WO2023173915A1 - Resource control apparatus and method - Google Patents

Resource control apparatus and method (original title: Appareil et procédé de contrôle de ressources)

Info

Publication number
WO2023173915A1
Authority
WO, WIPO (PCT)
Prior art keywords
code, controlled, instruction, instructions, access
Application number
PCT/CN2023/071405
Other languages
English (en), Chinese (zh)
Inventor
李国柱
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Application filed by 华为技术有限公司
Publication of WO2023173915A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46 Multiprogramming arrangements
    • G06F 9/50 Allocation of resources, e.g. of the central processing unit [CPU]

Definitions

  • The embodiments of the present application relate to the technical field of terminal equipment, and in particular to a resource control method and device.
  • Information can be isolated in software: a computer can assign different roles to different software code and allocate resources to each role to form an instance of that role (a process, container, virtual machine, etc.), so that each instance can access only the resources allocated to its own role instance. This is how secure access to information is achieved.
  • This application provides a resource control method and device. Before a controlled module is run, the method detects that the module's instructions consist only of instructions from a preset instruction set and limits the resource access scope of those instructions; the access rights of its instructions then do not need to be checked while the controlled module runs, which improves program execution efficiency.
  • The embodiment of the present application provides a resource control method applied to a resource control device. The resource control device includes a control module and a controlled module. Instructions in the resource control device are divided into two categories: controlled instructions and uncontrolled instructions.
  • The method includes: before the controlled module is run, the control module scans the instructions in the controlled module to detect whether they are all controlled instructions; when the control module detects that the instructions in the controlled module are all controlled instructions, it allocates a target resource access range to each instruction in the controlled module.
  • The resource control device may be a central processing unit (CPU) or any other kind of processor; this application does not limit its implementation. For convenience of explanation, a CPU is used as the example.
  • The controlled instructions may include the custom instruction set of the present application. When the CPU executes an instruction from the custom instruction set, the instruction can access only a specific resource range and cannot access resources outside it; that is, instructions in the custom instruction set have a limited resource access scope when executed by the CPU.
  • Controlled instructions may also include some traditional preset instructions that have no impact on the security of the code and data of uncontrolled modules, such as addition and subtraction instructions and other instructions that do not access memory resources. Which preset instructions count as harmless can be set flexibly according to need, and this application does not limit this.
  • The control module does not need to allocate a target resource access scope to such preset instructions; it only needs to allocate a target resource access scope to each controlled instruction in the controlled module that accesses memory resources.
  • In the following, the accessed resource is a memory resource.
  • When the CPU executes a controlled instruction, it can access only the specific resource access range that the control module allocated to that instruction, and nothing outside it. The semantics (or encoding) of a controlled instruction determines its resource access scope when executed by the CPU. Consequently, when the CPU executes a controlled instruction it does not need to check, for example by looking up the page table, whether the resource access address in that instruction lies within the resource access permission range of the currently running program, which improves CPU instruction processing efficiency.
  • When the CPU executes an uncontrolled instruction, it does not process the resource access address in the instruction. Instead it can detect in the traditional way (a page table lookup or a similar check) whether the resource access address is an address that the controlled module was pre-allocated and may access. If it is, the CPU accesses the resource at that address; if it is not, the CPU interrupts the execution of the instructions in the controlled module.
  • An uncontrolled module can call a controlled module, and the control module limits the resource access scope of the controlled module as described above.
  • Because a controlled instruction executed by the CPU can access only the limited resource access range allocated to it, the control module can check the type of every instruction in the controlled module before the module runs by scanning it. If the control module detects that all instructions in the controlled module are controlled instructions, it can be sure that the controlled module will not access resources outside its resource access scope at run time, which guarantees safe access to resources by the controlled module. In other words, before the controlled module is run, the control module performs an instruction scan on it to determine whether it is safe, and the controlled module is run only when it is determined to be safe.
  • In this way the embodiments of this application can perform the security check of a controlled module supplied by a third party before that module is run. There is no need to check in real time, during execution, whether each instruction about to execute is safe, which improves the operating efficiency of the controlled module. The resource access scope of the controlled module is limited at the source, the instruction itself, without judging during execution whether the resource requested by an instruction exceeds the resource access scope.
  • When the control module allocates a target resource access range to each instruction in the controlled module, it can send an uncontrolled instruction to the CPU, and the CPU executes it: for each controlled instruction in the controlled module, an accessible target address space is allocated in memory and the target address parameters of that space are determined. The control module can then send further uncontrolled instructions to the CPU which, when executed, write the target address parameters into a storage unit. This completes the allocation of the target resource access range for each instruction in the controlled module.
  • The target resource access range is allocated to each controlled instruction in the controlled module by the CPU executing uncontrolled instructions, and this is deliberate. If the CPU allowed the target resource access range to be set by controlled instructions, the controlled module could itself issue such instructions (which pass the scan) and change its target resource access range to one that the control module does not allow it to access, and the resource access scope of the controlled module would no longer be under the control module's control.
  • The control module therefore serves as a limiter on the resource access scope of the controlled module: the CPU allocates the target resource access scope to each controlled instruction by executing the uncontrolled instructions in the control module, so the resource access scope of the controlled module is controlled by the control module, and the controlled module itself cannot modify the target resource access scope it is allowed to access. This ensures safe access to resources by the controlled module.
  • The storage unit may be built into the CPU, or it may be a storage unit in an external chip independent of the CPU that the CPU can access. The storage unit may be a register (including but not limited to a segment register), a magnetic head, or similar.
  • An uncontrolled module can call a controlled module so that the controlled module runs on the CPU. For example, Application 1 (an uncontrolled module) needs to run a plug-in developed by a third party (a controlled module) to implement a new function. To ensure that the plug-in does not access sensitive information in Application 1 (such as user information), Application 1 can embed the control program provided by this application (a control module).
  • Before Application 1 runs the plug-in, the control program scans the plug-in's instructions. When all scanned instructions in the plug-in are controlled instructions, the plug-in is considered safe, and the control program sets the memory resource access range for each controlled instruction in the plug-in. Concretely, the control program writes the target address parameters that limit the memory access space into a segment register of the CPU (an example of a storage unit) using uncontrolled instructions. The instruction that writes the target address parameter into the segment register is an uncontrolled instruction, never a controlled one.
  • The target address parameter determines the target address space accessible to the controlled instructions in the plug-in. Because the plug-in contains no uncontrolled instructions, it cannot tamper at run time with the data in the segment register that corresponds to its instructions, and so cannot reach resources outside the target address space.
  • Application 1 then calls the plug-in. As the plug-in runs it sends controlled instructions to the CPU; the CPU executes each one by taking the original memory address in the instruction, using the address parameter in the segment register to determine the target memory access address within the restricted memory access space, and accessing that target address in memory. This achieves restricted access to memory resources.
  • When Application 1 calls a plug-in developed by a third party, it can therefore use the plug-in's functions while ensuring that the plug-in accesses only data resources and code resources within a restricted memory address space, guaranteeing safe access to Application 1's resources.
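The scan-then-allocate-then-run flow of the plug-in scenario above, written out as an added example in C. It is not code from the patent: the toy instruction encoding, the register layout, the memory layout, the secret value and the two plug-ins are all constructed for this example. The point it shows is that a module which passes the scan is executed with no per-access check at all, and that the only way to reach the segment registers is an uncontrolled instruction, which the scan refuses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy instruction set assumed for this example; it is not the patent's encoding.
 * Ops up to HALT are the controlled class (ALU ops and mapped "short" memory ops).
 * LOAD/STORE/JUMP and WRSEG (write a segment register) are uncontrolled. */
enum op { ADD, SUB, LOAD_SHORT, STORE_SHORT, SHORT_JUMP, HALT, LOAD, STORE, JUMP, WRSEG };
struct insn { enum op op; uint32_t arg; };

/* Stand-in for the segment registers: the storage unit the control module writes. */
struct seg_regs { uint32_t code_base, code_limit, data_base, data_limit; };

static int is_controlled(enum op o) { return o <= HALT; }

/* Pre-run scan by the control module: -1 if every instruction is controlled,
 * otherwise the index of the first uncontrolled instruction. */
int scan_module(const struct insn *m, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!is_controlled(m[i].op)) return (int)i;
    return -1;
}

/* The control module sets the windows. In the patent this is done with an
 * uncontrolled instruction, so a module that passed the scan can never do it. */
void allocate_windows(struct seg_regs *r, uint32_t cb, uint32_t cl, uint32_t db, uint32_t dl) {
    r->code_base = cb; r->code_limit = cl; r->data_base = db; r->data_limit = dl;
}

/* Mapping applied to every controlled-class address: base + (addr AND mask).
 * The result is always inside the window, so the CPU performs no runtime check. */
static uint32_t map_code(const struct seg_regs *r, uint32_t a) { return r->code_base + (a & r->code_limit); }
static uint32_t map_data(const struct seg_regs *r, uint32_t a) { return r->data_base + (a & r->data_limit); }

/* Scan, then run. Returns 0 with the accumulator in *acc, or -1 if the scan
 * refused the module (in which case nothing is executed). */
int run_controlled(const struct insn *m, size_t n, const struct seg_regs *r,
                   uint8_t *mem, uint32_t *acc, int max_steps) {
    if (scan_module(m, n) >= 0) return -1;
    uint32_t a = 0;
    size_t pc = 0;
    while (pc < n && max_steps-- > 0) {
        const struct insn *in = &m[pc++];
        switch (in->op) {
        case ADD:         a += in->arg; break;
        case SUB:         a -= in->arg; break;
        case LOAD_SHORT:  a = mem[map_data(r, in->arg)]; break;
        case STORE_SHORT: mem[map_data(r, in->arg)] = (uint8_t)a; break;
        case SHORT_JUMP:  pc = map_code(r, in->arg); break;
        case HALT:        *acc = a; return 0;
        default:          return -1; /* unreachable once the scan has passed */
        }
    }
    *acc = a;
    return 0;
}

/* --- Constructed scenario: Application 1 hosting a third-party plug-in --- */
#define MEM_SIZE    0x200
#define SECRET_ADDR 0x10   /* Application 1's sensitive data, outside the window */
#define WIN_BASE    0x100  /* plug-in data window: [0x100, 0x1FF] */
#define WIN_MASK    0xFF
#define LEN(a)      (sizeof(a) / sizeof((a)[0]))

static uint8_t g_mem[MEM_SIZE];
uint8_t mem_at(uint32_t a) { return g_mem[a]; }

/* Plug-in that names the secret's address in a controlled load; the mapping
 * turns 0x10 into 0x110, so it reads its own window instead. */
static const struct insn plugin_ok[] = {
    { LOAD_SHORT, SECRET_ADDR }, { ADD, 1 }, { STORE_SHORT, 0x20 }, { HALT, 0 } };

/* Plug-in that tries to widen its own window with WRSEG and then read the
 * secret with a plain LOAD; both are uncontrolled, so the scan rejects it. */
static const struct insn plugin_bad[] = { { WRSEG, 0 }, { LOAD, SECRET_ADDR }, { HALT, 0 } };

/* Runs the benign plug-in; returns its accumulator (window byte 7, plus 1). */
uint32_t demo_run_plugin(void) {
    struct seg_regs r;
    uint32_t acc = 0;
    g_mem[SECRET_ADDR] = 0x42;            /* the value the plug-in must not see */
    g_mem[WIN_BASE + SECRET_ADDR] = 0x07; /* what it actually reads */
    allocate_windows(&r, 0, LEN(plugin_ok) - 1, WIN_BASE, WIN_MASK);
    run_controlled(plugin_ok, LEN(plugin_ok), &r, g_mem, &acc, 100);
    return acc;
}

/* Index at which the scan rejects the hostile plug-in (0: its first instruction). */
int demo_rejected_index(void) { return scan_module(plugin_bad, LEN(plugin_bad)); }

int main(void) {
    printf("plug-in result %#x, secret still %#x, window store %#x\n",
           demo_run_plugin(), mem_at(SECRET_ADDR), mem_at(WIN_BASE + 0x20));
    printf("hostile plug-in refused at instruction %d\n", demo_rejected_index());
    return 0;
}
```

The benign plug-in's store to 0x20 lands at 0x120, inside its window, and the secret at 0x10 is neither read nor written; the hostile plug-in never reaches `run_controlled`'s loop because the scan stops at index 0.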
  • The resource control device further includes a processing module. The method further includes: the processing module processes a first access address and accesses the target resource according to the processed first access address, where the first access address is the resource access address in the controlled instruction currently running in the controlled module, and the processed first access address lies within the target resource access range corresponding to that instruction.
  • The processing module executes the controlled instruction (the target instruction) currently being executed by the controlled module. It maps the original memory access address in the target instruction into the target address space allocated to that instruction, obtaining the target memory access address corresponding to the original address in the target address space, and then accesses memory at the target memory access address.
  • In detail, the processing module executes the received target instruction, reads from the storage unit the target address parameters set for the target instruction (a controlled instruction) in the controlled module, and, following a preset algorithm, determines the target memory access address in the target address space corresponding to the target instruction from the target address parameter and the original memory access address in the target instruction; the processing module then accesses the memory resource at the target memory access address.
  • For example, the processing module can set some of the high bits of the original memory access address to zero according to the target address parameter, so that the processed target memory access address falls within the target address space. As a decimal illustration, if the target address space is 1 to 100 and the original memory access address is 1000, the original address can be reduced by a factor of 10 to obtain the target memory access address 100, which is within the target address space.
  • The processing module executes the target instruction according to the encoding of the target instruction, and the original memory access address is processed by the algorithm above (for example, several high-order bits are set to zero). Whether or not the original memory access address in the target instruction lies in the target address space, the processed target memory access address always does: any address 1 is mapped by the algorithm to some address 2 within the target address space. So wherever the resource requested by the controlled module is located, when the processing module executes the target instruction it finds a target memory access address in the target address space corresponding to the original memory access address, and the resource at that target address is returned as the result of accessing the original address.
  • That is, when the processing module of this embodiment executes the target instruction, it does not access the resource directly at the original memory access address of the instruction; it finds the target memory access address that the original address maps to in the target address space and accesses the resource there.
  • In this way the resources accessible to the controlled module are restricted in the dimension of the access address of the target instruction. The resource pointed to by the target memory access address is precise and unique, so this finer-grained restriction ensures that the resource accessed by any instruction of the controlled module is the one predetermined for it.
  • In one possible implementation, the method further includes: when, after scanning, the control module detects that the controlled module includes a first instruction that matches a first preset instruction set, and the first instruction is an instruction for accessing a first preset code resource, the control module still allocates the target resource access range to each controlled instruction in the controlled module. Here the uncontrolled instructions include the first preset instruction set; the first preset code resource is located in a first resource access range, and the first resource access range is different from the target resource access range.
  • The uncontrolled instructions may include a first preset instruction set and a second preset instruction set. The instructions in the first preset instruction set may be some or all of the uncontrolled jump instructions, and the instructions in the second preset instruction set may likewise be some or all of the uncontrolled jump instructions; this application does not limit this. The two sets may be the same or different, and the same instruction may appear in both.
  • Uncontrolled jump instructions, that is, jump instructions, with different encodings can all access code resources when executed by the CPU, although the way in which they access code resources may differ; this application imposes no restriction on this. The instructions in the first and second preset instruction sets are all jump instructions, but the encodings of the jump instructions in the two sets may differ. For example, the instructions in the first preset instruction set are the jump1 to jump5 instructions, and the instructions in the second preset instruction set are the jump6 to jump10 instructions.
  • If the code resources accessed by such uncontrolled jump instructions are first preset code resources that the control code has confirmed, by inspection, may be accessed, then these uncontrolled instructions can be allowed to exist in the controlled code. Compared with the solution of adding proxy code, a call from controlled code to an external function in uncontrolled code then needs only one jump.
  • When the control code, through the processing module, detects that the controlled code includes an uncontrolled jump instruction matching the first preset instruction set (a first instruction, for example at least one of the jump1 to jump5 instructions), it further detects whether the jump target of the first instruction satisfies a preset condition. When the jump target of every first instruction in the controlled code satisfies the preset condition, each first instruction is an instruction for accessing the first preset code resource, and the control code allows the controlled code to run; otherwise it reports an error and refuses to run it.
  • The first preset code resource is a code resource outside the target resource access scope that the controlled code is allowed to access; it may be control code or uncontrolled code. The first preset code resource is located within the first resource access range, and the access addresses of the first resource access range (for example, a fourth address space) do not overlap with the access addresses of the target resource access range (that is, the first address space and the second address space).
  • The first preset code resource may be a first preset function, which may be one or more functions; this application does not limit this. The first preset function is an external function that the control module allows the controlled module to access and that belongs to neither the first address space nor the second address space. The first instruction is then a first jump instruction (for example, at least one of the jump1 to jump5 instructions) used to access the first preset function.
  • When each first instruction in the controlled code is an instruction used to access the first preset code resource, the control code determines that the jump target of each first instruction in the controlled code satisfies the preset condition and allows the controlled code to run. For example, when the first preset code resource includes a first preset function that the control module allows the controlled module to access, and the external function to which each jump instruction in the controlled code jumps is that first preset function, the jump target of each first instruction satisfies the preset condition. Equivalently, the jump address (for example, a fourth access address) of each jump instruction in the controlled code is a second preset address, the address of a second preset function that the control code allows the controlled code to access.
  • In summary: when the control code, while scanning the instructions in the controlled code, finds uncontrolled instructions, and those uncontrolled instructions are all uncontrolled jump instructions matching the first preset instruction set (first instructions), and the jump target of each of them satisfies the preset condition (for example, the code resource that each jump instruction in the controlled code jumps to is a first preset code resource), the control code can allow the controlled code to run. When the controlled code accesses the external function it performs only one external jump and does not need a second jump through proxy code, so the controlled code executes faster.
  • In another possible implementation, after the control code has scanned the instructions of the controlled code through the processing module and found that the instructions in the controlled code are not all controlled instructions, the control code detects through the processing module whether the uncontrolled instructions it contains are all first instructions of the first preset instruction set, where the first instructions are first-type jump instructions (such as the short_jump instruction) used to access the first preset function. That is, when scanning the controlled code, the control code can detect the uncontrolled instructions in it; if the jump targets of those jump instructions are all the first preset function, this ensures that whenever the controlled code accesses code resources outside the first address space and the second address space, the code resources accessed are exactly the ones specified by the control code.
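The relaxed scan described above, which tolerates jumps from the first preset instruction set only when their target is a first preset function outside the controlled module's windows, as an added C example. It is not the patent's code: the opcodes jump1 to jump10, the window addresses, the function addresses and the three sample modules are constructed for this example. It also rejects the case the text implies but does not spell out, an allowed function that was mistakenly placed inside the code or data window.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed toy encoding, not the patent's. Ops up to SHORT_JUMP are controlled.
 * JUMP1..JUMP5 form the first preset instruction set: uncontrolled jumps that a
 * controlled module may keep only if they target a first preset function.
 * JUMP6..JUMP10 form the second preset set, reserved for the agent code. */
enum op { ADD, LOAD_SHORT, STORE_SHORT, SHORT_JUMP,
          JUMP1, JUMP2, JUMP3, JUMP4, JUMP5, JUMP6, JUMP7, JUMP8, JUMP9, JUMP10 };
struct insn { enum op op; uint32_t target; };

/* A window [base, base + mask], as set up through code_base/code_limit etc. */
struct window { uint32_t base, mask; };

enum verdict { ACCEPT, REJECT_UNCONTROLLED, REJECT_BAD_TARGET, REJECT_FUNCTION_IN_WINDOW };

static int in_window(const struct window *w, uint32_t a) { return a >= w->base && a <= w->base + w->mask; }
static int is_controlled(enum op o) { return o <= SHORT_JUMP; }
static int is_first_set(enum op o) { return o >= JUMP1 && o <= JUMP5; }

/* Scan with the relaxation. allowed[] lists the addresses of the first preset
 * functions (the first resource access range); they must lie outside both the
 * code window and the data window of the controlled module. */
enum verdict scan_with_external_jumps(const struct insn *m, size_t n,
        const uint32_t *allowed, size_t n_allowed,
        const struct window *code, const struct window *data) {
    for (size_t k = 0; k < n_allowed; k++)
        if (in_window(code, allowed[k]) || in_window(data, allowed[k]))
            return REJECT_FUNCTION_IN_WINDOW;
    for (size_t i = 0; i < n; i++) {
        if (is_controlled(m[i].op)) continue;
        if (!is_first_set(m[i].op)) return REJECT_UNCONTROLLED;   /* e.g. JUMP7 */
        int ok = 0;
        for (size_t k = 0; k < n_allowed; k++)
            if (allowed[k] == m[i].target) ok = 1;
        if (!ok) return REJECT_BAD_TARGET;
    }
    return ACCEPT;
}

/* --- Constructed inputs --- */
static const struct window code_win = { 0x10000, 0xFFFF };  /* first address space */
static const struct window data_win = { 0x20000, 0xFFFF };  /* second address space */
static const uint32_t preset_fns[] = { 0x40000, 0x40100 };  /* first preset functions */

static const struct insn mod_direct_call[] = {  /* one external jump, no proxy */
    { LOAD_SHORT, 0x8 }, { JUMP1, 0x40000 }, { SHORT_JUMP, 0x0 } };
static const struct insn mod_wrong_target[] = { /* first-set jump, unlisted target */
    { ADD, 1 }, { JUMP2, 0x40200 } };
static const struct insn mod_agent_jump[] = {   /* second-set jump inside controlled code */
    { JUMP7, 0x40000 } };

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

enum verdict demo(int which) {
    static const uint32_t fn_in_window[] = { 0x20010 }; /* misconfigured: inside data window */
    switch (which) {
    case 0: return scan_with_external_jumps(mod_direct_call, LEN(mod_direct_call),
                                            preset_fns, LEN(preset_fns), &code_win, &data_win);
    case 1: return scan_with_external_jumps(mod_wrong_target, LEN(mod_wrong_target),
                                            preset_fns, LEN(preset_fns), &code_win, &data_win);
    case 2: return scan_with_external_jumps(mod_agent_jump, LEN(mod_agent_jump),
                                            preset_fns, LEN(preset_fns), &code_win, &data_win);
    default: return scan_with_external_jumps(mod_direct_call, LEN(mod_direct_call),
                                             fn_in_window, 1, &code_win, &data_win);
    }
}

int main(void) {
    for (int i = 0; i < 4; i++) printf("module %d: verdict %d\n", i, demo(i));
    return 0;
}
```

Only the first module is accepted: its single uncontrolled instruction is a first-set jump whose target is listed. A first-set jump to an unlisted address, or any second-set jump, stops the scan with the reason, so the control code can report the error rather than run the module.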
  • The controlled instructions in the controlled module include a first class of instructions for accessing code resources and a second class of instructions for accessing data resources. Allocating the target resource access range to each controlled instruction in the controlled module then includes: the control module allocates a second resource access range to the first class of instructions and a third resource access range to the second class of instructions, where the resource access addresses of the second resource access range and of the third resource access range are different.
  • Taking control code as the example of a control module: when the control code allocates the second resource access range to the first-class instructions in the controlled code, it can allocate to each first-class instruction a first address space and a first address parameter corresponding to that space. The first address space stores the code resources accessible to controlled instructions in the controlled code, and the first address parameter determines the address range of the first address space.
  • When the control code allocates the third resource access range to the second-class instructions in the controlled code, it can allocate to each second-class instruction a second address space and a second address parameter corresponding to that space. The second address space stores the data resources accessible to controlled instructions in the controlled code, and the second address parameter determines the address range of the second address space.
  • The first address parameter may include a code_base parameter and a code_limit parameter. code_base represents the starting address (first address) of the first address space; code_limit is the address range parameter of the first address space (its length), which may be, among other things, a space size or a binary mask that controls the size of the space. The first address space allocated to the first-class instructions may be contiguous or non-contiguous; this application does not limit this.
  • The second address parameter may include a data_base parameter and a data_limit parameter. data_base represents the starting address (first address) of the second address space; data_limit is the address range parameter of the second address space (its length), which may be, among other things, a space size or a binary mask that controls the size of the space. The second address space allocated to the second-class instructions may be contiguous or non-contiguous; this application does not limit this.
  • The control code can write the code_base and code_limit parameters into two registers in the processing module, such as register 1 and register 2, and the data_base and data_limit parameters into two other registers, such as register 3 and register 4; the storage units for the first address parameter and the second address parameter are different. These registers may be segment registers. This application does not limit the type of storage unit into which the first or second address parameter is written: it can be any hardware storage unit inside the processing module, or a hardware storage unit in a chip independent of the processing module.
  • The addresses of the first address space and the second address space are different. The controlled code accesses code stored in the first address space through first-class instructions and data stored in the second address space through second-class instructions. If the two spaces overlapped, the overlapping addresses could hold both code and data, and after the control code had scanned the module and found only controlled instructions, the controlled code could use, for example, the store_short instruction to write to an overlapping address and modify the code there, turning an instruction of the controlled code into an uncontrolled instruction able to access data or code outside the restricted first and second address spaces. This application therefore configures disjoint first and second address spaces for the controlled instructions in the controlled code, so that the controlled code cannot rewrite its own code after being scanned and allowed to run; otherwise it could smuggle in uncontrolled instructions that access unallocated memory resources and evade the control code's scan.
  • the processing module when executing the first type of instruction, can follow the second preset algorithm code_base+[code_limit(mask)OR addr] to execute the first type of instruction in the first address space limited by code_base and code_limit.
  • code_base code_base+[code_limit(mask)OR addr]
  • the original memory access address addr in the instruction is mapped to obtain the target access address limited to the first address space.
  • the first access address addr1 accessed by the short_jump instruction in the controlled code is 0x12345678, and addr1 is not in the range of 0 to ffff in the first address space.
  • the processing module of this application can modify code_limit and addr1 when executing the short_jump instruction. Perform an AND operation so that the high 8 bits of addr become 0, and the result of addr2 is 0x00005678.
  • the address length of addr2 is within the length limit of code_limit.
  • the processing module calculates code_base+addr2 and obtains the second access address addr3.
  • the jump address of the short_jump instruction is limited to addr3 (here is 0x00005678). This will not cause an error.
  • the controlled code can only access resources in the first address space.
  • addr3 is in the address range from 0 to ffff (the first address space limited by code_base and code_limit).
  • the processing module can read the data_base parameter and data_limit parameter from register 3 and register 4 respectively.
  • the data_base parameter is the first address of the second address space
  • the data_limit parameter is a binary mask that controls the size of the second address space.
  • the processing module when it executes the second type of instruction, it can obtain the memory access address addr in the second type of instruction according to the fourth preset algorithm data_base+[data_limit(mask)OR addr]. After that, data_base and data_limit In the restricted second address space, addr is mapped to obtain the accessible memory address.
  • the third access address addr1 accessed by the load_short instruction in the controlled code is 0x12345678, and addr1 is not in the range of 0 to ffff in the second address space.
  • the processing module of this application can perform an AND operation on data_limit and addr1 when executing the load_short instruction, so that the high 8 bits of addr become 0; the result, addr2, is 0x00005678.
  • the address length of addr2 is within the length limit of data_limit.
  • the processing module calculates data_base+addr2 and obtains the fourth access address addr3.
  • addr3 is in the address range from 0 to ffff (the second address space restricted by data_base and data_limit).
  • the uncontrolled instructions include a second preset instruction set
  • the control module includes an agent submodule
  • the agent submodule includes an agent that matches the second preset instruction set.
  • the agent includes a second instruction, wherein the second instruction is an instruction for accessing a second preset code resource, the second preset code resource is located within a fourth resource access scope, and the resource access addresses of the fourth resource access scope and the target resource access scope are different; after the control module allocates the target resource access scope to each instruction in the controlled module, the method further includes: the control module writes the proxy submodule to the second resource access scope.
  • control code may include agent code (an example of an agent submodule).
  • agent code may include at least one uncontrolled class jump instruction (i.e., jump instruction).
  • when the uncontrolled class jump instruction is executed by the processing module, the processing module can access the address of the second preset code resource.
  • the uncontrolled class jump instruction in the agent code may be at least one instruction from the jump6 instruction to the jump10 instruction in the second preset instruction set.
  • the second default code resource is a code resource located within a fourth resource access range (eg, a third address space).
  • the access address of the fourth resource access range does not overlap with the access address of the target resource access range (ie, the above-mentioned first address space and the second address space).
  • the second preset code resource is a control code, or an uncontrolled code, which is a code resource outside the target resource access scope that is allowed to be accessed by the controlled code.
  • the second preset code resource may be a second preset function.
  • the second preset function may be one or more functions, which is not limited by this application.
  • the second preset function may be an external function that the control module allows the controlled module to access.
  • when the proxy code is included in the control code, the proxy code can be configured with an uncontrolled class jump instruction that allows the controlled code to access the second preset code resource in the uncontrolled code. Then, when the first address space and the first address parameter are allocated to the first type of instruction in the controlled code (such as a controlled class jump instruction), the agent code can also be written into the first address space that the controlled code is allowed to access. When the controlled code needs to call the second preset function in the uncontrolled code, it can first jump to the agent code through a controlled class jump instruction, and then jump through the uncontrolled class jump instruction in the agent code to the second preset code resource, achieving limited access to external code resources outside the controlled code.
  • by executing the controlled class jump instruction in the controlled code, the processing module jumps to the agent code and reaches the uncontrolled class jump instruction in the agent code, through which it accesses the external function.
  • the address space accessed by the second type of instruction used to access data in the controlled code (such as the controlled class memory access instruction, the load_short instruction) is limited to the second address space and cannot reach the first address space. Therefore the address space where the proxy code is located cannot be accessed, which prevents the controlled code from modifying the proxy code through the second type of instruction and then jumping to an illegal space through the proxy code, and prevents the controlled code from illegally calling services it is not allowed to use.
  • the so-called illegal space is the address space that the control code does not allow the controlled code to access.
  • the first preset code resource and the second preset code resource may be the same.
  • the controlled code can achieve access to the external code resources through proxy code, or by including a jump instruction of an uncontrolled class that accesses the first preset code resource within the controlled code.
  • the first preset code resource and the second preset code resource may be different.
  • the controlled code can achieve access to the external code resources by using proxy code and including jump instructions of the uncontrolled class that access the first preset code resource within the controlled code.
  • first preset function and the second preset function may be the same or different, and the first instruction and the second instruction may also be the same or different.
  • the second preset code resource includes a second preset function
  • the first type of instructions includes a second jump type instruction used to access the second instruction
  • the processing module processing the first access address and accessing the target resource according to the processed first access address includes: the processing module processes the second access address in the second jump instruction and accesses the second instruction according to the processed second access address; the processing module then accesses the second preset function according to the third access address in the second instruction; wherein the second preset function is a function that the control module allows the controlled module to access.
  • the first type of instruction is a jump instruction of the controlled type in the controlled code.
  • the second type of jump instruction used to access the second instruction is a short_jump instruction.
  • when the processing module executes the short_jump instruction in the controlled code, it can process the jump address of the short_jump instruction (i.e. the second access address) according to the algorithm described above, zeroing the high bits of the jump address and thereby shortening the address length of the second access address, so that the processed second access address falls in the part of the first address space where the agent code is located.
  • the processing module can read the uncontrolled class jump instruction (i.e., the second instruction) in the agent code from the processed second access address, such as the jump6 instruction.
  • the processing module can perform a code jump by executing the jump6 instruction, and can jump to the jump address corresponding to the jump6 instruction (i.e., the above-mentioned third access address) to access the second preset function.
  • the control code can use the processing module to scan the instructions in the controlled code.
  • the agent code is written in the first address space so that the first address space includes not only the controlled code but also the agent code.
  • the controlled code can jump to the agent code through the controlled class jump instruction and, through the uncontrolled class jump instruction in the agent code, jump to the location of a fixed function that the uncontrolled code allows the controlled code to access, such as the first address of the second preset function. In this way, the controlled code can only enter the first address of each function specified by the uncontrolled code. The code at these positions can make appropriate checks and then decide whether to provide the relevant function, ensuring the safety of access to the second preset function.
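  • The following is an added C model (not part of the patent) of the two mechanisms described above: the base + mask mapping applied to controlled jumps and loads, the pre-run scan that rejects any uncontrolled class instruction, and the agent slot through which a controlled jump reaches a preset function. The layout values (data_base 0x10000, the agent at 0xF000, the function entry 0x40000000) and the instruction names are constructed; the mask is applied as the bitwise AND that the page's worked numbers (0x12345678 to 0x00005678) show.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Instruction classes named on the page. SHORT_JUMP and LOAD_SHORT are the
 * controlled class (address masked and rebased at run time); JUMP_FAR stands
 * for the uncontrolled-class jumps (jump6..jump10) that only agent code may
 * contain, because the pre-run scan rejects them inside controlled code. */
typedef enum { SHORT_JUMP, LOAD_SHORT, JUMP_FAR } opcode_t;

typedef struct { opcode_t op; uint32_t addr; } insn_t;

/* The four parameters the page keeps in registers 1..4. */
typedef struct {
    uint32_t code_base, code_limit;   /* first address space: code + agent */
    uint32_t data_base, data_limit;   /* second address space: data only   */
} sandbox_t;

/* Constructed layout: first address space 0..0xffff as in the page's numbers;
 * data space, agent slot and external function entry are placeholders. */
#define AGENT_ADDR  0x0000F000u   /* where the control module writes the agent */
#define EXTERNAL_FN 0x40000000u   /* first address of the preset function      */
const sandbox_t SB = { 0x00000000u, 0x0000ffffu, 0x00010000u, 0x0000ffffu };
const insn_t AGENT[1] = { { JUMP_FAR, EXTERNAL_FN } };

/* Constructed controlled modules for the scan: one clean, one containing an
 * uncontrolled jump that must be rejected before the module is run. */
const insn_t CLEAN_CODE[3] = { { SHORT_JUMP, 0x12345678u },
                               { LOAD_SHORT, 0x12345678u },
                               { SHORT_JUMP, 0x1234F000u } };
const insn_t MIXED_CODE[2] = { { SHORT_JUMP, 0x00000010u },
                               { JUMP_FAR,   EXTERNAL_FN } };

/* base + (mask AND addr): the mapping applied to every controlled access.
 * With base 0 and mask 0xffff, 0x12345678 becomes 0x00005678 as on the page. */
uint32_t confine(uint32_t base, uint32_t limit_mask, uint32_t addr) {
    return base + (addr & limit_mask);
}

int is_controlled(opcode_t op) { return op == SHORT_JUMP || op == LOAD_SHORT; }

/* Pre-run scan: 1 iff every instruction is controlled class. Only then can the
 * CPU skip per-access permission checks while the module runs. */
int scan_all_controlled(const insn_t *code, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!is_controlled(code[i].op)) return 0;
    return 1;
}

/* Effective address of one instruction at run time. Controlled jumps are
 * confined to the code space, controlled loads to the data space, so a load
 * can never reach the agent even if it names the agent's address. */
uint32_t resolve(const sandbox_t *sb, insn_t in) {
    switch (in.op) {
    case SHORT_JUMP: return confine(sb->code_base, sb->code_limit, in.addr);
    case LOAD_SHORT: return confine(sb->data_base, sb->data_limit, in.addr);
    default:         return in.addr;   /* uncontrolled jump: used unmodified */
    }
}

int in_space(uint32_t a, uint32_t base, uint32_t limit_mask) {
    return a >= base && a <= base + limit_mask;
}

/* Follow a controlled jump. If it lands on the agent slot, the agent's
 * uncontrolled jump is taken, so the only external address reachable is the
 * function entry the agent was configured with. */
uint32_t execute_jump(const sandbox_t *sb, insn_t jmp) {
    uint32_t target = resolve(sb, jmp);
    if (target == AGENT_ADDR) return resolve(sb, AGENT[0]);
    return target;
}

int main(void) {
    printf("scan clean module: %d, mixed module: %d\n",
           scan_all_controlled(CLEAN_CODE, 3), scan_all_controlled(MIXED_CODE, 2));
    printf("short_jump 0x12345678 -> 0x%08x\n", resolve(&SB, CLEAN_CODE[0]));
    printf("load_short 0x12345678 -> 0x%08x\n", resolve(&SB, CLEAN_CODE[1]));
    printf("load_short to agent    -> 0x%08x (not 0x%08x)\n",
           resolve(&SB, (insn_t){ LOAD_SHORT, AGENT_ADDR }), AGENT_ADDR);
    printf("jump via agent         -> 0x%08x\n", execute_jump(&SB, CLEAN_CODE[2]));
    printf("direct far jump        -> 0x%08x\n",
           execute_jump(&SB, (insn_t){ SHORT_JUMP, EXTERNAL_FN }));
    return 0;
}
```

  The last two lines of output show the point of the agent: a controlled jump whose masked target is the agent slot reaches the preset function, while a controlled jump that names the function's address directly is folded back into the first address space.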
  • an embodiment of the present application provides a resource control device.
  • the resource control device includes a control module and a controlled module. Instructions in the resource control device are divided into controlled instructions and uncontrolled instructions.
  • the control module is used to: before the controlled module is run, scan the instructions in the controlled module to detect whether the instructions in the controlled module are all controlled instructions; when it is detected that the instructions in the controlled module are all controlled instructions, assign a target resource access scope to each instruction within the controlled module.
  • the resource control device further includes a processing module; the processing module is used to process the first access address and access the target resource according to the processed first access address; wherein the first access address is the resource access address in the controlled class instruction currently running in the controlled module, and the processed first access address is within the target resource access scope corresponding to the currently running controlled class instruction.
  • the control module is further configured to: after detecting that the instructions in the controlled module are not all controlled class instructions, detect whether the controlled module includes a first instruction that matches a preset instruction set, the first instruction being an instruction for accessing a first preset code resource; and if so, allocate the target resource access scope to each controlled class instruction in the controlled module.
  • the access scope of the above target resources is different.
  • the first preset code resource includes a first preset function
  • the first instruction is a first jump instruction used to access the first preset function
  • the first preset function is a function that the control module allows the controlled module to access.
  • the controlled class instructions in the controlled module include: a first class of instructions for accessing code resources and a second class of instructions for accessing data resources; the control module is specifically used to: allocate a second resource access scope to the first type of instruction and a third resource access scope to the second type of instruction; wherein the resource access addresses of the second resource access scope and the third resource access scope are different.
  • the uncontrolled instructions include a second preset instruction set
  • the control module includes an agent submodule
  • the agent submodule includes an agent that matches the second preset instruction set.
  • the agent includes a second instruction, wherein the second instruction is an instruction for accessing a second preset code resource, the second preset code resource is located within a fourth resource access range, and the resource access addresses of the fourth resource access range and the target resource access scope are different; the control module is also used to write the proxy submodule to the second resource access scope.
  • the second preset code resource includes a second preset function
  • the first type of instructions includes a second jump type instruction used to access the second instruction
  • the processing module is specifically used to: process the second access address in the second jump instruction and access the second instruction according to the processed second access address; access the second preset function according to the third access address in the second instruction; wherein the second preset function is a function that the control module allows the controlled module to access.
  • an embodiment of the present application provides a resource control device.
  • the resource control device includes one or more interface circuits and one or more processors; the interface circuit is used to receive signals from the memory and send the signals to the processor, where the signals include computer instructions stored in the memory; when the processor executes the computer instructions, the processor can implement the method in any of the above implementations.
  • the effect of the resource control device in this embodiment is similar to the effect of the resource control method in each of the above embodiments, and will not be described again here.
  • embodiments of the present application provide a computer-readable storage medium.
  • the computer-readable storage medium stores a computer program.
  • when the computer program is run on a computer or processor, it causes the computer or processor to execute the method in any of the above embodiments.
  • embodiments of the present application provide a computer program product.
  • the computer program product includes a software program.
  • when the software program is executed by a computer or processor, the method in any of the above embodiments is executed.
  • Figure 1 is a schematic diagram illustrating exemplary code isolation
  • Figure 2a is a schematic diagram of an exemplary process isolation code
  • Figure 2b is a schematic diagram of an exemplary virtual machine isolation code
  • Figure 2c is a schematic diagram of an exemplary safe zone isolation code
  • Figure 3a is a schematic diagram of the system framework structure
  • Figure 3b is a schematic diagram of the system framework structure
  • Figure 4a is an operational flow chart of the system shown in an exemplary manner
  • Figure 4b is a schematic diagram of an exemplary memory address space
  • Figure 5a is an operational flow chart of the exemplary shown system
  • Figure 5b is a schematic diagram of an exemplary memory address space
  • Figure 5c is a schematic diagram of an exemplary compilation process of controlled code
  • Figure 6a is an operational flow chart of the exemplary system shown
  • Figure 6b is a schematic diagram of an exemplary memory address space
  • Figure 6c is a schematic diagram of an exemplary compilation process of controlled code
  • Figure 7 is a schematic diagram of an exemplary system architecture
  • Figure 8 is a schematic structural diagram of a device provided by an embodiment of the present application.
  • Figure 9 is a schematic structural diagram of a chip provided by an embodiment of the present application.
  • A and/or B can mean any of three situations: A exists alone, A and B exist simultaneously, or B exists alone.
  • first and second in the description and claims of the embodiments of this application are used to distinguish different objects, rather than to describe a specific order of objects.
  • first target object, the second target object, etc. are used to distinguish different target objects, rather than to describe a specific order of the target objects.
  • multiple processing units refer to two or more processing units; multiple systems refer to two or more systems.
  • information can be isolated in the software.
  • the computer can assign different roles to different software codes and allocate resources based on the role to form an instance of the role, thereby ensuring that different instances can only access the resources assigned to the corresponding role instance, achieving code isolation and ensuring safe access to information.
  • role instances may include but are not limited to processes, containers, virtual machines, etc.
  • the role instance is used as a process for illustration.
  • an application (App, Application) is run on the Android operating system (Android for short) of the mobile phone.
  • Android is provided by the mobile phone vendor and represents a role.
  • the App is provided by the App provider, so for the sake of information security, Android allows the App to only access the phone function but not the location function.
  • Android can modify the permission status of the CPU from operating system permissions to process permissions before handing over the control of the central processing unit (CPU) to the App.
  • Android can set permissions on the process.
  • process permissions may include access to the phone, but not access to the location.
  • after the App code takes over the CPU, the App code can only access resources within the process permissions, and cannot access resources outside the process permissions that Android has not assigned to the App. If the App wants to obtain higher permissions to access resources beyond the process permissions (such as accessing location information), the App can only return control of the CPU to Android; the Android code then takes over the CPU again and completes the resource access to the location information.
  • a hierarchical or classified state can be designed for the CPU, in which high-privileged code (such as operating system code) controls the resource access scope (such as phone access permissions) of low-privileged code (such as general user program code, for example the code of the above App). The CPU permissions are then modified from the high privilege level to the low privilege level, causing the code executed by the CPU to jump to the low privilege level code, so that the low privilege level code takes over the CPU. The low-privileged code can then only access resources within the assigned permissions, and cannot access resources outside those permissions.
  • the low-privilege code can only give up control of the CPU actively (such as through system calls) or passively (such as through interrupts), causing the code executed by the CPU to jump to a specific code location with a high privilege level; at the same time the CPU permissions are modified from the low privilege level to the high privilege level, so that the high privilege level code regains control of the CPU and can access resources within the scope of the high privilege level.
  • high-privilege code (such as operating system code) can ensure the security of resource access by low-privilege code by controlling the permissions of the low-privilege code, for example securing the operation behavior of the above-mentioned App and preventing the App from obtaining the user's key information, such as reading the user's transaction password.
  • Figure 1 is a schematic diagram illustrating exemplary code isolation.
  • Figure 1 is only an example, and the isolation structure for code isolation may have more or fewer levels than shown in the figure.
  • the CPU permissions from high to low are system-wide control permissions, virtual machine permissions, operating system permissions, and process permissions.
  • the system-wide control code runs within the permissions of the system-wide control pointed by the dotted arrow
  • the operating system management code runs within the permissions of the operating system pointed by the dotted arrow (here, the permissions of the operating system in the virtual machine)
  • the general user program code runs within the permissions of the process pointed to by the dotted arrow.
  • the privilege codes from high to low are system-wide control code, virtual machine management code, operating system management code and general application code.
  • the low-privilege level code can only give up control of the CPU actively (such as through system calls) or passively (such as through interrupts), causing the code executed by the CPU to jump to a specific code location with a high privilege level; at the same time the CPU permissions change from the low privilege level to the high privilege level, so that the high privilege level code regains control of the CPU and can access resources within the scope of the high privileges.
  • the permissions of the virtual machine can be configured to limit the resource access permissions of the virtual machine; the virtual machine management code runs within the permissions of the virtual machine.
  • the permissions of the operating system can be configured to limit the resource access permissions of the operating system; the operating system management code can run within the permissions of the operating system, and the permissions of the process can be configured to limit the resource access permissions of the process.
  • high-privilege code can assign permissions to low-privilege code to control the resource access scope of low-privilege code.
  • high-privilege operating system management code (running in a virtual machine) can configure the permissions of a process running general user program code to limit the resource access scope of the process.
  • memory resources are among the more important resources; whether it is a process, a virtual machine, or an operating system, each can access memory resources.
  • the operating system management code can limit the specific addresses of the memory resources that can be accessed by the process.
  • the operating system management code can configure the page table of each process to set the address range of the memory resources that the process can access.
  • the page table can include information about the memory addresses that the process can access.
  • user program code runs within the permissions of a process.
  • a process initiates a resource access request beyond the permissions of the process, control of the CPU needs to be handed over to the operating system, which initiates the resource access request.
  • when a process initiates an instruction to access system resources, if the resource access is not within the permissions of the process and the instruction is prohibited from accessing it, the permissions of the CPU can be modified from the permissions of the process to the permissions of the operating system, and the code pointer is moved from the general user program code running in the process to the operating system management code, so that the operating system management code controls the CPU to perform the access to system resources. In this way, it can be ensured that the process accesses resources only within the assigned resource access permissions.
  • user program code is isolated and runs within the permissions corresponding to the process, and cannot access unallocated resources beyond the permissions range.
  • memory resources are resources that can be accessed within the permissions of the process, and the addresses that a process can access to memory resources are limited by the page table of the process. Then every time the CPU receives a memory access instruction initiated by a process, it needs to query the page table configured for the process in user mode to determine the list of memory addresses allocated to the process. If the memory address accessed by the memory access instruction is not in the memory address list, the CPU cannot execute the memory access instruction and an exception may be generated.
  • when the CPU executes instructions initiated by the process, the CPU confirms that the high-privilege code has indeed allocated the specific resources to the low-privilege role instance. Every time low-privilege code accesses a resource, the CPU must check the resources allocated to the role instance (such as the page table) before running the resource access instruction, for example confirming whether the memory resources allocated to the process include the memory resource pointed to by this instruction, which reduces the execution efficiency of the CPU.
  • containers are also a code isolation solution, which can be regarded as a special process solution that has nothing to do with hardware.
  • the operating system can put multiple processes into groups.
  • the resources requested by the processes in the group can be provided by the CPU; resource access requests that are not within the scope of the group are not served.
  • This solution is similar to the solution in Figure 2a.
  • the process cannot access unallocated resources beyond the scope of the container, thereby ensuring that the code of the process within the container is safe.
  • every time the code in a process of the container accesses a resource, the CPU must check the resources allocated to the container (such as the page table) before running the resource access instruction, for example confirming whether the memory resources allocated to the container include the memory resource pointed to by the instruction, which reduces the execution efficiency of the CPU.
  • the virtual machine is a code isolation solution, and the virtual machine solution can be regarded as a superposition of the process isolation solution shown in Figure 2a.
  • the operating system and the process can be regarded as a managed object, and the virtual machine management code can be regarded as a manager with higher privileges than the operating system management code in Figures 1 and 2a.
  • the logic of virtual machine isolation is similar to the logic of process isolation, which is briefly explained below with reference to Figure 2b.
  • the operating system code runs within the permissions of the virtual machine.
  • physical chip devices can provide two configurations of address space permissions.
  • Level 1 configuration is specified by the virtual machine
  • level 2 configuration is specified by the virtual machine management code.
  • the virtual machine management code can configure the permissions of the virtual machine to limit the resource access scope of the virtual machine.
  • memory resources are among the more important resources; whether it is a process, a virtual machine, or an operating system, each can access memory resources.
  • the virtual machine management code can place restrictions on the virtual machine as to the specific addresses of memory resources that can be accessed.
  • the virtual machine management code can configure each virtual machine's level 2 page table to set the address range of memory resources that the virtual machine can access.
  • the level 2 page table can include information about the memory addresses that the virtual machine can access, so that the virtual machine management code controls the virtual machine's address access rights to memory resources through the level 2 page table, thereby controlling the range of memory resource access addresses of the operating system running on the virtual machine.
  • the addresses accessible to memory resources are restricted by the virtual machine's page table. Then every time the CPU receives a memory access instruction initiated by a virtual machine, it needs to query the page table configured for the virtual machine to determine the list of memory addresses allocated to the virtual machine. If the memory address accessed by the memory access instruction is not in the memory address list, the CPU cannot execute the memory access instruction and an exception may be generated.
  • when the CPU executes instructions initiated by the virtual machine, the CPU confirms that the high-privilege code has indeed allocated the specific resources to the low-privilege role instance. Every time low-privilege code accesses a resource, the CPU must check the resources allocated to the role instance (such as the page table) before running the resource access instruction, for example confirming whether the memory resources allocated to the virtual machine include the memory resource pointed to by this instruction, which reduces the execution efficiency of the CPU.
  • the safe zone is a code isolation solution.
  • the safe zone solution can be regarded as a superposition of the virtual machine isolation solution shown in Figure 2b.
  • the code can be divided into safe zone code running in the safe zone and non-safe zone code running in the non-safe zone.
  • the security zone code may include virtual machine management code, operating system code, general user program code, etc.
  • Security zone code can run within the permissions of the security zone.
  • the security management code can be regarded as a manager with higher privileges than the virtual machine management code in Figure 2c.
  • the logic of code isolation in the safe zone is similar to the logic of process isolation shown in Figure 2a and virtual machine isolation shown in Figure 2b. The following briefly explains, with reference to Figure 2c, how the safe zone solution differs from the process isolation and virtual machine isolation solutions.
  • security management code can be used to set up secure and non-secure work environments. For example, on ARM CPUs, the memory accessible to the safe zone is not specified through the page table, but is determined by hardware hard coding. Therefore, whether the safe zone code can access the memory at a specific address depends on the hardware hard coding. If the security zone code takes over the CPU and runs within the scope of authority of the security zone, a security mark is added to the requests issued by the CPU for the security zone code, so that those requests carry the security mark; otherwise (for example, when the CPU is running non-safe zone code) the requests issued by the CPU do not carry this mark. There is a bus between the CPU and the memory.
  • the CPU sends a request to write memory to the memory through the bus.
  • the bus-related logic can decide whether to allow the request to be served based on this mark: if the request carries the mark, the request can access the memory; if the request does not carry the mark, the request is discarded. The security management code can thus determine the instructions that the CPU can execute based on whether the request issued by the CPU has a security mark, or, when the CPU issues an address access request, it can detect whether there is access permission to the address.
  • the security management code checks whether the request issued by the CPU has a preset mark to determine the range of resources that the request can access. This judgment needs to be executed every time the CPU makes a request, which increases running costs.
  • this application provides a resource control method that can scan the instructions used by the controlled code before the code that needs to ensure safe access to resources (referred to as controlled code, such as the above-mentioned third-party code) is run.
  • this method scans that the instructions used by the controlled code are all controlled class instructions, where the controlled class instructions can only access resources within the target resource access range of the controlled code
  • the CPU does not need to check the instructions issued by the controlled code (such as querying the resources allocated to the process to which the controlled code belongs). Then the instructions used by the controlled code will not exceed the target resource access range of the controlled code, thereby improving the execution efficiency of the CPU.
  • FIG. 3a and FIG. 3b are schematic diagrams of the system framework structure. It should be understood that the system shown in Figures 3a and 3b is only an example; the system of the present application may have more or fewer modules than shown in the figures, two or more modules may be combined, or the modules may be configured differently.
  • the various modules shown in Figures 3a, 3b may be implemented in hardware, software, or a combination of hardware and software including one or more signal processing and/or application specific integrated circuits.
  • The resource control device may include a control module and a controlled module, and optionally a processing module. The instructions in the resource control device are divided into controlled class instructions and uncontrolled class instructions.
  • the resource control device can execute the method described in the following embodiments.
  • the resource control device can be implemented as a central processing unit (CPU), or any kind of processor, etc.
  • This application does not limit the implementation of the resource control device.
  • The following takes the case where the resource control device is implemented as a CPU as an example.
  • the processing module may be hardware including one or more signal processing and/or application-specific integrated circuits in the central processing unit.
  • the processing module may be used to execute instructions.
  • The instructions executable by the processing module are divided into controlled class instructions and uncontrolled class instructions. The processing module does not distinguish between instruction types when executing instructions; it interprets and executes each instruction according to the semantics (or encoding) of the instruction.
  • the processing module can only access the specific resource access range allocated by the control module to the controlled instruction, but cannot access resources outside the specific resource access range.
  • The semantics (or encoding) of a controlled class instruction determine that its resource access scope is restricted when it is executed by the processing module. Therefore, when the processing module executes a controlled class instruction, it does not need to check (for example, by looking up the page table) whether the resource access address in the instruction is within the resource access permission range of the currently running program, which improves the instruction processing efficiency of the processing module.
  • For an uncontrolled instruction, resource access is performed according to the resource access address in the instruction, without processing that address.
  • The processing module can determine, using traditional page lookup methods, whether the process (or virtual machine, etc.) in which the uncontrolled instruction is located has access rights to the access address, so as to decide whether to continue executing the uncontrolled instruction. If the resource access address is within the authority, the processing module accesses the resource at that address. If the resource access address is outside the authority, the processing module interrupts execution of the instructions in the controlled module.
  • the processing module in the CPU provided by this application can support the execution of two types of instructions, controlled instructions and uncontrolled instructions, and execute these two types of instructions in different ways.
  • the processing module may be a hardware structure in a CPU.
  • The present application can improve the above hardware structure in the CPU, so that a CPU that originally only supports the execution of uncontrolled instructions can, after the improvement, support the interpretation and execution of controlled instructions in hardware, interpreting and executing controlled instructions and uncontrolled instructions in different ways.
  • The processing module can perform memory access according to the memory access address in an uncontrolled instruction in the traditional way (such as page table lookup). For a controlled instruction, the processing module can map the memory access address in the instruction into a specific memory address space and access the memory within that space, so that the resources a controlled instruction can access when executed by the CPU are limited.
  • The program running in the CPU optionally includes a controlled module, a control module, and an uncontrolled module. While the CPU is running any one of these three modules, the processing module executes the instructions in the currently running module to implement the functionality of that module.
  • the uncontrolled module can be used to call the controlled module developed by a third party.
  • the uncontrolled module can be run in the CPU provided by this application to realize the call of the controlled module.
  • the processing module can be used to execute instructions in the uncontrolled module.
  • the uncontrolled module can include uncontrolled instructions, and optionally, can also include controlled instructions. This application does not limit this.
  • the controlled module and the uncontrolled module can be regarded as two parts of one module (a program).
  • the uncontrolled module and the controlled module may have a calling and called relationship.
  • the uncontrolled module first initiates a call to the controlled module.
  • the controlled module can also call functions in the uncontrolled module to implement corresponding functions.
  • The uncontrolled module cannot fully trust the controlled module to the extent of letting it access any resources of the uncontrolled module or of the module to which the uncontrolled module belongs. To ensure that the operations performed by the controlled module while it runs remain controllable by the uncontrolled module, the uncontrolled module needs to limit the resources the controlled module can access.
  • this application provides the above-mentioned control module.
  • The uncontrolled module can be installed or embedded with the control module provided by this application, to ensure that the uncontrolled module uses the control module when calling the controlled module, so that the controlled module can access only limited resources.
  • the control module may include uncontrolled instructions, and optionally further include controlled instructions.
  • The control module can run in the CPU. When the uncontrolled module needs to call the controlled module (for example, to call a function), before the controlled module runs, the control module can send uncontrolled instructions to the processing module, and the processing module executes these uncontrolled instructions to scan the instructions in the controlled module.
  • the control module can scan whether the instructions in the controlled module are all controlled instructions.
  • When the control module detects that the instructions in the controlled module are all controlled instructions, the control module can send uncontrolled instructions to the processing module, which are used to allocate the target resource access range (which may include a target address space) to each instruction within the controlled module. In this way, after the controlled module is run, the processing module can only access resources in the target address space when executing the controlled class instructions in the controlled module.
  • the resource may be the memory resource shown in Figure 3a.
  • The resources whose access range is restricted for the controlled module are not limited to memory resources; they may also include, but are not limited to, resources within a peripheral when the peripheral is accessed in memory-mapped mode.
  • the resources that can be stored in the memory may include code and data, and the memory resources may include code resources and data resources.
  • the control module can restrict the memory address space accessed by the controlled module.
  • control module may restrict the address space in the peripheral device accessed by the controlled module.
  • each embodiment of the present application takes the access restriction of memory resources as an example.
  • the resource is an accessible resource other than memory resources, the method is the same and will not be described again here.
  • control module and the controlled module may be software programs running in the CPU of this application.
  • control module can also run on a traditional CPU, which is not limited by this application.
  • the controlled instructions may include the custom instruction set of the present application.
  • When the instructions in the custom instruction set are executed by the CPU, they can only access a specific resource range and cannot access resources outside that range.
  • the instructions in the custom instruction set have limited resource access scope when executed by the CPU.
  • Controlled instructions may also include some traditional instructions that have no impact on the security of the code and data of uncontrolled modules (such as addition instructions, subtraction instructions, and other instructions that do not require access to memory resources). Which instructions are treated as having no impact on the security of the code and data in the uncontrolled module can be set flexibly according to need, and this application does not impose restrictions on this.
  • The control module does not need to allocate a target resource access range to such preset instructions; it only needs to assign a target resource access range to each controlled class instruction in the controlled module that needs to access memory resources.
  • The following takes the case where the accessed resource is a memory resource as an example.
  • Uncontrolled instructions can be any instructions except controlled instructions.
  • Uncontrolled instructions may include but are not limited to: third type instructions and fourth type instructions.
  • The third type of instructions are instructions by which the CPU can access code and execute it. They may include, but are not limited to, jump instructions, which is not limited in this application.
  • the jump instruction is used for instruction jumps, can be used in function call scenarios, can be used to access code, and is also a memory access instruction.
  • a jump instruction can be classified as an instruction that accesses code in memory, and the jump instruction can be referred to as an "uncontrolled jump instruction".
  • The fourth type of instructions are instructions by which the CPU can access data. They may include, but are not limited to, load instructions, store instructions, stack access instructions, etc., which are not limited in this application.
  • When a load instruction is executed, the CPU loads data from memory into the CPU according to the memory access address in the instruction; when a store instruction is executed, the CPU writes data from the CPU into memory according to the memory access address in the instruction.
  • the stack access instruction may include a push instruction and a pop instruction, where the stack access instruction is also a memory access instruction.
  • Load instructions, store instructions, push instructions, and pop instructions can be classified as instructions for accessing data in memory.
  • Controlled class instructions may include the custom instruction set of this application, and optionally may also include some traditional instructions that have no impact on the security of the code and data of uncontrolled modules.
  • In the following, each embodiment is described taking the controlled class instructions to be the custom instruction set as an example.
  • the instruction types of the custom instruction set may include but are not limited to: load_short instruction, store_short instruction, short_push instruction, short_pop instruction, short_jump instruction.
  • instructions in a custom instruction set can only access data or code in a specific memory address space.
  • When the load_short instruction is executed by the CPU, the CPU executes it based on the semantics of the load_short instruction, loading data from the specific memory address space into the CPU according to the preset algorithm.
  • The load_short instruction can be divided into load_short instructions of multiple encodings.
  • For ease of understanding, these can be written as load_shortN, where N is a positive integer.
  • load_short instructions of different encodings have different N values.
  • When load_short instructions with different encodings are executed by the CPU, the process of loading data from the memory address space into the CPU may differ, but the resource access scope of every load_short encoding is limited when executed.
  • other instructions in the custom instruction set (such as the store_short instruction) can also include instructions of the same type in multiple encodings.
  • the CPU can execute the store_short instruction based on the semantics of the store_short instruction to write the data in the CPU to a specific memory address space according to the preset algorithm;
  • The load instruction and the load_short instruction have different instruction encodings. Both load data from memory into the CPU, but the resource range of the load_short instruction is limited. Similarly, the store instruction and the store_short instruction have different encodings, and the resource access scope of the store_short instruction is limited.
  • Compared with the traditional push and pop instructions, when executing the short_push and short_pop instructions the CPU performs the push and pop within a specific stack address space according to the preset algorithm of this application, so that the accessed resources are within the restricted stack address space.
  • Compared with the traditional jump instruction, when executing the short_jump instruction the CPU performs code access within a specific memory address space according to the preset algorithm of this application.
  • the instructions in the custom instruction set can also be divided into two types of instructions:
  • The first type of instructions are instructions by which the CPU can access code resources and run them. They may include, but are not limited to, short_jump instructions.
  • the first type of instructions may be referred to as "controlled type jump instructions”.
  • The second type of instructions are instructions by which the CPU can access data resources. They may include, but are not limited to, the load_short instruction, store_short instruction, short_push instruction, short_pop instruction, etc.
  • The following takes the controlled class instructions to be the above-mentioned custom instruction set, and the resource access range restricted by the controlled class instructions to be a memory resource access range, as an example. In this case the controlled class instructions are all memory access instructions and can be divided into the first type and the second type of instructions mentioned above.
  • Throughout this text, "XX instruction is an instruction used to access code resources" means that when the XX instruction is executed by the CPU (or the processing module in the CPU), the CPU (or the processing module in the CPU) can access the code resource and run it.
  • "XX instruction is an instruction used to access data resources” is used to indicate that when the XX instruction is executed by the CPU (or the processing module in the CPU), the CPU (or the processing module in the CPU) can access the data resources.
  • the control module can scan whether the instructions in the controlled module are all controlled instructions.
  • the control module can include the above-mentioned custom instruction set.
  • The control module can scan the instructions in the controlled module and compare them with the instructions in the custom instruction set to detect whether the instructions in the controlled module are all controlled instructions.
  • control module can determine that the instructions in the controlled module are all controlled instructions.
  • control module may determine that the instructions in the controlled module are not all controlled instructions.
  • When the control module detects that the instructions in the controlled module are all controlled instructions, the control module can write the target address parameters into a storage unit (such as a storage unit in the processing module) by sending uncontrolled instructions to the processing module, to limit the target resource access range of the controlled module, such as the target address space in memory.
  • When the control module allocates a target resource access range to each instruction in the controlled module, the control module may send an uncontrolled instruction to the processing module; when the processing module executes it, an accessible target address space is allocated in memory for each controlled class instruction in the controlled module, and the target address parameters of that target address space are determined. The control module can then send a further uncontrolled instruction to the processing module, and when the processing module executes it, the target address parameters are written into the storage unit. This achieves the allocation of the target resource access range for each instruction within the controlled module.
  • The target resource access range is allocated to each controlled class instruction in the controlled module by the processing module executing uncontrolled class instructions.
  • The purpose is as follows: if the target resource access range could be allocated by the processing module executing controlled class instructions, the controlled module could send controlled class instructions (which pass the scan) to the processing module and modify the target resource access range allocated to its own instructions, for example to a range that the control module does not allow the controlled module to access, so that the resource access range of the controlled module would no longer be controlled by the control module.
  • The control module serves as the limiter of the resource access scope of the controlled module: the processing module allocates the target resource access scope to each controlled class instruction in the controlled module by executing the uncontrolled class instructions in the control module, so that the resource access scope of the controlled module is controlled by the control module.
  • the controlled module itself cannot modify the target resource access scope that it can access, thereby ensuring the safe access of resources by the controlled module.
  • the storage unit used to store the target address parameter may be built into the CPU.
  • the storage unit can be built into the processing module, or built into the CPU but external to the processing module (wherein the processing module can be communicatively connected with the storage unit).
  • the storage unit can also be a storage unit in an external chip that is independent of the CPU, and the processing module can access the storage unit in the external chip.
  • the storage unit may be a register (including but not limited to a segment register, etc.), a magnetic head, etc.
  • The control module can run in the CPU of this application and update the target address parameters in the storage unit through uncontrolled instructions, to ensure that the controlled code to be called by the uncontrolled module can only access memory resources within the specific address space restricted by the target address parameters.
  • the target address parameters may include multiple sets of address parameters
  • The control module may allocate different address parameters to different types of controlled instructions according to the instruction types in the controlled module, so that when different types of controlled instructions in the controlled module are executed by the CPU, the address spaces accessed by the CPU differ.
  • a set of address parameters corresponds to an address space.
  • the storage units where each set of address parameters are stored may be the same or different.
  • the target address parameter can be set through an uncontrolled class instruction but cannot be set through a controlled class instruction to prevent the controlled module from modifying its accessible address space by sending a controlled class instruction to the processing module.
  • the target address parameter can be written to the storage unit by the control module by sending an uncontrolled instruction before the controlled module is run.
  • The controlled program cannot update the target address parameters assigned to the controlled instructions in the controlled module, because that requires uncontrolled instructions.
  • control program can clear the target address parameters of the controlled module in the storage unit through uncontrolled instructions, so that the processing module can execute the code in the next controlled module.
  • the uncontrolled module can call the controlled module so that the controlled module runs in the CPU.
  • the processing module can execute the controlled class instruction (such as the target instruction) currently running by the controlled module.
  • The processing module can map the original memory access address in the target instruction into the target address space corresponding to the target instruction, obtaining the target memory access address that corresponds to the original memory access address in the target address space; the processing module then accesses memory resources according to the target memory access address.
  • In other words, the processing module processes the original memory access address in the target instruction so that the processed memory access address (i.e., the target memory access address) lies in the target address space corresponding to the target instruction, and accesses memory resources according to the target memory access address.
  • When executing the received target instruction (a controlled class instruction in the controlled module), the processing module reads the target address parameters set for that instruction in the storage unit and, following the preset algorithm, determines the target memory access address in the target address space corresponding to the target instruction based on the target address parameters and the original memory access address in the instruction; the processing module then accesses the memory resource at the target memory access address.
  • the processing module can set part of the high bits of the original memory access address to zero according to the target address parameter, so that the processed target memory access address is within the target address space.
  • For example, suppose the target address space is 1 to 100 and the original memory access address is 1000. The original memory access address can be reduced by a factor of 10 to obtain the target memory access address 100, so that the target memory access address lies in the target address space.
  • the processing module executes the target instruction according to the encoding of the target instruction.
  • the original memory access address can be processed according to the above algorithm (for example, multiple high-order addresses are set to zero). Then regardless of whether the original memory access address in the target instruction is in the target address space, the processed target memory access address is in the target address space.
  • For example, address 1 can be mapped according to the above algorithm to address 2 within the target address space. Then, wherever the resource requested by the controlled module is located, when the processing module executes the target instruction of the controlled module it can find a target memory access address corresponding to the original memory access address in the target address space, and the resource at the target memory access address is returned as the access result for the original memory access address.
  • When the processing module of the embodiment of the present application executes the target instruction, it does not access the resource directly according to the original memory access address of the target instruction; it finds the target memory access address to which the original memory access address is mapped in the target address space and accesses the resource at that target memory access address.
  • the resources accessible to the controlled module can be restricted from the dimension of the access address of the target instruction.
  • The resource pointed to by the target memory access address is exact and unique, so this fine-grained dimension of resource restriction ensures that the resource accessed by any instruction of the controlled module is the single, predetermined one.
  • the processing module can also execute uncontrolled instructions sent by the control module to access any address space in the memory within the memory access permissions of the control module.
  • Otherwise, the control module can report an error and refuse to execute the controlled module, to ensure that the controlled module can access only the target resources allocated to it.
  • If the control module's scan finds that the controlled module includes an uncontrolled instruction, and that instruction is one of the above-mentioned third type (which accesses code when executed by the processing module), such as an uncontrolled class jump instruction, then when the control module detects that the function accessed by the uncontrolled class jump instruction is a preset function (which may include the first preset function and the second preset function described below), this can also indicate that the controlled module (such as a plug-in) is safe, and the control module allows the controlled module to run. Here, a preset function is a function that the control module allows the controlled module to access and that lies outside the resource access scope of the controlled module.
  • Suppose Application 1 (an example of an uncontrolled module) needs to run a plug-in developed by a third party (an example of a controlled module) to implement a new function of Application 1. To ensure that the plug-in does not access sensitive information in Application 1 (such as user information), Application 1 can embed the control program provided by this application (an example of a control module).
  • The control program can scan the instructions in the plug-in before Application 1 runs the plug-in. When all the scanned instructions in the plug-in are controlled instructions, the plug-in is considered safe. The control program can then set the memory resource access range for each controlled class instruction in the plug-in; specifically, the control program can write the address parameters that limit the memory access space into a segment register (an example of a storage unit) in the CPU of this application through uncontrolled class instructions.
  • the instruction to write the target address parameter into the segment register can be an uncontrolled instruction, but not a controlled instruction.
  • The target address parameters can be used to determine the target address space accessible to the controlled instructions in the plug-in. This prevents the plug-in from tampering, while it runs, with the data in the segment register that corresponds to its instructions in the CPU, which would otherwise let the plug-in access resources outside the target address space.
  • Application 1 can then call the plug-in. After the plug-in is run, it sends controlled class instructions to the processing module; the processing module executes each controlled class instruction, determines, from the original memory address in the instruction and the address parameters in the segment register, the target memory access address within the restricted memory access space, and accesses that target memory access address in memory.
  • When Application 1 calls a plug-in developed by a third party, it can use the functions of the plug-in while ensuring that the plug-in can only access data resources and code resources in a restricted memory address space, ensuring that the plug-in accesses Application 1's resources safely.
  • If the control program's scan detects that the plug-in includes uncontrolled instructions, the plug-in is considered unsafe, and the control program can report an error to prohibit the plug-in from running.
  • If the control program's scan finds that the plug-in includes an uncontrolled instruction, and that instruction is an uncontrolled jump instruction, then if the function accessed by the jump instruction is a preset function, this can also indicate that the plug-in is safe, and the above operations such as allocating memory resource access ranges are performed, which will not be described again here.
  • the preset function specifies external functions accessible to the plug-in for the control program.
  • the so-called external functions are functions in the uncontrolled program.
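  • The scan, the allocation of target address parameters and the address mapping described above, as a constructed Python model added here (not the patent's or any CPU's implementation): the controlled-class mnemonics and the "zero the high bits" mapping are the page's; the `base` offset, the `set_target_params` instruction name, the memory size and the example address ranges are assumptions.

```python
"""Toy model of the scheme described above: a control module scans a
controlled module (plug-in), writes target address parameters into a
'segment register' with uncontrolled instructions, and the processing module
maps every controlled-class access into the allotted address space.
Constructed example; it is not the patent's or any CPU's implementation."""
from dataclasses import dataclass
from typing import Any, Optional

# The page's custom (controlled-class) instruction set, grouped by the kind of
# target address space each instruction uses.
CONTROLLED_KIND = {"load_short": "data", "store_short": "data",
                   "short_push": "stack", "short_pop": "stack",
                   "short_jump": "code"}
UNCONTROLLED_JUMP = {"jump"}                          # third type: accesses code
UNCONTROLLED_DATA = {"load", "store", "push", "pop"}  # fourth type: accesses data
# Traditional instructions that touch no memory; the page says these may be
# treated as controlled-class (assumed set: add, sub).
NO_MEMORY = {"add", "sub"}
# Assumed name for the uncontrolled instruction that writes the storage unit.
SET_PARAMS = "set_target_params"


@dataclass(frozen=True)
class Insn:
    op: str
    addr: int = 0          # original memory access address / jump target
    value: Any = None      # data to store, or TargetParams for SET_PARAMS


@dataclass(frozen=True)
class TargetParams:
    """One set of target address parameters: keep the low bits selected by
    `mask` (zeroing the high bits, as the page describes) and place the result
    at `base`. Adding `base` is an assumption; the page only says the high
    bits are zeroed so that the result lands in the target address space."""
    kind: str
    base: int
    mask: int

    def map(self, original: int) -> int:
        return self.base + (original & self.mask)


class ProcessingModule:
    def __init__(self, mem_size: int = 4096) -> None:
        self.memory = [0] * mem_size
        self.storage_unit: dict[str, TargetParams] = {}  # the 'segment register'

    def execute(self, insn: Insn) -> Optional[int]:
        """Controlled-class instructions are mapped through the storage unit;
        uncontrolled ones use their address directly (a plain bounds check
        stands in for the conventional page-table lookup)."""
        if insn.op in CONTROLLED_KIND:
            params = self.storage_unit[CONTROLLED_KIND[insn.op]]
            target = params.map(insn.addr)       # always inside the allotted space
            if insn.op in ("store_short", "short_push"):
                self.memory[target] = insn.value
            elif insn.op in ("load_short", "short_pop"):
                return self.memory[target]
            return target                          # short_jump: where control goes
        if insn.op == SET_PARAMS:
            self.storage_unit[insn.value.kind] = insn.value
            return None
        if insn.op in UNCONTROLLED_DATA | UNCONTROLLED_JUMP:
            if not 0 <= insn.addr < len(self.memory):
                raise MemoryError(f"{insn.op} to {insn.addr:#x} outside permitted memory")
            if insn.op == "store":
                self.memory[insn.addr] = insn.value
            return self.memory[insn.addr] if insn.op == "load" else insn.addr
        return None   # add/sub and the like: no memory access to model


class ControlModule:
    def __init__(self, pm: ProcessingModule, preset_functions: set[int]) -> None:
        self.pm = pm
        self.preset_functions = preset_functions  # external functions the plug-in may jump to

    def scan(self, program: list[Insn]) -> Optional[Insn]:
        """Return the first instruction that is neither controlled-class nor an
        uncontrolled jump to a preset function; None means the module is safe."""
        for insn in program:
            if insn.op in CONTROLLED_KIND or insn.op in NO_MEMORY:
                continue
            if insn.op in UNCONTROLLED_JUMP and insn.addr in self.preset_functions:
                continue
            return insn
        return None

    def run(self, program: list[Insn], ranges: list[TargetParams]) -> list:
        """Scan, allocate the target ranges with uncontrolled instructions,
        run the plug-in, then clear the parameters for the next module."""
        bad = self.scan(program)
        if bad is not None:
            raise PermissionError(f"refused to run controlled module: {bad}")
        for params in ranges:
            self.pm.execute(Insn(SET_PARAMS, value=params))
        results = [self.pm.execute(insn) for insn in program]
        self.pm.storage_unit.clear()
        return results
```

  Because `SET_PARAMS` is an uncontrolled instruction, a plug-in that contains it fails the scan, which is what keeps the segment register out of the plug-in's reach.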
  • the controlled module is a controlled program
  • the controlled program is a compiled program (binary data file, such as a plug-in).
  • control module may include a compilation module.
  • the compilation module is a compiler.
  • the control module of this application can compile the program 1 through the compiler.
  • When the compiler of this application compiles the high-level language program code in program 1, it can compile the program code into controlled class instructions, so that the compiled file (hereinafter also referred to as the instruction file) contains only controlled instructions.
  • the traditional compiler can compile it into a load instruction, and the compiler of this application can compile it into a load_short instruction.
  • the traditional compiler can compile it into a store instruction, and the compiler of this application compiles it into a store_short instruction.
  • the traditional compiler can compile it into a jump instruction, and the compiler of this application compiles it into a short_jump instruction.
  • the traditional compiler can compile it into a push instruction or a pop instruction, and the compiler of this application compiles it into a short_push instruction or a short_pop instruction.
  • the controlled module is a plug-in (which has been compiled)
  • when the control module scans the plug-in, if it finds uncontrolled instructions, this means that the plug-in may have been built with an illegal compiler, that is, a compiler not provided by this application, or that the compiled program was manually tampered with after being compiled by the compiler provided by this application.
  • the control module can then refuse to execute the plug-in.
  • the compiler of this application can compile the plug-in according to the controlled class instructions and generate compiled controlled code. Then when the control module scans the instructions in the controlled code, it can determine that all the controlled codes are controlled instructions, and the controlled code can be run in the uncontrolled code.
  • the controlled module may also be a module that does not require compilation.
  • the controlled module is written in assembly language, and the compiler of the present application may not be used when controlling the resource access scope of the controlled module.
  • control module in Figure 3a scans whether the instructions in the controlled module are all controlled instructions
  • the CPU running the controlled module can be any traditional CPU.
  • when the control module performs the process shown in Figure 3a of sending uncontrolled instructions to the processing module to write the target address parameters that limit the resource access range of the controlled module into the storage unit, the process provided by this application is implemented in the CPU.
  • the same module can be a controlled module or an uncontrolled module in different environments.
  • the operating system code of the mobile phone can be an uncontrolled module, and the code of the browser App can be a controlled module.
  • the mobile phone operating system can embed the control module provided by this application. Before the operating system runs the browser App, the control module in the operating system can scan whether the instructions of the browser App are all controlled class instructions. If so, the browser App is allowed to run; otherwise an error is reported and the browser App is not allowed to run. This ensures secure access to operating system resources.
  • the browser App wants to load a dynamic library and call functions in the dynamic library, then the browser App is an uncontrolled module and the dynamic library is a controlled module.
  • the browser App cannot be sure whether the code in the dynamic library accesses the browser App's content without authorization.
  • the browser App can embed the control module provided by this application, so that when the browser App calls a program developed by any third-party platform, that program can only run using controlled class instructions, and the resource content accessible to programs developed by third-party platforms is therefore limited.
  • the control program in the browser App can scan whether the functions in the dynamic library consist entirely of controlled class instructions. If so, the functions in the dynamic library are allowed to run; otherwise an error is reported and the functions in the dynamic library are not allowed to run, ensuring safe access to the resources of the browser App.
  • the instructions in the CPU are divided into controlled instructions and uncontrolled instructions, and the two types are executed according to the different execution methods described above. The CPU can thus support running modules that are not restricted by a resource access range (such as uncontrolled modules, which can be used to call controlled modules) as well as modules that are restricted by a resource access scope (such as the above-mentioned controlled modules), which enriches the types of instructions the CPU can execute and implements access control over the resource range of controlled modules running in the CPU.
  • when a controlled class instruction is executed by the CPU, the CPU can only access the limited resource access range allocated to that instruction. Therefore, before the controlled module is run, the control module scans whether the instructions in the controlled module are all controlled instructions; that is, the control module checks the type of the instructions in the controlled module before running it. If the control module detects that the instructions in the controlled module are all controlled instructions, it can be sure that the controlled module will not access resources beyond its resource access scope at runtime, ensuring that the controlled module accesses resources safely at runtime. In other words, before the controlled module is run, the control module performs an instruction scan on it to determine whether the controlled module is safe.
  • the controlled module will be run only when it is determined that the controlled module is safe.
  • the embodiments of this application can perform the security check of a controlled module provided by a third party before the controlled module is run. There is no need to check in real time, while the controlled module is running, whether each instruction to be executed is safe, which improves the operating efficiency of the controlled module.
  • the control module of this application can be used in the scenario of embedded code, that is, an uncontrolled module in a role instance (including but not limited to user mode process, virtual machine, operating system, etc.), which needs to be executed to embed the uncontrolled module
  • the control module embedded in the uncontrolled module can distinguish between controlled instructions and uncontrolled instructions to scan whether the controlled module includes uncontrolled instructions before running the controlled module.
  • determining whether the controlled module can be called and run by the uncontrolled module implements security verification of external modules.
  • the instructions executable by the processing module are divided into controlled instructions and uncontrolled instructions. When the processing module executes controlled instructions, it can only access resources within the limited address space set by the control module for those instructions, ensuring that external modules access the resources of uncontrolled modules safely.
  • Figure 4a exemplarily shows the operation flow chart of the system of the present application.
  • the control module can be implemented as control code
  • the controlled module can be implemented as controlled code
  • uncontrolled modules can be implemented as uncontrolled code.
  • the CPU of the present application includes a processing module, and the CPU optionally runs controlled code, and optionally runs control code.
  • Processing modules execute instructions in code running in the CPU.
  • Figure 4b exemplarily shows a schematic diagram of the memory address space of the embodiment of Figure 4a.
  • the CPU can run instructions of the control code, and then the control code executes S101, S103 and S105 through the processing module.
  • control code scans the instructions in the controlled code through the processing module to determine whether the instructions in the controlled code are all controlled instructions.
  • App1 has the control code of this application embedded in it.
  • the address space of the uncontrolled code of App1 in the memory is from d0 to d3, where the address space of the control code embedded in the uncontrolled code is d1 to d2, and the uncontrolled code of App1 is running in process 1.
  • the processing module executes the uncontrolled instructions of App1 within the authority of process 1, where the address spaces d0 to d3 store uncontrolled instructions.
  • the uncontrolled code may include uncontrolled instructions, and optionally may also include controlled instructions, which is not limited by this application.
  • control code can issue uncontrolled instructions to the processing module to access any address space within the permissions of process 1.
  • control code may also include controlled instructions, which is not limited by this application.
  • control code can access address spaces d3 to d4, address spaces d4 to d5, and address spaces d6 to d7 in the memory. It should be noted that this is only an example and is not used to limit this application.
  • App1 or the control code can write the code of plug-in 1 (i.e., the controlled code) into memory, so that the processing module can read the instructions of the control code from memory and execute them in order to scan the instructions of plug-in 1.
  • the instructions executed by the processing module are instructions in the control code.
  • the processing module can treat the instructions in plug-in 1 as data that it reads, and scan whether the instructions in plug-in 1 are all controlled instructions.
  • if the address space of the controlled code (such as plug-in 1) stored in memory is d4 to d5, the control code can scan the controlled code in the address space d4 to d5 to detect whether the instructions in the controlled code are all controlled instructions.
  • if the control code detects that the controlled code includes uncontrolled instructions, an error is prompted and execution of the controlled code is refused.
  • if the control code detects that the instructions in the controlled code are all controlled instructions, the process goes to S103.
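  The pre-run scan of S101, together with the compiler rule above that a plug-in built by the application's compiler contains only load_short, store_short, short_jump, short_push and short_pop, as an added example in C that is not code from the patent. The opcode encoding, the preset external function addresses and both plug-in instruction streams are constructed for the example; the whitelist case for an uncontrolled jump whose target is a preset function follows the relaxation described earlier on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy instruction set: the conventional instructions a traditional compiler
 * emits, the uncontrolled register write that only the control code may issue,
 * and the controlled-class counterparts named in the description.
 * The encoding is constructed for this example; is_controlled() relies on
 * the controlled opcodes being contiguous. */
typedef enum {
    OP_LOAD, OP_STORE, OP_JUMP, OP_PUSH, OP_POP,   /* uncontrolled */
    OP_WRITE_CTL_REG,                              /* uncontrolled: sets code_base/code_limit etc. */
    OP_LOAD_SHORT, OP_STORE_SHORT, OP_SHORT_JUMP,  /* controlled */
    OP_SHORT_PUSH, OP_SHORT_POP                    /* controlled */
} opcode;

typedef struct { opcode op; uint32_t operand; } insn;

static bool is_controlled(opcode op)
{
    return op >= OP_LOAD_SHORT && op <= OP_SHORT_POP;
}

typedef enum { SCAN_OK, SCAN_REJECT } scan_result;

/* Pre-run scan (S101). Every instruction must be controlled-class; the one
 * relaxation the description allows is an uncontrolled jump whose target is
 * one of the preset external functions. On rejection, *bad_index receives the
 * position of the first offending instruction. */
static scan_result scan_controlled_code(const insn *code, size_t n,
                                        const uint32_t *preset, size_t n_preset,
                                        size_t *bad_index)
{
    for (size_t i = 0; i < n; i++) {
        if (is_controlled(code[i].op))
            continue;
        if (code[i].op == OP_JUMP) {
            bool allowed = false;
            for (size_t j = 0; j < n_preset && !allowed; j++)
                allowed = (preset[j] == code[i].operand);
            if (allowed)
                continue;
        }
        if (bad_index) *bad_index = i;
        return SCAN_REJECT;
    }
    return SCAN_OK;
}

#define NELEMS(a) (sizeof(a) / sizeof((a)[0]))

/* External functions the control program exposes to plug-ins (constructed addresses). */
static const uint32_t preset_fns[] = { 0x4000u, 0x4010u };

/* Plug-in as the application's own compiler would emit it: only controlled
 * instructions, plus one call-out to a preset external function. */
static const insn good_plugin[] = {
    { OP_LOAD_SHORT, 0x12345678u },  /* operand is mapped into the data window at run time */
    { OP_SHORT_PUSH, 0x0u },
    { OP_SHORT_JUMP, 0x0100u },
    { OP_JUMP,       0x4000u },      /* allowed: preset external function */
    { OP_SHORT_POP,  0x0u },
};

/* The same plug-in after tampering (or built by another compiler): a plain
 * store, an attempt to rewrite an address parameter register, and a jump
 * to a function that is not on the preset list. */
static const insn tampered_plugin[] = {
    { OP_LOAD_SHORT,    0x12345678u },
    { OP_SHORT_PUSH,    0x0u },
    { OP_STORE,         0xdead0000u },
    { OP_WRITE_CTL_REG, 0x0u },
    { OP_JUMP,          0x5000u },
};

/* What the embedding uncontrolled module does before calling a plug-in:
 * scan first, run only on SCAN_OK. Returns true if the plug-in was run. */
static bool run_if_safe(const char *name, const insn *code, size_t n)
{
    size_t bad = 0;
    if (scan_controlled_code(code, n, preset_fns, NELEMS(preset_fns), &bad) != SCAN_OK) {
        printf("%s: uncontrolled instruction at index %zu, refusing to run\n", name, bad);
        return false;
    }
    printf("%s: all instructions are controlled class; allocate address spaces and run\n", name);
    return true;
}

int main(void)
{
    run_if_safe("good_plugin", good_plugin, NELEMS(good_plugin));
    run_if_safe("tampered_plugin", tampered_plugin, NELEMS(tampered_plugin));
    return 0;
}
```

  The scan is a whole-stream check done once before the first instruction executes, which is exactly why the page can drop per-instruction checking at run time; anything that can write the address parameter registers (OP_WRITE_CTL_REG here) must be classified as uncontrolled, or the scan would admit code that can widen its own window.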
  • control code determines the first address space and first address parameters, as well as the second address space and second address parameters for the controlled code.
  • controlled instructions can be divided into first type instructions and second type instructions.
  • when the first type of instruction is executed by the CPU, the CPU can access the code resource in memory and run that code resource.
  • the first type of instructions may include but is not limited to: short_jump instructions.
  • the second type of instructions includes but is not limited to: load_short instruction, store_short instruction, short_push instruction, short_pop instruction, etc.
  • control code allocates the target resource access scope to each controlled class instruction in the controlled code
  • the control code can allocate the second resource access scope to the first type of instructions in the controlled code and the third resource access scope to the second type of instructions, where the resource access addresses of the second resource access scope and the third resource access scope are different.
  • when the control code allocates the second resource access scope to the first type of instructions in the controlled code, it may allocate the first address space to each first type of instruction in the controlled code, together with the first address parameter corresponding to the first address space.
  • the first address space is used to store code resources accessible to controlled class instructions in the controlled code.
  • the first address parameter may be used to determine the address range of the first address space.
  • when the control code allocates the third resource access scope to the second type of instructions in the controlled code, it may allocate the second address space to each second type of instruction in the controlled code, together with the second address parameter corresponding to the second address space.
  • the second address space is used to store data resources accessible to controlled class instructions in the controlled code.
  • the second address parameter may be used to determine the address range of the second address space.
  • address spaces d4 to d5 can be used as the first address space allocated to the controlled code.
  • control code may determine a second address space allocated to the controlled code within an address space of memory that is not accessible to the controlled code.
  • the size of the allocated address space can be determined according to the size of the non-direct address space into which the control code is embedded.
  • the uncontrolled code (such as the above-mentioned App1 with the control code embedded in it) specifies a space of predetermined size for the controlled code (such as plug-in 1), or determines the sizes of the first address space and the second address space allocated to the controlled code according to the needs of the controlled code.
  • the first address space is the address space d4 to d5, that is, the address space where the code accessible to the controlled code is stored;
  • the second address space is the address space d6 to d7, that is, the address space where the data accessible to the controlled code (referred to as "controlled data") is stored.
  • the controlled code can access the code stored in the first address space in memory through the first type of instructions, and the data stored in the second address space through the second type of instructions. If the first address space and the second address space had overlapping addresses, those addresses could hold both code and data; the controlled code could then, after the control code has scanned it and found all of its instructions to be controlled class instructions, use for example a store_short instruction to access an overlapping address and modify the code stored there, so that an instruction in the controlled code becomes an uncontrolled class instruction able to access data or code outside the restricted first address space and second address space.
  • This application therefore configures different first and second address spaces for the controlled class instructions in the controlled code, to prevent the controlled code, once scanned and allowed to run, from modifying its own code so that it includes uncontrolled instructions that access unallocated memory resources, thereby evading the scan by the control code.
  • control code may determine the first address parameter corresponding to the first address space.
  • the first address parameter can be used to determine the address range of the first address space.
  • the first address parameter is used to determine the second access address, that is, the mapping of the first access address carried in the first type of instruction into the first address space.
  • control code can determine the first address parameter according to the first preset algorithm based on the address range of the first address space.
  • the difference in the specific algorithm of the first preset algorithm may also cause the parameter type of the determined first address parameter to be different, and the application does not impose restrictions on the specific parameters of the first address parameter.
  • the first preset algorithm for determining the first address parameter based on the address range of an address space is also not limited.
  • the first preset algorithm and the second preset algorithm, as well as the third preset algorithm and the fourth preset algorithm mentioned in subsequent embodiments, can be any algorithm that can realize the function of limiting the resource access range of the controlled code; this application does not impose any restrictions on the specific algorithm.
  • the first address parameter may include a code_base parameter and a code_limit parameter.
  • the code_base parameter can represent the starting address of the first address space (i.e., its first address), and the code_limit parameter can be the address range parameter of the first address space (which can be understood as the length of the first address space), including but not limited to the space size, or a binary mask that controls the size of the space, etc.
  • the first address space allocated by the control code to the first type of instructions in the controlled code may be a continuous or discontinuous address space, and this application does not limit this.
  • when the processing module executes the first type of instruction in the controlled code, it can also compute, from the first access address carried in the instruction and based on the code_base parameter and code_limit parameter according to the corresponding first preset algorithm, the second access address to which the final access is restricted within the first address space.
  • the first address space of the controlled code in Figure 4b is the continuous address space d4 to d5.
  • the same or different first address spaces may be allocated to different instructions in the first type of instructions.
  • control code can determine the second address parameter corresponding to the second address space.
  • control code determines the second address parameter corresponding to the second address space.
  • the second address parameter can be used to determine the address range of the second address space.
  • the second address parameter is used to determine the fourth access address, that is, the mapping of the third access address carried in the second type of instruction into the second address space.
  • control code can determine the second address parameter based on the address range of the second address space and according to the third preset algorithm.
  • the difference in the specific algorithm of the third preset algorithm may also cause the parameter type of the determined second address parameter to be different, and the application does not impose restrictions on the specific parameters of the second address parameter.
  • the third preset algorithm for determining the second address parameter based on the address range of the second address space is also not limited.
  • the second address parameter may include a data_base parameter and a data_limit parameter.
  • the data_base parameter can represent the starting address of the second address space (i.e., its first address)
  • the data_limit parameter can be the address range parameter of the second address space (which can be understood as the length of the second address space), including but not limited to the space size, or a binary mask that controls the size of the space, etc.
  • the second address space allocated by the control code to the second type of instructions in the controlled code may be a continuous or discontinuous address space, and this application does not limit this.
  • when the processing module executes the second type of instruction in the controlled code, it can also compute, from the third access address carried in the instruction and based on the data_base parameter and data_limit parameter according to the corresponding third preset algorithm, the fourth access address to which the final access is restricted within the second address space.
  • the control code writes the first address parameter and the second address parameter to different storage units in the processing module.
  • the control code can write the code_base parameter and the code_limit parameter into two registers in the processing module, such as register 1 and register 2, and write the data_base parameter and data_limit parameter into two other registers in the processing module, such as register 3 and register 4.
  • the storage units corresponding to the first address parameter and the second address parameter are different.
  • the above-mentioned register can be a segment register.
  • this application is not limited to the type of storage unit in which the first address parameter or the second address parameter is written. It can be any hardware storage unit inside the processing module. Alternatively, it may also be a hardware storage unit in a chip that is independent of the processing module.
  • this application does not limit the timing when the control code writes the first address parameter and the second address parameter into the storage unit. They can be written sequentially or simultaneously.
  • the instructions for writing the first address parameter and the second address parameter into the storage unit are uncontrolled instructions in the control code.
  • the controlled program does not include the instructions that write the first address parameter and the second address parameter into the storage unit; these are uncontrolled instructions.
  • the plug-in called by App1 does not include uncontrolled instructions that modify the code_base and code_limit parameters or the data_base and data_limit parameters, and the plug-in cannot access uncontrolled class instructions that would modify the code_base, code_limit, data_base or data_limit parameters.
  • Exemplarily, controlled stack access instructions are also controlled class instructions.
  • the operations performed by the control code on controlled stack access instructions are similar to those performed on the memory access instructions in the above example and are not repeated here.
  • the control code can allocate an address space for the controlled stack access instructions and determine the address parameters of that space, such as the stack_base parameter (indicating the starting address of the stack) and the stack_limit parameter (indicating the size of the stack space). The control code can write the stack_base and stack_limit parameters into registers, so that when the processing module executes a short_push or short_pop instruction in the controlled code, the stack address addr to be accessed is mapped to the stack address finally accessed within the stack space limited by the stack_base and stack_limit parameters, and the push or pop operation is performed there.
  • once the control code allows the controlled code to run, the uncontrolled code can call the controlled code, so that the CPU in Figure 3a of the present application runs the controlled code and the processing module executes the instructions of the controlled code (plug-in 1, i.e., the controlled code).
  • the processing module can execute the uncontrolled class instructions of App1 to write the controlled code into the first address space d4 to d5.
  • plug-in 1 is called through App1, so that after plug-in 1 is run, the processing module can execute the controlled class instructions in plug-in 1.
  • the processing module receives the first type of instruction sent by the controlled code for accessing code resources.
  • the first type of instruction is the short_jump instruction, which can carry the first access address addr.
  • the processing module can execute the first type of instruction by reading the first address parameter from the storage unit, determining the second access address in the first address space based on the first address parameter and the first access address, and accessing code resources from the second access address located in the first address space.
  • the code resource accessed by the processing module from the second access address is a jump instruction of a controlled class, such as a short_jump instruction.
  • the processing module can read the code_base parameter and code_limit parameter from register 1 and register 2 respectively.
  • the code_base parameter is the first address of the first address space
  • the code_limit parameter is a binary mask that controls the size of the first address space.
  • when executing the first type of instruction, the processing module can follow the second preset algorithm code_base+[code_limit(mask)OR addr] to execute the first type of instruction within the first address space limited by code_base and code_limit.
  • the original memory access address addr in the instruction is mapped to obtain the target access address limited to the first address space.
  • the first access address addr1 accessed by the short_jump instruction in the controlled code is 0x12345678, and addr1 is not within the range 0 to 0xffff of the first address space.
  • the processing module of this application can perform an AND operation on code_limit and addr1 when executing the short_jump instruction, so that the high 8 bits of addr1 become 0 and the result addr2 is 0x00005678.
  • the address length of addr2 is within the length limit of code_limit.
  • the processing module calculates code_base+addr2 and obtains the second access address addr3.
  • the jump address of the short_jump instruction is limited to addr3 (here 0x00005678), which will not cause an error.
  • the controlled code can only access resources in the first address space.
  • addr3 is in the address range 0 to 0xffff (the first address space limited by code_base and code_limit).
  • when the CPU of this application executes a controlled class instruction, it only needs to take the original access address in the controlled class instruction and convert it according to the corresponding algorithm, mapping it into the restricted address space to obtain the target address within that space.
  • the speed of calculating the target address is faster than that of looking up the page table, and the CPU's instruction execution efficiency is higher.
  • the first preset algorithm and the second preset algorithm correspond to each other: if the first preset algorithm changes, the second preset algorithm changes accordingly.
  • this application does not limit the parameter types of the above-mentioned first preset algorithm, second preset algorithm and first address parameter. Any traditional algorithm that can realize the functions of this application can be used to process addresses that exceed the restricted address range so that the processed addresses fall within that range.
  • this application does not limit the number of memory access addresses (such as the above-mentioned first access address) carried in a controlled instruction; there can be one or more first access addresses. However many there are, when the processing module executes the controlled class instruction it needs to compute, from each first access address carried by the instruction and according to the second preset algorithm, the finally accessible second access address within the first address space of memory allocated to the controlled class instruction.
  • the controlled code can jump within the controlled code, such as a function call within the controlled code.
  • when the processing module of the embodiment of the present application receives the first type of instruction in the controlled code, such as the short_jump instruction, it can read the code_base parameter and code_limit parameter from the segment registers that store the address parameters for the short_jump instruction (such as register 1 and register 2), and use these two parameters to process the access address (i.e., the jump address) of the short_jump instruction, so that the processed access address is restricted to the first address space, achieving limited access to code resources.
  • the processing module receives the second type of instruction sent by the controlled code for accessing data resources.
  • the second type of instruction is the load_short instruction, which can carry the second access address addr.
  • the processing module can execute the second type of instruction by reading the second address parameter from the second storage unit, determining the fourth access address in the second address space based on the second address parameter and the third access address, and accessing the data resource from the fourth access address located in the second address space.
  • the processing module can read the data_base parameter and data_limit parameter from register 3 and register 4 respectively.
  • the data_base parameter is the first address of the second address space
  • the data_limit parameter is a binary mask that controls the size of the second address space.
  • when the processing module executes the second type of instruction, it can map the memory access address addr carried in the instruction according to the fourth preset algorithm data_base+[data_limit(mask)OR addr], so that addr is mapped into the second address space restricted by data_base and data_limit to obtain the accessible memory address.
  • the third access address addr1 accessed by the load_short instruction in the controlled code is 0x12345678, and addr1 is not within the range 0 to 0xffff of the second address space.
  • the processing module of this application can perform an AND operation on data_limit and addr1 when executing the load_short instruction, so that the high 8 bits of addr1 become 0 and the result addr2 is 0x00005678.
  • the address length of addr2 is within the length limit of data_limit.
  • the processing module calculates data_base+addr2 and obtains the fourth access address addr3.
  • addr3 is in the address range from 0 to ffff (the second address space restricted by data_base and data_limit).
  • when the processing module executes the second type of instruction (such as the memory read instruction load_short) and calculates the fourth access address in the second address space from the third access address carried in the instruction and the second address parameter, the fourth preset algorithm used may also take other forms.
  • the second type of instruction is, for example, a memory read instruction such as load_short.
  • this application does not limit the parameter types of the above-mentioned third preset algorithm, fourth preset algorithm and second address parameter; any conventional algorithm that can implement the function of restricting the resource access range of the controlled code in the present application can be used as the algorithm of this application.
  • this application does not limit the number of memory access addresses (such as the above-mentioned third access address) carried in controlled instructions. There may be one or more third access addresses, but no matter how many memory access addresses there are, when the processing module executes the controlled class instruction, it needs to calculate, based on the second preset algorithm, from each third access address carried by the controlled class instruction the finally accessible access address within the second address space allocated to the controlled class instruction.
  • the controlled code can access the controlled data in the address space d6 to d7 to read or write the memory.
  • when the processing module of the embodiment of the present application receives the second type of instruction in the controlled code, such as the load_short instruction or the store_short instruction, it can read the data_base parameter and data_limit parameter from the segment registers that store the address parameters of these two instructions, such as register 3 and register 4, and use these two parameters to process the address (i.e., access address) requested by the load_short instruction or the store_short instruction, so that the processed access address is limited to the second address space, implementing limited access to data resources.
  • the second type of instruction in the controlled code is, for example, the load_short instruction or the store_short instruction.
  • control code may allocate different second address spaces to different instructions in the second type of instructions in the controlled code, so that there may be multiple second address spaces corresponding to the controlled code.
  • the load_short instruction is assigned a set of data_base parameter 1 and data_limit parameter 1
  • the store_short instruction is assigned a set of data_base parameter 2 and data_limit parameter 2
  • the data_base parameter 1 and data_limit parameter 1 are written to register 21 and register 22 by the processing module
  • data_base parameter 2 and data_limit parameter 2 are written to register 23 and register 23 by the processing module.
  • load_shortN, where N is any one of 1, 2, 3...n.
  • the load_short instruction can include multiple differently encoded load_short instructions with different execution methods of the CPU.
  • the control code can assign different address parameters (including data_base parameters and data_limit parameters) to differently encoded load_short instructions, so that the address parameters corresponding to different types of load_short instructions have different values and the address spaces accessible to different load_short instructions differ.
  • control code can also assign multiple sets of address parameters (ie, multiple sets of data_base parameters and data_limit parameters) to a load_short instruction, so that the address space accessible by the load_short instruction is a discontinuous address space.
  • when the processing module receives the load_short instruction in the controlled code, it can read data_base parameter 1 and data_limit parameter 1 from register 21 and register 22 to perform data reading within the address space limited by data_base parameter 1 and data_limit parameter 1. Then, when the processing module receives the store_short instruction in the controlled code, it can read data_base parameter 2 and data_limit parameter 2 from register 231 and register 23 to perform data writing within the address space limited by data_base parameter 2 and data_limit parameter 2.
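The address confinement described above, as an added C example that is not part of the patent text: each controlled-class encoding (short_jump, load_short, store_short) reads its own base/limit pair, and the carried address is ANDed with the mask before the base is added, as in the page's worked numbers (0x12345678 becomes 0x00005678 under a data_limit of 0xffff). The `seg_regfile` layout, the `addr_params` struct and all base/limit values other than the page's own are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* One set of address parameters for a controlled-class instruction encoding:
 * the pair (data_base, data_limit) or (code_base, code_limit) that the page
 * keeps in two segment registers. */
typedef struct {
    uint32_t base;   /* first address of the allocated address space */
    uint32_t limit;  /* binary mask that bounds the size of that space */
} addr_params;

/* Controlled-class encodings named on the page; each has its own register pair. */
typedef enum { SHORT_JUMP = 0, LOAD_SHORT, STORE_SHORT, NUM_CTL_KINDS } ctl_kind;

/* Register file of the processing module, one parameter pair per encoding
 * (constructed model: the page names register numbers but no layout). */
typedef struct {
    addr_params regs[NUM_CTL_KINDS];
} seg_regfile;

/* Preset algorithm as the page's worked numbers show it: AND the carried
 * address with the mask (dropping the bits outside the space), add the base. */
uint32_t confine_addr(const addr_params *p, uint32_t addr)
{
    return p->base + (addr & p->limit);
}

/* True if address a lies in [base, base + limit]. */
bool in_space(const addr_params *p, uint32_t a)
{
    return a >= p->base && a <= p->base + p->limit;
}

/* Executing a controlled-class instruction: read the pair that belongs to this
 * encoding and map the carried address into its own space. Because load_short
 * and store_short read different registers, read and write windows differ. */
uint32_t exec_controlled(const seg_regfile *rf, ctl_kind k, uint32_t addr)
{
    return confine_addr(&rf->regs[k], addr);
}

/* The page's worked numbers: data_base 0, data_limit 0xffff, addr1 0x12345678.
 * addr2 = addr1 & data_limit = 0x5678, addr3 = data_base + addr2 = 0x5678. */
uint32_t page_example_addr3(void)
{
    addr_params data = { 0x0u, 0xffffu };
    return confine_addr(&data, 0x12345678u);
}

/* Property the control code relies on: whatever address the controlled code
 * carries, the confined address never leaves the allocated space, because
 * (addr & limit) can never exceed limit. */
bool never_escapes(const addr_params *p, const uint32_t *addrs, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!in_space(p, confine_addr(p, addrs[i])))
            return false;
    return true;
}
```

Because the mask is applied before the base is added, the controlled code cannot widen its window by choosing a large address; the only way to change the window is to rewrite the registers, which only uncontrolled instructions of the control code can do.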
  • when the control module scans the instructions in the controlled module through the processing module and determines that the instructions in the controlled module are all controlled instructions, the controlled code is allowed to run.
  • the processing module does not need to perform operations such as page table lookup for each instruction that the controlled module sends for execution; it can execute controlled instructions and uncontrolled instructions with different interpretive execution methods according to their respective encodings. This application can thus move the security judgment on the controlled code from run time to before the controlled code is run, realizing the security check of the controlled module while also improving the operating efficiency of the controlled code and reducing the implementation and operating cost of the hardware.
  • Figure 5a exemplarily shows the operation flow chart of the system of the present application
  • Figure 5b exemplarily shows a schematic diagram of the memory address space of the embodiment of Figure 5a.
  • the uncontrolled code may include uncontrolled instructions, and optionally may also include controlled instructions, which is not limited by this application.
  • if the uncontrolled code includes control code, then the control code may include uncontrolled instructions, and optionally may also include controlled instructions, which is not limited in this application.
  • the controlled code that is allowed to run still cannot include uncontrolled instructions, but only controlled instructions.
  • the embodiment of the present application can supplement the agent code (an example of an agent sub-module) in the first address space of the controlled code (for example, the memory address space defined by the code_base parameter and the code_limit parameter).
  • the agent code can be used to jump to the first preset address in uncontrolled code outside the first address space. For example, when controlled code needs to call a function in uncontrolled code (referred to as an "external function"), it can first jump to the proxy code, and then jump through the proxy code to the external function that needs to be accessed, implementing the controlled code's call to the external function.
  • before the controlled code is compiled, the controlled code includes the code of function 0, and function 0 is used to call function 1 in the uncontrolled code.
  • function 1 is a function in the uncontrolled code that the controlled code is allowed to access.
  • the controlled code may include jump instructions of uncontrolled classes.
  • this application can use the compiler provided by this application to compile the controlled code, so that function 0 in the controlled code is compiled into a jump instruction of the controlled class, here instruction 0, and address 1 can be accessed when instruction 0 is executed by the processing module.
  • This address 1 can be an address in the memory located after the tail position d5 of the address space where the compiled controlled code is located (for example, the address spaces d4 to d5 shown in Figure 5b).
  • address 1 is d51 in Figure 5b. At this time, address d51 has not been linked to instructions in the agent code, that is, the content of current address d51 is empty.
  • the agent code is a sequence of instructions.
  • Each instruction in the agent code is a jump instruction of an uncontrolled class.
  • the transfer target of these uncontrolled class jump instructions is the address of an external function in uncontrolled code that is allowed to be accessed by controlled code.
  • the agent code may include: an uncontrolled class jump instruction, such as instruction 1', of an external function (such as function 1) that the controlled code can access with the permission of the uncontrolled code (or control code).
  • the agent code can be linked into the memory at the end of the controlled code.
  • the agent code shown in Figure 5b is located in the address space d5 to d5'.
  • in the compiled controlled code, the instruction 1' of the agent code may be stored at the address 1 that the above instruction 0 accesses when executed by the processing module.
  • the storage map of the address space of the memory can be referred to Figure 5b.
  • the jump target of instruction 1’ is the first address of function 1 in the uncontrolled code, such as address d01 in Figure 5b.
  • the compiler can be configured with the mapping relationship between the address of the uncontrolled class jump instruction in the agent code (when the controlled code is compiled, the instruction has not yet been written to that address in the agent code) and the preset function accessible in the uncontrolled code, such as the mapping relationship between address 1 and function 1 (that is, the compiled instruction 1') in Figure 5c.
  • the compiler can compile the code calling function 1 into instruction 0 according to the above mapping relationship, so that instruction 0 can access address 1.
  • the compiled controlled code accesses the external function, it can first access the uncontrolled jump instruction located at address 1 in the proxy code, such as instruction 1’.
  • the processing module accesses the first address of function 1 in the uncontrolled module by executing instruction 1', so that the controlled code can access function 1 in the uncontrolled code.
  • the control code allocates address space to both the controlled code and the agent code. Then the controlled code can find the memory address of instruction 1' in the agent code through instruction 0, and then jump through instruction 1' to the external function, here function 1.
  • the uncontrolled class instructions may include a first preset instruction set and a second preset instruction set, wherein the instructions in the first preset instruction set may be part or all of the uncontrolled class jump instructions (jump instructions).
  • the instructions in the second preset instruction set may be part or all of the uncontrolled jump instructions, and this application does not limit this.
  • the first preset instruction set and the second preset instruction set may be the same or different, and the same instructions may exist in the two instruction sets.
  • uncontrolled jump instructions, i.e. jump instructions.
  • jump instructions with different encodings may differ in the way they access code resources when executed by the CPU, and this application does not impose restrictions on this.
  • the instructions in the first preset instruction set and the second preset instruction set here are all jump instructions, but the encoding of the jump instructions between these two preset instruction sets may be different.
  • the instructions in the first preset instruction set are jump1 instructions to jump5 instructions.
  • the instructions in the second default instruction set are jump6 instructions to jump10 instructions.
  • the control code may include agent code (an example of an agent sub-module).
  • the agent code is an example of an agent sub-module.
  • the agent code may include at least one uncontrolled class jump instruction (i.e. second instruction), when the uncontrolled jump instruction is executed by the processing module, the processing module can access the address of the second preset code resource.
  • the uncontrolled class jump instruction in the agent code may be at least one instruction from the jump6 instruction to the jump10 instruction in the second preset instruction set.
  • the second preset code resource is a code resource located within the access range of the fourth resource.
  • the access address of the fourth resource access range does not overlap with the access address of the target resource access range (ie, the above-mentioned first address space and the second address space).
  • the second preset code resource is a control code, or an uncontrolled code, which is a code resource outside the target resource access scope that is allowed to be accessed by the controlled code.
  • the second preset code resource may be a second preset function (for example, function 1 in the uncontrolled code in Figure 5c).
  • the second preset function may be one or more functions, which is not limited by this application.
  • the second preset function may be an external function that the control module allows the controlled module to access.
  • the agent code may include uncontrolled class instructions, specifically including uncontrolled class jump instructions (ie, jump instructions).
  • the access address (i.e. jump address) of the uncontrolled class jump instruction in the agent code is the first preset address of the second preset code resource in the uncontrolled code, and the first preset address is the control code allowed to be accessed.
  • control code can execute S101, S103-1 and S105 through the processing module.
  • control code scans the instructions in the controlled code through the processing module to determine whether the instructions in the controlled code are all controlled instructions.
  • S101 in this embodiment is the same as S101 in Figure 4a in Embodiment 2, and the execution principle is also the same, which will not be described again here.
  • when the control code detects that the controlled code includes uncontrolled instructions, an error is prompted to refuse to execute the controlled code.
  • control code detects that the instructions in the controlled code are all controlled instructions, the process goes to S103-1.
  • the control code determines the first address space and the first address parameter for the controlled code based on the sum of the address lengths occupied by the controlled code and the agent code; and the control code determines the second address space and the second address parameter for the controlled code.
  • the method of determining the second address space and the second address parameter is similar to the execution logic of the same step of S103 in Embodiment 2, and will not be described again here.
  • the second address space is the address space d6 to d7 in the memory.
  • the control code determines the first address space for the controlled code
  • the difference from Embodiment 2 can be compared with Figure 4b and Figure 5b.
  • the first address space allocated to the first type of instructions in the controlled code, used to access code, is the address space d4 to d5.
  • the controlled code can be written to the address space d4 to d5, so that the controlled code can access its own code, such as a jump instruction of the controlled class.
  • the first address space allocated to the first type of instruction in the controlled code (that is, the jump instruction of the controlled type) is the address space d4 to d5', where the address length of the first address space is the sum of the address length occupied by the controlled code (for example, d5-d4) and the address length occupied by the agent code in the control code (for example, d5'-d5).
  • the control code can link (for example, write) the agent code in the control code to the address space d5 to d5'.
  • the control code may write the controlled code into the address space d4 to d5'.
  • the agent code is located at the end of the controlled code, so that the first address space of the code accessible to the controlled code includes not only the controlled code, but also the agent code.
  • control code can write the controlled code and the agent code in the control code to the address space d4 to d5' by sending an uncontrolled instruction to the processing module.
  • the first address space allocated to the first type of instructions in the controlled code can be used not only to store the controlled code but also to store the agent code, so that when the first type of instructions are executed by the processing module to access code resources, not only the code resources of the controlled code itself but also the code resources of the agent code can be accessed.
  • in the memory address space, the agent code is located at the end of the controlled code, and the address space where the controlled code is stored (d4 to d5) and the address space where the agent code is stored (d5 to d5') together form a continuous address space; the first address parameter is then a single group, such as one group of code_base parameters and code_limit parameters.
  • this application does not limit the storage order between the controlled code and the agent code in the first address space.
  • the agent code can be stored at the head of the controlled code, at its tail, or at a location inside the controlled code.
  • the address space where the agent code is stored may be discontinuous with the address space where the controlled code is stored, and then the first address parameter may be multiple sets, such as multiple sets of code_base parameters and code_limit parameters.
  • when the jump instruction of the controlled class in the controlled code performs a code jump, it can not only jump within the address space d4 to d5 where the controlled code is located to access code, but also jump within the address space d5 to d5' where the agent code is located to access the jump instructions of the uncontrolled class in the agent code. Then, the controlled code can jump to the address space d0 to d3 where the uncontrolled code is located through the jump instruction of the uncontrolled class in the agent code to call the external functions that are allowed to be accessed.
  • when proxy code is included in the control code, the proxy code can be configured with an uncontrolled class jump instruction to the second preset function in the uncontrolled code that the controlled code is allowed to access; then, when allocating the first address space and the first address parameter that the first type of instruction in the controlled code (such as the jump instruction of the controlled class) is allowed to access, the agent code can also be written into the first address space accessible to the controlled code. When the controlled code needs to call the second preset function in the uncontrolled code, it can first jump to the uncontrolled class jump instruction in the agent code through its controlled class jump instruction, and then jump through the agent code to the second preset function in the uncontrolled code, enabling limited access to external functions outside the controlled code.
  • the processing module receives the first type of instruction from the controlled code for accessing code resources.
  • the first type of instructions includes a second jump type instruction used to access the second instruction (for example, jump6 instruction) in the agent code.
  • the second type of jump instruction is a short_jump instruction, which can carry the first access address addr (that is, the original memory access address addr).
  • the processing module can process the original memory access address in the second jump instruction, and access the second instruction according to the processed access address. Specifically, this can be achieved through S203 and S205:
  • the processing module can execute the first type of instruction to read the first address parameter from the second storage unit, then determine the second access address in the first address space based on the first address parameter and the first access address addr, and access the code resource from the second access address in the agent code, here the jump instruction of the uncontrolled class (i.e. the second instruction, the jump6 instruction).
  • S201, S203 and S205 in this embodiment are the same as those of S201, S203 and S205 in Figure 4a in Embodiment 2, and will not be described again here.
  • S207-1: the processing module calls the external function from the third address space of the memory according to the jump address of the uncontrolled class jump instruction.
  • the processing module can execute the second instruction to access the second preset function according to the access address (i.e., jump address) in the second instruction (for example, the jump6 instruction); wherein the second preset function is a function that the control module allows the controlled module to access.
  • the second preset function is a function in the third address space.
  • the processing module jumps, through the jump instruction of the controlled class in the controlled code in the first address space, to the jump instruction of the uncontrolled class in the agent code in the first address space (located at the second access address); then, the processing module executes the jump instruction of the uncontrolled class.
  • the jump instruction of the uncontrolled class has a jump address, such as the fifth access address; the processing module can then call the second preset function from the fifth access address.
  • the fifth access address is an address in a third address space, and the third address space is different from the first address space and the second address space allocated to the controlled code.
  • the third address space is a storage space for uncontrolled code.
  • the first type of instruction in S201 in this embodiment is a jump instruction of a controlled type in the controlled code, such as a short_jump instruction, and the processing module executes the instruction in the controlled code.
  • the short_jump instruction can jump from address space d4 to d5 to the second access address d51 in the address space d5 to d5' where the agent code is located.
  • the processing module can read the jump instruction of the uncontrolled class in the agent code from the second access address d51, such as the jump6 instruction.
  • the processing module can perform a code jump by executing the jump6 instruction read from the second access address d51, jumping to the jump address corresponding to the jump6 instruction (i.e., the fifth access address mentioned above); for example, the address of the external function called by the jump6 instruction is d01. In this way, the controlled code can access the external function in the uncontrolled code through the proxy code.
  • the jump instruction of the uncontrolled class in the agent code can only jump to the address of the second preset function in the uncontrolled code.
  • the second preset function is an uncontrolled code or a designated function in the uncontrolled code that the control code allows the controlled code to access.
  • the above-mentioned fifth access address may be the first address of the above-mentioned second preset function.
  • the controlled code can thus be prevented from jumping, through the proxy code, into the interior of the function body of the specified function in the uncontrolled code, which prevents the controlled code from performing illegal operations within the function body of the specified function, such as tampering with uncontrolled code.
  • the code at the above-mentioned fifth access address may be provided with a logical check code.
  • a logic check code can be set at the first address of each preset function.
  • the logic check code can perform relevant checks on requests to access the preset function.
  • the processing module can then execute the code logic of the preset function to provide the relevant functionality to the controlled code.
  • when the controlled code jumps to the uncontrolled code through the proxy code, the code at these first address positions can perform checks before the code logic of the external function is executed, and then determine, based on whether the check passes, whether to provide the access function of each external function.
  • App1 calls plug-in 1.
  • when plug-in 1 accesses the preset function in App1, it requests user name and password information.
  • the first address of the preset function can be set with a check code, and the code logic of the check code can check the request to access this preset function. If the information required for the request includes preset information (which may be sensitive information), such as a password, the check result is that the check fails, so the call to the preset function is refused to plug-in 1.
  • the rejection method may include but is not limited to reporting an error, etc.; if the requested information does not include preset information, the code logic of the preset function will be executed to allow plug-in 1 to call the preset function.
  • the controlled code requests to obtain the system time and calls the get time function.
  • the check logic of the logic check code set at the first address of the function is to allow access to the get time when the system time is within the preset time period.
  • through this logic check code, the uncontrolled code can provide the function of obtaining the system time only within the preset time period.
  • the agent code may include jump instructions of uncontrolled classes of all preset functions provided by the control code and allowing the controlled code to access.
  • the agent code may also include a jump instruction of an uncontrolled class to a second preset function provided by the control code that the controlled code is allowed to access, where the second preset function may be some or all of the preset functions among the external functions that the control code allows the controlled code to access.
  • the processing module jumps to the agent code by executing the jump instruction of the controlled class in the controlled code to access the uncontrolled code in the agent code.
  • the jump instruction of the controlled class is used to achieve access to external functions through the jump instruction of the uncontrolled class.
  • the address space accessed by the second type of instruction used to access data in the controlled code (such as the controlled type memory access instruction, the load_short instruction) is limited to the second address space d6 to d7, and the first address space cannot be accessed.
  • the so-called illegal space is the address space that the control code does not allow the controlled code to access.
  • the first type of instructions, used to access code, allows the CPU to fetch code in memory, and the second type of instructions, used to access data, allows the CPU to read and write data in memory. Then, when the control code allocates an address space to the controlled code through the processing module, the first address space allocated to the first type of instructions cannot overlap with the second address space allocated to the second type of instructions.
  • Embodiment 3 may also include S301, S303 and S305 described in Embodiment 2. The principles are similar and will not be described again here.
  • the control code can use the processing module to scan the instructions in the controlled code.
  • the agent code is written in the first address space so that the first address space includes not only the controlled code but also the agent code.
  • the controlled code can jump to the agent code through the jump instruction of the controlled class, and through the jump instruction of the uncontrolled class in the agent code jump to the location of the fixed function that the uncontrolled code allows the controlled code to access, such as the first address of the second preset function. In this way, the controlled code can only enter the first address position of each function specified by the uncontrolled code; the code at these positions can make appropriate checks and then decide whether to provide the relevant functions, ensuring the safety of access to the second preset function.
  • Figures 4a and 4b exemplarily show the operation flow chart of the system of the present application
  • Figures 6a and 6b exemplarily show the operation flow chart of the system of the present application.
  • Figure 6b exemplarily shows a schematic diagram of the memory address space in the embodiment of Figure 6a.
  • in order to enable the controlled code to obtain some services of the uncontrolled code (such as a controlled plug-in that needs to obtain the system time during execution), it is only necessary to ensure that the external functions the controlled code calls (that is, functions in the uncontrolled code) are restricted, so that these uncontrolled instructions can be allowed to exist in the controlled code.
  • when calling an external function in uncontrolled code, this embodiment only needs to make one jump to realize the call of the external function by the controlled code.
  • uncontrolled jump instructions can also be divided into jump instructions with multiple encodings.
  • jump instructions with different encodings may differ in the way they access code resources when executed by the CPU, and this application does not impose restrictions on this.
  • the jump instruction of the uncontrolled class that is allowed to be included in the controlled code in this embodiment may be at least one jump instruction in the first preset instruction set.
  • the instructions in the first default instruction set and the second default instruction set in Embodiment 3 are all jump instructions, but the encoding of the jump instructions may be different between the two default instruction sets.
  • the instructions in the first preset instruction set are jump1 instructions to jump5 instructions.
  • the instructions in the second default instruction set are jump6 instructions to jump10 instructions.
  • the same uncontrolled type of jump instructions may also exist between the first preset instruction set and the second preset instruction set, and this application does not limit this.
  • when the control code scans the controlled code, it can check the uncontrolled instructions in the controlled code in combination with the redirection table:
  • control code can execute S101, S102, S103-2 and S105 through the processing module.
  • control code scans the instructions in the controlled code through the processing module to determine whether the instructions in the controlled code are all controlled instructions.
  • S101 in this embodiment is the same as S101 in Figure 4a in Embodiment 2, and the execution principle is also the same, which will not be described again here.
  • the specific execution logic may refer to the embodiments of Figure 4a and Figure 5a, which will not be described again here.
  • control code scans the instructions in the controlled code through the processing module, and the control module can detect that the controlled code includes uncontrolled instructions.
  • the uncontrolled class instructions may include, but are not limited to, third class instructions for accessing code and fourth class instructions for accessing data.
  • the embodiment of the present application is intended to allow controlled code to access designated function services of uncontrolled code.
  • if the control code detects that the controlled code includes a fourth type of instruction, such as a load instruction, it prompts an error to refuse to execute the controlled code.
  • if the control code detects that the controlled code includes an uncontrolled jump instruction, that is, a first instruction that matches the first preset instruction set, such as at least one instruction from the jump1 instruction to the jump5 instruction, then it can further detect whether the jump target of the first instruction satisfies the preset condition. When the jump target of each first instruction in the controlled code satisfies the preset condition, it means that the first instruction is an instruction used to access the first preset code resource; the control code then allows the controlled code to run, otherwise it prompts an error and refuses to run it.
  • an uncontrolled jump instruction that is, the first instruction that matches the first preset instruction set, such as at least one instruction from the jump1 instruction to the jump5 instruction.
  • the first preset code resource is a control code, or an uncontrolled code, which is a code resource that is outside the access scope of the target resource and is allowed to be accessed by the controlled code.
  • the first preset code resource is a code resource located within the first resource access range.
  • the access address of the first resource access range (for example, the fourth address space) does not overlap with the access address of the target resource access range (that is, the first address space and the second address space).
  • the first preset code resource may be a first preset function.
  • the first preset function may be one or more functions. This application does not limit this.
  • The first preset function may be an external function that the control module allows the controlled module to access and that does not belong to the first address space or the second address space.
  • The first instruction is a first jump instruction (for example, at least one instruction from the jump1 instruction to the jump5 instruction) used to access the first preset function.
  • When each first instruction in the controlled code is an instruction used to access the first preset code resource,
  • the control code can determine that the jump target of each first instruction in the controlled code satisfies the preset condition and allow the controlled code to run.
  • the first preset code resource includes a first preset function, where the first preset function is a function that the control module allows the controlled module to access.
  • the external function to which each jump instruction in the controlled code jumps is the first preset function
  • the jump target of each first instruction in the controlled code satisfies the preset condition.
  • the jump address (for example, the fourth access address) of each jump instruction in the controlled code is the second preset address
  • the second preset address is the address of the second preset function that the control code allows the controlled code to access.
  • For example, the code of function 0 in the controlled code is used to call uncontrolled code (function 1).
  • After a compiler (which can be a traditional compiler) compiles the controlled code, the compiled file can include not only the instruction file (that is, the compiled controlled code, expressed as an instruction sequence that may include the instructions to be executed) but also a redirection table.
  • Function 0 in the controlled code is compiled into an uncontrolled jump instruction, such as instruction 00. Since the address of the accessed function 1 cannot be determined before the controlled code is run, the jump address of instruction 00 in the instruction file is a null address. Similarly, the jump address of each uncontrolled class jump instruction in the compiled controlled code is a null address.
  • The redirection table can describe each uncontrolled class jump instruction in the instruction file that needs to call an external function, its location in the instruction file, and the identification (e.g. function name) of the external function to which that jump instruction needs to jump.
  • The identifications of these external functions in the redirection table stand in for the addresses of these external functions, which need to be determined before the controlled code is run; for example, in the instruction file, the jump addresses of these uncontrolled class jump instructions are all empty addresses.
  • The control code can scan the compiled controlled code. After scanning the instructions in the controlled code, when it detects that the uncontrolled instructions in the controlled code are all uncontrolled jump instructions, it can query the redirection table to determine the identification of the external function to which each uncontrolled class jump instruction needs to jump; then the control code can use the identification to determine whether these external functions to be accessed are all first preset functions, and thereby determine whether the controlled code is allowed to run.
  • If they are all first preset functions, the controlled code can be allowed to run; otherwise, the controlled code is refused to run and an error is prompted.
  • The first preset function is a specified function located in the fourth address space that is accessible to the control code (or uncontrolled code) and that the uncontrolled code makes accessible to the controlled code.
  • The control code can read from the redirection table in the instruction file each uncontrolled class jump instruction that calls an external function and its position in the instruction file, such as the position of instruction 00 in the instruction file in Figure 6c.
  • The control code writes the address information (such as the first address) of each external function that needs to be called into the corresponding uncontrolled class jump instruction in the controlled code as the jump address of that jump instruction. For example, the first address of function 1 can be written into instruction 00 in the instruction file as the access address (i.e., jump address) of instruction 00.
  • If the control code detects through the processing module that the uncontrolled instructions in the controlled code are all uncontrolled instructions that access code resources, and the jump targets of these uncontrolled instructions meet the preset conditions, it proceeds to execute S103-2.
  • For example, if the control code detects through the processing module that the jump address (for example, the fourth access address) of each uncontrolled instruction (for example, each jump instruction) used to access code resources in the controlled code is an address within the second preset address, it can allow the controlled code to run and execute S103-2.
  • The fourth access address here is the jump address of the uncontrolled class jump instruction in the controlled code after the control code has updated it, that is, the address of the external function that is allowed to be accessed.
  • Alternatively, when the control code detects through the processing module that the function to which each uncontrolled instruction (such as a jump instruction) used to access code resources in the controlled code needs to jump is the first preset function, it can allow the controlled code to run and execute S103-2.
  • control code determines the first address space and first address parameters for the controlled class instructions in the controlled code through the processing module, and determines the second address space and second address parameters in the controlled code.
  • control code may determine the first address space and the first address parameter of the first address space for the first type of instruction in the controlled code used to access the code resource. And the control code can determine the second address space for the second type of instruction used to access the data resource in the controlled code, and determine the second address parameter of the second address space.
  • Through the processing module, the control code allocates to the controlled code the first address space, which is the address space d4 to d5 in the memory, and the second address space, which is the address space d6 to d7 in the memory.
  • Since the controlled code includes jump instructions of the uncontrolled class, when the control code allocates the first address space to the first type of instructions in the controlled code, it still uses the length of the address occupied by the controlled code, including those uncontrolled class jump instructions, to allocate the address space d4 to d5.
  • In this way, when the controlled code is running, the controlled code can be written to the address space d4 to d5, so that the controlled code can access not only its internal controlled class instructions but also its internal uncontrolled class jump instructions.
  • The control code can write the controlled code into the first address space, that is, the address space d4 to d5.
  • The control code may write the controlled code to the address space d4 to d5 by sending uncontrolled instructions to the processing module.
  • The first address space allocated to the first type of instructions in the controlled code can therefore be used not only to store the controlled class instructions in the controlled code but also to store the uncontrolled class jump instructions in the controlled code.
  • Within the address space d4 to d5 where the controlled code is located, the controlled code can jump to the address space d0 to d3 where the uncontrolled code is located through the uncontrolled class jump instruction in the controlled code, to call the external functions that are allowed to be accessed.
  • When the control code detects uncontrolled instructions while scanning the instructions in the controlled code, and the uncontrolled instructions are all uncontrolled jump instructions (i.e. first instructions) that match the first preset instruction set, and the jump target of each uncontrolled jump instruction (first instruction) satisfies the preset condition, the control code can allow the controlled code to run.
  • For example, when the external function to which each jump instruction in the controlled code jumps is the first preset function,
  • or when the jump address of each jump instruction in the controlled code is the second preset address, it can be determined that the jump target of each first instruction in the controlled code satisfies the preset condition.
  • The first preset address is the address of the first preset function that the control code allows the controlled code to access.
  • That is, when the uncontrolled class instructions only include uncontrolled class jump instructions, and the jump targets of the uncontrolled class jump instructions meet the preset conditions, the control code can allow the controlled code to run.
  • When the controlled code accesses the external function, it only needs to perform one external jump and does not need to perform a second jump through the proxy code.
  • Therefore the execution speed of the controlled code is faster. Only the scanning of the controlled code by the control code is more complicated than in Embodiment 3, since it is necessary to check whether the jump target of each uncontrolled instruction in the controlled code meets the preset condition.
  • When the control code scans the instructions in the controlled code and detects that the controlled code includes not only controlled class instructions but also uncontrolled class jump instructions that can jump to the uncontrolled code, the control code can check the jump targets of the uncontrolled class jump instructions. If the control code detects that each jump target matches a first preset function that the uncontrolled code allows the controlled code to access, then although the controlled code includes uncontrolled class instructions that jump to the uncontrolled code, those jump instructions can only jump to the location of the specified external function, so the controlled code is still safe and the control code can allow it to run. This scheme ensures that the jump targets of the uncontrolled instructions used in the controlled code are checked.
  • The control code can query the redirection table to determine the external function to which each uncontrolled class jump instruction needs to jump. If these external functions are all first preset functions that the uncontrolled code allows the controlled code to call, then the control code can use the redirection table to find the location of each uncontrolled class jump instruction in the controlled code and write the address of the corresponding external function (such as its starting address) at that location.
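As an added illustration of the load-time scan and redirection-table check described above (this is not code from the patent or from the applicant; the instruction names, the shape of the redirection table and all addresses are constructed assumptions), the following Python sketch classifies each instruction of a compiled instruction file as controlled or uncontrolled, refuses any uncontrolled data access, resolves each uncontrolled jump through the redirection table against the allow-list of first preset functions, and only then writes the external function addresses into the null jump addresses:

```python
"""Load-time scan of compiled controlled code against a redirection table.

Added illustration, not the patent's own code. Constructed assumptions:
  * an instruction is a dict {"op": str, "arg": int | None};
  * controlled-class ops are short_* ops (their offsets are bounded by the
    processing module at run time) plus alu/ret;
  * the first preset instruction set (uncontrolled jumps) is jump1..jump5;
  * load/store stand for the fourth class (uncontrolled data access);
  * the redirection table maps instruction position -> external function name.
"""
from dataclasses import dataclass, field

CONTROLLED_OPS = {"short_jump", "short_load", "short_store", "alu", "ret"}
FIRST_PRESET_SET = {"jump1", "jump2", "jump3", "jump4", "jump5"}
UNCONTROLLED_DATA_OPS = {"load", "store"}
NULL_ADDR = None  # the compiler leaves external jump addresses unresolved


@dataclass
class ScanResult:
    allowed: bool
    reason: str
    linked: list = field(default_factory=list)  # patched copy, only when allowed


def scan_and_link(instr_file, redirect_table, first_preset_functions):
    """Scan the instruction file; if every instruction is controlled or an
    allowed external jump, return a copy with the jump addresses filled in.

    first_preset_functions maps function name -> address outside the
    controlled code's own address spaces.
    """
    linked = [dict(ins) for ins in instr_file]  # never patch the caller's copy
    for pos, ins in enumerate(linked):
        op = ins["op"]
        if op in CONTROLLED_OPS:
            continue
        if op in UNCONTROLLED_DATA_OPS:
            return ScanResult(False, f"instruction {pos:02d}: uncontrolled data access '{op}'")
        if op not in FIRST_PRESET_SET:
            return ScanResult(False, f"instruction {pos:02d}: unknown uncontrolled op '{op}'")
        # Uncontrolled jump (a "first instruction"): its target must come from
        # the redirection table and must be one of the first preset functions.
        if ins["arg"] is not NULL_ADDR:
            return ScanResult(False, f"instruction {pos:02d}: jump address already set")
        target = redirect_table.get(pos)
        if target is None:
            return ScanResult(False, f"instruction {pos:02d}: no redirection entry")
        if target not in first_preset_functions:
            return ScanResult(False, f"instruction {pos:02d}: '{target}' not an allowed external function")
        ins["arg"] = first_preset_functions[target]  # write the external function's address
    return ScanResult(True, "all instructions are controlled or allowed external jumps", linked)


# Constructed sample data: the allow-list of external functions and three
# compiled instruction files (function 0 calling function_1 at instruction 00).
FIRST_PRESET_FUNCTIONS = {"function_1": 0x0100, "log_event": 0x0140}

GOOD_CODE = [
    {"op": "jump1", "arg": NULL_ADDR},   # instruction 00: external call, unresolved
    {"op": "short_load", "arg": 0x08},   # controlled data read at offset 8
    {"op": "ret", "arg": None},
]
GOOD_TABLE = {0: "function_1"}

BAD_DATA_CODE = [{"op": "load", "arg": 0x2000}, {"op": "ret", "arg": None}]
BAD_TARGET_CODE = [{"op": "jump2", "arg": NULL_ADDR}, {"op": "ret", "arg": None}]
BAD_TARGET_TABLE = {0: "unlisted_helper"}


if __name__ == "__main__":
    for name, code, table in [("good", GOOD_CODE, GOOD_TABLE),
                              ("bad-data", BAD_DATA_CODE, {}),
                              ("bad-target", BAD_TARGET_CODE, BAD_TARGET_TABLE)]:
        r = scan_and_link(code, table, FIRST_PRESET_FUNCTIONS)
        print(f"{name}: allowed={r.allowed} ({r.reason})")
```

Two design points match the text: the scan works on a copy, so a refused instruction file is never left half-linked, and the allow-list is keyed by the function identification taken from the redirection table rather than by any address the controlled code itself supplies, since the compiler left those addresses null.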
  • Embodiment 3 and Embodiment 4 can be implemented as parallel embodiments, and Embodiment 3 and Embodiment 4 can also be combined and implemented simultaneously.
  • the first preset code resource in Embodiment 4 and the second preset code resource in Embodiment 3 may be the same.
  • The controlled code can access external code resources either in the form of proxy code (that is, the method of Embodiment 3) or by including in the controlled code an uncontrolled class jump instruction that accesses the first preset code resource (that is, the method of Embodiment 4); this application does not impose restrictions on this.
  • The first preset code resource and the second preset code resource in Embodiment 3 and Embodiment 4 may be different.
  • The controlled code can both pass through the agent code (that is, the method of Embodiment 3) and include an uncontrolled class jump instruction that accesses the first preset code resource (that is, the method of Embodiment 4) to achieve access to external code resources; this application does not impose restrictions on this.
  • The first preset function and the second preset function may be the same or different, and the first instruction and the second instruction may also be the same or different.
  • the uncontrolled code may call the controlled code to cause the controlled code to run in the CPU.
  • The method optionally includes S201, S203, S205 and S207-2.
  • The processing module receives the first type of instruction sent by the controlled code for accessing code resources.
  • For example, the first type of instruction is the short_jump instruction, which can carry the first access address addr.
  • The processing module can execute the first type of instruction to read the first address parameter from the second storage unit, then determine the second access address in the first address space based on the first address parameter and the first access address, and access the uncontrolled class jump instruction from the second access address.
  • The difference from Embodiment 3 is that the second access address is located inside the controlled code, not inside the agent code. Therefore, the instructions in the controlled code only need to complete one external jump to implement the call of the external function.
  • S201, S203 and S205 in this embodiment are the same as S201, S203 and S205 in Figure 4a in Embodiment 2, and will not be described again here.
  • S207-2: the processing module calls the external function from the fourth address space of the memory according to the jump address of the uncontrolled class jump instruction.
  • The processing module jumps, through the controlled class jump instruction in the controlled code in the first address space, to the uncontrolled class jump instruction in the controlled code in the first address space (located at the second access address); this jump is an internal jump. Then the processing module executes the uncontrolled class jump instruction, which has a jump address such as the sixth access address, and the processing module can call the first preset function from the sixth access address.
  • the sixth access address is an address in a fourth address space, and the fourth address space is different from the first address space and the second address space allocated to the controlled code.
  • the fourth address space is a storage space for uncontrolled code.
  • the first type of instruction in S201 in this embodiment is a jump instruction of a controlled class in the controlled code, such as a short_jump instruction, and the processing module executes the instruction in the controlled code.
  • The short_jump instruction can perform an internal jump of the controlled code within the address space d4 to d5, such as a jump to an uncontrolled class jump instruction in the address space d4 to d41.
  • The processing module can execute the uncontrolled jump instruction (such as the jump1 instruction) in the address space d4 to d41 to perform a code jump to the jump address corresponding to the jump1 instruction (i.e., the sixth access address mentioned above), that is, the address of the first preset function in the uncontrolled code.
  • the controlled code can access the external function in the uncontrolled code through the jump instruction of the uncontrolled class inside the controlled code.
  • the jump instruction of the uncontrolled class in the controlled code can only jump to the address of the first preset function in the uncontrolled code.
  • the limitations of the first preset function may refer to the relevant description in Embodiment 3, and the sixth access address is the same as the fifth access address in Embodiment 3.
  • The relevant description may also refer to Embodiment 3 and will not be repeated here.
  • Embodiment 4 may also include S301, S303 and S305 described in Embodiment 2. The principles are similar and will not be described again here.
  • When the controlled code accesses the external function, it only needs to perform one external jump and does not need to perform two external jumps through the proxy code.
  • Therefore the CPU executes the controlled code faster.
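The run-time side of Embodiment 4 (S201 to S207-2 above) as an added example, not the patent's own code: a small processing-module simulator that holds the address parameters of the first and second address spaces, adds them to the offsets carried by controlled class instructions, refuses any processed address that falls outside the allotted range, and lets an already linked jump1 instruction leave the controlled spaces only to a registered external function. The op names, the address ranges standing in for d4..d5 and d6..d7, and the external function table are all constructed assumptions.

```python
"""Run-time enforcement by the processing module (S201 to S207-2).

Added illustration, not the patent's own code. Constructed assumptions:
  * controlled-class ops short_jump/short_load/short_store carry an offset
    (the first access address); the module adds the space's address parameter
    (its base) and bounds-checks the result before using it;
  * jump1..jump5 are the uncontrolled jump set, already linked at load time to
    an absolute address in the uncontrolled code's space (the fourth space);
  * address ranges and the external function table are made up.
"""
from dataclasses import dataclass

FIRST_PRESET_SET = {"jump1", "jump2", "jump3", "jump4", "jump5"}


class AccessViolation(Exception):
    """Raised when a processed access address leaves the allotted range."""


@dataclass(frozen=True)
class Space:
    start: int  # address parameter (base) handed to the processing module
    end: int    # exclusive upper bound

    def contains(self, addr):
        return self.start <= addr < self.end


class ProcessingModule:
    def __init__(self, code_space, data_space, code_mem, data_mem, external_funcs):
        self.code_space = code_space    # first address space (stands in for d4..d5)
        self.data_space = data_space    # second address space (stands in for d6..d7)
        self.code_mem = code_mem        # {absolute address: (op, arg)}
        self.data_mem = data_mem        # {absolute address: int}
        self.external = external_funcs  # {absolute address: callable}, fourth space
        self.acc = 0                    # a single accumulator register

    def _code_addr(self, offset):
        addr = self.code_space.start + offset  # address parameter + first access address
        if not self.code_space.contains(addr):
            raise AccessViolation(f"code access {addr:#06x} outside {self.code_space}")
        return addr

    def _data_addr(self, offset):
        addr = self.data_space.start + offset
        if not self.data_space.contains(addr):
            raise AccessViolation(f"data access {addr:#06x} outside {self.data_space}")
        return addr

    def run(self, max_steps=64):
        """Execute from offset 0 of the code space; return the external calls made."""
        pc, calls = 0, []
        for _ in range(max_steps):
            op, arg = self.code_mem[self._code_addr(pc)]
            if op == "short_jump":        # controlled jump: internal to the code space
                pc = self._code_addr(arg) - self.code_space.start
                continue
            if op == "short_load":
                self.acc = self.data_mem.get(self._data_addr(arg), 0)
            elif op == "short_store":
                self.data_mem[self._data_addr(arg)] = self.acc
            elif op in FIRST_PRESET_SET:  # linked uncontrolled jump (S207-2)
                if self.code_space.contains(arg) or self.data_space.contains(arg):
                    raise AccessViolation("external jump must leave the controlled spaces")
                if arg not in self.external:
                    raise AccessViolation(f"{arg:#06x} is not an allowed external function")
                calls.append(self.external[arg](self.acc))
            elif op == "ret":
                return calls
            else:
                raise AccessViolation(f"unexpected op {op!r} reached execution")
            pc += 1
        raise AccessViolation("step limit exceeded")


# Constructed example: controlled code that reads one data word, jumps
# internally to its linked jump1 instruction, and calls function_1 with it.
CODE_SPACE = Space(0x4000, 0x4020)
DATA_SPACE = Space(0x6000, 0x6010)
EXTERNAL_FUNCS = {0x0100: lambda acc: f"function_1({acc})"}  # in the fourth space


def build_example(jump_offset=3, load_offset=0):
    code = {
        0x4000: ("short_load", load_offset),  # acc <- data[d6 + load_offset]
        0x4001: ("short_jump", jump_offset),  # internal jump to instruction 03
        0x4002: ("ret", None),
        0x4003: ("jump1", 0x0100),            # linked at load time to function_1
        0x4004: ("ret", None),
    }
    return ProcessingModule(CODE_SPACE, DATA_SPACE, code, {0x6000: 7}, EXTERNAL_FUNCS)


if __name__ == "__main__":
    print(build_example().run())  # ['function_1(7)']
    for bad in (dict(jump_offset=0x30), dict(load_offset=0x40)):
        try:
            build_example(**bad).run()
        except AccessViolation as e:
            print("refused:", e)
```

The point the simulator makes is the one the text relies on: a controlled class instruction never names an absolute address, only an offset, so whatever value the controlled code computes, the processing module's addition of the address parameter and the bounds check keep every code fetch inside d4..d5 and every data access inside d6..d7; the only way out is the single linked uncontrolled jump, whose target was fixed by the control code at load time.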
  • FIG. 7 is an exemplary architectural diagram of a central processing unit (CPU) of the present application.
  • the architectural diagram of the central processor shown in FIG. 7 provided by the present application can be viewed compared with FIG. 2c in the traditional technology.
  • the CPU of this application may include any program entity running in the CPU.
  • Program entities may include but are not limited to: general user program code, operating system code, virtual machine management code, etc.
  • the program entity may include safe area code (ie, uncontrolled code) and non-safe area code (ie, controlled code).
  • the non-safe area code here includes non-safe area code 1 and non-safe area code 2.
  • the code of the general user program (such as application 1) is running in the process.
  • the code of application 1 running in process 1 is the safe zone code.
  • Application 1 needs to call dynamic libraries and plug-ins. (There is no restriction on the order in which dynamic libraries and plug-ins are called.)
  • the non-safe area code 1 can be the dynamic library here
  • the non-safe area code 2 can be the plug-in here.
  • Application 1 cannot determine whether the code in the dynamic library and plug-in has unauthorized access to Application 1's resources (such as memory resources), so the control code provided by this application can be embedded inside Application 1.
  • The control code running in the CPU can scan the code in the dynamic library by sending uncontrolled class instructions to the processing module, to determine that there are only controlled class instructions in the dynamic library; similarly, it scans the code in the plug-in to ensure that there are only controlled instructions in the plug-in.
  • The control code can also allocate the address space of accessible resources for the dynamic library, and allocate the address space of accessible resources for the plug-in.
  • Since this dynamic library can only use controlled instructions, the content that this dynamic library can access is limited.
  • the secure zone code (such as process 1 here) can call the non-secure zone code 1 or non-secure zone code 2 to embed the non-secure zone code 1 or non-secure zone code 2 in application 1.
  • the non-safe zone code 1 or the non-safe zone code 2 runs in the CPU and can send controlled instructions to the processing module in the CPU to access resources within the limited resource access space.
  • Application 1 can use the services provided by the controlled code (that is, the non-security zone code), but at the same time, it ensures that the non-security zone code has safe access to the resources of Application 1.
  • When ensuring safe access to resources by the non-safe zone code (that is, the controlled code), this application does not need to create separate role instances, such as processes, containers and virtual machines, for the non-safe zone code. There is no need to separate the safe zone code (i.e., uncontrolled code) in the program from the called non-safe zone code (i.e., controlled code) by isolating the non-safe zone code in processes, containers, virtual machines, etc. That is to say, the safe area code and the non-safe area code are in the same program entity, and there is no isolation between the safe area code and the non-safe area code.
  • Instead, before the non-safe area code runs on the CPU, this application scans its instructions through the control code in the safe zone code,
  • so that the non-safe zone code has only limited access to the resource range of the safe zone code. In this way, in any entity, the resource access permissions of different codes can be isolated, so that the CPU does not need to create separate role instances such as processes and virtual machines to isolate the non-safe zone code, which reduces the signaling overhead of the CPU.
  • Serverless is a cloud computing scenario in which a user can provide a function to quickly implement a piece of functionality.
  • The user does not apply for a server from the cloud service provider to keep running a service provided by the user.
  • Instead, the user only provides a function, which is statically stored on some storage of the cloud service provider. Only when other services (such as a Web front-end) request to call this function is the function started and the related calculation completed. To ensure that the calculation process of this function is safe, it is usually necessary to prepare a process, container or even a virtual machine for this function to run in, to prevent the function from accessing resources beyond its permissions.
  • With the method of this application, the function cannot access resources beyond its scope of authority during operation.
  • Therefore, the calculation process of this function can be completed in the service that calls the function (such as the above-mentioned web front end), or in another process, container or virtual machine used for aggregation. Only the limited resources available to the function are allocated in the space where the function runs, and the function can complete the relevant calculation without creating additional resources (such as processes, containers, virtual machines, etc.) in order to run it. The cost of creating role instances such as processes, containers and virtual machines is relatively high.
  • an embodiment of the present application provides a resource control device.
  • the resource control device includes a control module and a controlled module.
  • the instructions in the resource control device are divided into controlled instructions and uncontrolled instructions.
  • The control module is used to: before the controlled module runs, scan the instructions in the controlled module and detect whether the instructions in the controlled module of the resource control device are all controlled instructions; when it is detected that the instructions in the controlled module are all controlled instructions, allocate a target resource access scope to each instruction in the controlled module.
  • The structure and function of the resource control device can be referred to the description of Figure 3a and its related method embodiments, and will not be described again here.
  • The resource control device further includes a processing module, configured to process the first access address and access the target resource according to the processed first access address; wherein the first access address is the resource access address in the controlled class instruction currently running in the controlled module, and the processed first access address is within the target resource access range corresponding to the currently running controlled class instruction.
  • The control module is further configured to, after detecting that the instructions in the controlled module are not all controlled instructions, detect that the controlled module includes a first instruction that matches the first preset instruction set,
  • where the first instruction is an instruction for accessing the first preset code resource,
  • and to allocate a target resource access range to each controlled class instruction in the controlled module; wherein the uncontrolled class instructions include the first preset instruction set, the first preset code resource is located in the first resource access scope, and the first resource access scope is different from the target resource access scope.
  • The first preset code resource includes a first preset function;
  • the first instruction is a first jump instruction used to access the first preset function;
  • the first preset function is a function that the control module allows the controlled module to access.
  • The controlled class instructions in the controlled module include a first class of instructions for accessing code resources and a second class of instructions for accessing data resources; the control module is specifically used to assign a second resource access scope to the first type of instruction and a third resource access scope to the second type of instruction, wherein the resource access addresses of the second resource access scope and the third resource access scope are different.
  • The uncontrolled instructions include a second preset instruction set;
  • the control module includes an agent submodule;
  • the agent submodule includes a second instruction that matches the second preset instruction set;
  • the second instruction is an instruction for accessing the second preset code resource;
  • the second preset code resource is located within the fourth resource access range, and the resource access addresses of the fourth resource access range and the target resource access range are different;
  • the control module is also used to write the proxy submodule to the second resource access scope.
  • The second preset code resource includes a second preset function;
  • the first type of instruction includes a second jump type instruction for accessing the second instruction;
  • the processing module is specifically configured to process the second access address in the second jump instruction, access the second instruction according to the processed second access address, and access the second preset function according to the third access address in the second instruction; wherein the second preset function is a function that the control module allows the controlled module to access.
  • FIG 8 is a schematic structural diagram of a resource control device provided by an embodiment of the present application.
  • the resource control device 500 may include: a processor 501, a transceiver 505, and optionally a memory 502.
  • the transceiver 505 may be called a transceiver unit, a transceiver, a transceiver circuit, etc., and is used to implement transceiver functions.
  • the transceiver 505 may include a receiver and a transmitter.
  • the receiver may be called a receiver or a receiving circuit, etc., used to implement the receiving function;
  • the transmitter may be called a transmitter, a transmitting circuit, etc., used to implement the transmitting function.
  • Computer program or software code or instructions 504 may be stored in the memory 502, which may also be referred to as firmware.
  • The processor 501 can control the MAC layer and the PHY layer by running the computer program or software code or instructions 503 therein, or by calling the computer program or software code or instructions 504 stored in the memory 502, to implement the resource control methods provided by the various embodiments of the present application.
  • the processor 501 may be a central processing unit (CPU), and the memory 502 may be a read-only memory (ROM) or a random access memory (RAM).
  • the processor 501 and transceiver 505 described in this application can be implemented in integrated circuits (ICs), analog ICs, radio frequency integrated circuits RFICs, mixed signal ICs, application specific integrated circuits (ASICs), printed circuits on printed circuit board (PCB), electronic equipment, etc.
  • the above-mentioned resource control device 500 may also include an antenna 506.
  • Each module included in the resource control device 500 is only an example and is not limited by this application.
  • the scope of the resource control device described in this application is not limited thereto, and the structure of the resource control device may not be limited by FIG. 8 .
  • the resource control device may be a stand-alone device or may be part of a larger device.
  • The implementation form of the resource control device may be: (1) an independent integrated circuit (IC), chip, chip system or subsystem; (2) a collection of one or more ICs, which may also include storage components for storing data and instructions; (3) modules that can be embedded in other equipment; (4) electronic equipment, etc.; (5) others.
  • the resource control device is implemented in the form of a chip or a chip system
  • the chip shown in Figure 9 includes a processor 601 and an interface 602.
  • the number of processors 601 may be one or more, and the number of interfaces 602 may be multiple.
  • the chip or chip system may include memory 603.
  • embodiments of the present application also provide a computer-readable storage medium.
  • the computer-readable storage medium stores a computer program.
  • the computer program includes at least one section of code.
  • the at least one section of code can be executed by a computer or processor.
  • The computer or processor is used to perform the above method embodiments.
  • embodiments of the present application also provide a computer program product including a software program, which, when executed by a computer or processor, is used to implement the above method embodiments.
  • the program may be stored in whole or in part on a storage medium packaged with the processor, or in part or in whole on a memory that is not packaged with the processor.
  • Embodiments of the present application also provide a resource control device, including one or more interface circuits and one or more processors; the interface circuit is used to receive signals from the memory and send them to the processor,
  • where the signals include computer instructions stored in the memory; when the processor executes the computer instructions, the processor is used to implement the above method embodiments.
  • the steps of the methods or algorithms described in connection with the disclosure of the embodiments of this application can be implemented in hardware or by a processor executing software instructions.
  • Software instructions can be composed of corresponding software modules.
  • Software modules can be stored in random access memory (Random Access Memory, RAM), flash memory, read-only memory (Read Only Memory, ROM), erasable programmable read-only memory (Erasable Programmable ROM, EPROM), electrically erasable programmable read-only memory (Electrically EPROM, EEPROM), a register, a hard disk, a removable hard disk, a compact disc (CD-ROM) or any other form of storage medium well known in the art.
  • An exemplary storage medium is coupled to the processor such that the processor can read information from the storage medium and write information to the storage medium.
  • the storage medium can also be an integral part of the processor.
  • the processor and storage media may be located in an ASIC.
  • Computer-readable media include computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another.
  • Storage media can be any available media that can be accessed by a general purpose or special purpose computer.

Abstract

The embodiments of the present application relate to the technical field of terminal devices. The invention concerns a resource control method and apparatus. The method consists of: before executing a program to be controlled, scanning the instructions in the program; and, when the scan establishes that the program contains only instructions from a predefined instruction set, restricting the resource access range of the instructions in the program. In this way, while the instructions in the program are executed, the program can only access resources within the restricted resource access range and cannot access resources outside that range, which achieves security control of the program and ensures secure access to resources.
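The method the abstract describes, as an added toy model that is not code from the patent: a program is scanned against a predefined instruction set before it runs, and only a program that passes the scan is executed, under a bounded address range. The instruction names, the address range and the three sample programs are constructed for illustration.

```python
from dataclasses import dataclass, field

# Predefined instruction set (constructed): anything outside it fails the pre-execution scan.
ALLOWED = {"load", "store", "add", "halt"}


class ResourceViolation(Exception):
    """Raised at run time when a scanned program touches an address outside its range."""


def scan(program):
    """Return the opcodes not in the predefined set; an empty set means the scan passes."""
    return {ins[0] for ins in program} - ALLOWED


@dataclass
class Machine:
    lo: int                    # inclusive lower bound of the permitted resource range
    hi: int                    # exclusive upper bound
    mem: dict = field(default_factory=dict)
    acc: int = 0

    def _check(self, addr):
        if not (self.lo <= addr < self.hi):
            raise ResourceViolation(f"address {addr:#x} outside [{self.lo:#x}, {self.hi:#x})")

    def run(self, program):
        bad = scan(program)                      # scan happens before any instruction runs
        if bad:
            raise ValueError(f"rejected before execution: {sorted(bad)}")
        for op, *args in program:
            if op == "load":
                self._check(args[0]); self.acc = self.mem.get(args[0], 0)
            elif op == "store":
                self._check(args[0]); self.mem[args[0]] = self.acc
            elif op == "add":
                self.acc += args[0]
            elif op == "halt":
                break
        return self.acc


def run_checked(program, lo=0x1000, hi=0x2000):
    """Scan and run within [lo, hi); returns ('ok', acc), ('rejected', msg) or ('violation', msg)."""
    try:
        return ("ok", Machine(lo, hi).run(program))
    except ValueError as e:
        return ("rejected", str(e))
    except ResourceViolation as e:
        return ("violation", str(e))


# Constructed sample programs: one valid, one with an opcode outside the set, one out of range.
GOOD = [("add", 5), ("store", 0x1000), ("load", 0x1000), ("add", 2), ("halt",)]
UNSCANNABLE = [("add", 1), ("syscall", 0), ("halt",)]
OUT_OF_RANGE = [("add", 1), ("store", 0x9000), ("halt",)]
```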
PCT/CN2023/071405 2022-03-17 2023-01-09 Resource control apparatus and method WO2023173915A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210262411.2A CN116795525A (zh) 2022-03-17 2022-03-17 Resource control method and device
CN202210262411.2 2022-03-17

Publications (1)

Publication Number Publication Date
WO2023173915A1 true WO2023173915A1 (fr) 2023-09-21

Family

ID=88022171

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/071405 WO2023173915A1 (fr) 2022-03-17 2023-01-09 Resource control apparatus and method

Country Status (2)

Country Link
CN (1) CN116795525A (fr)
WO (1) WO2023173915A1 (fr)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1298512A (zh) * 1998-02-26 2001-06-06 Sun Microsystems, Inc. Stack-based access control
CN1700136A (zh) * 2004-05-20 2005-11-23 Intel Corporation Processor extensions and software verification
US7162743B1 (en) * 2001-10-04 2007-01-09 Hewlett-Packard Development Company, L.P. System and method of limiting access to protected hardware addresses and processor instructions
US20140041026A1 (en) * 2012-08-01 2014-02-06 SIFTEO, Inc. Hybrid Virtual Machine
CN109840410A (zh) * 2017-12-28 2019-06-04 Institute of Computing Technology, Chinese Academy of Sciences Method and system for intra-process data isolation and protection
CN113886288A (zh) * 2021-09-29 2022-01-04 Southern University of Science and Technology Resource access control method, system, device and storage medium based on the ARM architecture

Also Published As

Publication number Publication date
CN116795525A (zh) 2023-09-22

Similar Documents

Publication Publication Date Title
US10114958B2 (en) Protected regions
US9710654B2 (en) Method for validating an untrusted native code module
US10198578B2 (en) Secure privilege level execution and access protection
US9112867B2 (en) Method for enforcing resource access control in computer systems
US7380049B2 (en) Memory protection within a virtual partition
US7673109B2 (en) Restricting type access to high-trust components
JP4759059B2 (ja) Page coloring that associates memory pages with programs
US11171983B2 (en) Techniques to provide function-level isolation with capability-based security
US20130283017A1 (en) Hard object: constraining control flow and providing lightweight kernel crossings
EP2963560A1 (fr) Method for securely executing an untrusted native code module on a computing device
US8677457B2 (en) Security for codes running in non-trusted domains in a processor core
US20060047959A1 (en) System and method for secure computing
KR20090010872A (ko) Method and apparatus for managing application access rights in a CLDC OSGi environment
US7647629B2 (en) Hosted code runtime protection
CN112446032B (zh) Trusted execution environment construction method, system and storage medium
US7512768B2 (en) Dynamically sharing a stack between different code segments
WO2023173915A1 (fr) Resource control apparatus and method
US20210165588A1 (en) Method and system for controlling a switch in the execution mode of a processor
JP4638505B2 (ja) Secure program interpretation method in an electronic device
US20210157612A1 (en) Encaching and sharing transformed libraries
Zeng et al. Refinement-based Modeling and Formal Verification for Multiple Secure Partitions of TrustZone.
JP2008521111A5 (fr)
JP2009104555A (ja) Tamper prevention for software agents operating in a VT environment, method and apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23769426

Country of ref document: EP

Kind code of ref document: A1