WO2019148447A1 - Data protection method and data protection device - Google Patents

Data protection method and data protection device Download PDF

Info

Publication number
WO2019148447A1
WO2019148447A1 PCT/CN2018/075086 CN2018075086W WO2019148447A1 WO 2019148447 A1 WO2019148447 A1 WO 2019148447A1 CN 2018075086 W CN2018075086 W CN 2018075086W WO 2019148447 A1 WO2019148447 A1 WO 2019148447A1
Authority
WO
WIPO (PCT)
Prior art keywords
memory
data
protected
processing module
message
Prior art date
Application number
PCT/CN2018/075086
Other languages
French (fr)
Chinese (zh)
Inventor
肖福洲
尹友展
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to PCT/CN2018/075086 priority Critical patent/WO2019148447A1/en
Priority to EP18904028.0A priority patent/EP3726390B1/en
Priority to PCT/CN2018/117500 priority patent/WO2019148948A1/en
Priority to CN201880016634.2A priority patent/CN110383256B/en
Priority to US16/965,935 priority patent/US20210049112A1/en
Publication of WO2019148447A1 publication Critical patent/WO2019148447A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow

Definitions

  • the present application relates to the field of electronic devices, and more particularly to data protection methods and data protection devices.
  • the operating data in the operating system on the electronic device is stored using memory. Some of these operational data are important to protect, that is, they cannot be changed at will.
  • the present application provides a data protection method and a data protection device to help improve data security.
  • the present application provides a data protection method, where the data protection method is implemented by a data protection device, where the data protection device includes a processor execution unit and a memory management unit, and the operating space of the processor execution unit partition includes the first The running space and the second running space, the abnormal level of the second running space is higher than the abnormal level of the first running space, and the data protection method comprises:
  • the first processing module running in the first running space sends a first message to the memory management unit, where the first message is used to request to modify the attribute of the first memory;
  • the memory management unit sends a second message to the second processing module running in the second running space, where the second message is used to request to determine whether the first memory is protected;
  • the second processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table
  • the second processing module running in the second running space sends a third message to the memory management unit, where the third message is used to indicate whether to modify the attribute of the first memory;
  • the memory management unit modifies the attribute of the first memory according to the first message; if the third message is used to indicate that the attribute of the first memory is not modified, the memory management unit refuses to modify The first memory attribute.
  • the abnormal level of the second running space is higher than the abnormal level of the first running space, and the first processing module in the first running space needs to modify the attribute of the memory, it needs to go through the second running control.
  • the authorization of the second processing module enables the first processing module in the first running control to arbitrarily modify the attributes of the memory, so that the data in the memory cannot be arbitrarily modified, and finally helps to improve the security of the data.
  • the data protection method before the second processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table, the data protection method further includes:
  • the first processing module in the first running space sends a fourth message to the second processing module in the second running space, where the fourth message is used to indicate whether the first memory is protected;
  • the second processing module in the second running space generates a memory protection table according to the fourth message, the memory protection table is used for recording the protected memory and/or the unprotected memory, and the protected memory includes storing the protected data.
  • Memory, unprotected memory includes memory for storing unprotected data.
  • the first processing module in the first runtime may indicate to the second processing module in the second runtime that which memory is protected and/or which memory is unprotected.
  • the data protection method before the second processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table, the data protection method further includes:
  • the second processing module running in the second running space determines that the first memory is used to store the protected data or the first memory is used to store the unprotected data;
  • the second processing module running in the second running space generates a memory protection table, where the memory protection table is used to record the first memory as protected memory or to record the first memory as unprotected memory, and the protected memory includes For memory that stores protected data, unprotected memory includes memory for storing unprotected data.
  • protected memory and/or unprotected memory may be predetermined.
  • the first running space is a kernel space
  • the first processing module is an operating system
  • the second super management space is a super management space.
  • the protected data includes: constant data written to the memory by the operating system during the compile phase, and constant data written by the operating system during the initialization phase.
  • the data protection device is a mobile phone, a tablet, a server, a personal computer, a network router, or a switch.
  • the application provides a data protection device, where the data protection device includes a processor execution unit and a memory management unit, where the operating space divided by the processor execution unit includes a first running space and a second running space, and the second running The abnormal level of the space is higher than the abnormal level of the first running space, the first running space is used to run the first processing module, and the second running space is used to run the second processing module.
  • the first processing module is configured to send a first message to the memory management unit, where the first message is used to request to modify an attribute of the first memory;
  • the memory management unit is configured to send a second message to the second processing module, where the second message is used to request to determine whether the first memory is protected;
  • the second processing module is configured to determine, according to the pre-acquired memory protection table, whether the first memory is protected
  • the second processing module is further configured to send a third message to the memory management unit, where the third message is used to indicate whether to modify the attribute of the first memory;
  • the memory management unit is further configured to: when the third message is used to indicate that the attribute of the first memory is modified, the attribute of the first memory is modified according to the first message, and the third message is used to indicate that the first memory is refused to be modified when the attribute of the first memory is not modified. Attributes.
  • the first processing module is further configured to send a fourth message to the second processing module in the second running space, where the fourth message is used to indicate whether the first memory is protected.
  • the second processing module determines, according to the pre-acquired memory protection table, whether the first memory is protected, and is further configured to: generate a memory protection table according to the fourth message, where the memory protection table is used to record the protected memory and/or not Protected memory, protected memory includes memory for storing protected data, and unprotected memory includes memory for storing unprotected data.
  • the second processing module determines, according to the pre-acquired memory protection table, whether the first memory is protected, and is further configured to:
  • Generating a memory protection table for recording the first memory as protected memory or for recording the first memory as unprotected memory the protected memory including memory for storing protected data
  • Protected memory includes memory for storing unprotected data.
  • the first running space is a kernel space
  • the first processing module is an operating system
  • the second running space is a super management space.
  • the protected data includes: constant data written to the memory by the operating system during the compile phase, and constant data written by the operating system during the initialization phase.
  • the data protection device is a mobile phone, a tablet, a server, a personal computer, a network router, or a switch.
  • the data protection device is a system chip
  • the system chip includes a processor and an output interface
  • the processor includes a processor execution unit and a memory management unit
  • the output interface is used to modify the memory management unit.
  • the physical address of the first memory is output to the address bus.
  • the data protection device may further comprise a memory for the program code executed by the memory execution unit, the protected data, and the unprotected data.
  • the present application provides a computer readable storage medium.
  • Program code for execution of the data protection device is stored in the computer readable storage medium.
  • the program code includes instructions for performing the data protection method of the first aspect or any of the possible implementations of the first aspect.
  • the present application provides a computer program product comprising instructions.
  • the data protection device is caused to perform the data protection method in any one of the possible implementations of the first aspect or the first aspect.
  • the application provides a data protection device, where the data protection device includes a processor execution unit and a memory management unit, and the running space of the processor execution unit partition includes a kernel space and a super management space, and an abnormality of the super management space.
  • the level of exception is higher than the kernel space.
  • An operating system running in the kernel space is configured to send a first message to the memory management unit, where the first message is used to request to modify an attribute of the first memory;
  • the memory management unit is configured to send a second message to the critical data protection module running in the super management space, where the second message is used to request to determine whether the first memory is protected;
  • the key data protection module is configured to determine whether the first memory is protected according to the pre-acquired memory protection table
  • the key data protection module is further configured to send a third message to the memory management unit, where the third message is used to indicate whether to modify the attribute of the first memory;
  • the memory management unit is further configured to: when the third message is used to indicate that the attribute of the first memory is modified, the attribute of the first memory is modified according to the first message, and the third message is used to indicate that the first memory is refused to be modified when the attribute of the first memory is not modified. Attributes.
  • the operating system is further configured to send a fourth message to the critical data protection module, where the fourth message is used to indicate whether the first memory is protected.
  • the key data protection module determines whether the first memory is protected according to the pre-acquired memory protection table, and is further configured to: generate a memory protection table according to the fourth message, where the memory protection table is used to record the protected memory and/or not Protected memory, protected memory includes memory for storing protected data, and unprotected memory includes memory for storing unprotected data.
  • the critical data protection module determines whether the first memory is protected according to a pre-acquired memory protection table, and is also used to:
  • Generating a memory protection table for recording the first memory as protected memory or for recording the first memory as unprotected memory the protected memory including memory for storing protected data
  • Protected memory includes memory for storing unprotected data.
  • the protected data includes: constant data written by the operating system during the compile phase, and constant data written by the operating system during the initialization phase.
  • FIG. 1 is a schematic diagram of dividing an abnormal level according to an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of performing address mapping by an MMU according to an embodiment of the present application
  • FIG. 3 is a schematic structural diagram of a data protection device according to another embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of a data protection device according to another embodiment of the present application.
  • FIG. 5 is a schematic flowchart of a data protection method according to an embodiment of the present application.
  • FIG. 6 is a schematic flowchart of a data protection method according to another embodiment of the present application.
  • FIG. 7 is a schematic flowchart of a data protection method according to another embodiment of the present application.
  • FIG. 8 is a schematic flowchart of a data protection method according to another embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a data protection device according to an embodiment of the present application.
  • the computer to which the data protection method and the data protection device of the embodiment of the present application can be applied may be an electronic device such as a mobile phone, a tablet computer, a server, a personal computer, a network router, a wearable device, or a switch.
  • a processor and a memory can be included in the computer.
  • the processor may also be referred to as a central processing unit (CPU) or a central processing unit.
  • An example of a processor in the computer is an Advanced RISC Machines (ARM) processor.
  • An example of a memory in this calculation is a random access memory (RAM) or a flash memory (Flash). Among them, RAM can also be called main memory or memory.
  • the memory has access rights attributes such as read-only, writable, executable, and inaccessible.
  • Virtualization technology is used in the processor of this computer. Virtualization technology can hide the underlying physical hardware in the computer, allowing multiple independent operating systems (OSs) to transparently use and share the computer's hardware resources. Simply put, virtualization technology can enable the computer to run multiple OSs concurrently.
  • OSs independent operating systems
  • the processor in the computer provides different levels of privilege for the program code to access resources in the computer to protect the data in the computer and prevent malicious behavior in the computer, thereby ensuring the security of the computer.
  • EL levels exception levels
  • EL levels the higher the level of the abnormal level, the lower the level of the abnormal level is.
  • the EL0 level is lower than the EL1 level
  • the EL1 level is lower than the EL2 level
  • the EL2 level is lower than the EL3 level.
  • the lower the level of the abnormal level the lower the value, and the higher the level of the abnormality, the higher the level of the abnormality.
  • Different levels of anomaly levels correspond to different levels of running space.
  • the division of the exception level or the division of the runtime space provides logically separate execution rights for the software for all operational states in the processor. It should be understood that the level of anomaly referred to in this application is similar to that of a hierarchical protection domain that is common in computer science and supports the concepts involved in the level protection domain.
  • An example of software running under each of these four exception levels is as follows.
  • a normal user application runs in the runspace corresponding to EL0; an operating system kernel, such as Linux or Windows, can run in the runspace corresponding to EL1, the operating system kernel is usually considered privileged; the hypervisor runs on EL2. In the corresponding running space; low-level firmware, such as the security monitor, runs in the running space corresponding to EL3.
  • the hypervisor can also be called a hypervisor.
  • the hypervisor can provide virtualization services to one or more operating system kernels when enabled.
  • Firmware is the first thing that runs when the processor starts.
  • the firmware provides a number of services, such as platform initialization, installation of trusted operating systems, and routing of commands for security monitors.
  • a piece of software occupies a separate level of exception, or a separate run space.
  • exceptions there are exceptions.
  • a kernel management program such as a kernel virtual machine (KVM)
  • KVM kernel virtual machine
  • the CPU execution unit can manage or access the memory through a memory management unit (MMU).
  • MMU memory management unit
  • the MMU can perform address mapping and provide operations such as memory access authorization.
  • the MMU when the program code running in the running space corresponding to different abnormal levels accesses the memory, the MMU performs different address mapping and different memory access authorization processes.
  • the MMU performs a two-stage address mapping process for an application with an exception level of EL0 and an operating system with an exception level of EL1, a hypervisor with an exception level of EL3 and a security monitor with an exception level of EL4. Perform a phased address mapping process.
  • the virtual address (VA) of the memory is converted to an intermediate physical address (IPA); in the second phase, the IPA is converted into a physical address (physical address). , PA).
  • TTBR translation table base register
  • VTTBR conversion translation table base register
  • the MMU can directly derive the PA according to the VA conversion.
  • the management program EL2 and the security supervisor EL3 have their own one-stage conversion tables.
  • the hypervisor EL2 and the security supervisor EL3 can directly convert from a virtual address to a physical address through respective corresponding tables.
  • the base address of the conversion table corresponding to the hypervisor EL2 is specified in TTNR0_EL2
  • the base address of the conversion table corresponding to the security supervisor EL3 is specified in TTNR0_EL3.
  • a continuous and variable-size address space at the bottom of the memory is respectively designated as the base address of the translation address table of the hypervisor EL2 and the security supervisor EL3.
  • TTBRn_EL1, TTNR0_EL2 and TTNR0_EL3 are only an example, and different names may be referred to in different materials.
  • the first phase is usually executed under the control of the operating system, and the second phase is usually executed under the control of the hypervisor.
  • the execution of the management program under the control of the management program can be understood as follows: the management program determines that the IPA or the VA corresponding to the IPA can be accessed, and then the MMU is authorized to perform IPA to PA conversion.
  • the data protection method of the embodiment of the present application is mainly implemented in the address mapping process of the second stage described above under the control of the management program.
  • the memory protection table is pre-stored in the computer, and the memory protection table records address information of the memory that needs to be protected and/or does not need to be protected, and a processing module is added in the management program, and the processing module queries the memory protection table whether Includes address information for the memory that the operating system or application requests to modify access properties. If the processing module queries the memory protection table and determines that the memory requested to modify the access attribute is a protected memory, the MMU is denied to modify the access attribute of the memory.
  • Table 1 An example of a memory protection table is shown in Table 1.
  • Table 1 both protected memory and unprotected memory are recorded, the first column records the virtual address of the protected memory, and the second column records the virtual address of the unprotected memory.
  • Protected memory virtual address Virtual address of unprotected memory 0x40000000-0x60000000 0x00000000-0x30000000
  • malware For example, if a computer downloads malware, or if a web page is viewed with a malicious plugin, the malware or
  • the malicious plug-in attacks the operating system, obtains the management rights of the operating system, and controls the operating system to change the access attribute of the memory whose virtual address is 0x41115000 to 0x41116000 from writable to read-only, so that the malware or malicious plug-in can modify the in-memory.
  • the management program in the process of the second stage mapping of the address of the memory by the MMU, the memory protection table is queried to know that the memory is protected, thereby rejecting the MMU to perform the second stage address mapping process, that is, rejecting Attacks by malware or malicious plugins protect the data in memory.
  • the management program may also issue a prompt message that the protected memory is attacked, for example, popping up a display box or sending an alarm sound.
  • the data protection device 300 shown in FIG. 3 is taken as an example to describe the data protection method proposed in the present application. It should be understood that the data protection device 300 shown in FIG. 3 is only an example, and the data protection device of the embodiment of the present application may further include other modules or units, or include modules similar to those of the modules in FIG. 3, or Includes all the modules in Figure 3.
  • the data protection device 300 shown in FIG. 3 includes a processor 310 and a memory 320.
  • the memory can exchange data with the processor 310.
  • RAM random access memory
  • main memory main memory
  • flash memory Another example of the memory 320 is a flash memory. It should be understood that the memory in subsequent embodiments may be replaced with a flash memory.
  • processor 310 is a central processing unit (CPU).
  • CPU can also be called a central processor.
  • a CPU execution unit 311 and a memory management unit 312 may be included in the processor 310. It should be understood that the integration of the MMU herein within the processor 310 is just one example, and the MMU may also be located outside of the processor 310.
  • ELs exception levels
  • the four exception levels are EL0, EL1, EL2, and EL3 from low to high.
  • EL0, EL1, EL2 and EL3 correspond to four operating spaces.
  • the running space corresponding to EL0 is the user program space, and the user program space is used to run the user program.
  • User programs can also be called applications.
  • the running space corresponding to EL1 is a kernel space, and the kernel space is used to run an operating system (OS).
  • OS operating system
  • An operating system running in kernel space can also be referred to as a guest operating system.
  • the running space corresponding to EL2 is the super management space.
  • the super management space is used to run the hypervisor.
  • the hypervisor can also be called a virtual machine monitor.
  • the hypervisor is an intermediate layer of software that runs between physical hardware and the operating system, allowing multiple operating systems and applications to share a single set of physical hardware.
  • the main function of the hypervisor is memory management and interrupt interception. In these two ways, the hypervisor can well monitor the operation of the operating system in kernel space.
  • the hypervisor can implement memory management through the MMU 312's two-stage (stage 2) memory mapping function.
  • the MMU 312 can implement storage management through techniques such as a shadow page table or an EPT page table.
  • stage 1 the address can be sent by the user program in the kernel space or the user program in the user program space.
  • Map to intermediate physical address; in stage 2 (stage-2), IPA can be mapped to the address of the memory chip.
  • the address sent by the user program in the kernel space or the user program space in the user program space may be referred to as a virtual address, or the address visible to the operating system or the user program is VA; the real address of the memory chip is called a physical address; VA
  • VA The address used in the process of mapping to the PA can be referred to as IPA.
  • stage-2 memory map function is only valid for operating systems running in kernel space and user programs in user program space. That is to say, the stage-2 memory mapping function is required only when the operating system running in kernel space and the user program in the user program space access memory.
  • Memory has access rights properties.
  • the access permission attribute of the memory is simply referred to as the attribute of the memory in the embodiment of the present application.
  • Memory attributes can include read-only, writable, inaccessible, and executable.
  • the memory attribute is read-only, which means that only the content in the memory can be read, and the content in the memory cannot be modified; if the attribute of the memory is writable, the content in the memory can be read, or can be modified. The contents of this memory.
  • the MMU 312 After receiving the address sent by the user program in the kernel space or the user program space in the user program space, the MMU 312 can access the content in the memory corresponding to the address according to the attribute of the memory corresponding to the address.
  • the MMU 312 For example, if the operating system in the kernel space or the user program in the user program space requests the MMU 312 to write data to the memory corresponding to an address, and the attribute of the memory corresponding to the address is writable, the MMU 312 will After the address is mapped to the physical address of the memory, the physical address is sent to the address bus for data to be written to.
  • the MMU 312 rejects the request.
  • An example of the MMU 312 rejecting the request is to make an exception prompt.
  • an operating system running in kernel space can invoke a hypervisor through a hypervisor call (HVC) instruction.
  • HVC hypervisor call
  • the security monitor space corresponding to the EL4 is used to run the security monitoring module of the processor.
  • the data protection method proposed by the present application mainly includes: when the program code running in the running space of the low abnormal level requests to modify the attribute of the memory, the program code running in the running space of the high abnormal level captures the request, and determines whether the memory is subjected to the request. Protected memory; if the memory is the protected memory, the program code running in the high exception level runtime rejects this modification.
  • FIG. 5 A schematic flowchart of a data protection method of an embodiment of the present application is shown in FIG. 5. This data protection method can be performed by the data protection device 300.
  • the data protection method shown in FIG. 5 includes S510, S520, S530, S540, and S550.
  • FIG. 5 shows the steps or operations of the data protection method, but these steps or operations are merely examples, and other embodiments of the present application may also perform other operations or variations of the operations in FIG. 5. Moreover, the various steps in FIG. 5 may be performed in a different order than that presented in FIG. 5, and it is possible that not all operations in FIG. 5 are to be performed.
  • the processing module running in the first running space sends a first message to the MMU, where the first message is used to request to modify the attribute of the first memory. Accordingly, the MMU receives the message.
  • the processing module running in the first running space may be referred to as a first processing module.
  • the first memory refers to the memory of the first message requesting modification of the attribute.
  • the first run space may be the user program space or kernel space shown in FIG.
  • the first processing module may be a user program; when the first running space is a kernel space, the first processing module may be an operating system.
  • the first message may include a VA of the first memory and a target attribute of the first memory. That is, the first message is used to request the MMU to modify the attribute of the first memory to the target attribute.
  • the target attribute of the first memory may include at least one of read-only, writable, executable, and inaccessible.
  • An example of requesting to modify the target attribute of the first memory to be writable is an instance of set_memory_RW; an instance of the first message requesting modification of the target attribute of the first memory to read-only is set_memory_RO.
  • the MMU sends a second message to the processing module running in the second running space, where the second message is used to request the processing module to determine whether the first memory is protected, and the abnormality level of the second running space is higher than the first running space. The level of exception.
  • the processing module running in the second runtime space receives the second message.
  • the processing module running in the second running space may be referred to as a second processing module or a kernel critical data protection module.
  • the second processing module or the kernel critical data protection module may be a processing module in the hypervisor.
  • the second run space may be the super management space shown in FIG.
  • the second message is also understood to be used to request the second processing module to determine whether the attribute of the first memory can be modified, or can be understood to be used to request the second processing module to determine whether the data in the first memory is protected. of.
  • the address of the first memory may be included in the second message.
  • the VA of the first memory may be included in the second message.
  • the information included in the second message may be the same as the information included in the first message.
  • the processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table, where the memory protection table is used to record the protected memory and/or the unprotected memory.
  • Protected memory can be understood as storing protected data.
  • the protected data may include at least one of the following: constant data of the operating system or data generated by the operating system during operation that needs to be protected.
  • the constant data of the operating system may include at least one of the following: constant data that appears during the compilation phase of the operating system and constant data that appears during the initialization phase of the operating system.
  • the interpretation of the protected memory may include that the attributes of the memory may not be modified from write-only, inaccessible, executable to writable; the interpretation of the unprotected memory may include: The properties of this memory can be modified from any property to any other property.
  • One way in which the memory protection table records protected memory and/or unprotected memory may include: recording the address of the protected memory and/or the address of the unprotected memory in the memory protection table.
  • the memory protection table can record the VA address of the protected memory and/or the VA address of the unprotected memory.
  • the processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table, and may include: if the protected memory recorded in the memory protection table is included The first memory, the processing module running in the second running space determines that the first memory is protected; if the protected memory recorded in the memory protection does not include the first memory, the processing module running in the second running space Make sure the first memory is unprotected.
  • only unprotected memory can be recorded in the memory protection table.
  • the processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table, and may include: if the unprotected memory recorded in the memory protection table is not Including the first memory, the processing module running in the second running space determines that the first memory is protected; if the unprotected memory recorded in the memory protection includes the first memory, the processing running in the second running space The module determines that the first memory is unprotected.
  • the memory protection table can record both protected memory and unprotected memory.
  • the processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table, and may include: if the protected memory recorded in the memory protection table includes the first a memory, the processing module running in the second running space determines that the first memory is protected; if the unprotected memory recorded in the memory protection table includes the first memory, the processing module running in the second running space Make sure the first memory is unprotected.
  • S540 The processing module running in the second running space sends a third message to the MMU, where the third message is used to indicate whether the MMU modifies the attribute of the first memory. Accordingly, the MMU receives the third message.
  • the third message is used to instruct the MMU to modify the attribute of the first memory; if the second processing module determines that the first memory is protected, The third message is used to indicate that the MMU does not modify the attributes of the first memory.
  • the MMU modifies the attribute of the first memory according to the first message; if the third message is used to indicate that the MMU does not modify the attribute of the first memory, the MMU refuses to modify The first memory attribute.
  • the MMU modifies the attribute of the first memory to the target attribute.
  • the MMU may return an abnormal operation prompt to the first processing module.
  • FIG. 6 a schematic flowchart of a method for assisting in protecting data is shown in FIG. 6.
  • the method shown in FIG. 6 may include S610 and S620. The method can be performed by data protection device 300.
  • FIG. 6 illustrates the steps or operations of the method, but these steps or operations are merely examples, and other embodiments of the present application may also perform other operations or variations of the various operations in FIG. 6. Moreover, the various steps in FIG. 6 may be performed in a different order than that presented in FIG. 6, and it is possible that not all operations in FIG. 6 are to be performed.
  • the processing module running in the third running space sends a fourth message to the processing module running in the second running space, where the fourth message is used to indicate whether the second memory should be protected.
  • the processing module in the second runtime receives the fourth message.
  • the third running space may be the user program space or the kernel space shown in FIG. 4.
  • the second run space may be the super management space shown in FIG.
  • the third running space and the first running space may be the same running space.
  • the processing module running in the second running space may be a second processing module or a kernel critical data protection module.
  • the fourth message may also be understood to indicate that the data stored in the second memory should be protected, or may be understood to indicate that the attribute of the second memory cannot be modified from any of read-only, executable, and inaccessible to Writable, or, can be understood as indicating that the data stored in the second memory should not be modified.
  • Data that should be protected or should not be modified may include at least one of the following: constant data stored by the operating system in memory during the compilation phase, constant data stored in memory during the initialization phase of the operating system, operating system or user program at Data that is stored in memory during the run phase and cannot be modified.
  • the address of the second memory may be included in the fourth message.
  • the VA of the second memory may be included in the fourth message.
  • the sending, by the processing module running in the third running space, the fourth message to the processing module running in the second running space may include: the processing module running in the third running space is called in the second running space.
  • the processing module is executed, and when invoked, the fourth message is delivered to the processing module running in the second running space through the interface.
  • an operating system running in kernel space can invoke a hypervisor running in a hypervisor space through an HVC instruction, so that the hypervisor generates a memory protection table based on the fourth message.
  • the processing module running in the second running space obtains a memory protection table according to the fourth message, where the memory protection table is used to record the protected and/or unprotected memory.
  • the abnormality level of the second running space is higher than the abnormal level of the third running space.
  • the processing module running in the second running space can record the second memory into the memory protection table. If the fourth message is used to indicate that the second memory should not be protected, the processing module running in the second running space does not record the second memory into the memory protection table.
  • the processing module running in the second running space can record the second memory to the memory protection.
  • the processing module running in the second running space does not record the second memory into the memory protection table.
  • the processing module running in the second running space may Recording the second memory into the memory protection table and identifying the second memory as protected memory; if the fourth message is used to indicate that the second memory should not be protected, the processing module running in the second running space may be The second memory is logged to the memory protection table and identifies the second memory as unprotected memory.
  • An example of the embodiment of the present application includes: the operating system writes constant data into the memory during the compiling phase, and after identifying the attribute of the memory as read-only, the hypervisor is called by the HVC instruction, and the memory is recorded as the protected memory.
  • Another example of the embodiment of the present application includes: the operating system writes constant data into the memory during the initialization phase, and after identifying the attribute of the memory as read-only, calls the hypervisor through HVC therapy, and records the memory as protected memory. .
  • the operating system writes data into the memory during the running phase, and after identifying the attribute of the memory as read-only, the hypervisor is invoked by the HVC treatment, and the memory is recorded as the protected memory.
  • the memory protection table used in S530 can be obtained by the method shown in FIG. 6.
  • the memory protection table used in S530 can be the memory protection table obtained in S620.
  • the second memory and the first memory may be the same memory; the third running space and the first running space may be the same running space, or may be different. Running space.
  • the processing module running in the third running space and the first processing module may be the same processing module.
  • the first running space and the third running space are both kernel spaces
  • the processing module and the first processing module running in the third running space are both operating systems.
  • the hypervisor can be called by the HVC instruction.
  • the first memory is recorded as protected memory in the memory protection table.
  • the MMU may send a second message to the hypervisor requesting the hypervisor to determine whether the first memory is protected. Since the first memory is protected memory in the memory protection table, the hypervisor indicates that the MMU cannot modify the attributes of the first memory.
  • the running space that is not the same as the first running space is that the first running space is a user program space, the third running space is a kernel space, the first processing module is an operating system, and the third running space is in a third running space.
  • the processing module is a user program.
  • FIG. 7 a schematic flowchart of a method for assisting in protecting data is shown in FIG. 7.
  • the method shown in FIG. 7 may include S710 and S720.
  • the method can be performed by data protection device 300.
  • FIG. 7 illustrates the steps or operations of the method, but these steps or operations are merely examples, and other embodiments of the present application may also perform other operations or variations of the various operations in FIG. Moreover, the various steps in FIG. 7 may be performed in a different order than that presented in FIG. 7, and it is possible that not all operations in FIG. 7 are to be performed.
  • the processing module running in the second running space determines that the third memory is used to store the protected data and/or the fourth memory is used to store the unprotected data.
  • the processing module running in the second run space determines which memory is used to store the protected data and/or which memory is used to store the unprotected data.
  • the memory used to store protected data is the third memory
  • the memory used to store unprotected data is the fourth memory.
  • the second run space may be the super management space shown in FIG.
  • the protected data may include at least one of the following: constant data stored in the operating system during the compilation phase, constant data stored in the operating system during the initialization phase, and the operating system or user program being stored in the memory during the run phase. Data that cannot be modified.
  • the third memory and/or the fourth memory may be determined by the processing module running in the second running space according to the pre-configured information, wherein the third memory is recorded in the pre-configured information for storing the protected data and / or fourth memory is used to store unprotected data.
  • the pre-configured information records which memory is used to store protected data, and/or records which memory is used to store unprotected data.
  • a memory for storing constant data of an operating system may be allocated in advance to an operating system in the kernel space. Since the constant data of the operating system is data that needs to be protected, the memory can be pre-configured as the information of the third memory. In this way, the processing module running in the second running space can determine, according to the pre-configured information, that the third memory is used to store the protected data.
  • the VA of the memory allocated for the constant data of the operating system can be recorded in the pre-configured information.
  • the processing module running in the second running space can determine, according to the pre-configured information, that the memory corresponding to the VA is used to store the protected data, that is, the memory is the third memory.
  • the processing module running in the second running space generates a memory protection table, where the third memory is protected memory and/or the fourth memory is unprotected memory.
  • the processing module running in the second running space determines that the third memory is the memory for storing the protected data
  • the third memory is recorded into the memory protection table, and the third memory is identified as the protected memory.
  • the fourth memory is recorded into the memory protection table, and the fourth memory is identified as unprotected memory.
  • the memory protection table used in S530 can be obtained by the method shown in FIG. In other words, the memory protection table used in S530 can be the memory protection table obtained in S720.
  • the third memory and the first memory may be the same memory, or the fourth memory and the first memory may be the same memory.
  • the hypervisor can record the third memory in the memory protection table. Protected memory.
  • the MMU may send a second message to the hypervisor requesting the hypervisor to determine whether the third memory is protected. Since the third memory is protected memory in the memory protection table, the hypervisor indicates that the MMU cannot modify the attributes of the third memory.
  • FIG. 8 A schematic flowchart of a data protection method of an embodiment of the present application is shown in FIG. 8.
  • the data protection method includes S810 and S820.
  • FIG. 8 illustrates the steps or operations of the data protection method, but these steps or operations are merely examples, and other embodiments of the present application may also perform other operations or variations of the operations in FIG. Moreover, the various steps in FIG. 8 may be performed in a different order than that presented in FIG. 8, and it is possible that not all operations in FIG. 8 are to be performed.
  • the processing module in the fourth running space sends a fifth message to the processing module in the second running space, where the fifth message is used to request that the first data is written into the fifth memory, where the abnormality level of the second running space is high.
  • the level of exception in the fourth run space is not limited to:
  • the fourth run space may be the user program space or kernel space shown in FIG. 4, and the second run space may be the super management space shown in FIG.
  • the address of the first data and the fifth memory may be carried in the fifth message.
  • the VA of the first data and the fifth memory may be carried in the fifth message.
  • the first data may include at least one of the following: constant data of the operating system at the compile stage, and constant data of the operating system during the initialization phase.
  • the fifth memory is a memory for storing the first data.
  • the processing module running in the second running space writes the first data into the fifth memory according to the fifth message.
  • the processing module in the fourth running space needs to modify the data in the memory through the processing module in the second running space that is higher than the abnormal level, that is, the processing module in the fourth running space. You can't directly modify the data in memory, so this method can improve the security of the data.
  • the method in the embodiment of the present application can modify the data in the memory as compared with the method in FIG. 5, and thus the flexibility is higher.
  • the processing module running in the second running space may write the first data to the fifth according to the request of the fifth message if the fifth message is sent by a predetermined module.
  • Memory to further improve the security of the data, thereby improving the security of the operating system.
  • the hypervisor writes the first data to the fifth memory only if the operating system's patch calls the hypervisor via the HVC instruction.
  • the S820 may specifically include: when the fifth message is sent by the pre-specified processing module to the processing module running in the second running space, in the second running space The running processing module writes the first data into the fifth memory according to the request of the fifth message.
  • the data protection method shown in FIG. 8 can be used in combination with the method shown in at least one of FIGS. 5 to 7.
  • the data protection device 300 can generate a memory protection table by the method of FIG. 6 and/or FIG. 7, and then can determine whether the memory is protected by the method shown in FIG. 5, and can pass the data protection method shown in FIG. To modify the data.
  • the fourth running space and the first running space may be the same running space.
  • the fourth running space and the first running space may both be kernel space
  • the processing module in the first running space may be an operating system
  • the processing module in the fourth running space may be a patch of an operating system
  • FIG. 9 is a schematic structural diagram of a data protection device according to an embodiment of the present application. It should be understood that the data protection device 900 shown in FIG. 9 is only an example, and the data protection device of the embodiment of the present application may further include other modules or units, or include modules similar to those of the modules in FIG. 9, or Includes all the modules in Figure 9.
  • the data protection device 900 includes a processor execution unit 910 and a memory management unit 920.
  • the operating space divided by the processor execution unit 910 includes a first running space 911 and a second running space 912, and the abnormality level of the second running space is higher than the first An exception level of the running space, the first running space is for running the first processing module, and the second running control is for running the second processing module.
  • the data protection device 900 can be used to perform the steps performed by the data protection device in the data protection method shown in any of Figures 4-8.
  • the first processing module is configured to send a first message to the memory management unit 920, the first message being used to request to modify an attribute of the first memory.
  • the memory management unit 920 is configured to send a second message to the second processing module, where the second message is used to request to determine whether the first memory is protected.
  • the second processing module is configured to determine, according to the pre-acquired memory protection table, whether the first memory is protected.
  • the second processing module sends a third message to the memory management unit 920, where the third message is used to indicate whether to modify the attribute of the first memory.
  • the memory management unit is configured to: when the third message is used to indicate that the attribute of the first memory is modified, modify an attribute of the first memory according to the first message; and use the third message in the third message Instructing not to modify the attribute of the first memory, and refusing to modify the attribute of the first memory.
  • the first processing module is configured to send a fourth message to the second processing module in the second running space, where the fourth message is used to indicate whether the first memory is protected.
  • the second processing module is specifically configured to generate, according to the fourth message, the memory protection table, where the memory protection table is used to record protected memory and/or unprotected memory, where the protected memory includes A memory for storing protected data, including memory for storing unprotected data.
  • the second processing module is specifically configured to: determine that the first memory is used to store protected data or determine that the first memory is used to store unprotected data; and generate the memory protection table,
  • the memory protection table is configured to record the first memory as protected memory or to record the first memory as unprotected memory, where the protected memory includes memory for storing protected data.
  • the unprotected memory includes memory for storing unprotected data.
  • the first running space is a kernel space
  • the first processing module is an operating system
  • the protected data includes: constant data written by the operating system into a memory during a compiling phase, The constant data that the operating system writes to memory during the initialization phase.
  • the data protection device 900 may further include a memory for storing program codes and data executed by the processor execution unit 910.
  • the data protection device 900 can be a cell phone, a tablet, a server, a personal computer, a network router, or a switch.
  • the disclosed apparatus and method can be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the technical solution of the present application which is essential or contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium, including
  • the instructions are used to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present application.
  • the foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory, a magnetic disk, or an optical disk, and the like, which can store program codes.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)

