WO2025026327A1 - Data processing method and apparatus, and device and storage medium - Google Patents

Data processing method and apparatus, and device and storage medium Download PDF

Info

Publication number
WO2025026327A1
WO2025026327A1 PCT/CN2024/108590 CN2024108590W WO2025026327A1 WO 2025026327 A1 WO2025026327 A1 WO 2025026327A1 CN 2024108590 W CN2024108590 W CN 2024108590W WO 2025026327 A1 WO2025026327 A1 WO 2025026327A1
Authority
WO
WIPO (PCT)
Prior art keywords
memory
page
program
memory page
virtual
Prior art date
Application number
PCT/CN2024/108590
Other languages
French (fr)
Chinese (zh)
Inventor
贺培轩
王伟力
张殷乾
季洪涵
张尧
吴烨
Original Assignee
北京火山引擎科技有限公司
南方科技大学
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京火山引擎科技有限公司, 南方科技大学 filed Critical 北京火山引擎科技有限公司
Publication of WO2025026327A1 publication Critical patent/WO2025026327A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/50Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5011Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals
    • G06F9/5016Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals the resource being the memory

Definitions

  • Example embodiments of the present disclosure generally relate to the field of computers, and more particularly, to a data processing method, apparatus, device, and computer-readable storage medium based on a trusted execution environment.
  • Trusted execution environment builds a secure area in the central processing unit through software and hardware methods, which can provide an independent execution environment with confidentiality and integrity protection for the programs running in it.
  • program running code and confidential data can be maintained in an encrypted isolated memory, and calculations are completed in the encrypted memory. The entire calculation process is invisible to the outside, thus achieving data protection.
  • different programs can be run in a trusted execution environment in an isolated manner. While this isolation ensures data security, it also increases the complexity of sharing data between programs. Therefore, how to quickly and efficiently realize memory sharing in a trusted execution environment to achieve data sharing between programs is a technical problem that needs to be solved urgently.
  • a data processing method comprising: in a trusted execution environment, initializing a first program and a second program different from the first program; allocating a first memory space and a second memory space to the first program and the second program respectively; wherein the first memory space is visible to the first program and invisible to the second program, and the second memory space is visible to the second program and invisible to the first program; wherein the first memory space is linear A memory address space, and includes at least a first memory page; and wherein the second memory space is a linear memory address space, and includes at least a second memory page, and the second memory page is different from the first memory page; mapping the first memory page of the first memory space to the first virtual memory page in the virtual address space of the trusted execution environment; and mapping the second memory page of the second memory space to the first virtual memory page in the virtual address space.
  • a data processing device comprising: a program initialization module, configured to: initialize a first program and a second program different from the first program in a trusted execution environment; a memory allocation module, configured to allocate a first memory space and a second memory space to the first program and the second program, respectively; wherein the first memory space is visible to the first program and invisible to the second program, and the second memory space is visible to the second program and invisible to the first program; wherein the first memory space is a linear memory address space and includes at least a first memory page; and wherein the second memory space is a linear memory address space and includes at least a second memory page, the second memory page being different from the first memory page; a first mapping module, configured to map a first memory page of the first memory space to a first virtual memory page in a virtual address space of the trusted execution environment; and a second mapping module, configured to map a second memory page of the second memory space to a first virtual memory page in the virtual address space.
  • an electronic device in a third aspect of the present disclosure, includes at least one processing unit; and at least one memory, the at least one memory is coupled to the at least one processing unit and stores instructions for execution by the at least one processing unit. When the instructions are executed by the at least one processing unit, the electronic device executes the method of the first aspect.
  • a computer-readable storage medium wherein a computer program is stored on the computer-readable storage medium, and the computer program can be executed by a processor to implement the method of the first aspect.
  • FIG1 is a schematic diagram showing an example environment in which embodiments of the present disclosure can be implemented.
  • FIG2 shows a flow chart of a data processing method according to some embodiments of the present disclosure
  • FIG3 illustrates a block diagram of a memory map according to some embodiments of the present disclosure
  • FIG4 illustrates a block diagram of a program address according to some embodiments of the present disclosure
  • FIG5 shows a flow chart of a shared memory mapping method according to some embodiments of the present disclosure
  • FIG6 illustrates another memory mapping block diagram according to some embodiments of the present disclosure
  • FIG7 shows a schematic structural block diagram of a data processing device according to some embodiments of the present disclosure.
  • FIG8 illustrates a block diagram of an electronic device in which one or more embodiments of the present disclosure may be implemented.
  • executing a step “in response to A” does not mean executing the step immediately after “A” but may include one or more intermediate steps.
  • a prompt message is sent to the user to clearly prompt the user that the operation requested to be performed will require obtaining and using the user's personal information.
  • the user can autonomously choose whether to provide personal information to software or hardware such as an electronic device, application, server, or storage medium that performs the operation of the technical solution of the present disclosure according to the prompt message.
  • the prompt information in response to receiving an active request from the user, is sent to the user in a manner such as a pop-up window, in which the prompt information can be presented in text form.
  • the pop-up window can also carry a selection control for the user to choose "agree” or “disagree” to provide personal information to the electronic device.
  • Wasm technology has good isolation. Specifically, multiple Wasm programs can be executed simultaneously in a virtual machine based on Wasm technology. Each Wasm program has an independent linear memory address space. In this case, each Wasm program can only access the data in its own linear memory address space, and cannot observe or interfere with the execution flow and data flow of other Wasm programs.
  • Wasm technology is a lightweight instruction set. Specifically, Wasm programs are small in size, fast in cold start, and consume low system resources. Furthermore, Wasm technology has good portability and can be used as a compilation target for other high-level languages. Specifically, Wasm instructions are a binary format and are not limited to development languages. In this case, programs written in high-level languages can be compiled into Wasm bytecodes to be run in the Wasm virtual machine. Currently, languages that support Wasm instructions include C, C++, Rust, etc.
  • Wasm technology is a lightweight instruction set and has good portability and isolation, in addition to browser scenarios, Wasm technology is increasingly used in application scenarios that need to support multi-language and multi-tenant programs.
  • shared memory can be implemented through memory remapping technology to improve the efficiency of exchanging data.
  • memory remapping technology refers to remapping the physical memory space pointed to by a virtual address to another physical memory space by changing the address translation process of the operating system.
  • the virtual address VA 1 originally points to the physical address PA 1
  • the virtual address VA 1 can be remapped to point to the physical address PA 2.
  • the program can access the physical address PA 2 by accessing VA 1 .
  • memory sharing can be achieved by remapping a set of continuous virtual addresses in the linear memory address space of different Wasm programs to a shared data area.
  • the first Wasm program expects to share a memory area Region A in its linear memory address space with the second Wasm program and the third Wasm program.
  • the second Wasm program and the third Wasm program can map an unused virtual address space in their respective linear memory address spaces that meets the shared memory length to the physical memory area corresponding to Region A. Therefore, memory sharing can be achieved between Wasm programs through memory remapping technology, thereby avoiding the additional system development required to achieve data sharing through memory copying. pin.
  • Trusted execution environment technology builds a secure area in the central processor through software and hardware methods, which can provide an independent execution environment with confidentiality and integrity protection for the programs running in it.
  • the trusted execution environment can implement process-level protection. Specifically, in a trusted execution environment, program running code and confidential data can be maintained in an encrypted isolated memory, and calculations are completed in the encrypted isolated memory. The entire calculation process is invisible to the outside world, and even an operating system with a higher privilege level cannot see the execution flow and confidential data in the encrypted isolated memory.
  • Wasm technology can be applied to a trusted execution environment to more conveniently and quickly build a lightweight trusted data sandbox through Wasm technology.
  • the memory security feature of Wasm technology restricts Wasm programs from accessing address spaces outside the sandbox, and must call system-supervised application programming interfaces to access system resources, which enables Wasm programs running in a trusted execution environment to have two-way sandbox isolation protection.
  • privacy computing and cloud proxy computing scenarios based on a trusted execution environment can be effectively supported, and public cloud confidential computing services such as Function as a Service (FaaS) can be created.
  • FaaS Function as a Service
  • the technology based on software fault isolation can make multiple Wasm programs running in the same system non-interfering with each other and invisible to each other.
  • the system is required to set a continuous and independent linear memory address space for each Wasm program, and limit each Wasm program to access only its own linear memory address space.
  • this linear memory management mechanism leads to obvious lack of support for shared memory.
  • the memory sharing of multiple Wasm programs mainly depends on memory remapping technology.
  • the shared memory based on memory remapping is not very versatile. For example, it cannot support user-mode trusted execution environment.
  • the user-mode trusted execution environment does not trust the page table managed by the operating system, so it does not support the shared memory.
  • the operating system is allowed to remap the memory pages of the trusted execution environment.
  • the above memory management mechanism cannot achieve fine-grained memory access control.
  • shared memory is usually set to read and write, and it is impossible to limit a shared memory block to read-only for some Wasm programs and read and write for other Wasm programs.
  • the present disclosure proposes a data processing scheme based on a trusted execution environment.
  • the scheme includes: in a trusted execution environment, initializing a first program and a second program different from the first program; allocating a first memory space and a second memory space to the first program and the second program respectively, wherein the first memory space is a linear memory address space and includes at least a first memory page; and wherein the second memory space is a linear memory address space and includes at least a second memory page, and the second memory page is different from the first memory page; mapping the first memory page of the first memory space to the first virtual memory page in the virtual address space of the trusted execution environment; and mapping the second memory page of the second memory space to the first virtual memory page in the virtual address space.
  • shared memory can be realized between linear memory address spaces isolated from each other.
  • Fig. 1 shows a schematic diagram of an example environment 100 in which embodiments of the present disclosure can be implemented.
  • the example environment 100 may include a computing device 110.
  • the computing device 110 may be deployed with a trusted execution environment 150.
  • the trusted execution environment 150 one or more virtual machines 160 may be run.
  • Programs 170 may be run on the virtual machine 160, such as the first program 170-1 and the second program 170-2 shown in FIG1.
  • the first program 170-1 and the second program 170-2 may be collectively referred to as programs 170.
  • An example of program 170 is a Wasm program.
  • An example of trusted execution environment 150 is a trusted execution environment based on user mode, such as a trusted execution environment based on Software Guard Extensions (SGE). Guard Extensions (SGX) trusted execution environment.
  • SGE Software Guard Extensions
  • SGX Guard Extensions
  • Wasm programs have three operating modes: interpreter (Interpreter), ahead of time (Ahead Of Time, AOT) and just in time (Just In Time, JIT).
  • interpreter interpreter
  • AOT ahead of time
  • Just In Time Just In Time
  • JIT Just In Time
  • interpreter mode it is necessary to interpret Wasm instructions one by one and perform corresponding operations on the virtual machine 160.
  • Ahead-Of-Time, AOT the Wasm bytecode can be converted into machine code in advance in a compilation step similar to that of a C++ program.
  • the pre-compiled Wasm program is not an executable file that can be run directly and needs to be loaded at runtime.
  • Wasm runs in just-in-time compilation mode it is still interpreted and executed as a whole, but frequently run code will be compiled to generate machine code to speed up the operation.
  • the program 170 when the program 170 is running, it may be allocated with mutually isolated linear memory address spaces, each of which may include multiple memory pages, and at least some of the multiple memory pages may be mapped to virtual memory pages of the virtual address space 190. As shown in FIG1 , the first program 170-1 is allocated with a first memory space 180-1, and the second program 170-2 is allocated with a second memory space 180-2.
  • a linear virtual memory of size SIZE Mem is allocated.
  • This continuous linear virtual memory is represented as [ADDR Mem , ADDR Mem + SIZE Mem ], where ADDR Mem is the starting virtual memory address of the linear virtual memory.
  • ADDR Mem the starting virtual memory address of the linear virtual memory.
  • the computing device 110 can be any type of mobile terminal, fixed terminal or portable terminal, including a mobile phone, a desktop computer, a laptop computer, a notebook computer, a netbook computer, a tablet computer, a media computer, a multimedia tablet, a personal communication system (PCS) device, a personal navigation device, a personal digital assistant (PDA), an audio/video player, a digital camera/camcorder, a positioning device, a television receiver, a radio broadcast receiver, an e-book device, a gaming device, or any combination of the foregoing, including accessories and peripherals of these devices or any combination thereof.
  • the client device 120 can also support any type of interface for the user (such as a "wearable" circuit, etc.).
  • the computing device 110 may be an independent physical server, or a server cluster or distributed system composed of multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content distribution networks, and big data and artificial intelligence platforms.
  • the computing device 110 may include, for example, a computing system/server, such as a mainframe, an edge computing node, a computing device in a cloud environment, and the like.
  • FIG2 shows a flow chart of a data processing process 200 according to some embodiments of the present disclosure.
  • the data processing process 200 may be implemented at a computing device 110. Further, when the program 170 is a Wasm program, the process 200 may be executed by a “Wasm runtime”.
  • the Wasm program will be used as the first program In the example of 170-1/second program 170-2, a trusted execution environment based on Software Guard Extension (SGX) will be used as an example of trusted execution environment 150.
  • SGX Software Guard Extension
  • the first program 170-1/second program 170-2 can be other instruction programs with good isolation
  • the trusted execution environment 150 can be other user-mode trusted execution environments. The scope of protection of the present disclosure is not limited in this respect.
  • the second memory space 180-2 is isolated from the first memory space 180-1.
  • the first memory space 180-1 is invisible to the second program 170-2, and the second memory space 180-2 is invisible to the first program 170-1.
  • the computing device 110 initializes the first program 170 - 1 and the second program 170 - 2 .
  • the computing device 110 allocates a first memory space 180 - 1 and a second memory space 180 - 2 to the first program 170 - 1 and the second program 170 - 2 , respectively.
  • the first memory space 180 - 1 is a linear memory address space and includes at least a first memory page.
  • the second memory space 180 - 2 is a linear memory address space and includes at least a second memory page, which is different from the first memory page.
  • the computing device 110 maps a first memory page of the first memory space 180 - 1 to a first virtual memory page in the virtual address space 190 of the trusted execution environment.
  • the computing device 110 maps the second memory page of the second memory space 180-2 to the first virtual memory page in the virtual address space 190.
  • the first memory space 180-1 further includes a third memory page and a fourth memory page, wherein the third memory page and the fourth memory page are two consecutive memory pages in the first memory space 180-1.
  • the computing device 110 maps the third memory page of the first memory space 180-1 to the second virtual memory page in the virtual address space 190, and maps the first memory space 180-1 to the second virtual memory page in the virtual address space 190.
  • the fourth memory page of 180 - 1 is mapped to the third virtual memory page in the virtual address space 190 , wherein the second virtual memory page and the third virtual memory page are not continuous in the virtual address space 190 .
  • FIG3 shows a block diagram of a memory map 300 according to some embodiments of the present disclosure.
  • FIG3 shows a block diagram of a memory map 300 according to some embodiments of the present disclosure.
  • the first memory space 180-1 is allocated to the first program 170-1, which includes the first memory page 310, the third memory page 311, and the fourth memory page 312, etc.
  • the second memory space 180-2 is allocated to the first program 170-2, which includes the second memory page 320, etc.
  • the computing device 110 is responsible for maintaining the virtual address space 190, which includes the first virtual memory page 330, the second virtual memory page 331, the third virtual memory page 332, etc.
  • the computing device 110 is responsible for establishing/maintaining/interpreting the mapping of the first memory space 180-1/the second memory space 180-2 to the virtual address space 190.
  • shared memory can be implemented by modifying the address mapping/translation process.
  • the first memory page 310 and the second memory page 320 can be called shared memory pages; since the third memory page 311 and the fourth memory page 312 are not shared with other programs, the third memory page 311 and the fourth memory page 312 can also be called private memory pages of the first program 170-1.
  • the third memory page 311 and the fourth memory page are continuous in the first memory space 180 - 1 .
  • the third memory page 311 and the fourth memory page are mapped to the second virtual memory page 331 and the third virtual memory page 332 , respectively.
  • the internal memory in the system can be accessed through a page table.
  • a page table Next, how to design and maintain the page table will be described in conjunction with an exemplary embodiment.
  • the memory size of the linear memory address space can be set to an integer multiple of a predetermined memory block.
  • the size of the linear memory address space allocated to the program 170 can be an integer multiple of 65536 bytes (ie, 64KB).
  • a block diagram of a program address 400 according to some embodiments of the present disclosure is shown.
  • the size of each memory page is 64KB, then for a 32-bit program address, the high/low 16 bits can be used as a memory page index, and the low/high 16 bits can be used as an offset within the page.
  • the computing device 110 may generate a first mapping table for the first program 170-1, wherein the first mapping table includes at least one page table entry. Further, each page table entry corresponds to a corresponding memory page in the first memory space 180-1 and indicates at least one of the following: whether the corresponding memory page has been mapped to a virtual memory page in the virtual address space 190, or virtual address information of the virtual memory page corresponding to the corresponding memory page in the virtual address space 190.
  • the first mapping table may include a first page table entry corresponding to the first memory page 310, wherein the first page table entry includes at least one of the following: first information indicating that the first memory page 310 has been mapped to the first virtual memory page 330, and second information indicating a first virtual address identifying the first virtual memory page 330.
  • mapping relationship between the Wasm address and the virtual address of the Wasm program may be stored in the page table, that is, the mapping relationship between the memory page information of the Wasm program and the virtual memory page is stored.
  • each page table can include a maximum of 65536 page table entries, each of which stores information corresponding to a memory page.
  • each page table entry may include first information, which The parameter can be a Boolean value, which is used to indicate whether the Wasm memory page has been bound to a virtual memory page, or whether the starting address of the Wasm memory page has been bound to the starting address of a virtual memory page.
  • each page table entry may also include second information, and when the first information is true/a Wasm memory page has been bound to a virtual memory page, the second information indicates the starting address of the virtual memory page to which the Wasm memory page is bound.
  • mapping relationship of memory pages can be maintained separately through the page table, which reduces the cost of memory page maintenance and improves the efficiency of memory page maintenance.
  • dynamic allocation of memory can be achieved by dynamically modifying the page table.
  • a page table is created for the program.
  • at least one page table entry in the page table can be dynamically modified, that is, an unmapped memory page is mapped to a corresponding virtual memory page.
