CN114528603A - Isolation dynamic protection method, device, equipment and storage medium of embedded system - Google Patents

Info

Publication number: CN114528603A
Authority: CN (China)
Prior art keywords: key, storage space, program, information, chip storage
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN202210432725.2A
Other languages: Chinese (zh)
Other versions: CN114528603B (en)
Inventors: 董文强, 王亮, 颜昕明
Current assignee: Guangzhou Wise Security Technology Co Ltd
Original assignee: Guangzhou Wise Security Technology Co Ltd
Priority: CN202210432725.2A
Publications: CN114528603A (application), CN114528603B (granted patent)
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Abstract

The embodiment of the invention discloses an isolated dynamic protection method, device, equipment and storage medium for an embedded system. The scheme loads the current program from the off-chip storage space, reads the key for it from the on-chip storage space and updates the key to be read next time; when data is written into the off-chip storage space by the current program, it generates verification information; it encrypts the verification information with the key to obtain encrypted verification information, stores the encrypted verification information in the off-chip storage space, and stores the key and the storage time information in a verification area of the on-chip storage space; when the current program reads data from the off-chip storage space, it reads the encrypted verification information from the off-chip storage space, reads the key and the storage time information from the verification area, derives reference verification information from them, and compares the reference verification information with the encrypted verification information to confirm that the data is safe. The data handled by each program is thus protected independently and dynamically, so that leakage of one program's key does not leak the information of all programs.

Description

Isolation dynamic protection method, device, equipment and storage medium of embedded system
Technical Field
The embodiment of the invention relates to the technical field of embedded systems, in particular to an isolation dynamic protection method, device, equipment and storage medium of an embedded system.
Background
Because devices based on embedded systems are flexible and cost-effective, they are more and more widely used. The trend toward more embedded terminals and online interconnection also exposes embedded systems to greater security risks, and the security of embedded systems is correspondingly receiving more and more attention.
The common attacks on embedded systems today are mainly hardware attacks and software attacks. Overall, the general aim of a malicious attack on an embedded system is to obtain, through various channels, the program code and data stored or processed inside it, which leads to leakage of users' private information. Countermeasures fall into hardware protection strategies and software protection strategies. A software protection strategy is software-based, for example running antivirus and anti-intrusion software to resist attacks; it brings higher power consumption, the protection software may itself contain security vulnerabilities, and the protection obtained is poor relative to its cost. Compared with a software protection strategy, a hardware protection strategy offers better physical isolation, high speed and low resource overhead, and is the preferred strategy for protecting an embedded system.
In existing hardware protection of embedded systems, one key is configured for the programs stored in off-chip memory, and if that key is leaked, the information of all programs may be exposed.
Disclosure of Invention
The invention provides an isolated dynamic protection method, device, equipment and storage medium for an embedded system, aiming to solve the technical problem in the prior art that, when the single key configured for the programs as a whole is leaked, the information of all programs is exposed.
In a first aspect, an embodiment of the present invention provides an isolated dynamic protection method for an embedded system, including:
loading the current program from the off-chip storage space, reading the key corresponding to the current program from the on-chip storage space, and updating the key to be read next time;
when data is written into the off-chip storage space by the current program, generating verification information from the storage parameters of the data, where the storage parameters include the storage address information and storage time information of the data in the off-chip storage space;
encrypting the verification information with the key to obtain encrypted verification information, storing the encrypted verification information in the off-chip storage space, and storing the key and the storage time information in a verification area of the on-chip storage space;
when the current program reads data from the off-chip storage space, reading the encrypted verification information corresponding to the data from the off-chip storage space;
reading the key and the storage time information from the verification area, and encrypting, with the key, the storage address information obtained at read time together with the storage time information read from the verification area, to obtain reference verification information;
and comparing the reference verification information with the read encrypted verification information, and confirming the safety of the data according to the comparison result.
Further, the off-chip storage space comprises a plurality of program spaces, and each program is stored as a whole in one program space;
the loading the current program from the off-chip storage space, reading the key corresponding to the current program from the on-chip storage space, and updating the key to be read next time includes:
loading the current program from the off-chip storage space, and reading the key corresponding to the current program from the on-chip storage space according to the program identifier of the current program.
Further, the off-chip storage space comprises a plurality of program spaces, and each program is stored as a whole in one program space;
the loading the current program from the off-chip storage space, reading the key corresponding to the current program from the on-chip storage space, and updating the key to be read next time includes:
loading the current program from the off-chip storage space, and, according to the space identifier of the program space in which the current program is located, reading the key currently corresponding to that program space from the on-chip storage space as the key corresponding to the current program.
Further, the on-chip storage space holds a plurality of keys;
the loading the current program from the off-chip storage space, reading the key corresponding to the current program from the on-chip storage space, and updating the key to be read next time includes:
selecting, by a random algorithm, a key different from the currently read key from among the plurality of keys, and setting the selected key as the key to be read next time.
Further, the on-chip storage space also stores a number of uses for each key;
the loading the current program from the off-chip storage space, reading the key corresponding to the current program from the on-chip storage space, and updating the key to be read next time further includes:
updating the number of uses.
Further, after updating the number of uses, the method further includes:
when the number of uses of a key reaches a preset service life, deleting that key and adding a new key different from the existing keys.
Further, when data is written into the off-chip storage space by the current program and verification information is generated from the storage parameters of the data, where the storage parameters include the storage address information and storage time information of the data in the off-chip storage space, the method further includes:
encrypting program storage information with the key to obtain program verification information, storing the program verification information in the off-chip storage space, and storing the program storage information in the verification area;
correspondingly, before loading the current program from the off-chip storage space, reading the key corresponding to the current program from the on-chip storage space, and updating the key to be read next time, the method further includes:
reading the program verification information and the real-time storage information of the current program from the off-chip storage space, and reading the key and the program storage information from the verification area;
encrypting the real-time storage information and the program storage information separately with the key to obtain real-time verification information and original verification information;
and confirming that the real-time verification information, the original verification information and the program verification information all match.
In a second aspect, an embodiment of the present invention provides an isolated dynamic protection device for an embedded system, including:
a data loading unit, configured to load the current program from the off-chip storage space, read the key corresponding to the current program from the on-chip storage space, and update the key to be read next time;
a write initialization unit, configured to generate verification information from the storage parameters of data when the data is written into the off-chip storage space by the current program, where the storage parameters include the storage address information and storage time information of the data in the off-chip storage space;
a data writing unit, configured to encrypt the verification information with the key to obtain encrypted verification information, store the encrypted verification information in the off-chip storage space, and store the key and the storage time information in a verification area of the on-chip storage space;
a data reading unit, configured to read, when data is read from the off-chip storage space by the current program, the encrypted verification information corresponding to the data from the off-chip storage space;
a verification initialization unit, configured to read the key and the storage time information from the verification area, and encrypt, with the key, the storage address information obtained at read time together with the read storage time information, to obtain reference verification information;
and a data comparison unit, configured to compare the reference verification information with the read encrypted verification information and confirm the safety of the data according to the comparison result.
Further, the off-chip storage space comprises a plurality of program spaces, and each program is stored as a whole in one program space;
the data loading unit comprises:
a first loading module, configured to load the current program from the off-chip storage space and read the key corresponding to the current program from the on-chip storage space according to the program identifier of the current program.
Further, the off-chip storage space comprises a plurality of program spaces, and each program is stored as a whole in one program space;
the data loading unit comprises:
a second loading module, configured to load the current program from the off-chip storage space and, according to the space identifier of the program space in which the current program is located, read the key currently corresponding to that program space from the on-chip storage space as the key corresponding to the current program.
Further, the on-chip storage space holds a plurality of keys;
the data loading unit comprises:
a key updating module, configured to select, by a random algorithm, a key different from the currently read key from among the plurality of keys and set the selected key as the key to be read next time.
Further, the on-chip storage space also stores a number of uses for each key;
the data loading unit further comprises:
a count updating module, configured to update the number of uses.
Further, the isolated dynamic protection device of the embedded system further includes:
a key replacing unit, configured to delete a key and add a new key different from the existing keys when the number of uses of that key reaches a preset service life.
Further, the isolated dynamic protection device of the embedded system further includes:
a verification information generating unit, configured to encrypt program storage information with the key to obtain program verification information, store the program verification information in the off-chip storage space, and store the program storage information in the verification area;
correspondingly, the isolated dynamic protection device of the embedded system further comprises:
a program information reading unit, configured to read the program verification information and the real-time storage information of the current program from the off-chip storage space, and read the key and the program storage information from the verification area;
a program information encryption unit, configured to encrypt the real-time storage information and the program storage information separately with the key to obtain real-time verification information and original verification information;
and a program information checking unit, configured to confirm that the real-time verification information, the original verification information and the program verification information all match.
In a third aspect, an embodiment of the present invention further provides a computing device, including:
one or more processors;
a memory for storing one or more programs;
where, when the one or more programs are executed by the one or more processors, the computing device is caused to implement the isolated dynamic protection method for an embedded system according to any one of the first aspect.
In a fourth aspect, an embodiment of the present invention further provides a storage medium storing computer-executable instructions which, when executed by a computer processor, perform the isolated dynamic protection method for an embedded system according to any one of the first aspect.
According to the isolated dynamic protection method, device, equipment and storage medium of the embedded system, the current program is loaded from the off-chip storage space, the key corresponding to the current program is read from the on-chip storage space, and the key to be read next time is updated; when data is written into the off-chip storage space by the current program, verification information is generated from the storage parameters of the data, which include the storage address information and storage time information of the data in the off-chip storage space; the verification information is encrypted with the key to obtain encrypted verification information, which is stored in the off-chip storage space, while the key and the storage time information are stored in a verification area of the on-chip storage space; when the current program reads data from the off-chip storage space, the encrypted verification information corresponding to the data is read from the off-chip storage space; the key and the storage time information are read from the verification area, and the storage address information obtained at read time is encrypted together with the read storage time information under the key to obtain reference verification information; and the reference verification information is compared with the read encrypted verification information, and the safety of the data is confirmed according to the comparison result. Through keys held on-chip and dynamically configured for different programs, the data handled by each program is protected independently and dynamically, and leakage of one program's key no longer leaks the information of all programs.
Drawings
Fig. 1 is a flowchart of an isolated dynamic protection method for an embedded system according to an embodiment of the present invention;
fig. 2 is a schematic key configuration diagram of an isolated dynamic protection method for an embedded system according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an isolated dynamic protection device of an embedded system according to a second embodiment of the present invention;
fig. 4 is a schematic structural diagram of a computing device according to a third embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are for purposes of illustration and not limitation. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
It should be noted that, for the sake of brevity, this description does not exhaust all alternative embodiments, and it should be understood by those skilled in the art after reading this description that any combination of features may constitute an alternative embodiment as long as the features are not mutually inconsistent.
The following examples are described in detail.
Example one
Fig. 1 is a flowchart of an isolated dynamic protection method for an embedded system according to an embodiment of the present invention. The method provided in this embodiment may be performed by various computing devices based on an embedded system; such a computing device may be implemented in software and/or hardware, and may consist of one physical entity or of two or more physical entities.
Referring to fig. 1, a method for isolated dynamic protection of an embedded system in an embodiment of the present invention includes:
Step S110: loading the current program from the off-chip storage space, reading the key corresponding to the current program from the on-chip storage space, and updating the key to be read next time.
In a device based on an embedded system, the on-chip storage space is generally regarded as a trusted space: as a whole it can resist attacks mounted off-chip and on the bus, and it protects the confidentiality and integrity of system-on-chip data. However, the storage and computation resources of an embedded processor are limited by the hardware itself; adding a complex security mechanism to the processor would affect the basic functions of the whole embedded system and bring unnecessary hardware overhead, so the resources the system-on-chip spends outside its core services should be kept as low as possible. The off-chip storage space, by contrast, usually exchanges more data with the outside world and is configured readable and writable, so it is regarded as an untrusted space.
In this scheme the programs are stored as a whole in the off-chip storage space, so a program that is about to run is initially in the off-chip storage space. To secure data in the untrusted space, the scheme dynamically assigns a key to the current program, which is used to provide integrity protection for data written to and read from the untrusted space, so that tampering with data in the off-chip storage space can be detected and the security of the embedded system's data is improved. The key is kept in the on-chip storage space, which is a trusted space, so the security of the key itself is effectively guaranteed; the key corresponding to the current program changes dynamically, and two runs of the same program use different keys, so the data security requirement of each run is supported independently.
Step S120: when data is written into the off-chip storage space by the current program, generating verification information from the storage parameters of the data, where the storage parameters include the storage address information and storage time information of the data in the off-chip storage space.
When a program writes data into the off-chip storage space, the critical information about how the data is stored must be captured. This information is normally unique and sensitive, and a malicious attack is likely to change it, so the scheme bases the integrity and safety of the data on this critical storage information, which here consists mainly of the storage address information and storage time information of the data.
Step S130: encrypting the verification information with the key to obtain encrypted verification information, storing the encrypted verification information in the off-chip storage space, and storing the key and the storage time information in a verification area of the on-chip storage space.
The critical storage information of the data is encrypted with the key to obtain the encrypted verification information, which as a whole records the initial storage state and is stored directly in the off-chip storage space together with the data. At the same time the storage time information and the key are stored in the verification area of the on-chip storage space, for later comparison with the encrypted verification information.
Step S140: when the current program reads data from the off-chip storage space, reading the encrypted verification information corresponding to the data from the off-chip storage space.
The encrypted verification information was written when the data was written into the off-chip storage space; when the data is read, the previously stored encrypted verification information is read along with it.
Step S150: reading the key and the storage time information from the verification area, and encrypting, with the key, the storage address information obtained at read time together with the read storage time information, to obtain reference verification information.
Step S160: comparing the reference verification information with the read encrypted verification information, and confirming the safety of the data according to the comparison result.
Data in the on-chip storage space is regarded as trusted. For data in the off-chip storage space, if the data has not been altered by an attack, its storage address is still the original storage address; encrypting that storage address information together with the storage time information kept in the on-chip storage space under the key yields the reference verification information, and if none of the information or the key has changed, the reference verification information is identical to the encrypted verification information, which confirms that the data is safe. Conversely, if the reference verification information and the encrypted verification information differ, the data is confirmed to have been altered by a malicious attack and a defence mechanism is triggered.
With this scheme, at essentially no increase in the storage and processing burden of the on-chip storage space, each program is guaranteed its own dynamic-key security mechanism, each program's ability to withstand malicious attacks is improved, and even if one program's key is leaked, the other programs cannot be cracked along with it.
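The write/read flow of steps S110 to S160, as an added example that is not part of the patent (a Python simulation, not the patentee's implementation). It assumes HMAC-SHA256 as the keyed function the patent calls "encrypting with the key", models the two storage spaces as dictionaries, and, as an extension the text does not spell out, feeds the data bytes into the tag alongside the address and time so that an in-place change of the payload is also caught. The key, addresses and timestamps are constructed sample values.

```python
import hashlib
import hmac

# Constructed simulation of the two storage regions. Off-chip memory is the
# attacker-writable region; the on-chip verification area is trusted.
OFF_CHIP = {}        # address -> (data, encrypted verification information)
VERIFY_AREA = {}     # address -> (key, storage time information)


def verification_tag(key, address, store_time, data):
    """Keyed function over the storage parameters of one write.

    HMAC-SHA256 is this example's choice of keyed primitive (assumption).
    Including the data bytes is an extension: address and time alone would
    not reveal a payload that was modified in place.
    """
    msg = address.to_bytes(4, "big") + store_time.to_bytes(8, "big") + data
    return hmac.new(key, msg, hashlib.sha256).digest()


def write_data(key, address, data, store_time):
    """Steps S120/S130: tag the write, keep the tag off-chip beside the data,
    keep the key and the storage time on-chip."""
    tag = verification_tag(key, address, store_time, data)
    OFF_CHIP[address] = (data, tag)
    VERIFY_AREA[address] = (key, store_time)


def read_data(address):
    """Steps S140-S160: rebuild the reference verification information from the
    on-chip key and time plus the address actually being read, and compare it
    with the tag that came back from off-chip memory."""
    if address not in OFF_CHIP or address not in VERIFY_AREA:
        return None
    data, stored_tag = OFF_CHIP[address]
    key, store_time = VERIFY_AREA[address]
    reference = verification_tag(key, address, store_time, data)
    if not hmac.compare_digest(reference, stored_tag):
        return None        # verification failed: do not use the data
    return data


def attack_scenarios():
    """Three off-chip manipulations the check is meant to catch.
    Key, addresses and timestamps are constructed sample values."""
    OFF_CHIP.clear()
    VERIFY_AREA.clear()
    key = bytes.fromhex("5d2c3e8f9a1b4c6d7e8f9a0b1c2d3e4f")   # per-program key
    results = {}

    write_data(key, 0x1000, b"calibration table v1", store_time=100)
    results["clean"] = read_data(0x1000)

    # 1. modify the payload in place, leave the tag untouched
    _, tag = OFF_CHIP[0x1000]
    OFF_CHIP[0x1000] = (b"calibration table v9", tag)
    results["modified"] = read_data(0x1000)

    # 2. copy a valid (data, tag) pair over another valid block
    write_data(key, 0x1000, b"calibration table v1", store_time=101)
    write_data(key, 0x2000, b"limits", store_time=102)
    OFF_CHIP[0x2000] = OFF_CHIP[0x1000]
    results["relocated"] = read_data(0x2000)

    # 3. replay a stale block after the program has overwritten it
    stale = OFF_CHIP[0x1000]
    write_data(key, 0x1000, b"calibration table v2", store_time=103)
    OFF_CHIP[0x1000] = stale
    results["replayed"] = read_data(0x1000)
    return results


if __name__ == "__main__":
    for name, value in attack_scenarios().items():
        print(f"{name:10s} -> {'accepted' if value else 'rejected'}")
```

The three scenarios show what each input to the tag buys: the address binds the tag to its location, the on-chip copy of the storage time defeats replay of a stale block, and the per-program key means a tag forged for one program's data is worthless for another. The storage time is read back from the on-chip verification area, never from off-chip memory; if the timestamp were stored beside the data, an attacker could replay data, timestamp and tag together.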
In one specific implementation, the off-chip storage space comprises a plurality of program spaces, each program being stored as a whole in one program space; step S110 may include step S111:
Step S111: loading the current program from the off-chip storage space, and reading the key corresponding to the current program from the on-chip storage space according to the program identifier of the current program.
In this embodiment each program is stored as a whole in one program space and each program corresponds to a set of keys; the set of keys may be the same for different programs, but each program's key selection is updated separately. As shown in fig. 2, the off-chip storage space 100 has five program spaces, each storing one program, and all programs share one set of keys in the on-chip storage space 200; in the most recent period the first, second and fourth of the five programs ran in turn as the current program, using the third, second and first key of the set respectively.
In another specific implementation, the off-chip storage space comprises a plurality of program spaces, each program being stored as a whole in one program space; step S110 may include step S112:
Step S112: loading the current program from the off-chip storage space, and, according to the space identifier of the program space in which the current program is located, reading the key currently corresponding to that program space from the on-chip storage space as the key corresponding to the current program.
In this embodiment each program space corresponds to a set of keys, and when a program in a program space runs, the key corresponding to the current program is determined by the key updating sequence of that program space as a whole.
As for the keys, the on-chip storage space may hold a plurality of keys; step S110 may include step S113:
Step S113: selecting, by a random algorithm, a key different from the currently read key from among the plurality of keys, and setting the selected key as the key to be read next time.
Selecting the next key by a random algorithm is one optional implementation; in a concrete implementation the switch may instead follow a set rule.
The scheme can also record the usage state of each key, i.e. the on-chip storage space stores a number of uses for each key; step S110 may include step S114:
Step S114: updating the number of uses.
Updating the number of uses allows the usage of each key to be evaluated; combined with the rate at which the count grows, it can also be used to judge whether an abnormal increase in the count was caused by an attack.
On the basis of the recorded usage state, a key may also be replaced in step S115:
Step S115: when the number of uses of a key reaches a preset service life, deleting that key and adding a new key different from the existing keys.
To keep data secure, keys can be deleted and added based on their number of uses, avoiding the loss of security that comes with a key being used beyond its service life.
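Steps S111 to S115 as an added example, not part of the patent: a constructed on-chip key store that binds a key slot to an identifier (the program identifier for S111 or the program-space identifier for S112), picks a different key at random for the next load (S113), counts uses (S114) and retires a key after a preset service life (S115). The pool size, key length and service life are constructed values; the patent does not fix them.

```python
import random
import secrets

KEY_LEN = 16        # bytes; constructed value
SERVICE_LIFE = 3    # uses before a key is retired; constructed value


class OnChipKeyStore:
    """Simulation of the on-chip key area: a pool of keys, a use counter per
    key, and the pool slot currently bound to each identifier. The identifier
    is the program identifier (step S111) or the program-space identifier
    (step S112); the store does not care which."""

    def __init__(self, pool_size, rng=None):
        if pool_size < 2:
            raise ValueError("need at least two keys to rotate between")
        self.rng = rng or random.SystemRandom()
        self.keys = [secrets.token_bytes(KEY_LEN) for _ in range(pool_size)]
        self.uses = [0] * pool_size
        self.slot = {}      # identifier -> index of the key for the next load

    def _fresh_key(self):
        """Step S115: a replacement that differs from every key still held."""
        while True:
            candidate = secrets.token_bytes(KEY_LEN)
            if candidate not in self.keys:
                return candidate

    def load(self, ident):
        """Step S110 for one program load: hand out the key bound to `ident`,
        count the use (S114), retire the key if it has reached its service
        life (S115), and bind a different key for the next load (S113)."""
        idx = self.slot.get(ident, 0)
        key = self.keys[idx]
        self.uses[idx] += 1
        if self.uses[idx] >= SERVICE_LIFE:
            self.keys[idx] = self._fresh_key()
            self.uses[idx] = 0
        others = [i for i in range(len(self.keys)) if i != idx]
        self.slot[ident] = self.rng.choice(others)
        return key


def rotation_demo():
    """Six consecutive loads of one program against a two-key pool, enough for
    both keys to reach SERVICE_LIFE and be replaced. Seeded RNG for repeatability."""
    store = OnChipKeyStore(pool_size=2, rng=random.Random(1))
    original_pool = list(store.keys)
    handed_out = [store.load("prog-A") for _ in range(6)]
    return {
        "no_consecutive_reuse": all(a != b for a, b in zip(handed_out, handed_out[1:])),
        "distinct_keys_used": len(set(handed_out)),
        "original_keys_still_in_pool": sum(k in store.keys for k in original_pool),
    }


if __name__ == "__main__":
    print(rotation_demo())
```

With a pool of two keys the "random" choice is forced, which makes the trace easy to follow: the two keys alternate, each is handed out three times, and on its third use each is replaced, so after six loads none of the original pool remains. A larger pool gives the random selection of S113 room to work while still never handing the same key to two consecutive loads of one identifier.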
In addition to the isolation protection of data, the program itself can be given isolation protection: step S131 is added after step S130, and correspondingly steps S101 to S103 are added before step S110, so that isolation protection of the program itself is fully implemented:
Step S131: encrypting program storage information with the key to obtain program verification information, storing the program verification information in the off-chip storage space, and storing the program storage information in the verification area.
Step S101: reading the program verification information and the real-time storage information of the current program from the off-chip storage space, and reading the key and the program storage information from the verification area.
Step S102: encrypting the real-time storage information and the program storage information separately with the key to obtain real-time verification information and original verification information.
Step S103: confirming that the real-time verification information, the original verification information and the program verification information all match.
This program verification process is essentially the same as the data verification process, but the program itself has higher security requirements than the data, so a comprehensive match of the real-time verification information, the original verification information and the program verification information is required. Only when step S103 confirms a complete match does the scheme proceed to load and run the program; if any one of them does not match, the subsequent data loading and data read/write processes are not performed. Likewise, if data verification fails during reading or writing, subsequent processing is not performed and the corresponding security mechanism is triggered; the specific strategy by which an embedded system responds to a malicious attack is not the focus of this scheme and is not described further here.
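The program check of steps S131 and S101 to S103, as an added example that is not the patentee's code. What the patent calls "program storage information" is not enumerated in the text; here it is assumed to be the program-space identifier, the image length and a SHA-256 digest of the image, and HMAC-SHA256 stands in for "encrypting with the key". Images and keys are constructed.

```python
import hashlib
import hmac

OFF_CHIP_PROGRAMS = {}   # space id -> (program image, program verification information)
VERIFY_AREA = {}         # space id -> (key, program storage information)


def storage_information(space_id, image):
    """'Program storage information' as this example defines it: the program
    space identifier, the image length and a digest of the image. The patent
    does not enumerate the fields, so this layout is an assumption."""
    return (space_id.to_bytes(2, "big") + len(image).to_bytes(4, "big")
            + hashlib.sha256(image).digest())


def encrypt_info(key, info):
    # Keyed primitive chosen for this example; the patent only says "encrypt with the key".
    return hmac.new(key, info, hashlib.sha256).digest()


def install_program(key, space_id, image):
    """Step S131: the program verification information goes off-chip beside the
    image; the plain program storage information goes into the on-chip area."""
    info = storage_information(space_id, image)
    OFF_CHIP_PROGRAMS[space_id] = (image, encrypt_info(key, info))
    VERIFY_AREA[space_id] = (key, info)


def load_program(space_id):
    """Steps S101-S103: recompute the real-time storage information from the
    image as found off-chip, encrypt it and the stored original under the key,
    and require all three values to agree before the image is run."""
    image, program_verification = OFF_CHIP_PROGRAMS[space_id]            # S101
    key, original_info = VERIFY_AREA[space_id]
    real_time = encrypt_info(key, storage_information(space_id, image))  # S102
    original = encrypt_info(key, original_info)
    if not (hmac.compare_digest(real_time, original)                     # image unchanged
            and hmac.compare_digest(original, program_verification)):    # off-chip tag unchanged
        return None                                                      # S103 failed: do not load
    return image


def load_scenarios():
    """Constructed images and keys; two program spaces, each with its own key."""
    OFF_CHIP_PROGRAMS.clear()
    VERIFY_AREA.clear()
    key_a, key_b = bytes.fromhex("00" * 16), bytes.fromhex("ff" * 16)
    install_program(key_a, 1, b"\x7fELF-image-A")
    install_program(key_b, 2, b"\x7fELF-image-B")
    results = {"clean": load_program(1)}

    # 1. attacker patches the image but cannot recompute the tag
    image, tag = OFF_CHIP_PROGRAMS[1]
    OFF_CHIP_PROGRAMS[1] = (image.replace(b"image-A", b"image-X"), tag)
    results["patched"] = load_program(1)

    # 2. attacker swaps the whole (image, tag) pair of space 2 into space 1
    OFF_CHIP_PROGRAMS[1] = OFF_CHIP_PROGRAMS[2]
    results["swapped"] = load_program(1)

    # 3. attacker replaces only the off-chip tag (here with space 2's tag)
    install_program(key_a, 1, b"\x7fELF-image-A")
    OFF_CHIP_PROGRAMS[1] = (OFF_CHIP_PROGRAMS[1][0], OFF_CHIP_PROGRAMS[2][1])
    results["tag_replaced"] = load_program(1)
    return results


if __name__ == "__main__":
    for name, image in load_scenarios().items():
        print(f"{name:13s} -> {'run' if image else 'refused'}")
```

The three-way comparison separates two failure causes: real-time versus original catches a changed image or an image moved to another space, while original versus the off-chip program verification information catches a replaced tag or a key that no longer matches. Because keys rotate between loads (step S110), the key that produced the program verification information has to be the one kept in the verification area at install time, which is what the simulation does.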
In the above isolation dynamic protection method for an embedded system, the current program is loaded from the off-chip storage space, the key corresponding to the current program is read from the on-chip storage space, and the key to be read next time is updated; when data is written into the off-chip storage space by the current program, verification information is generated according to the storage parameters of the data, the storage parameters comprising the storage address information and storage time information of the data in the off-chip storage space; the verification information is encrypted according to the key to obtain encrypted verification information, the encrypted verification information is stored in the off-chip storage space, and the key and the storage time information are stored in the verification area of the on-chip storage space; when the current program reads the data from the off-chip storage space, the encrypted verification information corresponding to the data is read from the off-chip storage space; the key and the storage time information are read from the verification area, and the storage address information obtained when the data is read is encrypted together with the read storage time information according to the key to obtain reference verification information; and the reference verification information is compared with the read encrypted verification information, and the security of the data is confirmed according to the comparison result. Independent dynamic protection of the data handled by each program is achieved through keys that are stored on-chip and dynamically assigned per program, so that the leakage of one program's key does not expose all information of all programs.
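The data protection flow summarized in the preceding paragraph (steps S110 to S160) and the program self-check described above (steps S131 and S101 to S103), as an added example that is not part of the patent: a Python model of the scheme with the on-chip and off-chip storage spaces as plain dictionaries. The patent says the verification information is "encrypted according to the key"; since the result is only ever compared and never decrypted, the example substitutes HMAC-SHA256 as the keyed transform. The monotonic counter standing in for storage time, SHA-256 of the image as the "program storage information", the pool of four keys, the service life of three uses, the program identifier `app1`, the addresses and the data values are all assumptions of the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KEY_LIFETIME = 3  # assumed "preset service life": loads a key serves before it is retired


def keyed_check(key: bytes, *parts: bytes) -> bytes:
    # The claims "encrypt" the check info with the key; a tag that is only compared, never
    # decrypted, is a MAC, so HMAC-SHA256 stands in here. Length prefixes keep fields distinct.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


class IsolatedSystem:
    def __init__(self, n_keys: int = 4):
        self.keys = {i: secrets.token_bytes(32) for i in range(n_keys)}  # on-chip key pool
        self.uses = {i: 0 for i in range(n_keys)}                        # on-chip usage counts
        self.next_key, self.active = {}, {}           # pid -> key id for next load / (id, key) in use
        self.verify_area, self.program_info = {}, {}  # on-chip: (pid, addr) -> (key, time); pid -> (key, info)
        self.programs, self.program_tags = {}, {}     # off-chip program spaces and their tags
        self.data, self.data_tags = {}, {}            # off-chip data and its encrypted check info
        self.clock = 0                                # assumed storage-time source: monotonic counter

    def _tag_program(self, pid: str, key: bytes) -> None:
        # S131: seal the program storage information (assumed: SHA-256 of the image) under the key.
        info = hashlib.sha256(self.programs[pid]).digest()
        self.program_tags[pid] = keyed_check(key, info)  # program verification info, off-chip
        self.program_info[pid] = (key, info)             # key and storage info, on-chip

    def install_program(self, pid: str, image: bytes) -> None:
        self.programs[pid] = image
        self.next_key[pid] = secrets.choice(list(self.keys))
        self._tag_program(pid, self.keys[self.next_key[pid]])

    def verify_program(self, pid: str) -> bool:
        # S101-S103: real-time, original and stored program verification info must all agree.
        key, info = self.program_info[pid]
        live = keyed_check(key, hashlib.sha256(self.programs[pid]).digest())
        orig = keyed_check(key, info)
        return hmac.compare_digest(live, orig) and hmac.compare_digest(orig, self.program_tags[pid])

    def load_program(self, pid: str) -> bool:
        if not self.verify_program(pid):  # no complete match, no load
            return False
        kid = self.next_key[pid]          # S110: read the key assigned to this program
        if kid not in self.keys:          # its key was retired by another program's load
            kid = secrets.choice(list(self.keys))
        key = self.keys[kid]
        self.active[pid] = (kid, key)
        self.uses[kid] += 1
        if self.uses[kid] >= KEY_LIFETIME:  # claim 6: delete the worn-out key, add a fresh one
            del self.keys[kid], self.uses[kid]
            new_id = max(self.keys) + 1
            self.keys[new_id], self.uses[new_id] = secrets.token_bytes(32), 0
        self.next_key[pid] = secrets.choice([k for k in self.keys if k != kid])  # claim 4: rotate
        self._tag_program(pid, key)
        return True

    def write_data(self, pid: str, addr: int, payload: bytes) -> None:
        # S120-S130: check info from (address, time); tag stored off-chip, key and time on-chip.
        _, key = self.active[pid]
        self.clock += 1
        t = self.clock.to_bytes(8, "big")
        self.data[addr] = payload
        self.data_tags[addr] = keyed_check(key, addr.to_bytes(4, "big"), t)
        self.verify_area[(pid, addr)] = (key, t)

    def read_data(self, pid: str, addr: int) -> Optional[bytes]:
        # S140-S160: rebuild the reference check from the on-chip key and time, then compare;
        # on a mismatch the data is not returned (fail closed).
        key, t = self.verify_area[(pid, addr)]
        reference = keyed_check(key, addr.to_bytes(4, "big"), t)
        if not hmac.compare_digest(reference, self.data_tags[addr]):
            return None
        return self.data[addr]


def demo() -> dict:
    # Normal round trip, a replayed (data, tag) pair, and a patched program image.
    s = IsolatedSystem()
    s.install_program("app1", b"constructed firmware image A")  # constructed sample image
    s.load_program("app1")
    s.write_data("app1", 0x1000, b"v1")
    old = (s.data[0x1000], s.data_tags[0x1000])
    s.write_data("app1", 0x1000, b"v2")        # same address, later storage time
    s.data[0x1000], s.data_tags[0x1000] = old   # attacker restores v1 together with its old tag
    replay_caught = s.read_data("app1", 0x1000) is None
    s.write_data("app1", 0x2000, b"v3")
    round_trip = s.read_data("app1", 0x2000)
    s.programs["app1"] += b"\x90"               # image patched in off-chip flash
    patch_caught = not s.load_program("app1")
    return {"round_trip": round_trip, "replay_caught": replay_caught, "patch_caught": patch_caught}
```

Two points worth checking against the claims. First, as in claim 1, the check covers the storage address and the storage time only; that is exactly what catches the replay in `demo()`, because the on-chip copy of the time has moved on while the restored off-chip tag still carries the old one. A change to the data bytes at an address is not itself covered unless a digest of the payload is added to the parts passed to `keyed_check`; the example keeps to what the claim states. Second, claim 6 deletes a key from a pool that other programs may already have been assigned for their next load, which is why `load_program` falls back to a fresh choice when its assigned key id no longer exists; the verification area keeps a copy of the key bytes, so data and programs sealed under a retired key remain verifiable. Comparisons go through `hmac.compare_digest` so the check does not leak timing.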
Example two
Fig. 3 is a schematic structural diagram of an isolated dynamic protection device of an embedded system according to a second embodiment of the present invention. Referring to fig. 3, the isolated dynamic protection apparatus of the embedded system includes: a data loading unit 210, a write initialization unit 220, a data writing unit 230, a data reading unit 240, a verification initialization unit 250, and a data comparison unit 260.
The data loading unit 210 is configured to load a current program from an off-chip storage space, read a key corresponding to the current program from the on-chip storage space, and update the key to be read next time; the write initialization unit 220 is configured to generate, when data is written into the off-chip storage space by the current program, verification information according to storage parameters of the data, where the storage parameters include storage address information and storage time information of the data in the off-chip storage space; the data writing unit 230 is configured to encrypt the verification information according to the key to obtain encrypted verification information, store the encrypted verification information in the off-chip storage space, and store the key and the storage time information in a verification area of the on-chip storage space; the data reading unit 240 is configured to read, when the current program reads the data from the off-chip storage space, the encrypted verification information corresponding to the data from the off-chip storage space; the verification initialization unit 250 is configured to read the key and the storage time information from the verification area, and to encrypt, according to the key, the storage address information obtained when the data is read together with the read storage time information to obtain reference verification information; and the data comparison unit 260 is configured to compare the reference verification information with the read encrypted verification information and confirm the security of the data according to the comparison result.
On the basis of the above embodiment, the off-chip storage space includes a plurality of program spaces, and an entire program is stored in one program space;
the data loading unit 210 includes:
a first loading module, configured to load the current program from the off-chip storage space and read the key corresponding to the current program from the on-chip storage space according to the program identifier of the current program.
On the basis of the above embodiment, the off-chip storage space includes a plurality of program spaces, and an entire program is stored in one program space;
the data loading unit 210 includes:
a second loading module, configured to load the current program from the off-chip storage space and, according to the space identifier of the program space in which the current program is located, read the key currently corresponding to that program space from the on-chip storage space as the key corresponding to the current program.
On the basis of the above embodiment, the on-chip storage space holds a plurality of keys;
the data loading unit 210 includes:
a key updating module, configured to select, according to a random algorithm, a key different from the currently read key from the plurality of keys, and to set the selected key as the key to be read next time.
On the basis of the above embodiment, the on-chip storage space further correspondingly stores the number of times of use corresponding to each key;
the data loading unit 210 further includes:
and the times updating module is used for updating the using times.
On the basis of the above embodiment, the isolated dynamic protection device of the embedded system further includes:
and the key replacing unit is used for deleting the key and newly adding a key different from the existing key when the using times of the key reach the preset service life.
On the basis of the above embodiment, the isolated dynamic protection device of the embedded system further includes:
a verification information generating unit, configured to encrypt program storage information according to the key to obtain program verification information, store the program verification information in the off-chip storage space, and store the program storage information in the verification area;
correspondingly, the isolation dynamic protection device of the embedded system further comprises:
a program information reading unit, configured to read the program verification information and the real-time storage information of the current program from the off-chip storage space, and read the key and the program storage information from the verification area;
a program information encryption unit, configured to encrypt the real-time storage information and the program storage information respectively according to the key to obtain real-time verification information and original verification information;
and a program information verification unit, configured to confirm that the real-time verification information, the original verification information and the program verification information all match.
The isolation dynamic protection device for an embedded system provided by this embodiment of the invention is included in a computing device, can be used to execute the isolation dynamic protection method for an embedded system provided by any of the first embodiment, and has the corresponding functions and beneficial effects.
EXAMPLE III
Fig. 4 is a schematic structural diagram of a computing device according to a third embodiment of the present invention, as shown in the figure, the computing device includes a processor 310 and a memory 320, and may further include an input device 330, an output device 340, and a communication device 350; the number of processors 310 in the computing device may be one or more, and one processor 310 is taken as an example in fig. 4; the processor 310, the memory 320, the input device 330, the output device 340, and the communication device 350 in the computing apparatus may be connected by a bus or other means, and fig. 4 illustrates an example of connection by a bus.
The memory 320 is a computer-readable storage medium, and can be used to store software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the isolated dynamic protection method of the embedded system in the embodiment of the present invention (for example, the data loading unit 210, the write initialization unit 220, the data writing unit 230, the data reading unit 240, the verification initialization unit 250, and the data comparison unit 260 in the isolated dynamic protection apparatus of the embedded system). The processor 310 executes various functional applications and data processing of the terminal device by executing software programs, instructions and modules stored in the memory 320, that is, implements the isolated dynamic protection method of the embedded system described above.
The memory 320 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal device, and the like. Further, the memory 320 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, memory 320 may further include memory located remotely from processor 310, which may be connected to the terminal device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 330 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the terminal apparatus. The output device 340 may include a display device such as a display screen.
The terminal device comprises the isolation dynamic protection device for an embedded system, can be used to execute the isolation dynamic protection method for an embedded system of any embodiment, and has the corresponding functions and beneficial effects.
Example four
Embodiments of the present invention further provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements related operations in the isolated dynamic protection method for an embedded system provided in any embodiment of the present application, and has corresponding functions and beneficial effects.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product.
Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks. 
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory. The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. An isolation dynamic protection method for an embedded system, characterized by comprising the following steps:
loading a current program from an off-chip storage space, reading a key corresponding to the current program from an on-chip storage space, and updating the key to be read next time;
when data is written into the off-chip storage space by the current program, generating verification information according to storage parameters of the data, wherein the storage parameters comprise storage address information and storage time information of the data in the off-chip storage space;
encrypting the verification information according to the key to obtain encrypted verification information, storing the encrypted verification information in the off-chip storage space, and storing the key and the storage time information in a verification area of the on-chip storage space;
when the current program reads the data from the off-chip storage space, reading the encrypted verification information corresponding to the data from the off-chip storage space;
reading the key and the storage time information from the verification area, and encrypting, according to the key, the storage address information obtained when the data is read together with the read storage time information to obtain reference verification information;
and comparing the reference verification information with the read encrypted verification information, and confirming the security of the data according to the comparison result.
2. The isolation dynamic protection method for an embedded system according to claim 1, wherein the off-chip storage space comprises a plurality of program spaces, and an entire program is stored in one program space;
the loading a current program from an off-chip storage space, reading a key corresponding to the current program from an on-chip storage space, and updating the key to be read next time comprises:
loading the current program from the off-chip storage space, and reading the key corresponding to the current program from the on-chip storage space according to a program identifier of the current program.
3. The isolation dynamic protection method for an embedded system according to claim 1, wherein the off-chip storage space comprises a plurality of program spaces, and an entire program is stored in one program space;
the loading a current program from an off-chip storage space, reading a key corresponding to the current program from an on-chip storage space, and updating the key to be read next time comprises:
loading the current program from the off-chip storage space, and, according to a space identifier of the program space in which the current program is located, reading the key currently corresponding to that program space from the on-chip storage space as the key corresponding to the current program.
4. The isolation dynamic protection method for an embedded system according to any one of claims 1 to 3, wherein the on-chip storage space holds a plurality of keys;
the loading a current program from an off-chip storage space, reading a key corresponding to the current program from an on-chip storage space, and updating the key to be read next time comprises:
selecting, according to a random algorithm, a key different from the currently read key from the plurality of keys, and setting the selected key as the key to be read next time.
5. The isolation dynamic protection method for an embedded system according to claim 4, wherein the on-chip storage space further stores, for each key, a corresponding number of times of use;
the loading a current program from an off-chip storage space, reading a key corresponding to the current program from an on-chip storage space, and updating the key to be read next time further comprises:
updating the number of times of use.
6. The isolation dynamic protection method for an embedded system according to claim 5, further comprising, after updating the number of times of use:
when the number of times of use of a key reaches a preset service life, deleting the key and adding a new key different from the existing keys.
7. The isolation dynamic protection method for an embedded system according to claim 1, wherein, after the step of generating verification information according to storage parameters of the data when data is written into the off-chip storage space by the current program, the storage parameters comprising storage address information and storage time information of the data in the off-chip storage space, the method further comprises:
encrypting program storage information according to the key to obtain program verification information, storing the program verification information in the off-chip storage space, and storing the program storage information in the verification area;
and correspondingly, before the step of loading a current program from an off-chip storage space, reading a key corresponding to the current program from an on-chip storage space, and updating the key to be read next time, the method further comprises:
reading the program verification information and real-time storage information of the current program from the off-chip storage space, and reading the key and the program storage information from the verification area;
encrypting the real-time storage information and the program storage information respectively according to the key to obtain real-time verification information and original verification information;
and confirming that the real-time verification information, the original verification information and the program verification information all match.
8. An isolation dynamic protection device for an embedded system, characterized by comprising:
a data loading unit, configured to load a current program from an off-chip storage space, read a key corresponding to the current program from an on-chip storage space, and update the key to be read next time;
a write initialization unit, configured to generate verification information according to storage parameters of data when the data is written into the off-chip storage space by the current program, wherein the storage parameters comprise storage address information and storage time information of the data in the off-chip storage space;
a data writing unit, configured to encrypt the verification information according to the key to obtain encrypted verification information, store the encrypted verification information in the off-chip storage space, and store the key and the storage time information in a verification area of the on-chip storage space;
a data reading unit, configured to read, when the current program reads the data from the off-chip storage space, the encrypted verification information corresponding to the data from the off-chip storage space;
a verification initialization unit, configured to read the key and the storage time information from the verification area, and to encrypt, according to the key, the storage address information obtained when the data is read together with the read storage time information to obtain reference verification information;
and a data comparison unit, configured to compare the reference verification information with the read encrypted verification information and confirm the security of the data according to the comparison result.
9. A computing device, comprising:
one or more processors;
a memory for storing one or more programs;
wherein, when the one or more programs are executed by the one or more processors, the one or more programs cause the computing device to implement the isolation dynamic protection method for an embedded system according to any one of claims 1 to 7.
10. A storage medium storing computer-executable instructions which, when executed by a computer processor, perform the isolation dynamic protection method for an embedded system according to any one of claims 1 to 7.
CN202210432725.2A 2022-04-24 2022-04-24 Isolation dynamic protection method, device, equipment and storage medium of embedded system Active CN114528603B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210432725.2A CN114528603B (en) 2022-04-24 2022-04-24 Isolation dynamic protection method, device, equipment and storage medium of embedded system


Publications (2)

Publication Number Publication Date
CN114528603A true CN114528603A (en) 2022-05-24
CN114528603B CN114528603B (en) 2022-07-15

Family

ID=81627990


Country Status (1)

Country Link
CN (1) CN114528603B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115391845A (en) * 2022-10-28 2022-11-25 Moore Threads Intelligent Technology (Beijing) Co., Ltd. Key management apparatus and method
CN115391845B (en) * 2022-10-28 2023-01-06 Moore Threads Intelligent Technology (Beijing) Co., Ltd. Key management apparatus and method
CN116028958A (en) * 2023-02-21 2023-04-28 Guangzhou Wise Security Technology Co., Ltd. Key encryption and decryption method and device, security machine and medium
CN116028958B (en) * 2023-02-21 2024-04-12 Guangzhou Wise Security Technology Co., Ltd. Key encryption and decryption method and device, security machine and medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2415334A1 (en) * 2002-12-31 2004-06-30 Protexis Inc. System for persistently encrypting critical software data to control operation of an executable software program
US20100281273A1 (en) * 2009-01-16 2010-11-04 Lee Ruby B System and Method for Processor-Based Security
US20140189373A1 (en) * 2011-08-19 2014-07-03 Gemalto Sa Method for hard partitioning the resources of a secure computer system
US20160103994A1 (en) * 2014-10-08 2016-04-14 Nintendo Co., Ltd. Storage medium having stored therein boot program, information processing apparatus, information processing system, information processing method, semiconductor apparatus, and storage medium having stored therein program
CN106778291A (en) * 2016-11-22 2017-05-31 Beijing Qihoo Technology Co., Ltd. Application program isolation method and isolation device
CN107220560A (en) * 2017-06-22 2017-09-29 Beihang University Embedded system data integrity protection method based on data cache expansion
CN109086612A (en) * 2018-07-06 2018-12-25 Beihang University Hardware-implemented dynamic data protection method for an embedded system
CN111723383A (en) * 2019-03-22 2020-09-29 Alibaba Group Holding Limited Data storage and verification method and device
CN113946375A (en) * 2021-10-19 2022-01-18 Zhuhai Allwinner Technology Co., Ltd. Fast and secure boot method and device for an embedded system, and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
邓程方 (Deng Chengfang): "Research on a Secure Processor Architecture Based on Stream Ciphers", China Master's Theses Full-text Database (Information Science and Technology series) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant