WO2023029835A1 - Method for protecting kernel thread, and terminal and computer readable storage medium - Google Patents

Method for protecting kernel thread, and terminal and computer readable storage medium Download PDF

Info

Publication number
WO2023029835A1
WO2023029835A1 PCT/CN2022/108692 CN2022108692W WO2023029835A1 WO 2023029835 A1 WO2023029835 A1 WO 2023029835A1 CN 2022108692 W CN2022108692 W CN 2022108692W WO 2023029835 A1 WO2023029835 A1 WO 2023029835A1
Authority
WO
WIPO (PCT)
Prior art keywords
thread
kernel
state
monitoring
running state
Prior art date
Application number
PCT/CN2022/108692
Other languages
French (fr)
Chinese (zh)
Inventor
李晖
杨超锋
刁亮
王富帅
张文
许人杰
Original Assignee
中兴通讯股份有限公司
北京邮电大学
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 中兴通讯股份有限公司, 北京邮电大学 filed Critical 中兴通讯股份有限公司
Publication of WO2023029835A1 publication Critical patent/WO2023029835A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring

Definitions

  • the embodiments of the present application relate to the technical field of communications, and in particular to a kernel thread protection method, a terminal, and a computer-readable storage medium.
  • kernel threads there are many kernel threads.
  • a kernel thread is a process directly started by the kernel itself. It actually entrusts the kernel function to an independent process for execution.
  • a kernel thread can be regarded as a clone of the kernel, and a clone can handle a specific thing. Kernel threads can only run in kernel mode, not user mode, and kernel threads can only access the kernel part of the virtual address space, not user space. If the user needs to perform a task, which needs to be executed automatically immediately after the system starts, and it is expected that the task will run continuously during the running of the system, then using kernel threads to perform this task is a good choice.
  • the existing kernel thread protection scheme is mainly: single-thread monitoring, that is, creating a thread to monitor other threads, but this scheme has a serious defect, that is, if the attacker kills the monitoring thread first, then the The protection measures have just lost their effect, that is, the security of kernel thread protection is low.
  • An embodiment of the present application provides a method for protecting a kernel thread, the kernel thread at least includes: a first thread and a second thread, and the method includes: executing the work to be protected through the first thread; The thread monitors the second thread, and monitors the first thread through the second thread; if the first thread is monitored to be abnormal or the second thread is monitored to be abnormal, the execution of the Intercept the memory read and write operations when the work is to be protected.
  • An embodiment of the present application also provides a terminal, including: at least one processor; and a memory connected in communication with the at least one processor; wherein, the memory stores instructions that can be executed by the at least one processor , the instruction is executed by the at least one processor, so that the at least one processor can execute the above kernel thread protection method.
  • the embodiment of the present application also provides a computer-readable storage medium, which stores a computer program, and implements the above kernel thread protection method when the computer program is executed by a processor.
  • Fig. 1 is a schematic flow chart of the protection method of the kernel thread mentioned in the embodiment of the present application
  • Fig. 2 is a schematic flow chart of the implementation of monitoring the second thread through the first thread and monitoring the first thread through the second thread mentioned in the embodiment of the present application;
  • Fig. 3 is a schematic flowchart of the implementation process of monitoring the running state of the second thread through the first thread and determining whether the running state of the second thread is a dead state or a permanently suspended state mentioned in the embodiment of the present application;
  • Fig. 4 is a schematic flow chart of the implementation process of monitoring the running state of the first thread through the second thread and determining whether the running state of the first thread is a dead state or a permanently suspended state mentioned in the embodiment of the present application;
  • Fig. 5 is a schematic diagram of the monitoring loop mentioned in the embodiment of the present application.
  • Fig. 6 is a schematic diagram of the kernel execution mode mentioned in the embodiment of the present application.
  • FIG. 7 is a schematic diagram of the TEE execution mode mentioned in the embodiment of the present application.
  • Fig. 8 is a schematic diagram of the mixed execution mode mentioned in the embodiment of the present application.
  • Fig. 9 is a schematic structural diagram of a terminal mentioned in the embodiment of the present application.
  • TEE Trusted Execution Environment
  • ARM Advanced RISC Machines introduces TrustZone technology, which divides the working status of the central processing unit (CPU) into Normal World and Normal World.
  • Secure World Secure World when the CPU works in the Normal World state, even users with root privileges cannot access any resources in the Secure World state.
  • the system can switch between the Secure World state and the Normal World state of the ARM core by calling the secure monitor call (smc) command.
  • SMC secure monitor call
  • the system calls the SMC command, the system will fall into Monitor Mode.
  • TEE trusted execution environment
  • the kernel thread includes a first thread and a second thread
  • the first thread is regarded as a working thread, which not only performs the work to be done originally, but also performs monitoring work
  • the second thread is regarded as Monitoring threads, the first thread monitors the second thread, and the second thread monitors the first thread, forming a monitoring loop.
  • the protection method of the kernel thread provided by the embodiment of the present application can refer to FIG. 1, including:
  • Step 101 Execute the work to be protected through the first thread
  • Step 102 monitor the second thread through the first thread, and monitor the first thread through the second thread;
  • Step 103 If the first thread is monitored to be abnormal or the second thread is monitored to be abnormal, intercept the memory read and write operations when performing the work to be protected.
  • the memory read and write operations are intercepted, that is, the system is directly locked to prevent the system from being further damaged.
  • an assailant wants to break through the monitoring exchange formed between the first thread and the second thread and make the attack undetectable, he must break through the first thread and the second thread simultaneously within one period of the monitoring ring protection, and It is very difficult to break through the first thread and the second thread at the same time in the same cycle, so it is more difficult to break through the protection method of the kernel thread in the embodiment of the present application, thereby improving the security of the protection of the kernel thread to ensure the protection of the kernel thread. job security.
  • the terminal may automatically execute a function, which will create and activate the first thread and the second thread in sequence.
  • the work code that needs to execute the work to be protected may be written into the first thread, so that the terminal can execute the work to be protected through the first thread.
  • the work to be protected for example, can be: payment work, face recognition work, fingerprint recognition work, etc.
  • the kernel thread protection method of this embodiment can finally protect the safety of the work to be protected during execution through the monitoring of the monitoring ring.
  • step 102 the code for monitoring the second thread can be written into the first thread, so that the terminal can monitor the second thread through the first thread.
  • the code for monitoring the first thread can be written into the second thread, so that the terminal can monitor the first thread through the second thread. That is to say, the first thread and the second thread can monitor each other.
  • step 103 if the terminal monitors that the first thread is abnormal or monitors that the second thread is abnormal, the memory read and write operations are intercepted, that is, when an abnormality is detected, the memory read and write operations are no longer performed, and the memory is directly locked. A dead system prevents further damage to the system.
  • the monitored abnormality of the first thread may include: the running state of the first thread is a dead state or a permanently suspended state, and the function code segment of the first thread is tampered with.
  • the monitored exception of the second thread is similar to the exception of the first thread, and will not be repeated here to avoid repetition. That is to say, in this step, the running state of the second thread can be monitored by the first thread to determine whether the running state of the second thread is a dead state or a permanently suspended state; The running state is monitored to determine whether the running state of the first thread is a dead state or a permanently suspended state.
  • the interception of memory read and write operations when performing work to be protected includes: invoking the TrustZone address space control component in the monitor mode of Secure World, to perform memory read and write operations when performing work to be protected Interception facilitates efficient and accurate interception of memory read and write operations.
  • the TrustZone address space control component may be a TZC400 controller or a TZC380 controller, etc., which is not specifically limited in this embodiment.
  • the attacker may obtain the task_struct structure of the attacked kernel thread through various malicious means , and then the kernel thread is killed or permanently suspended, so that the attacked kernel thread can no longer continue to perform tasks.
  • the attacker may find the memory address of the working code executed by the attacked kernel thread, and then directly modify the execution flow of the working code or tamper with the working code executed by the kernel thread to achieve the purpose of the attack.
  • the present embodiment provides two kinds of monitoring modes to kernel thread, 1) whether the running state of monitoring kernel thread is dead state or permanently suspended state, promptly the first thread that monitors kernel thread comprises at least and the second thread Whether the running state is dead or permanently suspended. 2) Monitoring whether the working code executed by the kernel thread is tampered with, that is, monitoring whether the working code executed by at least the first thread and the second thread included in the kernel thread is tampered with.
  • the two monitoring methods are described below:
  • the code read-only detection can be performed on the first thread and the second thread, when the code is only If the readability test passes, it is considered that the executed working code has not been tampered with, and when the code read-only detection fails, it is considered that the executed working code has been tampered with.
  • the implementation of monitoring the second thread through the first thread and monitoring the first thread through the second thread can refer to Figure 2, including:
  • Step 201 Obtain the first address range in the kernel space of the working code executed by the first thread, and obtain the second address range in the kernel space of the working code executed by the second thread;
  • Step 202 According to the content of the first address range and the content of the second address range, verify the work code executed by the first thread and the work code executed by the second thread, and obtain the first verification result corresponding to the first thread and The second verification result corresponding to the second thread;
  • Step 203 According to the first verification result corresponding to the first standard verification result of the first thread, monitor whether the working code executed by the first thread has been tampered with;
  • Step 204 According to the second verification result corresponding to the second standard verification result of the second thread, monitor whether the working code executed by the second thread is tampered with.
  • step 202 may be implemented by performing byte-wise XOR according to the contents of the first address range to obtain an XOR result, and using the XOR result as the first verification result corresponding to the first thread.
  • the method of XOR by byte can be: XOR the content of the first byte and the content of the second byte in the first address range to obtain an XOR value, and continue to use the XOR value XOR with the content of the third byte to get the latest XOR value, and then XOR the new XOR value with the content of the third byte to get the latest XOR value to
  • the last XOR value is the first verification result.
  • the manner of obtaining the second verification result is similar to the manner of obtaining the first verification result, and will not be repeated here to avoid repetition.
  • step 202 may be implemented by: calculating the first hash value according to the content of the first address range, using the first hash value as the first verification result corresponding to the first thread, and calculating the first hash value according to the second address interval A second hash value is calculated for the content of the section, and the second hash value is used as a second verification result corresponding to the second thread.
  • step 203 if the first verification result is the same as the first standard verification result corresponding to the first thread, it can be determined that the work code executed by the first thread has not been tampered with, thereby determining that the code read-only performed on the first thread sex test passed. If the first verification result is different from the first standard verification result corresponding to the first thread, it can be determined that the working code executed by the first thread has been tampered with, so that it is determined that the code read-only test performed on the first thread fails.
  • the first verification result is an XOR result
  • the first standard verification result is a first standard XOR result
  • the first standard XOR result is the XOR result obtained by performing code read-only detection on the first thread for the first time.
  • code read-only detection for the first time call an SMC command in the first thread to switch the system to Monitor Mode, obtain the first address range of the working code of the first thread in the kernel space, and check the content of the first address range
  • the XOR operation is performed by byte to obtain the XOR result, and the XOR result obtained for the first time can be used as the first standard verification result.
  • the first verification result is a first hash value
  • the first standard verification result is a first standard hash value.
  • the first standard hash value is a hash value obtained by performing code read-only detection on the first thread for the first time.
  • call an SMC command in the first thread to switch the system to Monitor Mode obtain the first address range of the working code of the first thread in the kernel space, and check the content of the first address range Find the first hash value, and the first hash value obtained for the first time can be used as the first standard hash value.
  • step 204 if the second verification result is the same as the second standard verification result corresponding to the second thread, it can be determined that the work code executed by the second thread has not been tampered with, thereby determining that the code read-only for the second thread is sex test passed. If the second verification result is different from the second standard verification result corresponding to the second thread, it can be determined that the working code executed by the second thread has been tampered with, so that it is determined that the code read-only test performed on the second thread fails.
  • the second verification result is an XOR result
  • the second standard verification result is a second standard XOR result.
  • the second standard XOR result is the XOR result obtained by performing code read-only detection on the second thread for the first time.
  • the determination method of the second standard XOR result is similar to the determination method of the first standard XOR result, and will not be repeated here to avoid repetition.
  • the second verification result is a second hash value
  • the second standard verification result is a second standard hash value.
  • the second standard hash value is the hash value obtained by performing code read-only detection on the second thread for the first time.
  • the method of determining the second standard hash value is similar to that of the first standard hash value, and will not be repeated here to avoid repetition.
  • code read-only testing may be performed periodically on the first thread and the second thread, and periodically determine whether the first thread and the second thread pass the code read-only testing.
  • code read-only detection fails, the system will be blocked by a defense measure.
  • the defense measure is to intercept memory read and write operations.
  • step 201 before step 201, it also includes: intercepting the target SMC instruction sent from the normal world Normal World to the secure world Secure World; wherein, the target SMC instruction is used to detect whether the function code segment has been tampered with .
  • the target smc_fid corresponding to the target SMC instruction may be preset, and the target smc_fid may be understood as an instruction identifier of the target SMC instruction.
  • the received SMC instruction is considered to be the target SMC instruction, so that the target SMC instruction sent from the Normal World to the Secure World can be determined to be intercepted, so as to continue to perform code read-only detection on the kernel thread.
  • the read-onlyness of the working code executed by the kernel thread can be periodically checked and protected.
  • the code executed by the kernel thread can be timely Check whether the working code has been tampered with, so that after detecting that the working code has been tampered with, the memory read and write operations are intercepted in time to prevent further damage to the system.
  • the preset first type of value can be used to represent the death state, for example, the first type of value can include: 4, 16, 32 or 128, etc.
  • the preset second type of value can be used to represent the uninterruptible suspension state , for example, the second type of value can include: 2.
  • the preset duration can be set according to actual needs, which is not specifically limited in this embodiment.
  • code for monitoring the running state of the second thread may run in the first thread, so that the terminal may monitor the running state of the second thread through the first thread.
  • the code for monitoring the running state of the first thread may run in the second thread, so that the terminal may monitor the running state of the first thread through the second thread.
  • the implementation process of monitoring the running state of the second thread through the first thread to determine whether the running state of the second thread is a dead state or a permanently suspended state can refer to FIG. 3 , including:
  • Step 301 Obtain the first pointer of the task_struct type created by the first thread
  • the first pointer points to the first task_struct structure of the second thread.
  • Step 302 while(1);
  • Step 303 Detect whether the acquired first pointer is a valid pointer; if yes, execute step 304, otherwise execute step 311;
  • Step 304 Determine whether the value of the state variable of the first task_struct structure is 4, 16, 32 or 128; if yes, execute step 311, otherwise execute step 305;
  • Step 305 Get the current time point 1;
  • Step 306 judge whether the value of the state variable of the first task_struct structure is 2; if yes, execute step 307, otherwise execute step 302;
  • Step 307 Obtain the current time point 2, and obtain the time difference between the current time point 1 and the current time point 2;
  • Step 308 Determine whether the time difference exceeds the preset duration; if yes, execute step 309, otherwise execute step 310;
  • judging whether the time difference exceeds the preset duration can be understood as judging whether the duration of the second thread in the uninterruptible suspended state exceeds the preset duration.
  • Step 309 Determine that the running state of the second thread is permanently suspended state
  • Step 310 delay for 100 milliseconds, continue to execute step 306;
  • Step 311 Determine that the running state of the second thread is a dead state.
  • step 309 and step 311 that is, it is determined that the second thread is abnormal, then the memory read and write operations may be intercepted.
  • the value of the state variable of the structure is the preset first-type value, it is determined that the running state of the first thread is dead; the value of the state variable of the second task_struct structure is the preset second-type value
  • it is determined that the running state of the first thread is an uninterruptible suspended state, and when the running state of the first thread is that the duration of the uninterruptible suspended state exceeds a preset duration, then it is determined that the running state of the first thread is permanent pending state.
  • the second thread monitors the running state of the first thread
  • the implementation process of determining whether the running state of the first thread is a dead state or a permanently suspended state can refer to FIG. 4 , including:
  • Step 401 Obtain a second pointer of task_struct type created by the second thread
  • the second pointer points to the second task_struct structure of the first thread.
  • Step 402 while(1);
  • Step 403 Detect whether the acquired second pointer is a valid pointer; if yes, go to step 404, otherwise go to step 411;
  • Step 404 Determine whether the value of the state variable of the second task_struct structure is 4, 16, 32 or 128; if yes, execute step 411, otherwise execute step 405;
  • Step 405 Get the current time point 1;
  • Step 406 Determine whether the value of the state variable of the second task_struct structure is 2; if yes, execute step 407, otherwise execute step 402;
  • Step 407 Get the current time point 2, and get the time difference between the current time point 1 and the current time point 2;
  • Step 408 Determine whether the time difference exceeds the preset duration; if yes, execute step 409; otherwise, execute step 410;
  • Step 409 Determine that the running state of the first thread is permanently suspended state
  • Step 410 delay for 100 milliseconds, continue to execute step 406;
  • Step 411 Determine that the running state of the first thread is a dead state.
  • step 409 and step 411 that is, it is determined that the first thread is abnormal
  • the memory read and write operations may be intercepted.
  • the attacker may obtain the task_struct structure of the attacked kernel thread through various malicious means.
  • the state is permanently suspended, the memory read and write operations are intercepted in time to prevent the system from being further damaged.
  • the second thread includes: a first monitoring thread and a second monitoring thread, the second thread is monitored through the first thread, and the first thread is monitored through the second thread, including: through the first thread The first monitoring thread is monitored, the second monitoring thread is monitored by the first monitoring thread, and the first thread is monitored by the second monitoring thread.
  • the kernel thread includes: a first thread, a first monitoring thread, and a second monitoring thread, and these three threads form a monitoring loop.
  • the first thread is recorded as working thread A
  • the first monitoring thread is recorded as monitoring thread B
  • the second monitoring thread is recorded as monitoring thread C
  • the monitoring ring composed of working thread A, monitoring thread B and monitoring thread C can be
  • working thread A is used for monitoring the running state of monitoring thread B
  • monitoring thread B is used for monitoring the running state of monitoring thread C
  • monitoring thread C is used for running state of working thread A
  • worker thread A is also used for code read-only detection.
  • the code read-only detection work includes: detecting whether the working code to be executed by the working thread A has been tampered with, detecting whether the working code to be executed by the monitoring thread B has been tampered with, and detecting whether the working code to be executed by the monitoring thread C has been tampered with.
  • the terminal can automatically execute a function, which will create and activate the above-mentioned worker thread A, monitoring thread B, and monitoring thread C in sequence.
  • Worker thread A not only performs the work to be done, but also performs monitoring work, and monitoring thread B and monitoring thread C perform monitoring work.
  • the monitoring relationship of the three threads is shown in Figure 5.
  • the working thread A monitors the monitoring thread B
  • the monitoring thread B monitors the monitoring thread C
  • the monitoring thread C monitors the working thread A, forming a monitoring loop.
  • the monitoring ring formed by three kernel threads is more difficult to attack, that is, if an attacker wants to break through the monitoring ring without being detected, he must simultaneously break through the worker thread and Two monitoring threads, that is, must break through three kernel threads simultaneously in one cycle, but it is very difficult to break through three kernel threads simultaneously in one cycle, therefore, the attack difficulty of the protection method of kernel thread provided in this embodiment Higher, which greatly improves the security of kernel threads.
  • the number of kernel threads in the monitoring ring can be further increased from 3 according to actual needs, so as to further increase the attack difficulty, thereby improving the security of kernel threads.
  • the working mode when the first thread performs work includes: kernel execution mode, TEE execution mode, mixed execution mode; in the kernel execution mode, the work code executed when the first thread is working is written into the first thread In the TEE execution mode, the work code executed when the first thread is working is written in the trusted application (Trusted Application, TA) created in the secure world Secure World, and the first thread executes the work code by calling TA; in In the mixed execution mode, the first type of work code executed when the first thread is working is written into the first thread, and the second type of work code executed when the first thread is working is written into the TA created in the secure world , the first thread executes the second work code by calling TA.
  • TEE execution mode the trusted application
  • TA trusted Application
  • the kernel mode execution can meet the security requirements, then the work code to be executed can be directly written in the first thread, which is the kernel execution mode.
  • the schematic diagram of the kernel execution mode can refer to FIG. 6 , that is, the working code to be executed is written in the working thread A.
  • TEE execution mode Assuming that the monitoring loop in this embodiment adopts the monitoring loop as shown in Figure 5, the schematic diagram of the TEE execution mode can refer to Figure 7, that is, the work code to be executed is written in TA, and the working thread A calls the SMC instruction to make TAs in Secure World execute working code.
  • Worker thread A calls TA in Secure World to complete tasks with high security requirements. In this way, the work code executed by worker thread A is essentially running in the TEE. Even if the attacker obtains the root authority under Normal World, he cannot know what task worker thread A performs, and the confidentiality is extremely high.
  • the code with extremely high security requirements uses the TEE execution mode, and other parts of the code (the first working code) use the kernel execution mode, which is the mixed execution mode.
  • the schematic diagram of the hybrid execution mode can refer to Figure 8, the first type of work code is written into worker thread A, and the second type of work code is written into TA , when worker thread A needs to execute the second type of work code, it can make TA in Secure World execute the second type of work code by calling the SMC instruction. That is to say, in the hybrid execution mode, the work code that really requires high security is placed in the TEE for execution, and the work code that does not require high security is placed in the worker thread A for execution. Considering that the work code Putting everything into the TEE for execution may affect the execution efficiency. Therefore, the mixed execution mode in this embodiment can take into account both security and execution efficiency.
  • the working code is written into the TA created in Secure World, it is difficult to be tampered with, and the security is very high. Therefore, in the TEE execution mode, since the work code executed when the first thread is working is written into the TA created in Secure World, it is not necessary to perform code read-only detection on the first thread. In the mixed execution mode, since the second working code in the first thread is written into the TA created in Secure World, the code read-only detection may not be performed on the second working code in the first thread. By not performing code read-only detection, the execution efficiency of the system can be improved to a certain extent.
  • This embodiment has the advantage of allowing the user to flexibly select a task execution mode. If the task code is large and requires high efficiency, the user can choose to execute the task in kernel mode; if the task code is not large and requires high security, the user can choose to execute the task in TEE mode; if security is required and task execution efficiency, then users can choose to perform tasks in a hybrid mode.
  • this embodiment is not limited to the Linux operating system, and can also be used on the Android operating system or even other operating systems that provide a trusted execution environment, so the portability is better. Moreover, this embodiment is not limited to the version of the Linux operating system, as long as the Linux operating system provides a trusted execution environment.
  • the operating system manufacturer and the TEE provider can update the operating system and the TEE respectively according to the method provided in the embodiment of the present application.
  • the user's terminal downloads the update package through the network and installs the update.
  • the user's terminal can automatically run the kernel thread protection method in the embodiment of the present application.
  • step division of the above various methods is only for the sake of clarity of description. During implementation, it can be combined into one step or some steps can be split and decomposed into multiple steps. As long as they include the same logical relationship, they are all within the scope of protection of this patent. ; Adding insignificant modifications or introducing insignificant designs to the algorithm or process, but not changing the core design of the algorithm and process are all within the scope of protection of this patent.
  • the embodiment of the present application also provides a terminal, as shown in FIG. 9 , including at least one processor 901; and a memory 902 communicatively connected to the at least one processor 901; An instruction executed by 901, the instruction is executed by at least one processor 901, so that at least one processor 901 can execute the method for protecting a kernel thread in the foregoing embodiment.
  • the memory 902 and the processor 901 are connected by a bus, and the bus may include any number of interconnected buses and bridges, and the bus connects one or more processors 901 and various circuits of the memory 902 together.
  • the bus may also connect together various other circuits such as peripherals, voltage regulators, and power management circuits, all of which are well known in the art and therefore will not be further described herein.
  • the bus interface provides an interface between the bus and the transceivers.
  • a transceiver may be a single element or multiple elements, such as multiple receivers and transmitters, providing means for communicating with various other devices over a transmission medium.
  • the data processed by the processor 901 is transmitted on the wireless medium through the antenna, further, the antenna also receives the data and transmits the data to the processor 901 .
  • Processor 901 is responsible for managing the bus and general processing, and may also provide various functions, including timing, peripheral interface, voltage regulation, power management, and other control functions. And the memory 902 may be used to store data used by the processor 901 when performing operations.
  • the embodiment of the present application also provides a computer-readable storage medium storing a computer program.
  • the above method embodiments are implemented when the computer program is executed by the processor.
  • a storage medium includes several instructions to make a device ( It may be a single-chip microcomputer, a chip, etc.) or a processor (processor) to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disc, etc., which can store program codes. .
  • the kernel thread includes at least: a first thread and a second thread, the first thread executes the work to be protected; the first thread monitors the second thread, and the second thread monitors the first thread ; If it is monitored that the first thread is abnormal or the second thread is abnormal, intercept the memory read and write operations when performing the work to be protected. That is, the first thread is regarded as a working thread, which not only performs the work to be protected, but also performs monitoring work.
  • the second thread is regarded as a monitoring thread. The first thread monitors the second thread, and the second thread monitors the second thread. One thread monitors to form a monitoring loop.
  • the memory read and write operations are intercepted, that is, the system is directly locked to prevent further damage to the system. If an attacker wants to break through the monitoring ring without being detected, he must simultaneously break through the first thread and the second thread within one cycle of the monitoring ring protection, and it is very difficult to break through the first thread and the second thread simultaneously within the same cycle. Therefore, the method for protecting the kernel thread in the embodiment of the present application is relatively difficult to attack, thereby improving the security of protecting the kernel thread.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

Embodiments of the present application relate to the technical field of communications, and in particular to a method for protecting a kernel thread, and a terminal and a computer readable storage medium. The kernel thread at least comprises a first thread and a second thread. The method for protecting the kernel thread comprises: executing, by means of the first thread, work for protection (101); monitoring the second thread by means of the first thread, and monitoring the first thread by means of the second thread (102); and if it is monitored that the first thread is abnormal or it is monitored that the second thread is abnormal, intercepting a memory read and write operation when the work for protection is executed (103).

Description

内核线程的保护方法、终端和计算机可读存储介质Kernel thread protection method, terminal and computer-readable storage medium
相关申请的交叉引用Cross References to Related Applications
本申请基于申请号为202111022540.6、申请日为2021年9月1日的中国专利申请提出,并要求该中国专利申请的优先权,该中国专利申请的全部内容在此引入本申请作为参考。This application is based on a Chinese patent application with application number 202111022540.6 and a filing date of September 1, 2021, and claims the priority of this Chinese patent application. The entire content of this Chinese patent application is hereby incorporated by reference into this application.
技术领域technical field
本申请实施例涉及通信技术领域,特别涉及一种内核线程的保护方法、终端和计算机可读存储介质。The embodiments of the present application relate to the technical field of communications, and in particular to a kernel thread protection method, a terminal, and a computer-readable storage medium.
背景技术Background technique
在现代计算机操作***中,多线程操作扮演着十分重要的角色,它可以允许使用者在同一时间对多个任务加以控制。在操作***内核中,存在着许多内核线程,内核线程是直接由内核本身启动的进程,它实际上是将内核函数委托给独立的进程来执行。内核线程可以看作内核的分身,一个分身可以处理一件特定的事情。内核线程只能运行在内核态,不能在用户态运行,而且内核线程只能访问虚拟地址空间的内核部分,不能访问用户空间。如果用户需要执行任务,这个任务需要在***启动后就立即自动执行,而且希望任务在***运行期间一直不停地运行,那么使用内核线程来执行这种任务是一种很好的选择。In modern computer operating systems, multithreading plays a very important role, which allows users to control multiple tasks at the same time. In the operating system kernel, there are many kernel threads. A kernel thread is a process directly started by the kernel itself. It actually entrusts the kernel function to an independent process for execution. A kernel thread can be regarded as a clone of the kernel, and a clone can handle a specific thing. Kernel threads can only run in kernel mode, not user mode, and kernel threads can only access the kernel part of the virtual address space, not user space. If the user needs to perform a task, which needs to be executed automatically immediately after the system starts, and it is expected that the task will run continuously during the running of the system, then using kernel threads to perform this task is a good choice.
现有的内核线程保护方案主要为:单线程监控,即创建一个线程,对其他的线程进行监控,但是这种方案有一个严重的缺陷,那就是如果攻击者先将监控线程杀死,那么这个保护措施就失去了作用,即对内核线程保护的安全性低。The existing kernel thread protection scheme is mainly: single-thread monitoring, that is, creating a thread to monitor other threads, but this scheme has a serious defect, that is, if the attacker kills the monitoring thread first, then the The protection measures have just lost their effect, that is, the security of kernel thread protection is low.
发明内容Contents of the invention
本申请实施例提供了一种内核线程的保护方法,所述内核线程至少包括:第一线程和第二线程,所述方法包括:通过所述第一线程执行待保护工作;通过所述第一线程对所述第二线程进行监控,并通过所述第二线程对所述第一线程进行监控;若监控到所述第一线程出现异常或监控到所述第二线程出现异常,对执行所述待保护工作时的内存读写操作进行拦截。An embodiment of the present application provides a method for protecting a kernel thread, the kernel thread at least includes: a first thread and a second thread, and the method includes: executing the work to be protected through the first thread; The thread monitors the second thread, and monitors the first thread through the second thread; if the first thread is monitored to be abnormal or the second thread is monitored to be abnormal, the execution of the Intercept the memory read and write operations when the work is to be protected.
本申请实施例还提供了一种终端,包括:至少一个处理器;以及,与所述至少一个处理器通信连接的存储器;其中,所述存储器存储有可被所述至少一个处理器执行的指令,所述指令被所述至少一个处理器执行,以使所述至少一个处理器能够执行上述的内核线程的保护方法。An embodiment of the present application also provides a terminal, including: at least one processor; and a memory connected in communication with the at least one processor; wherein, the memory stores instructions that can be executed by the at least one processor , the instruction is executed by the at least one processor, so that the at least one processor can execute the above kernel thread protection method.
本申请实施例还提供了一种计算机可读存储介质,存储有计算机程序,所述计算机程序被处理器执行时实现上述的内核线程的保护方法。The embodiment of the present application also provides a computer-readable storage medium, which stores a computer program, and implements the above kernel thread protection method when the computer program is executed by a processor.
附图说明Description of drawings
图1是本申请实施例中提到的内核线程的保护方法的流程示意图;Fig. 1 is a schematic flow chart of the protection method of the kernel thread mentioned in the embodiment of the present application;
图2是本申请实施例中提到的通过第一线程对第二线程进行监控,并通过第二线程对第一线程进行监控的实现方式的流程示意图;Fig. 2 is a schematic flow chart of the implementation of monitoring the second thread through the first thread and monitoring the first thread through the second thread mentioned in the embodiment of the present application;
图3是本申请实施例中提到的通过第一线程对第二线程的运行状态进行监控,确定第二线程的运行状态是否为死亡状态或永久挂起状态的实现过程的流程示意图;Fig. 3 is a schematic flowchart of the implementation process of monitoring the running state of the second thread through the first thread and determining whether the running state of the second thread is a dead state or a permanently suspended state mentioned in the embodiment of the present application;
图4是本申请实施例中提到的通过第二线程对第一线程的运行状态进行监控,确定第一线程的运行状态是否为死亡状态或永久挂起状态的实现过程的流程示意图;Fig. 4 is a schematic flow chart of the implementation process of monitoring the running state of the first thread through the second thread and determining whether the running state of the first thread is a dead state or a permanently suspended state mentioned in the embodiment of the present application;
图5是本申请实施例中提到的监控环的示意图;Fig. 5 is a schematic diagram of the monitoring loop mentioned in the embodiment of the present application;
图6是本申请实施例中提到的内核执行模式的示意图;Fig. 6 is a schematic diagram of the kernel execution mode mentioned in the embodiment of the present application;
图7是本申请实施例中提到的TEE执行模式的示意图;FIG. 7 is a schematic diagram of the TEE execution mode mentioned in the embodiment of the present application;
图8是本申请实施例中提到的混合执行模式的示意图;Fig. 8 is a schematic diagram of the mixed execution mode mentioned in the embodiment of the present application;
图9是本申请实施例中提到的终端的结构示意图。Fig. 9 is a schematic structural diagram of a terminal mentioned in the embodiment of the present application.
具体实施方式Detailed ways
为使本申请实施例的目的、技术方案和优点更加清楚,下面将结合附图对本申请的各实施例进行详细的阐述。然而,本领域的普通技术人员可以理解,在本申请各实施例中,为了使读者更好地理解本申请而提出了许多技术细节。但是,即使没有这些技术细节和基于以下各实施例的种种变化和修改,也可以实现本申请所要求保护的技术方案。以下各个实施例的划分是为了描述方便,不应对本申请的具体实现方式构成任何限定,各个实施例在不矛盾的前提下可以相互结合相互引用。In order to make the purpose, technical solutions and advantages of the embodiments of the present application clearer, the embodiments of the present application will be described in detail below with reference to the accompanying drawings. However, those of ordinary skill in the art can understand that in each embodiment of the application, many technical details are provided for readers to better understand the application. However, even without these technical details and various changes and modifications based on the following embodiments, the technical solutions claimed in this application can also be realized. The division of the following embodiments is for the convenience of description, and should not constitute any limitation to the specific implementation of the present application, and the embodiments can be combined and referred to each other on the premise of no contradiction.
随着移动通信和互联网技术的飞速发展,智能终端在各个领域扮演着越来越重要的角色,智能终端的安全性变得越来越重要。如果在***中能够提供一个相对可信赖的运行环境,使用户的关键数据或应用在这个相对可信赖的环境中使用和运行,这样,即使***被攻破,入侵者也无法直接获取用户的重要信息,这就是可信执行环境(Trusted Execution Environment,TEE)的主要作用和理念。为了给终端提供安全的运行环境,精简指令集计算微处理器(Advanced RISC Machines,ARM)引入了TrustZone技术,它将中央处理器(central processing unit,CPU)的工作状态分为普通世界Normal World和安全世界Secure World,当CPU工作在Normal World状态时,即使用户拥有root权限也无法访问处于Secure World状态中的任何资源。***可以通过调用安全监控模式调用(secure monitor call,smc)指令实现ARM核的Secure World状态与Normal World状态之间的切换,当***调用SMC指令时,***会陷入Monitor Mode中。本申请实施例中结合可信执行环境(Trusted execution environment,TEE)技术,可以在TEE中进行对内核线程执行的工作代码的保护。With the rapid development of mobile communication and Internet technology, smart terminals play an increasingly important role in various fields, and the security of smart terminals becomes more and more important. If a relatively reliable operating environment can be provided in the system, so that the user's key data or applications can be used and run in this relatively reliable environment, so that even if the system is compromised, the intruder cannot directly obtain the important information of the user , which is the main role and concept of the Trusted Execution Environment (TEE). In order to provide a safe operating environment for the terminal, Advanced RISC Machines (ARM) introduces TrustZone technology, which divides the working status of the central processing unit (CPU) into Normal World and Normal World. Secure World Secure World, when the CPU works in the Normal World state, even users with root privileges cannot access any resources in the Secure World state. The system can switch between the Secure World state and the Normal World state of the ARM core by calling the secure monitor call (smc) command. When the system calls the SMC command, the system will fall into Monitor Mode. In the embodiment of the present application, combined with trusted execution environment (Trusted execution environment, TEE) technology, the working code executed by the kernel thread can be protected in the TEE.
本申请的一个实施例中,内核线程包括第一线程和第二线程,第一线程视为工作线程,它既执行本来要做的工作即待保护工作,又执行监控工作,第二线程视为监控线程,第一线程对第二线程进行监控,第二线程对第一线程进行监控,形成一个监控环。本申请实施例提供的内核线程的保护方法可以参考图1,包括:In one embodiment of the present application, the kernel thread includes a first thread and a second thread, and the first thread is regarded as a working thread, which not only performs the work to be done originally, but also performs monitoring work, and the second thread is regarded as Monitoring threads, the first thread monitors the second thread, and the second thread monitors the first thread, forming a monitoring loop. The protection method of the kernel thread provided by the embodiment of the present application can refer to FIG. 1, including:
步骤101:通过第一线程执行待保护工作;Step 101: Execute the work to be protected through the first thread;
步骤102:通过第一线程对第二线程进行监控,并通过第二线程对第一线程进行监控;Step 102: monitor the second thread through the first thread, and monitor the first thread through the second thread;
步骤103:若监控到第一线程出现异常或监控到第二线程出现异常,对执行待保护工作时的内存读写操作进行拦截。Step 103: If the first thread is monitored to be abnormal or the second thread is monitored to be abnormal, intercept the memory read and write operations when performing the work to be protected.
本申请实施例中,在监控到异常时,对内存读写操作进行拦截,即直接锁死***防止***进一步被破坏。攻击者如果想攻破第一线程和第二线程之间形成的监控换并且使该攻击行为不被检测到,就必须在监控环保护的一个周期内同时攻破第一线程和第二线程,而在同一周期内同时攻破第一线程和第二线程的难度很大,因此本申请实施例中的内核线程的保护方法的攻破难度较大,从而可以提高对内核线程保护的安全性,以确保待保护工作的安全性。In the embodiment of the present application, when an abnormality is detected, the memory read and write operations are intercepted, that is, the system is directly locked to prevent the system from being further damaged. If an assailant wants to break through the monitoring exchange formed between the first thread and the second thread and make the attack undetectable, he must break through the first thread and the second thread simultaneously within one period of the monitoring ring protection, and It is very difficult to break through the first thread and the second thread at the same time in the same cycle, so it is more difficult to break through the protection method of the kernel thread in the embodiment of the present application, thereby improving the security of the protection of the kernel thread to ensure the protection of the kernel thread. job security.
在一个例子中,在内核启动完成后,比如Linux内核启动完成后,终端可以自动执行一个函数,该函数将依次创建并激活第一线程和第二线程。In an example, after the kernel is started, for example, after the Linux kernel is started, the terminal may automatically execute a function, which will create and activate the first thread and the second thread in sequence.
在步骤101中,需要执行待保护工作的工作代码可以被写入第一线程中,从而使得终端可以通过第一线程执行待保护工作。其中,待保护工作,比如可以为:支付工作、人脸识别工作、指纹识别工作等。本实施例的内核线程的保护方法通过监控环的监控,最终可以保护待保护工作在执行过程中的安全性。In step 101, the work code that needs to execute the work to be protected may be written into the first thread, so that the terminal can execute the work to be protected through the first thread. Among them, the work to be protected, for example, can be: payment work, face recognition work, fingerprint recognition work, etc. The kernel thread protection method of this embodiment can finally protect the safety of the work to be protected during execution through the monitoring of the monitoring ring.
在步骤102中,用于对第二线程进行监控的代码可以被写入第一线程中,从而使得终端可以通过第一线程对第二线程进行监控。用于对第一线程进行监控的代码可以被写入第二线程中,从而终端可以通过第二线程对第一线程进行监控。也就是说,第一线程和第二线程之间可以互相进行监控。In step 102, the code for monitoring the second thread can be written into the first thread, so that the terminal can monitor the second thread through the first thread. The code for monitoring the first thread can be written into the second thread, so that the terminal can monitor the first thread through the second thread. That is to say, the first thread and the second thread can monitor each other.
在步骤103中,若终端监控到第一线程出现异常或监控到第二线程出现异常,则对内存读写操作进行拦截,即在监控到出现异常时,不再执行内存读写操作,直接锁死***防止***进一步被破坏。In step 103, if the terminal monitors that the first thread is abnormal or monitors that the second thread is abnormal, the memory read and write operations are intercepted, that is, when an abnormality is detected, the memory read and write operations are no longer performed, and the memory is directly locked. A dead system prevents further damage to the system.
其中,监控到第一线程的异常可以包括:第一线程的运行状态为死亡状态或永久挂起状态、第一线程的函数代码段被篡改。监控到第二线程的异常和第一线程的异常类似,为避免重复此处不再赘述。也就是说,本步骤中可以通过第一线程对所述第二线程的运行状态进行监控,确定第二线程的运行状态是否为死亡状态或永久挂起状态;通过第二线程对第一线程的运行状态进行监控,确定第一线程的运行状态是否为死亡状态或永久挂起状态。Wherein, the monitored abnormality of the first thread may include: the running state of the first thread is a dead state or a permanently suspended state, and the function code segment of the first thread is tampered with. The monitored exception of the second thread is similar to the exception of the first thread, and will not be repeated here to avoid repetition. That is to say, in this step, the running state of the second thread can be monitored by the first thread to determine whether the running state of the second thread is a dead state or a permanently suspended state; The running state is monitored to determine whether the running state of the first thread is a dead state or a permanently suspended state.
在一个例子中,对执行待保护工作时的内存读写操作进行拦截,包括:在安全世界Secure World的监控模式Monitor Mode中调用TrustZone地址空间控制组件,对执行待保护工作时的内存读写操作进行拦截,方便了高效、准确的拦截内存读写操作。其中,TrustZone地址空间控制组件可以为TZC400控制器或TZC380控制器等,本实施例对此不做具体限定。In one example, the interception of memory read and write operations when performing work to be protected includes: invoking the TrustZone address space control component in the monitor mode of Secure World, to perform memory read and write operations when performing work to be protected Interception facilitates efficient and accurate interception of memory read and write operations. Wherein, the TrustZone address space control component may be a TZC400 controller or a TZC380 controller, etc., which is not specifically limited in this embodiment.
在一个实施例中,考虑到目前对内核线程的攻击可以分为以下两种:1)永久挂起或杀死内核线程,攻击者可能通过各种恶意手段获取到被攻击内核线程的task_struct结构体,然后将内核线程杀死或者永久挂起,这样,被攻击的内核线程就不能再继续执行任务了。2)篡改内核线程执行的工作代码,攻击者可能找到被攻击内核线程执行的工作代码的内存地址,然后直接修改工作代码执行流程或者篡改内核线程所执行的工作代码,达到攻击的目的。基于此,本实施例提供对内核线程的两种监控方式,1)监控内核线程的运行状态是否为死亡状态或永久挂起状态,即监控内核线程所至少包括的第一线程和第二线程的运行状态是否为死亡状态或永久挂起状态。2)监控内核线程所执行的工作代码是否被篡改,即监控内核线程所至少包括的第一线程和第二线程所执行的工作代码是否被篡改。下面分别对两种监控方式进行说明:In one embodiment, considering that the current attacks on kernel threads can be divided into the following two types: 1) Permanently suspend or kill kernel threads, the attacker may obtain the task_struct structure of the attacked kernel thread through various malicious means , and then the kernel thread is killed or permanently suspended, so that the attacked kernel thread can no longer continue to perform tasks. 2) Tampering with the working code executed by the kernel thread, the attacker may find the memory address of the working code executed by the attacked kernel thread, and then directly modify the execution flow of the working code or tamper with the working code executed by the kernel thread to achieve the purpose of the attack. Based on this, the present embodiment provides two kinds of monitoring modes to kernel thread, 1) whether the running state of monitoring kernel thread is dead state or permanently suspended state, promptly the first thread that monitors kernel thread comprises at least and the second thread Whether the running state is dead or permanently suspended. 2) Monitoring whether the working code executed by the kernel thread is tampered with, that is, monitoring whether the working code executed by at least the first thread and the second thread included in the kernel thread is tampered with. The two monitoring methods are described below:
在一个实施例中,在第一线程和第二线程执行的工作代码存储在内核空间的只读代码段的情况下,可以对第一线程和第二线程进行代码只读性检测,当代码只读性检测通过则认为所执行的工作代码未被篡改,当代码只读性检测不通过则认为所执行的工作代码被篡改。通过第一线程对第二线程进行监控,并通过第二线程对第一线程进行监控的实现方式可以参考图2,包括:In one embodiment, in the case that the working code executed by the first thread and the second thread is stored in a read-only code segment of the kernel space, the code read-only detection can be performed on the first thread and the second thread, when the code is only If the readability test passes, it is considered that the executed working code has not been tampered with, and when the code read-only detection fails, it is considered that the executed working code has been tampered with. The implementation of monitoring the second thread through the first thread and monitoring the first thread through the second thread can refer to Figure 2, including:
步骤201:获取第一线程执行的工作代码在内核空间中的第一地址区间,并获取第二线程执行的工作代码在内核空间中的第二地址区间;Step 201: Obtain the first address range in the kernel space of the working code executed by the first thread, and obtain the second address range in the kernel space of the working code executed by the second thread;
步骤202:根据第一地址区间的内容和第二地址区间的内容,对第一线程执行的工作代 码和第二线程执行的工作代码进行校验,得到第一线程对应的第一校验结果和第二线程对应的第二校验结果;Step 202: According to the content of the first address range and the content of the second address range, verify the work code executed by the first thread and the work code executed by the second thread, and obtain the first verification result corresponding to the first thread and The second verification result corresponding to the second thread;
步骤203:根据第一校验结果与第一线程对应的第一标准校验结果,监控第一线程执行的工作代码是否被篡改;Step 203: According to the first verification result corresponding to the first standard verification result of the first thread, monitor whether the working code executed by the first thread has been tampered with;
步骤204:根据第二校验结果与第二线程对应的第二标准校验结果,监控第二线程执行的工作代码是否被篡改。Step 204: According to the second verification result corresponding to the second standard verification result of the second thread, monitor whether the working code executed by the second thread is tampered with.
在一个例子中,步骤202的实现方式可以为:根据第一地址区间的内容进行按字节异或,得到异或结果,将该异或结果作为第一线程对应的第一校验结果。其中,按字节异或的方式可以为:将第一地址区间内的第一个字节的内容和第二个字节的内容进行异或,得到一个异或值,继续将该异或值与第三个字节的内容进行异或,得到一个最新的异或值,再将该新的异或值与第三个字节的内容进行异或,再得到一个最新的异或值,以此类推,直到完成和最后一个字节的异或得到最后一个异或值,该最后一个异或值即为第一校验结果。第二校验结果的获取方式与第一校验结果的获取方式类似,为避免重复,此处不再赘述。In an example, step 202 may be implemented by performing byte-wise XOR according to the contents of the first address range to obtain an XOR result, and using the XOR result as the first verification result corresponding to the first thread. Wherein, the method of XOR by byte can be: XOR the content of the first byte and the content of the second byte in the first address range to obtain an XOR value, and continue to use the XOR value XOR with the content of the third byte to get the latest XOR value, and then XOR the new XOR value with the content of the third byte to get the latest XOR value to By analogy, until the XOR with the last byte is completed to obtain the last XOR value, the last XOR value is the first verification result. The manner of obtaining the second verification result is similar to the manner of obtaining the first verification result, and will not be repeated here to avoid repetition.
在一个例子中,步骤202的实现方式可以为:根据第一地址区间的内容求第一哈希值,将该第一哈希值作为第一线程对应的第一校验结果,根据第二地址区间的内容求第二哈希值,将该第二哈希值作为第二线程对应的第二校验结果。In an example, step 202 may be implemented by: calculating the first hash value according to the content of the first address range, using the first hash value as the first verification result corresponding to the first thread, and calculating the first hash value according to the second address interval A second hash value is calculated for the content of the section, and the second hash value is used as a second verification result corresponding to the second thread.
在步骤203中,如果第一校验结果与第一线程对应的第一标准校验结果相同,则可以确定第一线程执行的工作代码未被篡改,从而确定对第一线程进行的代码只读性检测通过。如果第一校验结果与第一线程对应的第一标准校验结果不同,则可以确定第一线程执行的工作代码被篡改,从而确定对第一线程进行的代码只读性检测未通过。In step 203, if the first verification result is the same as the first standard verification result corresponding to the first thread, it can be determined that the work code executed by the first thread has not been tampered with, thereby determining that the code read-only performed on the first thread sex test passed. If the first verification result is different from the first standard verification result corresponding to the first thread, it can be determined that the working code executed by the first thread has been tampered with, so that it is determined that the code read-only test performed on the first thread fails.
在一个例子中,第一校验结果为异或结果,第一标准校验结果为第一标准异或结果。其中,第一标准异或结果为初次对第一线程进行代码只读性检测得到的异或结果。初次执行代码只读性检测时,在第一线程中调用一条SMC指令将***切换到Monitor Mode,获取第一线程的的工作代码在内核空间中的第一地址区间,对第一地址区间的内容按字节进行异或操作,得到异或结果,初次得到的该异或结果即可以作为第一标准校验结果。In one example, the first verification result is an XOR result, and the first standard verification result is a first standard XOR result. Wherein, the first standard XOR result is the XOR result obtained by performing code read-only detection on the first thread for the first time. When performing code read-only detection for the first time, call an SMC command in the first thread to switch the system to Monitor Mode, obtain the first address range of the working code of the first thread in the kernel space, and check the content of the first address range The XOR operation is performed by byte to obtain the XOR result, and the XOR result obtained for the first time can be used as the first standard verification result.
在一个例子中,第一校验结果为第一哈希值,第一标准校验结果为第一标准哈希值。第一标准哈希值为初次对第一线程进行代码只读性检测得到的哈希值。初次执行代码只读性检测时,在第一线程中调用一条SMC指令将***切换到Monitor Mode,获取第一线程的的工作代码在内核空间中的第一地址区间,对第一地址区间的内容求第一哈希值,初次得到的该第一哈希值即可以作为第一标准哈希值。In one example, the first verification result is a first hash value, and the first standard verification result is a first standard hash value. The first standard hash value is a hash value obtained by performing code read-only detection on the first thread for the first time. When performing code read-only detection for the first time, call an SMC command in the first thread to switch the system to Monitor Mode, obtain the first address range of the working code of the first thread in the kernel space, and check the content of the first address range Find the first hash value, and the first hash value obtained for the first time can be used as the first standard hash value.
在步骤204中,如果第二校验结果与第二线程对应的第二标准校验结果相同,则可以确定第二线程执行的工作代码未被篡改,从而确定对第二线程进行的代码只读性检测通过。如果第二校验结果与第二线程对应的第二标准校验结果不同,则可以确定第二线程执行的工作代码被篡改,从而确定对第二线程进行的代码只读性检测未通过。In step 204, if the second verification result is the same as the second standard verification result corresponding to the second thread, it can be determined that the work code executed by the second thread has not been tampered with, thereby determining that the code read-only for the second thread is sex test passed. If the second verification result is different from the second standard verification result corresponding to the second thread, it can be determined that the working code executed by the second thread has been tampered with, so that it is determined that the code read-only test performed on the second thread fails.
在一个例子中,第二校验结果为异或结果,第二标准校验结果为第二标准异或结果。第二标准异或结果为初次对第二线程进行代码只读性检测得到的异或结果。第二标准异或结果的确定方式与第一标准异或结果的确定方式类似,为避免重复,此处不再赘述。In one example, the second verification result is an XOR result, and the second standard verification result is a second standard XOR result. The second standard XOR result is the XOR result obtained by performing code read-only detection on the second thread for the first time. The determination method of the second standard XOR result is similar to the determination method of the first standard XOR result, and will not be repeated here to avoid repetition.
在一个例子中,第二校验结果为第二哈希值,第二标准校验结果为第二标准哈希值。第二标准哈希值为初次对第二线程进行代码只读性检测得到的哈希值。第二标准哈希值的确定 方式与第一标准哈希值的确定方式类似,为避免重复,此处不再赘述。In one example, the second verification result is a second hash value, and the second standard verification result is a second standard hash value. The second standard hash value is the hash value obtained by performing code read-only detection on the second thread for the first time. The method of determining the second standard hash value is similar to that of the first standard hash value, and will not be repeated here to avoid repetition.
在一个例子中,可以周期性的对第一线程和第二线程进行代码只读性检测,周期性的判断第一线程和第二线程是否通过代码只读性检测。当代码只读性检测未通过时,触发防御措施卡死***,防御措施为对内存读写操作进行拦截。In one example, code read-only testing may be performed periodically on the first thread and the second thread, and periodically determine whether the first thread and the second thread pass the code read-only testing. When the code read-only detection fails, the system will be blocked by a defense measure. The defense measure is to intercept memory read and write operations.
在一个例子中,在步骤201之前,还包括:拦截到从普通世界Normal World向安全世界Secure World中发送的目标SMC指令;其中,所述目标SMC指令用于对函数代码段是否被篡改进行检测。在具体实现中,可以预先设置目标SMC指令对应的目标smc_fid,目标smc_fid可以理解为目标SMC指令的指令标识。当接收到从普通世界Normal World向安全世界Secure World中发送的SMC指令,获取接收的该SMC指令的smc_fid,如果接收的该SMC指令的smc_fid与目标smc_fid相同,则认为接收的该SMC指令为目标SMC指令,从而可以确定拦截到从Normal World向Secure World中发送的目标SMC指令,以继续执行对内核线程的代码只读性检测。In one example, before step 201, it also includes: intercepting the target SMC instruction sent from the normal world Normal World to the secure world Secure World; wherein, the target SMC instruction is used to detect whether the function code segment has been tampered with . In a specific implementation, the target smc_fid corresponding to the target SMC instruction may be preset, and the target smc_fid may be understood as an instruction identifier of the target SMC instruction. When receiving an SMC instruction sent from the Normal World to the Secure World, obtain the smc_fid of the received SMC instruction. If the smc_fid of the received SMC instruction is the same as the target smc_fid, the received SMC instruction is considered to be the target SMC instruction, so that the target SMC instruction sent from the Normal World to the Secure World can be determined to be intercepted, so as to continue to perform code read-only detection on the kernel thread.
本实施例中,结合了TEE技术,在TEE中即Secure World中可以对内核线程执行的工作代码的只读性进行周期性检查保护,通过对目标SMC指令的拦截,能够及时对内核线程所执行的工作代码进行是否被篡改的检测,从而在检测到工作代码被篡改后,及时对内存读写操作进行拦截,以防止***进一步被破坏。In this embodiment, combined with TEE technology, in TEE, that is, Secure World, the read-onlyness of the working code executed by the kernel thread can be periodically checked and protected. By intercepting the target SMC instruction, the code executed by the kernel thread can be timely Check whether the working code has been tampered with, so that after detecting that the working code has been tampered with, the memory read and write operations are intercepted in time to prevent further damage to the system.
在一个实施例中,通过第一线程对第二线程的运行状态进行监控,确定第二线程的运行状态是否为死亡状态或永久挂起状态,包括:检测通过第一线程创建的task_struct类型的第一指针是否为有效指针;其中,第一指针指向第二线程的第一task_struct结构体;在第一指针为有效指针的情况下,检测第一task_struct结构体的state变量的值;在第一task_struct结构体的state变量的值为预设的第一类值的情况下,则确定第二线程的运行状态为死亡状态;在第一task_struct结构体的state变量的值为预设的第二类值的情况下,则确定第二线程的运行状态为不可中断的挂起状态,当第二线程的运行状态为不可中断的挂起状态的持续时长超过预设时长,则确定第二线程的运行状态为永久挂起状态。其中,预设的第一类值可以用于表征死亡状态,比如第一类值可以包括:4、16、32或128等,预设的第二类值可以用于表征不可中断的挂起状态,比如第二类值可以包括:2。预设时长可以根据实际需要进行设置,本实施例对此不做具体限定。In one embodiment, the running state of the second thread is monitored by the first thread, and determining whether the running state of the second thread is a dead state or a permanently suspended state includes: detecting the first task_struct type created by the first thread Whether a pointer is a valid pointer; Wherein, the first pointer points to the first task_struct structure of the second thread; in the case that the first pointer is a valid pointer, detect the value of the state variable of the first task_struct structure; in the first task_struct If the value of the state variable of the structure is the preset first-type value, it is determined that the running state of the second thread is dead; the value of the state variable of the first task_struct structure is the preset second-type value In the case of , it is determined that the running state of the second thread is an uninterruptible suspended state, and when the running state of the second thread is that the duration of the uninterruptible suspended state exceeds a preset duration, then the running state of the second thread is determined is permanently suspended. Among them, the preset first type of value can be used to represent the death state, for example, the first type of value can include: 4, 16, 32 or 128, etc., and the preset second type of value can be used to represent the uninterruptible suspension state , for example, the second type of value can include: 2. The preset duration can be set according to actual needs, which is not specifically limited in this embodiment.
在具体实现中,第一线程中可以运行用于监控第二线程的运行状态的代码,从而终端可以通过第一线程对第二线程的运行状态进行监控。第二线程中可以运行用于监控第一线程的运行状态的代码,从而终端可以通过第二线程对第一线程的运行状态进行监控。当内核线程环即监控环中有线程被杀死或者永久挂起时(即监控到内核线程环中某个线程的运行状态为死亡状态或永久挂起状态),内核线程环就会启动防御措施卡死***。In a specific implementation, code for monitoring the running state of the second thread may run in the first thread, so that the terminal may monitor the running state of the second thread through the first thread. The code for monitoring the running state of the first thread may run in the second thread, so that the terminal may monitor the running state of the first thread through the second thread. When a thread in the kernel thread ring, that is, the monitoring ring, is killed or permanently suspended (that is, the running state of a thread in the kernel thread ring is monitored to be dead or permanently suspended), the kernel thread ring will start defense measures The system is stuck.
在一个例子中,通过第一线程对第二线程的运行状态进行监控,确定第二线程的运行状态是否为死亡状态或永久挂起状态的实现过程可以参考图3,包括:In one example, the implementation process of monitoring the running state of the second thread through the first thread to determine whether the running state of the second thread is a dead state or a permanently suspended state can refer to FIG. 3 , including:
步骤301:获取通过第一线程创建的task_struct类型的第一指针;Step 301: Obtain the first pointer of the task_struct type created by the first thread;
其中,第一指针指向第二线程的第一task_struct结构体。Wherein, the first pointer points to the first task_struct structure of the second thread.
步骤302:while(1);Step 302: while(1);
步骤303:检测获取的第一指针是否为有效指针;如果是,则执行步骤304,否则执行步 骤311;Step 303: Detect whether the acquired first pointer is a valid pointer; if yes, execute step 304, otherwise execute step 311;
步骤304:判断第一task_struct结构体的state变量的值是否为4、16、32或128;如果是,则执行步骤311,否则执行步骤305;Step 304: Determine whether the value of the state variable of the first task_struct structure is 4, 16, 32 or 128; if yes, execute step 311, otherwise execute step 305;
步骤305:获取当前时间点1;Step 305: Get the current time point 1;
步骤306:判断第一task_struct结构体的state变量的值是否为2;如果是,则执行步骤307,否则执行步骤302;Step 306: judge whether the value of the state variable of the first task_struct structure is 2; if yes, execute step 307, otherwise execute step 302;
步骤307:获取当前时间点2,并获取当前时间点1和当前时间点2之间的时间差;Step 307: Obtain the current time point 2, and obtain the time difference between the current time point 1 and the current time point 2;
步骤308:判断时间差是否超过预设时长;如果是则执行步骤309,否则执行步骤310;Step 308: Determine whether the time difference exceeds the preset duration; if yes, execute step 309, otherwise execute step 310;
其中,判断时间差是否超过预设时长,即可以理解为判断第二线程处于不可中断的挂起状态的持续时长是否超过预设时长。Wherein, judging whether the time difference exceeds the preset duration can be understood as judging whether the duration of the second thread in the uninterruptible suspended state exceeds the preset duration.
步骤309:确定第二线程的运行状态为永久挂起状态;Step 309: Determine that the running state of the second thread is permanently suspended state;
步骤310:延迟100毫秒,继续执行步骤306;Step 310: delay for 100 milliseconds, continue to execute step 306;
步骤311:确定第二线程的运行状态为死亡状态。Step 311: Determine that the running state of the second thread is a dead state.
在具体实现中,在步骤309和步骤311之后,即已经确定第二线程出现异常,则可以对内存读写操作进行拦截。In a specific implementation, after step 309 and step 311, that is, it is determined that the second thread is abnormal, then the memory read and write operations may be intercepted.
在一个实施例中,通过第二线程对第一线程的运行状态进行监控,确定第一线程的运行状态是否为死亡状态或永久挂起状态,包括:检测通过第二线程创建的task_struct类型的第二指针是否为有效指针;其中,第二指针指向第一线程的第二task_struct结构体;在第二指针为有效指针的情况下,检测第二task_struct结构体的state变量的值;在第二task_struct结构体的state变量的值为预设的第一类值的情况下,确定第一线程的运行状态为死亡状态;在第二task_struct结构体的state变量的值为预设的第二类值的情况下,确定第一线程的运行状态为不可中断的挂起状态,当第一线程的运行状态为不可中断的挂起状态的持续时长超过预设时长,则确定第一线程的运行状态为永久挂起状态。其中,第一类值、第二类值、预设时长的介绍可以参考上文的相关介绍,为避免重复,此处不再赘述。In one embodiment, the running state of the first thread is monitored by the second thread, and determining whether the running state of the first thread is a dead state or a permanently suspended state includes: detecting the first task_struct type created by the second thread Whether the second pointer is a valid pointer; wherein, the second pointer points to the second task_struct structure of the first thread; in the case that the second pointer is a valid pointer, detect the value of the state variable of the second task_struct structure; in the second task_struct When the value of the state variable of the structure is the preset first-type value, it is determined that the running state of the first thread is dead; the value of the state variable of the second task_struct structure is the preset second-type value In this case, it is determined that the running state of the first thread is an uninterruptible suspended state, and when the running state of the first thread is that the duration of the uninterruptible suspended state exceeds a preset duration, then it is determined that the running state of the first thread is permanent pending state. Among them, the introduction of the first type of value, the second type of value, and the preset duration can refer to the relevant introduction above, and will not be repeated here to avoid repetition.
在一个例子中,通过第二线程对第一线程的运行状态进行监控,确定第一线程的运行状态是否为死亡状态或永久挂起状态的实现过程可以参考图4,包括:In one example, the second thread monitors the running state of the first thread, and the implementation process of determining whether the running state of the first thread is a dead state or a permanently suspended state can refer to FIG. 4 , including:
步骤401:获取通过第二线程创建的task_struct类型的第二指针;Step 401: Obtain a second pointer of task_struct type created by the second thread;
其中,第二指针指向第一线程的第二task_struct结构体。Wherein, the second pointer points to the second task_struct structure of the first thread.
步骤402:while(1);Step 402: while(1);
步骤403:检测获取的第二指针是否为有效指针;如果是,则执行步骤404,否则执行步骤411;Step 403: Detect whether the acquired second pointer is a valid pointer; if yes, go to step 404, otherwise go to step 411;
步骤404:判断第二task_struct结构体的state变量的值是否为4、16、32或128;如果是,则执行步骤411,否则执行步骤405;Step 404: Determine whether the value of the state variable of the second task_struct structure is 4, 16, 32 or 128; if yes, execute step 411, otherwise execute step 405;
步骤405:获取当前时间点1;Step 405: Get the current time point 1;
步骤406:判断第二task_struct结构体的state变量的值是否为2;如果是,则执行步骤407,否则执行步骤402;Step 406: Determine whether the value of the state variable of the second task_struct structure is 2; if yes, execute step 407, otherwise execute step 402;
步骤407:获取当前时间点2,并获取当前时间点1和当前时间点2之间的时间差;Step 407: Get the current time point 2, and get the time difference between the current time point 1 and the current time point 2;
步骤408:判断时间差是否超过预设时长;如果是则执行步骤409,否则执行步骤410;Step 408: Determine whether the time difference exceeds the preset duration; if yes, execute step 409; otherwise, execute step 410;
步骤409:确定第一线程的运行状态为永久挂起状态;Step 409: Determine that the running state of the first thread is permanently suspended state;
步骤410:延迟100毫秒,继续执行步骤406;Step 410: delay for 100 milliseconds, continue to execute step 406;
步骤411:确定第一线程的运行状态为死亡状态。Step 411: Determine that the running state of the first thread is a dead state.
在具体实现中,在步骤409和步骤411之后,即已经确定第一线程出现异常,则可以对内存读写操作进行拦截。In a specific implementation, after step 409 and step 411, that is, it is determined that the first thread is abnormal, then the memory read and write operations may be intercepted.
本申请实施例中,可以及时检测到攻击者可能通过各种恶意手段获取到被攻击内核线程的task_struct结构体,通过对内核线程的工作状态的监控,能够在监控到运行状态为死亡状态或是永久挂起状态时,及时对内存读写操作进行拦截,以防止***进一步被破坏。In the embodiment of this application, it can be detected in time that the attacker may obtain the task_struct structure of the attacked kernel thread through various malicious means. When the state is permanently suspended, the memory read and write operations are intercepted in time to prevent the system from being further damaged.
在一个实施例中,第二线程包括:第一监控线程和第二监控线程,通过第一线程对第二线程进行监控,并通过第二线程对第一线程进行监控,包括:通过第一线程对第一监控线程进行监控,通过第一监控线程对第二监控线程进行监控,并通过第二监控线程对第一线程进行监控。也就是说,内核线程包括:第一线程、第一监控线程、第二监控线程,这三个线程构成监控环。In one embodiment, the second thread includes: a first monitoring thread and a second monitoring thread, the second thread is monitored through the first thread, and the first thread is monitored through the second thread, including: through the first thread The first monitoring thread is monitored, the second monitoring thread is monitored by the first monitoring thread, and the first thread is monitored by the second monitoring thread. That is to say, the kernel thread includes: a first thread, a first monitoring thread, and a second monitoring thread, and these three threads form a monitoring loop.
在一个例子中,第一线程记为工作线程A,第一监控线程记为监控线程B,第二监控线程记为监控线程C,工作线程A、监控线程B和监控线程C组成的监控环可以参考图5,图5中,工作线程A用于对监控线程B的运行状态进行监控,监控线程B用于对监控线程C的运行状态进行监控,监控线程C用于对工作线程A的运行状态进行监控,工作线程A还用于进行代码只读性检测工作。该代码只读性检测工作包括:检测工作线程A要执行的工作代码是否被篡改、检测监控线程B要执行的工作代码是否被篡改、检测监控线程C要执行的工作代码是否被篡改。In one example, the first thread is recorded as working thread A, the first monitoring thread is recorded as monitoring thread B, and the second monitoring thread is recorded as monitoring thread C, and the monitoring ring composed of working thread A, monitoring thread B and monitoring thread C can be With reference to Fig. 5, in Fig. 5, working thread A is used for monitoring the running state of monitoring thread B, and monitoring thread B is used for monitoring the running state of monitoring thread C, and monitoring thread C is used for running state of working thread A For monitoring, worker thread A is also used for code read-only detection. The code read-only detection work includes: detecting whether the working code to be executed by the working thread A has been tampered with, detecting whether the working code to be executed by the monitoring thread B has been tampered with, and detecting whether the working code to be executed by the monitoring thread C has been tampered with.
在一个例子中,在Linux内核启动完成后,终端可以自动执行一个函数,该函数将依次创建并激活上述的工作线程A、监控线程B、监控线程C。工作线程A既执行本来要做的工作,又执行监控工作,监控线程B和监控线程C执行监控工作。三个线程的监控关系如图5所示,工作线程A对监控线程B进行监控,监控线程B对监控线程C进行监控,监控线程C对工作线程A进行监控,形成一个监控环。In an example, after the Linux kernel is started, the terminal can automatically execute a function, which will create and activate the above-mentioned worker thread A, monitoring thread B, and monitoring thread C in sequence. Worker thread A not only performs the work to be done, but also performs monitoring work, and monitoring thread B and monitoring thread C perform monitoring work. The monitoring relationship of the three threads is shown in Figure 5. The working thread A monitors the monitoring thread B, the monitoring thread B monitors the monitoring thread C, and the monitoring thread C monitors the working thread A, forming a monitoring loop.
本申请实施例中,通过三个内核线程形成的监控环,攻击难度更高,即攻击者如果想攻破监控环并且不被检测到,那么必须在监控环保护的一个周期内同时攻破工作线程和两个监控线程,即必须在一个周期内同时攻破三个内核线程,然而在一个周期内同时攻破三个内核线程是十分困难的,因此,本实施例中提供的内核线程的保护方法的攻击难度更高,极大的提升了内核线程的安全性。In the embodiment of this application, the monitoring ring formed by three kernel threads is more difficult to attack, that is, if an attacker wants to break through the monitoring ring without being detected, he must simultaneously break through the worker thread and Two monitoring threads, that is, must break through three kernel threads simultaneously in one cycle, but it is very difficult to break through three kernel threads simultaneously in one cycle, therefore, the attack difficulty of the protection method of kernel thread provided in this embodiment Higher, which greatly improves the security of kernel threads.
值得一提的是,在具体实现中,根据实际需要监控环中的内核线程的数量可以在3个的基础上进一步增加,以进一步增加攻击难度,从而提高内核线程的安全性。It is worth mentioning that in actual implementation, the number of kernel threads in the monitoring ring can be further increased from 3 according to actual needs, so as to further increase the attack difficulty, thereby improving the security of kernel threads.
在一个实施例中,第一线程执行工作时的工作模式包括:内核执行模式、TEE执行模式、混合执行模式;在内核执行模式下,第一线程工作时执行的工作代码被写入第一线程中;在TEE执行模式下,第一线程工作时执行的工作代码被写入在安全世界Secure World中创建的可信应用(Trusted Application,TA)中,第一线程通过调用TA执行工作代码;在混合执行模式下,第一线程工作时执行的第一种工作代码被写入第一线程中,第一线程工作时执行的 第二种工作代码被写入在安全世界Secure World中创建的TA中,第一线程通过调用TA执行第二种工作代码。下面对三种工作模式进行具体说明:In one embodiment, the working mode when the first thread performs work includes: kernel execution mode, TEE execution mode, mixed execution mode; in the kernel execution mode, the work code executed when the first thread is working is written into the first thread In the TEE execution mode, the work code executed when the first thread is working is written in the trusted application (Trusted Application, TA) created in the secure world Secure World, and the first thread executes the work code by calling TA; in In the mixed execution mode, the first type of work code executed when the first thread is working is written into the first thread, and the second type of work code executed when the first thread is working is written into the TA created in the secure world , the first thread executes the second work code by calling TA. The three working modes are described in detail below:
如果需要执行的工作代码量比较大,而且要求执行效率比较高的时候,如果内核态执行可以满足安全性要求,那么可以直接将要执行的工作代码写在第一线程中,这就是内核执行模式。假设,本实施例中的监控环采用如图5所示的监控环,则内核执行模式的示意图可以参考图6,即要执行的工作代码写在工作线程A中。If the amount of work code to be executed is relatively large and the execution efficiency is relatively high, if the kernel mode execution can meet the security requirements, then the work code to be executed can be directly written in the first thread, which is the kernel execution mode. Assuming that the monitoring loop in this embodiment adopts the monitoring loop shown in FIG. 5 , the schematic diagram of the kernel execution mode can refer to FIG. 6 , that is, the working code to be executed is written in the working thread A.
如果需要执行的工作代码量很小,而且对工作的安全性要求很高,内核态执行不足以满足安全要求的话,那么就可以选择在TEE中执行此工作。在Secure World中创建一个TA,然后将安全性要求很高的工作代码写在TA中,然后第一线程通过TEE驱动等调用SMC指令使Secure World中的TA执行工作,这就是TEE执行模式。假设,本实施例中的监控环采用如图5所示的监控环,则TEE执行模式的示意图可以参考图7,即要执行的工作代码写在TA中,工作线程A通过调用SMC指令,使Secure World中的TA执行工作代码。由工作线程A调用Secure World中的TA来完成安全性要求很高的任务。这样,工作线程A执行的工作代码实质上是在TEE中运行的,即使攻击者获得了Normal World下的root权限,也不能知道工作线程A执行了什么任务,保密性极高。If the amount of work code that needs to be executed is small, and the safety requirements for the work are very high, and the execution in kernel mode is not enough to meet the safety requirements, then you can choose to perform this work in TEE. Create a TA in Secure World, then write the work code with high security requirements in TA, and then the first thread calls SMC instructions through the TEE driver to make TA in Secure World perform work. This is the TEE execution mode. Assuming that the monitoring loop in this embodiment adopts the monitoring loop as shown in Figure 5, the schematic diagram of the TEE execution mode can refer to Figure 7, that is, the work code to be executed is written in TA, and the working thread A calls the SMC instruction to make TAs in Secure World execute working code. Worker thread A calls TA in Secure World to complete tasks with high security requirements. In this way, the work code executed by worker thread A is essentially running in the TEE. Even if the attacker obtains the root authority under Normal World, he cannot know what task worker thread A performs, and the confidentiality is extremely high.
如果需要执行的工作代码量比较大,但是只有一部分代码对安全性要求极高,内核态不足以满足它执行的安全性,而其他部分代码的执行完全可以由内核态执行的话,那么就可以选择将安全性要求极高的代码(第二种工作代码)使用TEE执行模式,其他部分代码(第一种工作代码)使用内核执行模式,这就是混合执行模式。假设,本实施例中的监控环采用如图5所示的监控环,则混合执行模式的示意图可以参考图8,第一种工作代码写入工作线程A中,第二种工作代码写入TA中,当工作线程A需要执行第二种工作代码时,可以通过调用SMC指令,使Secure World中的TA执行第二种工作代码。也就是说,在混合执行模式下,将真正对安全性要求很高的工作代码放到TEE中执行,对安全性要求不太高的工作代码放到工作线程A下执行,考虑到将工作代码全部放到TEE中执行中,可能影响执行效率,因此,本实施例中的混合执行模式可以兼顾安全性和执行效率。If the amount of working code that needs to be executed is relatively large, but only a part of the code has extremely high security requirements, and the kernel mode is not enough to meet the security of its execution, and the execution of other parts of the code can be executed by the kernel mode, then you can choose The code with extremely high security requirements (the second working code) uses the TEE execution mode, and other parts of the code (the first working code) use the kernel execution mode, which is the mixed execution mode. Assuming that the monitoring loop in this embodiment adopts the monitoring loop shown in Figure 5, then the schematic diagram of the hybrid execution mode can refer to Figure 8, the first type of work code is written into worker thread A, and the second type of work code is written into TA , when worker thread A needs to execute the second type of work code, it can make TA in Secure World execute the second type of work code by calling the SMC instruction. That is to say, in the hybrid execution mode, the work code that really requires high security is placed in the TEE for execution, and the work code that does not require high security is placed in the worker thread A for execution. Considering that the work code Putting everything into the TEE for execution may affect the execution efficiency. Therefore, the mixed execution mode in this embodiment can take into account both security and execution efficiency.
在具体实现中,考虑到工作代码被写入在Secure World中创建的TA中时,很难被篡改,安全性很高。因此,在TEE执行模式下,由于第一线程工作时执行的工作代码被写入在Secure World中创建的TA中,则可以不对第一线程进行代码只读性检测。在混合执行模式中,由于第一线程中的第二种工作代码被写入在Secure World中创建的TA中,则可以不对第一线程中的第二种工作代码进行代码只读性检测。通过不进行代码只读性检测,在一定程度上可以提高***的执行效率。In the specific implementation, considering that the working code is written into the TA created in Secure World, it is difficult to be tampered with, and the security is very high. Therefore, in the TEE execution mode, since the work code executed when the first thread is working is written into the TA created in Secure World, it is not necessary to perform code read-only detection on the first thread. In the mixed execution mode, since the second working code in the first thread is written into the TA created in Secure World, the code read-only detection may not be performed on the second working code in the first thread. By not performing code read-only detection, the execution efficiency of the system can be improved to a certain extent.
本实施例,具备让用户灵活选择任务执行模式的优势。如果任务代码量大,且要求效率高,用户可以选择在内核模式下执行任务;如果任务代码量不大,对安全性要求很高,用户可以选择在TEE模式下执行任务;如果需要兼顾安全性和任务执行效率,那么用户可以选择在混合模式下执行任务。并且,本实施例并不局限于Linux操作***,还可以在Android操作***甚至其他提供可信执行环境的操作***上使用,因此可移植性更好。而且,本实施例并不对Linux操作***的版本有限制,只要Linux操作***提供可信执行环境即可。This embodiment has the advantage of allowing the user to flexibly select a task execution mode. If the task code is large and requires high efficiency, the user can choose to execute the task in kernel mode; if the task code is not large and requires high security, the user can choose to execute the task in TEE mode; if security is required and task execution efficiency, then users can choose to perform tasks in a hybrid mode. Moreover, this embodiment is not limited to the Linux operating system, and can also be used on the Android operating system or even other operating systems that provide a trusted execution environment, so the portability is better. Moreover, this embodiment is not limited to the version of the Linux operating system, as long as the Linux operating system provides a trusted execution environment.
在具体实现中,操作***厂商和TEE提供商可以按照本申请实施例提供的方法分别对操作***和TEE进行更新,用户的终端通过网络下载更新包后安装更新,当操作***和TEE 均完成更新后,用户的终端即可自动运行本申请实施例中的内核线程的保护方法。In a specific implementation, the operating system manufacturer and the TEE provider can update the operating system and the TEE respectively according to the method provided in the embodiment of the present application. The user's terminal downloads the update package through the network and installs the update. When both the operating system and the TEE are updated After that, the user's terminal can automatically run the kernel thread protection method in the embodiment of the present application.
需要说明的是,本申请实施例中的上述各示例均为为方便理解进行的举例说明,并不对本申请的技术方案构成限定。It should be noted that the above-mentioned examples in the embodiments of the present application are illustrations for the convenience of understanding, and do not limit the technical solution of the present application.
上面各种方法的步骤划分,只是为了描述清楚,实现时可以合并为一个步骤或者对某些步骤进行拆分,分解为多个步骤,只要包括相同的逻辑关系,都在本专利的保护范围内;对算法中或者流程中添加无关紧要的修改或者引入无关紧要的设计,但不改变其算法和流程的核心设计都在该专利的保护范围内。The step division of the above various methods is only for the sake of clarity of description. During implementation, it can be combined into one step or some steps can be split and decomposed into multiple steps. As long as they include the same logical relationship, they are all within the scope of protection of this patent. ; Adding insignificant modifications or introducing insignificant designs to the algorithm or process, but not changing the core design of the algorithm and process are all within the scope of protection of this patent.
本申请实施例还提供了一种终端,如图9所示,包括至少一个处理器901;以及,与至少一个处理器901通信连接的存储器902;其中,存储器902存储有可被至少一个处理器901执行的指令,指令被至少一个处理器901执行,以使至少一个处理器901能够执行上述实施例中的内核线程的保护方法。The embodiment of the present application also provides a terminal, as shown in FIG. 9 , including at least one processor 901; and a memory 902 communicatively connected to the at least one processor 901; An instruction executed by 901, the instruction is executed by at least one processor 901, so that at least one processor 901 can execute the method for protecting a kernel thread in the foregoing embodiment.
其中,存储器902和处理器901采用总线方式连接,总线可以包括任意数量的互联的总线和桥,总线将一个或多个处理器901和存储器902的各种电路连接在一起。总线还可以将诸如***设备、稳压器和功率管理电路等之类的各种其他电路连接在一起,这些都是本领域所公知的,因此,本文不再对其进行进一步描述。总线接口在总线和收发机之间提供接口。收发机可以是一个元件,也可以是多个元件,比如多个接收器和发送器,提供用于在传输介质上与各种其他装置通信的单元。经处理器901处理的数据通过天线在无线介质上进行传输,进一步,天线还接收数据并将数据传送给处理器901。Wherein, the memory 902 and the processor 901 are connected by a bus, and the bus may include any number of interconnected buses and bridges, and the bus connects one or more processors 901 and various circuits of the memory 902 together. The bus may also connect together various other circuits such as peripherals, voltage regulators, and power management circuits, all of which are well known in the art and therefore will not be further described herein. The bus interface provides an interface between the bus and the transceivers. A transceiver may be a single element or multiple elements, such as multiple receivers and transmitters, providing means for communicating with various other devices over a transmission medium. The data processed by the processor 901 is transmitted on the wireless medium through the antenna, further, the antenna also receives the data and transmits the data to the processor 901 .
处理器901负责管理总线和通常的处理,还可以提供各种功能,包括定时,***接口,电压调节、电源管理以及其他控制功能。而存储器902可以被用于存储处理器901在执行操作时所使用的数据。 Processor 901 is responsible for managing the bus and general processing, and may also provide various functions, including timing, peripheral interface, voltage regulation, power management, and other control functions. And the memory 902 may be used to store data used by the processor 901 when performing operations.
本申请实施例还提供了一种计算机可读存储介质,存储有计算机程序。计算机程序被处理器执行时实现上述方法实施例。The embodiment of the present application also provides a computer-readable storage medium storing a computer program. The above method embodiments are implemented when the computer program is executed by the processor.
即,本领域技术人员可以理解,实现上述实施例方法中的全部或部分步骤是可以通过程序来指令相关的硬件来完成,该程序存储在一个存储介质中,包括若干指令用以使得一个设备(可以是单片机,芯片等)或处理器(processor)执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。That is, those skilled in the art can understand that all or part of the steps in the method of the above-mentioned embodiments can be completed by instructing related hardware through a program, the program is stored in a storage medium, and includes several instructions to make a device ( It may be a single-chip microcomputer, a chip, etc.) or a processor (processor) to execute all or part of the steps of the methods described in the various embodiments of the present application. The aforementioned storage media include: U disk, mobile hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disc, etc., which can store program codes. .
本申请实施例中,内核线程至少包括:第一线程和第二线程,通过第一线程执行待保护工作;通过第一线程对第二线程进行监控,并通过第二线程对第一线程进行监控;若监控到第一线程出现异常或监控到第二线程出现异常,对执行待保护工作时的内存读写操作进行拦截。即第一线程视为工作线程,它既执行本来要做的工作即待保护工作,又执行监控工作,第二线程视为监控线程,第一线程对第二线程进行监控,第二线程对第一线程进行监控,形成一个监控环。在监控到异常时,对内存读写操作进行拦截,即直接锁死***防止***进一步被破坏。攻击者如果想攻破监控环并且不被检测到,就必须在监控环保护的一个周期内同 时攻破第一线程和第二线程,而在同一周期内同时攻破第一线程和第二线程的难度很大,因此本申请实施例中的内核线程的保护方法的攻破难度较大,从而可以提高对内核线程保护的安全性。In the embodiment of the present application, the kernel thread includes at least: a first thread and a second thread, the first thread executes the work to be protected; the first thread monitors the second thread, and the second thread monitors the first thread ; If it is monitored that the first thread is abnormal or the second thread is abnormal, intercept the memory read and write operations when performing the work to be protected. That is, the first thread is regarded as a working thread, which not only performs the work to be protected, but also performs monitoring work. The second thread is regarded as a monitoring thread. The first thread monitors the second thread, and the second thread monitors the second thread. One thread monitors to form a monitoring loop. When abnormalities are detected, the memory read and write operations are intercepted, that is, the system is directly locked to prevent further damage to the system. If an attacker wants to break through the monitoring ring without being detected, he must simultaneously break through the first thread and the second thread within one cycle of the monitoring ring protection, and it is very difficult to break through the first thread and the second thread simultaneously within the same cycle. Therefore, the method for protecting the kernel thread in the embodiment of the present application is relatively difficult to attack, thereby improving the security of protecting the kernel thread.
本领域的普通技术人员可以理解,上述各实施方式是实现本申请的具体实施例,而在实际应用中,可以在形式上和细节上对其作各种改变,而不偏离本申请的精神和范围。Those of ordinary skill in the art can understand that the above-mentioned implementation modes are specific examples for realizing the present application, and in practical applications, various changes can be made to it in form and details without departing from the spirit and spirit of the present application. scope.