  • the computing device 110 in response to the first program 170 - 1 being executed, the computing device 110 generates a first mapping table for the first program 170 - 1 , wherein the first mapping table has a preset number of page table entries, for example, equal to (or less than) 65536 page table entries.
  • the computing device 110 modifies at least one page table entry in the first mapping table to indicate a mapping relationship between at least one newly allocated memory page in the first memory space 180-1 and at least one virtual memory page in the virtual address space 190.
  • the program 170 may be allowed to release the previously established mapping.
  • the program 170 may call a mapping release interface provided by the system to release a portion of the memory page mapping according to the program 170's requirements.
  • the Wasm program is used as an example for further description.
  • the Wasm program bytecode specifies its initial memory size and maximum memory size. Therefore, when creating a page table, the computing device 110 may first map part of the Wasm page to a virtual memory page to meet the program's initial memory size requirement. For example, a page table with 65536 page table entries is created, and 4096 of the entries are modified. Change to mapped entry.
  • the Wasm program has a memory growth requirement later, more mappings are created through the Wasm memory growth instruction to achieve memory expansion, that is, by modifying the unmapped page table entries to mapped page table entries.
  • the Wasm program can also call the system instruction to release the mapped page table entries.
  • the system's memory can be allocated on demand as needed and released promptly when not needed, thereby improving the utilization of system resources.
  • different read and write permissions can be configured for different memory pages.
  • the memory page is a shared memory page, the security of data management can be effectively improved.
  • the first mapping table includes a first sub-mapping table and/or a second sub-mapping table.
  • the first sub-mapping table includes at least one first page table entry, and the at least one first page table entry corresponds to at least one memory page for which the first program 170-1 has read-only permission.
  • the second sub-mapping table includes at least one second page table entry, and the at least one second page table entry corresponds to at least one memory page for which the first program 170-1 has write permission.
  • each page table entry may include third information in addition to the first information and the second information, and the third information indicates the read and write permission information of the corresponding program for the memory page corresponding to the page table entry.
  • the traditional solution cannot achieve read and write control of shared memory. Specifically, in the traditional solution, permission control is effective for all Wasm programs. Therefore, in the traditional solution, when a Wasm program obtains access to a piece of shared memory, it has both read and write permissions. Under this restriction, a Wasm program cannot limit another Wasm program to only read shared memory, because in the traditional solution, if the shared memory page is set to read-only, all Wasm programs in the system cannot obtain write permissions.
  • memory access control can be optimized by setting up a read page table (i.e., the first sub-mapping table) and a write page table (i.e., the second sub-mapping table).
  • the computing device 110 maintains two single pages for each Wasm program.
  • the Wasm program uses the read page table to translate the address, and the write page table to translate the address. In this way, a Wasm program can implement read/write access control for different memory pages.
  • FIG5 shows a flow chart of a shared memory mapping method 500 according to some embodiments of the present disclosure.
  • the computing device 110 has mapped a first memory page to a first virtual memory page.
  • the computing device 110 detects a request for creating a shared memory initiated by the first program 170-1, and the shared memory creation request indicates the first memory address information of the first memory page, the read and write permission information set by the first program for the first memory page, and the first identification information of the first memory page.
  • the computing device 110 in response to detecting a request initiated by the second program 170 - 2 to query the shared memory, the computing device 110 returns an identification information list of the shared memory to the second program 170 - 2 , the identification information list including the first identification information of the first memory page.
  • the computing device 110 detects a shared memory mapping request initiated by the second program 170 - 2 , the shared memory mapping request indicating second memory address information of the second memory page and first identification information of the first memory page.
  • the computing device 110 maps the second memory page to the first virtual memory page.
  • the first Wasm program can call a preset function to create a shared memory page.
  • the input parameters of the preset function may include: 1) information indicating a section of shared memory that the first Wasm program expects to share; 2) information indicating the access control policy of this shared area, that is, the read and write permissions of other Wasm programs to this area; 3) an identifier for identifying this section of shared memory.
  • the first Wasm program expects to share the first memory page and restrict other Wasm programs from modifying it. Change the content of the first memory page and set the flag of the first memory page to "1".
  • the second Wasm program may send a shared memory query request.
  • the computing device 110 returns a list to the second Wasm program, in which the identifiers of the currently existing shared memory areas are stored, for example, the identifier "1" of the first memory page.
  • the second Wasm program can remap a memory area in its own linear memory address space to the corresponding shared memory by sending a shared memory mapping request. For example, if the second Wasm program expects to map its second memory page to the first memory page of the first Wasm program, the second Wasm program sends a shared memory mapping request indicating the second memory page address and the first memory page identifier "1".
  • the computing device 110 can map the second memory page to the first virtual memory page, that is, the virtual memory page corresponding to the first memory page.
  • computing device 110 may set boundary checking rules to prevent out-of-bounds access by program 170. Specifically, computing device 110 performs boundary checking on each access initiated to the linear memory address space to ensure that a program can only access its own linear memory address space.
  • an exception memory page may be used to assist in implementing boundary checking.
  • FIG. 6 it shows a block diagram of another memory map 600 according to some embodiments of the present disclosure.
  • the computing device 110 detects a data access request initiated by the first program 170-1. In response to detecting the data access request initiated by the first program 170-1, the computing device 110 determines whether the memory address corresponding to the data is within the first memory space 180-1, and if the memory address is not within the first memory space 180-1, maps the memory address to an abnormal virtual memory page 610 of the virtual address space 190.
  • the computing device 110 can maintain a 64KB memory area for each Wasm program, which is called an abnormal memory page.
  • the computing device 110 pre-modifies the address of the virtual memory page in the unmapped page table entry to point to the virtual memory address of the abnormal memory page. Therefore, when the Wasm program accesses the unmapped memory page, it actually accesses its own abnormal memory page.
  • the abnormal memory page when the memory access is legal, the abnormal memory page will never be accessed. Only when the memory is out of bounds, the abnormal memory page will be accessed. Since the abnormal memory page does not store any meaningful information, the out-of-bounds access can only touch the abnormal memory page and will not affect the original sandbox design of Wasm.
  • a paging memory management method is proposed, which is particularly suitable for the Wasm-based SGX environment.
  • the paging memory management disclosed in the present disclosure can effectively solve the shortcomings of insufficient support for shared memory in the linear memory model and the inability to flexibly set read-only permissions.
  • the virtual address corresponding to the linear memory of the Wasm program can be non-contiguous, and it supports dynamically increasing or decreasing the linear memory by establishing or canceling the corresponding mapping on the page table.
  • the shared memory solution implemented according to the paging-based memory management and maintenance mechanism disclosed in the present invention is more versatile (applicable to various types of trusted execution environments including SGX), and can implement flexible read and write permission control on shared memory areas between multiple programs.
  • FIG. 7 shows a schematic structural block diagram of a data processing apparatus 700 according to some embodiments of the present disclosure.
  • the apparatus 700 may be implemented as or included in a computing device 110.
  • Each module/component in the apparatus 700 may be implemented by hardware, software, firmware, or any combination thereof.
  • the apparatus 700 includes: a program initialization module 710, configured to: in a trusted execution environment, initialize a first program and a second program different from the first program; a memory allocation module 720, configured to allocate a first memory space and a second memory space to the first program and the second program, respectively; wherein the first memory space is visible to the first program and invisible to the second program, and the second memory space is visible to the second program and invisible to the first program; wherein the first memory space is a linear memory address space and includes at least a first memory page; and wherein the second memory space is a linear memory address space and includes at least a second memory page, the second memory page being different from the first memory page; a first mapping module 730, configured to map a first memory page of the first memory space to the trusted execution environment; and a second mapping module 740, configured to map a second memory page of the second memory space to the first virtual memory page in the virtual address space.
  • a program initialization module 710 configured to: in a trusted execution environment, initialize
  • the device 700 also includes an out-of-bounds check module, which is configured to determine whether the memory address corresponding to the data is within the first memory space in response to detecting an access request for data initiated by the first program; and based on determining that the memory address is not within the first memory space, map the memory address to an abnormal virtual memory page of the virtual address space.
  • an out-of-bounds check module configured to determine whether the memory address corresponding to the data is within the first memory space in response to detecting an access request for data initiated by the first program; and based on determining that the memory address is not within the first memory space, map the memory address to an abnormal virtual memory page of the virtual address space.
  • the device 700 also includes: a page table generation module, configured to: generate a first mapping table for the first program, the first mapping table including at least one page table entry, each page table entry corresponding to a corresponding memory page in the first memory space and indicating at least one of the following: whether the corresponding memory page has been mapped to a virtual memory page in the virtual address space, or virtual address information of the virtual memory page corresponding to the corresponding memory page in the virtual address space.
  • a page table generation module configured to: generate a first mapping table for the first program, the first mapping table including at least one page table entry, each page table entry corresponding to a corresponding memory page in the first memory space and indicating at least one of the following: whether the corresponding memory page has been mapped to a virtual memory page in the virtual address space, or virtual address information of the virtual memory page corresponding to the corresponding memory page in the virtual address space.
  • the page table generation module is further configured to: in response to detecting that the first program is initialized, generate a first mapping table for the first program, the first mapping table having a preset number of page table entries.
  • the device 700 also includes: a memory modification module, configured to, in response to detecting an increase memory instruction for the first program, modify at least one page table entry in the first mapping table to indicate a mapping relationship between at least one newly allocated memory page in the first memory space and at least one virtual memory page in the virtual address space.
  • the first mapping table includes a first page table entry corresponding to the first memory page, the first mapping table entry including at least one of the following: first information indicating that the first memory page has been mapped to a first virtual memory page, second information indicating a first virtual address identifying the first virtual memory page, and third information indicating read and write permission information of the first program for the first memory page.
  • the first mapping table includes at least one of the following: a first sub-mapping table, the first sub-mapping table includes at least one first page table entry, and the at least one first page table entry corresponds to at least one memory page for which the first program has read-only permission; a second sub-mapping table, the second sub-mapping table includes at least one second page table entry, and the at least one second page table entry corresponds to at least one memory page for which the first program has write permission.
  • the first memory space also includes a third memory page and a fourth memory page, and the third memory page and the fourth memory page are two consecutive memory pages in the first memory space.
  • the device 700 also includes: a second mapping module, configured to map the third memory page to a second virtual memory page in the virtual address space; and a third mapping module, configured to map the fourth memory page to a third virtual memory page in the virtual address space, and the second virtual memory page and the third virtual memory page are not consecutive in the virtual address space.
  • the device 700 also includes: a shared request detection module, configured to: during the execution of the first program, detect a request for creating a shared memory initiated by the first program, the request for creating a shared memory indicates the following information: first memory address information of the first memory page, read and write permission information set by the first program for the first memory page, and first identification information of the first memory page; a shared memory query request processing module, configured to: in response to detecting a request for querying shared memory initiated by the second program, return a list of identification information of the shared memory in the trusted execution environment to the second program, the list of identification information including the first identification information of the first memory page; a shared memory mapping request processing module, configured to: detect a shared memory mapping request initiated by the second program, the shared memory mapping request indicates the second memory address information of the second memory page and the first identification information of the first memory page; and a shared memory mapping module, configured to: in response to detecting a shared memory mapping request, map the second memory page to the first virtual memory page.
  • a shared request detection module configured to
  • FIG8 shows a block diagram of an electronic device 800 in which one or more embodiments of the present disclosure may be implemented. It should be understood that the electronic device 800 shown in FIG8 is merely exemplary and should not constitute any limitation on the functionality and scope of the embodiments described herein. The electronic device 800 shown in FIG8 may be used to implement the computing device 110 of FIG1 .
  • the electronic device 800 is in the form of a general electronic device or computing device.
  • the components of the electronic device 800 may include, but are not limited to, one or more processors or processing units 810, a memory 820, a storage device 830, one or more communication units 840, one or more input devices 850, and one or more output devices 860.
  • the processing unit 810 may be an actual or virtual processor and is capable of performing various processes according to a program stored in the memory 820. In a multi-processor system, multiple processing units execute computer executable instructions in parallel to improve the parallel processing capability of the electronic device 800.
  • the electronic device 800 typically includes a plurality of computer storage media. Such media may be any accessible media that is accessible to the electronic device 800, including but not limited to volatile and non-volatile media, removable and non-removable media.
  • the memory 820 may be a volatile memory (e.g., a register, a cache, a random access memory (RAM)), a non-volatile memory (e.g., a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), flash memory), or some combination thereof.
  • the storage device 830 may be a removable or non-removable medium, and may include a machine-readable medium, such as a flash drive, a disk, or any other medium, which may be capable of being used to store information and/or data (e.g., training data for training) and may be accessed within the electronic device 800.
  • a machine-readable medium such as a flash drive, a disk, or any other medium, which may be capable of being used to store information and/or data (e.g., training data for training) and may be accessed within the electronic device 800.
  • the electronic device 800 may further include additional removable/non-removable, volatile/non-volatile storage media.
  • a disk drive for reading or writing from a removable, non-volatile disk e.g., a “floppy disk”
  • an optical drive for reading or writing from a removable, non-volatile optical disk may be provided.
  • each drive may be connected to a bus (not shown) by one or more data media interfaces.
  • the memory 820 may include a computer program product 825 having one or more program modules configured to perform various methods or actions of various embodiments of the present disclosure.
  • the communication unit 840 implements communication with other electronic devices through a communication medium. Additionally, the functions of the components of the electronic device 800 can be implemented with a single computing cluster or multiple computing machines that can communicate through a communication connection. Therefore, the electronic device 800 can operate in a networked environment using a logical connection with one or more other servers, a network personal computer (PC), or another network node.
  • PC network personal computer
  • the input device 850 may be one or more input devices, such as a mouse, a keyboard, a tracking ball, etc.
  • the output device 860 may be one or more output devices, such as a display, a speaker, a printer, etc.
  • the electronic device 800 may also communicate with one or more external devices (not shown) through the communication unit 840 as needed, such as a storage device, a display device, etc., communicate with one or more devices that allow a user to interact with the electronic device 800, or communicate with any device that allows the electronic device 800 to communicate with one or more other electronic devices (e.g., a network card, a modem, etc.). Such communication may be performed via This is performed by an input/output (I/O) interface (not shown).
  • I/O input/output
  • a computer-readable storage medium on which computer-executable instructions are stored, wherein the computer-executable instructions are executed by a processor to implement the method described above.
  • a computer program product is also provided, which is tangibly stored on a non-transitory computer-readable medium and includes computer-executable instructions, and the computer-executable instructions are executed by a processor to implement the method described above.
  • These computer-readable program instructions can be provided to a processing unit of a general-purpose computer, a special-purpose computer, or other programmable data processing device, thereby producing a machine, so that when these instructions are executed by the processing unit of the computer or other programmable data processing device, a device that implements the functions/actions specified in one or more boxes in the flowchart and/or block diagram is generated.
  • These computer-readable program instructions can also be stored in a computer-readable storage medium, and these instructions cause the computer, programmable data processing device, and/or other equipment to work in a specific manner, so that the computer-readable medium storing the instructions includes a manufactured product, which includes instructions for implementing various aspects of the functions/actions specified in one or more boxes in the flowchart and/or block diagram.
  • Computer-readable program instructions can be loaded onto a computer, other programmable data processing apparatus, or other device so that a series of operational steps are performed on the computer, other programmable data processing apparatus, or other device to produce a computer-implemented process, so that the instructions executed on the computer, other programmable data processing apparatus, or other device implement the functions/actions specified in one or more boxes in the flowchart and/or block diagram.
  • each box in the flowchart or block diagram may represent a module, a program segment, or a portion of an instruction, which includes one or more functions for implementing a specified logic.
  • the blocks may be executable instructions for performing a specific function or action.
  • the functions noted in the blocks may occur in a different order than that noted in the accompanying drawings. For example, two consecutive blocks may actually be executed substantially in parallel, or they may sometimes be executed in reverse order, depending on the functions involved.
  • each block in the block diagram and/or flow chart, and combinations of blocks in the block diagram and/or flow chart may be implemented using a dedicated hardware-based system that performs the specified functions or actions, or may be implemented using a combination of dedicated hardware and computer instructions.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

Provided in the embodiments of the present disclosure are a data processing method and apparatus, and a device and a storage medium. The method comprises: in a trusted execution environment, initializing a first program and a second program that is different from the first program; respectively allocating a first memory space and a second memory space for the first program and the second program, wherein the first memory space is a linear memory address space and comprises at least a first memory page, the second memory space is a linear memory address space and comprises at least a second memory page, and the second memory page is different from the first memory page; mapping the first memory page of the first memory space to a first virtual memory page in a virtual address space of the trusted execution environment; and mapping the second memory page of the second memory space to the first virtual memory page in the virtual address space.

Description

数据处理方法、装置、设备和存储介质Data processing method, device, equipment and storage medium

本申请要求2023年8月2日递交的、标题为“数据处理方法、装置、设备和存储介质”、申请号为202310967247.X的中国发明专利申请的优先权,该申请的全部内容通过引用结合在本申请中。This application claims priority to the Chinese invention patent application entitled “Data processing method, device, equipment and storage medium” and application number 202310967247.X filed on August 2, 2023. The entire contents of this application are incorporated by reference into this application.

技术领域Technical Field

本公开的示例实施例总体涉及计算机领域,特别地涉及基于可信执行环境的数据处理方法、装置、设备和计算机可读存储介质。Example embodiments of the present disclosure generally relate to the field of computers, and more particularly, to a data processing method, apparatus, device, and computer-readable storage medium based on a trusted execution environment.

背景技术Background Art

可信执行环境(Trusted execution environment,TEE)通过软硬件方法在中央处理器中构建一个安全区域,能够为运行在其中的程序提供一个具备机密性和完整性保护的独立执行环境。在可信执行环境中,程序运行代码和机密数据可以被维护在一块加密的隔离内存中,并在加密内存中完成计算,整个计算过程对外部不可见,以此方式来实现数据的保护。换言之,不同的程序可以以彼此隔离的方式在可信执行环境被运行。这种隔离性在保证数据安全的同时,也增加了程序间分享数据间的复杂度。因此,如何在可信执行环境中快捷高效地实现内存的共享以实现程序间的数据共享是当前亟待解决的技术问题。Trusted execution environment (TEE) builds a secure area in the central processing unit through software and hardware methods, which can provide an independent execution environment with confidentiality and integrity protection for the programs running in it. In a trusted execution environment, program running code and confidential data can be maintained in an encrypted isolated memory, and calculations are completed in the encrypted memory. The entire calculation process is invisible to the outside, thus achieving data protection. In other words, different programs can be run in a trusted execution environment in an isolated manner. While this isolation ensures data security, it also increases the complexity of sharing data between programs. Therefore, how to quickly and efficiently realize memory sharing in a trusted execution environment to achieve data sharing between programs is a technical problem that needs to be solved urgently.

发明内容Summary of the invention

在本公开的第一方面,提供了一种数据处理方法,包括:在可信执行环境中,初始化第一程序和与第一程序不同的第二程序;分别为第一程序和第二程序分配第一内存空间和第二内存空间;其中,第一内存空间对第一程序可见并且对第二程序不可见,并且第二内存空间对第二程序可见并且对第一程序不可见;其中,第一内存空间为线性 内存地址空间,并且包括至少包括第一内存页;并且其中,第二内存空间为线性内存地址空间,并且包括至少包括第二内存页,第二内存页与第一内存页不同;将第一内存空间的第一内存页映射至可信执行环境的虚拟地址空间中的第一虚拟内存页;以及将第二内存空间的第二内存页映射至虚拟地址空间中的第一虚拟内存页。In a first aspect of the present disclosure, a data processing method is provided, comprising: in a trusted execution environment, initializing a first program and a second program different from the first program; allocating a first memory space and a second memory space to the first program and the second program respectively; wherein the first memory space is visible to the first program and invisible to the second program, and the second memory space is visible to the second program and invisible to the first program; wherein the first memory space is linear A memory address space, and includes at least a first memory page; and wherein the second memory space is a linear memory address space, and includes at least a second memory page, and the second memory page is different from the first memory page; mapping the first memory page of the first memory space to the first virtual memory page in the virtual address space of the trusted execution environment; and mapping the second memory page of the second memory space to the first virtual memory page in the virtual address space.

在本公开的第二方面,提供了一种数据处理装置,包括:程序初始化模块,被配置为:在可信执行环境中,初始化第一程序和与第一程序不同的第二程序;内存分配模块,被配置为分别为第一程序和第二程序分配第一内存空间和第二内存空间;其中,第一内存空间对第一程序可见并且对第二程序不可见,并且第二内存空间对第二程序可见并且对第一程序不可见;其中,第一内存空间为线性内存地址空间,并且包括至少包括第一内存页;并且其中,第二内存空间为线性内存地址空间,并且包括至少包括第二内存页,第二内存页与第一内存页不同;第一映射模块,被配置为将第一内存空间的第一内存页映射至可信执行环境的虚拟地址空间中的第一虚拟内存页;以及第二映射模块,被配置为将第二内存空间的第二内存页映射至虚拟地址空间中的第一虚拟内存页。In a second aspect of the present disclosure, a data processing device is provided, comprising: a program initialization module, configured to: initialize a first program and a second program different from the first program in a trusted execution environment; a memory allocation module, configured to allocate a first memory space and a second memory space to the first program and the second program, respectively; wherein the first memory space is visible to the first program and invisible to the second program, and the second memory space is visible to the second program and invisible to the first program; wherein the first memory space is a linear memory address space and includes at least a first memory page; and wherein the second memory space is a linear memory address space and includes at least a second memory page, the second memory page being different from the first memory page; a first mapping module, configured to map a first memory page of the first memory space to a first virtual memory page in a virtual address space of the trusted execution environment; and a second mapping module, configured to map a second memory page of the second memory space to a first virtual memory page in the virtual address space.

在本公开的第三方面,提供了一种电子设备。该设备包括至少一个处理单元;以及至少一个存储器,至少一个存储器被耦合到至少一个处理单元并且存储用于由至少一个处理单元执行的指令。指令在由至少一个处理单元执行时使电子设备执行第一方面的方法。In a third aspect of the present disclosure, an electronic device is provided. The device includes at least one processing unit; and at least one memory, the at least one memory is coupled to the at least one processing unit and stores instructions for execution by the at least one processing unit. When the instructions are executed by the at least one processing unit, the electronic device executes the method of the first aspect.

在本公开的第四方面,提供了一种计算机可读存储介质。该计算机可读存储介质上存储有计算机程序,计算机程序可由处理器执行以实现第一方面的方法。In a fourth aspect of the present disclosure, a computer-readable storage medium is provided, wherein a computer program is stored on the computer-readable storage medium, and the computer program can be executed by a processor to implement the method of the first aspect.

应当理解,本内容部分中所描述的内容并非旨在限定本公开的实施例的关键特征或重要特征,也不用于限制本公开的范围。本公开的其它特征将通过以下的描述而变得容易理解。It should be understood that the contents described in this content section are not intended to limit the key features or important features of the embodiments of the present disclosure, nor are they intended to limit the scope of the present disclosure. Other features of the present disclosure will become easily understood through the following description.

附图说明 BRIEF DESCRIPTION OF THE DRAWINGS

结合附图并参考以下详细说明,本公开各实施例的上述和其他特征、优点及方面将变得更加明显。在附图中,相同或相似的附图标记表示相同或相似的元素,其中:The above and other features, advantages and aspects of the embodiments of the present disclosure will become more apparent with reference to the following detailed description in conjunction with the accompanying drawings. In the accompanying drawings, the same or similar reference numerals represent the same or similar elements, wherein:

图1示出了本公开的实施例能够在其中实现的示例环境的示意图;FIG1 is a schematic diagram showing an example environment in which embodiments of the present disclosure can be implemented;

图2示出了根据本公开的一些实施例的数据处理方法的流程图;FIG2 shows a flow chart of a data processing method according to some embodiments of the present disclosure;

图3示出了根据本公开的一些实施例的内存映射的框图;FIG3 illustrates a block diagram of a memory map according to some embodiments of the present disclosure;

图4示出了根据本公开的一些实施例的程序地址的框图;FIG4 illustrates a block diagram of a program address according to some embodiments of the present disclosure;

图5示出了根据本公开的一些实施例的共享内存映射方法的流程图;FIG5 shows a flow chart of a shared memory mapping method according to some embodiments of the present disclosure;

图6示出了根据本公开的一些实施例的另一内存映射框图;FIG6 illustrates another memory mapping block diagram according to some embodiments of the present disclosure;

图7示出了根据本公开的一些实施例的数据处理装置的示意性结构框图;以及FIG7 shows a schematic structural block diagram of a data processing device according to some embodiments of the present disclosure; and

图8示出了其中可以实施本公开的一个或多个实施例的电子设备的框图。FIG8 illustrates a block diagram of an electronic device in which one or more embodiments of the present disclosure may be implemented.

具体实施方式DETAILED DESCRIPTION

下面将参照附图更详细地描述本公开的实施例。虽然附图中示出了本公开的某些实施例,然而应当理解的是,本公开可以通过各种形式来实现,而且不应该被解释为限于这里阐述的实施例,相反,提供这些实施例是为了更加透彻和完整地理解本公开。应当理解的是,本公开的附图及实施例仅用于示例性作用,并非用于限制本公开的保护范围。Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although certain embodiments of the present disclosure are shown in the accompanying drawings, it should be understood that the present disclosure can be implemented in various forms and should not be construed as being limited to the embodiments set forth herein. On the contrary, these embodiments are provided to provide a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the present disclosure are only for exemplary purposes and are not intended to limit the scope of protection of the present disclosure.

在本公开的实施例的描述中,术语“包括”及其类似用语应当理解为开放性包含,即“包括但不限于”。术语“基于”应当理解为“至少部分地基于”。术语“一个实施例”或“该实施例”应当理解为“至少一个实施例”。术语“一些实施例”应当理解为“至少一些实施例”。下文还可能包括其他明确的和隐含的定义。In the description of the embodiments of the present disclosure, the term "including" and similar terms should be understood as open inclusion, that is, "including but not limited to". The term "based on" should be understood as "based at least in part on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The term "some embodiments" should be understood as "at least some embodiments". Other explicit and implicit definitions may also be included below.

在本文中,除非明确说明,“响应于A”执行一个步骤并不意味着在“A”之后立即执行该步骤,而是可以包括一个或多个中间步骤。 Herein, unless explicitly stated, executing a step “in response to A” does not mean executing the step immediately after “A” but may include one or more intermediate steps.

可以理解的是,本技术方案所涉及的数据(包括但不限于数据本身、数据的获取或使用)应当遵循相应法律法规及相关规定的要求。It is understandable that the data involved in this technical solution (including but not limited to the data itself, the acquisition or use of the data) shall comply with the requirements of relevant laws, regulations and relevant provisions.

可以理解的是,在使用本公开各实施例公开的技术方案之前,均应当根据相关法律法规通过适当的方式对本公开所涉及个人信息的类型、使用范围、使用场景等告知用户并获得用户的授权。It is understandable that before using the technical solutions disclosed in the embodiments of the present disclosure, the types, scope of use, usage scenarios, etc. of the personal information involved in the present disclosure should be informed to the user and the user's authorization should be obtained in an appropriate manner in accordance with relevant laws and regulations.

例如,在响应于接收到用户的主动请求时,向用户发送提示信息,以明确地提示用户,其请求执行的操作将需要获取和使用到用户的个人信息。从而,使得用户可以根据提示信息来自主地选择是否向执行本公开技术方案的操作的电子设备、应用程序、服务器或存储介质等软件或硬件提供个人信息。For example, in response to receiving an active request from a user, a prompt message is sent to the user to clearly prompt the user that the operation requested to be performed will require obtaining and using the user's personal information. Thus, the user can autonomously choose whether to provide personal information to software or hardware such as an electronic device, application, server, or storage medium that performs the operation of the technical solution of the present disclosure according to the prompt message.

作为一种可选的但非限制性的实施例,响应于接收到用户的主动请求,向用户发送提示信息的方式,例如可以是弹出窗口的方式,弹出窗口中可以以文字的方式呈现提示信息。此外,弹出窗口中还可以承载供用户选择“同意”或“不同意”向电子设备提供个人信息的选择控件。As an optional but non-limiting embodiment, in response to receiving an active request from the user, the prompt information is sent to the user in a manner such as a pop-up window, in which the prompt information can be presented in text form. In addition, the pop-up window can also carry a selection control for the user to choose "agree" or "disagree" to provide personal information to the electronic device.

可以理解的是,上述通知和获取用户授权过程仅是示意性的,不对本公开的实施例构成限定,其他满足相关法律法规的方式也可应用于本公开的实施例中。It is understandable that the above notification and the process of obtaining user authorization are merely illustrative and do not constitute a limitation to the embodiments of the present disclosure. Other methods that meet relevant laws and regulations may also be applied to the embodiments of the present disclosure.

近年来,虚拟机技术得到了广泛地应用。为了优化虚拟机的处理,提出了一种适用于虚拟机场景的二进制指令集,即,WebAssembly(在本公开中,将其简称为Wasm)。In recent years, virtual machine technology has been widely used. In order to optimize the processing of virtual machines, a binary instruction set suitable for virtual machine scenarios is proposed, namely, WebAssembly (abbreviated as Wasm in this disclosure).

Wasm技术具有较好的隔离性。具体而言,一个基于Wasm技术的虚拟机内可以同时执行多个Wasm程序。每个Wasm程序拥有独立的线性内存地址空间。在这种情况下,每个Wasm程序只能访问自身线性内存地址空间内的数据,而无法观察、干扰其他Wasm程序的执行流和数据流等。Wasm technology has good isolation. Specifically, multiple Wasm programs can be executed simultaneously in a virtual machine based on Wasm technology. Each Wasm program has an independent linear memory address space. In this case, each Wasm program can only access the data in its own linear memory address space, and cannot observe or interfere with the execution flow and data flow of other Wasm programs.

此外,Wasm技术属于轻量级指令集。具体而言,Wasm程序具有体积小、冷启动速度快以及对系统资源的消耗低的特点。进一步地,Wasm技术具有较好的可移植性,可作为其他高级语言的编译目标。 具体而言,Wasm指令是一种二进制格式并且不限定开发语言。在这种情况下,使用高级语言编写的程序可以被编译成Wasm字节码以在Wasm虚拟机中被运行。目前对Wasm指令支持较为成熟的语言包括C、C++、Rust等。In addition, Wasm technology is a lightweight instruction set. Specifically, Wasm programs are small in size, fast in cold start, and consume low system resources. Furthermore, Wasm technology has good portability and can be used as a compilation target for other high-level languages. Specifically, Wasm instructions are a binary format and are not limited to development languages. In this case, programs written in high-level languages can be compiled into Wasm bytecodes to be run in the Wasm virtual machine. Currently, languages that support Wasm instructions include C, C++, Rust, etc.

由于Wasm技术属于轻量级指令集,并且具有较好的可移植性和隔离性,因此,除浏览器场景外,Wasm技术被越来越多地应用于需要支持多语言多租户的程序的应用场景。Since Wasm technology is a lightweight instruction set and has good portability and isolation, in addition to browser scenarios, Wasm technology is increasingly used in application scenarios that need to support multi-language and multi-tenant programs.

然而,Wasm技术良好的隔离性在增强数据安全性的同时,也让Wasm程序间的数据交换变得更为复杂。如上所讨论的。Wasm程序在运行时,每个Wasm程序只能访问到自身的线性内存地址空间而无法访问自身线性内存地址空间之外的任何区域。在这种限制下,如果两个Wasm程序之间要想交换数据,通常只能通过内存复制的方式将数据从一个Wasm程序的线性内存地址空间复制到另一个Wasm程序的线性内存地址空间中,这导致交换在Wasm程序间交换数据的效率很低。However, while the good isolation of Wasm technology enhances data security, it also makes data exchange between Wasm programs more complicated. As discussed above. When a Wasm program is running, each Wasm program can only access its own linear memory address space and cannot access any area outside its own linear memory address space. Under this limitation, if two Wasm programs want to exchange data, they can usually only copy the data from the linear memory address space of one Wasm program to the linear memory address space of another Wasm program through memory copying, which results in low efficiency in exchanging data between Wasm programs.

在一些实施例中,可以通过内存重映射技术来实现共享内存以提高交换数据的效率。具体而言,内存重映射技术是指通过改变操作系统的地址翻译流程,将一个虚拟地址指向的物理内存空间重映射至另一片物理内存空间。例如,虚拟地址VA1原本指向物理地址PA1,可以对虚拟地址VA1进行重映射,使其指向物理地址PA2。这样程序可以通过访问VA1实现对物理地址PA2的访问。In some embodiments, shared memory can be implemented through memory remapping technology to improve the efficiency of exchanging data. Specifically, memory remapping technology refers to remapping the physical memory space pointed to by a virtual address to another physical memory space by changing the address translation process of the operating system. For example, the virtual address VA 1 originally points to the physical address PA 1 , and the virtual address VA 1 can be remapped to point to the physical address PA 2. In this way, the program can access the physical address PA 2 by accessing VA 1 .

在一些实施例中,通过将不同Wasm程序的线性内存地址空间中的一组连续虚拟地址重映射至共享数据区,可以实现内存共享。例如,第一Wasm程序期望将其线性内存地址空间中的一段内存区域RegionA,分享给第二Wasm程序和第三Wasm程序。第二Wasm程序和第三Wasm程序可以将其各自的线性内存地址空间中的一段未使用的且满足共享内存长度的虚拟地址空间映射至RegionA所对应的物理内存区域。因此,通过内存重映射技术可以在Wasm程序间实现内存共享,从而避免通过内存复制来实现数据共享所带来的额外系统开 销。In some embodiments, memory sharing can be achieved by remapping a set of continuous virtual addresses in the linear memory address space of different Wasm programs to a shared data area. For example, the first Wasm program expects to share a memory area Region A in its linear memory address space with the second Wasm program and the third Wasm program. The second Wasm program and the third Wasm program can map an unused virtual address space in their respective linear memory address spaces that meets the shared memory length to the physical memory area corresponding to Region A. Therefore, memory sharing can be achieved between Wasm programs through memory remapping technology, thereby avoiding the additional system development required to achieve data sharing through memory copying. pin.

近年来,为了提高数据的安全性,可信执行环境技术也被广泛应用于虚拟机的管理和维护场景。可信执行环境技术通过软硬件方法在中央处理器中构建一个安全区域,能够为运行在其中的程序提供一个具备机密性和完整性保护的独立执行环境。In recent years, in order to improve data security, trusted execution environment technology has also been widely used in virtual machine management and maintenance scenarios. Trusted execution environment technology builds a secure area in the central processor through software and hardware methods, which can provide an independent execution environment with confidentiality and integrity protection for the programs running in it.

在一些实施例中,可信执行环境可以实现进程级别的保护。具体而言,在可信执行环境中,程序运行代码和机密数据可以被维护在一块加密的隔离内存中,并在加密的隔离内存中完成计算,整个计算过程对外部不可见,即使是具有更高特权级的操作系统也无法看到加密的隔离内存中的执行流和机密数据。In some embodiments, the trusted execution environment can implement process-level protection. Specifically, in a trusted execution environment, program running code and confidential data can be maintained in an encrypted isolated memory, and calculations are completed in the encrypted isolated memory. The entire calculation process is invisible to the outside world, and even an operating system with a higher privilege level cannot see the execution flow and confidential data in the encrypted isolated memory.

在一些实施例中,由于Wasm技术可以实现更安全的内存隔离并未可以很好地支持多语言的架构,可以将Wasm技术应用于可信执行环境中,以通过Wasm技术来更方便、快速地构建轻量级的可信数据沙箱。在将Wasm技术应用于可信执行环境时,Wasm技术的内存安全特性限制了Wasm程序不能访问沙箱以外的地址空间,并且必须调用受到系统监管的应用程序编程接口来访问系统资源,这使得运行在可信执行环境内的Wasm程序具有双向沙箱的隔离保护。以此方式,可以有效地支持基于可信执行环境的隐私计算和云代理计算场景,并且可以打造公有云机密计算服务,诸如,功能即服务(Function as a Service,FaaS)。In some embodiments, since Wasm technology can achieve safer memory isolation and can well support multi-language architecture, Wasm technology can be applied to a trusted execution environment to more conveniently and quickly build a lightweight trusted data sandbox through Wasm technology. When Wasm technology is applied to a trusted execution environment, the memory security feature of Wasm technology restricts Wasm programs from accessing address spaces outside the sandbox, and must call system-supervised application programming interfaces to access system resources, which enables Wasm programs running in a trusted execution environment to have two-way sandbox isolation protection. In this way, privacy computing and cloud proxy computing scenarios based on a trusted execution environment can be effectively supported, and public cloud confidential computing services such as Function as a Service (FaaS) can be created.

在一些实施例中,基于软件故障隔离(Software-based fault isolation,SFI)的技术可以使得运行在同一系统内的多个Wasm程序之间互不干扰,互不可见。在该方案中,要求系统为每个Wasm程序设置连续且独立的线性内存地址空间,并限制每个Wasm程序只能访问自己的线性内存地址空间。然而,该线性内存管理机制导致对于共享内存的支持明显不足。具体而言,在使用线性内存模型时,多个Wasm程序的内存共享主要依赖于内存重映射技术。但是基于内存重映射的共享内存通用性不强,例如,无法支持用户态可信执行环境。这是因为用户态可信执行环境并不信任操作系统管理的页表,因此不 允许操作系统对可信执行环境的内存页进行重映射。此外,上述内存管理机制也无法实现细粒度的内存访问控制。在这种情况下,共享内存通常被设置为可读写的,而无法限定某个共享内存块对于一些Wasm程序只读,同时对于另一些Wasm程序可读写。In some embodiments, the technology based on software fault isolation (SFI) can make multiple Wasm programs running in the same system non-interfering with each other and invisible to each other. In this solution, the system is required to set a continuous and independent linear memory address space for each Wasm program, and limit each Wasm program to access only its own linear memory address space. However, this linear memory management mechanism leads to obvious lack of support for shared memory. Specifically, when using the linear memory model, the memory sharing of multiple Wasm programs mainly depends on memory remapping technology. However, the shared memory based on memory remapping is not very versatile. For example, it cannot support user-mode trusted execution environment. This is because the user-mode trusted execution environment does not trust the page table managed by the operating system, so it does not support the shared memory. The operating system is allowed to remap the memory pages of the trusted execution environment. In addition, the above memory management mechanism cannot achieve fine-grained memory access control. In this case, shared memory is usually set to read and write, and it is impossible to limit a shared memory block to read-only for some Wasm programs and read and write for other Wasm programs.

更重要的是,上述内存管理机制的安全性不够强。具体而言,Wasm程序的共享内存中的所有区域都是可读写的,不能单独配置只读权限,导致已有页表可以通过缓冲区溢出攻击来修改Wasm程序的常量变量,从而改变程序执行流。More importantly, the security of the above memory management mechanism is not strong enough. Specifically, all areas of the shared memory of the Wasm program are readable and writable, and read-only permissions cannot be configured separately, resulting in the existing page table being able to modify the constant variables of the Wasm program through buffer overflow attacks, thereby changing the program execution flow.

为了解决上述问题中的至少部分,本公开提出了一种基于可信执行环境的数据处理方案。该方案包括:在可信执行环境中,初始化第一程序和与第一程序不同的第二程序;分别为第一程序和第二程序分配第一内存空间和第二内存空间,其中第一内存空间为线性内存地址空间,并且包括至少包括第一内存页;并且其中第二内存空间为线性内存地址空间,并且包括至少包括第二内存页,第二内存页与第一内存页不同;将第一内存空间的第一内存页映射至可信执行环境的虚拟地址空间中的第一虚拟内存页;以及将第二内存空间的第二内存页映射至虚拟地址空间中的第一虚拟内存页。以此方式,可以在彼此隔离的线性内存间地址空间之实现共享内存。In order to solve at least part of the above problems, the present disclosure proposes a data processing scheme based on a trusted execution environment. The scheme includes: in a trusted execution environment, initializing a first program and a second program different from the first program; allocating a first memory space and a second memory space to the first program and the second program respectively, wherein the first memory space is a linear memory address space and includes at least a first memory page; and wherein the second memory space is a linear memory address space and includes at least a second memory page, and the second memory page is different from the first memory page; mapping the first memory page of the first memory space to the first virtual memory page in the virtual address space of the trusted execution environment; and mapping the second memory page of the second memory space to the first virtual memory page in the virtual address space. In this way, shared memory can be realized between linear memory address spaces isolated from each other.

示例环境Example Environment

图1示出了本公开的实施例能够在其中实现的示例环境100的示意图。如图1所示,示例环境100可以包括计算设备110。如图1所示,计算设备110可以被部署有可信执行环境150。在该可信执行环境150中,可以运行一个或多个虚拟机160。Fig. 1 shows a schematic diagram of an example environment 100 in which embodiments of the present disclosure can be implemented. As shown in Fig. 1, the example environment 100 may include a computing device 110. As shown in Fig. 1, the computing device 110 may be deployed with a trusted execution environment 150. In the trusted execution environment 150, one or more virtual machines 160 may be run.

虚拟机160上可以运行有多个程序,如图1所示的第一程序170-1和第二程序170-2。为便于讨论,第一程序170-1和第二程序170-2可以被统称为程序170。Multiple programs may be run on the virtual machine 160, such as the first program 170-1 and the second program 170-2 shown in FIG1. For ease of discussion, the first program 170-1 and the second program 170-2 may be collectively referred to as programs 170.

程序170的一个示例是Wasm程序,可信执行环境150的一个示例是基于用户态的可信执行环境,诸如,基于软件防护扩展(Software  Guard Extensions,SGX)的可信执行环境。An example of program 170 is a Wasm program. An example of trusted execution environment 150 is a trusted execution environment based on user mode, such as a trusted execution environment based on Software Guard Extensions (SGE). Guard Extensions (SGX) trusted execution environment.

Wasm程序具有解释器(Interpreter)、预先编译(Ahead Of Time,AOT)以及即时编译(Just In Time,JIT)三种运行模式。当Wasm运行在解释器模式时,需要逐一解释Wasm指令,并在虚按机160上执行对应操作。当Wasm运行在预先编译(Ahead-Of-Time,AOT)模式时,可以提前以类似于C++程序的编译步将Wasm字节码转换成机器码。经过预先编译的Wasm程序并不是一个可以直接运行的可执行文件,需要在运行时进行加载。当Wasm运行在即时编译模式时,其整体上还是解释执行,但会对频繁运行的代码进行编译以生成机器码来加速运行。Wasm programs have three operating modes: interpreter (Interpreter), ahead of time (Ahead Of Time, AOT) and just in time (Just In Time, JIT). When Wasm runs in interpreter mode, it is necessary to interpret Wasm instructions one by one and perform corresponding operations on the virtual machine 160. When Wasm runs in ahead of time (Ahead-Of-Time, AOT) mode, the Wasm bytecode can be converted into machine code in advance in a compilation step similar to that of a C++ program. The pre-compiled Wasm program is not an executable file that can be run directly and needs to be loaded at runtime. When Wasm runs in just-in-time compilation mode, it is still interpreted and executed as a whole, but frequently run code will be compiled to generate machine code to speed up the operation.

进一步地,程序170在运行时,可以被分配有彼此隔离的线性内存地址空间,每个线性内存地址空间可以包括有多个内存页,多个内存页中的至少部分页可以被映射至虚拟地址空间190的虚拟内存页上。如图1所示,第一程序170-1被分配有第一内存空间180-1,第二程序170-2被分配有第二内存空间180-2。Furthermore, when the program 170 is running, it may be allocated with mutually isolated linear memory address spaces, each of which may include multiple memory pages, and at least some of the multiple memory pages may be mapped to virtual memory pages of the virtual address space 190. As shown in FIG1 , the first program 170-1 is allocated with a first memory space 180-1, and the second program 170-2 is allocated with a second memory space 180-2.

接下来,以预先编译模式为例,来描述Wasm程序的地址映射机制。在Wasm程序执行时,可以使用32位地址去访问64位的虚拟内存地址。进一步地,Wasm程序只能看到32位的地址,把这种地址称为Wasm地址/程序地址,其取值区间为[0,4294967296],其中4294967296为32位无符号整数的最大值。在Wasm程序运行时,需要将Wasm地址转换为虚拟内存地址。从Wasm地址到虚拟地址的地址翻译流程如下所述。Next, we will take the pre-compilation mode as an example to describe the address mapping mechanism of the Wasm program. When the Wasm program is executed, a 32-bit address can be used to access a 64-bit virtual memory address. Furthermore, the Wasm program can only see a 32-bit address, which is called a Wasm address/program address, and its value range is [0, 4294967296], where 4294967296 is the maximum value of a 32-bit unsigned integer. When the Wasm program is running, the Wasm address needs to be converted to a virtual memory address. The address translation process from Wasm address to virtual address is described as follows.

在一些实施例中,Wasm程序在运行时,会被分配有大小为SIZEMem的线性虚拟内存。这段连续的线性虚拟内存被表示为[ADDRMem,ADDRMem+SIZEMem],其中ADDRMem为线性虚拟内存的起始虚拟内存地址。当Wasm程序访问线性内存时,Wasm地址ADDRWasm到虚拟地址ADDRVirt的映射为ADDRVirt=ADDRWasm+ADDRMemIn some embodiments, when the Wasm program is running, a linear virtual memory of size SIZE Mem is allocated. This continuous linear virtual memory is represented as [ADDR Mem , ADDR Mem + SIZE Mem ], where ADDR Mem is the starting virtual memory address of the linear virtual memory. When the Wasm program accesses the linear memory, the mapping of the Wasm address ADDR Wasm to the virtual address ADDR Virt is ADDR Virt = ADDR Wasm + ADDR Mem .

由于Wasm程序在运行时使用了连续的虚拟地址作为Wasm程序 的线性内存,整个翻译流程只要将Wasm地址和线性内存的起始地址相加即可,地址翻译流程变得非常简洁。Since Wasm programs use continuous virtual addresses as Wasm programs at runtime The linear memory of the Wasm address is simply the sum of the starting address of the linear memory, making the address translation process very simple.

在一些实施例中,计算设备110可以是任意类型的移动终端、固定终端或便携式终端,包括移动手机、台式计算机、膝上型计算机、笔记本计算机、上网本计算机、平板计算机、媒体计算机、多媒体平板、个人通信系统(PCS)设备、个人导航设备、个人数字助理(PDA)、音频/视频播放器、数码相机/摄像机、定位设备、电视接收器、无线电广播接收器、电子书设备、游戏设备或者前述各项的任意组合,包括这些设备的配件和外设或者其任意组合。在一些实施例中,客户端设备120也能够支持任意类型的针对用户的接口(诸如“可佩戴”电路等)。In some embodiments, the computing device 110 can be any type of mobile terminal, fixed terminal or portable terminal, including a mobile phone, a desktop computer, a laptop computer, a notebook computer, a netbook computer, a tablet computer, a media computer, a multimedia tablet, a personal communication system (PCS) device, a personal navigation device, a personal digital assistant (PDA), an audio/video player, a digital camera/camcorder, a positioning device, a television receiver, a radio broadcast receiver, an e-book device, a gaming device, or any combination of the foregoing, including accessories and peripherals of these devices or any combination thereof. In some embodiments, the client device 120 can also support any type of interface for the user (such as a "wearable" circuit, etc.).

备选地,在一些实施例中,计算设备110可以是独立的物理服务器,也可以是多个物理服务器构成的服务器集群或者分布式系统,还可以是提供云服务、云数据库、云计算、云函数、云存储、网络服务、云通信、中间件服务、域名服务、安全服务、内容分发网络、以及大数据和人工智能平台等基础云计算服务的云服务器。计算设备110例如可以包括计算系统/服务器,诸如大型机、边缘计算节点、云环境中的计算设备,等等。Alternatively, in some embodiments, the computing device 110 may be an independent physical server, or a server cluster or distributed system composed of multiple physical servers, or a cloud server that provides basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communications, middleware services, domain name services, security services, content distribution networks, and big data and artificial intelligence platforms. The computing device 110 may include, for example, a computing system/server, such as a mainframe, an edge computing node, a computing device in a cloud environment, and the like.

应当理解,仅出于示例性的目的描述环境100中各个元素的结构和功能,而不暗示对于本公开的范围的任何限制。换言之,环境100中的元素的结构、功能、数量和链接关系可以根据实际需要而发生改变。本公开在此方面不受限制。It should be understood that the structure and function of each element in the environment 100 are described only for exemplary purposes, and do not imply any limitation on the scope of the present disclosure. In other words, the structure, function, quantity and link relationship of the elements in the environment 100 can be changed according to actual needs. The present disclosure is not limited in this respect.

示例方法Example Method

图2示出根据本公开的一些实施例的数据处理过程200的流程图。为便于讨论,参考图1的环境100进行讨论。数据处理过程200可以被实现在计算设备110处。进一步地,当程序170为Wasm程序时,过程200可以由“Wasm运行时(Runtime)”来执行。FIG2 shows a flow chart of a data processing process 200 according to some embodiments of the present disclosure. For ease of discussion, the discussion is made with reference to the environment 100 of FIG1 . The data processing process 200 may be implemented at a computing device 110. Further, when the program 170 is a Wasm program, the process 200 may be executed by a “Wasm runtime”.

在如下的一些示例实施例中,Wasm程序将被作为第一程序 170-1/第二程序170-2的示例,基于软件防护扩展(SGX)的可信执行环境将被作为可信执行环境150的示例。应当理解,上述示例不能理解为对本公开保护范围的限定。在其他实施例中,第一程序170-1/第二程序170-2可以为其他具有良好隔离性的指令程序,可信执行环境150可以为其他用户态可信执行环境。本公开的保护范围在此方面不受限制。In some example embodiments as follows, the Wasm program will be used as the first program In the example of 170-1/second program 170-2, a trusted execution environment based on Software Guard Extension (SGX) will be used as an example of trusted execution environment 150. It should be understood that the above example cannot be understood as a limitation on the scope of protection of the present disclosure. In other embodiments, the first program 170-1/second program 170-2 can be other instruction programs with good isolation, and the trusted execution environment 150 can be other user-mode trusted execution environments. The scope of protection of the present disclosure is not limited in this respect.

在一些实施例中,第二内存空间180-2与第一内存空间180-1相互隔离。此外,第一内存空间180-1对第二程序170-2不可见,并且第二内存空间180-2对第一程序170-1不可见。In some embodiments, the second memory space 180-2 is isolated from the first memory space 180-1. In addition, the first memory space 180-1 is invisible to the second program 170-2, and the second memory space 180-2 is invisible to the first program 170-1.

在框210,在可信执行环境150中,计算设备110初始化第一程序170-1和第二程序170-2。At block 210 , in the trusted execution environment 150 , the computing device 110 initializes the first program 170 - 1 and the second program 170 - 2 .

在框220,计算设备110分别为第一程序170-1和第二程序170-2分配第一内存空间180-1和第二内存空间180-2。At block 220 , the computing device 110 allocates a first memory space 180 - 1 and a second memory space 180 - 2 to the first program 170 - 1 and the second program 170 - 2 , respectively.

在一些实施例中,第一内存空间180-1为线性内存地址空间,并且包括至少包括第一内存页。In some embodiments, the first memory space 180 - 1 is a linear memory address space and includes at least a first memory page.

在一些实施例中,第二内存空间180-2为线性内存地址空间,并且包括至少包括第二内存页,第二内存页与第一内存页不同。In some embodiments, the second memory space 180 - 2 is a linear memory address space and includes at least a second memory page, which is different from the first memory page.

在框230,计算设备110将第一内存空间180-1的第一内存页映射至可信执行环境的虚拟地址空间190中的第一虚拟内存页。At block 230 , the computing device 110 maps a first memory page of the first memory space 180 - 1 to a first virtual memory page in the virtual address space 190 of the trusted execution environment.

在框240,计算设备110将第二内存空间180-2的第二内存页映射至虚拟地址空间190中的第一虚拟内存页。In box 240, the computing device 110 maps the second memory page of the second memory space 180-2 to the first virtual memory page in the virtual address space 190.

可见,通过把分配给程序170的线性内存地址空间以内存页为单位进行划分,并且以内存页为单元映射至虚拟内存页上,可以在可信执行环境中建立基于分页的内存管理和维护机制。以此方式,可以在彼此隔离的线性内存地址空间之间实现共享内存。It can be seen that by dividing the linear memory address space allocated to the program 170 into memory pages and mapping the memory pages into virtual memory pages, a paging-based memory management and maintenance mechanism can be established in a trusted execution environment. In this way, shared memory can be implemented between isolated linear memory address spaces.

在一些实施例中,第一内存空间180-1还包括第三内存页和第四内存页,其中第三内存页和第四内存页为第一内存空间180-1中的两个连续内存页。计算设备110将第一内存空间180-1的第三内存页映射至虚拟地址空间190中的第二虚拟内存页,并且将第一内存空间 180-1的第四内存页映射至可虚拟地址空间190中的第三虚拟内存页,其中第二虚拟内存页和第三虚拟内存页在虚拟地址空间190中不连续。In some embodiments, the first memory space 180-1 further includes a third memory page and a fourth memory page, wherein the third memory page and the fourth memory page are two consecutive memory pages in the first memory space 180-1. The computing device 110 maps the third memory page of the first memory space 180-1 to the second virtual memory page in the virtual address space 190, and maps the first memory space 180-1 to the second virtual memory page in the virtual address space 190. The fourth memory page of 180 - 1 is mapped to the third virtual memory page in the virtual address space 190 , wherein the second virtual memory page and the third virtual memory page are not continuous in the virtual address space 190 .

参考图3以更好地理解上述过程,其中图3示出了根据本公开的一些实施例的内存映射300的框图。为便于讨论,参考图1的环境100进行讨论。The above process is better understood with reference to FIG3 , which shows a block diagram of a memory map 300 according to some embodiments of the present disclosure. For ease of discussion, reference is made to the environment 100 of FIG1 .

在图3实施例中,第一内存空间180-1被分配给第一程序170-1,其包括第一内存页310、第三内存页311以及第四内存页312等。第二内存空间180-2被分配给第一程序170-2,其包括第二内存页320等。3, the first memory space 180-1 is allocated to the first program 170-1, which includes the first memory page 310, the third memory page 311, and the fourth memory page 312, etc. The second memory space 180-2 is allocated to the first program 170-2, which includes the second memory page 320, etc.

计算设备110负责维护虚拟地址空间190,虚拟地址空间190包括第一虚拟内存页330、第二虚拟内存页331、第三虚拟内存页332等。当第一程序170-1(或第二程序170-2)需要使用第一内存空间180-1/第二内存空间180-2时,由计算设备110来负责建立/维护/解释第一内存空间180-1/第二内存空间180-2到虚拟地址空间190的映射。The computing device 110 is responsible for maintaining the virtual address space 190, which includes the first virtual memory page 330, the second virtual memory page 331, the third virtual memory page 332, etc. When the first program 170-1 (or the second program 170-2) needs to use the first memory space 180-1/the second memory space 180-2, the computing device 110 is responsible for establishing/maintaining/interpreting the mapping of the first memory space 180-1/the second memory space 180-2 to the virtual address space 190.

如图3所示,第一程序170-1的第一内存页310和第二程序170-2的第二内存页320均被映射至了第一虚拟内存页330。换句话说,根据本公开的一些实施例中,可以通过修改地址映射/翻译过程来实现共享内存。3 , the first memory page 310 of the first program 170 - 1 and the second memory page 320 of the second program 170 - 2 are both mapped to the first virtual memory page 330. In other words, according to some embodiments of the present disclosure, shared memory can be implemented by modifying the address mapping/translation process.

进一步地,在图3的特定实施例中,第一内存页310和第二内存页320可以被称为共享内存页;由于第三内存页311和第四内存页312不与其他程序共享,因此第三内存页311和第四内存页312也可以被称为第一程序170-1的私有内存页。Further, in the specific embodiment of Figure 3, the first memory page 310 and the second memory page 320 can be called shared memory pages; since the third memory page 311 and the fourth memory page 312 are not shared with other programs, the third memory page 311 and the fourth memory page 312 can also be called private memory pages of the first program 170-1.

在图3中,第三内存页311和第四内存页在第一内存空间180-1中连续。在操作中,第三内存页311和第四内存页被分别映射至第二虚拟内存页331和第三虚拟内存页332。3 , the third memory page 311 and the fourth memory page are continuous in the first memory space 180 - 1 . In operation, the third memory page 311 and the fourth memory page are mapped to the second virtual memory page 331 and the third virtual memory page 332 , respectively.

以此方式,线性内存地址空间中的连续内存页可以以非线性的方式映射至虚拟地址空间190的非连续虚拟内存页上。以此方式,内存映射的方式将更加灵活。In this way, continuous memory pages in the linear memory address space can be mapped in a non-linear manner to non-contiguous virtual memory pages in the virtual address space 190. In this way, the memory mapping method will be more flexible.

根据本公开的一些实施例,可以通过页表的方式来对系统中的内 存页进行管理和维护。接下来,将结合示例实施例对如何设计和维护页表进行描述。According to some embodiments of the present disclosure, the internal memory in the system can be accessed through a page table. Next, how to design and maintain the page table will be described in conjunction with an exemplary embodiment.

在一些实施例中,可以将线性内存地址空间的内存大小设置为预定内存块的整数倍。例如,当程序170为Wasm程序时,分配给程序170的线性内存地址空间的大小可以为65536字节(即,64KB)的整数倍。In some embodiments, the memory size of the linear memory address space can be set to an integer multiple of a predetermined memory block. For example, when the program 170 is a Wasm program, the size of the linear memory address space allocated to the program 170 can be an integer multiple of 65536 bytes (ie, 64KB).

参见图4,示出了根据本公开的一些实施例的程序地址400的框图。在图4的特定实施例中,每个内存页的大小为64KB,则对于32位的程序地址而言,高/低16位可以被作为内存页索引,低/高16位可以作为页内偏移量。Referring to Fig. 4, a block diagram of a program address 400 according to some embodiments of the present disclosure is shown. In the specific embodiment of Fig. 4, the size of each memory page is 64KB, then for a 32-bit program address, the high/low 16 bits can be used as a memory page index, and the low/high 16 bits can be used as an offset within the page.

在一些实施例中,计算设备110可以为第一程序170-1生成第一映射表,其中第一映射表包括至少一个页表条目。进一步地,每个页表条目与第一内存空间180-1中的一个相应的内存页相对应并且指示以下至少一项:相应的内存页是否已经被映射至虚拟地址空间190中的一虚拟内存页,或与相应的内存页相对应的虚拟内存页的在虚拟地址空间190中的虚拟地址信息。In some embodiments, the computing device 110 may generate a first mapping table for the first program 170-1, wherein the first mapping table includes at least one page table entry. Further, each page table entry corresponds to a corresponding memory page in the first memory space 180-1 and indicates at least one of the following: whether the corresponding memory page has been mapped to a virtual memory page in the virtual address space 190, or virtual address information of the virtual memory page corresponding to the corresponding memory page in the virtual address space 190.

继续参考图3。在图3中,第一映射表可以包括与第一内存页310相对应的第一页表条目,其中第一页表条目包括以下至少一项:第一信息,第一信息指示第一内存页310已经被映射至第一虚拟内存页330,以及第二信息,第二信息指示标识第一虚拟内存页330的第一虚拟地址。Continue to refer to Figure 3. In Figure 3, the first mapping table may include a first page table entry corresponding to the first memory page 310, wherein the first page table entry includes at least one of the following: first information indicating that the first memory page 310 has been mapped to the first virtual memory page 330, and second information indicating a first virtual address identifying the first virtual memory page 330.

在程序170为Wasm程序的示例实施例中,可以将Wasm程序的Wasm地址与虚拟地址的映射关系储存在该页表中,即,存储Wasm程序的内存页信息与虚拟内存页的映射关系。In an example embodiment where program 170 is a Wasm program, the mapping relationship between the Wasm address and the virtual address of the Wasm program may be stored in the page table, that is, the mapping relationship between the memory page information of the Wasm program and the virtual memory page is stored.

进一步地,在Wasm程序被分配的最大内存为4G并且每个内存页为64KB的情况下,每个Wasm程序最多可以被分配有65536个内存页(因为64KB*65536=4GB)。在这种情况下,每个页表中可以包括最多65536个页表条目,每个页表条目里面存储与一个内存页相对应的信息。在一些实施例中,每个页表条目可以包括第一信息,该 参数可以为一布尔值,用来表示该Wasm内存页是否已经与一个虚拟内存页相绑定,或者Wasm内存页的起始地址是否已经与一个虚拟内存页的起始地址相绑定。如果一个Wasm内存页已经与一个虚拟内存页相绑定,则该第一信息值为true,对应的页表条目可以被称为已映射页表条目。相应地,如果一个Wasm内存页尚未与一个虚拟内存页相绑定,则该第一信息值为false,对应的页表条目可以被称为未映射页表条目。备选地,每个页表条目还可以包括第二信息,在第一信息为true/一个Wasm内存页已经与一个虚拟内存页相绑定的情况下,该第二信息指示该Wasm内存页所绑定的虚拟内存页的起始地址。Furthermore, when the maximum memory allocated to the Wasm program is 4G and each memory page is 64KB, each Wasm program can be allocated a maximum of 65536 memory pages (because 64KB*65536=4GB). In this case, each page table can include a maximum of 65536 page table entries, each of which stores information corresponding to a memory page. In some embodiments, each page table entry may include first information, which The parameter can be a Boolean value, which is used to indicate whether the Wasm memory page has been bound to a virtual memory page, or whether the starting address of the Wasm memory page has been bound to the starting address of a virtual memory page. If a Wasm memory page has been bound to a virtual memory page, the first information value is true, and the corresponding page table entry can be called a mapped page table entry. Correspondingly, if a Wasm memory page has not yet been bound to a virtual memory page, the first information value is false, and the corresponding page table entry can be called an unmapped page table entry. Alternatively, each page table entry may also include second information, and when the first information is true/a Wasm memory page has been bound to a virtual memory page, the second information indicates the starting address of the virtual memory page to which the Wasm memory page is bound.

以此方式,内存页的映射关系可以通过页表来单独维护,降低了内存页维护的成本,提高了内存页维护的效率。In this way, the mapping relationship of memory pages can be maintained separately through the page table, which reduces the cost of memory page maintenance and improves the efficiency of memory page maintenance.

进一步地,可以通过动态修改页表的方式来实现内存的动态分配。具体而言,当计算设备110加载一个程序170时,会为该程序创建页表,在执行过程中,页表中的至少一个页表条目可以被动态修改,即,将未映射的内存页映射至对应的虚拟内存页上。Furthermore, dynamic allocation of memory can be achieved by dynamically modifying the page table. Specifically, when the computing device 110 loads a program 170, a page table is created for the program. During execution, at least one page table entry in the page table can be dynamically modified, that is, an unmapped memory page is mapped to a corresponding virtual memory page.

在一些实施例中,响应于第一程序170-1被运行,计算设备110为第一程序170-1生成第一映射表,其中第一映射表具有预设数目的页表条目,例如,等于(或小于)65536个页表条目。In some embodiments, in response to the first program 170 - 1 being executed, the computing device 110 generates a first mapping table for the first program 170 - 1 , wherein the first mapping table has a preset number of page table entries, for example, equal to (or less than) 65536 page table entries.

进一步地,响应于检测到针对第一程序170-1的增加内存指令,计算设备110在第一映射表中修改至少一个页表条目以指示第一内存空间180-1中的至少一个新分配的内存页与虚拟地址空间190中的至少一个虚拟内存页的映射关系。Further, in response to detecting an increase memory instruction for the first program 170-1, the computing device 110 modifies at least one page table entry in the first mapping table to indicate a mapping relationship between at least one newly allocated memory page in the first memory space 180-1 and at least one virtual memory page in the virtual address space 190.

附加地,在程序170释放之前,可以允许程序170释放之前已经建立的映射。例如,程序170可以调用系统提供的映射释放接口,按照程序170的要求释放一部分内存页映射。Additionally, before the program 170 is released, the program 170 may be allowed to release the previously established mapping. For example, the program 170 may call a mapping release interface provided by the system to release a portion of the memory page mapping according to the program 170's requirements.

以Wasm程序为例进行进一步描述。Wasm程序字节码指定了其初始内存大小和最大内存大小,因此创建页表时,计算设备110可以首先映射部分Wasm页到虚拟内存一页,以满足程序初始内存大小需求,例如,创建65536个页表条目的页表,将其中的4096个条目修 改为已映射条目。The Wasm program is used as an example for further description. The Wasm program bytecode specifies its initial memory size and maximum memory size. Therefore, when creating a page table, the computing device 110 may first map part of the Wasm page to a virtual memory page to meet the program's initial memory size requirement. For example, a page table with 65536 page table entries is created, and 4096 of the entries are modified. Change to mapped entry.

后续如果Wasm程序有内存增长需求,则通过Wasm内存增长指令来建立更多的映射以实现内存扩容,即通过将未映射页表条目修改为已映射页表条目。相应地,在Wasm程序释放前,Wasm程序也可以调用系统指令来释放已映射页表条目。If the Wasm program has a memory growth requirement later, more mappings are created through the Wasm memory growth instruction to achieve memory expansion, that is, by modifying the unmapped page table entries to mapped page table entries. Correspondingly, before the Wasm program is released, the Wasm program can also call the system instruction to release the mapped page table entries.

以此方式,系统的内存可以根据需要按需分配,并且可以在不需要时及时释放,由此提高了系统资源的利用率。In this way, the system's memory can be allocated on demand as needed and released promptly when not needed, thereby improving the utilization of system resources.

根据本公开的一些实施例,可以为不同的内存页配置不同的读写权限。当内存页为共享内存页时,可以有效地提高数据管理的安全性。According to some embodiments of the present disclosure, different read and write permissions can be configured for different memory pages. When the memory page is a shared memory page, the security of data management can be effectively improved.

在一些实施例中,第一映射表包括第一子映射表和/或第二子映射表。第一子映射表包括至少一个第一页表条目,该至少一个第一页表条目与第一程序170-1具有只读权限的至少一个内存页相对应。相应地,第二子映射表包括至少一个第二页表条目,该至少一个第二页表条目与第一程序170-1具有写权限的至少一个内存页相对应。In some embodiments, the first mapping table includes a first sub-mapping table and/or a second sub-mapping table. The first sub-mapping table includes at least one first page table entry, and the at least one first page table entry corresponds to at least one memory page for which the first program 170-1 has read-only permission. Accordingly, the second sub-mapping table includes at least one second page table entry, and the at least one second page table entry corresponds to at least one memory page for which the first program 170-1 has write permission.

在另一些实现内存页读写权项控制的实施例中,每个页表条目出包括第一信息和第二信息外,还可以包括第三信息,第三信息指示相应程序针对该页表条目所对应的内存页的读写权限信息。In other embodiments of implementing memory page read and write permission control, each page table entry may include third information in addition to the first information and the second information, and the third information indicates the read and write permission information of the corresponding program for the memory page corresponding to the page table entry.

