An embedded storage system and method based on mimicry defense and trusted computing

By introducing heterogeneous storage channel sets, mimicry storage agents, and trusted management controllers into embedded storage systems, and combining static and dynamic metrics, the single point of failure and common-mode failure issues in embedded storage systems are resolved, achieving proactive defense and trusted health management throughout the entire lifecycle.

CN122197035APending Publication Date: 2026-06-12NANJING GUODIAN NANZI POWER GRID AUTOMATION CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
NANJING GUODIAN NANZI POWER GRID AUTOMATION CO LTD
Filing Date
2026-05-14
Publication Date
2026-06-12

Smart Images

  • Figure CN122197035A_ABST
    Figure CN122197035A_ABST
Patent Text Reader

Abstract

The application discloses an embedded storage system and method based on quasi-state defense and trusted computing, and relates to the technical field of embedded storage security. The system comprises a heterogeneous storage channel set, a quasi-state storage agent and a trusted management controller. The heterogeneous storage channel set comprises a plurality of mutually heterogeneous storage channels. The trusted management controller is used for performing a start phase static measurement on the storage channels to determine the trusted state of each storage channel, and performing a running phase dynamic measurement to generate a trusted health report of each storage channel in real time. The quasi-state storage agent is used for sending data reading instructions to the storage channels in parallel, and receiving reading results returned by the storage channels. According to the reading results and the trusted health report, a dynamic weighted optimal decision is performed. The application combines a heterogeneous architecture with a dynamic weighted decision to improve the attack resistance and data reliability of the system, and guarantees stable operation of the system through trusted measurement, so that the hardware adaptability is high, and the protection range is reasonable.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to an embedded storage system and method based on mimicry defense and trusted computing, belonging to the field of industrial control security and data storage technology. Background Technology

[0002] In power systems, relay protection devices play the role of safety guardians, and their storage systems preserve critical data such as protection settings and fault recordings. Once this data is damaged or maliciously tampered with, it may lead to malfunctions or failures to operate the protection system, thereby causing large-scale power outages and incalculable economic losses.

[0003] Current traditional embedded storage solutions typically use a single storage channel, such as direct access from the main processor to the embedded multi-media card (eMMC) or serial peripheral interface (SPI) flash memory. This approach has the following drawbacks: 1. Limitations of Static Defenses: Systems typically rely on static defenses such as access control and data encryption for security. However, once an attacker exploits a buffer overflow vulnerability to compromise the operating system, they can gain root privileges, bypassing all access control mechanisms and arbitrarily modifying or deleting stored data. Furthermore, encryption technology can only prevent unauthorized data reading and cannot effectively defend against data corruption and malicious tampering.

[0004] 2. Common Failure Risks: The storage driver contains an integer overflow vulnerability, which can be maliciously exploited by attackers to instantly paralyze the entire storage system. More seriously, if devices in the same batch use the same storage solution, a single vulnerability could simultaneously disable thousands of networked relay protection devices, posing a supply chain security disaster.

[0005] 3. Lack of runtime self-awareness: Traditional solutions only perform permission checks when data is accessed, remaining completely unaware of the storage system's own "health." Devices cannot detect whether firmware has been maliciously tampered with, including attackers replacing the eMMC controller firmware; they also cannot monitor for anomalies in device operation and behavior, such as storage driver hacking and covert data tampering; and they cannot detect whether the storage medium has been quietly replaced with malicious devices. This "blind" state allows attackers to remain dormant for extended periods, launching attacks only at critical moments.

[0006] In recent years, mimicry defense technology has provided new ideas for network security through dynamic heterogeneous redundancy architecture. However, existing mimicry storage solutions are mostly geared towards cloud computing or blockchain scenarios and have not been optimized for the resource-constrained, high-real-time, and physically exposed characteristics of embedded industrial control environments. Furthermore, they lack deep integration with hardware root of trust, making it difficult to block malicious firmware during the startup phase. Summary of the Invention

[0007] The purpose of this invention is to propose an embedded storage system and storage method based on mimicry defense and trusted computing, which aims to overcome the shortcomings of existing embedded storage systems such as single point of failure, common-mode failure, and lack of runtime awareness.

[0008] To achieve the above objectives, the present invention is implemented using the following technical solution: This invention proposes an embedded storage system based on mimicry defense and trusted computing, including a heterogeneous storage channel set, a mimicry storage agent, and a trusted management controller; The heterogeneous storage channel set includes several heterogeneous storage channels, which are used to respond in parallel to the data read instructions issued by the mimicry storage agent and to independently store the same target data; The trusted management controller is communicatively connected to the storage channel and is used to perform static measurements during the startup phase to determine the trusted status of each storage channel, perform dynamic measurements during the operation phase to generate a trusted health report for each storage channel in real time, and synchronize the trusted health reports of each storage channel to the mimicry storage agent. The mimicry storage agent is communicatively connected to the storage channel and the trusted management controller, and is used to send data read commands to the storage channel in parallel and receive read results returned by each storage channel; based on the read results and the trusted health report, it performs dynamic weighted selection decision; wherein, the dynamic weighted selection decision filters out valid data and marks abnormal channels according to the current weight of the storage channel; after obtaining the trusted health report, the mimicry storage agent updates its current weight according to the trusted health report score; after obtaining the read results, the mimicry storage agent updates its current weight according to the consistency verification result of the read results.

[0009] Furthermore, the heterogeneous storage channel set includes a central processing unit main channel, a microprocessor channel, and a programmable logic device hardware logic channel.

[0010] Furthermore, the trusted management controller is built on a hardware root of trust and is powered by an independent power supply that is physically isolated from the power supply of the storage channel.

[0011] Furthermore, the static measurement during the startup phase refers to performing integrity measurements on the firmware and preset software in each storage channel during the system power-on startup phase, and comparing the measurement results with pre-stored baseline values ​​to determine whether each storage channel is in a factory-clean and trustworthy state during startup; the dynamic measurement during the operation phase refers to performing real-time measurements on the key behavioral characteristics of each storage channel in a periodic or event-triggered manner during the normal operation phase of the system, generating real-time trustworthy health reports for each storage channel, wherein the key behavioral characteristics of each storage channel include system call sequence, memory access mode, and interrupt response time.

[0012] Furthermore, the initial weights of the storage channels are preset based on the heterogeneous hardware characteristics, anti-attack capabilities, and operational stability of each storage channel.

[0013] Furthermore, the current weights are updated based on the Trusted Health Report score, including: Multiply the current weight of each storage channel by the corresponding trusted health report score, and normalize each product to obtain the updated current weight of each storage channel.

[0014] Furthermore, the current weight is updated based on the consistency check result of the read results, including: Determine whether the reading results of each storage channel for the same target data are consistent. If the reading results are consistent, multiply the current weight of each storage channel by the reward factor, and normalize each product to obtain the updated current weight of each storage channel. If the read result of a certain storage channel is inconsistent with that of other storage channels, the current weight of that storage channel is compared with the sum of the current weights of the other storage channels. The channel with the larger value is selected as the accepted channel, and the others are selected as unaccepted channels. The current weight of the accepted channel is multiplied by the reward factor, and the current weight of the unaccepted channel is multiplied by the penalty factor. The products are then normalized to obtain the updated current weights of the accepted and unaccepted channels.

[0015] Furthermore, valid data is filtered out based on the current weight of the storage channel, and abnormal channels are marked, including: If the read results returned by each storage channel are the same, the read results of each storage channel at that time shall be regarded as valid data; When the read results returned by each storage channel are different, the read result of the accepted channel is taken as valid data, and the storage channel whose updated current weight is lower than the preset threshold and contradicts the read result of the accepted channel is marked as an abnormal channel.

[0016] Secondly, this invention proposes a storage method for an embedded storage system based on mimicry defense and trusted computing, applied to the aforementioned embedded storage system based on mimicry defense and trusted computing, comprising: During the system startup phase, the trusted management controller sequentially performs startup phase static measurements on each storage channel in the heterogeneous storage channel set to determine the trusted status of each storage channel. Once the system enters the ready state, it listens for data read requests based on the mimicry storage agent and synchronously sends data read instructions to the storage channels in parallel. It receives the read results returned by each storage channel and the real-time trusted health report generated by the trusted management controller during the running phase dynamic measurement, and performs dynamic weighted selection decision.

