CN105956466A - TPM-based active measurement and exception reporting system and method - Google Patents


Info

Publication number
CN105956466A
Authority
CN
China
Prior art keywords
file
abnormal
module
fileversion
tpm
Prior art date
Legal status
Pending
Application number
CN201610273752.4A
Other languages
Chinese (zh)
Inventor
杨博中
Current Assignee
Inspur Electronic Information Industry Co Ltd
Original Assignee
Inspur Electronic Information Industry Co Ltd
Priority date
Filing date
Publication date
Application filed by Inspur Electronic Information Industry Co Ltd
Priority to CN201610273752.4A
Publication of CN105956466A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2153 Using hardware token as a secondary aspect

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a TPM-based active measurement and exception reporting system and method in the technical field of computer security. A file is mapped into memory by a memory mapping module, and a file version control and exception reporting module is called to judge the version of the file. If the file version meets the measurement requirement, the content of the file mapped into memory is measured, the measurement result is compared with a standard measurement result, and control of the subsequent operation of the file is completed according to the measurement result: if the comparison result is consistent, the file is allowed to continue running; otherwise the file is prevented from running, the abnormal result is submitted to the monitoring module, and the monitoring module feeds the abnormal information back to the administrator. The invention ensures that file security is protected in all respects and can remedy the defects of traditional computer security equipment.

Description

TPM-based active measurement and exception reporting system and method
Technical field
The present invention relates to the technical field of computer security, and in particular to a TPM-based active measurement and exception reporting system and method.
Background
With the spread of computers and people's growing attention to personal information security, how to ensure the security of computers, and thereby of personal information, has become a vital problem. Traditional computer security equipment is usually based on virus and Trojan scanning technology, which scans whether a file contains a virus or Trojan; this is targeted protection and cannot fully ensure the security of the computer. Therefore, how to ensure computer security in all respects has become an urgent problem to solve.
Summary of the invention
Aimed at current needs and the shortcomings of existing technology, the present invention provides a TPM-based active measurement and exception reporting system and method.
The technical scheme adopted by the TPM-based active measurement and exception reporting system and method of the present invention to solve the above technical problem is as follows. The system architecture of the TPM-based active measurement and exception reporting system mainly includes (1) a TPM chip; (2) a memory mapping module; (3) a measurement module; (4) a file version control and exception reporting module; and (5) a monitoring module. The TPM chip is responsible for recording the iterated value of each file measurement result. The memory mapping module is responsible for mapping file content into memory for the CPU to use, and is additionally responsible for calling the file version control and exception reporting module to complete the version control and measurement work for the file. The measurement module is responsible for computing a hash over the file content that has been read, recording the resulting hash in the measurement log, and using the TPM to sign the measurement value. The file version control and exception reporting module is responsible for judging, when a file is used, whether the file version has changed; if the comparison result is consistent, the file is allowed to carry out its next operation, otherwise the file is prevented from continuing to run and the abnormal result is fed back to the monitoring module. The monitoring module is responsible for receiving the abnormal information sent by the file version control and exception reporting module and notifying the administrator by e-mail.
Preferably, the file version control and exception reporting module is responsible for judging, when a file is used, whether the file version has changed. If it has changed, then after the memory mapping module completes the mapping, the measurement module is called to measure the file content and compute the hash result, and the signature value of this file in the measurement log is verified; after the signature verification passes, the current hash result is compared with the hash result in the measurement log.
The TPM-based active measurement and exception reporting method maps the file into memory through the memory mapping module and calls the file version control and exception reporting module to judge the version of the file. If the file version meets the measurement requirement, the content of the file mapped into memory is measured, the measurement result is compared with the standard measurement result, and control of the subsequent operation of the file is completed according to the measurement result.
Preferably, the measurement result is compared with the standard measurement result; if the comparison result is consistent, the file is allowed to continue running, otherwise the file is prevented from running and the abnormal result is submitted to the monitoring module, which feeds the abnormal information back to the administrator.
Compared with the prior art, the TPM-based active measurement and exception reporting system and method of the present invention has the following beneficial effects: the present invention introduces active measurement technology and uses the integrity measurement value of a file as the sole standard of file security, so that file security obtains all-round protection; it compensates for the overly one-sided protection provided by conventional security software and can remedy the deficiencies of traditional computer security equipment.
Description of the drawings
Figure 1 is a schematic flow chart of the method in the form of the described centralized management platform.
Detailed description of the invention
To make the objects, technical solutions and advantages of the present invention clearer, the TPM-based active measurement and exception reporting system and method of the present invention is further described below with reference to specific embodiments.
The present invention proposes a TPM-based active measurement and exception reporting system and method: when a file is used for the first time, the standard hash measurement value of its in-memory content is recorded; when the file version changes, the hash value of its in-memory content is recalculated and compared with the standard hash measurement value, and whether the file is secure is judged by whether the comparison result is consistent. The present invention uses the in-memory measurement value of a file as the sole criterion of whether the file is secure, which fundamentally ensures the all-round security of files, remedies the deficiencies of traditional computer security equipment, and compensates for the overly one-sided protection provided by conventional security software.
Embodiment:
The system architecture of the TPM-based active measurement and exception reporting system of this embodiment mainly includes (1) a TPM chip; (2) a memory mapping module; (3) a measurement module; (4) a file version control and exception reporting module; and (5) a monitoring module. The TPM chip is responsible for recording the iterated value of each file measurement result. The memory mapping module is responsible for mapping file content into memory for the CPU to use, and is additionally responsible for calling the file version control and exception reporting module to complete the version control and measurement work for the file. The measurement module is responsible for computing a hash over the file content that has been read, recording the resulting hash in the measurement log, and using the TPM to sign the measurement value. The file version control and exception reporting module is responsible for judging, when a file is used, whether the file version has changed; if the comparison result is consistent, the file is allowed to carry out its next operation, otherwise the file is prevented from continuing to run and the abnormal result is fed back to the monitoring module. The monitoring module is responsible for receiving the abnormal information sent by the file version control and exception reporting module and notifying the administrator by e-mail.
In the TPM-based active measurement and exception reporting system of this embodiment, the measurement module is responsible for computing a hash over the file content that has been read and recording the resulting hash in the measurement log; the measurement log contains the PCR index number, the current PCR content, the file measurement value, the TPM signature content, and the file name. The file version control and exception reporting module is responsible for judging, when a file is used, whether the file version has changed. If it has changed, then after the memory mapping module completes the mapping, the measurement module is called to measure the file content and compute the hash result, and the signature value of this file in the measurement log is verified; after the signature verification passes, the current hash result is compared with the hash result in the measurement log. If the comparison result is consistent, the file is allowed to carry out its next operation, otherwise the file is prevented from continuing to run and the abnormal result is fed back to the monitoring module.
The TPM-based active measurement and exception reporting method of this embodiment maps the file into memory through the memory mapping module and calls the file version control and exception reporting module to judge the version of the file. If the file version meets the measurement requirement, the content of the file mapped into memory is measured, the measurement result is compared with the standard measurement result, and control of the subsequent operation of the file is completed according to the measurement result: if the comparison result is consistent, the file is allowed to continue running, otherwise the file is prevented from running and the abnormal result is submitted to the monitoring module, which feeds the abnormal information back to the administrator.
The method modifies the memory mapping system so that, while a file (which may be an executable file, a binary file, a configuration file, or a read/write file) is being mapped into memory, the measurement module is called to compute the hash result of the file, and this result is recorded. The next time the file is used, if the file version has changed, the latest hash result of the file is computed and compared with the earlier measurement result; if the comparison result is consistent, the file is allowed to continue running, otherwise the file operation is prevented and the abnormal condition is actively reported to the monitoring program.
In the TPM-based active measurement and exception reporting method of this embodiment, file measurement results are recorded in the PCR space of the TPM by iterative recording, that is, the latest PCR content is the hash of the current PCR content together with the measurement result of the current file. Because this recording is iterative, a change in the measurement result of any one file causes the final measurement result to change, which safeguards the security of all files.
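The iterative PCR record described in this paragraph, as an added example that is not part of the patent text. The hash algorithm (SHA-256), the PCR reset value (32 zero bytes) and the three sample files are assumptions chosen here; the patent names none of them. The example shows the extend rule, the property that a change to any single file alters the final PCR value, and the verifier-side replay of a measurement log that a monitoring program would use to check the reported PCR.

```python
import hashlib
import hmac
from typing import List, Sequence

# Assumption: a SHA-256 PCR bank whose reset value is 32 zero bytes. The patent
# names neither the hash algorithm nor the PCR index, so both are chosen here.
PCR_RESET = bytes(32)

# Constructed sample "files" standing in for the executable, binary and
# configuration files the description says may be measured.
SAMPLE_FILES = (
    b"#!/bin/sh\necho ok\n",
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,
    b"[service]\nmax_connections=100\n",
)


def measure_file(content: bytes) -> bytes:
    """Measurement module: hash of the file content as mapped into memory."""
    return hashlib.sha256(content).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """Iterative PCR record from the description: new PCR = H(current PCR || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def extend_chain(contents: Sequence[bytes]) -> List[bytes]:
    """Extend every file measurement in turn, returning the PCR value after each step."""
    history, pcr = [], PCR_RESET
    for content in contents:
        pcr = pcr_extend(pcr, measure_file(content))
        history.append(pcr)
    return history


def final_pcr(contents: Sequence[bytes]) -> bytes:
    """PCR content after all files have been recorded (reset value if none were)."""
    return extend_chain(contents)[-1] if contents else PCR_RESET


def change_propagates(contents: Sequence[bytes], index: int, new_content: bytes) -> bool:
    """True when replacing the file at `index` changes the final PCR: the property
    the description relies on, that any single file change is visible at the end."""
    modified = list(contents)
    modified[index] = new_content
    return final_pcr(modified) != final_pcr(contents)


def replay_matches(logged_measurements: Sequence[bytes], reported_pcr: bytes) -> bool:
    """Verifier-side check: replay the per-file values from the measurement log,
    starting at the reset state, and confirm they reproduce the PCR the TPM reports."""
    pcr = PCR_RESET
    for m in logged_measurements:
        pcr = pcr_extend(pcr, m)
    return hmac.compare_digest(pcr, reported_pcr)


if __name__ == "__main__":
    print("final PCR:", final_pcr(SAMPLE_FILES).hex())
    edited = b"[service]\nmax_connections=200\n"
    print("config edit visible in final PCR:", change_propagates(SAMPLE_FILES, 2, edited))
```

Because each step hashes the previous PCR value, the order of measurements matters as well as their content: the same three files extended in a different order yield a different final value, so a verifier replaying the log must process the records in the order they were written.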
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings. The present invention, through the memory mapping module, maps file content into memory when the file is used, and then calls the file version control and exception reporting module; this module computes and compares the measurement value (hash value) of the file content mapped into memory and decides according to the comparison result whether the file may carry out its next operation.
Figure 1 is the flow chart of the TPM-based active measurement and exception reporting method; the working method of the active measurement and exception reporting system of the present invention is explained below with reference to Figure 1:
(1) When the operating system uses a file, the file content is first mapped into memory; at this point the memory mapping module is called to complete the mapping of the file content;
(2) First check whether the version of this file has changed. If it has not changed, the file is directly allowed to carry out its next operation. If the file version has changed, the measurement value of the file content mapped into memory is computed, and the signature value of this file in the measurement log is verified; after the signature verification passes, this measurement value is compared with the standard measurement value in the measurement log, and the method continues with step 3. If the file is being used for the first time, there is no measurement record for this file in the measurement log, so no measurement comparison is performed on this use; instead the measurement value of the present file is written into the measurement log, and the operation of the file then continues;
(3) If the comparison result of step 3 is consistent, the file is allowed to continue running; otherwise the method continues with step 4;
(4) The file is prevented from continuing to run and the monitoring module is called; the monitoring module is responsible for sending the abnormal information to the administrator in the form of an e-mail.
Using the TPM-based active measurement and exception reporting system and method of the present invention, the above operations can discover file anomalies, stop the next operation of the file, and send the abnormal information to the administrator; while safeguarding the security of the system, this also helps the administrator handle the exception and provides a sound guarantee for computer security.
The above detailed embodiment is only a specific case of the present invention; the scope of patent protection of the present invention includes but is not limited to the above detailed embodiment, and any suitable change or replacement that conforms to the claims of the present invention and is made by any person of ordinary skill in the technical field falls within the scope of patent protection of the present invention.
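Steps (1) to (4) above as a runnable software model, added here as an example that is not the patent's own code. It assumes a simulated TPM (one SHA-256 PCR plus an HMAC key that never leaves the object, standing in for the TPM's signing key), a caller-supplied integer file version (the patent does not say how a version is tracked), a placeholder PCR index of 10, and a constructed configuration file written to a temporary directory. The measurement log record carries the five fields the embodiment lists, and the monitoring module is modelled as a list of messages that would be e-mailed to the administrator. The last case in `demo()` shows why the log is signed: a log record that has been edited no longer verifies, so the file is blocked even though its current measurement matches the edited record.

```python
import hashlib
import hmac
import mmap
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class LogEntry:
    """One measurement-log record with the five fields the embodiment lists."""
    pcr_index: int
    pcr_content: bytes
    file_measure: bytes
    tpm_signature: bytes
    filename: str


class SimulatedTPM:
    """Stand-in for the TPM chip (assumption: a real deployment would use the TPM's
    PCR extend and signing commands). Holds one SHA-256 PCR and a signing key that
    never leaves the object; HMAC replaces the TPM's signature over the record."""

    def __init__(self, pcr_index: int = 10):  # PCR index is a chosen placeholder
        self.pcr_index = pcr_index
        self.pcr = bytes(32)
        self._key = os.urandom(32)

    def extend(self, measurement: bytes) -> bytes:
        self.pcr = hashlib.sha256(self.pcr + measurement).digest()
        return self.pcr

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def verify(self, data: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), signature)


def map_and_measure(path: str) -> bytes:
    """Memory mapping module plus measurement module: map the file, hash what is mapped."""
    with open(path, "rb") as f:
        if os.fstat(f.fileno()).st_size == 0:  # mmap refuses empty files
            return hashlib.sha256(b"").digest()
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return hashlib.sha256(mm).digest()


def _signed_fields(entry: LogEntry) -> bytes:
    """Bytes covered by the TPM signature: every record field except the signature."""
    return (entry.pcr_index.to_bytes(4, "big") + entry.pcr_content
            + entry.file_measure + entry.filename.encode())


class ActiveMeasurement:
    """File version control and exception reporting module plus the monitoring module."""

    def __init__(self, tpm: SimulatedTPM):
        self.tpm = tpm
        self.log: Dict[str, LogEntry] = {}
        self.versions: Dict[str, int] = {}  # assumption: caller supplies a version number
        self.alerts: List[str] = []         # what the monitoring module would e-mail

    def use_file(self, path: str, version: int) -> bool:
        """Steps (1)-(4). Returns True if the file may continue to run, False if blocked."""
        name = os.path.basename(path)
        entry = self.log.get(name)
        if entry is None:                            # first use: record, do not compare
            measure = map_and_measure(path)
            e = LogEntry(self.tpm.pcr_index, self.tpm.extend(measure), measure, b"", name)
            e.tpm_signature = self.tpm.sign(_signed_fields(e))
            self.log[name], self.versions[name] = e, version
            return True
        if version == self.versions[name]:           # step (2): version unchanged
            return True
        measure = map_and_measure(path)              # version changed: re-measure
        if not self.tpm.verify(_signed_fields(entry), entry.tpm_signature):
            return self._block(name, "measurement log signature does not verify")
        if hmac.compare_digest(measure, entry.file_measure):  # step (3)
            self.versions[name] = version
            return True
        return self._block(name, "measurement differs from standard value")  # step (4)

    def _block(self, name: str, reason: str) -> bool:
        self.alerts.append(f"{name}: {reason}")      # monitoring module notification
        return False


def demo() -> dict:
    """Run the flow over a constructed config file; returns the outcome of each use."""
    system = ActiveMeasurement(SimulatedTPM())
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "service.conf")
        with open(path, "wb") as f:
            f.write(b"[service]\nmax_connections=100\n")  # constructed content
        results["first_use"] = system.use_file(path, version=1)
        results["same_version"] = system.use_file(path, version=1)
        results["new_version_same_content"] = system.use_file(path, version=2)
        with open(path, "wb") as f:
            f.write(b"[service]\nmax_connections=200\n")  # constructed edit
        results["new_version_changed_content"] = system.use_file(path, version=3)
        # An edited log record no longer matches its TPM signature, so it is rejected too.
        system.log["service.conf"].file_measure = map_and_measure(path)
        results["edited_log_record"] = system.use_file(path, version=4)
        results["alerts"] = list(system.alerts)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that, as in the patent, a legitimate update that changes file content is also blocked once its version changes, because the first recorded measurement is the only accepted standard value; an operator would need a separate, authorised path to re-record a file after an intended update.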

Claims (4)

1. A TPM-based active measurement and exception reporting system and method, characterized in that its system architecture mainly includes (1) a TPM chip; (2) a memory mapping module; (3) a measurement module; (4) a file version control and exception reporting module; and (5) a monitoring module; wherein the TPM chip is responsible for recording the iterated value of each file measurement result; the memory mapping module is responsible for mapping file content into memory for the CPU to use, and is responsible for calling the file version control and exception reporting module to complete the version control and measurement work for the file; the measurement module is responsible for computing a hash over the file content that has been read, recording the resulting hash in the measurement log, and using the TPM to sign the measurement value; the file version control and exception reporting module is responsible for judging, when a file is used, whether the file version has changed, and if the comparison result is consistent, allowing the file to carry out its next operation, otherwise preventing the file from continuing to run and feeding the abnormal result back to the monitoring module; and the monitoring module is responsible for receiving the abnormal information sent by the file version control and exception reporting module and notifying the administrator by e-mail.
2. The TPM-based active measurement and exception reporting system and method, characterized in that the file version control and exception reporting module is responsible for judging, when a file is used, whether the file version has changed; if it has changed, then after the memory mapping module completes the mapping, the measurement module is called to measure the file content and compute the hash result, the signature value of this file in the measurement log is verified, and after the signature verification passes, the current hash result is compared with the hash result in the measurement log.
3. A TPM-based active measurement and exception reporting method, characterized in that the file is mapped into memory through the memory mapping module, and the file version control and exception reporting module is called to judge the version of the file; if the file version meets the measurement requirement, the content of the file mapped into memory is measured, the measurement result is compared with the standard measurement result, and control of the subsequent operation of the file is completed according to the measurement result.
4. The TPM-based active measurement and exception reporting system and method, characterized in that the measurement result is compared with the standard measurement result; if the comparison result is consistent, the file is allowed to continue running, otherwise the file is prevented from running and the abnormal result is submitted to the monitoring module, which feeds the abnormal information back to the administrator.

Priority Applications (1)

Application Number: CN201610273752.4A (CN105956466A, en)
Priority Date: 2016-04-28
Filing Date: 2016-04-28
Title: TPM-based active measurement and exception reporting system and method

Applications Claiming Priority (1)

Application Number: CN201610273752.4A (CN105956466A, en)
Priority Date: 2016-04-28
Filing Date: 2016-04-28
Title: TPM-based active measurement and exception reporting system and method

Publications (1)

Publication Number: CN105956466A (en)
Publication Date: 2016-09-21

Family

ID=56916868

Family Applications (1)

Application Number: CN201610273752.4A (CN105956466A, en)
Title: TPM-based active measurement and exception reporting system and method
Priority Date: 2016-04-28
Filing Date: 2016-04-28
Status: Pending

Country Status (1)

Country: CN (1)
Link: CN105956466A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101038556A (en) * 2007-04-30 2007-09-19 中国科学院软件研究所 Trusted bootstrap method and system thereof
CN101271498A (en) * 2008-03-25 2008-09-24 浙江大学 Method for implementing reliable computation through threatened linked list and safety linked list in Linux operating system
CN101593324A (en) * 2009-06-17 2009-12-02 浙江师范大学 The network multi-level measures and procedures for the examination and approval and system based on dependable computing application technique
CN102436566A (en) * 2012-01-12 2012-05-02 冶金自动化研究设计院 Dynamic trusted measurement method and safe embedded system
CN103093150A (en) * 2013-02-18 2013-05-08 中国科学院软件研究所 Dynamic integrity protection method based on credible chip
CN103916246A (en) * 2014-03-31 2014-07-09 中国科学院软件研究所 Method and system for preventing cheating during examination based on trusted computing
US9280659B2 (en) * 2006-12-29 2016-03-08 Intel Corporation Methods and apparatus for remeasuring a virtual machine monitor
CN105516207A (en) * 2016-01-28 2016-04-20 浪潮电子信息产业股份有限公司 Certificate management method in remote authentication

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111914303A (en) * 2020-08-07 2020-11-10 中科方德软件有限公司 Security measurement and security verification method for running state of Linux system
WO2022027154A1 (en) * 2020-08-07 2022-02-10 中科方德软件有限公司 Security metric and security verification method for run-time state of linux system
CN111914303B (en) * 2020-08-07 2023-08-18 中科方德软件有限公司 Security measurement and security verification method for Linux system running state

Similar Documents

Publication Publication Date Title
CN107959568B (en) A kind of measurement verification calibration digital certificates intelligent generation method and system
CN111538963A (en) Block chain copyright protection system and method based on double chains
WO2021114406A1 (en) Blockchain-based vaccine information monitoring method and apparatus, and computer device
CN108363929B (en) System and method for generating information elimination report of storage device and preventing tampering
US10853197B2 (en) Data recovery with authenticity
US20130191642A1 (en) Nested digital signatures with constant file size
CN105930733A (en) Trust chain construction method and apparatus
CN109598519B (en) Vehicle auditing method, device, computer equipment and storage medium
CN111475570A (en) Concrete quality supervision method, device, equipment and storage medium
CN107015911A (en) The code review method and device of continuous integrating
CN106096421A (en) TPM-based high-security host security protection system and method
CN110223035A (en) Fire control acceptance intelligent quantization method and fire control acceptance intelligent quantization system
CN115270193B (en) Data file secure sharing method and device based on block chain and collaborative synchronization
CN110830257A (en) File signature method and device, electronic equipment and readable storage medium
CN105956466A (en) TPM-based active measurement and exception reporting system and method
US20110099368A1 (en) Cable modem and certificate testing method thereof
CN106250726A (en) Software version state management-control method
CN112019586B (en) Method and system for verification of blockchains
JP5788681B2 (en) Handwritten signature acquisition apparatus, handwritten signature acquisition program, and handwritten signature acquisition method
CN115795565A (en) Log tamper-proofing method, device, equipment and storage medium
CN106295331A (en) Design method of active defense and exception reporting system
CN113723071B (en) Electronic archive verification method, system, storage medium and equipment
WO2020253373A1 (en) Methods for generating and processing electronic file having business logic embedded
CN113706056A (en) Bidding unit performance identification early warning method, device, equipment and storage medium
CN111652458A (en) Engineering auditing method based on block chain technology

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160921