Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Central processing unit design method supporting software code data confidentiality and credibility execution

A technology of central processing unit and design method, applied in the direction of electrical digital data processing, digital data protection, internal/peripheral computer component protection, etc.

Pending Publication Date: 2020-01-07
陈昶宇
View PDF9 Cites 11 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

However, the security technology of these two types of CPUs is difficult to prevent side channel attacks
Attackers can use specially designed hardware to intercept or forge the data exchange between the CPU and the device. Attackers can also modify the operating system to bypass the isolation mechanism of the CPU. Attackers can also use software virtual machines or software virtual CPUs. The method of execution intercepts the memory distribution of code and data in the software and conducts further attacks based on this. These attack methods limit the applicability and effectiveness of the above techniques
[0005] At present, the widely used SSL / TLS protocol can ensure the confidential transmission of data in the communication channel, but the encrypted data transmitted over the network will eventually need to be restored in the application program or browser in the user terminal. If the user terminal application program, browser or operating system is not secure It also cannot guarantee the security of communication data. For example, implanting a malicious plug-in in the browser can steal user communication data. Information security also depends on the security of the executed software. To ensure the trusted execution of applications, common methods Relying on the trust chain formed by checking whether the developer's signature of the application file is credible, and relying on the layer-by-layer verification of the system from initialization to the final execution of the environment established by the application software, but this process and method are too It is cumbersome, there are too many intermediate links, and it is difficult to configure and quickly adapt to changes in the environment. It is only suitable for special scenarios with relatively fixed environments. For example, the upgrade of software and hardware systems will make some security measures that rely too much on the old system go wrong or fail. Too many All intermediate links can become unreliable due to user behavior, and often cannot guarantee the trustworthiness of people who come into contact with the system, such as malicious users or users with bad habits
[0006] At present, many security technologies assume that the users of the application software are trustworthy, but in fact the attackers of the application software are also one of the users of the application software, and even some ordinary users even actively use cracking software, Plug-ins and other software to modify commercial software. These unauthorized modifications will damage the normal use of the software. For example, adding a plug-in to an online game will destroy the fairness of the game and affect the experience of other players. Another example is that pirated users modify programs to bypass software authorization. These modifications may eventually damage the interests of users. For example, attackers can implant Trojan horses, viruses, and malware into applications or user operating systems, and further intercept user accounts and passwords or other user privacy information entered by users. On the other hand, software developers usually only hope that software users simply use the functions of the application software, and do not want malicious parties, especially competitors, to reverse-analyze the software code or restore the source code of the software to intercept the core algorithm and production method of the software. and internal logic or tampering with the software to achieve some bad purpose, but the most unguaranteed thing in the process of using the software is the diversity of user groups and user behaviors. It cannot be assumed that all users who use the application are trustworthy, especially public Software with a huge number of users on sale will bring huge gray benefits to those who crack such software, and it will be even more difficult to suppress the cracking behavior of a large number of crackers. If there is no CPU hardware architecture and top-level design of the operating system for software security To provide effective support, it is very difficult for developers to hide information (such as hiding keys, hiding confidential data, and hiding algorithmic logic of confidential codes) and anti-tampering and anti-cheating in software released to the outside world, as well as implementing strict copyright protection. You can only rely on the complexity of the code in this unreliable way, hoping that the attacker is not highly skilled, impatient or unlucky

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Central processing unit design method supporting software code data confidentiality and credibility execution

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0023] See attached figure 1 , assuming that the original CPU architecture has 32-bit address lines, the physical address space range is 0x00000000~0xFFFFFFFF, each physical address stores data in Byte (8bit) units, and the total address space is 4GByte. Expand the CPU In the new CPU architecture, the 512MByte address space of 0xE0000000~0xFFFFFFFF in the address space is set as the on-chip security area reserved address space, among which the 128M Byte address space of 0xF8000000~0xFFFFFFFF is allocated to the on-chip security ROM, and the 384M Byte of 0xE0000000~0xF7FFFFFF is allocated For the on-chip security RAM, 128M Byte OPTROM is integrated inside the CPU, and the address space is 0xF8000000~0xFFFFFFFF. This is the on-chip security ROM in this example. Secure RAM. When the new CPU is packaged, the image file synthesized by the pre-prepared "secure kernel code" and "CPU built-in private key certificate library" is written into the OPTROM packaged on-chip at one time. W...

Embodiment 2

[0041] This example continues to add logic circuits on the basis of the new CPU structure in Example 1, so as to make full use of the internal cache of the CPU, reduce the frequency of repeated decryption of encrypted segment data, and improve efficiency. The specific implementation method of this example is as follows:

[0042] In this example, the CPU's internal CACHE is connected to the CPU core with a Look-aside structure. In this example, the CPU uses the Write-through mode to write back data to the memory. Two control lines are added to the CPU's internal bus, one is called "CACHE shutdown control line", The control line is connected to the on-chip CACHE "chip select interface" through a logic circuit. When the control line outputs 1 (high level signal), the internal CACHE unit is closed; one is called the "external bus shutdown control line", and the control line passes through The logic circuit is connected with the "chip select interface" of the "CPU external interfac...

Embodiment 3

[0047] This example is different from Embodiments 1 and 2 without using the "address monitoring event interruption mechanism" and using another method "decryption cache mechanism for the entire encrypted segment" described in the present invention to realize. The specific implementation method of this example is as follows:

[0048] This example continues the setting of Example 1 and integrates 128M Byte OPTROM inside the CPU with an address space of 0xF8000000~0xFFFFFFFF as an on-chip security ROM; integrates an SRAM with an address space of 0xE0000000~0xF7FFFFFF inside the CPU as an on-chip security RAM. 0xE0000000~0xFFFFFFFF 512M Byte address space is reserved for the on-chip security area. Implement the "on-chip security area access restriction" in the same way as in Embodiment 1, that is, only the instruction code within the address range of 0xE0000000~0xFFFFFFFF can read and write the data within the address range of 0xE0000000~0xFFFFFFFF, and the data within the address...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention provides a central processing unit design method. Belonging to the field of digital circuits, the method comprises the following steps: 1, processing; dividing and reserving a memory address range for adding a read-only memory and a random access memory in a chip; the instruction in the off-chip memory is limited to be invalid when the content of the on-chip memory is read and written; a private key certificate and a safety kernel code are persistently stored in a chip, memory access is monitored, address monitoring event interruption is triggered, an address monitoring event interruption processing program is written to achieve real-time decryption and encryption of to-be-accessed data, and a to-be-executed instruction is preset to a register and executed from the register.A trusted computing system can be realized on the novel central processing unit, an application program accommodating an encrypted ciphertext form code segment and a data segment can be loaded and executed in real time. Meanwhile, confidential information of the application program is prevented from being accessed unauthorized and leaked to an external bus, and the confidentiality, integrity and authenticity of the confidential information in the application program are protected.

Description

technical field [0001] The present invention relates to the architecture and function design of several central processing units (CPU), which can be used to protect the information security of application software codes and data, mainly belonging to the field of digital circuits. Background technique [0002] Information security has four aspects: equipment security, data security, content security and behavioral security. Data security can be guaranteed through data encryption. For example, the SSL and TLS protocols provide methods to ensure channel data security in network communication. The signature certification of the data content by the data producer can ensure the safety and reliability of the content source. Trusted computing belongs to behavioral security. According to the description of Chinese information security experts in the book "Software Behavior", behavioral security should include: behavioral confidentiality, behavioral integrity, and behavioral authenti...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
IPC IPC(8): G06F21/12G06F21/60G06F21/64G06F21/75
CPCG06F21/755G06F21/602G06F21/125G06F21/64
Inventor 陈昶宇
Owner 陈昶宇
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products