WO2019072158A1 - Security control method and computer system - Google Patents
Security control method and computer system
- Publication number: WO2019072158A1 (PCT application PCT/CN2018/109416)
- Authority: WO (WIPO, PCT)
- Prior art keywords: information, domain, random number, audited, audit
Classifications
- G06F21/54: Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by adding security routines or objects to programs
- G06F21/52: Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
- G06F21/577: Assessing vulnerabilities and evaluating computer system security
- G06F21/121: Protecting executable software; restricting unauthorised execution of programs
- G06F21/44: Authentication; program or device authentication
- G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/74: Protecting specific internal or peripheral components to assure secure computing, operating in dual or compartmented mode, i.e. at least one secure mode
- G06F7/58: Random or pseudo-random number generators
- G06F7/582: Pseudo-random number generators
- G06F7/588: Random number generators based on natural stochastic processes
- G06N20/00: Machine learning
- G06F16/245: Information retrieval; query processing
- G06F2221/033: Indexing scheme relating to G06F21/50; test or assess software
- G06F2221/2101: Indexing scheme relating to G06F21/00; auditing as a secondary aspect
- G06Q50/265: Government or public services; personal security, identity or safety
Definitions
- The present application relates to security control technology for computer systems, and more particularly to a method, device and system that implement system security by auditing control flow and related information.
- System-level security is achieved by dividing the hardware and software resources of a system on chip (SoC) into two worlds, the normal world and the secure world.
- The two worlds correspond to the rich execution environment (REE) and the trusted execution environment (TEE).
- The TEE and the REE run on the same device.
- The TEE ensures the storage, processing and protection of sensitive data in a trusted environment and provides a secure execution environment for authorized trusted applications (TAs).
- The client application (CA), also called the normal application, runs in the REE.
- The CA accesses a TA by calling the TEE client application programming interface (API) located in the REE, and in that way uses the services the TEE and the TA provide.
- An authentication procedure for the CA is set up on the REE side; the authentication program extracts the identity information of the CA so that the identity of the CA can subsequently be verified.
- The REE side extracts the identity information of the CA by executing the authentication procedure, then submits it to the TEE side through a secure monitor call (SMC), and the CA is allowed to access the TEE side after the verification passes.
- The operating system (OS) on which the CA runs may be compromised, causing the authentication procedure to be bypassed, that is, not executed at all.
- The present application provides a computer system, a terminal device, and a security control method and the like applied to them, for improving the security of a terminal device or other type of computer system.
- Domain: a logical organizational unit of a computer system, specifically a logical organizational unit within a computer device. Each domain has its own security policy, and there are security boundaries between different domains.
- The domains of a computer system may be divided by software, for example the user mode and kernel mode of the system, or a host layer and a guest layer formed using virtualization technology; or they may be divided by hardware, for example a TrustZone-based secure domain and non-secure domain.
- Tracker (also called tracer in this application): records the transfer instructions (such as jump instructions) and data transfer instructions (such as load and store instructions) issued on the CPU. These records serve as control flow information from which the control flow can be reconstructed, and as a source of dynamic data.
- The tracker can exist as a standalone device, or it can be partially or fully embedded in the CPU or other hardware.
- Control flow (also called execution flow): the execution process of a program.
- The control flow can be expressed directly or indirectly as a sequence of instruction addresses or a sequence of events.
- For example, the value of y stored in memory flows to a register of the CPU and then flows to the memory location of x.
- The control flow of that code executes the instruction at 0x1234 first and then the instruction at 0x1238, and the value of y belongs to the dynamic data produced while the code executes.
- Control flow information: information from which the control flow can be reconstructed.
- In one description it denotes one of the several pieces of control flow information that together form the control flow of a program; in another, all the information forming the control flow of a program; in other descriptions it may also refer to the control flow itself. See the context of each description.
- Data flow: the data read and write process of a program, including the data involved in that process.
- Data flow information: information from which the data flow can be reconstructed, including dynamic data.
- In one description it denotes one of the several pieces of dynamic data that form the data flow of a program; in another, all the dynamic data forming the data flow of a program; in other descriptions it may also refer to the data flow itself. See the context of each description.
- Automaton: a computer-implemented mathematical model. An automaton can transition from one state to another in response to an external input, such as an event.
- An automaton instance is a runtime automaton.
- Rules or models are used to audit information such as control flows, and the automaton is one implementation form of "rules or models".
- Executing an action in the first domain or the second domain may be understood to mean that the subject performing the action is deployed in the first domain or the second domain, or that the subject performs the action while in the state represented by the first domain or the second domain. The subject performing the action may be a hardware module or a software module; or, because a "domain" is a logical organizational unit, in some cases the execution subject of the action may be the first domain or the second domain itself.
- "Multiple" or "multiple times" in the present application means "two or more" or "two or more times" unless otherwise specified.
- The terms "first" and "second" in this application do not imply an order; they only distinguish two subjects in some description contexts for convenience of understanding, and the subjects so indicated need not be different subjects in all embodiments.
- "A/B" and "A and/or B" in the present application include A, B, and A together with B. A term marked in this application as a trademark is a trademark name, but terms without such a mark may also be trademark names.
- The application provides a computer system, which may be a terminal device, on which a first domain and a second domain are deployed; a program is deployed in the first domain, and a control flow management module and an audit module are deployed in the second domain.
- A tracker is further disposed on the terminal device and, together with the control flow management module and the audit module, implements integrity auditing of the control flow of the program.
- The control flow management module is configured to acquire, through the hardware tracker, information to be audited when the program located in the first domain is executed, where the information to be audited includes control flow information of the program.
- The audit module is configured to audit the information to be audited according to an audit rule, and to determine that the audit passes when the information to be audited matches the audit rule.
- The security level of the domain responsible for auditing is typically higher than, or equal to, that of the domain in which the audited program runs.
- The first domain and the second domain may be partitioned by software and/or hardware.
- For example, the first domain and the second domain are respectively a TrustZone-based non-secure world and secure world (which can also be understood as the REE and the TEE).
- The tracker is a hardware tracing facility such as Arm CoreSight or Intel Processor Trace (IPT).
- A hardware tracker is used to obtain the control flow information of a key program (referred to as the program to be protected in the specific embodiments below), and an integrity audit is performed on that control flow in another domain according to a preset audit rule. The next operation is allowed only when the control flow matches the audit rule, for example allowing the program, or other programs related to it, to access functions of the domain in which the audit module resides. This defends against attacks in which the critical program is bypassed by the system or executed illegally, which would otherwise leave the system vulnerable, and so improves the security of the terminal device.
- Control flow integrity auditing may also be called control flow integrity verification; it is referred to as control flow auditing in this application.
- The program can be stored in a read-only memory area of the memory deployed in the first domain, so that it cannot be modified, which further ensures security.
- The information to be audited may further include data flow information of the program. While control flow auditing is performed, the data flow information of the program is audited as well, which ensures the security not only of the code execution process but also of the data handled by the code, further improving the security of the terminal device.
- The terminal device further includes a tracer audit module deployed in the second domain.
- The tracer audit module is configured to audit the tracker before the audit module performs its audit; specifically, it checks whether the registers of the tracker have been modified. If they have been modified, the audit fails, and otherwise it passes; after it passes, the audit module is triggered to perform its audit. Auditing the tracker before the tracker is relied on for a security audit ensures that the tracker has not been tampered with, and so ensures the reliability of the audit process.
- The terminal device further includes a process identifier acquisition module deployed in the first domain.
- The process identifier acquisition module is configured to acquire a process identifier (for example a PID or a process name) of the process executing the program before the tracker collects the control flow information, and to store the process identifier in a first register of the tracker.
- The control flow management module is specifically configured to acquire the information to be audited through the tracker, where the information to be audited further includes the process identifier, which the tracker reads from the first register.
- The audit module is specifically configured to look up, by the process identifier, an audit rule that matches the process identifier, and to audit the control flow information according to the audit rule found.
- Before the collection of each piece of control flow information is triggered, the process identifier of the current process is obtained; the collection of control flow information for the program executed by the current process is then triggered, and the control flow information is associated with the process identifier. Each piece of control flow information thus carries a process identifier that identifies its own source, so that the audit module can distinguish control flow information from different programs by the process identifier and select the matching audit rule for each, which allows multiple programs to be audited in parallel.
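The tracer check, the automaton form of an audit rule, and the per-process rule selection described above, as an added example that is not code from the patent or from any product. It assumes a simplified tracker model: one record per taken transfer instruction, each record tagged with the process identifier that the first domain wrote into the tracker's first register; the register names, the expected register snapshot, the authentication routine's addresses and the two sample traces are all constructed for illustration.

```python
"""Control flow audit over tracker records, keyed by process identifier.

Added example, not code from the patent. Assumed tracker model: one record per
taken transfer instruction, tagged with the pid read from the tracker's first
register. Register layout, addresses and traces are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class TraceRecord:
    pid: int   # value the tracker read from its first register
    src: int   # address of the transfer instruction
    dst: int   # address it transferred to


@dataclass(frozen=True)
class AuditRule:
    """Audit rule as an automaton. A state is the entry address of the basic
    block currently executing; the allowed inputs in that state are the
    (src, dst) transfer edges that may leave the block."""
    entry: int
    edges: Dict[int, FrozenSet[Tuple[int, int]]]
    exits: FrozenSet[int]


class Automaton:
    """Runtime automaton instance; one per audited process."""

    def __init__(self, rule: AuditRule) -> None:
        self.rule = rule
        self.state = rule.entry
        self.failed = False

    def feed(self, rec: TraceRecord) -> bool:
        if self.failed:
            return False
        if (rec.src, rec.dst) not in self.rule.edges.get(self.state, frozenset()):
            self.failed = True          # transfer not permitted from this block
            return False
        self.state = rec.dst
        return True

    def accepted(self) -> bool:
        return not self.failed and self.state in self.rule.exits


# Expected tracker configuration (constructed). The tracer audit module compares
# the live registers against it before trusting any record.
EXPECTED_TRACER_REGS: Dict[str, int] = {"ctrl": 0x1, "range_lo": 0x1000, "range_hi": 0x1040}


def tracer_intact(live_regs: Dict[str, int]) -> bool:
    return live_regs == EXPECTED_TRACER_REGS


def audit(records: List[TraceRecord], rules: Dict[int, AuditRule],
          live_regs: Dict[str, int]) -> Dict[int, bool]:
    """Return pid -> verdict. Everything fails if the tracker registers were
    modified; a pid with no matching audit rule cannot be audited and fails."""
    if not tracer_intact(live_regs):
        return {rec.pid: False for rec in records}
    instances: Dict[int, Optional[Automaton]] = {}
    for rec in records:                       # records of several pids may interleave
        if rec.pid not in instances:
            rule = rules.get(rec.pid)         # select the rule by process identifier
            instances[rec.pid] = Automaton(rule) if rule else None
        inst = instances[rec.pid]
        if inst is not None:
            inst.feed(rec)
    return {pid: inst is not None and inst.accepted() for pid, inst in instances.items()}


# Constructed authentication routine: entry block 0x1000, check block 0x1010,
# success block 0x1020, exit 0x1030 (or reject exit 0x1038). The only legal
# way to reach 0x1030 is through the check.
AUTH_RULE = AuditRule(
    entry=0x1000,
    edges={
        0x1000: frozenset({(0x1008, 0x1010)}),
        0x1010: frozenset({(0x1018, 0x1020), (0x1018, 0x1038)}),
        0x1020: frozenset({(0x1028, 0x1030)}),
    },
    exits=frozenset({0x1030, 0x1038}),
)

GOOD_TRACE = [TraceRecord(1234, 0x1008, 0x1010), TraceRecord(1234, 0x1018, 0x1020),
              TraceRecord(1234, 0x1028, 0x1030)]
# A bypass: the entry block jumps straight to the exit block, skipping the check.
BYPASS_TRACE = [TraceRecord(5678, 0x1008, 0x1030)]


def demo() -> Dict[int, bool]:
    rules = {1234: AUTH_RULE, 5678: AUTH_RULE}
    return audit(GOOD_TRACE + BYPASS_TRACE, rules, dict(EXPECTED_TRACER_REGS))


if __name__ == "__main__":
    print(demo())  # {1234: True, 5678: False}
```

A trace that ends before an exit block is rejected as well, since the automaton only accepts in an exit state; that is what catches a program that was interrupted part way through the protected routine.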
- The terminal device further includes a first random number generator and a self-acquisition module deployed in the first domain, and the second domain holds a copy of the TEXT segment of the program.
- The TEXT segment can be placed into the second domain by hard coding.
- The self-acquisition module is configured to call the first random number generator to generate a random number RX before the program is executed, store the random number RX in a second register of the tracker, and compute a hash value H1 over the random number RX and the TEXT segment of the process executing the program.
- The control flow management module is specifically configured to acquire the information to be audited through the tracker, where the information to be audited further includes the random number RX, which the tracker obtains by accessing the second register.
- The audit module is specifically configured to acquire the hash value H1, compute a hash value H2 from the random number RX and the TEXT segment held in the second domain, and compare H1 with H2. When H1 and H2 are the same and the other information to be audited matches the audit rule, the audit is determined to pass.
- The TEXT segment can also be scrambled in forms other than a random number.
- Alternatively, no random number RX is generated and no hash value H1 is computed; only the TEXT segment is transmitted and then compared with the TEXT segment held in the second domain.
- The "TEXT segment" refers to a section of a storage area.
- The code and constants of a program are contained in the program's TEXT section.
- The "TEXT segment" in this sense means the content, or all or part of the content, contained in the TEXT segment, or that content in compressed form.
- "TEXT" is the usual name in some systems; in other systems the storage area containing program code and constants may be called by another name.
- In this application the "TEXT" segment means the storage area with this meaning in all types of systems.
- Since the TEXT section contains the code and constants of the program, the content of the TEXT section is first placed in the second domain, the TEXT section is then acquired again while the program runs and transmitted to the second domain, and the two copies are compared; the audit is confirmed only if they match, which further ensures the security of the program. Scrambling with a random number during transmission of the TEXT segment improves the security of that transmission and so ensures the reliability of the audit.
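The two TEXT-segment checks above (hash over RX and TEXT, and the plain comparison without RX), as an added example that is not code from the patent. It assumes SHA-256 as the hash, a 16-byte RX, and a dict standing in for the tracker's second register; the TEXT bytes are constructed. The rejection of a previously seen RX is an added check, not something the patent describes, included because a fresh RX per measurement is what makes a replayed (RX, H1) pair detectable.

```python
"""TEXT-segment audit scrambled with a random number RX.

Added example, not code from the patent. Assumptions: SHA-256, 16-byte RX,
a dict as the tracker's second register; REFERENCE_TEXT is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Set

# Copy of the program's TEXT segment hard-coded into the second domain (constructed).
REFERENCE_TEXT = bytes.fromhex("d10043ff f9000fe0 f94007e0 910043ff d65f03c0")


def first_domain_measure(live_text: bytes, tracker_regs: Dict[str, bytes]) -> bytes:
    """Self-acquisition module: draw RX, store it in the tracker's second
    register, return H1 = SHA-256(RX || TEXT) over the code actually running."""
    rx = secrets.token_bytes(16)
    tracker_regs["reg2"] = rx
    return hashlib.sha256(rx + live_text).digest()


class SecondDomainAuditor:
    def __init__(self, reference_text: bytes) -> None:
        self.reference_text = reference_text
        self.seen_rx: Set[bytes] = set()   # added check: each RX may be used once

    def audit(self, h1: bytes, tracker_regs: Dict[str, bytes]) -> bool:
        """Recompute H2 from the RX the tracker reports and the stored TEXT copy."""
        rx = tracker_regs.get("reg2")
        if rx is None or rx in self.seen_rx:
            return False
        self.seen_rx.add(rx)
        h2 = hashlib.sha256(rx + self.reference_text).digest()
        return hmac.compare_digest(h1, h2)

    def audit_plain(self, transmitted_text: bytes) -> bool:
        """Variant without RX: the TEXT content itself is transmitted and compared."""
        return hmac.compare_digest(transmitted_text, self.reference_text)


def scenarios() -> Dict[str, bool]:
    """Run the checks against intact, patched, replayed and tampered inputs."""
    auditor = SecondDomainAuditor(REFERENCE_TEXT)
    results: Dict[str, bool] = {}

    regs: Dict[str, bytes] = {}
    h1 = first_domain_measure(REFERENCE_TEXT, regs)
    results["intact"] = auditor.audit(h1, regs)
    results["replayed_pair"] = auditor.audit(h1, regs)          # same RX and H1 again

    patched = bytearray(REFERENCE_TEXT)
    patched[0] ^= 0x01                                           # one byte of code changed
    regs_p: Dict[str, bytes] = {}
    results["patched_text"] = auditor.audit(first_domain_measure(bytes(patched), regs_p), regs_p)

    regs_t: Dict[str, bytes] = {}
    h1_t = first_domain_measure(REFERENCE_TEXT, regs_t)
    regs_t["reg2"] = secrets.token_bytes(16)                     # register overwritten after H1
    results["rx_tampered"] = auditor.audit(h1_t, regs_t)

    results["plain_intact"] = auditor.audit_plain(REFERENCE_TEXT)
    results["plain_patched"] = auditor.audit_plain(bytes(patched))
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'pass' if ok else 'fail'}")
```

The comparison uses a constant-time compare so that the audit module's verdict timing does not leak how many bytes of H1 were correct.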
- The terminal device further includes a first random number generator deployed in the first domain and a second random number generator deployed in the second domain.
- The first random number generator here may be the random number generator of the foregoing implementation, or another random number generator.
- The information to be audited obtained by the control flow management module further includes a random number.
- The first random number generator is invoked while the program executes to generate the random number, and the random number is written into a third register of the tracker; when the tracker collects control flow information it accesses the third register to obtain the random number currently stored there, which is then used together with the current control flow information as one piece of information to be audited.
- The audit module is specifically configured to acquire the last random number RY generated by the first random number generator during execution of the program, and to acquire the number n, held in the second domain, of random numbers that should have been generated;
- it then triggers the second random number generator to generate n random numbers and compares the nth random number Rn with RY; when Rn is the same as RY and the other information to be audited matches the audit rule, the audit is determined to pass.
- The first random number generator (in the first domain) generates several random numbers while the program executes; each random number is written to the register of the tracker after generation, and when the tracker collects control flow information it reads the random number from the register and passes it, together with the control flow information, to the second domain.
- The audit module of the second domain may determine, in any of several ways, the random number RX generated by the first random number generator from the random numbers passed to it, and then acquire the generation count n corresponding to the random number RX; this n is preset in the second domain according to the normal execution of the program. The audit module then calls the second random number generator to generate n random numbers and selects the nth one. If the random numbers obtained by the two methods are the same, the execution of the program in the first domain has not been interfered with.
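The random-number chain described above, as an added example that is not code from the patent. The patent does not say how the second random number generator reproduces the first one's output, so this example assumes both are deterministic generators keyed by a secret seed provisioned to both domains, with a per-run seed derived from a run identifier known to both sides (HMAC-SHA256 over a counter stands in for the generator); the seed, the run identifiers, the preset count n = 4 and the simulated program runs are constructed.

```python
"""Random-number chain audit between the first and second domains.

Added example, not code from the patent. Assumption: both generators are
deterministic and keyed by SHARED_SEED plus a run identifier known to both
domains; HMAC-SHA256 over a counter is the generator. All values constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

SHARED_SEED = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
EXPECTED_N = 4   # preset in the second domain from a normal run of the program


def run_seed(shared_seed: bytes, run_id: int) -> bytes:
    """Per-run seed, so a random number captured in one run is useless in another."""
    return hmac.new(shared_seed, b"run" + run_id.to_bytes(8, "big"), hashlib.sha256).digest()


def gen(seed: bytes, i: int) -> bytes:
    """i-th output (1-based) of the generator for a given seed."""
    return hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class FirstDomainGenerator:
    """Generator in the first domain; the program calls next() at each checkpoint."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.count = 0

    def next(self) -> bytes:
        self.count += 1
        return gen(self.seed, self.count)


def run_program(seed: bytes, checkpoints_hit: int) -> List[Tuple[int, bytes]]:
    """Simulated first-domain run. At each checkpoint the program draws a random
    number into the tracker's third register; the tracker records it with the
    control flow information (the checkpoint number stands in for that here)."""
    g = FirstDomainGenerator(seed)
    records: List[Tuple[int, bytes]] = []
    for cp in range(1, checkpoints_hit + 1):
        reg3 = g.next()
        records.append((cp, reg3))
    return records


class SecondDomainGenerator:
    def __init__(self, seed: bytes) -> None:
        self.seed = seed

    def generate(self, n: int) -> List[bytes]:
        return [gen(self.seed, i) for i in range(1, n + 1)]


def second_domain_audit(seed: bytes, records: List[Tuple[int, bytes]],
                        n: int = EXPECTED_N) -> bool:
    """Take the last random number RY passed with the control flow, regenerate
    n numbers in the second domain and compare the nth, Rn, with RY."""
    if not records:
        return False
    ry = records[-1][1]
    rn = SecondDomainGenerator(seed).generate(n)[n - 1]
    return hmac.compare_digest(rn, ry)


def scenarios() -> Dict[str, bool]:
    seed_a = run_seed(SHARED_SEED, 1)
    seed_b = run_seed(SHARED_SEED, 2)
    normal = run_program(seed_a, 4)
    return {
        "normal": second_domain_audit(seed_a, normal),
        "skipped_checkpoint": second_domain_audit(seed_a, run_program(seed_a, 3)),
        "extra_iteration": second_domain_audit(seed_a, run_program(seed_a, 5)),
        "replayed_run": second_domain_audit(seed_b, normal),   # RY from an earlier run
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'pass' if ok else 'fail'}")
```

A checkpoint that was skipped or executed once too often shifts the count, so the last value RY no longer equals the nth value Rn that the second domain derives; the per-run seed is what stops a value recorded in an earlier run from satisfying the check.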
- The "audit rule" in this application can be understood differently in different implementations.
- When only control flow information is included in the information to be audited, the audit rule can be understood as a rule that audits only the control flow; when the information to be audited also contains other information, the audit rule can be understood as a rule that also matches the process identifier and/or rules that check random numbers, the TEXT segment, and the like.
- An "audit rule" can also be understood to contain only the control flow audit rule, with the matching or auditing of the other information belonging to another model or rule.
- The "audit rule" can be implemented in a variety of ways, such as an automaton, an audit model, a table, a list, a judgment statement, and so on.
- Complex audit rules can be implemented using machine learning.
- The program can be run in simulation on the terminal device or on a server, and its execution features (or a model) learned from those runs; whether an actual execution is legal is then determined by matching information such as the actual execution flow of the program against the learned execution features.
- All or part of the components of the tracker are placed in the second domain by hardware partitioning or software rights management, the second domain being more secure than the first domain. In this way the security of the tracker itself is ensured. In this implementation the audit of the tracker is not necessary, although it can still be performed, so that a dual mechanism protects the tracker.
- A trigger instruction is inserted at multiple locations of the program to trigger the tracker to collect control flow information for that particular location; in other implementations the tracker does not require a trigger instruction and instead collects all control flow information of the program.
- The present application also provides an audit method, applied to a computer system in which a first domain and a second domain are deployed.
- The information to be audited is acquired through the tracker in the second domain, and includes control flow information of the program.
- The information to be audited is audited in the second domain according to the audit rule, and the audit is determined to pass when the information to be audited matches the audit rule.
- The tracker may be deployed in whole or in part in the second domain.
- Passing the audit allows the next operation to be performed; for example, the program, or the next program associated with it, is allowed to access a certain secure program of the second domain.
- The tracker is turned on when the program starts executing, and the information to be audited that the tracker collects is then acquired synchronously or asynchronously in the second domain; in other implementations, the tracker is turned on when a certain key piece of code is reached during execution of the program, or the tracker can be turned on after the system starts.
- The information to be audited further includes data flow information of the program.
- The tracker is audited in the second domain before the control flow information is audited, and the control flow information is audited only after that audit passes.
- Before the information to be audited is obtained through the tracker, the process identifier of the process executing the program is acquired and stored in a first register of the tracker; the information to be audited collected by the tracker then includes the control flow information and the process identifier that was in the first register when the control flow information was collected.
- The process identifier is the identifier of the current process, read from the first register when the tracker acquires the control flow information.
- The audit rule matching the process identifier is looked up by the process identifier, and the control flow information is audited according to the audit rule found.
- The computer system further includes a first random number generator deployed in the first domain, and the second domain holds the TEXT segment of the program. The first random number generator is called in the first domain to generate a random number RX, the random number RX is stored in a second register of the tracker, and a hash value H1 is computed over the random number RX and the TEXT segment of the process executing the program. The information to be audited collected by the tracker then includes the control flow information and the random number RX, which the tracker obtains by accessing the second register.
- The computer system further includes a first random number generator deployed in the first domain and a second random number generator deployed in the second domain.
- The first random number generator is called in the first domain to generate a random number, and the random number is written to a third register of the tracker.
- The information to be audited is obtained through the tracker and includes the control flow information and the random number that was in the third register when the control flow information was collected. In the second domain, the last random number RY generated by the first random number generator is acquired, the second random number generator is triggered to generate n random numbers, and the nth random number Rn is compared with RY; when Rn equals RY and the other information to be audited matches the audit rule, the audit is determined to pass.
- the present application further provides a computer readable storage medium comprising computer readable instructions for implementing any one of the foregoing methods when the computer readable instructions are executed by one or more processors.
- the present application further provides a computer program product comprising computer readable instructions for implementing any one of the foregoing methods when the computer readable instructions are executed by one or more processors.
- the present application further provides a computer system, the hardware layer of which includes a tracker, a processor, and a memory.
- the computer system can be logically divided into a first domain and a second domain.
- the processor is configured to read computer readable instructions in the memory and execute the computer readable instructions to effect initiation of the tracker and to execute a program located in the first domain.
- the hardware tracker is configured to collect information to be audited related to the program when the program is executed. Further, the security of the second domain may be higher than (or equal to) the first domain.
- the action of the tracker collecting the information to be audited is, in some implementations, triggered by the processor when the program is executed, for example by a trigger instruction inserted in the program; in other implementations it is triggered by the processor in other situations, or it may be executed autonomously after the tracker is started.
- FIG. 1 is a schematic structural diagram of a computer system according to an embodiment of the present disclosure
- FIG. 2 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure
- FIG. 3 is a schematic flow chart of a security control method based on FIG. 2;
- FIG. 4 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
- FIG. 5 is a schematic flow chart of a security control method based on FIG. 4;
- FIG. 6 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
- FIG. 7 is a schematic flow chart of an audit method based on FIG. 6;
- FIG. 8 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
- FIG. 9 is a schematic diagram of collecting information based on the tracker of FIG. 8.
- FIG. 10 is a schematic flow chart of an audit method based on FIG. 8 and FIG. 9;
- FIG. 11 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
- FIG. 12 is a schematic diagram of collecting information based on the tracker of FIG. 11;
- FIG. 13 is a schematic flow chart of an audit method based on FIG. 11 and FIG. 12;
- FIG. 14 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
- FIG. 15 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
- FIG. 16 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
- FIG. 17 is a schematic flow chart of an audit method based on FIG. 16;
- FIG. 18 is a schematic diagram of a server and a network thereof according to an embodiment.
- FIG. 19 is a schematic diagram of a server and a network thereof according to an embodiment.
- FIG. 20 is a schematic diagram of a logical structure of a terminal device according to an embodiment of the present disclosure.
- FIG. 1 is a schematic structural diagram of a computer system according to an embodiment of the present disclosure.
- the computer system includes a hardware layer including a processor 150, a memory 160, and a tracker 170.
- the computer system may specifically be a terminal device, and a fixed terminal or a mobile terminal may be used.
- the fixed terminal is, for example, a personal computer, a point of sale (POS), or an automatic teller machine;
- the mobile terminal is, for example, a smart phone, a laptop computer, a digital broadcast terminal, a personal digital assistant, a portable multimedia player, or a mobile computer such as a car navigation system. It should be understood that the method provided by any embodiment of the present application may be applied to other types of computer systems, such as servers, in addition to terminal devices.
- Processor 150 can be a single core or multi-core processor. Multiple types of processors can also be included in the computer system.
- the memory 160 may include one or more of the following types: flash memory, hard disk type memory, micro multimedia card type memory, card memory (such as SD or XD memory), random access memory (RAM), static random access memory (SRAM), read only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk or optical disk.
- the memory 160 may also include a network storage device on the Internet that may perform operations such as updating or reading on the memory 160 on the Internet.
- the computer system is divided into two domains: a first domain and a second domain, which are run by the same processor but run in different states of the processor.
- the two domains respectively have first and second operating systems, and the first and second operating systems respectively run a plurality of first applications and a plurality of second applications.
- the first operating system and the second operating system may be the same or different, or may be two different states of the same operating system, such as a user state and a kernel state, that is, the first domain and the second domain are respectively the two states of the same operating system.
- the program 110 to be protected is set in the first operating system, and the program to be protected collects control flow information and the like related to the running of the program through the tracker 170 during operation, and then the Tracer management module 130 can obtain the information.
- the program 110 to be protected may be part of the first application.
- the "program to be protected” is any program that needs to be protected.
- the program must be executed according to the original execution flow and cannot be tampered with or bypassed.
- the program to be protected may be located anywhere in the system, may be located on the REE side of the embodiment described below, or may be located on the TEE side.
- the program to be protected may be, for example, a kernel module (a module with the suffix .ko), the CA authentication module, and so on.
- the acquisition of information such as feature information may be accomplished by inserting one or more triggering instructions for triggering the acquisition of information at one or more locations of the function code to generate the program 110 to be protected.
- the trigger instruction causes the tracker 170 to collect relevant information of the program 110 to be protected.
- This information (hereinafter referred to as information to be audited) may include one or more of the following: control flow information related to code execution, used for control flow auditing; dynamic data in the code execution process, used for data auditing; a random number for securing information transmission; and a process identifier (PID) for identifying a program to be protected in a parallel audit.
- Non-read-only data that is manipulated during code execution is dynamic data
- read-only data is static data.
- the value of y belongs to the dynamic data.
- the TEXT section contains code and data, which are usually static data.
- Dynamic data can be obtained by the tracker tracking load instruction and store instruction.
- the load instruction reads the value of y from the memory of y into a register, and the store instruction writes the value in the register to the memory of x.
- the read and write of the memory data generally has to pass the load instruction and the store instruction, so tracking the two instructions can obtain dynamic data.
- the generation of the program 110 to be protected may be on another computer system other than the computer system.
- the content of the trigger command and the specific insertion position can be determined by the developer, or can be automatically generated by the computer by inputting a specific rule into the computer.
- the trigger instruction can be manually inserted into the program to be protected by the developer during development, or it can be automatically inserted by the computer.
- in addition to acquiring (or managing) the information collected by the tracker 170, the Tracer management module 130 can manage the tracker 170 itself, for example opening and initializing the tracker 170 during the startup phase of the computer system, and in some cases auditing such operations of the Tracer. In addition, program entry and startup operations may differ for different types of programs.
- the audit triggering module 120 is configured to send trigger information to the auditing module 140 set in the second operating system to trigger the auditing module 140 to start performing the auditing operation of the program 110. Specifically, the audit trigger module 120 compares the audit rule 11 with the control flow acquired by the Tracer management module 130, and if the control flow complies with the audit rule 11, continues the subsequent functional operations. If the control flow does not comply with the audit rules, then there is a problem with the execution of the program 110, terminating the current operation and/or returning an error message to the first operating system. The audit trigger module 120 may also be part of the program 110 to be protected.
- the audit rule 11 is stored in the memory 160. There may be many types of audit rules 11. An automaton is a specific implementation of audit rules.
- a control flow audit of the execution of the code to be protected in one domain can be performed in another domain to ensure the normal execution of the code, which effectively avoids the code being bypassed after that domain has been privilege-escalated.
- privilege escalation of a domain means that a higher or the highest privilege of the domain is obtained.
- the auditing module 140 may process the information together to further enhance the applicability or security of the application.
- the following uses the TrustZone technology framework together with the operating system to introduce, by way of example, the control flow auditing method provided by the present application and embodiments of various other methods.
- FIG. 2 is a schematic structural diagram of a device of a terminal device according to the embodiment.
- the terminal device includes a hardware layer including a processor 250, a memory 260, and a CoreSight 270.
- CoreSight 270 is a typical hardware tracker.
- the CoreSight 270 is in an open state during the entire period or part of the operation of the terminal device 200.
- the memory 260 includes a read only memory area 260-1 and other memory areas 260-2 that are set to be read only.
- the memory 260 may also include other types of storage media; reference may be made to the foregoing embodiment, and details are not repeated here.
- the terminal device 200 includes two domains: a rich execution environment (REE) and a trusted execution environment (TEE). The two domains respectively run a REE side operating system and a TEE side operating system (such as the open source OP-TEE operating system). Both the REE operating system and the TEE OS are further divided into user state and kernel state.
- REE rich execution environment
- TEE trusted execution environment
- the client application (CA) is set in the user mode on the REE side. Before accessing the trusted application (TA) on the TEE side, the CA needs to invoke a kernel-based authentication program 210.
- This code is the program 110 to be protected in the foregoing embodiment. In other embodiments, the code can also be understood as part of the code of the CA, so the CA is also an object that can be protected and monitored by the present application.
- the authentication procedure 210 is part of the REE and TEE pre-communication handshake procedure. This handshake procedure is divided into two parts: 1. REE proposes a handshake; 2. TEE handles the handshake request and decides whether the handshake is successful. The authentication procedure 210 implements the first part, ie, the REE proposes a handshake.
- the functions of the authentication program 210 mainly include: 1. collecting CA identity information; 2. constructing a handshake request; 3. verifying the identity information and the handshake request and generating a checksum; 4. packaging the CA identity information, the handshake request and the checksum and sending them to the TEE. In the existing architecture, the TEE rejects requests that have not been sent through the handshake process.
- the handshake is made up of a series of function codes and the data they need to process.
- Security attack behavior can find vulnerabilities in the execution order of functions, corresponding data, or function execution order and data combination, thereby destroying the integrity of the execution of this code and causing subsequent security vulnerabilities.
- a fake CA can bypass the process of collecting identity information, send fake identity information that is not its own, and impersonate the identity of a legitimate CA.
- the authentication procedure 210 in this embodiment is no longer the prior art authentication procedure: multiple CoreSight trigger instructions are inserted at multiple locations of the authentication procedure 210.
- The trigger instructions are used to trigger the CoreSight 270 to collect information about code execution.
- the CoreSight trigger instruction can be a program whose functions are: 1. Configure the data transfer register of the CoreSight 270; 2. Enable the CoreSight 270 to start collecting the information to be audited.
- the plurality of locations of the authentication procedure 210 can be understood as "collection points" that trigger the collection of information.
- the SMC calling module 220 is also configured in the kernel state of the REE.
- the module is mainly used to send a trigger message for triggering the audit to the auditing module 240.
- the SMC calling module 220 is implemented as part of the authentication program 210, that is, the authentication program 210 itself sends a trigger message triggering the audit.
- the SMC calling module 220 and the program to be protected may also be independent.
- FIG. 3 shows a process of controlling flow integrity auditing (hereinafter referred to as control flow auditing).
- the user inputs his or her fingerprint when booting or performing a certain payment operation, activates a certain CA, and the CA calls the authentication program 210, and then the authentication program 210 starts execution (S110).
- the CoreSight 270 performs the information collecting operation (S120) each time one of the trigger instructions is executed, and the collected information is stored, directly or after conversion, as the control flow information of the authentication program 210.
- the SMC call module 220 sends a trigger message to the audit module 240 through the SMC command (S130).
- the trigger message includes content such as CA identity information.
- the location of the SMC call module 220 can be understood as an "audit point" that triggers an audit.
- SMC calling module 220 sends a trigger message to the auditing module 240, it involves switching from REE to TEE.
- the SMC (secure monitor call) instruction needs to be invoked: the processor switches from the REE to the intermediate monitor mode (Monitor Mode) of the TrustZone, and the monitor mode then switches to the TEE.
- SMC is the basic technology of the TrustZone technology framework, and more implementations are not described here.
- the audit module 240 acquires the control flow information of the authentication program 210 from the memory 260, or invokes the control flow management module 230 to acquire the control flow information (S140 and S150).
- the control flow management module 230 acquires control flow information from the CoreSight 270 (S140) and returns it to the audit module 240 (S150). More specifically, the CoreSight 270 first stores the control flow information in a storage medium inside the CoreSight 270; the control flow management module 230 reads the control flow information from that storage medium and either stores it directly in the memory 260, or applies specific processing to it and then stores it in the memory 260 or returns it directly to the audit module 240. In some other embodiments, the control flow management module 230 and the audit module 240 can also be combined into one module.
- the audit module 240 also obtains an automaton for auditing the control flow in accordance with the audit rules 21. Specifically, the auditing module 240 generates an automaton instance according to the auditing rule 21 (S160). The auditing module 240 implements auditing of the control flow by inputting control flow information or converted information into the automaton instance (S170). After the audit succeeds, the result is returned to the REE side.
- the REE continues to send the fingerprint information input by the user to the TEE, and the TA on the TEE side then verifies the fingerprint information. For example, the TEE side invokes an authentication TA to verify whether the fingerprint information matches an entry in the preset legal identity database. If there is a match, a fingerprint verification success message is returned to the REE side. If the audit is unsuccessful, the TEE terminates the current handshake and returns a handshake unsuccessful message to the REE, or returns information indicating the security issue.
- An automaton can be understood as a function implemented by software code.
- the function's properties contain a two-dimensional array. Each element in the array represents a state transition of the automaton: for example, if the value in the x-th row and y-th column is v, the automaton code expresses that if the automaton is currently in state x and the current input is event y, the automaton transitions to state v.
- Each state has its own attributes, "initial" and "terminate". There is only one state with the "initial" attribute, but there can be multiple states with the "terminate" attribute.
- An automaton instance is a specific runtime automaton instance created based on the aforementioned automaton (which can be understood as a template), and its initial state is the state of the attribute "initial".
- the method for the audit module 240 to perform the audit by using the automaton is specifically: converting the obtained control flow information into an event sequence, and driving the automaton instance to perform state transition by using the event sequence. After all events have been entered, check the status of the automaton. If the state is "terminated", the audit is successful; otherwise the audit fails.
- the control flow management module 230 can manage the control flow information (S180), such as pre-processing, storage, and the like. In some other embodiments, the step of the control flow management module 230 acquiring and managing the control flow information from the CoreSight 270 (S140 and S180) may also be triggered without the call of the audit module 240, or before the triggering of the audit module 240. Control flow information is retrieved from CoreSight 270 and stored in memory 260.
- the auditing module 240 on the TEE side audits the control flow of the authentication program 210 before the security application TA is invoked, and the call to the TA is actually carried out only after the audit succeeds (i.e., the authentication program 210 has been reliably executed), which effectively prevents an illegal CA from bypassing the authentication procedure 210. If the authentication procedure 210 is not executed completely, the identity information of the illegitimate CA cannot be obtained normally; the illegitimate CA could then send forged identity information, not its own but able to pass verification, to the TEE side, the TEE side would verify the illegal CA according to the forged identity information, and the illegal CA could communicate with the TEE side, causing a security hole in the system.
- the memory area may be divided in the startup phase of the terminal device, with a read-only memory area 260-1 set aside, and the authentication program 210 is loaded into the read-only memory area 260-1, thereby preventing the code of the authentication program 210 from being illegally modified and further ensuring the security of the terminal device.
- the CoreSight 270 is used to collect control flow information (and other information to be audited), so the security of the CoreSight 270 itself is the basis of the system. To further ensure security, the CoreSight 270 needs to be reviewed before any modules on the TEE side can read data from the CoreSight 270 storage media.
- a Tracer audit module 230b is added on the basis of FIG. 3 for reviewing the CoreSight 270.
- the SMC call module 220 sends a trigger message to the Tracer audit module 230b (S130).
- the Tracer auditing module 230b first audits the CoreSight 270 (S130a), and sends an audited message to the auditing module 240 (S130b) to trigger the auditing module 240 to perform the next operation.
- the CoreSight 270 is reviewed to determine if the CoreSight 270 registers have been modified. Specifically, the current value of the register and the initial value of the register when the CoreSight 270 is initialized are obtained, and the two are compared. If they are consistent, the audit is passed, and if not, the audit fails.
- the "registers" reviewed here may include all of the registers in CoreSight 270 or any one or more of the registers that are considered critical.
- the "initial value" is set at CoreSight design time and written in the startup code; during the review the "initial value" recorded in the code is obtained and then compared with the current value.
- The other steps in FIG. 5 are similar to those in FIG. 3; reference may be made to the foregoing description, and details are not repeated here.
- the audit module 240 can still receive the trigger message as shown in FIG. 3 and then selectively invoke the Tracer audit module 230b. In other words, the audit module 240 can determine that the CoreSight 270 need not be audited.
- the present application also provides a method for parallel auditing, which can implement parallel auditing of control flows of multiple programs to be protected by using a tracker in a scenario in which multiple programs to be protected are simultaneously running.
- the method of parallel auditing can be implemented in any of the foregoing embodiments.
- FIG. 6 is a schematic diagram of an apparatus for a parallel auditing method according to an embodiment of the present invention.
- the CoreSight 270 is configured with a register 271 that can be written to any value by software.
- the 210a is the authentication program 210 in the foregoing embodiment, and the programs 210b and 210c to be protected are other codes, which are not limited in this embodiment.
- Audit module 240 contains three automaton instances a, b, and c. Other modules can be described with reference to the foregoing embodiments.
- PID process identification
- when the CoreSight trigger instruction triggers the CoreSight 270 to collect information, it not only collects the control flow information of the collection point, but also reads from the register 271 the PID value stored there at the time the control flow information is generated, and stores that value associated with the control flow information as information to be audited.
- the audit module 240 on the TEE side is triggered to perform the audit. It is also possible to review the CoreSight 270 before auditing as in the embodiment shown in FIG. 5.
- the code for acquiring and writing the process PID can be understood as one or more process identifier acquisition modules, which are not shown in the figure.
- each piece of control flow information is stored together with the process that generated it, so that different automaton instances can be used separately to audit different control flow information.
- the auditing module 240 obtains the information to be audited, searches for or creates a matching automaton instance according to the PID in the information to be audited, and inputs the control flow information in the information to be audited into that automaton instance; each automaton instance thus implements the control flow audit of one program to be protected separately.
- the auditing module 240 obtains the next piece of control flow information from all the information to be audited, and the piece of to-be-audited information includes the control flow information and the PID (S701).
- the audit module 240 determines whether the information to be audited is empty (S702). If the information to be audited is not empty, the matching automaton instance is searched according to the PID in the information to be audited (S703).
- It is determined whether an automaton instance is found (S704). If no automaton instance is found, an automaton instance identified by the PID is created (S705); once an automaton instance is found or created, the control flow information is input into that automaton instance (S706) to advance it further. The process then returns to step S701.
- If it is determined in step S702 that the acquired information to be audited is empty, that is, all the current information to be audited has been processed according to the foregoing method, the PID of the process that sent the current audit trigger message is obtained (S707).
- when making a cross-domain call, the CA on the REE side usually stores the PID of the CA's process together with the identifier and parameters of the TA to be called into the shared memory, so that the module on the TEE side can obtain the value of the PID of the process from the shared memory.
- the automaton instance identified by the value of that PID is searched for (S708). If no such automaton instance exists (S709), the audit fails. If such an automaton instance exists (S709), it is determined whether the automaton instance is currently in a "terminate" state (abbreviated as the termination state); if so, the audit is successful, and if not, the audit fails.
- the auditing module 240 first obtains the PID of the process that sent the audit trigger message, obtains from the information to be audited the pieces that contain the same PID, and then performs the following operation on each acquired piece: find the matching automaton instance according to the obtained PID; if none is found, create an automaton instance identified by the PID; if found, input the piece of information to be audited into the automaton instance. After all the information to be audited has been processed, if the automaton instance is in the "terminate" state the audit is successful, otherwise the audit fails.
- the automata instance that matches the information to be audited is the automaton instance identified as the PID
- the PID is the value of the PID included in the to-be-audited information.
- the process PID of the program to be protected and the identifier of the corresponding automaton instance do not have to be completely consistent; they may differ as long as a correspondence or a conversion relationship between the two is implemented.
- control flow audit provided by this embodiment can simultaneously audit multiple programs to be protected in a terminal device having only one tracker, so that the auditing efficiency is higher, and the applicable scenario of the method is wider.
- the embodiment provides a method for performing control flow auditing in combination with a random number.
- FIG. 8 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
- the terminal device includes two hardware (pseudo) random number generators 280a and 280b, which are assigned to the REE side and the TEE side respectively by the hardware partitioning mechanism of the TrustZone; that is, the random number generator 280a can be accessed by the REE side (the TEE side may or may not be able to access it), while the random number generator 280b can only be accessed by the TEE side.
- CoreSight 270 is also provided with a register 272, which can be written to any value by software. Each record generated by CoreSight 270 is accompanied by the value of the register at the time the record was generated.
- the state of the automaton mentioned in the foregoing embodiment has the two attributes "initial" and "terminate".
- two further attributes, "data transmission" and "random number generator access times", are added for each state.
- a plurality of locations, called "random number generation points", are selected in the authentication program 210, and code is inserted at each random number generation point; the inserted code calls the random number generator 280a once to generate a random number and writes the generated random number to the register 272 of the CoreSight 270.
- multiple locations of the authentication program 210 are inserted with a CoreSight trigger command for triggering the CoreSight 270 to collect control flow information (refer to FIG. 3). These multiple locations may be referred to as “acquisition points”.
- the "random number generation points" and "acquisition points" in this embodiment may overlap completely, overlap partially, or not overlap at all.
- if a point generates a random number but is not a "collection point", the random number will be acquired by the CoreSight 270 together with the next adjacent "collection point" and then obtained by the TEE side, as shown in FIG.
- the authentication program 210 includes at least four acquisition points CP1-CP4 (shown as circles) and at least five random number generation points GP1-GP5 (shown as squares), where GP3 overlaps CP3 and GP5 overlaps CP4. Where they overlap, as shown in the figure, the random number generation instruction at that position usually precedes the CoreSight trigger instruction.
- the random number generator 280a is called to generate the random number R1, the random number is written into the register 272, and then, when the collection point CP2 is executed, the CoreSight 270 is triggered to acquire one piece of control flow information together with the current random number R1 in the register 272 (refer to step S120 in Fig. 9) as one piece of information to be audited.
- the program is executed through the four acquisition points CP1-CP4, corresponding to four events E1-E4, and the automaton may be coded according to the execution flow: (S0) -E1-> (S1) -E2-> (S2) -E3-> (S3) -E4-> (S4).
- the value of the random number generator access times attribute of S0 and S1 is 0; since there is a random number generation point GP1 between E1 and E2, the value of the random number generator access times attribute of S2 is 1;
- the values of the random number generator access times attribute of S3 and S4 are 3 and 5, respectively.
- the last random number generated on the REE side before the termination state S4 is generated at GP5, and this random number needs to be recorded; it is carried in the information to be audited corresponding to CP4, which includes the control flow information E4 (or "event") and the random number (refer to Figure 9), so the value of the "data transfer" attribute of the state S4 reached after E4 can be set to 1, so that during operation the automaton instance uses this attribute to record on the TEE side the last random number generated on the REE side.
- the value of the "data transfer" attribute of the other states can be set arbitrarily.
- the manner in which the setting is 1 or non-1, true or false is merely an example, and those skilled in the art can easily think of other setting manners according to the essence of the embodiment, and are also within the protection scope of the present application.
- an automaton instance is generated and the automaton instance is driven to perform state transition according to the acquired information to be audited to audit the control flow.
- the automaton instance has a variable V for recording random numbers.
- the state change rule has the following changes: after receiving the information to be audited and advancing the state, if the value of the "data transfer" attribute of the newly entered state is not 1, the random number carried in the information to be audited is ignored; if it is 1, the random number is assigned to the variable V.
- if the automaton instance is not in the termination state after all the information to be audited has been processed, the audit fails; if the automaton instance is in the termination state, n random numbers are acquired at once from the random number generator 280b, where n is the value of the random number generator access count attribute of the termination state, and the nth random number is then compared with the value of the variable V. If they match, the audit passes; if they do not, the audit fails.
- any one of the automaton instances in the auditing module 240 performs the following steps: acquire the next information to be audited (S1001), comprising the control flow information E[next] and the random number R[next]; judge whether it is empty (S1002); if it is empty, all the information to be audited has been processed; if it is not empty, advance the automaton instance to the next state according to E[next] and the current state S[current] (S1003).
- the "data transfer" attribute may also be left unset, that is, every random number may be recorded in the variable V, each overwriting the previous value.
- the purpose of this embodiment is to match the last random number V generated in the normal execution flow of the code to be protected on the REE side against the random number Rn generated on the TEE side, where Rn is generated according to the random number generator access count n preset for the termination state of the automaton for that execution flow.
- if, in the state transition rule of the automaton instance, the data transfer attribute of the current state is examined first and the current state is advanced to the next state afterwards, then in the foregoing example the "data transfer" attribute of the state S3 should be set to 1 instead, in order to record the last generated random number, and so on.
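The random number audit of this embodiment, as an added worked model (not code from the patent): the REE side passes acquisition points CP1-CP4 and generation points GP1-GP5 in the order of FIG. 9, and the TEE side drives the automaton of the previous bullets. It assumes that generators 280a and 280b yield the same sequence, modelled here as two PRNGs with the same seed.

```python
import random

# Constructed model of the embodiment of FIG. 9/10. Acquisition points CP1..CP4 emit
# events E1..E4; generation points GP1..GP5 sit between them (GP3 overlaps CP3,
# GP5 overlaps CP4), which is why the access counts per state are 0, 0, 1, 3, 5.
# Automaton encoding: state -> (random number generator access count, data transfer).
STATES = {
    "S0": (0, 0),
    "S1": (0, 0),
    "S2": (1, 0),
    "S3": (3, 0),
    "S4": (5, 1),   # termination state; its data transfer attribute is 1
}
TRANSITIONS = {
    ("S0", "E1"): "S1",
    ("S1", "E2"): "S2",
    ("S2", "E3"): "S3",
    ("S3", "E4"): "S4",
}
INITIAL, TERMINAL = "S0", "S4"

# Normal execution flow of the program to be protected: the order in which the
# acquisition points and random number generation points are passed.
FLOW = ["CP1", "GP1", "CP2", "GP2", "GP3", "CP3", "GP4", "GP5", "CP4"]
EVENT_OF = {"CP1": "E1", "CP2": "E2", "CP3": "E3", "CP4": "E4"}


def make_generator(seed=0x5EED):
    """Assumption: generators 280a (REE) and 280b (TEE) yield the same sequence;
    modelled as two PRNG instances created from the same constructed seed."""
    return random.Random(seed)


def ree_run(generator, skip_points=()):
    """REE side. Returns the information to be audited: one (event, register 272 value)
    pair per acquisition point. skip_points models a modified or bypassed flow."""
    register = None                  # CoreSight register 272, written by the program
    to_audit = []
    for point in FLOW:
        if point in skip_points:
            continue
        if point.startswith("GP"):
            register = generator.getrandbits(32)          # inserted code calls 280a
        else:
            to_audit.append((EVENT_OF[point], register))  # trace record + register value
    return to_audit


def tee_audit(to_audit, generator):
    """TEE side. Drives one automaton instance over the information to be audited and
    compares the recorded variable V with the n-th random number drawn from 280b."""
    state, v = INITIAL, None
    for event, r in to_audit:
        state = TRANSITIONS.get((state, event))
        if state is None:                     # no transition rule: control flow tampered
            return False
        if STATES[state][1] == 1:             # data transfer attribute of the new state
            v = r
    if state != TERMINAL:
        return False
    n = STATES[state][0]
    nth = None
    for _ in range(n):                        # draw n numbers at once, keep the n-th
        nth = generator.getrandbits(32)
    return v is not None and v == nth


def run_case(skip_points=()):
    """Fresh generator pair per case, since both sides start from the same state."""
    return tee_audit(ree_run(make_generator(), skip_points), make_generator())


if __name__ == "__main__":
    print("normal flow:", run_case())                    # True
    print("GP4 bypassed:", run_case(("GP4",)))           # False: V holds the 4th number
    print("CP2 bypassed:", run_case(("CP2",)))           # False: (S1, E3) has no rule
```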
- the auditing method of the control flow is introduced above, which can largely detect the situation in which the program to be protected is modified or bypassed, thereby discovering system problems in time and avoiding system vulnerabilities.
- the following describes an embodiment that can audit the control flow and also perform identity auditing to further improve security.
- TEXT segment: when a (static) program is stored on a medium, its code and static data (also called constants) are placed in a storage area, called the TEXT segment in some systems.
- the (dynamic) program is run as a process.
- virtual memory technology allows each process to monopolize the entire memory space, starting at zero and reaching the upper memory limit.
- each process divides this space (from low address to high address) into multiple parts, one of which is the TEXT segment, which includes the code of the entire program and its static data (i.e. constants).
- the TEXT segment of the process contains all the instructions of the program executed by the process. Compared with the process PID or the process name, the TEXT segment is more difficult to forge. Therefore, in this embodiment, this content is understood as the "identity" of the process.
- this audit is therefore called an "identity" audit.
- FIG. 11 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
- the terminal device includes a hardware (pseudo) random number generator 290, which is assigned to the REE side by the hardware partitioning mechanism of TrustZone.
- CoreSight 270 is also provided with a register 272, which can be written to any value by software. Each record generated by CoreSight 270 is accompanied by the value of the register at the time the record was generated.
- a "data transfer” attribute is added for each state, or this attribute is added to one or more of the states according to requirements.
- a self-acquisition module 210a in the authentication program 210 is used to call the random number generator 290 to generate a random number, write the random number into the register 272 of the CoreSight 270, and generate a scrambled data stream.
- the content of the scrambled data stream is as follows: the generated random number is spliced together with the TEXT segment of the current process on the REE side, with the random number first and the TEXT segment after it, and a hash value H1 is obtained from the spliced data by a hash operation (such as the sha256 algorithm).
- the self-acquisition module 210a overwrites the random number with other data after computing the stream header that contains the random number.
- to use a random number in a calculation it must be read into a register and may even be written to memory, so "overwriting" here means removing the value of the random number from the register or memory so that an attacker cannot use it.
- the random number can also be placed after the TEXT segment. Placing the random number first has the advantage that the data need not all be present before the calculation begins: the hash can be computed as a stream, the part of the calculation that depends on the random number can be completed as early as possible, and the value of the random number can then be cleared from memory or the register.
- the spliced may not be the original content of the TEXT segment, and may be a digest of the content contained in the TEXT segment or a compressed TEXT segment.
- the algorithm for calculating the digest may be, for example, sha256 or md5.
- the code of the self-acquisition module 210a is placed before the location at which the authentication program 210 first triggers the CoreSight 270 in the previous embodiment.
- the piece of code 210a and the authentication program 210 can also be understood together as a program to be protected. Since it also belongs to the program to be protected, a collection point (not shown in FIG. 11) can also be set inside the self-acquisition module 210a.
- a CA is a program that runs as a process at runtime.
- the TEXT segment here refers to the TEXT segment of all legitimate CAs. Therefore, the "TEXT segment on the REE side" is the TEXT segment of all legal CAs prepared in advance, including the code and constants of each CA.
- the content hard-coded into the TEE side may also be a digest of the original content of the TEXT segment, or a compressed TEXT segment.
- the self-acquisition module 210a executes first, and the entry of its code is set as an "acquisition point" (P1), triggering the CoreSight 270 to collect control flow information and the random number in the register 272, namely the random number generated by the self-acquisition module 210a and written into the register 272. Since the self-acquisition module 210a also generates a random number and writes it to the register 272, this acquisition point is also a random number generation point (P1).
- when the automaton is encoded, the data transfer attribute of the state reached by inputting the event corresponding to the acquisition point P1 into the automaton is set to 1.
- the random number can also be transmitted to the TEE side along with other acquisition points except P1.
- the REE transmits the hash value H1 obtained by the self-acquisition module 210a to the TEE through conventional means provided by TrustZone, specifically to the audit module 240. This can happen at any time after the hash value is generated, but it is recommended to pass it before the audit module 240 is triggered.
- the execution process of the automaton instance is similar to that of FIG. 10, except that the random number is generated only once (refer to FIG. 12, random number generation point P1); because the data transfer attribute of the corresponding state is set, the random number is recorded in the variable V after the automaton instance finishes, referring to steps S1301-S1306.
- the steps S1301-S1306 can also be simplified. Because there is only one random number, the step of acquiring and judging the data transfer attribute can be omitted after V has been assigned for the first time. There are many similar variants that a programmer can easily think of, and the present application does not describe them one by one.
- the value of V and the hard-coded TEXT segment (or TEXT segment digest) are spliced together, with the value of V first and the TEXT segment or its digest after it.
- the spliced data is hashed to obtain a hash value H2 (S1308), and H1 and H2 are compared (S1309). If the two are the same, the audit passes; otherwise the audit fails.
- if the hard-coded content is a compressed TEXT segment, decompression is needed here.
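The identity audit of this embodiment, as an added example that is not the patent's code: the REE side hashes the random number followed by the TEXT segment as a stream (the random number first so it can be discarded early), and the TEE side recomputes the hash from V and its hard-coded TEXT or TEXT digest. The TEXT segment bytes and the random number are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed stand-in for the TEXT segment (code + constants) of a legitimate CA.
LEGIT_TEXT = b"\x7fELF" + bytes(range(64)) + b"const:hello"


def text_digest(text_segment):
    """Digest of a TEXT segment, the variant that can be hard-coded instead of the raw TEXT."""
    return hashlib.sha256(text_segment).digest()


def self_acquire(random_number, text_segment, use_digest=False):
    """REE side, self-acquisition module 210a: hash (random number || TEXT) as a stream,
    random number first. With use_digest the sha256 digest of the TEXT replaces the raw
    TEXT. Returns H1 as hex; the random number itself is not returned or kept."""
    header = random_number.to_bytes(4, "big")
    h = hashlib.sha256()
    h.update(header)                # stream header containing the random number, hashed first
    header = b"\x00" * len(header)  # then overwritten; in Python this only drops the reference,
                                    # the point is that nothing after this line needs the value
    body = text_digest(text_segment) if use_digest else text_segment
    h.update(body)                  # the TEXT (or its digest) can be streamed in afterwards
    return h.hexdigest()


def tee_identity_audit(v, h1, hardcoded):
    """TEE side, steps S1308/S1309: V is the random number recorded by the automaton
    instance; hardcoded is the TEXT (or TEXT digest) of the legal CAs held on the TEE."""
    h2 = hashlib.sha256(v.to_bytes(4, "big") + hardcoded).hexdigest()
    return hmac.compare_digest(h1, h2)   # constant-time comparison of H1 and H2


if __name__ == "__main__":
    r = 0x12345678                        # constructed; stands for the output of generator 290
    h1 = self_acquire(r, LEGIT_TEXT)
    print("genuine CA:", tee_identity_audit(r, h1, LEGIT_TEXT))             # True
    print("patched CA:", tee_identity_audit(r, h1, LEGIT_TEXT + b"\x90"))   # False
    h1d = self_acquire(r, LEGIT_TEXT, use_digest=True)
    print("digest variant:", tee_identity_audit(r, h1d, text_digest(LEGIT_TEXT)))  # True
```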
- the random number generator mentioned in any of the foregoing embodiments is a hardware implementation.
- the random number generator can also be implemented in software.
- the two random number generators 280a and 280b in FIG. 8 are replaced by two software-implemented random number generators, which are placed respectively in a storage area that can be accessed by the REE and in a storage area that can only be accessed by the TEE.
- in the foregoing embodiments the CoreSight 270 was audited to ensure that it had not been tampered with.
- this embodiment further provides a security implementation method for the tracker. Once a secure tracker is implemented by hardware or software, auditing the tracker is no longer necessary.
- the first is the hardware mode, which guarantees the security of the CoreSight 270 through hardware isolation.
- the CoreSight 270 is partitioned into the system secure zone by hardware.
- the modules of the CoreSight 270 can be partitioned into the secure world, that is, the TEE side, by the TZPC (TrustZone protection controller).
- TZPC: TrustZone protection controller
- TZPC is a standard module (IP) of the ARM architecture that provides the ability to partition the different hardware modules in a system into a secure world (such as the TEE) or a non-secure world (such as the REE).
- TEE secure world
- REE non-secure world
- the function of TZPC is to control the access rights of other hardware.
- Some hardware can be divided into secure hardware or non-secure hardware through TZPC.
- the secure hardware can only be accessed by the operating system of the secure world; if the operating system of the non-secure world accesses the hardware registers of hardware partitioned as secure, an error results.
- the hardware CoreSight 270 and the hardware TZPC are connected during hardware manufacturing, so that the TZPC has the ability to control the CoreSight 270.
- the TEE side is initialized first when the system starts up. During the initialization process, the hardware TZPC sets the CoreSight 270 to be accessible in the secure state and inaccessible in the non-secure state.
- the second is the software mode, which guarantees the security of the CoreSight 270 through the setting of software access rights.
- the management of the CoreSight 270 is placed at a higher privilege level of the same security level. When the CoreSight 270 is accessed from a lower privilege level, execution first traps into the higher privilege level, which restricts access to the CoreSight 270 through a page table prepared in advance at the higher privilege level.
- the page table of EL2 on the REE side is configured to prevent access to the CoreSight 270 from EL0 and EL1, and a list of the readable and writable registers of the CoreSight 270 and a table of their permitted values are prepared in advance in EL2.
- the REE side kernel's access to the CoreSight 270 therefore traps into EL2, which only allows EL1 to write specific values to the preset registers. In this way, attacks on the CoreSight 270 from EL1 and EL0 are partly blocked.
- although the CoreSight 270 is protected on the REE side, it is still necessary to audit the CoreSight 270 on the TEE side to further ensure security.
- EL is an abbreviation of exception level, a concept of the ARM architecture.
- EL0 can be understood as a user mode
- EL1 is understood to be a kernel mode
- EL2 is a hypervisor
- EL3 is a secure mode.
- EL2 can control EL0 and EL1 access to physical memory.
- in the above embodiment this means that the EL2 page table restricts EL0 and EL1 access to the physical memory addresses of the CoreSight 270 registers.
- Figure 15 shows another system in which the REE side is divided into a hypervisor 22 and a normal operating system 21 (or guest operating system).
- the normal operating system 21 is the first operating system in the foregoing embodiment (refer to FIG. 1), and it undergoes a two-stage mapping when accessing the memory of the hardware layer (for example, memory and registers): in the first stage, the normal operating system 21 maps the virtual address to a virtual linear address using the first page table that it manages; in the second stage, the hypervisor maps the virtual linear address to the actual physical address using the second page table managed by the hypervisor.
- VM virtual machine
- VMM virtual machine monitor
- the security of the CoreSight 270 is enhanced by the hypervisor.
- the specific implementation steps are as follows: the system starts; the hypervisor 22 is started; the hypervisor 22 creates the second page table 221, and the second page table does not include any address mapping for the hardware registers of the CoreSight 270; in other words, no virtual linear address can be mapped to the address of a CoreSight 270 register.
- the hypervisor 22 then starts the normal operating system 21 and creates a first page table 211.
- CoreSight 270 is triggered to collect information after authentication program 210 is invoked.
- to start the CoreSight 270, the normal operating system 21 issues a hypercall and the CoreSight 270 is started through the hypervisor 22.
- to close the CoreSight 270, a hypercall is likewise issued and the CoreSight 270 is closed by the hypervisor 22.
- the CoreSight 270 operations are thus moved down into the hypervisor 22, which prevents the normal operating system 21 from operating the CoreSight 270 directly and improves the security of the CoreSight 270.
- since a tracker has multiple components, such as a data collection module, a data transmission module and a data storage module, only one or more of the critical components need to be protected when the security of the tracker is implemented by software or hardware.
- only the data storage module for storing data may be protected in the aforementioned hardware or software implementation.
- the REE side operating system or the normal operating system 22 can still control the data collection module and the data transmission module of the CoreSight 270, but cannot control the data storage module, which improves flexibility while preventing the REE side operating system or the ordinary operating system 22 from writing fake data into the data storage module for spoofing.
- the third is the combination of soft and hard.
- some components such as ETM can be protected by the above software in order to facilitate the design of the system software and reduce the software overhead, and the remaining components are protected by hardware.
- ETM: Embedded Trace Macrocell
- ETM is a component of CoreSight, which is used to obtain the trace information of the processor core.
- in this way the tracker itself can, to a certain extent, be prevented from being tampered with, the security of the tracker itself is ensured, auditing the tracker is avoided, and the audit process of the control flow is simplified without affecting the security of the system.
- this embodiment adds the audited elements and provides a joint auditing method for the control flow and the data flow.
- FIG. 16 is a schematic structural diagram of a terminal device according to the embodiment.
- the terminal device includes a CoreSight 270 whose ETM hardware component enables the ViewData function.
- the ETM is a component of the CoreSight 270 located inside the processor 250 for collecting control flow information.
- ViewData is an optional feature of the ETM hardware. If this feature is configured, the ETM has the ability to monitor the value of the data that a load/store instruction reads from or writes to memory. After the ViewData function is enabled, if the monitored instruction is a load/store, the collected information contains, in addition to the control flow information, the value of the data read or written by the load/store instruction. This part of the information is called data flow or data flow information in this embodiment.
- the authentication procedure 210 in this embodiment is no longer a prior art authentication procedure, and multiple locations of the authentication procedure 210 are inserted into multiple CoreSight triggering instructions.
- load/store instructions exist at the locations where some or all of the CoreSight trigger instructions are inserted.
- the trigger instruction is used to trigger the CoreSight 270 to collect control flow information and data information.
- the CoreSight trigger instruction can be a program segment whose functions are: 1. configure the data transfer register of the CoreSight 270; 2. enable the CoreSight 270 to start data collection. Function 1 includes configuring the register of the ETM component of the CoreSight 270 that enables ViewData to monitor the data flow.
- the state of the automaton mentioned in the foregoing embodiment has two attributes of “initial” and “terminating”.
- a "data flow auditing" attribute is added for each state or, according to requirements, for one or more of the states.
- the state containing the data flow audit attribute also requires a data constraint.
- the data constraint may be a limit on the range of a data value, such as the data not being 0 or being greater than 1000, or may be a relationship with other data, such as the data obtained at state y being twice, or less than, the data obtained at state x. If the data constraint relates to other data, the automaton needs an additional set of variables to store the data acquired during its operation, called the "acquired data list".
- a state is added.
- the new state is neither the initial nor the termination state, and it is not the destination state of any other state.
- this state accepts all events, and its destination state for every event is itself.
- This state is hereinafter referred to as state F.
- the automaton instance is generated and the automaton instance is driven to perform state transition according to the acquired control flow information and the data flow information to audit the control flow and the data flow.
- the state change rule has the following changes: after receiving the information to be audited and advancing the state, it is determined, according to the data flow audit attribute of the current state, whether to obtain the value of the data-flow-related data in the information to be audited (the information to be audited may also contain no data-flow-related data), and the value of the data is checked against the data constraint corresponding to the state. If the check passes, the data is saved in the "acquired data list" of the automaton and the next information to be audited is obtained; if the check fails, the current state is set to state F.
- the attribute value of the data flow audit attribute of the current state S[current] is obtained (S1704). If the value is not 1, the process returns to step S1701. If the value is 1, the value of the data is compared with the data constraint condition of S[current] (S1707); if the value of the data satisfies the data constraint condition, it is saved in the "acquired data list" (S1709) and the process returns to step S1701; otherwise S[current] is set to state F. After all the information to be audited has been processed, if S[current] is not a termination state, the audit fails.
- the data in the data stream may not be recorded, ie, the variable "acquired data list" is not set.
- the method of the present embodiment and the methods of the other embodiments of the present application can also be used in combination. For example, if the data flow auditing attribute exists simultaneously with the data transfer attribute and the random number generator access count attribute mentioned in the foregoing embodiment, then, when the information to be audited is processed, the concurrent attributes are handled according to the methods described in the foregoing embodiments.
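The joint control-flow and data-flow audit of this embodiment, as an added example that is not the patent's code: a small automaton with range and relational data constraints, the sink state F, and the acquired data list. The states, events, constraints and data values are constructed; the acquired data list is kept as a dict keyed by state, which is an assumption (the text only names the list).

```python
# Constructed automaton for the joint control-flow/data-flow audit. Events E1..E3 come
# from CoreSight trigger points placed at load/store instructions, so each piece of
# information to be audited is (event, data value), with data None when no data flow
# information was captured. Constraints are callables over (value, acquired data list).
STATES = {
    "S0": {"initial": True},
    "S1": {"data_audit": 1, "constraint": lambda v, acq: v != 0},           # range: not 0
    "S2": {"data_audit": 1, "constraint": lambda v, acq: 0 < v <= 1000},    # range: 1..1000
    "S3": {"terminal": True, "data_audit": 1,
           "constraint": lambda v, acq: v <= 2 * acq.get("S1", 0)},        # relational: <= 2x data of S1
    "F": {},   # added sink state: neither initial nor terminal, accepts every event
}
TRANSITIONS = {("S0", "E1"): "S1", ("S1", "E2"): "S2", ("S2", "E3"): "S3"}


def step(state, event):
    """State transition rule. F maps every event to itself; other unknown pairs have no rule."""
    if state == "F":
        return "F"
    return TRANSITIONS.get((state, event))


def audit(to_audit):
    """Drive one automaton instance (steps S1701..S1709 of the text). Returns
    (audit passed, acquired data list). The acquired data list is a dict keyed by the
    state that acquired the value (assumption: the text only names the list)."""
    state, acquired = "S0", {}
    for event, data in to_audit:
        state = step(state, event)
        if state is None:                         # no transition rule for this event
            return False, acquired
        attrs = STATES[state]
        if attrs.get("data_audit") != 1:          # S1704: nothing to check in this state
            continue
        if data is None or not attrs["constraint"](data, acquired):
            state = "F"                           # S1707 failed: sink; later events are absorbed
            continue
        acquired[state] = data                    # S1709
    return bool(STATES[state].get("terminal")), acquired


if __name__ == "__main__":
    # Constructed traces: a normal run, then runs that break a range constraint, the
    # relational constraint, and the control flow respectively.
    print(audit([("E1", 40), ("E2", 500), ("E3", 80)]))    # (True, {'S1': 40, 'S2': 500, 'S3': 80})
    print(audit([("E1", 40), ("E2", 5000), ("E3", 80)]))   # (False, ...) 5000 out of range -> F
    print(audit([("E1", 40), ("E2", 500), ("E3", 81)]))    # (False, ...) 81 > 2 * 40 -> F
    print(audit([("E1", 40), ("E3", 80)]))                 # (False, ...) no rule for (S1, E3)
```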
- the method provided by the present application can be applied not only to relatively complicated scenes but also to simple scenes.
- the present embodiment provides a simplified auditing method.
- the external interrupt is turned off during the execution of the authentication program 210 (hereinafter referred to as the authentication flow).
- the instruction for starting the authentication process in the authentication program 210 and the address of the instruction for invoking the TEE function (referred to as address A and address B, respectively) are hard-coded into the operating system on the TEE side.
- the CoreSight trigger instruction is not inserted in the authentication program 210.
- the CoreSight 270 is controlled by the operating system on the TEE side and is turned on before each switch to REE (including the first switch to REE at startup). Once turned on, CoreSight 270 begins collecting control flow information and stores it in its internal memory.
- the operating system on the TEE side reads the control flow information stored in the memory inside the CoreSight 270 and, according to the address A and the address B stored on the TEE side (obtained by the hard coding described above), finds the acquisition point y at which address B last appeared (also called a data point), and then finds the collection point x at which address A last appeared before the last occurrence of address B.
- the audit fails in any of the following cases: 1. the collection point y cannot be located; 2. the collection point x cannot be located; 3. address A appears between the collection point y and the last collection point recorded in the hardware.
- control flow information may still be collected by inserting CoreSight trigger instructions at the code locations corresponding to address A and address B. Additionally, the above steps can be simply extended to verify that the REE has executed 3 or more addresses in order.
- the auditing rules do not have to be implemented by means of an automaton. Although in the foregoing embodiments the control flow or other information is audited through an automaton instance, different rules can be set for different scenarios, and, depending on the features and complexity of the rules, different implementations may be used, for example a simple matching procedure based on simple rules.
- the original program has tracker triggering instructions inserted into it to form the program to be protected.
- the program to be protected may be written manually, that is, the triggering instructions are inserted manually, or it may be generated automatically by a computer based on the auditing requirement.
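The simplified audit of this embodiment, as an added example that is not the patent's code: the three failure rules over the trace read from the CoreSight memory, with the two-address check generalised to an ordered list of addresses as the text suggests (that generalisation is mine). The addresses and the trace are constructed placeholders.

```python
# Constructed trace: the addresses executed at successive collection points, as read by the
# TEE side from the internal memory of the CoreSight 270 after the switch from the REE.
# ADDR_A / ADDR_B are placeholders for the hard-coded addresses of the instruction that
# starts the authentication flow and the instruction that invokes the TEE function.
ADDR_A = 0x40001000
ADDR_B = 0x40001F00


def simplified_audit(trace, addrs=(ADDR_A, ADDR_B)):
    """Apply the three failure rules of the text. With the default (A, B) this is exactly
    the A/B check; a longer tuple is the extension the text mentions, verifying that the
    addresses were executed in the given order before the last TEE call."""
    limit = len(trace)
    for k, addr in enumerate(reversed(addrs)):
        # last occurrence of this address before the position found for the address after it
        pos = max((i for i in range(limit) if trace[i] == addr), default=None)
        if pos is None:
            return False          # rule 1 (k == 0: point y) / rule 2 (point x not located)
        if k == 0 and addrs[0] in trace[pos + 1:]:
            return False          # rule 3: the flow was re-entered after the last TEE call
        limit = pos
    return True


if __name__ == "__main__":
    A, B = ADDR_A, ADDR_B
    print(simplified_audit([0x10, A, 0x20, B, 0x30]))   # True: A ... B, no A afterwards
    print(simplified_audit([0x10, A, 0x20]))            # False: B never reached (rule 1)
    print(simplified_audit([0x10, 0x20, B]))            # False: B without A (rule 2)
    print(simplified_audit([A, B, A, 0x30]))            # False: A after the last B (rule 3)
    print(simplified_audit([A, 0x30, 0x40, B], addrs=(A, 0x30, 0x40, B)))  # True: ordered
```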
- This embodiment provides a method for automatically generating a program to be protected.
- there are a version generation device 310 and a version distribution device 320 on the server 300 side.
- the two devices may exist on the same physical server or on different physical servers.
- the version generating device 310 includes a processing unit 311 for automatically generating the program to be protected and the audit rule according to the program and the auditing requirement; the software issuing unit 321 located in the version issuing device sends the program to be protected, or the program to be protected together with the audit rules, to the terminal device, such as a smartphone, a tablet, and the like.
- the terminal device stores the program to be protected and the audit rule in a local storage, and can be stored in a read-only storage area to avoid malicious tampering.
- this embodiment proposes a machine learning method to improve the accuracy of the audit rule description and reduce the complexity of the rule as much as possible, thereby improving the efficiency of the audit.
- a positive sample is generated by performing acquisition, and a negative sample is generated by a simulated attack, and a control flow model is learned and generated from the two types of samples, and an audit rule is generated according to the control flow model.
- the audit rule is a model obtained by machine learning; the collected information may be input into the model directly or after being filtered, and whether the audit succeeds is decided according to the calculated result (the automaton is not necessary).
- the tracker can collect all the control flow information of the running program; the control flow information is collected and the audit rules are extracted from it by machine learning. Further, if the data flow auditing methods mentioned in some of the foregoing embodiments are to be applied, data flow information and other information to be audited can also be collected.
- the server 400 includes a machine learning device 410 and a rule issuing device 420.
- the machine learning device 410 is configured to generate an audit rule by a method of machine learning
- the rule issuing unit 421 in the rule issuing device 420 is configured to send the audit rule to each terminal device.
- the device 420 of Figure 19 can be combined with the device 320 of Figure 18 into one device.
- the method for generating audit rules is as follows:
  1. the running module 411 runs the target program in the target terminal or in a simulation environment;
  2. during the running of the target program, the running module 411 simulates various input conditions, and the collecting module 413 collects the control flow information and/or data flow information under these conditions as positive samples;
  3. during the running of the target program, the attack module 412 simulates various possible attacks, and the collecting module 413 collects the control flow information and/or data flow information during the attack process as negative samples;
  4. the positive and negative samples, as the feature model of the program, are input into the machine learning algorithm, through which the rules of the program's execution features are extracted;
  5. the processing tool processes the aforementioned rules and the source to be audited;
  7. the audit blueprint and the protection object output by the processing are placed on the version release server as the release target.
- the acquisition module 413 in this embodiment collects information through a tracker.
- the information to be audited may include control flow information and data flow information;
- the security domain (e.g. TEE) operating system reads the information to be audited in the circular buffer and records it in (non-volatile) memory; this record is called a positive sample;
- the circular buffer can be implemented as an array to record information from the beginning. If the array is full, continue recording from the beginning, overwriting the oldest record in the buffer.
- the functions implemented by the attack chain include: calling a function in the secure operating system (such as a TA).
- the ROP attack begins: the specific function in the program is executed by the ROP method, and the security domain operating system is invoked;
- the security domain operating system is called to reach the audit point, read the information to be audited in the circular buffer, and record it in the memory, the record is called a negative sample.
- ROP: Return-oriented Programming
- a machine learning algorithm is used to build a classifier based on positive and negative samples. Take the C5.0 decision tree algorithm as an example:
- Data preprocessing 1: parse all positive and negative samples and generate a set of events for each sample.
- an event refers to something that occurs in the sample, for example "CPU3 executes an instruction at 0xfffffff12340000".
- Data preprocessing 2: eliminate unimportant information from the event set, such as the CPU number.
- Dimension definition: each distinct event that ever appeared in a sample is a dimension. For example, if the message "an instruction at 0xfffffff12340000 is executed" appears in a sample, there is a dimension corresponding to it in the high-dimensional space.
- Vectorization: convert each sample into a vector in the high-dimensional space defined in the previous step. The principle of conversion is: if an event is present in the event set of the sample, the vector has the value 1 in the dimension corresponding to that event, otherwise the value is 0.
- the instructions 1, 2, and 4 all generate data.
- the various legal A, B, and C as inputs, run the above program, and generate multiple positive samples.
- the control flow of these positive samples is 1-2-3-4-5, and the data flows differ, but the value of C is never zero.
- a positive sample may have the feature vector [1,1,1,1,0,0,...,0,0,1]; a negative sample may have the feature vector [0,1,0,1,0,0,...,0,1,1].
- during auditing, the collected information is vectorized as described above and then input into the decision tree, which outputs whether the sample is a positive sample or a negative sample; if the conclusion is a negative sample, the audit fails.
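The preprocessing, vectorization and audit-by-model steps above, as an added example that is not the patent's code: events are parsed with the CPU number dropped, every distinct address becomes a dimension, and the samples are turned into 0/1 vectors. A one-level decision tree (a "stump") stands in for the C5.0 tree of the text; the record format, addresses and samples are constructed.

```python
import re

# Constructed record format for one event of a sample, matching the example in the text
# ("CPU3 executes an instruction at 0xfffffff12340000").
EVENT_RE = re.compile(r"CPU(\d+) executes an instruction at (0x[0-9a-fA-F]+)")


def parse_events(sample):
    """Preprocessing 1 and 2: turn the raw records of one sample into a set of events,
    dropping the unimportant CPU number so only the executed address remains."""
    events = set()
    for line in sample:
        m = EVENT_RE.search(line)
        if m:
            events.add(int(m.group(2), 16))
    return events


def build_space(samples):
    """Every event that appeared in any sample becomes one dimension (sorted for stability)."""
    return sorted(set().union(*(parse_events(s) for s in samples)))


def vectorize(sample, space):
    """1 in the dimension of every event present in the sample, 0 otherwise."""
    events = parse_events(sample)
    return [1 if addr in events else 0 for addr in space]


def learn_stump(vectors, labels):
    """Stand-in for the C5.0 tree of the text: a one-level decision tree. Picks the
    dimension and value that classify the most training samples correctly and returns
    (dimension index, value in that dimension that means 'positive')."""
    best = None
    for d in range(len(vectors[0])):
        for positive_when in (0, 1):
            correct = sum((v[d] == positive_when) == (y == 1) for v, y in zip(vectors, labels))
            if best is None or correct > best[0]:
                best = (correct, d, positive_when)
    return best[1], best[2]


def classify(vector, stump):
    d, positive_when = stump
    return 1 if vector[d] == positive_when else 0


def rec(cpu, addr):
    """One constructed trace record in the format above."""
    return f"CPU{cpu} executes an instruction at {addr:#x}"


# Constructed samples: a normal flow executes addresses 0x1000..0x1010 in order; the
# simulated ROP runs skip the check at 0x1008 and pass through a gadget at 0x2000.
POSITIVE = [
    [rec(0, a) for a in (0x1000, 0x1004, 0x1008, 0x100C, 0x1010)],
    [rec(3, a) for a in (0x1000, 0x1004, 0x1008, 0x100C, 0x1010)],
]
NEGATIVE = [
    [rec(1, a) for a in (0x1000, 0x1004, 0x1010, 0x2000)],
    [rec(2, a) for a in (0x1000, 0x1010, 0x2000)],
]


def train():
    """Server side (machine learning device 410): learn the audit model from the samples."""
    samples = POSITIVE + NEGATIVE
    labels = [1] * len(POSITIVE) + [0] * len(NEGATIVE)
    space = build_space(samples)
    stump = learn_stump([vectorize(s, space) for s in samples], labels)
    return space, stump


def audit(sample, space, stump):
    """Terminal side: vectorize the collected information and run the model; True = audit passes."""
    return classify(vectorize(sample, space), stump) == 1


if __name__ == "__main__":
    space, stump = train()
    print("dimension chosen:", hex(space[stump[0]]), "positive when", stump[1])   # 0x1008, 1
    print(audit([rec(5, a) for a in (0x1000, 0x1004, 0x1008, 0x100C, 0x1010)], space, stump))  # True
    print(audit([rec(5, a) for a in (0x1000, 0x1004, 0x1010, 0x2000)], space, stump))          # False
```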
- the above-mentioned machine learning method can automatically generate an audit rule and send it to the terminal device.
- the audit rule can be one or more models (which can be understood as formulas); the terminal device then collects the information to be audited in real time, inputs it into the model, and obtains the audit result. It can be seen that this method can improve the generation speed and accuracy of the audit rules, thereby improving the reliability of the audit process.
- alternatively, rather than triggering the tracker at trigger instructions to collect the information to be audited, the tracker can be opened and its function configured before the program to be protected starts executing, so that it collects the control flow information to be audited.
- the position of a trigger instruction may also be determined by the machine learning algorithm. For example, after the decision tree is generated, the instructions that carry weight in the tree are selected, and trigger instructions are inserted at the code corresponding to those instructions. It can be seen that the machine learning algorithm can also be combined with the insertion method of the trigger instructions.
- FIG. 20 is a schematic structural diagram of a computer system according to an embodiment of the present invention.
- the computer system can be a terminal device.
- the computer system includes a communication module 510, a sensor 520, a user input module 530, an output module 540, a processor 550, an audio and video input module 560, a tracker 570, a memory 580, and a power source 590.
- Communication module 510 can include at least one module that enables communication between the computer system and a communication system or another computer system.
- The communication module 510 can include one or more of a wired network interface, a broadcast receiving module, a mobile communication module, a wireless internet module, a local area communication module, and a location (or positioning) information module. There are many implementations of these modules in the prior art, and the present application does not describe them one by one.
- Sensor 520 can sense the current state of the system, such as an open/closed state, position, contact with the user, direction, and acceleration/deceleration, and can generate a sensing signal for controlling the operation of the system.
- the user input module 530 is configured to receive input digital information, character information or contact touch/contactless gestures, and receive signal input related to user settings and function control of the system.
- User input module 530 includes a touch panel and/or other input device.
- the output module 540 includes a display panel for displaying information input by the user, information provided to the user, or various menu interfaces of the system, and the like.
- the display panel can be configured in the form of a liquid crystal display (LCD) or an organic light-emitting diode (OLED).
- the touch panel can cover the display panel to form a touch display.
- the output module 540 may further include an audio output module, an alarm, a haptic module, and the like.
- the audio and video input module 560 is configured to input an audio signal or a video signal.
- the audio and video input module 560 can include a camera and a microphone.
- the power supply 590 can receive external power and internal power under the control of the processor 550 and provide the power required for operation of the various components of the system.
- Processor 550 can include one or more processors.
- Processor 550 can include one or more central processors, or a central processing unit together with a graphics processor.
- When processor 550 includes a plurality of processors, they may be integrated on the same chip or may each be a separate chip.
- A processor can include one or more physical cores, the physical core being the smallest processing module.
- Tracker 570 is used to acquire the processor's instruction information for debugging or other purposes. Tracker 570 contains a number of components distributed throughout the hierarchy of the system, and some components may be embedded in the processor as shown.
- The memory 580 stores computer programs including an operating system program 582, applications 581, and the like. Typical operating systems include Microsoft's Windows and Apple's MacOS for desktop or notebook systems, and Google's Android for mobile terminals.
- The memory 580 may be one or more of the following types: flash memory, hard disk type memory, micro multimedia card type memory, card memory (such as SD or XD memory), random access memory (RAM), static random access memory (SRAM), read only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk or optical disk.
- the memory 580 can also be a network storage device on the Internet, and the system can perform operations such as updating or reading on the memory 580 on the Internet.
- The processor 550 is configured to read a computer program from the memory 580 and then execute the method the program defines; for example, the processor 550 reads the operating system program 582 to run an operating system on the system and implement its various functions, or reads one or more applications 581 to run them on the system.
- the memory 580 also stores other data 583 in addition to the computer program, such as the information to be audited as set forth herein.
- The embodiments described herein may be implemented in hardware using one or more of an application specific integrated circuit (ASIC), a digital signal processor (DSP), a programmable logic device (PLD), or a field programmable gate array (FPGA).
- Implementations such as procedures and functions may be implemented using software modules that perform at least one function or operation. The software modules can be written in any suitable software language, stored in memory 580, and read and executed by processor 550.
- The tracker used in the present application contains a plurality of hardware components distributed across multiple layers of the system, but hardware execution often requires software drivers, so "tracker" does not exclude that some components may be implemented in software.
- The connection relationships between the modules in FIG. 20 are only an example; the method of any embodiment of the present application may also be applied to terminal devices with other connection modes, for example with all modules connected through a bus.
- The device embodiments described above are merely illustrative: modules described as separate components may or may not be physically separate, and components displayed as modules may or may not be physical modules, i.e. they may be located in one place or distributed across multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment.
- A connection relationship between modules indicates that there is a communication connection between them, which can be realized by one or more communication buses or signal lines.
Abstract
This application provides a security control method and a computer system. A first domain and a second domain are deployed on the computer system, and the second domain has higher security than the first domain. A program is deployed in the first domain; a control-flow management module and an audit module are deployed in the second domain. While the program in the first domain executes, the control-flow management module obtains control-flow information through a tracer; the audit module audits the information to be audited against audit rules, determines that the audit passes when the information matches the rules, and only then allows subsequent operations of the first domain, such as accessing a secure program in the second domain. The program's data flow can be audited at the same time as its control flow. This prevents the execution of certain critical programs from being bypassed and improves the security of the computer system.
Description
This application relates to security control technology for computer systems, and in particular to methods, devices and systems that achieve system security by auditing control-flow and related information.
Terminal devices are increasingly required to handle important services. From paying for, downloading and watching the latest Hollywood blockbuster within a given window, to remotely paying bills and managing bank accounts from a mobile phone, these trends have made terminal devices a prime target for malware, trojans, rootkits and similar malicious code. To secure terminal devices, terminal security frameworks represented by TrustZone have emerged.
Under the existing TrustZone framework, system-level security is obtained by partitioning the hardware and software resources of the system on chip (SoC) into two worlds, the normal world and the secure world (also called the non-secure domain and the secure domain), which correspond to the rich execution environment (REE) and the trusted execution environment (TEE) respectively. The TEE and REE run on the same device; the TEE guarantees that sensitive data is stored, processed and protected in a trusted environment and provides a secure execution environment for authorized trusted applications (TAs). Client applications (CAs, also called ordinary applications) run in the REE and access TAs by calling the TEE client application programming interface (API) located in the REE, thereby using the security functions provided by the TEE and its TAs.
In the prior art, to secure CA access to TAs, a CA authentication program is placed on the REE side; it extracts the CA's identity information so that the CA's identity can be verified later. Specifically, before a CA accesses a TA, the REE side runs this authentication program to extract the CA's identity information and submits it to the TEE side through a secure monitor call (SMC); only after the TEE side verifies it is the CA allowed to access the TA it wants. However, on the REE side the operating system (OS) in which the CA runs may be compromised, causing the authentication program to be bypassed, that is, not executed. For example, taking
as representative: various CAs are deployed on top of the REE-side OS, and
has the CA authentication program deployed in it, and
has a superuser privilege, namely root. Once
has been rooted (superuser privilege escalation), the original privilege management is no longer effective. That is, after rooting,
a CA may, under certain attacks, bypass the authentication program. If the authentication program is bypassed, the extraction of the CA's identity information no longer happens. A counterfeit CA can then submit forged identity information directly to the TEE side, and once the TEE side accepts it, the counterfeit CA can invoke the security functions provided by TAs, such as fingerprint verification, leading to a series of system security problems.
Summary
This application provides a computer system, a terminal device, and security control methods applied on them, for improving the security of terminal devices and other types of computer systems.
To make the technical solution easier to understand, several terms used in this application are introduced first.
Domain: a logical organizational unit of a computer system, specifically a logical organizational unit inside one computer device. Each domain has its own security policy, and there are security boundaries between domains. A domain may be partitioned by software, for example
the user mode and kernel mode of the system, or the host layer and guest layer formed by virtualization technology; it may also be partitioned by hardware, for example the TrustZone-based secure and non-secure domains.
Tracer: also called a tracker in this application; records transfer instructions (such as jump instructions) and data transfer instructions issued on the CPU (for example
the load and store instructions). These instructions can serve as control-flow information to reconstruct the control flow and to obtain dynamic data. Examples are
CoreSight under that architecture, IPT (
Processor Tracer) under the X86 architecture, or any other unit or module capable of tracing CPU instructions. The tracer may exist as an independent device, or be partly or wholly embedded in the CPU or other hardware.
Control flow (also called execution flow): represents the execution process of a program. Control flow can be represented directly or indirectly as a sequence of instruction addresses or a sequence of events. For example, the code x=y becomes, in assembly, 0x1234: load r0,[y]; 0x1238: store r0,[x]. Here the value of y stored in memory flows into a CPU register and then into the memory of x; the control flow of this code is to execute 0x1234 first and then 0x1238, while the value of y is dynamic data of the code's execution.
Control-flow information: information from which the control flow can be reconstructed. In some descriptions it refers to one of the many pieces of control-flow information that form a program's control flow; in others to all the information forming a program's control flow; in still others to the control flow itself. Refer to the context.
Data flow: represents a program's data read and write process, including the data involved. It can be represented directly or indirectly as a sequence of the program's data read/write events. Some embodiments of this application audit the data contained in that sequence to guarantee system security; such data is generally dynamic data.
Data-flow information: information from which the data flow can be reconstructed, containing dynamic data. In some descriptions it refers to one of the many dynamic data items forming a program's data flow; in others to all dynamic data forming a program's data flow; in still others to the data flow itself. Refer to the context.
Automaton: a computer-implemented mathematical model. An automaton transitions from one state to another in response to external input (for example an event). An automaton instance is a runtime automaton. In the embodiments of this application, rules or models are used to audit control-flow and similar information, and an automaton is one implementation form of such a "rule or model".
"Performing an action in the first domain or the second domain" can be understood as the subject performing the action being deployed in that domain, or as the executing subject being in the state represented by that domain; the subject may be a hardware module or a software module. Since a "domain" is a logical organizational unit, in some cases the executing subject of the action may also be understood as the domain itself.
Unless stated otherwise, "multiple" or "multiple times" in this application means "two or more" or "two or more times". "First" and "second" do not imply an order; they only distinguish two subjects in certain descriptive contexts, and the subjects they indicate need not be different subjects in all embodiments. "A/B" and "A and/or B" cover A, B, and A together with B. In this application
means that A is a trademark name, but words without
may also be trademark names.
The technical solution is introduced below from different aspects. The aspects below need not cover all implementations proposed in this application, and the implementations and benefits of different aspects may be cross-referenced.
In a first aspect, this application provides a computer system, which may be a terminal device, on which a first domain and a second domain are deployed. A program is deployed in the first domain, and a control-flow management module and an audit module are deployed in the second domain. A tracer is also deployed on the terminal device and, together with the control-flow management module and the audit module, implements an integrity audit of the program's control flow. Specifically, the control-flow management module is configured to obtain, through the hardware tracer, information to be audited while the program in the first domain executes, this information including the program's control-flow information; the audit module is configured to audit the information against audit rules and to determine that the audit passes when the information matches the rules. The domain responsible for the audit normally has security higher than (or equal to) the domain in which the audited program runs. The first and second domains may be partitioned by software and/or hardware.
In some implementations, the first and second domains are the TrustZone-based non-secure world and secure world respectively (which can also be understood as the REE and TEE).
Thus a tracer such as CoreSight or IPT is used to obtain the control-flow information of a critical program (called the program to be protected in the detailed embodiments below), and its control flow is integrity-audited in another domain against preset audit rules. Only when the control flow matches the rules is the next operation allowed, for example allowing the program, or another program related to it, to access functions of the domain in which the audit module resides. This avoids the system vulnerabilities that arise when the critical program is bypassed or executed illegally under some attack, and improves the security of the terminal device.
Control-flow integrity auditing may also be called control-flow integrity verification; in this application it is abbreviated to control-flow audit.
In some implementations, the program can be stored in a read-only area of memory deployed in the first domain, so that it cannot be modified, further ensuring security.
In some implementations, the information to be audited also includes the program's data-flow information. Auditing the data flow alongside the control flow secures the data in the code as well as the code's execution, further improving the terminal device's security.
In some implementations, the terminal device also includes a Tracer review module deployed in the second domain, configured to review the tracer before the audit module performs its audit. Specifically, it checks whether the tracer's registers have been modified: if so, the review fails, otherwise it passes. Only after the review passes is the audit module triggered. Reviewing the tracer before relying on it for the security audit ensures that the tracer has not been tampered with and keeps the audit process reliable.
In some implementations, the terminal device also includes a process identifier acquisition module deployed in the first domain. It is configured to obtain the process identifier (for example the PID or process name) of the process executing the program before the tracer collects the control-flow information, and to store it in a first register of the tracer. The control-flow management module obtains the information to be audited through the tracer, and this information also includes the process identifier, read by the tracer from the first register. The audit module looks up the audit rule matching the process identifier and audits the control-flow information against the rule found.
Before each piece of control-flow information is collected, the current process's identifier is obtained, then collection of the control-flow information of the program that process is executing is triggered, and the information is stored in association with the identifier. Each piece of control-flow information thus carries an identifier of its origin, so the audit module can distinguish control-flow information from different programs by process identifier, select the matching audit rule, and thereby audit multiple programs in parallel.
In some implementations, the terminal device also includes a first random number generator and a self-collection module deployed in the first domain, and the second domain contains the program's TEXT segment, which may be placed into the second domain by hard-coding. The self-collection module is configured to call the first random number generator to produce a random number RX before the program executes, to store RX in a second register of the tracer, and to compute a hash H1 from RX and the TEXT segment of the process executing the program. The control-flow management module obtains the information to be audited through the tracer; this information also includes RX, which the tracer obtains by accessing the second register. The audit module is configured to obtain H1, compute a hash H2 from RX and the TEXT segment held in the second domain, compare H1 and H2, and determine that the audit passes when H1 equals H2 and the other information to be audited matches the audit rules.
In other implementations, the TEXT segment may be scrambled in a form other than a random number.
In other implementations, no random number RX is generated and no hash H1 is computed; only the TEXT segment is transmitted and compared with the TEXT segment held in the second domain.
"TEXT segment" refers to a region of storage. A program's TEXT segment contains its code and constants. In the claims, "TEXT segment" means all or part of the TEXT segment's contents, the compressed contents, or a digest of the contents.
The TEXT segment contains the program's code and constants. Its contents are first placed into the second domain; while the program runs, the TEXT segment is obtained again and transmitted to the second domain, and the two copies are compared, with the audit passing only if they match. This further ensures the program's security. Scrambling the TEXT segment with a random number during transmission further improves the security of that transmission and hence the reliability of the audit.
In some implementations, the terminal device also includes a first random number generator deployed in the first domain and a second random number generator deployed in the second domain. The first generator may be the one in the preceding implementation or another one. The information obtained by the control-flow management module also includes random numbers. The first generator is called while the program executes to produce a random number, which is written to a third register of the tracer; when the tracer collects control-flow information it reads the random number currently stored in the third register and records it together with the current control-flow information as one piece of information to be audited. The audit module is configured to obtain the last random number RY produced by the first generator during the program's execution and the preset generation count n held in the second domain, to trigger the second generator to produce n random numbers according to n, to compare the n-th random number Rn with RY, and to determine that the audit passes when Rn equals RY and the other information matches the audit rules.
In other words, the first random number generator (in the first domain) produces multiple random numbers while the program executes; each is written to the tracer's register after generation, the tracer reads it along with the control-flow information it collects, and both are passed to the second domain. The audit module in the second domain can determine, in several ways, the last random number RY produced by the first generator from those passed over, and then obtains the generation count n corresponding to that random number, which is preset in the second domain according to the program's normal execution. The audit module then calls the second generator to produce n random numbers and selects the n-th; if the random numbers obtained the two ways are identical, the execution of the program in the first domain was not interfered with.
"Audit rule" can be understood differently in different implementations. When the information to be audited contains only control-flow information, an audit rule can be understood as only a rule for auditing the control flow; when other information appears, such as data-flow information, process identifiers, random numbers or TEXT segments, the audit rule can be understood to also include rules for matching process identifiers and/or reviewing random numbers, TEXT segments and the like. In other implementations, "audit rule" may be understood to include only control-flow audit rules, with the matching or review of other information belonging to separate models or rules. Audit rules can be implemented in many ways: an automaton, an audit model, a table, a list, a judgment statement, and so on. Complex audit rules can be produced by machine learning; for example, the program can be run in simulation on the terminal device or on a server, its execution characteristics (a model) learned, and the legitimacy of an actual execution determined by matching the actual execution flow and related information against those characteristics.
In some implementations, all or some components of the tracer are placed into the second domain through hardware partitioning or software privilege management, the second domain being more secure than the first. This secures the tracer, so the tracer review of the earlier implementation is no longer mandatory, although it may still be performed as a second line of defense.
In some implementations, trigger instructions are inserted at multiple positions in the program to trigger the tracer to collect control-flow information at those positions; in others, the tracer needs no trigger and collects all of the program's control-flow information.
In a second aspect, this application also provides an audit method applied in a computer system with a first domain and a second domain. When a program in the first domain executes, information to be audited, including the program's control-flow information, is obtained in the second domain through a tracer. In the second domain the information is audited against audit rules, and the audit passes when the information matches the rules. The tracer may be wholly or partly deployed in the second domain.
When this audit method is applied to security control, the next operation is allowed only after the audit passes, for example allowing the program, or the next program related to it, to access a certain secure program of the second domain.
In some implementations the tracer is switched on only when the program starts executing, and the information it collects is then obtained synchronously or asynchronously in the second domain; in others the tracer is switched on only when some critical code of the program is executed, or stays on from system start.
In some implementations, the information to be audited also includes the program's data-flow information.
In some implementations, before the control-flow information is audited, the tracer is reviewed in the second domain, and the control-flow information is audited only after the review passes.
In some implementations, before the information is obtained through the tracer, the identifier of the process executing the program is obtained and stored in a first register of the tracer; the information collected by the tracer then includes the control-flow information and the process identifier held in the first register at the time of collection. In other words, the process identifier is the current identifier read from the first register when the tracer collects the control-flow information. The audit rule matching that identifier is then looked up and the control-flow information is audited against it.
In some implementations, the computer system also includes a first random number generator deployed in the first domain, and the second domain contains the program's TEXT segment. Before the program executes, the first generator is called in the first domain to produce a random number RX, RX is stored in a second register of the tracer, and a hash H1 is computed from RX and the TEXT segment of the process executing the program. The information collected by the tracer then includes the control-flow information and RX, which the tracer obtains from the second register. In the second domain H1 is obtained, a hash H2 is computed from RX and the TEXT segment held in the second domain, H1 and H2 are compared, and the audit passes when they are equal and the other information matches the audit rules. In some implementations, the computer system also includes a first random number generator in the first domain and a second one in the second domain. While the program executes, the first generator is called in the first domain to produce random numbers, which are written to a third register of the tracer. The information obtained through the tracer includes the control-flow information and the random number held in the third register when that information was collected. In the second domain, the last random number RY produced by the first generator during execution and the preset generation count n are obtained; the second generator is then triggered to produce n random numbers, the n-th, Rn, is compared with RY, and the audit passes when Rn equals RY and the other information matches the audit rules.
It should be understood that the implementations above that use random numbers do not require every piece of information to be audited to contain a random number.
In a third aspect, this application provides a computer-readable storage medium containing computer-readable instructions which, when executed by one or more processors, implement any of the methods above.
In a fourth aspect, this application provides a computer program product containing computer-readable instructions which, when executed by one or more processors, implement any of the methods above.
In a fifth aspect, this application provides a computer system whose hardware layer includes a tracer, a processor and a memory, and which is logically divided into a first domain and a second domain. The processor is configured to read computer-readable instructions from the memory and execute them to start the tracer and to execute a program located in the first domain. The hardware tracer is configured to collect information to be audited related to the program while the program executes. The security of the second domain may further be higher than (or equal to) that of the first domain.
In some implementations the tracer's collection of information is triggered by the processor while it executes the program, for example because trigger instructions are inserted in the program; in others the processor triggers it under other circumstances, or the tracer performs it autonomously once started.
To explain the technical solution more clearly, the figures are briefly introduced below. Obviously, the figures described below are only some embodiments of this application.
FIG. 1 is a schematic structural diagram of a computer system provided by this embodiment;
FIG. 2 is a schematic structural diagram of a terminal device provided by this embodiment;
FIG. 3 is a schematic flowchart of a security control method based on FIG. 2;
FIG. 4 is a schematic structural diagram of a terminal device provided by this embodiment;
FIG. 5 is a schematic flowchart of a security control method based on FIG. 4;
FIG. 6 is a schematic structural diagram of a terminal device provided by this embodiment;
FIG. 7 is a schematic flowchart of an audit method based on FIG. 6;
FIG. 8 is a schematic structural diagram of a terminal device provided by this embodiment;
FIG. 9 is a schematic diagram of the tracer of FIG. 8 collecting information;
FIG. 10 is a schematic flowchart of an audit method based on FIGS. 8 and 9;
FIG. 11 is a schematic structural diagram of a terminal device provided by this embodiment;
FIG. 12 is a schematic diagram of the tracer of FIG. 11 collecting information;
FIG. 13 is a schematic flowchart of an audit method based on FIGS. 11 and 12;
FIG. 14 is a schematic structural diagram of a terminal device provided by this embodiment;
FIG. 15 is a schematic structural diagram of a terminal device provided by this embodiment;
FIG. 16 is a schematic structural diagram of a terminal device provided by this embodiment;
FIG. 17 is a schematic flowchart of an audit method based on FIG. 16;
FIG. 18 is a schematic diagram of a server and its network provided by this embodiment;
FIG. 19 is a schematic diagram of a server and its network provided by this embodiment;
FIG. 20 is a schematic diagram of the logical structure of a terminal device provided by this embodiment.
Embodiment 1
Refer to FIG. 1, a schematic structural diagram of a computer system provided by this embodiment. The computer system includes a hardware layer comprising a processor 150, a memory 160 and a tracer 170. The computer system may be a terminal device, either fixed or mobile. Fixed terminals include personal computers, point-of-sale (POS) terminals and automated teller machines; mobile terminals include smartphones, laptop computers, digital broadcast terminals, personal digital assistants, portable multimedia players, in-vehicle navigation systems and other computers of a mobile nature. Besides terminal devices, the methods of any embodiment of this application can also be applied to other types of computer systems, such as servers.
Processor 150 may be single-core or multi-core, and the system may contain several types of processor. Memory 160 may include one or more of: flash memory, hard-disk storage, micro multimedia card storage, card storage (such as SD or XD), random access memory (RAM), static RAM (SRAM), read-only memory (ROM), electrically erasable programmable ROM (EEPROM), programmable ROM (PROM), magnetic memory, magnetic disk or optical disk.
In other embodiments, memory 160 may also include a network storage device on the Internet, on which the system can perform update or read operations.
From the software perspective, the system is divided into two domains, a first domain and a second domain, run by the same processor but in different processor states. A first and a second operating system run in the two domains respectively, and several first applications and several second applications run on them.
The first and second operating systems may be of the same type or of different types, or may be two different states of one operating system, such as user mode and kernel mode, in which case the first and second domains are two states of the same operating system.
A program 110 to be protected is set up in the first operating system; while it runs, the tracer 170 collects control-flow and other information about its execution, which the Tracer management module 130 can then obtain. Program 110 may be part of a first application.
The "program to be protected" is any piece of program that needs protection: it must execute exactly according to its original flow and must not be tampered with or bypassed. It may be located anywhere in the system, on the REE side or the TEE side in the embodiments below. For example, it may be
a kernel module (a module with the KO suffix), a CA authentication module, and so on.
Characteristic information and similar information can be obtained as follows: one or more trigger instructions that trigger information collection are inserted at one or more positions in the functional code, producing program 110. When program 110 reaches these trigger instructions, tracer 170 is triggered to collect information about it. This information (called the information to be audited below) may include one or more of: control-flow information about code execution, used for the control-flow audit; dynamic data produced during code execution, used for the data audit; random numbers used to secure information transmission; and the process ID (PID) that identifies the program to be protected in a parallel audit.
Non-read-only data operated on during code execution is dynamic data; read-only data is static data. For example, in the explanation of control flow in the Summary, the value of y is dynamic data. As another example, the TEXT segment contains code and data, and that data is usually static. Dynamic data can be obtained by having the tracer trace load and store instructions: the code x=y corresponds to one load and one store; the load reads y's value from y's memory into a register and the store writes the register's value to x's memory. Memory reads and writes generally go through load and store instructions, so tracing these two yields the dynamic data.
Program 110 may be generated on a computer system other than this one. The content and insertion positions of the trigger instructions may be determined by developers, or generated automatically by a computer from specific rules. Trigger instructions may be inserted manually by a developer during development or automatically by a computer.
The Tracer management module 130 can be implemented in many ways. Besides obtaining (or managing) the information collected by tracer 170, it can manage tracer 170 itself, for example switching on and initializing tracer 170 at system start and, in some cases, reviewing the tracer. Program entry and start operations may differ for different kinds of program.
The audit trigger module 120 sends trigger information to the audit module 140 in the second operating system to trigger it to start auditing program 110. Specifically, once triggered, audit module 140 compares audit rule 11 with the control flow obtained by Tracer management module 130; if the control flow conforms to audit rule 11, the subsequent functional operation proceeds. If not, the execution of program 110 is flawed, and the current operation is terminated and/or an error is returned to the first operating system. Audit trigger module 120 may also be part of program 110.
Audit rule 11 is stored in memory 160. There may be many kinds of audit rule; an automaton is one concrete implementation.
When trigger information is sent from one domain to the other, a switch between the two domains is generally involved. The switching method and process depend on the system to which this application is applied and are not limited here.
Thus the method of this embodiment allows one domain to audit the control flow of the execution of code to be protected in another domain, ensuring that the code executes normally and effectively preventing the code from being bypassed after its domain has been privilege-escalated, which would otherwise create a security hole. A domain being privilege-escalated means that a higher or the highest privilege of that domain has been obtained.
Further, if the tracer (or Tracer management module 130) obtains information to be audited beyond control-flow information, audit module 140 can process it together, further enhancing the applicability or security of this application.
Embodiment 2
Refer to FIG. 2, a schematic diagram of the device structure of a terminal device provided by this embodiment. The terminal device includes a hardware layer with a processor 250, a memory 260 and CoreSight 270. CoreSight 270 is a typical hardware tracer, and is switched on during all or part of the time terminal device 200 runs.
Memory 260 includes a read-only memory area 260-1 and other memory areas 260-2. It may of course include other storage media; see the preceding embodiment.
Terminal device 200 contains two domains: a rich execution environment (REE) and a trusted execution environment (TEE). The two domains run, respectively,
an operating system and a TEE-side operating system (for example the open-source OP-TEE).
The operating system and the TEE OS are each further divided into user mode and kernel mode.
A client application (CA) is placed in REE user mode; before accessing a trusted application (TA) on the TEE side it must call a piece of kernel-mode authentication code 210, which is the program to be protected 110 of the previous embodiment. In other embodiments this code can also be understood as part of the CA, so the CA is also an object this application can protect and monitor.
Authentication program 210 is part of the handshake that precedes REE-TEE communication. The handshake has two parts: (1) the REE proposes the handshake; (2) the TEE processes the request and decides whether the handshake succeeds. Program 210 implements part 1. Its functions are mainly: (1) collect the CA's identity information; (2) construct the handshake request; (3) compute a checksum over the identity information and the handshake request; (4) send the identity information, the request and the checksum to the TEE. In the existing architecture, the TEE rejects requests sent without going through the handshake.
The handshake program consists of a series of function code and the data it processes. An attack can find a weakness in the order in which the functions execute, in the corresponding data, or in the combination of the two, breaking the integrity of this code's execution and causing downstream security holes. For example, a counterfeit CA can bypass the identity collection step and send forged identity information that does not belong to it, impersonating a legitimate CA.
In this embodiment authentication program 210 is no longer the prior-art program: several CoreSight trigger instructions are inserted at several positions in it. A trigger instruction triggers CoreSight 270 to collect information about the code's execution. Specifically, a CoreSight trigger instruction can be a small program whose functions are: (1) configure the data-transfer registers of CoreSight 270; (2) make CoreSight 270 start collecting information to be audited. These positions in program 210 can be understood as "collection points" that trigger information collection.
REE kernel mode also contains an SMC call module 220, mainly used to send the trigger message that triggers the audit to audit module 240. In this embodiment SMC call module 220 is implemented as part of program 210, so program 210 itself sends the trigger message; in other embodiments the SMC call module and the program to be protected can be separate.
Taking fingerprint verification as an example, FIG. 3 shows the control-flow integrity audit (control-flow audit for short). The user enters a fingerprint at power-on or during a payment, activating a CA, which calls authentication program 210, which then begins executing (S110). Because several CoreSight trigger instructions are set in the code, each time one is executed CoreSight 270 collects characteristic information (S120) and stores it, directly or after conversion, as the control-flow information of program 210. When program 210 reaches its end, SMC call module 220 sends a trigger message to audit module 240 via an SMC instruction (S130); the message includes the CA's identity information and similar content. The location of SMC call module 220 can be understood as the "audit point" that triggers the audit.
Sending the trigger message from SMC call module 220 to audit module 240 involves switching from the REE to the TEE, which requires the SMC (secure monitor call) instruction: the processor first switches from the REE to TrustZone's intermediate Monitor Mode, which then switches to the TEE. SMC is a foundational mechanism of the TrustZone framework and is not described further.
On receiving the trigger information, audit module 240 obtains the control-flow information of program 210 from memory 260, or calls control-flow management module 230 to obtain it (S140 and S150).
Specifically, control-flow management module 230 obtains the control-flow information from CoreSight 270 (S140) and returns it to audit module 240 (S150). More specifically, CoreSight 270 has previously stored the control-flow information in an internal storage medium; module 230 reads it from there and either stores it directly in memory 260, stores it after specific processing, or returns it directly to audit module 240. In other embodiments modules 230 and 240 may be merged into one.
Audit module 240 also obtains, from audit rule 21, the automaton used to audit the control flow; specifically, it generates an automaton instance from rule 21 (S160). It audits the control flow by feeding the control-flow information, or information converted from it, into the automaton instance (S170). If the audit succeeds the result is returned to the REE side, which then sends the user's fingerprint to the TEE, where a TA verifies it; for example, the TEE calls an authentication TA that checks whether the fingerprint matches an entry in the preset library of legitimate identities and, if so, returns fingerprint-verified to the REE. If the audit fails, the TEE terminates the current handshake and returns a handshake-failed message, or information indicating a security problem, to the REE.
An automaton can be understood as a function implemented in software whose attributes include a two-dimensional array; each element of the array encodes a state transition: if the value at row x, column y is v, the automaton code expresses "if the automaton is currently in state x and the current input is event y, move to state v". Each state has its own attributes, "initial" and "terminal"; exactly one state has the "initial" attribute, but several may have "terminal". An automaton instance is a concrete runtime instance created from the automaton (a template), starting in the "initial" state. Audit module 240 audits with the automaton as follows: convert the obtained control-flow information into an event sequence and drive the automaton instance's state transitions with it. After all events have been input, check the automaton's state: if it is in a "terminal" state the audit succeeds; otherwise it fails.
Control-flow management module 230 may manage the control-flow information (S180), for example pre-processing or storing it. In other embodiments, the steps in which module 230 obtains and manages the information from CoreSight 270 (S140 and S180) need not be triggered by audit module 240; the information can be read from CoreSight 270 and stored in memory 260 before the audit module is triggered.
Thus audit module 240 on the TEE side audits the control flow of authentication program 210 before the secure application TA is invoked, and the TA is actually invoked only after the audit succeeds (that is, program 210 executed reliably), which effectively prevents an illegitimate CA from bypassing program 210. If program 210 did not execute completely, the illegitimate CA's identity information would not be obtained properly; the illegitimate CA could then send forged identity information that is not its own but would pass verification, the TEE would accept it, and the illegitimate CA could communicate with the TEE, creating a security hole.
Further, this embodiment can partition memory at terminal start-up, reserving a read-only area 260-1 and loading program 210 into it, so that its code cannot be illegally modified, further securing the terminal device.
Embodiment 3
As the preceding embodiments show, CoreSight 270 collects the control-flow information (and other information to be audited), so the security of CoreSight 270 itself is the foundation of the system. To further ensure security, CoreSight 270 must be reviewed before any TEE-side module reads data from its storage medium.
Referring to FIG. 4, a Tracer review module 230b is added to FIG. 3 to review CoreSight 270. As shown by the dashed box in FIG. 5, SMC call module 220 sends a trigger message to module 230b (S130). Module 230b first reviews CoreSight 270 (S130a) and, only if the review passes, sends a review-passed message to audit module 240 (S130b) to trigger the subsequent operations.
Reviewing CoreSight 270 mainly means determining whether its registers have been modified. Specifically, the register's current value is compared with its initial value from when CoreSight 270 was initialized; if they match, the review passes, otherwise it fails. The "registers" reviewed may be all of CoreSight 270's registers or any one or more considered critical. Note that this is a point-in-time comparison of register state; it does not by itself rule out a register having been changed and restored between initialization and the review, which is one reason later embodiments additionally isolate the tracer by hardware or by privilege level.
The "initial value" is fixed at CoreSight design time and written in the boot code; the review reads the initial value recorded in the code and compares it with the current value.
The other steps of FIG. 5 are similar to those of FIG. 3 and are not repeated here.
In other embodiments, audit module 240 may still receive the trigger message as in FIG. 3 and then selectively call Tracer review module 230b; in other words, the audit module decides whether CoreSight 270 needs to be reviewed.
Reviewing CoreSight 270 before the audit in this way increases the trustworthiness of the whole audit process and thus further improves system security.
Embodiment 4
This application also provides a parallel audit method which, when multiple programs to be protected run simultaneously, audits their control flows in parallel with a single tracer. The method can be combined with any of the preceding embodiments.
FIG. 6 shows the device for this method. CoreSight 270 has a register 271 into which software can write any value. Programs to be protected 210a, 210b and 210c exist on the REE side; 210a is authentication program 210 of the preceding embodiments, and 210b and 210c are other code, not limited here. Audit module 240 contains three automaton instances a, b and c. See the preceding embodiments for the other modules.
Unlike FIG. 3, programs 210a, 210b and 210c are executed by three processes with PID=a, PID=b and PID=c. When execution reaches a CoreSight trigger instruction, the instruction obtains the PID of the process executing the current program and writes it to register 271. When the trigger instruction then triggers CoreSight 270 to collect information, it collects not only the control-flow information at that collection point but also the PID held in register 271 at the moment the information was produced, and stores the two in association as information to be audited. When any of the programs reaches an audit point (for example S130 in FIG. 3), TEE-side audit module 240 is triggered. CoreSight 270 may also be reviewed before the audit, as in FIG. 5.
The code that obtains and writes the PID can be understood as one or more process identifier acquisition modules, not shown in the figure.
In this way each piece of control-flow information is stored together with the process that produced it, so that the different pieces can later be audited separately by different automaton instances.
Once triggered, audit module 240 obtains the information to be audited, looks up or creates the automaton instance matching the PID in each piece, and feeds the control-flow information into that instance; each instance audits the control flow of one program to be protected.
In one implementation, shown in FIG. 7, audit module 240 fetches the next piece of information to be audited, containing control-flow information and a PID (S701); see the preceding embodiments for how the module obtains it from CoreSight 270 directly or indirectly. It checks whether the information is empty (S702); if not, it looks up the automaton instance matching the PID (S703) and checks whether one was found (S704). If none was found, it creates a new instance identified by that PID (S705). Once an instance is found or created, the control-flow information is fed into it (S706), advancing it one step, and control returns to S701.
If step S702 finds the information empty, that is, all current information has been processed as above, the PID of the process that sent this audit trigger message is obtained (S707). Specifically, when an REE-side CA makes a cross-domain call it usually stores its process's PID, the identifier of the TA it wants to call, parameters and so on in shared memory, from which TEE-side modules can read the PID. The automaton instance identified by that PID is looked up (S708); if none exists (S709) the audit fails. If it exists (S709), it is checked whether the instance is currently in a state with the "terminal" attribute (the terminal state): if so, the audit succeeds, otherwise it fails.
In another implementation, audit module 240 first obtains the PID of the process that sent the trigger message, selects the information to be audited carrying that same PID, and for each such piece: looks up the matching automaton instance by PID, creating one identified by that PID if none exists, and feeds the information into it. After all pieces are processed, the audit succeeds if the instance is in a "terminal" state, otherwise it fails.
In this embodiment the automaton instance matching (or corresponding to) each piece of information is the instance identified by the PID contained in that piece; for example, information with PID=a matches the instance identified by a. In other embodiments the PID and the instance identifier need not be identical; storing the correspondence or knowing the conversion between them also implements this embodiment.
Through this parallel audit method, the control-flow audit of this embodiment can audit several programs to be protected simultaneously on a terminal device with only one tracer, which is more efficient and widens the applicable scenarios. Since register 271 is written by REE-side software, the PID it carries serves to demultiplex the traces of concurrent processes rather than to prove where a trace came from; a harder-to-forge notion of process identity is the subject of Embodiment 6 below.
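The per-PID automaton audit of FIG. 7, as an added Python example that is not part of the patent or any of its figures. The automaton template (states 0 to 4, events E1 to E4, one terminal state), the PIDs and the interleaved tracer records are constructed for illustration. The patent does not say what happens when an event has no entry in the transition table; this example treats it as an error state that can never become terminal (an assumption, marked in the code).

```python
"""Control-flow audit with one automaton instance per PID (constructed example)."""

ERROR_STATE = -1  # assumption: an event with no table entry is fatal for that instance

# Automaton template for a hypothetical protected program. The "two-dimensional
# array" of the text is a dict of dicts here: table[state][event] -> next state.
HANDSHAKE_TEMPLATE = {
    "initial": 0,
    "terminal": {4},
    "table": {
        0: {"E1": 1},   # collect CA identity
        1: {"E2": 2},   # build handshake request
        2: {"E3": 3},   # compute checksum
        3: {"E4": 4},   # hand over to the TEE
    },
}


class AutomatonInstance:
    """Runtime instance created from a template; starts in the initial state."""

    def __init__(self, template):
        self.template = template
        self.state = template["initial"]

    def step(self, event):
        if self.state == ERROR_STATE:
            return  # once broken, stay broken
        self.state = self.template["table"].get(self.state, {}).get(event, ERROR_STATE)

    def accepted(self):
        return self.state in self.template["terminal"]


def parallel_audit(records, caller_pid, template=HANDSHAKE_TEMPLATE):
    """Steps S701-S709: feed every (pid, event) record to the instance keyed by
    its PID, then judge only the instance of the process that raised the SMC."""
    instances = {}
    for pid, event in records:
        inst = instances.get(pid)
        if inst is None:               # S704/S705: new PID, new instance
            inst = instances[pid] = AutomatonInstance(template)
        inst.step(event)               # S706: advance one step
    inst = instances.get(caller_pid)   # S707/S708: who sent the trigger?
    if inst is None:
        return False                   # S709: caller left no trace at all
    return inst.accepted()


# Constructed tracer output: three processes interleaved on one tracer.
# PID 7 runs the full handshake, PID 9 skips E2 (identity collection bypassed),
# PID 11 is still mid-way when the audit is triggered, PID 13 never ran it.
TRACE = [
    (7, "E1"), (9, "E1"), (7, "E2"), (11, "E1"),
    (9, "E3"), (7, "E3"), (11, "E2"), (9, "E4"), (7, "E4"),
]

if __name__ == "__main__":
    for pid in (7, 9, 11, 13):
        print(pid, "pass" if parallel_audit(TRACE, pid) else "fail")
```

The caller's PID comes from the shared memory the CA fills before the SMC, so the audit decides on the instance of the process that is actually asking for TA access, not on whichever trace happens to be complete.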
Embodiment 5
To further reduce the possibility of the program to be protected being spied on, this embodiment provides a control-flow audit method combined with random numbers.
FIG. 8 shows a terminal device that includes two hardware (pseudo-)random number generators 280a and 280b, partitioned by TrustZone's hardware partitioning mechanism to the REE and TEE sides respectively: generator 280a is accessible from the REE (the TEE may or may not access it), and generator 280b is accessible only from the TEE. CoreSight 270 additionally has a register 272 into which software can write any value; every record CoreSight 270 produces carries the value of this register at the moment the record is produced.
As noted earlier, automaton states have the attributes "initial" and "terminal". In this embodiment, when designing the automaton, two further attributes, "data transfer" and "RNG access count", are added to every state, or to one or more states as required.
Several positions in authentication program 210, chosen according to its execution flow, are designated "random number generation points", and code inserted at them calls generator 280a to produce a random number and writes it to register 272 of CoreSight 270. Thus each time program 210 reaches a generation point, it calls generator 280a once and writes the result to register 272.
In the preceding embodiments, CoreSight trigger instructions were inserted at several positions in program 210 to trigger CoreSight 270 to collect control-flow information (see FIG. 3); these positions may be called "collection points". The "generation points" of this embodiment may overlap the collection points completely, partly, or not at all. If a point generates a random number but is not a collection point, that random number is collected by CoreSight 270 at the next adjacent collection point and so reaches the TEE side. As shown in FIG. 9, program 210 contains at least four collection points (circles) CP1-CP4 and at least five generation points (squares) GP1-GP5, where GP3 overlaps CP3 and GP5 overlaps CP4. Where they overlap, as shown, the random number generation instruction usually precedes the CoreSight trigger instruction. When program 210 reaches the non-overlapping generation point GP1, it calls generator 280a to produce random number R1 and writes it to register 272; when it then reaches collection point CP2, CoreSight 270 is triggered to collect that control-flow information together with the current random number R1 in register 272 (see step S120 in FIG. 9) as one piece of information to be audited.
Once generation points are set, when coding the automaton one computes, manually or automatically, how many generation points have been passed when the automaton reaches each state, and sets each state's "RNG access count" attribute accordingly. Continuing with FIG. 9, the program passes four collection points CP1-CP4, corresponding to four events E1-E4, and the automaton may be coded from the execution flow as (S0)–E1->(S1)–E2->(S2)–E3->(S3)–E4->(S4). The RNG access count of S0 and S1 is 0; since there is one generation point, GP1, between E1 and E2, the count of S2 is 1; by the same reasoning, the counts of S3 and S4 are 3 and 5.
In this example, the last random number generated on the REE side before terminal state S4 is produced at GP5. That number must be recorded, and it is carried by the information collected at CP4, which contains control-flow information E4 (an "event") and the random number (see FIG. 9). Therefore the "data transfer" attribute of state S4, reached after E4, is set to 1 so that the last REE-side random number is recorded on the TEE side while the automaton instance runs. The "data transfer" attributes of the other states may be set arbitrarily. Setting 1 or not-1, true or false, is merely an example; other encodings are readily conceived and fall within the scope of this application.
As in the preceding embodiments, once triggered, audit module 240 generates an automaton instance and drives its state transitions with the obtained information to audit the control flow. This embodiment changes the instance as follows: it carries a variable V for recording a random number, and the transition rule becomes: after information is received and the state advanced, if the "data transfer" attribute of the new state is not 1, the random number carried by the information is ignored; if it is 1, the random number is assigned to V. When the audit completes, if the instance is not in a terminal state the audit fails; if it is, n random numbers are obtained at once from generator 280b, n being the RNG access count of that terminal state, and the n-th is compared with V: equal means the audit passes, otherwise it fails.
Specifically, as shown in FIG. 10, any automaton instance in audit module 240 performs the following: fetch the next piece of information (S1001), containing control-flow information E[next] and random number R[next]; check whether it is empty (S1002). If empty, all information has been processed; if not, advance the instance from S[current] on E[next] to the next state, which becomes S[current] (S1003). Read the "data transfer" attribute of the new S[current] (S1004) and check whether it is 1 (S1005); if not, return to S1001; if so, assign R[next] to V (S1006). After all information has been processed, check whether S[current] is a terminal state (S1007); if not, the audit fails. If it is, read its RNG access count n (S1008), call generator 280b to produce n random numbers and record the n-th, Rn (S1009). Then check whether Rn equals the current value of V (S1010): equal means success, otherwise failure.
In other implementations the "data transfer" attribute can be omitted: V records every random number, each overwriting the previous one.
The purpose of this embodiment is to match the last random number V generated in the normal execution flow of the REE-side code to be protected against the random number Rn generated on the TEE side, where Rn is produced according to the RNG access count n preset in the automaton's terminal state for that flow. Many variations are possible in the concrete design; for example, if the transition rule checks the current state's data transfer attribute before advancing to the next state, then in the example above state S3 would have its "data transfer" attribute set to 1 so as to record the last random number. Such variations are readily conceived and are not enumerated here.
With the automaton alone one can only guarantee that one process called all the points it should; one cannot guarantee that those points were called only by it. If another process cuts in and calls part of the secure flow, the automaton alone cannot detect it. The other process may only cut in to steal some data or inject some fake data and may never trigger a cross-domain call, so its anomalous behaviour is invisible to the automaton audit; but if it calls a "random number generation point", the random number sequence changes, the automaton finds that the random numbers do not match, and the interference is discovered. This way the TEE side can promptly detect whether an REE-side process has been interfered with, further improving system security.
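The random-number check of FIGS. 9 and 10, as an added Python example that is not part of the patent. It assumes that generators 280a and 280b emit the same sequence from the same initial state (the patent compares their outputs directly, so this is implied but never stated); a toy LCG seeded identically on both sides stands in for both hardware generators. The program layout (collection points CP1-CP4, generation points GP1-GP5) follows FIG. 9; the simulated program, the register, the seed and the interfering process are constructed.

```python
"""TEE-side random-number check against REE-side generation points (constructed)."""

MASK64 = (1 << 64) - 1


class ToyRng:
    """Deterministic LCG standing in for hardware RNGs 280a/280b (assumption:
    both sides start from the same state and therefore emit the same sequence)."""

    def __init__(self, seed):
        self.state = seed & MASK64

    def next(self):
        self.state = (self.state * 6364136223846793005 + 1442695040888963407) & MASK64
        return self.state >> 33


# Expected event order (CP1-CP4 of FIG. 9). The "RNG access count" attribute of
# the state reached after each event is S1=0, S2=1 (GP1), S3=3 (GP2, GP3),
# S4=5 (GP4, GP5); only the terminal state's count is needed for the check.
EXPECTED_EVENTS = ["E1", "E2", "E3", "E4"]
TERMINAL_RNG_COUNT = 5  # attribute of terminal state S4

# REE-side program as a step list: "gen" = generation point (call 280a and write
# register 272); any other string = collection point emitting that event.
PROTECTED_PROGRAM = ["E1", "gen", "E2", "gen", "gen", "E3", "gen", "gen", "E4"]


def run_ree(program, rng_280a):
    """Simulate the REE side: each collection record carries the value of
    register 272 at that moment, i.e. the most recent random number."""
    register_272 = None
    records = []
    for step in program:
        if step == "gen":
            register_272 = rng_280a.next()
        else:
            records.append((step, register_272))
    return records


def tee_audit(records, rng_280b):
    """Steps S1007-S1010: the control flow must end in S4; the record that enters
    S4 has data_transfer=1, so V is its random number; compare V with the
    TERMINAL_RNG_COUNT-th draw of the TEE-side generator."""
    if [event for event, _ in records] != EXPECTED_EVENTS:
        return False  # not in a terminal state
    v = records[-1][1]
    if v is None:
        return False
    rn = None
    for _ in range(TERMINAL_RNG_COUNT):
        rn = rng_280b.next()
    return rn == v


SEED = 0x5EED  # shared initial state of 280a and 280b (assumption)


def audit_normal_run():
    return tee_audit(run_ree(PROTECTED_PROGRAM, ToyRng(SEED)), ToyRng(SEED))


def audit_interfered_run():
    """Another REE process hits a generation point between GP1 and CP2. The
    events still read E1..E4, so a plain automaton would accept, but 280a has
    now been pulled six times and register 272 holds the 6th number at CP4."""
    interfered = PROTECTED_PROGRAM[:2] + ["gen"] + PROTECTED_PROGRAM[2:]
    return tee_audit(run_ree(interfered, ToyRng(SEED)), ToyRng(SEED))


if __name__ == "__main__":
    print("normal run:", audit_normal_run())
    print("interfered run:", audit_interfered_run())
```

The interfering process shares the single hardware generator 280a with the protected program, which is exactly why its extra call shifts the sequence; the TEE never needs to see the intruder's trace, only the count mismatch.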
Embodiment 6
The preceding embodiments described the control-flow audit, which can largely detect the program to be protected being modified or bypassed, discovering system problems early and avoiding vulnerabilities. The following embodiment adds an identity audit to the control-flow audit for further security.
When a (static) program is stored on a medium, its code and static data (also called constants) are placed in one storage region, called the TEXT segment in some systems. A (dynamic) program is run by a process. Virtual memory lets each process own the whole address space, from zero up to the memory limit. Each process divides this space (from low to high addresses) into several parts, one of which is the TEXT segment, containing the whole program's code and its static data (constants).
A process's TEXT segment contains all the instructions of the program it executes; compared with the PID or process name it is much harder to forge, so this embodiment treats it as the process's "identity" and calls the audit of it the "identity" audit.
FIG. 11 shows a terminal device with one hardware (pseudo-)random number generator 290, partitioned to the REE side by TrustZone's hardware partitioning mechanism. CoreSight 270 also has register 272, into which software can write any value; every record CoreSight 270 produces carries this register's value at the moment of the record.
Besides "initial" and "terminal", this embodiment adds a "data transfer" attribute to every state, or to one or more states as required.
As shown in FIG. 11, authentication program 210 contains a self-collection module 210a which calls generator 290 to produce a random number, writes it to register 272 of CoreSight 270, and produces a scrambled data stream: the random number is concatenated with the TEXT segment of the current REE process, random number first and TEXT segment after, and a hash (for example sha256) of the concatenation gives hash value H1. Once the head of the stream containing the random number has been processed, module 210a overwrites the random number with other data. To compute with the random number it must be read into a register and possibly written to memory; "overwriting" here means clearing the value from register or memory so an attacker cannot use it.
In other embodiments the random number may follow the TEXT segment. Placing it first has an advantage: the computation need not wait for the whole concatenation and can be streamed, so the part that depends on the random number finishes as early as possible and the value can be cleared from memory or registers sooner.
In other embodiments the concatenated item need not be the raw TEXT segment; it may be a digest of its contents or a compressed TEXT segment. The digest algorithm may be sha256, md5 or similar.
As shown in FIG. 12, the code of module 210a is placed before the position at which program 210 first triggered CoreSight 270 in the earlier embodiments. Code 210a and program 210 may together be understood as the program to be protected, and since 210a is also protected, collection points may also be set inside it (not shown in FIG. 11).
In addition, a copy of the legitimate REE-side process's TEXT segment is kept on the TEE side: during release, when the TEE-side operating system is compiled, the entire contents of the REE-side TEXT segment are hard-coded into it.
This embodiment assumes that all legitimate CAs that can run on the REE side of this system are known in advance. A CA is a program and is a process when running; "TEXT segment" here means the TEXT segments of all legitimate CAs. Thus "the REE-side TEXT segment" is the pre-prepared set of TEXT segments of all legitimate CAs, including each CA's code and constants.
In other embodiments, what is hard-coded into the TEE side may also be a digest of the raw TEXT segment or the compressed TEXT segment.
As shown in FIG. 12, self-collection module 210a executes first, and its entry is set as a collection point (P1), triggering CoreSight 270 to collect control-flow information and the random number in register 272, which is the number module 210a produced and wrote there. Because module 210a also generated and wrote a random number, this collection point is also a generation point (P1). When coding the automaton, the data transfer attribute of the state reached after inputting the event corresponding to P1 is set to 1. For example, if the characteristic information P1 triggers CoreSight 270 to collect corresponds to event E_P1, and the automaton is in state S0 before E_P1 is input and in S1 afterwards, that is (S0)–E_P1->(S1), then the data transfer attribute of S1 is set to 1.
Since this embodiment generates only one random number, it may also be passed to the TEE side along with a collection point other than P1.
The REE passes hash H1 obtained by module 210a to the TEE, specifically to audit module 240, through the conventional means provided by TrustZone. This can happen at any time after the hash is produced, but preferably before audit module 240 is triggered.
Referring to FIG. 13, after audit module 240 is triggered, its automaton instance runs much as in FIG. 10, except that the random number is generated only once (generation point P1 of FIG. 12), and because the "data transfer" attribute of the corresponding state is set, the number is recorded in variable V by the time the instance finishes; see steps S1301-S1306 of FIG. 13.
In other embodiments steps S1301-S1306 can be simplified: since there is only one random number, the reading and checking of the data transfer attribute can stop once V has been assigned. Many similar variations are easy for a programmer to devise and are not enumerated.
Continuing with FIG. 13, if the final state S[current] is a terminal state, the value of V is concatenated with the hard-coded TEXT segment or its digest, V first, and the concatenation is hashed to give H2 (S1308); H1 and H2 are compared (S1309), and the audit passes if they are equal, otherwise it fails. In other embodiments, if the hard-coded item is a compressed TEXT segment, it must be decompressed here.
The random number generators mentioned in any preceding embodiment are implemented in hardware; in other embodiments they may be implemented in software, for example replacing generators 280a and 280b of FIG. 8 with two software generators placed respectively in a storage region accessible to the REE and one accessible only to the TEE.
The method of this embodiment enables a joint audit of identity and control flow, further improving system security. Further, scrambling with a random number while the REE transmits identity information to the TEE secures that transmission.
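The scrambled identity hash of FIGS. 12 and 13, as an added Python example that is not part of the patent. `TEXT_SEGMENT` is a constructed stand-in for a CA's code and constants, `TEE_HARDCODED_TEXT` for the release copy compiled into the TEE OS, and `NONCE` for the value generator 290 writes into register 272 (fixed here so the example is repeatable). It follows the patent's order (random number first, then TEXT) and streams the hash so the random number can be wiped before the TEXT segment is processed; the three audit functions show a genuine CA, a patched TEXT segment, and a stale H1 replayed under a fresh random number.

```python
"""REE-side self-collection hash H1 and TEE-side identity audit H2 (constructed)."""
import hashlib
import hmac

# Constructed stand-ins: the running CA's TEXT segment and the TEE's hard-coded copy.
TEXT_SEGMENT = b"\x7fELF" + bytes(range(256)) * 4 + b"handshake-v1\0"
TEE_HARDCODED_TEXT = bytes(TEXT_SEGMENT)
NONCE = bytes.fromhex("9f2a7d10c4e8b3f6")  # value 290 wrote into register 272 (constructed)


def ree_self_collect(random_number, text_segment, chunk=4096):
    """Self-collection module 210a: H1 = sha256(random_number || TEXT).
    `random_number` is a mutable bytearray; it is absorbed first and zeroed
    before the (much larger) TEXT segment is streamed in."""
    h = hashlib.sha256()
    h.update(random_number)                 # head of the stream
    for i in range(len(random_number)):     # stands in for clearing register/memory
        random_number[i] = 0
    for i in range(0, len(text_segment), chunk):
        h.update(text_segment[i:i + chunk])
    return h.digest()


def tee_identity_audit(h1, v, hardcoded_text):
    """Steps S1308-S1309: V is the random number the tracer carried into the
    TEE; recompute H2 = sha256(V || hard-coded TEXT) and compare."""
    h2 = hashlib.sha256(v + hardcoded_text).digest()
    return hmac.compare_digest(h1, h2)


def audit_genuine_ca():
    h1 = ree_self_collect(bytearray(NONCE), TEXT_SEGMENT)
    return tee_identity_audit(h1, NONCE, TEE_HARDCODED_TEXT)


def audit_patched_ca():
    """One byte of the running process's TEXT differs from the release copy."""
    patched = bytearray(TEXT_SEGMENT)
    patched[300] ^= 0x01
    h1 = ree_self_collect(bytearray(NONCE), bytes(patched))
    return tee_identity_audit(h1, NONCE, TEE_HARDCODED_TEXT)


def audit_replayed_h1():
    """An H1 computed under an earlier random number is resubmitted; the tracer
    carried the fresh value into the TEE, so H2 no longer matches."""
    stale = ree_self_collect(bytearray.fromhex("0000000000000001"), TEXT_SEGMENT)
    return tee_identity_audit(stale, NONCE, TEE_HARDCODED_TEXT)


if __name__ == "__main__":
    print("genuine:", audit_genuine_ca())
    print("patched:", audit_patched_ca())
    print("replayed:", audit_replayed_h1())
```

H1 travels through the ordinary REE-to-TEE channel while the random number travels through the tracer; the check only binds the two if both arrive, which is why the automaton must first reach a terminal state with V assigned before H2 is computed.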
实施例七
前述图4所示的实施例中,为了确保CoreSight270的安全,对CoreSight270进行了审核,以确保CoreSight270没有被篡改。本实施例进一步提供一种跟踪器的安全实现方法,通过硬件或软件的方式实现安全的跟踪器之后,对跟踪器的审核就不是必须的。
第一种为硬件方式,通过硬件隔离保证CoreSight270的安全性。
在系统启动阶段通过硬件方式划分CoreSight270到系统高安全区域,例如,如图14所示,在本实施例中,可以通过TZPC(TrustZone protection controller)将CoreSight270的各模块划分到安全世界,即TEE侧,从而保证只有TEE才能访问CoreSight270,进而避免CoreSight270被攻击。
TZPC是
架构下的标准模块(IP),它提供了把系统中不同硬件模块划分到安全世界(例如TEE)或非安全世界(例如REE)的能力。TZPC的功能是:控制其他硬件的访问权限。通过TZPC可以将一些硬件划分为安全硬件或非安全硬件。其中,安全硬件只能由安全世界的操作系统访问,非安全世界的操作系统访问被划分为安全硬件的硬件寄存器会导致错误。
具体的,在硬件制造时将硬件CoreSight270和硬件TZPC连接,使TZPC有控制CoreSight270的能力。系统启动时首先初始化TEE侧。在初始化过程中,将CoreSight270通过硬件TZPC划分为安全态可访问,非安全态不可访问。
第二种为软件方式,通过软件访问权限的设置保证CoreSight270的安全性。把CoreSight 270的管理放到同一个安全级别的更高特权级别,当低特权级别访问CoreSight 270时会先 陷入到高特权级别,通过在高特权级别预制的页表限制对CoreSight 270的访问。
具体的,在系统启动阶段通过配置REE侧EL2的页表以防止从EL0和EL1对CoreSight270的访问,并在EL2分别预制一个CoreSight270可读写寄存器的列表和可能的值的表格。在鉴权程序210执行与信息采集阶段,REE侧
内核对CoreSight270的访问会陷入到EL2,EL2只允许EL1操作预置的寄存器的特定值。通过这种方式一定程度上来自EL1和EL0的对CoreSight270的攻击。在此实施例中,虽然在REE侧对CoreSight270做了保护,但是仍然有必要在TEE执行CoreSight270审核,以进一步确保安全。
需要说明的是,EL是exception level的缩写,是
里的概念。在一种方式下,EL0可以被理解为用户态,EL1被理解为内核态,EL2是hypervisor,EL3是安全模式。EL2可以控制EL0和EL1对物理内存的访问。上述实施例的意思就是EL2配页表,使得EL0和EL1访问CoreSight270的寄存器所在的物理内存地址时受到限制。
图15示出了另一种系统,该系统中REE侧被划分为监视器(hypervisor)22和普通操作系统21(或称客户操作系统)。在这种系统中,普通操作系统21即为前述实施例中第一操作系统(参考图1),它访问硬件层的存储器(例如内存和寄存器)时需要经过两阶段映射:第一阶段普通操作系统21利用管理的第一页表将虚拟地址映射为虚拟线性地址;第二阶段hypervisor利用hypervisor管理的第二页表将虚拟线性地址映射为实际的物理地址。在这种系统中,如果hypervisor管理的第二页表没有对某些寄存器的映射,则普通操作系统21无法访问到这些寄存器控制的硬件,而hypervisor自身可以直接通过物理地址访问它们。虚拟机(virtual machine,VM)和虚拟机监视器(virtual machine monitor,VMM)是该系统的一种具体实现,其中普通操作系统21运行在VM中,VMM即为hypervisor。
利用以上机制,通过hypervisor增强CoreSight270的安全性,具体实现步骤如下:系统启动;启动hypervisor22;hypervisor22建立第二页表221,第二页表中不包括CoreSight270的硬件寄存器的地址映射,换句话说,任何虚拟线性地址都不能被映射为CoreSight270的寄存器的地址。之后hypervisor22启动普通操作系统21,建立第一页表211。
类似地,当鉴权程序210被调用之后,触发CoreSight270进行信息收集。在触发的时候,不是直接触发,而是普通操作系统21调用hypercall,通过hypervisor22启动CoreSight270。普通操作系统21运行到待保护的代码以外时,调用hypercall,通过hypervisor22关闭CoreSight270。
通过以上方法将CoreSight270的调用下移到hypervisor22,从而避免了普通操作系统21任意操作CoreSight270,提高了CoreSight270的安全性。
由于一个跟踪器具有多个组件,例如数据收集模块,数据传输模块和数据存储模块,因此在通过软件或硬件方式实现跟踪器的安全性的时候,可以仅将其中关键的一个或多个组件保护起来,例如在前述硬件或软件实现方式中可以仅将用于存储数据的数据存储模块保护起来。通过这种方式,REE侧操作系统或普通操作系统22依然可以控制CoreSight270的数据收集模块和数据传输模块,但是无法控制数据存储模块,提高灵活性的同时避免REE侧操作系统或普通操作系统22通过向数据存储模块写入伪造的数据进行欺骗。
The third approach combines software and hardware. Considering that a tracer has several components, for convenience of system software design and to reduce software overhead, some components (for example the ETM) can be protected by the software approach above and the remaining components by the hardware approach. Here, the ETM (Embedded Trace Macrocell) is a component of CoreSight used to obtain trace information of the processor core.
By any of the approaches above, tampering with the tracer itself can be prevented to a certain extent and the security of the tracer itself is ensured, so that the tracer review can be omitted without affecting system security, which simplifies the control flow audit process.
Embodiment 8
To further prevent a malicious program from forging a control flow with wrong data in order to deceive the control flow audit process, this embodiment adds to the elements being audited and provides a joint control flow and data flow audit method.
Figure 16 is a schematic structural diagram of a terminal device provided by this embodiment. The terminal device includes a CoreSight 270 whose ETM component has the ViewData function enabled. The ETM is a component of CoreSight 270 located inside processor 250 and used to collect control flow information. ViewData is an optional function of the ETM hardware. If this function is configured, the ETM is able to monitor the values of the data read from memory or written to memory by load/store instructions. Once ViewData is enabled, if a monitored instruction is a load/store, the collected information carries, in addition to the control flow information, the value of the data read or written by the load/store instruction; this embodiment calls this part of the information the data flow or data flow information.
The authentication program 210 in this embodiment is no longer the authentication program of the prior art: several CoreSight trigger instructions are inserted at several positions in authentication program 210. Load/store instructions are present at some or all of the positions where CoreSight trigger instructions are inserted. The trigger instructions are used to trigger CoreSight 270 to collect control flow information and data information. A CoreSight trigger instruction can be a segment of program whose functions are: 1. configure the data transfer registers of CoreSight 270; 2. make CoreSight 270 begin data collection. Function 1 includes configuring the registers of the ETM component of CoreSight 270 to enable the ViewData function for monitoring the data flow. After audit module 240 receives the trigger information, it obtains the control flow information and data flow information of authentication program 210 from memory 260, or calls control flow management module 230 to obtain the control flow information and data flow information.
The preceding embodiments mentioned that an automaton state has the two attributes "initial" and "terminal"; in this embodiment, when designing the automaton, a "data flow audit" attribute is added to every state, or to one or more of the states as required. A state carrying the data flow audit attribute must also have a data constraint. The data constraint can be a restriction on the range of a data value, e.g. this datum is not 0 or is greater than 1000, or a relation to other data, e.g. this datum is twice the datum obtained in state x, or is smaller than the datum obtained in state y. If the data constraint is a relation to other data, the automaton also needs a set of variables to store the data obtained while the automaton runs, called the "acquired data list".
In addition, in this embodiment one state is added when designing the automaton. The added state is neither an initial nor a terminal state, and no other state has it as a target state. The state accepts all events, and the target state of every event is this state itself. This state is referred to below as state F.
After audit module 240 is triggered, it generates an automaton instance and drives the automaton instance through state transitions according to the obtained control flow information and data flow information, so as to audit the control flow and data flow. In this embodiment the state transition rule is changed as follows: after a piece of information to be audited is received and the state has been advanced, it is determined from the data flow audit attribute of the current state whether to obtain the value of the data-flow-related datum in the information to be audited (the information to be audited may also contain no data-flow-related datum), and the value of that datum is checked against the data constraint corresponding to that state. If the check passes, the datum is saved in the automaton's "acquired data list" and the next piece of information to be audited is fetched; if the check fails, the current state is set to state F.
Specifically, referring to Figure 17, the attribute value of the data flow audit attribute of the current state S[current] is obtained (S1704); if the value is not 1, return to step S1701; if the value is 1, compare the value of the datum with the data constraint of S[current] (S1707); if the value satisfies the data constraint, save the value in the "acquired data list" (S1709) and return to step S1701; otherwise set S[current] to state F. After all information to be audited has been processed, if S[current] is not a terminal state, the audit fails. If S[current] was set to state F at any point during the preceding processing, then by the nature of state F it remains in state F to the end, so the audit fails. If S[current] is a terminal state, the audit succeeds, or further judgments are made as in any of the preceding embodiments.
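The state transition rule above, as an added example that is not part of the patent text: a small Python automaton in which states carry the "data flow audit" attribute and a data constraint, satisfied values go into the "acquired data list" (so relational constraints such as "at least the value obtained in state S1" can be checked), and any failed check parks the instance in the sink state F, after which the final-state test of Figure 17 necessarily fails. The program, its three collection-point addresses and the constraints are constructed for illustration.

```python
"""Audit automaton with a "data flow audit" attribute, per-state data
constraints, an "acquired data list" and a sink state F (Embodiment 8).
Added example, not code from the patent; addresses are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# One record to be audited: the address of a collection point and, when the
# traced instruction was a load/store captured via ViewData, its data value.
Record = Tuple[int, Optional[int]]
Constraint = Callable[[int, Dict[str, int]], bool]

F = "F"  # sink state: accepts every event and always returns to itself


@dataclass
class State:
    name: str
    initial: bool = False
    terminal: bool = False
    data_audit: bool = False                  # the "data flow audit" attribute
    constraint: Optional[Constraint] = None   # (value, acquired data) -> ok?
    transitions: Dict[int, str] = field(default_factory=dict)  # address -> state


class AuditAutomaton:
    def __init__(self, states: List[State]):
        self.states = {s.name: s for s in states}
        self.current = next(s.name for s in states if s.initial)
        self.acquired: Dict[str, int] = {}   # the "acquired data list"

    def step(self, record: Record) -> None:
        address, value = record
        if self.current == F:
            return                           # F absorbs everything that follows
        target = self.states[self.current].transitions.get(address)
        if target is None:                   # event not allowed in this state
            self.current = F
            return
        self.current = target                # advance first, then check the datum
        state = self.states[target]
        if state.data_audit:
            if value is None or not state.constraint(value, self.acquired):
                self.current = F             # constraint failed: park in F for good
                return
            self.acquired[target] = value

    def audit(self, records: List[Record]) -> bool:
        for record in records:
            self.step(record)
        return self.current != F and self.states[self.current].terminal


def build_automaton() -> AuditAutomaton:
    """Constructed automaton for a program that loads B, C and A in that
    order (cf. the A+B/C example). Addresses 0x1000.. are assumptions."""
    return AuditAutomaton([
        State("S0", initial=True, transitions={0x1000: "S1"}),
        # S1: load of B; range constraint "not 0"
        State("S1", data_audit=True, constraint=lambda v, acq: v != 0,
              transitions={0x1004: "S2"}),
        # S2: load of C (the divisor); range constraint "not 0"
        State("S2", data_audit=True, constraint=lambda v, acq: v != 0,
              transitions={0x1008: "S3"}),
        # S3: load of A; relational constraint against the datum saved in S1
        State("S3", terminal=True, data_audit=True,
              constraint=lambda v, acq: v >= acq["S1"]),
    ])


def audit_records(records: List[Record]) -> bool:
    """Run a fresh automaton instance over one batch of records."""
    return build_automaton().audit(records)


if __name__ == "__main__":
    print(audit_records([(0x1000, 5), (0x1004, 2), (0x1008, 9)]))  # True
    print(audit_records([(0x1000, 5), (0x1004, 0), (0x1008, 9)]))  # False: C == 0
```

A fresh instance is built per audit, matching the text's "generates an automaton instance"; because F has no outgoing edge to any other state, a later well-formed record cannot rescue a run that has already failed a constraint.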
In other embodiments, if it is known that none of the data constraints involves a comparison with other data or historical data, the data in the data flow need not be recorded, i.e. the variable "acquired data list" is not set up.
It should be noted that the setting of the data flow audit attribute here is only an example; other ways are not enumerated one by one. Figure 17 only illustrates the important steps of this embodiment; some steps are similar to those in the preceding embodiments and can be understood by reference to the preceding description.
The method of this embodiment can also be used in combination with the methods of the other embodiments of this application. For example, when the data flow audit attribute coexists with one or more of the data transfer attribute and the random-number-generator access count attribute mentioned in the preceding embodiments, then while processing one piece of information to be audited the coexisting attributes are processed in the manner described in the preceding embodiments.
Embodiment 9
The method provided by this application can be applied not only to relatively complex scenarios but also to simple ones. For simple scenarios, this embodiment provides a simplified audit method.
In this embodiment there is only one CPU, and external interrupts are disabled during the execution of authentication program 210 (referred to below as the authentication flow). In this embodiment, the addresses of the instruction at which the authentication flow begins and of the instruction that calls the TEE function in authentication program 210 (called address A and address B respectively) are hard-coded into the TEE-side operating system.
In this embodiment no CoreSight trigger instructions are inserted into authentication program 210. CoreSight 270 is controlled by the TEE-side operating system and is turned on before every switch into the REE (including the first switch into the REE at boot). Once turned on, CoreSight 270 begins collecting control flow information and stores it in its internal memory. At or after the switch into the TEE, the TEE-side operating system reads the control flow information stored in the internal memory of CoreSight 270 and, using address A and address B stored on the TEE side (obtained through the hard-coding above), locates the collection point y (which may also be understood as a data point) at which address B last appears, and then locates the collection point x at which address A last appears before the last appearance of address B. Between collection point y and the last collection point recorded by the hardware, it checks whether there is any other collection point whose address information is address A. If any one or more of the following conditions holds, the audit fails: 1. collection point y cannot be located; 2. collection point x cannot be located; 3. address A appears between collection point y and the last collection point recorded by the hardware.
It should be noted that in other implementations, control flow information can still be collected by inserting CoreSight trigger instructions at the code positions corresponding to address A and address B. In addition, the steps above can easily be extended to verify whether the REE executed 3 or more addresses in order.
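The three failure conditions above, as an added example that is not the patent's code: `simplified_audit` performs the two-address check on a list of collection-point addresses, and `ordered_audit` is the extension to three or more addresses that the text mentions, scanning backwards from the last occurrence of the final address. The addresses and traces are constructed.

```python
"""Simplified audit of Embodiment 9: locate the last collection point y for
address B, the last point x for address A before it, and reject if A shows
up again after y. Generalized to an ordered list of addresses below.
Added example, not code from the patent; trace values are constructed."""
from typing import Optional, Sequence


def last_index(seq: Sequence[int], value: int,
               before: Optional[int] = None) -> Optional[int]:
    """Index of the last occurrence of value in seq[:before], or None."""
    end = len(seq) if before is None else before
    for i in range(end - 1, -1, -1):
        if seq[i] == value:
            return i
    return None


def simplified_audit(trace: Sequence[int], addr_a: int, addr_b: int) -> bool:
    """The two-address check exactly as described: fail on any of the three
    conditions (no y, no x before y, an A between y and the end)."""
    y = last_index(trace, addr_b)               # collection point y
    if y is None:
        return False                             # condition 1
    x = last_index(trace, addr_a, before=y)      # collection point x
    if x is None:
        return False                             # condition 2
    if addr_a in trace[y + 1:]:
        return False                             # condition 3
    return True


def ordered_audit(trace: Sequence[int], addrs: Sequence[int]) -> bool:
    """Generalization to k addresses: walking backwards from the last
    occurrence of addrs[-1], each earlier address must occur before the
    point found for its successor, and addrs[0] (the start of the flow)
    must not reappear after the final address."""
    if len(addrs) < 2:
        raise ValueError("need at least a start and an end address")
    pos = last_index(trace, addrs[-1])
    if pos is None:
        return False
    end = pos
    for addr in reversed(addrs[:-1]):
        pos = last_index(trace, addr, before=pos)
        if pos is None:
            return False
    return addrs[0] not in trace[end + 1:]


# Constructed addresses: A = start of the authentication flow, B = the TEE call.
ADDR_A, ADDR_B = 0x4000, 0x4100

if __name__ == "__main__":
    trace = [0x3000, ADDR_A, 0x4010, 0x4020, ADDR_B, 0x4110]  # constructed
    print(simplified_audit(trace, ADDR_A, ADDR_B))            # True
```

Scanning backwards from the last B is what makes the check robust to an earlier, legitimately completed flow in the same buffer: only the most recent entry into the TEE is judged, and a second A after it is treated as a new flow that never reached B.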
The simplified audit method above shows that audit rules need not be implemented as an automaton, with an automaton instance auditing the control flow or other information; different rules can be set for different scenarios, and different implementations adopted according to the nature and complexity of the rules, possibly just a simple matching process following a simple rule, which achieves the audit effect equally well.
Embodiment 10
In some of the preceding embodiments, tracer trigger instructions are inserted into an original program to form the program to be protected. This program to be protected can be written manually, i.e. the trigger instructions are inserted by hand, or generated automatically by a computer according to the audit requirements. This embodiment provides a method for automatically generating the program to be protected.
Referring to Figure 18, on the server 300 side there are a version generation apparatus 310 and a version release apparatus 320; the two apparatuses can reside on the same physical server or on different physical servers.
Version generation apparatus 310 contains a processing unit 311 which automatically generates the program to be protected and the audit rules from the program and the audit requirements, and sends the generated program to be protected, or the program to be protected together with the audit rules, through the software release unit 321 located in the version release apparatus to terminal devices such as smartphones and tablets. The terminal device stores the program to be protected and the audit rules in its local memory, which may be a read-only storage area, to prevent malicious tampering.
Embodiment 11
When the control flow to be audited has many paths and the audit rules are complex to describe, on the one hand the audit may become inefficient and affect normal business, and on the other hand complex rules reduce audit accuracy and render the audit ineffective. For such more complex scenarios, this embodiment proposes a machine learning approach to improve the accuracy with which audit rules are described, and to reduce the complexity of the rules as far as possible, thereby improving audit efficiency.
This embodiment mainly generates positive samples by executing and collecting, and negative samples by simulating attacks; a control flow model is learned and generated from these two classes of samples, and the audit rules are generated from this control flow model. In this embodiment the audit rule is the model obtained by machine learning; the collected information can be fed into the model directly or after filtering, and whether the audit succeeds is determined from the computed result (an automaton is not required).
In addition, it is no longer necessary to trigger tracer collection by inserting trigger instructions; as long as the tracer is configured to be on, it can collect all the control flow information of the running program, and the audit rules are extracted from the collected control flow information by machine learning. Further, if the data flow audit and other methods mentioned in some of the preceding embodiments are to be applied, data flow information and other information to be audited can be collected at the same time.
As shown in Figure 19, server 400 includes a machine learning apparatus 410 and a rule release apparatus 420. Machine learning apparatus 410 generates the audit rules by machine learning, and rule release unit 421 in rule release apparatus 420 sends the audit rules to each terminal device. Apparatus 420 of Figure 19 and apparatus 320 of Figure 18 can be merged into one apparatus.
The audit rules are generated as follows:
1. Compile the program into a runnable target program; run module 411 runs the target program on the target terminal or in a simulated environment;
2. While the target program runs, run module 411 simulates various input conditions, and collection module 413 collects the control flow information and/or data flow information under these conditions as positive samples;
3. While the target program runs, attack module 412 simulates various possible attacks, and collection module 413 collects the control flow information and/or data flow information during the attacks as negative samples;
4. The positive and negative samples are taken as the feature model of the program and fed into a machine learning algorithm, which extracts rules characterizing the program's execution;
5. A processing tool processes the rules together with the source to be audited;
6. The audit blueprint and the protected object output by the processing are placed on the version release server as the release target.
Collection module 413 in this embodiment collects the information through the tracer.
The detailed process of obtaining positive and negative samples and of learning and training is described below. It should be understood that the process of collecting positive and negative samples is similar to the information collection process of the audit methods described in the preceding embodiments; similar or identical parts can be understood by reference to the preceding embodiments.
(1) Obtaining positive samples
1) The audit point is reached and the information to be audited is submitted; the information to be audited may include control flow information and data flow information;
2) The secure domain (e.g. TEE) operating system reads the information to be audited from the circular buffer and records it in (non-volatile) memory; this record is called a positive sample;
3) The secure domain operating system returns "audit passed" and performs the subsequent operations;
4) The process above is run in different scenarios to obtain a certain number of positive samples.
The circular buffer can be implemented as an array in which information is recorded from the beginning. When the array is full, recording continues from the beginning, overwriting the oldest record in the buffer.
(2) Obtaining negative samples
1) Attack the system, attempting to bypass the program and invoke the audit point; taking an ROP attack as an example:
a. Analyze the system image, find the usable gadgets with ROP Gadget or a similar tool, and construct an attack chain. The function implemented by the attack chain includes: calling some function in the secure operating system (e.g. some TA).
b. Place the gadget call chain on the stack through a deliberately planted or pre-existing stack overflow vulnerability in the system;
c. When the system reaches a ret instruction, the ROP attack begins: a specific function in the program is executed by means of ROP and the secure domain operating system is called;
2) The secure domain operating system being called means that the audit point is reached; it reads the information to be audited from the circular buffer and records it in memory; this record is called a negative sample.
ROP, in full Return-oriented Programming, is a relatively new type of attack based on code reuse, in which the attacker extracts instruction fragments from existing libraries or executables to build malicious code.
(3) Building the model
Using a machine learning algorithm, a classifier is built from the positive and negative samples. Taking the C5.0 decision tree algorithm as an example:
1) Data preprocessing one: parse all positive and negative samples and generate an event set for each sample. An event is an event appearing in the sample, e.g.: CPU3 executed the instruction at 0xfffffff12340000.
2) Data preprocessing two: remove unimportant information from the event set, such as the CPU number.
3) Analyze all data points appearing in the positive and negative samples and build a high-dimensional space, in which every data point that has ever appeared in some sample is one dimension. For example, if the information "the instruction at 0xfffffff12340000 was executed" appears in some sample, there is a corresponding dimension in the high-dimensional space.
4) Vectorization: convert each sample into a vector in the high-dimensional space defined in the previous step. The rule of conversion is: if an event exists in the sample's event set, the vector's value in the dimension corresponding to that event is 1, otherwise 0.
5) Labeling: convert every vectorized sample into a pair <vector, label>, where the label is true for positive samples and false for negative samples.
6) Apply the C5.0 algorithm to all labeled vectors produced in the previous step to generate a decision tree. The effect of the decision tree is: given a vector, output true or false. The training objective is: as far as possible, vectors from positive samples return true and vectors from negative samples return false.
7) Encode the decision tree produced in the previous step to obtain the audit rules.
Take the following program computing A+B/C as an example. Converted to assembly language the program is:
1:X1=[B]
2:X2=[C]
3:X3=X1/X2
4:X4=[A]
5:X5=X4+X3
Here instructions 1, 2 and 4 all produce data. During training, the program above is run with various legal values of A, B and C as input, generating multiple positive samples. The control flow of all these positive samples is 1-2-3-4-5, while the data flows differ, but the value of C is never 0.
1) First, attack this program. Various attack methods are used, for example cutting in via ROP and executing only the later part; sending it an interrupt to break the execution; using illegal data such as C = 0. Multiple negative samples are finally generated.
2) Then extract features. This step is accomplished by some mathematical method or by manual specification. This example extracts control flow features: instruction 1 followed by instruction 2, instruction 2 followed by instruction 3, instruction 3 followed by instruction 4, instruction 4 followed by instruction 5 (the preceding ones are legal features), instruction 2 followed by instruction 1, instruction 5 followed by instruction 2, … (these are illegal features), and data flow features: A is not 0, B is not 0, C is not 0, ….
3) Next, vectorize. Convert each datum into a vector in which each dimension corresponds to one of the features above. If the datum satisfies the feature, the value in that dimension is 1, otherwise 0. For example, a positive sample may have the features [1,1,1,1,0,0,…,0,0,1]; a negative sample may have the features [0,1,0,1,0,0,…,0,1,1].
Applying the conversion above to every sample produces multiple vectors, each known to correspond to a positive or a negative sample.
With this information, training can be carried out with the C5.0 decision tree training algorithm. The result is a decision tree, and the decision tree is the audit rule.
During the audit on the terminal device, the collected information is vectorized as described above and fed to the decision tree, which outputs whether the sample is positive or negative; if the conclusion is a negative sample, the audit fails.
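Steps 1) to 7) of the model-building procedure and the A+B/C walk-through above, as one added example that is not part of the patent: constructed trace samples are reduced to event sets (CPU number dropped), the feature space is built from every event seen, samples are vectorized and labeled, and a small information-gain decision tree is trained and then queried the way the terminal queries the audit rule. Because C5.0 is not available in the standard library, an ID3-style tree (split on the highest information gain) stands in for it; the instruction addresses, sample inputs and simulated attacks are constructed.

```python
"""Embodiment 11 end to end: event extraction with the CPU number dropped,
the feature space built from every event seen, 0/1 vectorization, labeling,
and a small information-gain decision tree standing in for C5.0.
Added example, not code from the patent; samples and addresses are constructed."""
import math
from collections import Counter
from typing import List, Optional, Sequence, Set, Tuple, Union

# A collection point: (cpu number, instruction address, data value or None).
Point = Tuple[int, int, Optional[int]]
SEQ = [0x1000, 0x1004, 0x1008, 0x100C, 0x1010]   # instructions 1..5 of A+B/C
Tree = Union[bool, Tuple[int, "Tree", "Tree"]]     # leaf label or (dim, if0, if1)


def event_set(sample: Sequence[Point]) -> Set[tuple]:
    """Preprocessing 1+2: control flow events 'addr x followed by addr y' and
    data flow events 'load at addr is non-zero'; the CPU number is dropped."""
    addrs = [p[1] for p in sample]
    events = {("next", a, b) for a, b in zip(addrs, addrs[1:])}
    events |= {("nonzero", addr) for _, addr, data in sample if data}
    return events


def build_space(samples: Sequence[Sequence[Point]]) -> List[tuple]:
    dims: Set[tuple] = set()
    for s in samples:
        dims |= event_set(s)
    return sorted(dims)                  # one dimension per event ever seen


def vectorize(sample: Sequence[Point], dims: List[tuple]) -> List[int]:
    ev = event_set(sample)
    return [1 if d in ev else 0 for d in dims]


def entropy(labels: Sequence[bool]) -> float:
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def train_tree(vectors: List[List[int]], labels: List[bool],
               depth: int = 0, max_depth: int = 5) -> Tree:
    """ID3-style split on the dimension with the highest information gain."""
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or depth == max_depth:
        return majority
    best, best_gain = None, 0.0
    for i in range(len(vectors[0])):
        parts = {0: [], 1: []}
        for v, l in zip(vectors, labels):
            parts[v[i]].append(l)
        if not parts[0] or not parts[1]:
            continue                     # this dimension does not split the set
        gain = entropy(labels) - sum(len(p) / len(labels) * entropy(p)
                                     for p in parts.values())
        if gain > best_gain:
            best, best_gain = i, gain
    if best is None:
        return majority
    branch = []
    for bit in (0, 1):
        vs = [v for v in vectors if v[best] == bit]
        ls = [l for v, l in zip(vectors, labels) if v[best] == bit]
        branch.append(train_tree(vs, ls, depth + 1, max_depth))
    return (best, branch[0], branch[1])


def classify(tree: Tree, vector: List[int]) -> bool:
    while not isinstance(tree, bool):
        dim, if0, if1 = tree
        tree = if1 if vector[dim] else if0
    return tree


def run(a: int, b: int, c: int, cpu: int = 0) -> List[Point]:
    """Constructed trace of the 1-2-3-4-5 flow: loads of B, C and A."""
    return [(cpu, SEQ[0], b), (cpu, SEQ[1], c), (cpu, SEQ[2], None),
            (cpu, SEQ[3], a), (cpu, SEQ[4], None)]


# Constructed positive samples: legal inputs on various CPUs, C never 0.
POSITIVE = [run(a, b, c, cpu=a % 4)
            for a, b, c in [(1, 2, 3), (10, 5, 5), (7, 8, 1), (100, 3, 50), (2, 9, 4)]]
# Constructed negative samples: illegal data (C == 0), a cut-in that runs
# only the tail, and a replayed prefix (instruction 2 followed by 1).
NEGATIVE = [
    run(4, 8, 0),
    [(1, SEQ[2], None), (1, SEQ[3], 4), (1, SEQ[4], None)],
    [(0, SEQ[0], 3), (0, SEQ[1], 2)] + run(1, 3, 2),
]


def train_audit_rule() -> Tuple[List[tuple], Tree]:
    samples = POSITIVE + NEGATIVE
    labels = [True] * len(POSITIVE) + [False] * len(NEGATIVE)
    dims = build_space(samples)
    return dims, train_tree([vectorize(s, dims) for s in samples], labels)


def audit(sample: Sequence[Point], dims: List[tuple], tree: Tree) -> bool:
    """Terminal-side audit: vectorize the collected trace and query the tree."""
    return classify(tree, vectorize(sample, dims))
```

With these samples the learned tree splits first on "the load for C is non-zero" and then on "instruction 2 followed by instruction 1", rejecting both the C = 0 input and the replayed prefix; a negative behaviour that never appears in training (for example an interrupted run that stops after instruction 3) is not rejected, which is why the text stresses simulating as many attacks as possible.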
Audit rules can thus be generated automatically by machine learning and sent to the terminal device; the audit rule may be one or more models (which may be understood as formulas). The terminal device then collects the information to be audited in real time, feeds it into the model, and obtains the audit result. Evidently this method improves the speed and accuracy of audit rule generation and thereby the reliability of the audit process.
If all of the control flow and other information to be audited is used in generating the audit rules, then during the control flow audit on the terminal device it is likewise unnecessary to insert CoreSight trigger instructions as in the preceding embodiments and trigger the tracer to collect the information to be audited at specific positions in the program to be protected; it suffices to turn on the tracer before the program to be protected begins executing and configure it to collect the control flow and other information to be audited.
In other embodiments, the positions at which trigger instructions are to be inserted can also be determined by the machine learning algorithm, for example by picking out the heavily weighted instructions after the decision tree is generated and inserting trigger instructions at the code corresponding to those instructions. Evidently the machine learning algorithm can also be combined with the method of inserting trigger instructions.
Embodiment 12
Figure 20 is a schematic structural diagram of a computer system provided by this embodiment. The computer system may be a terminal device. As shown, the computer system includes a communication module 510, a sensor 520, a user input module 530, an output module 540, a processor 550, an audio/video input module 560, a tracer 570, a memory 580 and a power supply 590.
Communication module 510 may include at least one module enabling the computer system to communicate with a communication system or another computer system. For example, communication module 510 may include one or more of a wired network interface, a broadcast receiving module, a mobile communication module, a wireless internet module, a local area communication module and a location (or positioning) information module. Each of these modules has many implementations in the prior art, which this application does not describe one by one.
Sensor 520 can sense the current state of the system, such as the open/closed state, position, whether there is contact with the user, orientation, and acceleration/deceleration, and sensor 520 can generate sensing signals for controlling the operation of the system.
User input module 530 receives input digital information, character information, or contact touch operations / contactless gestures, and receives signal input relating to the system's user settings and function control. User input module 530 includes a touch panel and/or other input devices.
Output module 540 includes a display panel for displaying information input by the user, information provided to the user, or the system's various menu interfaces. Optionally, the display panel may be configured as a liquid crystal display (LCD) or an organic light-emitting diode (OLED) display, etc. In some other embodiments, the touch panel may cover the display panel to form a touch screen. In addition, output module 540 may also include an audio output module, an alarm, a haptic module, etc.
Audio/video input module 560 inputs audio or video signals. Audio/video input module 560 may include a camera and a microphone.
Power supply 590 can receive external and internal power under the control of processor 550 and provide the power required for the operation of each component of the system.
Processor 550 may include one or more processors; for example, processor 150 may include one or more central processing units, or one central processing unit and one graphics processing unit. When processor 150 includes multiple processors, these may be integrated on the same chip or be separate chips. A processor may include one or more physical cores, a physical core being the smallest processing module.
Tracer 570 collects the processor's instruction information for debugging or other purposes. Tracer 570 contains multiple components distributed across the various layers of the system; some components may also be embedded in the processor, as shown.
Memory 580 stores computer programs, including an operating system program 582 and application programs 581. Typical operating systems include Microsoft's Windows and Apple's MacOS for desktops or laptops, and Google's Linux-based Android system for mobile terminals.
Memory 580 may be one or more of the following types: flash memory, hard-disk-type memory, micro multimedia card memory, card memory (e.g. SD or XD memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, magnetic disk or optical disk. In some other embodiments, memory 580 may also be a network storage device on the Internet, and the system may perform update or read operations on memory 580 over the Internet.
Processor 550 reads the computer programs in memory 580 and executes the methods defined by them; for example, processor 550 reads operating system program 582 to run the operating system on the system and implement its various functions, or reads one or more application programs 581 to run applications on the system.
Memory 580 also stores other data 583 in addition to computer programs, for example the information to be audited proposed by this application.
In the solutions provided by this application, operations other than those implemented by the tracer can be implemented in hardware or software. In a hardware implementation, the embodiments of this application can be implemented using at least one of electronic units such as an application specific integrated circuit (ASIC), digital signal processor (DSP), programmable logic device (PLD), field programmable gate array (FPGA), processor, controller, microcontroller and/or microprocessor. In a software implementation, embodiments such as procedures and functions can be implemented by software modules performing at least one function and operation. Software modules can be implemented by software programs written in any suitable software language. The software programs can be stored in memory 580 and read and executed by processor 550. The tracer used in this application contains multiple hardware components distributed across multiple layers of the system, but hardware execution usually requires software drivers, so it is not excluded that some components of the "tracer" are implemented in software.
The connection relationships among the modules in Figure 20 are only an example; the methods provided by any embodiment of this application can also be applied to terminal devices with other connection arrangements, for example all modules connected by a bus.
It should be noted that the division into modules or units presented in the preceding embodiments is only an exemplary illustration, and the functions of the described modules are only examples; this application is not limited thereto. A person of ordinary skill in the art can, as required, merge the functions of two or more modules, split the function of one module to obtain more fine-grained modules, or apply other variations.
Identical or similar parts of the embodiments described above can be understood by reference to each other.
The apparatus embodiments described above are merely illustrative: the modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules, i.e. they may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the objectives of the solution of this embodiment. In addition, in the drawings of the apparatus embodiments provided by the present invention, a connection between modules indicates a communication connection between them, which may be implemented as one or more communication buses or signal lines. A person of ordinary skill in the art can understand and implement this without creative effort.
The above are only some specific embodiments of this application, but the protection scope of this application is not limited thereto.
Claims (26)
- A computer system, characterized in that a first domain and a second domain are deployed on the computer system, a program is deployed in the first domain, and a control flow management module and an audit module are deployed in the second domain, wherein: the control flow management module is configured to: when the program located in the first domain is executed, obtain information to be audited through a tracer, the information to be audited including control flow information of the program; and the audit module is configured to: perform an audit on the information to be audited according to audit rules, and determine that the audit passes when the information to be audited matches the audit rules.
- The computer system of claim 1, characterized in that the information to be audited further includes data flow information of the program.
- The computer system of claim 1 or 2, characterized in that the computer system further includes a tracer review module deployed in the second domain, the tracer review module being configured to: review the tracer before the audit module performs the audit, and trigger the audit module to perform the audit only after the review passes.
- The computer system of any one of claims 1-3, characterized in that the computer system further includes a process identifier acquisition module deployed in the first domain, the process identifier acquisition module being configured to: before the tracer collects the control flow information, obtain the process identifier of the process executing the program and store the process identifier in a first register of the tracer; the control flow management module is specifically configured to: obtain the information to be audited through the tracer, the information to be audited further including the process identifier, wherein the process identifier is the process identifier read by the tracer from the first register; and the audit module is specifically configured to: look up the audit rule matching the process identifier according to the process identifier, and perform the audit on the control flow information according to the audit rule found.
- The computer system of any one of claims 1-4, characterized in that the computer system further includes a first random number generator and a self-collection module deployed in the first domain, and the second domain contains the TEXT segment of the program; the self-collection module is configured to: before the program is executed, call the first random number generator to generate a random number RX, store the random number RX in a second register of the tracer, and compute a hash value H1 from the random number RX and the TEXT segment of the process executing the program; the control flow management module is specifically configured to: obtain the information to be audited through the tracer, the information to be audited further including the random number RX, wherein RX is obtained by the tracer accessing the second register; and the audit module is specifically configured to: obtain the hash value H1; compute a hash value H2 from the random number RX and the TEXT segment contained in the second domain; compare H1 and H2; and determine that the audit passes when H1 and H2 are identical and the other information to be audited matches the audit rules.
- The computer system of any one of claims 1-4, characterized in that the computer system further includes a first random number generator deployed in the first domain and a second random number generator deployed in the second domain; the control flow management module is specifically configured to: obtain the information to be audited through the tracer, the information to be audited further including a random number, wherein the random number is generated when the first random number generator is called while the program is executed, is written after generation into a third register of the tracer, and is then obtained by the tracer accessing the third register; and the audit module is specifically configured to: obtain the last random number RY generated by the first random number generator during the execution of the program and the random number generation count n preset in the second domain; trigger the second random number generator to generate n random numbers according to n, and compare the n-th random number Rn among them with RY; and determine that the audit passes when Rn and RY are identical and the other information to be audited matches the audit rules.
- The computer system of any one of claims 1-6, characterized in that all or some of the components of the tracer are deployed into the second domain by hardware partitioning, or all or some of the components of the tracer are deployed into the second domain by software permission management; wherein the security of the second domain is higher than that of the first domain.
- The computer system of any one of claims 1-7, characterized in that the audit rules are obtained by a machine learning method.
- The computer system of any one of claims 1-8, characterized in that the program is stored in a read-only storage area.
- A computer system on which a first domain and a second domain are deployed, the computer system further including a processor, a tracer and a memory, characterized in that: the memory is configured to store computer-readable instructions; the processor is configured to execute the computer-readable instructions to: start the tracer, and execute a program in the first domain; the tracer is configured to: collect information to be audited while the processor executes the program, the information to be audited including control flow information of the program; and the processor is further configured to execute the computer-readable instructions to: obtain the information to be audited in the second domain, perform an audit on the information to be audited according to audit rules, and determine that the audit passes when the information to be audited matches the audit rules.
- The computer system of claim 10, characterized in that the information to be audited further includes data flow information of the program.
- The computer system of claim 10 or 11, characterized in that the processor is further configured to: before performing the audit, review the tracer in the second domain, and perform the audit only after the review passes.
- The computer system of any one of claims 10-12, characterized in that the processor is further configured to: before the tracer collects the information to be audited, obtain the process identifier of the current process in the first domain and store the process identifier in a first register of the tracer; the tracer is configured to: when collecting the control flow information, read the process identifier currently stored in the first register, to serve together with the control flow information as the information to be audited; and the processor is configured to: in the second domain, look up the audit rule matching the process identifier according to the process identifier, and perform the audit on the control flow information according to the audit rule found.
- The computer system of any one of claims 10-13, characterized in that the computer system further includes a first random number generator deployed in the first domain, and the second domain contains the TEXT segment of the program; the processor is further configured to: before executing the program, call the first random number generator in the first domain to generate a random number RX, store the random number RX in a second register of the tracer, and compute a hash value H1 from the random number RX and the TEXT segment of the process executing the program; the tracer is further configured to: when collecting the control flow information, read the random number RX stored in the second register, to serve together with the control flow information as the information to be audited; and the processor is further configured to: obtain the hash value H1 in the second domain, compute a hash value H2 from the random number RX and the TEXT segment contained in the second domain, compare H1 and H2, and determine that the audit passes when H1 and H2 are identical and the information to be audited matches the audit rules.
- The computer system of any one of claims 10-13, characterized in that the computer system further includes a first random number generator deployed in the first domain and a second random number generator deployed in the second domain; the processor is further configured to: when executing the program in the first domain, call the first random number generator to generate a random number and store the random number in a third register of the tracer; the tracer is further configured to: when collecting the control flow information, read the random number currently stored in the third register, to serve together with the control flow information as the information to be audited; and the processor is further configured to: in the second domain, obtain the last random number RY generated by the first random number generator during the execution of the program and the random number generation count n preset in the second domain; trigger the second random number generator to generate n random numbers according to n, and compare the n-th random number Rn among them with RY; and determine that the audit passes when Rn and RY are identical and the information to be audited matches the audit rules.
- The computer system of any one of claims 10-15, characterized in that all or some of the components of the tracer are deployed into the second domain by hardware partitioning, or all or some of the components of the tracer are deployed into the second domain by software permission management; wherein the security of the second domain is higher than that of the first domain.
- The computer system of any one of claims 10-16, characterized in that the audit rules are obtained by a machine learning method.
- The computer system of any one of claims 10-17, characterized in that the program is stored in a read-only storage area of the memory.
- A security control method, characterized in that it is applied to a computer system on which a first domain and a second domain are deployed, and includes: when a program located in the first domain is executed, obtaining information to be audited in the second domain through a tracer, the information to be audited including control flow information of the program; and auditing the information to be audited in the second domain according to audit rules, and, when the information to be audited matches the audit rules, determining that the audit passes and allowing access to the second domain.
- The method of claim 19, characterized in that the information to be audited further includes data flow information of the program.
- The method of claim 19 or 20, characterized in that, before auditing the control flow information, it further includes: reviewing the tracer in the second domain, and auditing the control flow information only after the review passes.
- The method of any one of claims 19-21, characterized in that the method further includes: before obtaining the information to be audited through the tracer, obtaining in the first domain the process identifier of the process executing the program and storing the process identifier in a first register of the tracer; and correspondingly: obtaining the information to be audited through the tracer includes: obtaining the information to be audited collected by the tracer, the information to be audited further including the process identifier, wherein the process identifier is the process identifier read by the tracer from the first register; and auditing the information to be audited according to the audit rules includes: looking up the audit rule matching the process identifier according to the process identifier, and auditing the control flow information according to the audit rule found.
- The method of any one of claims 19-22, characterized in that the computer system further includes a first random number generator deployed in the first domain, and the second domain contains the TEXT segment of the program; the method further includes: before the program is executed, calling the first random number generator in the first domain to generate a random number RX, storing the random number RX in a second register of the tracer, and computing a hash value H1 from the random number RX and the TEXT segment of the process executing the program; and correspondingly: obtaining the information to be audited through the tracer includes: obtaining the information to be audited collected by the tracer, the information to be audited further including the random number RX, wherein RX is obtained by the tracer accessing the second register; and auditing the information to be audited according to the audit rules includes: obtaining the hash value H1, computing a hash value H2 from the random number RX and the TEXT segment contained in the second domain, comparing H1 and H2, and determining that the audit passes when H1 and H2 are identical and the other information to be audited matches the audit rules.
- The method of any one of claims 19-22, characterized in that the computer system further includes a first random number generator deployed in the first domain and a second random number generator deployed in the second domain; the method further includes: when the program is executed, calling the first random number generator in the first domain to generate a random number and writing the random number into a third register of the tracer; and correspondingly: obtaining the information to be audited through the tracer includes: obtaining the information to be audited collected by the tracer, the information to be audited further including a random number, wherein the random number is obtained by the tracer accessing the third register; and auditing the information to be audited according to the audit rules includes: obtaining the last random number RY generated by the first random number generator during the execution of the program and the random number generation count n preset in the second domain; triggering the second random number generator to generate n random numbers according to n, and comparing the n-th random number Rn among them with RY; and determining that the audit passes when Rn and RY are identical and the other information to be audited matches the audit rules.
- A computer-readable storage medium, characterized in that it includes computer-readable instructions which, when executed by one or more processors, implement the method of any one of claims 19-24.
- A computer program product, characterized in that it includes computer-readable instructions which, when executed by one or more processors, implement the method of any one of claims 19-24.
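Claims 5 and 6 (and their counterparts 14-15 and 23-24) describe two register-based checks that the second domain performs on top of the control flow match. The following is an added example, not code from the patent, simulating both domains in one process: the first domain writes RX into the tracer's second register and reports H1 = hash(RX, TEXT); the second domain recomputes H2 over its own copy of the TEXT segment, then regenerates n random numbers with the second generator and compares the n-th with the last RY the tracer recorded. Assumed, since the claims leave them open: SHA-256 as the hash, a deterministic PRNG with a seed shared by the two domains as both generators, and n counting every call of the first generator including the RX draw.

```python
"""The two tracer-register checks of claims 5-6 (also 14-15 and 23-24),
simulated in one process. Added example, not code from the patent.
Assumptions: SHA-256 over RX || TEXT as the hash; both generators are the
same deterministic PRNG seeded with a value the two domains share; the
preset count n counts every call of the first generator, RX included."""
import hashlib
import random
from typing import Dict, List, Optional

TEXT = b"\x7fELF constructed text segment of the program to be protected"  # constructed
SEED = 0x5EED   # constructed seed assumed to be shared by the two domains


class Tracer:
    """Only the parts the claims need: two registers and the record list."""
    def __init__(self) -> None:
        self.reg2: Optional[int] = None   # second register: RX
        self.reg3: Optional[int] = None   # third register: latest random number
        self.records: List[Dict[str, Optional[int]]] = []

    def collect(self, address: int) -> None:
        self.records.append({"addr": address, "rx": self.reg2, "rnd": self.reg3})


def hash_text(rx: int, text: bytes) -> str:
    return hashlib.sha256(rx.to_bytes(8, "little") + text).hexdigest()


class FirstDomain:
    """REE side: the self-collection module plus the program's own RNG calls."""
    def __init__(self, tracer: Tracer, seed: int, text: bytes) -> None:
        self.tracer, self.text = tracer, text
        self.rng = random.Random(seed)            # first random number generator

    def self_collect(self) -> str:
        """Before execution: RX into the second register, H1 = hash(RX, TEXT)."""
        rx = self.rng.getrandbits(64)
        self.tracer.reg2 = rx
        return hash_text(rx, self.text)

    def run_program(self, steps: int) -> None:
        """Each step draws a random number into the third register and then
        passes one (constructed) collection point."""
        for i in range(steps):
            self.tracer.reg3 = self.rng.getrandbits(64)
            self.tracer.collect(0x1000 + 4 * i)


class SecondDomain:
    """TEE side: its own TEXT copy, the shared seed and the preset count n."""
    def __init__(self, seed: int, text: bytes, n: int) -> None:
        self.seed, self.text, self.n = seed, text, n

    def audit(self, records: List[Dict[str, Optional[int]]], h1: str) -> bool:
        if not records or self.n < 1:
            return False
        rxs = {r["rx"] for r in records}
        if len(rxs) != 1 or None in rxs:
            return False                          # records do not share one RX
        rx = rxs.pop()
        if hash_text(rx, self.text) != h1:
            return False                          # claim 5: H1 != H2
        rng2 = random.Random(self.seed)           # second random number generator
        rn = [rng2.getrandbits(64) for _ in range(self.n)][-1]
        ry = records[-1]["rnd"]
        return rn == ry                           # claim 6: Rn must equal RY


def scenario(text_in_ree: bytes = TEXT, steps: int = 3, n: int = 4) -> bool:
    """One REE execution followed by the TEE audit; n = 1 (RX) + steps by default."""
    tracer = Tracer()
    ree = FirstDomain(tracer, SEED, text_in_ree)
    h1 = ree.self_collect()
    ree.run_program(steps)
    return SecondDomain(SEED, TEXT, n).audit(tracer.records, h1)


if __name__ == "__main__":
    print(scenario())                                # True
    print(scenario(text_in_ree=TEXT + b"\x90"))      # False: TEXT tampered
```

`scenario()` with the defaults passes; a tampered TEXT segment in the first domain changes H1, and running the program with fewer or more generator calls than the preset n makes RY miss Rn, so each of the two checks can be seen failing independently.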
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020207011063A KR102347562B1 (ko) | 2017-10-13 | 2018-10-09 | Security control method and computer system |
EP18867252.1A EP3674954B1 (en) | 2017-10-13 | 2018-10-09 | Security control method and computer system |
US16/838,935 US11687645B2 (en) | 2017-10-13 | 2020-04-02 | Security control method and computer system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710952362.4 | 2017-10-13 | ||
CN201710952362.4A CN109670312A (zh) | 2017-10-13 | 2017-10-13 | Security control method and computer system |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/838,935 Continuation US11687645B2 (en) | 2017-10-13 | 2020-04-02 | Security control method and computer system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019072158A1 true WO2019072158A1 (zh) | 2019-04-18 |
Family
ID=66100376
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/109416 WO2019072158A1 (zh) | 2017-10-13 | 2018-10-09 | Security control method and computer system |
Country Status (5)
Country | Link |
---|---|
US (1) | US11687645B2 (zh) |
EP (1) | EP3674954B1 (zh) |
KR (1) | KR102347562B1 (zh) |
CN (1) | CN109670312A (zh) |
WO (1) | WO2019072158A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP4095725A4 (en) * | 2020-03-06 | 2023-01-11 | Huawei Technologies Co., Ltd. | ELECTRONIC DEVICE AND SECURITY PROTECTION METHOD |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109960582B (zh) * | 2018-06-19 | 2020-04-28 | 华为技术有限公司 | Method, apparatus and system for implementing multi-core parallelism on the TEE side |
US11416603B2 (en) * | 2018-11-16 | 2022-08-16 | Intel Corporation | Methods, systems, articles of manufacture and apparatus to detect process hijacking |
US11356845B1 (en) * | 2019-07-10 | 2022-06-07 | Sprint Communications Company L.P. | Trusted operating system in an internet of things (IoT) device |
US10783054B2 (en) | 2019-07-29 | 2020-09-22 | Alibaba Group Holding Limited | Method, apparatus, and device for storing operation record based on trusted execution environment |
CN110457898B (zh) * | 2019-07-29 | 2020-10-30 | 创新先进技术有限公司 | Method, apparatus and device for storing operation records based on a trusted execution environment |
EP4209947A4 (en) * | 2020-10-15 | 2023-09-27 | Huawei Technologies Co., Ltd. | PROCESSOR SECURITY MEASUREMENT DEVICE AND METHOD |
KR102338191B1 (ko) * | 2020-10-28 | 2021-12-13 | 주식회사 스파이스웨어 | Data encryption apparatus and method using supervised learning |
US12079379B2 (en) * | 2020-12-03 | 2024-09-03 | Huawei Technologies Co., Ltd. | Peripheral component interconnect express protection controller |
CN116635858A (zh) * | 2020-12-29 | 2023-08-22 | 华为技术有限公司 | Security isolation apparatus and method |
CN112948863B (zh) * | 2021-03-15 | 2022-07-29 | 清华大学 | Method and apparatus for reading sensitive data, electronic device and storage medium |
KR102526681B1 (ko) * | 2021-07-13 | 2023-05-02 | 한국전자통신연구원 | Apparatus and method for preventing virtual machine security threats |
CN114154163B (zh) * | 2021-10-19 | 2023-01-10 | 北京荣耀终端有限公司 | Vulnerability detection method and apparatus |
CN113946869B (zh) * | 2021-11-02 | 2022-10-28 | 深圳致星科技有限公司 | Insider security attack detection method and apparatus for federated learning and privacy computing |
CN116861445B (zh) * | 2023-09-04 | 2023-12-15 | 湖北芯擎科技有限公司 | Trusted execution environment implementation method, system-on-chip and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080288789A1 (en) * | 2007-05-02 | 2008-11-20 | Arm Limited | Reducing information leakage between processes sharing a cache |
CN104318182A (zh) * | 2014-10-29 | 2015-01-28 | 中国科学院信息工程研究所 | Intelligent terminal isolation system and method based on processor security extensions |
CN104794395A (zh) * | 2015-05-13 | 2015-07-22 | 上海瓶钵信息科技有限公司 | Lightweight multi-system security management architecture based on architectural features |
CN106921799A (zh) * | 2017-02-24 | 2017-07-04 | 深圳市金立通信设备有限公司 | Mobile terminal security protection method and mobile terminal |
Family Cites Families (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5794252A (en) * | 1995-01-24 | 1998-08-11 | Tandem Computers, Inc. | Remote duplicate database facility featuring safe master audit trail (safeMAT) checkpointing |
EP1870829B1 (en) | 2006-06-23 | 2014-12-03 | Microsoft Corporation | Securing software by enforcing data flow integrity |
EP2648386B1 (en) * | 2012-04-08 | 2021-08-25 | Samsung Electronics Co., Ltd. | Management Server and Method for Controlling Device, User Terminal Apparatus and Method for Controlling Device, and User Terminal Apparatus and Control Method Thereof |
US9253209B2 (en) * | 2012-04-26 | 2016-02-02 | International Business Machines Corporation | Policy-based dynamic information flow control on mobile devices |
US8955039B2 (en) | 2012-09-12 | 2015-02-10 | Intel Corporation | Mobile platform with sensor data security |
US9846717B2 (en) | 2012-10-23 | 2017-12-19 | Galois, Inc. | Software security via control flow integrity checking |
AU2014348812B2 (en) | 2013-11-12 | 2019-09-26 | RunSafe Security, Inc. | Improved control flow integrity system and method |
KR102355480B1 (ko) * | 2014-06-23 | 2022-01-26 | 오라클 인터내셔날 코포레이션 | System and method for supporting security in a multitenant application server environment |
CN104134038B (zh) * | 2014-07-31 | 2016-11-23 | 浪潮电子信息产业股份有限公司 | Secure and trusted operation protection method based on a virtual platform |
CN104794410B (zh) * | 2015-03-23 | 2018-01-09 | 中国科学院软件研究所 | Database security protection method based on trusted computing technology |
US10650140B2 (en) | 2015-03-27 | 2020-05-12 | Intel Corporation | Control-flow integrity with managed code and unmanaged code |
CN106209734B (zh) * | 2015-04-30 | 2019-07-19 | 阿里巴巴集团控股有限公司 | Process identity authentication method and apparatus |
CN106295350B (zh) | 2015-06-04 | 2019-12-10 | 摩托罗拉移动通信软件(武汉)有限公司 | Identity verification method, apparatus and terminal for a trusted execution environment |
CN105760444A (zh) * | 2016-02-03 | 2016-07-13 | 国网智能电网研究院 | Novel business and database audit data center |
CN107194252B (zh) * | 2017-05-09 | 2019-11-22 | 华中科技大学 | Fully context-sensitive program control flow integrity protection method and system |
US10614224B2 (en) * | 2017-05-15 | 2020-04-07 | International Business Machines Corporation | Identifying computer program security access control violations using static analysis |
US20190073473A1 (en) * | 2017-09-01 | 2019-03-07 | Dornerworks, Ltd. | Dynamic security domain data flow analysis via passive monitoring |
US11323242B2 (en) * | 2018-06-20 | 2022-05-03 | University Of Central Florida Research Foundation, Inc. | System, secure processor and method for restoration of a secure persistent memory |
- 2017
  - 2017-10-13 CN CN201710952362.4A patent/CN109670312A/zh active Pending
- 2018
  - 2018-10-09 WO PCT/CN2018/109416 patent/WO2019072158A1/zh unknown
  - 2018-10-09 EP EP18867252.1A patent/EP3674954B1/en active Active
  - 2018-10-09 KR KR1020207011063A patent/KR102347562B1/ko active IP Right Grant
- 2020
  - 2020-04-02 US US16/838,935 patent/US11687645B2/en active Active
Non-Patent Citations (1)
Title |
---|
See also references of EP3674954A4 * |
Also Published As
Publication number | Publication date |
---|---|
EP3674954A4 (en) | 2020-08-12 |
KR102347562B1 (ko) | 2022-01-06 |
EP3674954B1 (en) | 2022-06-15 |
EP3674954A1 (en) | 2020-07-01 |
CN109670312A (zh) | 2019-04-23 |
US11687645B2 (en) | 2023-06-27 |
US20200250302A1 (en) | 2020-08-06 |
KR20200052957A (ko) | 2020-05-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 18867252 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2018867252 Country of ref document: EP Effective date: 20200326 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
ENP | Entry into the national phase |
Ref document number: 20207011063 Country of ref document: KR Kind code of ref document: A |