CN114357514A - Multi-user partition isolation method based on security chip - Google Patents

Publication number: CN114357514A
Authority: CN (China)
Application number: CN202111671696.7A
Other languages: Chinese (zh)
Inventor: 刘俊
Current Assignee: Zhongyitong Technology Co ltd
Original Assignee: Zhongyitong Technology Co ltd
Legal status: Pending
Prior art keywords: partition, user, cell, directory, security
Landscapes: Storage Device Security

Abstract

The invention provides a multi-user partition isolation method based on a security chip. The primary user uses the native flow, with all data stored in the data partition; when a new user is created, the system divides an independent partition, cells, at the hardware level, and all data of all newly created users is stored under the independent partition; users cannot access one another's data across physical partitions, which ensures data security. The beneficial effects of the invention are as follows: by combining a security chip with multi-user technology, an independent system partition is set up that is physically separated from the system, so that data is physically isolated and user data is prevented from leaking; access permissions are restricted to protect the data of the system partition; a data encryption service is provided, raising the security level of the data; and a self-destruction function is provided, which fundamentally prevents the partition's data from being stolen and protects user information.

Description

Multi-user partition isolation method based on security chip
Technical Field
The invention relates to the technical field of intelligent terminals, in particular to a multi-user partition isolation method based on a security chip.
Background
With the rapid development of information technology and continuous iteration of the Android system, versions from Android 8.0 onward have been continuously optimized and the system has become more stable and smooth, yet various security problems remain. Android is an open-source operating system; compared with closed mobile operating systems such as iOS, it is more easily attacked and infected by viruses, and it lacks a complete protection mechanism against data leakage. With terminal systems facing huge security risks, dual operating systems have emerged as a solution besides adding security applications to the native Android system.
Currently there are four main dual operating system schemes: a scheme based on Linux account technology (dual users for short), a multi-system scheme based on Android service transformation technology (security domain for short), a scheme based on container technology (dual operating systems for short), and a scheme based on virtual machine technology (virtual machines for short). Dual operating systems secure the system's internal data through a data isolation strategy at the software or hardware level.
At present, the multiple users in the multi-user function of a dual operating system share the same partition, without physical isolation: all data, including system data and application data, use the same /data partition, so data leaks easily and security is extremely low. Moreover, the multi-user system is not designed for strong concealment and has no other data-security hardening; any data in a file can be operated on, no data encryption is performed, and the risk of data leakage is extremely high.
Disclosure of Invention
The invention physically isolates the data of each user by combining a security chip with multi-user partition technology: data of non-0 users is stored in an independent partition, so that partition isolation is provided from the software layer down to the hardware layer; partition files of the independent partition are encrypted and protected using the security chip's encryption and decryption technology, raising the security level of user data. The security chip uses a domestic cryptographic algorithm, which guarantees the security of the algorithm and thus of user data. The system also has a self-destruction mode: when a defined condition is met, the system calls the self-destruction module to format the partition data related to the new user, including personal data and the partition file system, which fundamentally prevents leakage of the user's private data and protects the user's private information. The invention is realized by the following technical scheme.
A multi-user partition isolation method based on a security chip, characterized in that the primary user uses the native flow with all data stored in the data partition; when a new user is created, the system divides an independent partition, cells, at the hardware level, and all data of all newly created users is stored under the independent partition; users cannot access one another's data across physical partitions, which ensures data security.
The beneficial effects of the invention are as follows: compared with the prior art, independent partitions are created for multiple users, system users are isolated from each other at the physical level, and user data is protected; in addition, mounting of the partition is verified through the encryption verification technology provided by the security chip, ensuring that the partition is mounted securely.
The invention realizes a dual operating system environment based on trusted computing technology, SELinux technology, system-level application runtime environment isolation technology, multi-user technology, and device security management technology centred on information leakage prevention, achieving secure isolation of applications and data.
Destruction of the system can be triggered by a password, quickly clearing the system partition storage and the usage traces of the partition system, protecting the system from leakage and the data from theft.
The algorithm capability of the security chip is provided by the encryption chip's hardware IP core; all encryption operations are completed inside the IP core, which effectively resists various forms of attack.
Drawings
FIG. 1 is a partition structure diagram of native multi-user in the prior art.
FIG. 2 is a partition structure diagram of multi-user with independent partitions according to the present invention.
FIG. 3 is a schematic diagram of the independent partition of the present invention.
FIG. 4 is a schematic diagram of the native SELinux security framework of the present invention.
FIG. 5 is a diagram of the SELinux security framework after the use of independent partitions in accordance with the present invention.
FIG. 6 is a flow chart of the startup and verification of the system independent partition of the present invention.
FIG. 7 is a flow chart of partition destruction of the present invention.
FIG. 8 is a flow chart of the FBE of the present invention.
Detailed Description
The embodiments of the invention will be described in detail below with reference to the drawings, but the invention can be implemented in many different ways as defined and covered by the claims.
As shown in FIG. 1, in the prior art, when native multi-user creates multiple users, the data of all users (including primary user No. 0) is stored in the same data partition; each user gets its own directory created by userid, and the data generated by each user's applications and the shared data are both stored under the data directory (for example, shared data is stored in the /data/media directory). All users use the same partition and data is not isolated; in this mode data security is low, and user data is easily leaked or stolen.
FIG. 2 shows the partition structure of multiple users after independent partitioning. The invention isolates and divides partitions for native multi-user: primary user No. 0 uses the native flow, with all data stored in the data partition, and an independent partition (cells) is provided in addition. When a new user is created, the system divides an independent partition at the hardware level, and all data of every new user (taking user 10 as an example) is stored under the independent partition; users cannot access one another's data across physical partitions, which ensures data security.
FIG. 3 is a schematic diagram of partition usage. Non-0 users, as distinct from primary user No. 0, use the independent partition cells. cells.img (the partition image) is generated when the system source code is compiled, the required size is allocated during partition allocation, and the initialization directories of the cells partition are configured in init.rc (the initialization startup file):
The cells/user|user_de directories store the apps and data of the new-partition user.
The cells/system|system_ce|system_de directories store the system settings data of the new-partition user.
The cells/vendor_ce|vendor_de directories store the data customized by the manufacturer.
The cells/misc|misc_ce|misc_de directories store boot recovery information and key setting data.
The cells/media directory stores the applications' shared storage directories, such as pictures, videos, downloads, and other media content.
When the Android system starts and parses the init.rc file, these directories are created and the corresponding SELinux (security policy) configuration is applied.
Taking the Android system as an example, for the new partition to work normally on Android 11, key flows in each part of the system need to be modified. The specific implementation is as follows:
System layer of the Android system:
A cells directory structure is added in rootdir; creation of the related directories such as cells/media, user, system and vendor is added in init.rc; and a global attribute pointing to the cells root directory is added in init.environ.rc.in (the initialization environment configuration file). These logic changes serve mainly to create the cells directories when, after the kernel starts, the init process is brought up to perform system initialization and parse the rc files.
In init.rc, related logic is added to implement the interaction between init and the security chip when cells.img is mounted: cells.img can be mounted only after verification by the security chip succeeds. In addition, a security policy check is added to init's SELinux (security policy) logic to check the security context of the cells directory.
A cells root directory interface is added in vold (the storage management service): for the system's primary user (user 0) it returns /data as the root directory path, and for all newly created non-0 users it returns paths rooted at /cells; for the media directory, for example, the new user 10 gets /cells/media/10. In addition, when volumes are mounted, the cells/media shared media directory is mounted for new users; and for mounting the emulated volume, a dedicated directory /mnt/cellsrunttime and its subdirectories are created for new users, to distinguish them from the primary user.
For the FBE function of the Android system, the relevant logic needs to be modified because FBE keys cannot be locked and unlocked across partitions. The logic in fscrypt is modified to implement a separate lock and unlock flow for the new partition, adapting the partition to FBE (File-Based Encryption).
In sdcard (external storage management), logic is added for mounting the mnt (cache) directories. When a new user's partition directories are mounted, the sdcardfs (external storage file management service) mechanism uses the directories "/mnt/cellsrunttime/default/", "/mnt/cellsrunttime/read/", "/mnt/cellsrunttime/write/" and "/mnt/cellsrunttime/full/" to adapt to the new partition, and these directories are finally mounted onto the cells/media shared media directory.
The file_context (file context entries) of the cells directory is added in the Android system sepolicy; cell_file is used as the context governing the security contexts of all directories and files in the new partition, and separate security contexts are added for several main directories under cells (system, user and so on). Allow rules for cell_file are added in the related te (policy entity) files (the te files of system_server, zygote, vold, installd and others).
In the version sepolicy (security policy, /media/sepolicy), the corresponding block_device entries (/dev/block/format/mtk- \ b (msdc | ufs) \ b \ 0/[0-9] + \\ b (msdc0| ufs0) \ b/by-name/cells and /dev/block/by-name/cells) are added for the partition and rules for the block_device are configured; rule support for the cells block_device is added in related te files such as init, fsck, e2fs and resize.
In libselinux (the security policy library) under external (the Android source extension directory), security policy handling logic is added for partition directories such as cells/user.
Framework layer of the Android system:
The multi-user logic of zygote (the process incubator) is changed: when zygote performs isolateAppData (application data isolation), the CE and DE directories of a new user are resolved, according to userid, to the partition directories (cells/user, cells/user_de), and the context of the partition directories is relabeled.
In Environment (the system's environment variables class), a getCellsDirectory method is added that returns the partition root directory; when a newly created non-0 user requests a directory (system, user_de and so on), the corresponding directory and subdirectories rooted at cells are returned.
The installd service (installation service) is modified in step with the vold service: for new users it returns the root directory, related directories and subdirectories of the new partition, and the new-user logic in the installnative service is modified accordingly to adapt to the new partition.
Build-related changes in the Android system:
Logic is added to the build to generate the cells directory and cells.img, and rules for generating the cells image are added in related scripts such as Makefile and build_image.py.
Global parameters for the cells partition are added in the BoardConfig of the current version (such as device/media/mtxxxx); permissions and ownership of the cells partition directories are set in the version rc files init.mtxxxx.rc, factory_init.rc and meta_init.rc, and restorecon_recursive is run on the cells partition directories.
A mount of DEVPATH(cells) at the /cells root directory is added to the fstab of the current version, with the partition format configured as ext4.
A cells partition entry, cells, EXT4, 61457280, EMMC_USER, UFS_LU2, N, Y, cells.img, N, N, Y, AUTO, is added to the ptgen partition table partition_table_emmc.csv, with the partition size configured according to actual needs (the cells partition must be placed before the data main partition).
FBE (File-Based Encryption) related changes in the Android system:
For the FBE function of the Android system, the relevant logic needs to be modified because FBE keys cannot be locked and unlocked across partitions.
As shown in FIG. 8, the FBE (File-Based Encryption) flow needs corresponding modification for the new partition: when the cells partition mount is added to the fstab of the current version, the related FBE encryption mode is configured.
An installkey entry for the cells partition is added in init.rc. When the init process parses the rc file, it determines the encryption mode of the cells partition from that installkey, generates the partition's global key encrypted with the keymaster key (the key for user 0 is stored in /data/encrypted/key, and for the new user 10 in /cells/encrypted/key), and adds the generated key to the keyring.
When the init process performs user initialization, user-level CE and DE keys (keys associated with user authentication and with device encryption) are generated and stored in the corresponding directory (user 0 and the new user 10 use different directories: user 0 uses the native /data directory and its subdirectories, user 10 uses the new partition directory /cells and its subdirectories); after generation, the keys are added to the keyring.
The multi-user flow in fscrypt (file encryption and decryption) is changed accordingly: when a newly created user uses the independent partition cells, the CE and DE directories are created (for example /cells/media/10, /cells/system_ce/10, /cells/user_de/10, /cells/system_de/10 and so on), and the encryption policy (key ref) is set.
While the new user starts and runs, the CE and DE storage is decrypted and used with the keys generated in the flow above.
FIGS. 4 and 5 compare the SELinux security frameworks of the native system and the independent partition.
As shown in FIG. 4, in the native Android SELinux security framework, the security contexts and rules are configured through the security policy module in user space; security services running through the whole framework layer initiate security checks and context matching against the libselinux library (security policy library) while services such as zygote, init, vold and installd run, and the request finally enters the kernel-space SELinux file system for the final security check.
With native multi-user, all users are under the data partition; once independent partitions are used, separate security contexts are needed. As shown in FIG. 5, in the user-space security context configuration, the security context cell_file for the new partition is added in the policy module, and because the cells partition is an independent block device, a cell_block_device must also be configured; along with the contexts, a series of security rules must be added to the different te entities for the newly added security contexts.
Furthermore, with multi-user based on a new partition, the creation and startup flows of new users must be changed for the new partition: in zygote (the process incubator), relabeling of directories such as cells/user is added when a new user is created (application directories are relabeled when the new user creates them); in vold, setfilecon (set file security context) and restorecon (reload file security context) are added when project lock and unlock are performed; and in the installd service, restorecon_app_data is performed on the new partition directories when a new user creates application data.
The libselinux core security library provides the security context operations (setfilecon, restorecon and so on) to services such as zygote, vold and installd; handling of the new cells partition is added to the pkgdir_selabel_lookup method in libselinux to support operations such as creating multi-user application directories in the new partition.
FIG. 6 is a flowchart of starting and using the independent partition, comprising the following steps:
When the system has multiple users, the startup flows of the users' systems are basically the same; the main differences are where the file systems are mounted and that mounting the independent partition must be verified by the security chip, which ensures the security of non-0 users. The specific flow is as follows:
During Android startup, after init.rc is parsed, a cells folder is created under the Android system root directory.
The cells.img image in ext4 format is read from the corresponding cells partition location in ROM (read-only memory). The work-system partition loader computes the hash of cells.img and compares it with the hash stored in the security chip; after the comparison succeeds, it verifies the signature of cells.img, and if verification passes, the cells image is parsed. Parsing the cells.img image format reads the image information from the superblock, including the file system state, file system type, size, number of blocks, number of inodes and so on.
After cells.img is parsed successfully, it is mounted on the cells directory. After cells is mounted successfully, the work-system directories are created under the cells directory; the system SELinux (security policy) service configures the security context of cells, treating cells as a rootfs, and configures the security context of each subdirectory under cells according to the rules.
With these steps the partition directory work is complete; when the user creates a new user in the UI, the user creation flow is entered.
During user creation (for example, creating userid 10), the UMS calls the installd service to create the user's dedicated directories (cells/user/10, cells/user_de/10, cells/media/10 and so on), and vold finally completes creation of the user directories; once they are created, apps are installed into the corresponding directories.
After application installation completes, the UMS starts each application through system_server and launches the desktop, entering the user's system.
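The verification step of the FIG. 6 flow (hash comparison, signature check, then superblock parsing before mounting), as an added example that is not code from the patent. The chip interface, SHA-256 and HMAC-SHA256 are stand-ins assumed here because the patent names no algorithm or API, and the image is a constructed buffer holding only the superblock fields that are read.

```python
import hashlib
import hmac
import struct

SB_OFFSET = 1024      # the primary ext4 superblock starts 1024 bytes into the image
EXT4_MAGIC = 0xEF53   # s_magic value shared by ext2/ext3/ext4
STATE_BITS = {0x1: "clean", 0x2: "errors", 0x4: "orphan-recovery"}  # s_state flags


class MountRefused(Exception):
    """cells.img failed a check and must not be mounted."""


class MockSecurityChip:
    """Hypothetical stand-in for the security chip.

    Assumptions: SHA-256 replaces the chip's hash and HMAC-SHA256 replaces its
    signature scheme; the patent names neither algorithm.
    """

    def __init__(self, reference_hash: bytes, key: bytes):
        self._reference_hash = reference_hash  # provisioned when the image is built
        self._key = key                        # never leaves the chip

    def hash_matches(self, digest: bytes) -> bool:
        return hmac.compare_digest(digest, self._reference_hash)

    def signature_valid(self, digest: bytes, signature: bytes) -> bool:
        expected = hmac.new(self._key, digest, hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


def parse_superblock(image: bytes) -> dict:
    """Read the superblock fields the description lists (little-endian)."""
    sb = image[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 0x3C:
        raise MountRefused("image too short to hold a superblock")
    inodes, blocks_lo = struct.unpack_from("<II", sb, 0x00)  # s_inodes_count, s_blocks_count_lo
    (log_block_size,) = struct.unpack_from("<I", sb, 0x18)   # s_log_block_size
    magic, state = struct.unpack_from("<HH", sb, 0x38)       # s_magic, s_state
    if magic != EXT4_MAGIC:
        raise MountRefused(f"bad superblock magic 0x{magic:04x}")
    if log_block_size > 6:                                   # ext4 blocks are 1 KiB..64 KiB
        raise MountRefused("implausible block size")
    block_size = 1024 << log_block_size
    return {
        "fs_type": "ext2/3/4",
        "state": [name for bit, name in STATE_BITS.items() if state & bit],
        "inodes": inodes,
        "blocks": blocks_lo,   # low 32 bits; 64-bit images also carry s_blocks_count_hi
        "block_size": block_size,
        "size_bytes": blocks_lo * block_size,
    }


def verify_then_parse(image: bytes, signature: bytes, chip: MockSecurityChip) -> dict:
    """Hash check, then signature check, then parse; the caller mounts only on return."""
    digest = hashlib.sha256(image).digest()
    if not chip.hash_matches(digest):
        raise MountRefused("hash mismatch")
    if not chip.signature_valid(digest, signature):
        raise MountRefused("signature invalid")
    return parse_superblock(image)


def build_sample_image(inodes=8192, blocks=15360, log_block_size=2, state=0x1,
                       magic=EXT4_MAGIC) -> bytes:
    """Constructed test image: zeroed bytes plus the superblock fields used above."""
    image = bytearray(SB_OFFSET + 1024)
    struct.pack_into("<II", image, SB_OFFSET + 0x00, inodes, blocks)
    struct.pack_into("<I", image, SB_OFFSET + 0x18, log_block_size)
    struct.pack_into("<HH", image, SB_OFFSET + 0x38, magic, state)
    return bytes(image)


def provision(image: bytes, key: bytes):
    """Build-time step (assumed): store the reference hash and sign the digest."""
    digest = hashlib.sha256(image).digest()
    signature = hmac.new(key, digest, hashlib.sha256).digest()
    return MockSecurityChip(digest, key), signature


def attempt_mount(image: bytes, signature: bytes, chip: MockSecurityChip) -> str:
    """Return the mount decision as text; nothing is actually mounted."""
    try:
        info = verify_then_parse(image, signature, chip)
    except MountRefused as reason:
        return f"refused: {reason}"
    return f"mount /cells ({info['size_bytes']} bytes, {info['inodes']} inodes)"


if __name__ == "__main__":
    good = build_sample_image()
    chip, sig = provision(good, b"constructed-demo-key")
    tampered = good[:2000] + b"\x01" + good[2001:]   # one byte changed after provisioning
    print(attempt_mount(good, sig, chip))
    print(attempt_mount(tampered, sig, chip))
    print(attempt_mount(good, bytes(32), chip))
```

An image that passes the hash and signature checks but carries a wrong superblock magic is still refused, so a correctly provisioned but malformed image never reaches the mount step.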
As shown in FIG. 7, the partition destruction flow includes the following steps:
A multi-user system designed around the system security policy can be destroyed in special scenarios, protecting the user's personal private data from theft.
A destruction trigger is designed: a setting is provided in the system settings interface to set a destruction password, and destruction is triggered when the user enters that password on the lock screen.
On destruction, the system's user directories and application data are cleared and the whole cells partition is formatted; all data is erased and can no longer be used.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes will occur to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A multi-user partition isolation method based on a security chip, characterized in that a primary user uses the native flow with all data stored in the data partition; when a new user is created, the system divides an independent partition, cells, at the hardware level, and all data of all newly created users is stored under the independent partition; users cannot access one another's data across physical partitions, which ensures data security.
2. The multi-user partition isolation method based on the security chip as claimed in claim 1, wherein the new user uses the independent partition cells; cells.img is generated when the system source code is compiled, the required size is allocated during partition allocation, and the initialization directories of the cells partition are configured in init.rc, wherein:
the cells/user|user_de directories store the apps and data of the new-partition user;
the cells/system|system_ce|system_de directories store the system settings data of the new-partition user;
the cells/vendor_ce|vendor_de directories store part of the data customized by the manufacturer;
the cells/misc|misc_ce|misc_de directories store boot recovery information and key setting data; the cells/media directory stores the applications' shared storage directory.
3. The method according to claim 2, wherein the related directories are created and configured with a corresponding selinux when the init.
4. The multi-user partition isolation method based on the security chip as claimed in claim 2, wherein, when a new user is created, directories are created in the cells partition: a cells directory structure is added in rootdir, creation of the cells/media, user, system and vendor related directories is added in init.rc, and a global attribute pointing to the cells root directory is added in init.environ.rc.in;
in init.rc, related logic is added to implement the interaction between init and the security chip when cells.img is mounted, so that cells.img can be mounted only after verification by the security chip succeeds;
a cells root directory interface is added in vold, which returns /data as the root directory path for the system's primary user and paths rooted at /cells for all new users;
the logic in fscrypt is modified to adapt to the FBE flow of the partition;
logic is added in sdcard for mounting the mnt directories, and when a new user's partition directories are mounted, the directories "/mnt/cellsrunttime/default/", "/mnt/cellsrunttime/read/", "/mnt/cellsrunttime/write/" and "/mnt/cellsrunttime/full/" are used;
the file_context of the cells directory is added in the system sepolicy, with cell_file as the context governing the security contexts of all directories and files in the new partition; separate security contexts are added for several main directories under cells, and allow rules for cell_file are added in the related te files;
a corresponding block_device is added for the partition in the version sepolicy, and rules for the block_device are configured;
rule support for the cells block_device is added in the init, fsck, e2fs and resize related te files;
in libselinux under external, security policy handling logic is added for partition directories such as cells/user.
5. The multi-user partition isolation method based on the security chip as claimed in claim 1, wherein, when a new user is created, the method further comprises changing the multi-user logic of zygote: when zygote performs isolateAppData, the CE and DE directories of the new user are resolved, according to userid, to the partition directories (cells/user, cells/user_de), and the context of the partition directories is relabeled;
in Environment, the system's environment variables class, a getCellsDirectory method is added to return the partition root directory, and when a newly created non-primary user requests a directory, the corresponding directory and subdirectories rooted at cells are returned;
the installd service is modified in step with the vold service: for new users it returns the root directory, related directories and subdirectories of the new partition, and the new-user logic in the installnative service is modified accordingly to adapt to the new partition.
6. The multi-user partition isolation method based on the security chip as claimed in claim 1, wherein, when a new user is created, the method further comprises modifications to the system build: logic is added to generate the cells directory and cells.img, and rules for generating the cells image are added in related scripts such as Makefile, build_image.py and common_add_img_to_target_files.py according to the rules of the current version, so that an independent cells image is generated when the whole system is compiled;
global parameters for the cells partition are added in the current version; permissions and ownership of the cells partition directories are set in the version rc files init.mtxxxx.rc, factory_init.rc and meta_init.rc, and restorecon_recursive is run on the cells partition directories;
a mount of DEVPATH(cells) at the /cells root directory is added to the fstab of the current version, with the partition format configured as ext4;
a cells partition entry, cells, EXT4, 61457280, EMMC_USER, UFS_LU2, N, Y, cells.img, N, N, Y, AUTO, is added to the ptgen partition table partition_table_emmc.csv, with the partition size configured according to actual needs.
7. The multi-user partition isolation method based on the security chip as claimed in claim 1, wherein, when a new user is created, the method further comprises modification of the FBE flow:
an installkey entry for the cells partition is added in init.rc; when the init process parses the rc file, it determines the encryption mode of the cells partition from that installkey, generates the partition's global key encrypted with the keymaster key, and adds the generated key to the keyring;
when the init process performs user initialization, user-level CE and DE keys are generated, stored in the corresponding directory, and added to the keyring after generation;
the multi-user flow in fscrypt is changed accordingly: when a newly created user uses the independent partition cells, the CE and DE directories are created and the encryption policy (key ref) is set.
8. The method as claimed in claim 4, wherein when a new user is created, configuring security context and rules in a policy module, and simultaneously, the security service running through the whole framework layer initiates security check and context check matching to libselinux in the process of zygate initvold install service running, and finally enters a kernel space Selinux file system for final security check.
9. The multi-user partition isolation method based on the security chip as claimed in claim 8, wherein the security context and rules are configured in the new user space: a security context cell_file for the new partition is added in the policy module; because the cell partition is an independent block device, a corresponding cell_block_device also needs to be configured; and when the contexts are configured, a series of security rules needs to be added on the different te entities for the newly added security contexts;
meanwhile, because the multiple users are based on a new partition, corresponding process changes need to be made for the new partition in the creation and start-up of a new user: relabel of the directories related to cells/users needs to be added when the new user is created in zygote; setfilecon and restorecon need to be added when project lock and unlock are performed in vold; and restorecon_app_data needs to be performed on the new partition directory when the installd service creates application data for the new user;
the libselinux core security service library provides the related security context operations for services such as zygote, vold and installd, and a pkgdir_selabel_lookup handler for the cells of the new partition is added to libselinux to support the creation of multi-user application directories in the new partition.
10. The method according to claim 1, wherein the specific process of creating multiple users in the system is as follows:
during system start-up, after init.rc is parsed, a cell folder is created under the Android system root directory;
the cell.img image in ext4 file format is read from the cell partition location in the ROM;
after the cell.img image is parsed successfully, cell.img is mounted on the cell directory; after the mount succeeds, the directories related to the working system are created under the cell directory, while the system SELinux service configures the subcontext of the cell, using the cell as rootfs, and configures the subcontext of each subdirectory under the cell directory according to the rules.
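An audit of the three artifacts that claims 6 and 9 configure (partition table row, fstab entry, SELinux file contexts), as an added example that is not part of the patent text. The mount point /cell, the path /cell/users/10, the block device path /dev/block/by-name/cells and the mount flags are assumptions, and all sample inputs are constructed.

```python
import re
# Constructed sample inputs; /cell, /cell/users/10, the by-name block path and
# the mount flags are assumptions, the type names come from claim 9.
PTGEN_ROW = "cells,EXT4,61457280,EMMC_USER,UFS_LU2"
FSTAB = """\
DEVPATH(userdata) /data ext4 noatime,nosuid,nodev wait,check
DEVPATH(cells) /cell ext4 noatime,nosuid,nodev wait,check
"""
FILE_CONTEXTS = """\
/cell(/.*)?                u:object_r:cell_file:s0
/dev/block/by-name/cells   u:object_r:cell_block_device:s0
"""

def parse_fstab(text):
    """Map mount point -> (source, fstype) for non-comment fstab lines."""
    entries = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 3 and not fields[0].startswith("#"):
            entries[fields[1]] = (fields[0], fields[2])
    return entries

def label_for(path, file_contexts):
    """Type of the last entry whose regex matches the whole path (simplified)."""
    found = None
    for fields in (line.split() for line in file_contexts.splitlines()):
        if len(fields) >= 2 and not fields[0].startswith("#"):
            if re.fullmatch(fields[0], path):
                found = fields[-1].split(":")[2]
    return found

def audit(ptgen_row, fstab, file_contexts, mount="/cell",
          blockdev="/dev/block/by-name/cells"):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    name, fstype = ptgen_row.split(",")[:2]
    if fstype.upper() != "EXT4":
        findings.append(f"partition table: {name} is {fstype}, not EXT4")
    source, mounted_as = parse_fstab(fstab).get(mount, (None, None))
    if source != f"DEVPATH({name})":
        findings.append(f"fstab: {mount} is not mounted from DEVPATH({name})")
    elif mounted_as != "ext4":
        findings.append(f"fstab: {mount} is {mounted_as}, not ext4")
    for path, want in ((mount, "cell_file"), (mount + "/users/10", "cell_file"),
                       (blockdev, "cell_block_device")):
        got = label_for(path, file_contexts)
        if got != want:
            findings.append(f"file_contexts: {path} is {got}, expected {want}")
    return findings
```

A path that no entry covers is reported with the label None, which is the case to look for when the new partition's directories fall outside the policy.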
CN202111671696.7A 2021-12-31 2021-12-31 Multi-user partition isolation method based on security chip Pending CN114357514A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111671696.7A CN114357514A (en) 2021-12-31 2021-12-31 Multi-user partition isolation method based on security chip

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111671696.7A CN114357514A (en) 2021-12-31 2021-12-31 Multi-user partition isolation method based on security chip

Publications (1)

Publication Number Publication Date
CN114357514A (en) 2022-04-15

Family

ID=81105296

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111671696.7A Pending CN114357514A (en) 2021-12-31 2021-12-31 Multi-user partition isolation method based on security chip

Country Status (1)

Country Link
CN (1) CN114357514A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116756785A (en) * 2023-08-16 2023-09-15 中国兵器装备集团兵器装备研究所 Self-destruction method and system of intelligent terminal system
CN116756785B (en) * 2023-08-16 2023-11-10 中国兵器装备集团兵器装备研究所 Self-destruction method and system of intelligent terminal system
CN117034330A (en) * 2023-10-10 2023-11-10 广州市溢信科技股份有限公司 macOS-based safety protection method, macOS-based safety protection equipment and storage medium
CN117034330B (en) * 2023-10-10 2024-01-30 广州市溢信科技股份有限公司 macOS-based safety protection method, macOS-based safety protection equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination