CN114528603A - Isolation dynamic protection method, device, equipment and storage medium of embedded system - Google Patents

Publication number
CN114528603A
Authority
CN
China
Prior art keywords
key
storage space
program
chip storage
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210432725.2A
Other languages
Chinese (zh)
Other versions
CN114528603B (en)
Inventor
董文强
王亮
颜昕明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Wise Security Technology Co Ltd
Original Assignee
Guangzhou Wise Security Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Wise Security Technology Co Ltd filed Critical Guangzhou Wise Security Technology Co Ltd
Priority to CN202210432725.2A priority Critical patent/CN114528603B/en
Publication of CN114528603A publication Critical patent/CN114528603A/en
Application granted granted Critical
Publication of CN114528603B publication Critical patent/CN114528603B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the present invention disclose an isolation dynamic protection method, apparatus, device and storage medium for an embedded system. The scheme loads the current program from the off-chip storage space, and reads and updates the key from the on-chip storage space; when data is written to the off-chip storage space through the current program, it generates verification information; it encrypts the verification information with the key to obtain encrypted verification information, saves the encrypted verification information to the off-chip storage space, and saves the key and the storage time information to the verification area of the on-chip storage space; when data is read from the off-chip storage space through the current program, it reads the encrypted verification information from the off-chip storage space; it reads the key and the storage time information from the verification area and obtains the corresponding reference verification information; and it compares the reference verification information with the encrypted verification information to confirm security. This achieves independent dynamic protection of the data processed by each program and avoids the situation in which the leakage of one program's key leads to the leakage of all programs' information.

Description

Isolation dynamic protection method, apparatus, device and storage medium for an embedded system

Technical field

Embodiments of the present invention relate to the technical field of embedded systems, and in particular to an isolation dynamic protection method, apparatus, device and storage medium for an embedded system.

Background

Devices based on embedded systems are increasingly widely used because of their flexibility and cost-effectiveness. The trend toward more and more embedded terminals and online interconnection also exposes the security of embedded systems to greater risk, and correspondingly the security of embedded systems is receiving more and more attention.

At present, the common attacks on embedded systems are mainly hardware attacks and software attacks. Overall, the idea behind a malicious attack on an embedded system is to obtain, by various means, the program code and data stored or processed inside the embedded system, resulting in the leakage of users' private information. To deal with malicious attacks, there are hardware protection strategies and software protection strategies. A software protection strategy is a software-based method, such as running anti-virus and anti-intrusion software to resist attacks. This kind of protection brings relatively high power consumption, and the software itself may also contain security vulnerabilities, so the overall cost-effectiveness of the protection is low. Compared with a software protection strategy, a hardware protection strategy has relatively good physical isolation, high computing speed and low resource overhead, and is the preferred strategy for protecting embedded systems.

In the existing hardware protection of embedded systems, a key is usually configured for the programs stored in the off-chip memory. With this configuration, if the key is leaked, the information of all programs may be exposed along with it.

Summary of the invention

The present invention provides an isolation dynamic protection method, apparatus, device and storage medium for an embedded system, to solve the technical problem in the prior art that the information of all programs is exposed together when the key configured for the programs as a whole is leaked.

In a first aspect, an embodiment of the present invention provides an isolation dynamic protection method for an embedded system, including:

loading the current program from the off-chip storage space, reading the key corresponding to the current program from the on-chip storage space, and updating the key to be read next time;

when data is written to the off-chip storage space through the current program, generating verification information according to the storage parameters of the data, where the storage parameters include the storage address information of the data in the off-chip storage space and the storage time information;

encrypting the verification information according to the key to obtain encrypted verification information, saving the encrypted verification information to the off-chip storage space, and saving the key and the storage time information to the verification area of the on-chip storage space;

when data is read from the off-chip storage space through the current program, reading the encrypted verification information corresponding to the data from the off-chip storage space;

reading the key and the storage time information from the verification area, and encrypting, according to the key, the storage address information obtained when reading the data and the storage time information that was read, to obtain reference verification information;

comparing the reference verification information with the encrypted verification information that was read, and confirming the security of the data according to the comparison result.

Further, the off-chip storage space includes a plurality of program spaces, and each program is stored as a whole in one program space;

the loading of the current program from the off-chip storage space, reading of the key corresponding to the current program from the on-chip storage space, and updating of the key to be read next time includes:

loading the current program from the off-chip storage space, and reading the key corresponding to the current program from the on-chip storage space according to the program identifier of the current program.

Further, the off-chip storage space includes a plurality of program spaces, and each program is stored as a whole in one program space;

the loading of the current program from the off-chip storage space, reading of the key corresponding to the current program from the on-chip storage space, and updating of the key to be read next time includes:

loading the current program from the off-chip storage space, and, according to the space identifier of the program space where the current program is located, reading from the on-chip storage space the key currently corresponding to that program space as the key corresponding to the current program.

Further, the on-chip storage space stores a plurality of keys;

the loading of the current program from the off-chip storage space, reading of the key corresponding to the current program from the on-chip storage space, and updating of the key to be read next time includes:

determining, according to a random algorithm, a key from the plurality of keys that is different from the key currently read, and updating the determined key as the key to be read next time.

Further, the on-chip storage space also stores, for each of the keys, the corresponding number of times of use;

the loading of the current program from the off-chip storage space, reading of the key corresponding to the current program from the on-chip storage space, and updating of the key to be read next time further includes:

updating the number of times of use.

Further, after the updating of the number of times of use, the method further includes:

when the number of times of use of the key reaches the preset service life, deleting the key and adding a new key that is different from the existing keys.

Further, after verification information is generated according to the storage parameters of the data when data is written to the off-chip storage space through the current program, the storage parameters including the storage address information of the data in the off-chip storage space and the storage time information, the method further includes:

encrypting the program storage information according to the key to obtain program verification information, saving the program verification information to the off-chip storage space, and saving the program storage information to the verification area;

correspondingly, before the loading of the current program from the off-chip storage space, reading of the key corresponding to the current program from the on-chip storage space, and updating of the key to be read next time, the method further includes:

reading the program verification information and the real-time storage information of the current program from the off-chip storage space, and reading the key and the program storage information from the verification area;

encrypting the real-time storage information and the program storage information respectively according to the key to obtain real-time verification information and original verification information;

confirming that the real-time verification information, the original verification information and the program verification information match exactly.

In a second aspect, an embodiment of the present invention provides an isolation dynamic protection apparatus for an embedded system, including:

a data loading unit, configured to load the current program from the off-chip storage space, read the key corresponding to the current program from the on-chip storage space, and update the key to be read next time;

a write initialization unit, configured to generate verification information according to the storage parameters of the data when data is written to the off-chip storage space through the current program, where the storage parameters include the storage address information of the data in the off-chip storage space and the storage time information;

a data writing unit, configured to encrypt the verification information according to the key to obtain encrypted verification information, save the encrypted verification information to the off-chip storage space, and save the key and the storage time information to the verification area of the on-chip storage space;

a data reading unit, configured to read the encrypted verification information corresponding to the data from the off-chip storage space when data is read from the off-chip storage space through the current program;

a verification initialization unit, configured to read the key and the storage time information from the verification area, and to encrypt, according to the key, the storage address information obtained when reading the data and the storage time information that was read, to obtain reference verification information;

a data comparison unit, configured to compare the reference verification information with the encrypted verification information that was read, and to confirm the security of the data according to the comparison result.

Further, the off-chip storage space includes a plurality of program spaces, and each program is stored as a whole in one program space;

the data loading unit includes:

a first loading module, configured to load the current program from the off-chip storage space, and to read the key corresponding to the current program from the on-chip storage space according to the program identifier of the current program.

Further, the off-chip storage space includes a plurality of program spaces, and each program is stored as a whole in one program space;

the data loading unit includes:

a second loading module, configured to load the current program from the off-chip storage space, and, according to the space identifier of the program space where the current program is located, to read from the on-chip storage space the key currently corresponding to that program space as the key corresponding to the current program.

Further, the on-chip storage space stores a plurality of keys;

the data loading unit includes:

a password update module, configured to determine, according to a random algorithm, a key from the plurality of keys that is different from the key currently read, and to update the determined key as the key to be read next time.

Further, the on-chip storage space also stores, for each of the keys, the corresponding number of times of use;

the data loading unit further includes:

a count update module, configured to update the number of times of use.

Further, the isolation dynamic protection apparatus for the embedded system further includes:

a key replacement unit, configured to delete the key and add a new key that is different from the existing keys when the number of times of use of the key reaches the preset service life.

Further, the isolation dynamic protection apparatus for the embedded system further includes:

a verification information generation unit, configured to encrypt the program storage information according to the key to obtain program verification information, save the program verification information to the off-chip storage space, and save the program storage information to the verification area;

correspondingly, the isolation dynamic protection apparatus for the embedded system further includes:

a program information reading unit, configured to read the program verification information and the real-time storage information of the current program from the off-chip storage space, and to read the key and the program storage information from the verification area;

a program information encryption unit, configured to encrypt the real-time storage information and the program storage information respectively according to the key to obtain real-time verification information and original verification information;

a program information verification unit, configured to confirm that the real-time verification information, the original verification information and the program verification information match exactly.

In a third aspect, an embodiment of the present invention further provides a computing device, including:

one or more processors;

a memory for storing one or more programs;

when the one or more programs are executed by the one or more processors, the computing device implements the isolation dynamic protection method for an embedded system according to any one of the first aspect.

In a fourth aspect, an embodiment of the present invention further provides a storage medium storing computer-executable instructions, where the computer-executable instructions, when executed by a computer processor, are used to perform the isolation dynamic protection method for an embedded system according to any one of the first aspect.

In the above isolation dynamic protection method, apparatus, device and storage medium for an embedded system, the current program is loaded from the off-chip storage space, the key corresponding to the current program is read from the on-chip storage space, and the key to be read next time is updated; when data is written to the off-chip storage space through the current program, verification information is generated according to the storage parameters of the data, where the storage parameters include the storage address information of the data in the off-chip storage space and the storage time information; the verification information is encrypted according to the key to obtain encrypted verification information, the encrypted verification information is saved to the off-chip storage space, and the key and the storage time information are saved to the verification area of the on-chip storage space; when data is read from the off-chip storage space through the current program, the encrypted verification information corresponding to the data is read from the off-chip storage space; the key and the storage time information are read from the verification area, and the storage address information obtained when reading the data and the storage time information that was read are encrypted according to the key to obtain reference verification information; the reference verification information is compared with the encrypted verification information that was read, and the security of the data is confirmed according to the comparison result. Through keys that are stored on-chip and dynamically configured for different programs, independent dynamic protection of the data processed by each program is achieved, avoiding the situation in which the leakage of one program's key leads to the leakage of all programs' information.

Description of the drawings

FIG. 1 is a flowchart of an isolation dynamic protection method for an embedded system according to Embodiment 1 of the present invention;

FIG. 2 is a schematic diagram of the key configuration of the isolation dynamic protection method for an embedded system according to Embodiment 1 of the present invention;

FIG. 3 is a schematic structural diagram of an isolation dynamic protection apparatus for an embedded system according to Embodiment 2 of the present invention;

FIG. 4 is a schematic structural diagram of a computing device according to Embodiment 3 of the present invention.

Detailed description

The present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are used to explain the present invention, not to limit it. It should also be noted that, for ease of description, the drawings show only the parts related to the present invention rather than the entire structure.

It should be noted that, due to space limitations, this specification does not exhaustively list all optional implementations. After reading this specification, those skilled in the art should be able to see that, as long as the technical features do not contradict each other, any combination of the technical features can constitute an optional implementation.

Each embodiment is described in detail below.

Embodiment 1

FIG. 1 is a flowchart of an isolation dynamic protection method for an embedded system according to Embodiment 1 of the present invention. The isolation dynamic protection method for an embedded system provided in the embodiment can be executed by various computing devices based on embedded systems. The computing device can be implemented in software and/or hardware, and can consist of two or more physical entities or of a single physical entity.

Referring to FIG. 1, the isolation dynamic protection method for an embedded system in Embodiment 1 of the present invention includes:

Step S110: Load the current program from the off-chip storage space, read the key corresponding to the current program from the on-chip storage space, and update the key to be read next time.

In devices based on embedded systems, the on-chip storage space is generally considered a trusted space, and the system as a whole can cope with attacks that occur off-chip and on the bus, protecting the confidentiality and integrity of the on-chip system's data. However, the storage and computing resources of an embedded system processor are limited by the hardware itself. Adding complicated security mechanisms to the embedded system processor would inevitably affect the basic functions of the whole embedded system and bring unnecessary hardware overhead, so the resources that the on-chip system spends outside its core business should be kept as small as possible. The off-chip storage space, by contrast, usually exchanges a large amount of data with the outside world, and because it is configured as readable and writable, it can be regarded as an untrusted space.

In this scheme, each program is stored as a whole in the off-chip storage space, and when a program needs to run, the current program is loaded from the off-chip storage space. To ensure the security of data in the untrusted space, this scheme dynamically assigns a key to the current program. The key is used to provide integrity protection for data written to and read from the untrusted space, so that tampering with the data in the off-chip storage space by an attack can be detected, which improves the security of the embedded system's data. Specifically, the key is stored in the on-chip storage space. Because the on-chip storage space is a trusted space, the security of the key itself is effectively ensured. In addition, the key corresponding to the current program changes dynamically: two successive runs of the same program correspond to different keys, which guarantees independent support for each data security requirement.

Step S120: When data is written to the off-chip storage space through the current program, generate verification information according to the storage parameters of the data, where the storage parameters include the storage address information of the data in the off-chip storage space and the storage time information.

While the program writes data to the off-chip storage space, the key information about the data storage needs to be obtained. This key information is usually unique and sensitive, and a malicious attack is very likely to cause it to change. This scheme therefore relies on the key information about the data storage to ensure the integrity and security of the data; in this scheme it is mainly the storage address information and the storage time information of the data.

Step S130: Encrypt the verification information according to the key to obtain encrypted verification information, save the encrypted verification information to the off-chip storage space, and save the key and the storage time information to the verification area of the on-chip storage space.

Encrypting the key information about the data storage with the key yields the encrypted verification information, which as a whole records the initial storage state. The encrypted verification information is saved to the off-chip storage space directly along with the data. At the same time, the storage time information and the key are saved to the verification area of the on-chip storage space for later comparison against the encrypted verification information.

Step S140: When data is read from the off-chip storage space through the current program, read the encrypted verification information corresponding to the data from the off-chip storage space.

Just as encrypted verification information is written when data is written to the off-chip storage space, the previously stored encrypted verification information is read when that data is read.

Step S150: Read the key and the storage time information from the verification area, and encrypt, according to the key, the storage address information obtained when reading the data and the storage time information that was read, to obtain reference verification information.

Step S160: Compare the reference verification information with the encrypted verification information that was read, and confirm the security of the data according to the comparison result.

Data in the on-chip storage space is considered trusted. For data in the off-chip storage space, if nothing has changed as the result of an attack, the storage address should still be the original storage address. The corresponding storage address information and the storage time information saved in the on-chip storage space are encrypted with the key to obtain the reference verification information. When all the information and the key are unchanged, the reference verification information and the encrypted verification information are exactly the same, and the security of the data can be confirmed accordingly. Conversely, if the reference verification information and the encrypted verification information are inconsistent, it can be confirmed that the data has changed because of a malicious attack, and the defense mechanism is triggered accordingly.

With this scheme, without substantially increasing the storage and processing burden on the on-chip storage space, each program is effectively guaranteed its own independent, dynamic key security mechanism, which effectively improves each program's ability to deal with malicious attacks. Even if the key of one program is leaked, the other programs will not be cracked along with it.

In a specific implementation, the off-chip storage space includes multiple program spaces, and each program is stored as a whole in one program space; step S110 may correspondingly include step S111:

Step S111: Load the current program from the off-chip storage space, and read the key corresponding to the current program from the on-chip storage space according to the program identifier of the current program.

In this embodiment each program is stored as a whole in one program space, and each program corresponds to a set of keys. The sets of keys corresponding to different programs may be the same, but each program uses and updates its keys in its own way. As shown in Figure 2, the off-chip storage space 100 has 5 program spaces, each holding one program, and all programs correspond to the same set of keys in the on-chip storage space 200. Over a recent period, the first, second and fourth of the 5 program spaces ran in turn as the current program, and their corresponding keys were the third, second and first keys of the set, respectively.

In another specific implementation, the off-chip storage space includes multiple program spaces, and each program is stored as a whole in one program space; step S110 may correspondingly include step S112:

Step S112: Load the current program from the off-chip storage space and, according to the space identifier of the program space where the current program is located, read the key currently corresponding to that program space from the on-chip storage space as the key corresponding to the current program.

In this embodiment each program space corresponds to a set of keys. When a program in a program space runs, the key corresponding to the current program is determined by that program space's overall key update process.

Regarding the keys, multiple keys may be stored in the on-chip storage space; step S110 may correspondingly include step S113:

Step S113: Using a random algorithm, select from the multiple keys a key different from the key currently read, and set the selected key as the key to be read next time.

Selecting the next key by a random algorithm is one optional implementation; in a specific implementation, keys may also be switched according to set rules.

This solution can also record the usage state of the keys, that is, the on-chip storage space also stores the usage count corresponding to each key; step S110 may correspondingly include step S114:

Step S114: Update the usage count.

Updating the usage count allows the usage of a key to be evaluated; further, the growth rate of the usage count can be used to judge whether an attack is causing an abnormal increase in the count.

On the basis of the recorded usage state, keys can also be replaced through step S115:

Step S115: When the usage count of the key reaches a preset service life, delete the key and add a new key that is different from the existing keys.

To ensure data security, keys can be deleted and added based on their usage counts, so that security does not degrade over a key's service life.
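The write and read checks of steps S110 to S160, together with the key selection, usage counting and retirement of steps S113 to S115, are sketched below as an added example; it is not code from the patent. The patent does not name a cipher, so HMAC-SHA256 stands in for "encrypt with the key"; the record identifier used to index the verification area, the dictionary standing in for off-chip storage, `KEY_LIFETIME`, and the `bind_data` option (which also covers the data bytes, beyond the two storage parameters the text names) are all assumptions.

```python
import hashlib
import hmac
import secrets
import struct

KEY_LIFETIME = 3  # assumed "preset service life": uses allowed per key


class TamperDetected(Exception):
    """Raised when reference and stored verification information differ."""


class OnChip:
    """Trusted on-chip storage: key set, use counts, next-key pointer, check area."""

    def __init__(self, n_keys=4):
        if n_keys < 2:
            raise ValueError("S113 needs at least two keys to choose a different one")
        self.keys = [secrets.token_bytes(32) for _ in range(n_keys)]
        self.uses = [0] * n_keys
        self.next_idx = 0
        self.check_area = {}  # hypothetical record id -> (key, storage time)

    def load_program_key(self):
        """S110 with S113-S115: read the key, count the use, retire, pick the next."""
        idx = self.next_idx
        key = self.keys[idx]
        self.uses[idx] += 1                         # S114: update usage count
        if self.uses[idx] >= KEY_LIFETIME:          # S115: retire and replace
            fresh = secrets.token_bytes(32)
            while fresh in self.keys:               # must differ from existing keys
                fresh = secrets.token_bytes(32)
            self.keys[idx], self.uses[idx] = fresh, 0
        others = [i for i in range(len(self.keys)) if i != idx]
        self.next_idx = secrets.choice(others)      # S113: random, different key
        return key


def check_tag(key, addr, store_time, data=b"", bind_data=False):
    """Keyed tag over the storage parameters (HMAC used as a stand-in)."""
    msg = struct.pack(">QQ", addr, store_time)
    if bind_data:                                   # assumption beyond the page
        msg += hashlib.sha256(data).digest()
    return hmac.new(key, msg, hashlib.sha256).digest()


def write(chip, flash, key, rec_id, addr, data, now, bind_data=False):
    """S120-S130: tag goes off-chip with the data; key and time stay on-chip."""
    flash[addr] = (rec_id, data, check_tag(key, addr, now, data, bind_data))
    chip.check_area[rec_id] = (key, now)


def read(chip, flash, addr, bind_data=False):
    """S140-S160: rebuild the reference tag from the address actually read."""
    rec_id, data, stored = flash[addr]
    key, store_time = chip.check_area[rec_id]
    reference = check_tag(key, addr, store_time, data, bind_data)
    if not hmac.compare_digest(reference, stored):
        raise TamperDetected(hex(addr))
    return data


def detects(chip, flash, addr, bind_data=False):
    try:
        read(chip, flash, addr, bind_data)
        return False
    except TamperDetected:
        return True


def demo():
    """Constructed records and constructed changes to the off-chip copy."""
    chip, flash = OnChip(), {}
    key = chip.load_program_key()
    write(chip, flash, key, 1, 0x1000, b"cfg=A", now=100)
    clean = read(chip, flash, 0x1000)
    flash[0x2000] = flash[0x1000]                   # record now at another address
    moved = detects(chip, flash, 0x2000)
    rec_id, _, tag = flash[0x1000]
    flash[0x1000] = (rec_id, b"cfg=B", tag)         # bytes changed in place
    changed_plain = detects(chip, flash, 0x1000)
    write(chip, flash, key, 2, 0x3000, b"cfg=A", now=101, bind_data=True)
    rec_id, _, tag = flash[0x3000]
    flash[0x3000] = (rec_id, b"cfg=B", tag)
    changed_bound = detects(chip, flash, 0x3000, bind_data=True)
    return clean, moved, changed_plain, changed_bound


if __name__ == "__main__":
    print(demo())
```

When the tag covers only the address and storage time, `demo()` reports the relocated record as detected and the in-place byte change as not detected; including the data in the tagged message (`bind_data=True`) makes the second case fail verification as well.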

Besides isolating and protecting data, the program itself can also be isolated and protected. Step S131 is added after step S130, and steps S101 to S103 are correspondingly added before step S110, which together implement isolation protection of the program itself:

Step S131: Encrypt the program storage information with the key to obtain program verification information, save the program verification information to the off-chip storage space, and save the program storage information to the verification area.

Step S101: Read the program verification information and the real-time storage information of the current program from the off-chip storage space, and read the key and the program storage information from the verification area.

Step S102: Encrypt the real-time storage information and the program storage information separately with the key to obtain real-time verification information and original verification information.

Step S103: Confirm that the real-time verification information, the original verification information and the program verification information match completely.

The verification process above is broadly the same as the data verification process, but the program itself has higher security requirements than the data, so a full match among the real-time verification information, the original verification information and the program verification information is required. The program loading and running process of this solution takes place only if step S103 confirms a complete match. If any one of them does not match, no subsequent data loading or data reading and writing takes place. In addition, if data verification fails during data reading or writing, no further processing takes place and the corresponding security mechanism is triggered. The specific strategy an embedded system uses to respond to malicious attacks is not the focus of protection of this solution and is not described further here.

In summary, the isolation dynamic protection method of an embedded system loads the current program from the off-chip storage space, reads the key corresponding to the current program from the on-chip storage space, and updates the key to be read next time; when the current program writes data to the off-chip storage space, generates verification information according to the storage parameters of the data, the storage parameters including the storage address information and storage time information of the data in the off-chip storage space; encrypts the verification information with the key to obtain encrypted verification information, saves the encrypted verification information to the off-chip storage space, and saves the key and the storage time information to the verification area of the on-chip storage space; when the current program reads data from the off-chip storage space, reads the encrypted verification information corresponding to that data from the off-chip storage space; reads the key and the storage time information from the verification area, and uses the key to encrypt the storage address information obtained when reading the data together with the storage time information that was read, to obtain reference verification information; and compares the reference verification information with the encrypted verification information that was read, confirming the security of the data according to the comparison result. With keys stored on-chip and dynamically configured per program, the data handled by each program is protected independently and dynamically, avoiding the situation where the leak of one program's key exposes the information of all programs.

Embodiment 2

FIG. 3 is a schematic structural diagram of an isolation dynamic protection device of an embedded system according to Embodiment 2 of the present invention. Referring to FIG. 3, the isolation dynamic protection device of the embedded system includes: a data loading unit 210, a write initialization unit 220, a data writing unit 230, a data reading unit 240, a verification initialization unit 250 and a data comparison unit 260.

The data loading unit 210 is used to load the current program from the off-chip storage space, read the key corresponding to the current program from the on-chip storage space, and update the key to be read next time. The write initialization unit 220 is used to generate verification information according to the storage parameters of the data when the current program writes data to the off-chip storage space, the storage parameters including the storage address information and storage time information of the data in the off-chip storage space. The data writing unit 230 is used to encrypt the verification information with the key to obtain encrypted verification information, save the encrypted verification information to the off-chip storage space, and save the key and the storage time information to the verification area of the on-chip storage space. The data reading unit 240 is used to read the encrypted verification information corresponding to the data from the off-chip storage space when the current program reads data from the off-chip storage space. The verification initialization unit 250 is used to read the key and the storage time information from the verification area, and to use the key to encrypt the storage address information obtained when reading the data together with the storage time information that was read, to obtain reference verification information. The data comparison unit 260 is used to compare the reference verification information with the encrypted verification information that was read, and confirm the security of the data according to the comparison result.

On the basis of the above embodiment, the off-chip storage space includes multiple program spaces, and each program is stored as a whole in one program space;

The data loading unit 210 includes:

A first loading module, used to load the current program from the off-chip storage space, and read the key corresponding to the current program from the on-chip storage space according to the program identifier of the current program.

On the basis of the above embodiment, the off-chip storage space includes multiple program spaces, and each program is stored as a whole in one program space;

The data loading unit 210 includes:

A second loading module, used to load the current program from the off-chip storage space and, according to the space identifier of the program space where the current program is located, read the key currently corresponding to that program space from the on-chip storage space as the key corresponding to the current program.

On the basis of the above embodiment, the on-chip storage space stores multiple keys;

The data loading unit 210 includes:

A key update module, used to select from the multiple keys, using a random algorithm, a key different from the key currently read, and to set the selected key as the key to be read next time.

On the basis of the above embodiment, the on-chip storage space also stores the usage count corresponding to each key;

The data loading unit 210 further includes:

A count update module, used to update the usage count.

On the basis of the above embodiment, the isolation dynamic protection device of the embedded system further includes:

A key replacement unit, used to delete the key and add a new key different from the existing keys when the usage count of the key reaches a preset service life.

On the basis of the above embodiment, the isolation dynamic protection device of the embedded system further includes:

A verification information generation unit, used to encrypt the program storage information with the key to obtain program verification information, save the program verification information to the off-chip storage space, and save the program storage information to the verification area;

Correspondingly, the isolation dynamic protection device of the embedded system further includes:

A program information reading unit, used to read the program verification information and the real-time storage information of the current program from the off-chip storage space, and to read the key and the program storage information from the verification area;

A program information encryption unit, used to encrypt the real-time storage information and the program storage information separately with the key to obtain real-time verification information and original verification information;

A program information verification unit, used to confirm that the real-time verification information, the original verification information and the program verification information match completely.

The isolation dynamic protection device of an embedded system provided by this embodiment of the present invention is contained in a computing device, can be used to execute any of the isolation dynamic protection methods of an embedded system provided in Embodiment 1 above, and has the corresponding functions and beneficial effects.

Embodiment 3

FIG. 4 is a schematic structural diagram of a computing device according to Embodiment 3 of the present invention. As shown in the figure, the computing device includes a processor 310 and a memory 320, and may also include an input device 330, an output device 340 and a communication device 350. The number of processors 310 in the computing device may be one or more; FIG. 4 takes one processor 310 as an example. The processor 310, memory 320, input device 330, output device 340 and communication device 350 in the computing device may be connected by a bus or by other means; FIG. 4 takes connection by a bus as an example.

As a computer-readable storage medium, the memory 320 can be used to store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the isolation dynamic protection method of an embedded system in the embodiments of the present invention (for example, the data loading unit 210, write initialization unit 220, data writing unit 230, data reading unit 240, verification initialization unit 250 and data comparison unit 260 in the isolation dynamic protection device of the embedded system). By running the software programs, instructions and modules stored in the memory 320, the processor 310 executes the various functional applications and data processing of the terminal device, that is, it implements the isolation dynamic protection method of an embedded system described above.

The memory 320 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created through use of the terminal device, and the like. In addition, the memory 320 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some instances, the memory 320 may further include memory located remotely from the processor 310, and this remote memory may be connected to the terminal device through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

The input device 330 may be used to receive input numeric or character information, and to generate key signal inputs related to user settings and function control of the terminal device. The output device 340 may include a display device such as a display screen.

The above terminal device contains the isolation dynamic protection device of an embedded system, can be used to execute any isolation dynamic protection method of an embedded system, and has the corresponding functions and beneficial effects.

Embodiment 4

An embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, it implements the relevant operations of the isolation dynamic protection method of an embedded system provided in any embodiment of the present application, and has the corresponding functions and beneficial effects.

Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system, or a computer program product.

Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code. The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams. These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, the instruction means implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams. These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory. The memory may include non-persistent memory, random access memory (RAM) and/or non-volatile memory among computer-readable media, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media include persistent and non-persistent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.

It should also be noted that the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element qualified by the phrase "including a..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.

Note that the above are only preferred embodiments of the present invention and the technical principles applied. Those skilled in the art will understand that the present invention is not limited to the specific embodiments described here, and that various obvious changes, readjustments and substitutions can be made by those skilled in the art without departing from the scope of protection of the present invention. Therefore, although the present invention has been described in some detail through the above embodiments, it is not limited to the above embodiments and may include further equivalent embodiments without departing from the concept of the present invention; the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. An isolation dynamic protection method of an embedded system, characterized by comprising:
loading the current program from the off-chip storage space, reading the key corresponding to the current program from the on-chip storage space, and updating the key to be read next time;
when data is written to the off-chip storage space through the current program, generating verification information according to the storage parameters of the data, the storage parameters including the storage address information and storage time information of the data in the off-chip storage space;
encrypting the verification information according to the key to obtain encrypted verification information, saving the encrypted verification information to the off-chip storage space, and saving the key and the storage time information to the verification area of the on-chip storage space;
when data is read from the off-chip storage space through the current program, reading the encrypted verification information corresponding to the data from the off-chip storage space;
reading the key and the storage time information from the verification area, and encrypting, according to the key, the storage address information obtained when reading the data and the storage time information that was read, to obtain reference verification information;
comparing the reference verification information with the encrypted verification information that was read, and confirming the security of the data according to the comparison result.

2. The isolation dynamic protection method of an embedded system according to claim 1, characterized in that the off-chip storage space comprises a plurality of program spaces, and the program is stored as a whole in one program space;
the loading of the current program from the off-chip storage space, reading of the key corresponding to the current program from the on-chip storage space, and updating of the key to be read next time comprises:
loading the current program from the off-chip storage space, and reading the key corresponding to the current program from the on-chip storage space according to the program identifier of the current program.

3. The isolation dynamic protection method of an embedded system according to claim 1, characterized in that the off-chip storage space comprises a plurality of program spaces, and the program is stored as a whole in one program space;
the loading of the current program from the off-chip storage space, reading of the key corresponding to the current program from the on-chip storage space, and updating of the key to be read next time comprises:
loading the current program from the off-chip storage space and, according to the space identifier of the program space where the current program is located, reading the key currently corresponding to that program space from the on-chip storage space as the key corresponding to the current program.

4. The isolation dynamic protection method of an embedded system according to any one of claims 1-3, characterized in that the on-chip storage space stores a plurality of keys;
the loading of the current program from the off-chip storage space, reading of the key corresponding to the current program from the on-chip storage space, and updating of the key to be read next time comprises:
selecting from the plurality of keys, according to a random algorithm, a key different from the key currently read, and setting the selected key as the key to be read next time.

5. The isolation dynamic protection method of an embedded system according to claim 4, characterized in that the on-chip storage space also stores the usage count corresponding to each key;
the loading of the current program from the off-chip storage space, reading of the key corresponding to the current program from the on-chip storage space, and updating of the key to be read next time further comprises:
updating the usage count.

6. The isolation dynamic protection method of an embedded system according to claim 5, characterized in that, after the updating of the usage count, the method further comprises:
when the usage count of the key reaches a preset service life, deleting the key and adding a new key different from the existing keys.

7. The isolation dynamic protection method of an embedded system according to claim 1, characterized in that, after the generating of verification information according to the storage parameters of the data when data is written to the off-chip storage space through the current program, the storage parameters including the storage address information and storage time information of the data in the off-chip storage space, the method further comprises:
encrypting the program storage information according to the key to obtain program verification information, saving the program verification information to the off-chip storage space, and saving the program storage information to the verification area;
correspondingly, before the loading of the current program from the off-chip storage space, reading of the key corresponding to the current program from the on-chip storage space, and updating of the key to be read next time, the method further comprises:
reading the program verification information and the real-time storage information of the current program from the off-chip storage space, and reading the key and the program storage information from the verification area;
encrypting the real-time storage information and the program storage information separately according to the key to obtain real-time verification information and original verification information;
confirming that the real-time verification information, the original verification information and the program verification information match completely.

8. An isolation dynamic protection device of an embedded system, characterized by comprising:
a data loading unit, used to load the current program from the off-chip storage space, read the key corresponding to the current program from the on-chip storage space, and update the key to be read next time;
a write initialization unit, used to generate verification information according to the storage parameters of the data when data is written to the off-chip storage space through the current program, the storage parameters including the storage address information and storage time information of the data in the off-chip storage space;
a data writing unit, used to encrypt the verification information according to the key to obtain encrypted verification information, save the encrypted verification information to the off-chip storage space, and save the key and the storage time information to the verification area of the on-chip storage space;
a data reading unit, used to read the encrypted verification information corresponding to the data from the off-chip storage space when data is read from the off-chip storage space through the current program;
a verification initialization unit, used to read the key and the storage time information from the verification area, and to encrypt, according to the key, the storage address information obtained when reading the data and the storage time information that was read, to obtain reference verification information;
a data comparison unit, used to compare the reference verification information with the read
encrypted verification information, and confirm the security of the data according to the comparison result. 9.一种计算设备,其特征在于,包括:9. A computing device, comprising: 一个或多个处理器;one or more processors; 存储器,用于存储一个或多个程序;memory for storing one or more programs; 当所述一个或多个程序被所述一个或多个处理器执行,使得所述计算设备实现如权利要求1-7任一所述的嵌入式系统的隔离动态保护方法。When the one or more programs are executed by the one or more processors, the computing device implements the isolation dynamic protection method for an embedded system according to any one of claims 1-7. 10.一种存储计算机可执行指令的存储介质,其特征在于,所述计算机可执行指令在由计算机处理器执行时用于执行如权利要求1-7任一项所述的嵌入式系统的隔离动态保护方法。10. A storage medium storing computer-executable instructions, wherein the computer-executable instructions, when executed by a computer processor, are used to perform the isolation of the embedded system according to any one of claims 1-7 Dynamic protection method.
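The key rotation of claims 4 to 6 and the write/read check of claim 8, modelled in Python as an added example; this is not code from the patent or its applicant. Assumptions: HMAC-SHA-256 stands in for the unspecified "encrypt" step, dictionaries stand in for the off-chip storage and the on-chip verification area (indexed by address here), and all names are hypothetical.

```python
import hashlib, hmac, secrets

class OnChip:
    """On-chip storage space: key pool, usage counts, verification area."""
    def __init__(self, n_keys=4, lifetime=3):
        self.keys = [secrets.token_bytes(32) for _ in range(n_keys)]
        self.uses = [0] * n_keys      # usage count per key (claim 5)
        self.lifetime = lifetime      # preset service life, in uses (claim 6)
        self.current = 0              # index of the key read at the next load
        self.check_area = {}          # addr -> (key, storage time); layout assumed

    def load_program(self):
        """Read the current key, count the use, choose a different next key."""
        idx = self.current
        key = self.keys[idx]
        self.uses[idx] += 1
        if self.uses[idx] >= self.lifetime:    # retire it, add a fresh distinct key
            fresh = secrets.token_bytes(32)
            while fresh in self.keys:
                fresh = secrets.token_bytes(32)
            self.keys[idx], self.uses[idx] = fresh, 0
        self.current = secrets.choice([i for i in range(len(self.keys)) if i != idx])
        return key

def tag(key, addr, store_time):
    # Keyed digest over address || storage time (assumed stand-in for "encrypt").
    msg = addr.to_bytes(8, "big") + store_time.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

def write(chip, flash, key, addr, data, now):
    flash[addr] = (data, tag(key, addr, now))  # off-chip: data + encrypted check info
    chip.check_area[addr] = (key, now)         # on-chip: key + storage time

def check_read(chip, flash, addr):
    """Recompute the reference tag from on-chip state and compare with off-chip."""
    key, store_time = chip.check_area[addr]
    return hmac.compare_digest(tag(key, addr, store_time), flash[addr][1])

def demo():
    chip, flash = OnChip(), {}                 # constructed sample state
    key = chip.load_program()
    write(chip, flash, key, 0x1000, b"cfg-v1", now=100)
    old = flash[0x1000]                        # copy of the first version
    write(chip, flash, key, 0x1000, b"cfg-v2", now=200)
    write(chip, flash, key, 0x2000, b"log", now=201)
    before = check_read(chip, flash, 0x1000)
    flash[0x1000] = flash[0x2000] = old        # stale block in place, and relocated
    return before, [check_read(chip, flash, a) for a in (0x1000, 0x2000)]
```

`demo()` returns `(True, [False, False])`: the current write verifies, while the stale block put back at its own address fails on the storage time and the same block copied to another address fails on the address.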
CN202210432725.2A 2022-04-24 2022-04-24 Isolation dynamic protection method, device, equipment and storage medium of embedded system Active CN114528603B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210432725.2A CN114528603B (en) 2022-04-24 2022-04-24 Isolation dynamic protection method, device, equipment and storage medium of embedded system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210432725.2A CN114528603B (en) 2022-04-24 2022-04-24 Isolation dynamic protection method, device, equipment and storage medium of embedded system

Publications (2)

Publication Number Publication Date
CN114528603A true CN114528603A (en) 2022-05-24
CN114528603B CN114528603B (en) 2022-07-15

Family

ID=81627990

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210432725.2A Active CN114528603B (en) 2022-04-24 2022-04-24 Isolation dynamic protection method, device, equipment and storage medium of embedded system

Country Status (1)

Country Link
CN (1) CN114528603B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115391845A (en) * 2022-10-28 2022-11-25 摩尔线程智能科技(北京)有限责任公司 Key management device and method
CN115408730A (en) * 2022-08-29 2022-11-29 南京芯驰半导体科技有限公司 Data processing method, chip, electronic device and storage medium
CN116028958A (en) * 2023-02-21 2023-04-28 广州万协通信息技术有限公司 Key encryption and decryption method and device, security machine and medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2415334A1 (en) * 2002-12-31 2004-06-30 Protexis Inc. System for persistently encrypting critical software data to control operation of an executable software program
US20100281273A1 (en) * 2009-01-16 2010-11-04 Lee Ruby B System and Method for Processor-Based Security
US20140189373A1 (en) * 2011-08-19 2014-07-03 Gemalto Sa Method for hard partitioning the resources of a secure computer system
US20160103994A1 (en) * 2014-10-08 2016-04-14 Nintendo Co., Ltd. Storage medium having stored therein boot program, information processing apparatus, information processing system, information processing method, semiconductor apparatus, and storage medium having stored therein program
CN106778291A (en) * 2016-11-22 2017-05-31 北京奇虎科技有限公司 The partition method and isolating device of application program
CN107220560A (en) * 2017-06-22 2017-09-29 北京航空航天大学 A kind of embedded system data completeness protection method expanded based on data buffer storage
CN109086612A (en) * 2018-07-06 2018-12-25 北京航空航天大学 One kind being based on hard-wired embedded system dynamic data guard method
CN111723383A (en) * 2019-03-22 2020-09-29 阿里巴巴集团控股有限公司 Data storage, verification method and device
CN113946375A (en) * 2021-10-19 2022-01-18 珠海全志科技股份有限公司 Rapid and safe starting method and device of embedded system and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
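Deng Chengfang (邓程方): "Research on Secure Processor Architecture Based on Stream Cipher", China Excellent Doctoral and Master's Dissertations Full-text Database (Master's), Information Science and Technology series *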

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115408730A (en) * 2022-08-29 2022-11-29 南京芯驰半导体科技有限公司 Data processing method, chip, electronic device and storage medium
CN115391845A (en) * 2022-10-28 2022-11-25 摩尔线程智能科技(北京)有限责任公司 Key management device and method
CN115391845B (en) * 2022-10-28 2023-01-06 摩尔线程智能科技(北京)有限责任公司 Key management device and method
CN116028958A (en) * 2023-02-21 2023-04-28 广州万协通信息技术有限公司 Key encryption and decryption method and device, security machine and medium
CN116028958B (en) * 2023-02-21 2024-04-12 广州万协通信息技术有限公司 Key encryption and decryption method and device, security machine and medium

Also Published As

Publication number Publication date
CN114528603B (en) 2022-07-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant