A process trust measurement method, device, apparatus and storage medium
By classifying processes by importance and employing different address mapping algorithms, the problems of resource waste and startup delay in existing technologies are solved, thereby improving the accuracy of process reliability measurement and resource utilization.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- PRANUS BEIJING TECH CO LTD
- Filing Date
- 2026-02-26
- Publication Date
- 2026-06-19
AI Technical Summary
Existing dynamic process measurement methods, while ensuring reliability, suffer from resource waste and startup delays; in particular, they have difficulty detecting tampering accurately during process runtime and have low resource utilization.
By classifying processes by importance and using different address mapping algorithms to calculate baseline values, complete mapping is ensured for high-importance processes, while low-importance processes are mapped as needed, reducing resource waste.
It improves the accuracy of process reliability measurement and system resource utilization, ensures the integrity and accuracy of high-importance processes, and reduces the resource consumption of low-importance processes.
[Figure: abstract drawing, CN122241684A_ABST]
Description
Technical Field
[0001] This disclosure relates to the field of trusted computing, and more particularly to a method, apparatus, device, and storage medium for measuring process trust.
Background Technology
[0002] With social development and the improvement of people's living standards, people are becoming increasingly reliant on mobile phones. A large number of processes run on mobile phones, and the security and reliability of these processes are of paramount importance.
[0003] Currently, trusted computing for processes is mainly divided into two categories: static measurement and dynamic measurement. Static measurement involves inspecting the binary data on flash memory before the process starts, primarily to prevent the binary data from being replaced. However, it has the limitation of not being able to measure the trustworthiness of a running process. To achieve trustworthiness measurement during process execution, dynamic measurement methods have been introduced. This method involves periodic dynamic inspections of the process during program execution to prevent tampering with the process during runtime.
[0004] However, existing dynamic measurement methods typically acquire feature values of the process code segment as a baseline during the initial process execution. Subsequent periodic acquisitions of these feature values are then compared to the baseline, and the process's reliability is determined by their consistency. Since code segments are loaded on demand during program execution, only the code segments used during the initial run are loaded into memory, not the entire process's code segment. Therefore, the baseline value acquired during the initial run is incomplete. When unloaded code segments are subsequently acquired and measured, a new feature value emerges that is not present in the baseline. This inconsistency stems from the loading mechanism, not from actual tampering, leading to problems in reliability assessment.
[0005] In another dynamic measurement method, in order to improve the accuracy of dynamic measurement, it is necessary to force the entire code segment of the process to be loaded into memory. However, although this dynamic measurement method improves the accuracy of dynamic measurement, it causes process startup delay and serious waste of system resources.
[0006] Therefore, how to improve the utilization rate of system resources while ensuring the accuracy of process credibility measurement is a technical problem that urgently needs to be solved by those skilled in the art.
Summary of the Invention
[0007] In view of this, this disclosure proposes a process trust measurement method, apparatus, device and storage medium. The method uses different address mapping algorithms for processes of different importance levels to calculate the baseline value corresponding to processes of different importance levels, so as to effectively determine whether the process to be measured is trustworthy when dynamically measuring the process to be measured.
[0008] According to one aspect of this disclosure, a method for measuring process trustworthiness is provided, comprising: obtaining the importance level classification of the process to be measured; calculating a baseline value for the process to be measured using an address mapping algorithm that matches the importance level; and, when the process to be measured is running, determining the reliability of the process to be measured based on the baseline value.
[0009] In one possible implementation, the importance ranking includes at least one of high importance and low importance.
[0010] In one possible implementation, the importance of the process to be measured is classified as high importance. Calculating the baseline value of the process to be measured using an address mapping algorithm that matches the importance level includes the following steps: obtain the virtual address range corresponding to the code segment of the process to be measured; according to the preset page size, sequentially read code segments of the corresponding size from the virtual address range and map them to the corresponding physical memory pages; determine whether the code segment is successfully mapped: if the mapping is successful, calculate the baseline value corresponding to the physical memory page; if the mapping fails, trigger a page fault, remap the code segment, and continue until the code segment is successfully mapped, then calculate the baseline value corresponding to the physical memory page; after all code segments in the virtual address range are successfully mapped, construct a baseline value for the process to be measured based on the baseline value corresponding to each physical memory page.
[0011] In one possible implementation, calculating the baseline value corresponding to the physical memory page includes: reading the code segment stored in the physical memory page and calculating the hash value of the code segment; calculating the number corresponding to the physical memory page; and using the number and the hash value as the baseline value corresponding to the physical memory page.
[0012] In one possible implementation, the importance of the process to be measured is classified as low importance. Calculating the baseline value of the process to be measured using an address mapping algorithm that matches the importance level includes the following steps: obtain the virtual address range corresponding to the code segment of the process to be measured; according to the preset page size, sequentially read code segments of the corresponding size from the virtual address range and map them to the corresponding physical memory pages; determine whether the code segment is successfully mapped: if the mapping is successful, calculate the baseline value corresponding to the physical memory page; if the mapping fails, do not trigger a page fault, but calculate the number corresponding to the physical memory page and mark it with a page fault identifier as the abnormal mapping identifier corresponding to the physical memory page; after all code segments in the virtual address range have undergone mapping operations, construct a baseline value for the process to be measured based on the baseline value or abnormal mapping identifier corresponding to each physical memory page.
[0013] In one possible implementation, determining whether the process to be measured is trustworthy based on the baseline value includes: calculating the characteristic values of each physical memory page corresponding to the process to be measured; and, based on the characteristic values of each physical memory page and the baseline value, determining whether the process to be measured is trustworthy.
[0014] In one possible implementation, calculating the characteristic values of each physical memory page corresponding to the process to be measured includes: obtaining the virtual address range corresponding to the code segment of the process to be measured; according to the preset page size, sequentially reading code segments of the corresponding size from the virtual address range and mapping them to the corresponding physical memory pages; and determining whether the code segment was successfully mapped: if the mapping was successful, calculating the feature value corresponding to the physical memory page; if the mapping failed, executing the mapping operation of the next code segment.
[0015] According to a second aspect of this disclosure, a process trust measurement apparatus is provided, comprising: an importance grading module, which obtains the importance grading of the process to be measured; a baseline value calculation module, which calculates the baseline value of the process to be measured using an address mapping algorithm that matches the importance level; and a process trust measurement module, which, when the process to be measured is running, determines whether the process to be measured is trustworthy based on the baseline value.
[0016] According to a third aspect of this disclosure, a process trust measurement device is provided, comprising: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to perform the above-described method.
[0017] According to a fourth aspect of this disclosure, a non-volatile computer-readable storage medium is provided that stores computer program instructions thereon, wherein the computer program instructions, when executed by a processor, implement the above-described method.
[0018] This disclosure provides a method, apparatus, device, and storage medium for process trust measurement. The method includes: obtaining an importance level classification of the process to be measured; calculating a baseline value of the process to be measured using an address mapping algorithm that matches the importance level classification; and determining whether the process to be measured is trustworthy based on the baseline value during its execution. This disclosure improves the accuracy of process trust measurement while simultaneously increasing system resource utilization by classifying the importance of the process to be measured and employing different address mapping algorithms for processes with different importance levels.
[0019] Other features and aspects of this disclosure will become clear from the following detailed description of exemplary embodiments with reference to the accompanying drawings.
Attached Figure Description
[0020] The accompanying drawings, which are included in and form part of this specification, illustrate exemplary embodiments, features, and aspects of this disclosure together with the specification and serve to explain the principles of this disclosure.
[0021] Figure 1 shows a flowchart of a process trust measurement method according to an embodiment of this disclosure; Figure 2 shows a flowchart of a high-importance process obtaining a baseline value in one embodiment of this disclosure; Figure 3 shows a flowchart of the acquisition of a baseline value for a low-importance process in one embodiment of this disclosure; Figure 4 shows a schematic block diagram of a process trust measurement device according to an embodiment of this disclosure.
Detailed Implementation
[0022] Various exemplary embodiments, features, and aspects of this disclosure will now be described in detail with reference to the accompanying drawings. The same reference numerals in the drawings denote elements that have the same or similar functions. Although various aspects of the embodiments are shown in the drawings, they are not necessarily drawn to scale unless specifically indicated otherwise.
[0023] The term “exemplary” as used herein means “serving as an example, embodiment, or illustration.” Any embodiment illustrated herein as “exemplary” is not necessarily to be construed as superior to or better than other embodiments.
[0024] Furthermore, to better illustrate this disclosure, numerous specific details are set forth in the following detailed description. Those skilled in the art will understand that this disclosure can be practiced without certain specific details. In some instances, methods, means, components, and circuits well known to those skilled in the art have not been described in detail in order to highlight the main points of this disclosure.
[0025] <Method Implementation> Figure 1 shows a flowchart of a process trust measurement method according to an embodiment of the present disclosure. Specifically, it includes: step S100, obtaining the importance level of the process to be measured; step S200, calculating a baseline value for the process to be measured using an address mapping algorithm matching the importance level; and step S300, determining whether the process to be measured is trustworthy based on the baseline value during its execution.
[0026] This disclosure classifies the importance of processes to be measured into different levels, and then uses different address mapping algorithms to calculate the baseline value of the processes to be measured for processes of different importance levels, which greatly improves the accuracy of the baseline values of processes of different importance levels. Then, during the operation of the processes to be measured, based on the baseline values of processes of different importance levels, it is possible to effectively determine whether the processes to be measured are trustworthy, and further improve the resource utilization of the system.
[0027] First, it's important to clarify that the importance ranking of the processes being measured is determined by a dynamic process measurement strategy (i.e., process importance). This strategy defines the scope of process measurement—which processes are dynamically measured—and also establishes the importance ranking. It's worth noting that importance ranking includes at least one of two categories: high importance and low importance. For example, the operating system's init process (the first process to start the system) and processes of critical business applications are considered high importance processes.
[0028] In one possible implementation, the importance level of a process is determined based on its importance identifier. Specifically, when a process is created, the user assigns it an importance identifier. When the process starts, the system obtains this identifier, determines its importance level, and then uses an address mapping algorithm that matches the importance level to calculate the baseline value of the process to be measured.
[0029] In one possible implementation, the importance of the process to be measured is classified as high importance. Calculating the baseline value of the process to be measured using an address mapping algorithm that matches the importance classification then proceeds as follows. First, the virtual address range corresponding to the code segment of the process to be measured is obtained. Specifically, the system executing this method is configured with a kernel measurement module. After the kernel measurement module starts, its built-in kernel functions obtain the name of the process to be measured and obtain the PID (Process Identifier) of the process based on the name. Next, the virtual start address and virtual end address corresponding to the code segment are determined based on the PID of the process to be measured. Finally, the range between the virtual start address and the virtual end address is taken as the virtual address range corresponding to the code segment of the process to be measured.
[0030] Then, according to the preset page size, code segments of the corresponding size are sequentially read from the virtual address range and mapped to the corresponding physical memory pages. Specifically, when the virtual start address is less than the virtual end address, the virtual address range of the process code segment to be measured is traversed in units of the preset page size, and code segments of the preset page size are sequentially read from the virtual start address and mapped to the corresponding physical memory pages. The preset page size can be designed according to the CPU paging mechanism. For example, in mainstream architectures such as x86 / ARM where the MMU (Memory Management Unit) natively defines 4KB as the basic page size, the preset page size can be designed to be 4KB.
[0031] Next, it is determined whether the code segment was successfully mapped: if the mapping is successful, the baseline value corresponding to the physical memory page is calculated; if the mapping fails, a page fault is triggered, and the code segment is re-mapped until the code segment is successfully mapped, and then the baseline value corresponding to the physical memory page is calculated.
[0032] It should be noted that the system executing this method has a pre-defined kernel function (the follow_page function) that can be used to determine whether a code segment has been successfully mapped. Specifically, during the mapping process of each code segment, the kernel function queries whether the code segment of the pre-defined page size has been mapped to the corresponding physical memory page. Each code segment is stored in an independent physical memory page. If it has been mapped to the corresponding physical memory page, the mapping is successful, and the baseline value corresponding to that physical memory page is directly calculated. If it has not been mapped to the corresponding physical memory page, the mapping has failed, and a page fault is triggered. The code segment is re-mapped, forcing it to be mapped to the corresponding physical memory page, and the baseline value corresponding to that physical memory page is calculated. This process is repeated for the virtual address range of the code segments of the process to be measured. When a code segment is successfully mapped, the virtual start address of the next code segment is incremented by the pre-defined page size, and the number of the physical memory page corresponding to the next code segment is incremented by 1, until the virtual start address of the next code segment is greater than the virtual end address of the virtual address range, at which point the traversal ends. This ensures that the code segments of highly important processes are all mapped into physical memory pages, thus guaranteeing that the baseline values obtained during dynamic process measurement are complete and accurate.
[0033] It should be noted that the calculation of the baseline value corresponding to the physical memory page of a high-importance process specifically includes: first, reading the code segment stored in the physical memory page and calculating the hash value of the code segment in the physical memory page; then, calculating the corresponding physical memory page number; finally, using the physical memory page number and hash value as the baseline value corresponding to the physical memory page.
[0034] Finally, after all code segments in the virtual address space are successfully mapped, a baseline value for the process to be measured is constructed based on the baseline values corresponding to each physical memory page. Specifically, the baseline values corresponding to each physical memory page are recorded sequentially into the data structure corresponding to the high-importance process, thus constructing the baseline value for the high-importance process, which is used as the baseline value when dynamically measuring the high-importance process. The sequential recording of the baseline values corresponding to each physical memory page into the data structure corresponding to the high-importance process is done according to the physical memory page numbering order.
[0035] To clearly explain the method for obtaining baseline values for the aforementioned high-importance processes, an example of obtaining baseline values for high-importance processes is explained below with reference to Figure 2. As shown in Figure 2, the method includes:
Step S110: Obtain the PID of the process to be measured based on its name.
Step S120: Obtain the virtual start address and virtual end address of the code segment of the process to be measured based on the PID of the process to be measured, and use them as the virtual address range corresponding to the code segment of the process to be measured.
Step S130: Determine whether the virtual start address of the currently read 4K code segment is less than the virtual end address of the virtual address range. If the virtual start address of the read 4K code segment is less than the virtual end address, proceed to step S140; if the virtual start address of the read 4K code segment is greater than the virtual end address of the virtual address range, proceed to step S170.
Step S140: Calculate the corresponding physical address (i.e., physical page) based on the virtual start address of the currently read 4K code segment. When the 4K code segment is successfully mapped, directly calculate the hash value and number of the physical page. If the mapping fails, trigger a page fault, forcibly map the code segment to the corresponding physical page, and calculate the hash value and corresponding number of the physical page. Here, the physical page refers to the physical memory page mentioned above.
Step S150: Record the physical page hash value and corresponding number in order into the data structure corresponding to the process to be measured, as the baseline value of the physical memory page.
Step S160: The virtual start address of the currently read 4K code segment is incremented by one page (4K), and its corresponding physical page number is incremented by 1.
Step S170: End.
[0036] In one possible implementation, the importance of the process to be measured is classified as low importance; when calculating the baseline value of the process to be measured using an address mapping algorithm that matches the importance classification, the following steps are included: First, obtain the virtual address range corresponding to the code segment of the process to be measured; see above for the specific method of obtaining it.
[0037] Then, according to the preset page size, code segments of the corresponding size are sequentially read from the virtual address range and mapped to the corresponding physical memory pages; see the above for the specific reading process.
[0038] Next, it is determined whether the code segment was successfully mapped: if the mapping is successful, the baseline value corresponding to the physical memory page is calculated; if the mapping fails, no page fault is triggered, and the number corresponding to the physical memory page is calculated and marked with a page fault identifier as the abnormal mapping identifier corresponding to the physical memory page. The determination of whether the code segment was successfully mapped can be implemented by a system-preset kernel function. When the code segment is successfully mapped, the baseline value corresponding to the physical memory page is calculated. The calculation method is the same as the method for calculating the baseline value of high-importance processes mentioned above, and will not be repeated here.
[0039] It should be noted that when the kernel function determines that a code segment of the preset page size has not been mapped to a physical memory page, the mapping has failed. In this case, no page fault is triggered. Instead, the corresponding physical memory page number is calculated and marked with a page fault identifier as an abnormal mapping identifier for the physical memory page. This process is repeated for the virtual address range of the code segments of the process being measured. Regardless of whether the code segment mapping is successful, the virtual start address of the next code segment is incremented by the preset page size, and the physical memory page number corresponding to the next code segment is incremented by 1, until the virtual start address of the next code segment is greater than the virtual end address of the virtual address range, at which point the traversal ends. Therefore, this technical solution, for low-importance processes, does not trigger page faults, calculates the baseline value of the page used, and only records the baseline values of core code segments that are crucial to their own operation, ensuring that low-importance processes do not excessively consume system resources.
[0040] Finally, after all code segments in the virtual address space have undergone mapping operations, a baseline value for the process to be measured is constructed based on the baseline value or exception mapping identifier corresponding to each physical memory page. Specifically, the baseline value or exception mapping identifier corresponding to each physical memory page is recorded sequentially into the data structure corresponding to the low-importance process, thereby constructing the baseline value for the low-importance process, which is used as the baseline value when dynamically measuring the low-importance process. When recording the baseline value or exception mapping identifier corresponding to each physical memory page into the data structure corresponding to the low-importance process, the recording is done according to the physical memory page numbering order.
[0041] To clearly explain the method for obtaining baseline values for low-importance processes, an example of obtaining baseline values for low-importance processes is explained below with reference to Figure 3. As shown in Figure 3, the method includes:
Step S210: Obtain the PID of the process to be measured based on its name.
Step S220: Obtain the virtual start address and virtual end address of the code segment of the process to be measured based on the PID of the process to be measured, and use them as the virtual address range corresponding to the code segment of the process to be measured.
Step S230: Determine whether the virtual start address of the currently read 4K code segment is less than the virtual end address of the virtual address range. If the virtual start address of the read 4K code segment is less than the virtual end address, proceed to step S240; if the virtual start address of the read 4K code segment is greater than the virtual end address of the virtual address range, proceed to step S290.
Step S240: Calculate the corresponding physical address (i.e., physical page) based on the virtual start address of the read 4KB code segment. If the 4KB code segment is successfully mapped, calculate the hash value and number corresponding to the physical page. If the mapping fails, no page fault is triggered. Calculate the number corresponding to the physical page and mark it with a page fault flag, which serves as the abnormal mapping flag for the physical page. Here, the physical page refers to the physical memory page mentioned above.
Step S250: Determine if the physical address of the 4K code segment to be read exists. If it exists, proceed to step S260; otherwise, proceed to step S270.
Step S260: Record the physical page hash value and corresponding number into the data structure corresponding to the process to be measured, as the baseline value of the physical memory page.
Step S270: Record the physical page number and the missing physical page marker (i.e., page fault identifier) in the corresponding data structure in sequence as the abnormal mapping identifier corresponding to the physical memory page.
Step S280: The virtual start address of the currently read 4K code segment is incremented by one page (4K), and its corresponding physical page number is incremented by 1.
Step S290: End.
[0042] It's important to note that because high-importance processes directly impact system security, their trustworthiness must be fully measured. Low-importance processes, on the other hand, pose far less of a threat to system security. Even if these processes are tampered with, they are unlikely to pose a significant threat, and the cost of repairing them is far lower than the system resources consumed in measuring them. Therefore, this solution constructs baseline values for all code segments of high-importance processes, ensuring the accuracy and completeness of the baseline values and significantly improving the accuracy of high-importance measurements. For low-importance processes, baseline values are recorded only as needed, focusing on the core code segments that are crucial to their operation, thus avoiding wasted system resources.
[0043] After obtaining the baseline values for the high-importance and low-importance processes using the above method, the next step is to determine whether the process to be measured is reliable.
[0044] In one possible implementation, determining the trustworthiness of a process to be measured based on the baseline value specifically includes the following. First, the characteristic values of each physical memory page corresponding to the process to be measured are calculated, which includes: 1. Obtain the virtual address range corresponding to the code segment of the process to be measured. See above for the specific method of obtaining it.
[0045] 2. According to the preset page size, code segments of the corresponding size are sequentially read from the virtual address range and mapped to the corresponding physical memory pages; see above for specific reading methods.
[0046] 3. Determine if the code segment mapping was successful: If mapping is successful, calculate the feature value corresponding to the physical memory page; if mapping fails, execute the mapping operation for the next code segment. The determination of successful code segment mapping can be implemented using a pre-defined kernel function. If the kernel function determines that a code segment of the pre-defined page size has not been mapped to a physical memory page, the mapping has failed, a page fault is not triggered, and the mapping operation for the next code segment is executed directly. This process iterates through the virtual address range of the code segments of the process to be measured. Regardless of whether the code segment mapping is successful, the virtual start address of the next code segment is incremented by the pre-defined page size, and the number of the physical memory page corresponding to the next code segment is incremented by 1, until the virtual start address of the next code segment is greater than the end address of the virtual address range, at which point the traversal ends. It should be noted that when calculating the feature value corresponding to the physical memory page, the physical memory page for which the feature value needs to be calculated differs depending on the importance level of the process to be measured.
[0047] In one possible implementation, the importance of the process to be measured is classified as high importance. When calculating the physical memory page feature value, physical memory pages that have not been successfully mapped are skipped directly. Only the feature value of the physical memory page corresponding to the successfully mapped code segment is calculated. Specifically, the hash value of the physical memory page corresponding to the successfully mapped code segment and the number of the physical memory page are calculated as the feature value of the physical memory page.
[0048] In another possible implementation, the importance of the process to be measured is classified as low importance. When calculating the physical memory page feature value, physical memory pages that have not been successfully mapped are skipped directly. Physical memory pages that have been successfully mapped but are marked with an abnormal mapping identifier in the baseline value of low importance processes are also skipped. Only the hash value of the physical memory page corresponding to the code segment that has been successfully mapped and has a baseline value record in the baseline value of low importance processes and the number of that physical memory page are calculated as the feature value of that physical memory page.
[0049] Then, based on the feature values and baseline values of each physical memory page, the trustworthiness of the process to be measured is determined. Specifically, the feature value of each physical memory page obtained above is compared one by one with its corresponding baseline value, until all physical memory page feature values match their corresponding baseline values. If the comparison is successful, the process is trustworthy; otherwise, the measurement fails, and the process has been tampered with. It should be noted that during the comparison, the number in the feature value of each physical memory page of the process to be measured is first compared with the number in its corresponding baseline value. If the numbers match, the hash value in the feature value of that physical memory page is then compared with the hash value in the baseline value. Only when the number and hash value in the feature value of each physical memory page of the process to be measured are completely consistent with the number and hash value in the baseline value is the measurement successful, and the process is trustworthy; otherwise, the measurement fails, and the process has been tampered with.
[0050] Therefore, this disclosure provides a method for process trustworthiness measurement, including: obtaining the importance level of the process to be measured; calculating the baseline value of the process to be measured using an address mapping algorithm that matches the importance level; and determining whether the process to be measured is trustworthy based on the baseline value during the execution of the process to be measured. This disclosure classifies the importance of the process to be measured and uses different address mapping algorithms for processes of different importance levels to calculate the baseline value of the process to be measured. For high-importance processes, page faults are forcibly triggered for code segments that fail to be mapped, ensuring that all code segments of the high-importance process are mapped to physical memory pages, and the baseline value is calculated, thereby ensuring the integrity and accuracy of the baseline value of the high-importance process. For low-importance processes, since these processes have less impact on system security, the cost of repairing them if tampered with is far lower than the system resources consumed in measuring them. Therefore, page faults are not triggered for code segments that fail to be mapped; only the baseline value of the core code segments that are crucial to their own operation and successfully mapped to physical memory pages is recorded, thereby ensuring that system performance is not excessively degraded. Therefore, different address mapping algorithms are used to calculate the baseline value for processes of different importance levels, and then the processes of different importance levels are measured, thereby ensuring the accuracy of process reliability measurement while improving the utilization of system resources.
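The following added example (not code from the patent or its applicant) models the baseline calculation and the runtime measurement for both importance levels. The `Process` class, the `ABNORMAL` marker, SHA-256 as the hash function and the 4096-byte page size are assumptions; the page table is simulated with a dictionary of resident pages.

```python
import hashlib

PAGE_SIZE = 4096         # assumed preset page size
ABNORMAL = "PAGE_FAULT"  # hypothetical stand-in for the abnormal mapping identifier

class Process:
    """Toy model: `image` is the code segment, `resident` holds mapped pages by number."""
    def __init__(self, image, resident_pages):
        self.image = image
        self.num_pages = (len(image) + PAGE_SIZE - 1) // PAGE_SIZE
        self.resident = {n: self.backing(n) for n in resident_pages}

    def backing(self, n):
        return self.image[n * PAGE_SIZE:(n + 1) * PAGE_SIZE]

def page_value(proc, n):
    # (page number, hash of page contents); SHA-256 is an assumption
    return (n, hashlib.sha256(proc.resident[n]).hexdigest())

def build_baseline(proc, high_importance):
    baseline = {}
    for n in range(proc.num_pages):        # walk the range one page at a time
        if n not in proc.resident:
            if not high_importance:        # low: no page fault, record the marker
                baseline[n] = (n, ABNORMAL)
                continue
            proc.resident[n] = proc.backing(n)  # high: model the forced page fault
        baseline[n] = page_value(proc, n)
    return baseline

def measure(proc, baseline):
    for n in range(proc.num_pages):
        if n not in proc.resident:
            continue                       # unmapped at measurement time: skip
        expected = baseline.get(n)
        if expected is None:
            return False                   # assumption: no record counts as a mismatch
        if expected[1] == ABNORMAL:
            continue                       # low importance: marked page is not measured
        number, digest = page_value(proc, n)
        if number != expected[0] or digest != expected[1]:
            return False                   # number first, then hash
    return True

if __name__ == "__main__":
    image = bytes(range(256)) * 48         # constructed 3-page code segment
    for high in (True, False):
        proc = Process(image, resident_pages=[0])
        baseline = build_baseline(proc, high)
        proc.resident[2] = b"\x00" * PAGE_SIZE   # constructed change to page 2
        print("high" if high else "low", "trusted:", measure(proc, baseline))
```

With only page 0 resident when the baseline is taken, the low-importance baseline marks pages 1 and 2 as abnormal, so a later change to page 2 falls outside measurement coverage, whereas the high-importance baseline covers every page and the same change fails the measurement.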
[0051] <Device Embodiment> An embodiment of this disclosure provides a process trust measurement device. The device includes: an importance classification module for obtaining an importance classification of a process to be measured; a baseline value calculation module for calculating a baseline value of the process to be measured using an address mapping algorithm that matches the importance classification; and a process trust measurement module for determining whether the process to be measured is trustworthy based on the baseline value when the process to be measured is running.
[0052] <Equipment Example> Figure 4 shows a schematic block diagram of a process trust measurement device according to an embodiment of the present disclosure. As shown in Figure 4, the process trust measurement device 200 includes a processor 210 and a memory 220 for storing executable instructions of the processor 210. The processor 210 is configured to implement any of the aforementioned process trust measurement methods when executing the executable instructions.
[0053] It should be noted here that the number of processors 210 can be one or more. Furthermore, the process trust measurement device 200 in this embodiment may also include an input device 230 and an output device 240. The processors 210, memory 220, input device 230, and output device 240 can be connected via a bus or other means, without specific limitations here.
[0054] The memory 220, as a computer-readable storage medium, can be used to store software programs, computer-executable programs, and various modules, such as the program or module corresponding to the process trust measurement method of the embodiments of this disclosure. The processor 210 executes various functional applications and data processing of the process trust measurement device 200 by running the software program or module stored in the memory 220.
[0055] Input device 230 can be used to receive input digits or signals. These signals may include key signals related to user settings and function control of the device / terminal / server. Output device 240 may include a display device such as a screen.
[0056] <Storage Medium Examples> According to a fourth aspect of this application, a non-volatile computer-readable storage medium is also provided, on which computer program instructions are stored, which, when executed by processor 210, implement any of the preceding process trust measurement methods.
[0057] The various embodiments of this disclosure have been described above. These descriptions are exemplary and not exhaustive, and are not limited to the disclosed embodiments. Many modifications and variations will be apparent to those skilled in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen to best explain the principles, practical applications, or technical improvements to the technology in the market, or to enable others skilled in the art to understand the embodiments disclosed herein.
Claims
1. A method for measuring process reliability, characterized in that it includes: obtaining the importance level classification of the process to be measured; calculating a baseline value for the process to be measured using an address mapping algorithm that matches the importance level; and, when the process to be measured is running, determining the reliability of the process to be measured based on the baseline value.
2. The method according to claim 1, characterized in that the importance level classification includes at least one of high importance and low importance.
3. The method according to claim 2, characterized in that the importance level of the process to be measured is classified as high importance, and calculating the baseline value of the process to be measured using an address mapping algorithm that matches the importance level includes the following steps: obtaining the virtual address range corresponding to the code segment of the process to be measured; according to the preset page size, sequentially reading code segments of the corresponding size from the virtual address range and mapping them to the corresponding physical memory pages; determining whether the code segment is successfully mapped: if the mapping is successful, calculating the baseline value corresponding to the physical memory page; if the mapping fails, triggering a page fault and remapping the code segment until the code segment is successfully mapped, then calculating the baseline value corresponding to the physical memory page; and, after all code segments in the virtual address range are successfully mapped, constructing a baseline value for the process to be measured based on the baseline value corresponding to each physical memory page.
4. The method according to claim 3, characterized in that calculating the baseline value corresponding to the physical memory page includes: reading the code segment stored in the physical memory page and calculating the hash value of the code segment; calculating the number corresponding to the physical memory page; and using the number and the hash value as the baseline value corresponding to the physical memory page.
5. The method according to claim 2, characterized in that the importance level of the process to be measured is classified as low importance, and calculating the baseline value of the process to be measured using an address mapping algorithm that matches the importance level includes the following steps: obtaining the virtual address range corresponding to the code segment of the process to be measured; according to the preset page size, sequentially reading code segments of the corresponding size from the virtual address range and mapping them to the corresponding physical memory pages; determining whether the code segment is successfully mapped: if the mapping is successful, calculating the baseline value corresponding to the physical memory page; if the mapping fails, not triggering a page fault, calculating the number corresponding to the physical memory page and marking it with a page fault identifier as the abnormal mapping identifier corresponding to the physical memory page; and, after all code segments in the virtual address range have undergone mapping operations, constructing a baseline value for the process to be measured based on the baseline value or abnormal mapping identifier corresponding to each physical memory page.
6. The method according to claim 1, characterized in that determining whether the process to be measured is trustworthy based on the baseline value includes the following steps: calculating the feature values of each physical memory page corresponding to the process to be measured; and, based on the feature values of each physical memory page and the baseline value, determining whether the process to be measured is trustworthy.
7. The method according to claim 6, characterized in that calculating the feature values of each physical memory page corresponding to the process to be measured includes: obtaining the virtual address range corresponding to the code segment of the process to be measured; according to the preset page size, sequentially reading code segments of the corresponding size from the virtual address range and mapping them to the corresponding physical memory pages; and determining whether the code segment was successfully mapped: if the mapping was successful, calculating the feature value corresponding to the physical memory page; if the mapping failed, executing the mapping operation of the next code segment.
8. A process reliability measurement device, characterized in that it includes: an importance grading module, which obtains the importance grading of the process to be measured; a baseline value calculation module, which calculates the baseline value of the process to be measured using an address mapping algorithm that matches the importance level; and a process trust measurement module, which, when the process to be measured is running, determines whether the process to be measured is trustworthy based on the baseline value.
9. A process trust measurement device, characterized in that it includes: a processor; and a memory used to store processor-executable instructions; wherein the processor is configured to implement the method of any one of claims 1 to 7 when executing the executable instructions.
10. A non-volatile computer-readable storage medium storing computer program instructions thereon, characterized in that, when the computer program instructions are executed by a processor, they implement the method described in any one of claims 1 to 7.