依然以Wasm程序为例描述读写控制权项的实施例。在一些实施例中,当多个Wasm程序互相共享内存时,需要对共享内存的写权限进行限制,以防止无关程序对共享内存做修改。Still taking the Wasm program as an example to describe the embodiment of the read-write control right item. In some embodiments, when multiple Wasm programs share memory with each other, it is necessary to restrict the write permission of the shared memory to prevent irrelevant programs from modifying the shared memory.

然而,传统的方案无法实现对共享内存实现读写控制。具体而言,在传统的方案中,权限控制对所有的Wasm程序生效。因此在传统方案中,当一个Wasm程序获得一块共享内存的访问权限时,它同时拥有读写权限。在这种限制下,Wasm程序也无法限制另一个Wasm程序只能读取共享内存,因为在传统的方案中,如果共享内存页被设置为只读时,系统内的所有Wasm程序都无法获得写权限。However, the traditional solution cannot achieve read and write control of shared memory. Specifically, in the traditional solution, permission control is effective for all Wasm programs. Therefore, in the traditional solution, when a Wasm program obtains access to a piece of shared memory, it has both read and write permissions. Under this restriction, a Wasm program cannot limit another Wasm program to only read shared memory, because in the traditional solution, if the shared memory page is set to read-only, all Wasm programs in the system cannot obtain write permissions.

根据本公开的基于分页的内存管理和维护机制,可以通过设立读页表(即,第一子映射表)和写页表(即,第二子映射表)来优化内存访问控制。具体而言,计算设备110为每个Wasm程序维护两个单 级页表,也即读页表和写页表。读页表记录了程序有只读权限的地址映射,写页表则记录程序有写权限的地址映射;当Wasm程序执行读内存指令时,使用读页表进行地址翻译,当Wasm程序写内存时,则使用写页表进行地址翻译。以此方式,可以实现一个Wasm程序对不同内存页读/写的访问控制。According to the paging-based memory management and maintenance mechanism disclosed in the present invention, memory access control can be optimized by setting up a read page table (i.e., the first sub-mapping table) and a write page table (i.e., the second sub-mapping table). Specifically, the computing device 110 maintains two single pages for each Wasm program. The Wasm program uses the read page table to translate the address, and the write page table to translate the address. In this way, a Wasm program can implement read/write access control for different memory pages.

根据本公开的基于分页的内存管理和维护机制,还可以在内存页粒度上修改程序地址到虚拟地址的映射关系,从而很方便地实现跨程序的共享内存。接下来,将参考图5进一步描述夸程序的共享内存的创建。图5示出了根据本公开的一些实施例的共享内存映射方法500的流程图。在图5的实施例中,计算设备110已经将第一内存页映射至第一虚拟内存页。According to the paging-based memory management and maintenance mechanism disclosed herein, the mapping relationship between program addresses and virtual addresses can also be modified at the memory page granularity, thereby conveniently realizing cross-program shared memory. Next, the creation of cross-program shared memory will be further described with reference to FIG5. FIG5 shows a flow chart of a shared memory mapping method 500 according to some embodiments of the present disclosure. In the embodiment of FIG5, the computing device 110 has mapped a first memory page to a first virtual memory page.

在框510,在第一程序运行期间,计算设备110检测由第一程序170-1发起的创建共享内存的请求,该共享内存创建请求指示第一内存页的第一内存地址信息、第一程序针对第一内存页所设置的读写权限信息以及第一内存页的第一标识信息。In box 510, during the execution of the first program, the computing device 110 detects a request for creating a shared memory initiated by the first program 170-1, and the shared memory creation request indicates the first memory address information of the first memory page, the read and write permission information set by the first program for the first memory page, and the first identification information of the first memory page.

在框520,响应于检测到由第二程序170-2发起的查询共享内存的请求,计算设备110向第二程序170-2返回共享内存的标识信息列表,该标识信息列表包括第一内存页的第一标识信息。In block 520 , in response to detecting a request initiated by the second program 170 - 2 to query the shared memory, the computing device 110 returns an identification information list of the shared memory to the second program 170 - 2 , the identification information list including the first identification information of the first memory page.

在框530,计算设备110检测由第二程序170-2发起的共享内存映射请求,该共享内存映射请求指示第二内存页的第二内存地址信息以及第一内存页的第一标识信息。In block 530 , the computing device 110 detects a shared memory mapping request initiated by the second program 170 - 2 , the shared memory mapping request indicating second memory address information of the second memory page and first identification information of the first memory page.

在框540,响应于检测到共享内存映射请求,计算设备110将第二内存页映射至第一虚拟内存页。At block 540 , in response to detecting the shared memory mapping request, the computing device 110 maps the second memory page to the first virtual memory page.

依然以Wasm程序为例来进行描述。在一些实施例中,第一Wasm程序可以调用预设函数来创建共享内存页,该预设函数的输入参数可以包括:1)指示第一Wasm程序期望共享的一段共享内存的信息;2)指示这块共享区域的访问控制策略的信息,也即其他Wasm程序对这块区域的读写权限;3)用于标识这段共享内存的标识。作为示例,第一Wasm程序期望共享第一内存页,并限制其他Wasm程序不能修 改第一内存页的内容,并设置第一内存页的标识为“1”。Still taking the Wasm program as an example for description. In some embodiments, the first Wasm program can call a preset function to create a shared memory page. The input parameters of the preset function may include: 1) information indicating a section of shared memory that the first Wasm program expects to share; 2) information indicating the access control policy of this shared area, that is, the read and write permissions of other Wasm programs to this area; 3) an identifier for identifying this section of shared memory. As an example, the first Wasm program expects to share the first memory page and restrict other Wasm programs from modifying it. Change the content of the first memory page and set the flag of the first memory page to "1".

第二Wasm程序可以发送共享内存查询请求。计算设备110向第二Wasm程序返回一个列表,该列表中存放了当前所存在的共享内存区域的标识,例如,第一内存页的标识“1”。The second Wasm program may send a shared memory query request. The computing device 110 returns a list to the second Wasm program, in which the identifiers of the currently existing shared memory areas are stored, for example, the identifier "1" of the first memory page.

第二Wasm程序可以通过发送共享内存映射请求来将自己线性内存地址空间内的一内存区域重映射至相应的共享内存。例如,第二Wasm程序期望将自己的第二内存页映射至第一Wasm程序的第一内存页,则第二Wasm程序发送指示第二内存页地址和第一内存页标识“1”的共享内存映射请求。计算设备110可以将第二内存页映射至第一虚拟内存页,即,与第一内存页对应的虚拟内存页。The second Wasm program can remap a memory area in its own linear memory address space to the corresponding shared memory by sending a shared memory mapping request. For example, if the second Wasm program expects to map its second memory page to the first memory page of the first Wasm program, the second Wasm program sends a shared memory mapping request indicating the second memory page address and the first memory page identifier "1". The computing device 110 can map the second memory page to the first virtual memory page, that is, the virtual memory page corresponding to the first memory page.

以此方式,可以在不引入过多开销的前提下,方便快捷地实现内存共享,并且可以实现不同Wasm程序享有不同的读写权限控制。In this way, memory sharing can be achieved quickly and easily without introducing too much overhead, and different Wasm programs can have different read and write permission controls.

此外,为了进一步提高数据的安全性,计算设备110可以设置边界检查规则,以避免程序170的越界访问。具体而言,计算设备110会对每一次针对线性内存地址空间发起的访问进行边界检查,以确保一个程序只能访问自己的线性内存地址空间。In addition, to further improve data security, computing device 110 may set boundary checking rules to prevent out-of-bounds access by program 170. Specifically, computing device 110 performs boundary checking on each access initiated to the linear memory address space to ensure that a program can only access its own linear memory address space.

在分页内存管理模式下,可以使用异常内存页来辅助实现边界检查。参考图6,其示出了根据本公开的一些实施例的另一内存映射600的框图。In the paging memory management mode, an exception memory page may be used to assist in implementing boundary checking. Referring to FIG. 6 , it shows a block diagram of another memory map 600 according to some embodiments of the present disclosure.

在一些实施例中,计算设备110检测由第一程序170-1发起的数据的访问请求。响应于检测到由第一程序170-1发起的数据的访问请求,计算设备110确定该数据所对应的内存地址是否在第一内存空间180-1内,如果内存地址不在第一内存空间180-1内,则将该内存地址映射至虚拟地址空间190的异常虚拟内存页610。In some embodiments, the computing device 110 detects a data access request initiated by the first program 170-1. In response to detecting the data access request initiated by the first program 170-1, the computing device 110 determines whether the memory address corresponding to the data is within the first memory space 180-1, and if the memory address is not within the first memory space 180-1, maps the memory address to an abnormal virtual memory page 610 of the virtual address space 190.

以Wasm程序为例,计算设备110可以为每个Wasm程序单独维护一个64KB大小的内存区域,称为异常内存页。在一些实施例中,计算设备110预先将未映射页表项中的虚拟内存页的地址修改为指向异常内存页的虚拟内存地址。因此,当Wasm程序访问未映射的内存页时,实际上访问的是自己的异常内存页。 Taking the Wasm program as an example, the computing device 110 can maintain a 64KB memory area for each Wasm program, which is called an abnormal memory page. In some embodiments, the computing device 110 pre-modifies the address of the virtual memory page in the unmapped page table entry to point to the virtual memory address of the abnormal memory page. Therefore, when the Wasm program accesses the unmapped memory page, it actually accesses its own abnormal memory page.

以此方式,在内存访问合法的情况下,异常内存页永远不会被访问到,只有当内存越界时,异常内存页才会被访问。由于异常内存页内不存放任何有意义的信息,因此越界访问时仅能接触异常内存页而并不会影响Wasm原有的沙箱设计。In this way, when the memory access is legal, the abnormal memory page will never be accessed. Only when the memory is out of bounds, the abnormal memory page will be accessed. Since the abnormal memory page does not store any meaningful information, the out-of-bounds access can only touch the abnormal memory page and will not affect the original sandbox design of Wasm.

根据本公开的一些实施例,提出了一种分页内存管理方法,尤其适用于基于Wasm的SGX环境。本公开的分页内存管理能够有效解决线性内存模型共享内存支持不足、无法灵活设置只读权限的缺点。According to some embodiments of the present disclosure, a paging memory management method is proposed, which is particularly suitable for the Wasm-based SGX environment. The paging memory management disclosed in the present disclosure can effectively solve the shortcomings of insufficient support for shared memory in the linear memory model and the inability to flexibly set read-only permissions.

此外,根据本公开的基于分页的内存管理和维护机制,Wasm程序的线性内存所对应的虚拟地址可以是非连续的,并且支持通过在页表上建立或取消相应映射来动态地增加或减少线性内存。In addition, according to the paging-based memory management and maintenance mechanism disclosed in the present invention, the virtual address corresponding to the linear memory of the Wasm program can be non-contiguous, and it supports dynamically increasing or decreasing the linear memory by establishing or canceling the corresponding mapping on the page table.

更要的是,根据本公开的基于分页的内存管理和维护机制实现的共享内存方案,通用性更强(适用于包括SGX在内的多种类型的可信执行环境),而且能在多个程序间对共享内存区域实现灵活的读写权限控制。More importantly, the shared memory solution implemented according to the paging-based memory management and maintenance mechanism disclosed in the present invention is more versatile (applicable to various types of trusted execution environments including SGX), and can implement flexible read and write permission control on shared memory areas between multiple programs.

示例装置和设备Example devices and equipment

图7示出了根据本公开的某些实施例的数据处理装置700的示意性结构框图。装置700可以被实现为或者被包括在计算设备110中。装置700中的各个模块/组件可以由硬件、软件、固件或者它们的任意组合来实现。7 shows a schematic structural block diagram of a data processing apparatus 700 according to some embodiments of the present disclosure. The apparatus 700 may be implemented as or included in a computing device 110. Each module/component in the apparatus 700 may be implemented by hardware, software, firmware, or any combination thereof.

如图7所示,装置700包括:程序初始化模块710,被配置为:在可信执行环境中,初始化第一程序和与第一程序不同的第二程序;内存分配模块720,被配置为分别为第一程序和第二程序分配第一内存空间和第二内存空间;其中,第一内存空间对第一程序可见并且对第二程序不可见,并且第二内存空间对第二程序可见并且对第一程序不可见;其中,第一内存空间为线性内存地址空间,并且包括至少包括第一内存页;并且其中,第二内存空间为线性内存地址空间,并且包括至少包括第二内存页,第二内存页与第一内存页不同;第一映射模块730,被配置为将第一内存空间的第一内存页映射至可信执行环 境的虚拟地址空间中的第一虚拟内存页;以及第二映射模块740,被配置为将第二内存空间的第二内存页映射至虚拟地址空间中的第一虚拟内存页。As shown in FIG. 7 , the apparatus 700 includes: a program initialization module 710, configured to: in a trusted execution environment, initialize a first program and a second program different from the first program; a memory allocation module 720, configured to allocate a first memory space and a second memory space to the first program and the second program, respectively; wherein the first memory space is visible to the first program and invisible to the second program, and the second memory space is visible to the second program and invisible to the first program; wherein the first memory space is a linear memory address space and includes at least a first memory page; and wherein the second memory space is a linear memory address space and includes at least a second memory page, the second memory page being different from the first memory page; a first mapping module 730, configured to map a first memory page of the first memory space to the trusted execution environment; and a second mapping module 740, configured to map a second memory page of the second memory space to the first virtual memory page in the virtual address space.

在一些实施例中,装置700还包括越界检查模块,被配置为响应于检测到由第一程序发起的数据的访问请求,确定数据所对应的内存地址是否在第一内存空间内;以及根据确定内存地址不在第一内存空间内,将内存地址映射至虚拟地址空间的异常虚拟内存页。In some embodiments, the device 700 also includes an out-of-bounds check module, which is configured to determine whether the memory address corresponding to the data is within the first memory space in response to detecting an access request for data initiated by the first program; and based on determining that the memory address is not within the first memory space, map the memory address to an abnormal virtual memory page of the virtual address space.

在一些实施例中,装置700还包括:页表生成模块,被配置为:为第一程序生成第一映射表,第一映射表包括至少一个页表条目,每个页表条目与第一内存空间中的一个相应的内存页相对应并且指示以下至少一项:相应的内存页是否已经被映射至虚拟地址空间中一虚拟内存页,或与相应的内存页相对应的虚拟内存页的在虚拟地址空间中的虚拟地址信息。In some embodiments, the device 700 also includes: a page table generation module, configured to: generate a first mapping table for the first program, the first mapping table including at least one page table entry, each page table entry corresponding to a corresponding memory page in the first memory space and indicating at least one of the following: whether the corresponding memory page has been mapped to a virtual memory page in the virtual address space, or virtual address information of the virtual memory page corresponding to the corresponding memory page in the virtual address space.

在一些实施例中,页表生成模块还被配置为:响应于检测到第一程序被初始化,为第一程序生成第一映射表,第一映射表具有预设数目的页表条目。装置700还包括:内存修改模块,被配置为响应于检测到针对第一程序的增加内存指令,在第一映射表中修改至少一个页表条目以指示第一内存空间中的至少一个新分配的内存页与虚拟地址空间中的至少一个虚拟内存页的映射关系。In some embodiments, the page table generation module is further configured to: in response to detecting that the first program is initialized, generate a first mapping table for the first program, the first mapping table having a preset number of page table entries. The device 700 also includes: a memory modification module, configured to, in response to detecting an increase memory instruction for the first program, modify at least one page table entry in the first mapping table to indicate a mapping relationship between at least one newly allocated memory page in the first memory space and at least one virtual memory page in the virtual address space.

在一些实施例中,第一映射表包括与第一内存页相对应的第一页表条目,第一映射表条目包括以下至少一项:第一信息,第一信息指示第一内存页已经被映射至第一虚拟内存页,第二信息,第二信息指示标识第一虚拟内存页的第一虚拟地址,以及第三信息,第三信息指示第一程序针对第一内存页的读写权限信息。In some embodiments, the first mapping table includes a first page table entry corresponding to the first memory page, the first mapping table entry including at least one of the following: first information indicating that the first memory page has been mapped to a first virtual memory page, second information indicating a first virtual address identifying the first virtual memory page, and third information indicating read and write permission information of the first program for the first memory page.

在一些实施例中,第一映射表包括以下至少一项:第一子映射表,第一子映射表包括至少一个第一页表条目,至少一个第一页表条目与第一程序具有只读权限的至少一个内存页相对应;第二子映射表,第二子映射表包括至少一个第二页表条目,至少一个第二页表条目与第一程序具有写权限的至少一个内存页相对应。 In some embodiments, the first mapping table includes at least one of the following: a first sub-mapping table, the first sub-mapping table includes at least one first page table entry, and the at least one first page table entry corresponds to at least one memory page for which the first program has read-only permission; a second sub-mapping table, the second sub-mapping table includes at least one second page table entry, and the at least one second page table entry corresponds to at least one memory page for which the first program has write permission.

在一些实施例中,第一内存空间还包括第三内存页和第四内存页,第三内存页和第四内存页为第一内存空间中的两个连续内存页,装置700还包括:第二映射模块,被配置为将第三内存页映射至虚拟地址空间中的第二虚拟内存页;以及第三映射模块,被配置为将第四内存页映射至虚拟地址空间中的第三虚拟内存页,第二虚拟内存页和第三虚拟内存页在虚拟地址空间中不连续。In some embodiments, the first memory space also includes a third memory page and a fourth memory page, and the third memory page and the fourth memory page are two consecutive memory pages in the first memory space. The device 700 also includes: a second mapping module, configured to map the third memory page to a second virtual memory page in the virtual address space; and a third mapping module, configured to map the fourth memory page to a third virtual memory page in the virtual address space, and the second virtual memory page and the third virtual memory page are not consecutive in the virtual address space.

在一些实施例中,装置700还包括:共享请求检测模块,被配置为:在第一程序运行期间,检测由第一程序发起的创建共享内存的请求,创建共享内存的请求指示如下信息:第一内存页的第一内存地址信息、第一程序针对第一内存页所设置的读写权限信息以及第一内存页的第一标识信息;共享内存查询请求处理模块,被配置为:响应于检测到由第二程序发起的查询共享内存的请求,向第二程序返回在可信执行环境中的共享内存的标识信息列表,标识信息列表包括第一内存页的第一标识信息;共享内存映射请求处理模块,被配置为:检测由第二程序发起的共享内存映射请求,共享内存映射请求指示第二内存页的第二内存地址信息以及第一内存页的第一标识信息;以及共享内存映射模块,被配置为:响应于检测到共享内存映射请求,将第二内存页映射至第一虚拟内存页。In some embodiments, the device 700 also includes: a shared request detection module, configured to: during the execution of the first program, detect a request for creating a shared memory initiated by the first program, the request for creating a shared memory indicates the following information: first memory address information of the first memory page, read and write permission information set by the first program for the first memory page, and first identification information of the first memory page; a shared memory query request processing module, configured to: in response to detecting a request for querying shared memory initiated by the second program, return a list of identification information of the shared memory in the trusted execution environment to the second program, the list of identification information including the first identification information of the first memory page; a shared memory mapping request processing module, configured to: detect a shared memory mapping request initiated by the second program, the shared memory mapping request indicates the second memory address information of the second memory page and the first identification information of the first memory page; and a shared memory mapping module, configured to: in response to detecting a shared memory mapping request, map the second memory page to the first virtual memory page.

图8示出了其中可以实施本公开的一个或多个实施例的电子设备800的框图。应当理解,图8所示出的电子设备800仅仅是示例性的,而不应当构成对本文所描述的实施例的功能和范围的任何限制。图8所示出的电子设备800可以用于实现图1的计算设备110。FIG8 shows a block diagram of an electronic device 800 in which one or more embodiments of the present disclosure may be implemented. It should be understood that the electronic device 800 shown in FIG8 is merely exemplary and should not constitute any limitation on the functionality and scope of the embodiments described herein. The electronic device 800 shown in FIG8 may be used to implement the computing device 110 of FIG1 .

如图8所示,电子设备800是通用电子设备或计算设备的形式。电子设备800的组件可以包括但不限于一个或多个处理器或处理单元810、存储器820、存储设备830、一个或多个通信单元840、一个或多个输入设备850以及一个或多个输出设备860。处理单元810可以是实际或虚拟处理器并且能够根据存储器820中存储的程序来执行各种处理。在多处理器系统中,多个处理单元并行执行计算机可执行指令,以提高电子设备800的并行处理能力。 As shown in FIG8 , the electronic device 800 is in the form of a general electronic device or computing device. The components of the electronic device 800 may include, but are not limited to, one or more processors or processing units 810, a memory 820, a storage device 830, one or more communication units 840, one or more input devices 850, and one or more output devices 860. The processing unit 810 may be an actual or virtual processor and is capable of performing various processes according to a program stored in the memory 820. In a multi-processor system, multiple processing units execute computer executable instructions in parallel to improve the parallel processing capability of the electronic device 800.

电子设备800通常包括多个计算机存储介质。这样的介质可以是电子设备800可访问的任何可以获取的介质,包括但不限于易失性和非易失性介质、可拆卸和不可拆卸介质。存储器820可以是易失性存储器(例如寄存器、高速缓存、随机访问存储器(RAM))、非易失性存储器(例如,只读存储器(ROM)、电可擦除可编程只读存储器(EEPROM)、闪存)或它们的某种组合。存储设备830可以是可拆卸或不可拆卸的介质,并且可以包括机器可读介质,诸如闪存驱动、磁盘或者任何其他介质,其可以能够用于存储信息和/或数据(例如用于训练的训练数据)并且可以在电子设备800内被访问。The electronic device 800 typically includes a plurality of computer storage media. Such media may be any accessible media that is accessible to the electronic device 800, including but not limited to volatile and non-volatile media, removable and non-removable media. The memory 820 may be a volatile memory (e.g., a register, a cache, a random access memory (RAM)), a non-volatile memory (e.g., a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), flash memory), or some combination thereof. The storage device 830 may be a removable or non-removable medium, and may include a machine-readable medium, such as a flash drive, a disk, or any other medium, which may be capable of being used to store information and/or data (e.g., training data for training) and may be accessed within the electronic device 800.

电子设备800可以进一步包括另外的可拆卸/不可拆卸、易失性/非易失性存储介质。尽管未在图8中示出,可以提供用于从可拆卸、非易失性磁盘(例如“软盘”)进行读取或写入的磁盘驱动和用于从可拆卸、非易失性光盘进行读取或写入的光盘驱动。在这些情况中,每个驱动可以由一个或多个数据介质接口被连接至总线(未示出)。存储器820可以包括计算机程序产品825,其具有一个或多个程序模块,这些程序模块被配置为执行本公开的各种实施例的各种方法或动作。The electronic device 800 may further include additional removable/non-removable, volatile/non-volatile storage media. Although not shown in FIG. 8 , a disk drive for reading or writing from a removable, non-volatile disk (e.g., a “floppy disk”) and an optical drive for reading or writing from a removable, non-volatile optical disk may be provided. In these cases, each drive may be connected to a bus (not shown) by one or more data media interfaces. The memory 820 may include a computer program product 825 having one or more program modules configured to perform various methods or actions of various embodiments of the present disclosure.

通信单元840实现通过通信介质与其他电子设备进行通信。附加地,电子设备800的组件的功能可以以单个计算集群或多个计算机器来实现,这些计算机器能够通过通信连接进行通信。因此,电子设备800可以使用与一个或多个其他服务器、网络个人计算机(PC)或者另一个网络节点的逻辑连接来在联网环境中进行操作。The communication unit 840 implements communication with other electronic devices through a communication medium. Additionally, the functions of the components of the electronic device 800 can be implemented with a single computing cluster or multiple computing machines that can communicate through a communication connection. Therefore, the electronic device 800 can operate in a networked environment using a logical connection with one or more other servers, a network personal computer (PC), or another network node.

输入设备850可以是一个或多个输入设备,例如鼠标、键盘、追踪球等。输出设备860可以是一个或多个输出设备,例如显示器、扬声器、打印机等。电子设备800还可以根据需要通过通信单元840与一个或多个外部设备(未示出)进行通信,外部设备诸如存储设备、显示设备等,与一个或多个使得用户与电子设备800交互的设备进行通信,或者与使得电子设备800与一个或多个其他电子设备通信的任何设备(例如,网卡、调制解调器等)进行通信。这样的通信可以经 由输入/输出(I/O)接口(未示出)来执行。The input device 850 may be one or more input devices, such as a mouse, a keyboard, a tracking ball, etc. The output device 860 may be one or more output devices, such as a display, a speaker, a printer, etc. The electronic device 800 may also communicate with one or more external devices (not shown) through the communication unit 840 as needed, such as a storage device, a display device, etc., communicate with one or more devices that allow a user to interact with the electronic device 800, or communicate with any device that allows the electronic device 800 to communicate with one or more other electronic devices (e.g., a network card, a modem, etc.). Such communication may be performed via This is performed by an input/output (I/O) interface (not shown).

根据本公开的示例性实现方式,提供了一种计算机可读存储介质,其上存储有计算机可执行指令,其中计算机可执行指令被处理器执行以实现上文描述的方法。根据本公开的示例性实现方式,还提供了一种计算机程序产品,计算机程序产品被有形地存储在非瞬态计算机可读介质上并且包括计算机可执行指令,而计算机可执行指令被处理器执行以实现上文描述的方法。According to an exemplary implementation of the present disclosure, a computer-readable storage medium is provided, on which computer-executable instructions are stored, wherein the computer-executable instructions are executed by a processor to implement the method described above. According to an exemplary implementation of the present disclosure, a computer program product is also provided, which is tangibly stored on a non-transitory computer-readable medium and includes computer-executable instructions, and the computer-executable instructions are executed by a processor to implement the method described above.

这里参照根据本公开实现的方法、装置、设备和计算机程序产品的流程图和/或框图描述了本公开的各个方面。应当理解,流程图和/或框图的每个方框以及流程图和/或框图中各方框的组合,都可以由计算机可读程序指令实现。Various aspects of the present disclosure are described herein with reference to the flowcharts and/or block diagrams of the methods, devices, equipment, and computer program products implemented according to the present disclosure. It should be understood that each box in the flowchart and/or block diagram and the combination of each box in the flowchart and/or block diagram can be implemented by computer-readable program instructions.

这些计算机可读程序指令可以提供给通用计算机、专用计算机或其他可编程数据处理装置的处理单元,从而生产出一种机器,使得这些指令在通过计算机或其他可编程数据处理装置的处理单元执行时,产生了实现流程图和/或框图中的一个或多个方框中规定的功能/动作的装置。也可以把这些计算机可读程序指令存储在计算机可读存储介质中,这些指令使得计算机、可编程数据处理装置和/或其他设备以特定方式工作,从而,存储有指令的计算机可读介质则包括一个制造品,其包括实现流程图和/或框图中的一个或多个方框中规定的功能/动作的各个方面的指令。These computer-readable program instructions can be provided to a processing unit of a general-purpose computer, a special-purpose computer, or other programmable data processing device, thereby producing a machine, so that when these instructions are executed by the processing unit of the computer or other programmable data processing device, a device that implements the functions/actions specified in one or more boxes in the flowchart and/or block diagram is generated. These computer-readable program instructions can also be stored in a computer-readable storage medium, and these instructions cause the computer, programmable data processing device, and/or other equipment to work in a specific manner, so that the computer-readable medium storing the instructions includes a manufactured product, which includes instructions for implementing various aspects of the functions/actions specified in one or more boxes in the flowchart and/or block diagram.

可以把计算机可读程序指令加载到计算机、其他可编程数据处理装置、或其他设备上,使得在计算机、其他可编程数据处理装置或其他设备上执行一系列操作步骤,以产生计算机实现的过程,从而使得在计算机、其他可编程数据处理装置、或其他设备上执行的指令实现流程图和/或框图中的一个或多个方框中规定的功能/动作。Computer-readable program instructions can be loaded onto a computer, other programmable data processing apparatus, or other device so that a series of operational steps are performed on the computer, other programmable data processing apparatus, or other device to produce a computer-implemented process, so that the instructions executed on the computer, other programmable data processing apparatus, or other device implement the functions/actions specified in one or more boxes in the flowchart and/or block diagram.

附图中的流程图和框图显示了根据本公开的多个实现的系统、方法和计算机程序产品的可能实现的体系架构、功能和操作。在这点上,流程图或框图中的每个方框可以代表一个模块、程序段或指令的一部分,模块、程序段或指令的一部分包含一个或多个用于实现规定的逻 辑功能的可执行指令。在有些作为替换的实现中,方框中所标注的功能也可以以不同于附图中所标注的顺序发生。例如,两个连续的方框实际上可以基本并行地执行,它们有时也可以按相反的顺序执行,这依所涉及的功能而定。也要注意的是,框图和/或流程图中的每个方框、以及框图和/或流程图中的方框的组合,可以用执行规定的功能或动作的专用的基于硬件的系统来实现,或者可以用专用硬件与计算机指令的组合来实现。The flowcharts and block diagrams in the accompanying drawings show possible architectures, functions, and operations of systems, methods, and computer program products according to various implementations of the present disclosure. In this regard, each box in the flowchart or block diagram may represent a module, a program segment, or a portion of an instruction, which includes one or more functions for implementing a specified logic. The blocks may be executable instructions for performing a specific function or action. In some alternative implementations, the functions noted in the blocks may occur in a different order than that noted in the accompanying drawings. For example, two consecutive blocks may actually be executed substantially in parallel, or they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagram and/or flow chart, and combinations of blocks in the block diagram and/or flow chart, may be implemented using a dedicated hardware-based system that performs the specified functions or actions, or may be implemented using a combination of dedicated hardware and computer instructions.

以上已经描述了本公开的各实现,上述说明是示例性的,并非穷尽性的,并且也不限于所公开的各实现。在不偏离所说明的各实现的范围和精神的情况下,对于本技术领域的普通技术人员来说许多修改和变更都是显而易见的。本文中所用术语的选择,旨在最好地解释各实现的原理、实际应用或对市场中的技术的改进,或者使本技术领域的其他普通技术人员能理解本文公开的各个实现方式。 The above descriptions of various implementations of the present disclosure are exemplary, non-exhaustive, and not limited to the disclosed implementations. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described implementations. The selection of terms used herein is intended to best explain the principles of the implementations, practical applications, or improvements to the technology in the market, or to enable other persons of ordinary skill in the art to understand the various implementations disclosed herein.

Claims (18)

