WO2022028081A1 - Integrity measurement method and integrity measurement device - Google Patents

Integrity measurement method and integrity measurement device

Publication number
WO2022028081A1
Authority
WO
WIPO (PCT)
Prior art keywords
measurement
module
sub
pcr
integrity
Application number
PCT/CN2021/098477
Inventor
邵旭龙
骆光瑞
欧阳文斌
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to EP21853166.3A (patent EP4184367A4)
Publication of WO2022028081A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Definitions

  • the present application relates to the field of network security, and in particular, to an integrity measurement method and an integrity measurement device.
  • a dynamic integrity measurement (DIM) method is usually used to verify the integrity of the memory.
  • the DIM method measures the integrity of the unchanging parts of the memory image (such as the kernel code segment, kernel module code segments, and user-mode process code segments), and then judges whether the memory image has been tampered with, to determine whether the memory has been maliciously attacked.
  • the existing DIM process does not establish a complete chain of trust, and the security of the measurement module executing the DIM method cannot be guaranteed, so the measurement results of the DIM method have low credibility. Therefore, how to improve the accuracy and credibility of the integrity measurement has become one of the problems to be solved urgently.
  • the present application provides an integrity measurement method and an integrity measurement device, which can improve the accuracy and reliability of the integrity measurement.
  • an embodiment of the present application provides an integrity measurement method.
  • the first measurement module may perform integrity measurement on the second measurement module to obtain a first measurement result.
  • the credibility of the first measurement module is higher than the credibility of the second measurement module.
  • the second measurement module performs integrity measurement on the object to be measured to obtain a second measurement result, and sends the second measurement result to the first measurement module.
  • the first measurement module sends measurement result information to the certification module.
  • the measurement result information is determined by the first measurement result and the second measurement result.
  • the certification module determines whether the object to be measured passes the integrity verification according to the measurement result information.
  • the first measurement module obtains the first measurement result corresponding to the second measurement module and the second measurement result corresponding to the object to be measured, determines the measurement result information from the first measurement result and the second measurement result, and sends the measurement result information to the attestation module, so that the attestation module determines whether the to-be-measured object passes the integrity verification according to the measurement result information.
  • the first measurement module with higher reliability is used as the measurement root to obtain the integrity measurement result of the first measurement module and the object to be measured and provide it to the proof module, thus constructing a complete chain of trust and improving the accuracy and reliability of the integrity measure.
  • the first measurement module may determine the first measurement result and the second measurement result as measurement result information. Then, the first measurement module sends the measurement result information to the certification module. The first measurement module directly determines the first measurement result and the second measurement result as measurement result information and sends it to the second measurement module.
  • the method is simple and easy to implement and can improve the efficiency of integrity measurement.
  • the first measurement module may send the first measurement result and the second measurement result to a trusted platform module (TPM), respectively.
  • the TPM can perform platform configuration register (PCR) extension on the first measurement result and the second measurement result, respectively, to obtain the first PCR value corresponding to the first measurement result and the second PCR value corresponding to the second measurement result.
  • the TPM determines the above-mentioned first PCR value and second PCR value as measurement result information and sends it to the certification module.
  • the first measurement module first extends the measurement results into corresponding PCR values through the TPM, which has high security and reliability, and then sends the extended PCR values as measurement result information to the certification module through the TPM, which can effectively prevent the measurement results from being tampered with and ensure the security of measurement result transmission.
  • the second measurement module includes a first measurement sub-module and a second measurement sub-module.
  • the first metric result includes a first metric sub-result and a second metric sub-result.
  • the first measurement module performs integrity measurement on the first measurement sub-module to obtain a first measurement sub-result.
  • the first measurement sub-module performs integrity measurement on the second measurement sub-module to obtain a second measurement sub-result and sends the second measurement result to the first measurement module.
  • the first measurement module determines the first measurement sub-result, the second measurement sub-result, and the second measurement result as measurement result information.
  • the first measurement module sends the measurement result information to a certification module.
  • the first metric module sends the first metric sub-result, the second metric sub-result, and the second metric result to the TPM, respectively.
  • the TPM performs PCR extension on the first metric sub-result, the second metric sub-result, and the second metric result, respectively, to obtain the first sub-PCR value corresponding to the first metric sub-result, the second sub-PCR value corresponding to the second metric sub-result, and the second PCR value corresponding to the second metric result.
  • the TPM determines the first sub-PCR value, the second sub-PCR value, and the second PCR value as measurement result information, and sends the measurement result information to the certification module.
  • the first measurement module may further determine that the preset metric trigger condition is met.
  • the metric triggering condition is at least one of the arrival of a preset metric period, the occurrence of a preset system abnormal event, and the receipt of a metric triggering instruction from a user.
  • different measurement triggering conditions are set to trigger the first measurement module to actively start the integrity measurement of the object to be measured, which can reduce the attack time window of the object to be measured and improve the security of the object to be measured.
  • when the metric triggering condition is the occurrence of a preset system abnormal event, if the first metric module receives a system abnormality message sent by an intrusion detection system (IDS), it determines that the preset trigger condition is satisfied.
  • the system abnormality message is sent by the IDS when the occurrence of the system abnormality event is detected.
  • the data processing amount of the first measurement module can be reduced.
  • when the first measurement module determines that the preset measurement triggering condition is satisfied, it may also send first measurement indication information to the second measurement module.
  • the first metric indication information is used to indicate to the second metric module that the first metric module will perform an integrity measurement on the second metric module.
  • an embodiment of the present application provides an integrity measurement method.
  • the proof module receives the measurement result information sent by the first measurement module.
  • the measurement result information is determined by the first measurement result and the second measurement result.
  • the first measurement result is a result of the integrity measurement performed by the first measurement module on the second measurement module.
  • the second measurement result is a result of the integrity measurement performed by the second measurement module on the object to be measured.
  • the reliability of the first measurement module is higher than that of the second measurement module.
  • the attestation module determines whether the object to be measured passes the integrity verification according to the measurement result information.
  • the proof module combines the first measurement result and the second measurement result to determine whether the object to be measured passes the integrity verification, which avoids the situation where the measurement result of the object to be measured has low credibility because the security of the second measurement module is unknown, improves the credibility of the integrity measurement results, and improves the accuracy and reliability of the integrity measurement method.
  • the measurement result information includes the first measurement result and the second measurement result. If the attestation module determines that the first measurement result is the same as the first baseline value corresponding to the second measurement module and the second measurement result is the same as the second baseline value corresponding to the object to be measured, it determines that the object to be measured passes the integrity verification. If the attestation module determines that the first measurement result is different from the first baseline value, or determines that the second measurement result is different from the second baseline value, it determines that the object to be measured has not passed the integrity verification.
  • the measurement result information includes a first PCR value and a second PCR value.
  • the first PCR value is obtained by the first measurement module performing PCR extension on the first measurement result through the TPM.
  • the second PCR value is obtained by the first measurement module performing PCR extension on the second measurement result through the TPM.
  • if the attestation module determines that the first PCR value is equal to the first PCR test value and the second PCR value is equal to the second PCR test value, it determines that the object to be measured has passed the integrity verification.
  • if the attestation module determines that the first PCR value is not equal to the first PCR test value, or determines that the second PCR value is not equal to the second PCR test value, it determines that the object to be measured fails the integrity verification.
  • the first PCR test value is obtained by performing PCR expansion of the first baseline value and the first PCR initial value corresponding to the second measurement module by the certification module.
  • the second PCR test value is obtained by performing PCR expansion on the second baseline value and the second PCR initial value corresponding to the object to be measured by the certification module.
  • the second measurement module includes a first measurement sub-module and a second measurement sub-module.
  • the first measurement result includes a first measurement sub-result and a second measurement sub-result.
  • the measurement result information includes the first measurement sub-result, the second measurement sub-result, and the second measurement result.
  • if the attestation module determines that the first metric sub-result is the same as the first sub-baseline value corresponding to the first measurement sub-module, the second metric sub-result is the same as the second sub-baseline value corresponding to the second measurement sub-module, and the second measurement result is the same as the second baseline value corresponding to the object to be measured, it determines that the object to be measured passes the integrity verification.
  • if the attestation module determines that the first metric sub-result is different from the first sub-baseline value corresponding to the first measurement sub-module, or the second metric sub-result is different from the second sub-baseline value corresponding to the second measurement sub-module, or the second measurement result is different from the second baseline value corresponding to the object to be measured, it determines that the object to be measured has not passed the integrity verification.
  • the second measurement module includes a first measurement sub-module and a second measurement sub-module.
  • the first measurement result includes a first measurement sub-result and a second measurement sub-result.
  • the measurement result information includes a first sub-PCR value, a second sub-PCR value, and a second PCR value.
  • the first sub-PCR value is obtained by the first measurement module performing PCR extension on the first measurement sub-result through the TPM.
  • the second sub-PCR value is obtained by the first measurement module performing PCR extension on the second measurement sub-result through the TPM.
  • the second PCR value is obtained by the first measurement module performing PCR extension on the second measurement result through the TPM.
  • if the attestation module determines that the first sub-PCR value is equal to the first sub-PCR test value, the second sub-PCR value is equal to the second sub-PCR test value, and the second PCR value is equal to the second PCR test value, it determines that the object to be measured has passed the integrity verification. If the attestation module determines that the first sub-PCR value and the first sub-PCR test value are not equal, or the second sub-PCR value and the second sub-PCR test value are not equal, or the second PCR value is not equal to the second PCR test value, it determines that the object to be measured has not passed the integrity verification.
  • the first sub-PCR test value is obtained by performing PCR expansion of the first sub-baseline value and the first sub-PCR initial value corresponding to the second measurement module by the certification module.
  • the second sub-PCR test value is obtained by the proof module performing PCR expansion on the second sub-baseline value and the second sub-PCR initial value corresponding to the second measurement module.
  • the second PCR test value is obtained by performing PCR expansion on the second baseline value and the second PCR initial value corresponding to the object to be measured by the certification module.
  • an embodiment of the present application provides an integrity measurement method.
  • the second measurement module performs integrity measurement on the object to be measured to obtain a second measurement result.
  • the credibility of the first measurement module is higher than the credibility of the second measurement module.
  • the second measurement module sends the second measurement result to the first measurement module.
  • the second measurement module may determine that the first measurement module has performed integrity measurement on it.
  • an integrity measurement apparatus provided by an embodiment of the present application may be the above-mentioned first measurement module.
  • the integrity measurement device may include:
  • the processor unit is configured to perform integrity measurement on the second measurement module to obtain the first measurement result.
  • the credibility of the first measurement module is higher than the credibility of the second measurement module.
  • a transceiver unit configured to receive the second measurement result sent by the second measurement module.
  • the second measurement result is obtained by measuring the integrity of the object to be measured by the second measurement module.
  • the processing unit is further configured to determine measurement result information according to the first measurement result and the second measurement result.
  • the transceiver unit is further configured to send the measurement result information to the certification module.
  • the attestation module is configured to determine whether the object to be measured passes the integrity verification according to the measurement result information.
  • the processing unit may determine the first measurement result and the second measurement result as measurement result information. Then, the transceiver unit may send the measurement result information to the certification module.
  • the transceiver unit may send the first measurement result and the second measurement result to the TPM, respectively.
  • the TPM may perform platform configuration register (PCR) extension on the first measurement result and the second measurement result, respectively, to obtain the first PCR value corresponding to the first measurement result and the second PCR value corresponding to the second measurement result.
  • the TPM may also determine the above-mentioned first PCR value and second PCR value as measurement result information and send it to the certification module.
  • the second measurement module includes a first measurement sub-module and a second measurement sub-module.
  • the first metric result includes a first metric sub-result and a second metric sub-result.
  • the processing unit is configured to perform integrity measurement on the first measurement sub-module to obtain a first measurement sub-result.
  • the first measurement sub-module performs integrity measurement on the second measurement sub-module to obtain a second measurement sub-result and sends the second measurement result to the transceiver unit.
  • the processing unit is configured to determine the first measurement sub-result, the second measurement sub-result, and the second measurement result as measurement result information.
  • the first measurement module sends the measurement result information to a certification module.
  • the transceiver unit may send the first metric sub-result, the second metric sub-result, and the second metric result to the TPM, respectively.
  • the TPM performs PCR extension on the first metric sub-result, the second metric sub-result, and the second metric result, respectively, to obtain the first sub-PCR value corresponding to the first metric sub-result, the second sub-PCR value corresponding to the second metric sub-result, and the second PCR value corresponding to the second metric result.
  • the TPM determines the first sub-PCR value, the second sub-PCR value, and the second PCR value as measurement result information, and sends the measurement result information to the certification module.
  • the processing unit may further determine that a preset metric trigger condition is met.
  • the metric triggering condition is at least one of the arrival of a preset metric period, the occurrence of a preset system abnormal event, and the receipt of a metric triggering instruction from a user.
  • if the processing unit determines that the system abnormality message sent by the IDS is received, it determines that the preset trigger condition is satisfied.
  • the system abnormality message is sent by the IDS when the occurrence of the system abnormality event is detected.
  • the transceiver unit may further send first measurement indication information to the second measurement module.
  • the first metric indication information is used to indicate to the second metric module that the first metric module will perform an integrity measurement on the second metric module.
  • an embodiment of the present application provides an integrity measurement apparatus, and the apparatus may be the above-mentioned attestation module.
  • the integrity measurement device may include:
  • a transceiver unit, configured to receive measurement result information sent by the first measurement module.
  • the measurement result information is determined by the first measurement result and the second measurement result.
  • the first measurement result is a result of the integrity measurement performed by the first measurement module on the second measurement module.
  • the second measurement result is a result of the integrity measurement performed by the second measurement module on the object to be measured. The reliability of the first measurement module is higher than that of the second measurement module.
  • a processing unit configured to determine whether the object to be measured passes the integrity verification according to the measurement result information.
  • the measurement result information includes the first measurement result and the second measurement result. If the processing unit determines that the first measurement result is the same as the first baseline value corresponding to the second measurement module and the second measurement result is the same as the second baseline value corresponding to the object to be measured, it determines that the object to be measured passes the integrity verification. If the processing unit determines that the first measurement result is not the same as the first baseline value, or determines that the second measurement result is not the same as the second baseline value, it determines that the object to be measured has not passed the integrity verification.
  • the measurement result information includes a first PCR value and a second PCR value.
  • the first PCR value is obtained by the first measurement module performing PCR extension on the first measurement result through the TPM.
  • the second PCR value is obtained by the first measurement module performing PCR extension on the second measurement result through the TPM.
  • if the processing unit determines that the first PCR value is equal to the first PCR test value and the second PCR value is equal to the second PCR test value, it determines that the object to be measured has passed the integrity verification.
  • if the processing unit determines that the first PCR value is not equal to the first PCR test value, or determines that the second PCR value is not equal to the second PCR test value, it determines that the object to be measured fails the integrity verification.
  • the first PCR test value is obtained by performing PCR expansion of the first baseline value and the first PCR initial value corresponding to the second measurement module by the certification module.
  • the second PCR test value is obtained by performing PCR expansion on the second baseline value and the second PCR initial value corresponding to the object to be measured by the certification module.
  • the second measurement module includes a first measurement sub-module and a second measurement sub-module.
  • the first measurement result includes a first measurement sub-result and a second measurement sub-result.
  • the measurement result information includes the first measurement sub-result, the second measurement sub-result, and the second measurement result.
  • if the processing unit determines that the first metric sub-result is the same as the first sub-baseline value corresponding to the first measurement sub-module, the second metric sub-result is the same as the second sub-baseline value corresponding to the second measurement sub-module, and the second measurement result is the same as the second baseline value corresponding to the object to be measured, it determines that the object to be measured passes the integrity verification.
  • if the processing unit determines that the first metric sub-result is different from the first sub-baseline value corresponding to the first measurement sub-module, or the second metric sub-result is different from the second sub-baseline value corresponding to the second measurement sub-module, or the second measurement result is different from the second baseline value corresponding to the object to be measured, it determines that the object to be measured has not passed the integrity verification.
  • the second measurement module includes a first measurement sub-module and a second measurement sub-module.
  • the first measurement result includes a first measurement sub-result and a second measurement sub-result.
  • the measurement result information includes a first sub-PCR value, a second sub-PCR value, and a second PCR value.
  • the first sub-PCR value is obtained by the first measurement module performing PCR extension on the first measurement sub-result through the TPM.
  • the second sub-PCR value is obtained by the first measurement module performing PCR extension on the second measurement sub-result through the TPM.
  • the second PCR value is obtained by the first measurement module performing PCR extension on the second measurement result through the TPM.
  • if the processing unit determines that the first sub-PCR value is equal to the first sub-PCR test value, the second sub-PCR value is equal to the second sub-PCR test value, and the second PCR value is equal to the second PCR test value, it determines that the object to be measured has passed the integrity verification. If the processing unit determines that the first sub-PCR value and the first sub-PCR test value are not equal, or the second sub-PCR value and the second sub-PCR test value are not equal, or the second PCR value is not equal to the second PCR test value, it determines that the object to be measured has not passed the integrity verification.
  • the first sub-PCR test value is obtained by performing PCR expansion of the first sub-baseline value and the first sub-PCR initial value corresponding to the second measurement module by the certification module.
  • the second sub-PCR test value is obtained by the proof module performing PCR expansion on the second sub-baseline value and the second sub-PCR initial value corresponding to the second measurement module.
  • the second PCR test value is obtained by performing PCR expansion on the second baseline value and the second PCR initial value corresponding to the object to be measured by the certification module.
  • an embodiment of the present application provides an integrity measurement apparatus, and the apparatus may be the above-mentioned second measurement module.
  • the integrity measuring device includes:
  • the processing unit is configured to perform integrity measurement on the object to be measured to obtain a second measurement result when it is determined that the first measurement module performs integrity measurement on the second measurement module.
  • the credibility of the first measurement module is higher than the credibility of the second measurement module.
  • a transceiver unit configured to send the second measurement result to the first measurement module.
  • if the processing unit determines that the transceiver unit has received the first measurement indication information, it may determine that the first measurement module has performed integrity measurement on it.
  • the first measurement module is a preset measurement root of trust.
  • using the metric root of trust with the highest reliability as the above-mentioned first metric module can further improve the accuracy and reliability of the integrity metric method.
  • the first measurement module is a DIM trusted execution environment (TEE) module or a hardware security module (HSM), and the second measurement module is a DIM module.
  • the first measurement module is an HSM, the first measurement sub-module is a DIM TEE module, and the second measurement sub-module is a DIM module.
  • the attestation module includes a local attestation module or a remote attestation module.
  • the object to be measured includes a memory code segment or a static file.
  • the object to be measured includes a memory code segment, and the memory code segment includes at least one of a kernel code segment, a kernel module code segment, and a user-mode process code segment.
  • an embodiment of the present application provides an integrity measurement apparatus.
  • the integrity measurement device may be the above-mentioned first measurement module.
  • the integrity measurement device includes a memory, a processor and a transceiver.
  • the processor is configured to invoke the code stored in the memory to execute the integrity measurement method provided by any feasible implementation manner of the first aspect.
  • an embodiment of the present application provides an integrity measurement apparatus.
  • the integrity measuring device may be the above-mentioned attestation module.
  • the integrity measurement device includes a memory, a processor and a transceiver.
  • the processor is configured to invoke the code stored in the memory to execute the integrity measurement method provided by any feasible implementation manner of the second aspect.
  • an embodiment of the present application provides an integrity measurement apparatus.
  • the integrity measurement device may be the above-mentioned second measurement module.
  • the integrity measurement device includes a memory, a processor, and a transceiver.
  • the processor is configured to invoke the code stored in the memory to execute the integrity measurement method provided by any feasible implementation manner of the third aspect.
  • an embodiment of the present application provides an integrity measurement apparatus, and the integrity measurement apparatus may include a first measurement module.
  • the first measurement module is configured to perform integrity measurement on the second measurement module to obtain a first measurement result.
  • the credibility of the first measurement module is higher than the credibility of the second measurement module.
  • the first measurement module is further configured to receive the second measurement result sent by the second measurement module.
  • the second measurement result is obtained by measuring the integrity of the object to be measured by the second measurement module.
  • the first measurement module is further configured to determine measurement result information according to the first measurement result and the second measurement result.
  • the first measurement module is further configured to send the measurement result information to the attestation module, wherein the attestation module is configured to determine whether the to-be-measured object passes the integrity verification according to the measurement result information.
  • the integrity measurement apparatus further includes at least one of the attestation module, the second measurement module, and the object to be measured.
  • an embodiment of the present application provides an integrity measurement apparatus, and the integrity measurement apparatus may include a processor and a transceiver, where the processor is configured to support the above-mentioned first measurement module in performing the corresponding function in the above-mentioned integrity measurement method. It can also be configured to support at least one of the above-mentioned second measurement module, the above-mentioned attestation module and the object to be measured in performing the corresponding function in the above-mentioned method.
  • the transceiver is used to support the communication between the above-mentioned first measurement module and the attestation module.
  • the integrity measurement module may further include a memory, which is coupled with the processor and stores the program instructions and data necessary for at least one of the first measurement module, the second measurement module, the attestation module and the object to be measured.
  • an embodiment of the present application provides a chip or a chip system, including an input and output interface and a processing circuit, where the input and output interface is used for exchanging information or data, and the processing circuit is used for running instructions so that the integrity measurement device in which the chip or chip system is installed executes the integrity measurement method of any one of the first aspect to the third aspect.
  • the present application provides a computer-readable storage medium storing instructions, the instructions being executable by one or more processors on a processing circuit. When run on a computer, the instructions cause the computer to execute the integrity measurement method of any one of the first to third aspects.
  • the present application provides a computer program product comprising instructions, which, when executed on a computer, cause the computer to execute the integrity measurement method described in any one of the above-mentioned first to third aspects.
  • FIG. 1 is a schematic structural diagram of an integrity measurement device provided by an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of an integrity measurement method provided by an embodiment of the present application.
  • FIG. 3 is another schematic flowchart of an integrity measurement method provided by an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of another integrity measurement device provided by an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of another integrity measurement device provided by an embodiment of the present application.
  • FIG. 6 is a schematic structural diagram of another integrity measurement device provided by an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of another integrity measurement device provided by an embodiment of the present application.
  • FIG. 8 is a schematic structural diagram of another integrity measurement apparatus provided by an embodiment of the present application.
  • the DIM method is usually used to measure the integrity of the memory to determine whether the memory has suffered a malicious attack.
  • the existing DIM process does not establish a complete chain of trust, and the security of the measurement module executing the DIM method cannot be guaranteed during the execution process.
  • once the security of the measurement module is threatened (such as being attacked by hackers, etc.), the measurement results obtained by the measurement module are no longer credible. Therefore, the reliability of the measurement results of the existing DIM methods is low.
  • the technical problem to be solved by this application is: how to improve the accuracy and reliability of the integrity measurement.
  • FIG. 1 is a schematic structural diagram of an integrity measurement apparatus provided by an embodiment of the present application.
  • the integrity measurement apparatus is applicable to the integrity measurement method provided in the embodiment of the present application.
  • the integrity measurement apparatus 10 may specifically include a first measurement module 101 involved in the integrity measurement method provided in the embodiment of the present application.
  • the integrity measurement apparatus 10 may further include one or more of the second measurement module 102, the proof module 103, and the object to be measured 104 involved in the integrity measurement method provided in the embodiment of the present application.
  • the above-mentioned first measurement module 101 is used to measure the integrity of the second measurement module 102 and obtain the result of the integrity measurement of the second measurement module 102 (for ease of understanding and distinction, referred to below as the first measurement result).
  • the above-mentioned second measurement module 102 is used to measure the integrity of the preset object to be measured 104, and to send the obtained integrity measurement result of the object to be measured 104 (for ease of understanding and distinction, referred to below as the second measurement result) to the above-mentioned first measurement module 101.
  • the first measurement module 101 is further configured to determine measurement result information according to the first measurement result and the second measurement result, and send the measurement result information to the certification module 103 .
  • the above-mentioned attestation module 103 may be configured to determine whether the above-mentioned object to be measured 104 has passed the integrity verification according to the above-mentioned measurement result information.
  • for the specific process, see the integrity measurement method provided by the embodiments of the present application hereinafter, which will not be described in detail here.
  • FIG. 1 is only an example of the structure of the integrity measurement system 10 provided in the embodiment of the present application. The integrity measurement system 10 may further include functional modules other than the first measurement module 101, the second measurement module 102 and the proof module 103, which is not specifically limited in this application.
  • the integrity measurement device 10 may be an electronic device itself, such as a tablet computer, a mobile terminal (such as a mobile phone), a laptop computer, a desktop computer, a wearable device, an optical line terminal (OLT) or an optical network terminal (ONT), or may be a chip or chip system inside such an electronic device, such as a central processing unit (CPU), a microcontroller unit (MCU), or a system-on-a-chip (SOC) including a CPU or MCU, which is not specifically limited in this application.
  • the above-mentioned first measurement module 101, second measurement module 102, proof module 103 and the object to be measured 104 may specifically be software programs or software modules that run on the integrity measurement device 10.
  • the above-mentioned integrity measuring apparatus 10 may include a processor and a memory.
  • the memory stores the program codes or instruction sets corresponding to the first measurement module 101, the second measurement module 102, the proof module 103 or the object to be measured 104, and the processor runs these program codes or instruction sets to support the above-mentioned first measurement module 101, second measurement module 102, proof module 103 or object to be measured 104 in implementing the methods or functions involved in the integrity measurement method provided by the embodiments of this application.
  • when the integrity measurement apparatus 10 includes multiple processors and multiple memories, the program codes or instruction sets corresponding to the above modules and the object to be measured 104 may be stored in different memories respectively, and may be run in different processors, which is not specifically limited in this application.
  • the above-mentioned processor may specifically be the aforementioned CPU, MCU, SOC, etc.
  • the above-mentioned memory may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
  • the memory may further include memory located remotely from the processor, and these remote memories may be connected to the integrity measurement device 10 through a network.
  • networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
  • the above-mentioned first measurement module 101 may also be implemented by a hardware circuit with logic processing capability connected inside or outside the integrity measurement apparatus 10 .
  • logic information may be solidified in the hardware circuit, and the hardware circuit may implement the function of the first measurement module 101 according to the logic information after power-on.
  • the above-mentioned hardware circuit may be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or another programmable logic component, which is not specifically limited in this application.
  • the attestation module 103 can be divided into a local attestation (ie local attestation) module and a remote attestation (ie remote attestation) module.
  • the so-called local attestation module refers to that the attestation module 103 and the above-mentioned first measurement module 101 run in the same device.
  • the attestation module 103 is a local attestation module for the first measurement module 101 .
  • when the attestation module 103 is a local attestation module, the attestation module 103 may be included in the first measurement module 101, or may exist independently of the first measurement module 101, which is not specifically limited in this application.
  • the so-called remote attestation module refers to that the attestation module 103 and the first measurement module 101 exist in different devices, and the attestation module 103 and the first measurement module 101 need to perform data interaction through a secure network.
  • when the attestation module 103 is a remote attestation module, it may include a remote attestation server (i.e. RA-server) and a remote attestation client (i.e. RA-client).
  • the remote attestation server performs data interaction with the first measurement module 103 through the remote attestation client.
  • FIG. 2 is a schematic flowchart of an integrity measurement method provided by an embodiment of the present application. As shown in FIG. 2, the integrity measurement method includes steps:
  • the first measurement module performs integrity measurement on the second measurement module and determines a first measurement result.
  • the second measurement module performs integrity measurement on the object 104 to be measured to obtain a second measurement result, and sends the second measurement result to the first measurement module.
  • the first measurement module determines measurement result information according to the first measurement result and the second measurement result, and sends the measurement result information to the certification module.
  • the proof module determines whether the above-mentioned object to be measured 104 passes the integrity verification according to the above-mentioned measurement result information.
  • in step S210, when the above-mentioned integrity measurement device 10 is in a normal working state and the first measurement module 101 determines that the integrity measurement of the object 104 to be measured needs to be performed, it may first perform integrity measurement on the second measurement module 102 to obtain a first measurement result.
  • the reliability of the first measurement module 101 is higher than the reliability of the second measurement module.
  • the above-mentioned first measurement module may be a measurement root of trust preset by the integrity measurement device 10 .
  • the so-called measurement root of trust is a component that always operates in a preset manner, whose content will not be modified, and which is absolutely trusted by the device associated with the measurement root of trust.
  • the above-mentioned first measurement module 101 may be a measurement root of trust of the integrity measurement device 10. The first measurement module 101 is absolutely reliable.
  • the above-mentioned object to be measured 104 may specifically be a memory code segment that does not change in the memory image of the integrity measurement device 10 , such as a kernel code segment, a kernel module code segment, a user process code segment, and the like.
  • the above-mentioned object to be measured 104 may also be a static file or the like stored in the memory.
  • the above-mentioned object to be measured 104 may exist inside the above-mentioned integrity measurement apparatus 10, or may exist in other apparatuses connected to the integrity measurement apparatus 10, which is not specifically limited in this application.
  • the above-mentioned object to be measured 104 may be preset, or may be determined by the first measurement module 103 based on an instruction input by the user, which is not specifically limited in this application.
  • the following takes the scenario in which the first measurement module 101, the second measurement module 102, and the object to be measured 104 all exist in the integrity measurement device 10 as an example to describe in detail the implementation process of the integrity measurement method provided by the embodiments of the present application.
  • FIG. 3 is another schematic flowchart of an integrity measurement method provided by an embodiment of the present application. As shown in FIG. 3, before the first measurement module 101 performs the integrity measurement on the second measurement module 102 and determines the first measurement result, the integrity measurement method may further include the steps of:
  • the first measurement module determines that the preset measurement trigger condition is satisfied, and then determines to perform integrity measurement on the object 104 to be measured.
  • the first measurement module 101 may first detect whether a preset measurement trigger condition is satisfied. When the first measurement module 101 determines that the measurement trigger condition is satisfied, it determines to perform integrity measurement on the object 104 to be measured. When the first metric module 101 determines that the metric trigger condition is not satisfied, it repeats the operation of detecting whether the preset metric trigger condition is satisfied.
  • the above-mentioned measurement trigger condition may specifically include the arrival of a preset measurement period.
  • the above-mentioned metric triggering condition may include the occurrence of a preset system abnormal event.
  • the above-mentioned system abnormal events include but are not limited to code segment rewriting, high-risk system calls, or abnormal script execution, and the like. These system abnormal events are abnormal events of the operating system where the object to be measured 104 is located, and the occurrence of these system abnormal events may cause a security threat to the object to be measured 104 .
  • the above-mentioned metric triggering condition may include receiving a metric triggering instruction from a user.
  • the preset measurement trigger condition may include one or more of the following three conditions: the arrival of the preset measurement period, the occurrence of a preset system abnormal event, and the receipt of a measurement trigger instruction from the user. It may also include conditions other than the above three, which is not specifically limited in this application.
  • setting different measurement trigger conditions to trigger the first measurement module 1003 to actively start the integrity measurement of the object to be measured 104 can reduce the attack time window of the object to be measured 104 and improve the security of the object to be measured 104 .
  • the preset measurement period is the duration T1.
  • the first measurement module 101 can detect the time duration T2 between the current moment and the last moment when the object 104 to be measured is integrity-measured. When the first measurement module 101 determines that T2 is equal to T1, it is determined that the preset measurement period has arrived, and then it is determined to perform integrity measurement on the object to be measured 104.
  • the IDS in the operating system where the object to be measured 104 is located will detect in real time whether a system abnormal event occurs in the operating system.
  • when the IDS detects that one or more of the system abnormal events occur in the operating system, it can send system abnormality indication information to the above-mentioned first measurement module 101 and continue to detect abnormal events on the operating system.
  • when the first measurement module 101 detects the system abnormality indication information sent by the IDS, it may determine that a preset system abnormal event has occurred, and may determine to perform integrity measurement on the object 104 to be measured.
  • the first metric module 101 may perform real-time detection on the received user instruction.
  • when the first measurement module 101 detects that the received user instruction includes a preset measurement trigger instruction, it may determine to perform integrity measurement on the object 104 to be measured.
  • for example, suppose the preset measurement trigger instruction is a measurement challenge instruction. The user can input, to the remote attestation server of the attestation module 103, an instruction for instructing the integrity measurement of the object to be measured.
  • the remote attestation server may send a measurement challenge instruction to the above-mentioned first measurement module through the remote attestation client in the attestation module 103.
  • the first measurement module 103 may then determine that it has received the preset measurement trigger instruction, and may determine to perform integrity measurement on the object 104 to be measured.
  • FIG. 4 is a schematic structural diagram of yet another integrity measurement apparatus provided by an embodiment of the present application.
  • the integrity measurement apparatus 10 may further include a measurement triggering module 105 .
  • when the integrity measurement system 10 further includes a measurement triggering module 104, the operation of judging whether a preset measurement trigger condition is satisfied can be performed by the measurement triggering module 105.
  • the metric triggering module 105 can determine whether the preset metric period has arrived, or detect whether the system abnormality indication information from the IDS is received, or whether the metric triggering instruction from the user is received.
  • when the measurement triggering module 105 determines that the preset measurement trigger condition is satisfied, it can send a measurement trigger instruction to the first measurement module 101. After the first measurement module 101 detects the measurement trigger instruction, it can determine to perform integrity measurement on the object 104 to be measured. Here, the measurement triggering module 105 performs the operation of judging whether the preset measurement trigger condition is satisfied, which can reduce the amount of data interaction between the first measurement module 101 and other modules, and can also reduce the amount of data the first measurement module 101 itself processes, which helps ensure the security and reliability of the first measurement module 101.
  • step S210 after the first measurement module 101 determines to perform integrity measurement on the object 104 to be measured, it may first perform integrity measurement on the second measurement module 102.
  • the process of measuring the second measurement module by the first measurement module 101 will be described in detail below in conjunction with the two scenarios of whether the second measurement module 102 is an independent module or composed of multiple sub-modules.
  • the first measurement module 101 may first obtain the code segment corresponding to the second measurement module 102 .
  • the first measurement module 101 can obtain the address space fed back by the second measurement module 102 after the first startup is completed (for ease of understanding, referred to below as the first address space), and extract the code segment corresponding to the above-mentioned second measurement module 102 from the first address space.
  • the first measurement module 101 may also traverse all code segments corresponding to the entire operating system, and determine the second measurement module from all code segments of the entire operating system according to the code segment identifiers corresponding to the second measurement module 102 102 corresponds to the code segment.
  • the first measurement module 101 may also obtain the code segment corresponding to the second measurement module 102 in other ways, which is not specifically limited in this application.
  • after the first measurement module 101 obtains the code segment corresponding to the second measurement module 102, it can use a preset hash function (for ease of distinction, referred to below as the first hash function) to hash the code segment corresponding to the second measurement module 102 and obtain a hash value corresponding to the code segment. Then, the first measurement module 101 can determine the hash value as the first measurement result corresponding to the second measurement module 102.
  • the first measurement module 101 may also send measurement indication information to the second measurement module 102 (for ease of distinction, referred to below as the first measurement indication information). The first measurement indication information can be used to indicate to the second measurement module 102 that the first measurement module 101 is to perform an integrity measurement on it.
  • FIG. 5 is a schematic structural diagram of another integrity measurement device provided by an embodiment of the present application.
  • the second measurement module 102 may include a first measurement sub-module 1021 and a second measurement sub-module 1022.
  • the first measurement module 101 may first perform an integrity measurement on the first measurement sub-module 1021 to obtain a first measurement sub-result of the first measurement sub-module 1021 .
  • the first measurement module 101 may also send a measurement indication message to the first measurement sub-module 1021 (for ease of distinction, referred to below as the second measurement indication information). The second measurement indication information may be used to indicate to the first measurement sub-module 1021 that the first measurement module 101 is to perform an integrity measurement on it.
  • the first measurement sub-module 1021 may determine whether the first measurement module 101 performs integrity measurement on it. For example, the first measurement sub-module 1021 can detect the above-mentioned second measurement indication information in real time, and when it determines that it has received the second measurement indication information from the first measurement module 101, it can determine that the first measurement module 101 performs integrity measurement on it. For another example, the first measurement sub-module 1021 may also acquire the current system log, and query the system log to determine whether the first measurement module 101 performs integrity measurement on it. Of course, the first measurement sub-module 1021 may also use other methods to determine whether the first measurement module 101 performs integrity measurement on it, which is not specifically limited in this application.
  • after the first measurement sub-module 1021 determines that the first measurement module 101 performs integrity measurement on it, it can also perform integrity measurement on the second measurement sub-module 1022 to obtain a second measurement sub-result corresponding to the second measurement sub-module 1022. It should be noted that, for the specific process of the integrity measurement performed by the first measurement sub-module 1021 on the second measurement sub-module 1022, please refer to the process of the first measurement module 101 performing integrity measurement on the second measurement module 102 described in Scenario 1 above, which will not be repeated here. Then, the first measurement sub-module 1021 may send the obtained second measurement sub-result to the first measurement module 101.
  • when the first measurement sub-module 1021 performs integrity measurement on the second measurement sub-module 1022, it can also send a measurement indication message to the second measurement sub-module 1022 (for ease of distinction, referred to below as the third measurement indication information). The third measurement indication information can be used to indicate to the second measurement sub-module 1022 that the first measurement sub-module 1021 has performed an integrity measurement on it.
  • in this way, the first measurement module 101 performs integrity measurement on the second measurement module 102 including the first measurement sub-module 1021 and the second measurement sub-module 1022, and obtains a measurement result of the second measurement module 102 that includes the first measurement sub-result and the second measurement sub-result.
  • the structure of the second measurement module 102 shown in FIG. 5 is only an example, and it may also include 3 or more measurement sub-modules, as long as it is ensured that at least one measurement sub-module is used to perform integrity measurement on the object 104 to be measured.
  • the integrity measurement performed by the first measurement module 101 on the second measurement module 102 is the integrity measurement performed on each measurement sub-module in the second measurement module 102 .
  • the specific measurement process may be similar to the above-mentioned, the first measurement module 101 only measures one measurement sub-module A among the three or more measurement sub-modules, and the three or more measurement sub-modules Other measurement sub-modules in the module except the measurement sub-module A can be measured by the measurement sub-module A and the measurement result is sent to the first measurement module 101 .
  • the first measurement module 101 can also directly measure the integrity of each measurement sub-module and obtain the integrity measurement result of each measurement sub-module.
  • the second measurement module 102 may also measure the integrity of the object 104 to be measured and obtain a second measurement result corresponding to the object 104 to be measured.
  • the following will describe the process that the second measurement module 102 also measures the integrity of the object to be measured 104 and obtains the second measurement result corresponding to the object to be measured 104 in conjunction with the scenarios 1 and 2 described above.
  • the second measurement module 102 may first determine whether the first measurement module 101 has performed integrity measurement on it. For example, the second measurement module 102 may detect whether the first measurement indication information from the first measurement module 101 is received. When the second measurement module 102 determines that it has received the first measurement indication information from the first measurement module, it may be determined that the first measurement module 101 has performed integrity measurement on it. Alternatively, the second measurement module 102 may also determine whether the first measurement module 101 has performed integrity measurement on it by querying the system log. Of course, the second measurement module 102 may also use other methods to determine whether the first measurement module 101 has performed integrity measurement on it, which is not specifically limited in this application.
  • the second measurement module 102 may perform integrity measurement on the object to be measured 104 to obtain a second measurement result corresponding to the object to be measured 104.
  • the above-mentioned object to be measured 104 may be preset, or may be designated by a user through a user instruction, which is not specifically limited in this application.
  • the second measurement module 102 can obtain the specific content of the memory code segment, and then use a preset hash function (for ease of distinction, referred to below as the second hash function) to hash the memory code segment to obtain a corresponding hash value; this hash value is the second measurement result of the object to be measured 104.
  • the second measurement module 102 can obtain the specific content of the static file, and then perform hash processing on the specific content through the above-mentioned second hash function to obtain the corresponding hash value, thereby obtaining the second measurement result of the object to be measured 104.
  • the second measurement module 102 may also send the second measurement result to the first measurement module 101 .
  • the second measurement sub-module 1022 in the second measurement module 102 may first determine whether the first measurement module 101 has performed the integrity measurement on the first measurement sub-module 1021 .
  • the second measurement sub-module 1022 may detect whether it receives the third measurement indication information from the first measurement sub-module 1021 . If the second measurement sub-module 1022 determines that it has received the above-mentioned third measurement indication information, it may be determined that the first measurement module 101 has performed the integrity measurement on the second measurement module 102 .
  • the second measurement sub-module 1022 may also determine whether the first measurement module 101 has performed integrity measurement on the second measurement module 102 by querying the system log.
  • the second measurement sub-module 1022 may perform integrity measurement on the object to be measured 104 to obtain the second measurement result corresponding to the object to be measured 104. For the specific process, refer to the process by which the second measurement module 102 measures the integrity of the object to be measured 104 described above, which is not repeated here.
  • after the second measurement sub-module 1022 obtains the above-mentioned second measurement result, it can directly send the second measurement result to the first measurement module 101, or it can send the second measurement result to the first measurement sub-module 1021, which then forwards the second measurement result to the first measurement module 101.
  • the first measurement module 101 may determine the measurement result information according to the first measurement result and the second measurement result, and send the measurement result information to the certification module 103.
  • the embodiments of the present application provide a variety of methods for determining measurement result information. The following describes, in conjunction with scenarios 1 and 2 above and the various methods for determining measurement result information provided by the embodiments of the present application, the process by which the first measurement module 101 determines the measurement result information and sends it to the attestation module 103.
  • the first measurement module 101 may directly determine the first measurement result and the second measurement result as measurement result information.
  • the first metric module 101 can directly determine the first measurement sub-result, the second measurement sub-result and the second measurement result as measurement result information.
  • the first measurement module 101 directly determines the first measurement result and the second measurement result, or the first measurement sub-result, the second measurement sub-result and the second measurement result, as measurement result information and sends it to the second measurement module 102. The method is simple and easy to implement, which can improve the efficiency of the integrity measurement.
  • the first measurement module 101 may send the measurement result information to the second measurement module 102 .
  • the first measurement module 101 can encrypt the above-mentioned measurement result information by means of a digital certificate, a digital signature, etc., and send the encrypted measurement result information to the certification module, thereby improving the security of measurement result information transmission.
  • FIG. 6 is a schematic structural diagram of another integrity measurement apparatus provided by an embodiment of the present application.
  • the integrity measurement structure 10 may further include a trusted platform module (TPM) 106.
  • the TPM 106 includes a PCR, and the PCR can store one or more PCR values extended by the TPM 106 .
  • the first measurement module 101 can extend the first measurement result and the second measurement result to the PCR of the TPM 106, respectively, to obtain the first PCR value corresponding to the first measurement result and the second PCR value corresponding to the second measurement result.
  • the first measurement module 101 may first initiate a PCR extension operation on the TPM 106 , and send the first measurement result to the TPM 106 .
  • after the TPM 106 determines to perform the PCR extension operation and receives the above-mentioned first measurement result, it can extract from the PCR the PCR stored value corresponding to the first measurement result (for ease of distinction, referred to below as the first PCR stored value). The first PCR stored value is the PCR value obtained when, the last time the integrity measurement device 10 performed the integrity measurement on the object to be measured 104, the first measurement module 101 extended the measurement result of the second measurement module 102 into the PCR of the TPM 106. Then, the TPM 106 may perform PCR extension processing on the first measurement result and the first PCR stored value to obtain a first PCR value corresponding to the first measurement result.
  • the TPM 106 may hash the above-mentioned first measurement result and the first PCR stored value through a preset hash function (for ease of distinction, referred to below as the third hash function), and determine the obtained hash value as the first PCR value corresponding to the first measurement result.
  • the TPM 106 may also update the current first PCR stored value to the current first PCR value. For example, assume that the first PCR stored value is d1 and the above-mentioned first measurement result is d2. The TPM 106 may perform hash processing on d1 and d2 together to obtain the first PCR value d3. Then, the TPM 106 may also update the first PCR stored value from d1 to d3. It should be noted here that, if the current measurement is the first integrity measurement performed by the integrity measurement device 10 on the object to be measured, the TPM 106 may perform PCR extension processing on the above-mentioned first measurement result together with the PCR initial value preset for the second measurement module to obtain a first PCR value corresponding to the first measurement result.
  • the first measurement module 101 can also perform PCR extension on the second measurement result through the TPM 106 to obtain the second PCR value corresponding to the second measurement result. For the specific process, refer to the process described above in which the TPM 106 extends the first measurement result to obtain the corresponding first PCR value, which is not repeated here.
  • the TPM 106 determines the above-mentioned first PCR value and the second PCR value as measurement result information, and sends the above-mentioned measurement result information to the certification module 103 .
  • the first metric module 101 can extend the first metric sub-result, the second metric sub-result and the second metric result to the PCR of the TPM 106, respectively, to obtain the first sub-PCR value corresponding to the first metric sub-result, the second sub-PCR value corresponding to the second metric sub-result, and the second PCR value corresponding to the second metric result.
  • for the process by which the first metric module 101 obtains the first sub-PCR value, the second sub-PCR value and the second PCR value through extension by the TPM 106, refer to the process of determining the first PCR value through the TPM 106 described above, which is not repeated here. Then, after obtaining the first PCR sub-value, the second PCR sub-value and the second PCR value, the TPM 106 may determine the first PCR sub-value, the second PCR sub-value and the second PCR value as measurement result information.
  • the TPM 106 may send the measurement result information to the certification module 103 .
  • the TPM 106 can encrypt the above measurement result information by means of a digital certificate, digital signature, etc., and send the encrypted measurement result information to the certification module 103, so as to ensure the security of transmission of the measurement result information.
  • the first measurement module 102 first extends the measurement result into a corresponding PCR value through the TPM 106, which has high security and reliability, and then sends the extended PCR value as measurement result information to the certification module 103 through the TPM 106. This can effectively prevent the measurement results from being tampered with and ensures the security of measurement result transmission.
  • the attestation module 103 may determine whether the foregoing object to be measured 104 passes the integrity verification according to the foregoing measurement result information.
  • the process by which the proof module 103 determines, according to the above-mentioned measurement result information, whether the above-mentioned object to be measured 104 has passed the integrity verification is described in detail below.
  • the measurement result information received by the proof module 103 may include the first measurement result and the second measurement result. Then, the certification module 103 may acquire the preset first baseline value corresponding to the second measurement module 102 and the second baseline value corresponding to the object to be measured 104. Then, the proof module 103 may determine whether the above-mentioned first measurement result and the above-mentioned first baseline value are the same. If the proving module 103 determines that the first measurement result and the first baseline value are the same, it can continue to determine whether the second measurement result and the second baseline value are the same.
  • if the attestation module 103 determines that the above-mentioned second measurement result is the same as the above-mentioned second baseline value, it can be determined that the object to be measured 104 has passed the integrity verification and its content has not been tampered with. If the attestation module 103 determines that the first measurement result is not the same as the first baseline value, or the second measurement result is different from the second baseline value, the attestation module 103 may determine that the object to be measured 104 fails the integrity check, that its content has been tampered with, and that there is a security risk.
  • the proof module 103 can also first determine whether the above-mentioned second measurement result is the same as the above-mentioned second baseline value, and then determine whether the above-mentioned first measurement result is the same as the above-mentioned first baseline value; this is not specifically limited.
  • the measurement result information received by the certification module 103 may include the first measurement result information.
  • the certification module 103 can acquire the preset first sub-baseline value corresponding to the first measurement sub-module 1021, the preset second sub-baseline value corresponding to the second measurement sub-module 1022, and the second baseline value corresponding to the above-mentioned object to be measured 104.
  • the attestation module 103 can determine whether the first metric sub-result and the first sub-baseline value are the same, whether the second metric sub-result and the second sub-baseline value are the same, and whether the second metric result and the second baseline value are the same. Only when the certification module 103 determines that the first metric sub-result is the same as the first sub-baseline value, the second metric sub-result is the same as the second sub-baseline value, and the second metric result is the same as the second baseline value can it determine that the object to be measured 104 has passed the integrity check and its content has not been tampered with.
  • if the attestation module 103 determines that the first metric sub-result is not the same as the first sub-baseline value, or the second metric sub-result is not the same as the second sub-baseline value, or the second metric result is not the same as the second baseline value, it may determine that the above-mentioned object to be measured 104 has not passed the integrity check, that its content has been tampered with, and that there is a security risk.
  • for the process by which the certification module 103 judges whether the object to be measured 104 has passed the integrity verification according to the first measurement sub-result, the second measurement sub-result, the second measurement result and the first sub-baseline value, the second sub-baseline value and the second baseline value, refer to the process described above by which the proof module 103 judges whether the object to be measured 104 passes the integrity verification according to the first measurement result, the second measurement result, the first baseline value and the second baseline value, which is not repeated here.
  • the measurement result information received by the proof module 103 may include the first PCR value and the second PCR value. Then, the proof module 103 can determine the first PCR test value corresponding to the second measurement module 102 and the second PCR test value corresponding to the object to be measured 104.
  • the proof module 103 can first extract the preset PCR initial value corresponding to the second measurement module 102 (this PCR initial value is consistent with the PCR initial value corresponding to the second measurement module 102 initially stored in the TPM 106) and the preset first baseline value corresponding to the second measurement module 102, and then determine, from the PCR extension record of the TPM 105, the extension sequence and the number of extensions (assumed here to be T1) used by the TPM 105 to extend the above-mentioned first PCR value. Then, the proof module 103 may perform T1 extensions on the first original PCR value and the first baseline value according to the extension sequence, so as to obtain the first PCR test value.
  • the PCR extension of the first original PCR value and the first baseline value by the proof module 103 is the same as the extension of the first measurement result and the first PCR stored value by the TPM 106 described above, and the specific process is not repeated here.
  • the proof module 103 can also obtain the second PCR test value corresponding to the object to be measured 104 by extending the preset second baseline value corresponding to the object to be measured 104 and the initial PCR value corresponding to the object to be measured.
  • the proving module 103 can determine whether the first PCR value and the first PCR check value are the same. If the proving module 103 determines that the first PCR value is the same as the first PCR check value, it can continue to judge whether the second PCR value and the second PCR check value are the same. If the certification module 103 determines that the second PCR value and the second PCR check value are the same, it can be determined that the object to be measured 104 has passed the integrity verification and its content has not been tampered with.
  • if the certification module 103 determines that the first PCR value and the first PCR test value are different, or the second PCR value and the second PCR test value are different, the certification module 103 can determine that the object to be measured 104 has not passed the integrity verification, that its content has been tampered with, and that there is a security risk. It can be understood here that the proof module 103 can also first determine whether the second PCR value and the second PCR test value are the same, and then determine whether the first PCR value and the first PCR test value are the same. The order is not particularly limited.
  • the measurement result information received by the proof module 103 may include the first measurement result information.
  • the certification module 103 can determine the first sub-PCR test value, the second sub-PCR test value and the second PCR test value corresponding to the first measurement sub-module 1021, the second measurement sub-module 1022 and the object to be measured 104.
  • for the process by which the proof module 103 determines the first sub-PCR test value, the second sub-PCR test value and the second PCR test value, refer to the above-mentioned process by which the proof module determines the first PCR test value, which is not repeated here. Then, the proving module 103 can determine whether the first sub-PCR value and the first sub-PCR test value are the same, whether the second sub-PCR value and the second sub-PCR test value are the same, and whether the second PCR value and the above-mentioned second PCR test value are the same.
  • if the certification module 103 determines that the first sub-PCR value and the first sub-PCR test value are the same, the second sub-PCR value and the second sub-PCR test value are the same, and the second PCR value and the second PCR test value are the same, it can be determined that the object to be measured 104 has passed the integrity verification and its content has not been tampered with.
  • if the certification module 103 determines that the first sub-PCR value and the first sub-PCR test value are not the same, or the second sub-PCR value and the second sub-PCR test value are not the same, or the second PCR value and the above-mentioned second PCR test value are not the same, it can be determined that the above-mentioned object to be measured 104 has not passed the integrity verification, and its content may have been tampered with, thereby posing a security threat.
  • for the proving module 103, reference may be made to the process of determining the first PCR value and the second PCR value by the proving module 103 described above, which is not repeated here.
  • the above-mentioned first measurement module 101 may specifically be a DIM TEE module running in the integrity measurement device 10, or a hardware security module (HSM) inside or outside the integrity measurement device 10.
  • the above-mentioned second measurement module 102 may specifically be a DIM module running in the integrity measurement device 10, and the above-mentioned object to be measured 104 may specifically be a kernel code segment in the memory of the integrity measurement device 10, a code segment of a kernel module, or a user-mode process.
  • the above-mentioned attestation module 103 may be a local attestation module running in the integrity measurement device 10 or a remote attestation module running on other devices other than the above-mentioned integrity measurement device 10 .
  • the DIM module can be measured first to obtain the first measurement result, and at the same time, the DIM module is also triggered to perform the integrity measurement of the object to be measured 104 to obtain the second measurement result.
  • the DIM TEE module or HSM may send the metric result information determined by the first metric result and the second metric result to the attestation module 103.
  • the certification module 103 can determine whether the object to be measured 104 passes the integrity verification through the above-mentioned measurement result information.
  • the first measurement module 101 may specifically be an HSM inside or outside the integrity measurement device 10; the first measurement sub-module in the second measurement module 102 can be the DIM TEE module running in the integrity measurement device 10; the above-mentioned second measurement sub-module can be the DIM module running in the integrity measurement device 10; the above-mentioned object to be measured 104 can specifically be one or more of the kernel code segment in the memory of the integrity measurement device 10, the code segment of the kernel module or the code segment of the user-mode process; and the above-mentioned attestation module 103 may be a local attestation module running in the integrity measurement device 10 or a remote attestation module running on a device other than the above-mentioned integrity measurement device 10.
  • the HSM can first initiate the integrity measurement to the DIM TEE module to obtain the first measurement sub-result of the DIM TEE module, and at the same time the DIM TEE module can initiate the integrity measurement to the DIM module.
  • the DIM module can also initiate an integrity metric for the object to be measured 104 to obtain the second metric result of the object to be measured 104 and send it to the HSM.
  • the second measurement result is sent to the HSM.
  • the HSM can send the measurement result information determined by the first measurement sub-result, the second measurement sub-result and the second measurement result to the certification module 103, so that the certification module 103 can determine, according to the measurement result information, whether the above-mentioned object to be measured 104 passes the integrity measurement.
  • the first measurement module 101, the second measurement module 102 and the proof module 103 may also be other modules with the same functions besides the aforementioned modules, which is not specifically limited in this application.
  • the first measurement module 103 does not send the measurement result information determined by the first measurement result and the second measurement result to the certification module 103 for certification until both the first measurement result and the second measurement result are obtained.
  • the first measurement module 103 may first send the above-mentioned first measurement result to the proof module 103, so that the proof module 103 can first perform integrity verification on the second measurement module 102.
  • if the attestation module 103 determines that the above-mentioned second measurement module has passed the integrity verification (that is, the first measurement result is the same as the preset baseline value, or the PCR value corresponding to the first measurement result is the same as the corresponding PCR test value), it can send a verification pass message to the first measurement module 101.
  • if the certification module 103 determines that the above-mentioned second measurement module 102 fails the integrity verification (that is, the first measurement result is different from the preset baseline value, or the PCR value corresponding to the first measurement result is different from the preset PCR test value), the certification module 103 may send a verification failure message to the first measurement module 101 or not give any feedback to the first measurement module 101 within a preset period of time.
  • the first measurement module 103 can trigger the second measurement module 102 to measure the object to be measured 104 to obtain a second measurement result, and then send the second measurement result to the certification module 103 so that integrity verification is performed on the object to be measured 104. If the first measurement module 103 receives the verification failure information or does not receive any feedback from the certification module 103 within a preset period, it can determine that the second measurement module 102 fails the integrity verification, and can re-execute the above operation of determining whether a metric trigger condition is satisfied.
  • the integrity measurement of the object to be measured 104 is continued only when it is determined that the second measurement module 102 has passed the integrity verification, so as to avoid invalid measurement operations on the object to be measured 104 caused by the second measurement module 102 failing the integrity verification, which can improve the efficiency of integrity measurement.
  • the first measurement module 103 obtains the first measurement result corresponding to the second measurement module 102 and the second measurement result corresponding to the object to be measured 104, and sends the measurement result information corresponding to the first measurement result and the second measurement result to the proof module 103 for proof, so that the entire measurement method takes the first measurement module 103, which has high reliability, as the measurement root to obtain all measurement results and provide them to the proof module 103. The reliability of the proof result obtained by the proof module 103 is therefore high, which improves the accuracy and reliability of the integrity measurement method.
  • FIG. 7 is a schematic structural diagram of another integrity measurement apparatus provided by an embodiment of the present application.
  • the integrity measurement device 70 may be the first measurement module 101 described above. As shown in FIG. 7, the integrity measurement device 70 includes a processing unit 701 and a transceiver unit 702.
  • the processing unit 701 may be configured to perform integrity measurement on the second measurement module 102 to obtain the first measurement result.
  • the credibility of the first measurement module 101 is higher than the credibility of the second measurement module 102 .
  • the transceiver unit 702 may be configured to receive the second measurement result sent by the second measurement module 102 .
  • the second measurement result is obtained by the integrity measurement of the object 104 to be measured by the second measurement module 102 .
  • the processing unit 701 is further configured to determine measurement result information according to the first measurement result and the second measurement result.
  • the transceiver unit 702 is further configured to send the measurement result information to the certification module 103 .
  • the attestation module 103 is configured to determine whether the object to be measured 104 passes the integrity verification according to the measurement result information.
  • the processing unit 701 may determine the first measurement result and the second measurement result as measurement result information. Then, the transceiver unit 702 may send the measurement result information to the certification module 103 .
  • the transceiver unit 702 may respectively send the first measurement result and the second measurement result to the TPM.
  • the TPM may perform platform configuration register (PCR) extension on the first measurement result and the second measurement result, respectively, to obtain the first PCR value corresponding to the first measurement result and the second PCR value corresponding to the second measurement result.
  • the TPM may also determine the above-mentioned first PCR value and second PCR value as measurement result information and send it to the certification module 103 .
  • the second measurement module 102 includes a first measurement sub-module and a second measurement sub-module.
  • the first metric result includes a first metric sub-result and a second metric sub-result.
  • the processing unit 701 is configured to perform integrity measurement on the first measurement sub-module to obtain a first measurement sub-result.
  • the first measurement sub-module performs integrity measurement on the second measurement sub-module to obtain a second measurement sub-result, and sends the second measurement result to the transceiver unit 702 .
  • the processing unit 701 is configured to determine the first measurement sub-result, the second measurement sub-result, and the second measurement result as measurement result information.
  • the first measurement module 101 sends the measurement result information to the certification module 103 .
  • the transceiver unit 702 may send the first metric sub-result, the second metric sub-result, and the second metric result to the TPM, respectively.
  • the TPM performs PCR extension on the first metric sub-result, the second metric sub-result, and the second metric result, respectively, to obtain the first sub-PCR value corresponding to the first metric sub-result, the second sub-PCR value corresponding to the second metric sub-result, and the second PCR value corresponding to the second metric result.
  • the TPM determines the first sub-PCR value, the second sub-PCR value, and the second PCR value as measurement result information, and sends the measurement result information to the certification module 103 .
  • the processing unit 701 may further determine that a preset measurement trigger condition is satisfied.
  • the metric triggering condition is at least one of the arrival of a preset metric period, the occurrence of a preset system abnormal event, and the receipt of a metric triggering instruction from a user.
  • if the processing unit 701 determines that the system abnormality message sent by the IDS is received, it determines that the preset triggering condition is satisfied.
  • the system abnormality message is sent by the IDS when the occurrence of the system abnormality event is detected.
  • the transceiver unit 702 may further send the first measurement indication information to the second measurement module 102 .
  • the first measurement indication information is used to indicate to the second measurement module 102 that the first measurement module 101 will perform an integrity measurement on the second measurement module 102 .
  • the first measurement module 101 is a preset measurement root of trust.
  • the first measurement module 101 is a DIM TEE module or an HSM
  • the second measurement module 102 is a DIM module.
  • the first measurement module 101 is an HSM
  • the first measurement sub-module is a DIM TEE module
  • the second measurement sub-module is a DIM module.
  • the attestation module 103 includes a local attestation module 103 or a remote attestation module 103 .
  • the object to be measured 104 includes a memory code segment or a static file.
  • the object to be measured 104 includes a memory code segment, and the memory code segment includes at least one of a kernel code segment, a kernel module code segment, and a user-mode process code segment.
  • the integrity measuring device 70 may also be the proof module 103 described above.
  • the transceiver unit 702 is configured to receive the measurement result information sent by the first measurement module 101 .
  • the measurement result information is determined by the first measurement result and the second measurement result.
  • the first measurement result is a result of the integrity measurement performed by the first measurement module 101 on the second measurement module 102 .
  • the second measurement result is a result of the integrity measurement performed by the second measurement module 102 on the object 104 to be measured.
  • the credibility of the first measurement module 101 is higher than that of the second measurement module 102.
  • the processing unit 701 is configured to determine whether the object to be measured 104 passes the integrity verification according to the measurement result information.
  • the measurement result information includes the first measurement result and the second measurement result. If the processing unit 701 determines that the first measurement result is the same as the first baseline value corresponding to the second measurement module 102 and the second measurement result is the same as the second baseline value corresponding to the object to be measured 104, it is determined that the object to be measured 104 has passed the integrity verification. If the processing unit 701 determines that the first measurement result is different from the first baseline value, or determines that the second measurement result is different from the second baseline value, it is determined that the object to be measured 104 has failed the integrity verification.
  • the measurement result information includes a first PCR value and a second PCR value.
  • the first PCR value is obtained by the first measurement module 101 performing PCR extension on the first measurement result through the TPM.
  • the second PCR value is obtained by the first measurement module 101 performing PCR extension on the second measurement result through the TPM. If the processing unit 701 determines that the first PCR value is equal to the first PCR check value and the second PCR value is equal to the second PCR check value, it is determined that the object to be measured 104 has passed the integrity verification.
  • if the processing unit 701 determines that the first PCR value is not equal to the first PCR check value, or determines that the second PCR value is not equal to the second PCR check value, it is determined that the object to be measured 104 has failed the integrity verification.
  • the first PCR check value is obtained by the attestation module 103 performing PCR extension on the first baseline value corresponding to the second measurement module 102 and the first PCR initial value.
  • the second PCR check value is obtained by the attestation module 103 performing PCR extension on the second baseline value corresponding to the object to be measured 104 and the second PCR initial value.
  • the second measurement module 102 includes a first measurement sub-module and a second measurement sub-module.
  • the first measurement result includes a first measurement sub-result and a second measurement sub-result.
  • the measurement result information includes the first measurement sub-result, the second measurement sub-result, and the second measurement result.
  • if the processing unit 701 determines that the first measurement sub-result is the same as the first sub-baseline value corresponding to the first measurement sub-module, the second measurement sub-result is the same as the second sub-baseline value corresponding to the second measurement sub-module, and the second measurement result is the same as the second baseline value corresponding to the object to be measured 104, it is determined that the object to be measured 104 passes the integrity verification.
  • if the processing unit 701 determines that the first measurement sub-result is different from the first sub-baseline value corresponding to the first measurement sub-module, or the second measurement sub-result is different from the second sub-baseline value corresponding to the second measurement sub-module, or the second measurement result is different from the second baseline value corresponding to the object to be measured 104, it is determined that the object to be measured 104 has not passed the integrity verification.
  • the second measurement module 102 includes a first measurement sub-module and a second measurement sub-module.
  • the first measurement result includes a first measurement sub-result and a second measurement sub-result.
  • the measurement result information includes a first sub-PCR value, a second sub-PCR value, and a second PCR value.
  • the first sub-PCR value is obtained by the first measurement module 101 performing PCR extension on the first measurement sub-result through the TPM.
  • the second sub-PCR value is obtained by the first measurement module 101 performing PCR extension on the second measurement sub-result through the TPM.
  • the second PCR value is obtained by the first measurement module 101 performing PCR extension on the second measurement result through the TPM.
  • if the processing unit 701 determines that the first sub-PCR value is equal to the first sub-PCR check value, the second sub-PCR value is equal to the second sub-PCR check value, and the second PCR value is equal to the second PCR check value, it is determined that the object to be measured 104 passes the integrity verification. If the processing unit 701 determines that the first sub-PCR value is not equal to the first sub-PCR check value, or the second sub-PCR value is not equal to the second sub-PCR check value, or the second PCR value is not equal to the second PCR check value, it is determined that the object to be measured 104 fails the integrity verification.
  • the first sub-PCR check value is obtained by the attestation module 103 performing PCR extension on the first sub-baseline value corresponding to the second measurement module 102 and the first sub-PCR initial value.
  • the second sub-PCR check value is obtained by the attestation module 103 performing PCR extension on the second sub-baseline value corresponding to the second measurement module 102 and the second sub-PCR initial value.
  • the second PCR check value is obtained by the attestation module 103 performing PCR extension on the second baseline value corresponding to the object to be measured 104 and the second PCR initial value.
  • the integrity measurement device 70 may also be the second measurement module 102 described above.
  • the processing unit 701 is configured to perform integrity measurement on the object to be measured 104 to obtain a second measurement result when it is determined that the first measurement module 101 performs integrity measurement on the second measurement module 102 .
  • the credibility of the first measurement module 101 is higher than the credibility of the second measurement module 102 .
  • the transceiver unit 702 is configured to send the second measurement result to the first measurement module 101 .
  • if the processing unit 701 determines that the transceiver unit 702 has received the first measurement indication information, it may be determined that the first measurement module 101 has performed integrity measurement on it.
  • the above-mentioned processing unit 701 and the transceiver unit 702 can respectively execute the functions corresponding to one or more modules in the first measurement module 101, the second measurement module 102, the attestation module 103 and the object to be measured 104.
  • for the specific implementation process, please refer to the foregoing description; it will not be described in detail here.
  • FIG. 8 is a schematic structural diagram of another integrity measurement apparatus provided by an embodiment of the present application. Due to the difference in the degree of integration, the integrity measurement apparatus 80 may include one or more of the components shown in FIG. 8 , and may be used to execute the methods or steps involved in the first measurement module 101 in the above embodiments. As shown in FIG. 8 , the integrity measuring apparatus 80 may include: a processor 801 , a memory 802 , and a transceiver 803 . The processor 801 , the transceiver 803 , and the memory 802 are connected through a bus or other means, and the embodiment of the present application does not limit the specific connection medium between the above components.
  • the integrity measurement apparatus 80 may be a complete device, which implements the integrity measurement method in the foregoing embodiment.
  • the integrity measurement device 80 may be a chip system or a processing system, and is applied to the whole device to control the whole device to implement the integrity measurement method in the above embodiment.
  • the chip system or the processing system may include a processor and, optionally, a computer-readable storage medium/memory.
  • the transceiver 803 may be used to support communication between the first measurement module 101 and other modules (eg, the second measurement module 102, the attestation module 103, etc.).
  • the transceiver 803 may be used to perform the process of sending the measurement result information to the attestation module 103 in step S230.
  • the transceiver 803 may also be configured to perform the process of sending the first measurement indication information to the second measurement module 102 involved in step 210 .
  • the processor 801 is used to control and manage the actions of the first measurement module 101, and is used to execute the processing performed by the first measurement module 101 in the foregoing embodiment.
  • the processor 801 may perform the process of performing the integrity measurement on the second measurement module 102 in step 210 .
  • the processor 801 may also be configured to perform the step of determining the measurement result information according to the first measurement result and the second measurement result in step S230.
  • the memory 802 stores programs, instructions or data for executing the technical solutions of the present application.
  • the memory 802 may contain sufficient instructions to allow the integrity measurement device 80 to perform the functions of the first measurement module 101 referred to in the above-described embodiments.
  • the processor 801 may further include a processing circuit and a communication interface circuit, wherein the processing circuit may be used to perform the step of determining the measurement result information described in step S230 in the embodiment, or may be used to perform the step of step 200.
  • the communication interface circuit is used for outputting the information generated by the processing circuit, and can also be used to input the information received by the first measurement module or the instructions in the memory into the processing circuit for processing.
  • the memory 802 may be an internal memory located inside the processor, or may be an external memory located outside the processor and coupled to the processor.
  • the integrity measuring device 80 can also be used to execute the methods or steps involved in the attestation module 103 in the above embodiments.
  • the transceiver 803 may be used to support data transmission between the attestation module 103 and the first measurement module 101 or the second measurement module 102 .
  • transceiver 803 may be used to perform the step of receiving measurement result information described in step 240 .
  • the processor 801 is used to control and manage the actions of the attestation module 103, and is used to execute the processing performed by the attestation module 103 in the above embodiments. For example, the processor 801 may perform the step of determining whether the object to be measured 104 passes the integrity verification according to the measurement result information in step S240.
  • the memory 802 stores programs, instructions or data for executing the technical solutions of the present application.
  • memory 802 may contain sufficient instructions to allow the integrity measurement device 80 to perform the functions of any of the above-described embodiments involving attestation module 103.
  • the processor 801 may include a processing circuit and a communication interface circuit, wherein the processing circuit may be configured to determine whether the object to be measured 104 passes the integrity verification according to the measurement result information.
  • the communication interface circuit is used to output the information generated by the processing circuit, and can also be used to input the information received by the attestation module 103 or the instructions in the memory into the processing circuit for processing.
  • the memory 802 may be an internal memory located inside the processor, or may be an external memory located outside the processor and coupled to the processor.
  • the integrity measurement device 80 may also be used to execute the methods or steps involved in the second measurement module 102 in the above embodiments.
  • the transceiver 803 may be used to support data transmission between the second measurement module 102 and the first measurement module 101 or the attestation module 103 .
  • the transceiver 803 can be used to perform the step of receiving the first measurement result information described in step S210, and can also be used to perform the step of sending the second measurement result to the first measurement module 101 described in step S220.
  • the processor 801 is used to control and manage the actions of the attestation module 103, and is used to execute the processing performed by the attestation module 103 in the above embodiments. For example, the processor 801 may perform the step of determining whether the object to be measured 104 passes the integrity verification according to the measurement result information in step S240.
  • the memory 802 stores programs, instructions or data for executing the technical solutions of the present application.
  • the memory 802 may contain sufficient instructions to allow the integrity measurement device 80 to perform the functions of any of the above-described embodiments involving the second measurement module 102.
  • the processor 801 may include a processing circuit and a communication interface circuit, wherein the processing circuit may be used for the process of performing the integrity measurement on the object 104 to be measured.
  • the communication interface circuit is used for outputting the information generated by the processing circuit, and can also be applied to input the information received by the second measurement module 102 or the instructions in the memory into the processing circuit for processing.
  • the memory 802 may be an internal memory located inside the processor, or may be an external memory located outside the processor and coupled to the processor.
  • the above processor 801, memory 802 and transceiver 803 can simultaneously execute the functions corresponding to one or more modules in the first measurement module 101, the second measurement module 102, the attestation module 103 and the object to be measured 104.
  • FIG. 8 only shows a simplified design of the integrity measurement device 80.
  • the integrity measurement device 80 may include any number of transceivers, processors, memories, etc., and all possible implementations fall within the protection scope of the integrity measurement device 80 of the present application.
  • the processor 801 of the integrity measurement apparatus 80 may be a general-purpose processor, such as a general-purpose central processing unit, a network processor (NP), a microprocessor, etc., or an application-specific integrated circuit (ASIC for short), or one or more integrated circuits used to control the execution of the program of this application. It can also be a digital signal processor (DSP for short), a field-programmable gate array (FPGA for short), or other programmable logic devices, discrete gate or transistor logic devices, and discrete hardware components.
  • a controller/processor may also be a combination that implements computing functions, such as a combination comprising one or more microprocessors, a combination of a DSP and a microprocessor, and the like. Processors typically perform logical and arithmetic operations based on program instructions stored in memory.
  • the memory referred to above holds the operating system and other applications.
  • the program may include program code, and the program code includes computer operation instructions.
  • the above-mentioned memory may be a read-only memory (ROM for short) or other types of static storage devices that can store static information and instructions, a random access memory (RAM for short) or other types of dynamic storage devices that can store information and instructions, disk storage, etc.
  • the memory 802 may also be a combination of the above-described storage types.
  • the above-mentioned memory may be in the processor, outside the processor, or distributed on multiple entities including the processor or processing circuit.
  • the memory described above may be embodied in a computer program product.
  • a computer program product may include a computer-readable medium in packaging materials.
  • Embodiments of the present application further provide a computer-readable medium on which a computer program is stored; when the computer program is executed by a computer, it implements the methods or steps performed by the first measurement module 101, the second measurement module 102, or the attestation module 103 in the above-mentioned embodiments.
  • Embodiments of the present application further provide a computer program product that, when executed by a computer, implements the methods or steps performed by the first measurement module 101, the second measurement module 102, or the attestation module 103 in the foregoing embodiments.
  • An embodiment of the present application further provides a chip or a chip system, where the chip or chip system includes a processor for supporting the above-mentioned first measurement module 101, second measurement module 102, and proof module 103 to have the object 104 to be measured to realize
  • the chip system may further include a memory for storing necessary program instructions and data, and when the processor executes the program instructions, the device on which the chip or the chip system is installed is implemented.
  • the chip system may be composed of chips, or may include chips and other discrete devices.
  • the steps of the methods or algorithms described in conjunction with the disclosure of the present application may be implemented in a hardware manner, or may be implemented in a manner in which a processor executes software instructions.
  • the software instructions can be composed of corresponding software modules, and the software modules can be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, removable hard disk, CD-ROM, or any other form of storage medium known in the art.
  • An exemplary storage medium is coupled to the processor, such that the processor can read information from, and write information to, the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and storage medium may reside in an ASIC. Alternatively, the ASIC may be located in the user equipment. Of course, the processor and storage medium may also exist in the user equipment as discrete components.
  • the terms "system" and "network" in the embodiments of the present application can often be used interchangeably.
  • the term "and/or" in this embodiment only describes an association relationship between associated objects, indicating that three kinds of relationships are possible. For example, "A and/or B" can mean three cases: A exists alone, A and B exist at the same time, and B exists alone.
  • the character "/" in this document generally indicates that the related objects are in an "or" relationship.
  • the functions described in this application may be implemented in hardware, software, firmware, or any combination thereof.
  • the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
  • Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another.
  • a storage medium can be any available medium that can be accessed by a general purpose or special purpose computer.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Tests Of Electronic Circuits (AREA)

Abstract

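An integrity measurement method and an integrity measurement apparatus. The method includes: a first measurement module performs integrity measurement on a second measurement module to obtain a first measurement result, where the credibility of the first measurement module is higher than that of the second measurement module. The first measurement module receives a second measurement result sent by the second measurement module, where the second measurement result is obtained by the second measurement module performing integrity measurement on an object to be measured. The first measurement module sends measurement result information to an attestation module, where the measurement result information is determined by the first measurement result and the second measurement result. The attestation module determines, according to the measurement result information, whether the object to be measured passes integrity verification. The method can improve the accuracy and reliability of integrity measurement.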

Description

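Integrity measurement method and integrity measurement apparatus
This application claims priority to Chinese patent application No. 202010772453.1, filed with the China National Intellectual Property Administration on August 4, 2020 and entitled "Integrity measurement method and integrity measurement apparatus", which is incorporated herein by reference in its entirety.
Technical Field
This application relates to the field of network security, and in particular to an integrity measurement method and an integrity measurement apparatus.
Background
With the continuous development of Internet technology, network security technology has also made considerable progress. In recent years, the targets of malicious network attacks have gradually shifted from executable files in the system of a terminal device to processes running in memory, and such attacks on memory are highly covert. Therefore, how to accurately verify the integrity of memory has become one of the problems that urgently need to be solved.
In the prior art, a dynamic integrity measurement (DIM) method is usually used to verify the integrity of memory. The DIM method performs integrity measurement on the parts of the memory image that do not change (such as the kernel code segment, kernel module code segments, and user-mode process code segments), and then judges from the obtained measurement result whether the memory image has been tampered with, so as to determine whether the memory has suffered a malicious attack. However, the existing DIM process does not establish a complete chain of trust, and the security of the measurement module that executes the DIM method cannot be guaranteed, so the credibility of the measurement results of the DIM method is low. Therefore, how to improve the accuracy and credibility of integrity measurement has become one of the problems that urgently need to be solved.
Summary of the Invention
To solve the above problems, this application provides an integrity measurement method and an integrity measurement apparatus that can improve the accuracy and reliability of integrity measurement.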
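In a first aspect, an embodiment of this application provides an integrity measurement method. A first measurement module may perform integrity measurement on a second measurement module to obtain a first measurement result. Here, the credibility of the first measurement module is higher than that of the second measurement module. The second measurement module performs integrity measurement on an object to be measured to obtain a second measurement result, and sends the second measurement result to the first measurement module. The first measurement module then sends measurement result information to an attestation module. Here, the measurement result information is determined by the first measurement result and the second measurement result. The attestation module determines, according to the measurement result information, whether the object to be measured passes integrity verification.
In this embodiment of the application, the first measurement module obtains the first measurement result corresponding to the second measurement module and the second measurement result corresponding to the object to be measured, and sends the measurement result information determined from the first measurement result and the second measurement result to the attestation module, so that the attestation module determines, according to the measurement result information, whether the object to be measured passes integrity verification. Throughout the measurement process, the first measurement module, which has higher credibility, serves as the root of measurement for obtaining the integrity measurement results of the second measurement module and the object to be measured and providing them to the attestation module. This builds a complete chain of trust and improves the accuracy and reliability of integrity measurement.
With reference to the first aspect, in a feasible implementation, the first measurement module may determine the first measurement result and the second measurement result as the measurement result information. The first measurement module then sends the measurement result information to the attestation module. The first measurement module directly determines the first measurement result and the second measurement result as the measurement result information and sends it to the attestation module; this approach is simple to carry out and can improve the efficiency of integrity measurement.
With reference to the first aspect, in a feasible implementation, the first measurement module may send the first measurement result and the second measurement result separately to a trusted platform module (TPM). The TPM may perform platform configuration register (PCR) extension on the first measurement result and the second measurement result separately to obtain the first PCR value corresponding to the first measurement result and the second PCR value. The TPM determines the first PCR value and the second PCR value as the measurement result information and sends it to the attestation module. In this implementation, the first measurement module first has the measurement results extended into the corresponding PCR values by the TPM, which has high security and reliability, and then the TPM sends the extended PCR values to the attestation module as the measurement result information. This effectively prevents the measurement results from being tampered with and ensures the security of measurement result transmission.
With reference to the first aspect, in a feasible implementation, the second measurement module includes a first measurement sub-module and a second measurement sub-module. The first measurement result includes a first measurement sub-result and a second measurement sub-result. The first measurement module performs integrity measurement on the first measurement sub-module to obtain the first measurement sub-result. The first measurement sub-module performs integrity measurement on the second measurement sub-module to obtain the second measurement sub-result, and sends the second measurement result to the first measurement module.
With reference to the first aspect, in a feasible implementation, the first measurement module determines the first measurement sub-result, the second measurement sub-result and the second measurement result as the measurement result information. The first measurement module sends the measurement result information to the attestation module.
With reference to the first aspect, in a feasible implementation, the first measurement module sends the first measurement sub-result, the second measurement sub-result and the second measurement result separately to the TPM. The TPM performs PCR extension on the first measurement sub-result, the second measurement sub-result and the second measurement result separately, to obtain a first sub-PCR value corresponding to the first measurement sub-result, a second sub-PCR value corresponding to the second measurement sub-result, and a second PCR value corresponding to the second measurement result. The TPM determines the first sub-PCR value, the second sub-PCR value and the second PCR value as the measurement result information, and sends the measurement result information to the attestation module.
With reference to the first aspect, in a feasible implementation, before the first measurement module performs integrity measurement on the second measurement module to obtain the first measurement result, the first measurement module may further determine that a preset measurement trigger condition is satisfied. Here, the measurement trigger condition is at least one of: a preset measurement period is reached, a preset system abnormality event occurs, or a measurement trigger instruction from a user is received. Setting different measurement trigger conditions to make the first measurement module actively start the integrity measurement of the object to be measured can shorten the attack time window of the object to be measured and improve its security.
With reference to the first aspect, in a feasible implementation, when the measurement trigger condition is that a preset system abnormality event occurs, if the first measurement module receives a system abnormality message sent by an intrusion detection system (IDS), it determines that the preset trigger condition is satisfied. Here, the system abnormality message is sent by the IDS when it detects that the system abnormality event has occurred. Using the IDS to detect whether a system abnormality event has occurred can reduce the amount of data the first measurement module has to process.
With reference to the first aspect, in a feasible implementation, when the first measurement module determines that the preset measurement trigger condition is satisfied, it may further send first measurement indication information to the second measurement module, where the first measurement indication information is used to indicate to the second measurement module that the first measurement module is about to perform integrity measurement on the second measurement module.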
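In a second aspect, an embodiment of this application provides an integrity measurement method. An attestation module receives measurement result information sent by a first measurement module. The measurement result information is determined by a first measurement result and a second measurement result. The first measurement result is the result of the integrity measurement performed by the first measurement module on the second measurement module. The second measurement result is the result of the integrity measurement performed by the second measurement module on an object to be measured. The credibility of the first measurement module is higher than that of the second measurement module. The attestation module determines, according to the measurement result information, whether the object to be measured passes integrity verification. Here, the attestation module combines the first measurement result and the second measurement result to decide whether the object to be measured passes integrity verification. This avoids situations such as low credibility of the measurement result of the object to be measured caused by the unknown security of the second measurement module, raises the credibility of the integrity measurement result, and improves the precision and reliability of the integrity measurement method.
With reference to the second aspect, in a first feasible implementation, the measurement result information includes the first measurement result and the second measurement result. If the attestation module determines that the first measurement result is the same as a first baseline value corresponding to the second measurement module and the second measurement result is the same as a second baseline value corresponding to the object to be measured, it determines that the object to be measured passes integrity verification. If the attestation module determines that the first measurement result is not the same as the first baseline value, or determines that the second measurement result is not the same as the second baseline value, it determines that the object to be measured fails integrity verification.
With reference to the second aspect, in a first feasible implementation, the measurement result information contains a first PCR value and a second PCR value. The first PCR value is obtained by the first measurement module performing PCR extension on the first measurement result through the TPM, and the second PCR value is obtained by the first measurement module performing PCR extension on the second measurement result through the TPM. If the attestation module determines that the first PCR value is equal to a first PCR check value and the second PCR value is equal to a second PCR check value, it determines that the object to be measured passes integrity verification. If the attestation module determines that the first PCR value is not equal to the first PCR check value, or determines that the second PCR value is not equal to the second PCR check value, it determines that the object to be measured fails integrity verification. The first PCR check value is obtained by the attestation module performing PCR extension on the first baseline value corresponding to the second measurement module and a first PCR initial value. The second PCR check value is obtained by the attestation module performing PCR extension on the second baseline value corresponding to the object to be measured and a second PCR initial value.
With reference to the second aspect, in a feasible implementation, the second measurement module includes a first measurement sub-module and a second measurement sub-module, and the first measurement result includes a first measurement sub-result and a second measurement sub-result. The measurement result information includes the first measurement sub-result, the second measurement sub-result and the second measurement result. If the attestation module determines that the first measurement sub-result is the same as a first sub-baseline value corresponding to the first measurement sub-module, the second measurement sub-result is the same as a second sub-baseline value corresponding to the second measurement sub-module, and the second measurement result is the same as the second baseline value corresponding to the object to be measured, it determines that the object to be measured passes integrity verification. If the attestation module determines that the first measurement sub-result is not the same as the first sub-baseline value corresponding to the first measurement sub-module, or the second measurement sub-result is not the same as the second sub-baseline value corresponding to the second measurement sub-module, or the second measurement result is not the same as the second baseline value corresponding to the object to be measured, it determines that the object to be measured fails integrity verification.
With reference to the second aspect, in a feasible implementation, the second measurement module includes a first measurement sub-module and a second measurement sub-module, and the first measurement result includes a first measurement sub-result and a second measurement sub-result. The measurement result information includes a first sub-PCR value, a second sub-PCR value and a second PCR value. The first sub-PCR value is obtained by the first measurement module performing PCR extension on the first measurement sub-result through the TPM, the second sub-PCR value is obtained by the first measurement module performing PCR extension on the second measurement sub-result through the TPM, and the second PCR value is obtained by the first measurement module performing PCR extension on the second measurement result through the TPM. If the attestation module determines that the first sub-PCR value is equal to a first sub-PCR check value, the second sub-PCR value is equal to a second sub-PCR check value, and the second PCR value is equal to the second PCR check value, it determines that the object to be measured passes integrity verification. If the attestation module determines that the first sub-PCR value is not equal to the first sub-PCR check value, or the second sub-PCR value is not equal to the second sub-PCR check value, or the second PCR value is not equal to the second PCR check value, it determines that the object to be measured fails integrity verification. The first sub-PCR check value is obtained by the attestation module performing PCR extension on the first sub-baseline value corresponding to the second measurement module and a first sub-PCR initial value. The second sub-PCR check value is obtained by the attestation module performing PCR extension on the second sub-baseline value corresponding to the second measurement module and a second sub-PCR initial value. The second PCR check value is obtained by the attestation module performing PCR extension on the second baseline value corresponding to the object to be measured and the second PCR initial value.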
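The PCR-based check in the two implementations above can be sketched as follows. This is an added example, not code from the application: it assumes SHA-256 measurements, the usual TPM extend rule (new PCR = H(old PCR || digest)), an all-zero PCR initial value, and one PCR per link of the chain; all names and sample images are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: SHA-256 PCR bank whose registers start at all zeros.
PCR_INITIAL = bytes(32)


def measure(image: bytes) -> bytes:
    """Integrity measurement of a code segment or file: its SHA-256 digest."""
    return hashlib.sha256(image).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: the new PCR value is H(old PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def report_pcrs(measured: dict) -> dict:
    """Measurement side: extend each link's measurement into its own PCR.

    `measured` maps a link name to the bytes that link's measurer hashed.
    """
    return {name: pcr_extend(PCR_INITIAL, measure(image))
            for name, image in measured.items()}


def attest(reported: dict, baselines: dict) -> tuple:
    """Attestation side: rebuild every PCR check value from the baseline and
    the PCR initial value, then compare it with the reported PCR value.

    Returns (passed, failed_links). The object passes only if every link of
    the chain matches, not just the object's own PCR.
    """
    failed = []
    for name, baseline in baselines.items():
        check_value = pcr_extend(PCR_INITIAL, baseline)
        if not hmac.compare_digest(check_value, reported.get(name, b"")):
            failed.append(name)
    return (not failed, failed)


# Constructed sample images standing in for the measured code.
DIM_TEE_CODE = b"DIM TEE module code, release build"
DIM_CODE = b"DIM module code, release build"
KERNEL_TEXT = b"\x55\x48\x89\xe5 kernel code segment"

# Baselines held by the attestation module (hypothetical link names).
BASELINES = {
    "first_sub": measure(DIM_TEE_CODE),   # first measurement sub-module
    "second_sub": measure(DIM_CODE),      # second measurement sub-module
    "object": measure(KERNEL_TEXT),       # object to be measured
}


def scenario_clean():
    measured = {"first_sub": DIM_TEE_CODE, "second_sub": DIM_CODE,
                "object": KERNEL_TEXT}
    return attest(report_pcrs(measured), BASELINES)


def scenario_object_patched():
    measured = {"first_sub": DIM_TEE_CODE, "second_sub": DIM_CODE,
                "object": KERNEL_TEXT + b"\xcc"}
    return attest(report_pcrs(measured), BASELINES)


def scenario_dim_replaced():
    # A modified DIM module reports a clean-looking object measurement; the
    # measurement taken of the DIM module itself still exposes the tampering.
    measured = {"first_sub": DIM_TEE_CODE, "second_sub": DIM_CODE + b" + hook",
                "object": KERNEL_TEXT}
    return attest(report_pcrs(measured), BASELINES)


if __name__ == "__main__":
    for scenario in (scenario_clean, scenario_object_patched,
                     scenario_dim_replaced):
        print(scenario.__name__, scenario())
```

The third scenario is the case the chain is built for: the object's own PCR matches its check value, yet verification fails because the module that produced that measurement does not match its baseline.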
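In a third aspect, an embodiment of this application provides an integrity measurement method. When it is determined that a first measurement module performs integrity measurement on a second measurement module, the second measurement module performs integrity measurement on an object to be measured to obtain a second measurement result. The credibility of the first measurement module is higher than that of the second measurement module. The second measurement module sends the second measurement result to the first measurement module.
With reference to the third aspect, in a feasible implementation, if the second measurement module receives first measurement indication information, it may determine that the first measurement module has performed integrity measurement on it.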
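In a fourth aspect, an embodiment of this application provides an integrity measurement apparatus, which may be the first measurement module described above. The integrity measurement apparatus may include:
A processing unit, configured to perform integrity measurement on a second measurement module to obtain a first measurement result. The credibility of the first measurement module is higher than that of the second measurement module.
A transceiver unit, configured to receive a second measurement result sent by the second measurement module. The second measurement result is obtained by the second measurement module performing integrity measurement on an object to be measured.
The processing unit is further configured to determine measurement result information according to the first measurement result and the second measurement result.
The transceiver unit is further configured to send the measurement result information to an attestation module. The attestation module is configured to determine, according to the measurement result information, whether the object to be measured passes integrity verification.
With reference to the fourth aspect, in a feasible implementation, the processing unit may determine the first measurement result and the second measurement result as the measurement result information. The transceiver unit may then send the measurement result information to the attestation module.
With reference to the fourth aspect, in a feasible implementation, the transceiver unit may send the first measurement result and the second measurement result separately to the TPM. The TPM may perform platform configuration register (PCR) extension on the first measurement result and the second measurement result separately to obtain the first PCR value corresponding to the first measurement result and the second PCR value. The TPM may further determine the first PCR value and the second PCR value as the measurement result information and send it to the attestation module.
With reference to the fourth aspect, in a feasible implementation, the second measurement module includes a first measurement sub-module and a second measurement sub-module. The first measurement result includes a first measurement sub-result and a second measurement sub-result. The processing unit is configured to perform integrity measurement on the first measurement sub-module to obtain the first measurement sub-result. The first measurement sub-module performs integrity measurement on the second measurement sub-module to obtain the second measurement sub-result, and sends the second measurement result to the transceiver unit.
With reference to the fourth aspect, in a feasible implementation, the processing unit is configured to determine the first measurement sub-result, the second measurement sub-result and the second measurement result as the measurement result information. The first measurement module sends the measurement result information to the attestation module.
With reference to the fourth aspect, in a feasible implementation, the transceiver unit may send the first measurement sub-result, the second measurement sub-result and the second measurement result separately to the TPM. The TPM performs PCR extension on the first measurement sub-result, the second measurement sub-result and the second measurement result separately, to obtain a first sub-PCR value corresponding to the first measurement sub-result, a second sub-PCR value corresponding to the second measurement sub-result, and a second PCR value corresponding to the second measurement result. The TPM determines the first sub-PCR value, the second sub-PCR value and the second PCR value as the measurement result information, and sends the measurement result information to the attestation module.
With reference to the fourth aspect, in a feasible implementation, before the first measurement module performs integrity measurement on the second measurement module to obtain the first measurement result, the processing unit may further determine that a preset measurement trigger condition is satisfied. Here, the measurement trigger condition is at least one of: a preset measurement period is reached, a preset system abnormality event occurs, or a measurement trigger instruction from a user is received.
With reference to the fourth aspect, in a feasible implementation, when the measurement trigger condition is that a preset system abnormality event occurs, if the processing unit determines that a system abnormality message sent by the IDS has been received, it determines that the preset trigger condition is satisfied. Here, the system abnormality message is sent by the IDS when it detects that the system abnormality event has occurred.
With reference to the fourth aspect, in a feasible implementation, when the processing unit determines that the preset measurement trigger condition is satisfied, the transceiver unit may further send first measurement indication information to the second measurement module. The first measurement indication information is used to indicate to the second measurement module that the first measurement module is about to perform integrity measurement on the second measurement module.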
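In a fifth aspect, an embodiment of this application provides an integrity measurement apparatus, which may be the attestation module described above. The integrity measurement apparatus may include:
A transceiver unit, configured to receive measurement result information sent by a first measurement module. The measurement result information is determined by a first measurement result and a second measurement result. The first measurement result is the result of the integrity measurement performed by the first measurement module on the second measurement module. The second measurement result is the result of the integrity measurement performed by the second measurement module on an object to be measured. The credibility of the first measurement module is higher than that of the second measurement module.
A processing unit, configured to determine, according to the measurement result information, whether the object to be measured passes integrity verification.
With reference to the fifth aspect, in a feasible implementation, the measurement result information includes the first measurement result and the second measurement result. If the processing unit determines that the first measurement result is the same as a first baseline value corresponding to the second measurement module and the second measurement result is the same as a second baseline value corresponding to the object to be measured, it determines that the object to be measured passes integrity verification. If the processing unit determines that the first measurement result is not the same as the first baseline value, or determines that the second measurement result is not the same as the second baseline value, it determines that the object to be measured fails integrity verification.
With reference to the fifth aspect, in a feasible implementation, the measurement result information contains a first PCR value and a second PCR value. The first PCR value is obtained by the first measurement module performing PCR extension on the first measurement result through the TPM, and the second PCR value is obtained by the first measurement module performing PCR extension on the second measurement result through the TPM. If the processing unit determines that the first PCR value is equal to a first PCR check value and the second PCR value is equal to a second PCR check value, it determines that the object to be measured passes integrity verification. If the processing unit determines that the first PCR value is not equal to the first PCR check value, or determines that the second PCR value is not equal to the second PCR check value, it determines that the object to be measured fails integrity verification. The first PCR check value is obtained by the attestation module performing PCR extension on the first baseline value corresponding to the second measurement module and a first PCR initial value. The second PCR check value is obtained by the attestation module performing PCR extension on the second baseline value corresponding to the object to be measured and a second PCR initial value.
With reference to the fifth aspect, in a feasible implementation, the second measurement module includes a first measurement sub-module and a second measurement sub-module, and the first measurement result includes a first measurement sub-result and a second measurement sub-result. The measurement result information includes the first measurement sub-result, the second measurement sub-result and the second measurement result. If the processing unit determines that the first measurement sub-result is the same as a first sub-baseline value corresponding to the first measurement sub-module, the second measurement sub-result is the same as a second sub-baseline value corresponding to the second measurement sub-module, and the second measurement result is the same as the second baseline value corresponding to the object to be measured, it determines that the object to be measured passes integrity verification. If the processing unit determines that the first measurement sub-result is not the same as the first sub-baseline value corresponding to the first measurement sub-module, or the second measurement sub-result is not the same as the second sub-baseline value corresponding to the second measurement sub-module, or the second measurement result is not the same as the second baseline value corresponding to the object to be measured, it determines that the object to be measured fails integrity verification.
With reference to the fifth aspect, in a feasible implementation, the second measurement module includes a first measurement sub-module and a second measurement sub-module, and the first measurement result includes a first measurement sub-result and a second measurement sub-result. The measurement result information includes a first sub-PCR value, a second sub-PCR value and a second PCR value. The first sub-PCR value is obtained by the first measurement module performing PCR extension on the first measurement sub-result through the TPM, the second sub-PCR value is obtained by the first measurement module performing PCR extension on the second measurement sub-result through the TPM, and the second PCR value is obtained by the first measurement module performing PCR extension on the second measurement result through the TPM. If the processing unit determines that the first sub-PCR value is equal to a first sub-PCR check value, the second sub-PCR value is equal to a second sub-PCR check value, and the second PCR value is equal to the second PCR check value, it determines that the object to be measured passes integrity verification. If the processing unit determines that the first sub-PCR value is not equal to the first sub-PCR check value, or the second sub-PCR value is not equal to the second sub-PCR check value, or the second PCR value is not equal to the second PCR check value, it determines that the object to be measured fails integrity verification. The first sub-PCR check value is obtained by the attestation module performing PCR extension on the first sub-baseline value corresponding to the second measurement module and a first sub-PCR initial value. The second sub-PCR check value is obtained by the attestation module performing PCR extension on the second sub-baseline value corresponding to the second measurement module and a second sub-PCR initial value. The second PCR check value is obtained by the attestation module performing PCR extension on the second baseline value corresponding to the object to be measured and the second PCR initial value.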
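In a sixth aspect, an embodiment of this application provides an integrity measurement apparatus, which may be the second measurement module described above. The integrity measurement apparatus includes:
A processing unit, configured to perform integrity measurement on an object to be measured to obtain a second measurement result when it is determined that a first measurement module performs integrity measurement on the second measurement module. The credibility of the first measurement module is higher than that of the second measurement module.
A transceiver unit, configured to send the second measurement result to the first measurement module.
With reference to the sixth aspect, in a feasible implementation, if the processing unit determines that the transceiver unit has received first measurement indication information, it may determine that the first measurement module has performed integrity measurement on it.
With reference to the first aspect to the sixth aspect above, in a feasible implementation, the first measurement module is a preset root of trust for measurement. Here, using the root of trust for measurement, which has the highest credibility, as the first measurement module can further improve the accuracy and reliability of the integrity measurement method.
With reference to the first aspect to the sixth aspect above, in a feasible implementation, the first measurement module is a DIM trusted execution environment (TEE) module or a hardware security module (HSM), and the second measurement module is a DIM module.
With reference to the first aspect to the sixth aspect above, in a feasible implementation, the first measurement module is an HSM, the first measurement sub-module is a DIM TEE module, and the second measurement sub-module is a DIM module.
With reference to the first aspect to the third aspect above, in a feasible implementation, the attestation module includes a local attestation module or a remote attestation module.
With reference to the first aspect to the sixth aspect, in a feasible implementation, the object to be measured includes a memory code segment or a static file.
With reference to the first aspect to the sixth aspect, in a feasible implementation, the object to be measured includes a memory code segment, and the memory code segment includes at least one of a kernel code segment, a kernel module code segment, and a user-mode process code segment.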
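In a seventh aspect, an embodiment of this application provides an integrity measurement apparatus. The integrity measurement apparatus may be the first measurement module described above. The integrity measurement apparatus includes a memory, a processor and a transceiver. The processor is configured to call code stored in the memory to execute the integrity measurement method provided by any feasible implementation of the first aspect.
In an eighth aspect, an embodiment of this application provides an integrity measurement apparatus. The integrity measurement apparatus may be the attestation module described above. The integrity measurement apparatus includes a memory, a processor and a transceiver. The processor is configured to call code stored in the memory to execute the integrity measurement method provided by any feasible implementation of the second aspect.
In a ninth aspect, an embodiment of this application provides an integrity measurement apparatus. The integrity measurement apparatus may be the second measurement module described above. The integrity measurement apparatus includes a memory, a processor and a transceiver. The processor is configured to call code stored in the memory to execute the integrity measurement method provided by any feasible implementation of the third aspect.
In a tenth aspect, an embodiment of this application provides an integrity measurement apparatus, which may include a first measurement module. The first measurement module is configured to perform integrity measurement on a second measurement module to obtain a first measurement result. The credibility of the first measurement module is higher than that of the second measurement module. The first measurement module is further configured to receive a second measurement result sent by the second measurement module. The second measurement result is obtained by the second measurement module performing integrity measurement on an object to be measured. The first measurement module is further configured to determine measurement result information according to the first measurement result and the second measurement result. The first measurement module is further configured to send the measurement result information to an attestation module, where the attestation module is configured to determine, according to the measurement result information, whether the object to be measured passes integrity verification.
With reference to the tenth aspect, in a feasible implementation, the integrity measurement apparatus further includes at least one of the attestation module, the second measurement module and the object to be measured.
In an eleventh aspect, an embodiment of this application provides an integrity measurement apparatus, which may include a processor and a transceiver. The processor is configured to support the first measurement module in executing the corresponding functions of the above integrity measurement method. It may also be configured to support at least one of the second measurement module, the attestation module and the object to be measured in executing the corresponding functions of the above method. The transceiver is used to support communication between the first measurement module and the attestation module. The integrity measurement module may further include a memory, which is coupled to the processor and stores the program instructions and data necessary for at least one of the first measurement module, the second measurement module, the attestation module and the object to be measured.
In a twelfth aspect, an embodiment of this application provides a chip or chip system, including an input/output interface and a processing circuit. The input/output interface is used to exchange information or data, and the processing circuit is used to run instructions so that the integrity measurement apparatus in which the chip or chip system is installed executes the integrity measurement method of any one of the first aspect to the third aspect.
In a thirteenth aspect, this application provides a computer-readable storage medium that stores instructions, and the instructions can be executed by one or more processors on a processing circuit. When run on a computer, they cause the computer to execute the integrity measurement method of any one of the first aspect to the third aspect.
In a fourteenth aspect, this application provides a computer program product containing instructions which, when run on a computer, cause the computer to execute the integrity measurement method of any one of the first aspect to the third aspect.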
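Brief Description of the Drawings
FIG. 1 is a schematic structural diagram of an integrity measurement apparatus provided by an embodiment of this application;
FIG. 2 is a schematic flowchart of an integrity measurement method provided by an embodiment of this application;
FIG. 3 is another schematic flowchart of an integrity measurement method provided by an embodiment of this application;
FIG. 4 is a schematic structural diagram of another integrity measurement apparatus provided by an embodiment of this application;
FIG. 5 is a schematic structural diagram of another integrity measurement apparatus provided by an embodiment of this application;
FIG. 6 is a schematic structural diagram of another integrity measurement apparatus provided by an embodiment of this application;
FIG. 7 is a schematic structural diagram of another integrity measurement apparatus provided by an embodiment of this application;
FIG. 8 is a schematic structural diagram of another integrity measurement apparatus provided by an embodiment of this application.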
具体实施方式
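The technical solutions in the embodiments of this application are described clearly and completely below with reference to the accompanying drawings in the embodiments of this application.
It should be noted that the terms "first", "second", and the like in the specification, claims, and accompanying drawings of the present invention are used to distinguish between similar objects, and are not used to describe a particular order or sequence. It should be understood that data or objects used in this way are interchangeable where appropriate, so that the embodiments of the present invention described herein can be implemented in orders other than those illustrated or described herein. In addition, the terms "include" and "have" and any variants thereof are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product, or device.
In the prior art, the DIM method is usually used to perform integrity measurement on memory, to determine whether the memory has been maliciously attacked. However, the existing DIM process does not establish a complete chain of trust, and the security of the measurement module that performs the DIM method cannot be guaranteed during execution. When the security of the measurement module is threatened (for example, by a hacker attack), the measurement result it produces is no longer trustworthy. Therefore, the trustworthiness of the measurement result of the existing DIM method is low.
Therefore, the technical problem to be solved by this application is how to improve the accuracy and trustworthiness of integrity measurement.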
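Refer to FIG. 1. FIG. 1 is a schematic structural diagram of an integrity measurement apparatus according to an embodiment of this application. The integrity measurement apparatus is applicable to the integrity measurement method provided in the embodiments of this application. As shown in FIG. 1, the integrity measurement apparatus 10 may specifically include the first measurement module 101 involved in the integrity measurement method provided in the embodiments of this application. Optionally, the integrity measurement apparatus 10 may further include one or more of the second measurement module 102, the attestation module 103, and the object to be measured 104 involved in the integrity measurement method. In practice, the first measurement module 101 is configured to perform integrity measurement on the second measurement module 102 and obtain the integrity measurement result of the second measurement module 102 (for ease of understanding and distinction, referred to below as the first measurement result). The second measurement module 102 is configured to perform integrity measurement on the preset object to be measured 104, and send the resulting integrity measurement result of the object to be measured 104 (for ease of understanding and distinction, referred to below as the second measurement result) to the first measurement module 101. The first measurement module 101 is further configured to determine measurement result information based on the first measurement result and the second measurement result, and send the measurement result information to the attestation module 103. The attestation module 103 may be configured to determine, based on the measurement result information, whether the object to be measured 104 passes integrity verification. For the specific implementation of each module's functions, refer to the description of the integrity measurement method provided in the embodiments of this application later in this document. Details are not given here.
It can be understood that FIG. 1 is only an example of the structure of the integrity measurement system 10 provided in the embodiments of this application. In practice, the integrity measurement system 10 may further include functional modules other than the first measurement module 101, the second measurement module 102, and the attestation module 103. This is not specifically limited in this application.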
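Further, in an embodiment, the integrity measurement apparatus 10 may be an electronic device itself, such as a tablet computer, a mobile terminal (for example, a mobile phone), a laptop computer, a desktop computer, a wearable device, an optical line terminal (OLT), or an optical network terminal (ONT), or may be a chip or chip system inside such an electronic device, such as a central processing unit (CPU), a microcontroller unit (MCU), or a system-on-a-chip (SOC) containing a CPU or an MCU. This is not specifically limited in this application.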
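With reference to the structure of the integrity measurement apparatus 10 shown in FIG. 1, in an embodiment, the first measurement module 101, the second measurement module 102, the attestation module 103, and the object to be measured 104 may specifically be software programs or software modules running on the integrity measurement apparatus 10. Specifically, the integrity measurement apparatus 10 may contain a processor and a memory. The memory stores the program code or instruction sets corresponding to the first measurement module 101, the second measurement module 102, the attestation module 103, or the object to be measured 104, and the processor runs the program code or instruction sets to support the first measurement module 101, the second measurement module 102, the attestation module 103, or the object to be measured 104 in implementing the methods or functions involved in the integrity measurement method provided in the embodiments of this application. Of course, it can be understood that, when the integrity measurement apparatus 10 includes multiple processors and multiple memories, the program code or instruction sets corresponding to the first measurement module 101, the second measurement module 102, the attestation module 103, or the object to be measured 104 may be stored in different memories and run on different processors. This is not specifically limited in this application. Here, the processor may specifically be the CPU, MCU, SOC, or the like described above. The memory may include high-speed random access memory, and may further include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory located remotely from the processor, and such remote memory may be connected to the integrity measurement apparatus 10 through a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.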
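Further, in another embodiment, the first measurement module 101 may also be implemented by a hardware circuit with logic processing capability that is inside the integrity measurement apparatus 10 or externally connected to it. Specifically, logic information may be hard-wired into the hardware circuit, and after power-on the hardware circuit can implement the functions of the first measurement module 101 according to the logic information. Optionally, the hardware circuit may be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or another programmable logic component. This is not specifically limited in this application.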
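It should also be noted that, in practice, depending on where the attestation module 103 is located, the attestation module 103 may be classified as a local attestation module or a remote attestation module. A local attestation module means that the attestation module 103 and the first measurement module 101 run in the same apparatus. For example, when the attestation module 103 and the first measurement module 101 run on the same computer, the attestation module 103 is a local attestation module with respect to the first measurement module 101. Optionally, in practice, when the attestation module 103 is a local attestation module, it may be contained within the first measurement module 101, or may exist independently of the first measurement module 101. This is not specifically limited in this application. A remote attestation module means that the attestation module 103 and the first measurement module 101 reside in different apparatuses, and the two need to exchange data over a secure network. Optionally, when the attestation module 103 is a remote attestation module, it may include a remote attestation server (RA-server) and a remote attestation client (RA-client), and the remote attestation server exchanges data with the first measurement module 103 through the remote attestation client.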
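The process of the integrity measurement method provided in this application is described in detail below with reference to the structure of the integrity measurement apparatus 10 shown in FIG. 1. Refer to FIG. 2. FIG. 2 is a schematic flowchart of an integrity measurement method according to an embodiment of this application. As shown in FIG. 2, the integrity measurement method includes the following steps:
S210: The first measurement module performs integrity measurement on the second measurement module and determines the first measurement result.
S220: The second measurement module performs integrity measurement on the object to be measured 104 to obtain the second measurement result, and sends the second measurement result to the first measurement module.
S230: The first measurement module determines measurement result information based on the first measurement result and the second measurement result, and sends the measurement result information to the attestation module.
S240: The attestation module determines, based on the measurement result information, whether the object to be measured 104 passes integrity verification.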
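In some feasible implementations, as described in step S210, when the integrity measurement apparatus 10 is in its normal working state and the first measurement module 101 determines that integrity measurement needs to be performed on the object to be measured 104, it may first perform integrity measurement on the second measurement module 102 and obtain the first measurement result.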
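It should be noted that the trustworthiness of the first measurement module 101 is higher than that of the second measurement module. Preferably, the first measurement module may be a preset root of trust for measurement of the integrity measurement apparatus 10. Generally, a root of trust for measurement is a component that always runs in a preset manner and whose content is never modified; for the apparatus associated with it, it is absolutely trusted. For example, in the embodiments of this application, the first measurement module 101 may be a root of trust for measurement of the integrity measurement apparatus 10, and the first measurement module 101 is absolutely trusted by the integrity measurement apparatus 10 and by any functional entity inside it. The object to be measured 104 may specifically be a memory code segment that does not change in the memory image of the integrity measurement apparatus 10, such as a kernel code segment, a kernel module code segment, or a user process code segment. Alternatively, the object to be measured 104 may be a static file stored in the memory, or the like. In practice, the object to be measured 104 may reside inside the integrity measurement apparatus 10, or in another apparatus connected to the integrity measurement apparatus 10. This is not specifically limited in this application. During actual execution, the object to be measured 104 may be set in advance, or may be determined by the first measurement module 103 based on an instruction entered by the user. This is not specifically limited in this application. For ease of understanding and description, the execution process of the integrity measurement method provided in the embodiments of this application is described in detail below using the scenario in which the first measurement module 101, the second measurement module 102, and the object to be measured 104 all reside in the integrity measurement apparatus 10 as an example.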
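Optionally, refer also to FIG. 3. FIG. 3 is another schematic flowchart of an integrity measurement method according to an embodiment of this application. As shown in FIG. 3, before the first measurement module 101 performs integrity measurement on the second measurement module 102 and determines the first measurement result, the integrity measurement method may further include the following step:
S200: If the first measurement module determines that a preset measurement trigger condition is met, it determines to perform integrity measurement on the object to be measured 104.
In some feasible implementations, the first measurement module 101 may first check whether the preset measurement trigger condition is met. When the first measurement module 101 determines that the measurement trigger condition is met, it determines to perform integrity measurement on the object to be measured 104. When the first measurement module 101 determines that the measurement trigger condition is not met, it repeats the operation of checking whether the preset measurement trigger condition is met.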
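It should be noted that the measurement trigger condition may specifically include arrival of a preset measurement period. Alternatively, the measurement trigger condition may include occurrence of a preset system abnormal event. Here, system abnormal events include, but are not limited to, code segment rewriting, high-risk system calls, and abnormal script execution. These are abnormal events of the operating system in which the object to be measured 104 resides, and their occurrence may pose a security threat to the object to be measured 104. As a further alternative, the measurement trigger condition may include receipt of a measurement trigger instruction from the user. It can be understood that, in practice, the preset measurement trigger condition may include one or more of these three conditions (arrival of a preset measurement period, occurrence of a preset system abnormal event, and receipt of a measurement trigger instruction from the user), and may also include conditions other than these three. This is not specifically limited in this application. Setting different measurement trigger conditions to trigger the first measurement module 1003 to actively start integrity measurement on the object to be measured 104 can shorten the attack time window of the object to be measured 104 and improve its security.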
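In one embodiment, when the measurement trigger condition includes arrival of a preset measurement period, assume that the preset measurement period is a duration T1. The first measurement module 101 may detect the duration T2 between the current moment and the moment at which it last performed integrity measurement on the object to be measured 104. When the first measurement module 101 determines that T2 is equal to T1, it determines that the preset measurement period has arrived, and may determine to perform integrity measurement on the object to be measured 104.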
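In another embodiment, when the measurement trigger condition includes occurrence of a preset system abnormal event, the IDS in the operating system in which the object to be measured 104 resides detects in real time whether a system abnormal event occurs in the operating system. When the IDS detects that one or more system abnormal events have occurred in the operating system, it may send system abnormality indication information to the first measurement module 101 and continue to monitor the operating system for abnormal events. Then, if the first measurement module 101 detects the system abnormality indication information sent by the IDS, it may determine that a preset system abnormal event has occurred, and may determine to perform integrity measurement on the object to be measured 104.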
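In yet another embodiment, when the measurement trigger condition is receipt of a measurement trigger instruction from the user, the first measurement module 101 may check the user instructions it receives in real time. When the first measurement module 101 detects that the user instructions it has received include the preset measurement trigger instruction, it may determine to perform integrity measurement on the object to be measured 104. For example, assume that the preset measurement trigger instruction is a measurement challenge instruction. When the attestation module 103 is a remote attestation module, the user may enter, on the remote attestation server of the attestation module 103, an instruction indicating that integrity measurement is to be performed on the object to be measured. After receiving the instruction, the remote attestation server may send a measurement challenge instruction to the first measurement module through the remote attestation client in the attestation module 103. After detecting the measurement challenge instruction, the first measurement module 103 can determine that the preset measurement trigger instruction has been received, and may determine to perform integrity measurement on the object to be measured 104.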
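In yet another embodiment, refer to FIG. 4. FIG. 4 is a schematic structural diagram of another integrity measurement apparatus according to an embodiment of this application. As shown in FIG. 4, the integrity measurement apparatus 10 may further include a measurement trigger module 105. When the integrity measurement system 10 further includes the measurement trigger module 104, the operation of determining whether the preset measurement trigger condition is met may be performed by the measurement trigger module 105. For example, the measurement trigger module 105 may determine whether the preset measurement period has arrived, or detect whether system abnormality indication information from the IDS has been received, or detect whether a measurement trigger instruction from the user has been received. When the measurement trigger module 105 determines that the preset measurement trigger condition is met, it may send a measurement trigger instruction to the first measurement module 101. After detecting the measurement trigger instruction, the first measurement module 101 can determine to perform integrity measurement on the object to be measured 104. Having the measurement trigger module 105 perform the operation of determining whether the preset measurement trigger condition is met reduces the amount of data the first measurement module 101 exchanges with other modules and also reduces the amount of data the first measurement module 101 itself has to process, which helps ensure the security and trustworthiness of the first measurement module 101.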
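Further, as described in step S210, after the first measurement module 101 determines to perform integrity measurement on the object to be measured 104, it may first perform integrity measurement on the second measurement module 102. The process by which the first measurement module 101 measures the second measurement module is described in detail below for two scenarios: the second measurement module 102 is a standalone module, or it consists of multiple submodules.
Scenario one: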
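In the scenario where the second measurement module 102 is a standalone module, the first measurement module 101 may first obtain the code segment corresponding to the second measurement module 102. For example, the first measurement module 101 may obtain the address space that the second measurement module 102 reports after it finishes starting for the first time (for ease of understanding, referred to below as the first address space), and extract the code segment corresponding to the second measurement module 102 from the first address space. As another example, the first measurement module 101 may traverse all code segments of the entire operating system and, based on the code segment identifier corresponding to the second measurement module 102, identify the code segment corresponding to the second measurement module 102 among them. Of course, the first measurement module 101 may also obtain the code segment corresponding to the second measurement module 102 in other ways. This is not specifically limited in this application. After obtaining the code segment corresponding to the second measurement module 102, the first measurement module 101 may hash it by using a preset hash function (for ease of distinction, referred to below as the first hash function) to obtain the hash value of the code segment. The first measurement module 101 may then determine this hash value as the first measurement result corresponding to the second measurement module 102.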
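Optionally, when the first measurement module 101 determines to perform integrity measurement on the second measurement module 102, the first measurement module 101 may further send measurement indication information to the second measurement module 102 (for ease of distinction, referred to below as the first measurement indication information). The first measurement indication information may be used to indicate to the second measurement module 102 that the first measurement module 101 is about to perform integrity measurement on it.
Scenario two: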
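In the scenario where the second measurement module 102 consists of multiple submodules, refer also to FIG. 5. FIG. 5 is a schematic structural diagram of another integrity measurement apparatus according to an embodiment of this application. As shown in FIG. 5, the second measurement module 102 may include a first measurement submodule 1021 and a second measurement submodule 1022. In a specific implementation, the first measurement module 101 may first perform integrity measurement on the first measurement submodule 1021 to obtain a first measurement sub-result of the first measurement submodule 1021. For the specific process by which the first measurement module 101 performs integrity measurement on the first measurement submodule 1021, refer to the process described in scenario one above by which the first measurement module 101 performs integrity measurement on the second measurement module 102. Details are not repeated here. Optionally, when the first measurement module 101 determines to initiate integrity measurement on the first measurement submodule 1021, the first measurement module 101 may further send measurement indication information to the first measurement submodule 1021 (for ease of distinction, referred to below as the second measurement indication information). The second measurement indication information may be used to indicate to the first measurement submodule 1021 that the first measurement module 101 is about to perform integrity measurement on it.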
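Further, the first measurement submodule 1021 may determine whether the first measurement module 101 performs integrity measurement on it. For example, the first measurement submodule 1021 may check for the second measurement indication information in real time, and when it determines that it has received the second measurement indication information from the first measurement module 101, it may determine that the first measurement module 101 performs integrity measurement on it. As another example, the first measurement submodule 1021 may obtain the current system log and query it to determine whether the first measurement module 101 performs integrity measurement on it. Of course, the first measurement submodule 1021 may also determine this in other ways. This is not specifically limited in this application. After the first measurement submodule 1021 determines that the first measurement module 101 performs integrity measurement on it, it may in turn perform integrity measurement on the second measurement submodule 1022 to obtain a second measurement sub-result corresponding to the second measurement submodule 1022. It should be noted that, for the specific process by which the first measurement submodule 1021 performs integrity measurement on the second measurement submodule 1022, refer to the process described in scenario one above by which the first measurement module 101 performs integrity measurement on the second measurement module 102. Details are not repeated here. The first measurement submodule 1021 may then send the second measurement sub-result it obtained to the first measurement module 101. Optionally, when performing integrity measurement on the second measurement submodule 1022, the first measurement submodule 1021 may also send measurement indication information to the second measurement submodule 1022 (for ease of distinction, referred to below as the third measurement indication information). The third measurement indication information may be used to indicate to the second measurement submodule 1022 that the first measurement submodule 1021 has performed integrity measurement on it.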
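In short, in this scenario, the first measurement module 101 performs integrity measurement on the second measurement module 102, which contains the first measurement submodule 1021 and the second measurement submodule 1022, and obtains a second measurement result that contains the first measurement sub-result and the second measurement sub-result.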
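It should also be added that the structure of the second measurement module 102 shown in FIG. 5 is only an example. It may include three or more measurement submodules, provided that at least one measurement submodule is used to perform integrity measurement on the object to be measured 104. When the first measurement module 101 performs integrity measurement on the second measurement module 102, it performs integrity measurement on every measurement submodule in the second measurement module 102. The specific measurement process may be similar to that described above: the first measurement module 101 measures only one measurement submodule A among the three or more measurement submodules, and the other measurement submodules are measured by measurement submodule A, which sends the measurement results to the first measurement module 101. Alternatively, the first measurement module 101 may directly perform integrity measurement on each measurement submodule separately and obtain the integrity measurement result of each measurement submodule.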
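In some feasible implementations, as described in step S220, the second measurement module 102 may also perform integrity measurement on the object to be measured 104 and obtain the second measurement result corresponding to the object to be measured 104. The process by which the second measurement module 102 performs integrity measurement on the object to be measured 104 and obtains the corresponding second measurement result is described below for scenario one and scenario two described above.
Scenario one: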
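In an embodiment, the second measurement module 102 may first determine whether the first measurement module 101 has performed integrity measurement on it. For example, the second measurement module 102 may detect whether it has received the first measurement indication information from the first measurement module 101. When the second measurement module 102 determines that it has received the first measurement indication information from the first measurement module, it may determine that the first measurement module 101 has performed integrity measurement on it. Alternatively, the second measurement module 102 may determine whether the first measurement module 101 has performed integrity measurement on it by querying the system log. Of course, the second measurement module 102 may also determine this in other ways. This is not specifically limited in this application.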
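Further, after the second measurement module 102 determines that the first measurement module 101 has performed integrity measurement on it, the second measurement module 102 may perform integrity measurement on the object to be measured 104 to obtain the second measurement result corresponding to the object to be measured 104. Here, the object to be measured 104 may be set in advance, or may be specified by the user through a user instruction. This is not specifically limited in this application. As described above, when the object to be measured 104 is a memory code segment such as a kernel code segment or a user process code segment, the second measurement module 102 may obtain the specific content of the memory code segment and then hash the memory code segment by using a preset hash function (for ease of distinction, referred to below as the second hash function) to obtain the corresponding hash value. This hash value is the second measurement result of the object to be measured 104. Similarly, when the object to be measured 104 is a static file, the second measurement module 102 may obtain the specific content of the static file and then hash that content by using the second hash function to obtain the corresponding hash value, thereby obtaining the second measurement result of the object to be measured 104.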
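Further, after obtaining the second measurement result, the second measurement module 102 may send the second measurement result to the first measurement module 101.
Scenario two: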
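In an embodiment, the second measurement submodule 1022 in the second measurement module 102 may first determine whether the first measurement module 101 has performed integrity measurement on the first measurement submodule 1021. For example, the second measurement submodule 1022 may detect whether it has received the third measurement indication information from the first measurement submodule 1021. If the second measurement submodule 1022 determines that it has received the third measurement indication information, it may determine that the first measurement module 101 has performed integrity measurement on the second measurement module 102. Alternatively, the second measurement submodule 1022 may determine whether the first measurement module 101 has performed integrity measurement on the second measurement module 102 by querying the system log.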
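Further, after the second measurement submodule 1022 determines that the first measurement module 101 has performed integrity measurement on the first measurement submodule 1021, the second measurement submodule 1022 may perform integrity measurement on the object to be measured 104 to obtain the second measurement result corresponding to the object to be measured 104. For the process by which the second measurement submodule 1022 performs integrity measurement on the object to be measured 104, refer to the process described above by which the second measurement module 102 performs integrity measurement on the object to be measured 104. Details are not repeated here. After obtaining the second measurement result, the second measurement submodule 1022 may send it directly to the first measurement module 101, or may send it to the first measurement submodule 1021, which then forwards the second measurement result to the first measurement module 101.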
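In some feasible implementations, as described in step S230, after obtaining the first measurement result and the second measurement result, the first measurement module 101 may determine measurement result information based on the first measurement result and the second measurement result, and send the measurement result information to the attestation module 103. The embodiments of this application provide multiple ways of determining the measurement result information. The process by which the first measurement module 101 determines the measurement result information and sends it to the attestation module 103 is described below for scenario one and scenario two described above and for the multiple ways of determining the measurement result information provided in the embodiments of this application.
Measurement result determination mode one: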
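In scenario one described above, after obtaining the first measurement result and the second measurement result, the first measurement module 101 may directly determine the first measurement result and the second measurement result as the measurement result information. In scenario two described above, after obtaining the first measurement sub-result, the second measurement sub-result, and the second measurement result, the first measurement module 101 may directly determine the first measurement sub-result, the second measurement sub-result, and the second measurement result as the measurement result information. Here, the first measurement module 101 directly determines the first measurement result and the second measurement result, or the first measurement sub-result, the second measurement sub-result, and the second measurement result, as the measurement result information and sends it to the second measurement module 102. This method is simple and easy to carry out, and can improve the efficiency of integrity measurement.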
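Further, after determining the measurement result information, the first measurement module 101 may send the measurement result information to the second measurement module 102. Optionally, after obtaining the measurement result information, the first measurement module 101 may encrypt the measurement result information by means of a digital certificate, a digital signature, or the like, and send the encrypted measurement result information to the attestation module. This can improve the security of transmitting the measurement result information.
Measurement result information determination mode two: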
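Refer to FIG. 6. FIG. 6 is a schematic structural diagram of another integrity measurement apparatus according to an embodiment of this application. As shown in FIG. 6, the integrity measurement structure 10 may further include a trusted platform module TPM 106. The TPM 106 includes a PCR, and the PCR may store one or more PCR values obtained through extension by the TPM 106.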
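In scenario one described above, after obtaining the first measurement result and the second measurement result, the first measurement module 101 may extend the first measurement result and the second measurement result separately into the PCR of the TPM 106, to obtain a first PCR value corresponding to the first measurement result and a second PCR value corresponding to the second measurement result. Specifically, the first measurement module 101 may first initiate a PCR extension operation on the TPM 106 and send the first measurement result to the TPM 106. Then, after determining to perform the PCR extension operation and receiving the first measurement result, the TPM 106 may extract from the PCR the stored PCR value corresponding to the first measurement result (for ease of distinction, referred to below as the first stored PCR value). Here, the first stored PCR value is the PCR value obtained when, the last time the integrity measurement apparatus 10 performed integrity measurement on the object to be measured 104, the first measurement module 101 extended the measurement result of the second measurement module 102 into the PCR of the TPM 106. The TPM 106 may then perform PCR extension processing on the first measurement result and the first stored PCR value to obtain the first PCR value corresponding to the first measurement result. For example, the TPM 106 may hash the first measurement result and the first stored PCR value by using a preset hash function (for ease of distinction, referred to below as the third hash function), and determine the resulting hash value as the first PCR value corresponding to the first measurement result. Optionally, the TPM 106 may further update the current first stored PCR value to the current first PCR value. For example, assume that the first stored PCR value is d1 and the first measurement result is d2. After obtaining the first measurement result d2 and the stored PCR value d1, the TPM 106 may hash d1 and d2 together to obtain the first PCR value d3. The TPM 106 may then update the first stored PCR value from d1 to d3. It should be noted that, if this measurement is the first integrity measurement that the integrity measurement apparatus 10 performs on the object to be measured, the TPM 106 may perform PCR extension processing on the first measurement result together with the preset initial PCR value of the second measurement module, to obtain the first PCR value corresponding to the first measurement result. Similarly, the first measurement module 101 may also perform PCR extension on the second measurement result through the TPM 106 to obtain the second PCR value corresponding to the second measurement result. For the specific process, refer to the foregoing description of how the TPM 106 obtains, by extension, the first PCR value corresponding to the first measurement result. Details are not repeated here.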
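Further, the TPM 106 determines the first PCR value and the second PCR value as the measurement result information, and sends the measurement result information to the attestation module 103.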
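In scenario two described above, after obtaining the first measurement sub-result, the second measurement sub-result, and the second measurement result, the first measurement module 101 may extend the first measurement sub-result, the second measurement sub-result, and the second measurement result separately into the PCR of the TPM 106, to obtain a first sub-PCR value corresponding to the first measurement sub-result, a second sub-PCR value corresponding to the second measurement sub-result, and a second PCR value corresponding to the second measurement result. For the process by which the first measurement module 101 obtains the first sub-PCR value, the second sub-PCR value, and the second PCR value through extension by the TPM 106, refer to the foregoing description of how the first PCR value is determined through the TPM 106. Details are not repeated here. Then, after obtaining the first sub-PCR value, the second sub-PCR value, and the second PCR value, the TPM 106 may determine the first sub-PCR value, the second sub-PCR value, and the second PCR value as the measurement result information.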
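Further, after determining the measurement result information, the TPM 106 may send the measurement result information to the attestation module 103. Optionally, the TPM 106 may encrypt the measurement result information by means of a digital certificate, a digital signature, or the like, and send the encrypted measurement result information to the attestation module 103. This can ensure the security of transmitting the measurement result information.
Here, the first measurement module 102 first extends the measurement results into the corresponding PCR values through the TPM 106, which has high security and reliability, and then sends the extended PCR values to the attestation module 103 as the measurement result information through the TPM 106. This effectively prevents the measurement results from being tampered with and ensures the security of transmitting the measurement results.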
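In some feasible implementations, as described in step S240, after receiving the measurement result information, the attestation module 103 may determine, based on the measurement result information, whether the object to be measured 104 passes integrity verification. The process by which the attestation module 103 makes this determination is described in detail below for measurement result information determination mode one, measurement result information determination mode two, and the two different scenarios described above.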
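In an embodiment, when the first measurement module 101 obtains the measurement result information by using measurement result information determination mode one, in scenario one described above, the measurement result information received by the attestation module 103 may include the first measurement result and the second measurement result. The attestation module 103 may then obtain a preset first baseline value corresponding to the second measurement module 102 and a second baseline value corresponding to the object to be measured 104. The attestation module 103 may then determine whether the first measurement result is the same as the first baseline value. If the attestation module 103 determines that the first measurement result is the same as the first baseline value, it may go on to determine whether the second measurement result is the same as the second baseline value. If the attestation module 103 determines that the second measurement result is the same as the second baseline value, it may determine that the object to be measured 104 passes integrity verification and that its content has not been tampered with. If the attestation module 103 determines that the first measurement result is different from the first baseline value, or that the second measurement result is different from the second baseline value, the attestation module 103 may determine that the object to be measured 104 fails the integrity check, that its content has been tampered with, and that a security risk exists. It can be understood that the attestation module 103 may also first determine whether the second measurement result is the same as the second baseline value, and then determine whether the first measurement result is the same as the first baseline value. This application does not specifically limit the order of these determinations.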
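In another embodiment, when the first measurement module 101 obtains the measurement result information by using measurement result information determination mode one, in scenario two described above, the measurement result information received by the attestation module 103 may include the first measurement sub-result, the second measurement sub-result, and the second measurement result. The attestation module 103 may then obtain a preset first sub-baseline value corresponding to the first measurement submodule 1021, a preset second sub-baseline value corresponding to the second measurement submodule 1022, and the second baseline value corresponding to the object to be measured 104. The attestation module 103 may then determine whether the first measurement sub-result is the same as the first sub-baseline value, whether the second measurement sub-result is the same as the second sub-baseline value, and whether the second measurement result is the same as the second baseline value. Only when the attestation module 103 determines that the first measurement sub-result is the same as the first sub-baseline value, the second measurement sub-result is the same as the second sub-baseline value, and the second measurement result is the same as the second baseline value can it determine that the object to be measured 104 passes the integrity check and that its content has not been tampered with. When the attestation module 103 determines that the first measurement sub-result is different from the first sub-baseline value, or the second measurement sub-result is different from the second sub-baseline value, or the second measurement result is different from the second baseline value, it may determine that the object to be measured 104 fails the integrity check, that its content has been tampered with, and that a security risk exists. For the specific process by which the attestation module 103 determines whether the object to be measured 104 passes integrity verification based on the first measurement sub-result, the second measurement sub-result, and the second measurement result together with the first sub-baseline value, the second sub-baseline value, and the second baseline value, refer to the foregoing description of how the attestation module 103 makes this determination based on the first measurement result and the second measurement result together with the first baseline value and the second baseline value. Details are not repeated here.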
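In yet another embodiment, after the first measurement module 101 obtains the measurement result information by using measurement result information determination mode two, in scenario one described above, the measurement result information received by the attestation module 103 may include the first PCR value and the second PCR value. The attestation module 103 may then determine a first PCR check value and a second PCR check value corresponding to the second measurement module 102 and the object to be measured. Specifically, the attestation module 103 may first retrieve the preset initial PCR value corresponding to the second measurement module 102 (this initial PCR value is consistent with the initial PCR value corresponding to the second measurement module 102 that was originally stored in the TPM 106) and the preset first baseline value corresponding to the second measurement module 102, and then determine, from the PCR extension record of the TPM 105, the extension order and the number of extensions (assumed here to be T1) that the TPM 105 used to obtain the first PCR value. The attestation module 103 may then extend the first original PCR value and the first baseline value T1 times in that extension order, to obtain the first PCR check value. The PCR extension that the attestation module 103 performs on the first original PCR value and the first baseline value is the same as the extension process described above that the TPM 106 performs on the first measurement result and the first stored PCR value. Details are not repeated here. Similarly, the attestation module 103 may also obtain, by extension from the preset second baseline value corresponding to the object to be measured 104 and the initial PCR value corresponding to the object to be measured, the second PCR check value corresponding to the object to be measured 104.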
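The attestation module 103 may then determine whether the first PCR value is the same as the first PCR check value. If the attestation module 103 determines that the first PCR value is the same as the first PCR check value, it may go on to determine whether the second PCR value is the same as the second PCR check value. If the attestation module 103 determines that the second PCR value is the same as the second PCR check value, it may determine that the object to be measured 104 passes integrity verification and that its content has not been tampered with. If the attestation module 103 determines that the first PCR value is different from the first PCR check value, or that the second PCR value is different from the second PCR check value, the attestation module 103 may determine that the object to be measured 104 fails the integrity check, that its content has been tampered with, and that a security risk exists. It can be understood that the attestation module 103 may also first determine whether the second PCR value is the same as the second PCR check value, and then determine whether the first PCR value is the same as the first PCR check value. This application does not specifically limit the order of these determinations.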
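The following Python sketch is an added example, not code from the application: it walks through S210 to S240 for scenario one with measurement result information determination mode two, including the attestation module replaying the recorded number of extensions from the baseline. SHA-256 as the hash function, an all-zero initial PCR value, and the names `ToyTPM`, `measurement_round`, `check_value`, `attest`, and `demo` are assumptions, and the byte strings standing in for the code segments are constructed.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)  # assumed preset initial PCR value (all zeros, SHA-256 sized)


def measure(content: bytes) -> bytes:
    """Integrity measurement: hash of a code segment or static file."""
    return hashlib.sha256(content).digest()


def pcr_extend(stored: bytes, measurement: bytes) -> bytes:
    """PCR extension: hash the stored PCR value together with the new result."""
    return hashlib.sha256(stored + measurement).digest()


class ToyTPM:
    """Stand-in for TPM 106: holds PCR values and an ordered extension record."""

    def __init__(self, names):
        self.pcr = {name: PCR_INIT for name in names}
        self.log = []  # which PCR was extended, in order

    def extend(self, name, measurement):
        self.pcr[name] = pcr_extend(self.pcr[name], measurement)
        self.log.append(name)
        return self.pcr[name]


def measurement_round(tpm, dim_code, target_code):
    """One pass of S210 to S230; returns the measurement result information."""
    first_result = measure(dim_code)       # S210: root of trust measures module 102
    second_result = measure(target_code)   # S220: module 102 measures object 104
    tpm.extend("second_module", first_result)
    tpm.extend("target", second_result)
    return dict(tpm.pcr)                   # S230: first and second PCR values


def check_value(baseline, times):
    """Attestation side: replay `times` extensions of the baseline from PCR_INIT."""
    value = PCR_INIT
    for _ in range(times):
        value = pcr_extend(value, baseline)
    return value


def attest(result_info, baselines, log):
    """S240: pass only if every reported PCR value equals its PCR check value."""
    verdict = {}
    for name, baseline in baselines.items():
        expected = check_value(baseline, log.count(name))
        verdict[name] = hmac.compare_digest(result_info[name], expected)
    return all(verdict.values()), verdict


def demo():
    dim_code = b"constructed DIM module code segment"
    kernel_text = b"constructed kernel code segment"
    baselines = {"second_module": measure(dim_code), "target": measure(kernel_text)}
    tpm = ToyTPM(baselines)
    round1 = attest(measurement_round(tpm, dim_code, kernel_text), baselines, tpm.log)
    round2 = attest(measurement_round(tpm, dim_code, kernel_text), baselines, tpm.log)
    # Round 3: the measured object differs from its baseline by one byte.
    round3 = attest(measurement_round(tpm, dim_code, kernel_text + b"\x90"),
                    baselines, tpm.log)
    # Round 4: the object matches the baseline again, but the PCR history does not.
    round4 = attest(measurement_round(tpm, dim_code, kernel_text), baselines, tpm.log)
    return round1, round2, round3, round4


if __name__ == "__main__":
    for number, (passed, detail) in enumerate(demo(), start=1):
        print(f"round {number}: passed={passed} detail={detail}")
```

In this sketch the fourth round still fails although the object matches its baseline again: a PCR value accumulates every extension, so once a mismatching measurement has been extended, replaying the baseline no longer reproduces the reported value.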
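In yet another embodiment, after the first measurement module 101 obtains the measurement result information by using measurement result information determination mode two, in scenario two described above, the measurement result information received by the attestation module 103 may include the first sub-PCR value, the second sub-PCR value, and the second PCR value. The attestation module 103 may then determine a first sub-PCR check value, a second sub-PCR check value, and a second PCR check value corresponding to the first measurement submodule 1021, the second measurement submodule 1022, and the object to be measured 104. For how the attestation module 103 determines the first sub-PCR check value, the second sub-PCR check value, and the second PCR check value, refer to the foregoing description of how the attestation module determines the first PCR check value. Details are not repeated here. The attestation module 103 may then determine whether the first sub-PCR value is the same as the first sub-PCR check value, whether the second sub-PCR value is the same as the second sub-PCR check value, and whether the second PCR value is the same as the second PCR check value. If the attestation module 103 determines that the first sub-PCR value is the same as the first sub-PCR check value, the second sub-PCR value is the same as the second sub-PCR check value, and the second PCR value is also the same as the second PCR check value, it may determine that the object to be measured 104 passes integrity verification and that its content has not been tampered with. If the attestation module 103 determines that the first sub-PCR value is different from the first sub-PCR check value, or the second sub-PCR value is different from the second sub-PCR check value, or the second PCR value is different from the second PCR check value, it may determine that the object to be measured 104 fails integrity verification, that its content may have been tampered with, and that a security threat exists. For the specific determination process performed by the attestation module 103, refer to the foregoing description of how the attestation module 103 evaluates the first PCR value and the second PCR value. Details are not repeated here.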
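In an optional practical application, in scenario one described above, the first measurement module 101 may specifically be a DIM TEE module running in the integrity measurement apparatus 10, or a hardware security module (HSM) located inside or outside the integrity measurement apparatus 10. The second measurement module 102 may specifically be a DIM module running in the integrity measurement apparatus 10. The object to be measured 104 may specifically be one or more of a kernel code segment, a kernel module code segment, and a user-mode process code segment in the memory of the integrity measurement apparatus 10. The attestation module 103 may be a local attestation module running in the integrity measurement apparatus 10, or a remote attestation module running on an apparatus other than the integrity measurement apparatus 10. In a specific implementation, after determining to perform integrity measurement on the object to be measured 104, the DIM TEE module or the HSM may first measure the DIM module to obtain the first measurement result, and at the same time trigger the DIM module to perform integrity measurement on the object to be measured 104 to obtain the second measurement result. The DIM TEE module or the HSM may then send the measurement result information determined from the first measurement result and the second measurement result to the attestation module 103. The attestation module 103 may determine, from the measurement result information, whether the object to be measured 104 passes integrity verification. For the specific measurement and attestation processes, refer to the foregoing description. Details are not repeated here.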
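In another optional practical application, in scenario two described above, the first measurement module 101 may specifically be an HSM inside or outside the integrity measurement apparatus 10, the first measurement submodule in the second measurement module 102 may be a DIM TEE module running in the integrity measurement apparatus 10, and the second measurement submodule may be a DIM module running in the integrity measurement apparatus 10. The object to be measured 104 may specifically be one or more of a kernel code segment, a kernel module code segment, and a user-mode process code segment in the memory of the integrity measurement apparatus 10. The attestation module 103 may be a local attestation module running in the integrity measurement apparatus 10, or a remote attestation module running on an apparatus other than the integrity measurement apparatus 10. In a specific implementation, after determining to perform integrity measurement on the object to be measured 104, the HSM may first initiate integrity measurement on the DIM TEE module to obtain the first measurement sub-result of the DIM TEE module. At the same time, the DIM TEE module may in turn initiate integrity measurement on the DIM module to obtain the second measurement sub-result of the DIM module and send the second measurement sub-result to the HSM, and the DIM module may also initiate integrity measurement on the object to be measured 104 to obtain the second measurement result of the object to be measured 104 and send the second measurement result to the HSM. The HSM may then send the measurement result information determined from the first measurement sub-result, the second measurement sub-result, and the second measurement result to the attestation module 103, so that the attestation module 103 can determine, based on the measurement result information, whether the object to be measured 104 passes integrity measurement. For the specific measurement and attestation processes, refer to the foregoing description. Details are not repeated here.
It can be understood that the first measurement module 101, the second measurement module 102, and the attestation module 103 may also be modules other than those described above that have the same functions. This is not specifically limited in this application.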
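In addition, it should be added that, in the integrity measurement process shown above, the first measurement module 103 sends the measurement result information determined from the first measurement result and the second measurement result to the attestation module 103 for attestation only after both the first measurement result and the second measurement result have been obtained. In one embodiment, after obtaining the first measurement result, the first measurement module 103 may first send the first measurement result to the attestation module 103, so that the attestation module 103 can perform integrity verification on the second measurement module 102 first. When the attestation module 103 determines that the second measurement module passes integrity verification (that is, the first measurement result is the same as the preset baseline value, or the PCR value corresponding to the first measurement result is the same as the corresponding PCR check value), it may send verification-passed information to the first measurement module 101. When the attestation module 103 determines that the second measurement module 102 fails integrity verification (that is, the first measurement result is different from the preset baseline value, or the PCR value corresponding to the first measurement result is different from the preset PCR check value), the attestation module 103 may send verification-failed information to the first measurement module 101, or give the first measurement module 101 no feedback within a preset time period. Then, if the first measurement module 103 receives the verification-passed information, it may trigger the second measurement module 102 to measure the object to be measured 104 to obtain the second measurement result, and then send the second measurement result to the attestation module 103 so that integrity verification is performed on the object to be measured 104. If the first measurement module 103 receives the verification-failed information, or receives no feedback from the attestation module 103 within the preset time period, it may determine that the second measurement module 102 fails integrity verification, and may perform again the operation of determining whether the measurement trigger condition is met. Continuing with integrity measurement on the object to be measured 104 only when the second measurement module 102 is determined to pass integrity verification avoids useless operations on the object to be measured 104 that would result from the second measurement module 102 failing integrity verification, and can improve the efficiency of integrity measurement.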
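In the embodiments of this application, the first measurement module 103 obtains the first measurement result corresponding to the second measurement module 102 and the second measurement result corresponding to the object to be measured 104, and sends the measurement result information corresponding to the first measurement result and the second measurement result to the attestation module 103 for attestation. The entire measurement method thus uses the highly trustworthy first measurement module 103 as the measurement root to obtain all measurement results and provide them to the attestation module 103, so that the attestation result obtained by the attestation module 103 is highly trustworthy, which improves the accuracy and reliability of the integrity measurement method.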
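Refer to FIG. 7. FIG. 7 is a schematic structural diagram of another integrity measurement apparatus according to an embodiment of this application. The integrity measurement apparatus 70 may be the first measurement module 101 described above. As shown in FIG. 7, the integrity measurement apparatus 70 includes a processing unit 701 and a transceiver unit 702.
In a specific implementation, the processing unit 701 may be configured to perform integrity measurement on the second measurement module 102 to obtain the first measurement result, where the trustworthiness of the first measurement module 101 is higher than that of the second measurement module 102. The transceiver unit 702 may be configured to receive the second measurement result sent by the second measurement module 102, where the second measurement result is obtained by the second measurement module 102 performing integrity measurement on the object to be measured 104. The processing unit 701 is further configured to determine measurement result information based on the first measurement result and the second measurement result. The transceiver unit 702 is further configured to send the measurement result information to the attestation module 103, where the attestation module 103 is configured to determine, based on the measurement result information, whether the object to be measured 104 passes integrity verification.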
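In a feasible implementation, the processing unit 701 may determine the first measurement result and the second measurement result as the measurement result information. The transceiver unit 702 may then send the measurement result information to the attestation module 103.
In a feasible implementation, the transceiver unit 702 may send the first measurement result and the second measurement result separately to the TPM. The TPM may perform platform configuration register (PCR) extension separately on the first measurement result and the second measurement result to obtain a first PCR value corresponding to the first measurement result and a second PCR value. The TPM may further determine the first PCR value and the second PCR value as the measurement result information and send it to the attestation module 103.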
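In a feasible implementation, the second measurement module 102 includes a first measurement submodule and a second measurement submodule. The first measurement result includes a first measurement sub-result and a second measurement sub-result. The processing unit 701 is configured to perform integrity measurement on the first measurement submodule to obtain the first measurement sub-result. The first measurement submodule performs integrity measurement on the second measurement submodule to obtain the second measurement sub-result and sends the second measurement result to the transceiver unit 702.
In a feasible implementation, the processing unit 701 is configured to determine the first measurement sub-result, the second measurement sub-result, and the second measurement result as the measurement result information. The first measurement module 101 sends the measurement result information to the attestation module 103.
In a feasible implementation, the transceiver unit 702 may send the first measurement sub-result, the second measurement sub-result, and the second measurement result separately to the TPM. The TPM performs PCR extension separately on the first measurement sub-result, the second measurement sub-result, and the second measurement result, to obtain a first sub-PCR value corresponding to the first measurement sub-result, a second sub-PCR value corresponding to the second measurement sub-result, and a second PCR value corresponding to the second measurement result. The TPM determines the first sub-PCR value, the second sub-PCR value, and the second PCR value as the measurement result information, and sends the measurement result information to the attestation module 103.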
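In a feasible implementation, before the first measurement module 101 performs integrity measurement on the second measurement module 102 to obtain the first measurement result, the processing unit 701 may further determine that a preset measurement trigger condition is met. Here, the measurement trigger condition is at least one of arrival of a preset measurement period, occurrence of a preset system abnormal event, and receipt of a measurement trigger instruction from the user.
In a feasible implementation, when the measurement trigger condition is occurrence of a preset system abnormal event, if the processing unit 701 determines that a system abnormality message sent by the IDS has been received, it determines that the preset trigger condition is met. Here, the system abnormality message is sent by the IDS when it detects that the system abnormal event has occurred.
In a feasible implementation, when the processing unit 701 determines that the preset measurement trigger condition is met, the transceiver unit 702 may further send first measurement indication information to the second measurement module 102. The first measurement indication information is used to indicate to the second measurement module 102 that the first measurement module 101 is about to perform integrity measurement on the second measurement module 102.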
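In a feasible implementation, the first measurement module 101 is a preset root of trust for measurement.
In a feasible implementation, the first measurement module 101 is a DIM TEE module or an HSM, and the second measurement module 102 is a DIM module.
In a feasible implementation, the first measurement module 101 is an HSM, the first measurement submodule is a DIM TEE module, and the second measurement submodule is a DIM module.
In a feasible implementation, the attestation module 103 includes a local attestation module 103 or a remote attestation module 103.
In a feasible implementation, the object to be measured 104 includes a memory code segment or a static file.
In a feasible implementation, the object to be measured 104 includes a memory code segment, and the memory code segment includes at least one of a kernel code segment, a kernel module code segment, and a user-mode process code segment.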
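Refer also to FIG. 7. The integrity measurement apparatus 70 may also be the attestation module 103 described above. In a specific implementation, the transceiver unit 702 is configured to receive the measurement result information sent by the first measurement module 101, where the measurement result information is determined from the first measurement result and the second measurement result. The first measurement result is the result of the integrity measurement performed by the first measurement module 101 on the second measurement module 102. The second measurement result is the result of the integrity measurement performed by the second measurement module 102 on the object to be measured 104. The trustworthiness of the first measurement module is higher than that of the second measurement module 102. The processing unit 701 is configured to determine, based on the measurement result information, whether the object to be measured 104 passes integrity verification.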
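In a feasible implementation, the measurement result information includes the first measurement result and the second measurement result. If the processing unit 701 determines that the first measurement result is the same as the first baseline value corresponding to the second measurement module 102 and that the second measurement result is the same as the second baseline value corresponding to the object to be measured 104, it determines that the object to be measured 104 passes integrity verification. If the processing unit 701 determines that the first measurement result is different from the first baseline value, or determines that the second measurement result is different from the second baseline value, it determines that the object to be measured 104 fails integrity verification.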
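In a feasible implementation, the measurement result information contains a first PCR value and a second PCR value. The first PCR value is obtained by the first measurement module 101 performing PCR extension on the first measurement result through the TPM, and the second PCR value is obtained by the first measurement module 101 performing PCR extension on the second measurement result through the TPM. If the processing unit 701 determines that the first PCR value is equal to the first PCR check value and that the second PCR value is equal to the second PCR check value, it determines that the object to be measured 104 passes integrity verification. If the processing unit 701 determines that the first PCR value is not equal to the first PCR check value, or determines that the second PCR value is not equal to the second PCR check value, it determines that the object to be measured 104 fails integrity verification. The first PCR check value is obtained by the attestation module 103 performing PCR extension on the first baseline value corresponding to the second measurement module 102 and the first initial PCR value. The second PCR check value is obtained by the attestation module 103 performing PCR extension on the second baseline value corresponding to the object to be measured 104 and the second initial PCR value.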
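In a feasible implementation, the second measurement module 102 includes a first measurement submodule and a second measurement submodule, and the first measurement result includes a first measurement sub-result and a second measurement sub-result. The measurement result information includes the first measurement sub-result, the second measurement sub-result, and the second measurement result. If the processing unit 701 determines that the first measurement sub-result is the same as the first sub-baseline value corresponding to the first measurement submodule, the second measurement sub-result is the same as the second sub-baseline value corresponding to the second measurement submodule, and the second measurement result is the same as the second baseline value corresponding to the object to be measured 104, it determines that the object to be measured 104 passes integrity verification. If the processing unit 701 determines that the first measurement sub-result is different from the first sub-baseline value corresponding to the first measurement submodule, or the second measurement sub-result is different from the second sub-baseline value corresponding to the second measurement submodule, or the second measurement result is the same as the second baseline value corresponding to the object to be measured 104, it determines that the object to be measured 104 fails integrity verification.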
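In a feasible implementation, the second measurement module 102 includes a first measurement submodule and a second measurement submodule, and the first measurement result includes a first measurement sub-result and a second measurement sub-result. The measurement result information includes a first sub-PCR value, a second sub-PCR value, and a second PCR value. The first sub-PCR value is obtained by the first measurement module 101 performing PCR extension on the first measurement sub-result through the TPM, the second sub-PCR value is obtained by the first measurement module 101 performing PCR extension on the second measurement sub-result through the TPM, and the second PCR value is obtained by the first measurement module 101 performing PCR extension on the second measurement result through the TPM. If the processing unit 701 determines that the first sub-PCR value is equal to the first sub-PCR check value, the second sub-PCR value is equal to the second sub-PCR check value, and the second PCR value is equal to the second PCR check value, it determines that the object to be measured 104 passes integrity verification. If the processing unit 701 determines that the first sub-PCR value is not equal to the first sub-PCR check value, or the second sub-PCR value is not equal to the second sub-PCR check value, or the second PCR value is not equal to the second PCR check value, it determines that the object to be measured 104 fails integrity verification. The first sub-PCR check value is obtained by the attestation module 103 performing PCR extension on the first sub-baseline value corresponding to the second measurement module 102 and the first initial sub-PCR value. The second sub-PCR check value is obtained by the attestation module 103 performing PCR extension on the second sub-baseline value corresponding to the second measurement module 102 and the second initial sub-PCR value. The second PCR check value is obtained by the attestation module 103 performing PCR extension on the second baseline value corresponding to the object to be measured 104 and the second initial PCR value.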
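Refer also to FIG. 7. The integrity measurement apparatus 70 may also be the second measurement module 102 described above. In a specific implementation, the processing unit 701 is configured to, when it is determined that the first measurement module 101 performs integrity measurement on the second measurement module 102, perform integrity measurement on the object to be measured 104 to obtain the second measurement result, where the trustworthiness of the first measurement module 101 is higher than that of the second measurement module 102. The transceiver unit 702 is configured to send the second measurement result to the first measurement module 101.
In a feasible implementation, if the processing unit 701 determines that the transceiver unit 702 has received the first measurement indication information, it may determine that the first measurement module 101 has performed integrity measurement on it.
It should be noted that, when one or more of the first measurement module 101, the second measurement module 102, the attestation module 103, and the object to be measured 104 operate in the integrity measurement apparatus 70 at the same time, the processing unit 701 and the transceiver unit 701 may respectively perform the functions corresponding to one or more of the first measurement module 101, the second measurement module 102, the attestation module 103, and the object to be measured 104. For the specific implementation process, refer to the foregoing description. Details are not repeated here.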
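Refer to FIG. 8. FIG. 8 is a schematic structural diagram of another integrity measurement apparatus according to an embodiment of this application. Depending on the level of integration, the integrity measurement apparatus 80 may include one or more of the components shown in FIG. 8, and may be used to perform the methods or steps involving the first measurement module 101 in the foregoing embodiments. As shown in FIG. 8, the integrity measurement apparatus 80 may include a processor 801, a memory 802, and a transceiver 803. The processor 801, the transceiver 803, the memory 802, and the like are connected through a bus or in another manner. The embodiments of this application do not limit the specific connection medium between these components. In one example, the integrity measurement apparatus 80 may be a complete device that implements the integrity measurement method in the foregoing embodiments. In another example, the integrity measurement apparatus 80 may be a chip system or processing system that is used in a complete device and controls the complete device to implement the integrity measurement method in the foregoing embodiments. The chip system or processing system may include a processor and, optionally, a computer-readable storage medium/memory.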
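In a specific implementation, the transceiver 803 may be configured to support communication between the first measurement module 101 and other modules (such as the second measurement module 102 and the attestation module 103). For example, the transceiver 803 may be configured to perform the process in step S230 of sending the measurement result information to the attestation module 103. As another example, the transceiver 803 may also be configured to perform the process involved in step 210 of sending the first measurement indication information to the second measurement module 102.
The processor 801 is configured to control and manage the actions of the first measurement module 101, and to perform the processing carried out by the first measurement module 101 in the foregoing embodiments. For example, the processor 801 may be configured to perform the process in step 210 of performing integrity measurement on the second measurement module 102. As another example, the processor 801 may also be configured to perform the step in step S230 of determining the measurement result information based on the first measurement result and the second measurement result.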
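Optionally, the memory 803 stores the programs, instructions, or data for executing the technical solutions of this application. For example, the memory 803 may contain instructions sufficient to allow the integrity measurement apparatus 80 to perform the functions of the first measurement module 101 involved in the foregoing embodiments.
Optionally, the processor 803 may further include a processing circuit and a communication interface circuit. The processing circuit may be configured to perform the step of determining the measurement result information described in step S230 of the embodiments, and may also be configured to perform the step of determining that the measurement trigger condition is met, as in step 200. The communication interface circuit is configured to output the information generated by the processing circuit, and may also be used to input the information received by the first measurement module, or instructions in the memory, into the processing circuit for processing.
Optionally, the memory 803 may be an internal memory located inside the processor, or may be an external memory located outside the processor and coupled to the processor.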
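Refer also to FIG. 8. The integrity measurement apparatus 80 may also be used to perform the methods or steps involving the attestation module 103 in the foregoing embodiments. For a description of the structure of the integrity measurement apparatus 80, refer to the foregoing text. Details are not repeated here. The transceiver 803 may be configured to support data transmission between the attestation module 103 and the first measurement module 101 or the second measurement module 102. For example, the transceiver 803 may be configured to perform the step of receiving the measurement result information described in step 240.
The processor 801 is configured to control and manage the actions of the attestation module 103, and to perform the processing carried out by the attestation module 103 in the foregoing embodiments. For example, the processor 801 may be configured to perform the step in step S240 of determining, based on the measurement result information, whether the object to be measured 104 passes integrity verification.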
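Optionally, the memory 802 stores the programs, instructions, or data for executing the technical solutions of this application. For example, the memory 802 may contain instructions sufficient to allow the integrity measurement apparatus 80 to perform the functions involving the attestation module 103 in any of the foregoing embodiments.
Optionally, the processor 802 may include a processing circuit and a communication interface circuit. The processing circuit may be configured to determine, based on the measurement result information, whether the object to be measured 104 passes integrity verification. The communication interface circuit is configured to output the information generated by the processing circuit, and may also be used to input the information received by the attestation module 103, or instructions in the memory, into the processing circuit for processing.
Optionally, the memory 802 may be an internal memory located inside the processor, or may be an external memory located outside the processor and coupled to the processor.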
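Refer also to FIG. 8. The integrity measurement apparatus 80 may also be used to perform the methods or steps involving the second measurement module 102 in the foregoing embodiments. For a description of the structure of the integrity measurement apparatus 80, refer to the foregoing text. Details are not repeated here. The transceiver 803 may be configured to support data transmission between the second measurement module 102 and the first measurement module 101 or the attestation module 103. For example, the transceiver 803 may be configured to perform the step of receiving the first measurement result information described in step S210, and may also be configured to perform the step of sending the second measurement result to the first measurement module 101 described in step S220.
The processor 801 is configured to control and manage the actions of the attestation module 103, and to perform the processing carried out by the attestation module 103 in the foregoing embodiments. For example, the processor 801 may be configured to perform the step in step S240 of determining, based on the measurement result information, whether the object to be measured 104 passes integrity verification.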
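Optionally, the memory 802 stores the programs, instructions, or data for executing the technical solutions of this application. For example, the memory 802 may contain instructions sufficient to allow the integrity measurement apparatus 80 to perform the functions involving the second measurement module 102 in any of the foregoing embodiments.
Optionally, the processor 802 may include a processing circuit and a communication interface circuit. The processing circuit may be used in the process of performing integrity measurement on the object to be measured 104. The communication interface circuit is configured to output the information generated by the processing circuit, and may also be used to input the information received by the second measurement module 102, or instructions in the memory, into the processing circuit for processing.
Optionally, the memory 802 may be an internal memory located inside the processor, or may be an external memory located outside the processor and coupled to the processor.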
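It should be noted that, when one or more of the first measurement module 101, the second measurement module 102, the attestation module 103, and the object to be measured 104 are implemented by the integrity measurement apparatus 80 at the same time, the processor 801, the memory 802, and the transceiver 803 may simultaneously perform the functions corresponding to one or more of the first measurement module 101, the second measurement module 102, the attestation module 103, and the object to be measured 104. For the specific implementation process, refer to the foregoing description. Details are not repeated here.
It can be understood that FIG. 8 shows only a simplified design of the integrity measurement apparatus 80. In practice, the integrity measurement apparatus 80 may contain any number of transceivers, processors, memories, and the like, and all possible implementations fall within the protection scope of the integrity measurement apparatus 80 of this application.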
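It should be noted that the processor 801 of the integrity measurement apparatus 80 may be a general-purpose processor, such as a general-purpose central processing unit, a network processor (NP), or a microprocessor, or may be an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the programs of the solutions of this application. It may also be a digital signal processor (DSP), a field-programmable gate array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The controller/processor may also be a combination that implements computing functions, for example, a combination of one or more microprocessors, or a combination of a DSP and a microprocessor. The processor generally performs logical and arithmetic operations based on program instructions stored in the memory.
The memory referred to above stores an operating system and other application programs. Specifically, a program may include program code, and the program code includes computer operation instructions. More specifically, the memory may be a read-only memory (ROM), another type of static storage device that can store static information and instructions, a random access memory (RAM), another type of dynamic storage device that can store information and instructions, a magnetic disk storage, or the like. The memory 802 may also be a combination of the foregoing storage types. In addition, the memory may be in the processor, may be outside the processor, or may be distributed across multiple entities that include the processor or a processing circuit. The memory may be embodied in a computer program product. For example, the computer program product may include a computer-readable medium in packaging material.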
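An embodiment of this application further provides a computer-readable medium on which a computer program is stored. When the computer program is executed by a computer, the methods or steps performed by the first measurement module 101, the second measurement module 102, or the attestation module 103 in the foregoing embodiments are implemented.
An embodiment of this application further provides a computer program product. When the computer program product is executed by a computer, the methods or steps performed by the first measurement module 101, the second measurement module 102, or the attestation module 103 in the foregoing embodiments are implemented.
An embodiment of this application further provides a chip or chip system. The chip or chip system includes a processor, configured to support the first measurement module 101, the second measurement module 102, the attestation module 103, and the object to be measured 104 in implementing the functions involved in the foregoing embodiments, for example, generating or processing the data and/or information involved in the foregoing methods. In a possible design, the chip system may further include a memory, configured to store the necessary program instructions and data. When the processor runs the program instructions, the apparatus in which the chip or chip system is installed implements the methods involved in the foregoing embodiments. The chip system may consist of chips, or may include chips and other discrete devices.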
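The steps of the methods or algorithms described in connection with the disclosure of this application may be implemented in hardware, or may be implemented by a processor executing software instructions. The software instructions may consist of corresponding software modules, and the software modules may be stored in RAM, flash memory, ROM, EPROM, EEPROM, a register, a hard disk, a removable hard disk, a CD-ROM, or any other form of storage medium well known in the art. An exemplary storage medium is coupled to the processor, so that the processor can read information from the storage medium and can write information to the storage medium. Of course, the storage medium may also be a component of the processor. The processor and the storage medium may be located in an ASIC. In addition, the ASIC may be located in user equipment. Of course, the processor and the storage medium may also exist in user equipment as discrete components.
It should be understood that the terms "system" and "network" in the embodiments of this application are often used interchangeably. The term "and/or" in this embodiment describes only an association relationship between associated objects and indicates that three relationships may exist. For example, A and/or B may indicate the following three cases: only A exists, both A and B exist, and only B exists. In addition, the character "/" in this document generally indicates an "or" relationship between the associated objects before and after it.
A person skilled in the art should be aware that, in one or more of the foregoing examples, the functions described in this application may be implemented by hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored in a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium. Computer-readable media include computer storage media and communication media, where communication media include any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
The specific implementations described above further describe the objectives, technical solutions, and beneficial effects of this application in detail. It should be understood that the foregoing descriptions are merely specific implementations of this application and are not intended to limit the protection scope of this application. Any modification, equivalent replacement, improvement, or the like made on the basis of the technical solutions of this application shall fall within the protection scope of this application.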

Claims (19)

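  1. An integrity measurement method, wherein the method comprises:
    performing, by a first measurement module, integrity measurement on a second measurement module to obtain a first measurement result, wherein the trustworthiness of the first measurement module is higher than the trustworthiness of the second measurement module;
    receiving, by the first measurement module, a second measurement result sent by the second measurement module, wherein the second measurement result is obtained by the second measurement module performing integrity measurement on an object to be measured; and
    sending, by the first measurement module, measurement result information to an attestation module, wherein the measurement result information is determined from the first measurement result and the second measurement result, and the attestation module is configured to determine, based on the measurement result information, whether the object to be measured passes integrity verification.
  2. The method according to claim 1, wherein the first measurement module is a preset root of trust for measurement.
  3. The method according to claim 1 or 2, wherein the first measurement module is a dynamic integrity measurement (DIM) trusted execution environment (TEE) module or a hardware security module (HSM), and the second measurement module is a DIM module.
  4. The method according to claim 1 or 2, wherein the second measurement module comprises a first measurement submodule and a second measurement submodule, the first measurement module is an HSM, the first measurement submodule is a DIM TEE module, and the second measurement submodule is a DIM module.
  5. The method according to any one of claims 1 to 4, wherein the object to be measured comprises a memory code segment or a static file.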
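  6. The method according to any one of claims 1 to 5, wherein before the first measurement module performs integrity measurement on the second measurement module to obtain the first measurement result, the method further comprises:
    determining, by the first measurement module, that a preset measurement trigger condition is met, wherein the measurement trigger condition is arrival of a preset measurement period, or the measurement trigger condition is occurrence of a preset system abnormal event, or the measurement trigger condition is receipt of a measurement trigger instruction from a user.
  7. The method according to claim 6, wherein when the measurement trigger condition is occurrence of a preset system abnormal event, the determining, by the first measurement module, that the preset trigger condition is met comprises:
    if the first measurement module receives a system abnormality message sent by an intrusion detection system (IDS), determining that the preset trigger condition is met, wherein the system abnormality message is sent by the IDS when it detects that the system abnormal event has occurred.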
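  8. The method according to any one of claims 1 to 7, wherein the method further comprises:
    receiving, by the attestation module, the measurement result information, wherein the measurement result information comprises the first measurement result and the second measurement result;
    if the attestation module determines that the first measurement result is the same as a first baseline value corresponding to the second measurement module and that the second measurement result is the same as a second baseline value corresponding to the object to be measured, determining that the object to be measured passes integrity verification; and
    if the attestation module determines that the first measurement result is different from the first baseline value, or determines that the second measurement result is different from the second baseline value, determining that the object to be measured fails integrity verification.
  9. The method according to any one of claims 1 to 7, wherein the method further comprises:
    receiving, by the attestation module, the measurement result information, wherein the measurement result information contains a first PCR value and a second PCR value, the first PCR value is obtained by the first measurement module performing PCR extension on the first measurement result through a trusted platform module (TPM), and the second PCR value is obtained by the first measurement module performing PCR extension on the second measurement result through the TPM;
    if the attestation module determines that the first PCR value is equal to a first PCR check value and that the second PCR value is equal to a second PCR check value, determining that the object to be measured passes integrity verification; and
    if the attestation module determines that the first PCR value is not equal to the first PCR check value, or determines that the second PCR value is not equal to the second PCR check value, determining that the object to be measured fails integrity verification.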
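  10. The method according to any one of claims 4 to 7, wherein the first measurement result comprises a first measurement sub-result corresponding to the first measurement submodule and a second measurement sub-result corresponding to the second measurement submodule, and the method further comprises:
    receiving, by the attestation module, the measurement result information, wherein the measurement result information comprises the first measurement sub-result, the second measurement sub-result, and the second measurement result;
    if the attestation module determines that the first measurement sub-result is the same as a first sub-baseline value corresponding to the first measurement submodule, the second measurement sub-result is the same as a second sub-baseline value corresponding to the second measurement submodule, and the second measurement result is the same as a second baseline value corresponding to the object to be measured, determining that the object to be measured passes integrity verification; and
    if the attestation module determines that the first measurement sub-result is different from the first sub-baseline value corresponding to the first measurement submodule, or the second measurement sub-result is different from the second sub-baseline value corresponding to the second measurement submodule, or the second measurement result is the same as the second baseline value corresponding to the object to be measured, determining that the object to be measured fails integrity verification.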
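  11. The method according to any one of claims 4 to 7, wherein the first measurement result comprises a first measurement sub-result corresponding to the first measurement submodule and a second measurement sub-result corresponding to the second measurement submodule, and the method further comprises:
    receiving, by the attestation module, the measurement result information, wherein the measurement result information comprises a first sub-PCR value, a second sub-PCR value, and a second PCR value, the first sub-PCR value is obtained by the first measurement module performing PCR extension on the first measurement sub-result through a TPM, the second sub-PCR value is obtained by the first measurement module performing the PCR extension on the second measurement sub-result through the TPM, and the second PCR value is obtained by the first measurement module performing PCR extension on the second measurement result through the TPM;
    if the attestation module determines that the first sub-PCR value is equal to a first sub-PCR check value, the second sub-PCR value is equal to a second sub-PCR check value, and the second PCR value is equal to a second PCR check value, determining that the object to be measured passes integrity verification; and
    if the attestation module determines that the first sub-PCR value is not equal to the first sub-PCR check value, or the second sub-PCR value is not equal to the second sub-PCR check value, or the second PCR value is not equal to the second PCR check value, determining that the object to be measured fails integrity verification;
    wherein the first sub-PCR check value is obtained by the attestation module performing PCR extension on a first baseline value corresponding to the first measurement submodule and a first initial PCR value, the second sub-PCR check value is obtained by the attestation module performing the first PCR extension on a second baseline value corresponding to the second measurement submodule and a second initial PCR threshold, and the second PCR check value is obtained by the attestation module performing PCR extension on the second baseline value corresponding to the object to be measured and a third initial PCR value.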
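  12. An integrity measurement apparatus, wherein the integrity measurement apparatus comprises a first measurement module:
    the first measurement module is configured to perform integrity measurement on a second measurement module to obtain a first measurement result, wherein the trustworthiness of the first measurement module is higher than the trustworthiness of the second measurement module;
    the first measurement module is further configured to receive a second measurement result sent by the second measurement module, wherein the second measurement result is obtained by the second measurement module performing integrity measurement on an object to be measured;
    the first measurement module is further configured to determine measurement result information based on the first measurement result and the second measurement result; and
    the first measurement module is further configured to send the measurement result information to an attestation module, wherein the attestation module is configured to determine, based on the measurement result information, whether the object to be measured passes integrity verification.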
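  13. The integrity measurement apparatus according to claim 12, wherein the integrity measurement apparatus further comprises at least one of the attestation module, the second measurement module, and the object to be measured.
  14. The integrity measurement apparatus according to claim 12 or 13, wherein the first measurement module is a root of trust for measurement.
  15. The integrity measurement apparatus according to any one of claims 12 to 14, wherein the first measurement module is a DIM TEE or an HSM, and the second measurement module is a DIM module.
  16. The integrity measurement apparatus according to any one of claims 12 to 14, wherein the second measurement module comprises a first measurement submodule and a second measurement submodule, the first measurement module is an HSM, the first measurement submodule is a DIM TEE module, and the second measurement submodule is a DIM module.
  17. The integrity measurement apparatus according to any one of claims 12 to 16, wherein the integrity measurement apparatus is a chip or a chip system.
  18. An integrity measurement apparatus, wherein the integrity measurement apparatus comprises a processor and a memory, the memory stores code, and the processor runs the code to implement the integrity measurement method according to any one of claims 1 to 11.
  19. A computer-readable storage medium, wherein the readable storage medium stores program instructions, and when the program instructions are run, the integrity measurement method according to any one of claims 1 to 11 is performed.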
PCT/CN2021/098477 2020-08-04 2021-06-04 Integrity measurement method and integrity measurement apparatus WO2022028081A1 (zh)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP21853166.3A EP4184367A4 (en) 2020-08-04 2021-06-04 INTEGRITY MEASUREMENT METHOD AND INTEGRITY MEASUREMENT DEVICE

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010772453.1A CN114091110A (zh) 2020-08-04 2020-08-04 Integrity measurement method and integrity measurement apparatus
CN202010772453.1 2020-08-04

Publications (1)

Publication Number Publication Date
WO2022028081A1 true WO2022028081A1 (zh) 2022-02-10

Family

ID=80119893

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/098477 WO2022028081A1 (zh) 2020-08-04 2021-06-04 Integrity measurement method and integrity measurement apparatus

Country Status (3)

Country Link
EP (1) EP4184367A4 (zh)
CN (1) CN114091110A (zh)
WO (1) WO2022028081A1 (zh)


Also Published As

Publication number Publication date
EP4184367A4 (en) 2024-01-24
CN114091110A (zh) 2022-02-25
EP4184367A1 (en) 2023-05-24


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21853166; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2021853166; Country of ref document: EP; Effective date: 20230215)
NENP Non-entry into the national phase (Ref country code: DE)