Abstract

The present application provides a data protection method and a data protection device. The data protection method comprises: when a first processing module running in a low exception level first running space requests an attribute of a memory to be modified, a second processing module running in a high exception level second running space acquiring the request, and determining whether the memory is a protected memory; and if the memory is a protected memory, the second processing module running in the high exception level second running space rejecting the modification. The data protection method and the data protection device provided by the present application improve data security.

Description

数据保护方法和数据保护装置Data protection method and data protection device 技术领域Technical field
本申请涉及电子设备领域,更具体地,涉及数据保护方法和数据保护装置。The present application relates to the field of electronic devices, and more particularly to data protection methods and data protection devices.
背景技术Background technique
电子设备上的操作系统中的运行数据都是使用内存进行存储。这些运行数据中有的重要是需要保护的,即不能被随意更改的。The operating data in the operating system on the electronic device is stored using memory. Some of these operational data are important to protect, that is, they cannot be changed at will.
一般来说,这些不可更改的数据被更改的话,会导致电子设备故障或者信息安全漏洞。例如,电子设备上的操行系统中的重要数据被恶意更改的话,会导致操作系统运行错误,从而导致电子设备故障或者信息安全漏洞。In general, these unchangeable data changes can lead to electronic device failure or information security vulnerabilities. For example, if important data in the operating system on the electronic device is maliciously changed, the operating system may be malfunctioning, resulting in electronic device failure or information security vulnerability.
现有的电子设备中,重要数据可以通过如下方式来保护:操作系统将重要数据所在的内存的属性设置为只读,以保护这些重要数据不被恶意修改。In existing electronic devices, important data can be protected by the operating system setting the attributes of the memory in which the important data is located to read-only to protect the important data from malicious modification.
但这种保护方法的安全性较低。例如,恶意软件获取操作系统的管理权限之后,就可以去掉操作系统设置的内存的只读属性,从而可以修改这些重要数据。However, this method of protection is less secure. For example, after the malware obtains the administrative rights of the operating system, the read-only attribute of the memory set by the operating system can be removed, so that the important data can be modified.
因此,需要提出一种安全性更高的数据保护方法来保护数据。Therefore, there is a need to propose a more secure data protection method to protect data.
发明内容Summary of the invention
本申请提供了一种数据保护方法和数据保护装置,有助于提高数据的安全性。The present application provides a data protection method and a data protection device to help improve data security.
第一方面,本申请提供了一种数据保护方法,该数据保护方法由数据保护装置执行,该数据保护装置中包括处理器执行单元和内存管理单元,处理器执行单元划分的运行空间包括第一运行空间和第二运行空间,第二运行空间的异常级别高于第一运行空间的异常级别,该数据保护方法包括:In a first aspect, the present application provides a data protection method, where the data protection method is implemented by a data protection device, where the data protection device includes a processor execution unit and a memory management unit, and the operating space of the processor execution unit partition includes the first The running space and the second running space, the abnormal level of the second running space is higher than the abnormal level of the first running space, and the data protection method comprises:
第一运行空间中运行的第一处理模块向内存管理单元发送第一消息,第一消息用于请求修改第一内存的属性;The first processing module running in the first running space sends a first message to the memory management unit, where the first message is used to request to modify the attribute of the first memory;
内存管理单元向第二运行空间中运行的第二处理模块发送第二消息,第二消息用于请求确定第一内存是否是受保护的;The memory management unit sends a second message to the second processing module running in the second running space, where the second message is used to request to determine whether the first memory is protected;
第二运行空间中运行的第二处理模块根据预先获取的内存保护表,确定第一内存是否是受保护的;The second processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table;
第二运行空间运行的第二处理模块向内存管理单元发送第三消息,第三消息用于指示是否修改第一内存的属性;The second processing module running in the second running space sends a third message to the memory management unit, where the third message is used to indicate whether to modify the attribute of the first memory;
若第三消息用于指示修改第一内存的属性,则内存管理单元根据第一消息修改第一内存的属性;若第三消息用于指示不修改第一内存的属性,则内存管理单元拒绝修改第一内存的属性。If the third message is used to indicate that the attribute of the first memory is modified, the memory management unit modifies the attribute of the first memory according to the first message; if the third message is used to indicate that the attribute of the first memory is not modified, the memory management unit refuses to modify The first memory attribute.
该数据保护方法中,由于第二运行空间的异常级别高于第一运行空间的异常级别,且第一运行空间中的第一处理模块需要修改内存的属性时,需要经过第二运行控制中的第二 处理模块的授权,这使得第一运行控制中的第一处理模块不能随意修改内存的属性,从而不能随意修改内存中的数据,最终有助于提高数据的安全性。In the data protection method, since the abnormal level of the second running space is higher than the abnormal level of the first running space, and the first processing module in the first running space needs to modify the attribute of the memory, it needs to go through the second running control. The authorization of the second processing module enables the first processing module in the first running control to arbitrarily modify the attributes of the memory, so that the data in the memory cannot be arbitrarily modified, and finally helps to improve the security of the data.
在第一种可能的实现方式中,第二运行空间中运行的第二处理模块根据预先获取的内存保护表,确定第一内存是否是受保护的之前,该数据保护方法还包括:In a first possible implementation, before the second processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table, the data protection method further includes:
第一运行空间中的第一处理模块向第二运行空间中的第二处理模块发送第四消息,第四消息用于指示第一内存是否是受保护的;The first processing module in the first running space sends a fourth message to the second processing module in the second running space, where the fourth message is used to indicate whether the first memory is protected;
第二运行空间中的第二处理模块根据第四消息生成内存保护表,内存保护表用于记录受保护的内存和/或不受保护的内存,受保护的内存包括用于存储受保护的数据的内存,不受保护的内存包括用于存储不受保护的数据的内存。The second processing module in the second running space generates a memory protection table according to the fourth message, the memory protection table is used for recording the protected memory and/or the unprotected memory, and the protected memory includes storing the protected data. Memory, unprotected memory includes memory for storing unprotected data.
该实现方式中,可以由第一运行空间中的第一处理模块向第二运行空间中的第二处理模块指示哪些内存是受保护和/或哪些内存是不受保护的。In this implementation, the first processing module in the first runtime may indicate to the second processing module in the second runtime that which memory is protected and/or which memory is unprotected.
在一种可能的实现方式中,第二运行空间中运行的第二处理模块根据预先获取的内存保护表,确定第一内存是否是受保护的之前,该数据保护方法还包括:In a possible implementation, before the second processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table, the data protection method further includes:
第二运行空间中运行的第二处理模块确定第一内存用于存储受保护的数据或确定第一内存用于存储不受保护的数据;The second processing module running in the second running space determines that the first memory is used to store the protected data or the first memory is used to store the unprotected data;
第二运行空间中运行的第二处理模块生成内存保护表,内存保护表用于记录第一内存为受保护的内存或用于记录第一内存为不受保护的内存,受保护的内存包括用于存储受保护的数据的内存,不受保护的内存包括用于存储不受保护的数据的内存。The second processing module running in the second running space generates a memory protection table, where the memory protection table is used to record the first memory as protected memory or to record the first memory as unprotected memory, and the protected memory includes For memory that stores protected data, unprotected memory includes memory for storing unprotected data.
该实现方式中,受保护的内存和/或不受保护的内存可以是预先确定的。In this implementation, protected memory and/or unprotected memory may be predetermined.
在一种可能的实现方式中,第一运行空间为内核空间,第一处理模块为操作系统,所述第二超级管理空间为超级管理空间。其中,受保护的数据包括:操作系统在编译阶段写入内存的常量数据,操作系统在初始化阶段写入内存的常量数据。In a possible implementation manner, the first running space is a kernel space, the first processing module is an operating system, and the second super management space is a super management space. Among them, the protected data includes: constant data written to the memory by the operating system during the compile phase, and constant data written by the operating system during the initialization phase.
在一种可能的实现方式中,数据保护装置为手机、平板电脑、服务器、个人电脑、网络路由器或交换机。In one possible implementation, the data protection device is a mobile phone, a tablet, a server, a personal computer, a network router, or a switch.
第二方面,本申请提供一种数据保护装置,该数据保护装置中包括处理器执行单元和内存管理单元,处理器执行单元划分的运行空间包括第一运行空间和第二运行空间,第二运行空间的异常级别高于第一运行空间的异常级别,第一运行空间用于运行第一处理模块,第二运行空间用于运行第二处理模块。In a second aspect, the application provides a data protection device, where the data protection device includes a processor execution unit and a memory management unit, where the operating space divided by the processor execution unit includes a first running space and a second running space, and the second running The abnormal level of the space is higher than the abnormal level of the first running space, the first running space is used to run the first processing module, and the second running space is used to run the second processing module.
第一处理模块用于向内存管理单元发送第一消息,第一消息用于请求修改第一内存的属性;The first processing module is configured to send a first message to the memory management unit, where the first message is used to request to modify an attribute of the first memory;
内存管理单元用于向第二处理模块发送第二消息,第二消息用于请求确定第一内存是否是受保护的;The memory management unit is configured to send a second message to the second processing module, where the second message is used to request to determine whether the first memory is protected;
第二处理模块用于根据预先获取的内存保护表,确定第一内存是否是受保护的;The second processing module is configured to determine, according to the pre-acquired memory protection table, whether the first memory is protected;
第二处理模块还用于向内存管理单元发送第三消息,第三消息用于指示是否修改第一内存的属性;The second processing module is further configured to send a third message to the memory management unit, where the third message is used to indicate whether to modify the attribute of the first memory;
内存管理单元还用于:第三消息用于指示修改第一内存的属性时根据第一消息修改第一内存的属性,第三消息用于指示不修改第一内存的属性时拒绝修改第一内存的属性。The memory management unit is further configured to: when the third message is used to indicate that the attribute of the first memory is modified, the attribute of the first memory is modified according to the first message, and the third message is used to indicate that the first memory is refused to be modified when the attribute of the first memory is not modified. Attributes.
在一种可能的实现方式中,第一处理模块还用于向第二运行空间中的第二处理模块发送第四消息,第四消息用于指示第一内存是否是受保护的。In a possible implementation, the first processing module is further configured to send a fourth message to the second processing module in the second running space, where the fourth message is used to indicate whether the first memory is protected.
第二处理模块根据预先获取的内存保护表,确定第一内存是否是受保护的之前,还用于:根据第四消息生成内存保护表,内存保护表用于记录受保护的内存和/或不受保护的内存,受保护的内存包括用于存储受保护的数据的内存,不受保护的内存包括用于存储不受保护的数据的内存。The second processing module determines, according to the pre-acquired memory protection table, whether the first memory is protected, and is further configured to: generate a memory protection table according to the fourth message, where the memory protection table is used to record the protected memory and/or not Protected memory, protected memory includes memory for storing protected data, and unprotected memory includes memory for storing unprotected data.
在一种可能的实现方式中,第二处理模块根据预先获取的内存保护表,确定第一内存是否是受保护的之前,还用于:In a possible implementation manner, the second processing module determines, according to the pre-acquired memory protection table, whether the first memory is protected, and is further configured to:
确定第一内存用于存储受保护的数据或确定第一内存用于存储不受保护的数据;Determining that the first memory is used to store protected data or determining that the first memory is used to store unprotected data;
生成内存保护表,该内存保护表用于记录第一内存为受保护的内存或用于记录第一内存为不受保护的内存,受保护的内存包括用于存储受保护的数据的内存,不受保护的内存包括用于存储不受保护的数据的内存。Generating a memory protection table for recording the first memory as protected memory or for recording the first memory as unprotected memory, the protected memory including memory for storing protected data, Protected memory includes memory for storing unprotected data.
在一种可能的实现方式中,第一运行空间为内核空间,第一处理模块为操作系统,第二运行空间为超级管理空间。其中,受保护的数据包括:操作系统在编译阶段写入内存的常量数据,操作系统在初始化阶段写入内存的常量数据。In a possible implementation manner, the first running space is a kernel space, the first processing module is an operating system, and the second running space is a super management space. Among them, the protected data includes: constant data written to the memory by the operating system during the compile phase, and constant data written by the operating system during the initialization phase.
在一种可能的实现方式中,数据保护装置为手机、平板电脑、服务器、个人电脑、网络路由器或交换机。In one possible implementation, the data protection device is a mobile phone, a tablet, a server, a personal computer, a network router, or a switch.
在一种可能的设计中,该数据保护装置为系统芯片,该系统芯片包括处理器和输出接口,该处理器包括处理器执行单元和内存管理单元,该输出接口用于在内存管理单元修改第一内存的属性时,向地址总线输出第一内存的物理地址。In a possible design, the data protection device is a system chip, the system chip includes a processor and an output interface, and the processor includes a processor execution unit and a memory management unit, and the output interface is used to modify the memory management unit. When a memory attribute is used, the physical address of the first memory is output to the address bus.
可选地,该数据保护装置还可以包括存储器,该存储器用于存储器执行单元执行的程序代码、受保护的数据和不受保护的数据。Optionally, the data protection device may further comprise a memory for the program code executed by the memory execution unit, the protected data, and the unprotected data.
第三方面,本申请提供了一种计算机可读存储介质。该计算机可读存储介质中存储用于数据保护装置执行的程序代码。该程序代码包括用于执行第一方面或第一方面中任意一种可能的实现方式中的数据保护方法的指令。In a third aspect, the present application provides a computer readable storage medium. Program code for execution of the data protection device is stored in the computer readable storage medium. The program code includes instructions for performing the data protection method of the first aspect or any of the possible implementations of the first aspect.
第四方面,本申请提供了一种包含指令的计算机程序产品。当该计算机程序产品在数据保护装置上运行时,使得数据保护装置执行第一方面或第一方面中任意一种可能的实现方式中的数据保护方法。In a fourth aspect, the present application provides a computer program product comprising instructions. When the computer program product is run on the data protection device, the data protection device is caused to perform the data protection method in any one of the possible implementations of the first aspect or the first aspect.
第五方面,本申请提供了一种数据保护装置,该数据保护装置中包括处理器执行单元和内存管理单元,处理器执行单元划分的运行空间包括内核空间和超级管理空间,超级管理空间的异常级别高于内核空间的异常级别。In a fifth aspect, the application provides a data protection device, where the data protection device includes a processor execution unit and a memory management unit, and the running space of the processor execution unit partition includes a kernel space and a super management space, and an abnormality of the super management space. The level of exception is higher than the kernel space.
内核空间中运行的操作系统用于向内存管理单元发送第一消息,第一消息用于请求修改第一内存的属性;An operating system running in the kernel space is configured to send a first message to the memory management unit, where the first message is used to request to modify an attribute of the first memory;
内存管理单元用于向超级管理空间中运行的关键数据保护模块发送第二消息,第二消息用于请求确定第一内存是否是受保护的;The memory management unit is configured to send a second message to the critical data protection module running in the super management space, where the second message is used to request to determine whether the first memory is protected;
关键数据保护模块用于根据预先获取的内存保护表,确定第一内存是否是受保护的;The key data protection module is configured to determine whether the first memory is protected according to the pre-acquired memory protection table;
关键数据保护模块还用于向内存管理单元发送第三消息,第三消息用于指示是否修改第一内存的属性;The key data protection module is further configured to send a third message to the memory management unit, where the third message is used to indicate whether to modify the attribute of the first memory;
内存管理单元还用于:第三消息用于指示修改第一内存的属性时根据第一消息修改第一内存的属性,第三消息用于指示不修改第一内存的属性时拒绝修改第一内存的属性。The memory management unit is further configured to: when the third message is used to indicate that the attribute of the first memory is modified, the attribute of the first memory is modified according to the first message, and the third message is used to indicate that the first memory is refused to be modified when the attribute of the first memory is not modified. Attributes.
在一种可能的实现方式中,操作系统还用于向关键数据保护模块发送第四消息,第四 消息用于指示第一内存是否是受保护的。In a possible implementation, the operating system is further configured to send a fourth message to the critical data protection module, where the fourth message is used to indicate whether the first memory is protected.
关键数据保护模块根据预先获取的内存保护表,确定第一内存是否是受保护的之前,还用于:根据第四消息生成内存保护表,内存保护表用于记录受保护的内存和/或不受保护的内存,受保护的内存包括用于存储受保护的数据的内存,不受保护的内存包括用于存储不受保护的数据的内存。The key data protection module determines whether the first memory is protected according to the pre-acquired memory protection table, and is further configured to: generate a memory protection table according to the fourth message, where the memory protection table is used to record the protected memory and/or not Protected memory, protected memory includes memory for storing protected data, and unprotected memory includes memory for storing unprotected data.
在一种可能的实现方式中,关键数据保护模块根据预先获取的内存保护表,确定第一内存是否是受保护的之前,还用于:In a possible implementation manner, the critical data protection module determines whether the first memory is protected according to a pre-acquired memory protection table, and is also used to:
确定第一内存用于存储受保护的数据或确定第一内存用于存储不受保护的数据;Determining that the first memory is used to store protected data or determining that the first memory is used to store unprotected data;
生成内存保护表,该内存保护表用于记录第一内存为受保护的内存或用于记录第一内存为不受保护的内存,受保护的内存包括用于存储受保护的数据的内存,不受保护的内存包括用于存储不受保护的数据的内存。Generating a memory protection table for recording the first memory as protected memory or for recording the first memory as unprotected memory, the protected memory including memory for storing protected data, Protected memory includes memory for storing unprotected data.
在一种可能的实现方式中,受保护的数据包括:操作系统在编译阶段写入内存的常量数据,操作系统在初始化阶段写入内存的常量数据。In a possible implementation, the protected data includes: constant data written by the operating system during the compile phase, and constant data written by the operating system during the initialization phase.
附图说明DRAWINGS
图1是本申请实施例的异常级别的划分示意图;1 is a schematic diagram of dividing an abnormal level according to an embodiment of the present application;
图2是本申请实施例的MMU进行地址映射的示意流程图;2 is a schematic flowchart of performing address mapping by an MMU according to an embodiment of the present application;
图3是本申请另一个实施例的数据保护装置的示意性结构图;3 is a schematic structural diagram of a data protection device according to another embodiment of the present application;
图4是本申请另一个实施例的数据保护装置的示意性结构图;4 is a schematic structural diagram of a data protection device according to another embodiment of the present application;
图5是本申请一个实施例的数据保护方法的示意性流程图;FIG. 5 is a schematic flowchart of a data protection method according to an embodiment of the present application; FIG.
图6是本申请另一个实施例的数据保护方法的示意性流程图;6 is a schematic flowchart of a data protection method according to another embodiment of the present application;
图7是本申请另一个实施例的数据保护方法的示意性流程图;FIG. 7 is a schematic flowchart of a data protection method according to another embodiment of the present application; FIG.
图8是本申请另一个实施例的数据保护方法的示意性流程图;8 is a schematic flowchart of a data protection method according to another embodiment of the present application;
图9是本申请一个实施例的数据保护装置的示意性结构图。FIG. 9 is a schematic structural diagram of a data protection device according to an embodiment of the present application.
具体实施方式Detailed ways
可以应用本申请实施例的数据保护方法和数据保护装置的计算机可以是手机、平板电脑、服务器、个人电脑、网络路由器、可穿戴设备或交换机等电子设备。The computer to which the data protection method and the data protection device of the embodiment of the present application can be applied may be an electronic device such as a mobile phone, a tablet computer, a server, a personal computer, a network router, a wearable device, or a switch.
该计算机中可以包括处理器和存储器。处理器也可以称为中央处理单元(central processing unit,CPU)或中央处理器。A processor and a memory can be included in the computer. The processor may also be referred to as a central processing unit (CPU) or a central processing unit.