一种数据处理方法,包括:A data processing method, comprising: 在可信执行环境中,初始化第一程序和与所述第一程序不同的第二程序;In a trusted execution environment, initializing a first program and a second program different from the first program; 分别为所述第一程序和所述第二程序分配第一内存空间和第二内存空间;Allocate a first memory space and a second memory space to the first program and the second program respectively; 其中,所述第一内存空间对所述第一程序可见并且对所述第二程序不可见,并且所述第二内存空间对所述第二程序可见并且对所述第一程序不可见;wherein the first memory space is visible to the first program and invisible to the second program, and the second memory space is visible to the second program and invisible to the first program; 其中,所述第一内存空间为线性内存地址空间,并且包括至少包括第一内存页;并且Wherein, the first memory space is a linear memory address space and includes at least a first memory page; and 其中,所述第二内存空间为线性内存地址空间,并且包括至少包括第二内存页,所述第二内存页与所述第一内存页不同;The second memory space is a linear memory address space and includes at least a second memory page, and the second memory page is different from the first memory page; 将所述第一内存空间的所述第一内存页映射至所述可信执行环境的虚拟地址空间中的第一虚拟内存页;以及Mapping the first memory page of the first memory space to a first virtual memory page in the virtual address space of the trusted execution environment; and 将所述第二内存空间的第二内存页映射至所述虚拟地址空间中的所述第一虚拟内存页。A second memory page of the second memory space is mapped to the first virtual memory page in the virtual address space. 根据权利要求1所述的方法,还包括:The method according to claim 1, further comprising: 响应于检测到由所述第一程序发起的数据的访问请求,确定所述数据所对应的内存地址是否在所述第一内存空间内;以及In response to detecting a data access request initiated by the first program, determining whether a memory address corresponding to the data is within the first memory space; and 根据确定所述内存地址不在所述第一内存空间内,将所述内存地址映射至所述虚拟地址空间的异常虚拟内存页。Based on determining that the memory address is not in the first memory space, the memory address is mapped to an abnormal virtual memory page of the virtual address space. 根据权利要求1所述的方法,还包括:The method according to claim 1, further comprising: 为所述第一程序生成第一映射表,所述第一映射表包括至少一个页表条目,每个页表条目与所述第一内存空间中的一个相应的内存页相对应并且指示以下至少一项:A first mapping table is generated for the first program, the first mapping table comprising at least one page table entry, each page table entry corresponding to a corresponding memory page in the first memory space and indicating at least one of the following: 所述相应的内存页是否已经被映射至所述虚拟地址空间中的一虚拟内存页,或 Whether the corresponding memory page has been mapped to a virtual memory page in the virtual address space, or 与所述相应的内存页相对应的虚拟内存页的在所述虚拟地址空间中的虚拟地址信息。Virtual address information of a virtual memory page corresponding to the corresponding memory page in the virtual address space. 根据权利要求3所述的方法,其中为所述第一程序生成所述第一映射表包括:The method according to claim 3, wherein generating the first mapping table for the first program comprises: 响应于检测到所述第一程序被初始化,为所述第一程序生成所述第一映射表,所述第一映射表具有预设数目的页表条目;In response to detecting that the first program is initialized, generating the first mapping table for the first program, the first mapping table having a preset number of page table entries; 并且所述方法还包括:And the method further comprises: 响应于检测到针对所述第一程序的增加内存指令,在所述第一映射表中修改至少一个页表条目以指示所述第一内存空间中的至少一个新分配的内存页与所述虚拟地址空间中的至少一个虚拟内存页的映射关系。In response to detecting an increase memory instruction for the first program, at least one page table entry is modified in the first mapping table to indicate a mapping relationship between at least one newly allocated memory page in the first memory space and at least one virtual memory page in the virtual address space. 根据权利要求3所述的方法,其中所述第一映射表包括与所述第一内存页相对应的第一页表条目,所述第一页表条目包括以下至少一项:The method according to claim 3, wherein the first mapping table includes a first page table entry corresponding to the first memory page, and the first page table entry includes at least one of the following: 第一信息,所述第一信息指示所述第一内存页已经被映射至第一虚拟内存页,first information, the first information indicating that the first memory page has been mapped to a first virtual memory page, 第二信息,所述第二信息指示标识所述第一虚拟内存页的第一虚拟地址,以及second information indicating a first virtual address identifying the first virtual memory page, and 第三信息,所述第三信息指示所述第一程序针对所述第一内存页的读写权限信息。The third information indicates the read and write permission information of the first program with respect to the first memory page. 根据权利要求3所述的方法,其中所述第一映射表包括以下至少一项:The method according to claim 3, wherein the first mapping table includes at least one of the following: 第一子映射表,所述第一子映射表包括至少一个第一页表条目,所述至少一个第一页表条目与所述第一程序具有只读权限的至少一个内存页相对应;以及a first sub-mapping table, the first sub-mapping table comprising at least one first page table entry, the at least one first page table entry corresponding to at least one memory page for which the first program has read-only permission; and 第二子映射表,所述第二子映射表包括至少一个第二页表条目,所述至少一个第二页表条目与所述第一程序具有写权限的至少一个内存页相对应。A second sub-mapping table, wherein the second sub-mapping table includes at least one second page table entry, and the at least one second page table entry corresponds to at least one memory page for which the first program has write permission. 根据权利要求1所述的方法,其中所述第一内存空间还包括第 三内存页和第四内存页,所述第三内存页和所述第四内存页为所述第一内存空间中的两个连续内存页,所述方法还包括:The method according to claim 1, wherein the first memory space also includes a A third memory page and a fourth memory page, wherein the third memory page and the fourth memory page are two consecutive memory pages in the first memory space, and the method further includes: 将所述第一内存空间的所述第三内存页映射至所述虚拟地址空间中的第二虚拟内存页;以及Mapping the third memory page of the first memory space to a second virtual memory page in the virtual address space; and 将所述第四内存页映射至所述虚拟地址空间中的第三虚拟内存页,所述第二虚拟内存页和所述第三虚拟内存页在所述虚拟地址空间中不连续。The fourth memory page is mapped to a third virtual memory page in the virtual address space, and the second virtual memory page and the third virtual memory page are not continuous in the virtual address space. 根据权利要求1所述的方法,还包括:The method according to claim 1, further comprising: 在所述第一程序运行期间,检测由所述第一程序发起的创建共享内存的请求,所述创建共享内存的请求指示如下信息:所述第一内存页的第一内存地址信息、所述第一程序针对所述第一内存页所设置的读写权限信息以及所述第一内存页的第一标识信息;During the execution of the first program, detecting a request for creating a shared memory initiated by the first program, the request for creating a shared memory indicating the following information: first memory address information of the first memory page, read and write permission information set by the first program for the first memory page, and first identification information of the first memory page; 响应于检测到由所述第二程序发起的查询共享内存的请求,向所述第二程序返回在所述可信执行环境中的共享内存的标识信息列表,所述标识信息列表包括所述第一内存页的所述第一标识信息;In response to detecting a request for querying the shared memory initiated by the second program, returning to the second program a list of identification information of the shared memory in the trusted execution environment, the list of identification information including the first identification information of the first memory page; 检测由所述第二程序发起的共享内存映射请求,所述共享内存映射请求指示所述第二内存页的第二内存地址信息以及所述第一内存页的所述第一标识信息;以及detecting a shared memory mapping request initiated by the second program, the shared memory mapping request indicating second memory address information of the second memory page and the first identification information of the first memory page; and 响应于检测到所述共享内存映射请求,将所述第二内存页映射至所述第一虚拟内存页。In response to detecting the shared memory mapping request, mapping the second memory page to the first virtual memory page. 一种数据处理装置,包括:A data processing device, comprising: 程序初始化模块,被配置为:在可信执行环境中,初始化第一程序和与所述第一程序不同的第二程序;A program initialization module is configured to: initialize a first program and a second program different from the first program in a trusted execution environment; 内存分配模块,被配置为分别为所述第一程序和所述第二程序分配第一内存空间和第二内存空间;其中,所述第一内存空间对所述第一程序可见并且对所述第二程序不可见,并且所述第二内存空间对所述第二程序可见并且对所述第一程序不可见;其中,所述第一内存空间为线性内存地址空间,并且包括至少包括第一内存页;并且其中,所述第二内存空间为线性内存地址空间,并且包括至少包括第二内存 页,所述第二内存页与所述第一内存页不同;A memory allocation module, configured to allocate a first memory space and a second memory space to the first program and the second program respectively; wherein the first memory space is visible to the first program and invisible to the second program, and the second memory space is visible to the second program and invisible to the first program; wherein the first memory space is a linear memory address space and includes at least a first memory page; and wherein the second memory space is a linear memory address space and includes at least a second memory page. page, the second memory page is different from the first memory page; 第一映射模块,被配置为将所述第一内存空间的所述第一内存页映射至所述可信执行环境的虚拟地址空间中的第一虚拟内存页;以及A first mapping module is configured to map the first memory page of the first memory space to a first virtual memory page in the virtual address space of the trusted execution environment; and 第二映射模块,被配置为将所述第二内存空间的第二内存页映射至所述虚拟地址空间中的所述第一虚拟内存页。The second mapping module is configured to map the second memory page of the second memory space to the first virtual memory page in the virtual address space. 根据权利要求9所述的装置,还包括越界检查模块,被配置为:The apparatus according to claim 9, further comprising an out-of-bounds checking module configured to: 响应于检测到由所述第一程序发起的数据的访问请求,确定所述数据所对应的内存地址是否在所述第一内存空间内;以及In response to detecting a data access request initiated by the first program, determining whether a memory address corresponding to the data is within the first memory space; and 根据确定所述内存地址不在所述第一内存空间内,将所述内存地址映射至所述虚拟地址空间的异常虚拟内存页。Based on determining that the memory address is not in the first memory space, the memory address is mapped to an abnormal virtual memory page of the virtual address space. 根据权利要求9所述的装置,还包括页表生成模块,被配置为:The apparatus according to claim 9, further comprising a page table generation module configured to: 为所述第一程序生成第一映射表,所述第一映射表包括至少一个页表条目,每个页表条目与所述第一内存空间中的一个相应的内存页相对应并且指示以下至少一项:A first mapping table is generated for the first program, the first mapping table comprising at least one page table entry, each page table entry corresponding to a corresponding memory page in the first memory space and indicating at least one of the following: 所述相应的内存页是否已经被映射至所述虚拟地址空间中的一虚拟内存页,或Whether the corresponding memory page has been mapped to a virtual memory page in the virtual address space, or 与所述相应的内存页相对应的虚拟内存页的在所述虚拟地址空间中的虚拟地址信息。Virtual address information of a virtual memory page corresponding to the corresponding memory page in the virtual address space. 根据权利要求11所述的装置,其中所述页表生成模块还被配置为:The apparatus according to claim 11, wherein the page table generation module is further configured to: 响应于检测到所述第一程序被初始化,为所述第一程序生成所述第一映射表,所述第一映射表具有预设数目的页表条目;In response to detecting that the first program is initialized, generating the first mapping table for the first program, the first mapping table having a preset number of page table entries; 并且所述装置还包括:And the device also includes: 内存修改模块,被配置为响应于检测到针对所述第一程序的增加内存指令,在所述第一映射表中修改至少一个页表条目以指示所述第一内存空间中的至少一个新分配的内存页与所述虚拟地址空间中的至少一个虚拟内存页的映射关系。 A memory modification module is configured to modify at least one page table entry in the first mapping table in response to detecting an increase memory instruction for the first program to indicate a mapping relationship between at least one newly allocated memory page in the first memory space and at least one virtual memory page in the virtual address space. 根据权利要求11所述的装置,其中所述第一映射表包括与所述第一内存页相对应的第一页表条目,所述第一页表条目包括以下至少一项:The apparatus according to claim 11, wherein the first mapping table comprises a first page table entry corresponding to the first memory page, the first page table entry comprising at least one of the following: 第一信息,所述第一信息指示所述第一内存页已经被映射至第一虚拟内存页,first information, the first information indicating that the first memory page has been mapped to a first virtual memory page, 第二信息,所述第二信息指示标识所述第一虚拟内存页的第一虚拟地址,以及second information indicating a first virtual address identifying the first virtual memory page, and 第三信息,所述第三信息指示所述第一程序针对所述第一内存页的读写权限信息。The third information indicates the read and write permission information of the first program for the first memory page. 根据权利要求11所述的装置,其中所述第一映射表包括以下至少一项:The apparatus according to claim 11, wherein the first mapping table comprises at least one of the following: 第一子映射表,所述第一子映射表包括至少一个第一页表条目,所述至少一个第一页表条目与所述第一程序具有只读权限的至少一个内存页相对应;以及a first sub-mapping table, the first sub-mapping table comprising at least one first page table entry, the at least one first page table entry corresponding to at least one memory page for which the first program has read-only permission; and 第二子映射表,所述第二子映射表包括至少一个第二页表条目,所述至少一个第二页表条目与所述第一程序具有写权限的至少一个内存页相对应。A second sub-mapping table, wherein the second sub-mapping table includes at least one second page table entry, and the at least one second page table entry corresponds to at least one memory page for which the first program has write permission. 根据权利要求9所述的装置,其中所述第一内存空间还包括第三内存页和第四内存页,所述第三内存页和所述第四内存页为所述第一内存空间中的两个连续内存页,所述装置还包括:The device according to claim 9, wherein the first memory space further includes a third memory page and a fourth memory page, the third memory page and the fourth memory page are two consecutive memory pages in the first memory space, and the device further includes: 第二映射模块,被配置为将所述第三内存页映射至所述虚拟地址空间中的第二虚拟内存页;以及A second mapping module is configured to map the third memory page to a second virtual memory page in the virtual address space; and 第三映射模块,被配置为将所述第四内存页映射至所述虚拟地址空间中的第三虚拟内存页,所述第二虚拟内存页和所述第三虚拟内存页在所述虚拟地址空间中不连续。The third mapping module is configured to map the fourth memory page to a third virtual memory page in the virtual address space, and the second virtual memory page and the third virtual memory page are not continuous in the virtual address space. 根据权利要求9所述的装置,还包括:The apparatus according to claim 9, further comprising: 共享请求检测模块,被配置为:在所述第一程序运行期间,检测由所述第一程序发起的创建共享内存的请求,所述创建共享内存的请求指示如下信息:所述第一内存页的第一内存地址信息、所述第一程 序针对所述第一内存页所设置的读写权限信息以及所述第一内存页的第一标识信息;The sharing request detection module is configured to: during the running of the first program, detect a request initiated by the first program to create a shared memory, wherein the request to create a shared memory indicates the following information: first memory address information of the first memory page, information of the first program, the read and write permission information set for the first memory page and the first identification information of the first memory page; 共享内存查询请求处理模块,被配置为:响应于检测到由所述第二程序发起的查询共享内存的请求,向所述第二程序返回在所述可信执行环境中的共享内存的标识信息列表,所述标识信息列表包括所述第一内存页的所述第一标识信息;a shared memory query request processing module, configured to: in response to detecting a request for querying the shared memory initiated by the second program, return to the second program a list of identification information of the shared memory in the trusted execution environment, the list of identification information including the first identification information of the first memory page; 共享内存映射请求处理模块,被配置为:检测由所述第二程序发起的共享内存映射请求,所述共享内存映射请求指示所述第二内存页的第二内存地址信息以及所述第一内存页的所述第一标识信息;以及a shared memory mapping request processing module, configured to: detect a shared memory mapping request initiated by the second program, the shared memory mapping request indicating second memory address information of the second memory page and the first identification information of the first memory page; and 共享内存映射模块,被配置为:响应于检测到所述共享内存映射请求,将所述第二内存页映射至所述第一虚拟内存页。The shared memory mapping module is configured to: in response to detecting the shared memory mapping request, map the second memory page to the first virtual memory page. 一种电子设备,包括:An electronic device, comprising: 至少一个处理单元;以及at least one processing unit; and 至少一个存储器,所述至少一个存储器被耦合到所述至少一个处理单元并且存储用于由所述至少一个处理单元执行的指令,所述指令在由所述至少一个处理单元执行时使所述电子设备执行根据权利要求1至8中任一项所述的方法。At least one memory, the at least one memory being coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit, the instructions causing the electronic device to perform the method according to any one of claims 1 to 8 when executed by the at least one processing unit. 一种计算机可读存储介质,其上存储有计算机程序,所述计算机程序被处理器执行时实现根据权利要求1至8中任一项所述的方法。 A computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the method according to any one of claims 1 to 8.
PCT/CN2024/108590 2023-08-02 2024-07-30 Data processing method and apparatus, and device and storage medium WO2025026327A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202310967247.X 2023-08-02
CN202310967247.XA CN116933271B (en) 2023-08-02 2023-08-02 Data processing method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2025026327A1 true WO2025026327A1 (en) 2025-02-06

Family

ID=88387734

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2024/108590 WO2025026327A1 (en) 2023-08-02 2024-07-30 Data processing method and apparatus, and device and storage medium

Country Status (2)

Country Link
CN (1) CN116933271B (en)
WO (1) WO2025026327A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116933271B (en) * 2023-08-02 2024-12-13 北京火山引擎科技有限公司 Data processing method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180330081A1 (en) * 2016-02-03 2018-11-15 Huawei Technologies Co., Ltd. Execution environment virtualization method and apparatus and virtual execution environment access method and apparatus
CN109460373A (en) * 2017-09-06 2019-03-12 阿里巴巴集团控股有限公司 A kind of data sharing method, terminal device and storage medium
CN115098279A (en) * 2022-06-28 2022-09-23 蚂蚁区块链科技(上海)有限公司 Memory address sharing access method and device
CN116108454A (en) * 2023-04-06 2023-05-12 支付宝(杭州)信息技术有限公司 Memory page management method and device
CN116933271A (en) * 2023-08-02 2023-10-24 北京火山引擎科技有限公司 Data processing methods, devices, equipment and storage media

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11640361B2 (en) * 2019-03-08 2023-05-02 International Business Machines Corporation Sharing secure memory across multiple security domains
CN110119302B (en) * 2019-04-23 2023-07-21 上海隔镜信息科技有限公司 Virtual machine monitor and virtual trusted execution environment construction method

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180330081A1 (en) * 2016-02-03 2018-11-15 Huawei Technologies Co., Ltd. Execution environment virtualization method and apparatus and virtual execution environment access method and apparatus
CN109460373A (en) * 2017-09-06 2019-03-12 阿里巴巴集团控股有限公司 A kind of data sharing method, terminal device and storage medium
CN115098279A (en) * 2022-06-28 2022-09-23 蚂蚁区块链科技(上海)有限公司 Memory address sharing access method and device
CN116108454A (en) * 2023-04-06 2023-05-12 支付宝(杭州)信息技术有限公司 Memory page management method and device
CN116933271A (en) * 2023-08-02 2023-10-24 北京火山引擎科技有限公司 Data processing methods, devices, equipment and storage media

Also Published As

Publication number Publication date
CN116933271B (en) 2024-12-13
CN116933271A (en) 2023-10-24

Similar Documents

Publication Publication Date Title
US10564997B2 (en) Computing system for securely executing a secure application in a rich execution environment
JP4237190B2 (en) Method and system for guest physical address virtualization within a virtual machine environment
US9355262B2 (en) Modifying memory permissions in a secure processing environment
US7620766B1 (en) Transparent sharing of memory pages using content comparison
US7490191B2 (en) Sharing information between guests in a virtual machine environment
US10157146B2 (en) Local access DMA with shared memory pool
US8661181B2 (en) Memory protection unit in a virtual processing environment
CN109359487B (en) Extensible security shadow storage and tag management method based on hardware isolation
US8677457B2 (en) Security for codes running in non-trusted domains in a processor core
CN109002706A (en) Data isolation guard method and system in a kind of process based on user class page table
US20240264768A1 (en) Request Processing Method, Apparatus, and System
CN112035272A (en) Method, apparatus and computer equipment for interprocess communication
US20020046305A1 (en) Method for effective binary translation between different instruction sets using emulated supervisor flag and multiple page tables
CN106716435B (en) Interface between a device and a secure processing environment
US10664304B2 (en) Application memory protection using an extended page table switching virtual machine function
WO2025026327A1 (en) Data processing method and apparatus, and device and storage medium
US8458434B2 (en) Unified virtual contiguous memory manager
CN108491249A (en) A kind of kernel module partition method and system based on module powers and functions
US20060143411A1 (en) Techniques to manage partition physical memory
CN114676465A (en) Method and apparatus for runtime memory isolation across different execution domains
CN118395421A (en) Kernel data isolation method and system based on multi-kernel page table template
US12019733B2 (en) Compartment isolation for load store forwarding
GB2568301A (en) Address space access control
WO2024199671A1 (en) Managing memory permissions
CN116579030A (en) Memory optimization method for expanding security resources on Internet of things equipment

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24848282

Country of ref document: EP

Kind code of ref document: A1