Claims (10)

  1. 一种内核线程的保护方法,所述内核线程至少包括:第一线程和第二线程,所述方法包括:A method for protecting a kernel thread, the kernel thread at least includes: a first thread and a second thread, and the method includes:
    通过所述第一线程执行待保护工作;Execute the work to be protected by the first thread;
    通过所述第一线程对所述第二线程进行监控,并通过所述第二线程对所述第一线程进行监控;monitoring the second thread through the first thread, and monitoring the first thread through the second thread;
    若监控到所述第一线程出现异常或监控到所述第二线程出现异常,对执行所述待保护工作时的内存读写操作进行拦截。If it is monitored that the first thread is abnormal or the second thread is abnormal, intercept the memory read and write operations when performing the work to be protected.
  2. 根据权利要求1所述的内核线程的保护方法,其中在所述第一线程和第二线程执行的工作代码存储在内核空间的只读代码段的情况下,所述通过所述第一线程对所述第二线程进行监控,并通过所述第二线程对所述第一线程进行监控,包括:The method for protecting a kernel thread according to claim 1, wherein when the working code executed by the first thread and the second thread is stored in a read-only code segment of the kernel space, the pair of The second thread monitors, and monitors the first thread through the second thread, including:
    获取所述第一线程执行的工作代码在所述内核空间中的第一地址区间,并获取所述第二线程执行的工作代码在所述内核空间中的第二地址区间;Obtain a first address range in the kernel space of the working code executed by the first thread, and obtain a second address range in the kernel space of the working code executed by the second thread;
    根据所述第一地址区间的内容和所述第二地址区间的内容,对所述第一线程执行的工作代码和所述第二线程执行的工作代码进行校验,得到所述第一线程对应的第一校验结果和所述第二线程对应的第二校验结果;According to the content of the first address range and the content of the second address range, the work code executed by the first thread and the work code executed by the second thread are verified to obtain the correspondence of the first thread The first verification result of and the second verification result corresponding to the second thread;
    根据所述第一校验结果与所述第一线程对应的第一标准校验结果,监控所述第一线程执行的工作代码是否被篡改;According to the first standard verification result corresponding to the first verification result and the first thread, monitor whether the working code executed by the first thread is tampered with;
    根据所述第二校验结果与所述第二线程对应的第二标准校验结果,监控所述第二线程执行的工作代码是否被篡改。According to the second verification result corresponding to the second standard verification result of the second thread, it is monitored whether the working code executed by the second thread is tampered with.
  3. 根据权利要求2所述的内核线程的保护方法,其中在所述获取所述第一线程执行的工作代码在所述内核空间中的第一地址区间,并获取所述第二线程执行的工作代码在所述内核空间中的第二地址区间之前,还包括:The method for protecting a kernel thread according to claim 2, wherein said obtaining the first address range of the working code executed by the first thread in the kernel space, and obtaining the working code executed by the second thread Before the second address range in the kernel space, it also includes:
    拦截到从普通世界Normal World向安全世界Secure World中发送的目标SMC指令;其中,所述目标SMC指令用于对工作代码是否被篡改进行检测。Intercepting the target SMC command sent from the Normal World to the Secure World; wherein, the target SMC command is used to detect whether the working code has been tampered with.
  4. 根据权利要求1所述的内核线程的保护方法,其中所述通过所述第一线程对所述第二线程进行监控,并通过所述第二线程对所述第一线程进行监控,包括:The method for protecting a kernel thread according to claim 1, wherein said monitoring said second thread through said first thread, and monitoring said first thread through said second thread comprises:
    通过所述第一线程对所述第二线程的运行状态进行监控,确定所述第二线程的运行状态是否为死亡状态或永久挂起状态;Monitor the running state of the second thread through the first thread, and determine whether the running state of the second thread is a dead state or a permanently suspended state;
    通过所述第二线程对所述第一线程的运行状态进行监控,确定所述第一线程的运行状态是否为死亡状态或永久挂起状态。The second thread monitors the running state of the first thread to determine whether the running state of the first thread is a dead state or a permanently suspended state.
  5. 根据权利要求4所述的内核线程的保护方法,其中所述通过所述第一线程对所述第二线程的运行状态进行监控,确定所述第二线程的运行状态是否为死亡状态或永久挂起状态,包括:The method for protecting a kernel thread according to claim 4, wherein the first thread monitors the running state of the second thread to determine whether the running state of the second thread is a dead state or a permanent hang starting status, including:
    检测通过所述第一线程创建的task_struct类型的第一指针是否为有效指针;其中,所述第一指针指向所述第二线程的第一task_struct结构体;Detecting whether the first pointer of the task_struct type created by the first thread is a valid pointer; wherein the first pointer points to the first task_struct structure of the second thread;
    在所述第一指针为有效指针的情况下,检测所述第一task_struct结构体的state变量的值;When the first pointer is a valid pointer, detect the value of the state variable of the first task_struct structure;
    在所述第一task_struct结构体的state变量的值为预设的第一类值的情况下,确定所述第二线程的运行状态为死亡状态;In the case where the value of the state variable of the first task_struct structure is a preset first-type value, determine that the running state of the second thread is a dead state;
    在所述第一task_struct结构体的state变量的值为预设的第二类值的情况下,确定所述第二线程的运行状态为不可中断的挂起状态,当所述第二线程的运行状态为不可中断的挂起状态的持续时长超过预设时长,则确定所述第二线程的运行状态为永久挂起状态;In the case where the value of the state variable of the first task_struct structure is a preset second type value, it is determined that the running state of the second thread is an uninterruptible suspended state, when the running state of the second thread If the duration of the uninterruptible suspended state exceeds a preset duration, then it is determined that the running state of the second thread is a permanently suspended state;
    所述通过所述第二线程对所述第一线程的运行状态进行监控,确定所述第一线程的运行状态是否为死亡状态或永久挂起状态,包括:The monitoring the running state of the first thread through the second thread, and determining whether the running state of the first thread is a dead state or a permanently suspended state includes:
    检测通过所述第二线程创建的task_struct类型的第二指针是否为有效指针;其中,所述第二指针指向所述第一线程的第二task_struct结构体;Detecting whether the second pointer of the task_struct type created by the second thread is a valid pointer; wherein the second pointer points to the second task_struct structure of the first thread;
    在所述第二指针为有效指针的情况下,检测所述第二task_struct结构体的state变量的值;When the second pointer is a valid pointer, detect the value of the state variable of the second task_struct structure;
    在所述第二task_struct结构体的state变量的值为预设的第一类值的情况下,确定所述第一线程的运行状态为死亡状态;In the case where the value of the state variable of the second task_struct structure is a preset first type value, it is determined that the running state of the first thread is a dead state;
    在所述第二task_struct结构体的state变量的值为预设的第二类值的情况下,确定所述第一线程的运行状态为不可中断的挂起状态,当所述第一线程的运行状态为不可中断的挂起状态的持续时长超过预设时长,则确定所述第一线程的运行状态为永久挂起状态。In the case where the value of the state variable of the second task_struct structure is a preset second type value, it is determined that the running state of the first thread is an uninterruptible suspended state, when the running state of the first thread If the duration of the uninterruptible suspended state exceeds a preset duration, it is determined that the running state of the first thread is permanently suspended.
  6. 根据权利要求1所述的内核线程的保护方法,其中所述第一线程执行待保护工作时的工作模式包括:内核执行模式、TEE执行模式、混合执行模式;The method for protecting a kernel thread according to claim 1, wherein the working mode when the first thread executes the work to be protected comprises: a kernel execution mode, a TEE execution mode, and a mixed execution mode;
    在所述内核执行模式下,所述第一线程执行的工作代码被写入所述第一线程中;In the kernel execution mode, the working code executed by the first thread is written into the first thread;
    在所述TEE执行模式下,所述第一线程执行的工作代码被写入在安全世界Secure World中创建的可信应用TA中,所述第一线程通过调用所述TA执行所述工作代码;In the TEE execution mode, the work code executed by the first thread is written in the trusted application TA created in the Secure World, and the first thread executes the work code by calling the TA;
    在所述混合执行模式下,所述第一线程执行的第一种工作代码被写入所述第一线程中,所述第一线程执行的第二种工作代码被写入在安全世界Secure World中创建的可信应用TA中,所述第一线程通过调用所述TA执行所述第二种工作代码。In the mixed execution mode, the first type of work code executed by the first thread is written into the first thread, and the second type of work code executed by the first thread is written into the Secure World In the trusted application TA created in , the first thread executes the second type of work code by calling the TA.
  7. 根据权利要求1至6任一项所述的内核线程的保护方法,其中所述第二线程包括:第一监控线程和第二监控线程,所述通过所述第一线程对所述第二线程进行监控,并通过所述第二线程对所述第一线程进行监控,包括:The method for protecting a kernel thread according to any one of claims 1 to 6, wherein the second thread comprises: a first monitoring thread and a second monitoring thread, and the second thread is controlled by the first thread Monitor, and monitor the first thread through the second thread, including:
    通过所述第一线程对所述第一监控线程进行监控,通过所述第一监控线程对所述第二监控线程进行监控,并通过所述第二监控线程对所述第一线程进行监控。The first monitoring thread is monitored by the first thread, the second monitoring thread is monitored by the first monitoring thread, and the first thread is monitored by the second monitoring thread.
  8. 根据权利要求1至6任一项所述的内核线程的保护方法,其中所述对执行所述待保护工作时的内存读写操作进行拦截,包括:The method for protecting a kernel thread according to any one of claims 1 to 6, wherein said intercepting memory read and write operations when performing the work to be protected includes:
    在安全世界Secure World的监控模式Monitor Mode中调用TrustZone地址空间控制组件,对执行所述待保护工作时的内存读写操作进行拦截。Call the TrustZone address space control component in the Monitor Mode of the Secure World to intercept the memory read and write operations when performing the work to be protected.
  9. 一种终端,包括:至少一个处理器;以及,A terminal comprising: at least one processor; and,
    与所述至少一个处理器通信连接的存储器;其中,a memory communicatively coupled to the at least one processor; wherein,
    所述存储器存储有可被所述至少一个处理器执行的指令,所述指令被所述至少一个处理器执行时,使所述至少一个处理器能够执行如权利要求1至8中任一所述的内核线程的保护方法。The memory stores instructions that can be executed by the at least one processor, and when the instructions are executed by the at least one processor, the at least one processor can perform the operation described in any one of claims 1 to 8. The protection method of the kernel thread.
  10. 一种计算机可读存储介质,存储有计算机程序,所述计算机程序被处理器执行时实现权利要求1至8中任一项所述的内核线程的保护方法。A computer-readable storage medium storing a computer program, the computer program implementing the method for protecting a kernel thread according to any one of claims 1 to 8 when the computer program is executed by a processor.
PCT/CN2022/108692 2021-09-01 2022-07-28 Method for protecting kernel thread, and terminal and computer readable storage medium WO2023029835A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202111022540.6 2021-09-01
CN202111022540.6A CN115729771A (en) 2021-09-01 2021-09-01 Kernel thread protection method, terminal and computer readable storage medium

Publications (1)

Publication Number Publication Date
WO2023029835A1 true WO2023029835A1 (en) 2023-03-09

Family

ID=85292186

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/108692 WO2023029835A1 (en) 2021-09-01 2022-07-28 Method for protecting kernel thread, and terminal and computer readable storage medium

Country Status (2)

Country Link
CN (1) CN115729771A (en)
WO (1) WO2023029835A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150339480A1 (en) * 2014-05-21 2015-11-26 Bitdefender IPR Management Ltd. Hardware-Enabled Prevention of Code Reuse Attacks
CN106201690A (en) * 2016-07-07 2016-12-07 乐视控股(北京)有限公司 Application progress control method and device
CN106599690A (en) * 2016-12-21 2017-04-26 哈尔滨安天科技股份有限公司 Method and system for managing and controlling mobile medium access authority in domestic operating system
CN106933658A (en) * 2015-12-29 2017-07-07 北京明朝万达科技股份有限公司 The method and apparatus of the anti-kill of background process in a kind of operating system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150339480A1 (en) * 2014-05-21 2015-11-26 Bitdefender IPR Management Ltd. Hardware-Enabled Prevention of Code Reuse Attacks
CN106933658A (en) * 2015-12-29 2017-07-07 北京明朝万达科技股份有限公司 The method and apparatus of the anti-kill of background process in a kind of operating system
CN106201690A (en) * 2016-07-07 2016-12-07 乐视控股(北京)有限公司 Application progress control method and device
CN106599690A (en) * 2016-12-21 2017-04-26 哈尔滨安天科技股份有限公司 Method and system for managing and controlling mobile medium access authority in domestic operating system

Also Published As

Publication number Publication date
CN115729771A (en) 2023-03-03

Similar Documents

Publication Publication Date Title
CN109871695B (en) Trusted computing platform with computing and protection parallel dual-architecture
CN109918916B (en) Dual-system trusted computing system and method
US8621628B2 (en) Protecting user mode processes from improper tampering or termination
CN110334521B (en) Trusted computing system construction method and device, trusted computing system and processor
US9990490B2 (en) Generic privilege escalation prevention
KR20180097527A (en) Dual Memory Introspection to Protect Multiple Network Endpoints
CN109948344A (en) A kind of system interaction method based on dual Architecture credible calculating platform
CN111353162B (en) TrustZone kernel-based asynchronous execution active trusted computing method and system
US20180012025A1 (en) Dynamic security module terminal device and method of operating same
CN110321714A (en) The dynamic measurement method and device of credible calculating platform based on dual Architecture
TWI678615B (en) Debugging in a data processing apparatus
CN113051034A (en) Container access control method and system based on kprobes
CN112948086A (en) Credible PLC control system
CN109889477A (en) Server based on trusted cryptography's engine starts method and device
CN107045605A (en) A kind of real-time metrics method and device
CN115879099A (en) DCS controller, operation processing method and protection subsystem
WO2023029835A1 (en) Method for protecting kernel thread, and terminal and computer readable storage medium
CN109495436B (en) Trusted cloud platform measurement system and method
US8925077B2 (en) Mobile devices with inhibited application debugging and methods of operation
CN112363797B (en) Virtual machine safe operation method, electronic equipment and storage medium
CN113821790A (en) Industrial credible computing dual-system architecture implementation method based on Trustzone
CN112269995A (en) Trusted computing platform for parallel computing and protection of smart power grid environment
CN111480160B (en) System, method, and medium for process verification
CN112269996A (en) Dynamic measurement method of block chain main node-oriented active immune trusted computing platform
CN112199673A (en) Method and device for detecting authority lifting behavior and readable storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22862976

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE