A hardware architecture and application context integrity measurement method based on hardware security isolation execution environment

An integrity measurement and application context technology, applied in the protection of internal/peripheral computer components, electrical digital data processing, instruments, etc. It addresses problems such as large software overhead, large efficiency loss and a large attack surface, with the effects of accurate acquisition, reduced additional system overhead and ensured metric completeness.

Active Publication Date: 2021-08-06
XUCHANG UNIV

AI Technical Summary

Problems solved by technology

The solution based on virtual machine isolation relies on the security of the management machine 320 and the VMM 310, has a large attack surface, and has a large software overhead. It is therefore suitable for the server environment, but it brings a large efficiency loss to PC terminals or mobile terminals.

Examples


Embodiment 1

[0067] The hardware security isolation execution environment includes security isolation hardware 400, and a security domain 420 and a normal domain 410 divided on the basis of the security isolation hardware. Security domain code can access normal domain storage and computing resources; normal domain code cannot access security domain storage and computing resources. The application context includes a resource request process / application 431, an interest-related process / application 433, and kernel key resources 442, which mainly include a system call table 443, an interrupt descriptor table 444, kernel code and static data 445, kernel data structure metadata 446, the global descriptor table 447, etc. The resource request process / application 431 initiates the measurement, the interest-related process / application 433 is generated by the system security policy 464, the kernel code and static data, and the metadata of the kernel data structure are extracted from the kernel image and compilation...

Embodiment 2

[0078] (1) Execution environment based on hardware security isolation: As shown in Figure 4, a security extension is built on Trusted Execution Environment (TEE) technology, such as the TrustZone architecture, and includes security isolation hardware 400, a security manager 461, a security service driver layer 441 and a security service interface layer 462. The security isolation hardware 400 provides a configurable hardware isolation environment. The security manager 461 can configure the security isolation hardware 400 to work in the normal domain 410 or the security domain 420. The security service driver layer 441 is located in the kernel space 440 of the normal domain 410 and provides security services for the user space 430; for example, the measurement engine client 435 accesses the security isolation hardware 400 through the security service driver layer 441. The security service interface layer 462 is located in the kernel space 460 of the security domain 420, and provides sec...


Abstract

The present invention provides a hardware architecture and an application context integrity measurement method based on a hardware security isolation execution environment. The hardware architecture includes security isolation hardware, a security manager, a security service driver layer, and a security service interface layer. The security isolation hardware provides a configurable hardware isolation environment. The security manager can configure the security isolation hardware to work in the normal domain or the security domain. The security service driver layer is located in the kernel space of the normal domain and provides security services for the user space. The security service interface layer is located in the kernel space of the security domain and provides security services for the user space of the security domain. The security manager performs the conversion between the normal domain and the security domain: the security service driver layer calls the security manager to switch from the normal domain to the security domain, and the security service interface layer calls the security manager to switch from the security domain to the normal domain. The invention not only supports measurement of the integrity of the code, but also supports dynamic measurement to detect whether it has been tampered with by a malicious program.
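The access rule from Embodiment 1 and the domain switching described in the abstract, modelled as an added Python example (not code from the patent or its authors). The class and method names, the SHA-256 digest and the sample table bytes are assumptions made for illustration; the page does not specify the measurement algorithm.

```python
import hashlib

NORMAL, SECURE = "normal", "secure"

# Constructed sample bytes for kernel key resources named in Embodiment 1.
KERNEL = {
    "system_call_table": bytes.fromhex("c0001000c0001040"),
    "interrupt_descriptor_table": bytes.fromhex("c0002000"),
    "global_descriptor_table": bytes.fromhex("00cf9a000000ffff"),
}

class IsolationModel:
    """Hypothetical model of the two domains; not a real TEE API."""

    def __init__(self, normal_mem):
        self.domain = NORMAL          # domain selected by the security manager
        self.normal_mem = normal_mem  # normal-domain storage (kernel key resources)
        self._secure_mem = {}         # secure-domain storage (baseline digest)

    def read(self, region, key):
        # Secure-domain code may read both domains; normal-domain code
        # may not read secure-domain storage.
        if region == SECURE and self.domain != SECURE:
            raise PermissionError("normal domain cannot access secure storage")
        return (self._secure_mem if region == SECURE else self.normal_mem)[key]

    def _digest(self):
        # Length-prefixed fields so resource boundaries cannot be shifted.
        h = hashlib.sha256()
        for name in sorted(self.normal_mem):
            for field in (name.encode(), self.read(NORMAL, name)):
                h.update(len(field).to_bytes(4, "big") + field)
        return h.hexdigest()

    def secure_call(self, service):
        # Driver layer requests normal -> secure; the interface layer
        # requests secure -> normal when the service returns.
        self.domain = SECURE
        try:
            return service()
        finally:
            self.domain = NORMAL

    def enroll(self):
        # Record the trusted baseline inside secure-domain storage.
        self.secure_call(lambda: self._secure_mem.update(baseline=self._digest()))

    def measure(self):
        # True when the normal-domain resources still match the baseline.
        return self.secure_call(
            lambda: self._digest() == self.read(SECURE, "baseline"))
```

Because the baseline lives only in secure-domain storage, code running in the normal domain can change the measured tables but cannot rewrite the value they are compared against.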

Description

Technical field

[0001] The invention belongs to the technical field of trusted computing, and in particular relates to an application context integrity measurement method based on a hardware security isolation execution environment.

Background technique

[0002] Network attacks have shifted from individual operations by advanced hackers to Advanced Persistent Threats (APTs) launched by hacker groups supported by governments or organizations. APT attacks use a number of unknown 0-Day vulnerabilities to attack enterprise core networks, important national infrastructure, and important confidential information systems. They are characterized by a wide attack range, long duration, and strong concealment. The "Stuxnet" attack on Iran's nuclear facilities showed that even a physically isolated network cannot guarantee absolute security. The core feature of an APT attack is to use the 0-Day vulnerability of the system through media ferrying and social attacks to modify t...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/74
CPC: G06F21/74, G06F2221/2105
Inventor: 平源郝斌杨月华马慧李慧娜
Owner: XUCHANG UNIV