CN115422554B - Request processing method, compiling method and trusted computing system - Google Patents

Abstract

This specification provides a request processing method, compilation method, and trusted computing system based on a trusted security zone. The trusted security zone includes memory segments with the first security level and memory segments with the second security level. The memory segments with the first security level The segment includes a user data segment and a user program segment, the memory segment of the second security level includes a backup data segment and a reset program segment, and the legal access scope of the first security level includes at least a part of memory addresses in the memory segment of the first security level; The request processing method includes: in response to the task request, executing the trusted security area reset function in the reset program segment, and overwriting the memory backup stored in the backup data segment to the memory space corresponding to the legal access range of the first security level ; Execute the user target program compiled by the user source program in the user program segment, and the memory access instruction in the user source program is compiled into a safe memory access instruction whose corresponding memory access address belongs to the legal access range of the first security level.

Description

Request processing method, compiling method and trusted computing system

technical field

The embodiments of this specification belong to the field of computer technology, and in particular relate to a request processing method, a compiling method and a trusted computing system based on a trusted security zone.

Background technique

Trusted Execution Environment (TEE, Trusted Execution Environment) is a secure area within the CPU, which runs in an independent environment and runs in parallel with the operating system. With the help of hardware root of trust and fast memory encryption engine, TEE can provide an isolated memory area for data processing, called enclave (trusted security area), enclave can ensure that programs and data in it are not protected from privileges including operating system software, including any other software attacks, and ensure the confidentiality and integrity of programs running in the enclave through mechanisms such as memory encryption and remote certification.

In the scenario where the enclave is used as the task execution framework for trusted computing, the enclave runs user programs written by users and loaded into the enclave as execution components for trusted computing tasks. Every time the enclave receives a corresponding task request, it will After the enclave restarts, it invokes the user program to execute the trusted computing task corresponding to the task request. In related technologies, traditional hot or cold restarts are usually used to restart the enclave.

Although it is difficult for external programs to attack the enclave, user programs written by users and loaded into the enclave have broken through the defense line of the enclave and can attack from the inside. Therefore, if the execution of the enclave will continue to reuse the hot start of some components before restarting, although it can improve the efficiency of restarting the enclave, it may reuse some components that have been attacked, so that the enclave is still under attack. The security risks, especially when the hot start component itself is attacked, will make the enclave unable to get out of the attacked state and be completely controlled by the attacker; and if the cold start of reinitializing all components is performed on the enclave, although the hot start can be avoided For trusted computing service scenarios where most task requests require quick response, the long cold start time seriously affects the execution of trusted computing tasks efficiency.

Contents of the invention

The purpose of the present invention is to provide a request processing method, a compiling method and a trusted computing system based on a trusted security zone.

According to the first aspect of one or more embodiments of this specification, a request processing method based on a trusted security zone is proposed, and the trusted security zone includes a memory segment with a first security level and a memory segment with a second security level , wherein the memory segment of the first security level includes the user data segment and the user program segment, the memory segment of the second security level includes the backup data segment and the reset program segment, and the legal access range of the first security level includes the at least a portion of a memory address in a memory segment; the method comprising:

In response to the task request, execute the trusted security area reset function in the reset program segment, and overwrite the memory backup stored in the backup data segment to the memory space corresponding to the legal access range of the first security level, the The memory backup includes a user data segment backup for overwriting to the user data segment;

After the execution of the trusted security zone reset function is completed, the user target program compiled from the user source program in the user program segment is executed; wherein, the memory access instructions in the user source program are compiled into the user For the corresponding secure memory access instruction in the target program, the memory access address corresponding to the secure memory access instruction belongs to the legal access range of the first security level.

According to a second aspect of one or more embodiments of the present specification, a compiling method is provided, including:

Acquiring a user source program for execution in a trusted security zone, the trusted security zone includes a memory segment with a first security level and a memory segment with a second security level, wherein the memory segment with the first security level includes user data segment and user program segment, the memory segment of the second security level includes the backup data segment and the reset program segment, the legal access scope of the first security level includes at least a part of the memory address in the memory segment of the first security level, and the user program The memory access address corresponding to the secure memory access instruction in the segment belongs to the legal access range of the first security level;

compiling the user source program into a user target program, so that memory access instructions in the user source program are converted into corresponding safe memory access instructions in the user target program;

loading the user target program into the user program segment, so that the trusted security zone executes the user target program in the user program segment after reset in response to a task request; wherein, the user target program in the user program segment is executed; Resetting the trusted security zone includes: executing the trusted security zone reset function in the reset program segment, and overwriting the memory backup stored in the backup data segment to the memory space corresponding to the legal access range of the first security level , the memory backup includes a user data segment backup for overwriting to the user data segment.

According to a third aspect of one or more embodiments of the present specification, a request processing device based on a trusted security zone is proposed, the trusted security zone includes a memory segment with a first security level and a memory segment with a second security level , wherein the memory segment of the first security level includes the user data segment and the user program segment, the memory segment of the second security level includes the backup data segment and the reset program segment, and the legal access range of the first security level includes the at least a portion of memory addresses in a memory segment; said means comprising:

The reset unit is configured to execute the trusted security area reset function in the reset program segment in response to the task request, and cover the memory backup stored in the backup data segment to the legal access range corresponding to the first security level memory space, the memory backup includes a user data segment backup for covering to the user data segment;

The user target program execution unit is configured to execute the user target program compiled from the user source program in the user program segment after the execution of the trusted security zone reset function is completed; wherein, the memory in the user source program The access instruction is compiled into a corresponding secure memory access instruction in the user target program, and the memory access address corresponding to the secure memory access instruction belongs to the legal access range of the first security level.

According to a fourth aspect of one or more embodiments of the present specification, a compiling device is provided, including:

The user source program acquisition unit is configured to acquire the user source program for execution in the trusted security zone, the trusted security zone includes a memory segment with a first security level and a memory segment with a second security level, wherein the first security level The memory segment of the first security level includes the user data segment and the user program segment, the memory segment of the second security level includes the backup data segment and the reset program segment, and the legal access scope of the first security level includes at least a part of the memory segment of the first security level address, the memory access address corresponding to the secure memory access instruction in the user program segment belongs to the legal access range of the first security level;

a compiling unit, configured to compile the user source program into a user target program, so that memory access instructions in the user source program are converted into corresponding secure memory access instructions in the user target program;

a user target program loading unit, configured to load the user target program into the user program segment, so as to execute the user target in the user program segment after being reset by the trusted security zone in response to a task request program; wherein, resetting the trusted security zone includes: executing the trusted security zone reset function in the reset program segment, and overwriting the memory backup stored in the backup data segment to the first security level The memory space corresponding to the legal access range, the memory backup includes a user data segment backup used to overwrite the user data segment.

According to a fifth aspect of one or more embodiments of this specification, a trusted computing system is proposed, including a front-end trusted security zone and at least one back-end trusted security zone, wherein:

The front-end trusted security zone is used to receive the task request sent by the client, forward the task request to the corresponding back-end trusted security zone, and execute the task request returned by the back-end trusted security zone The result is sent to the client;

Any back-end trusted security zone is used to execute the method as described in any one of the first aspect when receiving the task request sent by the front-end trusted security zone, and execute the The execution result is returned to the front-end trusted security zone.

According to a sixth aspect of one or more embodiments of the present specification, an electronic device is provided, including:

processor;

memory for storing processor-executable instructions;

Wherein, the processor implements the method according to any one of the first aspect and the second aspect by running the executable instruction.

According to a seventh aspect of one or more embodiments of the present specification, a computer-readable storage medium is provided, on which computer instructions are stored, and when the instructions are executed by a processor, any one of the first aspect and the second aspect can be implemented. steps of the method described in the item.

The embodiment of this specification provides a security reset method for a trusted security zone, by dividing the trusted security zone into memory segments with different security levels, and placing the user target program compiled by the user source program written by the user in the first place. In the security level memory segment, after the memory access instruction in the user source program is compiled into the corresponding security memory access instruction in the user target program, the memory access address corresponding to the security memory access instruction belongs to the legal access range of the first security level , which makes the user target program only have access to the memory space of the legal access scope of the first security level, thereby preventing the user target program from doing evil, and destroying the trusted security zone from the inside by modifying the program or data in the memory segment of other security levels safety. For example, the user target program cannot modify the memory backup or trusted security zone reset function in the memory segment of the second security level, so it can ensure that the process of resetting the user data segment by using the trusted security zone reset function every time It will not be affected by the user target program already running in the trusted security zone, that is, components outside the legal access range of the first security level, including the reset function of the trusted security zone, can be in the trusted security zone Continuous reuse after zone reset. For the memory space corresponding to the legal access range of the first security level that can be accessed and modified by the user target program in the trusted security zone, this part of the memory space is backed up during the execution of the reset function of the trusted security zone. Overwriting means completely resetting the memory space corresponding to the legal access scope of the first security level. It is not difficult to find that the security reset method of the trusted security zone implemented in the embodiment of this specification is also a hot start method in essence. However, compared with the traditional hot start, the embodiment of this specification realizes only the traditional cold start. The effect of eliminating potential safety hazards can be achieved, thus taking into account both safety and efficiency. Specifically, since the memory segments of the second security level and above security level that are continuously reused cannot be attacked by user target programs, the security of the pre-reset components that are continuously multiplexed can be ensured, especially when performing reset The trusted enclave of the process resets the security of the function itself, which maintains the self-consistency of the system. At the same time, by completely resetting the memory space corresponding to the legal access range of the first security level with security risks, it can be ensured that the reset trusted security zone will not inherit the risks in the trusted security zone before reset, Even if the trusted security zone is attacked by the user's target program, it can escape from the attacked state.

Description of drawings

In order to more clearly illustrate the technical solutions of the embodiments of this specification, the following will briefly introduce the drawings that need to be used in the description of the embodiments. Obviously, the drawings in the following description are only some embodiments recorded in this specification. , for those skilled in the art, other drawings can also be obtained according to these drawings without paying creative labor.

Fig. 1 is a flowchart of a request processing method based on a trusted security zone provided by an exemplary embodiment.

Fig. 2 is a schematic diagram of a trusted security zone provided by an exemplary embodiment.

Fig. 3 is a schematic diagram of a trusted security zone after memory blocks are divided according to an exemplary embodiment.

Fig. 4 is a flowchart of a compiling method provided by an exemplary embodiment.

Fig. 5 is a schematic structural diagram of a device provided by an exemplary embodiment.

Fig. 6 is a block diagram of an apparatus for request processing based on a trusted security zone provided by an exemplary embodiment.

Fig. 7 is a block diagram of a compiling device provided by an exemplary embodiment.

Fig. 8 is a system architecture diagram of a trusted computing system provided by an exemplary embodiment.

Detailed ways

In order to enable those skilled in the art to better understand the technical solutions in this specification, the technical solutions in the embodiments of this specification will be clearly and completely described below in conjunction with the drawings in the embodiments of this specification. Obviously, the described The embodiments are only some of the embodiments in this specification, not all of them. Based on the embodiments in this specification, all other embodiments obtained by persons of ordinary skill in the art without creative efforts shall fall within the protection scope of this specification.

Please refer to FIG. 1 . FIG. 1 is a flowchart of a request processing method based on a trusted security zone provided by an exemplary embodiment. Fig. 2 is a schematic diagram of a trusted security zone provided by an exemplary embodiment. As shown in Fig. 2, the trusted security zone includes memory segments of the first security level and memory segments of the second security level, wherein, The memory segment of the first security level includes the user data segment and the user program segment, the memory segment of the second security level includes the backup data segment and the reset program segment, and the legal access scope of the first security level includes the memory segment of the first security level at least a part of the memory address; as shown in Figure 1, the method includes:

S102: In response to the task request, execute the trusted security area reset function in the reset program segment, overwrite the memory backup stored in the backup data segment to the memory space corresponding to the legal access range of the first security level, The memory backup includes a user data segment backup for overwriting to the user data segment.

In the embodiment of this specification, the programs in the trusted security zone include user target programs and system target programs, wherein the user target programs are compiled from user source programs, and the system target programs are compiled from system source programs. Since the user source program is a custom program written by the user, it will bring certain security risks to the trusted security zone after it is compiled into the user target program and loaded into the trusted security zone; in contrast, the system source program The program is written by the developer of the trusted security zone, and the system target program compiled by it theoretically has no security risk. Therefore, in order to avoid the security risk that the user target program may bring to the trusted security area, the embodiment of this specification adopts a security policy that divides the trusted security area into segments according to the security level. Programs in the program cannot access the memory space in the relatively higher security level memory segment, while programs in the high security level memory segment can access the memory space in the relatively lower security level memory segment. Under the guidance of this security policy, the user program segment used to load the user target program is set in the memory segment with the lowest security level (the first security level), and other system target programs and sensitive data segments are set in the memory segment. Relatively high security level memory segment, so that the user target program with security risks can only access part of the memory space in the first security level memory segment (called the legal access scope of the first security level). For example, the stack memory segment, the heap memory segment, and the user data segment in the memory segment of the first security level shown in Figure 2 can all be used normally by the user target program, but the user target program cannot normally access the All memory spaces outside the legal access range of the level, thus protecting the system target program and sensitive data segments from the attack of the user target program.

The system target program involved in the embodiment of this description includes a trusted security zone reset function for executing trusted security zone reset logic, and the trusted security zone reset function is specifically set in the memory segment of the second security level The reset program segment, which means that the trusted security zone reset function can normally access and modify the memory space in the memory segment of the first security level, so it will not affect the trusted security zone reset function for the first security level The normal implementation of the reset process of the memory space with security risks in the memory segment of the security level (that is, the memory space corresponding to the legal access scope of the first security level). Specifically, when the interface function of the trusted security zone (the interface function belongs to the system target program) receives a task request for executing a trusted computing task from outside the trusted security zone, it needs to first trigger the reset of the trusted The process of the security zone provides a clean task execution environment for subsequent trusted computing tasks. At this time, the interface function will call and execute the trusted security zone reset function in the reset program segment. During the execution of the trusted security area reset function, the memory backup stored in the backup data segment will be overwritten to the memory space corresponding to the legal access range of the first security level, so that the memory of the legal access range of the first security level The space is completely reset to the initial memory state when the user source program is compiled, completing the process of resetting the trusted security zone. The legal access scope of the first security level involved in the embodiment of this specification includes at least the user data segment in the memory segment of the first security level.

It should be noted that when the user source program is compiled into the user target program, it not only compiles the high-level/assembly language into machine language at the instruction level (the compiled machine code set constitutes the user target program), but also loads the user target program into To the user program segment, it is also necessary to apply for memory space to store the data variables involved in the program, that is, these data variables initialized or uninitialized after the user source program is compiled are stored in the user data segment in the memory segment of the first security level , and the user data segment backup used to overwrite the user data segment included in the memory backup involved in the embodiment of this specification includes the memory status of the user data segment when the user source program is compiled.

In the case that the legal access scope of the first security level also includes the user program segment in the memory segment of the first security level, the memory backup may also include a user program segment backup for overwriting to the user program segment, the user program The segment backup refers to the memory state of the user code segment when the user source program is compiled, that is, the user target program in the initial state obtained just after the compilation is completed. In the embodiment of this specification, because the user target program can access and modify the user program segment, it may modify its own code contained in it, which will bring a greater security risk. Therefore, when resetting the trusted security zone During the process, the backup of the user program segment can also be overwritten to the corresponding memory space of the user program segment, so that the user target program can be restored to the initial state just after compiling, so as to clear the possible security risks of the user program segment before resetting.

In addition, the memory backup involved in the embodiment of this specification also includes the memory status of the stack memory segment and the heap memory segment when the user source program is compiled, which is used to overwrite the current debt memory segment and heap memory segment during the reset process. heap memory segment. Usually, the memory state of the stack memory segment and the heap memory segment is empty when the user source program is compiled, so after executing the trusted security zone reset function and completing the process of resetting the trusted security zone, the stack memory segment and the heap memory segment are empty. The data in the heap memory segment will be cleared. The user data segment involved in the embodiment of this specification may include the data segment and the bss segment, wherein the initialized global variables corresponding to the compiled user source program are stored in the data segment, while the uninitialized global variables are stored in the bss segment paragraph.

In the embodiment of this specification, it also includes: in response to the backup request or in the case that the trusted security zone completes the cold start, executing the backup function of the trusted security zone in the reset program segment, setting the first security level to The data in the legal access range is stored in the backup data segment as the memory backup. As mentioned above, the memory backup stored in the backup data segment is specifically the initial memory state of the legally accessible memory space of the first security level when the user source program is compiled, and the memory backup is actually reset by executing the program segment The backup function in the trusted security zone is stored in the backup data segment. Specifically, when the interface program receives a backup request for calling the backup function of the trusted security zone from outside the trusted security zone, or the system startup program (belonging to the system target program) responds to the completion of the cold start of the trusted security zone When (cold start includes the process of compiling the user source program and the system source program into the user target program and the system target program and loading them into the trusted security zone), it will trigger the call and execute the trusted security zone backup function. During the execution of the trusted security zone backup function, the data in the legal access range of the first security level will be copied as the memory backup and stored in the backup data segment, so that the legal access of the current first security level The memory state of the scoped memory space is fully preserved for subsequent calls of the trusted enclave reset function.

In the embodiment of this specification, the overwriting of the memory backup stored in the backup data segment to the memory space corresponding to the legal access scope of the first security level includes: enabling the user authority hardware instruction, and passing the user authority hardware instruction The instruction redistributes the memory access authority for the memory space corresponding to the legal access range of the first security level; the memory backup stored in the backup data segment is overwritten to the memory space corresponding to the legal access range of the first security level, and after completion Disable the user privilege hardware instruction. The trusted security zone enclave involved in the embodiment of this specification is implemented based on the Intel SGX (Intel Software Guard Extensions, Intel Software Guard Extensions) technology stack. The user authority hardware instruction (ENCLU) involved in the embodiment of this specification specifically refers to the Intel SGX The native instruction defined in is used to modify the memory permissions of the trusted security zone. Since this command will affect the confidentiality of the trusted security zone, we do not want this command to be called arbitrarily unless necessary, especially if the This command is prohibited from being called by the user target program. When overwriting the memory backup to the memory space corresponding to the legal access scope of the first security level, it is necessary to call the user permission hardware instruction (such as the EMODPE instruction used to expand the existing memory range of the Enclave) due to the need to reassign the memory permission. Therefore, in In this case, we need to enable user permission hardware instructions in advance at the system level, so that the reset process of the trusted security zone can be implemented normally. After the reset of the trusted security zone is completed, in order to prevent the user target program from using the user authority hardware instruction to attack the trusted security zone, the user authority hardware instruction may be disabled after each reset of the trusted security zone. Specifically, by defining a global insurance value for whether to enable user permission hardware instructions in the trusted security zone reset function, add a global security value before the override reset logic of the trusted security zone reset function The logic that is set to the enabled state, and a logic that sets the global security value to the disabled state is added after the override reset logic of the trusted security zone reset function. In addition, it is also necessary to modify the calling conditions corresponding to each user authority hardware instruction, so that it can be executed normally when the global insurance value is enabled, and when the global insurance value is disabled, it is called case does not execute and returns an error.

In the embodiment of this specification, after the interface function receives the task request, it also checks whether there is a trusted computing task that has not been completed in the trusted security zone. If it does not exist, you can continue to call and execute the trusted security zone reset function. If it exists, you can wait until the currently executing trusted computing task is completed, and then call and execute the trusted security zone reset function, so that It can prevent that the trusted computing task being executed can be completely executed without being interrupted by the task request. In addition, in addition to triggering the call and executing the trusted security zone reset function in response to the task request, the interface program can also trigger the call and execute the Trusted security zone reset function, so that after receiving a new task request, it is not necessary to reset the trusted security zone again, but can directly call the user target program to execute the trusted computing task corresponding to the task request.

S104: After the execution of the trusted security zone reset function is completed, execute the user target program compiled from the user source program in the user program segment; wherein, the memory access instruction in the user source program is compiled into the The corresponding secure memory access instruction in the user target program, the memory access address corresponding to the secure memory access instruction belongs to the legal access range of the first security level.

In the embodiment of this specification, after the interface function receives the task request, it first calls and executes the trusted security zone reset function in the reset program segment, and then after further receiving the return value of the trusted security zone reset function, It can be determined that the execution of the trusted security zone reset function is completed, and then the trusted computing task corresponding to the task request can be started to be executed. Since the module that executes the trusted computing task is the user target program, the interface function can further call and execute the user target program in the user program segment. When calling, some necessary input parameters in the task request can be introduced into the user target as calling parameters The execution process of the program.

In the embodiment of this manual, "programs in memory segments with low security levels cannot access memory space in memory segments with relatively higher security levels, while programs in memory segments with high security levels can access relatively The security policy of "memory space in memory segment with lower security level" is actually implemented through compiler technology. For example, in order to make the user target program in the memory segment of the first security level only have access to the legal access range of the first security level, it is necessary to change the Instruction conversion rules in the traditional compilation process, so that the changed instruction conversion rules are used to guide the compilation of memory access instructions in the user source program into corresponding safe memory access instructions in the user target program, and ensure that the user target program The memory access address corresponding to the secure memory access instruction in belongs to the legal access scope of the first security level. As a result, all memory access operations (including read operations and write operations) in the user target program will be restricted within the legal access scope of the first security level, and cannot access the second security level and above The memory space corresponding to the memory segment of the security level. For another example, in order to ensure that the trusted security zone reset function in the memory segment of the second security level can complete the reset process during execution, it must be able to normally access the memory segment of the first security level. Therefore, in the process of compiling the system source program into the system target program, the traditional instruction conversion rules can also be changed through compiler technology, so that the changed instruction conversion rules are used to guide the compilation of memory access instructions in the system source program. It is the corresponding secure memory access instruction in the system target program, and ensure that the memory access address corresponding to the secure memory access instruction in the trusted security area reset function belongs to the legal access range of the second security level. Due to the legal access of the second security level The scope includes the memory segment of the first security level and the backup data segment, so the trusted security zone reset function can normally complete the process of resetting the trusted security zone.

