
Method and system for trusted verification of object memory in access control

An access control and verification method, applied in the field of information security, that addresses insufficient security protection capability, cumbersome verification systems, and the inability to ensure the trusted operation of upper-layer applications, achieving the effect of ensuring dynamic trustworthiness.

Active Publication Date: 2022-03-11
BEIJING UNIV OF TECH

AI Technical Summary

Problems solved by technology

However, the shortcomings of the solution are: 1. the TPM is used as the trust anchor, and there is no support for the national cryptographic ("national secret") algorithm suite; 2. the verification system is too cumbersome and superficial, that is, it only uses the owner identity and creation time of the relevant static objects to create an image file of the static object for trusted verification.
However, the disadvantages of this scheme are: 1. trusted verification is still carried out by identifying the identity of the subject and the object and by having the TPM encrypt the dynamic object information, which has considerable limitations; the specific information of the dynamic object is classified and processed, and the credibility is not high.
[0006] The patent document with publication number CN 106295319 discloses a security protection scheme for the operating system that works by controlling the trust status of the subject and the object. However, its classification of objects is mainly aimed at static files and ignores the important dynamic objects, that is, processes, inter-process communication, etc., so its security protection capability is not outstanding.
[0007] Patent Publication No. CN 109992992A proposes allocating sensitive data, including the statically allocated .data and .bss segments of trusted applications and the dynamically allocated stack and heap segments, to the security domain of internal random access memory protected by a trusted chip, and loading the code and non-sensitive data into the security domain of dynamic random access memory, in order to realize trusted protection of application data. However, this solution only proposes using the so-called "security domain" to protect sensitive data, and it lacks trusted dynamic verification of the relevant sensitive data. Once the "security domain" is breached by an attacker, the application data is no longer trustworthy.
[0008] To sum up, the existing trusted operation schemes do not classify the types of objects when dealing with trusted verification of objects, and the proposed requirements for trusted verification of objects are all aimed at "static objects" that can only act as the recipient of a subject's actions, such as files, directories, devices, etc.
However, there is a lack of trusted verification of dynamic objects such as processes and inter-process communication.
The credibility of the object cannot be effectively guaranteed, and therefore the trusted operation of the upper-layer application cannot be guaranteed.


Examples


Embodiment Construction

[0033] In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings in the embodiments of the present invention. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. Based on the embodiments of the present invention, all other embodiments obtained by persons of ordinary skill in the art without creative efforts fall within the protection scope of the present invention.

[0034] Trusted computing technology can improve network security as follows:

[0035] 1. Operating system security upgrades, such as preventing rootkit insertion in UEFI, preventing rootkit insertion in OS, and preventing virus and attack driver injection, etc.

[0036] 2. Application integrity protection, such as preventing Trojan horses from be...


Abstract

An embodiment of the present invention provides a method and system for trusted verification of object memory in access control, the method comprising: acquiring the object memory in the access control process, and dividing the object memory into object process memory and IPC object shared memory; and performing trustworthiness verification on the object process memory and the IPC object shared memory respectively. The method and system provided by the embodiment of the present invention divide the object memory data into the object process memory, which serves as the main service object, and the IPC object shared memory, which serves inter-process communication, and perform trustworthiness verification on the two types of object memory separately. This realizes the trustworthiness verification of the indeterminate object data ignored by the existing schemes, and ensures the dynamic trustworthiness of the application program during operation.

Description

Technical field

[0001] The invention relates to the technical field of information security, in particular to a method and system for trusted verification of object memory in access control.

Background technique

[0002] With the rapid development of the Internet, the application of computer networks has gradually penetrated into all aspects of people's lives, resulting in an increasingly strong demand for building trusted network systems. Especially with the maturity of "cloud computing" technology, which is designed around the concept of dynamic resource allocation and on-demand services, the attack methods and tools it faces are becoming more and more diversified, and cloud security issues have also become a bottleneck constraining the development of this emerging technology. With the rise of trusted computing technology, trusted operating systems have gradually become a research hotspot. The establishment of credibility not only requires the consistency measurement of the operati...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/78, G06F21/60, G06F9/54
CPC: G06F21/78, G06F21/602, G06F9/544
Inventor 张建标黄浩翔冯星伟陶务升万永祺曹雪琛
Owner BEIJING UNIV OF TECH