WO2023173915A1 - Resource control method and apparatus - Google Patents

Info

Publication number
WO2023173915A1
Authority
WO
WIPO (PCT)
Prior art keywords
code
controlled
instruction
instructions
access
Prior art date
Application number
PCT/CN2023/071405
Other languages
French (fr)
Chinese (zh)
Inventor
李国柱
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2023173915A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46 Multiprogramming arrangements
    • G06F 9/50 Allocation of resources, e.g. of the central processing unit [CPU]

Abstract

The embodiments of the present application relate to the technical field of terminal devices. Provided are a resource control method and apparatus. The method comprises: before running a program which needs to be controlled, performing scanning on instructions in the program; and when it is found by means of scanning that the program comprises only instructions in a preset instruction set, limiting a resource access range of the instructions in the program. In this way, during the execution of the instructions in the program, the program can only perform resource access in the limited resource access range, and cannot access resources outside of the resource access range, thereby realizing security control of the program, and ensuring secure access to resources.

Description

Resource control method and apparatus
This application claims priority to the Chinese patent application filed with the China National Intellectual Property Administration on March 17, 2022, with application number 202210262411.2 and title "Resource control method and apparatus", the entire content of which is incorporated herein by reference.
Technical field
The embodiments of the present application relate to the technical field of terminal devices, and in particular to a resource control method and apparatus.
Background
For information security, information can be isolated within software. When isolating information, a computer can assign different roles to different pieces of software code and allocate resources on the basis of the role so as to form an instance of that role, thereby ensuring that each instance can only access the resources allocated to the corresponding role instance (for example a process, container or virtual machine), and so achieving secure access to information.
To achieve secure access to information, for any role instance, each time the processor executes an instruction of that role instance it has to query the list of resource addresses allocated to the role instance in order to determine whether the access address of the instruction lies within the access rights of the role instance, and decide on that basis whether to execute the instruction. Clearly, this reduces the program execution efficiency of the processor.
Summary of the invention
To solve the above technical problem, the present application provides a resource control method and apparatus. In the method, before a controlled module is run, it is detected that the instructions of the controlled module comprise only instructions of a preset instruction set, and the resource access range of those instructions is limited; when the controlled module is then run, there is no need to check the access rights of its instructions, which improves program execution efficiency.
In a possible implementation, an embodiment of the present application provides a resource control method applied to a resource control apparatus. The resource control apparatus comprises a control module and a controlled module, and the instructions in the resource control apparatus are divided into controlled-class instructions and uncontrolled-class instructions. The method comprises: before the controlled module is run, the control module scanning the instructions in the controlled module to detect whether the instructions in the controlled module are all controlled-class instructions; and, when the control module detects that the instructions in the controlled module are all controlled-class instructions, the control module allocating a target resource access range to each instruction in the controlled module.
By way of example, the instructions run in the resource control apparatus are divided into two classes: controlled-class instructions and uncontrolled-class instructions.
The resource control apparatus may be a central processing unit (CPU) or any other kind of processor; the present application does not limit how the resource control apparatus is implemented. For ease of description, the resource control apparatus is taken to be a CPU in the following.
By way of example, the controlled-class instructions may include the custom instruction set of the present application. When an instruction of the custom instruction set is executed by the CPU, it can only access a specific resource range and cannot access resources outside that range. In other words, the resource access range of an instruction of the custom instruction set is limited when it is executed by the CPU.
Optionally, the controlled-class instructions may also include some conventional preset instructions that have no effect on the security of the code and data of uncontrolled modules (for example addition instructions, subtraction instructions and other instructions that do not need to access memory resources). Which preset instructions have no effect on the security of the code and data of uncontrolled modules can be set flexibly as required; the present application does not limit this.
Optionally, where the controlled-class instructions include preset instructions that are unrelated to resources (that is, instructions that do not need to access resources, taking memory as the example resource), the control module does not need to allocate a target resource access range to those preset instructions; it only needs to allocate a target resource access range to each controlled-class instruction in the controlled module that needs to access memory resources. Memory is used as the example resource here.
When a controlled-class instruction is executed by the CPU, the CPU can only access the specific resource access range that the control module allocated to that controlled-class instruction, and cannot access resources outside that range. In other words, the semantics (or encoding) of a controlled-class instruction determines that its resource access range is limited when it is executed by the CPU. Consequently, when executing each controlled-class instruction, the CPU does not need to check, by a page-table lookup or similar means, whether the resource access address in the currently running controlled-class instruction lies within the resource access rights of the currently running program, which improves the instruction processing efficiency of the CPU.
When the CPU executes an uncontrolled-class instruction, it does not need to process the resource access address in the instruction. It can check in the conventional way (for example by a page-table lookup) whether the resource access address in the uncontrolled-class instruction is an address pre-allocated to the controlled module as accessible: if the resource access address is accessible, the CPU accesses the resource at that address; if it is not, the CPU interrupts execution of the instructions in the controlled module.
Dividing the instructions of the CPU into controlled-class and uncontrolled-class instructions, executed in the two different ways described above, lets the CPU support both modules that are not restricted by a resource access range (for example uncontrolled modules, which may be used to call controlled modules) and modules that are restricted by a resource access range (for example the controlled modules described above). This enriches the types of instruction the CPU can execute and provides access control over the resource range of controlled modules running in the CPU.
In the embodiments of the present application, when a controlled-class instruction is executed by the CPU, the CPU can only access the limited resource access range allocated to that instruction. Therefore, by having the control module scan the controlled module before it is run to check whether all of its instructions are controlled-class instructions, the instruction types in the controlled module are checked before the controlled module is run. If the control module detects that the instructions in the controlled module are all controlled-class instructions, it can be determined that the controlled module will not access resources beyond its resource access range at runtime, which ensures that the controlled module accesses resources securely at runtime. In other words, an instruction scan of the controlled module by the control module before the controlled module is run can determine whether the controlled module is safe, and the controlled module is run only when it has been determined to be safe. The embodiments of the present application thus allow a security check of a controlled module provided by a third party before the controlled module is run, without having to check in real time, while the controlled module is running, whether each instruction about to be executed is safe; this improves the running efficiency of the controlled module. The resource access range of the controlled module is limited at the source, in the instructions themselves, without having to judge during instruction execution whether the resource an instruction requests lies outside the resource access range.
By way of example, taking memory resources as the example, when the control module allocates a target resource access range to each instruction in the controlled module, the control module may send uncontrolled-class instructions to the CPU; when executing those uncontrolled-class instructions, the CPU may allocate, for each controlled-class instruction in the controlled module, an accessible target address space in memory and determine the target address parameters of that target address space. The control module may also send further uncontrolled-class instructions to the CPU, and when executing them the CPU may write the above target address parameters into a storage unit. This completes the allocation of a target resource access range to each instruction in the controlled module.
In this embodiment, the target resource access range is allocated to each controlled-class instruction in the controlled module by the CPU executing uncontrolled-class instructions. The reason is that if the CPU could allocate a target resource access range to the controlled module while executing a controlled-class instruction, the controlled module could send controlled-class instructions that passed the scan to the CPU and thereby have the CPU modify the target resource access range allocated to each instruction in the controlled module. For example, the controlled module could change the target resource access range to a range that the control module does not allow the controlled module to access, so that the resource access range of the controlled module would no longer be under the control of the control module. The purpose of limiting the target resource access range of the controlled module through the control module could then not be achieved, and the controlled module could easily access sensitive memory resources (for example memory holding user account data). In the embodiments of the present application, therefore, the control module is the party that limits the resource access range of the controlled module: the CPU allocates the target resource access range to each controlled-class instruction in the controlled module by executing uncontrolled-class instructions in the control module, so that the resource access range of the controlled module is controlled by the control module and the controlled module itself cannot modify the target resource access range it may access. This ensures that the controlled module accesses resources securely.
By way of example, the storage unit may be built into the CPU, or it may be a storage unit in an external chip separate from the CPU that the CPU can access.
By way of example, the storage unit may be a register (including but not limited to a segment register), a magnetic head, or similar.
After the control module has written the target address parameters into the storage unit in the CPU, an uncontrolled module may call the controlled module so that the controlled module runs in the CPU.
A specific example:
Application 1 (an example of an uncontrolled module) needs to run a plug-in developed by a third party (an example of a controlled module) in order to implement a new function of Application 1. To ensure that the plug-in does not access sensitive information in Application 1 (for example user information), Application 1 can embed the control program provided by the present application (an example of a control module).
Before Application 1 runs the plug-in, the control program can scan the instructions in the plug-in; if every scanned instruction in the plug-in is a controlled-class instruction, the plug-in is safe. The control program can then set a memory resource access range for each controlled-class instruction in the plug-in. Specifically, the control program can use uncontrolled-class instructions to write the target address parameters that limit the memory access space into a segment register (an example of a storage unit) of the CPU of the present application.
The instruction that writes the target address parameters into the segment register may be an uncontrolled-class instruction but must not be a controlled-class instruction. This prevents the plug-in, while it is running, from having the CPU execute a controlled-class instruction that modifies the target address parameters in the segment register. Since the target address parameters determine the target address space that the controlled-class instructions in the plug-in may access, this prevents the plug-in from tampering at runtime with the data in the segment register that corresponds to its instructions, which would otherwise let the plug-in access resources outside the target address space.
Application 1 can then call the plug-in. Once running, the plug-in sends controlled-class instructions to the CPU; when the CPU executes a controlled-class instruction, it takes the original memory access address in the instruction, determines a target memory access address within the limited memory access space according to the address parameters in the segment register, and accesses that target memory access address in memory, thereby achieving limited access to memory resources.
In this way, when Application 1 calls a plug-in developed by a third party, it can use the functions of the plug-in while ensuring that the plug-in can only access data resources and code resources within the limited memory address space, which ensures secure access by the plug-in to the resources of Application 1.
In a possible implementation, the resource control apparatus further comprises a processing module, and after the control module allocates a target resource access range to each instruction in the controlled module, the method further comprises: the processing module processing a first access address and accessing a target resource according to the processed first access address, where the first access address is the resource access address in the controlled-class instruction currently running in the controlled module, and the processed first access address lies within the target resource access range corresponding to the currently running controlled-class instruction.
By way of example, while the controlled module is running, the processing module may execute the controlled-class instruction currently being run by the controlled module (referred to as the target instruction). When executing the target instruction, the processing module may map the original memory access address in the target instruction into the target address space allocated to that target instruction, obtaining the target memory access address that corresponds to the original memory access address within the target address space, and access memory resources according to that target memory access address.
By way of example, when executing the received target instruction, the processing module may read from the storage unit the target address parameters set for that target instruction (a controlled-class instruction) of the controlled module, and, following a preset algorithm, determine the target memory access address within the target address space corresponding to the target instruction on the basis of the target address parameters and the original memory access address in the target instruction; the processing module then accesses the memory resource at the target memory access address.
By way of example, when the original memory access address lies outside the target address space, the processing module may, according to the target address parameters, set some of the high-order bits of the original memory access address to zero so that the resulting target memory access address lies within the target address space. As a simple illustration, if the target address space is 1 to 100 and the original memory access address is 1000, the address length of the original memory access address can be reduced by a factor of 10 to give the target memory access address 100, which lies within the target address space.
In the embodiments of the present application, so that the target instruction can only access resources in the target address space set for it when executed by the processing module, the processing module, when executing the target instruction, processes the original memory access address according to the above algorithm as dictated by the encoding of the target instruction (for example by setting several high-order address bits to zero). Whether or not the original memory access address in the target instruction lies within the target address space, the processed target memory access address always lies within it.
For example, even if a piece of code in the controlled module requests a call to a code resource at some address 1 outside the target address space, the processing module, when executing the controlled-class instruction corresponding to that code, maps address 1 according to the above algorithm to an address 2 within the target address space. So wherever the address of the resource that the controlled module requests may be, when the processing module executes the target instruction of the controlled module it can always find, within the target address space, a target memory access address corresponding to the original memory access address, and it accesses the resource at that target memory access address as the result of the access to the original memory access address.
Thus, when the processing module of the embodiments of the present application executes a target instruction, it does not access resources directly according to the original memory access address of the target instruction; instead it finds the target memory access address to which the original memory access address maps within the target address space and accesses the resource at that target memory address. This limits the resources the controlled module can access at the granularity of the access address of each target instruction; the resource pointed to by the target memory access address is precise and unique, so this fine-grained resource limitation ensures that the resource accessed by any instruction of the controlled module is a single predetermined resource.
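An added illustration of the high-bit-zeroing step described above, written for this page rather than taken from the patent or from any product implementation. The base/size layout of the target address parameters, the power-of-two size and the sample addresses are assumptions; the point it shows is that every original address, inside or outside the space, lands inside [base, base + size), and that the control side must reject parameters for which that guarantee would not hold.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Target address parameters as the control module writes them into the
 * storage unit (the segment register of the plug-in example). Constructed
 * layout, assumed for this example: the target address space is
 * [base, base + size) with size a power of two, so that clearing the
 * high-order bits of an address is a single mask operation. */
typedef struct {
    uint64_t base;   /* start of the target address space, aligned to size */
    uint64_t size;   /* length of the space, a power of two */
} seg_reg_t;

/* Control-module side: validate and store the parameters. A size that is not
 * a power of two, or a base not aligned to it, would break the guarantee that
 * a masked address stays inside the space, so such parameters are refused. */
bool seg_reg_write(seg_reg_t *seg, uint64_t base, uint64_t size)
{
    if (size == 0 || (size & (size - 1)) != 0)
        return false;                       /* not a power of two */
    if ((base & (size - 1)) != 0)
        return false;                       /* base not aligned to size */
    seg->base = base;
    seg->size = size;
    return true;
}

/* Processing-module side: the address carried by a controlled-class
 * instruction is never used directly. Its high-order bits are cleared
 * according to the stored parameters and the remaining low-order bits are
 * placed inside the target space, so the result lies in [base, base + size)
 * whatever the original address was. An address already inside the space
 * maps to itself. */
uint64_t map_access(const seg_reg_t *seg, uint64_t orig)
{
    uint64_t offset = orig & (seg->size - 1);   /* zero the high bits */
    return seg->base + offset;
}

/* Used below to show that every mapped address is inside the space. */
bool in_target_space(const seg_reg_t *seg, uint64_t addr)
{
    return addr >= seg->base && addr - seg->base < seg->size;
}

int main(void)
{
    seg_reg_t seg;
    /* Constructed sample parameters: a 4 KiB target space at 0x10000. */
    if (!seg_reg_write(&seg, 0x10000, 0x1000))
        return 1;

    /* Constructed sample addresses: one inside the space, the rest outside. */
    const uint64_t samples[] = { 0x10ABC, 0x7FFFFFFF0123ULL, 0x0,
                                 0xFFFFFFFFFFFFFFFFULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t mapped = map_access(&seg, samples[i]);
        printf("%#18llx -> %#8llx (inside target space: %s)\n",
               (unsigned long long)samples[i], (unsigned long long)mapped,
               in_target_space(&seg, mapped) ? "yes" : "no");
    }
    return 0;
}
```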
In a possible implementation, after the control module detects that the instructions in the controlled module are not all controlled-class instructions, the method further comprises: when the control module detects that the controlled module includes a first instruction that matches a first preset instruction set, and the first instruction is an instruction for accessing a first preset code resource, the control module allocating the target resource access range to each controlled-class instruction in the controlled module; where the uncontrolled-class instructions include the first preset instruction set, the first preset code resource lies within a first resource access range, and the first resource access range is different from the target resource access range.
By way of example, the uncontrolled-class instructions may include a first preset instruction set and a second preset instruction set, where the instructions in the first preset instruction set may be some or all of the uncontrolled-class jump instructions. The instructions in the second preset instruction set may likewise be some or all of the uncontrolled-class jump instructions; the present application does not limit this.
By way of example, the first preset instruction set and the second preset instruction set may be the same or different, and the two instruction sets may contain the same instructions.
By way of example, uncontrolled-class jump instructions may also be divided into jump instructions with different encodings. Although jump instructions with different encodings can all access code resources when executed by the CPU, they may differ in how they access those code resources; the present application does not limit this. In that case the instructions in both the first preset instruction set and the second preset instruction set are jump instructions, but the encodings of the jump instructions in the two preset instruction sets may differ. For example, the instructions in the first preset instruction set are jump1 to jump5, and the instructions in the second preset instruction set are jump6 to jump10.
In this embodiment, so that controlled code can obtain certain services of uncontrolled code (for instance a controlled plug-in that needs the system time while executing), it is only necessary to ensure that, for the uncontrolled-class instructions in the controlled code that call external services, the external code resources accessed (that is, code resources in the uncontrolled code) are all first preset code resources that the control code has checked and confirmed may be accessed; those uncontrolled-class instructions may then be allowed to exist in the controlled code. Compared with a scheme that adds proxy code, this embodiment needs only a single jump for the controlled code to call an external function in the uncontrolled code.
By way of example, when the control code, via the processing module, detects that the controlled code includes an uncontrolled-class jump instruction, that is, a first instruction matching the first preset instruction set (for example at least one of the jump1 to jump5 instructions), it can further detect whether the jump target of the first instruction satisfies a preset condition. When the jump target of every first instruction in the controlled code satisfies the preset condition, the first instructions are instructions for accessing the first preset code resource, and the control code allows the controlled code to run; otherwise it reports an error and refuses to run it.
By way of example, the first preset code resource is a code resource, in the control code or in the uncontrolled code, that the controlled code is allowed to access and that lies outside the target resource access range.
The first preset code resource is a code resource located within the first resource access range. The access addresses of the first resource access range (for example a fourth address space) do not overlap with the access addresses of the target resource access range (that is, the first address space and second address space mentioned above).
By way of example, the first preset code resource may be a first preset function. The first preset function may be one or more functions; the present application does not limit this. The first preset function may then be an external function that the control module allows the controlled module to access and that belongs to neither the first address space nor the second address space.
By way of example, the first instruction is a first jump-class instruction (for example at least one of the jump1 to jump5 instructions) used to access the first preset function.
By way of example, if every first instruction in the controlled code is an instruction for accessing the first preset code resource, the control code can determine that the jump target of every first instruction in the controlled code satisfies the preset condition, and allows the controlled code to run.
By way of example, the first preset code resource includes a first preset function, where the first preset function is a function that the control module allows the controlled module to access.
For example, if the external function that each jump instruction in the controlled code jumps to is the first preset function, it can be determined that the jump target of every first instruction in the controlled code satisfies the preset condition. As another example, if the jump address (for example a fourth access address) of each jump instruction in the controlled code is a second preset address, it can be determined that the jump target of every first instruction in the controlled code satisfies the preset condition, where the second preset address is the address of a second preset function that the control code allows the controlled code to access.
In the embodiments of the present application, when the control code scans the instructions in the controlled code and detects uncontrolled-class instructions, and all of those uncontrolled-class instructions are uncontrolled-class jump instructions matching the first preset instruction set (that is, first instructions), and the jump target of each such jump instruction (first instruction) satisfies the preset condition (for example, the code resource that each jump instruction in the controlled code jumps to is the first preset code resource), it can be determined that the jump target of every first instruction in the controlled code satisfies the preset condition, and the control code can allow the controlled code to run. In this embodiment, when the controlled code accesses an external function, only a single external jump is needed, with no second jump through proxy code, so the controlled code executes faster.
在一种可能的实施方式中,所述第一预设代码资源包括第一预设函数,所述第一指令为用于访问所述第一预设函数的第一跳转类指令;In a possible implementation, the first preset code resource includes a first preset function, and the first instruction is a first jump instruction used to access the first preset function;
其中,所述第一预设函数为所述控制模块允许所述受控模块访问的函数。Wherein, the first preset function is a function that the control module allows the controlled module to access.
在本申请实施例中,控制代码可在通过处理模块扫描受控代码的指令之后,在检测到受控代码中的指令不均为受控类指令时,控制代码通过处理模块检测到受控代码包括的非受控类指令均为第一预设指令集中的第一指令,第一指令为用于访问第一预设函数的第一类跳转指令(例如short_jump指令)。控制代码在对受控代码扫描时,可实现对受控代码中非受控类指令的检测,检测非受控类指令均为非受控类的跳转指令,并且每个非受控类的跳转指令的跳转目标均为第一预设函数,则可以确保受控代码在访问第一地址空间和第二地址空间之外的代码资源时,所访问的代码资源是控制代码指定的第一预设函数,以确保受控代码对外部函数的限制性访问。本实施例中受控代码在访问外部函数时,只需要进行一次外部跳转,不需要通过代理代码进行二次外部跳转,CPU对受控代码的执行速度更快。In the embodiment of the present application, after the control code scans the instructions of the controlled code through the processing module, when it is detected that the instructions in the controlled code are not uniformly controlled instructions, the control code detects the controlled code through the processing module The included uncontrolled instructions are all first instructions in the first preset instruction set, and the first instructions are first type jump instructions (such as short_jump instructions) used to access the first preset function. When the control code scans the controlled code, it can detect the uncontrolled instructions in the controlled code. It detects that the uncontrolled instructions are all jump instructions of the uncontrolled class, and each uncontrolled class instruction The jump targets of the jump instructions are all the first preset functions, which can ensure that when the controlled code accesses code resources outside the first address space and the second address space, the code resources accessed are the third ones specified by the control code. A default function to ensure restricted access to external functions from controlled code. In this embodiment, when the controlled code accesses the external function, it only needs to perform one external jump and does not need to perform two external jumps through the proxy code. The CPU executes the controlled code faster.
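The admission rules described above, as an added example that is not part of the patent or any Huawei implementation: a toy scanner that, before the controlled code runs, either finds only controlled-class instructions or finds that every uncontrolled-class instruction is a jump from the first preset set whose target is a first preset function. The instruction encoding, the mnemonics in the two sets and the entry addresses of the allowed external functions are all constructed for this example.

```python
"""Pre-execution scanner modelling the two admission rules.

Constructed assumptions (not from the patent):
  - a program is a list of (mnemonic, operand) tuples;
  - CONTROLLED_SET holds the controlled-class mnemonics;
  - FIRST_PRESET_SET holds the uncontrolled jump mnemonics jump1..jump5;
  - ALLOWED_EXTERNAL_ENTRIES holds the entry addresses of the first preset
    functions that the control code lets the controlled code reach.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Instr = Tuple[str, int]

CONTROLLED_SET = {"short_jump", "load_short", "store_short"}
FIRST_PRESET_SET = {f"jump{i}" for i in range(1, 6)}
ALLOWED_EXTERNAL_ENTRIES = {0x7000_0000, 0x7000_0100}  # constructed entry addresses


@dataclass
class ScanResult:
    admitted: bool
    reason: str
    external_targets: List[int] = field(default_factory=list)


def scan(program: List[Instr]) -> ScanResult:
    """Return whether the program may run, and why.

    Rule 1: every instruction is controlled-class -> admit (the only
            resources reachable are those inside the bounded address spaces).
    Rule 2: otherwise, every uncontrolled instruction must be a jump from the
            first preset set AND its target must be a first preset function.
    """
    uncontrolled = [(m, t) for m, t in program if m not in CONTROLLED_SET]
    if not uncontrolled:
        return ScanResult(True, "all instructions are controlled-class")

    targets = []
    for mnemonic, target in uncontrolled:
        if mnemonic not in FIRST_PRESET_SET:
            # e.g. a jump6..jump10 or any other uncontrolled opcode: refuse to run
            return ScanResult(False, f"{mnemonic} is not in the first preset instruction set")
        if target not in ALLOWED_EXTERNAL_ENTRIES:
            # a preset jump whose target is not a first preset function: refuse to run
            return ScanResult(False, f"{mnemonic} targets {target:#010x}, not a first preset function")
        targets.append(target)
    return ScanResult(True, "every uncontrolled instruction jumps to a first preset function", targets)


if __name__ == "__main__":
    sample = [("load_short", 0x10), ("jump1", 0x7000_0000), ("short_jump", 0x20)]
    print(scan(sample))
```

The scanner runs once, before execution; it is only sound because the address bounding described later keeps the admitted code from rewriting itself after the scan.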
In a possible implementation, the controlled-class instructions in the controlled module include first-class instructions for accessing code resources and second-class instructions for accessing data resources, and the control module's allocating the target resource access range to each controlled-class instruction in the controlled module includes: the control module allocates a second resource access range to the first-class instructions and a third resource access range to the second-class instructions, where the resource access addresses of the second resource access range and the third resource access range differ.
By way of example, when the control code (an example of the control module) allocates the second resource access range to the first-class instructions in the controlled code (an example of the controlled module), it may allocate to each first-class instruction in the controlled code a first address space and a first address parameter corresponding to that first address space.
The first address space is used to store the code resources that the controlled-class instructions in the controlled code may access.
By way of example, the first address parameter may be used to determine the address range of the first address space.
By way of example, when the control code allocates the third resource access range to the first-class instructions in the controlled code, it may allocate to each second-class instruction in the controlled code a second address space and a second address parameter corresponding to that second address space.
The second address space is used to store the data resources that the controlled-class instructions in the controlled code may access.
By way of example, the second address parameter may be used to determine the address range of the second address space.
By way of example, the first address parameter may include a code_base parameter and a code_limit parameter.
Here the code_base parameter may represent the start address (that is, the base address) of the first address space, and the code_limit parameter may be an address range parameter of the first address space (which can be understood as the length of the first address space), including but not limited to the size of the space or a binary mask that controls the size of the space.
By way of example, the first address space that the control code allocates to the first-class instructions in the controlled code may be a contiguous or non-contiguous address space; this application places no limit on this.
By way of example, the second address parameter may include a data_base parameter and a data_limit parameter.
Here the data_base parameter may represent the start address (that is, the base address) of the second address space, and the data_limit parameter may be an address range parameter of the second address space (which can be understood as the length of the second address space), including but not limited to the size of the space or a binary mask that controls the size of the space.
By way of example, the second address space that the control code allocates to the second-class instructions in the controlled code may be a contiguous or non-contiguous address space; this application places no limit on this.
Optionally, the control code may write the code_base and code_limit parameters into two registers of the processing module, for example register 1 and register 2, and write the data_base and data_limit parameters into two other registers of the processing module, for example register 3 and register 4.
In other words, the first address parameter and the second address parameter are held in different storage units.
By way of example, the registers above may be segment registers. However, this application does not restrict the storage unit into which the first or second address parameter is written to registers; it may be any hardware storage unit inside the processing module or, optionally, a hardware storage unit in a chip separate from the processing module.
In this embodiment, the addresses of the first address space and the second address space differ. The controlled code can access the code stored in the first address space of memory through first-class instructions, and the data stored in the second address space of memory through second-class instructions. If the first and second address spaces had overlapping addresses, those overlapping addresses could hold both code and data, and the controlled code could, after the control code has scanned it and found all its instructions to be controlled-class instructions, access the overlapping addresses through, for example, a store_short instruction and modify the code there, so that the code (that is, the instructions) of the controlled code is rewritten into uncontrolled-class instructions that access data or code outside the restricted first and second address spaces. By configuring distinct first and second address spaces for the controlled-class instructions in the controlled code, this application prevents the controlled code, once scanned and allowed to run, from modifying its own code so that it contains uncontrolled-class instructions that access unallocated memory resources and thereby evade the control code's scan.
By way of example, when executing a first-class instruction, the processing module may map the original memory access address addr in the instruction into the first address space bounded by code_base and code_limit according to a second preset algorithm, code_base+[code_limit(mask) OR addr], obtaining a target access address confined to the first address space.
For example, if the first address space is 0 to ffff, then code_base=0x00000000 and code_limit=0x0000ffff.
For example, if the first access address addr1 accessed by a short_jump instruction in the controlled code is 0x12345678, addr1 does not lie within the first address space 0 to ffff. When executing the short_jump instruction, the processing module of this application may AND code_limit with addr1 so that the high 8 bits of addr become 0, yielding addr2 = 0x00005678; the length of addr2 is within the length limited by code_limit. The processing module then computes code_base+addr2 to obtain the second access address addr3; code_base is 0 here, so addr3=addr2. The jump address of the short_jump instruction is thus confined to addr3 (here 0x00005678), which raises no error and ensures that the controlled code can only access resources in the first address space; addr3 lies in the address range 0 to ffff (the first address space bounded by code_base and code_limit).
By way of example, the processing module may read the data_base and data_limit parameters from register 3 and register 4 respectively.
By way of example, the data_base parameter is the base address of the second address space, and the data_limit parameter is a binary mask that controls the size of the second address space.
By way of example, when executing a second-class instruction, the processing module may take the memory access address addr in the instruction and, according to a fourth preset algorithm, data_base+[data_limit(mask) OR addr], map addr into the second address space bounded by data_base and data_limit to obtain the accessible memory address.
For example, if the second address space is 0 to ffff, then data_base=0x00000000 and data_limit=0x0000ffff.
For example, if the third access address addr1 accessed by a load_short instruction in the controlled code is 0x12345678, addr1 does not lie within the second address space 0 to ffff. When executing the load_short instruction, the processing module of this application may AND data_limit with addr1 so that the high 8 bits of addr become 0, yielding addr2 = 0x00005678; the length of addr2 is within the length limited by data_limit. The processing module then computes data_base+addr2 to obtain the fourth access address addr3; data_base is 0 here, so addr3=addr2, and addr3 lies in the address range 0 to ffff (the second address space bounded by data_base and data_limit).
Compared with a CPU that walks the page tables for every instruction, the CPU of this application, when executing a controlled-class instruction, only needs to set some of the high bits of the original access address in the instruction to 0 according to the corresponding algorithm, so that the processed access address lies within the restricted address space and a target address in that space is obtained. Computing the target address this way is faster than a page-table lookup, so the CPU executes instructions more efficiently.
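The per-class address bounding of the preceding paragraphs, as an added software model that is not part of the patent or any Huawei hardware: the code and data parameters sit in separate register sets, the limit is taken as a binary mask, and the worked example in the text (0x12345678 becoming 0x00005678) is reproduced by ANDing the mask with the address, which is the operation the text's worked example actually performs. The 32-bit address width and the disjoint data base of 0x00100000 are assumptions for this example.

```python
"""Software model of base + (mask & addr) address bounding.

Constructed assumptions (not from the patent):
  - 32-bit addresses;
  - code_limit / data_limit are binary masks (the 0x0000ffff form used on the page);
  - the data space is placed at 0x0010_0000 so that it does not overlap the
    code space, as the method requires.
"""
from dataclasses import dataclass

MASK32 = 0xFFFF_FFFF


@dataclass(frozen=True)
class BoundsRegs:
    """The four 'registers' the control code fills before the controlled code runs."""
    code_base: int
    code_limit: int  # mask for first-class (code) instructions
    data_base: int
    data_limit: int  # mask for second-class (data) instructions


def bound(base: int, mask: int, addr: int) -> int:
    """Drop the address bits outside the mask, then rebase: base + (addr & mask)."""
    return (base + (addr & mask)) & MASK32


def code_target(regs: BoundsRegs, addr: int) -> int:
    """Address a short_jump actually reaches (bounded into the first address space)."""
    return bound(regs.code_base, regs.code_limit, addr)


def data_target(regs: BoundsRegs, addr: int) -> int:
    """Address a load_short/store_short actually reaches (bounded into the second address space)."""
    return bound(regs.data_base, regs.data_limit, addr)


def in_space(base: int, mask: int, addr: int) -> bool:
    """True if addr can be produced by bound() for this base/mask pair."""
    return bound(base, mask, addr) == addr and addr >= base


def spaces_overlap(regs: BoundsRegs) -> bool:
    """Check the requirement that the code and data spaces share no address.

    A mask of the form 2**n - 1 gives a contiguous space [base, base + mask];
    other masks give a non-contiguous space, so the check enumerates bits rather
    than comparing ranges, which the patent allows ('contiguous or non-contiguous').
    """
    code_span = {bound(regs.code_base, regs.code_limit, a) for a in range(regs.code_limit + 1)}
    data_span = {bound(regs.data_base, regs.data_limit, a) for a in range(regs.data_limit + 1)}
    return not code_span.isdisjoint(data_span)


if __name__ == "__main__":
    regs = BoundsRegs(0x0000_0000, 0x0000_FFFF, 0x0010_0000, 0x0000_FFFF)
    print(hex(code_target(regs, 0x1234_5678)))  # the page's addr1 -> addr3 example
```

The overlap check is the defender's invariant behind the self-modification discussion above: if it ever returned True, a store through the data path could land on an instruction that the scanner already approved.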
In a possible implementation, the uncontrolled-class instructions include a second preset instruction set, the control module includes a proxy submodule, and the proxy submodule includes a second instruction matching the second preset instruction set, where the second instruction is an instruction for accessing a second preset code resource, the second preset code resource lies within a fourth resource access range, and the resource access addresses of the fourth resource access range and the target resource access range differ; after the control module allocates the target resource access range to each instruction in the controlled module, the method further includes: the control module writes the proxy submodule into the second resource access range.
By way of example, the control code may include proxy code (an example of the proxy submodule), and the proxy code may include at least one uncontrolled-class jump instruction (that is, a jump instruction); when the processing module executes this uncontrolled-class jump instruction, it can access the address of the second preset code resource.
By way of example, the uncontrolled-class jump instruction in the proxy code may be at least one of the jump6 to jump10 instructions in the second preset instruction set.
The second preset code resource is a code resource located in the fourth resource access range (for example, a third address space). The access addresses of the fourth resource access range do not overlap with the access addresses of the target resource access range (that is, the first address space and the second address space described above).
By way of example, the second preset code resource is a code resource in the control code or in uncontrolled code that lies outside the target resource access range and that the controlled code is allowed to access.
By way of example, the second preset code resource may be a second preset function. The second preset function may be one or more functions; this application places no limit on this. The second preset function may then be an external function that the control module allows the controlled module to access.
In this embodiment, when the control code includes proxy code, the proxy code may be configured with uncontrolled-class jump instructions to the second preset code resource in the uncontrolled code that the controlled code is allowed to access. Then, when allocating to the first-class instructions in the controlled code (for example, controlled-class jump instructions) the first address space they may access and the first address parameter, the proxy code may also be written into the first address space accessible to the controlled code. When the control code needs to call the second preset function in the uncontrolled code, it may first jump to the uncontrolled-class jump instruction in the proxy code and then jump, through the proxy code, to the second preset code resource in the uncontrolled code, achieving limited access to external code resources outside the controlled code.
It should be noted that in this embodiment the processing module jumps into the proxy code by executing a controlled-class jump instruction in the controlled code, in order to reach the uncontrolled-class jump instruction in the proxy code and access the external function through it. However, the address space accessed by the second-class instructions in the controlled code used to access data (for example, controlled-class memory access instructions such as load_short) is limited to the second address space and cannot reach the first address space, so it cannot reach the address space holding the proxy code. This prevents the controlled code from using second-class instructions to modify the proxy code and thereby jumping through the proxy code into illegal space, and prevents the controlled code from illegally calling services it is not allowed to use. Illegal space here means the address space that the control code does not allow the controlled code to access.
By way of example, the first preset code resource and the second preset code resource may be the same. The controlled code may then access external code resources either through proxy code or by including in the controlled code an uncontrolled-class jump instruction that accesses the first preset code resource; this application places no limit on this.
Optionally, the first preset code resource and the second preset code resource may differ. The controlled code may then access external code resources both through proxy code and by including in the controlled code an uncontrolled-class jump instruction that accesses the first preset code resource; this application places no limit on this.
Similarly, the first preset function and the second preset function may be the same or different, and the first instruction and the second instruction may also be the same or different.
In a possible implementation, the second preset code resource includes a second preset function, and the first-class instructions include a second jump-class instruction used to access the second instruction; the processing module's processing the first access address and accessing the target resource according to the processed first access address includes: the processing module processes the second access address in the second jump-class instruction and accesses the second instruction according to the processed second access address; the processing module accesses the second preset function according to the third access address in the second instruction; where the second preset function is a function that the control module allows the controlled module to access.
By way of example, the first-class instruction is a controlled-class jump instruction in the controlled code; for example, the second jump-class instruction used to access the second instruction is a short_jump instruction. When the processing module executes this short_jump instruction in the controlled code, it may zero the high bits of the jump address of the short_jump instruction (that is, the second access address) according to the algorithm described above, shortening the address so that the processed second access address falls within the address space occupied by the proxy code inside the first address space. The processing module can then read the uncontrolled-class jump instruction in the proxy code (that is, the second instruction), for example a jump6 instruction, from the processed second access address. By executing the jump6 instruction it jumps to the jump address corresponding to the jump6 instruction (that is, the third access address described above) to access the second preset function. In this way the controlled code accesses the second preset function in the uncontrolled code through the proxy code.
In this embodiment, after scanning the instructions of the controlled code through the processing module and detecting that all instructions in the controlled code are controlled-class instructions, the control code may, through the processing module, write the proxy code into the first address space of the controlled code, so that the first address space holds not only the controlled code but also the proxy code. The controlled code can then jump to the proxy code through a controlled-class jump instruction and, through the uncontrolled-class jump instruction in the proxy code, jump to the location of a fixed function that the uncontrolled code allows the controlled code to access, for example the entry address of the second preset function. In this way the controlled code can only enter at the entry addresses of the functions designated by the uncontrolled code, and the code at those entry points can perform appropriate checks before deciding whether to provide the requested functionality, ensuring that access to the second preset function is secure.
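The two-hop proxy path just described, as an added simulation that is not part of the patent or any Huawei implementation. It shows the three properties the text relies on: a short_jump from the controlled code is bounded into the code space and lands on the proxy stub, the stub's uncontrolled jump6 is the only way to reach the external function's entry address, and a store_short from the controlled code is bounded into the data space and therefore cannot overwrite the stub. The memory layout, the proxy slot address, the external entry address and the (mnemonic, operand) instruction encoding are all constructed for this example.

```python
"""Simulation of the proxy (trampoline) path with bounded code and data spaces.

Constructed layout (not from the patent):
  code space   0x0000_0000 .. 0x0000_FFFF  (controlled code + proxy stub)
  data space   0x0010_0000 .. 0x0010_FFFF
  external     0x7000_0000                  entry of the second preset function
Memory is a dict mapping address -> instruction tuple or stored value.
"""
from typing import Dict, Tuple, Union

Instr = Tuple[str, int]
Cell = Union[Instr, int]

CODE_BASE, CODE_MASK = 0x0000_0000, 0x0000_FFFF
DATA_BASE, DATA_MASK = 0x0010_0000, 0x0000_FFFF
PROXY_SLOT = 0x0000_FF00      # where the control code writes the proxy stub
EXTERNAL_ENTRY = 0x7000_0000  # second preset function (constructed address)


def bound(base: int, mask: int, addr: int) -> int:
    """base + (mask & addr): the bounding step the processing module applies."""
    return base + (addr & mask)


def install_proxy(mem: Dict[int, Cell]) -> None:
    """Control code writes the proxy stub (an uncontrolled jump6) into the code space
    after the scan has approved the controlled code."""
    mem[PROXY_SLOT] = ("jump6", EXTERNAL_ENTRY)


def resolve_call(mem: Dict[int, Cell], short_jump_target: int) -> int:
    """Execute a controlled short_jump and follow at most one uncontrolled jump
    found at the landing address. Returns the address finally reached."""
    pc = bound(CODE_BASE, CODE_MASK, short_jump_target)  # second access address, bounded
    cell = mem.get(pc)
    if isinstance(cell, tuple) and cell[0] == "jump6":
        return cell[1]  # third access address: the external function's entry
    return pc           # stayed inside the code space


def store_short(mem: Dict[int, Cell], addr: int, value: Cell) -> int:
    """Controlled data store: the address is bounded into the data space, so even an
    operand equal to PROXY_SLOT cannot reach the stub. Returns the address written."""
    target = bound(DATA_BASE, DATA_MASK, addr)
    mem[target] = value
    return target


def proxy_intact(mem: Dict[int, Cell]) -> bool:
    """Defender's check: the stub still points at the sanctioned entry."""
    return mem.get(PROXY_SLOT) == ("jump6", EXTERNAL_ENTRY)


if __name__ == "__main__":
    mem: Dict[int, Cell] = {}
    install_proxy(mem)
    print(hex(resolve_call(mem, PROXY_SLOT)))       # reaches the external entry
    print(hex(resolve_call(mem, EXTERNAL_ENTRY)))   # bounded back into the code space
```

Because the only exit from the code space is the stub the control code wrote, the external function sees calls arriving at its entry address only, which is what lets the checks at that entry point decide whether to serve the request.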
In a possible implementation, an embodiment of this application provides a resource control apparatus. The resource control apparatus includes a control module and a controlled module; the instructions in the resource control apparatus are divided into controlled-class instructions and uncontrolled-class instructions, and the control module is configured to: before the controlled module runs, scan the instructions in the controlled module to detect whether they are all controlled-class instructions; and on detecting that the instructions in the controlled module are all controlled-class instructions, allocate a target resource access range to each instruction in the controlled module.
In a possible implementation, the resource control apparatus further includes a processing module configured to process a first access address and access a target resource according to the processed first access address, where the first access address is the resource access address in the controlled-class instruction currently running in the controlled module, and the processed first access address lies within the target resource access range corresponding to the currently running controlled-class instruction.
In a possible implementation, the control module is further configured to, after detecting that the instructions in the controlled module are not all controlled-class instructions, and on detecting that the controlled module includes a first instruction matching a first preset instruction set and that the first instruction is an instruction for accessing a first preset code resource, allocate the target resource access range to each controlled-class instruction in the controlled module; where the uncontrolled-class instructions include the first preset instruction set, the first preset code resource lies in a first resource access range, and the first resource access range differs from the target resource access range.
In a possible implementation, the first preset code resource includes a first preset function, and the first instruction is a first jump-class instruction used to access the first preset function, where the first preset function is a function that the control module allows the controlled module to access.
In a possible implementation, the controlled-class instructions in the controlled module include first-class instructions for accessing code resources and second-class instructions for accessing data resources, and the control module is specifically configured to allocate a second resource access range to the first-class instructions and a third resource access range to the second-class instructions, where the resource access addresses of the second resource access range and the third resource access range differ.
In a possible implementation, the uncontrolled-class instructions include a second preset instruction set, the control module includes a proxy submodule, and the proxy submodule includes a second instruction matching the second preset instruction set, where the second instruction is an instruction for accessing a second preset code resource, the second preset code resource lies within a fourth resource access range, and the resource access addresses of the fourth resource access range and the target resource access range differ; the control module is further configured to write the proxy submodule into the second resource access range.
In a possible implementation, the second preset code resource includes a second preset function, and the first-class instructions include a second jump-class instruction used to access the second instruction; the processing module is specifically configured to process the second access address in the second jump-class instruction, access the second instruction according to the processed second access address, and access the second preset function according to the third access address in the second instruction, where the second preset function is a function that the control module allows the controlled module to access.
The effects of the resource control apparatus of the above implementations are similar to those of the resource control methods of the above implementations and are not repeated here.
In a possible implementation, an embodiment of this application provides a resource control apparatus. The resource control apparatus includes one or more interface circuits and one or more processors; the interface circuit is configured to receive a signal from a memory and send the signal to the processor, the signal including computer instructions stored in the memory; when the processor executes the computer instructions, the processor can implement the method of any of the above implementations.
The effect of the resource control apparatus of this implementation is similar to that of the resource control methods of the above implementations and is not repeated here.
In a possible implementation, an embodiment of this application provides a computer-readable storage medium. The computer-readable storage medium stores a computer program which, when run on a computer or processor, causes the computer or processor to execute the method of any of the above implementations.
本实施方式的计算机可读存储介质的效果,与上述各实施方式的资源控制方法的效 果类似,这里不再赘述。The effect of the computer-readable storage medium in this embodiment is similar to the effect of the resource control method in the above embodiments, and will not be described again here.
在一种可能的实施方式中,本申请实施例提供一种计算机程序产品。计算机程序产品包含软件程序,当软件程序被计算机或处理器执行时,使得上述任意一个实施方式中的方法被执行。In a possible implementation manner, embodiments of the present application provide a computer program product. The computer program product includes a software program. When the software program is executed by a computer or processor, the method in any of the above embodiments is executed.
本实施方式的计算机程序产品的效果,与上述各实施方式的资源控制方法的效果类似,这里不再赘述。The effect of the computer program product in this embodiment is similar to the effect of the resource control method in each of the above embodiments, and will not be described again here.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Figure 1 is a schematic diagram of exemplary code isolation;
Figure 2a is a schematic diagram of exemplary process-based code isolation;
Figure 2b is a schematic diagram of exemplary virtual-machine-based code isolation;
Figure 2c is a schematic diagram of exemplary secure-zone-based code isolation;
Figure 3a is a schematic diagram of an exemplary system framework;
Figure 3b is a schematic diagram of an exemplary system framework;
Figure 4a is a flow chart of the operation of an exemplary system;
Figure 4b is a schematic diagram of an exemplary memory address space;
Figure 5a is a flow chart of the operation of an exemplary system;
Figure 5b is a schematic diagram of an exemplary memory address space;
Figure 5c is a schematic diagram of an exemplary compilation process for controlled code;
Figure 6a is a flow chart of the operation of an exemplary system;
Figure 6b is a schematic diagram of an exemplary memory address space;
Figure 6c is a schematic diagram of an exemplary compilation process for controlled code;
Figure 7 is a schematic diagram of an exemplary system architecture;
Figure 8 is a schematic structural diagram of an apparatus provided by an embodiment of the present application;
Figure 9 is a schematic structural diagram of a chip provided by an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present application without creative effort fall within the scope of protection of the present application.
The term "and/or" herein merely describes an association between associated objects and indicates that three relationships may exist. For example, "A and/or B" may mean: A exists alone, A and B exist together, or B exists alone.
The terms "first" and "second" in the description and claims of the embodiments of the present application are used to distinguish different objects, not to describe a particular order of objects. For example, a first target object and a second target object are used to distinguish different target objects, not to describe a particular order of the target objects.
In the embodiments of the present application, words such as "exemplary" or "for example" are used to indicate an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present application is not to be construed as preferred over or more advantageous than other embodiments or designs. Rather, the words "exemplary" or "for example" are intended to present the relevant concept in a concrete manner.
In the description of the embodiments of the present application, unless otherwise specified, "a plurality of" means two or more. For example, a plurality of processing units means two or more processing units, and a plurality of systems means two or more systems.
For information security, information can be isolated in software. When isolating information, a computer can assign different roles to different pieces of software code and allocate resources on the basis of the role, forming an instance of that role, so that each instance can access only the resources allocated to the corresponding role instance. This achieves code isolation and ensures that information is accessed securely.
For example, role instances may include, but are not limited to, processes, containers and virtual machines.
For ease of understanding, take the case where the role instance is a process. For example, an application (App) runs on the Android operating system of a mobile phone. Android is provided by the phone vendor and represents one role. The App is provided by the App provider; for information security, Android allows the App to access only the telephony function and not the location function. To enforce the App's permissions, before handing control of the central processing unit (CPU) to the App, Android switches the CPU's privilege state from operating-system privilege to process privilege, where Android sets permissions on the process so that the App can access resources only within the process's permissions. For example, the process permissions may include permission to access telephony but not permission to access location.
After the App's code takes over the CPU, it can access resources only within the process's permissions and cannot access resources within permissions that Android has not assigned to the App's process. If the App wants higher permissions in order to access resources outside the process's permissions (for example, location information), it can only hand control of the CPU back to Android; Android's code then takes over the CPU again and completes the resource access to the location information.
As the above example shows, when isolating code, a hierarchical or classified state can be designed for the CPU, with high-privilege code (for example, operating system code) controlling the resource access range (for example, telephony permission) of low-privilege code (for example, general user program code such as the App code above). The CPU's privilege is switched from the high privilege level to the low privilege level, and the code executed by the CPU jumps into the low-privilege code, so that the low-privilege code takes over the CPU. The low-privilege code can then access resources only within the assigned permission range and cannot access resources outside it.
If low-privilege code wants to leave the low-privilege CPU state, it can only give up control of the CPU actively (for example, through a system call) or passively (for example, through an interrupt), so that the code executed by the CPU jumps to a specific high-privilege code location while the CPU's privilege is switched from the low level to the high level. The high-privilege code thereby regains control of the CPU and can access resources within the high-privilege permission range.
By controlling the permissions of low-privilege code, high-privilege code (for example, operating system code) can ensure that the low-privilege code accesses resources securely, for example securing the behaviour of the App above and preventing the App from obtaining the user's critical information, such as reading the user's transaction password.
Figure 1 is a schematic diagram of exemplary code isolation.
It should be understood that Figure 1 is only an example; an isolation structure for code isolation may have more or fewer levels than shown in the figure.
As shown in Figure 1, the CPU privileges from high to low are: system-wide control privilege, virtual machine privilege, operating system privilege and process privilege.
The system-wide control code runs within the system-wide control privilege pointed to by the dashed arrow; the operating system management code runs within the operating system privilege pointed to by the dashed arrow (here, the privilege of the operating system inside the virtual machine); and general user program code runs within the process privilege pointed to by the dashed arrow. From highest to lowest privilege, the code is therefore: system-wide control code, virtual machine management code, operating system management code and general application code.
As shown in Figure 1, if a general user program running within a process's privilege wants to access resources outside that privilege, the process must hand control of the CPU to the higher-privileged operating system; if operating system management code running within the operating system's privilege wants to access resources outside that privilege, it must hand control of the CPU to the higher-privileged virtual machine; and if virtual machine management code running within the virtual machine's privilege wants to access resources outside that privilege, the virtual machine must hand control of the CPU to the higher-privileged system-wide control code, so that the resource access is performed within the system-wide control privilege.
In other words, if low-privilege code wants to leave the low-privilege CPU state, it can only give up control of the CPU actively (for example, through a system call) or passively (for example, through an interrupt), so that the code executed by the CPU jumps to a specific high-privilege code location while the CPU's privilege is switched from the low level to the high level. The high-privilege code thereby regains control of the CPU and can access resources within the high-privilege permission range.
For example, in Figure 1, when the system-wide control code runs within the system-wide control privilege, it can configure the virtual machine's privilege to limit the virtual machine's resource access permissions; when the virtual machine management code runs within the virtual machine privilege, it can configure the operating system's privilege to limit the operating system's resource access permissions; and the operating system management code, running within the operating system privilege, can configure the process's privilege to limit the process's resource access permissions. In other words, high-privilege code can assign permissions to low-privilege code in order to control the low-privilege code's resource access range.
For example, with reference to Figures 1 and 2a, the high-privilege operating system management code (running in a virtual machine) can configure the privilege of a process that runs general user program code in order to limit the process's resource access range. Memory is a particularly important resource: processes, virtual machines and operating systems can all access memory resources. However, the operating system management code can restrict the specific memory addresses a process may access: it can configure each process's page table to set the address range of the memory resources the process can access, and the page table can contain the information on the memory addresses the process may access.
General user program code runs within the process's privilege. When a process initiates a resource access request outside its privilege, control of the CPU must be handed to the operating system, which initiates the request. For example, if a process issues an instruction to access a system resource and the access permission is not within the process's privilege, the instruction is denied; the CPU's privilege can then be switched from the process's privilege to the operating system's privilege and the CPU's code pointer redirected from the general user program code running in the process to the operating system management code, so that the operating system management code controls the CPU and performs the access to the system resource. This ensures that the process accesses resources within the resource access permissions assigned to it: general user program code is isolated to run within the process's permission range and cannot cross that range to access resources that have not been allocated to it.
However, memory is a resource that can be accessed within the process's privilege, and the addresses the process may access are limited by its page table. Every time the CPU receives a memory access instruction issued by a process, it must query the page table configured for that process in user mode to determine the list of memory addresses allocated to the process. If the memory address accessed by the instruction is not in that list, the CPU cannot execute the instruction and may raise an exception.
In a scheme that isolates code by means of processes, when the CPU executes an instruction issued by a process, it must confirm that the high-privilege code has indeed allocated the specific resource to the low-privilege role instance. Every time low-privilege code accesses a resource, the CPU must check the resources allocated to that role instance (for example, the page table) before running the resource access instruction, for example confirming whether the memory resource targeted by the instruction is included in the memory resources allocated to the process. This reduces the CPU's execution efficiency.
Containers are also a code isolation scheme; they can be regarded as a special kind of process scheme that is independent of hardware. The operating system treats multiple processes as a group: resources requested between processes within the group can be provided by the CPU, while resource access requests that are not between processes of the group are not served. This scheme is similar to that of Figure 2a: a process inside a container cannot cross the container boundary to access resources that have not been allocated, which keeps the code of the processes in the container secure.
Likewise, every time code in a process inside a container accesses a resource, the CPU must check the resources allocated to that container (for example, the page table) before running the resource access instruction, for example confirming whether the memory resource targeted by the instruction is included in the memory resources allocated to the container, which reduces the CPU's execution efficiency.
With reference to Figures 1 and 2b, a virtual machine is a code isolation scheme that can be regarded as the process isolation scheme of Figure 2a layered once more. The operating system together with its processes can be regarded as one managed object, and the virtual machine management code as a manager with higher privilege than the operating system management code in Figures 1 and 2a. The logic of virtual machine isolation is similar to that of process isolation and is briefly explained below with reference to Figure 2b.
As shown in Figure 2b, operating system code runs within the virtual machine's privilege. For the virtual machine's privilege, the physical chip can provide two levels of address space permission configuration: the level 1 configuration is specified by the virtual machine, and the level 2 configuration is specified by the virtual machine management code. For the level 2 configuration, as shown in Figure 2b, the virtual machine management code can configure the virtual machine's privilege to limit the virtual machine's resource access range.
Memory is a particularly important resource that processes, virtual machines and operating systems can all access. However, the virtual machine management code can restrict the specific memory addresses a virtual machine may access. As shown in Figure 2b, the virtual machine management code can configure each virtual machine's level 2 page table to set the address range of the memory resources the virtual machine can access. The level 2 page table can contain the information on the memory addresses the virtual machine may access, so that the virtual machine management code controls, through the level 2 page table, the virtual machine's address access permissions for memory resources and thereby controls the range of resource access addresses of the operating system running in the virtual machine.
For operating system code running within the virtual machine's privilege, the accessible memory addresses are limited by the virtual machine's page table. Every time the CPU receives a memory access instruction issued by the virtual machine, it must query the page table configured for that virtual machine to determine the list of memory addresses allocated to it. If the memory address accessed by the instruction is not in that list, the CPU cannot execute the instruction and may raise an exception.
In a scheme that isolates code by means of virtual machines, when the CPU executes an instruction issued by a virtual machine, it must confirm that the high-privilege code has indeed allocated the specific resource to the low-privilege role instance. Every time low-privilege code accesses a resource, the CPU must check the resources allocated to that role instance (for example, the page table) before running the resource access instruction, for example confirming whether the memory resource targeted by the instruction is included in the memory resources allocated to the virtual machine. This reduces the CPU's execution efficiency.
With reference to Figure 2c, a secure zone is a code isolation scheme that can be regarded as the virtual machine isolation scheme of Figure 2b layered once more. As shown in Figure 2c, code can be divided into secure-zone code running in the secure zone and non-secure-zone code running in the non-secure zone. The secure-zone code may include virtual machine management code, operating system code, general user program code and so on, and can run within the secure zone's permission range. The security management code can be regarded as a manager with higher privilege than the virtual machine management code in Figure 2c. The code isolation logic of the secure zone is similar to that of process isolation in Figure 2a and virtual machine isolation in Figure 2b; the differences from those schemes are briefly explained below with reference to Figure 2c.
Secure-zone schemes differ between implementation scenarios. The security management code can be used to set up the working environments of the secure zone and the non-secure zone. For example, on ARM CPUs the memory accessible to the secure zone is not specified through page tables but is hard-coded in hardware, so whether secure-zone code can access memory at a particular address depends on that hardware hard-coding. If secure-zone code takes over the CPU and runs within the secure zone's permission range, the CPU attaches a security tag to the requests it issues on behalf of the secure-zone code; otherwise (for example, when the CPU is running non-secure-zone code) the requests carry no such tag. There is a bus between the CPU and memory; the CPU sends memory write requests to memory over the bus, and the bus logic decides on the basis of this tag whether the request may be served. A request carrying the tag may access memory; a request without it is dropped. The security management code can thus determine which instructions the CPU may execute from whether the requests issued by the CPU carry the security tag, or, when the CPU issues an address access request, check whether it has permission to access that address.
Another difference is that a secure zone usually does not have multiple instances: a process scheme can have many processes and a virtual machine scheme many virtual machines, but there may be only one secure zone, so this architecture often allows code in the non-secure zone and the secure zone to call each other directly without being relayed through the security management code. When the secure zone and the non-secure zone call each other, each may call only fixed addresses of the other, and the called addresses are controlled by the security management code, which preserves the security of the different zones.
When secure-zone code runs on the CPU, the requests issued by the CPU carry a preset tag, and the security management code checks at runtime whether each request issued by the CPU carries the preset tag in order to determine the range of resources the request may access. This check must be performed every time the CPU issues a request, which increases the running cost.
In summary, when traditional code isolation schemes such as processes, containers, virtual machines and secure zones are implemented, the CPU, when executing an instruction, must confirm that the high-privilege code has indeed allocated the specific resource to the low-privilege role instance. Every time low-privilege code accesses a resource, the CPU must check the resources allocated to that role instance (for example, the page table) before running the resource access instruction, for example confirming whether the memory resource targeted by the instruction is included in the memory resources allocated to the virtual machine. This reduces the CPU's execution efficiency.
In some application scenarios, when a program needs to use third-party code, in order to ensure that the third-party code does not access certain critical information in the program while it runs, traditional technology creates a role instance such as a process, container or virtual machine for the third-party code, limiting the third-party code's resource access range to the permissions of the role instance it belongs to, so that the third-party code accesses resources securely. The permissions of the role instance corresponding to the third-party code are assigned by code with higher privilege. The drawback of traditional technology is as described above: every time the CPU executes an instruction of the third-party code, it must check permissions and resources, which reduces the CPU's execution efficiency.
To this end, the present application provides a resource control method that scans the instructions used by code whose resource access must be kept secure (called controlled code for short, for example the third-party code above) before the controlled code runs. If the scan finds that all instructions used by the controlled code are controlled-class instructions, where a controlled-class instruction can access resources only within the controlled code's target resource access range, then while the controlled code runs the CPU does not need to check the instructions it issues (for example, by querying the resources allocated to the process the controlled code belongs to). The instructions used by the controlled code cannot exceed its target resource access range, which improves the CPU's execution efficiency. Moreover, when limiting the controlled code's resource access range, there is no need to create a corresponding role instance such as a process or virtual machine for the controlled code in order to restrict its permissions within that role instance.
Embodiment 1
By way of example, FIG. 3a and FIG. 3b are schematic diagrams of a system framework structure. It should be understood that the system shown in FIG. 3a and FIG. 3b is only one example; the system of this application may have more or fewer modules than shown in the figures, two or more modules may be combined, or the modules may be configured differently. The modules shown in FIG. 3a and FIG. 3b may be implemented in hardware, in software, or in a combination of hardware and software, including one or more signal processing and/or application-specific integrated circuits.
As shown in FIG. 3a, the resource control apparatus provided by this application may include a control module and a controlled module, and optionally a processing module. The instructions in the resource control apparatus are divided into controlled-class instructions and uncontrolled-class instructions. The resource control apparatus can perform the method described in the following embodiments.
By way of example, the resource control apparatus may be implemented as a central processing unit (CPU) or as any other kind of processor; this application does not restrict how the resource control apparatus is implemented. For ease of description, the resource control apparatus is described as being implemented as a CPU.
By way of example, the processing module may be hardware in the central processing unit that includes one or more signal processing and/or application-specific integrated circuits. The processing module may be used to execute instructions. The instructions executable by the processing module are divided into controlled-class instructions and uncontrolled-class instructions; when executing an instruction, the processing module does not distinguish between the instruction classes, and may interpret and execute each instruction according to the semantics (that is, the encoding) of the instruction.
When a controlled-class instruction is executed by the processing module, the processing module can only access the particular resource access range that the control module has allocated to that controlled-class instruction, and cannot access resources outside that particular resource access range. In other words, the semantics (that is, the encoding) of a controlled-class instruction dictate that its resource access range is restricted when it is executed by the processing module. Therefore, when executing each controlled-class instruction, the processing module does not need to check, for example by looking up a page table, whether the resource access address in the controlled-class instruction currently being run lies within the resource access permissions of the currently running program, which improves the instruction processing efficiency of the processing module.
When an uncontrolled-class instruction is executed by the processing module, the resource access can be performed according to the resource access address in the uncontrolled-class instruction, without processing that resource access address. Optionally, the processing module may determine in the traditional way, such as by looking up a page table, whether the process (or virtual machine, etc.) in which the uncontrolled-class instruction resides has permission to access that address, in order to decide whether to continue executing the uncontrolled-class instruction. If the resource access address is within the permissions, the processing module accesses the resource at that address; if the resource access address is outside the permissions, the processing module interrupts the execution of the instructions in the controlled module.
As shown in FIG. 3a, the processing module in the CPU provided by this application can support the execution of both classes of instructions, controlled-class and uncontrolled-class, and executes the two classes in different ways.
By way of example, the processing module may be a hardware structure in the CPU.
By way of example, this application may improve the above hardware structure in the CPU so that a CPU which originally supported only the execution of uncontrolled-class instructions can, after the improvement, support the interpretation and execution of controlled-class instructions in hardware, and the CPU can interpret and execute controlled-class and uncontrolled-class instructions in different ways.
By way of example, taking memory resources as the accessed resource: for an uncontrolled-class instruction, the processing module may access memory in the traditional way (for example by looking up a page table) according to the memory access address in the instruction; for a controlled-class instruction, the processing module may map the memory access address in the instruction into a particular memory address space and access memory within that particular memory address space, so that the resources a controlled-class instruction can access after being executed by the CPU are limited.
As shown in FIG. 3a and FIG. 3b, the program running in the CPU optionally includes a controlled module, a control module and an uncontrolled module. While the CPU runs any one of these three modules, the processing module can execute the instructions of the currently running module to implement the functions of that module.
The relationship between the three modules is briefly described below:
As shown in FIG. 3b, the uncontrolled module may be used to call a controlled module developed by a third party. By way of example, the uncontrolled module may run in the CPU provided by this application in order to call the controlled module, and the processing module may be used to execute the instructions in the uncontrolled module. The uncontrolled module may include uncontrolled-class instructions and optionally may also include controlled-class instructions; this application does not restrict this.
By way of example, the controlled module and the uncontrolled module may be regarded as two parts of one module (one program). By way of example, the uncontrolled module and the controlled module may stand in a caller/callee relationship. For example, the uncontrolled module first initiates a call to the controlled module, and while the controlled module runs it may in turn call functions in the uncontrolled module to implement the corresponding functions.
Furthermore, because the uncontrolled module and the controlled module are developed on different platforms, the uncontrolled module cannot fully trust the controlled module to the extent of letting it access any resource of the uncontrolled module or of the module the uncontrolled module belongs to. To ensure that the operations performed by the controlled module while it runs remain controllable from the point of view of the uncontrolled module, the uncontrolled module needs to restrict the resources the controlled module accesses.
To this end, this application provides the above control module. As shown in FIG. 3b, the control module provided by this application may be installed in or embedded into the uncontrolled module, so that the control module ensures that when the uncontrolled module calls the controlled module, the controlled module can access only limited resources. By way of example, the control module may include uncontrolled-class instructions and optionally may further include controlled-class instructions.
By way of example, as shown in FIG. 3a and FIG. 3b, the control module may run in the CPU. When the uncontrolled module needs to call the controlled module (for example to call a function), the control module may, before the controlled module runs, send uncontrolled-class instructions to the processing module so that the processing module executes them and thereby scans the instructions in the controlled module. The control module can scan whether all the instructions in the controlled module are controlled-class instructions. When the control module detects that all the instructions in the controlled module are controlled-class instructions, it may, by sending uncontrolled-class instructions to the processing module, allocate a target resource access range (which may include a target address space) to each instruction in the controlled module. In this way, once the controlled module runs, the processing module can only access resources within that target address space when executing the controlled-class instructions in the controlled module. By way of example, the resource may be the memory resource shown in FIG. 3a.
It should be noted that the resources whose access range is restricted for the controlled module are not limited to memory resources; they may also include, but are not limited to, resources inside a peripheral when the peripheral is accessed in a memory-mapped manner. The resources that can be stored in memory include code and data, so memory resources can include code resources and data resources.
By way of example, when the resource whose access range is restricted for the controlled module is a memory resource, the control module may restrict the memory address space accessed by the controlled module.
By way of example, when the resource whose access range is restricted for the controlled module is a resource of the above peripheral, the control module may restrict the address space within the peripheral that the controlled module accesses.
For ease of description, the embodiments of this application use access restriction on memory resources as the example; when the resource is some accessible resource other than a memory resource, the method is the same and is not repeated here.
By way of example, the control module and the controlled module may be software programs running in the CPU of this application.
Optionally, the control module may also run in a traditional CPU; this application does not restrict this.
Controlled-class and uncontrolled-class instructions are introduced below:
By way of example, the controlled-class instructions may include the custom instruction set of this application, where an instruction in the custom instruction set, when executed by the CPU, can only access a particular resource range and cannot access resources outside that range. In other words, the resource access range of the instructions in the custom instruction set is restricted when they are executed by the CPU.
Optionally, the controlled-class instructions may also include some traditional instructions that have no effect on the security of the code and data of the uncontrolled module (for example addition and subtraction instructions and other instructions that do not need to access memory resources). Which instructions are regarded as having no effect on the security of the code and data of the uncontrolled module may be configured flexibly as needed; this application does not restrict this.
By way of example, for a resource-independent preset instruction among the controlled-class instructions (that is, an instruction that does not need to access resources, taking memory resources as the resource), the control module does not need to allocate a target resource access range to that preset instruction; the control module only needs to allocate a target resource access range to each controlled-class instruction in the controlled module that needs to access memory resources. Memory resources are taken here as the accessed resource by way of example.
An uncontrolled-class instruction may be any instruction other than a controlled-class instruction.
Uncontrolled-class instructions may include, but are not limited to, third-type instructions and fourth-type instructions.
By way of example, when a third-type instruction is executed by the CPU, the CPU can access code and execute that code.
By way of example, the third-type instructions may include, but are not limited to, the jump instruction; this application does not restrict this.
The jump instruction transfers control between instructions, can be used in function call scenarios and can be used to access code; it is also a kind of memory access instruction.
By way of example, the jump instruction can be classified as an instruction that accesses code in memory, and may be referred to as the "uncontrolled-class jump instruction".
By way of example, when a fourth-type instruction is executed by the CPU, the CPU can access data.
The fourth-type instructions may include, but are not limited to, the load instruction, the store instruction and stack access instructions; this application does not restrict this.
When the load instruction is executed, the CPU loads data from memory into the CPU according to the memory access address in the instruction; when the store instruction is executed, the CPU writes data from the CPU into memory according to the memory access address in the instruction.
The stack access instructions may include the push instruction and the pop instruction; stack access instructions are also memory access instructions.
The load, store, push and pop instructions can be classified as instructions that access data in memory.
As described above, the controlled-class instructions may include the custom instruction set of this application and optionally some traditional instructions that have no effect on the security of the code and data of the uncontrolled module. For ease of description, the following embodiments take the controlled-class instructions to be this custom instruction set.
By way of example, for the controlled-class instructions, the instruction types of the custom instruction set may include, but are not limited to: the load_short instruction, the store_short instruction, the short_push instruction, the short_pop instruction and the short_jump instruction.
Taking memory resources as the example, the instructions in the custom instruction set can only access data or code within a particular memory address space.
When the load_short instruction is executed by the CPU, the CPU executes it according to the semantics of the load_short instruction, loading data from a particular memory address space into the CPU according to a preset algorithm.
By way of example, the load_short instruction may exist in several encodings; for ease of understanding these can be written load_shortN, where N is a positive integer and differently encoded load_short instructions have different values of N.
When differently encoded load_short instructions are executed by the CPU, the process by which the CPU loads data from the memory address space into the CPU may, by way of example, differ, but the resource access range of every encoding of the load_short instruction is restricted during execution. Likewise, other instructions in the custom instruction set (for example the store_short instruction) may also exist as several encodings of the same instruction type.
When the store_short instruction is executed by the CPU, the CPU executes it according to the semantics of the store_short instruction, writing data from the CPU into a particular memory address space according to a preset algorithm.
It should be noted that the load instruction and the load_short instruction have different instruction encodings; both load data from memory into the CPU, but the resource range of the load_short instruction is restricted. Likewise, the store instruction and the store_short instruction have different instruction encodings, and the resource access range of the store_short instruction is restricted.
Likewise, compared with the traditional push and pop instructions, the short_push and short_pop instructions are push and pop instructions which, when executed by the CPU, cause the CPU to push to and pop from a particular stack address space according to the preset algorithm of this application, so that resource access takes place within a restricted stack address space.
Likewise, compared with the traditional jump instruction, the short_jump instruction is an instruction which, when executed by the CPU, causes the CPU to access code within a particular memory address space according to the preset algorithm of this application.
The instructions in the custom instruction set can therefore also be divided into two types:
When a first-type instruction is executed by the CPU, the CPU can access a code resource and run that code resource.
The first-type instructions may include, but are not limited to, the short_jump instruction.
By way of example, a first-type instruction may be referred to as a "controlled-class jump instruction".
When a second-type instruction is executed by the CPU, the CPU can access data resources.
The second-type instructions may include, but are not limited to, the load_short, store_short, short_push and short_pop instructions.
By way of example, for ease of description, the following text takes the controlled-class instructions to be the above custom instruction set and takes the resource access range restricted for controlled-class instructions to be a memory resource access range. The controlled-class instructions are then all memory access instructions and can be divided into the first-type and second-type instructions above.
Furthermore, for brevity, the phrase "the XX instruction is an instruction for accessing a code resource" used throughout means that when the XX instruction is executed by the CPU (or the processing module in the CPU), the CPU (or the processing module in the CPU) can access the code resource and run it. Likewise, "the XX instruction is an instruction for accessing a data resource" means that when the XX instruction is executed by the CPU (or the processing module in the CPU), the CPU (or the processing module in the CPU) can access the data resource.
Referring again to FIG. 3a, the control module can scan whether all the instructions in the controlled module are controlled-class instructions. By way of example, the control module may include the above custom instruction set, and the control module can scan the instructions in the controlled module and compare them with the instructions in the custom instruction set to detect whether all the instructions in the controlled module are controlled-class instructions.
Optionally, if the control module detects that all the instructions in the controlled module are instructions of the custom instruction set, the control module may determine that all the instructions in the controlled module are controlled-class instructions.
Optionally, if the control module detects that the instructions in the controlled module include an instruction outside the custom instruction set, the control module may determine that the instructions in the controlled module are not all controlled-class instructions.
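The scan described in the preceding paragraphs, shown as an added example written for this page (it is not code from the patent or from the applicant's implementation). The instruction names are those of the description; the (mnemonic, operand) tuple encoding, the load_short1/load_short2 and store_short1/store_short2 encoding variants, the choice of add and sub as the resource-free traditional instructions, and the two sample modules are constructed assumptions.

```python
from typing import Iterable, List, Optional, Tuple

# Toy encoding (constructed): one instruction is a (mnemonic, operand) pair.
# Real hardware would decode machine words; the scan logic is the same.
Instruction = Tuple[str, int]

# The custom instruction set of the description. load_short and store_short
# exist in several encodings (load_shortN); N = 1, 2 is a constructed choice.
CUSTOM_SET = frozenset({
    "load_short1", "load_short2", "store_short1", "store_short2",
    "short_push", "short_pop", "short_jump",
})

# Optional traditional instructions that touch no memory and therefore cannot
# affect the code and data of the uncontrolled module (assumed selection).
RESOURCE_FREE = frozenset({"add", "sub"})

CONTROLLED_SET = CUSTOM_SET | RESOURCE_FREE


def is_controlled(insn: Instruction) -> bool:
    """Controlled-class test: is the mnemonic in the preset instruction set?"""
    return insn[0] in CONTROLLED_SET


def needs_target_range(insn: Instruction) -> bool:
    """Only controlled instructions that access memory get a target resource range;
    resource-independent preset instructions (add, sub) need none."""
    return insn[0] in CUSTOM_SET


def scan_controlled_module(code: Iterable[Instruction]) -> Optional[int]:
    """Return None when every instruction is a controlled-class instruction,
    otherwise the index of the first instruction outside the preset set."""
    for index, insn in enumerate(code):
        if not is_controlled(insn):
            return index
    return None


def admit(code: List[Instruction]) -> Tuple[bool, int]:
    """Control-module decision before the controlled module may run:
    (admitted, number of instructions that must be given a target range)."""
    if scan_controlled_module(code) is not None:
        return False, 0
    return True, sum(1 for insn in code if needs_target_range(insn))


# Constructed third-party modules. The first uses only controlled-class
# instructions; the second contains a plain store at index 2 and a plain jump,
# so it is rejected and never run.
GOOD_MODULE: List[Instruction] = [
    ("load_short1", 8), ("add", 1), ("store_short2", 8), ("short_jump", 0),
]
BAD_MODULE: List[Instruction] = [
    ("load_short1", 8), ("add", 1), ("store", 0x1000), ("jump", 0),
]
```

A rejected module is the safe outcome: the control module simply does not allocate a target range and the uncontrolled module does not call it, because any unrestricted instruction in the module would otherwise run with the full permissions of the calling program.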
By way of example, referring to FIG. 3a, when the control module detects that all the instructions in the controlled module are controlled-class instructions, the control module can, by sending uncontrolled-class instructions to the processing module, write target address parameters into the processing module (for example into a storage unit in the processing module) in order to restrict the target resource access range of the controlled module, for example the target address space in memory.
Specifically, by way of example, when the control module allocates a target resource access range to each instruction in the controlled module, the control module may send an uncontrolled-class instruction to the processing module; when executing that uncontrolled-class instruction, the processing module may allocate an accessible target address space in memory for each controlled-class instruction in the controlled module and determine the target address parameters of that target address space. The control module may further send an uncontrolled-class instruction to the processing module, and when executing it the processing module may write the above target address parameters into the storage unit. The allocation of a target resource access range to each instruction in the controlled module is thereby achieved.
In this embodiment the target resource access range is allocated to each controlled-class instruction in the controlled module by having the processing module execute uncontrolled-class instructions. The reason is as follows. If the processing module could allocate the target resource access range to the controlled module when executing a controlled-class instruction, then the controlled module could send a controlled-class instruction that had passed the scan to the processing module and thereby have the processing module modify the target resource access range allocated to each of its instructions. For example, the controlled module could change the target resource access range to one that the control module does not allow it to access, so that the resource access range of the controlled module would no longer be controlled by the control module. The purpose of restricting the target resource access range of the controlled module through the control module would then not be achieved, and the controlled module could easily access sensitive memory resources (for example memory holding user account data). In this embodiment of the application, by contrast, the control module is the party that restricts the resource access range of the controlled module: the processing module allocates the target resource access range to each controlled-class instruction in the controlled module by executing the uncontrolled-class instructions in the control module, so the resource access range of the controlled module is controlled by the control module, and the controlled module cannot itself modify the target resource access range it can access, which ensures that the controlled module accesses resources securely.
Optionally, the storage unit used to store the target address parameters may be built into the CPU.
Optionally, the storage unit may be built into the processing module, or built into the CPU but outside the processing module (in which case the processing module is communicatively connected to the storage unit).
Optionally, the storage unit may also be a storage unit in an external chip independent of the CPU, which the processing module can access.
By way of example, the storage unit may be a register (including but not limited to a segment register), a magnetic head, etc.
Since the resource access ranges that an uncontrolled module imposes on the different controlled modules it calls may differ, and that difference may be configured flexibly as needed, the control module may run on the CPU of this application before the controlled module does (for example, before the uncontrolled module calls the controlled module) and update the target address parameter in the storage unit by means of uncontrolled-class instructions, so that the controlled code the uncontrolled module is about to call can only access memory resources within the particular address space bounded by that target address parameter.
Optionally, the target address parameter may comprise several sets of address parameters, and the control module may assign different address parameters to the controlled-class instructions in the controlled module according to instruction type, so that when the CPU executes controlled-class instructions of different types in the controlled module, the address spaces it accesses differ. For example, one set of address parameters corresponds to one address space.
Optionally, when the target address parameter comprises several sets of address parameters, the storage units holding the individual sets may be the same or different.
For example, the target address parameter can be set by uncontrolled-class instructions but not by controlled-class instructions, so that the controlled module cannot modify its own accessible address space by sending controlled-class instructions to the processing module.
For example, the target address parameter may be written to the storage unit by the control module, by sending uncontrolled-class instructions, before the controlled module runs.
Optionally, while the controlled module is running, the control program cannot use uncontrolled-class instructions to update the target address parameter assigned to the controlled-class instructions of that controlled module.
Optionally, after the controlled module has finished running, the control program may use uncontrolled-class instructions to clear the target address parameter for that controlled module from the storage unit, so that the processing module can execute the code of the next controlled module.
After the control module has written the target address parameter to the processing module and the processing module has written it into the storage unit, the uncontrolled module may call the controlled module so that the controlled module runs on the CPU.
While the controlled module runs, the processing module executes the controlled-class instruction currently being run by the controlled module (referred to as the target instruction). When executing the target instruction, the processing module maps the original memory access address in the target instruction into the target address space corresponding to that instruction, obtaining the target memory access address that corresponds to the original address within the target address space, and accesses memory at the target memory access address.
For example, the processing module may process the original memory access address in the target instruction so that the processed address (the target memory access address) lies within the target address space corresponding to that instruction, and then access memory at the target memory access address.
For example, the processing module executes the received target instruction, reads from the storage unit the target address parameter set for that target instruction (a controlled-class instruction) of the controlled module, and, following a preset algorithm, determines from the target address parameter and the original memory access address in the target instruction a target memory access address within the corresponding target address space; the processing module then accesses the memory resource at the target memory access address.
For example, when the original memory access address lies outside the target address space, the processing module may, according to the target address parameter, zero some of the high-order bits of the original address so that the resulting target memory access address falls within the target address space. Put simply, if the target address space is 1 to 100 and the original memory access address is 1000, the address can be reduced by a factor of 10, giving a target memory access address of 100, which lies within the target address space.
In the embodiments of this application, so that the target instruction can access only resources in the target address space set for it when executed by the processing module, the processing module, according to the encoding of the target instruction, processes the original memory access address by the above algorithm (for example, zeroing several high-order address bits) when it executes the instruction. Consequently, whether or not the original memory access address in the target instruction lies within the target address space, the processed target memory access address always does.
For example, even if a piece of code in the controlled module requests code at some address 1 outside the target address space, the processing module, when executing the controlled-class instruction corresponding to that code, maps address 1 by the above algorithm to an address 2 within the target address space. Thus wherever the resource requested by the controlled module is located, the processing module, when executing the controlled module's target instruction, finds a target memory access address within the target address space that corresponds to the original memory access address and accesses the resource there as the result of the access to the original address.
In this way, when the processing module of the embodiments of this application executes a target instruction, it does not access resources directly at the instruction's original memory access address, but finds the target memory access address to which the original address maps within the target address space and accesses the resource there. The resources accessible to the controlled module are thus restricted at the granularity of each target instruction's access address, and the resource pointed to by the target memory access address is definite and unique, so this fine-grained restriction ensures that any instruction of the controlled module accesses only a resource that has been determined in advance.
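As an added example (not code from the application), the following Python models the mapping step described above, with separate parameter sets for the code-type and data-type controlled instructions as the multiple sets of address parameters described earlier allow. The class and function names, the power-of-two window layout, the window sizes and the sample instruction trace are this example's own constructions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Instruction types named on the page: first-type instructions reach code,
# second-type instructions reach data.
CODE_INSTRUCTIONS = frozenset({"short_jump"})
DATA_INSTRUCTIONS = frozenset({"load_short", "store_short", "short_push", "short_pop"})


@dataclass(frozen=True)
class AddressParam:
    """One set of target address parameters (constructed layout for this example).

    The target address space is a window of 2**bits bytes starting at `base`,
    which must be aligned to the window size. Zeroing every address bit above
    `bits` and re-attaching `base` folds any original address into the window.
    """
    base: int
    bits: int

    def __post_init__(self) -> None:
        if self.base & self.mask:
            raise ValueError("base must be aligned to the window size")

    @property
    def mask(self) -> int:
        return (1 << self.bits) - 1

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + (1 << self.bits)

    def map_address(self, original: int) -> int:
        # High bits zeroed, low bits kept: an in-window address maps to itself,
        # an out-of-window address lands on the same offset inside the window.
        return self.base | (original & self.mask)


class StorageUnit:
    """Models the segment-register-like storage unit holding the parameters.

    Only the control module writes here (through uncontrolled-class
    instructions); the controlled code never reaches these methods.
    """

    def __init__(self) -> None:
        self.code: Optional[AddressParam] = None
        self.data: Optional[AddressParam] = None

    def set_params(self, code: AddressParam, data: AddressParam) -> None:
        self.code, self.data = code, data

    def clear(self) -> None:
        # Performed by the control module after the controlled module finishes.
        self.code = self.data = None


def execute_controlled(storage: StorageUnit,
                       program: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Run a decoded list of controlled-class instructions through the mapping.

    Returns the (mnemonic, target memory access address) actually used for
    each instruction; a mnemonic outside the controlled set is refused outright.
    """
    accessed = []
    for mnemonic, original in program:
        if mnemonic in CODE_INSTRUCTIONS:
            param = storage.code
        elif mnemonic in DATA_INSTRUCTIONS:
            param = storage.data
        else:
            raise PermissionError(f"{mnemonic} is not a controlled-class instruction")
        if param is None:
            raise RuntimeError("target address parameter not set before running controlled code")
        accessed.append((mnemonic, param.map_address(original)))
    return accessed


def all_within_windows(storage: StorageUnit, accessed: List[Tuple[str, int]]) -> bool:
    """Check that every address actually accessed lies in its type's window."""
    return all(
        (storage.code if m in CODE_INSTRUCTIONS else storage.data).contains(a)
        for m, a in accessed
    )


# Constructed layout: controlled code window 0x4000-0x4FFF, controlled data
# window 0x6000-0x6FFF. Host memory (including the control code) lies elsewhere.
CODE_PARAM = AddressParam(base=0x4000, bits=12)
DATA_PARAM = AddressParam(base=0x6000, bits=12)

# Constructed plug-in trace: two in-window accesses, then two attempts outside.
SAMPLE_PROGRAM = [
    ("short_jump", 0x4010),   # jump within the controlled code window
    ("load_short", 0x6004),   # read controlled data
    ("store_short", 0x0008),  # attempt to write host memory below the window
    ("short_jump", 0x1234),   # attempt to jump into the host's own code
]


def run_sample() -> List[Tuple[str, int]]:
    storage = StorageUnit()
    storage.set_params(CODE_PARAM, DATA_PARAM)  # control module, before the plug-in runs
    accessed = execute_controlled(storage, SAMPLE_PROGRAM)
    storage.clear()                             # control module, after the plug-in finishes
    return accessed
```

The two out-of-window requests are folded to 0x6008 and 0x4234 respectively, so the plug-in still receives a definite resource inside its windows rather than the host's memory.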
Optionally, the processing module may also execute uncontrolled-class instructions sent by the control module, accessing any address space in memory within the control module's memory access permissions.
Optionally, before the controlled module runs, if the control module's scan finds that the controlled module contains uncontrolled-class instructions, the control module may raise an error and refuse to execute the controlled module, ensuring that a controlled module can only access memory resources within the target address space bounded by the target address parameter.
Optionally, before the controlled module runs, if the control module's scan finds that the controlled module contains an uncontrolled-class instruction, and that instruction is of the third type described above (one whose execution lets the processing module access code), for example an uncontrolled-class jump instruction, then if the control module detects that the function the jump targets is a preset function (which may include the first preset function and the second preset function described below), the controlled module (for example a plug-in) may likewise be judged safe and the control module allows it to run. Here a preset function is a function outside the controlled module's resource access range that the control module permits the controlled module to access.
The systems of Figure 3a and Figure 3b can be understood with the following example:
Application 1 (an example of an uncontrolled module) needs to run a plug-in developed by a third party (an example of a controlled module) to implement a new feature. To ensure the plug-in cannot access sensitive information in Application 1 (such as user information), Application 1 may embed the control program provided by this application (an example of a control module).
Before Application 1 runs the plug-in, the control program scans the instructions in the plug-in; if every instruction scanned is a controlled-class instruction, the plug-in is judged safe. The control program then sets a memory resource access range for each controlled-class instruction in the plug-in; specifically, it uses uncontrolled-class instructions to write the address parameters that bound the memory access space into a segment register (an example of a storage unit) of the CPU of this application.
The instruction that writes the target address parameter into the segment register must be an uncontrolled-class instruction, not a controlled-class one. This prevents the plug-in, while running, from having the CPU execute a controlled-class instruction that modifies the target address parameter in the segment register. Since the target address parameter determines the target address space accessible to the plug-in's controlled-class instructions, this prevents the plug-in from tampering at run time with the data in the segment register that corresponds to its instructions and thereby accessing resources outside the target address space.
Application 1 can then call the plug-in. Once running, the plug-in sends controlled-class instructions to the processing module; the processing module executes each controlled-class instruction, uses the address parameters in the segment register to determine, within the bounded memory access space, a target memory access address for the instruction's original memory access address, and accesses that target address in memory.
In this way, when Application 1 calls a plug-in developed by a third party, it can use the plug-in's functionality while ensuring that the plug-in can access data and code resources only within a restricted memory address space, securing the plug-in's access to Application 1's resources.
Optionally, when the control program's scan finds that the plug-in contains uncontrolled instructions, the plug-in is judged unsafe, and the control program may report an error and prevent the plug-in from running.
Optionally, when the control program's scan finds that the plug-in contains an uncontrolled-class instruction and that instruction is an uncontrolled-class jump instruction, the plug-in may still be judged safe if the function the jump accesses is a preset function. The operations described above, such as allocating the memory resource access range, are then carried out and are not repeated here.
Here a preset function is an external function that the control program designates as accessible to the plug-in; an external function is a function in the uncontrolled program.
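As an added example (Python, not the application's own code) of the load-time scan the control program performs in the plug-in example above and in the optional cases just described: it decodes a compiled module, accepts only the controlled instruction set named in this application, and additionally allows an uncontrolled jump whose target is an allow-listed preset function. The fixed-width encoding, the opcode table, the preset function address and the sample modules are constructed for this example; the application does not specify an encoding.

```python
import struct
from typing import FrozenSet, Iterator, NamedTuple, Optional, Tuple

# Constructed encoding for this example: 1 opcode byte + 4-byte little-endian operand.
INSN_SIZE = 5
OPCODES = {
    0x01: "load", 0x02: "store", 0x03: "jump", 0x04: "push", 0x05: "pop",
    0x81: "load_short", 0x82: "store_short", 0x83: "short_jump",
    0x84: "short_push", 0x85: "short_pop",
}
MNEMONIC_TO_OPCODE = {m: o for o, m in OPCODES.items()}
# The controlled instruction set named on the page.
CONTROLLED = frozenset({"load_short", "store_short", "short_jump", "short_push", "short_pop"})


class Instruction(NamedTuple):
    offset: int
    mnemonic: str
    operand: int


def decode(image: bytes) -> Iterator[Instruction]:
    """Walk the compiled module; anything that cannot be classified is an error."""
    if len(image) % INSN_SIZE:
        raise ValueError(f"truncated instruction at offset {len(image) - len(image) % INSN_SIZE}")
    for offset in range(0, len(image), INSN_SIZE):
        opcode = image[offset]
        if opcode not in OPCODES:
            raise ValueError(f"unknown opcode 0x{opcode:02x} at offset {offset}")
        (operand,) = struct.unpack_from("<I", image, offset + 1)
        yield Instruction(offset, OPCODES[opcode], operand)


def scan(image: bytes,
         preset_functions: FrozenSet[int] = frozenset()) -> Tuple[bool, Optional[str]]:
    """Load-time check run by the control program before the plug-in executes.

    Accepts a module made only of controlled-class instructions, plus
    uncontrolled jumps whose target is a preset (allow-listed) host function.
    Returns (True, None) to allow the module, or (False, reason) to refuse it.
    Undecodable bytes are refused as well, since they cannot be classified.
    """
    try:
        for insn in decode(image):
            if insn.mnemonic in CONTROLLED:
                continue
            if insn.mnemonic == "jump" and insn.operand in preset_functions:
                continue
            return False, f"uncontrolled instruction {insn.mnemonic} at offset {insn.offset}"
    except ValueError as exc:
        return False, str(exc)
    return True, None


def encode(*insns: Tuple[str, int]) -> bytes:
    """Assemble constructed sample modules in the encoding above."""
    return b"".join(bytes([MNEMONIC_TO_OPCODE[m]]) + struct.pack("<I", a) for m, a in insns)


# Constructed samples. 0x1200 stands in for a preset function inside the host application.
PRESET_FUNCTIONS = frozenset({0x1200})
SAFE_PLUGIN = encode(("load_short", 0x6000), ("short_push", 0),
                     ("short_jump", 0x4010), ("store_short", 0x6004))
PLUGIN_CALLING_HOST = encode(("load_short", 0x6000), ("jump", 0x1200))
TAMPERED_PLUGIN = encode(("load_short", 0x6000), ("store", 0x0008))
```

The second sample passes only when its jump target is on the preset-function list; the third is refused because a plain store was emitted in place of store_short.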
For example, the controlled module is a controlled program, which is a compiled program (a binary data file, such as a plug-in).
Optionally, the control module may include a compilation module; for example, the compilation module is a compiler.
Then, when a third party provides an uncompiled program 1, the control module of this application can compile program 1 with the compiler before the uncontrolled module calls it. For example, when compiling the high-level-language source of program 1, the compiler of this application emits controlled-class instructions, so that the compiled file (hereafter also called the instruction file) contains only controlled-class instructions.
For example, for source code that loads data from memory into the CPU, a conventional compiler emits a load instruction, whereas the compiler of this application emits a load_short instruction.
For example, for source code that writes data from the CPU into memory, a conventional compiler emits a store instruction, whereas the compiler of this application emits a store_short instruction.
For example, for source code that calls a function, a conventional compiler emits a jump instruction, whereas the compiler of this application emits a short_jump instruction.
For example, for source code that accesses data on the stack, a conventional compiler emits a push or pop instruction, whereas the compiler of this application emits a short_push or short_pop instruction.
For example, if the controlled module is an already compiled plug-in and the control module's scan of the plug-in finds uncontrolled-class instructions, the plug-in may have been built with an unauthorized compiler (one other than the compiler provided by this application), or the program may have been tampered with by hand after being compiled with the compiler provided by this application. The control module may then refuse to execute the plug-in.
For example, if the controlled module is a plug-in, the compiler of this application can compile it to controlled-class instructions, producing compiled controlled code. When the control module scans the instructions in that controlled code it finds only controlled-class instructions, and the controlled code can then run within the uncontrolled code.
Optionally, the controlled module may also be one that does not need compiling, for example a module written in assembly language; in that case the compiler of this application need not be used to control the module's resource access range.
Note that for the step in Figure 3a in which the control module scans whether all instructions of the controlled module are controlled-class instructions, the CPU running the controlled module may be any conventional CPU. However, the process shown in Figure 3a in which the control module sends uncontrolled-class instructions to the processing module to write the target address parameter bounding the controlled module's resource access range into the storage unit is implemented on the CPU provided by this application.
For example, the same module may be a controlled module in one environment and an uncontrolled module in another.
For example, a browser app runs on a user's phone but was not developed by the phone platform; the phone's operating system code may then be the uncontrolled module and the browser app's code the controlled module. To restrict the browser app's resource access on the phone, the operating system may embed the control module provided by this application. Before the operating system runs the browser app, its control module scans whether the browser app consists entirely of controlled-class instructions; if so, the browser app is allowed to run, otherwise an error is reported and the browser app is not allowed to run, ensuring secure access to the operating system's resources.
As another example, if the browser app wants to load a dynamic library and call its functions, the browser app is the uncontrolled module and the dynamic library the controlled module. The browser app cannot be sure whether the code in the dynamic library accesses the browser app's content beyond its authority. To ensure the dynamic library cannot access resources not allocated to it, the browser app may embed the control module provided by this application, so that whenever the browser app calls a program developed by a third-party platform, that program can run only with controlled-class instructions and the resources it can access are limited. In this example, before the browser app calls functions in the dynamic library, the control program in the browser app scans whether the library's functions consist entirely of controlled-class instructions; if so, the functions are allowed to run, otherwise an error is reported and they are not allowed to run, ensuring secure access to the browser app's resources.
In the embodiments of this application the CPU's instructions are divided into controlled-class and uncontrolled-class instructions, which are executed in the different ways described above. The CPU can thus support both modules not subject to resource access restrictions (for example uncontrolled modules, which can call controlled modules) and modules whose resource access is restricted (for example the controlled modules above). This enriches the types of instruction the CPU can execute and implements access control over the resource range of controlled modules running on the CPU.
In the embodiments of this application, when the CPU executes a controlled-class instruction it can access only the limited resource access range allocated to that instruction. Having the control module scan, before the controlled module runs, whether all instructions in the controlled module are controlled-class instructions therefore checks the instruction types in the controlled module ahead of execution. If the control module finds that all instructions in the controlled module are controlled-class instructions, it can be sure that the controlled module will not access resources beyond its resource access range at run time, which ensures the controlled module's secure access to resources. In other words, the control module's instruction scan before the controlled module runs determines whether the controlled module is safe, and the module is run only once it has been determined to be safe. The embodiments of this application thus perform the security check of a third-party controlled module before it runs, with no need to check each instruction for safety in real time during execution, which improves the controlled module's execution efficiency.
The control module of this application can be used in embedded-code scenarios, that is, where an uncontrolled module within a role instance (including but not limited to a user-mode process, a virtual machine, or an operating system) needs to execute a controlled module embedded in it. The control module embedded in the uncontrolled module distinguishes controlled-class from uncontrolled-class instructions, scans the controlled module for uncontrolled-class instructions before it runs, and thereby decides whether the uncontrolled module may call and run the controlled module, achieving a security check of external modules. The instructions the processing module can execute are divided into controlled-class and uncontrolled-class instructions; when executing a controlled-class instruction the processing module accesses resources within the limited address space the control module has set for that instruction, ensuring that external modules access the uncontrolled module's resources securely.
Embodiment 2
Optionally, Figure 4a shows an example operating flow of the system of this application. In conjunction with Figures 3a and 3b, and referring to Figures 4a and 4b, the control module may be implemented as control code, the controlled module as controlled code, and the uncontrolled module as uncontrolled code.
The CPU of this application includes a processing module and may run controlled code and control code. The processing module executes the instructions of the code running on the CPU.
Figure 4b is a schematic diagram of the memory address space in the embodiment of Figure 4a.
Before the controlled code runs on the CPU of this application, the CPU may run the instructions of the control code; the control code then performs S101, S103 and S105 through the processing module.
S101: the control code scans the instructions in the controlled code through the processing module to determine whether they are all controlled-class instructions.
Take as an example App1 calling plug-in 1 developed by a third party, where App1 embeds the control code of this application. As shown in Figure 4b, App1's uncontrolled code occupies address space d0 to d3 in memory, the control code embedded in it occupies address space d1 to d2, and App1's uncontrolled code runs in process 1. The processing module executes App1's uncontrolled-class instructions with the privileges of process 1; address space d0 to d3 holds uncontrolled-class instructions.
For example, uncontrolled code may contain uncontrolled-class instructions and optionally controlled-class instructions as well; this application does not restrict this.
For example, the control code may issue uncontrolled-class instructions to the processing module to access any address space within the permissions of process 1. Optionally, the control code may also contain controlled-class instructions; this application does not restrict this.
For example, as shown by the dashed arrows in Figure 4b, the control code can access address spaces d3 to d4, d4 to d5, and d6 to d7 in memory. Note that this is only an example and does not limit this application.
Optionally, App1 or the control code may write the code of plug-in 1 (the controlled code) into memory, so that the processing module can read the control code's instructions from memory and execute them to scan the instructions of plug-in 1.
Here the instructions executed by the processing module are instructions of the control code; when executing them, the processing module reads the instructions of plug-in 1 as data and scans whether they are all controlled-class instructions.
For example, as shown in Figure 4b, the controlled code (for example plug-in 1) is stored in address space d4 to d5, so the control code scans the controlled code in address space d4 to d5 to check whether all its instructions are controlled-class instructions.
Optionally, when the control code detects that the controlled code contains uncontrolled-class instructions, it raises an error and refuses to execute the controlled code.
For example, when the control code detects that all instructions in the controlled code are controlled-class instructions, the flow proceeds to S103.
S103: the control code determines, for the controlled code, a first address space with a first address parameter and a second address space with a second address parameter.
As described in the embodiment above, controlled-class instructions can be divided into first-type and second-type instructions.
For example, taking memory as the resource whose access range is restricted, when the CPU executes a first-type instruction it may access code resources in memory and run that code.
First-type instructions may include, but are not limited to, the short_jump instruction.
When the CPU executes a second-type instruction it may access data resources. Second-type instructions include, but are not limited to, the load_short, store_short, short_push and short_pop instructions.
When allocating a target resource access range to each controlled-class instruction in the controlled code, the control code may allocate a second resource access range to the first-type instructions and a third resource access range to the second-type instructions, where the resource access addresses of the second and third resource access ranges differ.
For example, when allocating the second resource access range to the first-type instructions in the controlled code, the control code may allocate to each first-type instruction a first address space and a first address parameter corresponding to that first address space.
The first address space stores the code resources accessible to the controlled-class instructions in the controlled code.
For example, the first address parameter is used to determine the address range of the first address space.
For example, when allocating the third resource access range to the second-type instructions in the controlled code, the control code may allocate to each second-type instruction a second address space and a second address parameter corresponding to that second address space.
The second address space stores the data resources accessible to the controlled-class instructions in the controlled code.
For example, the second address parameter is used to determine the address range of the second address space.
As shown in Figure 4b, the control code wrote the controlled code to address space d4 to d5 before scanning it, so when the control code finds that all instructions in the controlled code are controlled-class instructions, it may take address space d4 to d5 as the first address space allocated to the controlled code.
In addition, the control code may determine a second address space to allocate to the controlled code within the memory address space accessible to the uncontrolled code.
Optionally, when allocating the first and second address spaces to the controlled-class instructions in the controlled code, the control code may determine the sizes of the allocated spaces either according to a predetermined space size that the uncontrolled code in which the control code is embedded (for example the App1 above) specifies for the controlled code (for example plug-in 1), or according to the needs of the controlled code.
As shown in Figure 4b, the first address space is address space d4 to d5, where the code accessible to the controlled code is stored; the second address space is address space d6 to d7, where the data accessible to the controlled code ("controlled data" for short) is stored.
需要说明的是,第一地址空间和第二地址空间之间的地址不同。受控代码可通过第一类指令,来访问内存中存储在第一地址空间内的代码,以及通过第二类指令,来访问内存中存储在第二地址空间中的数据。如果第一地址空间和第二地址空间存在重叠的地址,那么重叠的地址可存储代码以及数据,那么受控代码可在控制代码扫描其指令均为受控类指令之后,通过例如store_short指令,来访问该重叠的地址,并修改该重复的地址处的代码,使得受控代码中的代码(也即指令)被修改为非受控类指令,从而能够在所限制的第一地址空间和第二地址空间之外进行数据或代码的访问。本申请通过对受控代码中的受控类指令,配置不同的第一地址空间和第二地址空间,以免受控代码在经扫描通过允许运行后,受控代码再次修改内部代码,使受控代码包括非受控类指令,以访问未分配的内存资源,从而避过控制代码的扫描。It should be noted that the addresses between the first address space and the second address space are different. The controlled code can access the code stored in the first address space in the memory through the first type of instructions, and access the data stored in the second address space in the memory through the second type of instructions. If there are overlapping addresses in the first address space and the second address space, then the overlapping addresses can store code and data, and then the controlled code can use, for example, the store_short instruction after the control code scans that all the instructions are controlled class instructions. Access the overlapping address, and modify the code at the repeated address, so that the code (ie, instruction) in the controlled code is modified into an uncontrolled class instruction, so that it can be used between the restricted first address space and the second Access data or code outside the address space. This application configures different first address spaces and second address spaces for the controlled class instructions in the controlled code, so as to prevent the controlled code from modifying the internal code again after being scanned and allowed to run, making the controlled code The code includes uncontrolled instructions to access unallocated memory resources, thus evading scanning by the controlling code.
For example, after the control code assigns the first address space to the first-type instructions in the controlled code, the control code may determine the first address parameter corresponding to the first address space.
For example, the first address parameter may be used to determine the address range of the first address space; optionally, the first address parameter is used to determine, for a first access address in a first-type instruction, the second access address mapped into that first address space.
The control code may then determine the first address parameter from the address range of the first address space according to a first preset algorithm.
It should be noted that differences in the specific first preset algorithm may result in differences in the parameter type of the first address parameter determined; this application does not restrict the specific parameters of the first address parameter, nor the first preset algorithm used to determine the first address parameter from the address range of the first address space. The first preset algorithm, and the second, third and fourth preset algorithms mentioned in later embodiments, may each be any algorithm capable of limiting the resource access range of the controlled code; this application does not restrict the specific algorithm.
For example, the first address parameter may include a code_base parameter and a code_limit parameter.
The code_base parameter may represent the starting address (that is, the first address) of the first address space, and the code_limit parameter may be an address range parameter of the first address space (which may be understood as the length of the first address space), including but not limited to the size of the space or a binary mask that controls the size of the space.
For example, the first address space assigned by the control code to the first-type instructions in the controlled code may be a contiguous or a non-contiguous address space; this application does not restrict this.
Similarly, when the processing module executes a first-type instruction in the controlled code, it may likewise, according to the corresponding first preset algorithm, compute on the first access address carried in the first-type instruction on the basis of the code_base and code_limit parameters, so as to obtain the second access address, restricted to the first address space, that is finally accessed.
For example, the first address space of the controlled code in Figure 4b is the contiguous address space d4 to d5.
For example, when the first address space is assigned to the first-type instructions in the controlled code, the same or different first address spaces may be assigned to different instructions among the first-type instructions.
Similarly, after the control code assigns the second address space to the second-type instructions in the controlled code, the control code may determine the second address parameter corresponding to the second address space.
The principle by which the control code determines the second address parameter corresponding to the second address space is the same as the principle, described above, for determining the first address parameter corresponding to the first address space.
For example, the second address parameter may be used to determine the address range of the second address space; optionally, the second address parameter is used to determine, for a third access address in a second-type instruction, the fourth access address mapped into that second address space.
The control code may then determine the second address parameter from the address range of the second address space according to a third preset algorithm.
It should be noted that differences in the specific third preset algorithm may result in differences in the parameter type of the second address parameter determined; this application does not restrict the specific parameters of the second address parameter, nor the third preset algorithm used to determine the second address parameter from the address range of the second address space.
For example, the second address parameter may include a data_base parameter and a data_limit parameter.
The data_base parameter may represent the starting address (that is, the first address) of the second address space, and the data_limit parameter may be an address range parameter of the second address space (which may be understood as the length of the second address space), including but not limited to the size of the space or a binary mask that controls the size of the space.
For example, the second address space assigned by the control code to the second-type instructions in the controlled code may be a contiguous or a non-contiguous address space; this application does not restrict this.
Similarly, when the processing module executes a second-type instruction in the controlled code, it may likewise, according to the corresponding third preset algorithm, compute on the third access address carried in the second-type instruction on the basis of the data_base and data_limit parameters, so as to obtain the fourth access address, restricted to the second address space, that is finally accessed.
S105: The control code writes the first address parameter and the second address parameter into different storage units in the processing module.
For example, the control code may write the code_base parameter and the code_limit parameter into two registers in the processing module, for example register 1 and register 2, and write the data_base parameter and the data_limit parameter into two further registers in the processing module, for example register 3 and register 4.
That is to say, the storage units corresponding to the first address parameter and the second address parameter are different.
For example, the above registers may be segment registers; however, this application does not limit the type of storage unit into which the first or second address parameter is written to registers. It may be any hardware storage unit inside the processing module, or optionally a hardware storage unit in a chip separate from the processing module.
In addition, this application does not restrict the timing with which the control code writes the first address parameter and the second address parameter into the storage units; they may be written one after the other or simultaneously.
It should be noted that the instructions that write the first address parameter and the second address parameter into the storage units are non-controlled-class instructions in the control code; in other words, the controlled program does not contain the non-controlled-class instructions that write the first and second address parameters into the storage units. For example, the plug-in called by App1 contains no non-controlled-class instructions that modify the code_base and code_limit parameters or the data_base and data_limit parameters, and the plug-in also cannot reach any non-controlled-class instruction capable of modifying the code_base, code_limit, data_base or data_limit parameters.
For example, controlled stack access instructions (such as the short_push and short_pop instructions) are also controlled-class instructions; the operations the control code performs for these controlled stack access instructions are similar to those performed for the memory access instructions in the examples above and are not repeated here.
For example, the control code may assign an address space to the controlled stack access instructions and determine the address parameters of that address space, for example a stack_base parameter (representing the starting address of the stack) and a stack_limit parameter (representing the size of the stack space). The control code may write the stack_base and stack_limit parameters into registers, so that when the processing module executes a short_push or short_pop instruction in the controlled code, it determines, for the stack address addr to be accessed, the stack address finally accessed within the stack address space bounded by the stack_base and stack_limit parameters, and performs the push or pop operation there.
After S105, the control code allows the controlled code to run; the non-controlled code may then call the controlled code, so that the CPU of Figure 3a of this application can run the controlled code and the processing module can execute the controlled code's instructions.
The above S101 to S105 are illustrated by an example, which may be understood with reference to Figure 4b. Before App1 calls plug-in 1, App1's code runs in process 1 and the processing module works within the privileges of process 1. The processing module may then execute the non-controlled-class instructions of the control code embedded in App1 to perform the following operations: scan the instructions in plug-in 1 and, once the scan confirms that all of them are controlled-class instructions, assign to the first-type instructions in plug-in 1 the first address space d4 to d5 of accessible code and to the second-type instructions the second address space d6 to d7 of accessible data; determine the code_base and code_limit parameters of the first address space and the data_base and data_limit parameters of the second address space; and write these parameters into the registers of the processing module, where different parameters may be written into different registers. App1 may then call plug-in 1; if plug-in 1 (that is, the controlled code) has not yet been written into memory, the processing module may execute App1's non-controlled-class instructions to write the controlled code into the first address space d4 to d5. Then, once plug-in 1 has been called by App1 and is running, the processing module may execute the controlled-class instructions in plug-in 1.
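The control-code side of S101 to S105 (scan the plug-in against the preset instruction set, assign disjoint code and data spaces, derive the base/limit parameters and write them into the registers) can be modelled in a few dozen lines of C. The program below is an added example, not code from the patent: its opcodes and their numeric encodings, the rule that a window is an aligned power-of-two range whose limit is the mask size-1 (standing in for the unspecified "first preset algorithm"), and the sample plug-ins are all assumptions made for the example. The disjointness check encodes the point made above about d4 to d5 and d6 to d7: if the code and data windows shared an address, a store_short could rewrite instructions that the scan had already approved.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy opcodes for the instruction classes the page names. The numeric
 * encodings are assumptions made for this example, not the patent's. */
enum opcode {
    OP_SHORT_JUMP  = 0x10,  /* first type: accesses code resources          */
    OP_LOAD_SHORT  = 0x20,  /* second type: accesses data resources         */
    OP_STORE_SHORT = 0x21,
    OP_SHORT_PUSH  = 0x22,
    OP_SHORT_POP   = 0x23,
    OP_JUMP        = 0x80,  /* non-controlled: unrestricted jump            */
    OP_STORE       = 0x81,  /* non-controlled: unrestricted store           */
    OP_WRITE_PARAM = 0x82   /* non-controlled: writes code_base and friends */
};

struct insn { uint8_t op; uint32_t addr; };

/* The preset instruction set: only these may appear in controlled code. */
static bool is_controlled(uint8_t op)
{
    switch (op) {
    case OP_SHORT_JUMP: case OP_LOAD_SHORT: case OP_STORE_SHORT:
    case OP_SHORT_PUSH: case OP_SHORT_POP:
        return true;
    default:
        return false;
    }
}

/* Scan before running: true only if every instruction is controlled-class.
 * A plug-in carrying even one OP_WRITE_PARAM or OP_STORE is rejected. */
bool scan_controlled(const struct insn *prog, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!is_controlled(prog[i].op))
            return false;
    return true;
}

/* Storage units (the page suggests segment registers) for the parameters. */
struct param_regs {
    uint32_t code_base, code_limit;  /* register 1, register 2 */
    uint32_t data_base, data_limit;  /* register 3, register 4 */
};
struct param_regs g_regs;            /* the simulated register file */

/* Assumed "first/third preset algorithm": the window is a naturally aligned
 * power-of-two range, base = its first address, limit = binary mask size-1. */
static bool span_to_params(uint32_t lo, uint32_t hi_excl,
                           uint32_t *base, uint32_t *limit)
{
    uint32_t size = hi_excl - lo;
    if (size == 0 || (size & (size - 1)) != 0 || (lo & (size - 1)) != 0)
        return false;
    *base = lo;
    *limit = size - 1;
    return true;
}

/* S104-S105: assign code space [d4,d5) and data space [d6,d7), derive the
 * parameters and write them into the registers. The two spaces must share
 * no address: an overlap would let store_short rewrite code that the scan
 * has already approved, the bypass the page describes. */
bool allocate_and_write(uint32_t d4, uint32_t d5, uint32_t d6, uint32_t d7,
                        struct param_regs *regs)
{
    bool disjoint = (d5 <= d6) || (d7 <= d4);
    if (!disjoint)
        return false;
    if (!span_to_params(d4, d5, &regs->code_base, &regs->code_limit))
        return false;
    if (!span_to_params(d6, d7, &regs->data_base, &regs->data_limit))
        return false;
    return true;
}

/* Constructed sample plug-ins. */
const struct insn plugin_ok[] = {
    { OP_LOAD_SHORT, 0x10 }, { OP_STORE_SHORT, 0x14 }, { OP_SHORT_JUMP, 0x04 }
};
const struct insn plugin_bad[] = {   /* tries to rewrite the limit registers */
    { OP_LOAD_SHORT, 0x10 }, { OP_WRITE_PARAM, 0x00 }
};

int main(void)
{
    printf("plugin_ok  passes scan: %d\n", scan_controlled(plugin_ok, 3));
    printf("plugin_bad passes scan: %d\n", scan_controlled(plugin_bad, 2));
    if (allocate_and_write(0x00010000, 0x00020000, 0x00020000, 0x00030000, &g_regs))
        printf("code_base=%#x code_limit=%#x data_base=%#x data_limit=%#x\n",
               g_regs.code_base, g_regs.code_limit, g_regs.data_base, g_regs.data_limit);
    return 0;
}
```

The scan runs over the whole program once, before any instruction executes, which is what lets the hardware skip per-instruction checks later; the only thing the controlled code can do with an address afterwards is hand it to the mapping in S203/S303, and the parameters that shape that mapping are written solely by non-controlled instructions that the plug-in does not contain.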
For example, as shown in Figure 4a, S201, S203 and S205 may optionally follow S105.
S201: The processing module receives a first-type instruction, sent by the controlled code, for accessing a code resource.
For example, the first-type instruction is a short_jump instruction, which may carry a first access address addr.
S203 and S205: The processing module may execute the first-type instruction to read the first address parameter from the second storage unit, then determine, based on the first address parameter and the first access address, a second access address in the first address space, and access the code resource at the second access address located within the first address space.
For example, the code resource the processing module accesses at the second access address is a controlled-class jump instruction, such as a short_jump instruction.
For example, the processing module may read the code_base parameter and the code_limit parameter from register 1 and register 2 respectively.
For example, the code_base parameter is the first address of the first address space, and the code_limit parameter is a binary mask that controls the size of the first address space.
For example, when executing a first-type instruction, the processing module may, according to the second preset algorithm code_base+[code_limit(mask) OR addr], map the original memory access address addr of that first-type instruction into the first address space bounded by code_base and code_limit, obtaining a target access address restricted to the first address space.
For example, if the first address space is 0 to ffff, it can be determined that code_base=0x00000000 and code_limit=0x0000ffff.
For example, if the first access address addr1 accessed by a short_jump instruction in the controlled code is 0x12345678, addr1 lies outside the first address space 0 to ffff; the processing module of this application may then, when executing that short_jump instruction, AND code_limit with addr1 so that the high 8 bits of addr become 0, obtaining addr2 = 0x00005678. The address length of addr2 is within the length bounded by code_limit. The processing module then computes code_base+addr2 to obtain the second access address addr3; here code_base is 0, so addr3=addr2. The jump address of the short_jump instruction is thus restricted to addr3 (here 0x00005678), which does not cause an error and lets the controlled code access only resources within the first address space. addr3 lies within the address range 0 to ffff (the first address space bounded by code_base and code_limit).
Compared with a CPU that performs a page table walk for every instruction it processes, the CPU of this application, when executing a controlled-class instruction, only needs to map the original access address in that instruction into the restricted address space according to the corresponding algorithm to obtain the target address within the restricted address space; computing the target address is faster than a page table lookup, so the CPU's instruction execution efficiency is higher.
It should be noted that the above first preset algorithm and the second preset algorithm here are algorithms that correspond to each other; if the first preset algorithm changes, the second preset algorithm changes likewise.
It should be noted that this application does not restrict the above first preset algorithm, second preset algorithm or the parameter type of the first address parameter; any conventional algorithm capable of realizing the function of this application may be used to process an address that lies outside the restricted address range so that the processed address lies within that range.
In addition, this application does not restrict the number of memory access addresses (for example the above first access address) carried in a controlled-class instruction; there may be one or more first access addresses, but however many there are, the processing module, when executing the controlled-class instruction, must compute on each first access address carried in the instruction according to the second preset algorithm to determine the finally accessible second access address within the first address space of the memory assigned to that controlled-class instruction.
For example, if the first-type instruction in S201 is a short_jump instruction, then, as shown in Figure 4b, the controlled code can jump within the controlled code itself, for example for a function call inside the controlled code.
When the processing module of this embodiment receives a first-type instruction in the controlled code, for example a short_jump instruction, it may read the code_base parameter and the code_limit parameter from the segment registers (for example register 1 and register 2) that store the address parameters for the short_jump instruction, and use these two parameters to process the access address (that is, the jump address) of the short_jump instruction so that the processed access address is restricted to the first address space, thereby achieving limited access to code resources.
可选地,如图4a所示,在S105之后,可选地包括S301、S303和S305。Optionally, as shown in Figure 4a, after S105, S301, S303 and S305 are optionally included.
S301,处理模块接收受控代码发送的用于访问数据资源的第二类指令。S301. The processing module receives the second type of instruction sent by the controlled code for accessing data resources.
示例性的,第二类指令为load_short指令,该指令可携带第二访问地址addr。For example, the second type of instruction is the load_short instruction, which can carry the second access address addr.
S303和S305:处理模块可执行该第二类指令,来从第二存储单元读取第二地址参数,然后,基于该第二地址参数和第三访问地址,来在第二地址空间中确定第四访问地址,并从位于第二地址空间内的第四访问地址处访问数据资源。S303 and S305: The processing module can execute the second type of instruction to read the second address parameter from the second storage unit, and then determine the second address parameter in the second address space based on the second address parameter and the third access address. four access addresses, and access the data resource from the fourth access address located in the second address space.
示例性的,处理模块可从寄存器3和寄存器4中分别读取data_base参数和data_limit参数。For example, the processing module can read the data_base parameter and data_limit parameter from register 3 and register 4 respectively.
示例性的,data_base参数为第二地址空间的首地址,data_limit参数为控制第二地址空间大小的二进制掩码。For example, the data_base parameter is the first address of the second address space, and the data_limit parameter is a binary mask that controls the size of the second address space.
示例性的,处理模块在执行第二类指令时,可按照第四预设算法data_base+[data_limit(mask)OR addr],来得到该第二类指令中的内存访问地址addr,在由data_base和data_limit限制的第二地址空间中,对addr进行映射,得到可访问的内存地址。For example, when the processing module executes the second type of instruction, it can obtain the memory access address addr in the second type of instruction according to the fourth preset algorithm data_base+[data_limit(mask)OR addr]. After that, data_base and data_limit In the restricted second address space, addr is mapped to obtain the accessible memory address.
例如,第二地址空间为0至ffff,那么可以确定data_base=0x00000000,data_limit=0x0000ffff。For example, if the second address space is 0 to ffff, then it can be determined that data_base=0x00000000 and data_limit=0x0000ffff.
例如受控代码中的load_short指令访问的第三访问地址addr1为0x12345678,addr1并不在第二地址空间0至ffff的范围内,那么本申请的处理模块在执行该load_short指令时,可对data_limit和addr1进行与运算,使得addr的高8位变为0,得到addr2为0x00005678。其中,addr2的地址长度在data_limit限制的长度内。然后,处理模块计算data_base+addr2,得到第四访问地址addr3,这里data_base为0,因此,addr3=addr2,显然addr3在0至ffff的地址范围内(data_base和data_limit限制的第二地址空间)。For example, the third access address addr1 accessed by the load_short instruction in the controlled code is 0x12345678, and addr1 is not in the range of 0 to ffff in the second address space. Then the processing module of this application can modify data_limit and addr1 when executing the load_short instruction. Perform an AND operation so that the high 8 bits of addr become 0, and the result of addr2 is 0x00005678. Among them, the address length of addr2 is within the length limit of data_limit. Then, the processing module calculates data_base+addr2 and obtains the fourth access address addr3. Here data_base is 0. Therefore, addr3=addr2. Obviously addr3 is in the address range from 0 to ffff (the second address space restricted by data_base and data_limit).
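The address mapping of S203/S205 and S303/S305, with the worked numbers given above for short_jump and for load_short, and the stack_base/stack_limit treatment of short_push and short_pop, can be run end to end in C. This is an added example, not code from the patent. Note one caveat a practitioner should check against the text: the page writes the formula as code_base+[code_limit(mask) OR addr], but its worked example combines the mask and the address with an AND (与运算), which is the operation that turns 0x12345678 into 0x00005678; the code follows the worked numbers. The data window with a non-zero base, the stack window and the word-addressed toy memory are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* An address parameter pair as the page describes it: base is the first
 * address of the window, limit a binary mask controlling its size. */
struct window { uint32_t base; uint32_t limit; };

/* The mapping of the page's worked examples: the mask is ANDed with the
 * original address (its formula is written with "OR", but the numbers it
 * gives, 0x12345678 -> 0x00005678, are those of an AND), then base is added.
 * For a contiguous low-bit mask and a base aligned to it the result always
 * lies in [base, base + limit], so no address can escape the window. */
uint32_t map_address(struct window w, uint32_t addr)
{
    uint32_t addr2 = addr & w.limit;  /* clears the bits outside the window */
    return w.base + addr2;            /* addr3 = base + addr2 */
}

/* Checks that target lies within the window. */
int in_window(struct window w, uint32_t target)
{
    return target >= w.base && target - w.base <= w.limit;
}

/* short_jump (first type): code_base/code_limit come from registers 1 and 2. */
uint32_t exec_short_jump(struct window code, uint32_t addr)
{
    return map_address(code, addr);
}

/* load_short / store_short (second type): data_base/data_limit come from
 * registers 3 and 4. */
uint32_t exec_load_short(struct window data, uint32_t addr)
{
    return map_address(data, addr);
}

/* short_push / short_pop: the stack address is mapped through stack_base /
 * stack_limit before every access, so each accessed address stays inside
 * the stack window. The memory array is a constructed toy, not the patent's. */
#define MEM_BYTES 0x40000u
static uint32_t mem[MEM_BYTES / 4];

int exec_short_push(struct window stack, uint32_t *sp, uint32_t val)
{
    uint32_t t = map_address(stack, *sp - 4);
    if (t + 4 > MEM_BYTES) return 0;
    mem[t / 4] = val;
    *sp = t;
    return 1;
}

int exec_short_pop(struct window stack, uint32_t *sp, uint32_t *val)
{
    uint32_t t = map_address(stack, *sp);
    if (t + 4 > MEM_BYTES) return 0;
    *val = mem[t / 4];
    *sp = t + 4;
    return 1;
}

/* Pushes then pops one word on a stack window at 0x30000 (assumed values)
 * and returns the popped word. Pushing from an empty stack wraps to the top
 * of the window instead of running below stack_base. */
uint32_t push_pop_roundtrip(void)
{
    struct window stack = { 0x00030000, 0x0000ffff };
    uint32_t sp = 0x00030000, out = 0;
    exec_short_push(stack, &sp, 0xabcd);
    exec_short_pop(stack, &sp, &out);
    return out;
}

int main(void)
{
    struct window code = { 0x00000000, 0x0000ffff };  /* the page's example */
    struct window data = { 0x00020000, 0x0000ffff };  /* assumed non-zero base */
    printf("short_jump 0x12345678 -> %#x\n", exec_short_jump(code, 0x12345678));
    printf("load_short 0x12345678 -> %#x\n", exec_load_short(data, 0x12345678));
    printf("load_short 0x00020010 -> %#x\n", exec_load_short(data, 0x00020010));
    printf("push/pop roundtrip    -> %#x\n", push_pop_roundtrip());
    return 0;
}
```

Two properties worth observing: an address that is already inside an aligned window maps to itself (0x00020010 stays 0x00020010), so correct controlled code runs unchanged, while an out-of-range address is folded into the window rather than faulting, which is the "no error" behaviour the text describes. The mapping is a single AND and ADD per access, which is where the claimed advantage over a page-table walk comes from.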
需要说明的是,基于第二地址空间在确定第二地址参数时所用的第三预设算法的区别,可使第二地址参数存在差别,那么处理模块在执行第二类指令(例如读内存指令load_short)时,在基于第二地址参数来对第二类指令中的第三访问地址进行计算,来得到在第二地址空间中的第四访问地址时,所用的第四预设算法也可存在区别,并不限制于上述算法。It should be noted that, based on the difference in the third preset algorithm used in determining the second address parameter in the second address space, the second address parameter may be different, then the processing module executes the second type of instruction (such as a memory read instruction). load_short), when calculating the third access address in the second type of instruction based on the second address parameter to obtain the fourth access address in the second address space, the fourth default algorithm used may also exist The difference is not limited to the above algorithms.
需要说明的是,本申请对于上述第三预设算法、第四预设算法以及第二地址参数的参数类型均不作限制,可采用传统的任意一种能够实现本申请的限制受控代码的资源访问范围的功能的算法,来作为本申请的算法。It should be noted that this application does not limit the parameter types of the above-mentioned third preset algorithm, fourth preset algorithm and second address parameter, and any traditional resource that can implement the restricted controlled code of the present application can be used. The algorithm that accesses the range function is used as the algorithm of this application.
此外,本申请对于受控类指令中所携带的内存访问地址(例如上述第三访问地址)的数量也不做限制,可以是一个或多个第三访问地址,但不论是多少个内存访问地址,处理模块在执行该受控类指令时,均需要基于第二预设算法来对受控类指令所携带的第三访问地址进行计算,来在对该受控类指令所分配的内存的第二地址空间中,确定该最终可访问的第访问地址。In addition, this application does not limit the number of memory access addresses (such as the above-mentioned third access address) carried in controlled instructions. It can be one or more third access addresses, but no matter how many memory access addresses there are When the processing module executes the controlled class instruction, it needs to calculate the third access address carried by the controlled class instruction based on the second preset algorithm to calculate the third access address of the memory allocated to the controlled class instruction. In the second address space, determine the finally accessible access address.
示例性的,例如S301中的第二类指令为load_short指令或store_short指令,那么如图4b所示,受控代码可访问地址空间d6至d7内的受控数据进行读内存或写内存的操作。For example, if the second type of instruction in S301 is a load_short instruction or a store_short instruction, then as shown in Figure 4b, the controlled code can access the controlled data in the address space d6 to d7 to read or write the memory.
When the processing module of an embodiment of the present application receives an instruction of the second type in the controlled code, for example a load_short instruction or a store_short instruction, it can read the data_base parameter and the data_limit parameter from the segment registers that store the address parameters of these two instructions, for example register 3 and register 4, and use these two parameters to process the address that the load_short instruction or store_short instruction requests to access (that is, the access address), so that the processed access address is confined to the second address space, thereby implementing limited access to data resources.
Exemplarily, the control code may allocate different second address spaces to different instructions among the second-type instructions in the controlled code, so that the controlled code may correspond to multiple second address spaces.
For example, the load_short instruction is allocated one set consisting of data_base parameter 1 and data_limit parameter 1, and the store_short instruction is allocated another set consisting of data_base parameter 2 and data_limit parameter 2; data_base parameter 1 and data_limit parameter 1 are written by the processing module into register 21 and register 22, and data_base parameter 2 and data_limit parameter 2 are written by the processing module into register 23 and register 23.
Exemplarily, taking the load_short instruction among the controlled-class instructions as an example, the load_short instruction may be divided into multiple kinds of load_short instruction, for example load_shortN, where N is any one of 1, 2, 3, ..., n. The principle is similar for the other controlled-class instructions and is not repeated here.
Optionally, as described above, the load_short instruction may include multiple differently encoded load_short instructions that the CPU executes in different ways; the control code can then allocate different address parameters (including data_base and data_limit parameters) to the differently encoded load_short instructions, so that the address parameters corresponding to different kinds of load_short instruction take different values, and consequently different kinds of load_short instruction can access different address spaces.
Optionally, the control code may also allocate multiple sets of address parameters (that is, multiple sets of data_base and data_limit parameters) to a single kind of load_short instruction, so that the address space accessible to that load_short instruction is a discontinuous address space.
Then, when the processing module receives a load_short instruction in the controlled code, it can read data_base parameter 1 and data_limit parameter 1 from register 21 and register 22, and perform the data read within the address space bounded by data_base parameter 1 and data_limit parameter 1. Likewise, when the processing module receives a store_short instruction in the controlled code, it can read data_base parameter 2 and data_limit parameter 2 from register 231 and register 23, and perform the data write within the address space bounded by data_base parameter 2 and data_limit parameter 2.
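The per-instruction base/limit mechanism just described, as an added example (not part of the patent and not the applicant's code): a small Python model in which the control code has filled the segment registers with one or more (data_base, data_limit) pairs per controlled data instruction, and the processing module translates each load_short / store_short access address onto that instruction's second address space. The register layout, the exclusive-end convention for data_limit, and the treatment of the instruction's address as an offset that is walked across the configured ranges (so that several ranges form one discontinuous space) are assumptions of the model, not statements of the patent.

```python
from dataclasses import dataclass, field


class AccessViolation(Exception):
    """Raised when a controlled data instruction would leave its second address space."""


@dataclass(frozen=True)
class Range:
    base: int    # data_base: first address the instruction may touch
    limit: int   # data_limit: one past the last address (exclusive end, an assumption)

    @property
    def size(self) -> int:
        return self.limit - self.base


@dataclass
class ProcessingModule:
    memory: bytearray
    # Segment registers as the control code fills them: one or more
    # (data_base, data_limit) pairs per controlled data instruction, e.g.
    # registers 21/22 for load_short and a separate pair for store_short.
    segment_regs: dict = field(default_factory=dict)

    def translate(self, instr: str, offset: int) -> int:
        """Map the instruction's access address (modelled as an offset) onto a
        physical address inside the ranges configured for `instr`.  Several
        ranges are walked in order so that a discontinuous second address space
        behaves as one logical space; anything past the last range is refused."""
        if offset < 0:
            raise AccessViolation(f"{instr}: negative offset {offset}")
        remaining = offset
        for rng in self.segment_regs.get(instr, ()):
            if remaining < rng.size:
                return rng.base + remaining
            remaining -= rng.size
        raise AccessViolation(f"{instr}: offset {offset:#x} outside its second address space")

    def load_short(self, offset: int) -> int:
        return self.memory[self.translate("load_short", offset)]

    def store_short(self, offset: int, value: int) -> None:
        self.memory[self.translate("store_short", offset)] = value & 0xFF


def is_blocked(pm: ProcessingModule, instr: str, offset: int) -> bool:
    """True when the processing module refuses the access instead of translating it."""
    try:
        pm.translate(instr, offset)
        return False
    except AccessViolation:
        return True


def build_demo() -> ProcessingModule:
    """Constructed memory and register contents for the illustration."""
    mem = bytearray(0x100)
    mem[0x40:0x50] = bytes(range(0x40, 0x50))   # recognisable data in the read range
    mem[0x00:0x10] = b"\xEE" * 0x10              # a "code" region that data instructions never reach
    return ProcessingModule(mem, {
        "load_short":  [Range(0x40, 0x50), Range(0x80, 0x88)],  # two ranges: discontinuous read space
        "store_short": [Range(0x60, 0x70)],                      # a different, single write range
    })


def run_demo() -> dict:
    pm = build_demo()
    out = {}
    out["read_first"] = pm.load_short(0x03)                   # 0x40 + 3 -> value 0x43
    out["second_range_addr"] = pm.translate("load_short", 0x10)  # first byte of the second range
    pm.store_short(0x02, 0xAB)                                 # lands at 0x62
    out["stored_at"] = pm.memory.index(0xAB)
    # One byte past the end of the discontinuous read space, and past the write range.
    out["read_past_end"] = "blocked" if is_blocked(pm, "load_short", 0x18) else "allowed"
    out["write_past_end"] = "blocked" if is_blocked(pm, "store_short", 0x10) else "allowed"
    return out
```

Because the offset is always resolved through the registers of the instruction that carries it, a store_short cannot reach the read-only range even though both instructions belong to the same controlled code, which is the point of giving each instruction kind its own parameter set.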
In embodiments of the present application, before the controlled module runs, for example before the instructions in the controlled module are executed, the control module can scan the instructions in the controlled module through the processing module, and when it determines that the instructions in the controlled module include only controlled-class instructions, the controlled code is allowed to run. While the controlled module runs on the CPU, the processing module does not need to perform operations such as page-table lookups for every instruction the controlled module submits for execution; it can execute controlled-class and uncontrolled-class instructions with different interpretation and execution modes according to their respective encodings. The present application thus not only moves the security judgement of the controlled code from run time to before the controlled code runs, implementing a security check of the controlled module, but also improves the execution efficiency of the controlled code and lowers the hardware implementation and operating cost.
Embodiment 3
Optionally, in connection with Figures 3a and 3b and Figures 4a and 4b, Figure 5a exemplarily shows an operating flowchart of the system of the present application, and Figure 5b exemplarily shows a schematic diagram of the memory address space of the embodiment of Figure 5a.
Identical steps in Figures 4a and 5a have identical meanings, and identical blocks and arrows in Figures 4b and 5b likewise have identical meanings; this embodiment does not repeat them one by one, and reference may be made to the embodiment of Figures 4a and 4b.
Exemplarily, the uncontrolled code may include uncontrolled-class instructions and may optionally also include controlled-class instructions; the present application does not limit this. The uncontrolled code includes the control code, so the control code may include uncontrolled-class instructions and may optionally also include controlled-class instructions; the present application does not limit this.
In this embodiment, the controlled code that is allowed to run still may not include uncontrolled instructions and may include only controlled-class instructions. However, in order to provide the controlled code with services that live in the uncontrolled code (for example a service that obtains the system time), an embodiment of the present application can supplement the first address space of the controlled code (for example the memory address space bounded by the code_base and code_limit parameters) with proxy code (an example of the proxy sub-module), and the proxy code can be used to jump to a first preset address in the uncontrolled code outside the first address space. For example, when the controlled code needs to call a function in the uncontrolled code (an "external function" for short), it can first jump to the proxy code and then jump, through the proxy code, to the external function it needs to access; the controlled code's call to the external function is implemented by this two-stage jump.
Before introducing Figures 5a and 5b, the compilation process of the controlled code in this embodiment is first described with reference to Figure 5c. As described above, the compiler of the present application can compile program code according to the controlled-class instructions, so that the compiled instruction file includes only controlled-class instructions.
As shown in Figure 5c, before compilation the controlled code includes the code of function 0, and function 0 is used to call function 1 in the uncontrolled code; exemplarily, function 1 is an external function that the uncontrolled code allows the controlled code to access. If the controlled code were compiled with a conventional compiler, it might include uncontrolled-class jump instructions.
However, the present application can use the compiler it provides to compile the controlled code, so that function 0 in the controlled code is compiled into a controlled-class jump instruction, here instruction 0. When executed by the processing module, instruction 0 accesses address 1, which can be an address in memory located after the tail position d5 of the address space in which the compiled controlled code resides (for example the address space d4 to d5 shown in Figure 5b); for example, address 1 is d51 in Figure 5b. At this point no instruction of the proxy code has yet been linked in at address d51, that is, the content at address d51 is currently empty.
The proxy code is briefly described below. Viewed in terms of instructions, the proxy code is an instruction sequence in which every instruction is an uncontrolled-class jump instruction, and the jump target of each such instruction is the address of an external function in the uncontrolled code that the controlled code is allowed to access. The proxy code may therefore include an uncontrolled-class jump instruction, for example instruction 1', for each external function (for example function 1) that the controlled code may access with the permission of the uncontrolled code (or, in other words, the control code).
After compilation of the controlled code is complete, the proxy code can be linked into memory at the position following the tail of the controlled code; for example, in Figure 5b the proxy code is located in the address space d5 to d5'. In this way, instruction 1' of the proxy code can be stored at address 1, the address accessed when the above instruction 0 of the compiled controlled code is executed by the processing module; the storage layout of the memory address space is shown in Figure 5b. The jump target of instruction 1' is the start address of function 1 in the uncontrolled code, for example address d01 in Figure 5b.
The compiler can be configured with a mapping between the addresses of the uncontrolled-class jump instructions in the proxy code (when the controlled code is compiled, the instructions of the proxy code have not yet been written to those addresses) and the accessible preset functions in the uncontrolled code, for example the mapping between address 1 and function 1 (that is, compiled instruction 1') in Figure 5c.
Taking the case where all external functions called by the controlled code are preset functions as an example: when compiling the controlled code, the compiler can, according to the above mapping, compile the code that calls function 1 into instruction 0, and instruction 0 accesses address 1 when executed by the processing module. In this way, when the compiled controlled code accesses the external function, it first accesses the uncontrolled jump instruction at address 1 in the proxy code, for example instruction 1'; the processing module then executes instruction 1' to access the start address of function 1 in the uncontrolled module, so that the controlled code's access to function 1 in the uncontrolled code is achieved. It should be noted that, when compiling the controlled code, it is only necessary to know the memory address at which the corresponding uncontrolled jump instruction of the proxy code will be written in order to compile the code in the controlled code that accesses an external function into a controlled-class jump instruction.
Once the controlled code is running, the control code has allocated address space to both the controlled code and the proxy code, so the controlled code can find, via instruction 0, the memory address of instruction 1' in the proxy code and thereby jump via instruction 1' to the external function, here function 1.
It should be noted that the present application does not restrict the compilation process or the generation process of the proxy code; the compiled proxy code is preset in the control code.
Exemplarily, the uncontrolled-class instructions may include a first preset instruction set and a second preset instruction set, where the instructions in the first preset instruction set may be some or all of the uncontrolled-class jump instructions (jump instructions), and the instructions in the second preset instruction set may likewise be some or all of the uncontrolled-class jump instructions; the present application does not limit this.
Exemplarily, the first preset instruction set and the second preset instruction set may be the same or different, and the two instruction sets may contain the same instructions.
Exemplarily, the uncontrolled-class jump instructions (that is, jump instructions) may also be divided into jump instructions with multiple encodings. Although differently encoded jump instructions all achieve access to code resources when executed by the CPU, they may differ in how they access code resources; the present application does not limit this. In that case the instructions in both the first preset instruction set and the second preset instruction set are jump instructions, but the encodings of the jump instructions in the two preset instruction sets may differ; for example, the instructions in the first preset instruction set are the jump1 to jump5 instructions, and the instructions in the second preset instruction set are the jump6 to jump10 instructions.
Exemplarily, as shown in Figure 5a, the control code may include proxy code (an example of the proxy sub-module). As can be seen from the description of Figure 5c above, the proxy code may include at least one uncontrolled-class jump instruction (that is, the second instruction); when the processing module executes this uncontrolled-class jump instruction, it can access the address of the second preset code resource.
Exemplarily, the uncontrolled-class jump instruction in the proxy code may be at least one of the jump6 to jump10 instructions in the second preset instruction set.
The second preset code resource is a code resource located within the fourth resource access range. The access addresses of the fourth resource access range do not overlap with the access addresses of the target resource access range (that is, the first address space and the second address space described above).
Exemplarily, the second preset code resource is a code resource, outside the target resource access range, that the control code or the uncontrolled code allows the controlled code to access.
Exemplarily, the second preset code resource may be a second preset function (for example function 1 in the uncontrolled code in Figure 5c). The second preset function may be one or more functions; the present application does not limit this. The second preset function may then be an external function that the control module allows the controlled module to access.
Exemplarily, referring to Figure 5b, the proxy code may include uncontrolled-class instructions, specifically uncontrolled-class jump instructions (that is, jump instructions). The access address (that is, the jump address) of an uncontrolled-class jump instruction in the proxy code is the first preset address of the second preset code resource in the uncontrolled code, and the first preset address is the access address of an external function that the control code allows the controlled code to access.
The following description is given with reference to Figures 5a and 5b. After compilation of the controlled code is complete and before the controlled code runs on the CPU of the present application, the control code can execute S101, S103-1 and S105 through the processing module.
S101: the control code scans the instructions in the controlled code through the processing module to determine whether all the instructions in the controlled code are controlled-class instructions.
S101 of this embodiment is the same as S101 in Figure 4a of Embodiment 2, and its execution principle is also the same; it is not repeated here.
Optionally, when the control code detects that the controlled code includes uncontrolled-class instructions, it reports an error and refuses to execute the controlled code.
Exemplarily, when the control code detects that all the instructions in the controlled code are controlled-class instructions, the flow proceeds to S103-1.
S103-1: the control code determines the first address space and the first address parameter for the controlled code according to the sum of the address lengths occupied by the controlled code and the proxy code; and the control code determines the second address space and the second address parameter for the controlled code.
For the second-type instructions in the controlled code that are used to access data, the method of determining the second address space and the second address parameter is similar to the execution logic of the corresponding step S103 in Embodiment 2 and is not repeated here.
Exemplarily, as shown in Figure 5b, the second address space is the address space d6 to d7 in memory.
The way the control code determines the first address space for the controlled code differs from Embodiment 2, as can be seen by comparing Figure 4b with Figure 5b. When there is no proxy code in the control code, the first address space allocated for the first-type instructions of the controlled code that access code is the address space d4 to d5. When the controlled code runs, it can be written into the address space d4 to d5, so that what the controlled code can access is its own code, for example its controlled-class jump instructions.
In this embodiment, by contrast, as shown in Figure 5b, the first address space allocated for the first-type instructions in the controlled code (that is, the controlled-class jump instructions) is the address space d4 to d5', where the address length of the first address space is the sum of the address length occupied by the controlled code (for example d5 - d4) and the address length occupied by the proxy code in the control code (for example d5' - d5).
Then, after S105 or after S103-1, the control code can link (for example, write) the proxy code contained in the control code into the address space d5 to d5'. When the controlled code runs (for example after S105), the control code can write the controlled code into the address space d4 to d5'. Here the proxy code is located at the tail of the controlled code, so that the first address space accessible to the controlled code contains not only the controlled code but also the proxy code.
Exemplarily, the control code can send uncontrolled-class instructions to the processing module to write the controlled code and the proxy code of the control code into the address space d4 to d5'. Thus in this embodiment the first address space allocated for the first-type instructions in the controlled code can be used to store not only the controlled code but also the proxy code, so that when the first-type instructions are executed by the processing module to access code resources, they can access not only the controlled code's own code resources but also the code resources of the proxy code.
It should be noted that in Figure 5b the proxy code is located at the tail of the controlled code in the memory address space, and the address space storing the controlled code (d4 to d5) and the address space storing the proxy code (d5 to d5') are contiguous, so the first address parameter is a single set, for example one set of code_base and code_limit parameters.
However, the present application does not restrict the storage order of the controlled code and the proxy code within the first address space; for example, within the first address space the proxy code may be stored at the head of the controlled code, at its tail, inside the controlled code, or at other positions. Furthermore, the address space storing the proxy code and the address space storing the controlled code may be discontinuous, in which case the first address parameter may consist of multiple sets, for example multiple sets of code_base and code_limit parameters.
Then, when a controlled-class jump instruction in the controlled code performs a code jump, it can not only jump within the address space d4 to d5 where the controlled code resides to access code, but also jump into the address space d5 to d5' where the proxy code resides to access the uncontrolled-class jump instructions in the proxy code. Through the uncontrolled-class jump instructions in the proxy code, the controlled code can in turn jump to the address space d0 to d3 where the uncontrolled code resides, in order to call the external functions it is allowed to access.
Continuing with Figure 5a, after S103-1 the flow proceeds to S105. S105 of this embodiment has the same principle as S105 in Figure 4a of Embodiment 2 and is not repeated here.
In embodiments of the present application, when the control code includes proxy code, the proxy code can be configured with uncontrolled-class jump instructions for the second preset functions in the uncontrolled code that the controlled code is allowed to access. Then, when the first address space and the first address parameter that may be accessed are allocated for the first-type instructions in the controlled code (for example the controlled-class jump instructions), the proxy code can also be written into the first address space accessible to the controlled code. When the controlled code needs to call a second preset function in the uncontrolled code, it can first jump to an uncontrolled-class jump instruction in the proxy code and then, through the proxy code, jump to the second preset function in the uncontrolled code, thereby implementing limited access to external functions outside the controlled code.
Optionally, continuing with Figures 5a and 5b, after S105 the flow may optionally include S201, S203, S205 and S207-1.
S201: the processing module receives a first-type instruction of the controlled code that is used to access code resources.
Exemplarily, the first-type instructions include a second jump-class instruction used to access the second instruction (for example the jump6 instruction) in the proxy code.
Exemplarily, the second jump-class instruction is a short_jump instruction, which may carry a first access address addr (that is, the original memory access address addr).
After S201, the processing module can process the original memory access address in the second jump-class instruction and access the second instruction according to the processed access address. Specifically, this can be implemented through S203 and S205:
S203 and S205: the processing module can execute the first-type instruction to read the first address parameter from the second storage unit, then determine a second access address within the first address space based on the first address parameter and the first access address addr, and access the code resource at the second access address in the proxy code (that is, the second instruction, the jump6 instruction), which here is an uncontrolled-class jump instruction.
S201, S203 and S205 of this embodiment have the same principle as S201, S203 and S205 in Figure 4a of Embodiment 2 and are not repeated here.
S207-1: the processing module calls the external function from the third address space of the memory according to the jump address of the uncontrolled-class jump instruction.
Exemplarily, the processing module can execute the second instruction, so as to access the second preset function according to the access address (that is, the jump address) in the second instruction (for example the jump6 instruction), where the second preset function is a function that the control module allows the controlled module to access and is located in the third address space.
Specifically, the processing module jumps, via the controlled-class jump instruction in the controlled code in the first address space, to the uncontrolled-class jump instruction in the proxy code in the first address space (located at the second access address); the processing module then executes this uncontrolled-class jump instruction, which has a jump address, for example a fifth access address, so that the processing module can call the second preset function from the fifth access address.
The fifth access address is an address in the third address space, and the third address space differs from the first address space and the second address space allocated to the controlled code.
Exemplarily, the third address space is the storage space of the uncontrolled code.
Exemplarily, with reference to Figure 5b, suppose the first-type instruction in S201 of this embodiment is a controlled-class jump instruction in the controlled code, for example a short_jump instruction. By executing this short_jump instruction of the controlled code, the processing module can jump from the address space d4 to d5 to the second access address d51 in the address space d5 to d5' where the proxy code resides. The processing module can then read the uncontrolled-class jump instruction in the proxy code, for example the jump6 instruction, from the second access address d51, and by executing the jump6 instruction read from d51 it performs a code jump to the jump address corresponding to the jump6 instruction (that is, the fifth access address mentioned above), for example the address d01 of the external function called by the jump6 instruction. In this way, access by the controlled code to an external function in the uncontrolled code is implemented through the proxy code.
In addition, it should be noted that the uncontrolled-class jump instructions in the proxy code can only jump to the addresses of the second preset functions in the uncontrolled code.
The second preset function is a designated function belonging to the uncontrolled code that the uncontrolled code or the control code allows the controlled code to access.
Optionally, the fifth access address may be the start address of the second preset function. This prevents the controlled code from jumping, via the proxy code, into the interior of the function body of a designated function in the uncontrolled code, and thus prevents the controlled code from performing illegal operations inside the function body of the designated function, such as tampering with the uncontrolled code.
Optionally, the code at the fifth access address may be provided with logic-check code. In other words, logic-check code may be placed at the start address of each preset function; this logic-check code performs the relevant checks on a request to access the preset function, and once the check passes, the processing module executes the code logic of the preset function to provide the corresponding functionality to the controlled code.
Thus, after the controlled code jumps through the proxy code to the start address of an external function designated by the uncontrolled code, the code at that start address can perform a check before the code logic of the external function executes, and whether the access function of each external function is provided is decided according to whether the check passes.
For example, App1 calls plug-in 1, and when plug-in 1 accesses a preset function in App1 it requests the user name and password information. The start address of that preset function can then be provided with check code whose logic is to check the request to access the preset function: if the information the request seeks includes preset information (which may be sensitive information) such as a password, the check result is a failure and the call to the preset function is refused to plug-in 1, where the manner of refusal may include but is not limited to reporting an error; if the requested information does not include the preset information, the code logic of the preset function is executed so that plug-in 1 is allowed to call the preset function.
As another example, the controlled code requests the system time and therefore calls the get-time function. The check logic of the logic-check code placed at the start address of this function is to allow access to the get-time function only when the system time falls within a preset time period; the uncontrolled code can then pass this logic-check code and provide the function of obtaining the system time within the preset time period.
Optionally, the proxy code may include uncontrolled-class jump instructions for all of the preset functions that the control code provides and allows the controlled code to access.
Optionally, the proxy code may instead include uncontrolled-class jump instructions only for a second preset function provided by the control code and allowed to the controlled code, where the second preset function may be some or all of the external functions that the control code allows the controlled code to access.
It should be noted that, as shown in Figure 5b, in this embodiment the processing module executes a controlled-class jump instruction in the controlled code to jump into the proxy code, reaches an uncontrolled-class jump instruction there, and accesses the external function through that uncontrolled-class jump instruction. However, the address space accessible to the second type of instructions in the controlled code (the data-access instructions, e.g. the controlled-class memory access instruction load_short) is limited to the second address space d6 to d7; these instructions cannot access the first address space, and therefore cannot access the address space d5 to d5' in which the proxy code resides. This prevents the controlled code from using second-type instructions to modify the proxy code and thereby redirect a proxy jump into an illegal space, i.e. it prevents the controlled code from illegally calling services it is not permitted to use. The illegal space is the address space that the control code does not allow the controlled code to access.
In addition, the first type of instructions (code access) cause the CPU to fetch code from memory, while the second type of instructions (data access) cause the CPU to read and write data in memory. When the control code allocates address space to the controlled code through the processing module, the first address space allocated to the first type of instructions must not overlap the second address space allocated to the second type of instructions.
Embodiment 3 may likewise include S301, S303 and S305 described in Embodiment 2; the principle is similar and is not repeated here.
In this embodiment, after the control code has scanned the instructions of the controlled code through the processing module and found that all of them are controlled-class instructions, the control code can, through the processing module, write the proxy code into the first address space of the controlled code, so that the first address space contains not only the controlled code but also the proxy code. The controlled code can then jump to the proxy code with a controlled-class jump instruction and, through an uncontrolled-class jump instruction in the proxy code, jump to the location of a fixed function that the uncontrolled code allows the controlled code to access, e.g. the start address of the second preset function. In this way the controlled code can only enter the start addresses of the functions designated by the uncontrolled code; the code at those locations can perform appropriate checks before deciding whether to provide the function, which keeps access to the second preset function safe.
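The following is an added illustration of the Embodiment 3 layout just described, not code from the patent or from its applicant: a toy processing module with the controlled code at d4 to d5, proxy code at d5 to d5', controlled data at d6 to d7, and two preset functions whose entry carries the logic check code of the examples above (refuse a request that asks for a password; serve the time only inside a service window). The mnemonics short_jump, load_short and jump6 follow the text; the concrete addresses, the request format, the check predicates and the instruction budget are assumptions made for the example. It shows three things the prose states but does not demonstrate: a short_jump can reach the proxy but not beyond it, a data-access instruction cannot touch the proxy region at all, and a jump6 whose target is not a preset function faults.

```python
"""Toy model of controlled code + proxy code + preset functions (assumed layout)."""

# Assumed layout in the spirit of Fig. 5b:
#   d4..d5   first address space  : controlled code (controlled-class only)
#   d5..d5'  proxy code written by the control code (uncontrolled jump6)
#   d6..d7   second address space : controlled data
#   >= 1000  "sixth" addresses    : preset functions of the uncontrolled code
D4, D5, D5P, D6, D7 = 100, 110, 112, 200, 210


class Fault(Exception):
    """A controlled-class instruction tried to leave its address space."""


# Logic check code placed at the entry of each preset function (assumed policy).
def _no_secret(req):
    return not ({"password", "secret"} & set(req))


def _in_window(req):
    return 8 <= req.get("hour", 12) < 18


PRESET = {
    "get_user": (_no_secret, lambda req: {"user": "alice"}),
    "get_time": (_in_window, lambda req: {"time": req.get("hour", 12)}),
}
EXT_ADDR = {name: 1000 + 4 * i for i, name in enumerate(PRESET)}
ADDR_EXT = {addr: name for name, addr in EXT_ADDR.items()}


def run(controlled, proxy, request):
    """Execute `controlled` (tuples of (mnemonic, operand)) placed at d4 with
    `proxy` placed at d5.  Returns the preset function's result, the string
    'refused:<name>' when its entry check fails, or raises Fault."""
    assert len(controlled) <= D5 - D4 and len(proxy) <= D5P - D5
    mem = {D4 + i: ins for i, ins in enumerate(controlled)}
    mem.update({D5 + i: ins for i, ins in enumerate(proxy)})
    first_param, second_param = D4, D6      # first / second address parameters
    pc = D4
    for _ in range(64):                     # assumed instruction budget
        if pc not in mem:
            raise Fault(f"fetch from {pc}: no instruction there")
        op, arg = mem[pc]
        if op == "short_jump":              # controlled code access: bounded
            target = first_param + arg
            if not D4 <= target < D5P:
                raise Fault(f"short_jump to {target} leaves the first address space")
            pc = target
        elif op in ("load_short", "store_short"):   # controlled data access: bounded
            target = second_param + arg
            if not D6 <= target < D7:
                raise Fault(f"{op} to {target} leaves the second address space")
            pc += 1                         # the toy only checks bounds, no data model
        elif op == "jump6":                 # uncontrolled jump, only valid in the proxy
            name = ADDR_EXT.get(arg)
            if name is None:
                raise Fault(f"jump6 to {arg}: not a preset function")
            check, body = PRESET[name]      # entry check, then the function body
            return body(request) if check(request) else f"refused:{name}"
        elif op == "halt":
            return "halt"
        else:
            raise Fault(f"{op} is not in the instruction set")
    raise Fault("instruction budget exhausted")


def faults(controlled, proxy, request):
    """True when the processing module refuses the program with a Fault."""
    try:
        run(controlled, proxy, request)
    except Fault:
        return True
    return False


# Proxy written by the control code: one jump6 per permitted preset function.
PROXY = (("jump6", EXT_ADDR["get_user"]), ("jump6", EXT_ADDR["get_time"]))
```

With this layout the controlled program (("short_jump", 10),) reaches the first proxy slot and so get_user, while (("short_jump", 12),) faults because d5' is the end of the first address space; (("store_short", -90),) would land on d5 but is refused because data accesses are bounded by d6 to d7, which is exactly why the proxy cannot be rewritten from inside the controlled code.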
Embodiment 4
Optionally, in combination with Figures 3a and 3b, 4a and 4b, and 5a and 5b, Figure 6a shows an exemplary operation flow chart of the system of this application, and Figure 6b shows an exemplary memory address space layout for the embodiment of Figure 6a.
Identical steps in Figures 4a and 6a have the same meaning, and identical elements and arrows in Figures 4b and 6b likewise; they are not described again here, see the embodiment of Figures 4a and 4b.
In this embodiment, to let the controlled code obtain some services of the uncontrolled code (for example, a controlled plug-in that needs the system time), it is only necessary to ensure that every external function (i.e. function in the uncontrolled code) accessed by the uncontrolled-class instructions that call external services from within the controlled code is a first preset function that the control code has checked and confirmed as accessible. Such uncontrolled-class instructions may then be allowed to exist in the controlled code. Compared with Embodiment 3, calling an external function in the uncontrolled code then requires only a single jump.
For example, uncontrolled-class jump instructions (jump instructions) may exist in several encodings. Jump instructions with different encodings all access code resources when executed by the CPU, but may differ in how they access them; this application does not limit this. The uncontrolled-class jump instructions allowed in the controlled code in this embodiment may be at least one jump instruction of a first preset instruction set. The instructions in the first preset instruction set and in the second preset instruction set of Embodiment 3 are all jump instructions, but the encodings of the jump instructions in the two sets may differ. For example, the first preset instruction set may consist of the instructions jump1 to jump5 and the second preset instruction set of jump6 to jump10. Of course, in other embodiments the first and second preset instruction sets may share the same uncontrolled-class jump instructions; this application does not limit this.
The technical solution of this embodiment is described below. When scanning the controlled code, the control code can use a redirection table (in compiler terms, a relocation table) to check the uncontrolled-class instructions in the controlled code:
Referring to Figure 6a, before the controlled code runs on the CPU of this application, the control code may execute S101, S102, S103-2 and S105 through the processing module.
S101: the control code scans the instructions in the controlled code through the processing module to determine whether they are all controlled-class instructions.
S101 here is the same as S101 in Figure 4a of Embodiment 2, with the same execution principle, and is not repeated.
Optionally, when the control module finds that all instructions in the controlled code are controlled-class instructions, the execution logic follows the embodiments of Figures 4a and 5a and is not repeated here.
In this embodiment, by scanning the instructions of the controlled code through the processing module, the control module may detect that the controlled code includes uncontrolled-class instructions. As mentioned in Embodiment 2, uncontrolled-class instructions may include, but are not limited to, third-type instructions for accessing code and fourth-type instructions for accessing data.
Since this embodiment aims to allow the controlled code to access designated function services of the uncontrolled code, optionally, when the control code detects that the controlled code includes a fourth-type instruction, e.g. a load instruction, it reports an error and refuses to execute the controlled code.
Optionally, when the control code, through the processing module, detects that the controlled code includes an uncontrolled-class jump instruction, i.e. a first instruction matching the first preset instruction set (e.g. at least one of jump1 to jump5), it further checks whether the jump target of the first instruction satisfies a preset condition. When the jump target of every first instruction in the controlled code satisfies the preset condition, each first instruction is an instruction for accessing a first preset code resource, and the control code allows the controlled code to run; otherwise it reports an error and refuses to run it.
For example, the first preset code resource is a code resource, outside the target resource access range, that the control code or the uncontrolled code allows the controlled code to access.
The first preset code resource is a code resource within a first resource access range. The access addresses of the first resource access range (e.g. the fourth address space) do not overlap the access addresses of the target resource access range (i.e. the first address space and the second address space above).
For example, the first preset code resource may be a first preset function. The first preset function may be one or more functions; this application does not limit this. The first preset function may be an external function that the control module allows the controlled module to access and that belongs to neither the first address space nor the second address space.
For example, the first instruction is a first jump-class instruction (e.g. at least one of jump1 to jump5) for accessing the first preset function;
For example, if every first instruction in the controlled code is an instruction for accessing the first preset code resource, the control code determines that the jump target of every first instruction in the controlled code satisfies the preset condition and allows the controlled code to run.
For example, the first preset code resource includes a first preset function, where the first preset function is a function that the control module allows the controlled module to access.
For example, if the external function to which every jump instruction in the controlled code jumps is a first preset function, the jump target of every first instruction in the controlled code satisfies the preset condition. Likewise, if the jump address of every jump instruction in the controlled code (e.g. the fourth access address) is a second preset address, the jump target of every first instruction satisfies the preset condition, where the second preset address is the address of the second preset function that the control code allows the controlled code to access.
For example, as shown in Figure 6c, when the controlled code contains calling code for a function outside the controlled code (an external function as above), e.g. function 0 in the controlled code calls function 1 in the uncontrolled code, then after a compiler (which may be a conventional compiler) compiles the controlled code, the compiled output includes not only an instruction file (the compiled controlled code, an instruction sequence that may include the instructions to be executed) but also a redirection table.
For example, function 0 in the controlled code compiles to an uncontrolled-class jump instruction, say instruction 00. Since the address of function 1 cannot be determined before the controlled code runs, the jump address of instruction 00 in the instruction file is a null address. Likewise, the jump address of every uncontrolled-class jump instruction in the compiled controlled code is a null address.
The redirection table describes, for each uncontrolled-class jump instruction in the instruction file that needs to call an external function, its position in the instruction file and the identifier (e.g. function name) of the external function it must jump to. The external function entries in the redirection table stand for the addresses of those functions, which must be determined before the controlled code runs. In the instruction file, the jump addresses of these uncontrolled-class jump instructions are all null.
The control code can then scan the compiled controlled code. Once it has scanned the instructions and found that all uncontrolled-class instructions in the controlled code are uncontrolled-class jump instructions, it looks up the redirection table to determine the identifier of the external function each such jump must reach, and uses the identifiers to determine whether all of the external functions to be accessed are first preset functions, thereby deciding whether to allow the controlled code to run.
If all external functions to be accessed by the controlled code are first preset functions, the controlled code may be allowed to run; otherwise the controlled code is refused and an error is reported.
Here the first preset function is a designated function, located in the fourth address space of the uncontrolled code, that the control code (or the uncontrolled code) allows the controlled code to access.
For example, after the control code has determined that all external functions to be accessed by the controlled code are first preset functions, it can read from the redirection table the position in the instruction file of the uncontrolled-class jump instruction that calls each external function, e.g. the position of instruction 00 in Figure 6c. The control code then writes, at that position, the address information (e.g. start address) of the external function into the corresponding uncontrolled-class jump instruction as its jump address. For instance, the start address of function 1 may be written into instruction 00 in the instruction file as the access address (jump address) of instruction 00.
This application does not limit the specific way in which the control code obtains the address information of each external function.
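The scan-and-patch step described above (S101 and S102 together with the redirection-table lookup) as an added, runnable illustration; it is not the patent's code. The instruction-file shape (a list of [mnemonic, operand] pairs with a null operand on every uncontrolled jump), the redirection table as a map from file position to function name, the set of allowed first preset functions and the fourth-address-space addresses are all assumptions for the example. Beyond what the text states, it also rejects an uncontrolled jump that already carries a non-null address and a redirection entry that does not point at a jump, because a scan that trusts the table without re-checking the instruction at that position could be steered past the whitelist.

```python
"""Pre-run scan of compiled controlled code with a redirection table (assumed formats)."""

CONTROLLED = {"short_jump", "load_short", "store_short", "add", "ret", "halt"}
FIRST_PRESET_SET = {f"jump{i}" for i in range(1, 6)}   # jump1..jump5 (text)
UNCONTROLLED_DATA = {"load", "store"}                    # fourth-type instructions


class Rejected(Exception):
    """The control code refuses to run the controlled code."""


def scan_and_patch(instruction_file, redirection_table, first_preset_functions,
                   symbol_addresses):
    """instruction_file     : list of [mnemonic, operand]; uncontrolled jumps carry None.
    redirection_table    : {position_in_file: external_function_name}.
    first_preset_functions: names the control code allows the controlled code to call.
    symbol_addresses     : {name: start address in the fourth address space}.
    Returns a patched copy with every allowed jump's address filled in,
    or raises Rejected with the reason."""
    patched = [list(ins) for ins in instruction_file]
    for pos, (op, operand) in enumerate(patched):
        if op in CONTROLLED:
            continue                                   # S101: controlled-class, fine
        if op in UNCONTROLLED_DATA:
            raise Rejected(f"{pos}: fourth-type instruction {op} is not allowed")
        if op not in FIRST_PRESET_SET:
            raise Rejected(f"{pos}: {op} is neither controlled nor in the first preset instruction set")
        # S102: an uncontrolled jump; its target must come from the table and be allowed.
        if operand is not None:
            raise Rejected(f"{pos}: {op} already carries address {operand}, expected null")
        name = redirection_table.get(pos)
        if name is None:
            raise Rejected(f"{pos}: {op} has no redirection-table entry")
        if name not in first_preset_functions:
            raise Rejected(f"{pos}: {op} targets {name}, which is not a first preset function")
        patched[pos][1] = symbol_addresses[name]       # write the start address in
    for pos in redirection_table:                      # every entry must describe a checked jump
        if pos >= len(patched) or patched[pos][0] not in FIRST_PRESET_SET:
            raise Rejected(f"redirection entry {pos} does not name an uncontrolled jump")
    return patched


def reject_reason(*args):
    """The Rejected message, or None when the controlled code is accepted."""
    try:
        scan_and_patch(*args)
    except Rejected as exc:
        return str(exc)
    return None


# Constructed sample: assumed symbol table of the uncontrolled code and its whitelist.
SYMBOLS = {"get_time": 3000, "get_user": 3004, "write_file": 3008}
ALLOWED = {"get_time", "get_user"}
```

A program such as [["short_jump", 2], ["add", 1], ["jump1", None], ["ret", None]] with the table {2: "get_time"} is accepted and comes back with position 2 patched to ["jump1", 3000]; the same program with the table pointing at write_file, with a load inserted, with jump6 (Embodiment 3's second preset set) instead of jump1, or with 3008 pre-baked into the jump operand is refused.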
S102: when the control code detects through the processing module that the uncontrolled-class instructions in the controlled code are all uncontrolled-class instructions that access code resources, and that their jump targets satisfy the preset condition, it proceeds to S103-2.
For example, if the control code detects through the processing module that the jump address (e.g. fourth access address) of every uncontrolled-class instruction for accessing code resources (e.g. every jump instruction) in the controlled code is an address within the second preset address, it may allow the controlled code to run and proceed to S103-2.
The fourth access address here is the jump address of an uncontrolled-class jump instruction in the controlled code after the control code has updated it according to the redirection table (i.e. the address of the permitted external function).
Alternatively, if the control code detects through the processing module that the function each uncontrolled-class code-access instruction (e.g. jump instruction) in the controlled code needs to jump to is a first preset function, it may allow the controlled code to run and proceed to S103-2.
S103-2: through the processing module, the control code determines, for the controlled-class instructions in the controlled code, the first address space and the first address parameter, and the second address space and the second address parameter.
The principle of this step is similar to S103 in the embodiment of Figure 4a; the common parts are not repeated.
For example, the control code determines, for the first-type instructions (code access) in the controlled code, a first address space and the first address parameter of that space; and for the second-type instructions (data access) in the controlled code, a second address space and the second address parameter of that space.
For example, as shown in Figure 6b, the first address space that the control code allocates to the controlled code through the processing module is the memory address space d4 to d5, and the second address space is the memory address space d6 to d7.
For example, although the controlled code includes uncontrolled-class jump instructions, when allocating the first address space for the first-type instructions of the controlled code the control code still sizes the address space d4 to d5 according to the address length occupied by the controlled code including those uncontrolled-class jump instructions.
When the controlled code runs, it may thus be written into the address space d4 to d5, so that the controlled code can access not only its internal controlled-class instructions but also its internal uncontrolled-class jump instructions.
After S105, when the controlled code runs, the control code may write the controlled code into the first address space, i.e. d4 to d5. For example, the control code may write the controlled code into d4 to d5 by sending uncontrolled-class instructions to the processing module. In this embodiment, therefore, the first address space allocated for the first-type instructions of the controlled code stores not only the controlled-class instructions of the controlled code but also its uncontrolled-class jump instructions.
When a controlled-class jump instruction in the controlled code performs a code jump, as indicated by the dashed "access code" arrow of the controlled code, the controlled code, jumping within its own address space d4 to d5 to access code resources, can reach not only controlled-class instructions but also uncontrolled-class jump instructions. Through such an uncontrolled-class jump instruction the controlled code can then jump into the address space d0 to d3 where the uncontrolled code resides and call the external function it is permitted to access.
Continuing with Figure 6a, after S103-2 the flow proceeds to S105, which has the same principle as S105 in Figure 4a of Embodiment 2 and is not repeated.
In this embodiment, when the control code scans the instructions of the controlled code and detects uncontrolled-class instructions, all of those uncontrolled-class instructions are uncontrolled-class jump instructions matching the first preset instruction set (first instructions), and the jump target of each first instruction satisfies the preset condition, the control code may allow the controlled code to run. For example, if the external function that every jump instruction in the controlled code jumps to is a first preset function, the jump target of every first instruction satisfies the preset condition; likewise, if the jump address of every jump instruction in the controlled code is a preset address, i.e. the address of a first preset function that the control code allows the controlled code to access, the jump target of every first instruction satisfies the preset condition. So when the only uncontrolled-class instructions in the controlled code are uncontrolled-class jump instructions whose jump targets satisfy the preset condition, the control code can allow the controlled code to run. Accessing an external function then takes a single external jump, with no second jump through proxy code, so the controlled code executes faster. The cost is that scanning the controlled code is more complex than in Embodiment 3, since the jump target of every uncontrolled-class instruction in the controlled code must be checked against the preset condition.
For example, when the control code scans the instructions of the controlled code and finds that it contains not only controlled-class instructions but also uncontrolled-class jump instructions capable of jumping into the uncontrolled code, it can check the jump targets of those instructions. If the control code finds that each jump target matches a first preset function that the uncontrolled code allows the controlled code to access, then although the controlled code contains uncontrolled-class jump instructions into the uncontrolled code, those instructions can only reach the designated external functions, so the controlled code is still safe and the control code may allow it to run. This scheme ensures that the jump target of every uncontrolled-class instruction used in the controlled code has been checked.
For example, after scanning the uncontrolled-class jump instructions in the controlled code, the control code can look up the redirection table to determine the external function each one must jump to. If all of those external functions are first preset functions that the uncontrolled code (the code that calls the controlled code) permits the controlled code to jump to, the control code can use the redirection table to locate each uncontrolled-class jump instruction in the controlled code and write the address (e.g. start address) of the corresponding external function at that location.
Optionally, Embodiment 3 and Embodiment 4 may be implemented as alternative embodiments, or combined and implemented together.
For example, the first preset code resource of Embodiment 4 and the second preset code resource of Embodiment 3 may be the same. The controlled code may then access external code resources either through proxy code (the approach of Embodiment 3) or by including in the controlled code uncontrolled-class jump instructions that access the first preset code resource (the approach of Embodiment 4); this application does not limit this.
Optionally, the first preset code resource of Embodiment 4 and the second preset code resource of Embodiment 3 may differ. The controlled code may then access external code resources both through proxy code (the approach of Embodiment 3) and by including in the controlled code uncontrolled-class jump instructions that access the first preset code resource (the approach of Embodiment 4); this application does not limit this.
Similarly, the first preset function and the second preset function may be the same or different, and the first instruction and the second instruction may likewise be the same or different.
Optionally, with continued reference to Figures 6a and 6b, after S105 the uncontrolled code may call the controlled code so that the controlled code runs in the CPU. The method optionally includes S201, S203, S205 and S207-2.
S201: the processing module receives a first-class instruction, sent by the controlled code, for accessing a code resource.
For example, the first-class instruction is a short_jump instruction, which may carry a first access address addr.
S203 and S205: the processing module executes the first-class instruction, reading the first address parameter from the second storage unit, then determines a second access address in the first address space from the first address parameter and the first access address, and accesses the uncontrolled-class jump instruction at the second access address. The difference from Embodiment 3 is that the second access address lies inside the controlled code rather than inside the proxy code, so the instructions in the controlled code need to complete only one external jump to call the external function.
S201, S203 and S205 in this embodiment follow the same principle as S201, S203 and S205 in Figure 4a of Embodiment 2 and are not described again here.
S207-2: the processing module calls the external function from the fourth address space of the memory according to the jump address of the uncontrolled-class jump instruction.
Here, the processing module jumps, via the controlled-class jump instruction inside the controlled code in the first address space, to the uncontrolled-class jump instruction inside the controlled code in the first address space (located at the second access address); this jump is an internal jump. The processing module then executes the uncontrolled-class jump instruction, which carries a jump address, for example a sixth access address, and the processing module calls the first preset function from the sixth access address.
The sixth access address is an address in a fourth address space, and the fourth address space differs from the first address space and the second address space allocated to the controlled code.
For example, the fourth address space is the storage space of the uncontrolled code.
For example, with reference to Figure 6b, the first-class instruction in S201 of this embodiment is a controlled-class jump instruction in the controlled code, such as a short_jump instruction. By executing this short_jump instruction in the controlled code, the processing module performs an internal jump within the controlled code's address space d4 to d5, for example to an uncontrolled-class jump instruction in address space d4 to d41. The processing module then executes the uncontrolled-class jump instruction (for example the jump1 instruction) in address space d4 to d41 to jump to the jump address corresponding to jump1 (that is, the sixth access address above), which is the address of the first preset function in the uncontrolled code. In this way the controlled code accesses the external function in the uncontrolled code through the uncontrolled-class jump instruction inside the controlled code.
In addition, it should be noted that the uncontrolled-class jump instruction in the controlled code may only jump to the address of the first preset function in the uncontrolled code.
The restrictions on the first preset function are as described in Embodiment 3, and the sixth access address corresponds to the fifth access address of Embodiment 3; the related description in Embodiment 3 applies and is not repeated here.
In addition, it should be noted that Embodiment 4 may likewise include S301, S303 and S305 described in Embodiment 2; the principle is similar and is not repeated here.
In this embodiment, when the controlled code accesses an external function it needs only one external jump, rather than a second external jump through the proxy code, so the CPU executes the controlled code faster.
Embodiment 5
Figure 7 is an exemplary architecture diagram of the central processing unit (CPU) of the present application, which may be compared with Figure 2c of the conventional technique.
The CPU of the present application may include any program entity running in the CPU; program entities include, but are not limited to, general user program code, operating system code and virtual machine management code.
The program entity may include secure-zone code (i.e. uncontrolled code) and non-secure-zone code (i.e. controlled code); the non-secure-zone code here includes non-secure-zone code 1 and non-secure-zone code 2.
Taking a general user program as the program entity: the code of a general user program (for example application 1) runs in a process, and the code of application 1 running in process 1 is the secure-zone code. Application 1 needs to call a dynamic library and a plug-in (the order in which they are called is not restricted); non-secure-zone code 1 may then be the dynamic library and non-secure-zone code 2 the plug-in.
However, application 1 cannot determine whether the code in the dynamic library and the plug-in accesses application 1's resources (for example memory resources) beyond its authority, so the control code provided by the present application may be embedded inside application 1.
Then, before application 1 calls the dynamic library or plug-in, the control code running in the CPU can scan the code in the dynamic library by sending uncontrolled-class instructions to the processing module, to determine that the dynamic library contains only controlled-class instructions; likewise it scans the code in the plug-in to determine that the plug-in contains only controlled-class instructions.
Further, the control code may also allocate the address space of accessible resources for the dynamic library and for the plug-in. Once the dynamic library is constrained to use only controlled instructions, what it can access is limited.
The secure-zone code (for example process 1 here) can then call non-secure-zone code 1 or non-secure-zone code 2, embedding it in application 1. Non-secure-zone code 1 or 2 then runs in the CPU and can send controlled-class instructions to the processing module in the CPU to access resources within the limited resource access space. In this way application 1 can use the services provided by the controlled code (the non-secure-zone code) while ensuring that the non-secure-zone code accesses application 1's resources safely.
As Figure 7 and the description above show, to ensure safe resource access by non-secure-zone code (controlled code), the present application does not need to create a separate role instance such as a process, container or virtual machine for that code, nor to separate the secure-zone code (uncontrolled code) of the program from the called non-secure-zone code (controlled code) so as to isolate the latter in a process, container, virtual machine or the like. That is, secure-zone code and non-secure-zone code reside in the same program entity without any isolation between them; before the non-secure-zone code runs on the CPU, the present application scans the instructions in the non-secure-zone code through the control code, giving the non-secure-zone code only limited access to the resource range of the secure-zone code. Resource access permissions of different code can thus be isolated within any single entity, so the CPU need not create additional role instances such as processes or virtual machines for the non-secure-zone code to be isolated, which reduces the CPU's signalling overhead.
For example, the above solution of the present application may be applied in Serverless (serverless computing) scenarios. Serverless is a cloud computing scenario in which a user provides a function to quickly complete one piece of functionality.
In it, the user does not request a server from the cloud provider to keep a service running; the user provides only a function, which is stored statically in some storage of the cloud provider. The function is started and its computation performed only when another service (for example a Web front end) requests to call it. To keep the function's computation safe, a process, container or even a virtual machine is usually prepared to run the function, so that it cannot access resources beyond its permission range.
In the present application, however, once the control module has checked that the function contains only controlled-class instructions, the function cannot access resources beyond its permission range while running. Moreover, the function's computation can be completed in the service that calls it (for example the Web front end above) or in another process, container or virtual machine used for aggregation. As long as the limited resources available to the function are allocated in the space in which it runs, the function can complete its computation without additional resources (processes, containers, virtual machines and so on) being created for it; creating such role instances is comparatively costly.
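The scan-then-confine flow described for Embodiment 4 (S201 to S207-2) and the pre-call scan of the dynamic library, plug-in or serverless function in Embodiment 5 can be modelled compactly. The C program below is an added illustration and is not code from the patent or from the applicant; its opcodes, address ranges and preset-function addresses are constructed for the example, and its one-word-per-instruction encoding and base-plus-offset address processing are assumptions, since the application does not fix how the processing module transforms the first access address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model (constructed for illustration; not the patent's instruction encoding).
 *   controlled class   : ADD, LOAD, STORE, SHORT_JUMP (address is processed and bounded
 *                        by the "processing module" before use)
 *   uncontrolled class : JUMP (absolute jump, the "first preset instruction set"),
 *                        SYSCALL (never permitted inside controlled code)
 */
typedef enum { OP_ADD, OP_LOAD, OP_STORE, OP_SHORT_JUMP, OP_JUMP, OP_SYSCALL } Opcode;
typedef struct { Opcode op; uint32_t addr; } Insn;   /* assumption: one word per instruction */
typedef struct { uint32_t base, size; } Range;

/* What the control module allocates to one piece of controlled code. */
typedef struct {
    Range code;                   /* second resource access range (first address space) */
    Range data;                   /* third resource access range */
    const uint32_t *preset_fns;   /* addresses of preset functions in uncontrolled code */
    size_t n_preset;
} Policy;

static bool in_range(Range r, uint32_t a) {
    return a >= r.base && (a - r.base) < r.size;
}

static bool is_preset_fn(const Policy *p, uint32_t a) {
    for (size_t i = 0; i < p->n_preset; i++)
        if (p->preset_fns[i] == a) return true;
    return false;
}

/* Pre-run scan by the control module. Every instruction must be controlled class; the only
 * uncontrolled-class instruction tolerated is a JUMP whose target is a preset function
 * (Embodiment 4). Returns false when the module must not be loaded. */
bool scan_controlled_code(const Insn *code, size_t n, const Policy *p) {
    for (size_t i = 0; i < n; i++) {
        switch (code[i].op) {
        case OP_ADD: case OP_LOAD: case OP_STORE: case OP_SHORT_JUMP:
            break;                                    /* controlled class: accepted */
        case OP_JUMP:
            if (!is_preset_fn(p, code[i].addr)) return false;
            break;                                    /* external jump to an allowed function */
        default:
            return false;                             /* SYSCALL or unknown: reject */
        }
    }
    return true;
}

/* Run-time address processing: the address carried by a controlled-class instruction is
 * added to the stored base (first address parameter) and must land inside the range
 * assigned to that instruction's class; otherwise the access is refused. */
bool resolve_address(const Policy *p, const Insn *in, uint32_t *out) {
    Range r;
    switch (in->op) {
    case OP_SHORT_JUMP:          r = p->code; break;   /* first class: code access */
    case OP_LOAD: case OP_STORE: r = p->data; break;   /* second class: data access */
    default:                     return false;         /* nothing to resolve */
    }
    uint32_t target = r.base + in->addr;               /* the "second access address" */
    if (!in_range(r, target)) return false;            /* outside the allocated range */
    *out = target;
    return true;
}

/* Embodiment 4 flow: a short_jump (internal, bounded to the code range) lands on a JUMP
 * inside the controlled code, which is the single external jump to a preset function.
 * Returns the function address reached (the "sixth access address"), or 0 on refusal. */
uint32_t external_call(const Policy *p, const Insn *code, size_t n, const Insn *short_jump) {
    uint32_t second_addr;
    if (short_jump->op != OP_SHORT_JUMP) return 0;
    if (!resolve_address(p, short_jump, &second_addr)) return 0;
    size_t idx = second_addr - p->code.base;           /* instruction landed on */
    if (idx >= n) return 0;
    const Insn *j = &code[idx];
    if (j->op != OP_JUMP || !is_preset_fn(p, j->addr)) return 0;
    return j->addr;
}

/* Constructed sample data: a four-instruction controlled module and its policy. */
static const uint32_t kPresetFns[] = { 0x5000u };
static const Policy kDemoPolicy = { { 0x1000u, 0x100u }, { 0x8000u, 0x1000u }, kPresetFns, 1 };
static const Insn kGoodCode[] = {
    { OP_LOAD, 0x10u }, { OP_SHORT_JUMP, 2u }, { OP_JUMP, 0x5000u }, { OP_ADD, 0u } };
static const Insn kSyscallCode[] = { { OP_ADD, 0u }, { OP_SYSCALL, 0u } };
static const Insn kBadJumpCode[] = { { OP_JUMP, 0x6000u } };   /* not a preset function */
#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void) {
    uint32_t a = 0;
    Insn sj = { OP_SHORT_JUMP, 2u };
    printf("good code passes scan: %d\n", scan_controlled_code(kGoodCode, LEN(kGoodCode), &kDemoPolicy));
    printf("syscall code passes scan: %d\n", scan_controlled_code(kSyscallCode, LEN(kSyscallCode), &kDemoPolicy));
    printf("stray jump passes scan: %d\n", scan_controlled_code(kBadJumpCode, LEN(kBadJumpCode), &kDemoPolicy));
    printf("load resolves: %d -> 0x%x\n", resolve_address(&kDemoPolicy, &kGoodCode[0], &a), a);
    printf("external call reaches 0x%x\n", external_call(&kDemoPolicy, kGoodCode, LEN(kGoodCode), &sj));
    return 0;
}
```

The three refusal paths are the substance of the scheme: the scan rejects any uncontrolled-class instruction other than a jump to a preset function, the address processing refuses any controlled access that would leave its allocated range, and the external jump reaches only addresses on the preset-function list, which is the restriction stated for the uncontrolled-class jump instruction inside the controlled code.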
In one possible implementation, an embodiment of the present application provides a resource control apparatus. The resource control apparatus includes a control module and a controlled module, and the instructions in the resource control apparatus are divided into controlled-class instructions and uncontrolled-class instructions. The control module is configured to: before the controlled module runs, scan the instructions in the controlled module to detect whether all instructions in the controlled module are controlled-class instructions; and, on detecting that all instructions in the controlled module are controlled-class instructions, allocate a target resource access range to each instruction in the controlled module. For the structure and function of the resource control apparatus, refer to Figure 3a and the related method embodiments; they are not repeated here.
In one possible implementation, the resource control apparatus further includes a processing module configured to process a first access address and access the target resource according to the processed first access address, where the first access address is the resource access address in the controlled-class instruction currently running in the controlled module, and the processed first access address lies within the target resource access range corresponding to the currently running controlled-class instruction.
In one possible implementation, the control module is further configured to, after detecting that not all instructions in the controlled module are controlled-class instructions, and on detecting that the controlled module includes a first instruction matching a first preset instruction set and that the first instruction is an instruction for accessing a first preset code resource, allocate the target resource access range to each controlled-class instruction in the controlled module; the uncontrolled-class instructions include the first preset instruction set, the first preset code resource lies in a first resource access range, and the first resource access range differs from the target resource access range.
In one possible implementation, the first preset code resource includes a first preset function, and the first instruction is a first jump-class instruction for accessing the first preset function; the first preset function is a function that the control module allows the controlled module to access.
In one possible implementation, the controlled-class instructions in the controlled module include first-class instructions for accessing code resources and second-class instructions for accessing data resources; the control module is specifically configured to allocate a second resource access range to the first-class instructions and a third resource access range to the second-class instructions, where the resource access addresses of the second resource access range and the third resource access range differ.
In one possible implementation, the uncontrolled-class instructions include a second preset instruction set, the control module includes a proxy sub-module, and the proxy sub-module includes a second instruction matching the second preset instruction set; the second instruction is an instruction for accessing a second preset code resource, the second preset code resource lies within a fourth resource access range, and the resource access addresses of the fourth resource access range and the target resource access range differ. The control module is further configured to write the proxy sub-module into the second resource access range.
In one possible implementation, the second preset code resource includes a second preset function, and the first-class instructions include a second jump-class instruction for accessing the second instruction; the processing module is specifically configured to process a second access address in the second jump-class instruction and access the second instruction according to the processed second access address, and to access the second preset function according to a third access address in the second instruction; the second preset function is a function that the control module allows the controlled module to access.
The effects and implementations of the resource control apparatus in the above implementations are similar to those of the methods above and are not repeated here.
An apparatus provided by an embodiment of the present application is described below, as shown in Figure 8:
Figure 8 is a schematic structural diagram of a resource control apparatus provided by an embodiment of the present application. As shown in Figure 8, the resource control apparatus 500 may include a processor 501 and a transceiver 505, and optionally a memory 502.
The transceiver 505 may be called a transceiver unit, a transceiver, a transceiver circuit or the like and is used to implement transmit and receive functions. The transceiver 505 may include a receiver and a transmitter; the receiver may be called a receiver or receiving circuit and implements the receive function, and the transmitter may be called a transmitter or transmitting circuit and implements the transmit function.
The memory 502 may store a computer program or software code or instructions 504, which may also be called firmware. The processor 501 may control the MAC layer and the PHY layer by running the computer program or software code or instructions 503 within it, or by calling the computer program or software code or instructions 504 stored in the memory 502, so as to implement the resource control methods provided by the embodiments of the present application. The processor 501 may be a central processing unit (CPU), and the memory 502 may be, for example, a read-only memory (ROM) or a random access memory (RAM).
The processor 501 and transceiver 505 described in the present application may be implemented in an integrated circuit (IC), an analog IC, a radio frequency integrated circuit (RFIC), a mixed-signal IC, an application-specific integrated circuit (ASIC), a printed circuit board (PCB), an electronic device, or the like.
The resource control apparatus 500 may further include an antenna 506. The modules included in the resource control apparatus 500 are only examples and are not limiting.
The scope of the resource control apparatus described in the present application is not limited to this, and its structure is not limited by Figure 8. The resource control apparatus may be a stand-alone device or part of a larger device. For example, the resource control apparatus may be implemented as:
(1) an independent integrated circuit (IC), chip, or chip system or subsystem; (2) a set of one or more ICs, which optionally may also include storage components for storing data and instructions; (3) a module that can be embedded in other devices; (4) an electronic device; or (5) others.
Where the resource control apparatus is implemented as a chip or chip system, refer to the schematic structural diagram of the chip in Figure 9. The chip shown in Figure 9 includes a processor 601 and an interface 602; there may be one or more processors 601 and multiple interfaces 602. Optionally, the chip or chip system may include a memory 603.
All the related content of each step in the above method embodiments may be cited in the functional description of the corresponding functional modules of the resource control apparatus and is not repeated here.
Based on the same technical concept, an embodiment of the present application further provides a computer-readable storage medium storing a computer program that includes at least one segment of code which can be executed by a computer or processor to control the computer or processor to implement the above method embodiments.
Based on the same technical concept, an embodiment of the present application further provides a computer program product including a software program which, when executed by a computer or processor, implements the above method embodiments.
The program may be stored in whole or in part on a storage medium packaged together with the processor, or in part or in whole on a memory not packaged with the processor.
Based on the same technical concept, an embodiment of the present application further provides a resource control apparatus including one or more interface circuits and one or more processors; the interface circuit is configured to receive a signal from a memory and send the signal to the processor, the signal including computer instructions stored in the memory; when the processor executes the computer instructions, the processor implements the above method embodiments.
The steps of the methods or algorithms described in connection with the disclosure of the embodiments of the present application may be implemented in hardware or by a processor executing software instructions. The software instructions may consist of corresponding software modules, which may be stored in random access memory (RAM), flash memory, read-only memory (ROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), registers, a hard disk, a removable hard disk, a CD-ROM or any other form of storage medium known in the art. An exemplary storage medium is coupled to the processor so that the processor can read information from and write information to the storage medium. The storage medium may of course also be an integral part of the processor. The processor and the storage medium may reside in an ASIC.
Those skilled in the art will appreciate that in one or more of the above examples the functions described in the embodiments of the present application may be implemented in hardware, software, firmware or any combination thereof. When implemented in software, the functions may be stored on, or transmitted as one or more instructions or code over, a computer-readable medium. Computer-readable media include computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that a general-purpose or special-purpose computer can access.
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the specific implementations described, which are illustrative rather than restrictive. Under the teaching of the present application, those of ordinary skill in the art may devise many further forms without departing from the purpose of the present application and the scope protected by the claims, all of which fall within the protection of the present application.

Claims (17)

  1. A resource control method, characterized in that it is applied to a resource control apparatus, the resource control apparatus including a control module and a controlled module, and the instructions in the resource control apparatus being divided into controlled-class instructions and uncontrolled-class instructions, the method including:
    before the controlled module runs, the control module scanning the instructions in the controlled module to detect whether all instructions in the controlled module are controlled-class instructions;
    when the control module detects that all instructions in the controlled module are controlled-class instructions, the control module allocating a target resource access range to each instruction in the controlled module.
  2. The method according to claim 1, characterized in that the resource control apparatus further includes a processing module, and after the control module allocates the target resource access range to each instruction in the controlled module, the method further includes:
    the processing module processing a first access address and accessing a target resource according to the processed first access address;
    where the first access address is the resource access address in the controlled-class instruction currently running in the controlled module;
    where the processed first access address lies within the target resource access range corresponding to the currently running controlled-class instruction.
  3. The method according to claim 1 or 2, characterized in that, after the control module detects that not all instructions in the controlled module are controlled-class instructions, the method further includes:
    when the control module detects that the controlled module includes a first instruction matching a first preset instruction set and the first instruction is an instruction for accessing a first preset code resource, the control module allocating the target resource access range to each controlled-class instruction in the controlled module;
    where the uncontrolled-class instructions include the first preset instruction set;
    the first preset code resource lies in a first resource access range, and the first resource access range differs from the target resource access range.
  4. The method according to claim 3, characterized in that the first preset code resource includes a first preset function, and the first instruction is a first jump-class instruction for accessing the first preset function;
    where the first preset function is a function that the control module allows the controlled module to access.
  5. The method according to any one of claims 1 to 4, characterized in that the controlled-class instructions in the controlled module include first-class instructions for accessing code resources and second-class instructions for accessing data resources, and the control module allocating the target resource access range to each controlled-class instruction in the controlled module includes:
    the control module allocating a second resource access range to the first-class instructions;
    the control module allocating a third resource access range to the second-class instructions;
    where the resource access addresses of the second resource access range and the third resource access range differ.
  6. The method according to any one of claims 1 to 5, characterized in that the uncontrolled-class instructions include a second preset instruction set, the control module includes a proxy sub-module, and the proxy sub-module includes a second instruction matching the second preset instruction set, where the second instruction is an instruction for accessing a second preset code resource, the second preset code resource lies within a fourth resource access range, and the resource access addresses of the fourth resource access range and the target resource access range differ;
    after the control module allocates the target resource access range to each instruction in the controlled module, the method further includes:
    the control module writing the proxy sub-module into the second resource access range.
  7. The method according to claim 6, characterized in that the second preset code resource includes a second preset function, and the first-class instructions include a second jump-class instruction for accessing the second instruction;
    the processing module processing the first access address and accessing the target resource according to the processed first access address includes:
    the processing module processing a second access address in the second jump-class instruction and accessing the second instruction according to the processed second access address;
    the processing module accessing the second preset function according to a third access address in the second instruction;
    where the second preset function is a function that the control module allows the controlled module to access.
  8. A resource control apparatus, characterized in that the resource control apparatus includes a control module and a controlled module, and the instructions in the resource control apparatus are divided into controlled-type instructions and uncontrolled-type instructions; the control module is configured to:
    before the controlled module runs, scan the instructions in the controlled module to detect whether the instructions in the controlled module are all controlled-type instructions;
    when it is detected that the instructions in the controlled module are all controlled-type instructions, allocate a target resource access range to each instruction in the controlled module.
  9. The apparatus according to claim 8, characterized in that the resource control apparatus further includes a processing module;
    the processing module is configured to process a first access address and access a target resource according to the processed first access address;
    wherein the first access address is the resource access address in the controlled-type instruction currently running in the controlled module;
    wherein the processed first access address lies within the target resource access range corresponding to the currently running controlled-type instruction.
  10. The apparatus according to claim 8 or 9, characterized in that
    the control module is further configured to: after detecting that the instructions in the controlled module are not all controlled-type instructions, and upon detecting that the controlled module includes a first instruction matching a first preset instruction set and that the first instruction is an instruction for accessing a first preset code resource, allocate the target resource access range to each controlled-type instruction in the controlled module;
    wherein the uncontrolled-type instructions include the first preset instruction set;
    the first preset code resource is located in a first resource access range, and the first resource access range is different from the target resource access range.
  11. The apparatus according to claim 10, characterized in that the first preset code resource includes a first preset function, and the first instruction is a first jump-type instruction for accessing the first preset function;
    wherein the first preset function is a function that the control module allows the controlled module to access.
  12. The apparatus according to any one of claims 8 to 11, characterized in that the controlled-type instructions in the controlled module include: first-type instructions for accessing code resources and second-type instructions for accessing data resources;
    the control module is specifically configured to:
    allocate a second resource access range to the first-type instructions;
    allocate a third resource access range to the second-type instructions;
    wherein the resource access addresses of the second resource access range and the third resource access range are different.
  13. The apparatus according to any one of claims 8 to 12, characterized in that the uncontrolled-type instructions include a second preset instruction set, the control module includes a proxy sub-module, and the proxy sub-module includes a second instruction matching the second preset instruction set;
    wherein the second instruction is an instruction for accessing a second preset code resource, the second preset code resource is located within a fourth resource access range, and the resource access addresses of the fourth resource access range and the target resource access range are different;
    the control module is further configured to write the proxy sub-module into the second resource access range.
  14. The apparatus according to claim 13, characterized in that the second preset code resource includes a second preset function, and the first-type instructions include a second jump-type instruction for accessing the second instruction;
    the processing module is specifically configured to:
    process the second access address in the second jump-type instruction and access the second instruction according to the processed second access address;
    access the second preset function according to a third access address in the second instruction;
    wherein the second preset function is a function that the control module allows the controlled module to access.
  15. A computer-readable storage medium, characterized in that it includes a computer program which, when run on a computer or processor, causes the computer or processor to perform the method according to any one of claims 1 to 7.
  16. A resource control apparatus, characterized in that it includes one or more interface circuits and one or more processors; the interface circuit is configured to receive a signal from a memory and send the signal to the processor, the signal including computer instructions stored in the memory; when the processor executes the computer instructions, the processor is configured to perform the method according to any one of claims 1 to 7.
  17. A computer program product, characterized in that the computer program product includes a software program which, when executed by a computer or processor, causes the steps of the method according to any one of claims 1 to 7 to be performed.
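The scanning, range allocation and address processing of claims 8, 9 and 12, together with the proxy sub-module of claims 13 and 14, modelled as an added Python example (not the patent's code or any implementation by the applicant). The op names, the range bases and sizes, and the use of address masking as the claims' otherwise unspecified "processing" step are assumptions made here.

```python
# Added toy model of the claimed scheme (not the patent's code). Masking an
# address into a power-of-two range stands in for the claims' unspecified
# "processing" of access addresses; op names and range values are invented.
from dataclasses import dataclass

CODE_OPS = {"JMP"}            # first-type instructions: access code resources
DATA_OPS = {"LOAD", "STORE"}  # second-type instructions: access data resources
CONTROLLED_OPS = CODE_OPS | DATA_OPS  # anything else (e.g. "SYSCALL") is uncontrolled


@dataclass(frozen=True)
class Range:
    """Resource access range [base, base + size); size is a power of two."""
    base: int
    size: int

    def process(self, addr: int) -> int:
        """Force an address into this range: keep the low bits, OR in the base."""
        return self.base | (addr & (self.size - 1))

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


CODE_RANGE = Range(0x1000, 0x1000)  # second resource access range
DATA_RANGE = Range(0x8000, 0x1000)  # third resource access range
PROXY_ADDR = CODE_RANGE.base        # proxy sub-module written into the code range
ALLOWED_FUNC = 0x40000              # second preset function, outside both ranges


def scan(module):
    """Control module: reject any op outside the controlled set; otherwise
    bind each instruction to its target range. Returns None on rejection."""
    if any(op not in CONTROLLED_OPS for op, _ in module):
        return None
    return [CODE_RANGE if op in CODE_OPS else DATA_RANGE for op, _ in module]


def run(module):
    """Processing module: every access address is processed into the range
    assigned to its instruction. Returns (op, processed_addr, target) tuples."""
    ranges = scan(module)
    if ranges is None:
        raise PermissionError("module contains uncontrolled instructions")
    trace = []
    for (op, addr), rng in zip(module, ranges):
        processed = rng.process(addr)
        assert rng.contains(processed)  # the claimed invariant
        # Only a jump that lands on the proxy reaches the allowed function.
        target = ALLOWED_FUNC if op == "JMP" and processed == PROXY_ADDR else None
        trace.append((op, processed, target))
    return trace
```

A direct jump to `ALLOWED_FUNC` is impossible: the processed address always lands inside `CODE_RANGE`, so the allowed function is reachable only through the proxy at `PROXY_ADDR`.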
PCT/CN2023/071405 2022-03-17 2023-01-09 Resource control method and apparatus WO2023173915A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210262411.2 2022-03-17
CN202210262411.2A CN116795525A (en) 2022-03-17 2022-03-17 Resource control method and device

Publications (1)

Publication Number Publication Date
WO2023173915A1 true WO2023173915A1 (en) 2023-09-21

Family

ID=88022171

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/071405 WO2023173915A1 (en) 2022-03-17 2023-01-09 Resource control method and apparatus

Country Status (2)

Country Link
CN (1) CN116795525A (en)
WO (1) WO2023173915A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1298512A (en) * 1998-02-26 2001-06-06 太阳微系统公司 Stack-based access control
CN1700136A (en) * 2004-05-20 2005-11-23 英特尔公司 Processor expansion and software authentication
US7162743B1 (en) * 2001-10-04 2007-01-09 Hewlett-Packard Development Company, L.P. System and method of limiting access to protected hardware addresses and processor instructions
US20140041026A1 (en) * 2012-08-01 2014-02-06 SIFTEO, Inc. Hybrid Virtual Machine
CN109840410A (en) * 2017-12-28 2019-06-04 中国科学院计算技术研究所 The method and system of data isolation and protection in a kind of process
CN113886288A (en) * 2021-09-29 2022-01-04 南方科技大学 Resource access control method, system, equipment and storage medium based on ARM architecture

Also Published As

Publication number Publication date
CN116795525A (en) 2023-09-22

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23769426

Country of ref document: EP

Kind code of ref document: A1