该计算机中的处理器的一种示例为精简指令系统(Advanced RISC Machines,ARM)处理器。该计算中的存储器的示例为随机存取存储器(random access memory,RAM)或闪存(Flash)。其中,RAM也可以称为主存或者内存。存储器具有访问权限属性,例如只读、可写、可执行和不可访问。An example of a processor in the computer is an Advanced RISC Machines (ARM) processor. An example of a memory in this calculation is a random access memory (RAM) or a flash memory (Flash). Among them, RAM can also be called main memory or memory. The memory has access rights attributes such as read-only, writable, executable, and inaccessible.
该计算机的处理器中使用了虚拟化技术。虚拟化技术可以隐藏该计算机中的底层物理硬件,从而可以让多个各自独立运行的操作系统(operator system,OS)透明地使用和共享该计算机的硬件资源。简单地说,虚拟化技术可以使得该计算机能并发运行多个OS。Virtualization technology is used in the processor of this computer. Virtualization technology can hide the underlying physical hardware in the computer, allowing multiple independent operating systems (OSs) to transparently use and share the computer's hardware resources. Simply put, virtualization technology can enable the computer to run multiple OSs concurrently.
该计算机中的处理器为程序代码提供了不同的权限级别来访问该计算机中的资源,以保护该计算机中的数据和阻止该计算机中发生恶意行为,从而确保该计算机的安全。The processor in the computer provides different levels of privilege for the program code to access resources in the computer to protect the data in the computer and prevent malicious behavior in the computer, thereby ensuring the security of the computer.
例如,如图1所示,ARM处理器中可以定义四种异常级别(Exception levels,EL),分别为EL0、EL1、EL2和EL3。其中,数值越大的异常级别的等级越高,数值越小的异常级别的等级越低。例如,EL0的等级低于EL1的等级,EL1的等级低于EL2的等级,EL2的等级低于EL3的等级。当然,也可以是数值越大的异常级别的等级越低,数值越小的异常界别的等级越高,本申请实施例对此不作限制。For example, as shown in Figure 1, four exception levels (EL levels) can be defined in the ARM processor, namely EL0, EL1, EL2, and EL3. Among them, the higher the level of the abnormal level, the lower the level of the abnormal level is. For example, the EL0 level is lower than the EL1 level, the EL1 level is lower than the EL2 level, and the EL2 level is lower than the EL3 level. Of course, the lower the level of the abnormal level, the lower the value, and the higher the level of the abnormality, the higher the level of the abnormality.
不同等级的异常级别对应不同等级的运行空间。异常级别的划分或者说运行空间的划分为处理器中所有操作状态的软件提供了逻辑分离的执行权限。应理解,本申请所说的异常级别与计算机科学中常见的等级保护域相似并且支持等级保护域中涉及的概念。Different levels of anomaly levels correspond to different levels of running space. The division of the exception level or the division of the runtime space provides logically separate execution rights for the software for all operational states in the processor. It should be understood that the level of anomaly referred to in this application is similar to that of a hierarchical protection domain that is common in computer science and supports the concepts involved in the level protection domain.
运行在这四种异常级别中每种异常级别下的软件的示例如下。普通的用户应用程序运行在EL0对应的运行空间中;操作系统内核,例如Linux或Windows,可以运行在EL1对应的运行空间中,操作系统内核通常被认为具有特权;管理程序(hypervisor)运行在EL2对应的运行空间中;低级别的固件,例如安全监视器运行在EL3对应的运行空间中。hypervisor也可以称为超级管理器。An example of software running under each of these four exception levels is as follows. A normal user application runs in the runspace corresponding to EL0; an operating system kernel, such as Linux or Windows, can run in the runspace corresponding to EL1, the operating system kernel is usually considered privileged; the hypervisor runs on EL2. In the corresponding running space; low-level firmware, such as the security monitor, runs in the running space corresponding to EL3. The hypervisor can also be called a hypervisor.
管理程序在使能状态下可以为一个或多个操作系统内核提供虚拟化服务。The hypervisor can provide virtualization services to one or more operating system kernels when enabled.
固件是处理器启动时运行的第一个东西。固件提供很多服务,例如,平台初始化、可信任操作系统的安装以及安全监视器的命令的路由等。Firmware is the first thing that runs when the processor starts. The firmware provides a number of services, such as platform initialization, installation of trusted operating systems, and routing of commands for security monitors.
一般来说,一个软件(例如用户的应用程序,操作系统的内核或管理程序)占用一个单独的异常级别,或者说占用一个单独的运行空间。当然,也可以有例外。例如,内核管理程序,例如内核虚拟机(kernel virtual machine,KVM),可以既运行在EL2对应的运行空间中,也可以运行在EL1对应的运行空间中。In general, a piece of software (such as a user's application, the operating system's kernel or hypervisor) occupies a separate level of exception, or a separate run space. Of course, there are exceptions. For example, a kernel management program, such as a kernel virtual machine (KVM), can be run in either the run space corresponding to EL2 or in the run space corresponding to EL1.
该计算机的处理器中,CPU执行单元可以通过内存管理单元(memory management unit,MMU)来管理或访问存储器。例如,MMU可以执行地址映射以及提供内存访问授权等操作。In the processor of the computer, the CPU execution unit can manage or access the memory through a memory management unit (MMU). For example, the MMU can perform address mapping and provide operations such as memory access authorization.
处理器中,不同异常级别对应的运行空间中运行的程序代码对存储器进行访问时,MMU进行不同的地址映射和不同的内存访问授权流程。In the processor, when the program code running in the running space corresponding to different abnormal levels accesses the memory, the MMU performs different address mapping and different memory access authorization processes.
例如,如图2所示,MMU为异常级别为EL0的应用程序与异常级别为EL1的操作系统执行两阶段的地址映射流程,为异常级别为EL3的管理程序和异常级别为EL4的安全监视器执行一个阶段的地址映射流程。For example, as shown in Figure 2, the MMU performs a two-stage address mapping process for an application with an exception level of EL0 and an operating system with an exception level of EL1, a hypervisor with an exception level of EL3 and a security monitor with an exception level of EL4. Perform a phased address mapping process.
两阶段的地址映射流程中,在第一阶段,存储器的虚拟地址(virtual address,VA)转换为中间物理地址(immediate physical address,IPA);在第二阶段,IPA被转换为物理地址(physical address,PA)。In the two-stage address mapping process, in the first phase, the virtual address (VA) of the memory is converted to an intermediate physical address (IPA); in the second phase, the IPA is converted into a physical address (physical address). , PA).
第一阶段的地址转换中,MMU使用的转换表基址寄存器(translation table base registers,TTBR)的一种示例为TTBRn_EL1;第二阶段的地址转换中,MMU使用的转换表的基地址在虚拟化转化表基址寄存器(virtualization translation table base register,VTTBR)0_EL2中被指定。例如,在VTTBR0_EL2中指定存储器底部的一个连续的地址空间作为该转换表中的基地址。In the first stage of address translation, an example of a translation table base register (TTBR) used by the MMU is TTBRn_EL1; in the second stage of address translation, the base address of the conversion table used by the MMU is virtualized. The conversion translation table base register (VTTBR) 0_EL2 is specified. For example, a contiguous address space at the bottom of the memory is specified in VTTBR0_EL2 as the base address in the translation table.
一个阶段的地址映射流程中,MMU可以直接根据VA转换得到PA。其中,管理程序EL2和安全监督器EL3均有属于自己的一阶段转换的表格。管理程序EL2和安全监督器EL3通过各自对应的表格可以直接从虚拟地址转换到物理地址。管理程序EL2对应的转换 表的基地址在TTNR0_EL2中指定,安全监督器EL3对应的转换表的基地址在TTNR0_EL3中指定。在这两个寄存器中,分别指定了存储器底部的一个连续的、且大小可变的地址空间作为管理程序EL2和安全监督器EL3的转换地址表的基地址。In one stage of the address mapping process, the MMU can directly derive the PA according to the VA conversion. Among them, the management program EL2 and the security supervisor EL3 have their own one-stage conversion tables. The hypervisor EL2 and the security supervisor EL3 can directly convert from a virtual address to a physical address through respective corresponding tables. The base address of the conversion table corresponding to the hypervisor EL2 is specified in TTNR0_EL2, and the base address of the conversion table corresponding to the security supervisor EL3 is specified in TTNR0_EL3. In these two registers, a continuous and variable-size address space at the bottom of the memory is respectively designated as the base address of the translation address table of the hypervisor EL2 and the security supervisor EL3.
应理解,上述提到的TTBRn_EL1、TTNR0_EL2和TTNR0_EL3仅是一种示例,在不同的资料中可能会引用不同的名称。It should be understood that the above mentioned TTBRn_EL1, TTNR0_EL2 and TTNR0_EL3 are only an example, and different names may be referred to in different materials.
在上述两个阶段的地址映射流程中,第一个阶段通常在操作系统的控制下执行,第二个阶段通常在管理程序的控制下执行。In the above two stages of the address mapping process, the first phase is usually executed under the control of the operating system, and the second phase is usually executed under the control of the hypervisor.
此处所述的在管理程序的控制下执行,可以理解为:管理程序确定可以访问该IPA或该IPA对应的VA时,才授权MMU进行IPA至PA的转换。The execution of the management program under the control of the management program can be understood as follows: the management program determines that the IPA or the VA corresponding to the IPA can be accessed, and then the MMU is authorized to perform IPA to PA conversion.
本申请实施例的数据保护方法主要是在上述第二个阶段的地址映射流程中,在管理程序的控制下实现的。具体地,计算机中预先存储内存保护表,该内存保护表中记录需要保护和/或不需要保护的存储器的地址信息,并在管理程序中添加处理模块,由该处理模块在内存保护表查询是否包括了操作系统或应用程序请求修改访问属性的存储器的地址信息。若该处理模块查询内存保护表后确定被请求修改访问属性的存储器为受保护的存储器,则拒绝MMU修改该存储器的访问属性。The data protection method of the embodiment of the present application is mainly implemented in the address mapping process of the second stage described above under the control of the management program. Specifically, the memory protection table is pre-stored in the computer, and the memory protection table records address information of the memory that needs to be protected and/or does not need to be protected, and a processing module is added in the management program, and the processing module queries the memory protection table whether Includes address information for the memory that the operating system or application requests to modify access properties. If the processing module queries the memory protection table and determines that the memory requested to modify the access attribute is a protected memory, the MMU is denied to modify the access attribute of the memory.
内存保护表的一个示例如表1所示。表1中,既记录了受保护的内存,也记录了不受保护的内存,第一列记录受保护的内存的虚拟地址,第二列记录不受保护的内存的虚拟地址。An example of a memory protection table is shown in Table 1. In Table 1, both protected memory and unprotected memory are recorded, the first column records the virtual address of the protected memory, and the second column records the virtual address of the unprotected memory.
表1内存保护表Table 1 memory protection table
受保护的内存的虚拟地址Protected memory virtual address 不受保护的内存的虚拟地址Virtual address of unprotected memory
0x40000000-0x600000000x40000000-0x60000000 0x00000000-0x300000000x00000000-0x30000000
例如,计算机下载了恶意软件,或者浏览的网页中携带了恶意插件后,恶意软件或者For example, if a computer downloads malware, or if a web page is viewed with a malicious plugin, the malware or
恶意插件对操作系统发起攻击,获取操作系统的管理权限,控制操作系统将虚拟地址为0x41115000至0x41116000的内存的访问属性从可写修改为只读,以便于恶意软件或恶意插件修改该内存中的数据时时,管理程序在MMU对该存储器的地址进行第二阶段的映射的过程中,从内存保护表中查询获知该存储器是受保护的,从而拒绝MMU进行第二阶段的地址映射流程,即拒绝恶意软件或恶意插件的攻击,保护了存储器中的数据。The malicious plug-in attacks the operating system, obtains the management rights of the operating system, and controls the operating system to change the access attribute of the memory whose virtual address is 0x41115000 to 0x41116000 from writable to read-only, so that the malware or malicious plug-in can modify the in-memory. Data time, the management program in the process of the second stage mapping of the address of the memory by the MMU, the memory protection table is queried to know that the memory is protected, thereby rejecting the MMU to perform the second stage address mapping process, that is, rejecting Attacks by malware or malicious plugins protect the data in memory.
可选地,管理程序拒绝恶意软件或恶意插件修改存储器的访问属性后,还可以发出受保护存储器受到攻击的提示信息,例如,弹出显示框或发送警报声等。Optionally, after the hypervisor rejects the malware or the malicious plug-in to modify the access attribute of the memory, the management program may also issue a prompt message that the protected memory is attacked, for example, popping up a display box or sending an alarm sound.
下面以图3所示的数据保护装置300为例,介绍本申请提出的数据保护方法。应理解,图3示出的数据保护装置300仅是示例,本申请实施例的数据保护装置还可包括其他模块或单元,或者包括与图3中的各个模块的功能相似的模块,或者并非要包括图3中所有模块。The data protection device 300 shown in FIG. 3 is taken as an example to describe the data protection method proposed in the present application. It should be understood that the data protection device 300 shown in FIG. 3 is only an example, and the data protection device of the embodiment of the present application may further include other modules or units, or include modules similar to those of the modules in FIG. 3, or Includes all the modules in Figure 3.
图3所示的数据保护装置300包括处理器310和存储器320。存储器可以与处理器310交换数据。The data protection device 300 shown in FIG. 3 includes a processor 310 and a memory 320. The memory can exchange data with the processor 310.
存储器320的一种示例为随机存取存储器(random access memory,RAM)。RAM也可以称为主存或者内存。存储器320的另一种示例为闪存(Flash)。应理解,后续实施例中的内存可以替换为闪存。An example of the memory 320 is a random access memory (RAM). RAM can also be called main memory or memory. Another example of the memory 320 is a flash memory. It should be understood that the memory in subsequent embodiments may be replaced with a flash memory.
处理器310的一种示例为中央处理单元(central processing unit,CPU)。CPU也可以 称为中央处理器。One example of processor 310 is a central processing unit (CPU). The CPU can also be called a central processor.
处理器310中可以包括CPU执行单元311和内存管理单元312。应理解,此处MMU集成在处理器310内只是一种示例,MMU也可以位于处理器310之外。A CPU execution unit 311 and a memory management unit 312 may be included in the processor 310. It should be understood that the integration of the MMU herein within the processor 310 is just one example, and the MMU may also be located outside of the processor 310.
如图4所示,处理器310中定义了四种异常级别(exception level,EL)。或者可以说,CPU执行单元311执行的程序代码可以分为四种异常级别。这四个异常级别从低到高分别为EL0、EL1、EL2和EL3。EL0、EL1、EL2和EL3对应四个运行空间。As shown in FIG. 4, four exception levels (ELs) are defined in the processor 310. Alternatively, it can be said that the program code executed by the CPU execution unit 311 can be classified into four types of abnormalities. The four exception levels are EL0, EL1, EL2, and EL3 from low to high. EL0, EL1, EL2 and EL3 correspond to four operating spaces.
其中,EL0对应的运行空间为用户程序空间,用户程序空间用于运行用户程序。用户程序也可以称为应用程序。The running space corresponding to EL0 is the user program space, and the user program space is used to run the user program. User programs can also be called applications.
EL1对应的运行空间为内核(kernel)空间,内核空间用于运行操作系统(operating system,OS)。内核空间中运行的操作系统也可以称为客户端(guest)操作系统。The running space corresponding to EL1 is a kernel space, and the kernel space is used to run an operating system (OS). An operating system running in kernel space can also be referred to as a guest operating system.
EL2对应的运行空间为超级管理空间。超级管理空间用于运行管理程序(hypervisor)。hypervisor也可以称为虚拟机监视器(virtual machine monitor)。hypervisor是一种运行在物理硬件和操作系统之间的中间软件层,可允许多个操作系统和应用程序共享一套基础物理硬件。The running space corresponding to EL2 is the super management space. The super management space is used to run the hypervisor. The hypervisor can also be called a virtual machine monitor. The hypervisor is an intermediate layer of software that runs between physical hardware and the operating system, allowing multiple operating systems and applications to share a single set of physical hardware.
从系统安全的角度来看,hypervisor的主要功能是内存管理和中断拦截,通过这两种方式,hypervisor可以很好地监控内核空间中的操作系统的运行。From a system security perspective, the main function of the hypervisor is memory management and interrupt interception. In these two ways, the hypervisor can well monitor the operation of the operating system in kernel space.
hypervisor可以通过MMU 312的两阶段(stage 2)内存映射功能来实现内存管理。MMU 312可以通过影子页表或EPT页表等技术来实现存储管理。The hypervisor can implement memory management through the MMU 312's two-stage (stage 2) memory mapping function. The MMU 312 can implement storage management through techniques such as a shadow page table or an EPT page table.
如图4所示,MMU 312接收到从用户程序空间或内核空间发送的VA后,在阶段1(stage-1),可以将内核空间中的操作系统或用户程序空间中的用户程序发送的地址映射到中间物理地址;在阶段2(stage-2),可以将IPA映射到内存芯片的地址。As shown in FIG. 4, after the MMU 312 receives the VA sent from the user program space or the kernel space, in stage 1 (stage-1), the address can be sent by the user program in the kernel space or the user program in the user program space. Map to intermediate physical address; in stage 2 (stage-2), IPA can be mapped to the address of the memory chip.
其中,内核空间中的操作系统或用户程序空间中的用户程序发送的地址可以称为虚拟地址,或者说,操作系统或用户程序可见的地址为VA;内存芯片的真实地址称为物理地址;VA映射至PA的过程中所使用的地址均可以称为IPA。The address sent by the user program in the kernel space or the user program space in the user program space may be referred to as a virtual address, or the address visible to the operating system or the user program is VA; the real address of the memory chip is called a physical address; VA The address used in the process of mapping to the PA can be referred to as IPA.
应注意的是,stage-2内存映射功能只对内核空间中运行的操作系统和用户程序空间中的用户程序有效。也就是说,内核空间中运行的操作系统和用户程序空间中的用户程序访问内存时才需要使用stage-2内存映射功能。It should be noted that the stage-2 memory map function is only valid for operating systems running in kernel space and user programs in user program space. That is to say, the stage-2 memory mapping function is required only when the operating system running in kernel space and the user program in the user program space access memory.
上面介绍的MMU 312的两阶段内存映射功能的实现方式仅是一种示例。MMU 312的两阶段内存映射功能的实现方式可以参考现有技术,此处不再赘述。The implementation of the two-stage memory mapping feature of the MMU 312 described above is only an example. For the implementation of the two-stage memory mapping function of the MMU 312, reference may be made to the prior art, and details are not described herein again.
内存具有访问权限属性。为了描述方面,本申请实施例中将内存的访问权限属性简称为内存的属性。Memory has access rights properties. For the description, the access permission attribute of the memory is simply referred to as the attribute of the memory in the embodiment of the present application.
内存的属性可以包括只读、可写、不可访问和可执行。其中,内存的属性为只读是指只能读取该内存中的内容,而不能修改该内存中的内容;内存的属性为可写是指即可以读取该内存中的内容,也可以修改该内存中的内容。Memory attributes can include read-only, writable, inaccessible, and executable. The memory attribute is read-only, which means that only the content in the memory can be read, and the content in the memory cannot be modified; if the attribute of the memory is writable, the content in the memory can be read, or can be modified. The contents of this memory.
MMU 312接收内核空间中的操作系统或用户程序空间中的用户程序发送的地址后,可以根据该地址所对应的内存的属性来访问该地址对应的内存中的内容。After receiving the address sent by the user program in the kernel space or the user program space in the user program space, the MMU 312 can access the content in the memory corresponding to the address according to the attribute of the memory corresponding to the address.
例如,若内核空间中的操作系统或用户程序空间中的用户程序请求MMU 312向某个地址对应的内存中写入数据,且该地址所对应的内存的属性为可写时,MMU 312将该地址映射到内存的物理地址后,将该物理地址发送到地址总线,以便于数据写到该内存中。For example, if the operating system in the kernel space or the user program in the user program space requests the MMU 312 to write data to the memory corresponding to an address, and the attribute of the memory corresponding to the address is writable, the MMU 312 will After the address is mapped to the physical address of the memory, the physical address is sent to the address bus for data to be written to.
例如,若内核空间中的操作系统或用户程序空间中的用户程序请求MMU 312向某个地址对应的内存中写入数据,但该地址所对应的内存的属性为只读时,MMU 312拒绝该请求。MMU 312拒绝该请求的一种示例为进行异常提示。For example, if the operating system in the kernel space or the user program in the user program space requests the MMU 312 to write data to the memory corresponding to an address, but the attribute of the memory corresponding to the address is read-only, the MMU 312 rejects the request. An example of the MMU 312 rejecting the request is to make an exception prompt.
数据保护装置300中,内核空间中运行的操作系统可以通过超级管理调用(hypervisor call,HVC)指令调用hypervisor。In the data protection device 300, an operating system running in kernel space can invoke a hypervisor through a hypervisor call (HVC) instruction.
EL4对应的安全监视(secure monitor)空间用于运行处理器的安全监控模块。The security monitor space corresponding to the EL4 is used to run the security monitoring module of the processor.
应理解,图4所示的处理器中的运行空间的划分仅是一种示例,处理器中可以划分更多或更少的运行空间,本申请对此不作限制。It should be understood that the division of the running space in the processor shown in FIG. 4 is only an example, and more or less running space may be divided in the processor, which is not limited in this application.
本申请提出的数据保护方法主要包括:低异常级别的运行空间中运行的程序代码请求修改内存的属性时,高异常级别的运行空间中运行的程序代码捕获该请求,并判断该内存是否为受保护的内存;若该内存为该受保护的内存,则高异常级别的运行空间中运行的程序代码拒绝这次修改。The data protection method proposed by the present application mainly includes: when the program code running in the running space of the low abnormal level requests to modify the attribute of the memory, the program code running in the running space of the high abnormal level captures the request, and determines whether the memory is subjected to the request. Protected memory; if the memory is the protected memory, the program code running in the high exception level runtime rejects this modification.
本申请一个实施例的数据保护方法的示意性流程图如图5所示。该数据保护方法可以由数据保护装置300执行。图5所示的数据保护方法包括S510、S520、S530、S540和S550。A schematic flowchart of a data protection method of an embodiment of the present application is shown in FIG. 5. This data protection method can be performed by the data protection device 300. The data protection method shown in FIG. 5 includes S510, S520, S530, S540, and S550.
