WO2022199807A1 - Device and method for managing resource access - Google Patents

Publication number
WO2022199807A1
Authority
WO
WIPO (PCT)
Prior art keywords
resource
address
program
access
instruction
Application number
PCT/EP2021/057537
Other languages
English (en)
Inventor
Igor STOPPA
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Priority to PCT/EP2021/057537
Publication of WO2022199807A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1416 Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F12/1425 Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
    • G06F12/1441 Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block for a range
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30 Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/30181 Instruction operation extension or modification
    • G06F9/30185 Instruction operation extension or modification according to one or more bits in the instruction, e.g. prefix, sub-opcode
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30 Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/32 Address formation of the next instruction, e.g. by incrementing the instruction counter
    • G06F9/321 Program or instruction counter, e.g. incrementing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30 Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/38 Concurrent instruction execution, e.g. pipeline or look ahead
    • G06F9/3836 Instruction issuing, e.g. dynamic instruction scheduling or out of order instruction execution
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/468 Specific access rights for resources, e.g. using capability register

Definitions

  • the present disclosure relates to computer systems and devices, in particular, to resource management.
  • the present disclosure is concerned with a conditional availability of the resources.
  • the present disclosure provides a device and method for managing resource access of a program executing instructions to access a resource.
  • the computer hardware supports enforcing the access to only a limited amount of resources, and these are the resources that intervene in creating higher-privilege software, such as operating systems and hypervisors.
  • instead of relying on hardware enforcement, first the hypervisor and then the operating system are in charge of both implementing a mechanism and then enforcing a policy.
  • the purpose of restraining access to the key resources is that malicious code might attempt to circumvent existing blocks, and take direct control over these resources.
  • embodiments of the present disclosure aim to improve the conventional protection mechanisms.
  • An objective is to provide conditional resource availability, which is also suitable for simple computational devices like microcontrollers.
  • a hardware support for managing resource access is desired.
  • a first aspect of this disclosure provides a device for managing resource access, the device comprising processing circuitry configured to, when a program executes instructions to access a resource: obtain an address of a current instruction currently executed by the program and an identification of the resource; and permit the program to access the resource, if the address of the current instruction is within an address range associated with the resource according to a resource configuration, and deny the program to access the resource otherwise, wherein the resource configuration comprises an association between one or more resources and one or more address ranges, each resource being associated with at least one address range.
  • the device of the first aspect is able to implement conditional resource availability, in particular, by means of its processing circuitry and the resource configuration.
  • the resource configuration may be hardware-implemented by the processing circuitry.
  • Conditional resource availability in this case means that the resources are only available, if the condition of the address of the current instruction being within the address range associated with the resource (according to the resource configuration) is fulfilled.
  • the conditional resource availability provided by the device of the first aspect is suitable for all kinds of computational devices, also microcontrollers, due to its low complexity.
  • the software attack surface may be reduced. Also, the mechanism may become harder for an attacker to detect and reverse-engineer, since there is less or no code to disassemble.
  • the device of the first aspect also does not require a separate “protected mode”, nor any special binary code.
  • the resource configuration comprises a resource table including an identification of each of the one or more resources and the one or more address ranges.
  • the device is configured to obtain the resource configuration by loading the resource configuration during a boot of the processing circuitry.
  • the resource configuration may be written into the processing circuitry, i.e., it may be hardware-implemented.
  • the resource configuration is hard-wired into the processing circuitry.
  • the device is configured to obtain an address of a next instruction that will be executed by the program next after the current instruction; and permit the program to access the resource, if the address of the current instruction and the address of the next instruction are within the same address range associated with the resource, and deny the program to access the resource otherwise, and/or if the address of the current instruction is within the address range associated with the resource and if the address of the next instruction is an entry point address within a second address range associated with the resource; and deny the program to access the resource otherwise.
  • the entry point address is the first address in the second address range; or the entry point address is a tagged address in the second address range.
  • the address range associated with the resource is an address range on a system bus.
  • the resource comprises or designates a memory region of a memory; or the address range associated with the resource is an address range of a memory; or the resource comprises at least one of: a variable in a memory region of a data memory; a code in a memory region of a program memory; an internet protocol, IP, block; a memory mapped device.
  • the device is further configured to tag each instruction executed by the program with a resource tag, the resource tag indicating the resource the instruction attempts to access; and place each instruction in a memory region designated by the resource indicated by the resource tag of the instruction; or group multiple instructions into a memory region designated by the resources indicated by the resource tags of the instructions.
  • the one or more resources are restricted resources of a plurality of resources, the restricted resources being pre-determined or programmable into the processing circuitry.
  • the processing circuitry comprises an instruction decoder configured to obtain the address of the current instruction and the identification of the resource.
  • the processing circuitry comprises a resource access block configured to combine the address of the current instruction, the resource identification and the resource configuration to permit or deny the program to access the resource.
  • a second aspect of this disclosure provides a method for managing resource access, the method comprising, when a program executes instructions to access a resource: obtaining an address of a current instruction currently executed by the program and an identification of the resource; and permitting the program to access the resource, if the address of the current instruction is within an address range associated with the resource according to a resource configuration, and denying the program to access the resource otherwise, wherein the resource configuration comprises an association between one or more resources and one or more address ranges, each resource being associated with at least one address range.
  • the method is hardware-implemented by processing circuitry.
  • the resource configuration comprises a resource table including an identification of each of the one or more resources and the one or more address ranges.
  • the method comprises obtaining the resource configuration by loading the resource configuration during a boot of the processing circuitry.
  • the resource configuration is hard-wired into processing circuitry.
  • the method comprises obtaining an address of a next instruction that will be executed by the program next after the current instruction; and permitting the program to access the resource, if the address of the current instruction and the address of the next instruction are within the same address range associated with the resource, and denying the program to access the resource otherwise, and/or if the address of the current instruction is within the address range associated with the resource and if the address of the next instruction is an entry point address within a second address range associated with the resource; and denying the program to access the resource otherwise.
  • the entry point address is the first address in the second address range; or the entry point address is a tagged address in the second address range.
  • the address range associated with the resource is an address range on a system bus.
  • the resource comprises or designates a memory region of a memory; or the address range associated with the resource is an address range of a memory; or the resource comprises at least one of: a variable in a memory region of a data memory; a code in a memory region of a program memory; an internet protocol, IP, block; a memory mapped device.
  • the method comprises tagging each instruction executed by the program with a resource tag, the resource tag indicating the resource the instruction attempts to access; and placing each instruction in a memory region designated by the resource indicated by the resource tag of the instruction; or grouping multiple instructions into a memory region designated by the resources indicated by the resource tags of the instructions.
  • the one or more resources are restricted resources of a plurality of resources, the restricted resources being pre-determined or programmable into the processing circuitry.
  • the method of the second aspect and its implementation forms provide the same advantages as described above for the device of the first aspect and its corresponding implementation forms.
  • a third aspect of this disclosure provides a computer program comprising a program code for performing the method according to the second aspect or any of its implementation forms when executed on a computer.
  • a fourth aspect of the present disclosure provides a non-transitory storage medium storing executable program code which, when executed by a processor, causes the method according to the second aspect or any of its implementation forms to be performed.
  • an address-based conditional resource availability is provided.
  • a resource may be identified in many ways, for example, through its address on the system bus.
  • a protected resource is made available exclusively under one or more certain conditions, and access to the resource is otherwise denied.
  • certain protected resources are made available only while code (including the instructions) being executed by the program is within a determined address range(s), e.g. in a special memory region, as configured by the resource configuration.
  • specific code sections e.g., specific instructions
  • a linker script may place them accordingly.
  • only specific addresses may be allowed as legal entry points within a determined address range(s).
  • no special mode execution is required for gating access to the resources, therefore removing a possible attack vector (compromising the access to the special mode), and the need for separate programs.
  • the correspondence between the address ranges and the resources according to the resource configuration does not have to be hardcoded, but it can be, for example, loaded as one-off operation at boot, from flash or ROM.
  • FIG. 1 shows a device according to an embodiment of this disclosure.
  • FIG. 2 shows in (a) an exemplary implementation of a resource configuration of a device according to an embodiment of this disclosure, and shows in (b) an exemplary tagging of address ranges of the resource configuration.
  • FIG. 3 illustrates an example of tagging in a special memory layout.
  • FIG. 4 shows in (a) an example of a linker file including linker sections, and shows in (b) a special section included in the linker sections.
  • FIG. 5 shows details of a device according to an embodiment of this disclosure.
  • FIG. 6 illustrates decisions taken by a device according to an embodiment of this disclosure regarding resource access.
  • FIG. 7 shows a method according to an embodiment of this disclosure.
  • FIG. 1 shows a device 100 according to an embodiment of this disclosure.
  • the device 100 is configured to manage resource(s) access, for instance, in a computer system.
  • the device 100 is configured to determine whether a program 110 (i.e., software), which executes an instruction to access a resource 120, is permitted to access the resource 120 or is denied to access the resource 120.
  • the permission or denial to access the resource 120 is based on a condition, so that the device 100 is able to implement conditional resource availability.
  • the program 110 may of course execute multiple instructions, e.g. consecutively, which may be referred to as an execution flow (of instructions).
  • the instructions may be part of or form a code executed by the program 110.
  • the device 100 comprises processing circuitry (not shown explicitly), for instance a processor or microcontroller, wherein the processing circuitry may be configured to perform, conduct or initiate the various operations of the device 100 described herein.
  • the processing circuitry may comprise hardware and/or the processing circuitry may be controlled by software.
  • the hardware may comprise analog circuitry or digital circuitry, or both analog and digital circuitry.
  • the digital circuitry may comprise components such as application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), or multi-purpose processors.
  • the device 100 may further comprise memory circuitry, which stores one or more instruction(s) that can be executed by the processing circuitry, in particular under control of the software.
  • the memory circuitry may comprise a non-transitory storage medium storing executable software code which, when executed by the processing circuitry, causes the various operations of the device 100 to be performed.
  • the processing circuitry comprises one or more processors and a non-transitory memory connected to the one or more processors.
  • the non-transitory memory may carry executable program code which, when executed by the one or more processors, causes the device 100 to perform, conduct or initiate the operations or methods described herein.
  • the processing circuitry is configured to obtain an address 101 of a current instruction, i.e., an instruction that is currently executed by the program 110.
  • the instruction may be provided to the device 100, e.g., by the program 110, or may be obtained by the device 100, e.g., by intercepting it, and may be used as an input into the processing circuitry.
  • an instruction may be a part of a code executed by the program 110.
  • the code may comprise multiple instructions, i.e., executing the code may execute an execution flow of instructions.
  • the code may be stored in a memory, e.g., a program memory. Accordingly, the address 101 of each instruction (including the current instruction and one or more next instructions executed by the program 110) may refer to an address of this (program) memory.
  • the processing circuitry may obtain an identification 102 of the resource 120.
  • the device 100 may derive the identification 102 of the resource 120 from the instruction executed by the program 110, or may obtain it from the resource 120 itself based on information in the instruction, or the like. Then, the device 100 may permit or deny the access of the program 110 (particularly of the instruction executed by the program 110) to the resource 120 based on a resource configuration 104.
  • the resource configuration 104 may, for example, be hard-wired into the processing circuitry of the device 100, or may be obtained by loading it during a boot of the processing circuitry.
  • the resource configuration 104 comprises an association between one or more resources 120 and one or more address ranges 103, wherein each resource 120 is associated with at least one address range 103.
  • the one or more resources 120 may, in particular, be restricted (key) resources 120, e.g. of a plurality of resources 120 that are totally available.
  • the restricted resources 120 may be pre-determined or programmable into the processing circuitry.
  • the processing circuitry is configured to permit the program 110 to access the resource 120, if the address 101 of the current instruction is within an address range 103 that is associated with the resource 120 according to the resource configuration 104. For instance, if the instruction is included in a specific code section of the code executed by the program 110, and if this code section is stored in the program memory within the address range 103, then the access is permitted.
  • the address range 103 associated with the resource 120 may be an address range in a special memory (address) region of the memory, e.g. program memory. Otherwise, i.e., if the address 101 of the current instruction is not within an address range 103 associated with the resource 120 according to the resource configuration 104, the device 100 is configured to deny the program 110 to access the resource 120.
  • FIG. 2a shows an example of a resource configuration 104, as it may be used by the device 100 of FIG. 1 to determine whether the program 110 is allowed to access the resource 120 or not.
  • the resource configuration 104 is implemented as, or at least comprises, a resource table, which includes an identification 102 of each of the one or more resources 120 (here “Res 1”, “Res 2”, etc.) and further includes the one or more address ranges 103 (here “Range 1”, “Range 2”, etc.), in particular, associated with the one or more identifications 102.
  • FIG. 2a assumes, as an example, that the hardware (i.e., the processing circuitry of the device 100) supports gating (i.e., resource(s) access management) through N address ranges 103 and M resources 120, wherein N and M are both integers > 1.
  • the resource configuration 104 may be designed as illustrated in FIG. 2a.
  • the table may include a start address (“Range start”) and an end address (“Range end”).
  • the addresses of the address ranges 103 may be addresses of a memory, particularly, a program memory.
  • One or more of the resources 120 may be associated with each of the address ranges 103, for example, this may be indicated by one or more bits or other table entries (as shown).
  • the device 100 may be configured to generate the resource configuration 104 to be loaded during boot (of the device 100 or its processing circuitry), and the device 100 may further use the resource configuration 104 for restricting resource(s) access based on code position (i.e., based on the address 101 of the instruction executed by the program 110).
  • FIG. 2b shows that the one or more address ranges 103, which are each associated with at least one resource 120, may be tagged.
  • one or more tags may be provided to each of the address ranges 103, or to individual addresses or to address sub-ranges in each address range 103.
  • each instruction executed by the program 110 may be provided with such a tag, i.e., with the tag provided to the address 101 of the instruction (in its address range 103).
  • the instruction may be provided with a certain function.
  • an entry point tag 201 and/or another tag 202 may be provided to an address, an address sub-range, or an address range 103.
  • An entry point tag 201 may define an entry point of the address range 103 - as explained with respect to FIG. 4. Further, each other tag 202 may define any other function.
  • the tags may also indicate the resource 120, which the instruction at the corresponding address 101 in the address range 103 attempts to access.
  • the device 100 may be configured to, based on the tag, place each instruction in a memory region designated by the resource 120, or group multiple instructions into a memory region designated by the one or more resources 120 indicated by the tags (if the resource 120 designates a memory region).
  • FIG. 3 shows an example of how the entry point tagging may be used.
  • different addresses, different address sub-ranges, or different address ranges 103 may be provided with entry point tags (or not).
  • “f1()”, “f2()” and “f3()” may indicate addresses or address sub-ranges in the address range 1.
  • “f4()” may indicate an address or address sub-range in the address range 2.
  • “f5()” may indicate an address or address sub-range in address range 3.
  • “f6()”, “f7()” and “f8()” may indicate addresses or address sub-ranges in address range N.
  • f1() is tagged as an entry point for address range 1.
  • f4() is tagged as an entry point for address range 2.
  • f5() is tagged as an entry point for address range 3.
  • f6() is tagged as an entry point for address range N.
  • allowed (legal) execution flows of instructions are from any instruction address to a next instruction address at any of f1(), f4(), f5(), and f6(), since these are all entry points (entry point addresses) of their address ranges 103.
  • An entry point address may be a first address in an address range 103, or any tagged address.
  • execution flows are allowed from an instruction address at f1() to a next instruction address at f2() or f3(), since they are both in the same address range 103 as f1(), or to an instruction address at f4(), f5() or f6(), since these are entry points of other address ranges 103, or to any outside instruction address.
  • Not allowed (illegal) execution flows are from any instruction address to a next instruction address at f2(), f3(), f7() or f8(), since these are not entry points of their respective address ranges 103, or from an instruction address outside the address ranges 103 (i.e., from an address outside of each range 1-N) to an instruction address at any non-entry point address.
  • the device 100 may obtain the address 101 of a current instruction and an address of a next instruction that will be executed by the program 110 next after the current instruction. These instructions and their addresses are part of an execution flow.
  • the device 100 may now be configured to permit the program 110 to access the resource 120, if the address 101 of the current instruction and the address of the next instruction are within the same address range 103 associated with the resource 120 (in FIG. 3, for example, from f1() to any of f2() or f3()), and/or if the address 101 of the current instruction is within the address range 103 associated with the resource and if the address of the next instruction is an entry point address within a second address range 103 associated with the resource 120 (in FIG. 3, for example, from f1() to any of f4(), f5() or f6()). Otherwise, if neither condition is fulfilled, the device 100 may deny the program 110 to access the resource 120.
  • FIG. 4 shows an example of a linker file, which may be used to define one or more address ranges 103, e.g., in a memory (like a program memory). These address ranges 103 may be special address ranges (i.e., denote a special region of the memory) as they may define the only addresses from which instructions 101 may access certain one or more resources 120, i.e., resources 120 to which the device 100 manages the access.
  • the linker file may comprise linker sections 401 as shown in FIG. 3a.
  • the linker sections 401 may comprise a special section 402, which is highlighted in FIG. 3b.
  • the special section can be one of: pre-defined, i.e., the special section 402 will have to be explicitly placed accordingly; programmable, i.e., the special section 402 can be defined freely, but configuration data must be produced accordingly.
  • the special section 402 may indicate the address ranges 103, from which access to the resources 120 is permitted.
  • FIG. 5 shows a device 100 according to an embodiment of this disclosure, which builds on the embodiment shown in FIG. 1. Same elements in FIG. 1 and FIG. 5 are labelled with the same reference signs, and may be implemented likewise.
  • FIG. 5 shows that the device 100 may comprise an instruction decoder 501, program counter 503 and pre-fetch unit, which may be configured to obtain the address 101 of the current instruction executed by the program 110.
  • the instructions of the program 110 (code; execution flow) may be stored in the program memory 500.
  • the program memory 500 may have a special memory region, which defines the one or more address ranges 103, which are associated with the one or more resources 120 in the resource configuration (here a table).
  • instruction decoder 501 may be configured to obtain the identification(s) 102 of the resource(s) 120.
  • the device 100 may comprise a resource access block 502, which is configured to combine the address 101 of the current instruction, the resource identification(s) 102 and the resource configuration 104 (e.g., table) to permit or deny the program 110 to access the resource(s) 120.
  • the resource access block 502 may perform either “resource gating” or “branch vetting”, as will be explained with respect to FIG. 6a and 6b, respectively.
  • the resource access block 502 may manage access to the program memory 500.
  • the program memory 500 also comprises one or more resources 120, for example, a variable in a data memory region of the program memory 500, and/or a code in a code memory region of the program memory 500, or a memory mapped device.
  • the resource 120 may comprise or designate the (special) memory region of the memory 500.
  • the resource access block 502 may, however, also manage access of a resource user (program) 110 to other resources.
  • FIG. 6a shows a block diagram, which describes the so-called “resource gating”.
  • the program 110 attempts to access a resource 120
  • both the resource identification 102 and the address 101 of the current instruction, which triggers the access to the resource 120 are cross-referenced through the resource configuration 104 (in this case it is implemented as a resource access matrix).
  • the output of the cross-referencing is the decision of the device 100 either to grant access or to reject access of the program 110 to the resource 120.
  • FIG. 6b shows a block diagram, which describes the so-called “branch vetting”.
  • the address 101 of the current instruction and the address 601 of the next instruction are cross-referenced through the resource configuration 104 (again, a resource access matrix). If both the address 101 of the current instruction and the address 601 of the next instruction belong to the same address range 103, then the address 601 of the next instruction is allowed to be any address within that same address range 103, for accessing the resource 120.
  • otherwise, the address 601 of the next instruction is only allowed to be the entry point address (e.g., the first address) within its address range 103, for accessing the resource 120.
  • Some examples include: (a) for a data memory, e.g., to limit access to control or state variables, which could be overwritten or exfiltrated; (b) for a program memory 500, e.g., to limit access to code controlling sensitive devices; (c) for IP blocks, e.g., to control access to some critical IP blocks, e.g., by gating their connection to an interconnect bus; (d) for memory mapped devices, e.g., to allow only specific code to take control of the memory mapped devices.
  • each entry point may vet the environment prior to proceeding with the protected functionality.
  • FIG. 7 shows a method 700 according to an embodiment of this disclosure.
  • the method 700 is for managing resource access.
  • the method 700 may be performed by the device 100 as described in FIG. 1 or FIG. 5.
  • the method 700 is performed, when a program 110 executes instructions to access a resource 120.
  • the method 700 comprises in this case a step 701 of obtaining an address of a current instruction currently executed by the program 110 and an identification 102 of the resource 120.
  • the method 700 comprises a step 702 of permitting the program 110 to access the resource 120, if the address 101 of the current instruction is within an address range 103 associated with the resource 120 according to a resource configuration 104, and denying the program 110 access to the resource 120 otherwise.
  • the resource configuration 104 comprises an association between one or more resources 120 and one or more address ranges 103, each resource 120 being associated with at least one address range 103.
  • the gating mechanism is implemented primarily through a hardware block, instead of a program, reducing the software attack surface. It is harder for an attacker to detect and reverse engineer, since there is no code to disassemble (the resource table can be hardwired). There is no need for a separate “protected mode”, nor for special binary code. In case both secure and non-secure versions of the same HW exist (with and without this invention), the same binary can run unmodified on both. The mechanism is intrinsically resilient to ROP/JOP: even if the primary program is compromised, a safe state can be restored upon branching to any of the authorized entry points.
  • Usage scenarios of the embodiments of this disclosure include: hardening of resource utilization (especially for microcontrollers); defense from ROP/JOP; protection from reverse-engineering in internet of things (IoT), and embedded devices widely exposed to physical attacks.
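
The resource gating (FIG. 6a) and branch vetting (FIG. 6b) checks described above, modelled in software as an added example; this is not code from the patent, which describes a hardware block. The table contents, the names `gate_access` and `vet_branch`, and two rules are assumptions: that the entry-point restriction applies to branches arriving from outside a range, and that branches to unprotected code are unrestricted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the resource configuration 104: each row associates
 * one resource id with one address range of code allowed to access it. */
typedef struct { uint32_t start, end; } range_t;     /* inclusive bounds */
typedef struct { uint32_t resource_id; range_t range; } entry_t;
static const entry_t resource_config[] = {           /* constructed sample values */
    { 1u, { 0x1000u, 0x10FFu } },   /* resource 1: e.g. a control variable */
    { 2u, { 0x2000u, 0x20FFu } },   /* resource 2: e.g. a mapped device    */
    { 2u, { 0x3000u, 0x303Fu } },   /* a resource may have several ranges  */
};
#define N_ENTRIES (sizeof resource_config / sizeof resource_config[0])

static bool in_range(const range_t *r, uint32_t a) {
    return a >= r->start && a <= r->end;
}

/* Resource gating: permit only if the current instruction address lies in
 * a range associated with the requested resource; deny otherwise. */
bool gate_access(uint32_t cur_addr, uint32_t resource_id) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (resource_config[i].resource_id == resource_id &&
            in_range(&resource_config[i].range, cur_addr))
            return true;
    return false;
}

/* Index of the range containing addr, or -1 for unprotected code. */
static int range_of(uint32_t addr) {
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (in_range(&resource_config[i].range, addr)) return (int)i;
    return -1;
}

/* Branch vetting: within one range any target is allowed; a branch into a
 * range from elsewhere must land on its entry point (assumed: first address). */
bool vet_branch(uint32_t cur_addr, uint32_t next_addr) {
    int dst = range_of(next_addr);
    if (dst < 0) return true;                    /* target is not protected */
    if (range_of(cur_addr) == dst) return true;  /* intra-range branch      */
    return next_addr == resource_config[dst].range.start;
}

int main(void) {
    return (gate_access(0x1010u, 1u) && !vet_branch(0x5000u, 0x2004u)) ? 0 : 1;
}
```

The refused branch in `main` is the case the ROP/JOP claim rests on: control arriving mid-range from outside never reaches code that the gate would authorize.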

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)

Abstract

The present disclosure relates to resource management in a computing system. The present disclosure is concerned with the conditional availability of resources. To this end, the present disclosure provides a device for managing resource access of a program executing instructions to access a resource. The device comprises processing circuitry configured to obtain an address of a current instruction executed by the program and an identification of the resource. The processing circuitry is further configured to permit the program to access the resource if the address of the current instruction is within an address range associated with the resource according to a resource configuration, and to deny the program access to the resource otherwise. Thereby, the resource configuration comprises an association between one or more resources and one or more address ranges, each resource being associated with at least one address range.
PCT/EP2021/057537 2021-03-24 2021-03-24 Device and method for managing access to resources WO2022199807A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2021/057537 WO2022199807A1 (fr) 2021-03-24 2021-03-24 Device and method for managing access to resources

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2021/057537 WO2022199807A1 (fr) 2021-03-24 2021-03-24 Device and method for managing access to resources

Publications (1)

Publication Number Publication Date
WO2022199807A1 true WO2022199807A1 (fr) 2022-09-29

Family

ID=75302543

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2021/057537 WO2022199807A1 (fr) 2021-03-24 2021-03-24 Device and method for managing access to resources

Country Status (1)

Country Link
WO (1) WO2022199807A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080155188A1 (en) * 2006-12-20 2008-06-26 Stmicroelectronics S.A. Memory area protection circuit
US20150032996A1 (en) * 2013-07-29 2015-01-29 Patrick Koeberl Execution-aware memory protection
US20200142700A1 (en) * 2017-05-25 2020-05-07 Arm Limited An apparatus and method for interpreting permissions associated with a capability

Similar Documents

Publication Publication Date Title
US10642753B1 (en) System and method for protecting a software component running in virtual machine using a virtualization layer
US10216927B1 (en) System and method for protecting memory pages associated with a process using a virtualization layer
JP5580857B2 (ja) System and method for identifying and preventing security breaches in a computer system
EP3761208B1 (fr) Trust zone-based operating system and method
US8464011B2 (en) Method and apparatus for providing secure register access
US9530001B2 (en) System and method for below-operating system trapping and securing loading of code into memory
EP1708071B1 (fr) Method and system for detecting and neutralizing buffer overflow attacks
US9262246B2 (en) System and method for securing memory and storage of an electronic device with a below-operating system security agent
US10726127B1 (en) System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer
US9384349B2 (en) Negative light-weight rules
US8220029B2 (en) Method and system for enforcing trusted computing policies in a hypervisor security module architecture
US8966629B2 (en) System and method for below-operating system trapping of driver loading and unloading
JP5607752B2 (ja) Method and system for protecting an operating system from unauthorized modification
US20130312099A1 (en) Realtime Kernel Object Table and Type Protection
US20120255031A1 (en) System and method for securing memory using below-operating system trapping
US7890756B2 (en) Verification system and method for accessing resources in a computing environment
US8635664B2 (en) Method and system for securing application program interfaces in unified extensible firmware interface
US11003430B2 (en) Method of enforcing control flow integrity in a monolithic binary using static analysis
US9244863B2 (en) Computing device, with data protection
US10747686B2 (en) Method and system for co-privileged security domains
JP5069406B2 (ja) System and method for identifying and preventing security breaches in a computer system
WO2022199807A1 (fr) Device and method for managing access to resources
US11132437B2 (en) Secure computer operating system through interpreted user applications
US20180322277A1 (en) System management mode privilege architecture
Moula et al. ROPK++: an enhanced ROP attack detection framework for Linux operating system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21715528

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21715528

Country of ref document: EP

Kind code of ref document: A1