A database system integrity protection method based on a trusted subsystem
By deploying a metric agent and a trusted subsystem at the operating system kernel layer, a dual-system architecture is constructed, which solves the problem that existing technologies cannot protect database integrity throughout its entire lifecycle, and achieves proactive protection and efficient integrity assurance for the database system.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- BEIJING UNIV OF TECH
- Filing Date
- 2026-03-12
- Publication Date
- 2026-06-12
AI Technical Summary
Existing database security mechanisms cannot defend against attacks during operation at startup, traditional security chips lack proactive blocking capabilities, middleware architectures are easily bypassed, and frequent measurements introduce performance bottlenecks, making it impossible to effectively guarantee the integrity of the database system throughout its entire lifecycle.
A dual-system architecture is built using an independently designed trusted subsystem. By deploying a measurement agent at the operating system kernel layer, combined with TPCM and a trusted software base, the integrity measurement and proactive protection of the database system throughout its entire lifecycle are achieved, including dynamic measurement during trusted startup and runtime.
It achieves full lifecycle integrity protection for the database system, can resist high-privilege attacks, reduces the need to modify the database system, improves security and stability, and reduces performance overhead.
Smart Images

Figure CN122197032A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of information security, specifically relating to a method for protecting the integrity of a database system based on a trusted subsystem. Background Technology
[0002] With the development of information technology and cloud computing, database applications are becoming increasingly widespread, and the scale of stored data is growing ever larger. Threats from external sources, such as viruses, Trojans, and hacker attacks, as well as malicious actions from internal personnel, can all seriously harm database systems. Common security mechanisms used by database systems to address these threats include access control, data encryption, and auditing. However, once attackers gain access, they can bypass access control and auditing, or even directly tamper with database-related security mechanisms or files, causing extremely serious damage to the database system and compromising its integrity.
[0003] In summary, current database security mechanisms lack a database security method that can provide integrity protection throughout the entire lifecycle of a database system.
[0004] CN104794410A discloses a database security protection method based on trusted computing technology. This method establishes the security-related data of the database management system on the basis of a trusted system environment and hardware security. By using a security chip, it ensures that sensitive data such as key files and configuration information are not tampered with when the database system starts up, thereby improving the security of the database management system's security mechanism.
[0005] Background limitations: While performing integrity measurements on critical files at startup can ensure the trustworthiness of the database system's operating environment, it only guarantees integrity at the time of startup and cannot defend against attacks occurring during operation after startup. It also cannot effectively guarantee the integrity and unbreakability of the system itself. Traditional security chips used in this invention, such as TPMs, lack the ability to actively block attacks. Therefore, if the database system is attacked or maliciously interfered with during operation, the entire system will be at risk of being compromised.
[0006] CN107392014A discloses a method and system for preventing SQL injection attacks based on random changes in database structure, involving the concept of proactive defense. This invention first actively and randomly changes the names of key metadata in the database and synchronizes this process with the application, causing the metadata names of the entire database application system to change randomly within a certain parameter space, increasing the difficulty of SQL injection attacks. Then, by designing an appropriate time interval for these random parameter changes, the name space is increased, effectively reducing the success probability of SQL injection attacks and minimizing the adverse effects on normal users during the random changes. This invention effectively prevents attackers from guessing the database structure, thereby achieving defense against SQL injection attacks.
[0007] Background and shortcomings of the proposed solution: While this invention can effectively block external attacks, the defense boundary is located at the network layer, which cannot defend against internal personnel or attackers with host privileges. Attackers can bypass the gateway by directly logging into the database and manipulating it directly. Furthermore, using a proxy to clean up all traffic can lead to a decrease in database performance under high concurrency scenarios.
[0008] CN104615947B proposes a trusted database integrity protection method involving the encryption protection of signature keys by a hardware security chip, thus achieving hardware-based security. When sensitive data requires integrity protection, a trusted measurement technique is used to check whether the current system environment matches the environment required for sensitive data integrity protection. The trustworthiness of the system environment is also checked before verifying the integrity measurement value signature. The integrity verification in this invention is implemented through middleware, ensuring both the integrity verification of sensitive data and the normal operating efficiency of the system. This invention establishes a secure database system for storing sensitive data based on a security chip in industrial control environments, improving the strength of sensitive data integrity protection.
[0009] Background technical limitations: This invention employs a middleware architecture to implement a security module, implementing security mechanisms outside the database management system. This poses a risk that attackers may bypass the middleware and directly connect to the database. Furthermore, the operating system's underlying files are not within the middleware's detection scope, increasing the risk of tampering that could allow signature and measurement to be bypassed. This invention requires data signature verification and system environment measurement when processing queries or write requests for sensitive data. Frequent overall system environment measurement introduces significant overhead, leading to severe performance bottlenecks. Summary of the Invention
[0010] This invention constructs a dual-architecture system based on an independently designed trusted subsystem to protect the integrity of the database system. It aims to achieve a complete set of functional logic that can guarantee the integrity measurement of the operating system and other key components during the host machine startup phase, as well as the integrity measurement throughout the entire lifecycle of the database system, while minimizing the modification and reconstruction of the database system.
[0011] The solution of this invention mainly consists of two parts, and the architecture and deployment locations are as follows: Figure 1 As shown.
[0012] Host System: As a computing component, the host system runs the database system and deploys a measurement agent in the operating system kernel layer. The main task of the measurement agent is to obtain the status of key measurement objects related to the database. In this invention, baseline or summary values of data such as executable files and library files, database extensions, key kernel structures and kernel code segments, and application process code segments of the database system are collected, and the collected data is submitted to the trusted subsystem. The measurement agent can also collect information on specified measurement objects according to the measurement strategy given by the trusted subsystem.
[0013] Trusted Subsystem: As a protective component, the trusted subsystem uses TPCM as the root of trust and designs and deploys a trusted software base as the upper-layer software, providing various mechanisms to protect the integrity of the database system. Specifically, this includes a trusted benchmark library, a trusted policy library, proactive monitoring mechanisms, collaboration mechanisms, and support mechanisms.
[0014] The integrity protection process of the Trusted Subsystem mainly consists of two phases. The first is the Trusted Boot Measurement phase, during which TPCM proactively performs integrity checks on the BIOS, firmware boot image, and operating system image. After entering the operating system, it measures critical static files of the database system. The second phase is the runtime proactive measurement phase, which proactively measures process code segments, dynamic libraries, database script tools, kernel code segments, and kernel modules. Additionally, based on the measurement strategy, it also performs integrity measurements on specific memory objects.
[0015] The Trusted Benchmark Library is responsible for storing benchmark values for measurement objects and performing integrity measurements by comparing them with the measured values. Upon receiving data from the measurement agent, the Trusted Benchmark Library first performs a type determination to identify whether it is a benchmark value or a measurement value. For measurement values, it compares them with benchmark values in the Trusted Benchmark Library and generates integrity measurement results based on the comparison results. For benchmark values, its relevant information is added to the Trusted Benchmark Library.
[0016] The trusted policy library is responsible for receiving and storing trusted policies issued by the management center, and sending the policies to the host system to achieve proactive control over the measurement process.
[0017] Active monitoring mechanisms can be divided into control mechanisms, measurement mechanisms, and decision-making mechanisms based on their functions. The control mechanism implements corresponding control measures based on the decisions of the decision-making mechanism. The measurement mechanism is responsible for measuring the object according to a trusted benchmark library and determining its trust status. The decision-making mechanism determines the current security measures based on the measurement results and trusted policies, and invokes different security mechanisms to implement these measures.
[0018] The collaboration mechanism is responsible for receiving various information and data between the trusted subsystem, the host system, and the trusted management center, distributing them to other mechanisms, and transmitting the data to the host system and the trusted management center.
[0019] The support mechanism is responsible for transmitting the trusted support functions of trusted hardware and conveying trusted management information. Attached Figure Description
[0020] Figure 1 Architecture diagram of a database system integrity protection method based on a trusted subsystem.
[0021] Figure 2 Flowchart of a database system integrity protection method based on a trusted subsystem. Detailed Implementation
[0022] The present invention will now be described in detail with reference to the accompanying drawings and embodiments.
[0023] This invention provides a database system integrity protection method based on a trusted subsystem, specifically including: constructing a trusted operating environment for the database system; and performing dynamic trusted verification of the database system based on the trusted operating environment during database operation. Specifically, constructing the trusted operating environment includes trusted startup of the underlying platform and operating system, construction of trusted policies, and establishment of a trusted benchmark library; dynamic trusted verification of the database system includes: verifying the integrity of the database system during operation based on the trusted benchmark library, trusted policies, and trusted subsystems. The method provided by this invention, based on an independently designed and implemented trusted subsystem, can achieve full lifecycle trusted verification of the operating system startup, the database system loading from disk to memory, and the entire operation process after loading into memory, without modifying the database system itself, through integrity measurement, verification, and enforcement control mechanisms.
[0024] like Figure 1-2 As shown, this invention proposes a database system integrity protection method based on a trusted subsystem, and the implementation method includes the following process.
[0025] Process 1: Trusted Startup Measurement Phase.
[0026] Upon initial system startup, the Trusted Subsystem (S1.1) first powers on and completes a self-test, measuring the trusted software base and other critical configurations to ensure its own trustworthiness. Then, the S1.1 S1.1 measures the host system's startup process, establishing baseline values for the BIOS, firmware boot image, and operating system image, and storing these values in the Trusted Baseline Library. During subsequent system startups, the S1.1 S1.1 subsystem verifies the measured values obtained during the startup process against the baseline values in the library. If the verification passes, the system starts successfully; if the verification fails, the system hangs and refuses to start, sending an alarm message to the management center.
[0027] After S1.2 successfully starts for the first time, the system calls the scanning tool to scan the entire disk, calculates and records the baseline value list of database-related applications, dynamic libraries, scripts and kernel modules, generates a baseline value file and stores it in the trusted baseline library as a baseline value whitelist for subsequent measurement.
[0028] Process 2: Runtime Active Measurement Phase
[0029] During the subsequent operation of the S2.1 system, the Trusted Management Center will issue a Trusted Policy File. The policy file is encrypted and stored in the Trusted Policy Library of the Trusted Subsystem. When used, it is decrypted and sent to the Measurement Agent of the Host System to collect information on the specified measurement object.
[0030] After obtaining the measurement policy (S2.2), the system starts the runtime active measurement module, the executable file and dynamic link library file measurement module, the critical data operation measurement module, and the process measurement module. The measurement agent obtains the measurement data from different modules and sends it to the trusted subsystem, which then completes the measurement process. Communication between the host system and the trusted subsystem is accomplished through a secure interface.
[0031] This invention proposes a database system integrity protection method based on a trusted subsystem. It employs a dual-architecture trusted computing system with independent trusted subsystems. The trusted subsystems construct protection components, while the host system constructs the computing components to run the database system. The host system proactively obtains measurement values of critical application processes and components of the database system through a measurement agent, and transmits these values to the trusted subsystems for measurement and adjudication, achieving integrity protection for the entire lifecycle of the data system from host machine startup to operation. The method has a simple interface, is easy to implement and extend, and reduces the need for database system modifications.
[0032] This invention can resist high-privilege attackers without large-scale reconstruction of the database kernel. Even if the host operating system is controlled, the system can still be determined to be untrustworthy through the trusted subsystem, thereby realizing the identification and interception of attack behavior.
[0033] By employing trusted policies and proactive runtime metrics, the flexibility of security mechanisms is enhanced, performance overhead is reduced, and a balance between security and operational robustness is achieved, facilitating large-scale deployment and maintenance.
Claims
1. A database system integrity protection method based on a trusted subsystem, characterized in that, include: To build a trusted operating environment for database systems, including trusted booting of the underlying platform and operating system, construction of trusted policies, and establishment of a trusted benchmark library; During database operation, dynamic trust verification of the database system is performed based on the trusted operating environment, including: verifying the integrity of the database system during operation based on the trusted benchmark library, trusted policies and trusted subsystems.
2. The method according to claim 1, characterized in that, The trusted operating environment is implemented using a dual-architecture system consisting of a host system and a trusted subsystem, wherein: The host system, as a computing component, runs the database system and deploys a metrics agent at the operating system kernel layer to collect status information of key metrics objects related to the database. The Trusted Subsystem, as a protective component, uses TPCM as the root of trust and deploys a trusted software base to provide integrity protection mechanisms, including a trusted benchmark library, a trusted policy library, a proactive monitoring mechanism, a collaboration mechanism, and a support mechanism.
3. The method according to claim 2, characterized in that, The measurement objects collected by the measurement agent include: baseline or summary values of data such as executable files and library files of the database system, database extensions, kernel key structures and kernel code segments, and application process code segments.
4. The method according to claim 2, characterized in that, The trusted benchmark library is used to store the benchmark values of the measurement objects and to complete the integrity measurement by comparing the measurement values with the benchmark values; the trusted policy library is used to receive and store the trusted policies issued by the trusted management center and send the policies to the host system to realize active control over the measurement process.
5. The method according to claim 2, characterized in that, The active monitoring mechanism includes: Control mechanisms are used to implement control measures based on the decisions made by the judgment mechanism; The measurement mechanism is used to measure the measurement object according to a trusted benchmark library; A decision mechanism is used to determine the current security measures based on measurement results and trusted policies.
6. The method according to claim 1, characterized in that, The trusted startup measurement phase includes: Upon initial startup, the trusted subsystem performs a self-check and measures its own trustworthiness, then establishes and stores baseline values for the host system's BIOS, firmware boot image, and operating system image. During subsequent startup, the metric values obtained during the startup process will be verified against the benchmark values in the benchmark library. If the verification fails, the system will be suspended and an alarm will be issued.
7. The method according to claim 1, characterized in that, The runtime proactive measurement phase includes: The Trusted Management Center issues trusted policies to the Trusted Policy Library, decrypts them, and then issues them to the Measurement Agent. The measurement agent collects information about the specified measurement object according to the policy and sends it to the trusted subsystem through a secure interface. The trusted subsystem compares and adjudicates the measurement values to complete the integrity verification.
8. The method according to claim 1, characterized in that, The method further includes: after the system starts up successfully for the first time, scanning the entire disk with a scanning tool to generate a benchmark list of database-related applications, dynamic libraries, scripts and kernel modules, and storing it in a trusted benchmark library as a whitelist basis for subsequent measurements.
9. The method according to claim 1, characterized in that, The method does not require modification of the database system kernel. By deploying a metric agent at the operating system kernel layer, it enables trusted verification and proactive defense of the entire process of the database system from startup to operation.
10. The method according to claim 1, characterized in that, The trusted subsystem has proactive blocking capabilities, enabling it to implement control measures according to policies when measurement results are abnormal, thus resisting malicious behavior by high-privilege attackers or after the host operating system has been controlled.