CN117149439B - Method and system for reducing frequency and frequency of trusted computing static measurement - Google Patents
- Publication number
- CN117149439B
- Authority
- CN
- China
- Prior art keywords
- attribute
- measurement
- policy file
- frequency
- time
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/50—Allocation of resources, e.g. of the central processing unit [CPU]
- G06F9/5005—Allocation of resources, e.g. of the central processing unit [CPU] to service a request
- G06F9/5027—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F1/00—Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
- G06F1/26—Power supply means, e.g. regulation thereof
- G06F1/32—Means for saving power
- G06F1/3203—Power management, i.e. event-based initiation of a power-saving mode
- G06F1/3234—Power saving characterised by the action undertaken
- G06F1/3243—Power saving in microcontroller unit
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Mathematical Physics (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Description
Technical field
The invention belongs to the field of information security technology and relates to a method and system for reducing the frequency and count of static measurements in trusted computing.
Background
Trusted Computing (TC) is a technology promoted and developed by the Trusted Computing Group (TCG). One of the key goals of trusted computing is to ensure the integrity of the operating system and applications, so as to establish that the operating system or an application runs as expected and within a predetermined scope. Trust and security are closely linked: trust is the basis of security, and only with a firm grasp of trust can security be properly understood and a solid foundation be laid for a stronger security management system.
Trusted measurement is the core of trusted computing and an indispensable step in it. Trusted measurement is divided into static measurement and dynamic measurement. Static measurement generally refers to measuring static files with a hash or cryptographic signature algorithm during system boot, operating system startup, application execution and file system access. Static files include system images, executable programs and dependent libraries. Measuring a file requires a cryptographic signature algorithm or a hash algorithm, and using these algorithms consumes the operating system's CPU resources; when the measured file is itself large, the burden on the CPU is considerable. How to reduce the CPU consumption of the trusted measurement process has therefore become an unavoidable topic in the field of trusted computing.
Summary of the invention
The purpose of the present invention is to overcome the shortcomings of the prior art described above and to provide a method and system for reducing the frequency and count of static measurements in trusted computing, so as to solve the problem that statically measuring files consumes too much CPU and places a heavy burden on the operating system's CPU resources.
To achieve this purpose, the present invention adopts the following technical solutions:
A method for reducing the frequency and count of static measurements in trusted computing, comprising the following steps:
S1: query the attribute vector cache table and determine whether this is the first trusted measurement of the policy file. If so, execute S2. If not, compare the actual attributes of the policy file with the cached attributes: if they are consistent, the determination ends; if they are inconsistent, execute S2. The cached attributes are the attributes of the policy file cached in the attribute vector cache table, and the actual attributes are the policy file's own attributes.
S2: perform the trusted measurement of the policy file, and write the current measurement value and the last measurement time into the attribute vector cache table of the policy file.
Further improvements of the present invention are:
Preferably, in S1, determining whether this is the first trusted measurement of the policy file includes: querying the attribute vector cache table for the attributes of the policy file; if none are found, this is the first trusted measurement of the policy file.
Preferably, while S1 is executed, attribute changes of the policy file are monitored in real time in the kernel layer of the operating system.
Preferably, in S1, both the cached attributes and the actual attributes include the inode (index node), the time information variables and the last disk write-back time.
Preferably, in S1, the actual attributes and the cached attributes of the policy file are compared as follows: determine whether the inode of the policy file has changed. If it has, the attributes are deemed inconsistent and S2 is executed. If it has not, determine whether the time information variables of the policy file have changed; if they have not, no trusted measurement is required. If the time information variables have changed, determine whether the last disk write-back time of the policy file has changed; if it has not, no trusted measurement is required, otherwise S2 is executed.
Preferably, the time information variables include the last measurement time, the last modification time and the last attribute change time.
Preferably, if any one of the last measurement time, the last modification time and the last attribute change time has changed, the time information variables are considered to have changed.
Preferably, in S1, when no trusted measurement is required, the previous measurement result is taken from the attribute vector cache table and used as the current measurement result.
A system for reducing the frequency and count of static measurements in trusted computing, comprising:
A measurement decision module, configured to query the attribute vector cache table and determine whether this is the first trusted measurement of the policy file. If so, the measurement module is executed. If not, the actual attributes of the policy file are compared with the cached attributes: if they are consistent, the determination ends; if they are inconsistent, the measurement module is executed. The cached attributes are the attributes of the policy file cached in the attribute vector cache table, and the actual attributes are the policy file's own attributes.
A measurement module, configured to perform the trusted measurement of the policy file and write the current measurement value and the last measurement time into the attribute vector cache table of the policy file.
Preferably, the system further comprises:
An attribute change monitoring module, configured to monitor in real time the attribute changes of the policy files in the attribute vector cache table.
Compared with the prior art, the present invention has the following beneficial effects:
The present invention discloses a method for reducing the frequency and count of static measurements in trusted computing. It addresses the problem that trusted computing must frequently apply cryptographic algorithms to measure files, which consumes a large amount of CPU. Before a trusted measurement is performed on a policy file, the attribute vector cache table held in memory is used to determine whether the attributes of the policy file have changed since the last trusted measurement. If they have not changed, no measurement is needed this time and the previous measurement result is used. If they have changed, a trusted measurement is performed and the attribute vector cache table in memory is updated. While preserving the integrity and correctness of trusted measurement, this reduces the frequency and count of measurements, which reduces the CPU resources that trusted measurement occupies and consumes and keeps operating system services running smoothly. The invention reduces the frequency and count of trusted measurements as far as possible, following the principle of "do not measure unless necessary", while preserving the integrity and correctness of trusted measurement. The method is simple to implement, safe and reliable, and can be widely applied in fields such as network servers, industrial control, cloud computing and data centers.
Further, the present invention monitors the attribute changes of the policy file in real time at the operating system kernel layer, and at the same time builds the attribute vector cache table of the policy file in memory.
Description of the drawings
Figure 1 is a flow chart of the method of the present invention for reducing the frequency and count of static measurements in trusted computing;
Figure 2 is a detailed flow chart of the method of the present invention for reducing the frequency and count of static measurements in trusted computing;
Figure 3 is a module diagram of the system of the present invention for reducing the frequency and count of static measurements in trusted computing.
Detailed description
It should be noted that the terms "first", "second" and so on in the description and drawings of the present invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that data used in this way are interchangeable where appropriate, so that the embodiments of the invention described here can be practiced in orders other than those illustrated or described here. In addition, the terms "including" and "having" and any variations of them are intended to cover non-exclusive inclusion: for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
To describe the solution of the present invention clearly, the following terms are explained:
CPU: Central Processing Unit. As the computing and control core of a computer system, it is the final execution unit for information processing and program execution.
AVC: Attribute Vector Cache, the attribute vector cache table, used to cache the attribute information and measurement information of policy files.
Trusted measurement is the core of trusted computing and an indispensable step in it. Trusted measurement generally measures files or processes with a cryptographic signature algorithm or a hash algorithm. A hash algorithm consists of bit operations and hash functions. Bit operations generally do not use much CPU, but the hash function is a heavily CPU-consuming operation, so when hash algorithms are used intensively CPU utilization is bound to stay high. Cryptographic signature algorithms consume even more CPU than hash algorithms. When the operating system has many files that require trusted measurement, or the files are large, CPU utilization inevitably becomes too high and affects normal services. An effective method is therefore needed that reduces the CPU resources occupied and consumed by trusted measurement while preserving its integrity and correctness.
To solve the above problems, referring to Figure 1, the first object of the present invention is to provide a method for reducing the frequency and count of static measurements in trusted computing, which includes the following steps:
S1: query the attribute vector cache table and determine whether this is the first trusted measurement of the policy file. If so, execute S2. If not, compare the actual attributes of the policy file with the cached attributes, where the cached attributes are the attributes of the policy file cached in the attribute vector cache table and the actual attributes are the policy file's own attributes. If they are consistent, the actual attributes are deemed unchanged relative to the cached attributes, no trusted measurement is required, and the determination ends. If they are inconsistent, execute S2.
S2: perform the trusted measurement of the policy file, and write the current measurement value and the last measurement time into the attribute vector cache table of the policy file.
The method monitors the attribute changes of the policy file in real time at the operating system kernel layer and builds the attribute vector cache table of the policy file in memory. Before a trusted measurement, it first decides from the cached attributes in the attribute vector cache table whether a measurement is needed, following the principle of "do not measure unless necessary", and so reduces the frequency and count of trusted measurements as far as possible.
Referring to Figure 2, one embodiment of the present invention discloses a method for reducing the frequency and count of static measurements in trusted computing. Specifically, the method includes the following steps:
S1: when a policy file triggers a trusted measurement, first query the attribute vector cache table for the attribute information cached for the policy file, that is, the cached attributes. If nothing is found, the file is being measured for the first time and the measurement module must be called to perform a trusted measurement of the policy file, that is, S2 is executed; when the measurement completes, the measurement value of the policy file and the last measurement time are stored in the attribute vector cache table. If the cached attributes of the policy file are found in the attribute vector cache table, compare the policy file's own actual attributes with the cached attributes to determine whether the content of the policy file has changed since the last measurement. If the content has not changed, no measurement is needed this time and the previous measurement result is used. If the content has changed, a measurement is performed and the cached attributes of the policy file in the attribute vector cache table are updated according to the measurement result.
Specifically, the actual attributes of the current policy file are compared with the cached attributes in the attribute vector cache table to see whether they have changed. Whether the content of the policy file has changed since the last measurement is decided as follows:
(1) First determine whether the inode (index node) of the policy file has changed. If it has, the policy file may be an entirely new file; there is no need to examine its other attributes and the trusted measurement is performed directly. When the measurement completes, the current measurement value and the last measurement time are stored in the attribute vector cache table; the last measurement time is the time at which the current measurement value was measured.
(2) If the inode of the policy file has not changed, determine whether the time information variables in the actual attributes are consistent with those in the cached attributes. The time information variables are the last measurement time, the last modification time and the last attribute change time. If all three are the same in the cached attributes and the actual attributes, the content of the policy file is considered unchanged since the last measurement; no measurement is needed this time, and the previous measurement result of the policy file is taken from the attribute vector cache table as the current result. Here the last modification time is the time at which the content of the policy file changed. The last attribute change time covers the change times of attributes such as the last access time, the inode number and the file size; if any of these changes, the last attribute change time must be updated.
(3) If, in the previous step, any one of the last measurement time, the last modification time and the last attribute change time of the policy file has changed, this does not by itself mean that the content of the file has changed. It is further necessary to determine whether the disk write-back time of the policy file has changed. If the disk write-back time has not changed, the content of the policy file is considered unchanged since the last measurement; no measurement is needed this time, and the previous measurement result of the policy file is taken from the attribute vector cache table as the current result. Conversely, if the disk write-back time has also changed, a trusted measurement is performed and the file's attribute vector cache table is updated.
As one of the preferred solutions, if the operating system has no attribute vector cache table, then before S1 is performed an attribute vector cache table for policy files is built in the operating system's memory to store the measurement values, measurement times and attributes of policy files.
S2: perform the trusted measurement of the policy file. Each time a trusted measurement of the policy file completes, the current measurement value and the last measurement time are stored in the attribute vector cache table.
As one of the preferred solutions, the attribute changes of the policy file are monitored in real time at the operating system kernel layer. The monitored attributes include, but are not limited to, the inode of the policy file, the last modification time, the last attribute change time, the last disk write-back time and the last measurement time.
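The S1/S2 decision sequence described above, as an added user-space sketch in Python; it is not code from the patent. The class and field names, the SHA-256 measurement and the sample attribute values are assumptions. The write-back time is passed in as a modelled value because the page obtains it from kernel-layer monitoring, and the last measurement time is recorded in the cache entry but not compared.

```python
import hashlib
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class FileAttrs:
    """Actual attributes of a policy file, as a kernel-layer monitor would report them."""
    inode: int
    last_modified: int      # last modification time (content change)
    last_attr_change: int   # last attribute change time
    last_writeback: int     # last disk write-back time (modelled value)


@dataclass
class AvcEntry:
    attrs: FileAttrs    # cached attributes
    digest: str         # measurement value from the last real measurement
    measured_at: int    # last measurement time


class AttributeVectorCache:
    """In-memory AVC keyed by path (hypothetical layout, not the patent's)."""

    def __init__(self, clock: Callable[[], int]):
        self._table: Dict[str, AvcEntry] = {}
        self._clock = clock
        self.hash_calls = 0  # how many times the expensive measurement ran

    def _measure(self, path: str, attrs: FileAttrs,
                 read: Callable[[], bytes]) -> str:
        # S2: measure the file, then store value, time and attributes in the AVC.
        self.hash_calls += 1
        digest = hashlib.sha256(read()).hexdigest()
        self._table[path] = AvcEntry(attrs, digest, self._clock())
        return digest

    def check(self, path: str, attrs: FileAttrs,
              read: Callable[[], bytes]) -> Tuple[str, str]:
        """S1: return (measurement value, decision). read() is only called
        when a real measurement is needed, so a cache hit costs no file I/O."""
        entry = self._table.get(path)
        if entry is None:
            return self._measure(path, attrs, read), "measured:first"
        cached = entry.attrs
        # (1) A different inode may mean an entirely new file: measure directly.
        if attrs.inode != cached.inode:
            return self._measure(path, attrs, read), "measured:inode-changed"
        # (2) Same inode and same time information: reuse the cached result.
        if (attrs.last_modified, attrs.last_attr_change) == (
                cached.last_modified, cached.last_attr_change):
            return entry.digest, "cached:times-unchanged"
        # (3) Times differ; the write-back time decides.
        if attrs.last_writeback == cached.last_writeback:
            return entry.digest, "cached:no-writeback"
        return self._measure(path, attrs, read), "measured:writeback-changed"


def run_demo() -> Tuple[List[str], int, List[str]]:
    """Replay five constructed accesses to one policy file."""
    avc = AttributeVectorCache(clock=itertools.count(1).__next__)
    path = "/etc/example/policy.conf"  # constructed path
    events = [  # constructed (attributes, content) pairs
        (FileAttrs(100, 10, 10, 10), b"v1"),  # first access
        (FileAttrs(100, 10, 10, 10), b"v1"),  # nothing changed
        (FileAttrs(100, 10, 20, 10), b"v1"),  # attribute change only
        (FileAttrs(100, 30, 30, 30), b"v2"),  # content written back to disk
        (FileAttrs(101, 40, 40, 40), b"v3"),  # file replaced, new inode
    ]
    decisions, digests = [], []
    for attrs, content in events:
        digest, decision = avc.check(path, attrs, lambda c=content: c)
        decisions.append(decision)
        digests.append(digest)
    return decisions, avc.hash_calls, digests


if __name__ == "__main__":
    decisions, hash_calls, _ = run_demo()
    for step, decision in enumerate(decisions, 1):
        print(step, decision)
    print("measurements performed:", hash_calls, "of", len(decisions))
```

In this run two of the five accesses reuse the cached measurement value without reading or hashing the file.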
Referring to Figure 3, the second object of the present invention is to provide a system for reducing the frequency and count of static measurements in trusted computing. The system includes:
A measurement decision module, configured to query the attribute vector cache table and determine whether this is the first trusted measurement of the policy file. If so, the measurement module is executed. If not, the actual attributes of the policy file are compared with the cached attributes: if they are consistent, the determination ends; if they are inconsistent, the measurement module is executed. The cached attributes are the attributes of the policy file cached in the attribute vector cache table, and the actual attributes are the policy file's own attributes.
A measurement module, configured to perform the trusted measurement of the policy file and write the current measurement value and the last measurement time into the attribute vector cache table of the policy file.
Further, the system also includes an attribute change monitoring module, configured to monitor in real time the attribute changes of the policy files in the attribute vector cache table.
The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
Claims (8)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311374543.5A CN117149439B (en) | 2023-10-23 | 2023-10-23 | Method and system for reducing frequency and frequency of trusted computing static measurement |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311374543.5A CN117149439B (en) | 2023-10-23 | 2023-10-23 | Method and system for reducing frequency and frequency of trusted computing static measurement |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117149439A CN117149439A (en) | 2023-12-01 |
CN117149439B true CN117149439B (en) | 2024-01-30 |
Family
ID=88884437
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311374543.5A Active CN117149439B (en) | 2023-10-23 | 2023-10-23 | Method and system for reducing frequency and frequency of trusted computing static measurement |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117149439B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||