A memory access instruction in the user source program is essentially a high-level/assembly language programming statement, and a safe memory access instruction in the user target program is essentially a machine code set composed of one or more machine codes. Taking the user source program as an assembly language as an example, if the instruction conversion rules in the traditional compilation process are followed, a memory access instruction in the user source program will be compiled into a machine code; According to the instruction transformation rules, a memory access instruction in the user source program will be compiled into a safe memory access instruction containing one or more machine codes, and the operation logic contained in the safe memory access instruction is the same as a machine code obtained through traditional compilation The implied operation logic is different, which is specifically reflected in the following: when the original access address corresponding to the memory access instruction does not belong to the legal access scope of the first security level, when it is compiled into a safe memory access instruction, its implied operation logic will be Changes occur, that is, the secure memory access instruction will no longer access the original access address, but access an address that belongs to the legal access range of the first security level. It is not difficult to find that through the changed instruction conversion rules involved in the embodiments of this specification, the operation logic contained in each compiled safe memory access instruction has undergone substantial changes compared with the pre-compiled memory access instruction. This change is the reason why the memory access address of the safe memory access instruction can be limited to a certain legal access range. Since there is a one-to-one correspondence between assembly instructions and machine codes, this means that if a secure memory access instruction contains multiple machine codes, multiple assembly instructions may be obtained when the secure memory access instruction is decompiled into assembly language, that is, implemented by compiling The method of changing the operation logic contained in the memory access instruction may specifically be realized through the operation logic contained in the memory access instruction. Through the compiling method involved in the embodiment of this manual, the risk of out-of-boundary access at the source code level of the user source program written by the user can be eliminated (out-of-boundary access risk refers to accessing memory space other than the specified legal access range), Purify the user source program with the risk of out-of-bounds access to the user target program without the risk of out-of-bounds access.

In the embodiment of the present specification, it further includes: in response to the task request, returning an execution result corresponding to the task request generated by executing the user target program to the initiator of the task request. After the user target program is executed, the interface program will receive the execution result returned by calling the user target program. The execution result is the execution result of the trusted computing task corresponding to the task request. At this time, the interface program can execute the The result is returned to the initiator corresponding to the task request outside the trusted security zone, and the trusted security zone has completed a whole process of completely executing the trusted computing task.

The embodiment of this specification provides a security reset method for a trusted security zone, by dividing the trusted security zone into memory segments with different security levels, and placing the user target program compiled by the user source program written by the user in the first place. In the security level memory segment, after the memory access instruction in the user source program is compiled into the corresponding security memory access instruction in the user target program, the memory access address corresponding to the security memory access instruction belongs to the legal access range of the first security level , which makes the user target program only have access to the memory space of the legal access scope of the first security level, thereby preventing the user target program from doing evil, and destroying the trusted security zone from the inside by modifying the program or data in the memory segment of other security levels safety. For example, the user target program cannot modify the memory backup or trusted security zone reset function in the memory segment of the second security level, so it can ensure that the process of resetting the user data segment by using the trusted security zone reset function every time It will not be affected by the user target program already running in the trusted security zone, that is, components outside the legal access range of the first security level, including the reset function of the trusted security zone, can be in the trusted security zone Continuous reuse after zone reset. For the memory space corresponding to the legal access range of the first security level that can be accessed and modified by the user target program in the trusted security zone, this part of the memory space is backed up during the execution of the reset function of the trusted security zone. Overwriting means completely resetting the memory space corresponding to the legal access scope of the first security level. It is not difficult to find that the security reset method of the trusted security zone implemented in the embodiment of this specification is also a hot start method in essence. However, compared with the traditional hot start, the embodiment of this specification realizes only the traditional cold start. The effect of eliminating potential safety hazards can be achieved, thus taking into account both safety and efficiency. Specifically, since the memory segments of the second security level and above security level that are continuously reused cannot be attacked by user target programs, the security of the pre-reset components that are continuously multiplexed can be ensured, especially when performing reset The trusted enclave of the process resets the security of the function itself, which maintains the self-consistency of the system. At the same time, by completely resetting the memory space corresponding to the legal access range of the first security level with security risks, it can be ensured that the reset trusted security zone will not inherit the risks in the trusted security zone before reset, Even if the trusted security zone is attacked by the user's target program, it can escape from the attacked state.

Optionally, the trusted security zone further includes a memory segment of a third security level, and the memory segment of the third security level includes a key data segment and a certification program segment, and the method further includes:

In response to the program certification request, execute the nested certification function in the certification program segment, sign the data to be certified based on the nested certification private key stored in the key data segment to generate a trusted program certification, and the certification data to be certified The data includes data in the user program segment and/or the reset program segment;

providing the trusted program certification to the initiator of the program certification request, and receiving the task request sent when the initiator confirms that the trusted program certification is verified.

In the embodiment of this specification, the trusted security zone also includes a memory segment with a third security level. The memory segment is loaded with a nested attestation function belonging to the system target program, and in order to ensure that the nested attestation function can normally implement the corresponding The nested certification process, the third security level low legal access range includes the key data segment and the memory segment of the first security level and the second security level. For any verifier outside the trusted security zone, it can verify the integrity of the program inside the trusted security zone by initiating a program certification request to the trusted security zone. For example, the initiator of the task request can also be the verifier at the same time After verifying the program integrity of the trusted security zone, a task request is initiated to the trusted security zone, so as to ensure that the trusted security zone can perform trusted computing tasks according to expectations. Specifically, before initiating the task request, the initiator of the task request may at first certify the request to the initiator of the trusted security zone. After the interface program in the trusted security zone accepts the program certification request, it calls and executes the nested certification function in the certification program segment, and after the nested certification function returns the corresponding trusted program certification, it provides the trusted program certification The initiator of the verification request to the program is also the initiator of the follow-up task request. The initiator of the program certification request initiates a task request to the trusted security zone under the condition that the trusted program certification is verified. When executed, the nested certification function is used to: sign the data to be certified based on the nested certification private key stored in the key data segment to generate a trusted program certificate, and return the trusted program certificate to the calling point. The data to be certified includes the data in the user program segment and/or the reset program segment, that is, the user target program and/or the reset function of the trusted security zone. The hash value corresponding to the target program and/or the trusted enclave reset function.

The initiator of the program certification request can verify the signature of the trusted program certification through the pre-published nested certification public key. After the signature verification is successful, it can be determined that the source of the trusted program certification is credible. Program integrity check, in the case that the hash value corresponding to the pre-disclosed user target program and/or trusted security zone reset function is consistent with the hash value contained in the data to be certified, confirm that the user The program running in the program segment and/or the reset segment has not been tampered with. At this time, the initiator of the program certification request initiates a task request to the trusted security zone, which can ensure that the process of resetting the trusted security zone corresponding to the trusted security task and the execution process of the user target program can be carried out in a standardized and expected manner.

In the traditional remote authentication mechanism, a trusted security zone (called QuotingEnclave) dedicated to signatures uses the CPU private key to sign all programs in the trusted security zone to be verified to generate trusted program certificates (called QuotingEnclave). Quote), since the verifier does not have the corresponding CPU public key and cannot verify the credible program certificate, it needs to transfer the credible program certificate to the remote authentication server for verification. If the verification of the program certification is successful, it can be determined that the source of the trusted program certification is credible, and the program integrity check is further performed to confirm that the program in the trusted security zone of the trusted program certification source has not been tampered with. However, in the embodiment of this specification, different from the traditional remote authentication mechanism, the nested certification function in the memory segment of the third security level in the trusted security zone is used to verify the first or second security zone in the trusted security zone itself. The program in the memory segment of the second security level is signed. Since the public key of the nested certificate can be disclosed, as the verifier, it can independently verify the credible program certificate without the support of a remote authentication server, which greatly improves The efficiency and cost of verifying the integrity of the program by the verifier.

In the embodiment of this specification, the nested certification private key is assigned to the key in the trusted security zone by the key management server after confirming that the trusted security zone has passed the remote authentication of the remote authentication server. key data segment. As mentioned above, the private key of the nested certificate is stored in the key data segment, and the private key can be verified by the key management server as the verification party through the traditional remote authentication mechanism, and the verification includes the nested certificate in the certificate memory segment. After the overall program integrity of the trusted security zone including the function is completed, the nested proof private key can be distributed to the trusted security zone, and the nested proof public key corresponding to the nested proof private key can be disclosed to the outside world for use in Complete the follow-up program integrity verification process based on the nested proof function.

In the embodiment of this specification, the trusted security zone includes memory segments with different security levels, and the different security levels include at least the first security level and the second security level, wherein the legal access scope of any security level includes all At least a part of the memory address in the memory segment of any security level mentioned above and the memory segment lower than the above-mentioned any security level;

The programs in the trusted security zone include the user target program and the system target program compiled from the system source program, the system target program is in the memory segment of the second security level and above, and the system The target program includes the trusted security zone reset function; the memory access instructions in the system source program are compiled into corresponding secure memory access instructions in the system target program, wherein the memory segment of any security level The memory access address corresponding to the secure memory access instruction in is within the legal access range of any security level.

Similar to the process of compiling the user source program into the user target program, the compiling method involved in the embodiment of this specification can also be used in the process of compiling the system source program into the system target program. Specifically, it compiles the memory access instructions in the system source program into corresponding safe memory access instructions in the system target program, and ensures that the memory access instructions in a certain system target program in any security level memory segment The memory access address corresponding to the secure memory access instruction belongs to the legal access range of any security level. Through the compiling method involved in the embodiment of this specification, the risk of out-of-bounds memory access of the system source program at the source code level can be eliminated, and the system source program with out-of-bounds memory access risk can be purified into a system target program without out-of-bounds memory access risk. Taking the trusted security zone shown in Figure 2 as an example, the secure memory access instructions contained in the trusted security zone reset function of the memory segment at the second security level in Figure 2 can only access the backup data segment and the first security level , and the secure memory access instructions included in the nested attestation function of the memory segment at the third security level can access the key data segment, the memory segment at the first security level, and the memory segment at the second security level.

In the embodiment of this specification, the trusted security zone defines a global legal access range, and the global legal access range is set to any The legal access range of a security level, otherwise it is set as the legal access range of the first security level; the memory access address corresponding to the secure memory access instruction in the memory segment of any security level belongs to the global legal access range. In the embodiment of this specification, a global legal access range is defined for the trusted security zone to limit the memory access addresses corresponding to all secure memory access instructions in the trusted security zone at the same time. The global legal access range is not a fixed value. Instead, corresponding changes can be made according to the running conditions of the programs in the trusted security zone, and the values that can be changed include the legal access scope of each security level. As mentioned above, the embodiment of this specification modifies the operation logic contained in the memory access instruction in the source program through the compilation process, so that the memory access address corresponding to the corresponding safe memory access instruction in the compiled target program is guided to the global legal access within range. However, after the target program is loaded into the trusted security zone, the access addresses corresponding to the security memory access instructions in the memory segments with different security levels may belong to different legal access ranges. It is intended to be loaded into memory segments with different security levels and implemented by setting different operation logics for security internal access instructions. In fact, during the compilation process, no matter whether it is the memory access instructions in the user source program or the system source program, they are finally processed according to the unified The instruction conversion rule converts the instructions into secure memory access instructions with the same operation logic, that is, the memory access addresses corresponding to all the secure memory access instructions loaded into the trusted security zone belong to the global legal access range. The reason why the access address corresponding to the secure memory access instruction in the memory segment of any security level belongs to the legal access range of any security level is that the xth security level memory When the program in the segment jumps to the memory segment of the yth security level, the global legal access range is set to the legal access range of the yth security level. Therefore, as long as the program running in the trusted security zone is under the legal call logic, it can be realized: although the operation logic implied by all secure memory access instructions is the same, the actual memory access address is limited to the global legal access range, However, the secure memory access instructions in memory segments of different security levels have actually different legal access ranges.

Through the embodiment of this specification, it is possible to restrict programs in memory segments of different security levels from jumping from memory segments with low security levels to high After the memory segment of the security level, the safe memory access instructions in the memory segment of the high security level cannot be normally executed due to the limitation of the memory access address. For example, after the user target program in the memory segment of the first security level jumps to an instruction in the memory segment of the second security level through illegal call logic such as a custom jump instruction, if no safe memory access instruction is encountered It will continue to execute normally (because there is no access to memory, it will not leak information or modify data, and the security risk is small), but if a secure memory access instruction is encountered, the global legal access scope at this time is still the first security level Therefore, although the secure memory access instruction executed at this time is located in the memory segment of the second security level, its actual memory access address will be limited to the global legal access range, that is, the legal access of the first security level. In the access range, so that after illegally jumping from the memory segment of the first security level to the memory segment of the second security level, the subsequent execution of the security memory access instruction still cannot affect the legal access range of the first security level memory space, thereby reducing the system security risk caused by illegal call logic.

In the embodiment of this specification, the legal call logic mainly refers to the call logic realized by the boundary modification function in the system target program. When a program in the trusted security zone needs to call the Especially when the called function in the memory segment with a higher security level), it is necessary to first call the boundary modification function through the Ecall instruction to realize the legal calling process. The boundary modification function is used to: change the global legal access range to the legal access range of the security level of the memory segment where the called function actually needs to be called and executed, and then call to the called function for execution. At the same time, after the called function is executed, the global legal access range will be restored to the value before modification, and it will jump to the call point of the boundary modification function to continue executing subsequent instructions.

Optionally, the memory address of the memory segment with a low security level is higher than that of the memory segment with a high security level, and the legal access range of any security level is an address range higher than the boundary address of any security level. The boundary address of the security level belongs to the memory segment of any security level, the global legal access range is higher than the boundary address stored in the boundary register, and the legal calling logic includes modifying the function through the boundary in the system target program Implemented calling logic;

Execute any system function belonging to the system target program and in the memory segment of any security level, including:

calling the boundary modifying function to modify the original boundary address stored in the boundary register to the boundary address of any security level;

Call and execute any of the system functions in the boundary modifying function, and modify the boundary address stored in the boundary register to the original boundary address after the execution of any of the system functions is completed.

The memory address of each memory segment in the trusted security zone shown in Figure 2 is getting higher and higher from bottom to top, so as to ensure that the memory address of the memory segment with a low security level is higher than that of the memory segment with a high security level, that is, the first security level The memory address of the memory segment of the second security level is higher than the memory address of the memory segment of the second security level, and the memory address of the memory segment of the second security level is higher than the memory address of the memory segment of the third security level. In the embodiment of this specification, the legal access range of different security levels is defined by setting boundary addresses of different security levels. Specifically, the legal access range of any security level is higher than the boundary address of any security level address range, so that the legal access range of any security level includes memory segments lower than any security level. At the same time, in order to make the legal access range of any security level include at least a part of memory addresses in the memory segment of any security level, it is necessary to ensure that the boundary address of any security level belongs to the memory segment of any security level and The memory space above this boundary address contains at least one data segment. In addition, the global legal access range is defined by the boundary address in the boundary register, specifically higher than the boundary address stored in the boundary register.

As mentioned above, before any system function that belongs to the system target program and is in the memory segment of any security level needs to be called, it needs to be called through legal call logic. That is to say, the boundary modification function is first called and executed, and the boundary modification function is used to: modify the original boundary address stored in the boundary register to the boundary address of any security level, and simultaneously call and execute the boundary modification function. Any system function, and after the execution of any system function, modify the boundary address stored in the boundary register to the original boundary address, so as to complete the legal call logic for any system function. Through the embodiment of this description, the system function called by legal call logic can be executed normally, but the system function called by illegal call logic other than legal call logic cannot be executed normally, thereby reducing the number of calls caused by illegal call logic. resulting in system security risks.

Optionally, the memory segment of any security level includes a corresponding data segment and a program segment whose memory address is lower than the data segment, and the boundary address of any security level is used to separate the memory segment of any security level The data segment and program segment in the segment. As a result, combined with the operation logic contained in the aforementioned secure memory access instructions, programs in program segments in memory segments of any security level cannot access and modify programs in their own program segments, thereby reducing the The system security risk caused by tampering with the program realizes the protection mechanism inside the memory segment of a certain security level. Taking Figure 2 as an example, the boundary address of the first security level is used to separate the user data segment and the user program segment in the memory segment of the first security level, thereby restricting the user target program from tampering itself; the boundary address of the second security level It is used to separate the backup data segment and the reset program segment in the memory segment of the second security level, thereby restricting the reset function of the trusted security zone from tampering with itself; the boundary address of the third security level is used to separate the memory segment of the third security level The key data segment and the proof program segment in the memory segment, thereby restricting the nested proof function from tampering with itself.

Optionally, the memory address of the memory segment with a low security level is higher than that of the memory segment with a high security level, and the legal access range of any security level is an address range higher than the boundary address of any security level. The boundary address of the security level belongs to the memory segment of any security level, and any secure memory access instruction in the memory segment of any security level is used for:

Subtracting the original access address corresponding to the memory access instruction compiled into any one of the safe memory access instructions from the boundary address stored in the boundary register, and storing the difference obtained in the offset register, in the boundary register The stored boundary address is the boundary address of any security level;

taking the absolute value of the difference stored in the offset register and the addend obtained by adding the boundary address stored in the boundary register as the memory access address corresponding to any secure memory access instruction, And access the memory based on the access address.

The embodiment of this specification introduces the specific operation logic contained in the secure memory access instruction, so we can analyze and obtain the instruction conversion rules of the compiling method involved in the embodiment of this specification. Taking the user source program as AT&T assembly language as an example, assuming that there is a memory access instruction "movq%rax, 0x (%rdx, %rcx, 3)" in the user source program, the operation logic contained in the memory access instruction is "will The value stored in the register rax is written to the memory space whose address is 0x (%rdx, %rcx, 3), because its corresponding access address 0x (%rdx, %rcx, 3) is uncertain during actual execution, If this instruction is executed directly, there will be a risk of out-of-bounds memory access. Therefore, in order to limit it to the legal access scope of the first security level, we can change the operation logic contained in it when compiling it into a safe memory access instruction as machine code, so that the operation logic is no longer directly accessing address 0x (%rdx, %rcx, 3), instead accessing a redirection address that is higher than the boundary address of the first security level. Specifically, if we decompile the safe memory access instructions compiled in this example, we can get the following assembly instruction set: "

leaq 0x(%rdx, %rcx, 3), %r14

subq %r15, %r14

shlq $1, %r14

shrq $1, %r14

movq %rax, (%r15, %r14, 1). "

Among them, the register r15 is the boundary register storing the boundary address, and the register r14 is the offset register.

Therefore, the operation logic contained in the above assembly instruction set is also the operation logic of the compiled secure memory access instruction, specifically "write address 0x (%rdx, %rcx, 3) into register r14, and write the address stored in register r14 The difference obtained by subtracting the value stored in r15 from the value stored in r14 is written into register r14, and the highest bit of the value stored in r14 is set to 0 (since the highest bit represents the sign, this operation is regarded as an absolute value), and the The value stored in register rax is written to address (%r15, %r14, 1), which is the sum of the value stored in r14 and the value stored in r15". It is not difficult to find that if the original access address 0x (%rdx, %rcx, 3) is higher than the boundary address, the memory access address corresponding to the final safe memory access instruction is consistent with the original access address; if the original access address is lower than the boundary register boundary address, the memory access address corresponding to the final safe memory access instruction is modified to a random address higher than the boundary address. Therefore, regardless of the original access address corresponding to the memory access instruction, the memory access address corresponding to the compiled secure memory access instruction is always higher than the boundary address in the boundary register, that is, the memory access address corresponding to the secure memory access instruction always belongs to the current The global legal access scope.

Optionally, the user target program is set to prohibit calling the boundary register and the offset register, and the boundary address stored in the boundary register can only be modified by executing the boundary modification function in the system target program . In order to ensure the effectiveness of safe memory access instructions, we need to ensure that the user target program cannot call the boundary register and the offset register, and at the same time provide the only legal channel for modifying the boundary address in the boundary register, thereby avoiding modifying the function through the boundary Modify the boundary address in the boundary register in other ways to ensure that the boundary address in the boundary register used to define the global legal access range will not be modified arbitrarily, so that the safe memory access instruction can reduce the risk of out-of-bounds memory access as expected.

Optionally, the boundary address of any security level is set as inaccessible. When dealing with the special case of the push instruction in the memory segment of any security level, since the execution of the push instruction will continuously reduce the memory access address pointed by the stack pointer, it is possible to access the boundary address lower than the boundary address of any security level Memory space, that is, there is a risk of crossing the legal access range of any security level. Therefore, the boundary address in any security level can be forcibly set to be inaccessible, thereby avoiding the out-of-bounds memory access caused by the push instruction risk.

Optionally, the trusted security zone is divided into a number of end-to-end connected memory blocks, the same secure memory access instruction is included in the same memory block, and the security jump point in the trusted security zone is the same as any memory block The starting address of the trusted security zone is aligned, and the safe jump point in the trusted security zone includes the starting address of the loop, the starting address of the conditional branch and the function starting address of the non-sensitive function;

The programs in the trusted security zone include the user target program and the system target program compiled from the system source program, the system target program is in the memory segment of the second security level and above, and the system The target program includes the trusted security zone reset function; the address jump instruction in the user source program is compiled into a corresponding safe address jump instruction in the user target program, and/or in the system source program The address jump instruction is compiled into a corresponding safe address jump instruction in the system target program, wherein the jump address corresponding to any safe address jump instruction is used for compiling into any safe address jump instruction The starting address of the memory block where the original jump address corresponding to the address jump instruction is located.

As mentioned above, a safe memory access instruction is actually a set of machine codes containing one or more machine codes, and only when it is completely executed can it avoid the risk of memory access out of bounds. However, an attacker can use the address jump instruction in the user target program or the system target program to skip the secure memory access instruction, or by simultaneously modifying the value of other registers and jumping to a machine code in the middle of the secure memory access instruction , so as to disrupt the execution of a complete secure memory access instruction, and even break through the effect of the secure memory access instruction to limit the memory access address, so that the attacker can access the memory space beyond the expected legal access range. In order to prevent attackers from partially or completely circumventing the effectiveness of secure memory access instructions through address jump instructions, the embodiment of this specification proposes another security strategy, which divides the trusted security zone into several first-connected The address space is called a memory block. The sizes of these memory blocks can be the same or different. Any secure memory access instruction is completely contained in a certain memory block. At the same time, all secure address jump instructions in the trusted security zone are specified. It can only jump to the start address of a certain memory block, but not directly to the inside of any memory block.

Through the above security strategy, any safe address jump instruction can always be unable to jump to a certain machine code in the middle of a certain safe memory access instruction, which means that an attacker cannot disturb any The complete execution of the safe memory access instruction, so that any safe memory access instruction must be able to achieve its expected effect of avoiding the risk of memory access out-of-bounds as long as it is executed, because the address jump instruction in the source program will always be compiled into the corresponding safe address jump instructions. Of course, this security policy cannot prevent an attacker from completely skipping a safe memory access instruction, but in this case there is actually no risk of memory out-of-bounds access.

Similar to the aforementioned compiling method, the embodiment of this specification also uses compiler technology to implement the above security policy. When compiling user source programs and/or system source programs, the compiler technology is used to change the instructions in the traditional compilation process. Conversion rules. In the process of compiling the user/system source program into the user/system target program, the changed instruction conversion rules are used to guide the compilation of address jump instructions in the user/system source program into the user/system target program The corresponding safe address jump instruction in the program, and ensure that the jump address corresponding to any safe address jump instruction in the user/system target program is an address jump instruction for compiling into any safe address jump instruction The starting address of the memory block where the corresponding original jump address is located. Through the compiling method involved in the embodiment of this specification, the jump interference risk of the user/system source program at the source code level can be eliminated (jump interference risk means that the safety memory access instruction is invalidated by jumping to the inside of the safety memory access instruction) , purify the user/system source program with the jump interference risk into the user/system target program without the jump interference risk.

Although the above security strategy can ensure that the user/system target program does not have the risk of jump interference, objectively, compared with the address jump instruction before compiling, the operation logic contained in the safe address jump instruction has changed, so that It cannot normally jump to the original jump address corresponding to the address jump instruction, but will be guided to jump to the start address of the memory block where the original jump address is located, which may cause the user/system target program to fail to complete Its normal execution flow. In order to prevent the above-mentioned security policy from affecting the normal execution flow of the user/system target program, we also align the security jump point in the trusted security zone with the starting address of any memory block, and the security jump point in the trusted security zone The safe jump point includes the starting address of the loop, the starting address of the conditional branch, and the function starting address of the non-sensitive function. Specifically, when the compiled user/system target program is loaded into the trusted security zone, the The safe jump point contained in the user/system target program is automatically aligned with the start address of the pre-divided memory block. The safe jump points in the trusted security zone refer to some jump points necessary to enable the user/system target program to execute normally. For example, for a loop logic, there must be a loop that is repeatedly jumped. For example, for a conditional branch logic, it will jump to different conditional branch start addresses under different conditions. For example, if you need to call a non-sensitive function by jumping, you must jump to The function start address of this insensitive function. Since all security jump points in the trusted security zone are aligned with the start addresses of the corresponding memory blocks in the trusted security zone, if you want to maintain the normal execution flow of the user/system target program, you only need to use the The safe address jump instruction of the starting address of a certain memory block can be realized, that is, under the alignment design of the safe jump point and the starting address of the memory block, the jump of the user/system source program at the source code level can be eliminated. While reducing the risk of interference, it does not affect the normal execution of user/system target programs.

In addition, in order to prevent the safe address jump instruction from directly jumping to the sensitive function or sensitive instruction for execution, it is also possible to set the starting address of any memory block not to be aligned with the starting address of the sensitive instruction or sensitive function. The sensitive instructions involved in the embodiments of this specification refer to instructions that may damage the security of the trusted security zone, such as the aforementioned user authorization hardware instructions. The sensitive functions involved in the embodiments of this specification refer to instructions that may damage the trusted security zone. A function that destroys the security of the zone, such as the aforementioned boundary modification function.

Fig. 3 is a schematic diagram of a trusted security zone after memory blocks are divided according to an exemplary embodiment. As shown in Figure 3, if the operation logic contained in the address jump instruction in the user/system source program is to jump to a certain address in the middle of memory block a, then the address jump instruction is passed through the compilation involved in this specification. The safe address jump instruction obtained by compiling the method is used during execution to: jump to the starting address of memory block a (the safe jump point of memory block a in the figure).

Optionally, any safe address jump instruction is used for:

performing an AND operation on the original jump address corresponding to the address jump instruction compiled into any safe address jump instruction and the alignment constant, and using the result of the AND operation as the jump address for jumping.

The embodiment of this specification introduces the specific operation logic contained in the safe address jump instruction, so we can analyze and obtain the instruction conversion rules of the compiling method involved in the embodiment of this specification. Taking the user source program in AT&T assembly language as an example, assuming that there is an address jump instruction "jmpq*%rax" in the user source program, the operation logic contained in the address jump instruction is "use the value stored in the register rax as a jump Address to jump", because its corresponding jump address *%rax is uncertain during actual execution, if this instruction is executed directly, there will be a risk of jump interference. Therefore, in order to ensure that we will not jump to the machine code in the middle of the safe address jump instruction, we can change the operation logic contained in it when compiling it into a safe address jump instruction as machine code, so that the operation logic is no longer direct Jump to address *%rax, but jump to the start address of a memory block adjacent to address *%rax. Specifically, if we decompile the safe address jump instruction compiled in this example, we can get the following assembly instruction set: "

andq%rax,0Xfffffffffffffe0

jmpq *%rax. "

Among them, 0Xfffffffffffffffe0 is an alignment constant, and the last five bits of the start address of each memory block are all 0, so the address space of each memory block is fixed at 32 bits (each memory block can hold up to 32 instructions).

Therefore, the operation logic contained in the above assembly instruction set is also the operation logic of the compiled safe address jump instruction, which is specifically "the start of a certain memory block obtained by ANDing the value stored in the register rax and the alignment constant 0Xfffffffffffffffe0 The address is stored in the register rax, and the value stored in the register rax is used as the jump address to jump." It is not difficult to find that if the original jump address is the start address of a certain memory block (due to the alignment design between the safe jump point and the start address of the memory block, it must be a certain memory block under the normal execution flow. Block start address), then the jump address corresponding to the final safe address jump instruction is consistent with the original jump address; if the original jump address is not the start address of a certain memory block (usually means that the program is evil), Then the jump address corresponding to the final safe address jump instruction is modified to the start address of the memory block where the original jump address is located. Therefore, no matter what the original jump address corresponding to the address jump instruction is, the jump address corresponding to the compiled safe address jump instruction is always absorbed to the start address of a certain memory block.

In addition, the ret instruction as the address jump instruction in the user/system source program also needs to undergo a similar compilation process, and the address jump instruction is compiled into a safe address jump instruction in the user/system target program to eliminate the corresponding jump Interference risk. The ret instruction is usually used to jump to the call point after the called function is executed. Usually, the address of the call point will be stored on the top of the stack. However, if the attacker modifies the address stored on the top of the stack during the execution of the called function value, it may cause the ret instruction to return to any memory address, bringing the risk of jump interference.

Assuming that there is an address jump instruction "retq" in the user source program, the operation logic contained in the address jump instruction is "jump the value stored on the top of the stack as the jump address", because its corresponding jump address is in The actual execution is uncertain, and if the instruction is executed directly, there will be a risk of jump interference. Therefore, in order to ensure that we will not jump to the machine code in the middle of the safe address jump instruction, we can change the operation logic contained in it when compiling it into a safe address jump instruction as machine code, so that the operation logic is no longer direct Jump to the value stored on the top of the stack as the original jump address, but instead jump to the start address of a memory block adjacent to the original jump address. Specifically, if we decompile the safe address jump instruction compiled in this example, we can get the following assembly instruction set: "

popq%r14

andq%r14,0Xfffffffffffffe0

jmpq *%r14. "

Among them, the register r14 is used as an offset register to store the above-mentioned difference, and it is also used to store the jump address here (since the instructions must be serially executed by the CPU, r14 as a CPU register can be reused in different instructions ), 0Xfffffffffffffffe0 is an alignment constant, and the last five bits of the start address of each memory block are all 0, so the address space of each memory block is a fixed 32bit.

Therefore, the operation logic contained in the above assembly instruction set is also the operation logic of the compiled safe address jump instruction. The constant 0Xfffffffffffffe0 and the start address of a certain memory block are stored in the register rax, and the value stored in the register rax is used as the jump address to jump." Similar to the foregoing description, no matter what the original jump address corresponding to the address jump instruction is, the jump address corresponding to the compiled safe address jump instruction is always absorbed to the start address of a certain memory block.

Optionally, any sensitive function in the system target program has a shutdown instruction inserted between the function start address in the memory block it occupies and the start address of the memory block, and the shutdown instruction is executed with to trigger a system shutdown. In the embodiment of the present specification, in order to avoid breaking the security of the system by jumping to the sensitive function through the aforementioned safe address jump instruction, any sensitive function can be set to be misaligned with the memory block where it is located. Specifically, a shutdown instruction can be inserted between the function start address in the memory block occupied by any sensitive function and the start address of the memory block, so that the start address of the memory block storing the sensitive function is aligned with the shutdown instruction In this way, even if the safe address jump instruction jumps to the memory block storing the sensitive function, it will be directed to the shutdown instruction first to trigger the system shutdown, ensuring that the sensitive function cannot be executed through the safe jump instruction. Maintenance system security. As shown in Figure 3, since memory block b and memory block c both need to store sensitive function a, the starting addresses of memory block b and memory block c are both aligned with the shutdown instruction, but not with sensitive function a, which ensures When jumping to the memory block b and the memory block c through the safe address jump instruction, it can only jump to the stop instruction thereon, thereby protecting the sensitive function a from being called by random jumping. It should be noted that the halt instruction can be regarded as a non-sensitive function, so it is also regarded as a type of safe jump point.

Optionally, in the case that any sensitive function occupies at least two memory blocks, any sensitive function in the at least two memory blocks is connected through a label jump instruction.

In the embodiment of this specification, jump instructions can be divided into address jump instructions and label jump instructions according to types, wherein the address jump instruction is an instruction to jump according to the jump address given in the instruction, such as "jmpq *%rax" refers to jumping to the memory space where the address stored in the register rax is located; and the label jump instruction is an instruction to directly jump according to the label given in the instruction, for example, "jmp L1" refers to jump To the memory space marked at the globally unique label L1. In the embodiment of this specification, the address jump instruction will be compiled into a safe jump instruction according to the above-mentioned changed instruction conversion rules, while the label jump instruction will be compiled according to the instruction conversion rules in the traditional compilation process, so its implied The operating logic will not change.

In the embodiment of this specification, the same sensitive function may contain a large number of instructions, so it may not be completely stored in the same memory block, and in the case of the same sensitive function occupying at least two memory blocks, because the instruction is running For sequential execution, the junction of two memory blocks will inevitably be separated by a shutdown instruction, which will cause sensitive functions to fail to execute normally. Based on this, we connect the same sensitive function stored in different memory blocks through label jump instructions, so that no matter how large the size of the sensitive function is, it can be executed normally without being interrupted by the stop instruction. As shown in Figure 3, sensitive function a needs to occupy memory block b and memory block c at the same time, but the stop instruction at the beginning of memory block c will block the normal execution of sensitive function a, so we pass the sensitive function stored in memory block b Add a label jump instruction at the end of the first part of a, and mark the label jumped by the label jump instruction as the starting address of the second part of the sensitive function a stored in the memory block c, so that the sensitive function After executing the first part, a jumps to the second part through the label jump instruction to continue execution, without affecting the normal execution flow of the sensitive function a.

Optionally, the start address of any memory block is aligned with the function start address of the corresponding security detection function, and the security detection function in any memory block is used to:

Determine the safety level of the jump point memory segment where the safety address jump instruction jumping to the safety detection function in any memory block is located;

When it is determined that the original jump address corresponding to the address jump instruction used to compile the safe address jump instruction or the start address of any memory block does not belong to the legal access range of the security level of the jump point memory segment In the case of , trigger system shutdown;

In the case of determining that the original jump address or the starting address of any memory block belongs to the legal access range of the security level of the jump point memory segment, execute the next instruction in sequence or jump to the original jump address.

The security detection function involved in the embodiment of this specification belongs to the non-sensitive function in the system target function, because it will be inserted into the beginning of each memory block and the user program segment may include one or more memory blocks, so the user program segment One or more safety detection functions will also be inserted into the user program segment, and the insertion process occurs during the process of loading the user target program into the user program segment, so that the user program segment is mixed with the user target program and the system target program. The security detection function can determine the security level of the jump point memory segment where the security address jump instruction of the security detection function in any memory block jumps to the security detection function through the value in the boundary register. Specifically, the The value in the boundary register is compared with the boundary addresses of different security levels, so that the security level of the compared boundary address is determined as the security level of the jump point memory segment. In order to enable the safety detection function to obtain the original jump address corresponding to the address jump instruction compiled as a safe address jump instruction to jump here, you can add a when compiling the address jump instruction into a safe address jump instruction Operation logic, so that the safe address jump instruction also includes the following operation logic: before performing the AND operation, the original jump address is pushed into the stack, so that the original jump address is reserved in the stack. During the execution of the security detection function, the original jump instruction can be obtained by popping the stack instruction. We can also set the boundary of the legal access range of any security level to be aligned with the boundary of the memory block, which means that any memory block will not cross the legal access range of different security levels, so as long as jump to any memory block If the start address does not cross the boundary, it means that jumping to any address in any memory block will not cross the boundary. Therefore, if the original jump address or the start address of any memory block is determined (the start address of any memory block is maintained within the safety detection function in any memory block without requiring Obtained elsewhere) belongs to the legal access range of the security level of the jump point memory segment (that is, the memory segment where the safety address jump instruction jumping to the safety detection function in any of the memory blocks is located) , it means that the jump is legal, and the next instruction can be executed sequentially or jump to the original jump address to continue execution; otherwise, it proves that the jump is illegal, and a stop instruction will be executed and the system will be stopped. The embodiment of this manual can completely eliminate the risk of out-of-bounds jumps caused by address jump instructions in the system, so that any program can not only access memory addresses outside its legal access range, but also cannot normally jump to its legal access range. external memory address.

In addition, in order to ensure that the normal execution of each user/system target program will not be interrupted by the safety detection function inserted in the memory block, it is possible to connect consecutive memory blocks through label jump instructions so that the user/system target program During the normal sequence execution of the program, the safety monitoring function is skipped, for example, a label jump instruction is inserted at the end of each memory block, and the label jumped by the label jump instruction is marked as the function of the safety detection function in the next memory block The address after the termination address.

In the embodiment of this specification, the user target program is obtained by compiling the user source program by an interpreter in the trusted security zone; or, the user target program is compiled by a trusted compilation platform from the user source program Obtained by compiling before running, the method also includes:

Acquire the user target program, and load the user target program into the user program segment when it is determined that the signature verification corresponding to the user target program provided by the trusted compilation platform is successful.

An interpreter is embedded in the trusted security zone to realize the function of compiling the user/system source program into a user/system target program. In this case, the trusted security zone can determine the compiled user target program. The compilation method involved in the example, so there is no need to further determine whether the user target program is credible. However, if it is in the AOT (Ahead-of-time, compiling before running) scenario, what the trusted security zone directly receives is the user target program, because it is impossible to determine whether the user target program uses the The compilation method involved, so its credibility needs to be verified before it can be loaded into the user program segment, so as to ensure the risk of out-of-bounds memory access and jump interference risks of the user target program loaded into the user program segment The risk has been eliminated.

The trusted security zone may verify the signature corresponding to the user target program provided by the trusted compilation platform by itself, or a trusted organization trusted by other trusted security zones may verify the signature provided by the trusted compilation platform. The signature corresponding to the user target program is verified, and then based on the trust of the trusted organization, the trusted security zone can load the user target program to the user program segment. Fig. 8 is a system architecture diagram of a trusted computing system provided by an exemplary embodiment. Taking Fig. 8 as an example, it is assumed that the back-end trusted security zone needs to load a user target program compiled by an external trusted compilation platform , then the signature corresponding to the user target program can be verified by the back-end trusted security zone itself, or it can be handed over to the front-end trusted security zone for signature verification, and then the front-end trusted security zone will be notified when the signature verification is successful. The end trusted security zone, the back-end trusted security zone can load the user target program into the user program segment based on the trust relationship with the front-end trusted security zone.

Please refer to FIG. 4 , which is a flow chart of a compiling method provided by an exemplary embodiment. As shown in Figure 1, the method includes:

S402: Obtain a user source program for execution in a trusted security zone, the trusted security zone includes a memory segment with a first security level and a memory segment with a second security level, wherein the memory segment with the first security level includes The user data segment and the user program segment, the memory segment of the second security level includes the backup data segment and the reset program segment, the legal access range of the first security level includes at least a part of memory addresses in the memory segment of the first security level, the The memory access address corresponding to the secure memory access instruction in the user program segment belongs to the legal access range of the first security level.

S404: Compile the user source program into a user object program, so that memory access instructions in the user source program are converted into corresponding secure memory access instructions in the user object program.

S406: Load the user target program into the user program segment, so that the trusted security zone executes the user target program in the user program segment after being reset in response to a task request; wherein, the user target program in the user program segment is executed; Resetting the trusted security zone includes: executing the trusted security zone reset function in the reset program segment, and overwriting the memory backup stored in the backup data segment to the legal access range corresponding to the first security level memory space, the memory backup includes a user data segment backup for overwriting to the user data segment.

The compiling method involved in the embodiment of this specification has been described in detail in the foregoing embodiments, and will not be repeated here. It should be noted that the compiling methods involved in the embodiments of this specification are also applicable to compiling a system source program into a system target program.

Through the compiling method involved in the embodiment of this specification, in conjunction with the memory architecture of the trusted security zone divided into memory segments with different security levels, the memory access instructions in the user source program can be converted into corresponding secure memory access instructions in the user target program , and the memory access address corresponding to the secure memory access instruction belongs to the legal access range of the first security level, thereby purifying the user source program with the risk of jump interference into the user target program without the risk of jump interference. At the same time, after compiling the user target program based on the above compilation method and loading it into the trusted security zone, supplemented by the design of memory segments with different security levels, a secure reset method for the trusted security zone can be realized. Traditional hot start, the safety reset method involved in the embodiment of this specification achieves the effect of eliminating potential safety hazards that can only be achieved by traditional cold start, thus taking into account both safety and efficiency.

Fig. 5 is a schematic structural diagram of a device provided by an exemplary embodiment. Please refer to FIG. 5 , at the hardware level, the device includes a processor 502 , an internal bus 504 , a network interface 506 , a memory 508 and a non-volatile memory 510 , and of course it may also include hardware required by other services. One or more embodiments of this specification may be implemented based on software, for example, the processor 502 reads a corresponding computer program from the non-volatile memory 510 into the memory 508 and executes it. Of course, in addition to software implementations, one or more embodiments of this specification do not exclude other implementations, such as logic devices or a combination of software and hardware, etc., that is to say, the execution subject of the following processing flow is not limited to each A logic unit, which can also be a hardware or logic device.

As shown in FIG. 6, FIG. 6 is a block diagram of an apparatus for processing a request based on a trusted security zone according to an exemplary embodiment of this specification. This apparatus can be applied to the device shown in FIG. 5 to implement this Specifications for technical solutions. The trusted security zone includes memory segments of the first security level and memory segments of the second security level, wherein the memory segments of the first security level include user data segments and user program segments, and the memory segments of the second security level include backup For the data segment and the reset program segment, the legal access scope of the first security level includes at least a part of memory addresses in the memory segment of the first security level; the device includes:

The reset unit 601 is configured to, in response to the task request, execute the trusted security area reset function in the reset program segment, and cover the memory backup stored in the backup data segment to the legal access range of the first security level Corresponding memory space, the memory backup includes user data segment backup for covering to the user data segment;

The user target program execution unit 602 is configured to execute the user target program compiled from the user source program in the user program segment after the execution of the trusted security zone reset function is completed; wherein, in the user source program The memory access instruction is compiled into a corresponding secure memory access instruction in the user target program, and the memory access address corresponding to the secure memory access instruction belongs to the legal access range of the first security level.

Optionally, the reset unit 601 is specifically used for:

Enable the user authority hardware instruction, and redistribute the memory access authority for the memory space corresponding to the legal access range of the first security level through the user authority hardware instruction;

Overwrite the memory backup stored in the backup data segment to the memory space corresponding to the legal access scope of the first security level, and disable the user permission hardware instruction after completion.

Optionally, the memory backup further includes user program segment backup for overwriting to the user program segment.

Optionally, also include:

The execution result returning unit 603 is configured to, in response to the task request, return an execution result corresponding to the task request generated by executing the user target program to the initiator of the task request.

Optionally, also include:

The backup unit 604 is configured to execute the backup function of the trusted security zone in the reset program segment in response to a backup request or when the trusted security zone has completed a cold start, and convert the legal access scope of the first security level to The data in is stored in the backup data segment as the memory backup.

Optionally, the trusted security zone is divided into a number of end-to-end connected memory blocks, the same secure memory access instruction is included in the same memory block, and the security jump point in the trusted security zone is the same as any memory block The starting address of the trusted security zone is aligned, and the safe jump point in the trusted security zone includes the starting address of the loop, the starting address of the conditional branch and the function starting address of the non-sensitive function;

The programs in the trusted security zone include the user target program and the system target program compiled from the system source program, the system target program is in the memory segment of the second security level and above, and the system The target program includes the trusted security zone reset function; the address jump instruction in the user source program is compiled into a corresponding safe address jump instruction in the user target program, and/or in the system source program The address jump instruction is compiled into a corresponding safe address jump instruction in the system target program, wherein the jump address corresponding to any safe address jump instruction is used for compiling into any safe address jump instruction The starting address of the memory block where the original jump address corresponding to the address jump instruction is located.

Optionally, any sensitive function in the system target program has a shutdown instruction inserted between the function start address in the memory block it occupies and the start address of the memory block, and the shutdown instruction is executed with to trigger a system shutdown.

Optionally, in the case that any sensitive function occupies at least two memory blocks, any sensitive function in the at least two memory blocks is connected through a label jump instruction.

Optionally, the start address of any memory block is aligned with the function start address of the corresponding security detection function, and the security detection function in any memory block is used to:

Determine the safety level of the jump point memory segment where the safety address jump instruction jumping to the safety detection function in any memory block is located;

When it is determined that the original jump address corresponding to the address jump instruction used to compile the safe address jump instruction or the start address of any memory block does not belong to the legal access range of the security level of the jump point memory segment In the case of , trigger system shutdown;

In the case of determining that the original jump address or the starting address of any memory block belongs to the legal access range of the security level of the jump point memory segment, execute the next instruction in sequence or jump to the original jump address.

Optionally, the trusted security zone further includes a memory segment of a third security level, the memory segment of the third security level includes a key data segment and a certification program segment, and the device further includes:

The nested certification unit 605 is configured to respond to the program certification request, execute the nested certification function in the certification program segment, and sign the data to be certified based on the nested certification private key stored in the key data segment to generate a valid letter program certification, the data to be certified includes the data in the user program segment and/or reset program segment;

providing the trusted program certification to the initiator of the program certification request, and receiving the task request sent when the initiator confirms that the trusted program certification is verified.

Optionally, the nested certification private key is allocated to the key data segment in the trusted security zone by the key management server after confirming that the trusted security zone has passed the remote authentication of the remote authentication server .

Optionally, the trusted security zone includes memory segments with different security levels, and the different security levels include at least a first security level and a second security level, wherein the legal access scope of any security level includes any of the At least a part of the memory address in the memory segment of the security level and the memory segment lower than any of the security levels;

The programs in the trusted security zone include the user target program and the system target program compiled from the system source program, the system target program is in the memory segment of the second security level and above, and the system The target program includes the trusted security zone reset function; the memory access instructions in the system source program are compiled into corresponding secure memory access instructions in the system target program, wherein the memory segment of any security level The memory access address corresponding to the secure memory access instruction in is within the legal access range of any security level.

Optionally, the memory address of the memory segment with a low security level is higher than that of the memory segment with a high security level, and the legal access range of any security level is an address range higher than the boundary address of any security level. The boundary address of the security level belongs to the memory segment of any security level, and any secure memory access instruction in the memory segment of any security level is used for:

Subtracting the original access address corresponding to the memory access instruction compiled into any one of the safe memory access instructions from the boundary address stored in the boundary register, and storing the difference obtained in the offset register, in the boundary register The stored boundary address is the boundary address of any security level;

taking the absolute value of the difference stored in the offset register and the addend obtained by adding the boundary address stored in the boundary register as the memory access address corresponding to any secure memory access instruction, And access the memory based on the access address.

Optionally, the user target program is set to prohibit calling the boundary register and the offset register, and the boundary address stored in the boundary register can only be modified by executing the boundary modification function in the system target program .

Optionally, the trusted security zone defines a global legal access range, and the global legal access range is set to any security level when jumping to the memory segment of any security level through legal call logic Otherwise, it is set as the legal access range of the first security level; the memory access address corresponding to the secure memory access instruction in the memory segment of any security level belongs to the global legal access range.

Optionally, the memory address of the memory segment with a low security level is higher than that of the memory segment with a high security level, and the legal access range of any security level is an address range higher than the boundary address of any security level. The boundary address of the security level belongs to the memory segment of any security level, the global legal access range is higher than the boundary address stored in the boundary register, and the legal calling logic includes modifying the function through the boundary in the system target program Implemented calling logic;

Execute any system function belonging to the system target program and in the memory segment of any security level, including:

calling the boundary modifying function to modify the original boundary address stored in the boundary register to the boundary address of any security level;

Call and execute any of the system functions in the boundary modifying function, and modify the boundary address stored in the boundary register to the original boundary address after the execution of any of the system functions is completed.

Optionally, the memory segment of any security level includes a corresponding data segment and a program segment whose memory address is lower than the data segment, and the boundary address of any security level is used to separate the memory segment of any security level The data segment and program segment in the segment.

Optionally, the boundary address of any security level is set as inaccessible.

Optionally, the user target program is obtained by compiling the user source program with an interpreter in the trusted security zone; or,

The user target program is obtained by compiling the user source program before running on a trusted compilation platform, and the device also includes:

The signature verification unit 606 is configured to acquire the user target program, and load the user target program to the user target program when it is determined that the signature verification corresponding to the user target program provided by the trusted compilation platform is successful. program segment.

As shown in FIG. 7 , FIG. 7 is a block diagram of a compiling device provided in this specification according to an exemplary embodiment. The device can be applied to the device shown in FIG. 5 to implement the technical solution of this specification. The devices include:

The user source program acquisition unit 701 is configured to acquire a user source program for execution in a trusted security zone, the trusted security zone includes a memory segment with a first security level and a memory segment with a second security level, wherein the first security level The memory segment of the first level includes the user data segment and the user program segment, the memory segment of the second security level includes the backup data segment and the reset program segment, and the legal access range of the first security level includes at least a part of the memory segment of the first security level memory address, the memory access address corresponding to the secure memory access instruction in the user program segment belongs to the legal access range of the first security level;

A compiling unit 702, configured to compile the user source program into a user target program, so that memory access instructions in the user source program are converted into corresponding secure memory access instructions in the user target program;

A user target program loading unit 703, configured to load the user target program into the user program segment, so as to execute the user program segment in the user program segment after being reset by the trusted security zone in response to a task request. The target program; wherein, resetting the trusted security zone includes: executing the trusted security zone reset function in the reset program segment, and overwriting the memory backup stored in the backup data segment to the first security zone The memory space corresponding to the legal access scope of the level, the memory backup includes the user data segment backup used to overwrite the user data segment.

The above-mentioned device embodiment corresponds to the foregoing method embodiment, and there is no essential difference. The foregoing descriptions for the embodiments shown in FIG. 1 and FIG. 4 are applicable to the embodiments shown in FIG. 6 and FIG. repeat.

As shown in FIG. 8 , FIG. 8 is a system architecture diagram of a trusted computing system provided in this specification according to an exemplary embodiment. The trusted computing system includes a front-end trusted security zone and at least one back-end trusted security zone, wherein:

The front-end trusted security zone is used to receive the task request sent by the client, forward the task request to the corresponding back-end trusted security zone, and execute the task request returned by the back-end trusted security zone The result is sent to the client;

Any back-end trusted security zone is used to execute the request processing method based on any of the aforementioned trusted security zones when receiving the task request sent by the front-end trusted security zone, and will execute the user target program generated The execution result of is returned to the front-end trusted security zone.

As shown in Figure 8, the front-end trusted security zone in the optional computing system does not need to undertake the function of performing trusted computing tasks, but only serves as a transfer station between the client and the back-end trusted security zone to truly perform trusted computing tasks. The functions of computing tasks are undertaken by multiple back-end trusted security zones. As a client outside the trusted computing system, it only establishes a trust relationship with the front-end trusted security zone and docks, without directly establishing a trust relationship with multiple back-end trusted security zones for performing different trusted computing tasks, thus improving At the same time, multiple back-end trusted security zones only need to establish a trust relationship with the front-end trusted security zone and do not need to directly establish trust relationships with different clients. Therefore, in The system level greatly reduces the maintenance cost of network connection and trust relationship.

When the back-end trusted security zone in the trusted computing system involved in the embodiment of this specification processes task requests, it completes the fast and safe restart process through the aforementioned request processing method based on the trusted security zone, and can respond quickly And execute the trusted computing task corresponding to the task request. At the same time, the security policy adopted by the back-end trusted security zone according to the security level can also ensure that the user target program used to execute the trusted computing task is difficult to destroy the trusted security from the inside. area security.

For the process of processing the task request in the back-end trusted security zone in the embodiment of this specification, please refer to the description of the previous embodiment, and details will not be repeated here.

In the 1990s, the improvement of a technology can be clearly distinguished as an improvement in hardware (for example, improvements in circuit structures such as diodes, transistors, switches, etc.) or improvements in software (improvement in method flow). However, with the development of technology, the improvement of many current method flows can be regarded as the direct improvement of the hardware circuit structure. Designers almost always get the corresponding hardware circuit structure by programming the improved method flow into the hardware circuit. Therefore, it cannot be said that the improvement of a method flow cannot be realized by hardware physical modules. For example, a programmable logic device (Programmable Logic Device, PLD) (such as a field programmable gate array (Field Programmable GateArray, FPGA)) is such an integrated circuit, the logic function of which is determined by the user programming of the device. It is programmed by the designer to "integrate" a digital system on a PLD, instead of asking a chip manufacturer to design and make a dedicated integrated circuit chip. Moreover, nowadays, instead of making integrated circuit chips by hand, this kind of programming is mostly realized by "logic compiler (logic compiler)" software, which is similar to the software compiler used when writing programs. The original code of the computer must also be written in a specific programming language, which is called a hardware description language (Hardware Description Language, HDL), and there is not only one kind of HDL, but many kinds, such as ABEL (Advanced Boolean Expression Language) , AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, RHDL (Ruby Hardware Description Language), etc., currently the most commonly used is VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. It should also be clear to those skilled in the art that only a little logical programming of the method flow in the above-mentioned hardware description languages and programming into an integrated circuit can easily obtain a hardware circuit for realizing the logic method flow.

The controller may be implemented in any suitable way, for example, the controller may take the form of a microprocessor or a processor and a computer readable medium storing computer readable program code (such as software or firmware) executable by the (micro)processor , logic gates, switches, Application Specific Integrated Circuits (ASICs), programmable logic controllers, and embedded microcontrollers, examples of controllers include but are not limited to the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicone Labs C8051F320, the memory controller can also be implemented as part of the control logic of the memory. Those skilled in the art also know that, in addition to realizing the controller in a purely computer-readable program code mode, it is entirely possible to make the controller use logic gates, switches, application-specific integrated circuits, programmable logic controllers, and embedded The same function can be realized in the form of a microcontroller or the like. Therefore, such a controller can be regarded as a hardware component, and the devices included in it for realizing various functions can also be regarded as structures within the hardware component. Or even, means for realizing various functions can be regarded as a structure within both a software module realizing a method and a hardware component.

The systems, devices, modules, or units described in the above embodiments can be specifically implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a server system. Of course, the present invention does not exclude that with the development of computer technology in the future, the computer that realizes the functions of the above embodiments may be, for example, a personal computer, a laptop computer, a vehicle-mounted human-computer interaction device, a cellular phone, a camera phone, a smart phone, a personal digital assistant , media players, navigation devices, email devices, game consoles, tablet computers, wearable devices, or any combination of these devices.

Although one or more embodiments of the present specification provide the operation steps of the method described in the embodiment or the flowchart, more or fewer operation steps may be included based on conventional or non-inventive means. The sequence of steps enumerated in the embodiments is only one of the execution sequences of many steps, and does not represent the only execution sequence. When executed by an actual device or terminal product, the methods shown in the embodiments or drawings can be executed sequentially or in parallel (such as a parallel processor or multi-thread processing environment, or even a distributed data processing environment). The term "comprising", "comprising" or any other variation thereof is intended to cover a non-exclusive inclusion such that a process, method, product, or apparatus comprising a set of elements includes not only those elements, but also other elements not expressly listed elements, or also elements inherent in such a process, method, product, or apparatus. Without further limitations, it is not excluded that there are additional identical or equivalent elements in a process, method, product or device comprising said elements. For example, if the words first, second, etc. are used, they are used to indicate names and do not indicate any specific order.

For the convenience of description, when describing the above devices, functions are divided into various modules and described separately. Of course, when implementing one or more of this specification, the functions of each module can be realized in the same or more software and/or hardware, and the modules that realize the same function can also be realized by a combination of multiple submodules or subunits, etc. . The device embodiments described above are only illustrative. For example, the division of the units is only a logical function division. In actual implementation, there may be other division methods. For example, multiple units or components can be combined or integrated. to another system, or some features may be ignored, or not implemented. In another point, the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, and the indirect coupling or communication connection of devices or units may be in electrical, mechanical or other forms.

The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and combinations of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a Means for realizing the functions specified in one or more steps of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart flow or flows and/or block diagram block or blocks.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

Memory may include non-permanent storage in computer readable media, in the form of random access memory (RAM) and/or nonvolatile memory such as read only memory (ROM) or flash RAM. Memory is an example of computer readable media.

Computer-readable media, including both permanent and non-permanent, removable and non-removable media, can be implemented by any method or technology for storage of information. Information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Flash memory or other memory technology, Compact Disc Read-Only Memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, Magnetic cassettes, magnetic tape magnetic disk storage, graphene storage or other magnetic storage devices or any other non-transmission medium that can be used to store information that can be accessed by computing devices. As defined herein, computer-readable media excludes transitory computer-readable media, such as modulated data signals and carrier waves.

Those skilled in the art should understand that one or more embodiments of this specification may be provided as a method, system or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may employ a computer program embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein. The form of the product.

One or more embodiments of this specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the present specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including storage devices.

Each embodiment in this specification is described in a progressive manner, the same and similar parts of each embodiment can be referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, for the system embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and for relevant parts, refer to part of the description of the method embodiment. In the description of this specification, descriptions referring to the terms "one embodiment", "some embodiments", "example", "specific examples", or "some examples" mean that specific features described in connection with the embodiment or example , structures, materials or features are included in at least one embodiment or example of this specification. In this specification, the schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the described specific features, structures, materials or characteristics may be combined in any suitable manner in any one or more embodiments or examples. In addition, those skilled in the art can combine and combine different embodiments or examples and features of different embodiments or examples described in this specification without conflicting with each other.

The above description is only an example of one or more embodiments of this specification, and is not intended to limit one or more embodiments of this specification. For those skilled in the art, various modifications and changes may occur in one or more embodiments of this description. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of this specification shall be included in the scope of the claims.

Claims (25)

1. A request processing method based on a trusted security zone comprises a memory segment with a first security level and a memory segment with a second security level, wherein the memory segment with the first security level comprises a user data segment and a user program segment, the memory segment with the second security level comprises a backup data segment and a reset program segment, and a legal access range of the first security level comprises at least one part of memory addresses in the memory segment with the first security level; the method comprises the following steps:

responding to a task request, executing a trusted security zone reset function in the reset program segment, and covering a memory backup stored in the backup data segment to a memory space corresponding to a legal access range of a first security level, wherein the memory backup comprises a user data segment backup covered to the user data segment;

after the execution of the reset function of the trusted safe area is finished, executing a user target program compiled by a user source program in the user program section; and compiling a memory access instruction in the user source program into a corresponding safe memory access instruction in the user target program, wherein a memory access address corresponding to the safe memory access instruction belongs to a legal access range of a first safety level.

2. The method of claim 1, wherein the overwriting the memory backup stored in the backup data segment to a memory space corresponding to a legal access range of a first security level comprises:

starting a user authority hardware instruction, and reallocating memory access authority to the memory space corresponding to the legal access range of the first security level through the user authority hardware instruction;

and covering the memory backup stored in the backup data segment to a memory space corresponding to a legal access range of a first security level, and forbidding the user authority hardware instruction after the memory backup is completed.

3. The method of claim 1, the memory backup further comprising a user program segment backup for overwriting the user program segment.

4. The method of claim 1, further comprising:

and responding to the task request, and returning an execution result corresponding to the task request generated by executing the user target program to an initiator of the task request.

5. The method of claim 1, further comprising:

and responding to a backup request or under the condition that the trusted security zone finishes cold start, executing a trusted security zone backup function in the reset program segment, and storing data in a legal access range of a first security level as the memory backup to the backup data segment.

6. The method according to claim 1, wherein the trusted security zone is divided into a plurality of memory blocks connected end to end, the same secure memory access instruction is contained in the same memory block, a security jump point in the trusted security zone is aligned with a start address of any memory block, the security jump point in the trusted security zone includes a loop start address, a conditional branch start address, and a function start address of a non-sensitive function, the trusted security zone includes memory segments of different security levels, the different security levels include at least a first security level and a second security level, wherein an mth security level is higher than an nth security level, and is a positive integer and m > n;

the programs in the trusted security zone comprise the user object program and a system object program compiled from a system source program, the system object program is positioned in a memory segment with a second security level and above, and the system object program comprises a trusted security zone reset function; and compiling the address jump instruction in the user source program into a corresponding safe address jump instruction in the user target program, and/or compiling the address jump instruction in the system source program into a corresponding safe address jump instruction in the system target program, wherein the jump address corresponding to any safe address jump instruction is a starting address of a memory block where an original jump address corresponding to the address jump instruction compiled into any safe address jump instruction is located.

7. The method according to claim 6, wherein any sensitive function in the system object program inserts a halt instruction between a function start address in a memory block occupied by the sensitive function and a start address of the memory block, and the halt instruction is used for triggering system halt when executed.

8. The method according to claim 7, wherein, when at least two memory blocks are occupied by any sensitive function, any sensitive function in the at least two memory blocks is connected by a tag jump instruction.

9. The method according to claim 6, wherein a start address of any memory block is aligned with a function start address of a corresponding security detection function, and the security detection function in any memory block is configured to, when executed:

determining the security level of a jump point memory segment where a security address jump instruction jumping to a security detection function in any memory block is located;

under the condition that the original jump address corresponding to the address jump instruction used for compiling the safe address jump instruction or the starting address of any memory block does not belong to the legal access range of the safety level of the jump point memory segment, triggering the system to stop;

and under the condition that the original jump address or the starting address of any memory block is determined to belong to a legal access range of the security level of the memory segment of the jump point, sequentially executing a next instruction or jumping to the original jump address.

10. The method of claim 1, the trusted secure zone further comprising a memory segment of a third security level, the memory segment of the third security level comprising a key data segment and an attestation program segment, the method further comprising:

executing a nested certification function in the certification program segment in response to a program certification request, and signing to-be-certified data based on a nested certification private key stored in the key data segment to generate a trusted program certification, wherein the to-be-certified data comprises data in the user program segment and/or the reset program segment;

providing the trusted program attestation to an initiator of the program attestation request, and receiving the task request sent if the initiator confirms that the trusted program attestation verifies.

11. The method of claim 10, the nested proof private key being assigned to the key data segment in the trusted secure zone by a key management server upon confirmation that the trusted secure zone is remotely authenticated by a remote authentication server.

12. The method according to claim 1 or 10, wherein the trusted secure zone comprises memory segments of different security levels, the different security levels comprising at least a first security level and a second security level, wherein a legal access range of any security level comprises at least a part of memory addresses in the memory segment of any security level and memory segments lower than any security level, and the m security level is higher than the n security level, is a positive integer and m > n;

the program in the trusted security zone comprises the user target program and a system target program obtained by compiling a system source program, the system target program is in a memory segment with a second security level and above, and the system target program comprises a trusted security zone reset function; and compiling the memory access instruction in the system source program into a corresponding safe memory access instruction in the system target program, wherein the memory access address corresponding to the safe memory access instruction in the memory segment of any safety level belongs to the legal access range of any safety level.

13. The method of claim 12, wherein the memory address of the memory segment with the low security level is higher than the memory segment with the high security level, the legal access range of any security level is an address range higher than the boundary address of any security level, the boundary address of any security level belongs to the memory segment with any security level, and any secure memory access instruction in the memory segment with any security level is used for:

subtracting an original access address corresponding to a memory access instruction used for being compiled into any one of the secure memory access instructions from a boundary address stored in a boundary register, and storing an obtained difference value into an offset register, wherein the boundary address stored in the boundary register is the boundary address of any one of the secure levels;

and taking the addend obtained by adding the absolute difference value stored in the offset register and the boundary address stored in the boundary register as the access address corresponding to any one of the secure memory access instructions, and accessing the memory based on the access address.

14. The method of claim 13, the user object program being arranged to disable invocation of the bound register and the offset register, the bound address stored in the bound register being modifiable only by execution of a bound-modifying function in the system object program.

15. The method according to claim 12, wherein the trusted security zone defines a global legal access scope, and the global legal access scope is set as a legal access scope of any security level when jumping to the memory segment of any security level through legal call logic, otherwise, is set as a legal access scope of a first security level; and the memory access address corresponding to the secure memory access instruction in the memory segment with any security level belongs to the global legal access range.

16. The method of claim 15, wherein the memory address of the memory segment with low security level is higher than that of the memory segment with high security level, the legal access range of any security level is the address range of the boundary address higher than any security level, the boundary address of any security level belongs to the memory segment with any security level, the global legal access range is the boundary address stored in the boundary register, and the legal call logic comprises the call logic realized by the boundary modification function in the system target program;

executing any system function belonging to the system target program and in the memory segment of any security level, including:

calling the boundary modification function to modify the original boundary address stored in the boundary register into the boundary address of any security level;

and calling and executing any system function in the boundary modification function, and modifying the boundary address stored in the boundary register into the primary boundary address after the execution of any system function is completed.

17. The method of claim 16, wherein the memory segment of any security level comprises a corresponding data segment and a program segment having a lower memory address than the data segment, and the boundary address of any security level is used to separate the data segment from the program segment in the memory segment of any security level.

18. The method of claim 16, wherein the boundary address of any security level is set to be inaccessible.

19. The method of claim 1, the user target program being compiled from the user source program by an interpreter in the trusted secure zone; or,

the user target program is obtained by compiling the user source program before running through a trusted compiling platform, and the method further comprises the following steps:

and acquiring the user target program, and loading the user target program to the user program section under the condition that the signature verification corresponding to the user target program provided by the trusted compiling platform is determined to be successful.

20. A compilation method comprising:

the method comprises the steps that a user source program executed in a trusted security zone is obtained, wherein the trusted security zone comprises a memory segment with a first security level and a memory segment with a second security level, the memory segment with the first security level comprises a user data segment and a user program segment, the memory segment with the second security level comprises a backup data segment and a reset program segment, the legal access range of the first security level comprises at least one part of memory addresses in the memory segment with the first security level, and the access address corresponding to a security memory access instruction in the user program segment belongs to the legal access range of the first security level;

compiling the user source program into a user target program so as to convert a memory access instruction in the user source program into a corresponding safe memory access instruction in the user target program;

loading the user target program to the user program segment to execute the user target program in the user program segment after the trusted secure zone is reset in response to a task request; wherein resetting the trusted secure zone comprises: and executing a trusted security zone reset function in the reset program segment, and covering the memory backup stored in the backup data segment to a memory space corresponding to a legal access range of a first security level, wherein the memory backup comprises a user data segment backup used for covering the user data segment.

21. A request processing device based on a trusted security zone, wherein the trusted security zone comprises a memory segment with a first security level and a memory segment with a second security level, the memory segment with the first security level comprises a user data segment and a user program segment, the memory segment with the second security level comprises a backup data segment and a reset program segment, and a legal access range of the first security level comprises at least one part of memory addresses in the memory segment with the first security level; the device comprises:

a resetting unit, configured to execute a trusted security region resetting function in the resetting program segment in response to a task request, and cover a memory backup stored in the backup data segment to a memory space corresponding to a legal access range of a first security level, where the memory backup includes a user data segment backup for covering the user data segment;

the user target program execution unit is used for executing a user target program obtained by compiling a user source program in the user program segment after the execution of the reset function of the trusted security zone is finished; and compiling a memory access instruction in the user source program into a corresponding safe memory access instruction in the user target program, wherein a memory access address corresponding to the safe memory access instruction belongs to a legal access range of a first safety level.

22. A compiling apparatus comprising:

the system comprises a user source program obtaining unit, a trusted security zone and a processing unit, wherein the trusted security zone comprises a memory segment with a first security level and a memory segment with a second security level, the memory segment with the first security level comprises a user data segment and a user program segment, the memory segment with the second security level comprises a backup data segment and a reset program segment, the legal access range of the first security level comprises at least one part of memory addresses in the memory segment with the first security level, and the memory access address corresponding to a security memory access instruction in the user program segment belongs to the legal access range of the first security level;

the compiling unit is used for compiling the user source program into a user target program so as to convert the memory access instruction in the user source program into a corresponding safe memory access instruction in the user target program;

a user target program loading unit, configured to load the user target program into the user program segment, so as to execute the user target program in the user program segment after being reset by the trusted secure area in response to a task request; wherein resetting the trusted secure zone comprises: and executing a trusted security zone reset function in the reset program segment, and covering the memory backup stored in the backup data segment to a memory space corresponding to a legal access range of a first security level, wherein the memory backup comprises a user data segment backup used for covering the user data segment.

23. A trusted computing system comprising a front-end trusted security zone and at least one back-end trusted security zone, wherein:

the front-end trusted security zone is used for receiving a task request sent by a client, forwarding the task request to a corresponding rear-end trusted security zone, and sending an execution result aiming at the task request returned by the rear-end trusted security zone to the client;

any back-end trusted secure zone is used for executing the method according to any one of claims 1-19 when receiving a task request sent by the front-end trusted secure zone, and returning an execution result generated by executing a user target program to the front-end trusted secure zone.

24. An electronic device, comprising:

a processor;

a memory for storing processor-executable instructions;

wherein the processor implements the method of any one of claims 1-20 by executing the executable instructions.

25. A computer readable storage medium having stored thereon computer instructions which, when executed by a processor, carry out the steps of the method according to any one of claims 1 to 20.

Images