应理解,图5示出了该数据保护方法的步骤或操作,但这些步骤或操作仅是示例,本申请实施例还可以执行其他操作或者图5中的各个操作的变形。此外,图5中的各个步骤可以按照与图5呈现的不同的顺序来执行,并且有可能并非要执行图5中的全部操作。It should be understood that FIG. 5 shows the steps or operations of the data protection method, but these steps or operations are merely examples, and other embodiments of the present application may also perform other operations or variations of the operations in FIG. 5. Moreover, the various steps in FIG. 5 may be performed in a different order than that presented in FIG. 5, and it is possible that not all operations in FIG. 5 are to be performed.
S510,第一运行空间中运行的处理模块向MMU发送第一消息,第一消息用于请求修改第一内存的属性。相应地,MMU接收该消息。S510. The processing module running in the first running space sends a first message to the MMU, where the first message is used to request to modify the attribute of the first memory. Accordingly, the MMU receives the message.
为了描述方便,第一运行空间中运行的该处理模块可以称为第一处理模块。第一内存是指第一消息请求修改属性的内存。For convenience of description, the processing module running in the first running space may be referred to as a first processing module. The first memory refers to the memory of the first message requesting modification of the attribute.
第一运行空间可以是图4中所示的用户程序空间或内核空间。第一运行空间为用户程序空间时,第一处理模块可以是用户程序;第一运行空间为内核空间时,第一处理模块可以是操作系统。The first run space may be the user program space or kernel space shown in FIG. When the first running space is a user program space, the first processing module may be a user program; when the first running space is a kernel space, the first processing module may be an operating system.
第一消息中可以包括第一内存的VA和第一内存的目标属性。也就是说,第一消息用于请求MMU将第一内存的属性修改为目标属性。第一内存的目标属性可以包括只读、可写、可执行和不可访问中至少一种。The first message may include a VA of the first memory and a target attribute of the first memory. That is, the first message is used to request the MMU to modify the attribute of the first memory to the target attribute. The target attribute of the first memory may include at least one of read-only, writable, executable, and inaccessible.
请求将第一内存的目标属性修改可写的第一消息的一种实例为set_memory_RW;请求将第一内存的目标属性修改只读的第一消息的一种实例为set_memory_RO。An example of requesting to modify the target attribute of the first memory to be writable is an instance of set_memory_RW; an instance of the first message requesting modification of the target attribute of the first memory to read-only is set_memory_RO.
S520,MMU向第二运行空间中运行的处理模块发送第二消息,第二消息用于请求该处理模块确定第一内存是否是受保护的,第二运行空间的异常级别高于第一运行空间的异常级别。相应地,第二运行空间中运行的处理模块接收第二消息。S520, the MMU sends a second message to the processing module running in the second running space, where the second message is used to request the processing module to determine whether the first memory is protected, and the abnormality level of the second running space is higher than the first running space. The level of exception. Correspondingly, the processing module running in the second runtime space receives the second message.
为了描述方便,第二运行空间中运行的处理模块可以称为第二处理模块或者内核关键数据保护(kernel critical data protection)模块。第二处理模块或者内核关键数据保护模块可以是hypervisor中的处理模块。For convenience of description, the processing module running in the second running space may be referred to as a second processing module or a kernel critical data protection module. The second processing module or the kernel critical data protection module may be a processing module in the hypervisor.
第二运行空间可以为图4中所示的超级管理空间。The second run space may be the super management space shown in FIG.
可选地,第二消息也可以理解为用于请求第二处理模块确定是否可以修改第一内存的属性,或者可以理解为用于请求第二处理模块确定第一内存中的数据是否是受保护的。Optionally, the second message is also understood to be used to request the second processing module to determine whether the attribute of the first memory can be modified, or can be understood to be used to request the second processing module to determine whether the data in the first memory is protected. of.
第二消息中可以包括第一内存的地址。例如,第二消息中可以包括第一内存的VA。The address of the first memory may be included in the second message. For example, the VA of the first memory may be included in the second message.
可选地,第二消息中包括的信息可以与第一消息中包括的信息相同。Optionally, the information included in the second message may be the same as the information included in the first message.
S530,第二运行空间中运行的处理模块根据预先获取的内存保护表,确定第一内存是否是受保护的,其中,内存保护表用于记录受保护的内存和/或不受保护的内存。S530. The processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table, where the memory protection table is used to record the protected memory and/or the unprotected memory.
受保护的内存可以理解为存储了受保护的数据。受保护的数据可以包括以下至少一种数据:操作系统的常量数据或操作系统在运行过程中生成的需要保护的数据。操作系统的常量数据可以包括以下至少一种数据:操作系统在编译阶段出现的常量数据和操作系统在初始化阶段出现的常量数据。Protected memory can be understood as storing protected data. The protected data may include at least one of the following: constant data of the operating system or data generated by the operating system during operation that needs to be protected. The constant data of the operating system may include at least one of the following: constant data that appears during the compilation phase of the operating system and constant data that appears during the initialization phase of the operating system.
从另一个角度来说,受保护的内存的解释可以包括:该内存的属性不可以从只读、不可访问、可执行中任意一种修改为可写;不受保护的内存的解释可以包括:该内存的属性可以从任意属性修改为其他任意属性。From another perspective, the interpretation of the protected memory may include that the attributes of the memory may not be modified from write-only, inaccessible, executable to writable; the interpretation of the unprotected memory may include: The properties of this memory can be modified from any property to any other property.
内存保护表记录受保护的内存和/或不受保护的内存的一种实现方式可以包括:内存保护表中记录受保护的内存的地址和/或不受保护的内存的地址。One way in which the memory protection table records protected memory and/or unprotected memory may include: recording the address of the protected memory and/or the address of the unprotected memory in the memory protection table.
例如,内存保护表中可以记录受保护的内存的VA地址和/或不受保护的内存的VA地址。For example, the memory protection table can record the VA address of the protected memory and/or the VA address of the unprotected memory.
在一种可能的实现方式中,内存保护表中可以仅记录受保护的内存。这种实现方式中,第二运行空间中运行的处理模块根据预先获取的内存保护表,确定第一内存是否是受保护的,可以包括:若内存保护表中记录的受保护的内存中包括了第一内存,则第二运行空间中运行的处理模块确定第一内存是受保护的;若内存保护中记录的受保护的内存中不包括第一内存,则第二运行空间中运行的处理模块确定第一内存是不受保护的。In one possible implementation, only the protected memory can be recorded in the memory protection table. In this implementation manner, the processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table, and may include: if the protected memory recorded in the memory protection table is included The first memory, the processing module running in the second running space determines that the first memory is protected; if the protected memory recorded in the memory protection does not include the first memory, the processing module running in the second running space Make sure the first memory is unprotected.
在一种可能的实现方式中,内存保护表中可以仅记录不受保护的内存。这种实现方式汇总,第二运行空间中运行的处理模块根据预先获取的内存保护表,确定第一内存是否是受保护的,可以包括:若内存保护表中记录的不受保护的内存中不包括第一内存,则第二运行空间中运行的处理模块确定第一内存是受保护的;若内存保护中记录的不受保护的内存中包括第一内存,则第二运行空间中运行的处理模块确定第一内存是不受保护的。In one possible implementation, only unprotected memory can be recorded in the memory protection table. According to the implementation manner, the processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table, and may include: if the unprotected memory recorded in the memory protection table is not Including the first memory, the processing module running in the second running space determines that the first memory is protected; if the unprotected memory recorded in the memory protection includes the first memory, the processing running in the second running space The module determines that the first memory is unprotected.
在一种可能的实现方式中,内存保护表中可以既记录受保护的内存,也记录不受保护的内存。这种实现方式中,第二运行空间中运行的处理模块根据预先获取的内存保护表,确定第一内存是否是受保护的,可以包括:若内存保护表中记录的受保护的内存中包括第一内存,则第二运行空间中运行的处理模块确定第一内存是受保护的;若内存保护表中记录的不受保护的内存中包括第一内存,则第二运行空间中运行的处理模块确定第一内存是不受保护的。In a possible implementation, the memory protection table can record both protected memory and unprotected memory. In this implementation manner, the processing module running in the second running space determines whether the first memory is protected according to the pre-acquired memory protection table, and may include: if the protected memory recorded in the memory protection table includes the first a memory, the processing module running in the second running space determines that the first memory is protected; if the unprotected memory recorded in the memory protection table includes the first memory, the processing module running in the second running space Make sure the first memory is unprotected.
S540,第二运行空间中运行的处理模块向MMU发送第三消息,其中,第三消息用于指示MMU是否修改第一内存的属性。相应地,MMU接收第三消息。S540: The processing module running in the second running space sends a third message to the MMU, where the third message is used to indicate whether the MMU modifies the attribute of the first memory. Accordingly, the MMU receives the third message.
例如,S530中,若第二处理模块确定第一内存是不受保护的,则第三消息用于指示MMU修改第一内存的属性;若第二处理模块确定第一内存是受保护的,则第三消息用于指示MMU不修改第一内存的属性。For example, in S530, if the second processing module determines that the first memory is unprotected, the third message is used to instruct the MMU to modify the attribute of the first memory; if the second processing module determines that the first memory is protected, The third message is used to indicate that the MMU does not modify the attributes of the first memory.
S550,若第三消息用于指示MMU修改第一内存的属性,则MMU根据第一消息修改第一内存的属性;若第三消息用于指示MMU不修改第一内存的属性,则MMU拒绝修改第一内存的属性。S550, if the third message is used to instruct the MMU to modify the attribute of the first memory, the MMU modifies the attribute of the first memory according to the first message; if the third message is used to indicate that the MMU does not modify the attribute of the first memory, the MMU refuses to modify The first memory attribute.
例如,若第三消息用于指示MMU修改第一内存的属性,且第一消息中包括第一内存 的地址和第一内存的目标属性,则MMU将第一内存的属性修改为目标属性。For example, if the third message is used to instruct the MMU to modify the attribute of the first memory, and the first message includes the address of the first memory and the target attribute of the first memory, the MMU modifies the attribute of the first memory to the target attribute.
例如,若第三消息用于指示MMU不修改第一内存的属性,则MMU可以向第一处理模块返回异常操作提示。For example, if the third message is used to indicate that the MMU does not modify the attributes of the first memory, the MMU may return an abnormal operation prompt to the first processing module.
图5所示的数据保护方法中,由于低异常级别的运行空间中运行的处理模块不能修改搞特别级别的运行空间中的代码逻辑和功能,因此,在低异常级别的运行空间中的处理模块的权限被恶意程序或外部装置获取的情况下,依然可以保护需要保护的重要数据,从而可以提高数据的安全性。In the data protection method shown in FIG. 5, since the processing module running in the running space of the low abnormal level cannot modify the code logic and function in the running space of the special level, the processing module in the running space of the low abnormal level When the permissions are acquired by malicious programs or external devices, important data that needs to be protected can still be protected, thereby improving data security.
例如,即使操作系统管理员权限和账户被恶意程序获取的情况下,依然可以保护操作系统中的重要数据,从而可以提高操作系统中的数据的安全性。For example, even if the operating system administrator rights and accounts are acquired by malicious programs, important data in the operating system can be protected, thereby improving the security of data in the operating system.
本申请另一个实施例中,用于辅助保护数据的方法的示意性流程图如图6所示。图6所示的方法可以包括S610和S620。该方法可以由数据保护装置300执行。In another embodiment of the present application, a schematic flowchart of a method for assisting in protecting data is shown in FIG. 6. The method shown in FIG. 6 may include S610 and S620. The method can be performed by data protection device 300.
应理解,图6示出了该方法的步骤或操作,但这些步骤或操作仅是示例,本申请实施例还可以执行其他操作或者图6中的各个操作的变形。此外,图6中的各个步骤可以按照与图6呈现的不同的顺序来执行,并且有可能并非要执行图6中的全部操作。It should be understood that FIG. 6 illustrates the steps or operations of the method, but these steps or operations are merely examples, and other embodiments of the present application may also perform other operations or variations of the various operations in FIG. 6. Moreover, the various steps in FIG. 6 may be performed in a different order than that presented in FIG. 6, and it is possible that not all operations in FIG. 6 are to be performed.
S610,第三运行空间中运行的处理模块向第二运行空间中运行的处理模块发送第四消息,第四消息用于指示第二内存是否应受到保护。相应地,第二运行空间中的处理模块接收第四消息。S610. The processing module running in the third running space sends a fourth message to the processing module running in the second running space, where the fourth message is used to indicate whether the second memory should be protected. Correspondingly, the processing module in the second runtime receives the fourth message.
其中,第三运行空间中可以是图4中所示的用户程序空间或内核空间。第二运行空间可以是图4中所示的超级管理空间。The third running space may be the user program space or the kernel space shown in FIG. 4. The second run space may be the super management space shown in FIG.
可选地,第三运行空间与第一运行空间可以是同一运行空间。第二运行空间中运行的处理模块可以是第二处理模块或内核关键数据保护模块。Optionally, the third running space and the first running space may be the same running space. The processing module running in the second running space may be a second processing module or a kernel critical data protection module.
第四消息也可以理解为用于指示第二内存中存储的数据应受到保护,或者,可以理解为用于指示第二内存的属性不能从只读、可执行和不可访问中任意一种修改为可写,或者,可以理解为用于指示第二内存中存储的数据不应被修改。The fourth message may also be understood to indicate that the data stored in the second memory should be protected, or may be understood to indicate that the attribute of the second memory cannot be modified from any of read-only, executable, and inaccessible to Writable, or, can be understood as indicating that the data stored in the second memory should not be modified.
应受到保护或不应被修改的数据可以包括以下至少一种数据:操作系统在编译阶段存储到内存中的常量数据,操作系统在初始化阶段存储到内存中的常量数据,操作系统或用户程序在运行阶段存储到内存中且不能被修改的数据。Data that should be protected or should not be modified may include at least one of the following: constant data stored by the operating system in memory during the compilation phase, constant data stored in memory during the initialization phase of the operating system, operating system or user program at Data that is stored in memory during the run phase and cannot be modified.
第四消息中可以包括第二内存的地址。例如,第四消息中可以包括第二内存的VA。The address of the second memory may be included in the fourth message. For example, the VA of the second memory may be included in the fourth message.
在一种可能的实现方式中,第三运行空间中运行的处理模块向第二运行空间中运行的处理模块发送第四消息可以包括:第三运行空间中运行的处理模块调用第二运行空间中运行的处理模块,并在调用时,通过接口将第四消息传递给第二运行空间中运行的处理模块。In a possible implementation, the sending, by the processing module running in the third running space, the fourth message to the processing module running in the second running space may include: the processing module running in the third running space is called in the second running space. The processing module is executed, and when invoked, the fourth message is delivered to the processing module running in the second running space through the interface.
例如,内核空间中运行的操作系统可以通过HVC指令调用超级管理空间中运行的hypervisor,以便于hypervisor根据第四消息生成内存保护表。For example, an operating system running in kernel space can invoke a hypervisor running in a hypervisor space through an HVC instruction, so that the hypervisor generates a memory protection table based on the fourth message.
S620,第二运行空间中运行的处理模块根据第四消息得到内存保护表,该内存保护表用于记录受保护和/或不受保护的内存。其中,第二运行空间的异常级别高于第三运行空间的异常级别。S620. The processing module running in the second running space obtains a memory protection table according to the fourth message, where the memory protection table is used to record the protected and/or unprotected memory. The abnormality level of the second running space is higher than the abnormal level of the third running space.
例如,内存保护表仅用于记录受保护的内存时,若第四消息用于指示第二内存应受保护,则第二运行空间中运行的处理模块可以将第二内存记录到内存保护表中;若第四消息用于指示第二内存不应受保护,则第二运行空间中运行的处理模块不会将第二内存记录到 内存保护表中。For example, when the memory protection table is only used to record the protected memory, if the fourth message is used to indicate that the second memory should be protected, the processing module running in the second running space can record the second memory into the memory protection table. If the fourth message is used to indicate that the second memory should not be protected, the processing module running in the second running space does not record the second memory into the memory protection table.
例如,内存保护表仅用于记录不受保护的内存时,若第四消息用于指示第二内存不应受保护,则第二运行空间中运行的处理模块可以将第二内存记录到内存保护表中;若第四消息用于指示第二内存应受保护,则第二运行空间中运行的处理模块不会将第二内存记录到内存保护表中。For example, when the memory protection table is only used to record unprotected memory, if the fourth message is used to indicate that the second memory should not be protected, the processing module running in the second running space can record the second memory to the memory protection. In the table, if the fourth message is used to indicate that the second memory should be protected, the processing module running in the second running space does not record the second memory into the memory protection table.
例如,内存保护表既用于记录受保护的内存,又用于记录不受保护的内存时,若第四消息用于指示第二内存应受保护,则第二运行空间中运行的处理模块可以将第二内存记录到内存保护表中,并标识第二内存为受保护的内存;若第四消息用于指示第二内存不应受保护,则第二运行空间中运行的处理模块可以将第二内存记录到内存保护表中,并标识第二内存为不受保护的内存。For example, when the memory protection table is used to record both the protected memory and the unprotected memory, if the fourth message is used to indicate that the second memory should be protected, the processing module running in the second running space may Recording the second memory into the memory protection table and identifying the second memory as protected memory; if the fourth message is used to indicate that the second memory should not be protected, the processing module running in the second running space may be The second memory is logged to the memory protection table and identifies the second memory as unprotected memory.
本申请实施例的一个示例中包括:操作系统在编译阶段将常量数据写入内存,且将该内存的属性标识为只读后,通过HVC指令调用hypervisor,将该内存记录为受保护的内存。An example of the embodiment of the present application includes: the operating system writes constant data into the memory during the compiling phase, and after identifying the attribute of the memory as read-only, the hypervisor is called by the HVC instruction, and the memory is recorded as the protected memory.
本申请实施例的另一个示例中包括:操作系统在初始化阶段将常量数据写入内存,且将该内存的属性标识为只读后,通过HVC治疗调用hypervisor,将该内存记录为受保护的内存。Another example of the embodiment of the present application includes: the operating system writes constant data into the memory during the initialization phase, and after identifying the attribute of the memory as read-only, calls the hypervisor through HVC therapy, and records the memory as protected memory. .
本申请实施例的另一个示例中包括:操作系统在运行阶段将数据写入内存,且将该内存的属性标识为只读后,通过HVC治疗调用hypervisor,将该内存记录为受保护的内存。In another example of the embodiment of the present application, the operating system writes data into the memory during the running phase, and after identifying the attribute of the memory as read-only, the hypervisor is invoked by the HVC treatment, and the memory is recorded as the protected memory.
在本申请的一个实施例中,S530中所使用的内存保护表可以通过图6所示的方法得到。换句话说,S530中所使用的内存保护表可以是S620中得到的内存保护表。In one embodiment of the present application, the memory protection table used in S530 can be obtained by the method shown in FIG. 6. In other words, the memory protection table used in S530 can be the memory protection table obtained in S620.
S530中所使用的内存保护表为S620中得到的内存保护表时,第二内存与第一内存可以是同一内存;第三运行空间与第一运行空间可以是相同的运行空间,也可以是不同的运行空间。When the memory protection table used in the S530 is the memory protection table obtained in the S620, the second memory and the first memory may be the same memory; the third running space and the first running space may be the same running space, or may be different. Running space.
第三运行空间与第一运行空间是相同的运行空间时,第三运行空间中运行的处理模块与第一处理模块可以是相同的处理模块。例如,第一运行空间与第三运行空间均为内核空间,第三运行空间中运行的处理模块与第一处理模块均为操作系统。When the third running space and the first running space are the same running space, the processing module running in the third running space and the first processing module may be the same processing module. For example, the first running space and the third running space are both kernel spaces, and the processing module and the first processing module running in the third running space are both operating systems.
例如,操作系统在编译阶段将常量数据或者在初始化阶段将常量数据或者在运行阶段将数据写入第一内存,且将第一内存的属性标识为只读后,可以通过HVC指令调用hypervisor,在内存保护表中记录第一内存为受保护的内存。这样,操作系统向MMU发送第一消息,请求修改第一内存的属性时,MMU可以向hypervisor发送第二消息,请求hypervisor确定第一内存是否是受保护的。由于内存保护表中记录了第一内存是受保护的内存,因此,hypervisor指示MMU不能修改第一内存的属性。For example, after the operating system writes constant data in the compile phase or writes the constant data in the initialization phase or writes the data to the first memory in the running phase, and identifies the attribute of the first memory as read-only, the hypervisor can be called by the HVC instruction. The first memory is recorded as protected memory in the memory protection table. In this way, when the operating system sends a first message to the MMU requesting to modify the attribute of the first memory, the MMU may send a second message to the hypervisor requesting the hypervisor to determine whether the first memory is protected. Since the first memory is protected memory in the memory protection table, the hypervisor indicates that the MMU cannot modify the attributes of the first memory.
第三运行空间与第一运行空间不是相同的运行空间的一种示例为:第一运行空间为用户程序空间,第三运行空间为内核空间,第一处理模块为操作系统,第三运行空间中的处理模块为用户程序。An example of the running space that is not the same as the first running space is that the first running space is a user program space, the third running space is a kernel space, the first processing module is an operating system, and the third running space is in a third running space. The processing module is a user program.
本申请又一个实施例中,用于辅助保护数据的方法的示意性流程图如图7所示。图7所示的方法可以包括S710和S720。该方法可以由数据保护装置300执行。In another embodiment of the present application, a schematic flowchart of a method for assisting in protecting data is shown in FIG. 7. The method shown in FIG. 7 may include S710 and S720. The method can be performed by data protection device 300.
应理解,图7示出了该方法的步骤或操作,但这些步骤或操作仅是示例,本申请实施例还可以执行其他操作或者图7中的各个操作的变形。此外,图7中的各个步骤可以按照与图7呈现的不同的顺序来执行,并且有可能并非要执行图7中的全部操作。It should be understood that FIG. 7 illustrates the steps or operations of the method, but these steps or operations are merely examples, and other embodiments of the present application may also perform other operations or variations of the various operations in FIG. Moreover, the various steps in FIG. 7 may be performed in a different order than that presented in FIG. 7, and it is possible that not all operations in FIG. 7 are to be performed.
S710,第二运行空间中运行的处理模块确定第三内存用于存储受保护的数据和/或第四内存用于存储不受保护的数据。S710. The processing module running in the second running space determines that the third memory is used to store the protected data and/or the fourth memory is used to store the unprotected data.
或者可以说,第二运行空间中运行的处理模块确定哪些内存用于存储受保护的数据和/或确定哪些内存用于存储不受保护的数据。用于存储受保护的数据的内存即为第三内存,用于存储不受保护的数据的内存即为第四内存。Or it can be said that the processing module running in the second run space determines which memory is used to store the protected data and/or which memory is used to store the unprotected data. The memory used to store protected data is the third memory, and the memory used to store unprotected data is the fourth memory.
第二运行空间可以是图4中所示的超级管理空间。The second run space may be the super management space shown in FIG.
受保护的数据可以包括以下至少一种数据:操作系统在编译阶段存储到内存中的常量数据,操作系统在初始化阶段存储到内存中的常量数据,操作系统或用户程序在运行阶段存储到内存中且不能被修改的数据。The protected data may include at least one of the following: constant data stored in the operating system during the compilation phase, constant data stored in the operating system during the initialization phase, and the operating system or user program being stored in the memory during the run phase. Data that cannot be modified.
可选地,第三内存和/或第四内存可以是第二运行空间中运行的处理模块根据预先配置的信息确定的,该预先配置的信息中记录第三内存用于存储受保护的数据和/或第四内存用于存储不受保护的数据。Optionally, the third memory and/or the fourth memory may be determined by the processing module running in the second running space according to the pre-configured information, wherein the third memory is recorded in the pre-configured information for storing the protected data and / or fourth memory is used to store unprotected data.
或者可以说,该预先配置的信息中记录了哪些内存是用于存储受保护的数据的,和/或记录了哪些内存是用于存储不受保护的数据的。Or it can be said that the pre-configured information records which memory is used to store protected data, and/or records which memory is used to store unprotected data.
例如,数据保护装置300中可以预先为内核空间中的操作系统分配用于存储操作系统的常量数据的内存。由于操作系统的常量数据为需要保护的数据,因此,可以预先配置该内存为第三内存的信息。这样,第二运行空间中运行的处理模块可以根据该预先配置的信息确定出第三内存是用于存储受保护的数据的。For example, in the data protection device 300, a memory for storing constant data of an operating system may be allocated in advance to an operating system in the kernel space. Since the constant data of the operating system is data that needs to be protected, the memory can be pre-configured as the information of the third memory. In this way, the processing module running in the second running space can determine, according to the pre-configured information, that the third memory is used to store the protected data.
例如,该预先配置的信息中可以记录为操作系统的常量数据分配的内存的VA。这样,第二运行空间中运行的处理模块可以根据该预先配置的信息确定该VA对应的内存是用于存储受保护的数据的,即该内存为第三内存。For example, the VA of the memory allocated for the constant data of the operating system can be recorded in the pre-configured information. In this way, the processing module running in the second running space can determine, according to the pre-configured information, that the memory corresponding to the VA is used to store the protected data, that is, the memory is the third memory.
S720,第二运行空间中运行的处理模块生成内存保护表,该内存保护表中记录第三内存为受保护的内存和/或第四内存为不受保护的内存。S720. The processing module running in the second running space generates a memory protection table, where the third memory is protected memory and/or the fourth memory is unprotected memory.
例如,第二运行空间中运行的处理模块确定第三内存为用于存储受保护的数据的内存后,将第三内存记录到内存保护表中,并标识第三内存为受保护的内存。For example, after the processing module running in the second running space determines that the third memory is the memory for storing the protected data, the third memory is recorded into the memory protection table, and the third memory is identified as the protected memory.
例如,第二运行空间中运行的处理模块确定第四内存为用于存储不受保护的数据的内存后,将第四内存记录到内存保护表中,并标识第四内存为不受保护的内存。For example, after the processing module running in the second running space determines that the fourth memory is the memory for storing the unprotected data, the fourth memory is recorded into the memory protection table, and the fourth memory is identified as unprotected memory. .
在本申请的一个实施例中,S530中所使用的内存保护表可以通过图7所示的方法得到。换句话说,S530中所使用的内存保护表可以是S720中得到的内存保护表。In one embodiment of the present application, the memory protection table used in S530 can be obtained by the method shown in FIG. In other words, the memory protection table used in S530 can be the memory protection table obtained in S720.
S530中所使用的内存保护表为S720中得到的内存保护表时,第三内存与第一内存可以是同一内存,或者第四内存与第一内存可以是同一内存。When the memory protection table used in the S530 is the memory protection table obtained in the S720, the third memory and the first memory may be the same memory, or the fourth memory and the first memory may be the same memory.
例如,操作系统在编译阶段将常量数据写入原先为该常量数据分配的第三内存,且操作系统将第三内存的属性标识为只读后,hypervisor可以在内存保护表中记录第三内存为受保护的内存。这样,操作系统向MMU发送第一消息,请求修改第三内存的属性时,MMU可以向hypervisor发送第二消息,请求hypervisor确定第三内存是否是受保护的。由于内存保护表中记录了第三内存是受保护的内存,因此,hypervisor指示MMU不能修改第三内存的属性。For example, after the operating system writes the constant data to the third memory allocated for the constant data in the compile phase, and the operating system identifies the attribute of the third memory as read-only, the hypervisor can record the third memory in the memory protection table. Protected memory. In this way, when the operating system sends a first message to the MMU requesting to modify the attributes of the third memory, the MMU may send a second message to the hypervisor requesting the hypervisor to determine whether the third memory is protected. Since the third memory is protected memory in the memory protection table, the hypervisor indicates that the MMU cannot modify the attributes of the third memory.
本申请有一个实施例的数据保护方法的示意性流程图如图8所示。该数据保护方法包括S810和S820。A schematic flowchart of a data protection method of an embodiment of the present application is shown in FIG. 8. The data protection method includes S810 and S820.
应理解,图8示出了该数据保护方法的步骤或操作,但这些步骤或操作仅是示例,本申请实施例还可以执行其他操作或者图8中的各个操作的变形。此外,图8中的各个步骤可以按照与图8呈现的不同的顺序来执行,并且有可能并非要执行图8中的全部操作。It should be understood that FIG. 8 illustrates the steps or operations of the data protection method, but these steps or operations are merely examples, and other embodiments of the present application may also perform other operations or variations of the operations in FIG. Moreover, the various steps in FIG. 8 may be performed in a different order than that presented in FIG. 8, and it is possible that not all operations in FIG. 8 are to be performed.
S810,第四运行空间中的处理模块向第二运行空间中的处理模块发送第五消息,第五消息用于请求将第一数据写入第五内存,其中,第二运行空间的异常级别高于第四运行空间的异常级别。S810. The processing module in the fourth running space sends a fifth message to the processing module in the second running space, where the fifth message is used to request that the first data is written into the fifth memory, where the abnormality level of the second running space is high. The level of exception in the fourth run space.
第四运行空间可以是图4中所示的用户程序空间或内核空间,第二运行空间可以是图4中所示的超级管理空间。The fourth run space may be the user program space or kernel space shown in FIG. 4, and the second run space may be the super management space shown in FIG.
第五消息中可以携带第一数据和第五内存的地址。例如,第五消息中可以携带第一数据和第五内存的VA。The address of the first data and the fifth memory may be carried in the fifth message. For example, the VA of the first data and the fifth memory may be carried in the fifth message.
第一数据可以包括以下至少一种数据:操作系统在编译阶段的常量数据,操作系统在初始化阶段的常量数据。The first data may include at least one of the following: constant data of the operating system at the compile stage, and constant data of the operating system during the initialization phase.
第五内存是用于存储第一数据的内存。The fifth memory is a memory for storing the first data.
S820,第二运行空间中运行的处理模块根据第五消息,将第一数据写入第五内存。S820. The processing module running in the second running space writes the first data into the fifth memory according to the fifth message.
本申请实施例中,由于第四运行空间中的处理模块需要经过比其异常级别高的第二运行空间中的处理模块来修改内存中的数据,也就是说,第四运行空间中的处理模块不能直接修改内存中的数据,因此,该方法是可以提高数据的安全性的。In this embodiment, the processing module in the fourth running space needs to modify the data in the memory through the processing module in the second running space that is higher than the abnormal level, that is, the processing module in the fourth running space. You can't directly modify the data in memory, so this method can improve the security of the data.
此外,与图5中的方法相比,本申请实施例中的方法可以修改内存中的数据,因此灵活性更高。In addition, the method in the embodiment of the present application can modify the data in the memory as compared with the method in FIG. 5, and thus the flexibility is higher.
本申请实施例中,可选地,第二运行空间中运行的处理模块可以在第五消息是预先规定的模块发送的情况下,才根据第五消息的请求,将第一数据写入第五内存,以进一步提高数据的安全性,从而提高操作系统的安全性。In the embodiment of the present application, optionally, the processing module running in the second running space may write the first data to the fifth according to the request of the fifth message if the fifth message is sent by a predetermined module. Memory to further improve the security of the data, thereby improving the security of the operating system.
例如,仅在操作系统的补丁程序通过HVC指令调用hypervisor的情况下,hypervisor才将第一数据写入第五内存。For example, the hypervisor writes the first data to the fifth memory only if the operating system's patch calls the hypervisor via the HVC instruction.
也就是说,在本申请实施例的一种实现方式中,S820具体可以包括:第五消息由预先规定的处理模块向第二运行空间中运行的处理模块发送的情况下,第二运行空间中运行的处理模块根据第五消息的请求,将第一数据写入第五内存。That is, in an implementation manner of the embodiment of the present application, the S820 may specifically include: when the fifth message is sent by the pre-specified processing module to the processing module running in the second running space, in the second running space The running processing module writes the first data into the fifth memory according to the request of the fifth message.
本申请另一个实施例中,图8所示的数据保护方法可以与图5至图7中至少一个所示的方法结合在一起使用。In another embodiment of the present application, the data protection method shown in FIG. 8 can be used in combination with the method shown in at least one of FIGS. 5 to 7.
例如,数据保护装置300可以通过图6和/或图7的方法生成内存保护表,然后可以通过图5所示的方法来判定内存是否是受保护,并可以通过图8所示的数据保护方法来修改数据。For example, the data protection device 300 can generate a memory protection table by the method of FIG. 6 and/or FIG. 7, and then can determine whether the memory is protected by the method shown in FIG. 5, and can pass the data protection method shown in FIG. To modify the data.
若将图5所示的数据保护方法与图6所述的数据保护方法结合在一起使用,则第四运行空间与第一运行空间可以是同一个运行空间。If the data protection method shown in FIG. 5 is used in combination with the data protection method described in FIG. 6, the fourth running space and the first running space may be the same running space.
例如,第四运行空间与第一运行空间均可以为内核空间,第一运行空间中的处理模块可以是操作系统,第四运行空间中的处理模块可以是操作系统的补丁程序。For example, the fourth running space and the first running space may both be kernel space, the processing module in the first running space may be an operating system, and the processing module in the fourth running space may be a patch of an operating system.
图9是本申请一个实施例的数据保护装置的示意性结构图。应理解,图9示出的数据保护装置900仅是示例,本申请实施例的数据保护装置还可包括其他模块或单元,或者包括与图9中的各个模块的功能相似的模块,或者并非要包括图9中所有模块。FIG. 9 is a schematic structural diagram of a data protection device according to an embodiment of the present application. It should be understood that the data protection device 900 shown in FIG. 9 is only an example, and the data protection device of the embodiment of the present application may further include other modules or units, or include modules similar to those of the modules in FIG. 9, or Includes all the modules in Figure 9.
数据保护装置900中包括处理器执行单元910和内存管理单元920,处理器执行单元910划分的运行空间包括第一运行空间911和第二运行空间912,第二运行空间的异常级别高于第一运行空间的异常级别,所述第一运行空间用于运行第一处理模块,第二运行控制用于运行第二处理模块。The data protection device 900 includes a processor execution unit 910 and a memory management unit 920. The operating space divided by the processor execution unit 910 includes a first running space 911 and a second running space 912, and the abnormality level of the second running space is higher than the first An exception level of the running space, the first running space is for running the first processing module, and the second running control is for running the second processing module.
数据保护装置900可以用于执行图4至图8中任意一个所示的数据保护方法中的数据保护装置执行的步骤。The data protection device 900 can be used to perform the steps performed by the data protection device in the data protection method shown in any of Figures 4-8.
例如,第一处理模块用于向内存管理单元920发送第一消息,所述第一消息用于请求修改第一内存的属性。For example, the first processing module is configured to send a first message to the memory management unit 920, the first message being used to request to modify an attribute of the first memory.
内存管理单元920用于向第二处理模块发送第二消息,所述第二消息用于请求确定所述第一内存是否是受保护的。The memory management unit 920 is configured to send a second message to the second processing module, where the second message is used to request to determine whether the first memory is protected.
第二处理模块用于根据预先获取的内存保护表,确定所述第一内存是否是受保护的。The second processing module is configured to determine, according to the pre-acquired memory protection table, whether the first memory is protected.
第二处理模块向内存管理单元920发送第三消息,所述第三消息用于指示是否修改所述第一内存的属性。The second processing module sends a third message to the memory management unit 920, where the third message is used to indicate whether to modify the attribute of the first memory.
所述内存管理单元用于:在所述第三消息用于指示修改所述第一内存的属性时,根据所述第一消息修改所述第一内存的属性;在所述第三消息用于指示不修改所述第一内存的属性,拒绝修改所述第一内存的属性。The memory management unit is configured to: when the third message is used to indicate that the attribute of the first memory is modified, modify an attribute of the first memory according to the first message; and use the third message in the third message Instructing not to modify the attribute of the first memory, and refusing to modify the attribute of the first memory.
可选地,第一处理模块具体用于向所述第二运行空间中的所述第二处理模块发送第四消息,所述第四消息用于指示所述第一内存是否是受保护的。Optionally, the first processing module is configured to send a fourth message to the second processing module in the second running space, where the fourth message is used to indicate whether the first memory is protected.
所述第二处理模块具体用于根据所述第四消息生成所述内存保护表,所述内存保护表用于记录受保护的内存和/或不受保护的内存,所述受保护的内存包括用于存储受保护的数据的内存,所述不受保护的内存包括用于存储不受保护的数据的内存。The second processing module is specifically configured to generate, according to the fourth message, the memory protection table, where the memory protection table is used to record protected memory and/or unprotected memory, where the protected memory includes A memory for storing protected data, including memory for storing unprotected data.
可选地,所述第二处理模块具体用于:确定所述第一内存用于存储受保护的数据或确定所述第一内存用于存储不受保护的数据;生成所述内存保护表,所述内存保护表用于记录所述第一内存为受保护的内存或用于记录所述第一内存为不受保护的内存,所述受保护的内存包括用于存储受保护的数据的内存,所述不受保护的内存包括用于存储不受保护的数据的内存。Optionally, the second processing module is specifically configured to: determine that the first memory is used to store protected data or determine that the first memory is used to store unprotected data; and generate the memory protection table, The memory protection table is configured to record the first memory as protected memory or to record the first memory as unprotected memory, where the protected memory includes memory for storing protected data. The unprotected memory includes memory for storing unprotected data.
可选地,所述第一运行空间为内核空间,所述第一处理模块为操作系统;其中,所述受保护的数据包括:所述操作系统在编译阶段写入内存的常量数据,所述操作系统在初始化阶段写入内存的常量数据。Optionally, the first running space is a kernel space, and the first processing module is an operating system; wherein the protected data includes: constant data written by the operating system into a memory during a compiling phase, The constant data that the operating system writes to memory during the initialization phase.
可选地,数据保护装置900中还可以包括存储器,该存储器用于存储处理器执行单元910执行的程序代码以及数据。Optionally, the data protection device 900 may further include a memory for storing program codes and data executed by the processor execution unit 910.
可选地,数据保护装置900可以为手机、平板电脑、服务器、个人电脑、网络路由器或交换机。Alternatively, the data protection device 900 can be a cell phone, a tablet, a server, a personal computer, a network router, or a switch.
本领域普通技术人员可以意识到,结合本文中所公开的实施例描述的各示例的单元及算法步骤,能够以电子硬件、或者计算机软件和电子硬件的结合来实现。这些功能究竟以硬件还是软件方式来执行,取决于技术方案的特定应用和设计约束条件。专业技术人员可以对每个特定的应用来使用不同方法来实现所描述的功能,但是这种实现不应认为超出本申请的范围。Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the various examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware or a combination of computer software and electronic hardware. Whether these functions are performed in hardware or software depends on the specific application and design constraints of the solution. A person skilled in the art can use different methods to implement the described functions for each particular application, but such implementation should not be considered to be beyond the scope of the present application.
所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,上述描述的装置和单 元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。A person skilled in the art can clearly understand that for the convenience and brevity of the description, the specific working process of the device and the unit described above can refer to the corresponding process in the foregoing method embodiment, and details are not described herein again.
在本申请所提供的几个实施例中,应该理解到,所揭露装置和方法,可以通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如,所述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。In the several embodiments provided herein, it should be understood that the disclosed apparatus and method can be implemented in other ways. For example, the device embodiments described above are merely illustrative. For example, the division of the unit is only a logical function division. In actual implementation, there may be another division manner, for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed. In addition, the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
所述功能如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(read-only memory,ROM)、随机存取存储器、磁碟或者光盘等各种可以存储程序代码的介质。The functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product. Based on such understanding, the technical solution of the present application, which is essential or contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium, including The instructions are used to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present application. The foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory, a magnetic disk, or an optical disk, and the like, which can store program codes.
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。The foregoing is only a specific embodiment of the present application, but the scope of protection of the present application is not limited thereto, and any person skilled in the art can easily think of changes or substitutions within the technical scope disclosed in the present application. It should be covered by the scope of protection of this application. Therefore, the scope of protection of the present application should be determined by the scope of the claims.

Claims (13)

  1. 一种数据保护方法,其特征在于,所述数据保护方法由数据保护装置执行,所述数据保护装置中包括处理器执行单元和内存管理单元,所述处理器执行单元划分的运行空间包括第一运行空间和第二运行空间,所述第二运行空间的异常级别高于所述第一运行空间的异常级别;A data protection method, wherein the data protection method is performed by a data protection device, where the data protection device includes a processor execution unit and a memory management unit, and the operating space of the processor execution unit partition includes the first a running space and a second running space, wherein an abnormal level of the second running space is higher than an abnormal level of the first running space;
    所述数据保护方法包括:The data protection method includes:
    所述第一运行空间中运行的第一处理模块向所述内存管理单元发送第一消息,所述第一消息用于请求修改第一内存的属性;The first processing module running in the first running space sends a first message to the memory management unit, where the first message is used to request to modify an attribute of the first memory;
    所述内存管理单元向所述第二运行空间中运行的第二处理模块发送第二消息,所述第二消息用于请求确定所述第一内存是否是受保护的;The memory management unit sends a second message to the second processing module running in the second running space, where the second message is used to request to determine whether the first memory is protected;
    所述第二运行空间中运行的所述第二处理模块根据预先获取的内存保护表,确定所述第一内存是否是受保护的;The second processing module running in the second running space determines whether the first memory is protected according to a pre-acquired memory protection table;
    所述第二运行空间运行的所述第二处理模块向所述内存管理单元发送第三消息,所述第三消息用于指示是否修改所述第一内存的属性;The second processing module of the second running space sends a third message to the memory management unit, where the third message is used to indicate whether to modify an attribute of the first memory;
    若所述第三消息用于指示修改所述第一内存的属性,则所述内存管理单元根据所述第一消息修改所述第一内存的属性;若所述第三消息用于指示不修改所述第一内存的属性,则所述内存管理单元拒绝修改所述第一内存的属性。If the third message is used to indicate that the attribute of the first memory is modified, the memory management unit modifies an attribute of the first memory according to the first message; if the third message is used to indicate that the attribute is not modified And the attribute of the first memory, the memory management unit refuses to modify the attribute of the first memory.
  2. 根据权利要求1所述的数据保护方法,其特征在于,所述第二运行空间中运行的所述第二处理模块根据预先获取的内存保护表,确定所述第一内存是否是受保护的之前,所述数据保护方法还包括:The data protection method according to claim 1, wherein the second processing module running in the second running space determines whether the first memory is protected before according to a memory protection table acquired in advance. The data protection method further includes:
    所述第一运行空间中的所述第一处理模块向所述第二运行空间中的所述第二处理模块发送第四消息,所述第四消息用于指示所述第一内存是否是受保护的;The first processing module in the first running space sends a fourth message to the second processing module in the second running space, where the fourth message is used to indicate whether the first memory is received protected;
    所述第二运行空间中的所述第二处理模块根据所述第四消息生成所述内存保护表,所述内存保护表用于记录受保护的内存和/或不受保护的内存,所述受保护的内存包括用于存储受保护的数据的内存,所述不受保护的内存包括用于存储不受保护的数据的内存。The second processing module in the second running space generates the memory protection table according to the fourth message, where the memory protection table is used to record protected memory and/or unprotected memory, Protected memory includes memory for storing protected data, including memory for storing unprotected data.
  3. 根据权利要求1所述的数据保护方法,其特征在于,所述第二运行空间中运行的所述第二处理模块根据预先获取的内存保护表,确定所述第一内存是否是受保护的之前,所述数据保护方法还包括:The data protection method according to claim 1, wherein the second processing module running in the second running space determines whether the first memory is protected before according to a memory protection table acquired in advance. The data protection method further includes:
    所述第二运行空间中运行的所述第二处理模块确定所述第一内存用于存储受保护的数据或确定所述第一内存用于存储不受保护的数据;The second processing module running in the second running space determines that the first memory is used to store protected data or the first memory is used to store unprotected data;
    所述第二运行空间中运行的所述第二处理模块生成所述内存保护表,所述内存保护表用于记录所述第一内存为受保护的内存或用于记录所述第一内存为不受保护的内存,所述受保护的内存包括用于存储受保护的数据的内存,所述不受保护的内存包括用于存储不受保护的数据的内存。The second processing module running in the second running space generates the memory protection table, where the memory protection table is configured to record the first memory as a protected memory or to record the first memory as Unprotected memory, the protected memory includes memory for storing protected data, and the unprotected memory includes memory for storing unprotected data.
  4. 根据权利要求2或3所述的数据保护方法,其特征在于,所述第一运行空间为内核空间,所述第一处理模块为操作系统,所述第二运行空间为超级管理空间;The data protection method according to claim 2 or 3, wherein the first running space is a kernel space, the first processing module is an operating system, and the second running space is a super management space;
    其中,所述受保护的数据包括:所述操作系统在编译阶段写入内存的常量数据,所述 操作系统在初始化阶段写入内存的常量数据。The protected data includes: constant data written by the operating system to the memory during the compiling phase, and the operating system writes constant data of the memory during the initialization phase.
  5. 根据权利要求1至4中任一项所述的数据保护方法,其特征在于,所述数据保护装置为手机、平板电脑、服务器、个人电脑、网络路由器或交换机。The data protection method according to any one of claims 1 to 4, wherein the data protection device is a mobile phone, a tablet, a server, a personal computer, a network router or a switch.
  6. 一种数据保护装置,其特征在于,包括:处理器执行单元和内存管理单元,所述处理器执行单元划分的运行空间包括第一运行空间和第二运行空间,所述第二运行空间的异常级别高于所述第一运行空间的异常级别,所述第一运行空间用于运行第一处理模块,所述第二运行空间用于运行第二处理模块;A data protection device, comprising: a processor execution unit and a memory management unit, wherein the operating space divided by the processor execution unit comprises a first running space and a second running space, and the second running space is abnormal The level is higher than the abnormal level of the first running space, the first running space is used to run the first processing module, and the second running space is used to run the second processing module;
    所述第一处理模块用于向所述内存管理单元发送第一消息,所述第一消息用于请求修改第一内存的属性;The first processing module is configured to send a first message to the memory management unit, where the first message is used to request to modify an attribute of the first memory;
    所述内存管理单元用于向所述第二处理模块发送第二消息,所述第二消息用于请求确定所述第一内存是否是受保护的;The memory management unit is configured to send a second message to the second processing module, where the second message is used to request to determine whether the first memory is protected;
    所述第二处理模块用于根据预先获取的内存保护表,确定所述第一内存是否是受保护的;The second processing module is configured to determine, according to the pre-acquired memory protection table, whether the first memory is protected;
    所述第二处理模块还用于向所述内存管理单元发送第三消息,所述第三消息用于指示是否修改所述第一内存的属性;The second processing module is further configured to send a third message to the memory management unit, where the third message is used to indicate whether to modify an attribute of the first memory;
    所述内存管理单元还用于:所述第三消息用于指示修改所述第一内存的属性时根据所述第一消息修改所述第一内存的属性,所述第三消息用于指示不修改所述第一内存的属性时拒绝修改所述第一内存的属性。The memory management unit is further configured to: when the third message is used to indicate that the attribute of the first memory is modified, modify an attribute of the first memory according to the first message, where the third message is used to indicate that The modification of the attribute of the first memory refuses to modify the attribute of the first memory.
  7. 根据权利要求6所述的数据保护装置,其特征在于,所述第一处理模块还用于向所述第二运行空间中的所述第二处理模块发送第四消息,所述第四消息用于指示所述第一内存是否是受保护的;The data protection device according to claim 6, wherein the first processing module is further configured to send a fourth message to the second processing module in the second running space, where the fourth message is used Instructing whether the first memory is protected;
    所述第二处理模块根据预先获取的内存保护表,确定所述第一内存是否是受保护的之前,还用于:根据所述第四消息生成所述内存保护表,所述内存保护表用于记录受保护的内存和/或不受保护的内存,所述受保护的内存包括用于存储受保护的数据的内存,所述不受保护的内存包括用于存储不受保护的数据的内存。And the second processing module is configured to: before the first memory is protected according to the pre-acquired memory protection table, and configured to: generate the memory protection table according to the fourth message, where the memory protection table is used Recording protected memory and/or unprotected memory, the protected memory including memory for storing protected data, the memory for storing unprotected data .
  8. 根据权利要求6所述的数据保护装置,其特征在于,所述第二处理模块根据预先获取的内存保护表,确定所述第一内存是否是受保护的之前,还用于:The data protection device according to claim 6, wherein the second processing module determines whether the first memory is protected according to a pre-acquired memory protection table, and is further configured to:
    确定所述第一内存用于存储受保护的数据或确定所述第一内存用于存储不受保护的数据;Determining that the first memory is for storing protected data or determining that the first memory is for storing unprotected data;
    生成所述内存保护表,所述内存保护表用于记录所述第一内存为受保护的内存或用于记录所述第一内存为不受保护的内存,所述受保护的内存包括用于存储受保护的数据的内存,所述不受保护的内存包括用于存储不受保护的数据的内存。Generating the memory protection table, where the memory protection table is configured to record the first memory as protected memory or to record the first memory as unprotected memory, where the protected memory is included A memory that stores protected data, including memory for storing unprotected data.
  9. 根据权利要求7或8所述的数据保护装置,其特征在于,所述第一运行空间为内核空间,所述第一处理模块为操作系统;The data protection device according to claim 7 or 8, wherein the first running space is a kernel space, and the first processing module is an operating system;
    其中,所述受保护的数据包括:所述操作系统在编译阶段写入内存的常量数据,所述操作系统在初始化阶段写入内存的常量数据。The protected data includes: constant data written by the operating system to the memory during the compiling phase, and the operating system writes constant data of the memory during the initialization phase.
  10. 根据权利要求6至9中任一项所述的数据保护装置,其特征在于,所述数据保护装置为手机、平板电脑、服务器、个人电脑、网络路由器或交换机。The data protection device according to any one of claims 6 to 9, wherein the data protection device is a mobile phone, a tablet, a server, a personal computer, a network router or a switch.
  11. 一种计算机存储介质,其特征在于,所述计算机可读存储介质中存储用于数据保 护装置执行的程序代码,所述程序代码包括用于执行权利要求1至5中任一项所述的数据保护方法的指令。A computer storage medium, wherein the computer readable storage medium stores program code for execution by a data protection device, the program code comprising data for performing the method of any one of claims 1 to 5. The instruction to protect the method.
  12. 一种芯片,其特征在于,所述芯片包括处理器,所述处理器用于执行如权利要求1至5中任一项所述的数据保护方法。A chip, characterized in that the chip comprises a processor for performing the data protection method according to any one of claims 1 to 5.
  13. 一种计算机程序产品,其特征在于,所述计算机程序产品在数据保护装置上运行时,使得所述数据保护装置执行如权利要求1至5中任一项所述的数据保护方法。A computer program product, wherein the computer program product, when run on a data protection device, causes the data protection device to perform the data protection method of any one of claims 1 to 5.
PCT/CN2018/075086 2018-02-02 2018-02-02 Data protection method and data protection device WO2019148447A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
PCT/CN2018/075086 WO2019148447A1 (en) 2018-02-02 2018-02-02 Data protection method and data protection device
EP18904028.0A EP3726390B1 (en) 2018-02-02 2018-11-26 Method and device for protecting kernel integrity
PCT/CN2018/117500 WO2019148948A1 (en) 2018-02-02 2018-11-26 Method and device for protecting kernel integrity
CN201880016634.2A CN110383256B (en) 2018-02-02 2018-11-26 Kernel integrity protection method and device
US16/965,935 US20210049112A1 (en) 2018-02-02 2018-11-26 Kernel integrity protection method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/075086 WO2019148447A1 (en) 2018-02-02 2018-02-02 Data protection method and data protection device

Publications (1)

Publication Number Publication Date
WO2019148447A1 true WO2019148447A1 (en) 2019-08-08

Family

ID=67479470

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/075086 WO2019148447A1 (en) 2018-02-02 2018-02-02 Data protection method and data protection device

Country Status (1)

Country Link
WO (1) WO2019148447A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101788958A (en) * 2010-02-04 2010-07-28 杭州晟元芯片技术有限公司 Method for protecting data of memorizer
CN102750202A (en) * 2012-06-06 2012-10-24 宇龙计算机通信科技(深圳)有限公司 Data protection method and device
CN202694329U (en) * 2012-02-24 2013-01-23 深圳市江波龙电子有限公司 Wireless storage equipment
JP2015099461A (en) * 2013-11-19 2015-05-28 日本電気株式会社 Data protection device, method, and program
CN105787360A (en) * 2016-03-02 2016-07-20 杭州字节信息技术有限公司 Method for technically controlling secure access to embedded system memory

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101788958A (en) * 2010-02-04 2010-07-28 杭州晟元芯片技术有限公司 Method for protecting data of memorizer
CN202694329U (en) * 2012-02-24 2013-01-23 深圳市江波龙电子有限公司 Wireless storage equipment
CN102750202A (en) * 2012-06-06 2012-10-24 宇龙计算机通信科技(深圳)有限公司 Data protection method and device
JP2015099461A (en) * 2013-11-19 2015-05-28 日本電気株式会社 Data protection device, method, and program
CN105787360A (en) * 2016-03-02 2016-07-20 杭州字节信息技术有限公司 Method for technically controlling secure access to embedded system memory

Similar Documents

Publication Publication Date Title
US10831886B2 (en) Virtual machine manager facilitated selective code integrity enforcement
US11651085B2 (en) Cryptographic memory ownership table for secure public cloud
CN111651778B (en) Physical memory isolation method based on RISC-V instruction architecture
JP5736090B2 (en) Method, system and computer program for memory protection of virtual guest
WO2019148948A1 (en) Method and device for protecting kernel integrity
KR101332135B1 (en) Systems, methods, and apparatus to virtualize tpm accesses
CN110348204B (en) Code protection system, authentication method, authentication device, chip and electronic equipment
US20190034633A1 (en) Protecting computer systems used in virtualization environments against fileless malware
US10146962B2 (en) Method and apparatus for protecting a PCI device controller from masquerade attacks by malware
US9183391B2 (en) Managing device driver cross ring accesses
CN113094700A (en) System for executing safety operation and method for executing safety operation by system
JP7436495B2 (en) Secure storage isolation
US9411979B2 (en) Embedding secret data in code
WO2019148447A1 (en) Data protection method and data protection device
US10938857B2 (en) Management of a distributed universally secure execution environment
Heo et al. Hardware-assisted trusted memory disaggregation for secure far memory
US20230098991A1 (en) Systems, methods, and media for protecting applications from untrusted operating systems
CN116561824A (en) Method and apparatus for managing memory in a confidential computing architecture

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18903723

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18903723

Country of ref document: EP

Kind code of ref document: A1