WO2021102729A1 - Memory access method, microprocessor, client, and computer storage medium - Google Patents

Memory access method, microprocessor, client, and computer storage medium

Info

Publication number
WO2021102729A1
Authority
WO
WIPO (PCT)
Prior art keywords
memory
access
address
request
attribute
Application number
PCT/CN2019/121216
Other languages
English (en)
Chinese (zh)
Inventor
陈星�
房玲江
Original Assignee
深圳市大疆创新科技有限公司
Application filed by 深圳市大疆创新科技有限公司
Priority to CN201980039310.5A (CN112384923A)
Priority to PCT/CN2019/121216 (WO2021102729A1)
Publication of WO2021102729A1

Classifications

    • G - PHYSICS
    • G06 - COMPUTING; CALCULATING OR COUNTING
    • G06F - ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 - Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 - Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Definitions

  • The embodiments of the present invention relate to the field of communication technology, and in particular to a memory access method, a microprocessor, a client, and a computer storage medium.
  • Memory protection is a necessary security measure.
  • The memory access methods in the prior art each have advantages and disadvantages: some are easily restricted by hardware structures such as the microprocessor, some are complicated to operate and tend to reduce system efficiency, and some can only provide protection without providing a means of detection.
  • The embodiments of the present invention provide a memory access method, a microprocessor, a client, and a computer storage medium, which can prevent the memory from being accidentally accessed or modified and can also detect abnormal operations in the protected area in real time, thereby improving the security of memory access.
  • The first aspect of the present invention provides a memory access method, including:
  • A memory protection unit is used to adjust the memory attribute of the memory area to an access permitted state.
  • The second aspect of the present invention provides a microprocessor, including:
  • A memory, used to store a computer program;
  • A processor, configured to run the computer program stored in the memory to implement:
  • A memory protection unit is used to adjust the memory attribute of the memory area to an access permitted state.
  • The third aspect of the present invention provides a memory access method, including:
  • The fourth aspect of the present invention provides a client, including:
  • A memory, used to store a computer program;
  • A processor, configured to run the computer program stored in the memory to implement:
  • The fifth aspect of the present invention provides a computer-readable storage medium that stores program instructions, the program instructions being used for the memory access method of the first aspect.
  • The sixth aspect of the present invention provides a computer-readable storage medium that stores program instructions, the program instructions being used for the memory access method of the third aspect.
  • The memory access method, the microprocessor, the client, and the computer storage medium provided by the embodiments of the present invention obtain the memory access request and determine the memory area and the standard key corresponding to the address to be accessed.
  • The memory protection unit is used to adjust the memory attribute of the memory area to the access permitted state.
  • Using the memory protection unit to adjust the memory access state based on the key not only prevents the memory from being accessed or modified accidentally but also protects the memory effectively, thereby ensuring the safety and reliability of memory access and effectively improving the practicability of the method.
  • FIG. 1 is a schematic diagram of the upper and lower bound protection method provided by the prior art.
  • FIG. 2 is a schematic diagram of a process stack protection method provided by the prior art.
  • FIG. 3 is a first schematic flowchart of a memory access method provided by an embodiment of the present invention.
  • FIG. 4 is a second schematic flowchart of a memory access method provided by an embodiment of the present invention.
  • FIG. 5 is a third schematic flowchart of a memory access method provided by an embodiment of the present invention.
  • FIG. 6 is a fourth schematic flowchart of a memory access method provided by an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of a process of identifying illegal users who access the memory area according to an embodiment of the present invention.
  • FIG. 8 is a fifth schematic flowchart of a memory access method provided by an embodiment of the present invention.
  • FIG. 9 is a sixth schematic flowchart of a memory access method provided by an embodiment of the present invention.
  • FIG. 10 is a first schematic flowchart of another memory access method according to an embodiment of the present invention.
  • FIG. 11 is a second schematic flowchart of another memory access method provided by an embodiment of the present invention.
  • FIG. 12 is a first schematic flowchart of a memory access method provided by an application embodiment of the present invention.
  • FIG. 13 is a first schematic diagram of a memory access method provided by an application embodiment of the present invention.
  • FIG. 14 is a second schematic flowchart of a memory access method provided by an application embodiment of the present invention.
  • FIG. 15 is a second schematic diagram of a memory access method provided by an application embodiment of the present invention.
  • FIG. 16 is a schematic structural diagram of a microprocessor provided by an embodiment of the present invention.
  • FIG. 17 is a schematic structural diagram of a client provided by an embodiment of the present invention.
  • Memory protection is an enduring topic. Every type of memory protection method has its own advantages and disadvantages: some are limited by the hardware structure of the microprocessor; some involve protection procedures that are complicated to operate, which reduces the efficiency of data processing; and some can only provide protection but cannot detect abnormal access.
  • Microprocessors can include high-end microprocessors and low-end microprocessors.
  • A high-end microprocessor contains a memory management unit (MMU), which is used to implement virtual memory management, so that memory addresses are divided into virtual addresses and physical addresses. What the user can see is the virtual address, and the virtual address is isolated from the actual physical address, which achieves the purpose of memory protection.
  • The memory protection unit (MPU) is a hardware structure that works in units of regions and provides attribute settings for memory regions.
  • An MPU can have 8 or more areas. Each area is configured with a memory area and memory attributes, where the memory attributes include read and write (whether the area can be read and written), execution (whether the area can be directly accessed and executed), cache, and write cache.
  • Different areas are allowed to overlap when the memory areas are set, and different areas can have different priorities.
  • The attributes of a high-priority area override the attributes set for a low-priority area.
  • When the attributes of a memory operation differ from the attributes set for the area, a hardware abnormal operation is generated immediately and the microprocessor is notified. The read and write attribute settings can therefore be used to protect the memory, and the abnormal operation can be used to discover illegal memory operations.
  • Two memory protection methods can be used.
  • One method uses only software processing algorithms to protect memory, without an MPU, such as the upper and lower bound protection method; the other method uses MPU-based protection, such as a process stack protection method combined with an operating system (OS for short).
  • The upper and lower bound protection method works as follows: upper and lower bound registers are preset to store the start address and end address of the memory used by the program being executed, and during execution every memory operation is checked by a unified software processing algorithm to determine whether the accessed address is within the upper and lower bounds. If it is not, the current access is determined to be illegal; otherwise, it is legal. Referring to Figure 1, the memory access addresses of "1#" and "3#" exceed the upper and lower bound addresses defined by the memory area, so the memory access operations of "1#" and "3#" can be determined to be illegal operations; the memory access address of "2#" meets the address requirements, so that access can succeed.
  • The process stack protection method is a stack memory protection method that combines the operating system (OS) with hardware. It protects the stack memory of the currently running process from the stack memory of other processes, effectively prevents stack overflow, and protects the space within the stack. As shown in Figure 2, its implementation principle is as follows:
  • A memory space is allocated in advance as the stack background space of the process stack, and the stacks of all processes are allocated in this space.
  • The stack space of the process to be started is set to be readable and non-executable using the high-priority area (process area) of the MPU.
  • Because the high priority of the MPU overrides the low priority, only the stack space of the started process can be read and written, while the stacks of other processes cannot be read or written. This protects the other process stacks and prevents them from being modified by stack overflow or abnormal pointers.
  • The protection measures at the software level are based on checking the access address (for example, the upper and lower bound protection method), so memory must be accessed through a fixed software channel. When an abnormal access in the system does not pass through that fixed memory channel, the protection measures are ineffective. A widespread example is abnormal pointer memory access: when the abnormal pointer points to the protected area, the area is not protected because the access does not pass through the fixed memory channel.
  • The above-mentioned memory protection methods are basically process-based, and there are no effective measures for protection inside a process.
  • The above-mentioned memory protection is a protection method for a single process or a single user, and it is difficult to realize memory sharing and shared protection among multiple users.
  • Figure 3 is a schematic flowchart of a memory access method provided by an embodiment of the present invention. Referring to Figure 3, in order to solve the above problems, this embodiment provides a memory access method that can prevent the memory from being accessed or modified accidentally and can also detect abnormal operations in the protected area in real time, thereby improving the security of memory access.
  • The execution subject of the memory access method may be a microprocessor, which may be a low-end microprocessor, and the microprocessor may be implemented as software or as a combination of software and hardware.
  • the method may include:
  • S101 Acquire a memory access request, where the memory access request includes an address to be accessed and an access key.
  • the memory access request may be sent by the first virtual user.
  • The first virtual user can take any of the following forms: a process, a software module running independently on the central processing unit, an application, a terminal device, and so on, and the number of first virtual users can be one or more. It is understandable that the first virtual user may take different forms in different application scenarios.
  • The microprocessor can obtain the memory access request.
  • The memory access request includes the address to be accessed and the access key, where the access key is used to perform the memory access operation on the address to be accessed.
  • S102 Determine the memory area and the standard key corresponding to the address to be accessed.
  • The address to be accessed can be analyzed and processed to determine the memory area and the standard key corresponding to the address to be accessed.
  • The specific implementation of determining the memory area and the standard key corresponding to the address to be accessed is not limited, and those skilled in the art can set it according to specific application scenarios and application requirements; for example, the address identification information corresponding to the address to be accessed is obtained, and the memory area and the standard key corresponding to the address to be accessed are determined according to the address identification information.
  • The standard key is used to verify the validity of the memory access request: when the standard key matches the access key included in the memory access request, the memory access request is determined to be a legitimate request; when the standard key does not match the access key included in the memory access request, the memory access request is determined to be an illegal request.
  • the memory protection unit is used to adjust the memory attribute of the memory area to an access permitted state.
  • the allowed access state includes: a state in which the first virtual user is allowed to perform a corresponding data processing operation with respect to the memory area.
  • other virtual users associated with the first virtual user identity may be allowed to access the memory area and perform corresponding data processing operations.
  • The memory protection unit can be used to adjust the memory attribute of the memory area to the access permitted state, where the memory attribute can include at least one of the following: read and write attributes, address execution attributes, and cache attributes, so that the first virtual user can perform the data processing operation corresponding to the memory access request on the memory area. The memory protection unit in this embodiment can be integrated in the microprocessor.
  • the memory attribute of the memory area is in the access prohibited state.
  • the memory access request is a read and write request sent for the first address
  • the first access secret included in the read and write request can be obtained.
  • The memory protection unit is used to adjust the read and write attributes of the memory area to a permitted state, so that the first virtual user performs the data read and write operations corresponding to the read and write request on the memory area.
  • the memory access request is an address execution request sent for the second address
  • the second access key included in the address execution request may be obtained, and the standard key corresponding to the second address may be determined.
  • The memory protection unit is used to adjust the address execution attribute of the memory area to the allowed state, so that the first virtual user performs the address execution operation corresponding to the address execution request on the memory area.
  • The memory access method provided in this embodiment obtains the memory access request, determines the memory area and the standard key corresponding to the address to be accessed, and, when the access key matches the standard key, uses the memory protection unit to adjust the memory attribute of the memory area to the access permitted state. Adjusting the memory access state with the memory protection unit on the basis of the key not only prevents the memory from being accidentally accessed or modified but also protects the memory effectively, thereby ensuring the safety and reliability of memory access and effectively improving the practicability of the method.
  • Fig. 4 is a schematic flow chart of another memory access method provided by an embodiment of the present invention. On the basis of the above embodiment, referring to Fig. 4, before the memory access request is acquired, the method in this embodiment may further include:
  • S201 Acquire a memory protection request sent by a second virtual user, where the memory protection request includes address information to be protected.
  • the second virtual user can be any of the following manifestations: a process, a software module running independently on the central processing unit, an application program, etc., and the number of the second virtual user can be one or more. It is understood that in different application scenarios, the second virtual user may have different manifestations. In a specific application scenario, the second virtual user may be the same as or different from the first virtual user.
  • the second virtual user can send a memory protection request to the microprocessor.
  • the memory protection request may include the address information to be protected.
  • The address information may include one of the following: address information of the process stack, address information of the non-process stack; wherein the memory area corresponding to the address information of the non-process stack is used to store at least one of the following: authentication information, device information, configuration information, operation information, and status information.
  • S202 Allocate a corresponding memory area for the address information according to the memory protection request.
  • a corresponding memory area can be allocated to the address information to be protected based on the memory protection request.
  • The memory area may correspond to memory attributes, and the memory attributes may include at least one of the following: read and write attributes, address execution attributes, cache attributes, etc.
  • S203 Use the memory protection unit to adjust the memory attribute of the memory area to the access prohibited state.
  • The memory protection unit can be used to adjust the memory attribute of the memory area to the access prohibited state. After the memory attribute of the memory area has been adjusted to the access prohibited state, no user can access the memory area; for example, a user cannot perform data read and write operations, data caching operations, or address execution operations. The memory area is thus effectively protected.
  • S204 Generate key information corresponding to the address information, and send the key information to the second virtual user.
  • The key information corresponding to the address information can be generated; specifically, a secret key corresponding to the address information can be generated.
  • Generating the key information can include:
  • S2041 Use a random number generator to generate random key information corresponding to the address information.
  • A random number generator is preset, and it can be integrated in the microprocessor. After the memory attribute of the memory area of the address information is adjusted to the access prohibited state, the random number generator can be used to generate random key information corresponding to the address information. Because the random key information is generated by the random number generator, the key information corresponding to the address information is not fixed, which further ensures the strength of the protection of the memory area.
  • the key information can be sent to the second virtual user, so that the second virtual user can implement a legal access operation to the memory area based on the key information.
  • the corresponding relationship between the key information and the address information can be shared with other virtual users.
  • the second virtual user can share the corresponding relationship between the key information and the address information.
  • the corresponding relationship between the key information and the address information is shared with the first virtual user, so that the first virtual user can perform a legal access operation to the memory area based on the shared key information.
  • the first virtual user may send a memory access request to the microprocessor, and the memory access request includes an access key.
  • The access key of the first virtual user may be the key information that the second virtual user shared with the first virtual user.
  • the first virtual user effectively realizes the legal access operation to the memory area based on the key information shared by the second virtual user under the authorization of the second virtual user.
  • the microprocessor can recognize that the virtual user is an illegal user, so that illegal access operations to the memory area can be discovered.
  • The corresponding memory area is allocated to the address information according to the memory protection request, the memory attribute of the memory area is adjusted to the access prohibited state by the memory protection unit, and the key information corresponding to the address information is sent to the second virtual user. This effectively protects the memory area corresponding to the address information to be protected and enables the second virtual user to perform legal access operations on the memory area based on the key information, which effectively prevents the memory from being accessed or modified accidentally. In addition, abnormal access operations in the protected area can be found in real time, that is, illegal access operations by virtual users can be detected, thereby improving the security of memory access.
  • This embodiment does not limit the specific implementation of obtaining the memory access request; those skilled in the art can make settings according to specific application requirements and design requirements. Preferably, acquiring the memory access request in this embodiment includes:
  • S1011 Obtain a memory access request sent by the first virtual user through the memory access channel.
  • the memory access channel can be a pre-configured legal access channel corresponding to the address information.
  • The first virtual user can send the memory access request through the memory access channel corresponding to the address information, so that the microprocessor can obtain the memory access request sent by the first virtual user through the memory access channel, thereby effectively ensuring the legitimacy of the memory access request.
  • Fig. 5 is a schematic flow chart of another memory access method provided by an embodiment of the present invention. On the basis of the above-mentioned embodiment, referring to Fig. 5, before the memory access request sent by the first virtual user through the memory access channel is acquired, the method in this embodiment may further include:
  • S301 Assign a corresponding memory access channel to the address information according to the memory protection request.
  • S302 Send the memory access channel to the second virtual user.
  • The corresponding memory access channel can be assigned to the address information in the memory protection request. Different address information can correspond to the same or different memory access channels. The memory access channel is then sent to the second virtual user, so that the second virtual user can legally access the memory area through the memory access channel.
  • the corresponding relationship between the memory access channel and the address information can be shared with other virtual users.
  • The second virtual user can share the correspondence between the memory access channel and the address information with the first virtual user, so that the first virtual user can perform a legal access operation on the memory area based on the shared memory access channel.
  • the first virtual user can send a memory access request to the microprocessor based on the address information through the memory access channel.
  • The memory access channel of the first virtual user is the memory access channel that the second virtual user shared with the first virtual user, so the first virtual user can perform a legal access operation on the memory area based on the memory access channel shared by the second virtual user.
  • When the second virtual user accesses the memory area, it must use the key information and the memory access channel corresponding to the address information, and a legal access operation on the memory area is possible only after both the memory access channel and the key information pass verification.
  • If the key information fails the verification while the memory access channel passes the verification, or the memory access channel fails the verification while the key information passes the verification, the second virtual user cannot perform a legal access operation on the memory area.
  • Sending the memory access channel to the second virtual user effectively increases the strength of protection of the memory area corresponding to the address information to be protected, so that the second virtual user can perform legal access operations on the memory area based on the memory access channel. This effectively prevents the memory from being accessed or modified accidentally, and abnormal access operations in the protected area can be discovered in real time, that is, illegal access operations of virtual users can be detected, which improves the security of access to the memory.
  • the method in this embodiment may further include:
  • S205 Store the key information in a preset area.
  • the preset area may include an area in the memory area that is located before the address information; or, the preset area may be adjacent to the memory area.
  • the preset area is A0-A10, where the A0 area is the area before the address information.
  • the key information can be stored in the A0 area.
  • the preset area is A, and the area adjacent to the preset area A includes the area B and the area C. After the key information is obtained, the key information may be stored in the area B or the area C.
  • Fig. 6 is a fourth flowchart of a memory access method provided by an embodiment of the present invention; on the basis of any of the foregoing embodiments, referring to Fig. 6, the method in this embodiment may further include:
  • S402 Generate illegal access information corresponding to the illegal access user.
  • the virtual user who accesses the memory area can be a legal user or an illegal user.
  • A legal user is a virtual user whose access key in the sent memory access request matches the standard key and whose access channel matches the preset memory access channel; an illegal access user is a virtual user whose access key in the sent memory access request does not match the standard key, and/or whose access channel does not match the preset memory access channel.
  • a way to realize the identification of users who illegally access the memory area may include:
  • The access key included in the memory access request can be obtained and then compared with the standard key. If the keys do not match, the access key sent by the first virtual user is different from the preset standard key, and the first virtual user can be determined to be an illegal access user.
  • This embodiment also provides another way to identify users who have illegally accessed the memory area. Specifically, it includes:
  • S501 Use the memory protection unit to identify an access channel through which the first virtual user sends a memory access request.
  • The memory protection unit can be used to identify the access channel through which the first virtual user sends the memory access request, and the access channel is then compared with the preset memory access channel.
  • When the access channel does not match the memory access channel, the access channel of the memory access request sent by the first virtual user is different from the preset memory access channel, and the first virtual user can be determined to be an illegal access user.
  • When the access channel matches the memory access channel, the access key included in the memory access request can be obtained and then compared with the standard key. If they match, the access key sent by the first virtual user is the same as the preset standard key, and the first virtual user can be determined to be a legitimate access user.
  • The illegal access information corresponding to the illegal access user can be generated. The illegal access information can include the user ID of the illegal access user, the access record, the access time, and so on. The generated illegal access information can be used to prompt the user, so that the user learns of abnormal access operations in the microprocessor in time. This effectively prevents the memory from being accidentally accessed or modified, and abnormal operations in the protected area can be found in real time, which further improves the quality and effect of protecting the memory area.
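  • The protect-then-access flow described above (S201-S204, S301-S302, S101, S102, S501 and S402), as an added C example that is not part of the patent text. The MPU is simulated by a region table; `hw_rng32`, `mem_protect`, `mem_access`, the channel numbering and the sample address range are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified memory attribute flags of a simulated MPU region. */
enum { ATTR_NONE = 0, ATTR_READ = 1, ATTR_WRITE = 2, ATTR_EXEC = 4 };
/* Outcome of a memory access request. */
enum { ACC_OK = 0, ACC_NO_REGION = -1, ACC_BAD_CHANNEL = -2, ACC_BAD_KEY = -3 };

#define MAX_REGIONS 8
#define MAX_LOG 16

struct region {
    uint32_t base, size; /* protected address range */
    unsigned attr;       /* current attribute; ATTR_NONE = access prohibited */
    uint32_t std_key;    /* standard key generated for this range */
    uint32_t channel;    /* legal memory access channel for this range */
};
struct illegal_rec { uint32_t user, addr; int reason; };

static struct region regions[MAX_REGIONS];
static int n_regions;
static struct illegal_rec illegal_log[MAX_LOG];
static int n_illegal;

/* Hypothetical stand-in for the on-chip random number generator.
 * xorshift32 is NOT cryptographically secure; a real part would use
 * its hardware generator here. */
static uint32_t rng_state = 0x9E3779B9u;
static uint32_t hw_rng32(void)
{
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* S201-S204, S301-S302: allocate a region for the range to protect, lock it,
 * and hand the key and channel back to the requesting (second) virtual user.
 * Returns the region index, or -1 if the request cannot be served. */
int mem_protect(uint32_t base, uint32_t size, uint32_t *key, uint32_t *channel)
{
    if (n_regions == MAX_REGIONS || size == 0 || size - 1 > UINT32_MAX - base)
        return -1;
    struct region *r = &regions[n_regions];
    r->base = base;
    r->size = size;
    r->attr = ATTR_NONE;                   /* S203: access prohibited */
    r->std_key = hw_rng32();               /* S2041: random key */
    r->channel = (uint32_t)n_regions + 1u; /* S301: assumed numbering */
    *key = r->std_key;                     /* S204 */
    *channel = r->channel;                 /* S302 */
    return n_regions++;
}

static struct region *find_region(uint32_t addr)
{
    for (int i = 0; i < n_regions; i++)
        if (addr - regions[i].base < regions[i].size) /* unsigned range test */
            return &regions[i];
    return NULL;
}

/* S402: record the illegal access (user, address, reason) and reject it. */
static int reject(uint32_t user, uint32_t addr, int reason)
{
    if (n_illegal < MAX_LOG)
        illegal_log[n_illegal++] = (struct illegal_rec){ user, addr, reason };
    return reason;
}

/* S101-S102 with the channel check of S501: the attribute is opened only
 * when both the channel and the key match what was issued for the region. */
int mem_access(uint32_t user, uint32_t channel, uint32_t addr,
               uint32_t key, unsigned want)
{
    struct region *r = find_region(addr);
    if (!r)
        return ACC_NO_REGION;           /* address is not under protection */
    if (channel != r->channel)
        return reject(user, addr, ACC_BAD_CHANNEL);
    if (key != r->std_key)
        return reject(user, addr, ACC_BAD_KEY);
    r->attr |= want;                    /* adjust to access permitted state */
    return ACC_OK;
}

int main(void)
{
    uint32_t key, chan;
    /* Constructed sample range: 256 bytes at 0x20001000. */
    int idx = mem_protect(0x20001000u, 0x100u, &key, &chan);
    int bad_key = mem_access(2, chan, 0x20001010u, key ^ 1u, ATTR_READ);
    int bad_chan = mem_access(3, chan + 7u, 0x20001010u, key, ATTR_READ);
    int ok = mem_access(1, chan, 0x20001010u, key, ATTR_READ | ATTR_WRITE);
    printf("region %d: bad_key=%d bad_chan=%d ok=%d attr=%u\n",
           idx, bad_key, bad_chan, ok, regions[idx].attr);
    for (int i = 0; i < n_illegal; i++)
        printf("illegal access: user=%u addr=0x%08x reason=%d\n",
               (unsigned)illegal_log[i].user, (unsigned)illegal_log[i].addr,
               illegal_log[i].reason);
    return 0;
}
```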
  • FIG. 8 is a fifth schematic flowchart of a memory access method provided by an embodiment of the present invention. On the basis of any one of the above embodiments, referring to FIG. 8, the memory protection request includes a first request and a second request, where the first request includes the first access address and the second request includes the second access address.
  • the memory area and the memory attributes corresponding to the memory area can include:
  • S601 Allocate a first memory area corresponding to the first access address and a first memory attribute corresponding to the first memory area according to the first request.
  • S602 Allocate a second memory area corresponding to the second access address and a second memory attribute corresponding to the second memory area according to the second request.
  • S603 Acquire the first attribute priority of the first memory area and the second attribute priority of the second memory area.
  • S604 Determine the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority.
  • the first request and the second request may be sent to the microprocessor by two different virtual users.
  • the microprocessor receives the first request and the second request.
  • the first memory area corresponding to the first access address can be allocated according to the first request, and the first memory area can correspond to the first memory attribute.
  • the second memory area corresponding to the second access address can be allocated according to the second request, and the second memory area can correspond to the second memory attribute. Since there are overlapping addresses between the first access address and the second access address to be protected, there will be an overlapping area between the first memory area allocated for the first access address and the second memory area allocated for the second access address.
  • determining the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority may include:
  • the higher attribute priority can be determined, and then the overlapping memory attribute of the overlapping address is determined to be consistent with the higher attribute priority.
  • when the first attribute priority is higher than the second attribute priority, the overlapping memory attribute of the overlapping address is determined as the first memory attribute; or, when the first attribute priority is lower than the second attribute priority, the overlapping memory attribute of the overlapping address is determined as the second memory attribute.
  • the first access address included in the first request is: 192.168.1.1-192.168.1.154
  • the second access address included in the second request is: 192.168.1.100-192.168.1.254
  • the overlapping address between the first access address and the second access address is: 192.168.1.100-192.168.1.154.
  • the first memory area allocated to the first access address is area A
  • the second memory area allocated to the second access address is area B.
  • the overlap area C is used to store the above-mentioned overlapping addresses; at this time, all areas composed of area A and area B can be divided into three parts: area A1 for storing the non-overlapping address part of the first access address, the overlapping area C, and area B1 for storing the non-overlapping address part of the second access address, where area A1 and the overlapping area C constitute area A, and area B1 and the overlapping area C constitute area B.
  • the memory attribute of area A1 conforms to the first attribute priority
  • the memory attribute of area B1 conforms to the second attribute priority
  • the first attribute priority corresponds to the first request
  • the priority of the second attribute corresponds to the second request.
  • the memory attribute of the overlapping area C conforms to the attribute information with the higher priority among the first attribute priority and the second attribute priority, so that virtual users with high priority can access the overlapping area, while virtual users with low priority cannot access the overlapping area. In this way, different memory protection strategies can be set for virtual users of different priority levels, which further improves the flexibility and reliability of the use of memory protection methods.
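The split into area A1, overlap area C and area B1 described above (S601 to S604) can be sketched in C. This is an added example, not code from the patent; it also covers a range nested inside the other and disjoint ranges, which goes beyond the single case in the text. Assumptions: the names `region_t`, `resolve_overlap` and `may_access`, the `owner` field, a larger-number-wins priority scale, the tie rule, the owner-only access check, and plain integers 1-154 and 100-254 standing in for the page's 192.168.1.1-192.168.1.154 and 192.168.1.100-192.168.1.254.

```c
#include <stdio.h>
#include <stdint.h>

/* Memory attributes the page names: read/write, address execution, cache. */
enum { ATTR_READ = 1u, ATTR_WRITE = 2u, ATTR_EXEC = 4u, ATTR_CACHE = 8u };

/* One allocated memory area (S601/S602). Address bounds are inclusive. */
typedef struct {
    uint32_t start, end;
    int owner;        /* virtual user that sent the request (hypothetical field) */
    unsigned attr;    /* memory attribute of the area */
    int priority;     /* attribute priority; larger value wins (assumption) */
} region_t;

/*
 * S603/S604: split two areas into non-overlapping segments, ascending by
 * address, and give the overlap the owner and attribute of the area with the
 * higher attribute priority. Equal priorities favour the first request
 * (assumption; the page does not cover ties).
 * Returns the number of segments written to out[] (1..3), or -1 on bad input.
 */
int resolve_overlap(const region_t *a, const region_t *b, region_t out[3])
{
    int n = 0;
    if (a->start > a->end || b->start > b->end)
        return -1;
    if (a->start > b->end || b->start > a->end) {     /* no overlapping address */
        out[0] = (a->start < b->start) ? *a : *b;
        out[1] = (a->start < b->start) ? *b : *a;
        return 2;
    }
    uint32_t os = (a->start > b->start) ? a->start : b->start;  /* overlap start */
    uint32_t oe = (a->end < b->end) ? a->end : b->end;          /* overlap end */
    const region_t *win = (b->priority > a->priority) ? b : a;

    if (a->start != b->start) {                       /* lower part (A1 on the page) */
        out[n] = (a->start < b->start) ? *a : *b;
        out[n++].end = os - 1;
    }
    out[n] = *win;                                    /* overlap area C */
    out[n].start = os;
    out[n++].end = oe;
    if (a->end != b->end) {                           /* upper part (B1 on the page) */
        out[n] = (a->end > b->end) ? *a : *b;
        out[n++].start = oe + 1;
    }
    return n;
}

/* Returns 1 if `user` may perform `want` at `addr`, else 0.
 * Only the owner of the segment qualifies (assumption). */
int may_access(const region_t *segs, int n, uint32_t addr, int user, unsigned want)
{
    for (int i = 0; i < n; i++)
        if (addr >= segs[i].start && addr <= segs[i].end)
            return segs[i].owner == user && (segs[i].attr & want) == want;
    return 0;
}

int main(void)
{
    /* Constructed input mirroring the page's ranges 1-154 and 100-254. */
    region_t first  = { 1,   154, 1, ATTR_READ | ATTR_WRITE, 2 };
    region_t second = { 100, 254, 2, ATTR_READ,              1 };
    region_t segs[3];
    int n = resolve_overlap(&first, &second, segs);
    for (int i = 0; i < n; i++)
        printf("%u-%u owner=%d attr=0x%x\n", (unsigned)segs[i].start,
               (unsigned)segs[i].end, segs[i].owner, segs[i].attr);
    printf("user 2 read at 120: %d\n", may_access(segs, n, 120, 2, ATTR_READ));
    return 0;
}
```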
  • FIG. 9 is a sixth flowchart of a memory access method provided by an embodiment of the present invention.
  • the memory protection request includes a first request and a second request.
  • The first request includes the first access address and the identity of the first virtual user, and the second request includes the second access address and the identity of the second virtual user; in this case, generating the key information corresponding to the address information in this embodiment can include:
  • S701 Determine the first access priority corresponding to the first access address according to the identity of the first virtual user, and determine the second access priority corresponding to the second access address according to the identity of the second virtual user.
  • S702 Generate first key information corresponding to the first access address, where the first key information meets the first access priority.
  • S703 Generate second key information corresponding to the second access address, where the second key information meets the second access priority.
  • the first request and the second request may be sent to the microprocessor by the first virtual user and the second virtual user, respectively.
  • the identity of the first virtual user included in the first request can be identified, and then the first access priority corresponding to the first access address can be determined according to the identity of the first virtual user
  • the identity of the second virtual user included in the second request can be identified, and then the second access priority corresponding to the second access address can be determined according to the identity of the second virtual user.
  • the first key information corresponding to the first access address can be directly generated, and the first key information meets the first access priority; and the second key information corresponding to the second access address is generated, and the second key information satisfies the second access priority.
  • When there is an overlap address between the first access address and the second access address, the overlapped address will correspond to both the first key information that meets the first access priority and the second key information that meets the second access priority. At this time, the key information with higher access priority will overwrite the key information with lower access priority.
  • For example, when the overlapping area corresponds to the first key information with higher access priority and the second key information with lower access priority, the key information corresponding to the overlapping area is the first key information, so that virtual users with high priority can access the overlapped area, while virtual users with low priority cannot access the overlapped area. This realizes setting different memory protection strategies for virtual users of different priority levels, and further improves the flexibility and reliability of the memory protection method.
  • Figure 10 is a schematic flowchart of another memory access method provided by an embodiment of the present invention. Referring to Figure 10, in order to solve the above problem, this embodiment provides a memory access method that can not only prevent the memory from being accidentally accessed or modified, but also discover abnormal operation of the protected area in real time, thereby improving the security of memory access.
  • the execution subject of the memory access method may be a client. It is understandable that the client may be implemented as software or a combination of software and hardware. Specifically, the method may include:
  • S801 Send a memory protection request to the microprocessor, where the memory protection request includes address information to be protected.
  • S802 Receive the key information and the memory access channel sent by the microprocessor according to the memory protection request, where the key information corresponds to the address information.
  • a memory protection request for the address information to be protected can be generated and then sent to the microprocessor, so that the microprocessor can, based on the memory protection request, allocate a memory area corresponding to the address information to be protected and perform a memory protection operation on the memory area. The microprocessor can then return the key information and the memory access channel corresponding to the address information to be protected, so that the client receives the key information and the memory access channel corresponding to the memory protection request.
  • the key information and memory access channel correspond to the address information to be protected, so that the client can perform legitimate data access operations through the memory access channel and the key information.
  • In the memory access method, by sending a memory protection request to the microprocessor and receiving the key information and memory access channel sent by the microprocessor according to the memory protection request, the client can perform legitimate data access operations based on the memory access channel and the key information, which further prevents the memory from being accessed or modified accidentally, thereby improving the security of memory access and effectively ensuring the practicability of the memory access method.
  • the method in this embodiment may further include:
  • S901 Share the key information and address information with other clients, so that other clients perform corresponding data access operations on the memory area corresponding to the address information.
  • the key information and address information can be shared with other clients, so that other clients can, under the authorization of the client, perform the corresponding data access operation on the memory area corresponding to the address information. A client with legal authority can thus perform the corresponding data access operation on the memory area, while a client without legal authority cannot, which further prevents the memory from being accessed or modified accidentally and improves the quality and effect of protecting memory access.
  • FIG. 11 is a second schematic flowchart of another memory access method provided by an embodiment of the present invention. On the basis of the foregoing embodiment, referring to FIG. 11, the method in this embodiment may further include:
  • S1001 Send a memory access request to the microprocessor based on the memory access channel.
  • the memory access request includes the address to be accessed and the access key, so that the microprocessor can, according to the access key, adjust the memory attributes of the memory area corresponding to the address to be accessed to the allowed access state.
  • S1002 Perform a data processing operation corresponding to the memory access request for the memory area.
  • the client can also request access to the corresponding memory area through the microprocessor. Specifically, the client can send a memory access request to the microprocessor based on the memory access channel.
  • the memory access request includes the address to be accessed and the access key.
  • After the microprocessor receives the memory access request, it can identify the legitimacy of the client based on the access key included in the memory access request.
  • the memory attribute of the memory area corresponding to the address to be accessed can be adjusted to the permitted access state according to the access key, so that the client can perform the data processing operation corresponding to the memory access request on the memory area.
  • a memory access request is sent to the microprocessor based on the memory access channel, and the client performs the data processing operation corresponding to the memory access request on the memory area, so that clients with legal rights can perform such operations on the memory area. This not only prevents the memory from being accidentally accessed or modified, but also effectively protects the memory, thereby ensuring the safety and reliability of memory use and effectively improving the practicability of the method.
  • this application embodiment provides a memory access method that uses a combination of software and hardware to protect the memory, with high reliability, high performance, small granularity, and a sharing function. At the same time, it can retain information about illegal memory accesses that occur, so that the reason for the illegal access can be discovered and illegal addressing operations in the protected area can be prevented.
  • this method can realize the setting of memory attributes and write cache attributes while realizing legal access to the memory, which is beneficial to solve the problem of memory data synchronization. Specifically, as shown in FIG. 12, the method includes the following steps:
  • step1 Obtain the memory protection request sent by the user.
  • the memory protection request includes the address information to be protected.
  • step2 According to the memory protection request, allocate the corresponding memory area for the address information.
  • step3 Configure the address information of the memory area.
  • step4 Use the memory protection unit to adjust the memory attributes of the memory area to the forbidden state.
  • step5 Generate the key information corresponding to the address information, and send the key information to the user.
  • the user can use the address that needs to be protected to apply for a memory area from the memory protection unit MPU.
  • the memory attribute of the address can be adjusted to a prohibited access state, for example: the read and write permissions are closed (that is, the lock is closed), cache permissions are closed, etc.; the memory area in the forbidden access state will not be accessible. If access occurs, abnormal access information will be generated immediately, thereby realizing the location of illegal access information.
  • a random number generator is used to generate a random key, and the random key is bound to the address, that is, the key information corresponding to the address information is obtained, and the key information can be stored in the memory area.
  • the key information obtained can also be sent to the user, as shown in Figure 13, so that the user can unlock the memory area according to the key information held, thereby realizing the legal access operation of the memory area.
  • the key information can also be shared. As shown in Figure 14, the user can give his key information to other users, thereby realizing the memory sharing in the protected state. This realizes that other authorized users can legally access the memory area through the shared key information.
  • step11 Obtain the sent memory access request.
  • the memory access request includes the address to be accessed and the access key.
  • step12 Determine the memory area and standard key corresponding to the address to be accessed, and use the standard key to verify the access key.
  • step13 When the standard key does not match the access key, it means that the access key has not been verified, and you can send feedback information to the user; when the standard key matches the access key, it means that the access key is verified .
  • step14 After the access key is verified, the memory attributes of the memory area can be adjusted to allow access. At this point, the user can access the memory area through the access key.
  • step15 After accessing the memory area, you can adjust the memory attributes of the memory area to the forbidden access state again, thus realizing the safe access operation to the memory area.
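Steps step1-step5 and step11-step15 above, modelled in C as an added example (not code from the patent or from any MPU vendor). The MPU attribute is a plain state field here rather than a hardware register, and the names `protect_region`, `access_region` and `observe_state`, the 16-byte key length and `/dev/urandom` as the random number generator are assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <time.h>

#define KEY_LEN     16   /* key size is an assumption; the page gives none */
#define MAX_REGIONS 8
#define MAX_LOG     16
typedef enum { ACCESS_FORBIDDEN = 0, ACCESS_ALLOWED = 1 } mpu_state_t;
typedef struct {
    uint32_t start, end;     /* protected address range, inclusive */
    mpu_state_t state;       /* software stand-in for the MPU attribute */
    uint8_t key[KEY_LEN];    /* standard key bound to the range */
} prot_region_t;

/* Illegal access information: user ID, address, access time. */
typedef struct { int user_id; uint32_t addr; time_t when; } illegal_access_t;
typedef void (*region_op_t)(prot_region_t *r, void *ctx);

static prot_region_t regions[MAX_REGIONS];
static int region_count;
static illegal_access_t audit_log[MAX_LOG];
static int audit_count;

/* Fill buf from the OS random number generator; returns 0 on success. */
static int random_bytes(uint8_t *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Compare every byte so timing does not reveal how much of a guess matched. */
static int keys_equal(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* step1-step5: allocate the area, set it to forbidden, bind a random key and
 * return that key to the requester. Returns the region index or -1. */
int protect_region(uint32_t start, uint32_t end, uint8_t key_out[KEY_LEN])
{
    if (start > end || region_count == MAX_REGIONS) return -1;
    prot_region_t *r = &regions[region_count];
    if (random_bytes(r->key, KEY_LEN) != 0) return -1;
    r->start = start; r->end = end;
    r->state = ACCESS_FORBIDDEN;
    for (size_t i = 0; i < KEY_LEN; i++)
        key_out[i] = r->key[i];
    return region_count++;
}

/* step11-step15: verify the key, unlock, run the operation, lock again.
 * Returns 0 on success, -1 on key mismatch (logged), -2 if addr is unprotected. */
int access_region(int user_id, uint32_t addr, const uint8_t key[KEY_LEN],
                  region_op_t op, void *ctx)
{
    for (int i = 0; i < region_count; i++) {
        prot_region_t *r = &regions[i];
        if (addr < r->start || addr > r->end) continue;
        if (!keys_equal(r->key, key)) {
            if (audit_count < MAX_LOG)
                audit_log[audit_count++] = (illegal_access_t){ user_id, addr, time(NULL) };
            return -1;
        }
        r->state = ACCESS_ALLOWED;      /* step14 */
        op(r, ctx);
        r->state = ACCESS_FORBIDDEN;    /* step15 */
        return 0;
    }
    return -2;
}

mpu_state_t region_state(int idx) { return regions[idx].state; }
int illegal_access_count(void) { return audit_count; }
int last_illegal_user(void) { return audit_count ? audit_log[audit_count - 1].user_id : -1; }

/* Sample operation: report the state the area is in while the caller works. */
void observe_state(prot_region_t *r, void *ctx)
{
    *(mpu_state_t *)ctx = r->state;
}

int main(void)
{
    uint8_t key[KEY_LEN], wrong[KEY_LEN] = {0};
    mpu_state_t seen = ACCESS_FORBIDDEN;
    int idx = protect_region(0x20001000u, 0x200010FFu, key);  /* constructed range */
    if (idx < 0) return 1;
    printf("holder rc=%d\n", access_region(1, 0x20001010u, key, observe_state, &seen));
    printf("wrong key rc=%d, illegal=%d\n",
           access_region(2, 0x20001010u, wrong, observe_state, &seen), illegal_access_count());
    return 0;
}
```

Because verification depends only on the key, any user who was handed the key passes the same check, which is the sharing case of Figure 14.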
  • the memory access method provided by this application embodiment, after receiving the memory protection request sent by the virtual user, performs the protection operation on the memory area based on the memory protection request, so that memory protection areas are applied for on a per-virtual-user-request basis. This small-granularity memory protection can realize memory division and protection within a process. In addition, the microprocessor in this embodiment adopts the MPU hardware unit for memory protection. Compared with software-level memory protection measures, it reduces the number of read and write address checks and has higher read and write efficiency; and the read and write attributes are set through the MPU to achieve memory protection, which is equivalent and reliable compared to memory protection at the software level.
  • this method can also detect abnormal memory operations caused by abnormal access operations, which has a stronger protective effect. Specifically, when an illegal memory access operation occurs, the abnormal access operation can be triggered immediately through the MPU, and the microprocessor can be notified so that it performs exception handling, thereby locating the abnormal operation of the memory.
  • the method in this embodiment can realize the sharing of key information, so that the data in the protected memory can be shared, which further improves the flexibility and reliability of the method.
  • FIG. 16 is a schematic structural diagram of a microprocessor provided by an embodiment of the present invention. As shown in FIG. 16, this embodiment provides a microprocessor for executing the memory access method shown in FIG. 3 above.
  • the microprocessor may include:
  • the first memory 12 is used to store computer programs
  • the first processor 11 is configured to run a computer program stored in the first memory 12 to implement:
  • the memory access request includes the address to be accessed and the access key
  • the memory protection unit is used to adjust the memory attributes of the memory area to a permitted access state.
  • the memory access request is sent by a first virtual user
  • the permitted access state includes: a state in which the first virtual user is allowed to perform a corresponding data processing operation on the memory area.
  • the structure of the microprocessor may also include a first communication interface 13 for communication between the electronic device and other devices or a communication network.
  • the memory attributes include at least one of the following: read and write attributes, address execution attributes, and cache attributes.
  • the first processor 11 is further configured to: acquire the memory protection request sent by the second virtual user, where the memory protection request includes the address information to be protected; allocate a corresponding memory area for the address information according to the memory protection request; use the memory protection unit to adjust the memory attributes of the memory area to a state of forbidden access; generate key information corresponding to the address information, and send the key information to the second virtual user.
  • the access key of the first virtual user is determined according to the key information shared by the second virtual user with the first virtual user.
  • the address information to be protected includes one of the following: address information of the process stack and address information of the non-process stack.
  • the first processor 11 when the first processor 11 generates key information corresponding to the address information, the first processor 11 is configured to use a random number generator to generate random key information corresponding to the address information.
  • the first processor 11 when the first processor 11 obtains the memory access request, the first processor 11 is configured to: obtain the memory access request sent by the first virtual user through the memory access channel.
  • the first processor 11 is further configured to: allocate a corresponding memory access channel for the address information according to the memory protection request; and send the memory access channel to The second virtual user.
  • the memory access channel of the first virtual user is a memory access channel shared by the second virtual user to the first virtual user.
  • the first processor 11 is further configured to: store the key information in a preset area.
  • the preset area includes an area in the memory area before the address information.
  • the preset area is adjacent to the memory area.
  • the first processor 11 is further configured to: identify illegal access users for the memory area; and generate illegal access information corresponding to the illegal access users.
  • the first processor 11 when the first processor 11 identifies an illegal user accessing the memory area, the first processor 11 is configured to: when the access key does not match the standard key, determine that the first virtual user is an illegal access user.
  • when the first processor 11 identifies an illegal user accessing the memory area, the first processor 11 is configured to: use the memory protection unit to identify the access channel through which the first virtual user sends the memory access request; when the access channel does not match the memory access channel, determine that the first virtual user is an illegal access user.
  • the memory protection request includes a first request and a second request, the first request includes a first access address, the second request includes a second access address, and there is an overlap address between the first access address and the second access address;
  • when the first processor 11 allocates a memory area corresponding to the address information and a memory attribute corresponding to the memory area according to a memory protection request, the first processor 11 is further configured to: allocate a first memory area corresponding to the first access address and a first memory attribute corresponding to the first memory area according to the first request; allocate a second memory area corresponding to the second access address and a second memory attribute corresponding to the second memory area according to the second request; obtain the first attribute priority of the first memory area and the second attribute priority of the second memory area; determine the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority.
  • when the first processor 11 determines the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority, the first processor 11 is further configured to: when the first attribute priority is higher than the second attribute priority, determine the overlapping memory attribute of the overlapping address as the first memory attribute; or, when the first attribute priority is lower than the second attribute priority, determine the overlapping memory attribute of the overlapping address as the second memory attribute.
  • the memory protection request includes a first request and a second request.
  • the first request includes the first access address and the identity of the first virtual user
  • the second request includes the second access address and the identity of the second virtual user.
  • When the first processor 11 generates the key information corresponding to the address information, the first processor 11 is further configured to: determine the first access priority corresponding to the first access address according to the identity of the first virtual user, and determine the second access priority corresponding to the second access address according to the identity of the second virtual user; generate first key information corresponding to the first access address, where the first key information satisfies the first access priority; generate second key information corresponding to the second access address, where the second key information meets the second access priority.
  • the microprocessor shown in Fig. 16 can execute the methods of the embodiments shown in Figs. 3-9 and 12-15.
  • For the implementation process and technical effects of this technical solution, please refer to the descriptions in the embodiments shown in FIGS. 3-9 and 12-15, which will not be repeated here.
  • an embodiment of the present invention provides a computer storage medium for storing computer software instructions used by electronic devices, which includes the programs involved in executing the memory access method in the method embodiments shown in FIGS. 3-9 and 12-15.
  • Fig. 17 is a schematic structural diagram of a client provided by an embodiment of the present invention; as shown in Fig. 17, this embodiment provides a client for executing the memory access method shown in Fig. 10 above.
  • the client may include:
  • the second memory 22 is used to store computer programs
  • the second processor 21 is configured to run a computer program stored in the second memory 22 to implement:
  • the key information and memory access channel sent by the microprocessor according to the memory protection request are received, and the key information corresponds to the address information.
  • the structure of the client may further include a second communication interface 23 for the electronic device to communicate with other devices or a communication network.
  • the second processor 21 is further configured to share the key information and the address information to other clients, so that the other clients perform corresponding data access operations on the memory area corresponding to the address information.
  • the second processor 21 is further configured to: send a memory access request to the microprocessor based on the memory access channel, where the memory access request includes the address to be accessed and the access key, so that the microprocessor adjusts, according to the access key, the memory attribute of the memory area corresponding to the address to be accessed to the allowed access state; and perform the data processing operation corresponding to the memory access request for the memory area.
  • the client shown in FIG. 17 can execute the methods of the embodiments shown in FIGS. 10-15.
  • For parts that are not described in detail in this embodiment, please refer to the related descriptions of the embodiments shown in FIGS. 10-15.
  • For the implementation process and technical effects of this technical solution, please refer to the description in the embodiment shown in FIG. 10 to FIG. 15, which will not be repeated here.
  • an embodiment of the present invention provides a computer storage medium for storing computer software instructions used by electronic devices, which includes programs for executing the memory access method in the method embodiments shown in FIGS. 10-15.
  • the disclosed related remote control device and method can be implemented in other ways.
  • the embodiments of the remote control device described above are only illustrative.
  • the division of the modules or units is only a logical function division, and there may be other divisions in actual implementation; for example, multiple units or components can be combined or integrated into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, remote control devices or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
  • If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • the technical solution of the present invention essentially or the part that contributes to the prior art or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM), random access memory (RAM), magnetic disks, optical disks, and other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A memory access method, a microprocessor, a client, and a computer storage medium. The method comprises: acquiring a memory access request, the memory access request comprising an address to be accessed and an access key (S101); determining a memory region and a standard key corresponding to the address (S102); and, when the access key matches the standard key, using a memory protection unit to adjust memory attributes of the memory region to a permitted access state (S103). By acquiring a memory access request and, when an access key is verified, adjusting memory attributes of a memory region to a permitted access state, a user can perform a corresponding data processing operation on the memory region, which not only prevents the memory from being accessed or modified accidentally, but also effectively protects the memory.
PCT/CN2019/121216 2019-11-27 2019-11-27 Memory access method, microprocessor, client, and computer storage medium WO2021102729A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980039310.5A CN112384923A (zh) 2019-11-27 2019-11-27 Memory access method, microprocessor, client, and computer storage medium
PCT/CN2019/121216 WO2021102729A1 (fr) 2019-11-27 2019-11-27 Memory access method, microprocessor, client, and computer storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/121216 WO2021102729A1 (fr) 2019-11-27 2019-11-27 Memory access method, microprocessor, client, and computer storage medium

Publications (1)

Publication Number Publication Date
WO2021102729A1 true WO2021102729A1 (fr) 2021-06-03

Family

ID=74586596

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/121216 WO2021102729A1 (fr) 2019-11-27 2019-11-27 Memory access method, microprocessor, client, and computer storage medium

Country Status (2)

Country Link
CN (1) CN112384923A (fr)
WO (1) WO2021102729A1 (fr)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
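CN114626034A (zh) * 2022-03-16 2022-06-14 中电(海南)联合创新研究院有限公司 Memory access method, apparatus, device, and storage medium
CN115292697B (zh) * 2022-10-10 2022-12-16 北京安帝科技有限公司 Memory protection method and apparatus based on intrusion behavior analysis
CN115587348B (zh) * 2022-11-24 2023-04-07 中国人民解放军国防科技大学 Configurable security control method, apparatus, and medium for PCIe device memory access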

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5901311A (en) * 1996-12-18 1999-05-04 Intel Corporation Access key protection for computer system data
US20020124148A1 (en) * 2001-03-01 2002-09-05 Ibm Corporation Using an access key to protect and point to regions in windows for infiniband
WO2016072999A1 (fr) * 2014-11-07 2016-05-12 Hewlett Packard Enterprise Development Lp Data conversion using an address space identifier
CN107533514A (zh) * 2015-09-30 2018-01-02 慧与发展有限责任合伙企业 Cryptographic-based initialization of memory content
CN109766165A (zh) * 2018-11-22 2019-05-17 海光信息技术有限公司 Memory access control method, apparatus, memory controller, and computer system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6775750B2 (en) * 2001-06-29 2004-08-10 Texas Instruments Incorporated System protection map
CN1251065C (zh) * 2003-11-21 2006-04-12 苏州国芯科技有限公司 Embedded CPU for information security
GB2448149B (en) * 2007-04-03 2011-05-18 Advanced Risc Mach Ltd Protected function calling

Also Published As

Publication number Publication date
CN112384923A (zh) 2021-02-19

Similar Documents

Publication Publication Date Title
US20230128711A1 (en) Technologies for trusted i/o with a channel identifier filter and processor-based cryptographic engine
CN109766165B (zh) Memory access control method, apparatus, memory controller, and computer system
US8452934B2 (en) Controlled data access to non-volatile memory
CN110383277B (zh) Virtual machine monitor measurement agent
WO2021102729A1 (fr) Memory access method, microprocessor, client, and computer storage medium
US8365294B2 (en) Hardware platform authentication and multi-platform validation
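CN100580642C (zh) Universal serial bus storage device and access control method thereof
EP3089040B1 (fr) Security access control method for hard disk, and hard disk
JP5402498B2 (ja) Information storage device, information storage program, recording medium recording the program, and information storage method
CN110928646A (zh) Method, apparatus, processor, and computer system for accessing shared memory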
US11625275B2 (en) Technologies for controlling memory access transactions received from one or more I/O devices
TW201807616A (zh) Secure storage system and method for secure storage
CN104657193B (zh) Method and apparatus for accessing physical resources
US20030221115A1 (en) Data protection system
KR20090094239A (ko) Application-dependent storage control
US20070271472A1 (en) Secure Portable File Storage Device
KR20090121712A (ko) Virtualization system and method for restricting content use in the virtualization system
CN110301127B (zh) Apparatus and method for predictive token validation
WO2021027976A1 (fr) Hierarchical system firewall and configuration method
US10318767B2 (en) Multi-tier security framework
EP2975547B1 (fr) Method and apparatus for preventing illegitimate output of an electronic document
US7925801B2 (en) Method and system for protection and security of IO devices using credentials
Walsh et al. Costs of security in the PFS file system
US11783095B2 (en) System and method for managing secure files in memory
US20240289150A1 (en) Secure management of device control information in confidential computing environments

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19953829

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19953829

Country of ref document: EP

Kind code of ref document: A1