[0017] Compared with the prior art, the beneficial effects achieved by the present invention are as follows: This invention employs several heterogeneous storage channels, each responding in parallel to data read commands issued by the mimicry storage agent and independently storing the same target data. Attackers will find it virtually impossible to find an attack method that can simultaneously target all three storage channels, thus fundamentally eliminating the possibility of common-mode attacks. Furthermore, this invention overcomes the limitations of traditional mimicry defenses that rely solely on data content comparison by introducing hardware trusted health reports and dynamic weighted selection. Even if an attacker manages to make multiple storage channels output the same erroneous data, it will be identified due to time anomalies or a decline in health.

[0018] This invention integrates trusted and mimicry technologies, organically combining the "identity verification at startup" and "continuous health check" capabilities of trusted computing with the "operational monitoring" and "anomaly handling" capabilities of mimicry defense. This forms a complete closed loop of "prevention → detection → fault tolerance," enabling the storage system to have proactive defense capabilities throughout its entire lifecycle. Attached Figure Description

[0019] Figure 1 This is an architecture diagram of an embedded storage system based on mimicry defense and trusted computing proposed in an embodiment of the present invention; Figure 2 This is a diagram of a three-channel architecture for an embedded storage system based on mimicry defense and trusted computing, as proposed in an embodiment of the present invention. Figure 3 This is a graph showing the current weight update relationship under the weighted selection decision strategy proposed in this embodiment of the invention. Figure 4 This is a trust graph showing the current weight under different data conditions, as proposed in an embodiment of the present invention. Detailed Implementation

[0020] The technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present invention. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. The following description of at least one exemplary embodiment is merely illustrative and is in no way intended to limit the present invention or its application or use.

[0021] Example 1: This example proposes an embedded storage system based on mimicry defense and trusted computing, including a heterogeneous storage channel set, a mimicry storage agent, and a trusted management controller, such as... Figure 1 As shown; The heterogeneous storage channel set comprises three storage channels that differ fundamentally in processor architecture, storage medium, physical location, and data access method, enhancing the system's resilience against attacks through heterogeneity. The first storage channel includes the central processing unit (CPU) and its externally connected block storage medium, which can be defined as the CPU channel. It runs a real-time operating system and uses a file system for data access, offering high computing performance and large storage capacity. The second storage channel includes a microcontroller unit (MCU) and its integrated on-chip non-volatile memory, which can be defined as the MCU channel. It runs bare-metal programs, requiring no operating system, resulting in streamlined code and strong anti-interference capabilities and fast startup. The third storage channel includes a field-programmable gate array (FPGA) and its internal or external volatile memory, which can be defined as the FPGA channel. It directly controls the storage medium through hardware logic, using parallel or high-speed serial interfaces for data access without software intervention, exhibiting extremely low access latency and deterministic response time. Its architecture diagram is shown below. Figure 2 The three components work together in a two-way manner, while the trusted module (i.e., the trusted management controller) provides continuous security protection for the system operation process, realizing a device operation architecture that balances business performance and security protection.

[0022] The Trusted Management Controller is built on a hardware root of trust (TPM / TCM chip, TPM stands for Trusted Platform Module, and TCM stands for Trusted Cryptography Module). It is the core component for ensuring the trustworthiness of the system. It is powered by an independent power supply and is physically isolated from the power supplies of other storage channels. It can perform integrity measurements on the firmware, bootloader, kernel image and key driver modules of each storage channel. The Trusted Management Controller primarily implements static measurement during startup, dynamic measurement during execution, and trusted health report generation and synchronization. Static measurement during startup involves performing integrity measurements on the firmware and critical software of each storage channel during system power-on. The measurement results are compared with pre-stored baseline values ​​in the TPM / TCM chip to determine whether each storage channel is in a clean, trusted state at startup, thus ensuring that each storage entity is in a clean, trusted state at startup and preventing the operation of maliciously tampered firmware or software. Dynamic measurement during execution involves periodically or event-triggered measurements of system call sequences, memory access patterns, interrupt response times, etc., for each storage channel during normal system operation, generating real-time trusted health reports for each storage channel to reflect the trustworthiness of the storage channel's operating status. Trusted health report synchronization involves synchronizing the generated real-time trusted health reports for each storage channel to the mimicry storage agent in real time, serving as the core basis for trust dimension scoring in subsequent multi-dimensional adjudication processes, ensuring the scientific validity and reliability of the adjudication results.

[0023] The mimicry storage agent is used to uniformly schedule the heterogeneous storage channel set, send data read commands to the three storage channels in parallel, and receive the read results returned by each storage channel. Based on the read results and trusted health reports, it performs dynamic weighted selection, outputs valid data, and marks abnormal channels. The weighted selection strategy is implemented based on the heterogeneous storage architecture of the three storage channels. Specifically, it filters valid data and marks abnormal channels according to the current weight of the storage channels, maximizing the protective performance and fault tolerance of mimicry defense. During system initialization, the normalized initial weights of the three storage channels are preset according to the heterogeneous hardware characteristics, anti-attack capabilities, and operational stability of each storage channel, ensuring the initial weight ω of the CPU channel. C MCU channel initial weight ω M and FPGA channel initial weight ω F The sum is 1, i.e., ω C +ω M +ω F=1, and at the same time, a maximum weight is set to ensure that the system can make a normal decision on the best option when inconsistent read results occur at the beginning. The size of the weight represents the reliability of a certain storage channel. If a read result conflict occurs and the system must use the read result to continue operating, the system will trust the storage object with the higher weight.

[0024] During system operation, the current weight is updated in two levels: first, based on the trusted health report score, and second, based on the consistency check result of the read results. These two updates do not need to occur simultaneously, nor do they have a strict order; they are decoupled and independent of each other. Figure 3 As shown, once a trusted health report is obtained, a first-level update is performed based on the score; once the reading result is obtained and its consistency is verified, a second-level update is performed.

[0025] Assume that at time i, the current weights of the three memory channels (i.e., CPU channel, MCU channel, and FPGA channel) are respectively , Once a reliable health report is obtained, each storage channel will receive a real-time score, which can be denoted as {Q}. C Q M Q F The score range is [0, 100]. The current weight of each storage channel is multiplied by the corresponding trusted health report score, and the products are normalized to obtain the updated current weight of each storage channel. The formula can be expressed as: ; ; ; In the formula, These are the current weights of the CPU channel, MCU channel, and FPGA channel after the first-level update. .

[0026] Similarly, assuming that the object to be processed at time i is D, i The storage media corresponding to the CPU, MCU, and FPGA each provide three copies of the read results, denoted as follows: If the three read results are consistent, all three results are considered reliable, and all three storage channels are adopted. The current weight of each storage channel is multiplied by the reward factor, and the products are normalized to obtain the updated current weight of each storage channel. If one read result is inconsistent, the current weights are compared: the current weights of all storage channels with the same read result are added together to obtain the corresponding weight sum. The weight sum is compared with the current weight of the storage channels with different read results. The one with the larger value is adopted, and the rest are not adopted. The current weight of the adopted channel is multiplied by the reward factor, and the current weight of the not adopted channel is multiplied by the penalty factor. The products are normalized to obtain the updated current weight of the adopted channel and the updated current weight of the not adopted channel. If the three read results are different, the storage channel with the highest current weight is trusted and adopted, but its current weight is not updated.

[0027] See also Figure 4 As shown, weight 1, weight 2, and weight 3 are the current weights of the CPU channel, MCU channel, and FPGA channel, respectively. If the data of the three channels are the same, then all three are accepted channels (i.e., the trust zone includes the three channels). If the data of the CPU channel are different and weight 1 is less than the sum of weight 2 and weight 3, then the MCU channel and FPGA channel are accepted channels. If the data of the CPU channel are different and weight 1 is greater than the sum of weight 2 and weight 3, then the CPU channel is accepted channel. If the data of the three channels are all different and weight 1 is the largest, then the CPU channel is accepted channel.

[0028] If at time i the CPU channel and FPGA channel are considered reliable, while the MCU channel is unreliable, the current weight update formula is as follows: ; ; ; In the formula, These are the updated current weights for the CPU channel, MCU channel, and FPGA channel, respectively. α and β are the reward factor greater than 1 and the penalty factor less than 1, respectively.

[0029] The updated current weight at the other level will serve as the criterion for judging the trust level of the next read result. The update frequencies of the two levels of current weights may differ, but both will be normalized, so forced synchronization is not required. However, it's important to consider the possibility of simultaneous updates; at the software level, a mutex lock can be added to ensure independent and orderly updates. Furthermore, the system has a current weight monitoring task that records and saves the current weight of each storage channel in real time. When the current weight of a storage channel falls below a weight threshold... If this happens, the storage channel will be marked as abnormal and "unavailable" in the scheduling pool, and subsequent read / write requests will no longer be scheduled for it. Ultimately, the monitoring personnel will decide whether to restart and restore the storage channel.

[0030] Example 2: Based on Example 1, this example proposes a storage method for an embedded storage system based on mimicry defense and trusted computing, including the following steps: During the system startup phase, the trusted management controller sequentially performs startup phase static measurements on each storage channel in the heterogeneous storage channel set to determine the trusted status of each storage channel. Once the system enters the ready state, it listens for data read requests based on the mimicry storage agent and synchronously sends data read instructions to the storage channels in parallel. It receives the read results returned by each storage channel and the real-time trusted health report generated by the trusted management controller during the running phase, and performs dynamic weighted selection decision.

[0031] Example 3: Based on the method described in Example 2, this example proposes a specific implementation scheme.

[0032] Based on the design concept of integrating mimicry defense and trusted computing, three completely heterogeneous hardware storage channels were built, along with a trusted management controller. The entire hardware architecture is independent yet complementary, laying a solid underlying hardware foundation for mimicry defense. The hardware selection, electrical connections, and software operating environment for each storage channel are as follows.

[0033] The CPU is a Rockchip 3568, featuring a quad-core ARM Cortex-A55 architecture with a clock speed of 1.6GHz; the storage medium is a Longetech eMMC 5.1 chip with a capacity of 64GB; the connection method is that the Rockchip 3568 has an integrated eMMC controller, which is directly connected to the eMMC chip through 8-bit parallel data lines, synchronous clock lines, and command control lines; the processor runs the RT-Thread operating system and uses the FAT32 file system to standardize the management of the eMMC storage partitions.

[0034] The MCU uses GigaDevice's 32-bit microprocessor, based on the ARM Cortex-M4 core, with a main frequency of 108MHz; the storage medium adopts on-chip integrated memory, including on-chip Flash, of which 32KB space is specially allocated as a dedicated data storage area, eliminating the need for external storage chips; the software runs bare-metal programs, without any operating system or file system, and reads and writes to the on-chip Flash are achieved through the flash memory controller.

[0035] The FPGA used is a domestically produced FPGA from Ziguang Tongchuang, with 20K equivalent logic units and a built-in 1MB BRAM (Block Random Access Memory) block. The hardware logic execution is completely deterministic, with no software execution risks. The storage medium is divided into two parts: one is an internal dual-port BRAM for high-speed caching of critical data, and the other is an external domestically produced Synchronous Dynamic Random Access Memory (SDRAM) with a capacity of 32MB and an operating frequency of 166MHz, which is read and written through the FPGA's built-in SDRAM controller. This storage channel does not run any software program; all functions are implemented through a finite state machine written in a hardware description language.

[0036] The CPU and MCU are connected via a UART3 serial port (UART, Universal Asynchronous Receiver / Transmitter) to achieve bidirectional communication with the Rockchip 3568's UART1 serial port. The baud rate is configured at 115200bps, with 8 data bits, 1 stop bit, and no parity bit. The communication protocol is simple and stable. The CPU is connected to the FPGA via an SPI (Serial Peripheral Interface) slave mode to the Rockchip 3568's SPI0 (Serial Peripheral Interface) interface, with a clock frequency of 25MHz. It is also connected to the Rockchip 3568's General Purpose Input / Output (GPIO) interface via a parallel bus as a dedicated control signal line to achieve fast interaction of instructions and status. The three storage channels are heterogeneous in three dimensions: processor architecture, physical location of storage media, and software form factor. The processor architecture encompasses high-performance CPUs, low-power MCUs, and hardware logic FPGAs. The physical location of the storage media includes off-chip discrete chips, on-chip integrated Flash, and FPGA built-in memory (BRAM). The software form factor includes file systems of Real-Time Operating Systems (RTOS), bare-metal direct operation, and pure hardware without software. Attackers will find it virtually impossible to find an attack method that can simultaneously target all three storage channels, fundamentally eliminating the possibility of a common-mode attack.

[0037] The Trusted Management Controller uses the domestically produced Unisplendour Microelectronics TPM 2.0 Trusted Root chip, which communicates with Rockchip 3568 via the SPI2 bus, with a clock frequency configured at 10MHz. To ensure the security of the Trusted Root, the chip is powered by a dedicated 3.3V independent power supply, which is completely isolated from the power supplies of other storage channels to avoid power interference or malicious power supply attacks affecting the Trusted Measurement results. It is responsible for the static and dynamic measurements and Trusted Health Report generation of all storage channels in the entire system.

[0038] After the system powers on, a full-channel trusted static measurement is performed according to the preset startup sequence to ensure that the firmware and software of each storage channel have not been tampered with and are in a trusted initial state. The specific steps are as follows: Trusted CPU Boot: The Rockchip 3568 reads the U-Boot (Universal Boot Loader) bootloader from the SPI Flash, compares the hash value using a 256-bit secure hash algorithm with the baseline value in the TPM chip platform configuration register 0, and immediately locks the CPU if the comparison result is abnormal. After U-Boot completes boot, it performs hash value measurement on the real-time thread kernel and extends the measurement result into PCR2 (Peripheral Control Register). If the comparison fails, the subsequent boot process is terminated. After the kernel boots normally, it sequentially measures the hash values ​​of the eMMC driver and storage agent and synchronously extends them to the PCR4 register, completing the end-to-end static measurement.

[0039] MCU Trusted Boot: The microprocessor's on-chip bootloader reads the on-chip Flash user firmware and compares a 32-bit cyclic redundancy check (CRC) code with the baseline value at the end of the firmware. If the comparison results match, the boot process is normal; otherwise, it enters ISP (In-System Programming) mode and waits for re-programming. After booting, a boot completion report is sent to the Rockchip 3568 via a Universal Asynchronous Receiver / Transmitter (UART). The Rockchip 3568 has a 5-second timeout; if the report is not received within the timeout period, the boot process is considered a failure and the system degrades to lower performance.

[0040] FPGA Trusted Startup: The Rockchip 3568 reads the raw bitstream from the FPGA's SPI Flash, performs a 256-bit secure hash algorithm to compare it with the TCM chip's PCR6 reference value, and after the comparison is successful, sends the bitstream byte by byte to the FPGA via SPI to complete the configuration. After the configuration is complete, the FPGA sends a high-level confirmation signal via GPIO.

[0041] After all three storage channels have successfully completed trusted boot and passed the measurement, the Rockchip 3568 records the boot measurement results of each storage channel in the secure storage area for use in subsequent mimicry storage agent weight initialization. The initial weights for the CPU, MCU, and FPGA storage channels are set to 0.4, 0.3, and 0.3 respectively. Two levels of current weight update tasks are initiated for each channel, awaiting read and write requests from applications. The system then officially enters the ready-to-work state. If any storage channel fails to boot, the system will automatically disable that storage channel and record the fault information in the operation log.

[0042] In this embodiment, during the first-level current weight update, the current weight of each storage channel is directly derived from the trusted health report score generated by the trusted management controller. After performing static and dynamic measurements on each storage channel, the trusted management controller generates a trusted health report score ranging from 0 to 100, which is used by the mimicry storage agent in the weighted selection decision.

[0043] The Trusted Management Controller measures each storage channel every 1 second and generates a Trusted Health Report. This report includes a comprehensive score, which consists of three parts: static measurement score, runtime behavior score, and real-time response score. The total score is calculated by adding these three scores together. The static measurement score accounts for 40 points and is determined based on the measurement results recorded at system startup. For the CPU, the hash values ​​of the real-time thread kernel, eMMC driver, and storage agent must completely match the TPM baseline value to receive 40 points; any mismatch results in 0 points. For the MCU, the firmware 32-bit cyclic redundancy check code must be consistent with the startup value to receive 40 points; otherwise, 0 points are awarded. For the FPGA, the FPGA configuration file hash value must match the TCM baseline value to receive 40 points; otherwise, 0 points are awarded. Furthermore, if the static measurement score is 0, the storage channel is considered "untrusted."

[0044] The runtime behavior score also accounts for 40 points, based on runtime monitoring data within the current cycle. For the CPU, the main focus is on monitoring whether there are crash records in the kernel log and whether there are timeout errors in the driver. 40 points are awarded for no abnormalities, and 10 points are deducted for each abnormality, until all points are deducted. For the MCU, the focus is on monitoring the Flash self-test error count, watchdog reset count, and UART communication error rate. 40 points are awarded for no abnormalities, and 8 points are deducted for each abnormality. For the FPGA, the focus is on monitoring the BRAM parity error count, SDRAM self-test status, and temperature reading. 40 points are awarded for no abnormalities, 5 points are deducted for each BRAM error, 15 points are deducted for each SDRAM abnormality, and 10 points are deducted for temperatures exceeding 85℃.

[0045] Real-time response accounts for 20 points. Based on the read / write response latency assessment within the current cycle, each storage channel needs to pre-calculate the historical response time baseline, which is the average of the past 100 successful responses. Within the current cycle, if the average response time deviates from the baseline by no more than ±20%, 20 points are awarded; if it deviates by 20% to 50%, 10 points are awarded; and if the deviation exceeds 50% or a timeout occurs, 0 points are awarded. For example, if the MCU scores 40 points for firmware matching, 40 points for no operational anomalies, and 20 points for normal response time in this cycle, its total score is 100 points.

[0046] After each Trusted Health Report update, the task will perform a normalization update on the current storage channel weights. Assuming the current weights of the three storage channels are {0.4, 0.3, 0.3}, and the Trusted Health Report scores of the three storage channels are {90, 95, 100}, the updated weights of the three storage channels will be {0.38, 0.30, 0.32}.

[0047] In this embodiment, the reward factor α and the penalty factor β are set to 1.05 and 0.95, respectively. After receiving the data read instruction from the relay protection application, the mimicry storage agent synchronously sends read instructions for the same set of target data to the three storage channels according to the preset full-channel scheduling strategy. If the read results of the three storage channels are completely consistent, they are directly output, and the current weights of the three storage channels are updated according to the current weight update formula, i.e., multiplied by the reward factor. If there are differences in the read results, based on the test scenario of this embodiment, assuming that the read results of the CPU channel and the FPGA channel are consistent, and the read results of the MCU channel are different, the current weights of the CPU channel and the FPGA channel are compared with the current weight of the same MCU channel. (0.38+0.32)>0.3, so the data output result is the read result of the CPU channel or the FPGA channel, and then the current weight is updated to {0.39,0.28,0.33}. If the read results of the three storage channels are different, the read result with the largest current weight is selected for output, but the current weight is not updated at this time. At the same time, the weight threshold of the three storage channels is set to When the current weight of a storage channel falls below this threshold, the storage channel will be marked as an abnormal channel and will no longer participate in the subsequent weighted selection decision strategy.

[0048] The mimicry storage agent returns the results of the adjudication to the application, while recording the details of the adjudication, including data consistency, weight values, and anomaly marking results for each storage channel. It also updates the current weight of each storage channel and retains security audit logs.

[0049] The embodiments of the present invention have been described above with reference to the accompanying drawings. However, the present invention is not limited to the specific embodiments described above. The specific embodiments described above are merely illustrative and not restrictive. Those skilled in the art can make many other forms under the guidance of the present invention without departing from the spirit and scope of the claims. All of these forms are within the protection scope of the present invention.

Claims

1. An embedded storage system based on mimicry defense and trusted computing, characterized in that, This includes heterogeneous storage channel sets, mimicry storage agents, and trusted management controllers; The heterogeneous storage channel set includes several heterogeneous storage channels, which are used to respond in parallel to the data read instructions issued by the mimicry storage agent and to independently store the same target data; The trusted management controller is communicatively connected to the storage channel and is used to perform static measurements during the startup phase to determine the trusted status of each storage channel, perform dynamic measurements during the operation phase to generate a trusted health report for each storage channel in real time, and synchronize the trusted health reports of each storage channel to the mimicry storage agent. The mimicry storage agent is communicatively connected to the storage channel and the trusted management controller, and is used to send data read commands to the storage channel in parallel and receive read results returned by each storage channel; based on the read results and the trusted health report, it performs dynamic weighted selection decision; wherein, the dynamic weighted selection decision filters out valid data and marks abnormal channels according to the current weight of the storage channel; after obtaining the trusted health report, the mimicry storage agent updates its current weight according to the trusted health report score; after obtaining the read results, the mimicry storage agent updates its current weight according to the consistency verification result of the read results.

2. The embedded storage system based on mimicry defense and trusted computing according to claim 1, characterized in that, The heterogeneous storage channel set includes a central processing unit main channel, a microprocessor channel, and a programmable logic device hardware logic channel.

3. The embedded storage system based on mimicry defense and trusted computing according to claim 1, characterized in that, The trusted management controller is built on a hardware root of trust and is powered by an independent power supply that is physically isolated from the power supply of the storage channel.

4. The embedded storage system based on mimicry defense and trusted computing according to claim 1, characterized in that, The static measurement during the startup phase refers to the integrity measurement of the firmware and preset software in each storage channel during the system power-on startup phase, and the measurement results are compared with the pre-stored benchmark values ​​to determine whether each storage channel is in a clean and reliable state at startup. The dynamic measurement during the operation phase refers to the real-time measurement of key behavioral characteristics of each storage channel in a periodic or event-triggered manner during the normal operation of the system, generating a real-time reliable health report for each storage channel. The key behavioral characteristics of each storage channel include system call sequence, memory access pattern, and interrupt response time.

5. The embedded storage system based on mimicry defense and trusted computing according to claim 1, characterized in that, The initial weights of the storage channels are preset based on the heterogeneous hardware characteristics, anti-attack capabilities, and operational stability of each storage channel.

6. The embedded storage system based on mimicry defense and trusted computing according to claim 1, characterized in that, The current weights are updated based on the Trusted Health Report score, including: Multiply the current weight of each storage channel by the corresponding trusted health report score, and normalize each product to obtain the updated current weight of each storage channel.

7. The embedded storage system based on mimicry defense and trusted computing according to claim 1, characterized in that, The current weight is updated based on the consistency check result of the read result, including: Determine whether the reading results of each storage channel for the same target data are consistent. If the reading results are consistent, multiply the current weight of each storage channel by the reward factor, and normalize each product to obtain the updated current weight of each storage channel. If the read result of a certain storage channel is inconsistent with that of other storage channels, the current weight of that storage channel is compared with the sum of the current weights of the other storage channels. The channel with the larger value is selected as the accepted channel, and the others are selected as unaccepted channels. The current weight of the accepted channel is multiplied by the reward factor, and the current weight of the unaccepted channel is multiplied by the penalty factor. The products are then normalized to obtain the updated current weights of the accepted and unaccepted channels.

8. The embedded storage system based on mimicry defense and trusted computing according to claim 7, characterized in that, Valid data is filtered out based on the current weight of the storage channel, and abnormal channels are marked, including: If the read results returned by each storage channel are the same, the read results of each storage channel at that time shall be regarded as valid data; When the read results returned by each storage channel are different, the read result of the accepted channel is taken as valid data, and the storage channel whose updated current weight is lower than the preset threshold and contradicts the read result of the accepted channel is marked as an abnormal channel.

9. An embedded storage method based on mimicry defense and trusted computing, characterized in that, The system applied to any one of claims 1 to 8 comprises: During the system startup phase, the trusted management controller sequentially performs startup phase static measurements on each storage channel in the heterogeneous storage channel set to determine the trusted status of each storage channel. Once the system enters the ready state, it listens for data read requests based on the mimicry storage agent and synchronously sends data read instructions to the storage channels in parallel. It receives the read results returned by each storage channel and the real-time trusted health report generated by the trusted management controller during the running phase dynamic measurement, and performs dynamic weighted selection decision.