execution method
CN107169375B (en) System data security enhancement method
CN115374483A (en) Data secure storage method and device, electronic equipment, medium and chip
CN107087003B (en) System anti-attack method based on network
CN116226870B (en) Security enhancement system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information
Inventor after: Lei Lingguang, Wang Yuewu, Zhou Chuo, Shi Haotian, Wang Jie, Kou Chunjing
Inventor before: Wang Yuewu, Lei Lingguang, Zhou Chuo, Shi Haotian, Wang Jie, Kou Chunjing
GR01 Patent grant