WO2011124148A1 - Flash data protection method and apparatus thereof - Google Patents

Flash data protection method and apparatus thereof Download PDF

Info

Publication number
WO2011124148A1
WO2011124148A1 PCT/CN2011/072537 CN2011072537W WO2011124148A1 WO 2011124148 A1 WO2011124148 A1 WO 2011124148A1 CN 2011072537 W CN2011072537 W CN 2011072537W WO 2011124148 A1 WO2011124148 A1 WO 2011124148A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
flash
authentication information
operation authority
authority
Prior art date
Application number
PCT/CN2011/072537
Other languages
French (fr)
Chinese (zh)
Inventor
王文宜
Original Assignee
华为终端有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为终端有限公司 filed Critical 华为终端有限公司
Publication of WO2011124148A1 publication Critical patent/WO2011124148A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories

Definitions

  • ECC error correction code
  • Embodiments of the present invention provide a FLASH data protection method and apparatus to improve the security of FLASH stored data.
  • the embodiment of the present invention adopts the following technical solutions:
  • a FLASH data protection method includes:
  • the operation request includes an operation content of the application, an operation authority of the application, and a FLASH target address corresponding to the operation of the application;
  • a FLASH data protection device includes:
  • a receiving unit configured to receive an operation request of the application for the FLASH, where the operation request includes an operation content of the application, an operation authority of the application, and a FLASH target address corresponding to the operation of the application;
  • An authentication unit configured to read authentication information corresponding to the FLASH target address, and determine whether the operation authority of the application satisfies the requirement of the authentication information
  • an execution unit configured to allow the application to execute the operation content of the application at the FLASH target address if the result representation of the authentication unit is satisfied.
  • the solution provided by the embodiment of the present invention has the following beneficial effects:
  • the application can perform the operation content of the application in the FLASH after satisfying the requirements of the authentication information, thereby reducing the possibility of data being modified by mistake, and preventing the data from being maliciously modified by the hacker. Stealing, improving the security of FLASH storage data.
  • BRIEF DESCRIPTION OF THE DRAWINGS In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings to be used in the embodiments or the description of the prior art will be briefly described below, and obviously, in the following description The drawings are only some of the embodiments of the present invention, and other drawings may be obtained from those skilled in the art without departing from the drawings.
  • FIG. 1 is a schematic flowchart of a FLASH data protection method according to Embodiment 1 of the present invention.
  • FIG. 2 is a schematic diagram of an implementation manner for determining whether an operation authority of an application satisfies an authentication information requirement according to Embodiment 1 of the present invention
  • FIG. 3 is a schematic diagram of application of NAND FLASH hardware in Embodiment 1 of the present invention.
  • FIG. 4 is a schematic diagram of another implementation manner of determining whether an operation authority of an application satisfies an authentication information requirement according to Embodiment 1 of the present invention
  • FIG. 5 is a schematic structural diagram of a FLASH data protection apparatus according to Embodiment 2 of the present invention.
  • FIG. 6 is a schematic structural diagram of a FLASH data protection apparatus according to Embodiment 2 of the present invention.
  • the technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of them. Example. Based on the embodiments of the present invention, those obtained by those of ordinary skill in the art without creative efforts Other embodiments are within the scope of the invention. Moreover, the following embodiments are all optional of the present invention, and the order of the embodiments and the number of the embodiments are independent of the preferred execution order.
  • Example 1 is a schematic structural diagram of a FLASH data protection apparatus according to Embodiment 2 of the present invention.
  • This embodiment provides a FLASH data protection method. As shown in FIG. 1, the method mainly includes:
  • the operating system receives an operation request of the application for the FLASH, where the application includes an operation content of the application, an operation permission of the application, and a FLASH target address corresponding to the operation of the application;
  • the 101 may be: the operating system receives an operation request of the application 1 for the FLASH, and the operation request includes: applying for a write operation, operating permission when applying for a write operation, and a FLASH target address written by the write operation .
  • the method may further include: the operating system determining whether the operation authority of the application meets the permission requirement of the application 1; wherein the permission requirement of the application 1 is: the application 1 If the operation authority of the application satisfies the operation permission requirement of the application 1, the following 102 is further performed; if the operation authority of the application does not satisfy the operation permission requirement of the application 1, the operation is returned. Failure information.
  • the application 1 is preset with a corresponding operation permission range.
  • the scope of the operation authority can be set by the user, or the operator can set the default scope of operation authority for the application 1.
  • some applications have been set with a range of operation rights. Therefore, the specific setting method in this embodiment may also refer to the prior art, and details are not described herein.
  • the FLASH driver of the operating system determines whether the operation permission of the application 1 to perform the write operation is within the scope of the operation authority set by the application 1 (in the embodiment, the operation permission range of the application 1 is read, write, Execution), since the operation authority of the write operation requested by the application 1 is within the operation authority set by the application 1, the FLASH driver determines that the application 1 can continue to execute the following 102.
  • This step 102 can specifically have the following two implementations:
  • the first implementation in the case where the authentication information is an operation authority.
  • This first implementation will be described in conjunction with Figure 2.
  • the FLASH the FLASH address table sets the address in the page of the FLASH addressing, that is, each page corresponds to one address
  • the data area corresponding to the corresponding FLASH address is added.
  • Operation permission, SP Each address corresponds to the operation permission of a data area. Therefore, an application that wants to execute the operation content of the application at a certain address needs to execute the operation content of the application at the address only if the operation authority range of the application is smaller than the operation authority of the data area at the address.
  • FIG. 1 the FLASH address table sets the address in the page of the FLASH addressing, that is, each page corresponds to one address
  • the data area corresponding to the corresponding FLASH address is added.
  • Operation permission, SP Each address corresponds to the operation permission of a data area. Therefore, an application that wants to execute the operation content of the application at a certain address needs to execute the operation content of the application at
  • the operation authority of the data area added in this embodiment may be stored in the spare area of the corresponding page.
  • the operation authority of the data area may be set in advance for the spare area corresponding to each address in the FLASH address table, and the setting may be completed by the user, or may be set by the operator at the factory. level.
  • the specific execution manner of the current mode 102 includes: determining whether the operation authority of the application is within the operation authority of the data area; if the operation authority of the application is within the operation authority of the data area, The operation authority of the application satisfies the requirement of the authentication information, and executes 103; if the operation authority of the application is not within the operation authority of the data area, the operation authority of the application does not satisfy the authentication
  • the request for information is turned to 104 for execution. For example: setting the operation right of the data area corresponding to the FLASH target address is read and execute, and the application 1 carries the operation authority for requesting the write operation; the FLASH driver determines that the operation authority of the write operation of the application is not corresponding to the FLASH target address of the application. Within the scope of the operating rights of the data area, therefore, the application 1 does not satisfy the requirements of the operating authority of the data area, and thus executes 104.
  • the second implementation manner is when the authentication information is a hardware password of a data area corresponding to the FLASH target address.
  • This second implementation will be described in conjunction with FIG. It can be seen from FIG. 4 that a hard disk password corresponding to different FLASH address blocks is added to the FLASH, and SP: each address block is correspondingly provided with a hard disk password (in the FLASH partition table, the address is recorded in units of BLOCK). , that is, each BLOCK is recorded as an address, and each address ultimately corresponds to a page). Therefore, an application that wants to execute the operation content of the application at a certain address can execute the application in the address block only if the operation password input by the user who initiated the application matches the hardware password of the address block. The content of the operation.
  • Figure 4 is only used to indicate the operation permission of each address corresponding to the data area.
  • the operation authority is not stored in the FLASH partition table, because FLASH has a spare area in each page. Therefore, the hard disk password added in this embodiment can be stored in the spare area of the corresponding page of the address block.
  • the hard disk password can also be stored by using the ⁇ 1- ⁇ 5 part as shown in FIG. 3 . Therefore, in this implementation manner, a hard disk password may be set corresponding to at least one address block in the FLASH partition table, and the setting may be completed by the user, or the default hard disk password may be set by the operator at the factory. code.
  • the specific execution manner of the method includes: starting a password input procedure, and determining, after the user inputs the operation password according to the prompt, whether the operation password is consistent with the hardware password; if the operation password is consistent with the hardware password, The operation authority of the application satisfies the requirement of the authentication information, and executes 103; if the operation password is inconsistent with the hardware password, the operation authority of the application does not satisfy the requirement of the authentication information, and turns to 104 execution.
  • the FLASH driver initiates an instruction to input an operation password, and the user can input an operation password according to the instruction; after receiving the input password, the FLASH driver compares the input.
  • the security of the FLASH data information can be improved.
  • the operational content of the application may include: one or a combination of one of read, write, delete, and execute. 104, return information that the operation failed.
  • the application applying for the operation can write the operation content of the application to the FLASH target address by means of the operation authority provided by the user or the operation password of the user, thereby ensuring data security stored in the FLASH, and After the data is stored in the FLASH, the application still needs to read, modify and erase the data in the corresponding position in the FLASH by virtue of the operation authority or operation password held, which can reduce the possibility of data being modified by mistake and prevent data. It is maliciously modified and stolen by hackers, which improves the security of FLASH storage data. Moreover, the existing backup area is used to store the added authentication information, and no additional code is needed for security verification, so as to ensure security. At the same time, the complexity of the implementation is reduced.
  • Example 2 Example 2
  • the embodiment provides a FLASH data protection device. As shown in FIG. 5, the device includes: a receiving unit 51, an authentication unit 52, and an executing unit 53.
  • the receiving unit 51 is configured to receive an operation request of the application for the FLASH, where the operation request includes an operation content of the application, an operation authority of the application, and a FLASH target address corresponding to the operation of the application; and an authentication unit 52, configured to read the The authentication information corresponding to the FLASH target address, and determining whether the operation authority of the application satisfies the requirement of the authentication information; the executing unit 53 is configured to: if the judgment result of the authentication unit 52 is that the authentication information is satisfied Requiring, the application is allowed to execute the operation content of the application at the FLASH target address.
  • the authentication information may be an operation permission of a data area corresponding to a FLASH target address, or may be
  • the authentication unit 52 includes:
  • the permission module 521 is configured to determine whether the operation authority of the application is within the operation authority of the data area; if the operation authority of the application is within the operation authority of the data area, the operation permission of the application Satisfying the requirement of the authentication information; if the operation authority of the application is not within the operation authority of the data area, the operation authority of the application does not satisfy the requirement of the authentication information; and/or
  • the cryptographic module 522 is configured to determine whether the operation password is consistent with the hardware password after inputting the operation password according to the prompt; if the operation password is consistent with the hardware password, the operation authority of the application satisfies the The request for the right information; if the operation password is inconsistent with the hardware password, the operation authority of the application does not satisfy the requirement of the authentication information.
  • the apparatus may further include the following optional units: a program authority unit.
  • the program authority unit 54 is configured to determine whether the operation authority of the application meets the permission requirement of the application; wherein, the permission requirement of the application is: the operation permission range provided by the application; If the permission meets the operation permission requirement of the application, the operation is further performed by the authentication unit; if the operation authority of the application does not satisfy the operation permission requirement of the application, the information that the operation fails is returned.
  • the storage unit 55 is configured to store the authentication information in a spare area corresponding to a page where the FLASH target address is located.
  • the device provided in this embodiment utilizes the spare area of the existing FLASH, and adopts the technical means of increasing the operation authority of the FLASH data area and the password judgment, so as to protect the FLASH from being mishandled and maliciously operated, without introducing other codes. In the case, the security of the FLASH storage data is improved.
  • the present invention can be implemented by means of software plus a necessary general hardware platform, and of course, can also be through hardware, but in many cases, the former is a better implementation. the way.
  • the technical solution of the present invention which is essential or contributes to the prior art, may be embodied in the form of a software product stored in a readable storage medium, such as a floppy disk of a computer. , a hard disk or an optical disk, etc., including instructions for causing a device (which may be a mobile phone or the like) to perform the methods described in various embodiments of the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A FLASH data protection method and an apparatus thereof are disclosed, relating to the field of information security. The method mainly involves: receiving an application for operating a FLASH from an application program, wherein the application includes operation contents of the application, operation limits of the application and the FLASH target addresses corresponding to the operation of the application (101); reading authentication information corresponding to the FLASH target addresses, and determining whether the operation limits of the application satisfy the requirements of the authentication information (102); if they do, permitting the application program to carry out the operation contents of the application at the FLASH target addresses (103). The solutions are mainly used to protect data security, and resolve the problem in the prior art that the security is low while a FLASH is being operated.

Description

FLASH数据保护方法及装置 本申请要求于 2010年 04月 08日提交中国专利局、 申请号为 CN 201010141963. 5、 发明名称为 "FLASH数据保护方法及装置" 的中国专利申请的优先权, 其全部内容通过 引用结合在本申请中。 技术领域 本发明涉及信息安全领域, 尤其涉及一种在 FLASH中的保护数据方法及装置及系 统。 背景技术 NAND闪存 (NAND FLASH )、 ONE NAND FLASH等是目前较流行的一种 FLASH格式。 它 们均是以块 (BLOCK) 为大的构成单位, 具有存取速度快、 擦除时间短的优点。 以某型 号的 NAND FLASH为例: 该 NAND FLASH具有 1024个 BLOCK, 每个 BLOCK有 64个 page , 每个 page有 2048个字节和部分空闲区。 所有对 NAND flash的操作是通过对 page进行 操作实现的, 即对它的读写都是以 page为单位进行处理的。 所以该 NAND FLASH容量是 1024 X 64 X 2048 = 128Mbyte。 其中, 每个 page上的空闲区通常被用于纠错码 (ECC)、 耗损均衡等功能。  FLASH data protection method and device The present application claims to be filed on April 8, 2010, the Chinese Patent Office, the application number is CN 201010141963. 5, the Chinese patent application entitled "FLASH data protection method and device" priority, all The content is incorporated herein by reference. TECHNICAL FIELD The present invention relates to the field of information security, and in particular, to a method, device, and system for protecting data in FLASH. BACKGROUND OF THE INVENTION NAND flash memory (NAND FLASH), ONE NAND FLASH, etc. are currently a popular FLASH format. They are all composed of blocks (BLOCK), which have the advantages of fast access speed and short erase time. Take a model of NAND FLASH as an example: The NAND FLASH has 1024 BLOCKs, each BLOCK has 64 pages, and each page has 2048 bytes and some free areas. All operations on the NAND flash are performed by manipulating the page, that is, reading and writing to it is performed on a page-by-page basis. So the NAND FLASH capacity is 1024 X 64 X 2048 = 128 Mbyte. Among them, the free area on each page is usually used for error correction code (ECC), wear leveling and other functions.
在利用类似这些格式的 FLASH存储数据的过程中,发明人发现现有技术中至少存在 如下问题: 将数据存储到 FLASH内部后, 应用程序可以任意读取、 修改和擦除 FLASH中 任意位置的数据, 从而造成数据易被误修改, 特别是数据易被黑客恶意修改和盗取等技 术问题。 发明内容  In the process of using FLASH to store data in these formats, the inventors found that at least the following problems exist in the prior art: After storing data into the FLASH, the application can arbitrarily read, modify, and erase data in any position in the FLASH. Therefore, the data is easily modified by mistakes, especially the technical problems such as data being maliciously modified and stolen by hackers. Summary of the invention
本发明的实施例提供一种 FLASH数据保护方法及装置, 以便提高 FLASH存储数据的安 全性。 为达到上述目的, 本发明的实施例采用如下技术方案:  Embodiments of the present invention provide a FLASH data protection method and apparatus to improve the security of FLASH stored data. In order to achieve the above object, the embodiment of the present invention adopts the following technical solutions:
一种 FLASH数据保护方法, 包括:  A FLASH data protection method includes:
接收应用程序对 FLASH的操作申请, 所述操作申请包括申请的操作内容、 申请的操 作权限以及申请的操作对应的 FLASH目标地址;  Receiving an operation request of the application for the FLASH, where the operation request includes an operation content of the application, an operation authority of the application, and a FLASH target address corresponding to the operation of the application;
读取所述 FLASH目标地址对应的鉴权信息, 并判断所述申请的操作权限是否满足所 述鉴权信息的要求; 如果满足, 则允许所述应用程序在所述 FLASH目标地址执行所述申请的操作内容。 一种 FLASH数据保护装置, 包括: Reading the authentication information corresponding to the FLASH target address, and determining whether the operation authority of the application satisfies the requirement of the authentication information; If so, the application is allowed to execute the operational content of the application at the FLASH target address. A FLASH data protection device includes:
接收单元, 用于接收应用程序对 FLASH的操作申请, 所述操作申请包括申请的操作 内容、 申请的操作权限以及申请的操作对应的 FLASH目标地址;  a receiving unit, configured to receive an operation request of the application for the FLASH, where the operation request includes an operation content of the application, an operation authority of the application, and a FLASH target address corresponding to the operation of the application;
鉴权单元, 用于读取所述 FLASH目标地址对应的鉴权信息, 并判断所述申请的操作 权限是否满足所述鉴权信息的要求;  An authentication unit, configured to read authentication information corresponding to the FLASH target address, and determine whether the operation authority of the application satisfies the requirement of the authentication information;
执行单元, 用于如果鉴权单元的结果表示满足, 则允许所述应用程序在所述 FLASH 目标地址执行所述申请的操作内容。  And an execution unit, configured to allow the application to execute the operation content of the application at the FLASH target address if the result representation of the authentication unit is satisfied.
本发明实施例提供的方案具有如下有益效果: 应用程序在满足鉴权信息的要求后才 可在 FLASH中执行申请的操作内容, 可降低数据被误修改的可能性, 防止数据被黑客恶 意修改和盗取, 提高了 FLASH存储数据的安全性。 附图说明 为了更清楚地说明本发明实施例或现有技术中的技术方案, 下面将对实施例或现有 技术描述中所需要使用的附图作简单地介绍, 显而易见地, 下面描述中的附图仅仅是本 发明的一些实施例, 对于本领域普通技术人员来讲, 在不付出创造性劳动性的前提下, 还可以根据这些附图获得其他的附图。  The solution provided by the embodiment of the present invention has the following beneficial effects: The application can perform the operation content of the application in the FLASH after satisfying the requirements of the authentication information, thereby reducing the possibility of data being modified by mistake, and preventing the data from being maliciously modified by the hacker. Stealing, improving the security of FLASH storage data. BRIEF DESCRIPTION OF THE DRAWINGS In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings to be used in the embodiments or the description of the prior art will be briefly described below, and obviously, in the following description The drawings are only some of the embodiments of the present invention, and other drawings may be obtained from those skilled in the art without departing from the drawings.
图 1为本发明实施例 1提供的 FLASH数据保护方法的流程示意图;  1 is a schematic flowchart of a FLASH data protection method according to Embodiment 1 of the present invention;
图 2为本发明实施例 1提供的判断申请的操作权限是否满足鉴权信息要求的一种实 现方式的示意图;  2 is a schematic diagram of an implementation manner for determining whether an operation authority of an application satisfies an authentication information requirement according to Embodiment 1 of the present invention;
图 3为本发明实施例 1中 NAND FLASH硬件的应用示意图;  3 is a schematic diagram of application of NAND FLASH hardware in Embodiment 1 of the present invention;
图 4为本发明实施例 1提供的判断申请的操作权限是否满足鉴权信息要求的另一种 实现方式的示意图;  4 is a schematic diagram of another implementation manner of determining whether an operation authority of an application satisfies an authentication information requirement according to Embodiment 1 of the present invention;
图 5为本发明实施例 2提供的 FLASH数据保护装置的结构示意图;  FIG. 5 is a schematic structural diagram of a FLASH data protection apparatus according to Embodiment 2 of the present invention; FIG.
图 6为本发明实施例 2提供的 FLASH数据保护装置的具体结构示意图。 具体实肺式 下面将结合本发明实施例中的附图, 对本发明实施例中的技术方案进行清楚、 完 整地描述, 显然, 所描述的实施例仅仅是本发明一部分实施例, 而不是全部的实施例。 基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所 有其他实施例,都属于本发明保护的范围。并且, 以下各实施例均为本发明的可选方案, 实施例的排列顺序及实施例的编号与其优选执行顺序无关。 实施例 1 FIG. 6 is a schematic structural diagram of a FLASH data protection apparatus according to Embodiment 2 of the present invention. The technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of them. Example. Based on the embodiments of the present invention, those obtained by those of ordinary skill in the art without creative efforts Other embodiments are within the scope of the invention. Moreover, the following embodiments are all optional of the present invention, and the order of the embodiments and the number of the embodiments are independent of the preferred execution order. Example 1
本实施例提供一种 FLASH数据保护方法, 如图 1所示, 该方法主要包括:  This embodiment provides a FLASH data protection method. As shown in FIG. 1, the method mainly includes:
101 ,操作系统接收应用程序对 FLASH的操作申请,所述申请包括申请的操作内容、 申请的操作权限以及申请的操作对应的 FLASH目标地址;  101. The operating system receives an operation request of the application for the FLASH, where the application includes an operation content of the application, an operation permission of the application, and a FLASH target address corresponding to the operation of the application;
具体地, 该 101可以为: 操作系统接收到应用程序 1对 FLASH 的操作申请, 该操 作申请包括: 申请执行写操作, 申请执行写操作时的操作权限, 以及该写操作写入的 FLASH目标地址。  Specifically, the 101 may be: the operating system receives an operation request of the application 1 for the FLASH, and the operation request includes: applying for a write operation, operating permission when applying for a write operation, and a FLASH target address written by the write operation .
另外本实施例中在 101后, 还可以包括: 操作系统判断所述申请的操作权限是否 满足所述应用程序 1的权限要求; 其中, 所述应用程序 1的权限要求为: 所述应用程序 1设有的操作权限范围; 如果申请的操作权限满足所述应用程序 1的操作权限要求, 则 进一步执行下述 102; 如果申请的操作权限不满足所述应用程序 1的操作权限要求, 则 返回操作失败的信息。  In addition, after the present embodiment, the method may further include: the operating system determining whether the operation authority of the application meets the permission requirement of the application 1; wherein the permission requirement of the application 1 is: the application 1 If the operation authority of the application satisfies the operation permission requirement of the application 1, the following 102 is further performed; if the operation authority of the application does not satisfy the operation permission requirement of the application 1, the operation is returned. Failure information.
其中, 需要说明的是: 在本实施例中上述应用程序 1是预先设置有对应的操作权 限范围的。 该操作权限范围可以由用户自行设置, 也可以由运营商对该应用程序 1设置 默认的操作权限范围。另外,在现有技术中,某些应用程序已经被设置了操作权限范围, 因此在本实施例中具体设置方法也可以参考现有技术, 在此不赘述。  It should be noted that, in the embodiment, the application 1 is preset with a corresponding operation permission range. The scope of the operation authority can be set by the user, or the operator can set the default scope of operation authority for the application 1. In addition, in the prior art, some applications have been set with a range of operation rights. Therefore, the specific setting method in this embodiment may also refer to the prior art, and details are not described herein.
例如: 操作系统的 FLASH驱动程序判断应用程序 1 申请执行写操作的操作权限是 否在应用程序 1设有的操作权限范围内(在本实施例中设应用程序 1的操作权限范围为 读、 写、 执行) , 因为应用程序 1申请的写操作的操作权限在应用程序 1设有的操作权 限范围内, 因此, FLASH驱动程序判定该应用程序 1可以继续执行下述 102。  For example: the FLASH driver of the operating system determines whether the operation permission of the application 1 to perform the write operation is within the scope of the operation authority set by the application 1 (in the embodiment, the operation permission range of the application 1 is read, write, Execution), since the operation authority of the write operation requested by the application 1 is within the operation authority set by the application 1, the FLASH driver determines that the application 1 can continue to execute the following 102.
102, 读取所述 FLASH目标地址对应的鉴权信息, 并判断所述申请的操作权限是否 满足所述鉴权信息的要求; 如果满足, 则执行 103; 否则, 执行 104。  102. Read the authentication information corresponding to the FLASH target address, and determine whether the operation authority of the application satisfies the requirement of the authentication information; if yes, execute 103; otherwise, execute 104.
该步骤 102可以具体有以下两种实现方式:  This step 102 can specifically have the following two implementations:
第一种实现方式:在鉴权信息是操作权限的情况下。该第一种实现方式将结合图 2 所示进行描述。 由图 2中的示意可知, 在该 FLASH中 (FLASH地址表在 FLASH寻址中是 以 page为单位设置地址的, 即每一个 page对应一个地址)增加了根据不同的 FLASH地 址对应设置的数据区的操作权限, SP : 每个地址都对应设置有一个数据区的操作权限。 因此, 想要在某一地址执行申请的操作内容的应用程序, 需要只有在其申请的操作权限 范围小于所述地址处数据区的操作权限的情况下才可以在该地址执行申请的操作内容。 其中, 需要说明的是: 图 2仅用于示意每个地址对应设置有数据区的操作权限, 该操作 权限并非存储在 FLASH地址表中, 实际上, 因为 FLASH每 page中均有一个备用区域, 因此在本实施例中增加的数据区的操作权限可以是存储在对应 page 的备用区域中。 例 如: 当该 FLASH是 NAND FLASH硬件, 并且 FLASH规格为每页 512字节, 其中 16字节备 用时, 可利用如图 3所示的 ΒΥΠ 1-ΒΥΠ5部分存储该数据区的操作权限。 因此, 在该实 现方式中, 可预先为 FLASH地址表中每个地址对应页的备用区内对应设置该数据区的操 作权限, 该设置可以由用户完成, 也可以由运营商在出厂时设置默认级别。 The first implementation: in the case where the authentication information is an operation authority. This first implementation will be described in conjunction with Figure 2. As can be seen from the illustration in FIG. 2, in the FLASH (the FLASH address table sets the address in the page of the FLASH addressing, that is, each page corresponds to one address), the data area corresponding to the corresponding FLASH address is added. Operation permission, SP: Each address corresponds to the operation permission of a data area. Therefore, an application that wants to execute the operation content of the application at a certain address needs to execute the operation content of the application at the address only if the operation authority range of the application is smaller than the operation authority of the data area at the address. It should be noted that: FIG. 2 is only used to indicate that each address corresponds to an operation right set with a data area, and the operation authority is not stored in the FLASH address table. Actually, since FLASH has a spare area in each page, Therefore, the operation authority of the data area added in this embodiment may be stored in the spare area of the corresponding page. For example: When the FLASH is NAND FLASH hardware, and the FLASH specification is 512 bytes per page, 16 bytes of which are reserved, the operation authority of the data area can be stored by using the ΒΥΠ 1-ΒΥΠ5 part as shown in FIG. 3 . Therefore, in this implementation manner, the operation authority of the data area may be set in advance for the spare area corresponding to each address in the FLASH address table, and the setting may be completed by the user, or may be set by the operator at the factory. level.
相应地, 此时 102 的具体执行方式包括: 判断所述申请的操作权限是否在所述数 据区的操作权限范围内; 如果所述申请的操作权限在所述数据区的操作权限范围内, 则 所述申请的操作权限满足所述鉴权信息的要求, 并执行 103; 如果所述申请的操作权限 不在所述数据区的操作权限范围内, 则所述申请的操作权限不满足所述鉴权信息的要 求, 转向 104执行。 例如: 设 FLASH目标地址对应数据区的操作权限是读、 执行, 应用 程序 1携带的是申请写操作的操作权限; FLASH驱动程序判断该申请的写操作的操作权 限不在该申请的 FLASH目标地址对应的数据区的操作权限范围内, 因此, 该应用程序 1 不满足数据区的操作权限的要求, 故而执行 104。  Correspondingly, the specific execution manner of the current mode 102 includes: determining whether the operation authority of the application is within the operation authority of the data area; if the operation authority of the application is within the operation authority of the data area, The operation authority of the application satisfies the requirement of the authentication information, and executes 103; if the operation authority of the application is not within the operation authority of the data area, the operation authority of the application does not satisfy the authentication The request for information is turned to 104 for execution. For example: setting the operation right of the data area corresponding to the FLASH target address is read and execute, and the application 1 carries the operation authority for requesting the write operation; the FLASH driver determines that the operation authority of the write operation of the application is not corresponding to the FLASH target address of the application. Within the scope of the operating rights of the data area, therefore, the application 1 does not satisfy the requirements of the operating authority of the data area, and thus executes 104.
第二种实现方式, 在鉴权信息是 FLASH 目标地址对应的数据区的硬件密码的情况 下。 该第二种实现方式将结合图 4所示进行描述。 由图 4可知, 在该 FLASH中增加了根 据不同的 FLASH地址块对应设置的硬盘密码, SP : 每个地址块都对应设置有一个硬盘密 码 (在 FLASH分区表中是以 BLOCK为单位记录地址的, 即每一个 BLOCK记为一个地址, 且每个地址最终对应于一个 page )。 因此, 想要在某一地址执行申请的操作内容的应用 程序, 只有在发起该应用程序的用户输入的操作密码与所述地址块的硬件密码一致的情 况下才可以在该地址块中执行申请的操作内容。 其中, 需要说的是: 图 4仅用于示意每 个地址对应设置有数据区的操作权限,实际上,该操作权限并非存储在 FLASH分区表中, 因为 FLASH每 page中均有一个备用区域, 因此在本实施例中增加的硬盘密码可存储在 地址块对应 page的备用区域中。 例如: 当该 FLASH是 NAND FLASH硬件, 并且 FLASH 规格为每页 512字节, 其中 16字节备用时, 同样可利用如图 3所示的 ΒΥΠ 1-ΒΥΠ5部 分存储该硬盘密码。 因此, 在该实现方式中, 可为 FLASH分区表中至少一个地址块对应 设置硬盘密码, 该设置可以有用户自行完成, 也可以有运营商在出厂时设置默认硬盘密 码。 The second implementation manner is when the authentication information is a hardware password of a data area corresponding to the FLASH target address. This second implementation will be described in conjunction with FIG. It can be seen from FIG. 4 that a hard disk password corresponding to different FLASH address blocks is added to the FLASH, and SP: each address block is correspondingly provided with a hard disk password (in the FLASH partition table, the address is recorded in units of BLOCK). , that is, each BLOCK is recorded as an address, and each address ultimately corresponds to a page). Therefore, an application that wants to execute the operation content of the application at a certain address can execute the application in the address block only if the operation password input by the user who initiated the application matches the hardware password of the address block. The content of the operation. Among them, it should be said that: Figure 4 is only used to indicate the operation permission of each address corresponding to the data area. In fact, the operation authority is not stored in the FLASH partition table, because FLASH has a spare area in each page. Therefore, the hard disk password added in this embodiment can be stored in the spare area of the corresponding page of the address block. For example: When the FLASH is NAND FLASH hardware, and the FLASH specification is 512 bytes per page, 16 bytes of which are reserved, the hard disk password can also be stored by using the ΒΥΠ 1-ΒΥΠ5 part as shown in FIG. 3 . Therefore, in this implementation manner, a hard disk password may be set corresponding to at least one address block in the FLASH partition table, and the setting may be completed by the user, or the default hard disk password may be set by the operator at the factory. code.
相应地, 102的具体执行方式包括: 启动输入密码程序, 并在用户根据提示输入操 作密码后, 判断所述操作密码是否与所述硬件密码一致; 如果所述操作密码与所述硬件 密码一致, 则所述申请的操作权限满足所述鉴权信息的要求, 并执行 103; 如果所述操 作密码与所述硬件密码不一致, 则所述申请的操作权限不满足所述鉴权信息的要求, 转 向 104执行。 例如: 用户运行应用程序 1向 FLASH执行读操作时, FLASH驱动程序启动 提示输入操作密码的指示, 用户可根据该指示输入操作密码; FLASH驱动程序在接收到 输入的密码后, 比较所述输入的操作密码与对应所述 FLASH目标地址块存储的硬盘密码 是否一致; 如果两者一致, 代表该用户有权限在该目标地址块执行写操作的内容, 继续 103执行; 否则, 则代表该用户权限不足, 转向 104执行。  Correspondingly, the specific execution manner of the method includes: starting a password input procedure, and determining, after the user inputs the operation password according to the prompt, whether the operation password is consistent with the hardware password; if the operation password is consistent with the hardware password, The operation authority of the application satisfies the requirement of the authentication information, and executes 103; if the operation password is inconsistent with the hardware password, the operation authority of the application does not satisfy the requirement of the authentication information, and turns to 104 execution. For example: When the user runs the application 1 to perform a read operation to the FLASH, the FLASH driver initiates an instruction to input an operation password, and the user can input an operation password according to the instruction; after receiving the input password, the FLASH driver compares the input. Whether the operation password is consistent with the hard disk password corresponding to the FLASH target address block; if the two are consistent, the content representing the user having the right to perform the write operation in the target address block continues 103; otherwise, the user authority is insufficient , turn to 104 to execute.
另外, 由于上述存储在备用区的鉴权信息, 可以根据用户的需要由用户进行自行 设置和更新, 能够提高 FLASH数据信息的安全性保证。  In addition, since the above-mentioned authentication information stored in the spare area can be set and updated by the user according to the needs of the user, the security of the FLASH data information can be improved.
103, 允许所述应用程序在所述 FLASH目标地址执行所述申请的操作内容。  103. Allow the application to execute the operation content of the application at the FLASH target address.
所述申请的操作内容可以包括: 读、 写、 删除和执行中的一种或者几种的组合。 104, 返回操作失败的信息。  The operational content of the application may include: one or a combination of one of read, write, delete, and execute. 104, return information that the operation failed.
本实施例提供的方法具有如下有益效果: 申请操作的应用程序可凭借其提供的操 作权限, 或者用户的操作密码将申请的操作内容写入 FLASH 目标地址从而保证存储在 FLASH中的数据安全, 并且在数据存储到 FLASH内部后, 应用程序仍旧需凭借所持有的 操作权限或操作密码才可读取、 修改和擦除 FLASH中相应位置的数据, 可降低数据被误 修改的可能性, 防止数据被黑客恶意修改和盗取, 提高了 FLASH存储数据的安全性; 并 且, 利用现有的备用区域对增加的鉴权信息进行存储, 无需为实现安全性校验引入其它 的代码, 在保证安全性的同时降低了实现的复杂度。 实施例 2  The method provided in this embodiment has the following beneficial effects: the application applying for the operation can write the operation content of the application to the FLASH target address by means of the operation authority provided by the user or the operation password of the user, thereby ensuring data security stored in the FLASH, and After the data is stored in the FLASH, the application still needs to read, modify and erase the data in the corresponding position in the FLASH by virtue of the operation authority or operation password held, which can reduce the possibility of data being modified by mistake and prevent data. It is maliciously modified and stolen by hackers, which improves the security of FLASH storage data. Moreover, the existing backup area is used to store the added authentication information, and no additional code is needed for security verification, so as to ensure security. At the same time, the complexity of the implementation is reduced. Example 2
本实施例提供一种 FLASH数据保护装置, 如图 5所示, 该装置包括: 接收单元 51, 鉴权单元 52, 执行单元 53。  The embodiment provides a FLASH data protection device. As shown in FIG. 5, the device includes: a receiving unit 51, an authentication unit 52, and an executing unit 53.
接收单元 51, 用于接收应用程序对 FLASH的操作申请, 所述操作申请包括申请的 操作内容、 申请的操作权限以及申请的操作对应的 FLASH目标地址; 鉴权单元 52, 用于 读取所述 FLASH目标地址对应的鉴权信息, 并判断所述申请的操作权限是否满足所述鉴 权信息的要求; 执行单元 53, 用于如果鉴权单元 52的判断结果是满足所述鉴权信息的 要求, 则允许所述应用程序在所述 FLASH目标地址执行所述申请的操作内容。 The receiving unit 51 is configured to receive an operation request of the application for the FLASH, where the operation request includes an operation content of the application, an operation authority of the application, and a FLASH target address corresponding to the operation of the application; and an authentication unit 52, configured to read the The authentication information corresponding to the FLASH target address, and determining whether the operation authority of the application satisfies the requirement of the authentication information; the executing unit 53 is configured to: if the judgment result of the authentication unit 52 is that the authentication information is satisfied Requiring, the application is allowed to execute the operation content of the application at the FLASH target address.
其中, 所述鉴权信息可以是 FLASH 目标地址对应的数据区的操作权限, 也可以是 The authentication information may be an operation permission of a data area corresponding to a FLASH target address, or may be
FLASH目标地址对应的数据区的硬件密码, 且当是后者时, 所述操作权限为操作密码。 相应地, 如图 6所示, 鉴权单元 52包括: The hardware password of the data area corresponding to the FLASH target address, and when it is the latter, the operation authority is the operation password. Accordingly, as shown in FIG. 6, the authentication unit 52 includes:
权限模块 521, 用于判断所述申请的操作权限是否在所述数据区的操作权限范围 内; 如果所述申请的操作权限在所述数据区的操作权限范围内, 则所述申请的操作权限 满足所述鉴权信息的要求; 如果所述申请的操作权限不在所述数据区的操作权限范围 内, 则所述申请的操作权限不满足所述鉴权信息的要求; 和 /或  The permission module 521 is configured to determine whether the operation authority of the application is within the operation authority of the data area; if the operation authority of the application is within the operation authority of the data area, the operation permission of the application Satisfying the requirement of the authentication information; if the operation authority of the application is not within the operation authority of the data area, the operation authority of the application does not satisfy the requirement of the authentication information; and/or
密码模块 522,用于在根据提示输入操作密码后,判断所述操作密码是否与所述硬 件密码一致; 如果所述操作密码与所述硬件密码一致, 则所述申请的操作权限满足所述 鉴权信息的要求; 如果所述操作密码与所述硬件密码不一致, 则所述申请的操作权限不 满足所述鉴权信息的要求。  The cryptographic module 522 is configured to determine whether the operation password is consistent with the hardware password after inputting the operation password according to the prompt; if the operation password is consistent with the hardware password, the operation authority of the application satisfies the The request for the right information; if the operation password is inconsistent with the hardware password, the operation authority of the application does not satisfy the requirement of the authentication information.
另外, 如图 6所示, 在本实施例中该装置还可包括如下可选单元: 程序权限单元 In addition, as shown in FIG. 6, in the embodiment, the apparatus may further include the following optional units: a program authority unit.
54, 存储单元 55。 54, storage unit 55.
程序权限单元 54, 用于判断所述申请的操作权限是否满足所述应用程序的权限要 求; 其中, 所述应用程序的权限要求为, 所述应用程序设有的操作权限范围; 如果申请 的操作权限满足所述应用程序的操作权限要求, 则进一步由鉴权单元执行其操作; 如果 申请的操作权限不满足所述应用程序的操作权限要求, 则返回操作失败的信息。  The program authority unit 54 is configured to determine whether the operation authority of the application meets the permission requirement of the application; wherein, the permission requirement of the application is: the operation permission range provided by the application; If the permission meets the operation permission requirement of the application, the operation is further performed by the authentication unit; if the operation authority of the application does not satisfy the operation permission requirement of the application, the information that the operation fails is returned.
存储单元 55, 用于将所述鉴权信息存储在所述 FLASH目标地址所在页对应的备用 区内。  The storage unit 55 is configured to store the authentication information in a spare area corresponding to a page where the FLASH target address is located.
本实施例提供的装置利用现有 FLASH的备用区域, 通过采用增加 FLASH数据区的 操作权限以及密码判断的技术手段, 可达到保护 FLASH不被误操作和恶意操作的情况发 生, 在不引入其它代码的情况下, 实现了提高 FLASH存储数据的安全性。  The device provided in this embodiment utilizes the spare area of the existing FLASH, and adopts the technical means of increasing the operation authority of the FLASH data area and the password judgment, so as to protect the FLASH from being mishandled and maliciously operated, without introducing other codes. In the case, the security of the FLASH storage data is improved.
通过以上的实施方式的描述, 所属领域的技术人员可以清楚地了解到本发明可借 助软件加必需的通用硬件平台的方式来实现, 当然也可以通过硬件, 但很多情况下前者 是更佳的实施方式。基于这样的理解, 本发明的技术方案本质上或者说对现有技术做出 贡献的部分可以以软件产品的形式体现出来, 该计算机软件产品存储在可读取的存储介 质中, 如计算机的软盘, 硬盘或光盘等, 包括若干指令用以使得一台设备 (可以是手机 等) 执行本发明各个实施例所述的方法。  Through the description of the above embodiments, those skilled in the art can clearly understand that the present invention can be implemented by means of software plus a necessary general hardware platform, and of course, can also be through hardware, but in many cases, the former is a better implementation. the way. Based on such understanding, the technical solution of the present invention, which is essential or contributes to the prior art, may be embodied in the form of a software product stored in a readable storage medium, such as a floppy disk of a computer. , a hard disk or an optical disk, etc., including instructions for causing a device (which may be a mobile phone or the like) to perform the methods described in various embodiments of the present invention.
以上所述, 仅为本发明的具体实施方式, 但本发明的保护范围并不局限于此, 任 何熟悉本技术领域的技术人员在本发明揭露的技术范围内, 可轻易想到变化或替换, 都 应涵盖在本发明的保护范围之内。 因此, 本发明的保护范围应所述以权利要求的保护范 围为准。 The above description is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. It is to be understood that those skilled in the art are susceptible to variations and substitutions within the scope of the present invention. Therefore, the scope of the invention should be determined by the scope of the claims.

Claims

权利要求 Rights request
1、 一种 FLASH数据保护方法, 其特征在于, 包括: A FLASH data protection method, comprising:
接收应用程序对 FLASH的操作申请, 所述操作申请包括申请的操作内容、 申请的操 作权限以及申请的操作对应的 FLASH目标地址;  Receiving an operation request of the application for the FLASH, where the operation request includes an operation content of the application, an operation authority of the application, and a FLASH target address corresponding to the operation of the application;
读取所述 FLASH目标地址对应的鉴权信息, 并判断所述申请的操作权限是否满足所 述鉴权信息的要求;  Reading the authentication information corresponding to the FLASH target address, and determining whether the operation authority of the application satisfies the requirement of the authentication information;
如果所述申请的操作权限满足所述鉴权信息的要求, 则允许所述应用程序在所述 FLASH目标地址执行所述申请的操作内容。  If the operation authority of the application satisfies the requirement of the authentication information, the application is allowed to execute the operation content of the application at the FLASH target address.
2、 如权利要求 1所述的方法, 其特征在于, 所述判断所述申请的操作权限是否满 足所述鉴权信息的要求包括:  2. The method according to claim 1, wherein the determining whether the operation authority of the application satisfies the authentication information comprises:
当所述鉴权信息是 FLASH目标地址对应的数据区的操作权限时,判断所述申请的操 作权限是否在所述数据区的操作权限范围内; 如果所述申请的操作权限在所述数据区的 操作权限范围内, 则所述申请的操作权限满足所述鉴权信息的要求; 如果所述申请的操 作权限不在所述数据区的操作权限范围内,则所述申请的操作权限不满足所述鉴权信息 的要求; 或者,  When the authentication information is an operation authority of the data area corresponding to the FLASH target address, determining whether the operation authority of the application is within the operation authority of the data area; if the operation authority of the application is in the data area Within the scope of the operation authority, the operation authority of the application satisfies the requirement of the authentication information; if the operation authority of the application is not within the operation authority of the data area, the operation authority of the application does not satisfy the Describe the requirements for authentication information; or,
当所述鉴权信息是 FLASH目标地址对应的数据区的硬件密码时,所述操作权限为操 作密码, 在根据提示输入操作密码后, 判断所述操作密码是否与所述硬件密码一致; 如 果所述操作密码与所述硬件密码一致, 则所述申请的操作权限满足所述鉴权信息的要 求; 如果所述操作密码与所述硬件密码不一致, 则所述申请的操作权限不满足所述鉴权 信息的要求。  When the authentication information is a hardware password of a data area corresponding to the FLASH target address, the operation authority is an operation password, and after inputting the operation password according to the prompt, determining whether the operation password is consistent with the hardware password; If the operation password is consistent with the hardware password, the operation authority of the application satisfies the requirement of the authentication information; if the operation password is inconsistent with the hardware password, the operation authority of the application does not satisfy the The request for rights information.
3、 如权利要求 1所述的方法, 其特征在于, 在所述读取所述 FLASH目标地址对应 的鉴权信息之前, 所述方法还包括:  The method according to claim 1, wherein before the reading the authentication information corresponding to the FLASH target address, the method further includes:
判断所述申请的操作权限是否满足所述应用程序的权限要求; 其中, 所述应用程序 的权限要求为, 所述应用程序预设的操作权限范围;  Determining whether the operation authority of the application meets the permission requirement of the application; wherein, the permission requirement of the application is: the operation permission range preset by the application;
如果申请的操作权限满足所述应用程序的操作权限要求, 则进一步读取所述 FLASH 目标地址对应的鉴权信息; 如果申请的操作权限不满足所述应用程序的操作权限要求, 则返回操作失败的信息。  If the operation permission of the application meets the operation permission requirement of the application, the authentication information corresponding to the FLASH target address is further read; if the operation permission of the application does not satisfy the operation permission requirement of the application, the return operation fails. Information.
4、 如权利要求 1所述的方法, 其特征在于, 所述申请的操作内容包括: 读、 写、 删除或执行。  4. The method according to claim 1, wherein the operation content of the application comprises: reading, writing, deleting or executing.
5、 如权利要求 1至 4中任意一项所述的方法, 其特征在于, 所述鉴权信息存储在 所述 FLASH目标地址所在页对应的备用区内。 The method according to any one of claims 1 to 4, wherein the authentication information is stored in a spare area corresponding to a page where the FLASH target address is located.
6、 如权利要求 5所述的方法, 其特征在于, 所述鉴权信息可以由用户进行设置和 更新。 6. The method of claim 5, wherein the authentication information can be set and updated by a user.
7、 一种 FLASH数据保护装置, 其特征在于, 包括: 7. A FLASH data protection device, comprising:
接收单元, 用于接收应用程序对 FLASH的操作申请, 所述操作申请包括申请的操作 内容、 申请的操作权限以及申请的操作对应的 FLASH目标地址;  a receiving unit, configured to receive an operation request of the application for the FLASH, where the operation request includes an operation content of the application, an operation authority of the application, and a FLASH target address corresponding to the operation of the application;
鉴权单元, 用于读取所述 FLASH目标地址对应的鉴权信息, 并判断所述申请的操作 权限是否满足所述鉴权信息的要求;  An authentication unit, configured to read authentication information corresponding to the FLASH target address, and determine whether the operation authority of the application satisfies the requirement of the authentication information;
执行单元, 用于如果鉴权单元判断所述申请的操作权限满足所述鉴权信息的要求, 则允许所述应用程序在所述 FLASH目标地址执行所述申请的操作内容。  And an execution unit, configured to allow the application to execute the operation content of the application at the FLASH target address if the authentication unit determines that the operation authority of the application satisfies the requirement of the authentication information.
8、 如权利要求 7所述的装置, 其特征在于, 所述鉴权信息是 FLASH目标地址对应 的数据区的操作权限; 所述鉴权单元包括:  The device according to claim 7, wherein the authentication information is an operation authority of a data area corresponding to a FLASH target address; the authentication unit includes:
权限模块, 用于判断所述申请的操作权限是否在所述数据区的操作权限范围内; 如 果所述申请的操作权限在所述数据区的操作权限范围内, 则所述申请的操作权限满足所 述鉴权信息的要求; 如果所述申请的操作权限不在所述数据区的操作权限范围内, 则所 述申请的操作权限不满足所述鉴权信息的要求。  The permission module is configured to determine whether the operation authority of the application is within the operation authority of the data area; if the operation authority of the application is within the operation authority of the data area, the operation authority of the application is satisfied The request for the authentication information; if the operation authority of the application is not within the operation authority of the data area, the operation authority of the application does not satisfy the requirement of the authentication information.
9、 如权利要求 7所述的装置, 其特征在于, 所述鉴权信息是 FLASH目标地址对应 的数据区的硬件密码时, 所述操作权限为操作密码; 所述鉴权单元包括:  The device according to claim 7, wherein, when the authentication information is a hardware password of a data area corresponding to a FLASH target address, the operation authority is an operation password; and the authentication unit comprises:
密码模块, 用于在根据提示输入操作密码后, 判断所述操作密码是否与所述硬件密 码一致; 如果所述操作密码与所述硬件密码一致, 则所述申请的操作权限满足所述鉴权 信息的要求; 如果所述操作密码与所述硬件密码不一致, 则所述申请的操作权限不满足 所述鉴权信息的要求。  a password module, configured to determine, after the operation password is input according to the prompt, whether the operation password is consistent with the hardware password; if the operation password is consistent with the hardware password, the operation authority of the application satisfies the authentication The requirement of the information; if the operation password is inconsistent with the hardware password, the operation authority of the application does not satisfy the requirement of the authentication information.
10、 如权利要求 7所述的装置, 其特征在于, 所述装置还包括:  The device of claim 7, wherein the device further comprises:
程序权限单元, 用于判断所述申请的操作权限是否满足所述应用程序的权限要求; 其中, 所述应用程序的权限要求为, 所述应用程序预设的操作权限范围; 如果申请的操 作权限满足所述应用程序的操作权限要求, 则进一步由鉴权单元执行其操作; 如果申请 的操作权限不满足所述应用程序的操作权限要求, 则返回操作失败的信息。  a program authority unit, configured to determine whether the operation authority of the application meets the permission requirement of the application; wherein, the permission requirement of the application is: the operation permission range preset by the application; If the operation permission requirement of the application is satisfied, the operation is further performed by the authentication unit; if the operation authority of the application does not satisfy the operation permission requirement of the application, the information that the operation fails is returned.
11、 如权利要求 7至 10中任意一项所述的装置, 其特征在于, 该装置还包括: 存储单元,用于将所述鉴权信息存储在所述 FLASH目标地址所在页对应的备用区内。  The device according to any one of claims 7 to 10, further comprising: a storage unit, configured to store the authentication information in a spare area corresponding to a page where the FLASH target address is located Inside.
12、 如权利要求 7至 10中任意一项所述的装置, 其特征在于, 该装置为手机。 12. Apparatus according to any one of claims 7 to 10, characterized in that the apparatus is a mobile phone.
PCT/CN2011/072537 2010-04-08 2011-04-08 Flash data protection method and apparatus thereof WO2011124148A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010141963.5 2010-04-08
CN 201010141963 CN101799858A (en) 2010-04-08 2010-04-08 FLASH data protection method and device

Publications (1)

Publication Number Publication Date
WO2011124148A1 true WO2011124148A1 (en) 2011-10-13

Family

ID=42595531

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/072537 WO2011124148A1 (en) 2010-04-08 2011-04-08 Flash data protection method and apparatus thereof

Country Status (2)

Country Link
CN (1) CN101799858A (en)
WO (1) WO2011124148A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI502400B (en) * 2014-07-30 2015-10-01 Elan Microelectronics Corp Microcontroller unit and protecting method for a data in the microcontroller unit

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101799858A (en) * 2010-04-08 2010-08-11 华为终端有限公司 FLASH data protection method and device
CN105279094A (en) * 2014-06-09 2016-01-27 中兴通讯股份有限公司 NAND Flash operation processing method, NAND Flash operation processing device and logic device
CN106228092A (en) * 2016-07-08 2016-12-14 苏州国芯科技有限公司 A kind of method for security protection of nonvolatile storage

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6453397B1 (en) * 1998-12-14 2002-09-17 Nec Corporation Single chip microcomputer internally including a flash memory
US20040010656A1 (en) * 2002-07-11 2004-01-15 Mong-Ling Chiao Secure flash memory device and method of operation
US20060161750A1 (en) * 2005-01-20 2006-07-20 Matsushita Electric Industrial Co., Ltd. Using hardware to secure areas of long term storage in CE devices
US20080052781A1 (en) * 2004-06-22 2008-02-28 Nds Limited Digital Rights Management System
US20080250509A1 (en) * 2007-04-04 2008-10-09 Nokia Corporation Write Protection For Memory Devices
CN101620652A (en) * 2008-07-01 2010-01-06 联想(北京)有限公司 Main board, computer and method for protecting memory data
CN101799858A (en) * 2010-04-08 2010-08-11 华为终端有限公司 FLASH data protection method and device

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1276363C (en) * 2002-11-13 2006-09-20 深圳市朗科科技有限公司 Method of actualizing safety data storage and algorithm storage in virtue of semiconductor memory device
JP2005050286A (en) * 2003-07-31 2005-02-24 Fujitsu Ltd Network-node machine and information network system
JP5225003B2 (en) * 2008-10-01 2013-07-03 キヤノン株式会社 MEMORY PROTECTION METHOD, INFORMATION PROCESSING DEVICE, MEMORY PROTECTION PROGRAM, AND RECORDING MEDIUM CONTAINING MEMORY PROTECTION PROGRAM

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6453397B1 (en) * 1998-12-14 2002-09-17 Nec Corporation Single chip microcomputer internally including a flash memory
US20040010656A1 (en) * 2002-07-11 2004-01-15 Mong-Ling Chiao Secure flash memory device and method of operation
US20080052781A1 (en) * 2004-06-22 2008-02-28 Nds Limited Digital Rights Management System
US20060161750A1 (en) * 2005-01-20 2006-07-20 Matsushita Electric Industrial Co., Ltd. Using hardware to secure areas of long term storage in CE devices
US20080250509A1 (en) * 2007-04-04 2008-10-09 Nokia Corporation Write Protection For Memory Devices
CN101620652A (en) * 2008-07-01 2010-01-06 联想(北京)有限公司 Main board, computer and method for protecting memory data
CN101799858A (en) * 2010-04-08 2010-08-11 华为终端有限公司 FLASH data protection method and device

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI502400B (en) * 2014-07-30 2015-10-01 Elan Microelectronics Corp Microcontroller unit and protecting method for a data in the microcontroller unit

Also Published As

Publication number Publication date
CN101799858A (en) 2010-08-11

Similar Documents

Publication Publication Date Title
US10324864B2 (en) Storage system and method for performing and authenticating write-protection thereof
US11880313B2 (en) Storage system and method for performing and authenticating write-protection thereof
US8646054B1 (en) Mechanism to manage access to user data area with bridged direct-attached storage devices
US20100058073A1 (en) Storage system, controller, and data protection method thereof
US8782389B2 (en) Storage device and method for updating a shadow master boot record
US20090164709A1 (en) Secure storage devices and methods of managing secure storage devices
CN109739613B (en) Maintenance method and access control method of nested page table and related device
US9071581B2 (en) Secure storage with SCSI storage devices
KR102567097B1 (en) Method for updating Boot ROM of Embedded system and booting of thereof
TWI451248B (en) Data protecting method, memory controller and memory storage apparatus
US20130191636A1 (en) Storage device, host device, and information processing method
CN104951405A (en) Storage system and method for performing and authenticating write-protection thereof
WO2011124148A1 (en) Flash data protection method and apparatus thereof
CN116089327A (en) Data protection method and related equipment
CN115391844A (en) Secure key storage device
US11468159B2 (en) Memory system
JP2000250817A (en) Storage system, storage device and stored data protecting method
CN110069934B (en) Memory storage system, host system verification method and memory storage device
JP2000250818A (en) Storage system, storage device and stored data protecting method
KR20220091955A (en) Memory system discarding method and memory system thereof
EP3961451B1 (en) Storage device
KR20230064538A (en) Memory controller and storage device
CN111045962A (en) SD card data security method, system, equipment and computer medium
JP2013191043A (en) Disk device, file sharing system, file sharing method, and program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11765066

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11765066

Country of ref document: EP

Kind code of ref document: A1