WO2019237867A1 - A method and computing device for isolating power (authority) information and relying on it to perform power checks - Google Patents

A method and computing device for isolating power (authority) information and relying on it to perform power checks

Info

Publication number
WO2019237867A1
Authority
WO
WIPO (PCT)
Prior art keywords
msu
information
power
check
power information
Application number
PCT/CN2019/086499
Other languages
English (en)
French (fr)
Inventor
杨力祥
Original Assignee
杨力祥
Application filed by 杨力祥
Publication of WO2019237867A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • This application relates to the field of information technology, and in particular to an access control technology and a technology for preventing attacks through the control of "power" (权力, i.e. authority or privilege; the term "power information" below denotes the data that records who is authorized to do what).
  • the attacker can further modify the authorization information and change the authorization status to obtain a status beyond authorization. Further operations such as:
  • the present invention establishes an access control method, which is characterized in that the power information and the code for maintaining it are isolated from the rest of the software system to ensure the correctness of the power information, and that checks are performed based on that power information.
  • the checking refers to a power check based on the isolated power information during cross-MSU access during the execution of the system.
  • the power information includes user information and a user's read / write range of the file. For example, information used to indicate the user to which the file belongs; information about the user group to which the file belongs; information about users, user groups, out-of-group users, read, write, and execute permissions on the file; file data block number index information, and so on.
  • isolating the power information and the code that maintains it from the rest of the software system, to ensure the correctness of the power information, includes: isolating the power information and the code that maintains it from the rest of the software system in the memory space; and / or, during any computation or processing of power information, no longer interacting with the outside world.
  • the power checking based on the power information includes: during the completion of a user-specified task, checking the data processed by the software system according to the power information at a specified location.
  • separating the power information and the code for maintaining it from the rest of the software system includes: within the same linear address space, the power information and the program for maintaining it are independently packaged, separated from the rest of the software program, and stored separately.
  • a terminal MSU is used to store the power information and the code that maintains it (this type of MSU is hereinafter referred to as the power information MSU). The method further includes: individually encapsulating the program that performs the check function and that decides, according to the power check result, how execution proceeds; this is called check encapsulation.
  • check encapsulation is implemented by a dedicated check MSU (described below).
  • the MSU refers to a memory system unit, and a memory system unit is a specific unit in a memory system device; the memory system device refers to a set of specific access controls together with the access area controlled by that access control set.
  • the abbreviation MSU in the present invention corresponds to a memory system unit.
  • the area includes a CPU-addressable storage space surrounded by a set of boundaries.
  • the area must be identified by an access control set.
  • the identification refers to recording the information of the area in the MSU information.
  • the access control set includes: MSU information, a permission mechanism for accessing the area, and / or a mechanism for prohibiting access to the area.
  • the addressable storage space may store data and / or instructions.
  • the data and codes of all software are put into designated MSUs separately according to design requirements, that is, no codes and data are placed outside the MSU.
  • the CPU refers to a central processing unit.
  • the area is composed of one or more continuous storage areas in the same linear address space, and each continuous storage area is defined by the address identifiers at both ends, and the set of all the foregoing address identifiers constitutes the boundary of the area.
  • a preferred solution for an area composed of multiple consecutive storage areas is that the consecutive storage areas in the area are disjoint from each other.
  • the storage areas where data and code are stored are called data area and instruction area, respectively. Regions of different MSUs do not intersect each other.
  • the MSU information includes: MSU boundary information, MSU port information, and MSU attribute information.
  • as an optional implementation, an empty port MSU may be set.
  • the MSU port information of the empty port MSU is empty and still has MSU boundary information and MSU attribute information.
  • the MSU information further includes: MSU user information.
  • the permission mechanism includes: allowing non-branch instructions, interrupt instructions, and branch instructions whose target stays within the current area to execute in the area, and allowing instructions in the area to access data in the current area. Further, the permission mechanism includes: allowing data to be passed between regions, whether from inside the region to outside or from outside to inside, by parameter passing; allowing regions to pass data by sharing physical memory, preferably passing large amounts of data through shared physical memory. The permission mechanism for access between regions, that is, for leaving or entering the region, further includes: an MSU must execute a port transfer instruction through a port, and the attribute information and port information must match.
  • the prohibition mechanism includes prohibiting the execution of instructions located in the data area of the region. Apart from what the permission mechanism allows, all cross-region instruction execution (including non-transfer instructions, branch instructions, and transfers whose port or attribute information does not match), whether from inside the region to outside or from outside to inside, and all cross-region data accesses, generate exceptions.
  • shared data MSU which is characterized by containing only data shared by other MSUs and no instructions; allowing other MSUs to manipulate data through agreed instructions.
  • the kernel stack and / or the user stack are placed in the shared data MSU, and the MSU to which the stack belongs must be the shared data MSU, and other MSUs operate the data in the stack by a predetermined instruction.
  • the MSU boundary information includes: a set of boundary information of all continuous storage areas in an area identified by an access control set.
  • the data structure storing the above information is referred to as boundary data, and the address of the boundary data is associated with and identifiable in the memory system device.
  • the device can find the data structure according to the address of the boundary data, and then all the boundary information can be obtained.
  • the MSU port information includes an entrance and / or an exit. Specify a limited number of instruction addresses as entrances or exits in the instruction address area within the area identified by the access control set, where each instruction address is an entrance or exit.
  • the optional entry is: the destination address of the inter-MSU branch instruction in the area; the optional exit is: the address of the inter-MSU branch instruction.
  • the MSU attribute information includes: MSU identification information and MSU type information.
  • the MSU identification information refers to a unique identification that is different from other MSUs.
  • the type information of the MSU may be one of an ordinary MSU and a shared data MSU.
  • the MSU attribute information may further include: user type information to which the MSU belongs, and user identification information to which the MSU belongs.
  • the type information of the user to which the MSU belongs refers to the type of the user to which the MSU belongs.
  • the user type is the user role.
  • the user identification information to which the MSU belongs refers to the unique identifier of the user to which the MSU belongs.
  • the aforementioned boundary information and / or attribute information and / or MSU port information can be synthesized into a more convenient and complete data structure.
  • the matching of the MSU port information and the matching of the MSU attribute information means that in the program initialization phase, the exit, entrance, boundary, identification information, and type information of the MSU required for execution of the transfer instruction are recorded in the MSU descriptor table.
  • the information contained in the transfer instruction is compared with the port information and attribute information in the MSU descriptor table. If the results match, it is regarded as legitimate and the transfer instruction is allowed to execute. Otherwise, it is considered illegal and an exception is reported.
  • a check MSU is added to the MSU type information.
  • An MSU whose type information is marked "check MSU" is considered a check MSU.
  • a non-check MSU is not allowed to directly call another non-check MSU.
  • the source MSU must first call the check MSU, and then the check MSU calls the target MSU. When the target MSU returns, it returns to the check MSU first.
  • the check MSU returns to the source MSU.
  • a non-check MSU refers to any MSU of a type other than the check MSU.
  • terminal MSU is added to the MSU type information.
  • An MSU whose type information is marked as "terminal MSU" can only be called by other MSUs, and cannot call other MSUs.
  • an empty port MSU is added to the MSU type information.
  • the MSU whose type information is marked as "empty port MSU" has no port.
  • Other MSUs can call any function of the empty port MSU through the port, but cannot directly access the data of the empty port MSU.
  • An empty port MSU calling another MSU must enter the MSU through its port. Function calls can be made between different empty port MSUs, but data cannot be accessed. When the terminal MSU exists, the empty port MSU cannot call the terminal MSU.
  • a safe MSU is added to the MSU type information.
  • This type of MSU is not allowed to contain instruction areas. Only certain operations that need to save status information can access the MSU.
  • the status information may be a return address, an interruption scene, and the like.
  • an IO instruction MSU is added to the MSU type information.
  • if the device contains an IO instruction MSU, only the special instructions related to IO operations are allowed to execute within this type of MSU.
  • the attribute matching check rules of this type of MSU are the same as those of the terminal MSU.
  • the device need not implement all of the check MSU, terminal MSU, empty port MSU, safe MSU and IO instruction MSU; it may omit one or more of them.
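The port matching and attribute matching rules above (recorded exits and entrances, the port pairs that have a call relationship, and the per-type restrictions on who may call whom) can be modelled as a descriptor table consulted on every inter-MSU transfer. The following Python model is an added example written for this page, not code from the patent or from any implementation of it; the table layout, the MSU numbers and addresses, and the decision to treat a transfer inside one MSU as exempt from port checks are all assumptions made for illustration. The empty port MSU is left out because its rules are stated only loosely above.

```python
"""Model of an MSU descriptor table and the check applied to a cross-MSU
transfer. Added example; all MSU ids, addresses and the rule order are assumed."""
from dataclasses import dataclass, field
from enum import Enum


class MsuType(Enum):
    ORDINARY = "ordinary"    # functional MSU
    SHARED_DATA = "shared"   # data only, no instruction area
    CHECK = "check"          # mediates calls between non-check MSUs
    TERMINAL = "terminal"    # may be called, never calls
    IO_INSTR = "io"          # same attribute rules as terminal
    SAFE = "safe"            # no instruction area; holds saved state only


@dataclass
class MsuDescriptor:
    msu_id: int
    msu_type: MsuType
    instr_areas: list                          # [(lo, hi)] half-open ranges
    entries: set = field(default_factory=set)  # entrance instruction addresses
    exits: set = field(default_factory=set)    # exit instruction addresses


class MsuDescriptorTable:
    def __init__(self):
        self.by_id = {}
        self.port_pairs = set()  # (exit_addr, entry_addr) pairs with a call relationship

    def add(self, d):
        self.by_id[d.msu_id] = d

    def allow_call(self, exit_addr, entry_addr):
        self.port_pairs.add((exit_addr, entry_addr))

    def owner_of(self, addr):
        for d in self.by_id.values():
            if any(lo <= addr < hi for lo, hi in d.instr_areas):
                return d
        return None

    def check_transfer(self, exit_addr, entry_addr):
        """Return 'allow', or an 'exception: ...' reason for the transfer."""
        src, dst = self.owner_of(exit_addr), self.owner_of(entry_addr)
        if src is None or dst is None:
            return "exception: address outside any MSU"
        if src is dst:
            return "allow"  # branch within one MSU: not subject to port rules
        # port information must match the recorded exits / entrances and pairs
        if exit_addr not in src.exits:
            return "exception: exit address is not a recorded exit"
        if entry_addr not in dst.entries:
            return "exception: entry address is not a recorded entrance"
        if (exit_addr, entry_addr) not in self.port_pairs:
            return "exception: no call relationship recorded for this port pair"
        # attribute (type) information must match the type rules
        no_code = (MsuType.SHARED_DATA, MsuType.SAFE)
        if src.msu_type in (MsuType.TERMINAL, MsuType.IO_INSTR):
            return "exception: terminal/IO MSU may not call other MSUs"
        if src.msu_type in no_code or dst.msu_type in no_code:
            return "exception: MSU without instruction area cannot be a call endpoint"
        if src.msu_type != MsuType.CHECK and dst.msu_type != MsuType.CHECK:
            return "exception: non-check MSU must route the call through a check MSU"
        return "allow"


def build_sample_table():
    """Constructed sample: MSU 1 (functional) -> MSU 2 (check) -> MSU 3
    (functional), plus MSU 4 (terminal). Addresses are made up."""
    t = MsuDescriptorTable()
    t.add(MsuDescriptor(1, MsuType.ORDINARY, [(0x1000, 0x2000)], {0x1000}, {0x1100}))
    t.add(MsuDescriptor(2, MsuType.CHECK,    [(0x2000, 0x3000)], {0x2000}, {0x2100}))
    t.add(MsuDescriptor(3, MsuType.ORDINARY, [(0x3000, 0x4000)], {0x3000}, {0x3100}))
    t.add(MsuDescriptor(4, MsuType.TERMINAL, [(0x4000, 0x5000)], {0x4000}, {0x4100}))
    for pair in [(0x1100, 0x2000), (0x2100, 0x3000), (0x2100, 0x4000),
                 (0x1100, 0x3000),   # recorded, but the type rules still forbid it
                 (0x4100, 0x2000)]:  # recorded, but a terminal MSU must not call
        t.allow_call(*pair)
    return t


if __name__ == "__main__":
    table = build_sample_table()
    for ex, en in [(0x1100, 0x2000), (0x1100, 0x3000), (0x4100, 0x2000)]:
        print(hex(ex), "->", hex(en), ":", table.check_transfer(ex, en))
```

The port checks run before the attribute checks so that a transfer that is not even registered fails on the cheaper test; the last two pairs in the sample are registered deliberately to show that a matching port pair alone is not sufficient when the type rules forbid the call.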
  • the processing of any power information includes: in the initialization phase, the startup program triggers a special power information loading program, which loads all power information into the power information MSU at once; before shutdown, the kernel's general shutdown program triggers a special power information synchronization program, which synchronizes all power information to the peripheral so that the power information stored on the peripheral is consistent with the power information in memory; if the power information MSU receives a new-file request, the internal file power information processing program analyzes the file path and finally adds the file management structure information; if it receives a delete-file request, the file path is analyzed and the file management structure information is finally deleted; if it receives a rename-file request, the file path is analyzed and the content of the directory entry corresponding to the file name is finally changed; if the power information MSU receives a write-file request, the internal data block handler finds the data block index information through the file management structure and adds the data block number to the index information management structure;
  • conversely, the data block index information is found through the file management structure and the data block number is deleted from the index information management structure. The special program for file management information processing and the special program for data block processing inside the MSU can by themselves complete the specified power information processing without any external support.
  • checking the data processed by the software system according to the power information at a specified position includes encapsulating the programs that are unrelated to the power information and its maintenance code in separate MSUs.
  • the attribute of these MSUs is ordinary MSU (this type of MSU is hereafter referred to as a functional MSU).
  • functional MSUs cannot call or return to one another directly; a power check must be performed first.
  • a preferred method is described with reference to FIG. 1. In the source code, the call requirement from MSU-1 to MSU-2 is recorded. In actual execution, the function MSU-1 calls the power check MSU (step 1 in FIG. 1).
  • the power check MSU calls the power information MSU (step 2 in FIG. 1) and passes the power-related data to the power information MSU for comparison.
  • the power information MSU returns the check result to the power check MSU (step 3 in FIG. 1). If the comparison result exceeds the scope limited by the user's power information, the exception processing flow is entered. If it does not exceed that scope, the power check MSU actually calls the target function MSU-2 according to the call requirement, and MSU-2 executes (step 4 in FIG. 1); and / or, when the function MSU-2 returns, it first returns to the power check MSU (step 5 in FIG. 1), and the power check MSU then calls the power information MSU (step 6 in FIG. 1).
  • the power check MSU passes the power-related data to the power information MSU for comparison, and the power information MSU returns the check result to the power check MSU (step 7 in FIG. 1). If the comparison result exceeds the limits of the user's power information, the exception processing flow is entered; if it does not, the power check MSU returns to the function MSU-1, which continues execution (step 8 in FIG. 1).
  • An access control mechanism is characterized by using the aforementioned method of access control based on power.
  • a secure operating system is characterized by using the aforementioned method of access control based on power.
  • the present invention can achieve the following technical effects:
  • Power information is the basis of power inspection.
  • the power information and its maintenance programs are separated in space from the rest of the software system, especially through the MSU mechanism, which effectively prevents attacks on the rest of the software system from affecting the power information and so ensures its accuracy.
  • on the basis of this guaranteed correctness, whenever a cross-MSU access is performed, a power check is carried out based on the isolated power information, which further prevents unauthorized operations between MSUs.
  • encapsulating the rest of the software system independently, especially through the MSU mechanism, ensures that the programs in each MSU can only be called and returned to through a limited set of ports; the power check at the port ensures that every interaction between MSUs must pass the power check, so that an MSU cannot operate beyond its authority. Performing power checks between all MSUs ensures that unauthorized operations between MSUs cannot be achieved at any point during program execution.
  • an unauthorized operation requires the cooperation of multiple functions in the program.
  • since the MSU mechanism ensures that each MSU has a single function, it ensures that the program in an MSU cannot achieve an unauthorized operation on its own.
  • FIG. 1: schematic diagram showing that a call from MSU-1 to MSU-2 must pass through the power check MSU for a power check.
  • a special program for power information loading is triggered by the startup program. All power information is loaded into the power information package at one time.
  • the special program for power information loading contains only the logic for loading power information and nothing else, so that its function is single and its logic simple. Its correctness can be established through formal testing and exhaustive testing, so it will not itself generate an attack during loading that affects the reliability of the power information. At the same time, because the data processed by the software system has not yet been loaded, no other program has executed at this point and no attack can occur. The power information and the power information processing programs are therefore also correct after loading.
  • the kernel general shutdown program causes a special program for power information synchronization to synchronize all power information to the peripherals to ensure that the power information stored on the peripherals is consistent with the power information in the memory.
  • the logic of this special program consists only of synchronizing the power information to the peripherals and nothing else, so that its function is single and its logic simple. Its correctness can be established through formal testing and exhaustive testing; during synchronization it will not itself generate an attack that affects the reliability of the power information.
  • after the system call soft interrupt is entered and execution reaches the function MSU corresponding to the system call, that function MSU receives parameters including the path of the file to be created, the read / write attributes, and the flag marking the request as a file creation. It first calls the power check MSU for a permission check, and the power check MSU passes the received parameters to the power information MSU.
  • the specific check is performed in the power information MSU by the special program for file power information processing, that is, by analyzing the path name it is determined whether the current user has the right to access the directory files at every level.
  • if the check passes, a file management structure is finally created for the target file (its file power attribute field contains the user identity information, the user group information, and the "read", "write" and "execute" permissions of the user, the user group, and users outside the group on the new file), and the structure is marked on the file attribute management structure bitmap; at the same time, free entries are found in the file operation management structure and in the file handle correspondence structure, and through these entries the correspondence between the file operation management structure, the file handle correspondence structure and the file attribute management structure is established. No interaction with the outside world is required to complete this work.
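The FIG. 1 call sequence and the create-file check just described can be simulated end to end: function MSU-1 (the system call handler) reaches the target function MSU-2 (file creation) only through the power check MSU, which asks the power information MSU to compare the request against the user, group and out-of-group read / write / execute bits of every directory on the path, and checks again on the return path. The Python below is an added example written for this page, not the patent's or any implementation's code. The directory tree, the users and groups, the 0o-style mode bits, and the return-path rule (the created structure must record the requesting user as owner) are constructed assumptions.

```python
"""Simulation of the FIG. 1 flow for a 'create file' request. Added example;
users, groups, the tree and the return-path rule are constructed."""
from dataclasses import dataclass


class PowerException(Exception):
    """The comparison exceeded the user's power information."""


@dataclass
class FileMgmtStruct:
    owner: str
    group: str
    mode: int  # rwx bits for owner / group / others, e.g. 0o750


def has_right(user, groups, fms, want):
    """Owner / group / out-of-group comparison for one object; want is r, w or x."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    shift = 6 if user == fms.owner else 3 if fms.group in groups else 0
    return bool((fms.mode >> shift) & bit)


class PowerInformationMsu:
    """Holds every file management structure and does all comparisons itself;
    it never calls outward (it is a terminal MSU)."""

    def __init__(self, tree):
        self.tree = dict(tree)  # path -> FileMgmtStruct

    def check_create(self, user, groups, path):
        # analyse the path: each directory level must be searchable (x) ...
        walk = ""
        for part in path.strip("/").split("/")[:-1]:
            walk += "/" + part
            d = self.tree.get(walk)
            if d is None or not has_right(user, groups, d, "x"):
                return False
        # ... and the parent directory must be writable to add the new entry
        return has_right(user, groups, self.tree[walk or "/"], "w")

    def add_file(self, path, fms):
        self.tree[path] = fms

    def check_return(self, user, path):
        # return-path comparison (steps 6-7): constructed rule for this example
        fms = self.tree.get(path)
        return fms is not None and fms.owner == user


def create_file_msu2(info, user, groups, path):
    """Target function MSU-2: builds the new file management structure."""
    info.add_file(path, FileMgmtStruct(owner=user, group=groups[0], mode=0o640))
    return path


class PowerCheckMsu:
    """Receives the data passed by a function MSU, asks the power information
    MSU, and decides between continuing and the exception flow."""

    def __init__(self, info):
        self.info = info
        self.trace = []

    def mediate(self, user, groups, path, target):
        self.trace.append("step1: MSU-1 -> power check MSU")
        if not self.info.check_create(user, groups, path):   # steps 2-3
            raise PowerException(f"{user} may not create {path}")
        result = target(self.info, user, groups, path)       # step 4
        self.trace.append("step5: MSU-2 -> power check MSU")
        if not self.info.check_return(user, path):           # steps 6-7
            raise PowerException("result outside the user's power")
        self.trace.append("step8: power check MSU -> MSU-1")
        return result


def build_sample_info():
    """Constructed tree; root-owned /srv is not searchable by other users."""
    return PowerInformationMsu({
        "/":           FileMgmtStruct("root", "root", 0o755),
        "/home":       FileMgmtStruct("root", "root", 0o755),
        "/home/alice": FileMgmtStruct("alice", "users", 0o750),
        "/srv":        FileMgmtStruct("root", "root", 0o700),
    })


def run_create(info, user, groups, path):
    """Function MSU-1 requesting creation of `path`; returns (status, detail)."""
    checker = PowerCheckMsu(info)
    try:
        return ("ok", checker.mediate(user, groups, path, create_file_msu2))
    except PowerException as e:
        return ("exception", str(e))


if __name__ == "__main__":
    info = build_sample_info()
    print(run_create(info, "alice", ["users"], "/home/alice/notes.txt"))
    print(run_create(info, "bob", ["users"], "/home/alice/intruder"))
```

Note that MSU-2 never decides anything about permissions: it only builds the structure after the power check MSU has let the call through, which is the division of labour the page describes.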
  • after the system call soft interrupt is entered and execution reaches the function MSU corresponding to the system call, that function MSU receives parameters including the path of the file to be deleted. It first calls the power check MSU for a permission check, and the power check MSU passes the received parameters to the power information MSU.
  • the specific check is performed in the power information MSU by the special program for file power information processing, that is, by analyzing the path name it is determined whether the current user has the right to access the directory files at every level.
  • if the check passes, the file management structure corresponding to the file is released: its position on the file management structure bitmap is set to 0, and the directory entry corresponding to that file management structure in the corresponding directory file is emptied. No interaction with the outside world is required to complete this work.
  • after the system call soft interrupt is entered and execution reaches the function MSU corresponding to the system call, that function MSU receives parameters including the path of the file to be renamed and the new file name. It first calls the power check MSU, which passes the received parameters to the power information MSU.
  • the specific check is performed in the power information MSU by the special program for file power information processing, that is, by analyzing the path name it is determined whether the current user has the right to access the directory files at every level. If the check passes, the file name in the corresponding directory entry of the corresponding directory file is finally rewritten to the specified file name. No interaction with the outside world is required to complete this work.
  • after the system call soft interrupt is entered and execution reaches the function MSU corresponding to the system call, that function MSU receives parameters including the file handle of the target file, the address in the process space of the data to be written, and the number of bytes to write. It first calls the power check MSU for a permission check.
  • the power check MSU passes the received parameters to the power information MSU.
  • the specific check is performed in the power information MSU by the data block processing special program.
  • through the file handle, the file management structure is obtained via the file handle correspondence structure, and it is checked whether that file management structure lies within the scope of files the current user may operate on. If the check passes, the data block index information is further obtained, and the data to be written is delimited by the file offset mark and the number of bytes to write given in the parameters.
  • after the system call soft interrupt is entered and execution reaches the function MSU corresponding to the system call, that function MSU receives parameters including the file handle of the target file whose content is to be deleted and the size of the file content to be retained. It first calls the power check MSU for a permission check, and the power check MSU passes the received parameters to the power information MSU. The specific check is performed in the power information MSU by the data block processing special program. Through the file handle, the file management structure is obtained, and it is checked whether that file management structure lies within the scope of files the current user may operate on. If the check passes, the field identifying the file size in the file management structure is rewritten so that the file size matches the size of the retained content. No interaction with the outside world is required to complete this work.
  • a function MSU contains only its functional data, the program that processes that data, and the logic for accessing the outside; a function MSU can access the outside only through its designated ports, and can only call or return to the power check MSU. The power check MSU checks the power-related data among the data it receives; after the check passes, the power check MSU calls or returns to the port function of the other function MSU. The check MSU is responsible only for receiving the data passed by the function MSU and, according to the result of the check, deciding whether to continue the access between functional MSUs or to enter the exception handling process.
  • the power check MSU calls the power information MSU; the power information MSU compares the transmitted power-related data with the existing power information to determine whether the user has exceeded their power, and returns the comparison result to the power check MSU.
  • the logic for which instructions need to be added (taking a file read as an example) includes:
  • Step 1: through the system call soft interrupt, after entering the function MSU corresponding to the system call, it receives parameters including the file handle of the target file to read, the address in the process space where the read data is to be stored, and the number of bytes to read. Before the function MSU corresponding to the file read function is called, the power check MSU must be called to perform the power check.
  • the power check MSU passes the received parameters to the power information MSU, where the specific check is performed.
  • it is first checked whether the file read this time lies within the range of all files the current user can access; after that the parameters "number of bytes read" and "file offset" are power-checked, and from their values the data block range of the current file access can be delimited precisely, which also determines which of the data blocks to be accessed have already been loaded into the buffer and which have not yet. This power information is the basis for the power consistency checks on data blocks performed in the subsequent MSUs.
  • Step 2: when the function MSU corresponding to the read file function calls the function MSU corresponding to the buffer processing function, it must also pass through the power check MSU and power information MSU. First a power check is performed to check whether the file number passed down is the same as the file number of the target file to be read this time. If they are not the same, the access is deemed to exceed its authority and the exception handling process is entered.
  • Step 3: when the function MSU corresponding to the buffer processing function calls the function MSU corresponding to the file management function, it must also pass through the power check MSU and power information MSU. First a power check is performed to check whether the data block to be operated on belongs to the file currently being read; this is possible because the data block range was already delimited precisely, from the two parameters read bytes and file offset, in the power check performed before the function MSU corresponding to the read file function was entered from the system call.
  • Step 4: if the function MSU corresponding to the buffer processing function determines that the data block to be read has not been loaded into the buffer, it calls the function MSU corresponding to the page processing function to request a buffer block, again passing through the power check MSU and power information MSU. First a power check is performed to check whether the requested page belongs to another user. If it does, the access is deemed to exceed its authority and the exception processing flow is entered.
  • Step 5: after the buffer block is obtained, the function MSU corresponding to the buffer processing function calls the function MSU corresponding to the request item processing function, and must also pass through the power check MSU and power information MSU. First a power check is performed to check whether the buffer block number, device number, block number and page number of the buffer block passed down correspond to the file to be accessed. If they are not consistent, the access is deemed unauthorized and the exception processing flow is entered.
  • Step 6: the function MSU corresponding to the request item processing function calls the function MSU corresponding to the driver processing function. It also needs to pass through the power check MSU and power information MSU. First a power check is performed to check whether the absolute sector number and the number of sectors to read match the data blocks and byte count of the file to be read this time. If they do not match, the access is deemed to exceed its authority and the exception processing flow is entered.
  • Step 7: the function MSU corresponding to the driver processing function calls the terminal MSU responsible for sending the DMA command.
  • a power check is performed to check whether the DMA parameters passed down match the data block to be operated on this time. If they do not match, the access is regarded as unauthorized and the exception processing flow is entered. If they match, the data operation command being issued is not unauthorized, and the terminal MSU responsible for sending the DMA command is entered. This is the last step, and it directly sends the DMA disk read command.
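Steps 1 to 7 above form a chain in which the power information MSU delimits the data block range once, from the offset and byte count of the system call, and every later stage (buffer, file management, page, request item, driver, DMA) must present parameters consistent with that record. The Python below is an added example written for this page, not code from the patent or any implementation; the block size, sectors per block, device numbers, page ownership table and the set of parameters each stage passes down are constructed assumptions, and the `overrides` argument exists only so that an inconsistent stage can be simulated.

```python
"""Chained power checks on the file-read path. Added example; block size,
sector layout, devices and page ownership are constructed."""
from dataclasses import dataclass

BLOCK_SIZE = 1024        # assumed bytes per data block
SECTORS_PER_BLOCK = 2    # assumed 512-byte sectors per block


class PowerException(Exception):
    """The exception processing flow was entered."""


@dataclass
class ReadRecord:
    """What the power information MSU records at step 1 for one read."""
    file_no: int
    device_no: int
    blocks: tuple        # data block numbers delimited from offset / byte count
    abs_sectors: tuple   # absolute sectors those blocks occupy on the device


class PowerInformationMsu:
    def __init__(self, files_by_user, block_map, page_owner):
        self.files_by_user = files_by_user  # user -> {file_no: (device_no, [blocks])}
        self.block_map = block_map          # (device_no, block_no) -> first sector
        self.page_owner = page_owner        # page_no -> owning user (absent = free)

    def delimit(self, user, file_no, offset, nbytes):
        """Step 1: file must be among the user's accessible files; offset and
        byte count fix exactly which blocks this read may touch."""
        files = self.files_by_user.get(user, {})
        if file_no not in files:
            raise PowerException("step 1: file not within user's accessible files")
        if nbytes <= 0:
            raise PowerException("step 1: empty read")
        device_no, file_blocks = files[file_no]
        first, last = offset // BLOCK_SIZE, (offset + nbytes - 1) // BLOCK_SIZE
        if last >= len(file_blocks):
            raise PowerException("step 1: read range beyond the file's data blocks")
        blocks = tuple(file_blocks[first:last + 1])
        sectors = tuple(self.block_map[(device_no, b)] + i
                        for b in blocks for i in range(SECTORS_PER_BLOCK))
        return ReadRecord(file_no, device_no, blocks, sectors)


class PowerCheckMsu:
    """Every later inter-MSU call passes here; the parameters handed down are
    compared against the step 1 record."""

    def __init__(self):
        self.passed = []

    def gate(self, stage, consistent):
        if not consistent:
            raise PowerException(f"{stage}: parameters exceed the delimited read")
        self.passed.append(stage)


def run_read(info, user, file_no, offset, nbytes, overrides=None):
    """Drive steps 1-7. `overrides` replaces what an honest stage would pass
    down, modelling a faulty or compromised stage."""
    chk = PowerCheckMsu()
    rec = info.delimit(user, file_no, offset, nbytes)
    chk.passed.append("step1 delimit")
    p = {"file_no": rec.file_no, "block_no": rec.blocks[0], "page_no": 7,
         "device_no": rec.device_no, "sector": rec.abs_sectors[0],
         "count": len(rec.abs_sectors)}
    p.update(overrides or {})
    sectors = set(range(p["sector"], p["sector"] + p["count"]))
    chk.gate("step2 file number", p["file_no"] == rec.file_no)
    chk.gate("step3 data block", p["block_no"] in rec.blocks)
    chk.gate("step4 page owner", info.page_owner.get(p["page_no"], user) == user)
    chk.gate("step5 buffer block", p["device_no"] == rec.device_no
             and p["block_no"] in rec.blocks)
    chk.gate("step6 sectors", sectors <= set(rec.abs_sectors))
    chk.gate("step7 DMA", p["device_no"] == rec.device_no
             and sectors <= set(rec.abs_sectors))
    return chk.passed


def attempt_read(info, user, file_no, offset, nbytes, overrides=None):
    """Wrapper returning ('ok', stages passed) or ('exception', reason)."""
    try:
        return ("ok", run_read(info, user, file_no, offset, nbytes, overrides))
    except PowerException as e:
        return ("exception", str(e))


def build_sample_info():
    """Constructed sample: device 1 holds alice's file 10 and bob's file 11."""
    return PowerInformationMsu(
        files_by_user={"alice": {10: (1, [100, 101, 102])}, "bob": {11: (1, [200])}},
        block_map={(1, 100): 2000, (1, 101): 2002, (1, 102): 2004, (1, 200): 4000},
        page_owner={9: "bob"})


if __name__ == "__main__":
    info = build_sample_info()
    print(attempt_read(info, "alice", 10, 1024, 1024))
    print(attempt_read(info, "alice", 10, 1024, 1024, {"sector": 4000}))
```

The useful property to observe is that a driver-level stage cannot widen the read to another file's sectors even if the earlier stages agreed, because every stage is compared against the same step 1 record rather than against the stage before it.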
  • writing data to a process page requires at least two steps: one is finding the specified process page, and the other is writing the data to that page.
  • the operation of finding the specified process page is encapsulated in one MSU.
  • the operation of writing data to the specified page is encapsulated in a terminal MSU. The MSU responsible for finding the specified page cannot write data, and the MSU responsible for writing data cannot select the page, so neither MSU alone can go beyond its own function. After the MSU responsible for finding the specified process page has found it, control must pass through the power check MSU, which checks whether the current user has the right to write data to that page; if the check passes, the power check MSU calls the MSU that writes the data to carry out the write; if the check fails, the operation is intercepted.
  • the production of the A1 memory system device includes:
  • the information of the MSU control comparison table includes all MSU information, and specifically includes: MSU ID number, MSU boundary information, attribute information, port information, and validity / invalidation information. Preferably, it also includes information about the type of user to which the MSU belongs, and user identification information to which the MSU belongs.
  • the MSU boundary information includes: instruction area boundary information, global data area boundary information, and heap area boundary information.
  • the MSU port information includes: MSU exit information and MSU entry information;
  • the exit information of the MSU includes the ID, exit number, and exit address value of the MSU to which it belongs;
  • the entry information of the MSU includes the ID, entry number, and entry address value of the MSU to which it belongs;
  • the port matching table includes a pair of exits and entries having a calling relationship between MSUs.
  • each MSU In the data area of each MSU, set: a pointer variable pointing to the MSU control comparison table; a pointer variable pointing to the port matching table; a variable that records the address value of the bottom of the MSU stack.
  • a space is reserved in a page-aligned manner, and the space size is an integer multiple of the page size.
  • the control lookup table is set therein, and other data is not stored therein.
  • the MSU access control logic is enforced by software instructions, which specifically include:
  • the logic of the added instructions is: before the parameter-passing instructions of an inter-MSU call, obtain the stack top address value and push it onto the stack; this address value serves as the stack bottom address value of the target MSU. After the call enters the target MSU, at the start of its instructions, the address value passed on the stack is read and saved into the variable that records the current MSU's stack bottom address value.
  • since the access addresses of non-pointer variables can be determined at compile time, a preferred solution is to perform no boundary judgment on them at runtime and to check boundaries only for data pointers.
  • the specific method is: before the instruction that accesses a data pointer, add judgment logic that checks the boundary of the access, including:
  • Step 1: if the final destination address of the access lies in the global data area of the current MSU, or in its heap area, or in the region of the stack area corresponding to the current MSU, go to step 2; otherwise go to step 3;
  • Step 2: execute the data access instruction, then go to step 4;
  • Step 3: enter the exception handling flow;
  • Step 4: execute the next instruction.
  • Step 1: if the final destination address of the access lies in the instruction area of the current MSU, go to step 2; otherwise go to step 3;
  • Step 2: execute the indirect transfer instruction inside the MSU, then go to step 4;
  • Step 3: enter the exception handling flow;
  • Step 4: execute the next instruction.
  • the address of each inter-MSU call instruction and its target address are recorded by the compiler and linker and reflected in the check instructions.
  • the purpose of the port check is to verify that the current MSU call or return agrees with the expected inter-MSU call or return, so as to prevent the execution order between MSUs from being changed.
  • the specific method is: 1. before an inter-MSU call, check whether the address value of the current call instruction and the target address are recorded in the port matching table; 2. on an inter-MSU return, one return instruction may correspond to multiple legal return addresses, and matching exit against entry could reduce execution efficiency, so a preferred solution is to check only, on return, whether the return instruction is a legal exit.
  • non-transfer instructions can be determined at compile time to lie within the MSU's region.
  • for internal direct transfer instructions, the target address can likewise be ensured to lie within the MSU's region at compile time.
  • by setting the pages holding the instruction area to read-only, it is guaranteed that instructions will not be changed at runtime.
  • a preferred solution is to rely on the compilation stage to ensure their correctness and to perform no further check on them at runtime.
  • this operation is required whether the IO instructions are generated from high-level code or are directly embedded assembly, to ensure that every IO instruction in the executable program is preceded by this check logic.
  • an IO instruction is a special instruction that directly reads from or writes to peripheral devices.
  • the IO instructions of CPUs of different architectures differ, and the actual instruction set prevails; examples are the in and out instructions of the INTEL architecture.
  • access control application methods for this production method of the memory system device include:
  • B1, compiling the source program containing MSUs, including:
  • B1-1, extracting MSU information, including:
  • B1-1-1, writing and compiling source programs containing MSU information:
  • for compatibility, these rules add the following grammar rules on top of the C language:
  • the MSU type represents the attribute of the MSU: common_msu represents an ordinary MSU, check_msu a check MSU, terminal_msu a terminal MSU, nothing_msu an empty-port MSU, and share_msu a shared data MSU.
  • the MSU name is the identification information of the MSU; the data and functions inside a pair of {} belong to the same MSU.
  • a function marked with the inner access identifier is an MSU empty-port function;
  • a function marked with the port access identifier is an MSU port function;
  • the valid/invalid bit records whether the MSU is available: 1 means valid, 0 means invalid.
  • pointer area type: a pointer marked data is a global data area pointer; a pointer marked stack is a stack area pointer; a pointer marked heap is a heap area pointer; if no pointer area type identifier precedes the pointer definition, the pointer defaults to a global data area pointer.
  • through the added grammar rules the compiler recognizes the MSU information retained in the program and saves it in the syntax tree for use by subsequent steps.
  • when the compiler performs syntax analysis, the above rules identify the MSU-related information in the program, finally generating a syntax tree and saving the MSU information.
  • compilation of the remaining syntax is the same as in existing technology.
  • instructions and data belonging to the same MSU are page-aligned and separately densely linked; instructions are stored in the instruction area and data in the data area. All MSUs are uniformly addressed from the same base address within the same linear address space.
  • the current MSU ID stores the ID value of the currently running MSU, and is used to find the information of the currently running MSU in the MSU control comparison table.
  • the MSU control comparison table holds the information of all MSUs, specifically: MSU ID number, MSU boundary information, attribute information, port information, and valid/invalid information. Preferably it also includes the type of user to which the MSU belongs and the identification of that user.
  • the MSU ID number is generated from the distinct MSU names stored in the syntax tree;
  • the MSU boundary information includes: instruction area boundary information, global data area boundary information, and heap area boundary information.
  • the instruction area boundary information and global data area boundary information can be determined by totalling the space occupied by the generated instructions and global data;
  • for the heap area boundary information, since the size of the heap area to be established cannot be determined at compile time, an entry can be reserved in the comparison table and the information added at runtime when the heap area is needed;
  • the MSU attribute information can be set according to the MSU type information recorded in the syntax tree;
  • the MSU port information includes: MSU exit information and MSU entry information;
  • the exit information of an MSU includes the ID of the MSU it belongs to, the exit number, and the exit address value, where the exit number is a unique number for each exit, and the exit address value is the address of the inter-MSU call/return instruction;
  • the entry information of an MSU includes the ID of the MSU it belongs to, the entry number, and the entry address value, where the entry number is a unique number for each entry, and the entry address value is the address of the instruction following the inter-MSU call instruction, as well as the address of the first instruction of the port function;
  • the valid/invalid information is set from the valid/invalid flag recorded in the syntax tree node.
  • the port matching table is the set of calling relationships by which this MSU calls other MSUs.
  • one of its entries consists of a pair of exit and entry having an inter-MSU calling relationship.
  • the pointer variable pointing to the MSU control comparison table is used to access the MSU control comparison table in the check instructions.
  • the pointer variable pointing to the port matching table is used to access the port matching table in the check instructions.
  • the variable recording the address value of the bottom of the MSU stack is used in the check instructions to control the access boundary of the current MSU's stack area.
  • the initial value of this variable is the stack bottom address value of the stack for the corresponding privilege level.
  • in the linear address space of each MSU data area, a space is reserved in a page-aligned manner;
  • its size is an integer multiple of the page size;
  • the control comparison table is placed in it, no other data may be stored in it, and it is saved into the executable file.
  • the compiler analyzes the information recorded in the syntax tree and does not generate an executable program for code that does not comply with the MSU access rules; if it complies, it enters the subsequent process of generating assembly code and linking.
  • B1-3, generating instructions related to MSU access:
  • the generated inter-MSU call transfer instruction is: call target-address-value.
  • for inter-MSU calls, indirect transfer through the call instruction is not allowed.
  • the generated inter-MSU return transfer instruction is: ret.
  • the instructions for accessing this MSU's global data and heap data are the same as those for accessing stack data.
  • when a process is created, the operating system allocates a stack area for the process.
  • a preferred solution is to set the stack size to the size actually applicable rather than the size of the entire linear address space;
  • the boundary of the shared data MSU representing the stack is set to the same boundary as the stack.
  • when a program in an MSU is executing and needs to request/release heap space, it enters the kernel through a dedicated system call; the dedicated program in the kernel requests/releases heap space for it and modifies the heap area boundary value in the MSU control comparison table accordingly.
  • when a program in an MSU is executing and needs to add/remove an MSU, it enters the kernel through a dedicated system call; the dedicated program in the kernel adds/removes the MSU for it and modifies the corresponding data used for boundary access control.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention discloses an access control method, relating to information technology and in particular to the field of information security, comprising: ensuring the correctness of power information, and performing power checks on the basis of the power information. Ensuring the correctness of power information comprises: in memory space, isolating the power information and the code that maintains it from the rest of the software system; and, during the computation and processing of any item of power information, no longer interacting with the outside. Performing power checks on the basis of the power information comprises: during completion of a user-specified task, checking, at specified positions and according to the power information, the data processed by the software system. With the solution provided by the present invention, power information cannot be tampered with by an attacker, and no effective attack result can be obtained.

Description

A method and computing device for isolating power information and relying on it for power checks
Technical field
This application relates to the field of information technology, in particular to an access control technique and to a technique for preventing attacks through power control.
Background
In existing technology, software inevitably contains design defects, and these defects often become "vulnerabilities" that can be exploited for attack. For example, using out-of-range array copies, array index operations that cause out-of-bounds access, and similar methods, an attacker can modify kernel data and code with prepared data and then launch an attack.
On this basis, the attacker can further modify authorization information and change the authorization state, thereby obtaining a state beyond authorization, and can then perform operations such as the following:
1. Reading user data (including data in memory and in peripherals) beyond authorization.
2. Writing (including tampering with and deleting) user data beyond authorization.
3. Executing system calls beyond authorization.
4. Executing application programs beyond authorization.
One root cause of the above problems is that the memory structure under the current von Neumann architecture is almost flat, so once an attack occurs the attacker may jump to almost any target location it wants, then complete operations such as data overwriting and thereby obtain a state beyond authorization. Further, the operating system lacks an effective mechanism for user access control, so an attacking program can easily obtain authority beyond its authorization through an attack and retain that state.
In particular, attacks like Dirty Cow exploit a race condition in the operating system kernel: a race is triggered by what may be called "external oscillation", thereby obtaining an effect beyond authorization.
Summary of the invention
Addressing the problems of existing technology, the present invention establishes an access control method characterized in that: the power information and the code that maintains it are isolated from the rest of the software system to ensure the correctness of the power information, and checks are performed on the basis of the power information.
Preferably, the check refers to performing a power check according to the isolated power information during execution of the system, at the time of cross-MSU access.
The power information includes: user information and the user's read/write scope for files. For example: information indicating the user a file belongs to; information on the user group a file belongs to; read, write and execute permission information for the user, the user group and users outside the group; file data block number index information; and so on.
Isolating the power information and the code that maintains it from the rest of the software system to ensure the correctness of the power information includes: in memory space, isolating the power information and the code that maintains it from the rest of the software system; and/or, during the computation and processing of any item of power information, no longer interacting with the outside. Performing power checks on the basis of the power information includes: during completion of a user-specified task, checking, at specified positions and according to the power information, the data processed by the software system.
Isolating, in memory space, the power information and the code that maintains it from the rest of the software system includes: within the same linear address space, independently encapsulating the power information and the program that maintains it and storing them separately from the rest of the software's programs. Preferably, a terminal MSU is used to store the power information and the code that maintains it (such an MSU is hereafter called the power information MSU). It further includes: separately encapsulating the program that performs the check function, which decides the subsequent execution of the program according to the result of the power check; this is called check encapsulation. Preferably, check encapsulation is implemented with a check MSU (such an MSU is hereafter called the power check MSU).
The MSU refers to a memory system unit; a memory system unit is a specific unit in a memory system device; a memory system device refers to a set of specific access controls and the access region that they control.
Unless otherwise specified, the abbreviation MSU in the present invention corresponds to Memory System Unit.
The region includes: a CPU-addressable storage space enclosed by a set of boundaries. The region must be recognized by the access control set, where recognition means recording the region's information in the MSU information. The access control set includes: MSU information, a permission mechanism for accessing the region, and/or a prohibition mechanism for accessing the region. The addressable storage space can hold data and/or instructions. Preferably, all of the software's data and code are placed into the designated MSUs as required by the design, i.e. no code or data is placed outside an MSU.
The CPU refers to the central processing unit.
Further, a region consists of one or more contiguous storage areas in the same linear address space, each contiguous storage area being delimited by address markers at its two ends; the set of all such address markers constitutes the region's boundary. For a region consisting of multiple contiguous storage areas, the preferred solution is that the contiguous storage areas of the region do not intersect one another. The storage areas holding data and code are called the data area and the instruction area respectively. The regions of different MSUs do not intersect.
Further, the MSU information includes: MSU boundary information, MSU port information, and MSU attribute information. As an optional implementation, an empty-port MSU may be set up; its MSU port information is empty, while it still has MSU boundary information and MSU attribute information.
Preferably, the MSU information further includes: MSU user information.
Further, the permission mechanism includes: permitting execution of non-transfer instructions, interrupt instructions, and transfer instructions whose target address lies within the current region (not beyond it), and permitting instructions in the region to access data within the current region. Further, the permission mechanism includes: permitting data to be passed between regions, whether from inside to outside or from outside to inside, by parameter passing; permitting data to be passed between regions through shared physical memory, preferably using shared physical memory when large amounts of data are passed; and the permission mechanism for inter-region access, i.e. leaving or entering the present region, further includes: transfer instructions between MSUs must pass through ports, and the attribute information and port information must match.
The prohibition mechanism includes: prohibiting execution of instructions in the data area of a region. Apart from what the permission mechanism allows, every cross-region instruction execution from inside the region to outside or from outside to inside (including non-transfer instructions, transfer instructions, and mismatched cases) and every cross-region data access raises an exception.
A special case is the shared data MSU, which contains only data shared by other MSUs and no instructions; other MSUs are permitted to operate on the data through agreed instructions.
In one specific implementation of the present invention, the kernel stack and/or the user stack are placed in a shared data MSU; the MSU to which a stack belongs must be a shared data MSU, and other MSUs operate on the data in the stack through agreed instructions.
The MSU boundary information includes: the set formed by the boundary information of all contiguous storage areas in the region recognized by the access control set. The data structure storing the above information is called boundary data for short; the address of the boundary data is associated with the memory system device and is identifiable by it. When the boundary of a region needs to be looked up, the device can find the data structure from the address of the boundary data and thereby obtain all the boundary information.
The MSU port information includes entries and/or exits. Within the instruction address range of the region recognized by the access control set, a finite number of instruction addresses are designated as entries or exits, each instruction address being one entry or one exit. An optional entry is: the target address of an inter-MSU transfer instruction in the region; an optional exit is: the address at which an inter-MSU transfer instruction is located.
The MSU attribute information includes: MSU identification information and MSU type information. The MSU identification information is a unique identifier distinguishing the MSU from other MSUs. The MSU type information may be one of: ordinary MSU, shared data MSU.
Preferably, the MSU attribute information may further include: information on the type of user the MSU belongs to, and the identification of the user the MSU belongs to. The former is the type of the user to which this MSU belongs (in some application scenarios the user type is the user role); the latter is the unique identifier of the user to which the MSU belongs.
Preferably, the aforementioned boundary information and/or attribute information and/or MSU port information may be combined into one complete data structure that is more convenient to use.
MSU port information matching and MSU attribute information matching mean: during the program initialization stage, the exit, entry, boundary, identification and type information of the MSUs needed for executing transfer instructions are recorded in an MSU descriptor table; at runtime, the information contained in a transfer instruction is compared respectively with the port information and attribute information in the MSU descriptor table. If the result matches, the transfer is deemed legal and the transfer instruction is allowed to execute; otherwise it is deemed illegal and an exception is reported.
Further, a check MSU is added to the MSU type information. An MSU whose type information is marked "check MSU" is regarded as a check MSU. When the device contains check MSUs, a non-check MSU is not allowed to call another non-check MSU directly; the source MSU must first call a check MSU, and the check MSU then calls the target MSU. When the target MSU returns, it first returns to the check MSU, and the check MSU then returns to the source MSU. A non-check MSU is any MSU of a type other than check MSU.
Further, a terminal MSU is added to the MSU type information. An MSU whose type information is marked "terminal MSU" may only be called by other MSUs and may not call other MSUs.
Further, an empty-port MSU is added to the MSU type information. An MSU whose type information is marked "empty-port MSU" has no ports; other MSUs may call the functions of any empty-port MSU through their own ports, but may not directly access the data of an empty-port MSU. An empty-port MSU calling another MSU must enter that MSU through its port. Different empty-port MSUs may call each other's functions freely but may not access each other's data. When terminal MSUs exist, an empty-port MSU may not call a terminal MSU.
Further, a safe-box MSU is added to the MSU type information. Such an MSU is not allowed to contain an instruction area. Only certain operations that need to save state information may access this MSU. Preferably, the state information may be return addresses, interrupt contexts, and the like.
Further, an IO instruction MSU is added to the MSU type information. When the device contains IO instruction MSUs, the special instructions related to IO operations are permitted to execute only within MSUs of this type. The attribute matching check rules for such MSUs are the same as for terminal MSUs.
The device may support none, one, or several of the implementations of check MSU, terminal MSU, empty-port MSU, safe-box MSU, and IO instruction MSU.
No longer interacting with the outside during the computation and processing of any item of power information includes: in the initialization stage, the boot program triggers execution of a dedicated power-information loading program that loads all power information into the power information MSU in one go; before shutdown, the kernel's general shutdown program triggers a dedicated power-information synchronization program that synchronizes all power information to the peripheral, ensuring that the power information stored on the peripheral is consistent with that in memory; if the power information MSU receives a create-file request, its internal file power information handler analyzes the file path and finally adds the file management structure information; if it receives a delete-file request, it analyzes the file path and finally deletes the file management structure information; if it receives a rename-file request, it analyzes the file path and finally changes the contents of the directory entry corresponding to the file name; if the power information MSU receives a write-file request, its internal data block handler finds the data block index information through the file management structure and adds the data block number to the index information management structure; if it receives a delete-logical-block request, it finds the data block index information through the file management structure and deletes the data block number from the index information management structure. The dedicated file management information handler and the dedicated data block handler in the MSU can complete the specified power information processing by themselves, without any external support.
Checking, during completion of a user-specified task, the data processed by the software system at specified positions according to the power information includes: encapsulating the programs unrelated to the power information and its maintenance code in separate MSUs whose attribute is ordinary MSU (such MSUs are hereafter called function MSUs). Function MSUs cannot call or return to one another directly; a power check must be performed first. When function MSU-1 needs to call function MSU-2, a preferred approach, described with reference to Figure 1, is as follows. The source code records the call requirement of MSU-1 on MSU-2. In actual execution, function MSU-1 calls the power check MSU (step 1 in Figure 1); the power check MSU then calls the power information MSU (step 2 in Figure 1) and passes the power-related data to the power information MSU for comparison; the power information MSU returns the check result to the power check MSU (step 3 in Figure 1). If the comparison result exceeds the range defined by the user's power information, the exception handling flow is entered; if not, the power check MSU actually calls the target function MSU-2 to execute, according to the call requirement (step 4 in Figure 1). And/or, when function MSU-2 returns, it first returns to the power check MSU (step 5 in Figure 1); the power check MSU then calls the power information MSU (step 6 in Figure 1) and passes the power-related data to it for comparison; it returns the check result to the power check MSU (step 7 in Figure 1); if the comparison result exceeds the range defined by the user's power information, the exception handling flow is entered; if not, the power check MSU returns to function MSU-1 to continue execution (step 8 in Figure 1).
An access control method, characterized in that:
the content of each MSU is ensured to have a single function, including: ensuring that the content of each MSU can complete only a part of the functionality of the user-specified task, and that this part of the functionality cannot by itself achieve an exceeding of authority.
An access control mechanism, characterized by using the aforementioned power-based access control method.
A secure operating system, characterized by using the aforementioned power-based access control method.
Through the above methods, the present invention achieves the following technical effects:
Power information is the basis of power checks. Spatially isolating the power information and its maintenance program from the rest of the software system, in particular through the MSU mechanism, effectively prevents the correctness of the power information from being affected when the rest of the software system is attacked. On the basis of that guaranteed correctness, performing a power check according to the isolated power information at every inter-MSU access further prevents operations exceeding authority between MSUs.
No longer interacting with the outside during the computation and processing of any item of power information first makes the handling of power information extremely simple and single-purpose, so that its correctness can be guaranteed by formal testing and exhaustive testing; second, since no interaction with the outside is needed during processing, the power information processing is guaranteed not to be influenced by the outside, which guarantees its correctness.
Independently encapsulating the rest of the software system, in particular through the MSU mechanism, guarantees that the program in each MSU can be called and can return only through a limited number of ports; performing power checks at the ports guarantees that every interaction between MSUs passes through a power check, so that no operation exceeding authority between MSUs is possible. Performing power checks between all MSUs guarantees that no operation exceeding authority between MSUs can be achieved throughout the program's execution.
An operation exceeding authority requires the coordination of several functions in the program. The MSU mechanism, by ensuring that each MSU has a single function, ensures that the program within an MSU cannot independently exceed authority.
Encapsulating operations on peripherals or on user data in terminal MSUs, ensuring that such terminal MSUs contain nothing else, and requiring the remaining MSUs to go through such terminal MSUs whenever they need to interact with peripherals or operate on user data, prevents programs in other MSUs from directly exceeding authority by interacting with peripherals or operating on user data themselves.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Figure 1: schematic diagram showing that MSU-1 calling MSU-2 must go through the power check MSU for a power check.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The technical content of the present invention is further explained below through specific embodiments.
Embodiment 1
One implementation of "no longer interacting with the outside during the computation and processing of any item of power information" is:
After system startup and before the contents of all ordinary MSUs are loaded, the boot program triggers execution of a dedicated power-information loading program that loads all power information into the power information encapsulation in one go. This dedicated loading program contains only the logic for loading power information and nothing else, which ensures that it is single-purpose and logically simple; its correctness can be determined by formal testing and exhaustive testing, and during loading it will not itself generate an attack affecting the reliability of the power information. At the same time, since the data processed by the software system has not yet been loaded, no other program is executing at this point and no attack can arise, so the existing power information and the power information handlers are also correct after loading.
Embodiment 2
One implementation of "no longer interacting with the outside during the computation and processing of any item of power information" is:
Before shutdown, the kernel's general shutdown program triggers a dedicated power-information synchronization program that synchronizes all power information to the peripheral, ensuring that the power information stored on the peripheral is consistent with that in memory. The logic of this dedicated program consists of synchronizing power information to the peripheral and nothing else, which ensures that it is single-purpose and logically simple; its correctness can be determined by formal testing and exhaustive testing, and during synchronization it will not itself generate an attack affecting the reliability of the power information.
Embodiment 3
One implementation of "no longer interacting with the outside during the computation and processing of any item of power information" is:
Taking file creation as an example:
After entering the function MSU corresponding to the system call via the system call software interrupt, the function MSU receives parameters including the path of the file to be created, the read/write attributes, and the create-file flag. It first calls the power check MSU for a permission check; the power check MSU passes the parameters on to the power information MSU, where the actual check is done by the dedicated file power information handler: by analyzing the path name it determines whether the current user has the right to access the directory files at every level. If the check passes, it finally creates and adds a file management structure for the target file (whose file power attribute field contains the user identity information, the user group information, and the "read", "write" and "execute" permissions of the user, the group, and users outside the group for the new file) and marks it in the file attribute management structure bitmap; at the same time it finds free entries in the file operation management structure and in the structure corresponding to the file handle, and through these entries establishes the correspondence file operation management structure - file handle structure - file attribute management structure. The whole job requires no interaction with the outside.
Taking file deletion as an example:
After entering the function MSU corresponding to the system call via the system call software interrupt, the function MSU receives parameters including the path of the file to be deleted. It first calls the power check MSU for a permission check; the power check MSU passes the parameters on to the power information MSU, where the actual check is done by the dedicated file power information handler: by analyzing the path name it determines whether the current user has the right to access the directory files at every level. If the check passes, it finally deletes the file management structure corresponding to the target file, sets to 0 the bit corresponding to that file management structure in the file management structure bitmap, and clears the directory entry corresponding to that file management structure in the relevant directory file. The whole job requires no interaction with the outside.
Taking file renaming as an example:
After entering the function MSU corresponding to the system call via the system call software interrupt, the function MSU receives parameters including the path of the file to be renamed and the new file name. It first calls the power check MSU for a permission check; the power check MSU passes the parameters on to the power information MSU, where the actual check is done by the dedicated file power information handler: by analyzing the path name it determines whether the current user has the right to access the directory files at every level. If the check passes, it finally rewrites the file name in the corresponding directory entry of the relevant directory file to the specified name. The whole job requires no interaction with the outside.
Embodiment 4
One implementation of "no longer interacting with the outside during the computation and processing of any item of power information" is:
Taking writing content to a file as an example:
After entering the function MSU corresponding to the system call via the system call software interrupt, it receives parameters including the file handle of the target file, the address in process space of the data to be written, and the number of bytes to write. It first calls the power check MSU for a permission check; the power check MSU passes the parameters on to the power information MSU, where the actual check is done by the dedicated data block handler: through the file handle it obtains the file management structure and checks whether that structure is within the set of files the current user may operate on. If the check passes, it further obtains the data block index information and, from the file offset marker and the byte count in the parameters, determines how many data blocks the data to be written will occupy and their logical positions in the file; through the data block management bitmap it determines which free data blocks on the block device to occupy, determines their block numbers, and finally writes the data block numbers into the index information. The whole job requires no interaction with the outside.
Taking deleting content from a file as an example:
After entering the function MSU corresponding to the system call via the system call software interrupt, it receives parameters including the file handle of the target file and the size of the file content to retain. It first calls the power check MSU for a permission check; the power check MSU passes the parameters on to the power information MSU, where the actual check is done by the dedicated data block handler: through the file handle it obtains the file management structure and checks whether that structure is within the set of files the current user may operate on. If the check passes, it rewrites the field identifying the file size in the file management structure according to the retained content size, thereby adjusting the file size. The whole job requires no interaction with the outside.
Embodiment 5
One implementation of "using the characteristics of the MSU to perform power checks between the MSUs holding content other than the power information and the code that maintains it" is:
A function MSU contains only function information, the programs that process that information, and the logic for accessing the outside. A function MSU can access the outside only through designated ports, and can only call or return to the power check MSU. The power check MSU checks the power-related data among the data passed to it, and after the check passes the power check MSU calls or returns to the port function of the other function MSU. The check MSU is responsible only for receiving the data passed by function MSUs and for deciding, according to whether the check passes, whether to continue completing the access between function MSUs or to enter the exception handling flow. For the actual power checking work, the power check MSU calls the power information MSU, which compares the power information passed down with the existing power information, determines whether the user exceeds authority, and returns the comparison result to the power check MSU.
To this end, instructions for the power check need to be added in the function MSU, with the following logic:
Before a function MSU port function calls the power check MSU port function, the logic of the added instructions includes:
pass the parameters (which contain the power information);
pass the ID number of the current function MSU;
pass the exit number of the current function MSU;
pass the ID number of the target function MSU;
pass the entry number of the target function MSU.
In the power check MSU, the logic of the instructions added for the power check includes:
from the source function MSU's ID number, the source MSU's exit number, the target function MSU's ID number and the target MSU's entry number, find the corresponding check logic;
extract the power information from the parameters and call the corresponding power information MSU port function, passing the power information to the power information MSU as a parameter;
receive the power check result returned by the power information MSU; if the power check fails, enter the exception handling flow; if it passes, call the port function of the target function MSU;
extract the power information from the return value of the target function MSU's port function and call the corresponding power information MSU port function, passing the power information to the power information MSU as a parameter;
receive the power check result returned by the power information MSU; if the power check fails, enter the exception handling flow; if it passes, return to the port function of the source function MSU and pass the return value back to it.
A specific application is:
Power checks performed during file reading:
Step 1: after entering the function MSU corresponding to the system call via the system call software interrupt, it receives the file handle of the target file, the address in process space where the read data is to be stored, and the number of bytes to read. Before calling the function MSU for the read-file function, it must first call the power check MSU for a permission check; the power check MSU passes the parameters to the power information MSU, where the actual check is done. Upon receiving the parameters, the power information MSU analyzes the file handle to determine that the file being read is within the set of all files the current user may access; it then performs a power check on the parameters "number of bytes to read and file offset", whose values precisely delimit the range of data blocks of the file accessed this time and also determine which of the data blocks to be accessed have already been loaded into the buffer and which have not. This power information serves as the basis for the power consistency checks on data blocks in subsequent MSUs.
Step 2: when the function MSU for the read-file function calls the function MSU for buffer processing, it must also first go through the power check MSU and the power information MSU for a power check, which checks whether the file number is the same as that of the target file to be read this time; if not, this is treated as exceeding authority and the exception handling flow is entered.
Step 3: when the function MSU for buffer processing calls the MSU for the file management function, it must also first go through the power check MSU and the power information MSU for a power check, which checks whether the data block to be operated on belongs to the file currently being read. Because the power check performed before the system call's function MSU called the read-file function MSU already precisely delimited the range of data blocks to be read this time from the two parameters byte count and file offset, checking the file ownership of a data block at this point can detect not only whether the block belongs to the target file (if not, this is treated as exceeding authority) but also whether it lies within the range of blocks to be operated on this time; if it lies outside, even if this is not an exceeding of authority, a warning can be raised and the exception handling flow entered.
Step 4: if the function MSU for buffer processing determines that the data block to be read is not loaded in the buffer, it also calls the function MSU for page processing to request a buffer block, and must likewise first go through the power check MSU and the power information MSU for a power check, which checks whether the page obtained belongs to another user; if so, this is treated as exceeding authority and the exception handling flow is entered.
Step 5: after the buffer block is obtained, the function MSU for buffer processing calls the function MSU for request item processing, and must likewise first go through the power check MSU and the power information MSU for a power check, which checks whether the buffer block number, device number, block number and page number of the buffer block passed down correspond to the file currently being accessed; if not, this is treated as exceeding authority and the exception handling flow is entered.
Step 6: the function MSU for request item processing calls the function MSU for driver processing, and must likewise first go through the power check MSU and the power information MSU for a power check, which checks whether the absolute sector number and number of sectors to read passed down match the file data blocks and byte count specified for this read; if not, this is treated as exceeding authority and the exception handling flow is entered.
Step 7: the function MSU for driver processing calls the terminal MSU for DMA command sending; before the call, a power check is performed to verify that the DMA parameters passed down match the data block to be operated on this time. If they do not match, this is treated as exceeding authority and the exception handling flow is entered; if they match, the issued data operation command does not exceed authority, and control enters the terminal MSU for DMA command sending, which is the last step and directly issues the DMA disk-read command.
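The following is an added example (not code from the patent) that models the mediated call path of Figure 1 and the added-instruction logic of Embodiment 5 in C: a function MSU hands (source ID, exit number, target ID, entry number) plus its parameters to a power check MSU, which selects the check logic for that transition and relays the verdict of a power information MSU. The step-1 check delimits the block range of a read from (offset, byte count); the step-3 check then verifies that a block passed down belongs to the target file and lies inside that range. All MSU IDs, file numbers, block numbers, the 1024-byte block size and the permission layout are constructed sample values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed power information as held by the power information MSU:
 * per-file owner, owner read permission and the data block index. */
#define BLOCK_SIZE 1024   /* hypothetical block size */
#define MAX_BLOCKS 8

struct file_power {
    int file_no;
    int owner_uid;
    bool owner_read;
    int blocks[MAX_BLOCKS];   /* data block numbers on the block device */
    int nblocks;
};
static const struct file_power power_info[] = {
    { 1, 1000, true, { 500, 501, 502, 503 }, 4 },
    { 2, 1001, true, { 700, 701 }, 2 },
};

/* Block range delimited by the step-1 check; later steps verify against it. */
struct read_range { int file_no; int first_idx; int last_idx; };

enum check_result { CHECK_OK = 0, CHECK_EXCEED = 1, CHECK_WARN = 2 };

/* What the function MSU passes to the power check MSU before the call. */
struct port_ids { int src_msu, src_exit, dst_msu, dst_entry; };
struct check_params { int uid, file_no, block_no; uint32_t offset, nbytes; };

/* Constructed MSU ids on the read path and the check logic per transition. */
enum { MSU_SYSCALL = 1, MSU_READFILE = 2, MSU_BUFFER = 3, MSU_FILEMGMT = 4 };
enum check_kind { KIND_READ_RANGE, KIND_BLOCK_OWNER };
static const struct { struct port_ids p; enum check_kind kind; } check_table[] = {
    { { MSU_SYSCALL, 1, MSU_READFILE, 1 }, KIND_READ_RANGE },
    { { MSU_BUFFER,  1, MSU_FILEMGMT, 1 }, KIND_BLOCK_OWNER },
};

static const struct file_power *lookup_file(int file_no)
{
    for (size_t i = 0; i < sizeof power_info / sizeof power_info[0]; i++)
        if (power_info[i].file_no == file_no) return &power_info[i];
    return NULL;
}

/* Power information MSU, step 1: the handle must map to a file the user may
 * read, and (offset, nbytes) delimits the logical block range of this read. */
static enum check_result power_check_read(const struct check_params *a,
                                          struct read_range *out)
{
    const struct file_power *f = lookup_file(a->file_no);
    if (!f || f->owner_uid != a->uid || !f->owner_read) return CHECK_EXCEED;
    if (a->nbytes == 0) return CHECK_EXCEED;                /* nothing to delimit */
    uint32_t first = a->offset / BLOCK_SIZE;
    uint32_t last  = (a->offset + a->nbytes - 1) / BLOCK_SIZE;
    if (last >= (uint32_t)f->nblocks) return CHECK_EXCEED;  /* reads past the file */
    out->file_no = a->file_no; out->first_idx = (int)first; out->last_idx = (int)last;
    return CHECK_OK;
}

/* Power information MSU, step 3: a block handed down must belong to the target
 * file (else exceeding authority) and lie inside the delimited range (else warn). */
static enum check_result power_check_block(const struct read_range *r, int block_no)
{
    const struct file_power *f = lookup_file(r->file_no);
    if (!f) return CHECK_EXCEED;
    for (int i = 0; i < f->nblocks; i++)
        if (f->blocks[i] == block_no)
            return (i >= r->first_idx && i <= r->last_idx) ? CHECK_OK : CHECK_WARN;
    return CHECK_EXCEED;
}

/* Power check MSU: select the check logic from (src id, exit, dst id, entry),
 * hand the power-related data to the power information MSU, relay the verdict. */
static enum check_result power_check_msu(const struct port_ids *p,
                                         const struct check_params *a,
                                         struct read_range *range)
{
    for (size_t i = 0; i < sizeof check_table / sizeof check_table[0]; i++) {
        const struct port_ids *t = &check_table[i].p;
        if (t->src_msu != p->src_msu || t->src_exit != p->src_exit ||
            t->dst_msu != p->dst_msu || t->dst_entry != p->dst_entry) continue;
        if (check_table[i].kind == KIND_READ_RANGE) return power_check_read(a, range);
        return power_check_block(range, a->block_no);
    }
    return CHECK_EXCEED;   /* no check logic recorded: the transition is intercepted */
}

/* Drives the mediated read path: syscall MSU -> read-file MSU (step 1), then
 * buffer MSU -> file-management MSU (step 3); the first failing check wins. */
enum check_result read_flow(int uid, int file_no, uint32_t offset,
                            uint32_t nbytes, int block_no)
{
    struct read_range range = { 0, 0, 0 };
    struct check_params a = { uid, file_no, block_no, offset, nbytes };
    struct port_ids step1 = { MSU_SYSCALL, 1, MSU_READFILE, 1 };
    struct port_ids step3 = { MSU_BUFFER, 1, MSU_FILEMGMT, 1 };
    enum check_result r = power_check_msu(&step1, &a, &range);
    if (r != CHECK_OK) return r;
    return power_check_msu(&step3, &a, &range);
}
```

A read of 1000 bytes at offset 1500 of file 1 by its owner delimits logical blocks 1 to 2; block 502 (index 2) passes, block 500 (index 0) belongs to the file but is outside the range and yields the warning case of step 3, and any block of file 2 is an exceeding of authority.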
Embodiment 6
One implementation of "ensuring that the content of each MSU has a single function" is:
For example, writing data into a process page requires at least two steps: one is to find the specified process page, the other is to write the data into the specified page. To ensure single function, the part that finds the specified process page is encapsulated in an ordinary MSU and the part that writes data into the specified page is encapsulated in a terminal MSU. The MSU responsible for finding the specified page cannot write data, and the MSU responsible for writing data cannot specify the page, so neither MSU's content can exceed authority on its own. After the MSU responsible for finding the specified process page has found it, it must first go through the power check MSU, which checks whether the current user has the right to write data into the specified page; if the check passes, the power check MSU calls the MSU for data writing to execute; if the check fails, the call is intercepted.
Embodiment 7:
A method of producing MSUs that perform access control by software instructions under an existing architecture, and an access control application approach for that method:
A1, production of the memory system device, specifically including:
A1-1, producing the MSU information recording unit:
Establish the following data:
the ID of the current MSU; the MSU control comparison table; the port matching table; a pointer variable pointing to the MSU control comparison table; a pointer variable pointing to the port matching table; a variable recording the address value of the bottom of the MSU stack.
The MSU control comparison table contains the information of all MSUs, specifically: MSU ID number, MSU boundary information, attribute information, port information, and valid/invalid information. Preferably it also includes the type of user the MSU belongs to and the identification of that user.
The MSU boundary information includes: instruction area boundary information, global data area boundary information, and heap area boundary information.
The MSU port information includes: MSU exit information and MSU entry information;
The exit information of an MSU includes: the ID of the MSU it belongs to, the exit number, and the exit address value; the entry information of an MSU includes: the ID of the MSU it belongs to, the entry number, and the entry address value;
The port matching table includes: pairs of exit and entry that have an inter-MSU calling relationship.
In the data area of each MSU, set: a pointer variable pointing to the MSU control comparison table; a pointer variable pointing to the port matching table; a variable recording the address value of the bottom of the MSU stack.
In the linear address space of each MSU data area, a space is reserved in a page-aligned manner, its size an integer multiple of the page size; the control comparison table is placed in it and no other data is stored there.
A1-2, producing the access control unit
In this production method, MSU access control logic is enforced by software instructions, specifically including:
● Obtaining the stack bottom address value of the current MSU:
The logic of the added instructions is: before the parameter-passing instructions of an inter-MSU call, obtain the stack top address value and push it onto the stack; this address value serves as the stack bottom address value of the target MSU. After the call enters the target MSU, at the start of its instructions, the address value passed on the stack is read and saved into the variable that records the current MSU's stack bottom address value.
● Adding check instructions to determine whether a data access exceeds the MSU boundary:
Since the access addresses of non-pointer variables can be determined at compile time, a preferred solution is to perform no boundary judgment on them at runtime and to check boundaries only for data pointers. Specifically: before the instruction that accesses a data pointer, add judgment logic for the boundary check of the access, including:
Step 1: if the final destination address of the access lies in the global data area of the current MSU, or in its heap area, or in the region of the stack area corresponding to the current MSU, go to step 2; otherwise go to step 3;
Step 2: execute the data access instruction, then go to step 4;
Step 3: enter the exception handling flow;
Step 4: execute the next instruction.
● Adding check instructions to determine whether the target address of an indirect transfer instruction inside the MSU exceeds the MSU boundary:
Since the target addresses of direct transfer instructions inside an MSU can be determined at compile time, a preferred solution is to perform no boundary judgment on them at runtime and to check only the target addresses of indirect transfer instructions inside the MSU. Specifically: before an indirect transfer instruction inside the MSU, add judgment logic for the boundary check of the access, including:
Step 1: if the final destination address of the access lies in the instruction area of the current MSU, go to step 2; otherwise go to step 3;
Step 2: execute the indirect transfer instruction inside the MSU, then go to step 4;
Step 3: enter the exception handling flow;
Step 4: execute the next instruction.
● MSU attribute matching check:
Through the compiler and linker, the address of each inter-MSU call instruction and its target address are recorded and reflected in the check instructions.
From the target address value of the inter-MSU call instruction and the boundary information of all MSUs, the target MSU is determined, and the attributes of the current MSU are compared with those of the target MSU. If the attributes match according to the MSU attribute matching rules recorded in the summary of the invention, the port matching check is performed next; otherwise the exception handling flow is entered.
● MSU port matching check:
The purpose of the port check is to verify that the current MSU call or return agrees with the expected inter-MSU call or return, preventing the inter-MSU execution order from being changed. Specifically: 1. before an inter-MSU call, check whether the address value of the current call instruction and the target address are recorded in the port matching table; 2. on an inter-MSU return, one return instruction may correspond to multiple legal return addresses, and matching exit against entry could reduce execution efficiency, so a preferred solution is to check only, on return, whether the return instruction is a legal exit.
The logic added before an inter-MSU call instruction is as follows:
Using the address value of the inter-MSU call instruction, find the corresponding exit in the port matching table and, through that exit, determine its matching entry; then judge whether the target address value of the inter-MSU call instruction is the same as that entry's address value. If so, allow the inter-MSU call instruction to execute; otherwise enter the exception handling flow.
The logic added before an inter-MSU return instruction is as follows: using the address value of the inter-MSU return instruction, look for the corresponding exit in the current MSU's control comparison table. If it can be found, this is a legal exit and the inter-MSU return instruction is allowed to execute; otherwise the exception handling flow is entered.
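The following is an added example in C (not code from the patent) showing the four runtime checks of A1-2 over a constructed MSU control comparison table and port matching table: the data-pointer boundary check (global data, heap, or the current MSU's slice of the shared stack between the stack pointer and the stack bottom value received on entry), the indirect-transfer check against the instruction area, the inter-MSU call check (call site must be a recorded exit whose matched entry equals the call target), and the cheaper return check that only verifies the ret site is a legal exit. All addresses, MSU IDs and area sizes are hypothetical sample values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

typedef uintptr_t addr_t;
struct range { addr_t lo, hi; };          /* half-open [lo, hi) */

/* One row of the MSU control comparison table (constructed layout). */
struct msu_ctl {
    int id;
    struct range text, gdata, heap;       /* instruction, global data, heap areas */
    bool valid;                           /* valid/invalid bit */
    const addr_t *exits; int nexits;      /* exit address values: call/ret sites */
};
/* One row of the port matching table: an exit paired with its matching entry. */
struct port_match { int src_id; addr_t exit_addr; int dst_id; addr_t entry_addr; };

static const addr_t msu1_exits[] = { 0x10100, 0x10200 }; /* call site, ret site */
static const addr_t msu2_exits[] = { 0x20300 };          /* ret site */
static const struct msu_ctl ctl_table[] = {
    { 1, {0x10000, 0x11000}, {0x11000, 0x12000}, {0x12000, 0x13000}, true, msu1_exits, 2 },
    { 2, {0x20000, 0x21000}, {0x21000, 0x22000}, {0x22000, 0x22000}, true, msu2_exits, 1 },
};
static const struct port_match port_table[] = {
    { 1, 0x10100, 2, 0x20000 },   /* MSU 1 call site -> entry of an MSU 2 port function */
};
/* The stack lives in a shared data MSU; each MSU only owns the slice between the
 * current stack pointer and the stack bottom value it received on entry. */
static const struct range stack_area = { 0x70000, 0x80000 };

static const struct msu_ctl *find_msu(int id)
{
    for (size_t i = 0; i < sizeof ctl_table / sizeof ctl_table[0]; i++)
        if (ctl_table[i].id == id) return &ctl_table[i];
    return NULL;
}

/* True when [a, a+len) lies inside r; guards against wrap-around. */
static bool in_range(addr_t a, size_t len, struct range r)
{
    return a >= r.lo && a < r.hi && len <= r.hi - a;
}

/* Steps 1-4 for a data pointer access: allowed only inside the current MSU's
 * global data area, heap area, or its own slice of the stack area. */
bool check_data_access(int cur_id, addr_t stack_bottom, addr_t sp, addr_t addr, size_t len)
{
    const struct msu_ctl *m = find_msu(cur_id);
    if (!m || !m->valid) return false;
    if (in_range(addr, len, m->gdata) || in_range(addr, len, m->heap)) return true;
    if (sp < stack_area.lo || stack_bottom > stack_area.hi || sp > stack_bottom) return false;
    struct range mine = { sp, stack_bottom };
    return in_range(addr, len, mine);
}

/* Indirect transfer inside the MSU: the target must stay in its instruction area. */
bool check_indirect_jump(int cur_id, addr_t target)
{
    const struct msu_ctl *m = find_msu(cur_id);
    return m && m->valid && in_range(target, 1, m->text);
}

/* Inter-MSU call: the call site must be a recorded exit, and the call target must
 * equal the entry matched to that exit in the port matching table. */
bool check_inter_msu_call(int cur_id, addr_t call_addr, addr_t target)
{
    for (size_t i = 0; i < sizeof port_table / sizeof port_table[0]; i++) {
        const struct port_match *p = &port_table[i];
        if (p->src_id != cur_id || p->exit_addr != call_addr) continue;
        const struct msu_ctl *dst = find_msu(p->dst_id);
        return dst && dst->valid && p->entry_addr == target;
    }
    return false;   /* call site is not a recorded exit */
}

/* Inter-MSU return: only verify that the ret site is a legal exit of this MSU. */
bool check_inter_msu_return(int cur_id, addr_t ret_addr)
{
    const struct msu_ctl *m = find_msu(cur_id);
    if (!m || !m->valid) return false;
    for (int i = 0; i < m->nexits; i++)
        if (m->exits[i] == ret_addr) return true;
    return false;
}
```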
● Checks on non-transfer instructions and internal direct transfer instructions in an MSU:
For non-transfer instructions, compilation can determine that they lie within the region of the MSU they belong to; for internal direct transfer instructions, compilation can also ensure that their target addresses lie within the MSU's region. By setting the pages holding the instruction area to read-only, it is guaranteed that instructions are not changed at runtime. To improve execution efficiency, a preferred solution is to rely on the compilation stage to guarantee their correctness and not to check them again at runtime.
● Checks on IO instructions:
When generating assembly instructions from the syntax tree, judgment logic is added before every designated IO instruction: it judges whether the type of the current MSU is IO instruction MSU; if so, execution may continue; if not, an exception is reported.
This is required whether the IO instructions are generated from high-level code or are directly embedded assembly, ensuring that every IO instruction in the executable program is preceded by this check logic.
The IO instructions are special instructions that directly read from and write to peripherals; the IO instructions of CPUs of different architectures differ, and the actual instruction set prevails, e.g. the in and out instructions of the INTEL architecture.
The access control application approach for this way of producing the memory system device includes:
B1, compiling the source program containing MSUs, specifically including:
B1-1, extracting MSU information, specifically including:
B1-1-1: writing and compiling source programs containing MSU information:
● A way of expressing MSU information through added grammar rules
Grammar rules are added so that the MSU information of the program design is accurately retained at the programming stage. For compatibility, these rules add the following grammar rules on top of the C language:
Figure PCTCN2019086499-appb-000001
Figure PCTCN2019086499-appb-000002
Here the MSU type represents the attribute of the MSU: common_msu represents an ordinary MSU, check_msu a check MSU, terminal_msu a terminal MSU, nothing_msu an empty-port MSU, and share_msu a shared data MSU. When the MSU type is empty-port MSU, the access identifiers of functions need not be defined.
The MSU name represents the identification information of the MSU; the data and functions inside a pair of {} belong to the same MSU.
A function marked with the access identifier inner is an MSU empty-port function;
A function marked with the access identifier port is an MSU port function;
The valid/invalid bit records whether the MSU is available: 1 means valid, 0 means invalid.
Only data may be defined in a shared data MSU.
Pointer area type: a pointer marked data is a global data area pointer; a pointer marked stack is a stack area pointer; a pointer marked heap is a heap area pointer; if no pointer area type identifier precedes the pointer definition, the pointer defaults to a global data area pointer.
Through the added grammar rules, the compiler recognizes the MSU information retained in the program and saves it in the syntax tree for use by subsequent steps.
When performing syntax analysis, the compiler can use the above rules to identify the MSU-related information in the program, finally generating the syntax tree and saving the MSU information; compilation of the remaining syntax is the same as in existing technology.
B1-1-2: memory layout and addressing
Instructions and data belonging to the same MSU are page-aligned and separately densely linked; instructions are stored in the instruction area and data in the data area. All MSUs are uniformly addressed from the same base address within the same linear address space.
B1-1-3: extracting and saving MSU information:
In the compile-and-link stage, the following data is established for each MSU and stored in the MSU's data area:
the ID of the current MSU; the MSU control comparison table; the port matching table; a pointer variable pointing to the MSU control comparison table; a pointer variable pointing to the port matching table; a variable recording the address value of the bottom of the MSU stack.
The current MSU ID stores the ID value of the currently running MSU, and is used to find the information of the currently running MSU in the MSU control comparison table.
The MSU control comparison table contains the information of all MSUs, specifically: MSU ID number, MSU boundary information, attribute information, port information, and valid/invalid information. Preferably it also includes the type of user the MSU belongs to and the identification of that user. In the table:
The MSU ID number is generated from the distinct MSU names stored in the syntax tree;
The MSU boundary information includes: instruction area boundary information, global data area boundary information, and heap area boundary information. The instruction area boundary information and global data area boundary information can be determined by totalling the space occupied by the generated instructions and global data. For the heap area boundary information, since the size of the heap area to be established cannot be determined at compile time, an entry can be reserved in the comparison table and the information added at runtime when the heap area is needed;
The MSU attribute information can be set according to the MSU type information recorded in the syntax tree;
The MSU port information includes: MSU exit information and MSU entry information;
The exit information of an MSU includes: the ID of the MSU it belongs to, the exit number, and the exit address value, where the exit number is a unique number for each exit, and the exit address value is the address of the inter-MSU call/return instruction;
The entry information of an MSU includes: the ID of the MSU it belongs to, the entry number, and the entry address value, where the entry number is a unique number for each entry, and the entry address value is the address of the instruction following the inter-MSU call instruction, as well as the address of the first instruction of the port function;
The valid/invalid information is set from the valid/invalid flag recorded in the syntax tree node.
The port matching table is the set of calling relationships by which this MSU calls other MSUs. One of its entries includes: a pair of exit and entry having an inter-MSU calling relationship.
The pointer variable pointing to the MSU control comparison table is used to access the MSU control comparison table in the check instructions.
The pointer variable pointing to the port matching table is used to access the port matching table in the check instructions.
The variable recording the address value of the bottom of the MSU stack is used in the check instructions to control the access boundary of the current MSU's stack area. Its initial value is the stack bottom address value of the stack for the corresponding privilege level.
In the linear address space of each MSU data area, a space is reserved in a page-aligned manner, its size an integer multiple of the page size; the control comparison table is placed in it, no other data may be stored in it, and it is saved into the executable file.
B1-2, restricting the MSU syntax access rules:
The compiler analyzes the information recorded in the syntax tree and does not generate an executable program for code that does not comply with the MSU access rules; if it complies, it enters the subsequent process of generating assembly code and linking.
B1-3, generating instructions related to MSU access:
The generated inter-MSU call transfer instruction is: call target-address-value. In inter-MSU calls, indirect transfer through the call instruction is not allowed.
The generated inter-MSU return transfer instruction is: ret.
The instructions for accessing this MSU's global data and heap data are the same as those for accessing stack data.
B2, runtime-stage handling of MSU information
When a process is created, a separate page is requested for each MSU to load the above data used for boundary access control; according to the process's user ID and user role type, the MSU-owner user identification and user type information in the MSU attributes are set; nothing else may exist in the page. To keep the data secure, a preferred solution is to set the page to read-only after loading, to disable read-only when the data needs modification, and to set it back to read-only after the modification is complete.
When a process is created, the operating system allocates a stack area for the process. A preferred solution is to set the stack size to the size actually applicable rather than the size of the entire linear address space, and to set the boundary of the shared data MSU representing the stack equal to the boundary of the stack.
If, when the operating system loads the program, the memory allocation layout of the MSUs differs from the boundary access control data determined at compile and link time, that data must be changed to match the actual layout.
When a program in an MSU is executing and needs to request/release heap space, it enters the kernel through a dedicated system call; the dedicated program in the kernel requests/releases heap space for it and modifies the heap area boundary value in the MSU control comparison table accordingly.
When a program in an MSU is executing and needs to add/remove an MSU, it enters the kernel through a dedicated system call; the dedicated program in the kernel adds/removes the MSU for it and modifies the corresponding data used for boundary access control.
The above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention is included in its scope of protection.

Claims (14)

  1. A method, characterized in that: the power information and the code that maintains it are isolated from the rest of the software system to ensure the correctness of the power information, and checks are performed on the basis of the power information.
  2. The method according to claim 1, characterized in that the power information includes: user information and the user's read/write scope for files.
  3. The method according to any one of claims 1-2, characterized in that isolating the power information and the code that maintains it from the rest of the software system to ensure the correctness of the power information includes: in memory space, isolating the power information and the code that maintains it from the rest of the software system; and/or, during the computation and processing of any item of power information, no longer interacting with the outside.
  4. The method according to any one of claims 1-3, characterized in that performing power checks on the basis of the power information includes: during completion of a user-specified task, checking, at specified positions and according to the power information, the data processed by the software system.
  5. The method according to claim 4, characterized in that isolating, in memory space, the power information and the code that maintains it from the rest of the software system, these being called the power encapsulation and the other encapsulations respectively, includes: within the same linear address space, independently encapsulating the power information and the program that maintains it and storing them separately from the rest of the software's programs.
  6. The method according to claim 5, characterized in that the other encapsulations include a check encapsulation, the check encapsulation being a separate encapsulation of the program that performs the check function, which decides the subsequent execution of the program according to the result of the power check.
  7. The method according to any one of claims 5-6, characterized in that the encapsulations are implemented with MSUs, an MSU being a memory system unit.
  8. The method according to claim 3, characterized in that no longer interacting with the outside during the computation and processing of any item of power information includes: in the initialization stage, the boot program triggers execution of a dedicated power-information loading program that loads all power information into the power information MSU in one go; before shutdown, the kernel's general shutdown program triggers a dedicated power-information synchronization program that synchronizes all power information to the peripheral, ensuring that the power information stored on the peripheral is consistent with that in memory; if the power information MSU receives a create-file request, its internal file power information handler analyzes the file path and finally adds the file management structure information; if it receives a delete-file request, it analyzes the file path and finally deletes the file management structure information; if it receives a rename-file request, it analyzes the file path and finally changes the contents of the directory entry corresponding to the file name; if the power information MSU receives a write-file request, its internal data block handler finds the data block index information through the file management structure and adds the data block number to the index information management structure; if it receives a delete-logical-block request, it finds the data block index information through the file management structure and deletes the data block number from the index information management structure. The dedicated file management information handler and the dedicated data block handler in the MSU can complete the specified power information processing by themselves, without any external support.
  9. The method according to claim 4, characterized in that checking, during completion of a user-specified task, the data processed by the software system at specified positions according to the power information includes: encapsulating the programs unrelated to the power information and its maintenance code into separate ordinary MSUs; ordinary MSUs cannot call or return to one another directly but must first undergo a power check.
  10. The method according to claim 9, characterized in that: an ordinary MSU calls the power check MSU, the power check MSU then calls the power information MSU and passes the power-related data to the power information MSU for comparison, the power information MSU returns the check result to the power check MSU, and if the comparison result exceeds the range defined by the user's power information the exception handling flow is entered, otherwise the power check MSU calls the target ordinary MSU to execute; and/or, an ordinary MSU returns to the power check MSU, the power check MSU then calls the power information MSU and passes the power-related data to the power information MSU for comparison, it returns the check result to the power check MSU, and if the comparison result exceeds the range defined by the user's power information the exception handling flow is entered, otherwise the power check MSU returns to the original ordinary MSU to execute.
  11. A method, characterized in that the content of each MSU is ensured to have a single function.
  12. The method according to claim 11, characterized in that single function means ensuring that the content of each MSU can complete only a part of the functionality of the user-specified task, and that this part of the functionality cannot by itself achieve an exceeding of authority.
  13. An access control mechanism, characterized by using the method of any one of claims 1-12.
  14. A secure operating system, characterized by using the method of any one of claims 1-12.
PCT/CN2019/086499 2018-06-12 2019-05-11 A method and computing device for isolating power information and relying on it for power checks WO2019237867A1 (zh)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810599752.2 2018-06-12
CN201810599752.2A CN110598412B (zh) 2018-06-12 2018-06-12 Method and computing device for isolating power information and relying on it for power checks

Publications (1)

Publication Number Publication Date
WO2019237867A1 true WO2019237867A1 (zh) 2019-12-19

Family

ID=68841923

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/086499 WO2019237867A1 (zh) 2018-06-12 2019-05-11 A method and computing device for isolating power information and relying on it for power checks

Country Status (2)

Country Link
CN (1) CN110598412B (zh)
WO (1) WO2019237867A1 (zh)



Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1773413A (zh) * 2004-11-10 2006-05-17 中国人民解放军国防科学技术大学 Role-based permission assignment method
US20090319741A1 (en) * 2008-06-24 2009-12-24 Nagravision Sa Secure memory management system and method
CN101964068A (zh) * 2009-07-22 2011-02-02 深圳市江波龙电子有限公司 An SD card and its data access control method
CN102970414A (zh) * 2012-10-30 2013-03-13 广东欧珀移动通信有限公司 A mobile phone password protection method based on the Android system
CN103312801A (zh) * 2013-06-05 2013-09-18 上海西本网络科技有限公司 Application device, and method, system and server for data interaction between application devices
CN106295385A (zh) * 2015-05-29 2017-01-04 华为技术有限公司 A data protection method and device
CN106899563A (zh) * 2016-06-29 2017-06-27 阿里巴巴集团控股有限公司 Authentication method and device, authentication code generation method and device, and authentication system
CN106557699A (zh) * 2016-11-11 2017-04-05 大唐高鸿信安(浙江)信息科技有限公司 Operating system security enhancement system based on capability modules

Also Published As

Publication number Publication date
CN110598412A (zh) 2019-12-20
CN110598412B (zh) 2021-12-14

Similar Documents

Publication Publication Date Title
US11119949B2 (en) Apparatus and method for handling page protection faults in a computing system
CN110598405B (zh) A runtime access control method and computing device
CN109359487B (zh) A scalable secure shadow memory and tag management method based on hardware isolation
US7272832B2 (en) Method of protecting user process data in a secure platform inaccessible to the operating system and other tasks on top of the secure platform
US8352797B2 (en) Software fault isolation using byte-granularity memory protection
Volckaert et al. Cloning your gadgets: Complete ROP attack immunity with multi-variant execution
JP4759059B2 (ja) Page coloring that associates memory pages with programs
US20070006175A1 (en) Intra-partitioning of software components within an execution environment
US9189620B2 (en) Protecting a software component using a transition point wrapper
CN105190570A (zh) Memory introspection engine for integrity protection of virtual machines
CN102930185A (zh) Method and device for integrity verification of security-critical data of a running program
US20090172346A1 (en) Transitioning between software component partitions using a page table pointer target list
US20220366037A1 (en) Domain transition disable configuration parameter
KR20230017832A (ko) Tag checking device and method
CN115510430A (zh) A method and device for identifying and protecting function pointers and their data dependencies
WO2023093385A1 (zh) A method for protecting general-purpose memory integrity based on the CET mechanism
WO2019237867A1 (zh) A method and computing device for isolating power information and relying on it to perform power checks
WO2019237864A1 (zh) A secure user architecture and permission control method
US11055202B1 (en) Compilation scheme for tagged global variables
CN110162965B (zh) A runtime access control method and computing device
CN118069403B (zh) A method for handling abnormal instructions
US12067400B2 (en) Intermodal calling branch instruction
CN118093202A (zh) A method for handling memory access exceptions, computing device, storage medium and program product

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19819730

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19819730

Country of ref document: EP

Kind code of ref document: A1