CN108595982B - Secure computing architecture method and device based on multi-container separation processing - Google Patents

Secure computing architecture method and device based on multi-container separation processing

Info

Publication number
CN108595982B
Authority
CN
China
Prior art keywords
container
security
lock
file
software
Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
Active
Application number
CN201810222816.7A
Other languages
Chinese (zh)
Other versions
CN108595982A (en)
Inventor
李大双
赵越
苏宏
Current Assignee
CETC 30 Research Institute
Original Assignee
CETC 30 Research Institute
Events
Application filed by CETC 30 Research Institute
Priority to CN201810222816.7A
Publication of CN108595982A
Application granted
Publication of CN108595982B
Legal status: Active

Abstract

(Translated from Chinese) The invention relates to the field of secure computer architecture, in particular to a secure computing architecture method and device based on multi-container separation processing. The proposed computing architecture method contains four different processing containers and adopts multiple security mechanisms: container security isolation, container cooperative defense, security control by external physical locks and internal logic locks, dynamic memory security cleaning, independent supervision of software behavior, secure processing and protection of sensitive files, electronic payment password protection, separate installation of operating system software and application software, and secure upgrading of system software. By executing strict security processing control and operation flows on the proposed secure computing architecture, the goal of secure computing is finally achieved.

Description

Secure computing architecture method and device based on multi-container separation processing
Technical Field
The invention relates to the field of secure computer architecture, in particular to a secure computing architecture method and device based on multi-container separation processing.
Background
Existing computer systems, whether single-core or multi-core, follow a single-physical-container design: the software system and the file system share one physical storage space, and the operating system and all application software run in the same memory. Attack code can therefore use any application as an intrusion carrier, malware such as viruses and trojans can reach the inside of the system through external interfaces such as the network card, optical drive and USB, and a keylogging trojan alone is a serious threat to mobile electronic payment. The traditional single-container architecture was designed for efficiency and reliability only; its security depends entirely on software, either a terminal protection product or cloud-based protection. Because of this inherent architectural defect it has neither defense elasticity nor defense depth, it can hardly resist unknown threats, and the exploitation of any single vulnerability may defeat the whole defense. The weakness is built into the single-container processing architecture, and against today's rapidly developing attack techniques it offers almost no defense at all.
The essence of a network attack is to tamper with the target computer's system software or insert malicious code into its application software, steal the target's sensitive data, sneak into its dynamic memory to obtain an opportunity to execute, or disrupt its normal operation. A computer whose security mechanisms ensure that attack code can never be installed into the targeted software system, never obtains an opportunity to execute, and can never reach sensitive information is highly secure in cyberspace.
Disclosure of Invention
The technical problem solved by the invention is as follows: in view of the problems of the prior art, a secure computing architecture method and device based on multi-container separation processing are provided. The invention proposes a novel secure computing architecture with four-container split defense, in which the functions of the computer are divided according to security defense targets and each container implements the corresponding computing function and defense mechanism. Each container performs only its assigned function and uses a highly targeted security defense mechanism. The protection mechanisms of the individual containers work in coordination, so that the architecture as a whole has defense in depth, the serious consequences of a network attack on the computer are avoided, and the possibility of the computer becoming a zombie after a successful attack is eliminated.
The technical scheme adopted by the invention is as follows:
A secure computing architecture method based on multi-container separation processing comprises the following steps:
Secure computer set-up step: the secure computer is provided with four independently operating processing containers, namely an application-oriented elastic defense container (C1), a TCP/IP protocol stack-oriented elastic defense container (C2), a security isolation container and a secure storage container. C1 and C2 are connected to the security isolation container through an internal first high-speed communication bus, the secure storage container is connected to the security isolation container through an internal second high-speed communication bus, and high-speed communication uses an internal communication protocol format. The C1 container is connected to the display card, optical drive, mouse, USB and RS232 serial port; the C2 container is connected to the network interface; the security isolation container is connected to the keyboard; the secure storage container is provided with a hard disk, a sensitive file FLASH disk, a USBKey interface and a biometric authentication interface; and in addition each container has its own local system software FLASH disk.
Security isolation container isolation step: as the control core of the computer's cooperative defense, the security isolation container enforces security control over the whole processing flow of every application, performs security isolation between the elastic defense containers and the secure storage container, and blocks attack penetration into the secure storage container.
Security protection and control step: the secure computer is provided with an external interface lock, external physical locks and internal logic locks, which jointly implement security protection and management control.
Secure operation supervision step: each processing container of the secure computer is provided with an independent software behavior monitoring module, the security isolation container is additionally provided with a security control module, and these are connected through a security control bus to implement supervisory control of secure operation.
Further, the method further comprises the following steps:
Joint management and control of the external physical locks and the internal logic locks: the secure computer blocks external connections by closing the external interface lock and blocks writes to a FLASH disk by closing its external physical lock; the internal logic lock covers the case where the user forgets to close the external physical lock. Together they prevent software tampering and data theft.
User control of the external physical locks: software cannot open or close the external physical locks of the system software FLASH and sensitive file FLASH disks or the external interface lock; only the computer user can open or close these external physical and interface locks, manually and directly, and so has absolute authority over FLASH read/write access.
Physical lock state monitoring: the independent software behavior monitoring module of each container monitors the open/closed state of that container's FLASH external physical locks and external interface locks and reports it to the security control module over the security control bus, so the security isolation container knows the state of every external interface lock, system software FLASH external physical lock and sensitive file FLASH external physical lock of the computer.
Logic lock management and control: when a workflow requires it, the security isolation container sends an instruction to open or close a container's FLASH internal logic lock over the security control bus; the container's independent software behavior monitoring module receives the instruction and performs the corresponding open/close operation through the local control circuit.
Further, the method further comprises the following steps:
Independent software behavior monitoring step: the independent software behavior monitoring module of each container watches for abnormal software behavior and reports it to the security control module over the security control bus, for example an abnormal execution state (such as an infinite loop), or an abnormal write (such as to the system FLASH) while the FLASH external physical lock and internal logic lock are closed.
Security protection management and control step: the security isolation container monitors the running state of the other containers in real time through the security control module. On receiving a state indication that the software of C1, C2 or the secure storage container is behaving abnormally, it decides, according to the current security workflow, whether to issue a security control instruction through the security control module to restart that container's system software; if so, the network attack is forcibly terminated by restarting the container, and the memory is cleaned to remove the malicious code.
Furthermore, when the secure computer starts, each processing container completes its own start-up independently: the entire dynamic memory is cleaned first, then the system software code is copied from the system software FLASH disk into the preset dynamic memory and executed, after which the container enters its normal working state. As soon as the software of the security isolation container has started, it closes the system software FLASH logic lock and the sensitive file FLASH logic lock of every container, and then obtains the states of the system software FLASH external physical locks, the sensitive file FLASH external physical lock and the computer's external interface lock through the security control module over the security control bus. If it finds that a system software FLASH external physical lock is not closed, the sensitive file FLASH external physical lock is not closed, or the external interface lock is not open, it prompts the user on the C1 interface to close or open the corresponding external lock.
Further, when application software is installed or upgraded, it is registered in the secure storage container and the executable code of the application file is written to the large-capacity hard disk. After receiving an application installation request, the security isolation container sends an install-application command message to the secure storage container, which records the application's name in the application software registry together with the hard disk storage space allocated for its executable code file.
The secure storage container writes the application's executable code file into the allocated hard disk space, deletes the downloaded compressed package and the decompressed installation files, and the installation is complete.
Further, when the user wants to start an application, the C1 container sends a start-application request message, which reaches the secure storage container via the security isolation container.
The secure storage container reads the application's entry in the registry on the hard disk, obtains the storage space allocated for its executable code file, reads that file and transmits it in data blocks to the C1 container, forwarded by the security isolation container; C1 writes the file into dynamically allocated memory and then executes the application.
While the application runs, its temporary files are held in C1's large-capacity DDR; when it finishes, the configuration parameter changes made by the user are transmitted to the secure storage container and saved in the application's configuration file.
Further, in the sensitive file processing mode the following steps are performed in the specified order: close the computer's external interface lock, stop communication with the C2 container over the internal first high-speed communication bus, clean C1's memory, open the external physical lock and the internal logic lock of the sensitive file FLASH, read the sensitive file from the sensitive file FLASH, transmit it to C1 and hold it in C1's DDR temporary file system. C1 starts the corresponding application to open the sensitive file and the user edits it; when processing is finished the file is saved back to the sensitive file FLASH. Then C1's memory is cleaned, the internal logic lock and the external physical lock of the sensitive file FLASH are closed, and the computer's external interface lock is opened again, in that order.
Further, for confidential document processing: in the corresponding security processing mode the following steps are performed in order: close the computer's external interface lock, stop communication with the C2 container over the internal first high-speed communication bus, clean C1's memory, open the external physical lock and the internal logic lock of the sensitive file FLASH, read the confidential file from the sensitive file FLASH, perform storage decryption, transmit the file to C1 and hold it in C1's large-capacity DDR (at least 16 GByte) temporary file system. C1 starts the corresponding application to open the confidential document and the user edits it; when processing is finished the document is storage-encrypted and saved to the sensitive file FLASH. Then C1's memory is cleaned, the internal logic lock and the external physical lock of the sensitive file FLASH are closed, and the computer's external interface lock is opened, in that order.
For confidential file transmission: in the corresponding security processing mode, the confidential file directory read from the hard disk is displayed on C1; the user clicks the confidential file to be sent and selects its recipient; the internal logic lock and the external physical lock of the sensitive file FLASH are opened; the file is storage-decrypted, communication-encrypted and sent by C2 from the confidential communication special protocol port to the specified destination IP address; then the internal logic lock and the external physical lock of the sensitive file FLASH are closed.
For confidential file reception: in the non-confidential communication mode, the C2 container receives the first communication message at the confidential communication special port and passes it to the secure storage container through the security isolation container. After the message is decrypted and confirmed, the external physical lock and the internal logic lock of the sensitive file FLASH are opened and the confidential file is received. Once the file is complete it is communication-decrypted, then encrypted for local storage, written to the sensitive file FLASH, and the external physical lock and the internal logic lock of the sensitive file FLASH are closed.
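The lock management steps, the boot-time lock check, the abnormal-write monitoring and the sensitive-file session described above all reduce to one invariant: a FLASH disk is writable only while its user-operated external physical lock and its isolator-operated internal logic lock are both open, and the sensitive file FLASH is opened only after C1 has been cut off from the network. The following toy model, an added illustration and not the patent's code, encodes that invariant and runs the sensitive-file session against it; the class and lock names are assumptions (the patent only numbers the three external locks 1 to 3 in FIG. 1).

```python
"""Added example (not the patent's code): a toy model of the external physical /
internal logic lock scheme and of the sensitive-file session. Names such as
LockState and the lock identifiers are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

SYS_FLASH = "sys_flash"    # system software FLASH disk (every container has one)
SENS_FLASH = "sens_flash"  # sensitive file FLASH disk (secure storage container)
IFACE = "iface"            # external interface lock of the computer


class LockViolation(Exception):
    """A workflow step found a precondition the earlier steps did not establish."""


@dataclass
class LockState:
    # External physical locks: only the user can move them (manual switches).
    phys_open: Dict[str, bool] = field(
        default_factory=lambda: {SYS_FLASH: False, SENS_FLASH: False, IFACE: True})
    # Internal logic locks: only the security isolation container changes them.
    logic_open: Dict[str, bool] = field(
        default_factory=lambda: {SYS_FLASH: False, SENS_FLASH: False})
    c2_bus_up: bool = True       # internal first high-speed bus between C1 and C2
    c1_mem_clean: bool = False   # whether C1's dynamic memory has been cleaned
    alarms: List[str] = field(default_factory=list)

    def user_set_physical(self, lock: str, is_open: bool) -> None:
        self.phys_open[lock] = is_open

    def isolator_set_logic(self, lock: str, is_open: bool) -> None:
        self.logic_open[lock] = is_open

    def flash_writable(self, lock: str) -> bool:
        """A FLASH disk accepts writes only when BOTH locks are open, so a physical
        lock the user forgot to close is still covered by the logic lock."""
        return self.phys_open[lock] and self.logic_open[lock]

    def boot_check(self) -> List[str]:
        """Isolation container start-up: close every logic lock first, then list the
        external locks the user must still move before normal operation."""
        for lock in self.logic_open:
            self.logic_open[lock] = False
        prompts = []
        if self.phys_open[SYS_FLASH]:
            prompts.append("close the system software FLASH external physical lock")
        if self.phys_open[SENS_FLASH]:
            prompts.append("close the sensitive file FLASH external physical lock")
        if not self.phys_open[IFACE]:
            prompts.append("open the external interface lock")
        return prompts

    def monitored_write(self, container: str, lock: str) -> bool:
        """Software behavior monitor: a write to a FLASH disk whose locks are closed
        is abnormal and is reported over the security control bus."""
        if self.flash_writable(lock):
            return True
        self.alarms.append(f"{container}: abnormal write to {lock} while locked")
        return False


def sensitive_file_session(st: LockState,
                           edit: Callable[[str], str] = lambda text: text) -> str:
    """The ordered steps of the sensitive-file processing mode, each checking the
    precondition the earlier steps should have established."""
    st.user_set_physical(IFACE, False)        # 1. user closes the external interface lock
    st.c2_bus_up = False                      # 2. stop the first high-speed bus to C2
    st.c1_mem_clean = True                    # 3. clean C1's dynamic memory
    if st.phys_open[IFACE] or st.c2_bus_up or not st.c1_mem_clean:
        raise LockViolation("C1 is not cut off from the network")
    st.user_set_physical(SENS_FLASH, True)    # 4. user opens the external physical lock
    st.isolator_set_logic(SENS_FLASH, True)   # 5. isolator opens the internal logic lock
    if not st.flash_writable(SENS_FLASH):
        raise LockViolation("sensitive file FLASH is still locked")
    content = edit("plaintext from sensitive FLASH")   # 6. read, edit in C1's DDR
    if not st.monitored_write("secure_storage", SENS_FLASH):  # 7. save back
        raise LockViolation("write to sensitive file FLASH rejected")
    st.c1_mem_clean = True                    # 8. clean C1's memory again
    st.isolator_set_logic(SENS_FLASH, False)  # 9. close logic lock, then physical lock
    st.user_set_physical(SENS_FLASH, False)
    st.user_set_physical(IFACE, True)         # 10. reopen the external interface lock
    st.c2_bus_up = True
    return content
```

The point of the two-lock scheme shows up in `flash_writable`: a user who opens the physical lock and forgets it stays protected because the isolator only raises the logic lock inside a workflow, and a write attempted while either lock is down is recorded as an alarm rather than silently succeeding.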
Furthermore, in the internet application processing mode the browser can be started only while the system software FLASH external physical lock of every container is closed. When the user browses the internet, the browser is opened on the C1 container's user interface and the website to be visited is selected from a site map; all HTTPS protocol messages generated by the C1 container are forwarded to the C2 container through a virtual TCP/IP stack, the internal first high-speed communication bus and the security isolation container.
The C2 container passes every TCP message received from the network port to the security isolation container over the internal first high-speed communication bus; the security isolation container checks that the TCP data block belongs to a non-confidential communication port and forwards it to the C1 container over the internal first high-speed communication bus.
Further, in the non-sensitive file processing mode, when the user clicks a non-sensitive file to open it, the C1 security application schedules the document processing software appropriate for the file type and sends an instruction message to fetch the specified non-sensitive file to the secure storage container through the security isolation container. The secure storage container reads the file from the hard disk and sends it to C1 through the security isolation container; C1 holds it in its large-capacity DDR temporary file system, processes it, and sends it back to the secure storage container, which stores it on the large-capacity hard disk.
Further, for writing a confidential mail: when the user needs to compose a confidential e-mail, the computer's external interface lock is first closed and C1's memory cleaned; then the external physical lock and the internal logic lock of the sensitive file FLASH are opened, the mail is composed, the mail file is storage-encrypted and saved to the sensitive file FLASH, the external physical lock and the internal logic lock of the sensitive file FLASH are closed, C1's memory is cleaned, and the external interface lock is opened.
For sending a confidential mail: the external physical lock and the internal logic lock of the secure storage container's sensitive file FLASH are opened, the secure storage container reads the confidential mail to be sent, performs storage decryption and then transmission encryption, and the mail is held in C1's DDR temporary file system and sent by C1 through the e-mail system. Finally C1 deletes the confidential e-mail from the DDR temporary file system and cleans the memory it occupied, and the external physical lock and the internal logic lock of the sensitive file FLASH are closed.
For receiving a confidential mail: when the user needs to receive a confidential e-mail, the webmail receiving page is opened, the mail is downloaded and stored in C1's DDR temporary file system, and transferred to the secure storage container through the security isolation container; then the external physical lock and the internal logic lock of the sensitive file FLASH are opened, the secure storage container decrypts the mail, encrypts it with a local key and stores it on the sensitive file FLASH disk; then the internal logic lock and the external physical lock of the sensitive file FLASH are closed.
For viewing a confidential mail: when the user needs to read a confidential e-mail, the external interface lock is first closed and C1's memory cleaned; the user then clicks the mail to read in the confidential mail directory stored on the hard disk; finally the external physical lock and the internal logic lock of the sensitive file FLASH are opened, the specified confidential mail is read from the sensitive file FLASH, storage-decrypted, and transmitted to C1's DDR temporary file system. After processing, C1 cleans its memory, the external physical lock and the internal logic lock of the sensitive file FLASH are closed, and the external interface lock is opened.
Further, when the user needs to submit an electronic payment password, the user clicks the payment transaction dialog on the web page and the browser requests an SSL or SET encrypted session from the electronic payment web server; the security isolation container recognizes the SSL or SET message of the electronic payment request in the message stream forwarded from C1 to C2 and enters the electronic payment working mode.
The security isolation container recognizes the SSL/SET messages returned by the electronic payment web server in the data stream forwarded from the C2 container to the C1 container, keeps a copy of the encryption public key the server sends to the payment terminal, and forwards the messages to the C1 container; the virtual keyboard driver module of C1 receives the user name and password entered in the payment dialog.
The security isolation container then finds the message carrying the encrypted payment password in the SSL or SET stream forwarded from C1 to C2, records it and forwards it to C2; afterwards the security isolation container clears the recorded password and public key.
Further, when the user confirms an upgrade of the system software version, the C1 container sends to the security isolation container a request message specifying the container whose operating system software is to be upgraded. On receiving the request the security isolation container enters the secure upgrade processing mode: it closes the computer's external interface lock, cleans the entire dynamic memory of C1 and C2, and opens the external physical lock and the internal logic lock of the target container's system software FLASH. The secure storage container reads the specified operating system upgrade file from the large-capacity hard disk and transmits it to the security isolation container, which passes the data blocks of the upgrade file to elastic defense container C1 or C2 according to the designated upgrade target, or keeps them in its own dynamic memory if it is itself the target, and the upgrade is performed. When the upgrade is finished the external physical lock and the internal logic lock of the target container's system software FLASH are closed.
In summary, the technical scheme of the invention has the following beneficial effects:
The novel secure computing architecture achieves information security of the computing environment through a man-machine cooperation mode that organically combines internal logic control with external physical control, and through the cooperation of multiple security mechanisms achieves elastic defense, attack isolation, blocking of software system tampering, secure system software upgrade, secure entry of electronic payment passwords, and secure processing, storage and transmission of sensitive and confidential files. It addresses the operational security of computers in insecure network environments (public internet and intranets), makes possible a dual-use military and civilian secure computer that can be connected to the internet, and protects the software system of each computer, the storage and processing of sensitive and confidential file data, and data communication on internet and intranets exposed to known and unknown security threats.
Drawings
The invention will now be described, by way of example, with reference to the accompanying drawings, in which:
FIG. 1 is a diagram of the multi-container secure computing architecture.
FIG. 2 shows the functional composition of the software system of elastic defense container C1.
FIG. 3 shows the functional composition of the software system of elastic defense container C2.
FIG. 4 shows the functional composition of the security isolation container software system.
FIG. 5 shows the functional composition of the secure storage container software system.
FIG. 6 is a flow chart of secure computer boot-up.
FIG. 7 is the internet browsing workflow diagram.
FIG. 8 is the non-sensitive file processing workflow.
FIG. 9 is the sensitive file security processing flow diagram.
FIG. 10 is the confidential document security processing flowchart.
FIG. 11 is the confidential document transmission processing flowchart.
FIG. 12 is the confidential document reception processing flowchart.
FIG. 13 is the confidential mail transmission flowchart.
FIG. 14 is the confidential mail reception flowchart.
FIG. 15 is the electronic payment password protection processing flow diagram.
FIG. 16 is the operating system software upgrade security control flow diagram.
FIG. 17 is the application software installation control flowchart.
FIG. 18 is the application software start-up control flowchart.
FIG. 19 is the secure operation supervision control flow chart.
Reference numerals (the two line symbols of FIG. 1 are not reproduced here):
first line symbol: high-speed communication bus
second line symbol: security control bus
1: system software FLASH external physical lock
2: external interface physical lock
3: sensitive file FLASH external physical lock
Detailed Description
All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations of features and/or steps that are mutually exclusive.
Any feature disclosed in this specification may be replaced by alternative features serving equivalent or similar purposes, unless expressly stated otherwise. That is, unless expressly stated otherwise, each feature is only an example of a generic series of equivalent or similar features.
The computing architecture method and device provided by the invention comprise four different processing containers (elastic defense container C1, elastic defense container C2, a security isolation container and a secure storage container), three external physical security locks (the computer's external interface lock, the system software FLASH external physical lock and the sensitive file FLASH external physical lock), the FLASH internal logic locks, and a number of mechanisms that guarantee secure computing. Elastic defense container C1 defends against security threats arriving through application software; elastic defense container C2 defends against threats against the lower four layers of the TCP/IP protocol stack; the security isolation container coordinates and enforces security control in every processing flow; and the secure storage container stores private sensitive files, non-private non-sensitive files and application program files. Each container has an independent monitoring module for its own software behavior. The computer's external interface lock physically blocks communication between the computer and the outside world, and the FLASH external physical locks and internal logic locks block read/write access to the FLASH disks.
The computing architecture method and device adopt multiple security mechanisms, namely container security isolation, container cooperative defense, security control by external physical locks and internal logic locks, dynamic memory security cleaning, independent supervision of software behavior, secure processing and protection of sensitive files, electronic payment password protection, separate installation of operating system software and application software, and secure system software upgrade; secure computing is finally achieved by executing strict security processing control and operation flows on the proposed architecture.
Multi-container secure computing architecture
A multi-container secure computing architecture is shown in fig. 1.
The novel multi-container secure computer architecture consists of an application-oriented elastic defense container (C1), a TCP/IP protocol stack-oriented elastic defense container (C2), a security isolation container and a secure storage container. The main design idea is to split the functions of the traditional single-container computer architecture according to defense targets, so that each container implements a different computing function together with the corresponding defense function. Each container performs only its assigned function and adopts a highly targeted security defense mechanism. The containers are interconnected by an internal high-speed communication bus and a security control bus.
The application-oriented elastic defense container implements the computer's upper-layer protocols and applications, the drivers for the USB, optical drive, graphics card, mouse and RS232 interfaces, and the corresponding targeted security defense mechanisms. The TCP/IP-oriented elastic defense container implements the TCP/IP protocol stack, the network port driver and the corresponding targeted security defense mechanism. The security isolation container separates the two elastic defense containers, controls the computer's input/output flows, and separates the elastic defense containers from the secure storage container; it also implements the keyboard driver and protects electronic payment passwords and other passwords sent over the network. The secure storage container implements user identity authentication, secure storage of user files, and remote encrypted communication protection for confidential files.
Each container is provided with an independently executing software behavior monitoring hardware module that monitors the container's software behavior, detects unsafe behavior such as illegal reads/writes of the system software FLASH disk, software instruction dead-loop attacks and address out-of-bounds accesses in time, and sends an alarm to the security control module. According to a preset security disposal policy, the security management and control hardware logic can send a control signal directly to the misbehaving container, forcing it to clean its memory and restart.
The external interface lock and the external physical FLASH lock give the computer user absolute control over security management: potentially threatening external interfaces, the system software FLASH disks of all containers, and the sensitive file FLASH disk inside the secure storage container can be locked directly, by physical means. For high-security applications, the sensitive file FLASH disk cannot be read or written unless an internal logic lock is also opened; the internal logic lock exists to avoid security threats caused by a user's management errors.
1. Functional description of the elastic defense containers
The elastic defense containers C1 and C2 are dedicated to dealing with security threats: C1 defends against the threats faced by the various applications, C2 against those faced by the TCP/IP protocol stack, and together they implement the main elastic defense functions. C1 and C2 cannot communicate directly over the internal first high-speed communication bus; protocol messages between them pass under the control of the security isolation container, which decides whether to forward them based on the computer's current working state.
C1 is the main elastic defense entity against attacks in the various application scenarios and greatly mitigates their effects. It implements most of the computing functions of an ordinary computer but has no network port, keyboard interface or TCP/IP protocol stack, replaces the hard disk with a large-capacity DDR memory (16 GByte to 32 GByte) for temporary files, and communicates with the other containers over the internal first high-speed communication bus. It is mainly used for document processing, web browsing, video playback, games, and the drivers for the graphics card, mouse and high-risk interfaces (USB, optical drive, serial port); the TCP/IP protocol stack, network port and keyboard are presented to it as virtual interfaces. C1 runs mainstream security protection software (e.g. 360, AI-based security defense products), and its defense focuses on attacks against vulnerabilities in upper-layer protocols (SMTP, FTP, HTTPS, SSL/TLS, etc.) and application software (IE, OFFICE, video players, image processing, games, etc.), and on virus and Trojan injection via USB, optical drives and serial ports. Before C1 processes a sensitive file, the computer's external interface lock closes all external interfaces except the graphics card and mouse, C1 and C2 clean their memory, the sensitive file is loaded, and memory is cleaned again after processing and saving, so that the file is protected throughout. Writing an upgrade to C1's system software is permitted only under the software security upgrade mechanism and the permission control of the external physical lock and internal logic lock of its FLASH.
The external physical lock on the system software FLASH removes the possibility of malicious tampering with the system software: attack code cannot modify the FLASH, which is what gives the computing container its capacity for elastic defense. The independent software behavior monitoring hardware module in C1 watches the address bus for attack behavior by the software running in the container; as soon as an application is found attempting to tamper with the system software FLASH disk, exhaust CPU capacity or steal system configuration parameters, it reports to the security monitoring module, and disposal measures are taken according to the preset security policy. C1 has no hard disk; a large-capacity DDR takes over the hard disk's temporary storage role, which makes fast cleaning possible. At startup the DDR hosts a temporary file system used only for files being processed in a file-processing flow, tmp files, and the various (mainly txt) log files written at run time; the storage used during file processing can be erased quickly by running the cleaning procedure.
C2's defense focuses on attacks against the TCP/IP protocol stack and DDoS attacks. C2 runs a thin operating system and has no hard disk. It mainly implements the network interface driver and the TCP/IP protocol stack, runs mainstream security protection software (such as 360), concentrates its protection on the MAC layer and the TCP/IP stack, uses an efficient mechanism against TCP flood attacks, and identifies encrypted and unencrypted application traffic by protocol port. On the principle that the simpler the system, the fewer the potential vulnerabilities, the C2 container runs no other applications, so that its functionality is minimal. The software implementation of the TCP/IP stack follows a strict and provable security design to avoid stack overflows, heap overflows and other overflow vulnerabilities. C2 has an independent software behavior monitoring hardware module that performs functions similar to C1's. Writing an upgrade to C2's system software is permitted only under the software security upgrade mechanism and the permission control of the external physical lock and internal logic lock of its FLASH, and C2's network port can only be physically opened under the permission control of the computer's external interface lock.
Write operations to the system software FLASH disks of C1 and C2 are strictly controlled by the external physical lock; the FLASH disks are normally read-only, which directly blocks tampering by viruses, Trojans and other malware arriving from the network, USB, optical drives or serial ports. Even if malware reaches the memory of an elastic defense container and gets a chance to execute, it cannot modify the software systems of C1 or C2 and cannot obtain any sensitive information kept in the secure storage container. The monitoring hardware logic in the independent software behavior monitoring module of each elastic defense container observes abnormal behavior of the container's software over the address bus and alerts the security control module in time.
An elastic defense container consists of its own CPU, DDR, interfaces, FLASH ROM (BIOS), a read-only FLASH disk (holding the operating system and basic application software; its external physical lock and internal logic lock can revoke its write attribute) and independent run-state security monitoring logic. The elastic defense container runs an operating system with strong security mechanisms, plus anti-virus and anti-Trojan security software.
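The address-bus monitoring described above, written out as an added C model (example code, not the patent's hardware logic): it classifies each bus access against the container's memory map and raises the three alarm types the text names, a write into the read-only system software FLASH, an address outside the container's map, and a dead loop. The memory map constants, the dead-loop heuristic (a run of instruction fetches confined to a tiny address window) and its thresholds are assumptions of this example; the patent says only that these behaviors are detected over the address bus and reported to the security control module.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Address map of one elastic defense container as seen on its address bus (assumed layout). */
#define SYS_FLASH_BASE 0x00000000u /* read-only system software FLASH disk */
#define SYS_FLASH_END  0x01000000u
#define RAM_BASE       0x10000000u /* dynamic memory: code is copied here at startup, DDR temp files live here */
#define RAM_END        0x90000000u
#define STUCK_WINDOW   64u         /* fetches that stay inside a window narrower than this ... */
#define STUCK_FETCHES  100000u     /* ... for this many fetches in a row count as a dead loop (assumed) */

typedef enum { ACC_FETCH, ACC_READ, ACC_WRITE } access_kind_t;
typedef enum { ALARM_NONE, ALARM_FLASH_TAMPER, ALARM_OUT_OF_BOUNDS, ALARM_DEAD_LOOP } alarm_t;

typedef struct {
    uint32_t win_lo, win_hi; /* narrowest range covering the current run of instruction fetches */
    uint32_t fetches_in_win; /* length of that run; 0 means no run is being tracked */
} monitor_t;

void monitor_init(monitor_t *m) { m->win_lo = m->win_hi = 0; m->fetches_in_win = 0; }

static bool in_range(uint32_t a, uint32_t lo, uint32_t hi) { return a >= lo && a < hi; }

/* Observe one bus access and return the alarm to send to the security control module, if any. */
alarm_t monitor_observe(monitor_t *m, access_kind_t kind, uint32_t addr)
{
    bool flash = in_range(addr, SYS_FLASH_BASE, SYS_FLASH_END);
    bool ram = in_range(addr, RAM_BASE, RAM_END);
    if (!flash && !ram)
        return ALARM_OUT_OF_BOUNDS;            /* address border crossing */
    if (kind == ACC_WRITE && flash)
        return ALARM_FLASH_TAMPER;             /* write into the read-only system software FLASH */
    if (kind != ACC_FETCH)
        return ALARM_NONE;
    if (m->fetches_in_win == 0) {              /* start tracking a new run of fetches */
        m->win_lo = m->win_hi = addr;
        m->fetches_in_win = 1;
        return ALARM_NONE;
    }
    uint32_t lo = addr < m->win_lo ? addr : m->win_lo;
    uint32_t hi = addr > m->win_hi ? addr : m->win_hi;
    if (hi - lo >= STUCK_WINDOW) {             /* control flow moved on: restart the run here */
        m->win_lo = m->win_hi = addr;
        m->fetches_in_win = 1;
        return ALARM_NONE;
    }
    m->win_lo = lo;
    m->win_hi = hi;
    if (++m->fetches_in_win >= STUCK_FETCHES) {
        m->fetches_in_win = 0;                 /* report once, then start over */
        return ALARM_DEAD_LOOP;
    }
    return ALARM_NONE;
}

/* Replay a trace of accesses and return the first alarm raised (ALARM_NONE for a clean trace). */
alarm_t monitor_replay(monitor_t *m, const access_kind_t *kinds, const uint32_t *addrs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        alarm_t a = monitor_observe(m, kinds[i], addrs[i]);
        if (a != ALARM_NONE) return a;
    }
    return ALARM_NONE;
}
```

The dead-loop heuristic is deliberately crude: legitimate tight loops (a memcpy, a polling wait) also stay inside a small window, so a real monitor would combine it with a watchdog kicked from known-good code or with the forced memory-clean-and-restart response the text describes, and would tune STUCK_FETCHES per container.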
2. Functional description of the security isolation container
The security isolation container's defense is aimed at penetration attacks against the secure storage container and at theft of electronic payment passwords, and at strictly executing the preset security operation flows so as to block attacks on the various vulnerabilities.
The security isolation container is the core of the secure computer: all security processing operations must be executed in order, step by step, under its control. It applies security control and isolation control to communication among the other containers, so that the other three containers communicate only indirectly; the design of the high-speed communication bus ensures they cannot talk to each other directly.
The security isolation container runs no application software and no TCP/IP protocol stack, and communicates with the other containers over a dedicated, concise, strictly designed and strictly security-reviewed communication protocol, so that existing vulnerability-exploitation techniques can be defended against.
The security isolation container is a processing container built on a microcontroller and an embedded micro operating system. It uses the simplest possible software design, implemented as far as possible in the lowest-level language, to avoid latent security vulnerabilities, and its software flow steps follow a strict and provable security design. It is mainly responsible for forwarding and controlling the communication data messages between the containers, scheduling and executing each security flow, and isolating the secure storage container from penetration attacks by malware running in the elastic containers. It also implements the USB keyboard driver and its protection: a keyboard must pass a strict security test before it can be used, and a keyboard carrying an attack virus or Trojan is refused. The numeric keypad is mainly used to enter the password required for electronic payment transactions, so that a Trojan eavesdropping on a keyboard in the elastic container cannot steal it. Besides watching for software tampering attacks and CPU capacity exhaustion attacks, the independent software behavior monitoring module in the security isolation container monitors the execution of its fixed, single-purpose software code.
3. Functional description of the secure storage container
The secure storage container's defense focuses on theft of sensitive and confidential files, man-in-the-middle attacks against the secure communication protocol, and attacks that impersonate a confidential terminal. The secure storage container is a natively clean, secure operating environment dedicated to storing user files and performing encryption/decryption, and it protects the remote encrypted transmission of confidential files over a secure communication protocol. It consists of its own CPU, DDR, a FLASH system disk (holding the operating system software; its write attribute can be revoked by its external physical lock and internal logic lock), a FLASH file disk (holding sensitive files; its read/write attributes can be revoked by its external physical lock and internal logic lock), a hard disk (holding the non-sensitive file system and the security log), an administrator identity authentication interface and a USBKey interface. Operations on the sensitive file FLASH disk are strictly controlled by fingerprint/iris biometric or USBKey identity authentication, and are possible only while the external physical lock is open. Write operations on the FLASH file disk are additionally controlled by a password authentication protocol and by the combined security control of an external switch and the USBKey.
Corresponding directories for general files, sensitive files and confidential files are created on the hard disk of the secure storage container.
(II) Secure computer workflow
1. Power-on security control flow
When the secure computer is powered on, the following steps are taken:
Step 1: The security isolation container, having the simplest software, starts first and enters the ready state. Through its security control hardware module it sends, over the security control bus, an instruction to the software behavior independent monitoring module of each container to close the internal logic locks of the system software FLASH and of the sensitive file FLASH. Each container's monitoring module reads the state of the external interface lock and/or external FLASH physical lock connected to its processor and reports it to the security control module over the security control bus.
Step 2: Each container completes its own startup: it first cleans the entire dynamic memory, copies the system software code from the system software FLASH disk into the preset dynamic memory for execution, sets up the stack, partitions and initializes the memory areas, and enters the normal working state; the C1 container also erases any trace in the large-capacity DDR temporary file storage area and creates a temporary file system there. Each container then sends a startup indication message to the security isolation container.
Step 3: After the secure storage container has started, if it detects that the user has not inserted the USBKey, the security isolation container tells C1 to prompt the user to insert it; once the USBKey is detected, the boot password stored in it is read, packaged in a startup-completion indication message and sent to the security isolation container (for ordinary applications, the boot password is taken from a hard disk file in the secure storage container instead).
Step 4: After receiving the startup-completion indication messages of the other containers, the security isolation container tells C1 to prompt the user for the power-on password on the display, records each password symbol the user enters, and sends a mask symbol in its place to C1 for display.
Step 5: When the security isolation container receives the carriage return entered by the user, it compares the stored password with the one just entered; if they match, C1 displays the normal operating interface and the flow proceeds to the next step.
Step 6: Through its security control hardware module, the security isolation container reads, over the security control bus, the state of the computer's external interface lock, of each container's system software FLASH external physical lock, and of the sensitive file FLASH external physical lock. If the external interface lock is not open, or the sensitive file FLASH external physical lock or some container's system software external physical lock is not closed, a prompt is shown to the user and the current state of each physical lock is displayed in the task bar at the bottom of the secure computer's screen.
Step 7: The security isolation container does not forward data block traffic between C1 and C2 until it detects that all external physical locks and the external interface lock are in the ready state; it then returns to the normal working state and the flow ends.
The computer can now access and browse the internet.
Step 8: If the user needs to perform security-related operations, the user must pass biometric identification (one of fingerprint, iris or 3D face) before the secure working mode can be entered. The secure storage container captures the biometric data entered by the user, extracts the user's biometric features, decrypts the biometric template ciphertext stored on the large-capacity hard disk with the corresponding key in the USBKey, and matches the two. If the match succeeds, it sends a report message to the security isolation container that secure operation is authorized.
Step 9: The security isolation container enters the normal working state with secure operation authorized.
From this point the computer can perform all security processing related to the sensitive file FLASH disk.
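The password and lock gate of steps 4 to 7, as an added C model (example code, not the patent's firmware): it reads the lock states the security control module reports, decides whether the computer is in the ready state in which C1<->C2 traffic is forwarded, masks the echoed password symbols, and compares the entered power-on password with the one read from the USBKey. The struct layout, the fixed count of four containers, the mask symbol and the constant-time comparison are assumptions of this example; the patent specifies only the lock conditions and that the comparison happens inside the security isolation container.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define NUM_CONTAINERS 4 /* C1, C2, security isolation, secure storage (assumed order) */
#define MASK_SYMBOL '*'  /* echoed to C1 in place of each password symbol (assumed) */

/* Lock states as reported to the security control module over the security
 * control bus (model of this example, not the patent's register layout). */
typedef struct {
    bool iface_lock_open;                       /* external interface lock open = interfaces usable */
    bool sys_flash_lock_closed[NUM_CONTAINERS]; /* system software FLASH physical lock, per container */
    bool sens_flash_lock_closed;                /* sensitive file FLASH physical lock */
} lock_state_t;

typedef enum { STARTUP_BAD_PASSWORD, STARTUP_LOCKS_NOT_READY, STARTUP_READY } startup_result_t;

/* Steps 6 and 7: the "ready state" in which C1<->C2 data blocks are forwarded.
 * Every system software FLASH lock and the sensitive file FLASH lock must be
 * closed (write-protected) and the external interface lock must be open. */
bool locks_ready(const lock_state_t *s)
{
    if (!s->iface_lock_open || !s->sens_flash_lock_closed)
        return false;
    for (size_t i = 0; i < NUM_CONTAINERS; i++)
        if (!s->sys_flash_lock_closed[i])
            return false;
    return true;
}

/* Step 4: the isolation container keeps the entered symbols itself and hands
 * C1 only mask symbols, so the password never reaches C1's memory. Returns the
 * number of symbols echoed. */
size_t mask_echo(const char *entered, char *echo, size_t echo_cap)
{
    size_t n = strlen(entered);
    if (echo_cap == 0) return 0;
    if (n > echo_cap - 1) n = echo_cap - 1;
    memset(echo, MASK_SYMBOL, n);
    echo[n] = '\0';
    return n;
}

/* Step 5: compare the boot password read from the USBKey with the entered one.
 * The running time does not depend on where the first mismatch is (an added
 * hardening choice, not something the patent specifies), so response timing
 * on the isolation container does not reveal how many leading symbols were right. */
bool password_matches(const char *stored, const char *entered)
{
    size_t ls = strlen(stored), le = strlen(entered);
    size_t diff = ls ^ le;                /* a length mismatch is itself a mismatch */
    size_t n = ls > le ? ls : le;
    for (size_t i = 0; i < n; i++) {
        unsigned char a = ls ? (unsigned char)stored[i % ls] : 0;
        unsigned char b = le ? (unsigned char)entered[i % le] : 0;
        diff |= (size_t)(a ^ b);
    }
    return diff == 0;
}

/* Steps 5 to 7 in order: a wrong password stops the flow; a lock that is not in
 * the ready state leaves C1<->C2 blocked and the user prompted; otherwise the
 * isolation container enters the normal working state. */
startup_result_t startup_gate(const lock_state_t *locks, const char *stored, const char *entered)
{
    if (!password_matches(stored, entered)) return STARTUP_BAD_PASSWORD;
    if (!locks_ready(locks))               return STARTUP_LOCKS_NOT_READY;
    return STARTUP_READY;
}
```

Checking the password before the locks matches the order of the steps; note that the lock poll in step 6 is repeated until the user corrects the locks, so locks_ready is meant to be re-evaluated on every poll rather than once.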
2. Internet browsing flow
When a user browses the internet, the following steps are taken:
Step 1: The user opens the browser on the operating interface and clicks the internet site to visit from the site map; the HTTPS protocol in the C1 container issues a connection request, which passes through C1's virtual TCP/IP stack and the internal first high-speed communication bus to the security isolation container.
Step 2: The security isolation container forwards this HTTPS connection request message to C2 over the internal first high-speed communication bus.
Step 3: After receiving the HTTPS connection request from the internal first high-speed communication bus, the C2 container passes it through its own TCP/IP protocol stack, which adds the TCP protocol header, and transmits it to the internet through the network port.
Step 4: For a TCP data block received from the network port, the C2 container's TCP/IP stack strips the TCP protocol header and sends the data block to the security isolation container over the internal first high-speed communication bus.
Step 5: After receiving the TCP data block, the security isolation container checks that it belongs to a non-confidential communication port and forwards it to the C1 container over the internal first high-speed communication bus.
Step 6: The C1 container receives the message over the internal first high-speed bus communication protocol and passes it up through its virtual TCP/IP stack to the HTTPS protocol interface.
Step 7: The website content is displayed in the browser and the user can browse the web page.
Step 8: If, while browsing, the user wants to copy web page content into a non-sensitive file, the user can open OFFICE software (such as the WORD tool) at the same time; after copying and editing, the file is first stored temporarily in the temporary file system in the large-capacity DDR. A save-non-sensitive-file command is then issued through the security application interface, the file is forwarded via the security isolation container to the secure storage container according to the entry in the temporary file system directory, and saved to the large-capacity hard disk. Finally the file temporarily stored in the temporary file system is deleted.
This completes an internet browsing flow.
3. Non-sensitive file processing flow
When the user needs to process a non-sensitive file, the following steps are taken:
Step 1: The user opens the security application and clicks the non-sensitive file processing button on the operating interface; the C1 security application sends a request message for the non-sensitive file directory to the security isolation container, which forwards it to the secure storage container. The secure storage container reads the non-sensitive file directory stored on its hard disk and returns it to C1 via the security isolation container.
Step 2: The user clicks the non-sensitive file to open; the C1 security application opens the appropriate document processing software for the file type and sends a request message for processing the non-sensitive file to the security isolation container. On receiving the request, the security isolation container sends an indication message to the secure storage container to fetch the specified non-sensitive file, and itself stays in the normal working mode.
Step 3: The secure storage container reads the non-sensitive file from the large-capacity hard disk and sends it over the internal high-speed bus communication protocol, via the second high-speed communication bus, to the security isolation container, which passes it on to the elastic defense container C1; C1 stores the whole file temporarily in the temporary file system in the large-capacity DDR and finally displays it on the secure computer's interface through the OFFICE document processing software.
Step 4: The user can browse, edit and play the non-sensitive file. If it needs to be saved afterwards (an OFFICE file, for example), a save command is issued on the operating interface and the C1 file processing software first saves the file to the temporary file system in the large-capacity DDR. A save-non-sensitive-file command is then issued through the security application interface, the complete processed file content is sent over the internal high-speed bus communication protocol, via the first high-speed communication bus and the security isolation container, to the secure storage container and written to its large-capacity hard disk, replacing the original file of the same name or stored as a new file. C1 then deletes the file temporarily stored in the temporary file system.
This completes a non-sensitive file processing flow.
4. Sensitive file security processing flow
When a user needs to process a sensitive file, the following steps are taken:
Step 1: The user opens the security application and clicks the sensitive file processing button on its interface; the C1 security application sends a request message for the sensitive file directory to the security isolation container.
Step 2: On receiving C1's request for the sensitive file directory, the security isolation container enters the secure file processing mode, tells C1 to prompt the user on the display to close all the computer's external interface locks, and starts timer T1.
Step 3: Using the external interface lock states obtained by the security management and control hardware module, the security isolation container proceeds to the next step once it determines that all of the computer's external interface locks are closed; otherwise it keeps waiting. If T1 expires, C1 is told that fetching the sensitive file directory has failed, the security isolation container returns to the normal working mode, and the flow ends.
Step 4: Through its security control hardware module and the security control bus, the security isolation container makes the elastic defense containers C1 and C2 start their cleaning mechanism, which cleans all dynamic memory except the area reserved for the operating system, or restarts them quickly so that the restart process cleans the entire dynamic memory.
Step 5: The security isolation container tells C1 to reopen the security application and to prompt the user on the display to open the external physical lock of the sensitive file FLASH, and starts timer T2. Once the state information obtained by the security control hardware module shows that the external physical lock of the sensitive file FLASH is open, the flow proceeds to the next step; otherwise it keeps waiting. If T2 expires, C1 is told that fetching the sensitive file directory has failed, the security isolation container returns to the normal working mode, and the flow ends.
Step 6: Through its security control hardware module and the security control bus, the security isolation container opens the internal logic lock of the sensitive file FLASH, allowing the sensitive file FLASH to be read and written. From this point the security isolation container forwards only the data block messages exchanged between the C1 container and the secure storage container, and no longer forwards any data block messages towards the C2 container.
Step 7: The security isolation container forwards the request message for the sensitive file directory to the secure storage container. The secure storage container reads the sensitive file directory stored on its hard disk and sends it to C1 via the security isolation container, and C1 displays it. The user clicks the sensitive file to open, the security application opens the appropriate document processing software for the file type, and the C1 document processing module sends a request message for processing the sensitive file to the security isolation container.
Step 8: The security isolation container sends an instruction message to the secure storage container to fetch the specified sensitive file.
Step 9: The secure storage container reads the specified sensitive file from the sensitive file FLASH disk and sends it over the internal high-speed bus communication protocol, via the second high-speed communication bus, to the security isolation container, which passes it on to the elastic defense container C1; C1 stores it temporarily in the temporary file system in its large-capacity DDR and finally displays it in the document processing software's interface.
Step 10: The user can browse, edit, modify and play the sensitive file. If it needs to be saved afterwards (an OFFICE file, for example), the user clicks the save button on the operating interface, and the C1 file processing software sends the complete processed file content from the large-capacity DDR temporary file system over the internal high-speed bus communication protocol, via the first high-speed communication bus and the security isolation container, to the secure storage container, which writes it to the sensitive file disk, replacing the original file of the same name or storing it as a new file.
Step 11: The security isolation container closes the internal logic lock of the sensitive file FLASH disk over the security control bus, sends a memory cleaning command to C1 again to remove every trace of the sensitive file from dynamic memory, and erases all traces of the document and tmp files from the temporary file system in C1's large-capacity DDR.
Step 12: The security isolation container tells C1 to prompt the user on the interface to close the external physical lock of the sensitive file FLASH disk.
Step 13: The user closes the external physical lock of the sensitive file FLASH disk and opens the computer's external interface lock.
Step 14: Through its security management and control hardware module and the security control bus, the security isolation container reads the states of the sensitive file FLASH disk's external physical lock and of the external interface lock, and C1 displays them in the task bar on the screen. Once the external physical lock of the sensitive file FLASH disk is closed, the security isolation container returns to the normal working mode and the flow ends.
This completes a sensitive file processing flow.
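The sequence of steps 2 through 14, together with the port-based forwarding decision of the internet browsing flow, as an added C model of the security isolation container's mode state machine (example code, not the patent's firmware). It follows the steps the text fixes: wait for the interface locks to close under timer T1, clean C1/C2 memory, wait for the sensitive file FLASH lock to open under T2, open the internal logic lock and forward only C1<->storage traffic, then close the logic lock, clean again and return to normal mode once the external lock is closed. The tick-based timers, the endpoint enumeration, the set of confidential ports, the denial of C2<->storage traffic, the blocking of data blocks while waiting on the user, and the abort when an interface lock reopens in secure mode are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

typedef enum { EP_C1, EP_C2, EP_STORE } endpoint_t; /* bus endpoints around the isolation container */

typedef enum {
    MODE_NORMAL,            /* C1<->C2 on non-confidential ports and C1<->storage are forwarded */
    MODE_WAIT_IFACE_CLOSED, /* steps 2-3: user must close every external interface lock (timer T1) */
    MODE_WAIT_SENS_OPEN,    /* step 5: user must open the sensitive file FLASH physical lock (timer T2) */
    MODE_SECURE,            /* steps 6-10: internal logic lock open, only C1<->storage forwarded */
    MODE_WAIT_SENS_CLOSED   /* steps 12-14: logic lock closed again, waiting for the physical lock */
} iso_mode_t;

typedef struct {
    bool iface_locks_closed;   /* all external interface locks closed */
    bool sens_flash_lock_open; /* sensitive file FLASH external physical lock open */
} lock_input_t;

typedef struct {
    iso_mode_t mode;
    bool logic_lock_open;   /* internal logic lock of the sensitive file FLASH */
    uint32_t deadline;      /* tick at which the running timer (T1 or T2) expires */
    unsigned cleans_issued; /* memory-cleaning commands sent to C1/C2 so far */
} iso_ctx_t;

typedef enum { TICK_OK, TICK_TIMEOUT, TICK_ABORTED } tick_result_t;

#define T1_TICKS 30u /* assumed timer lengths, in ticks of the caller's clock */
#define T2_TICKS 30u

/* The browsing flow only says a TCP data block is checked to belong to a
 * non-confidential port; which ports are confidential is an assumption here. */
static bool is_confidential_port(uint16_t port) { return port == 8443; }

void iso_init(iso_ctx_t *c) { c->mode = MODE_NORMAL; c->logic_lock_open = false; c->deadline = 0; c->cleans_issued = 0; }

/* Forwarding rule applied to every data block message. C2<->storage is never
 * forwarded in this model (assumption: the text describes only C1<->C2 and C1<->storage). */
bool iso_forward_allowed(const iso_ctx_t *c, endpoint_t src, endpoint_t dst, uint16_t port)
{
    bool c1_c2 = (src == EP_C1 && dst == EP_C2) || (src == EP_C2 && dst == EP_C1);
    bool c1_store = (src == EP_C1 && dst == EP_STORE) || (src == EP_STORE && dst == EP_C1);
    switch (c->mode) {
    case MODE_NORMAL: return c1_c2 ? !is_confidential_port(port) : c1_store;
    case MODE_SECURE: return c1_store; /* step 6: nothing towards C2 */
    default:          return false;    /* waiting on the user: no data blocks forwarded (assumption) */
    }
}

/* Step 2: C1 asked for the sensitive file directory. */
bool iso_request_sensitive(iso_ctx_t *c, uint32_t now)
{
    if (c->mode != MODE_NORMAL) return false;
    c->mode = MODE_WAIT_IFACE_CLOSED;
    c->deadline = now + T1_TICKS;
    return true;
}

/* Step 11: close the internal logic lock first, then clean C1's dynamic memory and DDR temp files. */
static void iso_leave_secure(iso_ctx_t *c)
{
    c->logic_lock_open = false;
    c->cleans_issued++;
    c->mode = MODE_WAIT_SENS_CLOSED; /* step 12: prompt the user to close the physical lock */
}

/* Steps 10-11: the file has been saved (or closed without saving). */
void iso_finish_sensitive(iso_ctx_t *c) { if (c->mode == MODE_SECURE) iso_leave_secure(c); }

/* Periodic poll of the lock states read over the security control bus. */
tick_result_t iso_tick(iso_ctx_t *c, const lock_input_t *in, uint32_t now)
{
    switch (c->mode) {
    case MODE_WAIT_IFACE_CLOSED:
        if (in->iface_locks_closed) {
            c->cleans_issued++;            /* step 4: clean C1 and C2 dynamic memory */
            c->mode = MODE_WAIT_SENS_OPEN; /* step 5: prompt the user and start T2 */
            c->deadline = now + T2_TICKS;
        } else if (now >= c->deadline) {   /* T1 expired: report failure, back to normal mode */
            c->mode = MODE_NORMAL;
            return TICK_TIMEOUT;
        }
        break;
    case MODE_WAIT_SENS_OPEN:
        if (in->sens_flash_lock_open) {
            c->logic_lock_open = true;     /* step 6: open the internal logic lock */
            c->mode = MODE_SECURE;
        } else if (now >= c->deadline) {   /* T2 expired */
            c->mode = MODE_NORMAL;
            return TICK_TIMEOUT;
        }
        break;
    case MODE_SECURE:
        /* Added check, not in the patent: if an interface lock is reopened while the
         * sensitive file sits in C1's memory, close the logic lock and clean at once. */
        if (!in->iface_locks_closed) { iso_leave_secure(c); return TICK_ABORTED; }
        break;
    case MODE_WAIT_SENS_CLOSED:
        if (!in->sens_flash_lock_open) c->mode = MODE_NORMAL; /* step 14 */
        break;
    default:
        break;
    }
    return TICK_OK;
}
```

The invariant worth checking in a real implementation is the one the model makes visible: logic_lock_open is true only in MODE_SECURE, and every path that leaves MODE_SECURE closes the lock before a cleaning command is issued, so a timeout, a save or an abort can never leave the sensitive file FLASH writable while C1 is connected to C2 again.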
5. Confidential file security processing flow
When the user needs to process a confidential file, the following steps are taken:
Step 1: The user opens the security application and clicks the confidential file processing button on its interface; C1 sends a request message for confidential file processing to the security isolation container.
Step 2: On receiving the confidential file processing request message, the security isolation container enters the secure file processing mode, tells C1 to prompt the user on the display to close all the computer's external interface locks, and starts timer T3.
Step 3: Using the state information obtained by the security control hardware module, the security isolation container proceeds to the next step once it determines that the external interface locks are closed; otherwise it keeps waiting. If T3 expires, it returns to the normal working mode and the flow ends.
Step 4: Through its security control hardware module and the security control bus, the security isolation container makes the elastic defense containers C1 and C2 start their cleaning mechanism, which cleans all dynamic memory except the area reserved for the operating system, or restarts them quickly so that the restart process cleans the entire dynamic memory.
Step 5: The security isolation container tells C1 to reopen the security application and to prompt the user on the display to open the external physical lock of the sensitive file FLASH, and starts timer T4. Once the state information obtained by the security control hardware module shows that the external physical lock of the sensitive file FLASH is open, the flow proceeds to the next step; otherwise it keeps waiting. If T4 expires, C1 is told that fetching the confidential file directory has failed, the security isolation container returns to the normal working mode, and the flow ends.
Step 6: Through its security control hardware module and the security control bus, the security isolation container opens the internal logic lock of the sensitive file FLASH, allowing the secure storage container to read and write the sensitive file FLASH disk; from this point the security isolation container forwards only the data block messages between the C1 container and the secure storage container, and no longer forwards any data block messages towards the C2 container.
Step 7: The security isolation container forwards the confidential file processing request message to the secure storage container. The secure storage container reads the confidential file directory stored on its hard disk and sends it to C1 via the security isolation container, where it is displayed in the security application interface. The user clicks the confidential file to open, the security application opens the appropriate document processing software for the file type and sends a request message to the security isolation container to fetch the confidential file.
Step 8: On receiving the request to fetch the confidential file, the security isolation container sends an instruction message to the secure storage container to fetch the specified confidential file.
Step 9: The secure storage container reads the specified confidential file from the sensitive file FLASH disk, decrypts it with the file storage key, and sends it over the internal high-speed bus communication protocol, via the second high-speed communication bus, to the security isolation container, which passes it on to the elastic defense container C1; C1 stores it temporarily in the large-capacity DDR temporary file system and finally displays it on the secure computer's interface through the document processing software.
Step 10: The user can browse, edit, modify and play the confidential file held in the temporary file system. If it needs to be saved afterwards (an OFFICE document, for example), a save command is issued on the security application's operating interface, and the C1 file processing software sends the complete confidential file content from the temporary file system over the internal high-speed bus communication protocol, via the first high-speed communication bus and the security isolation container, to the secure storage container, which encrypts it with the file storage key and writes it to the sensitive file FLASH disk, replacing the original file of the same name or storing it as a new file. When saving is complete, the security isolation container is notified.
The eleventh step: the security isolation container sends a memory cleaning command to the C1 again to clean all traces of the confidential files in the dynamic memory, and erase all traces of the files and tmp files temporarily stored in the C1 temporary file system.
The twelfth step: the security isolation container closes the internal logical lock of the sensitive file FLASH disk and prompts the user on the interface to close the external physical lock of the sensitive file FLASH disk.
The thirteenth step: the user closes the external physical lock of the sensitive file FLASH disk and opens the external interface lock of the computer.
The fourteenth step is that: the security isolation container acquires the states of an external physical lock of the FLASH disk of the sensitive file and an external interface lock of the computer through a security control bus based on a security control hardware module, and reports C1 to display the states on an interface task bar. And if the external physical lock of the FLASH disk of the sensitive file is in a closed state, returning to a normal working mode, and opening the forwarding of the data block message in the direction of C2.
At this point, a complete confidential document processing process is completed.
6. Confidential file secure transmission processing flow
When the security computer transmits the confidential file, the following steps are taken:
The first step: the user opens the security application, clicks the confidential file transfer button on its interface, and sends a confidential file transfer request message to the security isolation container.
The second step: after receiving the confidential file transfer request message, the security isolation container enters the confidential communication mode: it no longer forwards the data block messages between the C1 container and the secure storage container, but forwards the confidential communication data blocks between the secure storage container and C2 on a dedicated TCP or UDP port, and still forwards the Internet access communication data blocks between C1 and C2.
The third step: the security isolation container notifies C1 to prompt the user on its interface to open the external physical lock of the sensitive file FLASH disk, and starts timer T5.
The fourth step: the security isolation container judges, based on the corresponding state information acquired by the security control hardware module, whether the external physical lock of the sensitive file FLASH disk is open; if so, it opens the internal logic lock of the sensitive file FLASH disk through the security control bus, allowing read/write operations on the sensitive file FLASH disk, and enters the next step. If T5 times out, the process ends and returns to the normal working mode.
The fifth step: the security isolation container forwards the confidential file transfer request message to the secure storage container, which sends the confidential file directory on its hard disk to C1 via the security isolation container for display on the interface of the security processing software.
The sixth step: the user clicks the confidential file to be transferred in the confidential file directory; the security processing software prompts the user to select the receiver of the confidential file, includes the receiver's IP address in the confidential file transfer command message, and sends the command message to the secure storage container through the security isolation container.
The seventh step: the secure storage container starts the secure confidential communication protocol, reads the specified confidential file from the sensitive file FLASH disk, decrypts it with the secure storage key in the USBKey, encrypts each data block of the file with the communication key in the USBKey, and forwards the encrypted data blocks to C2 through the first internal high-speed communication bus via the security isolation container. C2 sends them through its TCP/IP protocol stack to the specified IP address via the protocol port dedicated to confidential communication.
The eighth step: after the confidential file has been transmitted, the secure storage container sends a confidential file transmission complete indication to the security isolation container.
The ninth step: after receiving the indication, the security isolation container closes the internal logic lock of the sensitive file FLASH disk through the security control bus.
The tenth step: the security isolation container forwards the transfer complete indication to C1 and notifies C1 to prompt the user on the display interface to close the external physical lock of the sensitive file FLASH disk.
The eleventh step: the security isolation container judges, based on the corresponding state information acquired by the security control hardware module, that the external physical lock of the sensitive file FLASH disk is closed, and returns to the normal communication mode.
This completes a complete confidential file transmission communication process.
7. Confidential document security receiving processing flow
When the security computer receives the confidential file, the following steps are taken:
The first step: while the security isolation container is in the non-confidential communication mode, the first communication message (the confidential communication receiving request) received by the C2 container on the port dedicated to confidential communication is forwarded by the security isolation container to the secure storage container.
The second step: the secure storage container starts the secure communication protocol, decrypts the first communication message with the communication key in the USBKey, and verifies the authenticity and integrity of the message; if verification passes, it reports to the security isolation container, otherwise the message is discarded, the secure communication protocol is closed, and no further operation is performed.
The third step: the security isolation container prompts the user on the human-machine interface to open the external physical lock of the sensitive file FLASH disk and starts timer T6. If T6 times out, the secure storage container is not allowed to receive, and the process ends.
The fourth step: the security isolation container judges, based on the corresponding state information acquired by the security control hardware module, whether the external physical lock of the sensitive file FLASH disk is open; if so, it opens the internal logic lock of the sensitive file FLASH disk through the security control bus, allows read/write operations on the sensitive file FLASH disk, and informs the secure storage container to prepare to receive. The security isolation container no longer forwards data block messages between the C1 container and the secure storage container.
The fifth step: the confidential communication protocol of the secure storage container sends a confidential file receiving ready message to the sender.
The sixth step: after the secure storage container has completely received the whole confidential file, it decrypts each communication ciphertext data block with the communication key in the USBKey, encrypts the whole file with the secure storage key in the USBKey, and stores it on the sensitive file FLASH disk.
The seventh step: after receiving the confidential file, the secure storage container closes the confidential communication protocol and sends a confidential file reception complete indication to the security isolation container.
The eighth step: after receiving the indication, the security isolation container closes the internal logic lock of the sensitive file FLASH disk through the security control bus.
The ninth step: the security isolation container notifies C1 to prompt the user on the display interface to close the external physical lock of the sensitive file FLASH disk.
The tenth step: the security isolation container judges, based on the corresponding state information acquired by the security control hardware module, that the external physical lock of the sensitive file FLASH disk is closed, and the confidential file receiving process is finished.
At this point, a complete confidential file receiving communication process is completed.
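As an added example, not code from the patent, the following Python simulation runs the sending side of section 6 (step 7) against the receiving side of section 7 (steps 2 and 6) for one confidential file. It makes the key separation the two flows rely on concrete: the file is at rest under each side's own secure storage key and travels under the shared communication key; the first message is authenticated before the receiver touches any lock; and a block that fails verification, arrives out of order or is missing aborts the reception without anything being written to the sensitive file FLASH. Sections 8 and 9 describe the same pattern for confidential e-mail, with the mail key in the role of the communication key. The cipher (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, a standard-library stand-in for the USBKey algorithm), the message layout (one header, then numbered blocks) and the dict standing in for the FLASH disk are assumptions made for this example.

```python
"""Confidential file transfer between two secure storage containers (sections 6 and 7):
at rest under each side's own storage key, in flight under the shared communication key.
Added example, not the patent's code.  The cipher is an HMAC-SHA256 counter-mode keystream
with an encrypt-then-MAC tag (a standard-library stand-in for the USBKey algorithm); the
message layout (one header, then numbered blocks) is an assumption."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

NONCE_LEN, TAG_LEN, BLOCK_LEN = 16, 32, 1024


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:  # PRF in counter mode: HMAC(key, nonce || counter)
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate cipher and MAC keys derived from one USBKey key."""
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()


def seal(key: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; aad binds the message's role and sequence number."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, aad: bytes, msg: bytes) -> Optional[bytes]:
    """Verify the tag first; return the plaintext, or None (never partial data) on failure."""
    if len(msg) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = msg[:NONCE_LEN], msg[NONCE_LEN:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SecureStorageContainer:
    """One side's secure storage container: its sensitive-file FLASH and USBKey keys."""

    def __init__(self, storage_key: bytes, comm_key: bytes) -> None:
        self.storage_key = storage_key      # secure storage key, never leaves this side
        self.comm_key = comm_key            # communication key shared with the peer
        self.flash: Dict[str, bytes] = {}   # sensitive-file FLASH: name -> sealed file

    def store(self, name: str, data: bytes) -> None:
        self.flash[name] = seal(self.storage_key, b"file|" + name.encode(), data)

    def load(self, name: str) -> Optional[bytes]:
        return unseal(self.storage_key, b"file|" + name.encode(), self.flash[name])

    def send_file(self, name: str) -> List[bytes]:
        """Section 6 step 7: decrypt with the storage key, re-encrypt block by block."""
        data = self.load(name)
        if data is None:
            raise ValueError("stored file failed authentication")
        blocks = [data[i:i + BLOCK_LEN] for i in range(0, len(data), BLOCK_LEN)] or [b""]
        header = struct.pack(">I", len(blocks)) + hashlib.sha256(data).digest() + name.encode()
        msgs = [seal(self.comm_key, b"hdr", header)]
        for seq, blk in enumerate(blocks):
            msgs.append(seal(self.comm_key, b"blk|" + struct.pack(">I", seq), blk))
        return msgs

    def check_request(self, first: bytes) -> Optional[Tuple[str, int, bytes]]:
        """Section 7 step 2: the first message must verify before any lock is touched."""
        hdr = unseal(self.comm_key, b"hdr", first)
        if hdr is None or len(hdr) < 36:
            return None
        return hdr[36:].decode(), struct.unpack(">I", hdr[:4])[0], hdr[4:36]

    def receive_file(self, name: str, count: int, digest: bytes, blocks: List[bytes]) -> bool:
        """Section 7 step 6: every block verified under the communication key, the whole-file
        digest checked, then the file sealed under this side's own storage key."""
        if len(blocks) != count:
            return False
        parts = []
        for seq, msg in enumerate(blocks):
            blk = unseal(self.comm_key, b"blk|" + struct.pack(">I", seq), msg)
            if blk is None:   # wrong key, tampering, or an out-of-order block
                return False
            parts.append(blk)
        data = b"".join(parts)
        if not hmac.compare_digest(hashlib.sha256(data).digest(), digest):
            return False
        self.store(name, data)
        return True


def transfer(sender: SecureStorageContainer, receiver: SecureStorageContainer,
             name: str, physical_lock_opened: bool = True) -> bool:
    """Relay as C2 does on the dedicated port: header checked (step 2), the user's physical
    lock decision gates the rest (steps 3-4), then the data blocks flow (steps 5-6)."""
    msgs = sender.send_file(name)
    request = receiver.check_request(msgs[0])
    if request is None or not physical_lock_opened:
        return False
    fname, count, digest = request
    return receiver.receive_file(fname, count, digest, msgs[1:])
```

The sealed copies in the two FLASH dicts differ even for the same file, because each side uses its own storage key and a fresh nonce; the communication key alone never lets the peer read what the other side has at rest. In the patent's system both keys live in the USBKey and the messages pass through C2's dedicated confidential port; here they are plain byte strings.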
8. Confidential e-mail safe sending process
When a user needs to securely send a confidential e-mail, the following processing steps are taken:
The first step: in the sensitive file security processing mode, the user writes the mail and stores it, encrypted, on the sensitive file FLASH disk of the secure storage container.
The second step: the user opens the security processing software, clicks the secure mail send button on the interface, and sends a secure mail sending request message to the security isolation container.
The third step: upon receiving the secure mail sending request message, the security isolation container enters the secure mail communication mode, notifies C1 to prompt the user on the human-machine interface to open the external physical lock of the sensitive file FLASH disk, and starts timer T7.
The fourth step: the security isolation container judges, by reading the state, that the external physical lock of the sensitive file FLASH disk is open, opens the internal logic lock of the sensitive file FLASH disk through the security control bus, and sends the secure mail sending request message to the secure storage container. If T7 times out, it returns to the normal working mode and the process ends.
The fifth step: the secure storage container reads the confidential file directory on the hard disk and sends it to C1 through the security isolation container for display on the interface. The user selects and clicks the confidential mail document to be sent, and a secure mail sending command message is sent to the secure storage container.
The sixth step: the secure storage container reads the specified confidential file from the sensitive file FLASH disk, decrypts the confidential mail with the secure storage key in the USBKey, calls the secure mail encryption function, encrypts each data block of the mail with the mail key in the USBKey, and forwards the encrypted data blocks to C1 through the internal first high-speed communication bus via the security isolation container, where they are stored in the C1 high-capacity DDR file system. After the transmission is finished, it notifies the security isolation container to close the internal logic lock of the sensitive file FLASH disk.
The seventh step: upon receiving the notification, the security isolation container immediately closes the internal logic lock of the sensitive file FLASH disk and notifies C1 to prompt the user to close the external physical lock of the sensitive file FLASH disk and to indicate that the secure mail is ready.
The eighth step: in the normal working mode, the user sends the encrypted confidential e-mail temporarily stored in the high-capacity DDR temporary file system, and deletes the temporary file after sending is finished.
The ninth step: the security isolation container judges, based on the corresponding state information acquired by the security control hardware module, that the external physical lock of the sensitive file FLASH disk is closed, and returns to the normal communication mode.
Thus, a complete secure sending process of the confidential e-mail is completed.
9. Confidential mail safe receiving processing flow
When a user needs to securely receive confidential e-mail, the following processing steps are taken:
The first step: the user opens the web mail receiving page, downloads the e-mail, and stores it in the high-capacity DDR temporary file system of C1.
The second step: the user clicks the secure mail storage button on the C1 security processing software interface; the secure mail process first passes the confidential mail to the secure storage container via forwarding by the security isolation container, and then sends an indication message to the security isolation container specifying secure storage of the mail.
The third step: the security isolation container notifies C1 to prompt the user on the human-machine interface to open the external physical lock of the sensitive file FLASH disk.
The fourth step: the security isolation container judges, based on the acquired corresponding state information, that the external physical lock of the sensitive file FLASH disk is open, and then opens the internal logic lock of the sensitive file FLASH disk through the security control bus, allowing read/write operations on the sensitive file FLASH.
The fifth step: the security isolation container issues an indication message to the secure storage container to decrypt the confidential mail.
The sixth step: the secure storage container calls the received-mail decryption function, decrypts the received mail stored on the large-capacity hard disk with the communication key in the USBKey, and temporarily stores the mail plaintext in dynamic memory; after decryption is finished, the mail plaintext is encrypted with the secure storage key in the USBKey and stored on the sensitive file FLASH disk.
The seventh step: after the secure storage container has stored the confidential mail, it clears the traces of the confidential mail from the large-capacity hard disk and sends a confidential mail reception complete indication to the security isolation container.
The eighth step: after receiving the indication, the security isolation container closes the internal logic lock of the sensitive file FLASH disk through the security control bus.
The ninth step: the security isolation container forwards the indication that the confidential mail has been received to C1, and C1 prompts the user on the display interface to close the external physical lock of the sensitive file FLASH disk.
The tenth step: the security isolation container judges, based on the corresponding state information acquired by the security control hardware module, that the external physical lock of the sensitive file FLASH disk is closed, and returns to the normal communication mode.
At this point, a complete confidential mail receiving process is completed.
10. Electronic payment password security protection process
When the user needs to submit the electronic payment password, the following security protection processing steps are adopted:
The first step: the user clicks the payment transaction session box on the web page, and the browser sends a "client call" (client hello) message to the electronic payment Web server requesting an SSL (Secure Sockets Layer) or SET (Secure Electronic Transaction) encrypted session.
The second step: the security isolation container identifies the SSL/SET message of the electronic payment request in the message data stream forwarded from the C1 container to the C2 container, and enters the electronic payment working mode.
The third step: the security isolation container identifies the SSL/SET message with which the electronic payment Web server responds in the data stream forwarded from the C2 container to the C1 container, copies the encryption public key the server sends to the payment terminal, and continues to forward the message to the C1 container.
The fourth step: in the payment session box, the user name is entered with the main keypad and the password with the numeric keys of the keypad; the security isolation container forwards the user name to C1 for receipt by C1's virtual keyboard driver.
The fifth step: the security isolation container records each password digit the user enters on the numeric keys of the keypad, replaces each entered digit with a random digit different from the one entered, and sends the substituted digit to the C1 container for receipt by C1's virtual keyboard driver. C1, and any malicious code running in it, therefore never sees the real password.
The sixth step: the security isolation container finds the SSL/SET protocol message carrying the encrypted payment password in the data stream forwarded from the C1 container to the C2 container, encrypts the recorded payment password digit string with the copied public key, replaces the byte content of the corresponding field in the protocol message with the encryption result, and continues to forward the protocol message to the C2 container. This replacement presupposes that the password field is encrypted directly under the server's public key, as in SET; in an SSL/TLS session the application data is protected by the negotiated session key, so the security isolation container can only perform the substitution if it also takes part in that session.
The seventh step: the secure isolation container clears the recorded password and public key information.
And finishing a complete electronic payment password protection processing process.
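The keyboard and message interposition of steps 2 to 7, as an added example that is not the patent's code. The security isolation container owns the keyboard, so in the electronic payment working mode every digit typed on the numeric keypad is recorded and a different random digit is handed to C1; the outbound message carrying the encrypted password is rewritten with the real digits encrypted under the server public key copied in step 3, after which the recorded digits and the key are cleared. Messages are modelled as dicts with the field names used below (a constructed simplification of the SSL/SET exchange, which assumes, as the flow does, that the password field is encrypted directly under the server's public key), and that encryption is injected as a callable; demo_stand_in_encrypt is a placeholder for it, not a cipher. One check the flow as written does not state is added: if no server public key was captured, the message is dropped rather than forwarded with C1's decoy password in it.

```python
"""Electronic payment password protection (section 10): the security isolation container
sits between the keyboard and C1 and between C1 and C2.  Added example, not the patent's
code.  Messages are dicts with the field names used here (a constructed simplification of
the SSL/SET exchange); the server-public-key encryption is injected as a callable."""
import secrets
from typing import Callable, Dict, List, Optional

Message = Dict[str, object]
PubKeyEncrypt = Callable[[bytes, str], bytes]   # (server public key, password) -> ciphertext


def demo_stand_in_encrypt(server_pubkey: bytes, password: str) -> bytes:
    """Placeholder standing in for encryption under the server's public key (not a cipher)."""
    return b"ENC[" + server_pubkey + b"]" + password.encode()


class PaymentPasswordGuard:
    def __init__(self, encrypt_for_server: PubKeyEncrypt) -> None:
        self._encrypt = encrypt_for_server
        self.active = False                         # electronic payment working mode (step 2)
        self.server_pubkey: Optional[bytes] = None  # copied from the server's response (step 3)
        self._real_digits: List[str] = []           # exists only inside the isolation container

    def recorded_count(self) -> int:
        return len(self._real_digits)

    def forward_c1_to_c2(self, msg: Message) -> Optional[Message]:
        """Steps 2 and 6 on the C1 -> C2 stream; None means the message is not forwarded."""
        if msg.get("type") == "client_hello" and msg.get("purpose") == "payment":
            self.active = True
            return msg
        if self.active and "encrypted_password" in msg:
            if self.server_pubkey is None:
                return None   # added check: never send C1's decoy-password field unreplaced
            out = dict(msg)
            out["encrypted_password"] = self._encrypt(self.server_pubkey, "".join(self._real_digits))
            self._finish()    # step 7: clear the recorded password and the copied public key
            return out
        return msg

    def forward_c2_to_c1(self, msg: Message) -> Message:
        """Step 3 on the C2 -> C1 stream: copy the public key, forward the message unchanged."""
        if self.active and msg.get("type") == "server_hello":
            self.server_pubkey = bytes(msg["public_key"])
        return msg

    def keystroke(self, key: str, numeric_keypad: bool) -> str:
        """Steps 4 and 5: what the isolation container hands to C1's virtual keyboard driver."""
        if not (self.active and numeric_keypad and key.isdigit()):
            return key                            # user name and everything else pass through
        self._real_digits.append(key)
        return secrets.choice([d for d in "0123456789" if d != key])  # a different random digit

    def _finish(self) -> None:
        self._real_digits.clear()
        self.server_pubkey = None
        self.active = False
```

Because the decoy digit is drawn from the nine digits other than the one typed, what C1's browser encrypts and sends is always wrong at every position, and only the rewritten field that leaves through C2 carries the real password.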
11. Safety control flow for operating system software upgrade
The operating system software upgrade includes upgrading the whole operating system software, upgrading part of the system software functions, patch upgrades, and installing new operating system functions.
When the user needs to upgrade the software of the operating system, the following steps are taken:
The first step: the user confirms that the operating system upgrade software package has been downloaded remotely or from a USB disk; the authenticity and integrity of the version are verified with a digital certificate, and the package is decompressed and stored on the large-capacity hard disk of the secure storage container.
The second step: the user opens the security processing program, clicks the operating system software upgrade button on its interface, and selects the container to be upgraded; the C1 container sends a request message for upgrading the operating system software of the specified container to the security isolation container.
The third step: after receiving the request for upgrading the operating system software of the specified container, the security isolation container enters the secure upgrade processing mode, notifies C1 to prompt the user on the display interface to close all external interface locks, and starts timer T8.
The fourth step: the security isolation container judges, based on the corresponding state information acquired by the security control hardware module, whether the external interface lock is closed; if so, it enters the next step, otherwise it continues to wait. If T8 times out, it returns to the normal working mode and the process ends.
The fifth step: based on the security control hardware module, the security isolation container controls the elastic defense containers C1 and C2 through the security control bus to start the cleaning mechanism and clean all dynamic memory areas except the memory area reserved for the operation of the operating system; alternatively, C1 and C2 are quickly restarted so that the whole dynamic memory is cleaned by the restart process.
The sixth step: the security isolation container notifies C1 to prompt the user on the display interface to open the external physical lock of the system software FLASH of the specified container, and starts timer T9. It then judges, based on the corresponding state information acquired by the security control hardware module, whether the external physical lock of the system software FLASH is open; if so, it enters the next step, otherwise it continues to wait. If T9 times out, it returns to the normal working mode and the process ends.
The seventh step: under the control of the security control module, the security isolation container opens the internal logic lock of the system software FLASH of the specified container.
The eighth step: the security isolation container sends an indication message to the secure storage container to acquire the operating system upgrade file.
The ninth step: the secure storage container reads the specified operating system upgrade software file from the large-capacity hard disk and transmits each data block of the file in turn to the security isolation container through the second high-speed communication bus using the internal high-speed bus communication protocol.
The tenth step: according to the target container designated for the upgrade, the security isolation container transfers the data blocks of the operating system upgrade software file to the elastic defense container C1 (the upgrade file may be large and is temporarily stored in the high-capacity DDR temporary file system in C1) or to C2 (the upgrade file is small and is temporarily stored in dynamic memory), or stores the data blocks in the dynamic memory of the security isolation container itself. If the designated target container is the secure storage container, the software upgrade file does not need to be transmitted to the security isolation container.
The eleventh step: the upgrade management software of the designated target container calls the operating system software installation function and performs the upgrade operation on the system software FLASH disk. After the upgrade is finished, it sends an upgrade complete indication message to the security isolation container.
The twelfth step: after the security isolation container receives the indication message that the operating system upgrade is finished, the security control module immediately closes the internal logic lock of the system software FLASH, and the user is prompted on the interface to close the external physical lock of the system software FLASH.
The thirteenth step: the user closes the external physical lock of the system software FLASH and opens the external interface lock.
The fourteenth step: based on the security control hardware module, the security isolation container obtains the states of the external physical lock of the system software FLASH and of the external interface lock through the security control bus and has them shown on the display interface. If the external physical lock of the system software FLASH is in the closed state, it returns to the normal working mode.
Thus, a complete operating system software upgrading process is completed.
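The lock-gated secure mode that the confidential document processing flow of section 5 (timers T3/T4, sensitive file FLASH) and the operating system upgrade flow of section 11 (timers T8/T9, system software FLASH) share, as an added simulation that is not the patent's code. It makes the ordering constraints explicit: the interface locks must be closed and the C1/C2 memory cleaned before the FLASH is ever unlocked; the internal logic lock opens only after the hardware module reports the external physical lock open, and is closed again before the user is asked to relock; each wait is bounded by its timer, and a timeout returns to the normal working mode without opening anything; and the C2 forwarding direction is cut while the logic lock is open (section 11 states no forwarding change, so an upgrade run can pass block_c2=False). The hardware module is a mock whose lock states change on a scripted timeline and which records any attempt to open the logic lock while the physical lock is closed; the poll interval and the bound on the final wait for the user to relock are assumptions.

```python
"""Lock-gated secure mode of the security isolation container, shared by confidential
document processing (section 5: T3/T4, sensitive file FLASH) and operating system
upgrade (section 11: T8/T9, system software FLASH).  Added example, not the patent's
code.  The hardware module is a mock whose lock states change on a scripted timeline;
the poll interval and the bound on the final relock wait are assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


class Clock:
    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class LockState:
    interface_lock_closed: bool = False   # all external interface locks of the computer
    physical_lock_open: bool = False      # external physical lock of the FLASH in question
    logic_lock_open: bool = False         # internal logic lock, set only by the isolation container


@dataclass
class Forwarding:
    c1_to_storage: bool = True
    c1_to_c2: bool = True


class MockSecurityControlHardware:
    """Stand-in for the security control hardware module: the user's lock operations are a
    (time, action) script applied whenever the isolation container polls the control bus."""

    def __init__(self, clock: Clock, script: List[Tuple[float, Callable[[LockState], None]]]) -> None:
        self.clock, self.state, self.violations = clock, LockState(), []
        self._script = sorted(script, key=lambda item: item[0])

    def read(self) -> LockState:
        while self._script and self._script[0][0] <= self.clock.now:
            self._script.pop(0)[1](self.state)
        return self.state

    def set_logic_lock(self, open_: bool) -> None:
        # invariant: the logic lock never opens while the external physical lock is closed
        if open_ and not self.state.physical_lock_open:
            self.violations.append("logic lock opened while physical lock closed")
        self.state.logic_lock_open = open_


class IsolationContainer:
    def __init__(self, hw: MockSecurityControlHardware, clock: Clock,
                 t_interface: float, t_physical: float, poll: float = 1.0) -> None:
        self.hw, self.clock, self.poll = hw, clock, poll
        self.t_interface, self.t_physical = t_interface, t_physical   # T3/T4 or T8/T9
        self.mode, self.forwarding, self.log = "normal", Forwarding(), []

    def _wait(self, cond: Callable[[LockState], bool], timeout: float) -> bool:
        deadline = self.clock.now + timeout
        while self.clock.now <= deadline:
            if cond(self.hw.read()):
                return True
            self.clock.advance(self.poll)
        return False

    def _back_to_normal(self, reason: str) -> str:
        self.hw.set_logic_lock(False)
        self.forwarding, self.mode = Forwarding(), "normal"
        self.log.append("normal mode: " + reason)
        return reason

    def run(self, mode: str, flash: str, operation: Callable[[], None], block_c2: bool = True) -> str:
        """mode: 'secure_document' or 'secure_upgrade'; flash: the FLASH the locks guard;
        operation: what happens while the logic lock is open (file editing, upgrade)."""
        self.mode = mode
        self.log.append("prompt: close all external interface locks")
        if not self._wait(lambda s: s.interface_lock_closed, self.t_interface):
            return self._back_to_normal("interface lock timeout")
        self.log.append("C1/C2 dynamic memory cleaned")        # before anything confidential is loaded
        self.log.append(f"prompt: open external physical lock of {flash}")
        if not self._wait(lambda s: s.physical_lock_open, self.t_physical):
            return self._back_to_normal("physical lock timeout")
        self.hw.set_logic_lock(True)                            # logic lock follows the physical lock
        self.forwarding = Forwarding(c1_to_storage=True, c1_to_c2=not block_c2)
        operation()
        self.log.append("C1 memory and temporary files cleaned")
        self.hw.set_logic_lock(False)                           # closed before the user is asked to relock
        self.log.append(f"prompt: close external physical lock of {flash}, then open the interface locks")
        if not self._wait(lambda s: not s.physical_lock_open, self.t_physical):
            return "physical lock still open: secure mode and forwarding policy retained"
        return self._back_to_normal(mode + " complete")
```

The `violations` list is the check worth keeping in a real implementation: the hardware module, not the software, is the place to refuse a logic-lock open while the physical lock is closed, since the patent's security argument rests on the physical lock being outside the reach of any compromised container.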
12. Application software installation control flow
The installation process of the application software mainly consists of "registering" the application software in the secure storage container and writing the executable code of the application software files to the large-capacity hard disk.
When the user needs to install the application software, the following steps are taken:
The first step: the user confirms that the application software package has been downloaded remotely or from a USB disk; the security, authenticity and integrity of the version are verified with a digital certificate, and the package is decompressed and stored on the large-capacity hard disk of the secure storage container.
The second step: the user opens the security processing program and clicks the application software installation button on its interface; the C1 container sends an application software installation request message to the security isolation container.
The third step: after receiving the application software installation request, the security isolation container sends an application software installation command message to the secure storage container.
The fourth step: the secure storage container records the application name information in the application registry (i.e. a directory file) and records the storage space allocated on the hard disk for the application's executable code file.
The fifth step: the secure storage container writes the executable code file of the application software to the allocated hard disk storage space and deletes the downloaded compressed software package and the decompressed installation files.
The sixth step: the secure storage container sends an indication message to the security isolation container that the installation of the application software is complete, and the security isolation container notifies C1 to display a prompt on the human-machine interface indicating that the installation process is complete.
And finishing a complete application software installation processing process.
13. Control flow of application software starting process
When a user needs to launch application software that can be executed in the operating system environment of the C1 container, the following steps are taken:
The first step: the user opens the security processing program and clicks the application launch button on its interface; the C1 container sends an application software run request message to the security isolation container.
The second step: after receiving the application software launch request, the security isolation container sends an application software launch command message to the secure storage container.
The third step: the secure storage container reads the application software information recorded in the registry on the hard disk and obtains the information on the storage space allocated on the hard disk for the application's executable code file.
The fourth step: the secure storage container reads the application software executable code file and transfers it in the form of data blocks to the C1 container via forwarding by the security isolation container.
The fifth step: the C1 container writes the received application software executable code into dynamically allocated memory and then executes the application software.
The sixth step: during operation of the application software, its temporary files are stored in the high-capacity DDR of C1; when operation ends, the configuration parameter modifications made by the user are transmitted to the secure storage container and saved in the configuration file corresponding to the application software.
And finishing a complete application software starting processing process.
14. Safety operation supervision control flow
When the safety computer works and operates, the safety operation supervision control adopts the following steps:
The first step: the software behavior independent monitoring module of each container acquires the states of the external interface lock and of the external physical lock of the FLASH connected to its processor, and reports them to the security control module through the security control bus.
The second step: after the security isolation container has started, or during operation, the security control hardware module sends, according to the requirements of the flow control, an instruction to close the internal logic locks of the system software FLASH and the sensitive file FLASH to the software behavior independent monitoring module of each container through the security control bus.
The third step: the software behavior independent monitoring module of each container independently monitors the abnormal behavior of the local software. If it finds that the software may be in an infinite loop due to a resource exhaustion attack, or that an illegal write/read operation on the FLASH has occurred while the external physical lock and the logic lock of the FLASH disk are closed, it immediately reports the abnormal behavior to the security monitoring module through the security control bus.
The fourth step: when the security isolation container detects, through the security monitoring module, an abnormal behavior indication from the software of some container, and judges according to the current security workflow state that the container is suffering a serious network attack and needs to be controlled, the security control module sends a system software restart indication to the software behavior independent monitoring module of that container through the security control bus.
The fifth step: after the software behavior independent monitoring module receives the system software restart indication signal from the security control module, the system software of the container is immediately restarted through the local control logic circuit, and the malicious code in memory is stopped and cleared by the restart process.
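Steps 3 to 5 as detection logic over sample events, an added example not taken from the patent. Each container's monitoring module flags a FLASH write issued while the physical lock or the logic lock is not open, and a container whose heartbeats report no progress for several consecutive intervals; the isolation container then restarts that container, or defers the restart while the container is in a secure workflow state that must not be interrupted. The event line format, the hang threshold and the lines in SAMPLE_EVENTS are constructed for the example, not real logs.

```python
"""Software behaviour supervision (section 14): per-container monitoring modules report,
the isolation container decides on a restart.  Added example, not the patent's code.
The event line format and the hang threshold are constructed for this example."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

EVENT = re.compile(r"^(?P<t>\d+) (?P<container>c1|c2|storage) (?P<event>\w+)(?P<kv>(?: \w+=\S+)*)$")


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """One event line -> dict, or None for anything that is not a well-formed event."""
    m = EVENT.match(line.strip())
    if not m:
        return None
    ev = {"t": m.group("t"), "container": m.group("container"), "event": m.group("event")}
    for item in m.group("kv").split():
        key, value = item.split("=", 1)
        ev[key] = value
    return ev


class BehaviourMonitor:
    """Software behaviour independent monitoring module of one container (step 3)."""

    def __init__(self, hang_threshold: int = 3) -> None:
        self.hang_threshold = hang_threshold
        self._stalled: Dict[str, int] = defaultdict(int)

    def check(self, ev: Dict[str, str]) -> Optional[str]:
        container = ev["container"]
        if ev["event"] == "flash_write":
            # a write while either lock is not open is illegal, whatever the target FLASH
            if ev.get("logic_lock") != "open" or ev.get("physical_lock") != "open":
                return "illegal_flash_write"
            return None
        if ev["event"] == "heartbeat":
            if ev.get("progress") == "0":
                self._stalled[container] += 1
                if self._stalled[container] >= self.hang_threshold:
                    self._stalled[container] = 0
                    return "hang"      # suspected infinite loop / resource exhaustion
            else:
                self._stalled[container] = 0
        return None


Alert = Tuple[int, str, str]   # (time, container, reason)


def supervise(lines: List[str], busy: Set[str]) -> Tuple[List[Alert], List[Alert]]:
    """Isolation container side (steps 4-5): returns (restart commands issued, alerts deferred
    because that container is in a secure workflow state that must not be interrupted)."""
    monitors: Dict[str, BehaviourMonitor] = defaultdict(BehaviourMonitor)
    restarts: List[Alert] = []
    deferred: List[Alert] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reason = monitors[ev["container"]].check(ev)
        if reason is None:
            continue
        alert = (int(ev["t"]), ev["container"], reason)
        (deferred if ev["container"] in busy else restarts).append(alert)
    return restarts, deferred


# constructed sample events, not real logs
SAMPLE_EVENTS = """\
0001 c1 heartbeat progress=12
0002 c2 flash_write target=system_flash logic_lock=closed physical_lock=closed
0003 c1 heartbeat progress=0
0004 c1 heartbeat progress=0
garbage line that the parser must skip
0005 c1 heartbeat progress=0
0006 storage flash_write target=sensitive_flash logic_lock=open physical_lock=open
0007 c2 heartbeat progress=5
"""
```

Calling `supervise(SAMPLE_EVENTS.splitlines(), busy=set())` restarts C2 at t=2 for the write to its system FLASH with both locks closed and C1 at t=5 after three stalled heartbeats, while the storage container's write at t=6, made with both locks open, passes; with `busy={"c1"}` the C1 restart is deferred instead.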
Five, beneficial effects and advantages
Existing secure computer technology is based either on a trusted computing mechanism, on antivirus and anti-Trojan security protection software, on a sandbox mechanism that monitors and controls software behavior, or on a moving target defense mechanism. A large number of security incidents show that each of these mechanisms has been breached. At present, computer security defense mainly depends on installed security protection software: a security vendor discovers a vulnerability and releases a patch over the Internet, or the user actively downloads upgrade software. Often, by the time the patch for a vulnerability is applied to the user's computer, serious security consequences have already occurred.
The novel multi-container security computer architecture, combined with the absolute control mechanism of the external physical locks and internal logic locks over the file systems and under the strict isolation mechanism of the security isolation container, ensures that intrusion attack code cannot modify the system software and cannot acquire the sensitive/confidential files protected by the computer. It can defend against viruses, Trojans and various malicious codes, ensure the security of the computing environment for sensitive file processing, ensure the password security of electronic payment, and also realize secure communication of confidential files and secure transmission of confidential e-mail over the Internet.
The novel security computer architecture designed by the invention has the characteristics of strong elastic defense and defense in depth, can defend against various known and unknown security threats, and can be used as a security computer for party and government confidential communication as well as an ordinary civilian computer.
The invention is not limited to the foregoing embodiments. The invention extends to any novel feature or any novel combination of features disclosed in this specification and any novel method or process steps or any novel combination of features disclosed.

Claims (12)

Translated from Chinese

1. A secure computing architecture method based on multi-container separation processing, characterized by comprising:

Secure computer setup step: the secure computer is provided with four independently running processing containers: an application-oriented elastic defence container C1, a TCP/IP-protocol-stack-oriented elastic defence container C2, a security isolation container, and a secure storage container. C1 and C2 are connected to the security isolation container over an internal first high-speed communication bus; the secure storage container is connected to the security isolation container over an internal second high-speed communication bus; high-speed communication is implemented on an internal communication protocol format. The C1 container of the secure computer connects the graphics card, optical drive, mouse, USB and RS-232 serial ports; the C2 container connects the network interface; the security isolation container connects the keyboard; the secure storage container is provided with a hard disk, a sensitive-file FLASH disk, a USBKey interface and a biometric authentication interface; in addition, every container is provided with a local system-software FLASH disk.

Security isolation container isolation step: the security isolation container, as the control core of the computer's cooperative defence, applies full-process security control to the processing of all applications, performs security isolation control between the elastic defence containers and the secure storage container, and blocks attack penetration toward the secure storage container.

Security protection and control step: the secure computer is provided with external interface locks, external physical locks and internal logic locks, which jointly implement security protection and control.

Security supervision step: each processing container of the secure computer is provided with a software-behaviour independent monitoring module, and the security isolation container is additionally provided with a security control module; these are connected by a security control bus and implement supervision and control of secure operation.

Joint control step for the external physical locks and internal logic locks: the secure computer blocks the computer's external connections by closing the external interface locks, blocks writes to a FLASH disk by closing its external physical lock, and uses the internal logic lock to guard against the security oversight of a user failing to close the external physical lock; together these prevent software tampering and data theft.

User control step for the external physical locks: software cannot open or close the external physical locks of the system-software FLASH and the sensitive-file FLASH, nor the external interface locks; only the computer user can open or close these external physical/interface locks, directly and by hand, which gives absolute control over writes to and reads from FLASH.

Physical lock status monitoring step: the software-behaviour independent monitoring module of each container monitors the open/closed state of its FLASH external physical locks and external interface locks and reports it to the security control module over the security control bus; the security isolation container thereby obtains, through the security control module, the open/closed state of all external interface locks, system-software FLASH external physical locks and sensitive-file FLASH external physical locks of the computer.

Logic lock control step: each container, through its software-behaviour independent monitoring module, accepts the open/close instructions for the FLASH internal logic locks that the security isolation container issues over the security control bus when the workflow requires them, and executes the corresponding open/close operation through its local control circuit.

Software behaviour independent monitoring step: the software-behaviour independent monitoring module of each container monitors the container's software for abnormal behaviour; if it detects an abnormal running state, or detects an abnormal write operation while both the FLASH external physical lock and internal logic lock are closed, it reports to the security control module over the security control bus.

Security protection control step: the security isolation container, using the security control module, monitors the running state of the other containers in real time; on receiving an indication that the software of C1, C2 or the secure storage container is running abnormally, it determines according to the current security workflow whether the security control module must issue a security control instruction for that container to restart its system software; when necessary, the container restart forcibly terminates the network attack, and malicious code is removed by wiping memory.

2. The secure computing architecture method according to claim 1, characterized in that: when the secure computer is powered on, each processing container completes its own boot process independently, that is, it first wipes its entire dynamic memory, then copies the system software code from the system-software FLASH disk into its pre-assigned dynamic memory to execute the boot process, and then enters the normal working state; once the software of the security isolation container has started, it first immediately closes the system-software FLASH logic lock and the sensitive-file FLASH logic lock of every container, and then obtains, through the security control module over the security control bus, the state of the computer's system-software FLASH external physical locks, sensitive-file FLASH external physical locks and external interface locks; if the security isolation container determines that a system-software FLASH external physical lock is not closed, a sensitive-file FLASH external physical lock is not closed, or an external interface lock is not open, it prompts the user on the C1 interface to close or open the corresponding external lock.

3. The secure computing architecture method according to claim 1, characterized in that: when application software is installed or upgraded, the application is "registered" in the secure storage container and the executable code of the application files is written to the large-capacity hard disk; that is, after the security isolation container receives an application-installation request, it sends an application-installation command message to the secure storage container; the secure storage container records the application's name in the application registry and records the storage space allocated on the hard disk for the application's executable code files; the secure storage container writes the application's executable code files into the allocated hard disk space, deletes the downloaded compressed package and the decompressed installation files, and the software installation is complete.

4. The secure computing architecture method according to claim 1, characterized in that: when the user needs to start an application, the C1 container issues an application-start request message, which is sent to the secure storage container via the security isolation container; the secure storage container reads the application information recorded in the registry on the hard disk, obtains the information on the storage space allocated on the hard disk for that application's executable code files, then reads the executable code files and transmits them as data blocks, forwarded by the security isolation container, to the C1 container, where they are written into dynamically allocated memory and the application is executed; while the application runs, its temporary files are held in C1's large-capacity DDR; when the run ends, the file containing the user's modifications to the application's configuration parameters is transmitted to the secure storage container and saved to the application's configuration file.

5. The method according to claim 1 or 4, characterized in that: in sensitive-file processing mode, following the prescribed procedure, the following are executed in order: close the computer's external interface locks, stop communication with the C2 container over the internal first high-speed communication bus, wipe C1's memory, open the external physical lock and internal logic lock of the sensitive-file FLASH, read the sensitive file from the sensitive-file FLASH, transmit it to C1 and hold it temporarily in C1's DDR temporary file system; C1 starts the corresponding application to open the sensitive file and performs the file editing; when processing is complete, the file is saved to the sensitive-file FLASH; then, in order, C1's memory is wiped, the internal logic lock and external physical lock of the sensitive-file FLASH are closed, and the computer's external interface locks are opened.

6. The method according to claim 5, characterized in that:

When processing confidential files: in the corresponding secure processing mode, following the prescribed procedure, the following are executed in order: close the computer's external interface locks, stop communication with the C2 container over the internal first high-speed communication bus, wipe C1's memory, open the external physical lock and internal logic lock of the sensitive-file FLASH, read the confidential file from the sensitive-file FLASH, perform storage decryption, transmit it to C1 and hold it temporarily in C1's large-capacity DDR temporary file system; C1 starts the corresponding application to open the confidential file and performs the editing; when processing is complete, the file is storage-encrypted and saved to the sensitive-file FLASH; then, in order, C1's memory is wiped, the internal logic lock and external physical lock of the sensitive-file FLASH are closed, and the computer's external interface locks are opened; the DDR capacity is at least 16 Gbyte.

When transmitting confidential files: in the corresponding secure processing mode, the directory of confidential files read from the hard disk is displayed on C1; the user clicks the confidential file to transmit and selects its recipient; the internal logic lock and external physical lock of the sensitive-file FLASH are opened; the confidential file, after storage decryption and communication encryption, is sent by C2 from the dedicated confidential-communication protocol port to the specified destination IP address; then the internal logic lock and external physical lock of the sensitive-file FLASH are closed.

When receiving confidential files: in non-confidential communication mode, when the C2 container receives the first communication packet on the dedicated confidential-communication port, the packet is passed via the security isolation container to the secure storage container; after the secure storage container has decrypted and verified it, the external physical lock and internal logic lock of the sensitive-file FLASH are opened and the confidential file is received; when reception is complete, communication decryption is performed first, then local storage encryption, the file is written to the sensitive-file FLASH, and the external physical lock and internal logic lock of the sensitive-file FLASH are closed.

7. The method according to claim 1 or 4, characterized in that: in Internet application processing mode, the browser can be started only while the system-software FLASH external physical locks of all containers are closed; when the user browses the Internet, the browser is opened on the C1 container's operating interface and the user clicks the website to visit via the site map; the C1 container passes all HTTPS protocol packets it generates through its virtual TCP/IP stack and over the internal first high-speed communication bus, and the security isolation container forwards them to the C2 container; the C2 container sends all TCP packets received on the network port to the security isolation container over the internal first high-speed communication bus; when the security isolation container determines that a TCP data block belongs to the communication data of a non-confidential communication port, it forwards it to the C1 container over the internal first high-speed communication bus.

8. The method according to claim 1 or 4, characterized in that: in non-sensitive file processing mode, when the user clicks a non-sensitive file to open, the C1 security application schedules the corresponding document-processing software according to the file type and sends, via the security isolation container, an instruction message to the secure storage container to fetch the specified non-sensitive file; the secure storage container reads the specified file from the hard disk and sends it to C1 via the security isolation container; C1 holds the fetched non-sensitive file in its large-capacity DDR temporary file system; when C1 has finished processing the non-sensitive file, it sends it back to the secure storage container to be saved on the large-capacity hard disk.

9. The method according to claim 1 or 4, characterized in that:

When composing confidential e-mail: when the user needs to compose a confidential e-mail, the computer's external interface locks are first closed and C1's memory is wiped; then the external physical lock and internal logic lock of the sensitive-file FLASH are opened, the e-mail is composed, the mail file is storage-encrypted and saved in the sensitive-file FLASH; the external physical lock and internal logic lock of the sensitive-file FLASH are closed, C1's memory is wiped, and the external interface locks are opened.

When sending confidential e-mail: the external physical lock and internal logic lock of the secure storage container's sensitive-file FLASH are opened; the secure storage container reads the confidential mail to be sent, performs storage decryption first and then transmission encryption, and the mail is held temporarily in C1's DDR temporary file system; C1 sends it out through the e-mail system; finally C1 deletes the confidential e-mail from the DDR temporary file system and wipes the memory space the confidential mail used; the external physical lock and internal logic lock of the sensitive-file FLASH are closed.

When receiving confidential e-mail: when the user needs to receive confidential e-mail, the website's mail-receiving web page is opened, the e-mail is downloaded and saved in C1's DDR temporary file system, and the e-mail is passed via the security isolation container to the secure storage container; then the external physical lock and internal logic lock of the sensitive-file FLASH are opened, the secure storage container decrypts the e-mail and saves it, encrypted with the local key, in the sensitive-file FLASH disk; then the internal logic lock and external physical lock of the sensitive-file FLASH are closed.

When viewing confidential e-mail: when the user needs to view a confidential e-mail, the external interface locks are first closed and C1's memory is wiped; then the user clicks the confidential mail to view according to the confidential-mail directory saved on the hard disk; finally, the external physical lock and internal logic lock of the sensitive-file FLASH are opened, the specified confidential mail is read from the sensitive-file FLASH, storage decryption is performed, and the mail is transferred to C1's DDR temporary file system; when processing is complete, C1 wipes its memory, the external physical lock and internal logic lock of the sensitive-file FLASH are closed, and the external interface locks are opened.

10. The method according to claim 5, characterized in that: when the user needs to submit an electronic payment password, the user clicks the payment transaction dialog on the web page and the browser requests an SSL or SET encrypted session from the electronic-payment web server; the security isolation container recognizes, in the packet data stream forwarded from C1 to C2, the SSL or SET packet of the electronic payment request and enters electronic-payment working mode; in the data stream forwarded from the C2 container to the C1 container, the security isolation container recognizes the SSL/SET packet with which the electronic-payment web server replies, copies out the encryption public key the server sends to the payment terminal, and continues forwarding the packet to the C1 container; C1's virtual keyboard driver module receives the user name and password entered in the payment dialog; the security isolation container finds, in the data stream forwarded from C1 to C2, the packet carrying the encrypted payment password under the SSL or SET protocol, records it and forwards it to C2; the security isolation container then clears the recorded password and public key.

11. The method according to claim 5, characterized in that: when the user confirms an upgrade of the system software version, the C1 container sends the security isolation container a request message for upgrading the operating system software of a specified container; on receiving the request, the security isolation container enters secure upgrade processing mode: the computer's external interface locks are closed; the entire dynamic memory of C1 and C2 is wiped; the external physical lock and internal logic lock of the target container's system-software FLASH are opened; the secure storage container reads the specified operating-system upgrade software file from the large-capacity hard disk and passes it to the security isolation container; according to the specified upgrade target, the security isolation container hands the data blocks of the operating-system upgrade file to elastic defence container C1 or C2, or keeps them in its own dynamic memory to perform the upgrade; when the upgrade is complete, the external physical lock and internal logic lock of the target container's system-software FLASH are closed.

12. A secure computing architecture device based on multi-container separation processing, characterized by comprising:

A secure computer: the secure computer is provided with four independently running processing containers: an application-oriented elastic defence container C1, a TCP/IP-protocol-stack-oriented elastic defence container C2, a security isolation container, and a secure storage container. C1 and C2 are connected to the security isolation container over an internal first high-speed communication bus; the secure storage container is connected to the security isolation container over an internal second high-speed communication bus; high-speed communication is implemented on an internal communication protocol format. The C1 container of the secure computer connects the graphics card, optical drive, mouse, USB and RS-232 serial ports; the C2 container connects the network interface; the security isolation container connects the keyboard; the secure storage container is provided with a hard disk, a sensitive-file FLASH disk, a USBKey interface and a biometric authentication interface; in addition, every container is provided with a local system-software FLASH disk.

A security isolation container: as the control core of the computer's cooperative defence, it applies full-process security control to the processing of all applications, performs security isolation control between the elastic defence containers and the secure storage container, and blocks attack penetration toward the secure storage container.

The secure computer is provided with external interface locks, external physical locks and internal logic locks, which jointly implement security protection and control. Joint control step for the external physical locks and internal logic locks: the secure computer blocks the computer's external connections by closing the external interface locks, blocks writes to a FLASH disk by closing its external physical lock, and uses the internal logic lock to guard against the security oversight of a user failing to close the external physical lock; together these prevent software tampering and data theft. User control step for the external physical locks: software cannot open or close the external physical locks of the system-software FLASH and the sensitive-file FLASH, nor the external interface locks; only the computer user can open or close these external physical/interface locks, directly and by hand, which gives absolute control over writes to and reads from FLASH. Physical lock status monitoring step: the software-behaviour independent monitoring module of each container monitors the open/closed state of its FLASH external physical locks and external interface locks and reports it to the security control module over the security control bus; the security isolation container thereby obtains, through the security control module, the open/closed state of all external interface locks, system-software FLASH external physical locks and sensitive-file FLASH external physical locks of the computer. Logic lock control step: each container, through its software-behaviour independent monitoring module, accepts the open/close instructions for the FLASH internal logic locks that the security isolation container issues over the security control bus when the workflow requires them, and executes the corresponding open/close operation through its local control circuit.

Wherein each processing container of the secure computer is provided with a software-behaviour independent monitoring module, and the security isolation container is additionally provided with a security control module; these are connected by a security control bus and implement supervision and control of secure operation. Software behaviour independent monitoring step: the software-behaviour independent monitoring module of each container monitors the container's software for abnormal behaviour; if it detects an abnormal running state, or detects an abnormal write operation while both the FLASH external physical lock and internal logic lock are closed, it reports to the security control module over the security control bus. Security protection control step: the security isolation container, using the security control module, monitors the running state of the other containers in real time; on receiving an indication that the software of C1, C2 or the secure storage container is running abnormally, it determines according to the current security workflow whether the security control module must issue a security control instruction for that container to restart its system software; when necessary, the container restart forcibly terminates the network attack, and malicious code is removed by wiping memory.
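The sensitive-file processing mode of claim 5, modelled as an ordered procedure in which every software step checks the state the previous steps must have established. This is an added example, not code from the patent or its applicant. The class and method names, the `PolicyViolation` checks and the sample file contents are assumptions; following claim 1, the external interface locks and the physical lock are treated as user-operated switches that software can only observe, and the C2 bus is assumed to be resumed at the end of the session, which claim 5 leaves implicit.

```python
# Added example (not from the patent): claim 5's sensitive-file session as an ordered
# procedure with precondition checks.  Names and checks are assumptions for illustration.


class PolicyViolation(Exception):
    """Raised when a step is attempted out of the claimed order."""


class SensitiveFileSession:
    """C1, the C2 bus, the three locks and the sensitive-file FLASH during one session."""

    def __init__(self, flash_contents: dict):
        self.flash = dict(flash_contents)    # sensitive-file FLASH (constructed sample data)
        self.c1_tmpfs = {}                   # C1's DDR temporary file system
        self.interface_locks_closed = False  # user-operated external interface locks
        self.physical_lock_open = False      # user-operated switch on the sensitive-file FLASH
        self.logic_lock_open = False         # set by the isolation container over the control bus
        self.c2_bus_active = True            # first high-speed bus between C1 and C2
        self.c1_memory_clean = False
        self.trace = []

    # Steps only the user performs by hand; software merely records the observed state.
    def user_sets_interface_locks(self, closed: bool) -> None:
        self.interface_locks_closed = closed
        self.trace.append(f"interface_locks_closed={closed}")

    def user_sets_physical_lock(self, open_: bool) -> None:
        self.physical_lock_open = open_
        self.trace.append(f"physical_lock_open={open_}")

    # Steps the isolation container performs, each checking its preconditions.
    def stop_c2_bus(self) -> None:
        self.c2_bus_active = False
        self.trace.append("c2_bus_stopped")

    def wipe_c1_memory(self) -> None:
        self.c1_tmpfs.clear()
        self.c1_memory_clean = True
        self.trace.append("c1_memory_wiped")

    def open_logic_lock(self) -> None:
        if not self.interface_locks_closed or self.c2_bus_active or not self.c1_memory_clean:
            raise PolicyViolation("C1 must be isolated and wiped before the sensitive FLASH is unlocked")
        if not self.physical_lock_open:
            raise PolicyViolation("physical lock still closed; software cannot open it")
        self.logic_lock_open = True
        self.trace.append("logic_lock_open")

    def _require_unlocked(self) -> None:
        if not (self.physical_lock_open and self.logic_lock_open):
            raise PolicyViolation("sensitive FLASH is locked")

    def load_to_c1(self, name: str) -> None:
        self._require_unlocked()
        self.c1_tmpfs[name] = self.flash[name]
        self.c1_memory_clean = False          # plaintext now lives in C1's DDR

    def edit_in_c1(self, name: str, new_content: bytes) -> None:
        self.c1_tmpfs[name] = new_content

    def save_from_c1(self, name: str) -> None:
        self._require_unlocked()
        self.flash[name] = self.c1_tmpfs[name]

    def close_logic_lock(self) -> None:
        self.logic_lock_open = False
        self.trace.append("logic_lock_closed")

    def end_isolation(self) -> None:
        # Assumed closing step: reconnect C2 only once both locks are closed and C1 is wiped.
        if self.logic_lock_open or self.physical_lock_open or not self.c1_memory_clean:
            raise PolicyViolation("locks must be closed and C1 wiped before reconnecting")
        self.c2_bus_active = True
        self.trace.append("c2_bus_resumed")


def run_claim5_sequence(session: SensitiveFileSession, name: str, new_content: bytes):
    """The claimed order; the user-operated steps are modelled as prompted actions."""
    session.user_sets_interface_locks(closed=True)
    session.stop_c2_bus()
    session.wipe_c1_memory()
    session.user_sets_physical_lock(open_=True)
    session.open_logic_lock()
    session.load_to_c1(name)
    session.edit_in_c1(name, new_content)
    session.save_from_c1(name)
    session.wipe_c1_memory()
    session.close_logic_lock()
    session.user_sets_physical_lock(open_=False)
    session.end_isolation()
    session.user_sets_interface_locks(closed=False)
    return session


def shortcut_is_refused() -> bool:
    """Compromised software tries to unlock the FLASH while C1 is still on the network."""
    s = SensitiveFileSession({"plan.txt": b"v1"})
    s.user_sets_physical_lock(open_=True)   # user already flipped the switch
    try:
        s.open_logic_lock()                 # interface locks open, C2 bus live: refused
    except PolicyViolation:
        return True
    return False


if __name__ == "__main__":
    print(run_claim5_sequence(SensitiveFileSession({"plan.txt": b"v1"}), "plan.txt", b"v2").trace)
```

The check worth noting is in `open_logic_lock`: the logic lock is the only gate software controls, and it refuses to open unless the user-operated locks and the isolation steps are already in the required state, which is how the claimed "internal logic lock prevents the user's oversight" combines with "software cannot open the physical lock" into a gate that neither party can pass alone.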

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201810222816.7A | 2018-03-19 | 2018-03-19 | Secure computing architecture method and device based on multi-container separation processing

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201810222816.7A | 2018-03-19 | 2018-03-19 | Secure computing architecture method and device based on multi-container separation processing

Publications (2)

Publication Number | Publication Date
CN108595982A | 2018-09-28
CN108595982B | 2021-09-10

Family

ID=63626767

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status | Publication
CN201810222816.7A | Secure computing architecture method and device based on multi-container separation processing | 2018-03-19 | 2018-03-19 | Active | CN108595982B (en)

Country Status (1)

Country | Link
CN | CN108595982B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN109801050B (en) * | 2019-01-22 | 2023-12-26 | 瑞银信支付技术有限公司 | Mobile payment SDK and payment method for online mall
US11979334B2 (en) | 2019-07-22 | 2024-05-07 | International Business Machines Corporation | Internet activity compartmentalization
CN112347481B (en) * | 2019-08-06 | 2024-04-23 | 华为技术有限公司 | Safe starting method, controller and control system
CN111177701B (en) * | 2019-12-11 | 2022-09-13 | 北京握奇智能科技有限公司 | Method and equipment for realizing cryptographic function service based on trusted execution environment and security chip
US11647049B2 (en) | 2020-04-14 | 2023-05-09 | Google Llc | Dynamic application security posture change based on physical vulnerability
CN112069555B (en) * | 2020-08-13 | 2022-03-18 | 中国电子科技集团公司第三十研究所 | Safe computer architecture based on double-hard-disk cold switching operation
CN112069535B (en) * | 2020-08-13 | 2023-01-31 | 中国电子科技集团公司第三十研究所 | Dual-system safety intelligent terminal architecture based on access partition physical isolation
CN113849811B (en) * | 2021-09-03 | 2025-08-12 | 支付宝(杭州)信息技术有限公司 | Shared virtual resource analysis method and device
CN114546598B (en) * | 2022-02-25 | 2022-10-21 | 北京小佑网络科技有限公司 | Control method for processes, files and network access in container

Citations (8)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1183841A (en) * | 1995-02-13 | 1998-06-03 | 英特特拉斯特技术公司 | System and method for secure transaction management and electronic rights protection
CN101236535A (en) * | 2007-07-31 | 2008-08-06 | 北京理工大学 | Hard Disk Encryption Method Based on CD-ROM in Windows Environment
CN101477471A (en) * | 2009-01-07 | 2009-07-08 | 杭州海康威视数字技术股份有限公司 | Embedded system firmware on-line upgrading system
US7603713B1 (en) * | 2009-03-30 | 2009-10-13 | Kaspersky Lab, Zao | Method for accelerating hardware emulator used for malware detection and analysis
CN106326699A (en) * | 2016-08-25 | 2017-01-11 | 广东七洲科技股份有限公司 | Method for reinforcing server based on file access control and progress access control
CN106529331A (en) * | 2016-10-31 | 2017-03-22 | 用友网络科技股份有限公司 | Multi-tenant data isolation scheme applied to PaaS (Platform-as-a-Service) platform
CN106778110A (en) * | 2016-11-29 | 2017-05-31 | 北京元心科技有限公司 | Method and device for authenticating application program in multiple systems
CN106991321A (en) * | 2017-04-18 | 2017-07-28 | 北京元心科技有限公司 | Method and device for running application program in multi-container system without trace

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
KR102015118B1 (en) * | 2016-06-16 | 2019-10-21 | 단국대학교 천안캠퍼스 산학협력단 | A Vessels Pattern Recognition Based Biometrics Machine using Laser Speckle Imaging and Methods Thereof
CN107203378A (en) * | 2017-05-09 | 2017-09-26 | 深圳市海派通讯科技有限公司 | A kind of storehouse based on android containers relies on solution
CN107194245A (en) * | 2017-05-12 | 2017-09-22 | 南京大学 | A kind of funcall remodeling method isolated for linux kernel page table


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Dynamic defense method for Web servers based on Linux namespaces; 陈刚 et al.; 《计算机应用》 (Journal of Computer Applications); 2017-12-10 (No. 12); pp. 3442-3446 *

Also Published As

Publication number | Publication date
CN108595982A (en) | 2018-09-28

Similar Documents

Publication | Publication Date | Title
CN108595982B (en) | - | Secure computing architecture method and device based on multi-container separation processing
US12299147B2 (en) | - | Secure computing system
US10162975B2 (en) | - | Secure computing system
US7743260B2 (en) | - | Firewall+storage apparatus, method and system
RU2714607C2 (en) | - | Double self-test of memory for protection of multiple network endpoints
US8474032B2 (en) | - | Firewall+ storage apparatus, method and system
CN104335548B (en) | - | A secure data processing device and method
Pham et al. | - | Universal serial bus based software attacks and protection solutions
Popoola et al. | - | Ransomware: Current trend, challenges, and research directions
Suciu et al. | - | Horizontal privilege escalation in trusted applications
Alzahrani et al. | - | Ransomware in windows and android platforms
Atapour et al. | - | Modeling Advanced Persistent Threats to enhance anomaly detection techniques
RU84594U1 (en) | - | STORAGE WITH PROTECTION FROM UNAUTHORIZED ACCESS TO MEMORY
Iglio | - | Trustedbox: a kernel-level integrity checker
Anand et al. | - | Comparative study of ransomwares
Srinivasan | - | Protecting anti-virus software under viral attacks
Martsenyuk et al. | - | Features of multifunctional Backdoor technology in the personal space of users.
Caruso | - | Forensic Analysis of Mobile Spyware: Investigating Security, Vulnerabilities, and Detection Challenges in Android and iOS Platforms
Angayarkanni et al. | - | Security Analysis on Full Disc Encryption
Duc | - | Offensive Security Lab
Арустамов et al. | - | Professional foreign language for computer security specialists: a textbook
Subedi | - | A Framework for Analyzing Advanced Malware and Software
Qattan et al. | - | Deficiencies in Current Software Protection Mechanisms and Alternatives for Securing Computer Integrity
Decloedt et al. | - | Rootkits, Trojans, backdoors and new developments
Korsakov | - | Cryptovirology and malicious software

Legal Events

Date | Code | Title | Description
- | PB01 | Publication | -
- | SE01 | Entry into force of request for substantive examination | -
- | GR01 | Patent grant | -
