CN116226870A - Security enhancement system and method - Google Patents


Info

Publication number: CN116226870A
Authority: CN (China)
Prior art keywords: memory, memory space, trusted, module, application
Legal status: Granted
Application number: CN202310500696.3A
Other languages: Chinese (zh)
Other versions: CN116226870B (en)
Inventors: 杨文韬, 胡峰
Current assignee: Beijing Qingzhi Longma Technology Co ltd
Original assignee: Beijing Qingzhi Longma Technology Co ltd
Priority: CN202310500696.3A
Publications: CN116226870A (application), CN116226870B (granted patent)
Current legal status: Active

Classifications

    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (under G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
    • G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data)
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data (under G06F21/70 Protecting specific internal or peripheral components)
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management (under Y02D Climate change mitigation technologies in information and communication technologies [ICT], Y02 Technologies or applications for mitigation or adaptation against climate change, Y General tagging of new technological developments)
    The three G06F21 groups sit under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics.

Abstract

The invention relates to the field of Internet technology and provides a security enhancement system and method. The system comprises a processor and an external memory; a trusted operating system runs on the processor, and the processor comprises a built-in memory. The memory space of the external memory comprises a first external memory space of the trusted operating system, and the memory space of the built-in memory comprises an internal memory space of the trusted operating system; the internal memory space of the trusted operating system is used to store a security enhancement module of a first trusted application. The invention can effectively prevent physical attacks by an attacker with the capability of controlling the external interface of the chip, and realizes secure storage of confidential data in a trusted execution environment.

Description

Security enhancement system and method
Technical Field
The invention relates to the field of Internet technology, and in particular to a security enhancement system and method.
Background
With the development of Internet technology, trusted computing technology has evolved. Currently, common trusted computing technology introduces two protection environments with different privileges, a rich execution environment (Rich Execution Environment, REE) and a trusted execution environment (Trusted Execution Environment, TEE), by modifying the original hardware architecture. Applications or operating systems running in the REE are strictly restricted from accessing the resources of the TEE, whereas programs running in the TEE can access those resources normally. The hardware isolation and the different privilege attributes of the two environments provide an efficient mechanism for protecting the code and data of an application.
A physical attack with the capability of controlling the external interface of the chip is an attack in which information is obtained by controlling the chip's external interface. Existing trusted computing technology based on ARM TrustZone can only prevent illegal access from the REE to the TEE; it cannot prevent a physical attack mounted from outside the processor by an attacker who controls the external interface of the chip, so the security of confidential data stored in the TEE is reduced.
Disclosure of Invention
The invention provides a security enhancement system and a security enhancement method in order to overcome the defect of the prior art that confidential data leaks easily because physical attacks with the capability of controlling the external interface of the chip cannot be defended against, and in order to realize secure storage of confidential data in a trusted execution environment.
The invention provides a security enhancement system comprising a processor and an external memory, wherein a trusted operating system runs on the processor and the processor comprises a built-in memory; the memory space of the external memory comprises a first external memory space of the trusted operating system, and the memory space of the built-in memory comprises an internal memory space of the trusted operating system; the internal memory space of the trusted operating system is used to store a security enhancement module of a first trusted application;
the security enhancement module is configured to allocate a first target memory space in the first external memory space for running the first trusted application, the first target memory space being used to store first encrypted application data of the first trusted application;
and the security enhancement module is further configured to decrypt the first encrypted application data and to run the first trusted application based on the decryption result of the first encrypted application data.
According to the security enhancement system provided by the invention, the security enhancement module comprises a memory security enhancer module, an application data processing sub-module and a security application program sub-module of the first trusted application;
the memory security enhancer module is configured to allocate the first target memory space in the first external memory space, and is further configured to decrypt the first encrypted application data and to encrypt the application data that has not yet been encrypted into the first encrypted application data;
the application data processing sub-module is configured to run the first trusted application based on the decryption result of the first encrypted application data.
According to the security enhancement system provided by the invention, the program complexity of the security application program sub-module is less than a first threshold, and the application specification of the security application program sub-module is less than a second threshold.
According to the security enhancement system provided by the invention, an open operating system also runs on the processor, and the memory space of the external memory further comprises a second external memory space of the open operating system; a first memory expansion module is stored in the memory space of a second trusted application within the first external memory space, and a second memory expansion module is stored in the memory space of the second trusted application within the second external memory space;
the first memory expansion module is configured to request, from the second memory expansion module, the memory required by the second trusted application;
the second memory expansion module is configured to allocate a second target memory space in the second external memory space for running the second trusted application, the second target memory space being used to store second encrypted application data of the second trusted application.
According to the security enhancement system provided by the invention, the first memory expansion module is further configured to decrypt the second encrypted application data and to encrypt the application data that has not yet been encrypted into the second encrypted application data.
According to the security enhancement system provided by the invention, an open operating system also runs on the processor, the memory space of the external memory further comprises a second external memory space of the open operating system, and a memory page changing module is provided in the system memory space of the trusted operating system within the first external memory space;
the memory page changing module is configured, when the first external memory space is saturated, to encrypt third application data stored in the first external memory space to obtain third encrypted application data;
it is further configured to request a target disk space from the open operating system, the target disk space being used to store the third encrypted application data;
and to release the memory space in the first external memory space that stored the third application data.
The invention also provides a security enhancement method applied to any of the security enhancement systems described above, the method comprising:
in response to a memory request instruction of the first trusted application, the security enhancement module allocates a first target memory space in the first external memory space for running the first trusted application, the first target memory space being used to store first encrypted application data of the first trusted application;
in response to a read data instruction of the first trusted application, the security enhancement module decrypts the first encrypted application data;
the security enhancement module runs the first trusted application based on the decryption result of the first encrypted application data.
According to the security enhancement method provided by the invention, before the security enhancement module decrypts the first encrypted application data, the method further comprises:
in response to a write data instruction of the first trusted application, the security enhancement module encrypts application data of the first trusted application to obtain the first encrypted application data, and stores the first encrypted application data of the first trusted application in the first target memory space.
According to the security enhancement method provided by the invention, after the security enhancement module decrypts the first encrypted application data, the method further comprises:
in response to a memory release instruction of the first trusted application, the security enhancement module releases the first target memory space.
According to the security enhancement method provided by the invention, the method further comprises the following steps:
in response to a memory request instruction of a second trusted application, the first memory expansion module sends to the second memory expansion module a memory request for the memory required by the second trusted application;
based on the memory request, the second memory expansion module allocates a second target memory space in a second external memory space for running the second trusted application, and sends a memory identifier of the second target memory space to the first memory expansion module;
wherein the second target memory space is used to store second encrypted application data of the second trusted application, an open operating system also runs on the processor, the memory space of the external memory further comprises the second external memory space of the open operating system, the first memory expansion module is stored in the memory space of the second trusted application within the first external memory space, and the second memory expansion module is stored in the memory space of the second trusted application within the second external memory space.
According to the security enhancement method provided by the invention, the method further comprises the following steps:
in response to a write data instruction of the second trusted application, the first memory expansion module encrypts application data of the second trusted application to obtain second encrypted application data, and sends the second encrypted application data together with the memory identifier of the second target memory space to the second memory expansion module;
the second memory expansion module stores the second encrypted application data in the second target memory space based on the memory identifier.
According to the security enhancement method provided by the invention, the method further comprises the following steps:
in response to a read data instruction of the second trusted application, the first memory expansion module sends the memory identifier of the second target memory space and a read data request to the second memory expansion module;
based on the memory identifier and the read data request, the second memory expansion module sends the second encrypted application data stored in the second target memory space to the first memory expansion module;
the first memory expansion module decrypts the second encrypted application data to obtain a decryption result of the second encrypted application data, and sends the decryption result to the second trusted application.
According to the security enhancement method provided by the invention, the method further comprises the following steps:
in response to a memory release instruction of the second trusted application, the first memory expansion module sends the memory identifier of the second target memory space and a memory release request to the second memory expansion module;
based on the memory identifier and the memory release request, the second memory expansion module releases the second target memory space.
The invention also provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the security enhancement method described in any of the above when executing the program.
The invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the security enhancement method described in any of the above.
The invention also provides a computer program product comprising a computer program which, when executed by a processor, implements the security enhancement method described in any of the above.
According to the security enhancement system and method of the invention, the security enhancement module is arranged in the processor, and the key used to encrypt and decrypt the application data is also stored in the processor. Consequently, even if an attacker obtains the encrypted data stored in the external memory through a physical attack with the capability of controlling the external interface of the chip, the encrypted data still cannot be decrypted because the key is lacking. The invention therefore effectively improves protection against physical attacks with the capability of controlling the external interface of the chip.
Drawings
In order to illustrate the invention or the technical solutions of the prior art more clearly, the drawings used in the embodiments or in the description of the prior art are briefly introduced below. It is obvious that the drawings described below show some embodiments of the invention, and that a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of the security enhancement system provided by the invention;
FIG. 2 is a schematic diagram of the security enhancement module provided by the invention;
FIG. 3 is a schematic structural diagram of the first memory expansion module and the second memory expansion module provided by the invention;
FIG. 4 is a schematic diagram of the memory page changing module provided by the invention;
FIG. 5 is a flow chart of the security enhancement method provided by the invention;
FIG. 6 is a flow chart of the memory expansion method based on security enhancement provided by the invention;
FIG. 7 is a schematic structural diagram of the electronic device provided by the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the invention clearer, the technical solutions of the invention are described clearly and completely below with reference to the accompanying drawings. It is apparent that the described embodiments are some, not all, of the embodiments of the invention. All other embodiments that a person skilled in the art can obtain from the embodiments of the invention without inventive effort fall within the scope of the invention.
It should be understood that although the terms first, second, third, etc. may be used in this specification to describe various information, this information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly second information may also be referred to as first information, without departing from the scope of this description. The word "if" as used herein may be interpreted as "at … …" or "at … …" or "in response to determining", depending on the context.
First, some technical terms appearing in the embodiments of the invention are explained:
Trusted application (Trusted Application, TA): in trusted computing technology, applications are classified into trusted applications (TA) and normal applications. Normal applications are applications that run only in the open operating system without permission restrictions, and trusted applications are applications that run in the trusted operating system. An application using trusted computing technology is therefore divided into two parts, a trusted application part and a general application part. The trusted application part contains the security-related functionality and is stored in the total memory space of the trusted operating system.
ARM TrustZone architecture: a hardware architecture for secure device development that divides the system into the REE and the TEE by means of hardware isolation. The software that can run in the REE is relatively rich and complex, such as Linux. The software running in the TEE is small in scale and provides limited functionality.
Program complexity: the complexity of the application itself, determined by the amount of computation and the memory space required while the application executes; it includes time complexity and space complexity.
Application specification: the size of the data volume the application processes at one time.
As shown in FIGS. 1 to 4, the security enhancement system of the embodiment of the invention, illustrated in FIG. 1, includes a processor and an external memory, where a trusted operating system runs on the processor and the processor includes a built-in memory; the memory space of the external memory includes a first external memory space 110 of the trusted operating system, and the memory space of the built-in memory includes an internal memory space 120 of the trusted operating system; the internal memory space 120 of the trusted operating system is used to store the security enhancement module 130 of the first trusted application;
the security enhancement module 130 is configured to allocate a first target memory space 140 in the first external memory space for running the first trusted application, where the first target memory space 140 is used to store first encrypted application data of the first trusted application;
and the security enhancement module 130 is further configured to decrypt the first encrypted application data and to run the first trusted application based on the decryption result of the first encrypted application data.
It should be noted that the first external memory space 110 and the internal memory space 120 of the trusted operating system together form the total memory space of the trusted operating system. Because the internal memory 120 is small owing to hardware limitations and can hold only part of the data, most of the total memory is located in the first external memory 110, for example the system data of the trusted operating system itself and the program data of the various trusted applications expected to run on it. The first target memory space 140 is a free memory space that the trusted operating system allocates from the first external memory space 110 according to the amount of data required to run the first trusted application.
The security enhancement module 130 is an algorithm module that integrates encryption and decryption functions with an execution engine. Because the security enhancement module 130 is located in the built-in memory, it isolates the application data in the memory space from physical attacks mounted from outside the processor by an attacker with the capability of controlling the external interface of the chip. The key used for encryption and decryption is likewise stored in the built-in memory of the processor, and all application data sent by the first trusted application must be encrypted inside the processor before it is stored in the first external memory space 110 of the external memory. Even if an external attacker obtains the encrypted application data, it cannot be decrypted without the encryption scheme and the key, so the security enhancement module 130 greatly strengthens the system's resistance to physical attacks with the capability of controlling the external interface of the chip.
As an example, the security enhancement system of the embodiment may be built on the TrustZone architecture of ARM: the processor (CPU) may be an ARM chip, the external memory may be any type of memory chip or memory bank supported by the architecture, and the built-in memory is a static random-access memory (SRAM). The trusted operating system is a TEE OS and the open operating system is a REE OS. The operations of trusted applications running on the TEE OS include fingerprint identification, password processing, data encryption and decryption, and security authentication. Applications that involve no secret operations can run on the REE OS. In addition, the security enhancement system of the embodiment can be installed on a terminal device, for example a mobile phone.
According to the security enhancement system of the embodiment, the security enhancement module is built into the processor, so that the first encrypted application data can be stored in the corresponding first target memory space within the first external memory space, and leakage caused by directly attacking the application data in the external memory is prevented. Secondly, the security enhancement module carries the engine function for running the first trusted application, which prevents unencrypted application data from being obtained from the execution engine once the engine is attacked. The system of the embodiment therefore effectively improves protection against physical attacks and similar threats with the capability of controlling the external interface of the chip.
In some embodiments, as shown in FIG. 2, the security enhancement module 130 includes a memory security enhancer module 210, an application data processing sub-module 220, and a security application program sub-module 230 of the first trusted application;
the memory security enhancer module 210 is configured to allocate the first target memory space 140 in the first external memory space 110, and is further configured to decrypt the first encrypted application data and to encrypt the application data that has not yet been encrypted into the first encrypted application data;
the application data processing sub-module 220 is configured to run the first trusted application based on the decryption result of the first encrypted application data.
It should be noted that the memory security enhancer module 210 mainly provides two kinds of functions: memory management and security enhancement. The memory management functions are memory request, memory write, memory read and memory release. The security enhancement functions are encryption processing and decryption processing.
For the memory management function, the processor chip and its operating system firmware in the embodiment can be modified and configured, that is, system firmware modification authority is available. Therefore, when the memory security enhancer module 210 receives the memory request instruction of the first trusted application, all the memory space required by the first trusted application can be allocated in the first external memory space 110; and when the memory required by the first trusted application is larger than all the free memory the memory security enhancer module 210 can allocate, the first external memory space is enlarged to provide enough memory.
For the security enhancement function, a key initialization operation is performed during system initialization for the subsequent encryption and decryption operations. The memory security enhancer module 210 encrypts the application data while performing a write instruction, and decrypts the received first encrypted application data after performing a read instruction. After the read or write instruction is completed, the memory security enhancer module 210 may release the first target memory space, so that flexible management of the memory space is achieved.
In addition, it should be noted that the application data processing sub-module 220 corresponds to the execution engine of an application program. When the application data processing sub-module 220 runs the first trusted application, it needs the algorithm logic provided by the security application program sub-module 230, such as a face recognition algorithm program, and it also needs the decryption result of the first encrypted application data output by the memory security enhancer module 210, such as face feature data. The security application program sub-module 230 is a part of the first trusted application; for example, if the first trusted application is chat software that provides a security verification function for user login, the security application program sub-module 230 is the part of the application corresponding to that security verification function, for example a fingerprint recognition program, a voiceprint recognition program, or a face recognition program.
According to the security enhancement system of the embodiment, the memory security enhancer module performs memory management and security enhancement on the application data sent by the first trusted application, and the application data processing sub-module then runs the first trusted application by combining the decryption result of the first encrypted application data delivered by the memory security enhancer module with the security application program. The system of the embodiment thus ensures that the whole flow of securely storing, fetching and using the application data takes place inside the processor, and effectively improves protection against physical attacks and similar threats with the capability of controlling the external interface of the chip.
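As an added example (not code from the patent or its assignee), the following Python simulation covers both the memory request, write, read and release cycle of the memory security enhancer module described above and the exchange between the first and second memory expansion modules from the method section: the key and the bookkeeping live in an object standing for the built-in memory, and only sealed bytes ever reach the objects standing for the external memory spaces. The cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, which also detects modification of external memory, something the page does not claim), the integer identifiers and every name in the file are assumptions.

```python
"""Simulation of the memory model described above; an added example, not code from
the patent or its assignee. Assumptions not on the page (all names are invented):
HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag as the cipher, so tampering
with external memory is detected too; integer identifiers; one key for both spaces."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

class SealingKey:
    """Initialised at system start; lives only in the processor's built-in memory."""
    def __init__(self) -> None:
        root = secrets.token_bytes(32)
        self.k_enc = hmac.new(root, b"enc", hashlib.sha256).digest()
        self.k_mac = hmac.new(root, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        return b"".join(hmac.new(self.k_enc, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                        for i in range(length // 32 + 1))[:length]

    def seal(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + hmac.new(self.k_mac, nonce + ct, hashlib.sha256).digest()

    def unseal(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.k_mac, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("encrypted application data was modified in external memory")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

class RegionStore:
    """One external memory space with key-less region bookkeeping; `cells` is what an
    attacker on the chip's external interface can dump. Plays the REE-side second
    memory expansion module (330) and the raw allocator under enhancer module 210."""
    def __init__(self, size: int) -> None:
        self.cells, self.next_free, self.next_id = bytearray(size), 0, 1
        self.regions: dict[int, list[int]] = {}  # id -> [base, capacity, used]

    def request_memory(self, size: int) -> int:
        if self.next_free + size > len(self.cells):
            raise MemoryError("external memory space saturated")
        mem_id, self.next_id = self.next_id, self.next_id + 1
        self.regions[mem_id] = [self.next_free, size, 0]  # bump allocator, no reuse
        self.next_free += size
        return mem_id

    def store(self, mem_id: int, blob: bytes) -> None:
        region = self.regions[mem_id]
        if len(blob) > region[1]:
            raise ValueError("data exceeds the target memory space")
        self.cells[region[0]:region[0] + len(blob)] = blob
        region[2] = len(blob)

    def fetch(self, mem_id: int) -> bytes:
        base, _, used = self.regions[mem_id]
        return bytes(self.cells[base:base + used])

    def release(self, mem_id: int) -> None:
        base, capacity, _ = self.regions.pop(mem_id)
        self.cells[base:base + capacity] = bytes(capacity)  # scrub ciphertext on release

class SealedMemory:
    """TEE-side view that seals data before it leaves built-in memory: the memory
    security enhancer module (210) over space 110, or the first memory expansion
    module (320) when its store is the REE-side module 330 over space 310."""
    def __init__(self, store: RegionStore, key: SealingKey) -> None:
        self.store, self.key = store, key

    def request_memory(self, size: int) -> int:
        return self.store.request_memory(NONCE_LEN + size + TAG_LEN)  # room for nonce and tag

    def write_memory(self, mem_id: int, app_data: bytes) -> None:
        self.store.store(mem_id, self.key.seal(app_data))

    def read_memory(self, mem_id: int) -> bytes:
        return self.key.unseal(self.store.fetch(mem_id))

    def release_memory(self, mem_id: int) -> None:
        self.store.release(mem_id)

def demo() -> dict[str, bool]:
    first_ext = RegionStore(4096)
    enhancer = SealedMemory(first_ext, SealingKey())  # module 210 over space 110
    features = b"constructed face feature vector 0123456789"
    h = enhancer.request_memory(len(features))
    enhancer.write_memory(h, features)
    results = {"no_plaintext_in_external": features not in bytes(first_ext.cells),
               "reads_back": enhancer.read_memory(h) == features}
    first_ext.cells[NONCE_LEN + 3] ^= 0x01  # attacker flips one ciphertext bit
    try:
        results["tamper_detected"] = enhancer.read_memory(h) != features  # unseal must raise
    except ValueError:
        results["tamper_detected"] = True
    enhancer.release_memory(h)
    results["released_space_scrubbed"] = not any(first_ext.cells)
    return results
```

Running `demo()` exercises the enhancer path; pairing `SealedMemory` with a second `RegionStore` plays the first memory expansion module talking to the REE-side second module, which only ever holds opaque blobs keyed by memory identifier.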
In some embodiments, the program complexity of the secure application sub-module 230 is less than a first threshold and the application specification of the secure application sub-module 230 is less than a second threshold.
It should be noted that the security operation program of the first trusted application itself is stored in the security application sub-module, and an increase in the program complexity of the security application increases the size of its binary. For example, if the security application is a fingerprint identification program, the program complexity determines how many features of the fingerprint are analysed.
The larger the application specification of the security application, the larger the amount of data the processor handles at once, which also increases the memory the processor needs. For the same fingerprint identification program, the application specification determines whether one fingerprint or 100 fingerprints are processed at a time. The built-in memory of the processor, such as SRAM, is small. Therefore, to guarantee that the memory security enhancer sub-module 210, the application data processing sub-module 220 and the security application sub-module 230 all fit in the SRAM, a corresponding constraint is imposed on the first trusted application: the program complexity of the security application must be smaller than the first threshold and its application specification smaller than the second threshold. The values of the first threshold and the second threshold are determined by the SRAM specification of the selected processor chip.
If the total memory of the memory security enhancer sub-module 210, the application data processing sub-module 220 and the security application sub-module 230 exceeds the free capacity of the SRAM, this can be resolved by choosing a CPU with a larger SRAM, changing the algorithm, reducing the program complexity, reducing the application specification, and so on.
According to the security enhancement system provided by the embodiment of the invention, because the security application sub-module meets the requirements of low complexity and small application specification, the whole of the first trusted application fits in the built-in memory; this removes the possibility of its data leaking from the program into external memory and further improves resistance to physical attacks by an adversary able to control the external interfaces of the chip.
In addition to the need to prevent physical attacks with the capability of controlling the external interfaces of the chip, the security enhancement system of the embodiments of the present invention also faces the problem of memory expansion.
The memory a trusted application can use is limited by the total memory of the TEE OS, which in some cases is smaller than the memory the trusted application needs, so the application cannot run on the TEE OS. Different processor chips and their operating-system firmware ship with different limits on the total TEE memory, but for most of them the total memory of the TEE OS is far smaller than the total memory of an external server. For example, a TEE operating system may set the total memory of the TEE OS to 32 MB by default, far smaller than the total memory of a current mainstream server. In this case the trusted application does not have enough running space and cannot start normally.
Based on this capacity expansion requirement, in some embodiments, as shown in fig. 3, the processor further runs an open operating system, and the memory space of the external memory further includes a second external memory space 310 of the open operating system; a first memory expansion module 320 is stored in the memory space of a second trusted application in the first external memory space 110, and a second memory expansion module 330 is stored in the memory space of the second trusted application in the second external memory space 310;
the first memory expansion module 320 is configured to request, from the second memory expansion module 330, the memory required by the second trusted application;
the second memory expansion module 330 is configured to allocate a second target memory space 340 in the second external memory space 310 for running the second trusted application; the second target memory space 340 is used for storing second encrypted application data of the second trusted application program.
It should be noted that the first memory expansion module 320 is disposed in the secure portion of the TEE application, that is, in the memory space of the TEE OS where the TEE application (the second trusted application) is stored. The second memory expansion module 330 is disposed in the non-secure portion of the TEE application, that is, in the memory space of the REE OS that belongs to the TEE application. For each second trusted application that has a capacity expansion requirement, a first memory expansion module 320 and a second memory expansion module 330 need to be disposed in its own memory spaces. Different applications can build the two memory expansion modules from the same logic.
In addition, it should be noted that when the first memory expansion module 320 requests memory from the second memory expansion module 330, this indicates that the free memory in the TEE OS is insufficient for the memory required by the second trusted application. Therefore, the memory space requested by the first memory expansion module 320 lies entirely in the second external memory space 310, which corresponds to the memory space of the REE OS. The second target memory space 340 is the part of the second external memory space 310 set aside for the second trusted application.
According to the security enhancement system provided by the embodiment of the invention, the first memory expansion module is added to the memory space of the second trusted application program; when the second trusted application program needs a large amount of memory and the free total memory of the TEE OS cannot satisfy it, the memory expansion module requests memory of the REE OS from the non-secure world, and the application data placed there is stored in encrypted form. In this way the second trusted application can run on a system whose TEE OS free memory is small but whose total memory suffices, while data security is maintained. Meanwhile, since the capacity expansion modules of the embodiment of the invention are disposed in the memory space of the application program and do not modify the firmware, the security enhancement system can expand capacity even without the authority to modify the system firmware.
In some embodiments, the first memory expansion module 320 is further configured to decrypt the second encrypted application data and to encrypt the application data of the second trusted application before it is written out (producing the second encrypted application data).
It should be noted that a key initialisation step should be performed during system initialisation for the subsequent encryption and decryption operations of the first memory expansion module 320. In addition, data integrity can be ensured by keeping, on the TEE OS side in the first external memory space 110, the hash value of each ciphertext written out as encrypted application data, and verifying the hash value when the ciphertext is read back into the TEE OS side. The hash must be kept on the trusted side: a hash stored alongside the ciphertext in REE memory could be rewritten together with it.
In addition, the first memory expansion module 320 may be further configured to release the second target memory space 340 once its read/write operations are complete, so that the occupied REE memory is released in a timely manner.
In some embodiments another capacity expansion manner is provided, as shown in fig. 4: the processor further runs an open operating system, the memory space of the external memory further includes a second external memory space 310 of the open operating system, and a memory page module 410 is disposed in the system memory space of the trusted operating system in the first external memory space 110;
the memory page module 410 is configured to encrypt third application data stored in the first external memory space 110 to obtain third encrypted application data when the memory of the first external memory space 110 is saturated;
and is further configured to request a target disk space 420 from the open operating system, the target disk space 420 being used for storing the third encrypted application data and being located in the disk space 430 of the open operating system;
and is further configured to send the third encrypted application data to the open operating system and to release the memory space that stored the third application data in the first external memory space 110.
It should be noted that in some scenarios the trusted application in the TEE OS is not loaded with a capacity expansion module; the system itself then needs to determine, according to set conditions, whether there is currently a capacity expansion requirement and to expand in time so that the trusted application can run smoothly on the TEE OS. For this, the firmware of the TEE OS is modified to add the memory page module 410, which can write third application data already stored in the first external memory space 110 to REE-side persistent storage. To keep the data secure, the third application data must be encrypted before it is written to the target disk space 420. The third application data is a selected part of the application data stored in the first external memory space 110. When the third application data is needed again, it is read back from the REE-side persistent storage, decrypted and put back into the first external memory space 110, and the corresponding REE-side persistent storage is released.
In addition, it should be noted that the memory page module 410 determines whether the memory of the first external memory space 110 is saturated by, for example, a real-time monitor of the total TEE OS memory set within the memory page module 410: when the occupancy of the total memory reaches a preset value, the first external memory space 110 is considered saturated. The preset value may be set according to the system deployment environment or the requirements of the applications running on the processor.
According to the security enhancement system provided by the embodiment of the invention, the memory page module writes data to REE-side disk space for persistent storage. In conventional capacity expansion, all application data must remain in memory while running on the TEE OS, and TEE OS memory expanded by modifying the firmware is still bounded by the total memory of the whole system. With the capacity expansion manner of the embodiment of the invention, that bound on total system memory is overcome: the memory page module expands capacity as soon as the memory is saturated, and more free TEE OS memory is obtained by temporarily storing data in REE disk space.
The security enhancement method provided by the invention is described below; the security enhancement method described below and the security enhancement system described above correspond to each other and can be cross-referenced.
As shown in fig. 5, an embodiment of the present invention discloses a security enhancement method, which is applied to any one of the above security enhancement systems, and the method includes:
step 501: in response to a memory allocation request instruction of a first trusted application program, the security enhancement module allocates a first target memory space in the first external memory space for running the first trusted application program; the first target memory space is used for storing first encrypted application data of the first trusted application program;
step 502: in response to a read data operation instruction of the first trusted application program, the security enhancement module decrypts the first encrypted application data;
step 503: the security enhancement module runs the first trusted application based on the decryption result of the first encrypted application data.
As an example, the process of applying for memory by the first TEE application includes the following operations:
step 1a, a first TEE application initiates a memory allocation request;
step 1b, a security enhancement module initiates a request to a TEE OS;
step 1c, the TEE OS returns the corresponding memory;
and step 1d, the security enhancement module returns a memory identifier to the first TEE application.
It should be noted that the memory identifier is a handle that indicates the memory address of the allocated memory space; the application refers to the memory by this identifier in all later read, write and release operations.
As an example, the process of the first TEE application reading data includes the following operations:
step 2a, the first TEE application initiates a read request for the memory corresponding to a memory identifier;
step 2b, the security enhancement module decrypts the corresponding ciphertext data to obtain plaintext data;
and 2c, returning the plaintext data to the first TEE application by the security enhancement module.
According to the security enhancement method provided by the embodiment of the invention, the first target memory space is allocated in the first external memory space for running the first trusted application program, while the encryption and decryption code and the data it needs, including the encryption key, are stored in the built-in memory of the processor, and the data processing code is arranged to run in the built-in memory of the processor. Sensitive data in the external memory of the processor is therefore always in encrypted form. Because the built-in memory of the processor is generally limited in size, some non-sensitive data, such as some state data of the running firmware, may remain in clear text in the external memory. The method of the embodiment of the invention thus gives the system the ability to resist attacks that inspect sensitive data in the memory chip, such as a physical attack by an adversary able to control the external interfaces of the chip.
In some embodiments, before the security enhancement module decrypts the first encrypted application data, the method further comprises:
in response to a write data operation instruction of the first trusted application program, the security enhancement module encrypts the application data of the first trusted application program to obtain the first encrypted application data, and stores the first encrypted application data of the first trusted application program in the first target memory space.
As an example, the process of the first TEE application writing data includes the following operations:
step 3a, the first TEE application sends data and a memory identifier to the security enhancement module;
step 3b, encrypting the data by the security enhancement module;
and 3c, writing the ciphertext into the corresponding memory by the security enhancement module.
As an example, the process of the first TEE application releasing the memory includes the following operations:
step 4a, a first TEE application initiates a memory release request and transmits a memory identifier;
step 4b, the security enhancement module initiates a request to the TEE OS;
and 4c, releasing the corresponding memory by the TEE OS.
The security enhancement method of the embodiment of the invention encrypts application data before writing it to the memory outside the CPU. When specific data is needed for a computation, it is read from the memory outside the CPU into the SRAM and decrypted, and the application data processing code is then run on it. This ensures that the plaintext of sensitive data is visible only inside the CPU and never in the memory outside the CPU.
In some embodiments, after the security-enhancement module decrypts the first encrypted application data, the method further comprises:
in response to a memory release operation instruction of the first trusted application program, the security enhancement module releases the first target memory space.
In some embodiments, the method further comprises a memory expansion method based on security enhancement, as shown in fig. 6:
step 601: in response to a memory allocation request instruction of a second trusted application program, the first memory expansion module sends a memory request for the memory required by the second trusted application program to the second memory expansion module;
step 602: based on the memory request, the second memory expansion module allocates a second target memory space in a second external memory space for running the second trusted application and sends the memory identifier of the second target memory space to the first memory expansion module;
where the second target memory space is used for storing second encrypted application data of the second trusted application program, the processor further runs an open operating system, and the memory space of the external memory further includes the second external memory space of the open operating system; the first memory expansion module is stored in the memory space of the second trusted application in the first external memory space, and the second memory expansion module is stored in the memory space of the second trusted application in the second external memory space.
As an example, the process of applying for memory by the second TEE application includes the following operations:
step 5a, a second TEE application initiates a memory allocation request;
step 5b, the first memory expansion module (TEE) initiates a request to the second memory expansion module (REE);
step 5c, the second memory expansion module (REE) initiates a memory request to the REE OS;
step 5d, the REE OS returns the corresponding memory;
step 5e, the second memory expansion module (REE) returns a memory identifier to the first memory expansion module (TEE);
step 5f, the first memory expansion module (TEE) returns the memory identifier to the second TEE application.
In some embodiments, the memory expansion method based on security enhancement further comprises:
in response to a write data operation instruction of a second trusted application program, the first memory expansion module encrypts the application data of the second trusted application program to obtain second encrypted application data, and sends the second encrypted application data and the memory identifier of the second target memory space to the second memory expansion module;
the second memory expansion module stores second encrypted application data in a second target memory space based on the memory identification.
By way of example, the process of the second TEE application writing data includes the following operations:
Step 6a, the second TEE application sends the data and the memory identifier to a first memory expansion module (TEE);
step 6b, encrypting the data by a first memory expansion module (TEE);
step 6c, the first memory expansion module (TEE) sends the data ciphertext and the memory identifier to the second memory expansion module (REE);
and 6d, the second memory expansion module (REE) writes the ciphertext into the corresponding memory.
In some embodiments, the memory expansion method based on security enhancement further comprises:
responding to a data reading operation instruction of a second trusted application program, and sending a memory identification and a data reading request of a second target memory space to a second memory expansion module by a first memory expansion module;
the second memory expansion module sends second encrypted application data stored in a second target memory space to the first memory expansion module based on the memory identifier and the read data request;
the first memory expansion module decrypts the second encrypted application data to obtain a decryption result of the second encrypted application data, and sends the decryption result to the second trusted application program.
As an example, the process of the second TEE application reading data includes the following operations:
step 7a, the second TEE application initiates a read request for the memory corresponding to a memory identifier;
step 7b, the first memory expansion module (TEE) sends a read request carrying the memory identifier to the second memory expansion module (REE);
step 7c, the second memory expansion module (REE) returns a data ciphertext to the first memory expansion module (TEE);
step 7d, decrypting the data by the first memory expansion module (TEE);
step 7e, the first memory expansion module (TEE) returns the plaintext to the second TEE application.
In some embodiments, the method further comprises:
in response to a memory release operation instruction of a second trusted application program, the first memory expansion module sends the memory identifier of the second target memory space and a memory release request to the second memory expansion module;
the second memory expansion module releases the second target memory space based on the memory identifier and the memory release request.
As an example, the process of releasing the memory by the second TEE application includes the following operations:
step 8a, a second TEE application initiates a memory release request and transmits a memory identifier;
step 8b, the first memory expansion module (TEE) initiates a request to the second memory expansion module (REE);
step 8c, the second memory expansion module (REE) initiates a memory release request to the REE OS.
In some embodiments, a further capacity expansion method based on security enhancement is provided, comprising at least the following steps:
the memory page module 410 encrypts the third application data stored in the first external memory space 110 when the memory of the first external memory space 110 is saturated, obtaining third encrypted application data;
the memory page module 410 requests the target disk space 420 from the open operating system, sends the third encrypted application data to the open operating system, and releases the memory space in the first external memory space 110 that stored the third application data.
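As an added example that is not part of the patent, the following Python model walks through the four operations of the first TEE application (steps 1a to 4c), the exchange between the first (TEE-side) and second (REE-side) memory expansion modules (steps 5a to 8c) together with the ciphertext hash check described for the first memory expansion module, and the page-out and page-in of the memory page module 410 with its occupancy threshold. Everything in it is an assumption made for illustration: the class and function names (`MemoryPool`, `SealedMemory`, `PageModule`, `seal`, `unseal`), the dicts that stand in for external memory and REE disk, the base addresses used as memory identifiers, and the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag, which stands in for whatever hardware cipher a real processor would use.

```python
# Added example, not code from the patent: a host-side Python model of the
# memory paths described above. Object state stands in for SRAM; dicts stand
# in for external memory and REE disk. The HMAC-based cipher is illustrative;
# a real TEE would use hardware AES-GCM (or similar) with a key provisioned
# from secure storage at initialisation.
import hashlib
import hmac
import os

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _stream(ek, nonce, n):  # HMAC in counter mode as a keystream
    return b"".join(_prf(ek, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC with separate subkeys: nonce || ciphertext || tag."""
    ek, mk = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = os.urandom(12)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + _prf(mk, nonce + ct)

def unseal(key, blob):
    """Verify the tag before touching the ciphertext; raise on any change."""
    ek, mk = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mk, nonce + ct)):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ s for c, s in zip(ct, _stream(ek, nonce, len(ct))))

class MemoryPool:
    """Allocator that stores whatever bytes it is handed. With a TEE base it is
    the TEE OS behind steps 1b-1c and 4b-4c; with an REE base it is the second
    memory expansion module (5c-5e, 6d, 7c, 8c): untrusted, sees only blobs."""

    def __init__(self, base):
        self.mem, self._next = {}, base

    def alloc(self, size):
        mid, self._next = self._next, self._next + size
        self.mem[mid] = b""
        return mid                              # the memory identifier

    def write(self, mid, blob):
        self.mem[mid] = blob

    def read(self, mid):
        return self.mem[mid]

    def free(self, mid):
        self.mem.pop(mid, None)

class SealedMemory:
    """The SRAM-resident side: the memory security enhancer sub-module over a
    TEE pool (steps 1a-4c) or the first memory expansion module over an REE
    pool (steps 5a-8c). Key and plaintext never leave this object; a digest of
    each blob written is kept so a swapped or stale blob is rejected."""

    def __init__(self, pool):
        self.key, self.pool, self.digests = os.urandom(32), pool, {}

    def alloc(self, size):
        return self.pool.alloc(size)

    def write(self, mid, data):
        blob = seal(self.key, data)
        self.digests[mid] = hashlib.sha256(blob).digest()
        self.pool.write(mid, blob)

    def read(self, mid):
        blob = self.pool.read(mid)
        if hashlib.sha256(blob).digest() != self.digests.get(mid):
            raise ValueError("pool returned a blob this module did not write")
        return unseal(self.key, blob)

    def free(self, mid):
        self.digests.pop(mid, None)
        self.pool.free(mid)

class PageModule:
    """Memory page module (TEE OS firmware): once occupancy of the first
    external memory space reaches the preset value, seal a chosen block to
    REE disk and free it; page_in restores it and releases the disk space."""

    def __init__(self, tee_mem, capacity, preset, ree_disk):
        self.key, self.tee_mem, self.disk = os.urandom(32), tee_mem, ree_disk
        self.capacity, self.preset = capacity, preset

    def occupancy(self):
        return sum(len(v) for v in self.tee_mem.values()) / self.capacity

    def page_out(self, mid):
        if self.occupancy() < self.preset:
            return False                        # not saturated: nothing to do
        self.disk[mid] = seal(self.key, self.tee_mem.pop(mid))
        return True

    def page_in(self, mid):
        self.tee_mem[mid] = unseal(self.key, self.disk.pop(mid))
        return self.tee_mem[mid]
```

The digest table is the part worth noticing. The tag on a sealed blob proves it was produced by the holder of the key, not that it is the blob most recently written for that identifier, so an REE that hands back an earlier ciphertext for the same identifier passes `unseal` and is only caught by the digest comparison. A per-identifier version counter bound into the tag would give the same protection with less trusted-side state.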
Fig. 7 illustrates the structure of an electronic device. As shown in fig. 7, the device may include a processor 710, a communication interface 720, a memory 730 and a communication bus 740, where the processor 710, the communication interface 720 and the memory 730 communicate with each other via the communication bus 740. The processor 710 may invoke logic instructions in the memory 730 to perform a security enhancement method comprising:
the security enhancement module allocates a first target memory space in the first external memory space for running the first trusted application in response to a memory allocation request instruction of the first trusted application; the first target memory space is used for storing first encrypted application data of the first trusted application program;
The security enhancement module decrypts the first encrypted application data in response to a read data operation instruction of the first trusted application;
the security enhancement module runs the first trusted application based on the decryption result of the first encrypted application data.
Further, the logic instructions in the memory 730 may be implemented as software functional units and stored in a computer-readable storage medium when sold or used as a stand-alone product. On this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computer device (a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present invention. The storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program storable on a non-transitory computer readable storage medium, the computer program, when executed by a processor, is capable of performing the security enhancement method provided by the methods as described above, the method comprising:
the security enhancement module allocates a first target memory space in the first external memory space for running the first trusted application in response to a memory allocation request instruction of the first trusted application; the first target memory space is used for storing first encrypted application data of the first trusted application program;
the security enhancement module decrypts the first encrypted application data in response to a read data operation instruction of the first trusted application;
the security enhancement module runs the first trusted application based on the decryption result of the first encrypted application data.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform a security enhancement method provided by the above methods, the method comprising:
the security enhancement module allocates a first target memory space in the first external memory space for running the first trusted application in response to a memory allocation request instruction of the first trusted application; the first target memory space is used for storing first encrypted application data of the first trusted application program;
the security enhancement module decrypts the first encrypted application data in response to a read data operation instruction of the first trusted application;
the security enhancement module runs the first trusted application based on the decryption result of the first encrypted application data.
The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of this embodiment. Those of ordinary skill in the art will understand and implement the invention without undue effort.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by software plus a necessary general hardware platform, or, of course, in hardware. On this understanding, the technical solution, or the part of it that contributes to the prior art, may be embodied as a software product stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disk, comprising instructions that cause a computer device (a personal computer, a server, a network device, etc.) to execute the method described in the embodiments or parts of them.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A security enhancement system, comprising a processor and an external memory, wherein the processor has a trusted operating system running thereon, and wherein the processor comprises a built-in memory; the memory space of the external memory comprises a first external memory space of the trusted operating system, and the memory space of the built-in memory comprises an internal memory space of the trusted operating system; the internal memory space of the trusted operating system is used for storing a security enhancement module of a first trusted application program;
the security enhancement module is configured to allocate a first target memory space in the first external memory space for running the first trusted application; the first target memory space is used for storing first encrypted application data of the first trusted application program;
and the security enhancement module is further configured to decrypt the first encrypted application data and to run the first trusted application program based on the decryption result of the first encrypted application data.
2. The security enhancement system of claim 1, wherein the security enhancement module comprises a memory security enhancer module, an application data processing sub-module, and a security application sub-module of the first trusted application;
the memory security enhancer module is configured to allocate the first target memory space in the first external memory space; and is further configured to decrypt the first encrypted application data and to encrypt the application data of the first trusted application program to obtain the first encrypted application data;
the application data processing sub-module is used for running the first trusted application program based on the decryption result of the first encrypted application data.
3. The security enhancement system according to claim 1 or 2, wherein an open operating system is further running on the processor, the memory space of the external storage further comprising a second external memory space of the open operating system; a first memory expansion module is stored in a memory space of a second trusted application in the first external memory space, and a second memory expansion module is stored in a memory space of the second trusted application in the second external memory space;
the first memory expansion module is configured to request, from the second memory expansion module, a memory required by the second trusted application;
the second memory expansion module is configured to allocate a second target memory space in the second external memory space for running the second trusted application; the second target memory space is used for storing second encrypted application data of the second trusted application program.
4. The security enhancement system of claim 3, wherein the first memory expansion module is further configured to decrypt the second encrypted application data and to encrypt the application data of the second trusted application program to obtain the second encrypted application data.
5. The security enhancement system according to claim 1 or 2, wherein an open operating system is further running on the processor, the memory space of the external memory further comprises a second external memory space of the open operating system, and a memory page module is disposed in a system memory space of the trusted operating system in the first external memory space;
the memory page module is configured to encrypt third application data stored in the first external memory space to obtain third encrypted application data when the memory of the first external memory space is saturated;
and is further configured to request a target disk space from the open operating system, the target disk space being used for storing the third encrypted application data;
and is further configured to release the memory space that stored the third application data in the first external memory space.
6. A security enhancement method, characterized in that the method is applied to the security enhancement system of any one of claims 1 to 5, the method comprising:
the security enhancement module allocates a first target memory space in the first external memory space for running the first trusted application in response to a memory allocation request instruction of the first trusted application; the first target memory space is used for storing first encrypted application data of the first trusted application program;
the security enhancement module decrypts the first encrypted application data in response to a read data operation instruction of the first trusted application;
the security enhancement module runs the first trusted application based on the decryption result of the first encrypted application data.
7. The security enhancement method of claim 6, wherein, before the security enhancement module decrypts the first encrypted application data, the method further comprises:
in response to a data writing operation instruction of the first trusted application program, the security enhancement module encrypts application data of the first trusted application program to obtain the first encrypted application data, and stores the first encrypted application data of the first trusted application program into the first target memory space.
8. The security enhancement method of claim 6, wherein the method further comprises:
in response to an application memory operation instruction of a second trusted application program, the first memory expansion module sends an application memory request for the memory required by the second trusted application program to the second memory expansion module;
the second memory expansion module allocates a second target memory space in a second external memory space for running the second trusted application based on the application memory request, and sends a memory identifier of the second target memory space to the first memory expansion module;
the second target memory space is used for storing second encrypted application data of the second trusted application program; an open operating system is further running on the processor, and the memory space of the external memory further comprises a second external memory space of the open operating system; a first memory expansion module is disposed in the memory space of the second trusted application program in the first external memory space, and a second memory expansion module is disposed in the memory space of the second trusted application program in the second external memory space.
9. The security enhancement method of claim 8, wherein the method further comprises:
the first memory expansion module encrypts application data of the second trusted application program in response to a data writing operation instruction of the second trusted application program to obtain the second encrypted application data, and sends the second encrypted application data and the memory identifier of the second target memory space to the second memory expansion module;
the second memory expansion module stores the second encrypted application data in the second target memory space based on the memory identifier.
10. The security enhancement method of claim 8, wherein the method further comprises:
in response to a read data operation instruction of the second trusted application program, the first memory expansion module sends the memory identifier of the second target memory space and a read data request to the second memory expansion module;
the second memory expansion module sends the second encrypted application data stored in the second target memory space to the first memory expansion module based on the memory identifier and the read data request;
the first memory expansion module decrypts the second encrypted application data to obtain a decryption result of the second encrypted application data, and sends the decryption result to the second trusted application program.
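The memory handling that claims 5 to 10 describe, as an added Python illustration (this is not code from the patent or its applicant): the trusted side encrypts application data before it is placed in any target memory space, the open-OS side only ever holds ciphertext addressed by a memory identifier, decryption fails closed on a tampered blob, and the memory page changing module encrypts resident pages and moves them to disk space obtained from the open OS when the trusted memory is saturated. The `MemoryCipher` class is an assumed stand-in for the claims' unspecified encryption process (an HMAC-SHA256 keystream with an HMAC tag; a real TEE would use a hardware AES engine or an AEAD), the two memory spaces and the disk are modelled as dictionaries, and all class and method names are the example's own.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


class MemoryCipher:
    """Assumed stand-in for the claims' encryption process: HMAC-SHA256 keystream XOR,
    then an HMAC-SHA256 tag (encrypt-then-MAC). Not the patent's own algorithm."""

    def __init__(self, key: bytes):
        self.key = key

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, ctr = bytearray(), 0
        while len(out) < n:
            out += hmac.new(self.key, b"ks" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return bytes(out[:n])

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + hmac.new(self.key, b"tag" + nonce + ct, hashlib.sha256).digest()

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expect = hmac.new(self.key, b"tag" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):   # reject modified or mis-keyed data
            raise ValueError("encrypted application data failed its integrity check")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


class OpenOSSide:
    """Second external memory space and disk managed by the open OS (hypothetical model).
    Holds the second memory expansion module's storage and the claim 5 target disk
    space; it only ever sees ciphertext, the key never leaves the trusted side."""

    def __init__(self):
        self.ram = {}   # memory identifier -> second encrypted application data
        self.disk = {}  # disk handle -> third encrypted application data

    def allocate(self) -> str:                    # claim 8: allocate, return memory identifier
        mem_id = secrets.token_hex(8)
        self.ram[mem_id] = b""
        return mem_id

    def store(self, mem_id: str, blob: bytes) -> None:   # claim 9
        if mem_id not in self.ram:
            raise KeyError("unknown memory identifier")
        self.ram[mem_id] = blob

    def load(self, mem_id: str) -> bytes:         # claim 10
        return self.ram[mem_id]

    def allocate_disk(self, blob: bytes) -> str:  # claim 5: target disk space
        handle = secrets.token_hex(8)
        self.disk[handle] = blob
        return handle


class TrustedSide:
    """First external memory space: security enhancement module (claims 6-7), first
    memory expansion module (claims 8-10) and memory page changing module (claim 5)."""

    def __init__(self, key: bytes, open_os: OpenOSSide, capacity: int):
        self.cipher, self.open_os, self.capacity = MemoryCipher(key), open_os, capacity
        self.target = {}   # app -> first target memory space (ciphertext only)
        self.remote = {}   # app -> memory identifier in the second external memory space
        self.pages = {}    # app -> resident plaintext pages (third application data)
        self.swapped = {}  # app -> disk handle of its encrypted, swapped-out pages

    # claims 6-7: write encrypts into the first target memory space, read decrypts from it
    def write_local(self, app: str, data: bytes) -> None:
        self.target[app] = self.cipher.encrypt(data)

    def read_local(self, app: str) -> bytes:
        return self.cipher.decrypt(self.target[app])

    # claims 8-10: the first expansion module addresses the second one by memory identifier
    def request_remote(self, app: str) -> str:
        self.remote[app] = self.open_os.allocate()
        return self.remote[app]

    def write_remote(self, app: str, data: bytes) -> None:
        self.open_os.store(self.remote[app], self.cipher.encrypt(data))

    def read_remote(self, app: str) -> bytes:
        return self.cipher.decrypt(self.open_os.load(self.remote[app]))

    # claim 5: when resident pages would exceed capacity, encrypt the oldest page set,
    # park it in open-OS disk space and release the trusted memory it occupied
    def write_page(self, app: str, data: bytes) -> None:
        self.pages.pop(app, None)
        while self.pages and sum(map(len, self.pages.values())) + len(data) > self.capacity:
            victim = next(iter(self.pages))
            self.swapped[victim] = self.open_os.allocate_disk(self.cipher.encrypt(self.pages.pop(victim)))
        self.pages[app] = data

    def read_page(self, app: str) -> bytes:
        if app in self.swapped:   # page back in through the same integrity-checked decryption
            self.write_page(app, self.cipher.decrypt(self.open_os.disk.pop(self.swapped.pop(app))))
        return self.pages[app]
```

The point worth checking in any real implementation of this scheme is the one the model makes visible: nothing the open OS can read (`OpenOSSide.ram`, `OpenOSSide.disk`) ever contains plaintext, and a blob altered on the open side is rejected on read rather than decrypted to garbage, so a page-swap or expansion path cannot silently feed corrupted data back to a trusted application.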
CN202310500696.3A 2023-05-06 2023-05-06 Security enhancement system and method Active CN116226870B (en)


Publications (2)

Publication Number Publication Date
CN116226870A true CN116226870A (en) 2023-06-06
CN116226870B CN116226870B (en) 2023-09-26

Family

ID=86577184


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070118880A1 (en) * 2005-11-18 2007-05-24 Mauro Anthony P Ii Mobile security system and method
CN110750791A (en) * 2019-10-15 2020-02-04 首都师范大学 Method and system for guaranteeing physical attack resistance of trusted execution environment based on memory encryption
CN113051572A (en) * 2020-12-10 2021-06-29 中国银联股份有限公司 Control method and device of trusted application, computer storage medium and terminal
CN114936373A (en) * 2022-04-25 2022-08-23 国电南瑞南京控制系统有限公司 Trusted security chip, trusted data processing system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant