CN110874468B - Application program security protection method and related equipment - Google Patents


Info

Publication number: CN110874468B
Authority: CN (China)
Prior art keywords: virtual machine, enclave, springboard, operating system, application program
Legal status: Active
Application number: CN201811019549.XA
Other languages: Chinese (zh)
Other versions: CN110874468A
Inventors: 夏虞斌, 古金宇, 翟征德
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd

Classifications

    • G Physics
    • G06 Computing; calculating or counting
    • G06F Electric digital data processing
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine


Abstract

The application program security protection method and device are applied to a server that comprises a virtual machine operating system and an application program running in a virtual machine (VM). The method comprises the following steps: establishing a first enclave running the virtual machine operating system of the VM and a second enclave running the application program of the VM, the virtual machine operating system being a user state operating system; acquiring a first springboard, which operates in a memory area outside the first enclave and the second enclave; transferring the call of the application program to the virtual machine operating system by using the first springboard; and transmitting the call return result of the virtual machine operating system back to the application program. By implementing the method and the device, security protection of the application program during its running period can be realized by utilizing enclaves while keeping a small attack interface and avoiding growth of the TCB, so the running security of the application program is improved.

Description

Application program security protection method and related equipment
Technical Field
The invention relates to the technical field of virtualization, in particular to an application program security protection method and related equipment.
Background
Virtualization technology is widely used because of advantages such as reasonable resource sharing, a good isolation mechanism, easy maintenance and low cost. A server architecture that applies virtualization typically includes server hardware, a virtual machine monitor (VMM), a running virtual machine operating system (guest operating system, referred to herein simply as the OS), and applications based on the virtual machine operating system. The virtual machine monitor, also called a hypervisor, is an intermediate software layer running between the server hardware and the virtual machine operating system that allows multiple virtual machines to share the server hardware; a virtual machine includes the virtual machine operating system and its application programs. Applications in the virtual machine may process sensitive user data, such as medical health data or credit card data, and may therefore be called sensitive applications. Users urgently want the sensitive data handled by these sensitive applications to be protected from leakage.
In conventional security hierarchies, applications typically run at a low privilege level (e.g., ring 3), the OS at a high privilege level (e.g., ring 0), and the hypervisor at a still higher privilege level (root operation). A high privilege level object has full control over a low privilege level object and can arbitrarily read and modify code and data in the address space of the low privilege level object. Such architectures present security threats: the OS, which may contain malicious code or vulnerabilities, poses a direct threat to the confidentiality of sensitive application data and to code integrity, and the hypervisor, for the same reasons, poses a threat to the integrity of the OS. This threat from high privilege level software to low privilege level software is very serious and difficult to defend against. Against such security problems, the CPU can construct an enclave and place sensitive application code and data into the enclave for execution. An enclave is a protected software code execution area in memory (also called a memory security area) that can protect the safe running of ring 3 application code and data: the CPU prevents software outside the enclave from directly accessing the code and data inside it. The CPU is in enclave execution mode while executing program code in the enclave, and in non-enclave execution mode after exiting the enclave (when enclave execution completes, when a program in the enclave makes a system call, and so on). In this way the execution environment in the enclave is isolated, and the confidentiality and integrity of sensitive application code and sensitive data can be protected.
Enclave technology has a significant problem in real-world applications: usually only a portion of an application's code logic (e.g., encryption or data analysis) is protected by an enclave, which makes complete protection of the entire application during its operation difficult to achieve. The Libc function library on which the application runs, the OS functions on which it depends, and the application code outside the enclave all remain unprotected. This means the application remains very vulnerable at runtime, since an attacker can attack the OS, Libc, and the application code outside the enclave. How to protect the complete runtime of an application using an enclave is therefore an important technical issue.
In one implementation, the SCONE scheme was proposed by the University of Dresden, Germany and Imperial College, England, as shown in FIG. 1. The scheme encapsulates the application program together with its Libc (the C function library under Linux) into an enclave for execution (the gray area in the figure), so that both the application and Libc are protected by the enclave.
However, many system functions on which an application depends, such as memory management, I/O and thread scheduling, are completed through system calls, and the SCONE scheme does not protect the OS on which the application depends. If the OS is maliciously tampered with by an attacker, or invaded by exploiting a hypervisor vulnerability, the security of the application can still be threatened. This solution therefore still leaves a large application attack interface.
In yet another implementation, Microsoft, USA, proposes the Haven solution, shown in FIG. 2, in which the various operating system functions on which an application depends are re-implemented as a library OS (lib OS for short); the lib OS is encapsulated together with the application and Libc and runs in an enclave (the gray area). Thus the application program itself and the system calls on which it runs are both protected by the enclave.
However, Haven's solution may make the trusted computing base (TCB) of an application too large: the lib OS code inside the enclave is large, typically millions of lines, and it is difficult to guarantee that it contains no vulnerabilities. While an enclave prevents software outside it from directly accessing the program code and data inside, it cannot prevent security vulnerabilities in the lib OS code inside the enclave from being exploited, because software outside the enclave can invoke the methods the enclave exposes and provide specially constructed inputs that cause the vulnerable code to execute maliciously, thereby threatening the security of the application. In addition, a huge TCB puts resource pressure on the enclave, because in practice the memory an enclave can occupy is limited.
In summary, the prior-art schemes that protect a running application using the CPU's enclave either leave a large application attack interface or result in a TCB of huge scale. How to protect an application during its complete running period therefore remains a great technical challenge.
Disclosure of Invention
Embodiments of the invention provide an application program security protection method that uses enclaves to protect an application during operation while keeping a small attack interface and avoiding growth of the TCB, thereby improving the security of application operation.
In a first aspect, an embodiment of the present invention provides an application security protection method applied to a server that includes a virtual machine operating system and an application running in a virtual machine. The method comprises the following steps: establishing, in memory, a first enclave running the virtual machine operating system and a second enclave running the application program. The first enclave is a memory security area protecting the operation of the virtual machine operating system, and the second enclave is a memory security area protecting the operation of the application program. The virtual machine operating system is a user state operating system (user state OS for short) that operates at the ring 3 privilege level, as does the application program; because an enclave can protect program code operating at ring 3, the user state OS designed in this embodiment can operate in the first enclave and the application program in the second enclave. To enable communication between the virtual machine operating system in the first enclave and the application program in the second enclave, the embodiment designs a first springboard, which serves as the communication channel between them and runs in a memory area outside both the first enclave and the second enclave.
During the running of the application program, when the application needs to make a system call, the first springboard is obtained and the call of the application program to the virtual machine operating system is transferred to the virtual machine operating system through the first springboard; the call return result of the virtual machine operating system is then transmitted back to the application program through the first springboard. The application may be a sensitive application, i.e. an application that processes sensitive user data.
It can be seen that in this embodiment different sensitive applications and the user state OS each run in their own enclaves. The application program and the user state OS proxy control-flow transfer between each other through the first springboard located between them, and the user state OS runs in the first enclave, which protects and isolates it so that code and data in the user state OS cannot be directly acquired or tampered with from outside. Because different sensitive applications run in their respective second enclaves, the second enclaves protect and isolate the sensitive applications, enabling them to resist external attacks. By implementing the embodiment, the attack interface of the application program is reduced without increasing the TCB, so the application runs more securely.
Based on the first aspect, in a specific implementation, a separate enclave (the first enclave) encapsulates the running user state OS and provides, in a protected manner, the system calls that applications need; a separate enclave (the second enclave) is created to protect the code and data of at least one sensitive application and the function library it uses (e.g. the Libc library). When the virtual machine also contains non-sensitive applications, these require no additional protection, so they need not be packaged in a separate enclave and simply execute in the common memory address space.
Based on the first aspect, in a possible embodiment, the server includes a virtual machine monitor (hypervisor) and server hardware, the virtual machine monitor providing shared access of the virtual machine to the server hardware. To enable communication between the virtual machine operating system (the user state OS) and the virtual machine monitor, the embodiment designs a second springboard, which serves as the communication channel between the virtual machine monitor and the virtual machine operating system in the first enclave and runs in a memory area outside the first enclave and the second enclave. When the virtual machine operating system (or an application program) needs to access the server hardware (all physical devices on the server, including memory, network card, disk and so on), the second springboard is acquired and used to transfer the call of the virtual machine operating system to the virtual machine monitor; the return result of the call is then transmitted back to the virtual machine operating system through the second springboard.
Specifically, because the user state OS is inside an enclave it cannot directly execute ring 0 instructions. The second springboard designed for the user state OS therefore not only assists the user state OS in calling the underlying virtual machine monitor services (hypercalls; for example, the user state OS can complete high privilege operations such as modifying a page table through the services of the virtual machine monitor), but also assists the virtual machine monitor in transferring control flow to the user state OS and executing upcalls.
It can be seen that, because the user state OS runs in the first enclave, which protects and isolates it, neither an application program nor the virtual machine monitor can directly acquire or tamper with code and data in the user state OS. Because different sensitive applications run in their respective second enclaves, which protect and isolate them, the sensitive applications can resist attacks from virtual machine operating systems, virtual machine monitors and other applications that are untrusted or may contain vulnerabilities. Through the first springboard and the second springboard, normal system calls of the application program and calls of the operating system to hypervisor services are not affected, so normal operation in the virtual machine is maintained while the application runs securely.
Based on the first aspect, in a specific embodiment, the first springboard includes first springboard code and shared data between the application program and the user state operating system; the first springboard code implements the communication channel function of the first springboard. The shared data is data that both the application program and the user state operating system may need during normal operation; if it were placed inside an enclave, the normal working of the application program and/or the user state operating system could be affected. Storing this shared data in the first springboard therefore ensures that their normal working is not affected, improving the applicability of the invention.
Similarly, the second springboard comprises second springboard code and shared data between the user state operating system and the virtual machine monitor; the second springboard code implements the communication channel function of the second springboard. The shared data is data that both the user state operating system and the virtual machine monitor may use during normal operation; if it were placed inside an enclave, the normal working of the user state operating system and/or the virtual machine monitor could be affected. Storing this shared data in the second springboard therefore ensures that their normal working is not affected, improving the applicability of the invention.
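The two-springboard layout described above, as an added simulation (not the patent's, Xen's or Mini-OS's code): the user state OS is the code of a first enclave, a sensitive application is the code of a second enclave, the hypervisor stands in for the modified Xen, and each springboard is plain-memory code plus a shared request/result area. Only control flow and memory visibility are modelled; no SGX instruction is involved, and the hypercall names, the `start_app` service and the sample record are all constructed for the example.

```python
"""Constructed simulation of the first and second springboards. Enclave private
memory is readable only while the CPU executes inside that enclave; springboards
live outside every enclave and only move requests and results through shared data."""
import hashlib


class EnclaveAccessViolation(Exception):
    """Raised when code outside an enclave touches that enclave's private memory."""


class Enclave:
    """A protected memory region with one entry point (the enclave's code)."""

    def __init__(self, name, entry):
        self.name = name
        self._entry = entry          # enclave code: serves one request per entry
        self._private = {}           # enclave data, never visible outside
        self._executing = False

    def private(self):
        if not self._executing:
            raise EnclaveAccessViolation(f"{self.name}: access from outside blocked")
        return self._private

    def enter(self, request):
        self._executing = True       # CPU switches to enclave execution mode
        try:
            return self._entry(self, request)
        finally:
            self._executing = False  # leaving the enclave: non-enclave mode again


class Springboard:
    """Springboard code plus shared data, both in ordinary memory."""

    def __init__(self, target):
        self.target = target         # an Enclave, or the hypervisor for hypercalls
        self.shared = {}             # data both sides are allowed to see
        self.log = []                # everything an observer outside enclaves sees

    def call(self, request):
        self.shared["request"] = request
        self.log.append(("call", request))
        if isinstance(self.target, Enclave):
            result = self.target.enter(self.shared["request"])
        else:
            result = self.target.hypercall(self.shared["request"])
        self.shared["result"] = result
        self.log.append(("return", result))
        return result


class Hypervisor:
    """Stand-in for the modified Xen: maps pages and creates enclaves on request."""

    def __init__(self):
        self.page_table = {}

    def hypercall(self, req):
        if req["op"] == "map_pages":
            self.page_table[req["vaddr"]] = req["size"]
            return {"ok": True}
        if req["op"] == "create_enclave":     # the newly added hypercall service
            return {"ok": True, "enclave": Enclave(req["name"], req["entry"])}
        return {"ok": False, "error": "unknown hypercall"}


def sensitive_app(enclave, req):
    """Code inside the second enclave. The sensitive record stays in private
    memory; only a digest is handed to the OS through the first springboard."""
    enclave.private()["record"] = req["record"]
    syscall = req["syscall_springboard"].call
    syscall({"syscall": "mmap", "vaddr": 0x10000, "size": 4096})
    digest = hashlib.sha256(enclave.private()["record"]).hexdigest()
    return syscall({"syscall": "write", "path": "/out", "data": digest})


def build_server():
    """Wire the hypervisor, the first enclave (user state OS) and the second springboard."""
    hv = Hypervisor()
    hv_springboard = Springboard(hv)          # second springboard: OS <-> hypervisor

    def user_state_os(enclave, req):
        """Code inside the first enclave: serves system calls at ring 3 and uses
        the second springboard whenever ring 0 work such as page mapping is needed."""
        files = enclave.private().setdefault("files", {})
        if req["syscall"] == "start_app":
            return hv_springboard.call({"op": "create_enclave", "name": req["name"], "entry": req["entry"]})
        if req["syscall"] == "mmap":
            return hv_springboard.call({"op": "map_pages", "vaddr": req["vaddr"], "size": req["size"]})
        if req["syscall"] == "write":
            files[req["path"]] = files.get(req["path"], "") + req["data"]
            return {"ok": True, "written": len(req["data"])}
        return {"ok": False, "error": "ENOSYS"}

    return hv, Enclave("user-state-OS", user_state_os), hv_springboard


def run_demo(record=b"patient-7: blood type O-"):   # constructed sensitive data
    hv, os_enclave, hv_springboard = build_server()
    # The OS, from inside the first enclave, asks the hypervisor to create the app's enclave.
    app_enclave = os_enclave.enter({"syscall": "start_app", "name": "sensitive-app", "entry": sensitive_app})["enclave"]
    app_springboard = Springboard(os_enclave)  # first springboard: app <-> OS
    result = app_enclave.enter({"record": record, "syscall_springboard": app_springboard})
    leaked = any(record in repr(entry).encode() for entry in app_springboard.log)
    try:
        os_enclave.private()                   # springboard-level code probing the OS
        outside_access = True
    except EnclaveAccessViolation:
        outside_access = False
    return {"written": result["written"], "pages_mapped": len(hv.page_table),
            "record_seen_outside": leaked, "outside_access": outside_access,
            "syscalls_proxied": sum(1 for e in app_springboard.log if e[0] == "call")}
```

Running `run_demo()` shows the three properties the text relies on: the application's system calls reach the OS only through the first springboard, the OS's ring 0 work reaches the hypervisor only through the second springboard, and the shared data the springboards hold never contains the record kept inside the second enclave.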
Based on the first aspect, in a possible embodiment, establishing the second enclave running the application program includes: when the application program is to be run, establishing, through the virtual machine operating system, a second enclave for running the application program.
In a specific implementation, when a sensitive application is to be started, the user state OS in the first enclave creates a second enclave for the sensitive application by calling a corresponding newly added hypercall service, so that the sensitive application can be started and run in the second enclave.
It should be noted that if a non-sensitive application needs to be started, the user state OS in the first enclave starts it in the non-enclave memory address space by calling the corresponding newly added hypercall service.
Based on the first aspect, in a possible embodiment, the server system architecture of the embodiment can also implement an attestation security verification mechanism. Attestation is a verification mechanism supported by the CPU through which enclaves on the same physical host can mutually prove their integrity, such as the intra-platform attestation mechanism of Intel SGX.
In a specific embodiment, the sensitive application verifies the integrity of the user state OS through the intra-platform attestation mechanism provided by CPU enclaves. Specifically, the sensitive application, from within the second enclave where it runs, verifies the integrity measurement value of the user state OS; if that value meets the policy requirement preset in the application (for example, it equals a preset value stored in the application), the sensitive application starts normally. If the integrity measurement value of the user state OS does not meet the application's predetermined policy requirement, the sensitive application refuses to start or enters a non-working mode, in which it does not process sensitive data that needs protection.
In a specific implementation using Intel SGX technology, the integrity measurement value is embodied as MRENCLAVE, that is, the measurement the CPU generates by hashing the enclave page contents and enclave metadata during enclave creation.
In a specific embodiment, if the integrity measurement value of the user state OS meets the application's predetermined policy requirement, the user state OS in the first enclave and the sensitive application in the second enclave securely exchange keys to establish a secure channel and negotiate an encryption key and an integrity protection key. Thereafter, when the sensitive application invokes a system call provided by the OS, the call parameters are encrypted and integrity-protected with these keys before being transmitted to the user state OS through the first springboard. After the user state OS completes the system call, the return value is likewise protected with the encryption key and the integrity protection key and transmitted back to the sensitive application through the first springboard.
It can be seen that, based on the intra-platform enclave attestation mechanism, the sensitive application can verify the integrity of the user state OS, identify a tampered or outdated user state OS, and refuse to start or refuse to process sensitive data when the user state OS does not meet its requirements, thereby preventing data leakage. The method and device can also establish a secure channel between the sensitive application in the second enclave and the user state OS in the first enclave and negotiate an encryption key and an integrity protection key for secure communication, so that the parameters and return values of system calls are encrypted and integrity-protected before being handed to the springboard code. This protects system calls and their return values and prevents leakage to entities other than the sensitive application and the operating system, such as the virtual machine monitor.
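The measurement check and the protected system-call channel of the preceding paragraphs, as an added example that is not the patent's or Intel's code. It assumes a measurement built like MRENCLAVE (a hash over constructed enclave pages and metadata), assumes the key exchange has already produced a shared secret from which the encryption key and the integrity protection key are derived, and uses an HMAC-based keystream as a stand-in for a real authenticated cipher. The springboard is modelled as an untrusted list of messages; the direction byte and sequence number bound into each message are design choices of this example.

```python
"""Constructed example: attestation-style policy check, then encrypt-then-MAC
protection of system-call parameters and return values crossing a springboard."""
import hashlib
import hmac
import secrets


def measure(pages: bytes, metadata: bytes) -> bytes:
    """Integrity measurement over enclave page content and metadata, in the
    spirit of MRENCLAVE (a hash computed at enclave creation)."""
    return hashlib.sha256(b"pages:" + pages + b"|meta:" + metadata).digest()


def app_startup_decision(os_measurement: bytes, expected: bytes) -> str:
    """The sensitive application's policy: start only for the exact expected
    OS measurement, otherwise fall into the non-working mode."""
    return "start" if hmac.compare_digest(os_measurement, expected) else "non-working"


def derive_keys(shared_secret: bytes):
    """Split the negotiated secret into an encryption key and an integrity key."""
    enc = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream; stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(enc_key, mac_key, direction: bytes, seq: int, payload: bytes) -> bytes:
    """Encrypt-then-MAC one message; direction and sequence are bound into the
    tag so the springboard cannot replay or reflect a message."""
    nonce = direction + seq.to_bytes(8, "big")
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(enc_key, mac_key, direction: bytes, expected_seq: int, msg: bytes) -> bytes:
    """Verify the tag, then the direction and sequence number, before decrypting."""
    nonce, ct, tag = msg[:9], msg[9:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    if nonce != direction + expected_seq.to_bytes(8, "big"):
        raise ValueError("replayed or misdirected message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_demo(os_metadata: bytes = b"meta v3", tamper: bool = False) -> dict:
    """One write() call from the sensitive application to the user state OS."""
    expected = measure(b"mini-os text/data", b"meta v3")   # value preset in the app
    decision = app_startup_decision(measure(b"mini-os text/data", os_metadata), expected)
    if decision != "start":
        return {"decision": decision}
    enc, mac = derive_keys(secrets.token_bytes(32))        # assumed negotiated secret
    springboard = []                                       # untrusted shared data
    params = b"write|3|card=4111111111111111"              # constructed sensitive parameter
    springboard.append(protect(enc, mac, b"A", 1, params))  # application -> OS
    if tamper:                                             # springboard flips a tag bit
        springboard[0] = springboard[0][:-1] + bytes([springboard[0][-1] ^ 1])
    try:
        got = unprotect(enc, mac, b"A", 1, springboard[0])  # OS side
    except ValueError as err:
        return {"decision": decision, "os_accepted": False, "error": str(err)}
    ret = b"ret|" + str(len(got.split(b"|")[2])).encode()  # bytes written
    springboard.append(protect(enc, mac, b"O", 1, ret))     # OS -> application
    back = unprotect(enc, mac, b"O", 1, springboard[1])
    return {"decision": decision, "os_accepted": True, "return": back,
            "plaintext_visible": any(b"4111111111111111" in m for m in springboard)}
```

`run_demo()` returns the decrypted return value and confirms the card number never appears in the springboard's messages; `run_demo(os_metadata=b"meta v2")` models a tampered or outdated OS and stops at the policy check; `run_demo(tamper=True)` models the springboard modifying a message and shows the OS rejecting it before acting on the parameters.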
Based on the first aspect, in a possible embodiment, the virtual machine monitor may employ a modified Xen and the user state OS in the virtual machine may employ a modified mini-OS.
In this embodiment, the modified Xen maps the EPC memory required by the first enclave and the second enclave to support creation of both enclaves and of the first and second springboards, and also establishes the communication connection between the user state OS and the first springboard and/or the second springboard, so that it fits the system architecture of the embodiment.
Mini-OS is a paravirtualized OS kernel provided by Xen. The user state OS can be built by modifying Mini-OS so that it can establish communication connections with the first springboard and the second springboard and thus fits the system architecture of the embodiment. Accordingly, the application program of the embodiment can be a Mini-OS based application.
In a possible embodiment, the modified Mini-OS runs packaged in the first enclave, providing applications in a protected manner with the system calls they need; the second enclave protects the code and data of the sensitive application itself and the function library it uses. The first springboard between the first enclave and the second enclave comprises springboard code and shared data between Mini-OS and the application program; it forwards system calls from the sensitive application to Mini-OS and returns the results, specifically completing the forwarding of system calls to Mini-OS and the return of results for the function library (e.g. Libc) used by the application program. The second springboard between Mini-OS and Xen comprises springboard code and shared data between Mini-OS and Xen; it forwards calls from Mini-OS to Xen and returns Xen's notifications to the user state OS. Specifically, the second springboard not only assists Mini-OS in invoking the underlying system services of Xen (hypercalls), but also assists Xen in delivering control flow and executing upcalls when Xen needs to notify the virtual machine of events.
In a second aspect, an embodiment of the present invention provides a server device that includes a processor and a memory connected through a bus. The memory stores program code and data, and the processor runs a virtual machine that comprises a virtual machine operating system (a user state operating system) and application programs. The processor is specifically configured to establish a first enclave running the virtual machine operating system and a second enclave running the application program; to acquire a first springboard that runs in a memory area outside the first enclave and the second enclave; to transfer the call of the application program to the virtual machine operating system through the first springboard; and to transmit the call return result of the virtual machine operating system back to the application program through the first springboard. The processor is specifically configured to implement the method of the first aspect.
In a third aspect, an embodiment of the present invention provides an apparatus, where the apparatus includes a virtual machine VM, where the virtual machine includes a virtual machine operating system and an application running in the virtual machine; the virtual machine is used for: establishing a first enclave running the virtual machine operating system and a second enclave running the application program; the first enclave is a memory security area for protecting the operation of the virtual machine operating system, the second enclave is a memory security area for protecting the operation of the application program, and the virtual machine operating system is a user state operating system; acquiring a first springboard; the first springboard is used as a communication channel between a virtual machine operating system in the first enclave and the application program in the second enclave and runs in a memory area outside the first enclave and the second enclave; transferring the call of the application program to the virtual machine operating system by using the first springboard; and transmitting a call return result of the virtual machine operating system to the application program by using the first springboard. The virtual machine is specifically configured to implement the method described in the first aspect.
In a fourth aspect, embodiments of the present invention provide a non-transitory computer-readable storage medium; the computer readable storage medium is for storing code for implementing the method of the first aspect. The program code, when executed by a computing device, is for use in a method according to the first aspect.
In a fifth aspect, embodiments of the present invention provide a computer program product; the computer program product comprises program instructions which, when executed by a computing device, cause the controller to perform the method of the first aspect described above. The computer program product may be a software installation package which may be downloaded and executed on a controller to implement the method of the first aspect in case it is desired to use the method provided by any of the possible designs of the first aspect.
It can be seen that in this embodiment different application programs (sensitive applications) and the virtual machine operating system (user state OS) each run in their own enclaves. The application program and the user state OS proxy control-flow transfer between each other through a first springboard located between them, and the user state OS and the virtual machine monitor proxy control-flow transfer between each other through a second springboard located between the user state OS and the virtual machine monitor. Because the user state OS runs in the first enclave, which protects and isolates it, neither the application program nor the virtual machine monitor can directly acquire or tamper with code and data in the user state OS. Because different sensitive applications run in their respective second enclaves, which protect and isolate them, the sensitive applications can resist attacks from virtual machine operating systems, virtual machine monitors and other applications that are untrusted or may contain vulnerabilities. By implementing the embodiment, the attack interface of the application program is reduced without increasing the TCB, so the application runs more securely.
Drawings
In order to more clearly describe the embodiments of the present invention or the technical solutions in the background art, the following description will describe the drawings that are required to be used in the embodiments of the present invention or the background art.
FIG. 1 is a schematic diagram of a system architecture of a physical server in the prior art;
FIG. 2 is a schematic diagram of a system architecture of yet another physical server in the prior art;
FIG. 3 is a schematic diagram of a system architecture of a physical server according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a system architecture of a physical server according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating a method for protecting security of an application according to an embodiment of the present invention;
FIG. 6 is a flowchart illustrating another method for protecting application security according to an embodiment of the present invention;
FIG. 7 is a flowchart of another method for protecting application security according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of an apparatus according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described below with reference to the accompanying drawings in the embodiments of the present invention. The terminology used in the description of the embodiments of the invention herein is for the purpose of describing particular embodiments of the invention only and is not intended to be limiting of the invention.
First, a system architecture of a physical server according to an embodiment of the present invention will be described. Referring to fig. 3, a server system architecture to which virtualization technology is applied includes server hardware, at least one virtual machine running in a virtual environment, and a virtual machine monitor (hypervisor) running between the server hardware and the virtual machine. Wherein:
the virtual machine in turn includes a virtual machine operating system and an application program based on the virtual machine operating system. In the embodiment of the invention, the virtual machine operating system is a user state operating system (which can be simply referred to as user state OS), and is different from a kernel state OS running in ring0 level, and the user state OS runs in the privilege level of ring 3. Specifically, the virtual machine is provided with a user state OS in a paravirtualized mode, and one or more application programs and a used function library (such as Libc) based on the user state OS, wherein the one or more application programs comprise at least one sensitive application, and the sensitive application is an application program for processing sensitive data of a user.
The virtual machine monitor may allow multiple virtual machines to share server hardware (e.g., access all physical devices on a server including memory, CPU, network cards, disks, etc.) and implement an abstraction of the physical hardware. The virtual machine monitor not only coordinates shared access of these hardware resources, but also can impose protections between the various virtual machines.
As shown in fig. 3, in the embodiment of the present invention, a separate enclave (which may be referred to as a first enclave) is created to encapsulate the running user state OS and to provide, in a protected manner, the system calls required by the application program; a separate enclave (which may be referred to as a second enclave) is created to protect the code and data of at least one sensitive application itself and of the function library it uses (for example, fig. 3 shows two sensitive applications, each protected together with its function library by its own enclave). In addition, when the application programs in the virtual machine also include a non-sensitive application, no additional protection is required for it, so the non-sensitive application need not be packaged in a separate enclave and can simply execute in the ordinary memory address space.
In a specific implementation, the virtual machine monitor is also responsible for implementing the mapping of EPC (enclave page cache) memory required by the first enclave and the second enclave to support creation of the first enclave and the second enclave.
In the embodiment of the invention, a layer of springboard (which may be called a first springboard) is introduced between the first enclave and the second enclave. The first springboard serves as the communication channel between the user state OS in the first enclave and the application program in the second enclave, and comprises springboard code and data shared between the user state OS and the application program. The first springboard forwards the system calls issued by the sensitive application to the user state OS and returns the call results; specifically, it forwards to the user state OS the system calls generated by the function library (e.g., libc) used by the application program, and returns to the application program the results provided by the user state OS.
In the embodiment of the invention, another layer of springboard (which may be called a second springboard) is introduced between the user state OS and the virtual machine monitor (hypervisor); the second springboard comprises springboard code and data shared between the user state OS and the virtual machine monitor. The second springboard serves as the communication channel between the user state OS in the first enclave and the virtual machine monitor, forwarding calls from the user state OS to the virtual machine monitor and returning notifications from the virtual machine monitor to the user state OS. Specifically, because the user state OS is inside an enclave it cannot execute ring0 instructions directly, so the second springboard designed for it not only helps the user state OS invoke the services of the underlying virtual machine monitor (hypercall; for example, the user state OS completes high-privilege operations such as modifying a page table through the services of the virtual machine monitor), but also helps the virtual machine monitor transfer control flow into the user state OS and execute an upcall.
In a specific implementation, the embodiment of the invention may modify the user state OS using paravirtualization technology so that it fits the system architecture of the embodiment and communication between the user state OS and the first and second springboards is established. It can be seen that the virtual machine operating system in the embodiment of the present invention is a user state OS; because the user state OS runs at the ring3 privilege level, it can run inside the first enclave designed in the embodiment, so that the first enclave protects the security and isolation of the virtual machine operating system (user state OS) and prevents a system vulnerability exploited from outside from compromising the security of the application program (sensitive application). The first springboard and the second springboard preserve the normal communication and interaction (such as system calls) between the user state OS and the application program and between the user state OS and the virtual machine monitor, guaranteeing normal operation of the virtual machine.
For example, referring to FIG. 4, in one possible implementation of the server system architecture described in the embodiments of the present invention, the virtual machine monitor may employ modified Xen and the user-mode OS in the virtual machine may employ a modified mini-OS.
Xen is an open source virtual machine monitor for the x86 architecture that can securely run a plurality of virtual machines on one set of physical hardware; in the Xen environment a virtual machine is called a domain. Among the virtual machines created in a Xen environment, domain0 has very high privileges, and an administrator can create other virtual machines (domainUs) using domain0 and the Xen tools. In the embodiment of the invention, the modified Xen implements the mapping of the EPC memory required by the first enclave and the second enclave to support creation of the first enclave, the second enclave, the first springboard and the second springboard, and also establishes the communication connection between the user mode OS and the first springboard and/or the second springboard, so as to fit the system architecture of the embodiment.
Mini-OS is a paravirtualized OS kernel provided with Xen. The user OS can be built by modifying Mini-OS so that it establishes communication with the first springboard and the second springboard and fits the system architecture of the embodiment of the invention. Accordingly, the application program of the embodiment of the invention may be a Mini-OS based application.
Similarly, in the embodiment of the invention, the first enclave encapsulates the running modified Mini-OS and provides, in a protected manner, the system calls required by the application program; the second enclave protects the code and data of the sensitive application itself and of the function library it uses. The first springboard between the first enclave and the second enclave comprises springboard code and data shared between Mini-OS and the application program; it forwards to Mini-OS the system calls generated by the function library (e.g., libc) used by the sensitive application and returns the results from Mini-OS to the application. The second springboard between Mini-OS and Xen comprises springboard code and data shared between Mini-OS and Xen; it forwards calls from Mini-OS to Xen and returns notifications from Xen to the user OS. Specifically, the second springboard not only helps Mini-OS invoke the system services of the underlying Xen (hypercall), but also helps Xen transfer control flow and execute an upcall when Xen needs to notify the virtual machine of an event.
It can be seen that in the embodiment of the present invention, the different sensitive applications and the user state OS each run in their own enclave. Control flow transfer between an application program and the user state OS is proxied by a first springboard located between the application program and the user state OS, and control flow transfer between the user state OS and the virtual machine monitor is proxied by a second springboard located between the user state OS and the virtual machine monitor. Since the user state OS runs in the first enclave, the first enclave protects and isolates it, so neither the application programs nor the virtual machine monitor can directly read or tamper with the code and data of the user state OS. Since each sensitive application runs in its own second enclave, the second enclaves protect and isolate the sensitive applications, enabling them to resist attacks from a virtual machine operating system, virtual machine monitor or other application that is untrusted or may contain vulnerabilities. By implementing the embodiment of the invention, the attack surface of the application program is reduced without enlarging the TCB, so the application runs more securely.
Based on the system architecture described in the embodiment of fig. 3, the method for protecting application security in the embodiment of the present invention is further described below, referring to fig. 5, where the method is applied to a physical server, where the physical server includes server hardware, at least one virtual machine running in a virtual environment, and a virtual machine monitor (hypervisor) running between the server hardware and the virtual machine. The virtual machine further comprises a user state OS and application programs and function libraries (such as Libc libraries) based on the user state OS. The method includes, but is not limited to, the steps of:
Step 101, creating a first enclave for protecting the user state OS.
In the embodiment of the invention, the first enclave is a protected software code execution area constructed by a CPU of a physical server, and is used for providing security protection and isolation for a user state OS, that is, the user state OS operates in the first enclave. The software code running outside the first enclave cannot directly access the code and data of the user state OS in the first enclave, but the external software code may interact with it through an interface provided by the user state OS in the first enclave.
In particular, the virtual machine monitor may be responsible for implementing a mapping of Enclave memory pages (Enclave Page Cache, EPC) required by a first Enclave to support the first Enclave creation.
Step 102, creating a second enclave, where the second enclave is used to provide security protection and isolation for the application program and the function library used by the application program, that is, the application program and the function library used by the application program run on the second enclave.
In the embodiment of the present invention, the second enclave is a protected software code execution area constructed by the CPU of the physical server, and is used to provide security protection and isolation for the application program and the function library used by the application program, that is, the application program and the function library run in the second enclave. The software code running outside the second enclave cannot directly access the code and data of the application programs and function libraries within the second enclave, but the external software code can interact with it through the interfaces provided by the application programs and function libraries within the second enclave.
In a specific embodiment, the application program protected by the second enclave is a sensitive application, so as to protect sensitive codes and sensitive data related to the sensitive application from leakage and attack.
Specifically, the virtual machine monitor may be responsible for mapping the EPC memory required by the second enclave to support its creation. When a sensitive application is to be run, the second enclave for running it is created at the request of the user mode OS.
It should be noted that, according to the design of the embodiment of the present invention, since the sensitive application and the virtual machine operating system both run in user mode and each runs inside its own enclave, isolation between the two does not need to rely on the conventional page table isolation. That is, the sensitive application and the virtual machine operating system (user mode OS) may share the same address space directly, and switching between them does not require a page table switch.
Step 103, determining a first springboard, wherein the first springboard runs outside the first enclave and the second enclave. Specifically, the first springboard may run between the first enclave and the second enclave to proxy control flow transfer between the application program/function library and the user state OS.
Wherein determining the first springboard includes: when the first springboard is needed, obtaining it by establishing, acquiring, searching, defining, calling, loading or the like. In the embodiment of the present invention, the first springboard operates in a memory region other than the first enclave and the second enclave, and the corresponding CPU operating mode is the non-enclave mode; the first springboard includes springboard code and data shared between the user state OS and the software code (application programs and/or function libraries) in the second enclave. The first springboard may be used to transfer control flow, such as forwarding the system calls issued by the software code in the second enclave to the user mode OS and returning their results; the specific interaction is described in steps 104 and 105 below.
Step 104, when the application program in the second enclave needs to make a system call, the first springboard obtains the system call issued by the application program in the second enclave to the user state OS in the first enclave, and transfers the system call to the user state OS.
Step 105, correspondingly, the first springboard obtains the call return result from the user state OS to the application program and transfers the call return result to the application program.
Step 106, determining a second springboard, wherein the second springboard runs outside the first enclave and the second enclave. Specifically, the second springboard may run between the first enclave and the virtual machine monitor (hypervisor) to proxy control flow transfer between the user state OS and the hypervisor.
Wherein determining the second springboard includes: when the second springboard is needed, obtaining it by establishing, acquiring, searching, defining, calling, loading or the like.
In the embodiment of the invention, the second springboard operates in a memory region outside the first and second enclaves, and the corresponding CPU operating mode is the non-enclave mode; the second springboard comprises springboard code and data shared between the user OS and the virtual machine monitor. The second springboard may be used to transfer control flow, such as forwarding calls from the user state OS to the virtual machine monitor and notifications from the virtual machine monitor to the user state OS; the specific interaction is described in steps 107 and 108 below.
In step 107, when the user state OS in the first enclave needs to implement privileged operation or access the server hardware resource through the virtual machine monitor, the second springboard may be used to obtain a call from the user state OS in the first enclave to the virtual machine monitor, and transfer the call to the virtual machine monitor, so as to implement privileged operation or call the server hardware resource through the virtual machine monitor.
For example, a user-mode OS based on paravirtualized techniques relies on the services of a virtual machine monitor to accomplish privileged operations such as modifying page tables. Because the user state OS is in the first enclave, the user state OS cannot directly execute the ring0 instruction, and the embodiment of the invention designs a second springboard for the user state OS, and the second springboard assists the user state OS to call the virtual machine monitor service hypercall, so that the privileged operation is realized through the virtual machine monitor.
Step 108, correspondingly, the second springboard obtains a notification or call return result from the virtual machine monitor to the user state OS and transfers it to the user state OS. For example, the second springboard assists the virtual machine monitor in passing control flow to the user mode OS and executing an upcall.
In addition, in a specific implementation of the embodiment of the present invention, the first springboard and the second springboard may be integrated into one functional entity that operates in a memory region other than the first enclave and the second enclave and implements the functions of both springboards. For example, a lightweight shell layer may be designed for the user-mode OS. The shell layer contains both the springboard code and shared data between the application (sensitive application) and the user-mode OS (i.e., the first springboard) and the springboard code and shared data needed between the user-mode OS and the virtual machine monitor (i.e., the second springboard). The shell layer acts as the functional agent for control flow transfer between the user OS and the application program and between the user OS and the virtual machine monitor.
It should be noted that there is no necessary order between steps 103-105 and steps 106-108: steps 103-105 may be performed before or after steps 106-108, or the two groups may be performed simultaneously.
It can be seen that in the embodiment of the present invention, the different sensitive applications and the user state OS each run in their own enclave. Control flow transfer between an application program and the user state OS is proxied by a first springboard located between the application program and the user state OS, and control flow transfer between the user state OS and the virtual machine monitor is proxied by a second springboard located between the user state OS and the virtual machine monitor. Since the user state OS runs in the first enclave, the first enclave protects and isolates it, so neither the application programs nor the virtual machine monitor can directly read or tamper with the code and data of the user state OS. Since each sensitive application runs in its own second enclave, the second enclaves protect and isolate the sensitive applications, enabling them to resist attacks from a virtual machine operating system, virtual machine monitor or other application that is untrusted or may contain vulnerabilities. By implementing the embodiment of the invention, the attack surface of the application program is reduced without enlarging the TCB, so the application runs more securely.
Based on the system architecture described in the embodiment of fig. 4, the method for protecting application security according to the embodiment of the present invention is further described below with reference to fig. 6. The method is applied to a physical server, where the physical server includes server hardware, at least one virtual machine (domain) running in a virtual environment, and Xen running between the server hardware and the virtual machine. The virtual machine comprises a modified paravirtualized kernel Mini-OS running in user mode, and application programs and function libraries (such as the Libc library) based on Mini-OS. The method comprises the following steps:
Step 201, when Xen starts, it maps the secure memory EPC; specifically, Xen maps the EPC physical memory into its own virtual address space.
Step 202, create the privileged virtual machine of Xen (i.e., domain0), and then transfer the image files (including the virtual machine image and the application image) and the metadata related to the first and second enclaves to Xen through domain0.
Specifically, every virtual machine (domain) on the physical server is created by Xen, but Xen itself does not access the disk driver directly, so the image files must be loaded from disk into memory by the previously created domain0 and then transferred to Xen. For this purpose, the embodiment of the invention adds a corresponding hypercall service to Xen and provides a loader that loads the virtual machine image and the application program image on behalf of domain0; the virtual machine image includes the code and data for constructing the first springboard and the second springboard.
Step 203, creating a target virtual machine through Xen based on the virtual machine image and the application program image. In a specific implementation, the embodiment of the invention is compatible with the mainstream Xen tools based virtual machine start flow, i.e., an administrator can use the Xen tools to create the target virtual machine, on which the modified Mini-OS, the application programs, the function libraries and so on are deployed. In addition, the shell layer of Mini-OS can be started; the shell layer runs in the ordinary memory region (i.e., in a memory region other than the enclaves) and comprises the springboard code and shared data of the first springboard and the second springboard.
Step 204, creating a first enclave for protectively running the Mini-OS.
In a specific implementation, the shell layer of Mini-OS maps the boot information page provided by Xen, initializes a page table, and then calls the newly added hypercall service to create the first enclave for Mini-OS. In this hypercall service, Xen first sets up the corresponding enclave page table for the target virtual machine, i.e., maps a section of EPC memory, and then uses the enclave creation instructions to create the first enclave of Mini-OS according to the metadata related to the first enclave.
Step 205, after the first enclave has been created, Xen transfers control flow through the shell layer to the mini-OS inside the first enclave, where the control flow carries the startup instruction for the mini-OS.
Step 206, the mini-OS starts to start based on the start-up instruction in the control flow, and forwards hypercall to Xen through the shell layer during start-up to invoke Xen service.
In the specific implementation of the invention, the second springboard in the shell layer is responsible for forwarding hypercall and corresponding call return results. When the mini-OS running in the first enclave needs to call hypercall, the related call parameters are transferred to a shared memory outside the first enclave, and control flow is transferred to a second springboard, so that the second springboard is used as an agent to call real hypercall to Xen. When the hypercall is executed, the second springboard will transmit the return value of Xen and the control flow to the mini-OS in the first enclave.
In a specific application scenario, before the mini-OS in the first enclave transfers control flow to the second springboard, it may save its context in a dedicated buffer, and after the second springboard returns control flow, the mini-OS in the first enclave restores its state from that context.
In the specific implementation of the invention, the paravirtualized kernel mini-OS can distinguish own shared data and private data. Specifically, the shared data of the mini-OS itself refers to data that needs to be shared with the virtual machine monitor, such as event-channel, page table, etc., and such shared data may affect the use of the shared data by the virtual machine monitor if placed in the first enclave, and then such shared data may be placed outside the first enclave (e.g., outside the shell layer, or within the shell layer). The mini-OS private data refers to data that is generally only used by the mini-OS itself, such as stack data, etc., and such private data may be distributed inside the first enclave.
In step 207, during the running of the target virtual machine, if an event such as an interrupt is generated, xen may notify the mini-OS to process the corresponding event through the shell layer.
In a specific implementation, during the running of the target virtual machine, if an event such as an interrupt occurs, control flow traps directly into the virtual machine monitor Xen, and Xen uses the event channel and upcall mechanisms to notify the target virtual machine to process the event. Specifically, Xen first passes control flow to the second springboard in the shell layer, which then passes control flow to the mini-OS, and the mini-OS handles the event. In this way the mini-OS may be re-entered to process an event after an interrupt. For this purpose, the first enclave provides a plurality of state save areas (SSAs) in which the mini-OS saves its state, so that the mini-OS can be re-entered on the basis of the SSAs. Re-entry can also produce nested hypercalls, and the SSA mechanism ensures that the memory used by the nested hypercalls remains isolated.
Step 208, when an application (sensitive application) needs to be started, a second enclave is created for running the application in a protected manner.
In a specific implementation, when a sensitive application needs to be started, the mini-OS in the first enclave creates the second enclave for the sensitive application by calling the corresponding newly added hypercall service, so that the sensitive application starts and runs in the second enclave.
It should be noted that if a non-sensitive application needs to be started, the mini-OS in the first enclave starts it in the non-enclave memory address space by calling the corresponding newly added hypercall service.
It can be appreciated that when multiple sensitive applications need to run in the virtual machine, each sensitive application may have a respective second enclave, and the enclaves of different sensitive applications are isolated from each other and may be protected by the CPU hardware.
Step 209, when an application program (sensitive application) in the second enclave needs to make a system call, the application program in the second enclave and the mini-OS in the first enclave transfer control flow through the proxy of the shell layer.
In the embodiment of the invention, the application program and the mini-OS run in different enclaves, so their control flow interaction has to rely on the first springboard in the shell layer. Specifically, the first springboard in the shell layer is responsible for forwarding the system call and returning the corresponding result. When an application program running in the second enclave needs a system call, it places the call parameters in the shared memory outside the second enclave and transfers control flow to the first springboard, which acts as the agent that passes the system call to the mini-OS in the first enclave. When the system call completes, the first springboard passes the return value of the mini-OS together with control flow back to the application program in the second enclave.
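The marshalling that step 209 describes for the first springboard (and that step 206 describes for hypercalls through the second springboard) can be modelled in user space. The following is an added example and is not code from the patent, from Xen or from Mini-OS: the two enclaves and the springboard are ordinary functions, the enclave boundary is just the rule that only `g_frame` is visible to all three parties, and every name (`sb_frame`, `app_syscall`, `os_handle_syscall`, the call numbers) is hypothetical. It shows the three checks a practitioner wants at this boundary: the frame carries offsets and lengths rather than enclave pointers, the OS enclave copies the frame in before validating it so the untrusted springboard cannot change it under it, and the application clears the shared frame so nothing beyond the marshalled arguments leaves the second enclave.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical call numbers and error codes for the model. */
enum { SYS_WRITE = 1, SYS_GETPID = 2 };
enum { SB_EBADARG = -1, SB_ENOSYS = -2 };
#define SB_BUF 64

/* Springboard shared data: the only memory visible to both enclaves and the springboard.
 * It carries a call number, offsets/lengths and a bounce buffer, never raw enclave pointers. */
struct sb_frame {
    uint32_t nr;
    uint64_t args[2];     /* args[0]: offset into buf, args[1]: length */
    int64_t  ret;
    uint8_t  buf[SB_BUF];
};

static struct sb_frame g_frame;                 /* outside both enclaves: untrusted by both */
static uint8_t g_os_private[SB_BUF];            /* first enclave (user-state OS) private data */
static size_t  g_os_private_len;
static const uint8_t g_app_secret[] = "app-secret-never-marshalled";  /* second enclave data */

/* ---- first enclave: user-state OS system call handler ---- */
static int64_t os_handle_syscall(const struct sb_frame *shared)
{
    /* Snapshot the frame first: otherwise the untrusted side could rewrite args[]
     * between the bounds check and the memcpy (TOCTOU on shared memory). */
    struct sb_frame f;
    memcpy(&f, shared, sizeof f);
    switch (f.nr) {
    case SYS_WRITE: {
        uint64_t off = f.args[0], len = f.args[1];
        if (off > SB_BUF || len > SB_BUF - off)   /* must stay inside the bounce buffer */
            return SB_EBADARG;
        memcpy(g_os_private, f.buf + off, (size_t)len);
        g_os_private_len = (size_t)len;
        return (int64_t)len;
    }
    case SYS_GETPID:
        return 42;
    default:
        return SB_ENOSYS;
    }
}

/* ---- springboard: non-enclave mode, sees nothing but g_frame ---- */
static void springboard_forward(void)
{
    g_frame.ret = os_handle_syscall(&g_frame);  /* stands in for entering/leaving the OS enclave */
}

/* ---- second enclave: libc stub used by the sensitive application ---- */
static int64_t app_syscall(uint32_t nr, const void *data, size_t len)
{
    if (len > SB_BUF)
        return SB_EBADARG;
    memset(&g_frame, 0, sizeof g_frame);        /* no stale enclave data in shared memory */
    g_frame.nr = nr;
    g_frame.args[0] = 0;
    g_frame.args[1] = len;
    if (data)
        memcpy(g_frame.buf, data, len);         /* copy out only what the call needs */
    springboard_forward();
    return g_frame.ret;
}

/* Scan the shared frame for a byte pattern: checks that private data never crosses. */
static int shared_frame_contains(const uint8_t *pat, size_t n)
{
    const uint8_t *p = (const uint8_t *)&g_frame;
    for (size_t i = 0; i + n <= sizeof g_frame; i++)
        if (memcmp(p + i, pat, n) == 0)
            return 1;
    return 0;
}

/* A hostile springboard that fills the frame itself with out-of-range offsets/lengths. */
static int64_t hostile_springboard_call(uint64_t off, uint64_t len)
{
    memset(&g_frame, 0, sizeof g_frame);
    g_frame.nr = SYS_WRITE;
    g_frame.args[0] = off;
    g_frame.args[1] = len;
    return os_handle_syscall(&g_frame);
}

int main(void)
{
    int64_t r = app_syscall(SYS_WRITE, "hello", 5);
    printf("write -> %lld, OS saw \"%.*s\"\n", (long long)r, (int)g_os_private_len, (const char *)g_os_private);
    printf("hostile off=60 len=60 -> %lld\n", (long long)hostile_springboard_call(60, 60));
    printf("secret in shared frame: %d\n", shared_frame_contains(g_app_secret, sizeof g_app_secret - 1));
    return 0;
}
```

The same frame layout serves the second springboard: the user-state OS fills a frame with a hypercall number and arguments, the springboard issues the real hypercall, and the hypervisor's return value comes back through `ret`; the OS-side snapshot-then-validate rule applies unchanged, since the springboard is outside the enclave in both directions.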
Compared with the Scane scheme, the embodiment of the invention designs the use of enclaspe encapsulation to protect the user OS so as to protect the security of system call required by the operation of the sensitive application, greatly reduce the attack interface of the sensitive application and provide better security. Compared with a Haven scheme, the embodiment of the invention designs the method and the device for protecting the sensitive application and the user OS respectively by using two different enclasvs, and realizes the forwarding of system call and the return of result between the first enclaspe of the user OS and the second enclaspe of the sensitive application through the first springboard, and realizes the issuing of call and the calling up (upcall) of notification between the first enclaspe of the user OS and the hypervisors through the second springboard, so that security holes in the OS can not be used for attacking the sensitive application, smaller TCB is realized on the premise of not increasing an attack interface, and the number of potential holes in the TCB is reduced, thereby providing better security.
Based on the system architecture of the embodiment of fig. 3 or fig. 4, an attestation-based security verification mechanism can also be implemented. This mechanism is a CPU-supported verification mechanism by which enclaves on the same physical host prove their integrity to one another, such as the intra-platform (local) attestation mechanism of Intel SGX. Building on the embodiments of fig. 5 or fig. 6, a process for implementing the intra-platform attestation mechanism according to an embodiment of the present invention is described below with reference to fig. 7; the process includes, but is not limited to, the following steps:
In step 301, the user state OS of the first enclave performs an intra-platform attestation to the sensitive application of the second enclave to prove the integrity of the user state OS.
In the embodiment of the invention, the sensitive application can verify the integrity of the user-state OS through the intra-platform attestation mechanism provided by the CPU for enclaves. Specifically, the sensitive application, inside the second enclave where it runs, verifies the integrity measurement value of the user-state OS in the first enclave. If the integrity measurement value of the user-state OS meets the policy preset in the application (for example, the value equals the value stored in the application), the sensitive application starts normally. If the integrity measurement value of the user-state OS does not meet the preset policy, the sensitive application refuses to start or enters a non-working mode. In the non-working mode, the sensitive application does not process the sensitive data that needs protection.
In a specific implementation with Intel SGX technology, the integrity measurement value is MRENCLAVE: a hash that the CPU computes over the enclave page contents and the enclave page metadata while the enclave is being created.
Step 302, the user state OS of the first enclave securely exchanges keys with the sensitive application of the second enclave to establish a secure channel, and negotiates to generate an encryption key and an integrity protection key.
Specifically, if the integrity measurement value of the user-state OS meets the policy preset in the application, the sensitive application of the second enclave securely exchanges keys with the user-state OS of the first enclave on the basis of the intra-platform attestation mechanism to establish a secure channel, and negotiates an encryption key and an integrity protection key.
Step 303, when the sensitive application invokes a system call provided by the OS, the call parameters are encrypted and protected with the encryption key and the integrity protection key, and then transmitted to the user-state OS through the first springboard.
Specifically, the sensitive application encrypts the data of the system call, such as the call parameters, with the encryption key negotiated in step 302, appends an integrity protection value computed with the integrity protection key negotiated in step 302, and hands the protected data to the first springboard between the sensitive application and the user-state OS, which forwards it to the user-state OS. Inside its enclave, the user-state OS verifies the integrity protection value with the integrity protection key negotiated in step 302 and then decrypts the system-call data with the encryption key negotiated in step 302.
Step 304, after the user-state OS finishes the system call, the return value is encrypted and protected with the encryption key and the integrity protection key, and then transmitted to the sensitive application through the first springboard.
After the user-state OS finishes the system call, it encrypts the return value with the encryption key negotiated in step 302, appends an integrity protection value computed with the integrity protection key negotiated in step 302, and hands the protected return value to the first springboard between the sensitive application and the user-state OS, which forwards it to the sensitive application. The sensitive application verifies the integrity protection value of the return value with the integrity protection key negotiated in step 302 and decrypts the return value with the encryption key negotiated in step 302.
It can be seen that, by implementing the embodiment of the invention, the sensitive application can use the intra-platform enclave attestation mechanism to verify the integrity of the user-state OS, recognize a tampered or outdated user-state OS, and refuse to start or refuse to process sensitive data when the user-state OS does not meet its requirements, thereby preventing data leakage. A secure channel can be established between the sensitive application in the second enclave and the user-state OS in the first enclave, and an encryption key and an integrity protection key for securing the communication can be negotiated, so that the parameters and return values of system calls are encrypted and integrity-protected before they are handed to the springboard code; the system calls and their return values are thereby protected and cannot leak to any entity outside the sensitive application and the operating system, such as the virtual machine monitor. In addition, because the first springboard and the second springboard of the embodiment of the invention both run outside the enclaves, that is, they are exposed to the external environment, protecting the confidentiality and integrity of the system-call parameters and return values prevents the external environment from obtaining them by tampering with the springboard code, and keeps the data safe while it is being forwarded by the first springboard and the second springboard.
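The forwarding path of the first springboard described above and the four attestation steps 301 to 304 can be exercised end to end in a small model. The following Python program is an added example written for this page; it is not code from the patent or from Intel SGX, and every name in it (measure_enclave, UserOsEnclave, Springboard, SensitiveApp, scenario, GOOD_PAGES, POLICY) is hypothetical. It makes three simplifying assumptions: the MRENCLAVE-style measurement is a plain hash chain over page address, permissions and content rather than the CPU's EADD/EEXTEND measurement; the attested key exchange of step 302 is abstracted to a random secret handed to both enclaves, from which each derives the encryption key and the integrity protection key; and an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for an AEAD cipher so that the program needs only the standard library. The constructed scenarios show that the springboard sees only ciphertext in shared memory, that a modified OS image is refused at start-up, and that a springboard which alters a request gets it rejected by the OS enclave instead of executed.

```python
import hashlib, hmac, os, struct

def measure_enclave(pages):
    """Simplified MRENCLAVE: hash chain over (address, perms, content) of every enclave page."""
    h = hashlib.sha256()
    for addr, perms, content in pages:
        h.update(struct.pack("<QB", addr, perms) + hashlib.sha256(content).digest())
    return h.digest()

def derive_keys(shared_secret, salt):
    """Encryption key and integrity key from the negotiated secret (HMAC-SHA256 as the KDF)."""
    prk = hmac.new(salt, shared_secret, hashlib.sha256).digest()
    return (hmac.new(prk, b"enc", hashlib.sha256).digest(),
            hmac.new(prk, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + struct.pack("<Q", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: HMAC-SHA256 counter-mode keystream (stand-in for an AEAD) plus a tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class UserOsEnclave:
    """First enclave: the user-state OS. It executes only requests whose tag verifies."""
    def __init__(self, pages):
        self.pages, self.keys, self.written = pages, None, []

    def handle(self, request_blob):
        enc, mac = self.keys
        try:
            name, _, arg = unseal(enc, mac, request_blob).partition(b":")
        except ValueError:                  # altered in transit: refuse, do not execute
            return seal(enc, mac, b"EBADMSG")
        if name == b"write":
            self.written.append(arg)
            return seal(enc, mac, str(len(arg)).encode())
        return seal(enc, mac, b"ENOSYS")

class Springboard:
    """First springboard: untrusted code outside both enclaves; tamper=True models a subverted one."""
    def __init__(self, shared, os_enclave, tamper=False):
        self.shared, self.os_enclave, self.tamper = shared, os_enclave, tamper

    def forward(self):                      # moves bytes and control flow, nothing else
        req = self.shared["request"]
        if self.tamper:                     # flip one ciphertext bit of the call parameters
            req = req[:20] + bytes([req[20] ^ 0x01]) + req[21:]
        self.shared["response"] = self.os_enclave.handle(req)

class SensitiveApp:
    """Second enclave: step 301 check at start-up, then only sealed traffic (steps 302-304)."""
    def __init__(self, expected_os_mrenclave, shared, springboard):
        self.expected, self.shared, self.springboard = expected_os_mrenclave, shared, springboard
        self.keys = None                    # None means non-working mode

    def start(self, os_enclave, shared_secret):
        if measure_enclave(os_enclave.pages) != self.expected:
            return False                    # stay in non-working mode: no sensitive data handled
        salt = os.urandom(16)               # step 302: both sides derive the same two keys
        self.keys = os_enclave.keys = derive_keys(shared_secret, salt)
        return True

    def syscall(self, name, arg=b""):
        if self.keys is None:
            raise RuntimeError("sensitive application is not in working mode")
        enc, mac = self.keys
        self.shared["request"] = seal(enc, mac, name + b":" + arg)   # step 303
        self.springboard.forward()
        return unseal(enc, mac, self.shared["response"])             # step 304

def scenario(os_pages, expected, tamper=False):
    """One OS enclave, one app enclave and one springboard over fresh shared memory."""
    shared, os_enc = {"request": b"", "response": b""}, UserOsEnclave(os_pages)
    app = SensitiveApp(expected, shared, Springboard(shared, os_enc, tamper))
    started = app.start(os_enc, os.urandom(32))   # secret: output of the attested key exchange
    return app, os_enc, shared, started

# constructed OS images: the second differs from the first by one byte of one data page
GOOD_PAGES = [(0x1000, 0x5, b"\x90" * 64 + b"syscall table"), (0x2000, 0x3, b"os data")]
BAD_PAGES = [(0x1000, 0x5, b"\x90" * 64 + b"syscall table"), (0x2000, 0x3, b"os data!")]
POLICY = measure_enclave(GOOD_PAGES)            # expected MRENCLAVE baked into the application

if __name__ == "__main__":
    app, os_enc, shared, ok = scenario(GOOD_PAGES, POLICY)
    print("good OS:", ok, app.syscall(b"write", b"hello"), b"hello" in shared["request"])
    print("modified OS accepted:", scenario(BAD_PAGES, POLICY)[3])
    app, os_enc, _, _ = scenario(GOOD_PAGES, POLICY, tamper=True)
    print("tampered request:", app.syscall(b"write", b"hello"), "executed:", bool(os_enc.written))
```

Running the module prints the three outcomes. The point to take from the model is where the trust boundary sits: the springboard and the shared memory are untrusted, so the only thing that protects a system call in flight is that both ends seal and verify it with keys that never leave the enclaves, and the measurement check at start-up is what makes the OS end of that channel worth trusting in the first place.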
The system architecture and method of the embodiments of the present invention are set forth in detail above, and the related devices of the embodiments of the present invention are provided below based on the same inventive concept.
Referring to fig. 8, fig. 8 is a schematic structural diagram of an apparatus 40 according to an embodiment of the present invention, where the apparatus 40 may be a server apparatus, and the apparatus 40 includes a processor 401, a memory 402, and an interface circuit 404, and the processor 401, the memory 402, and the interface circuit 404 are connected through a bus 403. Wherein:
Memory 402 comprises one or more memories and may include volatile memory, such as random access memory (RAM); memory 402 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD); memory 402 may also include a combination of the above types of memory. Memory 402 may be used to store a set of program codes, so that processor 401 invokes the program codes stored in memory 402 to implement the application program security protection method of an embodiment of the present invention. Memory 402 is further configured to store the code and data of one or more virtual machines (including the code and data of the user-state operating system and the code and data of the application program), the code and data of the virtual machine monitor, the springboard code, shared data, and the like; memory 402 is further configured with one or more memory area spaces, and memory security areas (i.e., enclaves) can be established in these memory area spaces.
The processor 401 may be composed of one or more general-purpose processors such as a central processing unit (Central Processing Unit, CPU). The processor 401 may be used to run a virtual machine and a virtual machine monitor (hypervisor), invoking program code to implement the method of application security protection of the embodiments of the present invention.
Interface circuit 404 may be used to connect the server hardware, that is, physical devices such as hardware memory, network cards and disks, and is used to give the virtual machines shared access to that server hardware.
In the present invention, the processor 401 is specifically configured to: establish, in a memory area, a first enclave running the virtual machine operating system and a second enclave running the application program, where the first enclave is a memory security area protecting the operation of the virtual machine operating system, the second enclave is a memory security area protecting the operation of the application program, and the virtual machine operating system is a user-state operating system; acquire a first springboard preset by the processor, where the first springboard serves as a communication channel between the virtual machine operating system in the first enclave and the application program in the second enclave and runs in a memory area outside the first enclave and the second enclave; transfer the call of the application program to the virtual machine operating system by using the first springboard; and transmit the call return result of the virtual machine operating system to the application program by using the first springboard. The application program is a sensitive application program, which processes user sensitive data.
In a specific embodiment, the device 40 further includes server hardware and a virtual machine monitor running on the processor, where the server hardware is connected to the interface circuit 404 and, through the bus 403, to the processor 401 and the memory 402, and the virtual machine monitor is configured to give the virtual machine shared access to the server hardware through the interface circuit 404; the processor 401 is further configured to: acquire a second springboard preset by the processor, where the second springboard serves as a communication channel between the virtual machine monitor and the virtual machine operating system in the first enclave and runs in a memory area outside the first enclave and the second enclave; transfer the call of the virtual machine operating system to the virtual machine monitor by using the second springboard; and transmit the call return result of the virtual machine monitor to the virtual machine operating system by using the second springboard.
The first springboard comprises a first springboard code and shared data between the application program and the user state operating system; the first springboard code is used for realizing the function of a communication channel of the first springboard; the second springboard comprises a second springboard code and shared data between the user state operating system and the virtual machine monitor; the second springboard code is used for realizing the function of a communication channel of the second springboard.
In a specific embodiment, the processor is specifically configured to: and when the application program is to be run, establishing a second enclave for running the application program through the virtual machine operating system.
In a specific embodiment, the processor is specifically configured to: verify, for the application program, the integrity measurement value of the virtual machine operating system through a preset attestation mechanism, and run the application program in the second enclave when the integrity measurement value of the virtual machine operating system matches a preset value; then negotiate, through the attestation mechanism, an encryption key and an integrity protection key for protecting data transfer between the virtual machine operating system in the first enclave and the application program in the second enclave; then encrypt the call parameters in the second enclave with the encryption key, integrity-protect them with the integrity protection key, and transmit them to the virtual machine operating system by using the first springboard; then encrypt the call return result in the first enclave with the encryption key, integrity-protect it with the integrity protection key, and transmit it to the application program by using the first springboard.
In practice, the device 40 may include more or fewer components, which is not limited herein. For the specific functions and implementation procedures of the different components of the device 40 (such as the processor 401 and the memory 402), reference may be made to the foregoing detailed descriptions of the embodiments of fig. 5 to fig. 7, which are not repeated here.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions which, when loaded and executed on a computer, produce, in whole or in part, the processes or functions of the embodiments of the present invention. The computer may be a general purpose computer, a special purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one network site, computer, server, or data center to another network site, computer, server, or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line) or wireless (e.g., infrared, microwave) means. The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk).
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to related descriptions of other embodiments.

Claims (14)

1. The application program security protection method is characterized by being applied to a server, wherein the server comprises a virtual machine operating system and an application program which run in a virtual machine; the method comprises the following steps:
establishing a first enclave running the virtual machine operating system and a second enclave running the application program; the first enclave is a memory security area for protecting the operation of the virtual machine operating system, the second enclave is a memory security area for protecting the operation of the application program, and the virtual machine operating system is a user state operating system;
acquiring a first springboard; the first springboard is used as a communication channel between a virtual machine operating system in the first enclave and the application program in the second enclave and runs in a memory area outside the first enclave and the second enclave;
transferring the call of the application program to the virtual machine operating system by using the first springboard;
And transmitting a call return result of the virtual machine operating system to the application program by using the first springboard.
2. The method of claim 1, wherein the server comprises a virtual machine monitor and server hardware, the virtual machine monitor to enable shared access of the virtual machine to the server hardware; the method further comprises the steps of:
acquiring a second springboard; the second springboard is used as a communication channel between the virtual machine monitor and the virtual machine operating system in the first enclave and operates in a memory area outside the first enclave and the second enclave;
transferring the call of the virtual machine operating system to the virtual machine monitor by using the second springboard;
and transmitting a call return result of the virtual machine monitor to the virtual machine operating system by using the second springboard.
3. The method of claim 2, wherein the establishing a second enclave to run the application program comprises:
and when the application program is to be run, establishing a second enclave for running the application program through the virtual machine operating system.
4. A method according to claim 2 or 3, wherein the application is a sensitive application for processing user sensitive data.
5. A method according to claim 2 or 3, characterized in that,
the first springboard comprises a first springboard code and shared data between the application program and the user mode operating system; the first springboard code is used for realizing the function of a communication channel of the first springboard;
the second springboard comprises a second springboard code and shared data between the user state operating system and the virtual machine monitor; the second springboard code is used for realizing the function of a communication channel of the second springboard.
6. A method according to any one of claims 1-3, wherein the method further comprises:
verifying, for the application program, the integrity measurement value of the virtual machine operating system through a preset attestation mechanism;
and running the application program in the second enclave under the condition that the integrity measurement value of the virtual machine operating system accords with a preset value.
7. The method of claim 6, wherein the method further comprises:
negotiating, through the attestation mechanism, an encryption key and an integrity protection key for protecting data transfer between the virtual machine operating system in the first enclave and the application program in the second enclave;
before the call of the application program in the second enclave is transferred to the virtual machine operating system in the first enclave by using the first springboard, the method further comprises: encrypting the call parameters in the second enclave by using the encryption key, and performing integrity protection on the call parameters by using the integrity protection key;
before the call return result of the virtual machine operating system is transferred to the application program by using the first springboard, the method further comprises: encrypting the call return result in the first enclave by using the encryption key, and performing integrity protection on the call return result by using the integrity protection key.
8. A server device, wherein the server device comprises a processor and a memory, and the processor is connected with the memory through a bus; the memory is used for storing program codes and data, and the processor is used for running a virtual machine, and the virtual machine comprises a virtual machine operating system and application programs; the processor is specifically configured to:
Establishing a first enclave running the virtual machine operating system and a second enclave running the application program; the first enclave is a memory security area for protecting the operation of the virtual machine operating system, the second enclave is a memory security area for protecting the operation of the application program, and the virtual machine operating system is a user state operating system;
acquiring a first springboard; the first springboard is used as a communication channel between a virtual machine operating system in the first enclave and the application program in the second enclave and runs in a memory area outside the first enclave and the second enclave;
transferring the call of the application program to the virtual machine operating system by using the first springboard;
and transmitting a call return result of the virtual machine operating system to the application program by using the first springboard.
9. The device of claim 8, wherein the server device further comprises server hardware and a virtual machine monitor running on the processor, the server hardware being connected to the processor and the memory through the bus, and the virtual machine monitor being configured to implement shared access of the virtual machine to the server hardware;
The processor is specifically configured to:
acquiring a second springboard; the second springboard is used as a communication channel between the virtual machine monitor and the virtual machine operating system in the first enclave and operates in a memory area outside the first enclave and the second enclave;
transferring the call of the virtual machine operating system to the virtual machine monitor by using the second springboard;
and transmitting a call return result of the virtual machine monitor to the virtual machine operating system by using the second springboard.
10. The apparatus of claim 9, wherein the processor is specifically configured to:
and when the application program is to be run, establishing a second enclave for running the application program through the virtual machine operating system.
11. The device of claim 9 or 10, wherein the application is a sensitive application for processing user sensitive data.
12. The apparatus according to claim 9 or 10, wherein,
the first springboard comprises a first springboard code and shared data between the application program and the user mode operating system; the first springboard code is used for realizing the function of a communication channel of the first springboard;
The second springboard comprises a second springboard code and shared data between the user state operating system and the virtual machine monitor; the second springboard code is used for realizing the function of a communication channel of the second springboard.
13. The apparatus according to any one of claims 8-10, wherein the processor is specifically configured to:
verifying, for the application program, the integrity measurement value of the virtual machine operating system through a preset attestation mechanism;
and running the application program in the second enclave under the condition that the integrity measurement value of the virtual machine operating system accords with a preset value.
14. The apparatus of claim 13, wherein the processor is specifically configured to:
negotiating, through the attestation mechanism, an encryption key and an integrity protection key for protecting data transfer between the virtual machine operating system in the first enclave and the application program in the second enclave;
before the call of the application program in the second enclave is transferred to the virtual machine operating system in the first enclave by using the first springboard, the processor is further configured to: encrypt the call parameters in the second enclave by using the encryption key, and perform integrity protection on the call parameters by using the integrity protection key;
before the call return result of the virtual machine operating system is transferred to the application program by using the first springboard, the processor is further configured to: encrypt the call return result in the first enclave by using the encryption key, and perform integrity protection on the call return result by using the integrity protection key.
CN201811019549.XA 2018-08-31 2018-08-31 Application program security protection method and related equipment Active CN110874468B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811019549.XA CN110874468B (en) 2018-08-31 2018-08-31 Application program security protection method and related equipment

Publications (2)

Publication Number Publication Date
CN110874468A CN110874468A (en) 2020-03-10
CN110874468B true CN110874468B (en) 2024-02-09

Family

ID=69716592

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811019549.XA Active CN110874468B (en) 2018-08-31 2018-08-31 Application program security protection method and related equipment

Country Status (1)

Country Link
CN (1) CN110874468B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113591091A (en) * 2020-04-30 2021-11-02 华为技术有限公司 Application processing method and device, cloud environment and storage medium
CN111934860B (en) * 2020-08-06 2024-01-05 山东省计算中心(国家超级计算济南中心) Implementation method and system for mobile terminal key storage
CN112651018B (en) * 2020-12-18 2022-08-02 卓尔智联(武汉)研究院有限公司 SGX-based trusted input and output control method, device, equipment and storage medium
CN114791854B (en) * 2022-05-11 2023-03-24 科东(广州)软件科技有限公司 Scheduling method, device, equipment and storage medium of user-state virtual machine task
CN116048735B (en) * 2023-03-23 2023-08-29 阿里云计算有限公司 Information processing method and object sharing method

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5970250A (en) * 1994-03-24 1999-10-19 International Business Machines Corporation System, method, and computer program product for scoping operating system semanticis in a computing environment supporting multi-enclave processes
CN101655798A (en) * 2008-08-18 2010-02-24 联想(北京)有限公司 Method for deployment and operation of application in computer and virtual machine environments
CN102129531A (en) * 2011-03-22 2011-07-20 北京工业大学 Xen-based active defense method
CN104781783A (en) * 2012-08-28 2015-07-15 云思易有限责任公司 Integrated computing platform deployed in an existing computing environment
CN105389513A (en) * 2015-11-26 2016-03-09 华为技术有限公司 Trusted execution method and apparatus for virtual trusted platform module (vTPM)
CN106844007A (en) * 2016-12-29 2017-06-13 中国科学院计算技术研究所 A kind of virtual method and system based on spatial reuse
CN107544918A (en) * 2017-08-17 2018-01-05 致象尔微电子科技(上海)有限公司 A kind of page sharing method
CN107667347A (en) * 2015-06-26 2018-02-06 英特尔公司 The technology of the security service provided for virtualized access by fusion type manageability and security engine
CN108279967A (en) * 2017-10-25 2018-07-13 国云科技股份有限公司 A kind of virtual machine and container mixed scheduling method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9525564B2 (en) * 2013-02-26 2016-12-20 Zentera Systems, Inc. Secure virtual network platform for enterprise hybrid cloud computing environments

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Key data protection scheme based on the AMD hardware memory encryption mechanism; Wu Yuming; Liu Yutao; Chen Haibo; Journal of Cyber Security (No. 01); full text *
Trusted code execution scheme for environments with strong security requirements based on TrustZone; Zhang Yingjun; Feng Dengguo; Qin Yu; Yang Bo; Journal of Computer Research and Development (No. 10); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant