Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Hardware architecture based on hardware security isolation execution environment and measurement method applying context integrity

A technology of integrity measurement and application context, applied in internal/peripheral computer component protection, instruments, electrical digital data processing, etc., can solve problems such as large attack surface, large software overhead, and large efficiency loss

Active Publication Date: 2018-09-28
XUCHANG UNIV
View PDF14 Cites 6 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

The solution based on virtual machine isolation relies on the security of the management machine 320 and VMM310, has a large attack surface, and has a large software overhead, so it is suitable for the server environment, but it will bring a large amount to the PC terminal or mobile terminal. efficiency loss

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Hardware architecture based on hardware security isolation execution environment and measurement method applying context integrity
  • Hardware architecture based on hardware security isolation execution environment and measurement method applying context integrity
  • Hardware architecture based on hardware security isolation execution environment and measurement method applying context integrity

Examples

Experimental program
Comparison scheme
Effect test

Embodiment 1

[0067]The hardware security isolation execution environment includes security isolation hardware 400, security domain 420 and common domain 410 divided based on security isolation hardware, security domain code can access common domain storage and computing resources, common domain code cannot access security domain storage and computing resources; The application context includes a resource request process / application 431, an interest-related process / application 433, and kernel key resources 442, which mainly include a system call table 443, an interrupt description table 444, kernel code and static data 445, and kernel data structure metadata 446 , the global descriptor table 447, etc., the resource request process / application 431 initiates the measurement, the interest-related process / application 433 is generated by the system security policy 464, the kernel code and static data, and the metadata of the kernel data structure are extracted from the kernel image and compilation...

Embodiment 2

[0078] (1) Execution environment based on hardware security isolation: Figure 4 As shown, based on Trusted Execution Environment (TEE) technology, such as the TrustZone architecture, security extension is performed, including security isolation hardware 400 , security manager 461 , security service driver layer 441 and security service interface layer 462 . The security isolation hardware 400 provides a configurable hardware isolation environment; the security manager 461 can configure the security isolation hardware 400 to work in the normal domain 410 or the security domain 420; the security service driver layer 441 is located in the kernel space 440 of the normal domain 410 Provide security services for the user space 430, such as the measurement engine client 435 accessing the security isolation hardware 400 through the security service driver layer 441; the security service interface layer 462 is located in the kernel space 460 of the security domain 420, and provides sec...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The present invention provides a hardware architecture based on a hardware security isolation execution environment and a measurement method applying context integrity. The hardware architecture comprises security isolation hardware, a security manager, a security service driver layer, and a security service interface layer, wherein the security isolation hardware provides a configurable hardwareisolation environment; the security manager can configure the security isolation hardware to work in a normal domain or a security domain; the security service driver layer is located in a kernel space of the normal domain for providing security services for a user space; and the security service interface layer is located in the kernel space of the security domain for providing security servicesfor the user space in the security domain. The security manager can perform conversion between the normal domain and the security domain, the security service driver layer calls the security manager to switch from the normal domain to the security domain, and the security service interface layer calls the security manager to switch from the security domain to the normal domain. The hardware architecture based on the hardware security isolation execution environment and the measurement method applying context integrity in the invention support both the measurement of the integrity of the code and the dynamic measurement to detect whether the code is tampered with by a malicious program.

Description

technical field [0001] The invention belongs to the technical field of trusted computing, and in particular relates to an application context integrity measurement method based on hardware security isolation execution environment. Background technique [0002] The current network attack method has changed from advanced hackers' individual combat to Advanced Persistent Threats (APTs) launched by hacker groups supported by governments or organizations. APT attacks use a number of unknown 0-Day vulnerabilities to attack enterprise core networks, important national infrastructure, and important confidential information systems. It has the characteristics of wide attack range, long duration, and strong concealment. The "Stuxnet" attack on Iran's nuclear facilities showed that even a physically isolated network cannot guarantee absolute security. The core feature of an APT attack is to use the 0-Day vulnerability of the system through media ferrying and social attacks to modify t...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
IPC IPC(8): G06F21/74
CPCG06F21/74G06F2221/2105
Inventor 平源郝斌杨月华马慧李慧娜
Owner XUCHANG UNIV
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products