CN109002706A - A method and system for in-process data isolation and protection based on user-level page tables - Google Patents

A method and system for in-process data isolation and protection based on user-level page tables

Info

Publication number
CN109002706A
Authority
CN (China)
Prior art keywords
user, page table, page, physical, level
Legal status
Granted
Application number
CN201810589291.0A
Other languages
Chinese (zh)
Other versions
CN109002706B (en)
Inventors
赵阳洋, 陈明宇, 朱晓静, 洪宗会, 郭云格
Current assignee
Institute of Computing Technology of CAS
Original assignee
Institute of Computing Technology of CAS

Abstract

Translated from Chinese

The invention relates to an in-process data isolation and protection method and system based on a user-level page table. A part of the virtual space of a user process is divided off as a user self-managed area, which is in turn divided into a user-level page table area and a user self-managed data area; the protected sensitive data stored in the user self-managed data area is managed only by the page table in the user-level page table area. In-process data isolation is achieved by restricting access to the user-level page table to designated program objects, and limiting the range of physical pages that the user-level page table may map ensures that inter-process data isolation is not affected. The user-level page table performs virtual-to-physical address mapping, page table initialization and page fault handling within the virtual space; when an interrupt occurs, the user-level page table performs user-defined interrupt handling, avoiding a trap into the kernel and preserving run-time efficiency. The invention can improve the efficiency of the virtual memory system and provide fine-grained in-process security protection.

Description

Translated from Chinese

A method and system for in-process data isolation and protection based on user-level page tables

Technical field

The invention relates to the field of computing, and in particular to a method and system for in-process data isolation and protection based on user-level page tables.

Background

Traditional computer systems provide no effective means of protecting data accesses inside a process. In general, the processor hardware allows code within a process to access any of the process's data space arbitrarily, which gives attack methods such as buffer overflows a potential attack path. An attacking program can exploit a local code vulnerability within the process to obtain access to the entire process address space, and from there control the data and code execution of the whole process. Many consumer electronic devices use extended security modules to ensure data security; the common approaches at present are:

1. Externally attached hardware security module.

Data processing is delegated to external security modules that can protect their own resources, keys and other data, such as SIM cards, various smart cards, or externally connected hardware encryption/decryption modules. However, the communication line between such a module and the main chip is exposed externally and is easy to eavesdrop on and break. In addition, the communication rate is relatively low.

2. Internally integrated hardware security module.

The functions of the external security module are integrated into the chip, so that one chip has at least two cores: a normal core and a secure core. The advantage is that inter-core communication takes place inside the chip and is no longer exposed. The disadvantages are that inter-core communication is still slow, the performance of the separate secure core is limited, and it consumes SoC area, so the cost is high.

3. Security subsystems such as ARM TrustZone and Intel SGX.

TrustZone security technology has been part of the ARM architecture specification since ARMv6. Conceptually it divides the hardware and software resources of the SoC into two worlds, the Secure World and the Normal World. All operations that must be kept confidential are executed in the Secure World (such as fingerprint recognition, password processing, data encryption and decryption, and security authentication), and the remaining operations run in the Normal World (such as the user operating system and the various applications). The Secure World and the Normal World switch through Monitor Mode. There is likewise a performance overhead on every mode switch.

Intel SGX stands for Intel Software Guard Extensions. SGX is an extension of the Intel instruction set architecture (ISA) that mainly provides instructions for creating a Trusted Execution Environment (TEE), also called an enclave. User-mode applications can execute securely inside an enclave without being attacked by a malicious operating system (OS) or hypervisor. Intel SGX provides application-level isolation: security-sensitive code that requires confidentiality and integrity trusts only the CPU, and the hardware, the OS and other applications cannot affect the security of that code's execution. The main purpose of SGX is to protect an application's security-sensitive code from being interrupted or having its execution corrupted by malicious higher-privileged software.

The partitioned security subsystem technologies above protect only the data inside a closed subsystem and cannot effectively protect data for complex, large applications. Here a complex, large application means a process that contains multiple threads which share the program's memory space, or a process whose program and data occupy memory on the order of gigabytes.

4. In-process data protection technologies such as Intel MPK and MPX.

Intel MPK (Memory Protection Key) partitions memory pages into multiple domains. Each page belongs to one of N domains, specified by M bits in the page table entry; these M bits are called the protection key, and N = 2^M. MPK protects memory as follows: when a process accesses memory, the hardware checks whether the protection key of the current process matches the protection key of the memory block being accessed, and raises an exception if they differ. At the same time, the page permissions expressed by the permission bits of the page table itself must also be satisfied; only when both conditions hold is the memory access legal.

Intel MPX (Memory Protection eXtensions) checks, with hardware assistance, the memory address range accessed through pointers, and is supported from the sixth-generation Core processors (Skylake) onward. With support from the compiler, libraries and operating system, MPX checks pointer dereferences against the intent determined at compile time to decide whether a buffer overflow has led to malicious exploitation at run time, thereby improving software security.

PULP (Protection by User Level Partition) is a method that achieves in-process data isolation and protection by associating the processor's program counter with memory access addresses. Within a single process it limits the damage and out-of-bounds accesses that untrusted code can inflict on security-sensitive data.

Of the above three in-process data protection technologies, MPK is domain-based isolation, MPX is address-based isolation, and PULP is data isolation based on user-level partitions. The disadvantage of MPX is that every address access has to be modified and check instructions added, so the overhead is relatively large. The common disadvantage of MPK and PULP is that data can only be protected at the granularity of a domain or partition, which generally contains several pages; protection is therefore coarse-grained, and fine-grained in-process data isolation at page granularity cannot be achieved.

Summary of the invention

To achieve fine-grained protection of in-process data, the present invention proposes a method that places the page table of a user process in the process's virtual space so that it can be protected: a section of the user process's virtual space is managed by the user process itself, and untrusted user code is restricted from accessing the sensitive data in that virtual space. The security mechanism of Protection by User Level Page Table (PULPT) proposed by the invention includes dividing the user-level page table from the kernel page table, managing the user-level page table, limiting the range of physical pages the user-level page table may map, and restricting access to the user-level page table to designated program objects; out-of-bounds accesses, permission violations and page faults all trigger an interrupt that runs a user-defined interrupt handling flow. Managing the user-level page table in turn includes translating between the virtual and physical addresses of the user self-managed area (the mapping between virtual and physical pages), the physical-space management method, page table initialization and permission setting.

Specifically, the invention discloses an in-process data isolation and protection method based on a user-level page table, which includes:

Dividing off a part of the virtual space of the user process to be managed by the user process itself as a user self-managed area, and dividing the user self-managed area into a user-level page table area and a user self-managed data area. The user-level page table area stores the user-level page table, and the user self-managed data area stores protected sensitive data. The sensitive data is managed only by the user-level page table; this management includes modifying virtual-to-physical address mappings, setting read, write and execute permissions, and marking read/write access status.

In this method, the user-level page table and the kernel page table are divided as follows: when a memory access instruction of the user process causes the hardware to look up a page table entry, it is determined whether the virtual address requested by the instruction lies within the bounds of the user self-managed area; if so, the root address of the user-level page table is selected and the page table entry is looked up in the user-level page table area; otherwise the root address of the kernel page table is selected and the page table entry is looked up in the kernel area.

The processor includes virtual address limit registers that store the upper and lower bounds of the user self-managed area, and an address register that stores the root address of the user-level page table.

In this method, the contents of the user-level page table are managed by the user process itself. During execution the user process requests and allocates virtual pages of the user self-managed area on its own and establishes mappings between those virtual pages and physical pages, where the physical pages are obtained by the user process through a request to the kernel.

In this method, the range of physical pages that the user-level page table may map is limited by the following steps: when the processor executes a write instruction whose destination address lies in the user-level page table area of the user self-managed area, the data being written is a page table entry of the user-level page table area. The physical page number of the physical page mapped by the destination address is extracted from that page table entry, and it is checked whether the physical page number is legal, where legal means that it belongs to the range of physical pages configured by the kernel as mappable by the user-level page table. If it is not legal, an interrupt is generated and the write instruction is prevented from writing the page table entry into the user-level page table area; otherwise the write instruction is allowed to write the page table entry into the user-level page table area.

The range of physical pages mappable by the user-level page table is set by the following steps: the kernel establishes a data structure whose data elements are the addresses of the mappable physical pages, or the physical page numbers of the mappable physical pages, or indicator bits corresponding to those physical page numbers; the check of whether a physical page number is legal when writing the user-level page table is implemented by looking up these data elements.

In this method, the program objects that may access the user-level page table are restricted, so as to protect the user-level page table.

In this method, before the mapping between the virtual pages and physical pages of the user self-managed area is established, a self-mapped multi-level page table is first initialized, and at each level a corresponding page table entry is created that points to the starting address of that level's own page table, completing the initialization of the user-level page table.

In this method, if an interrupt occurs while a memory access instruction executed by the user process triggers the virtual-to-physical page mapping of the user self-managed area, the following steps are performed:

Step 201: the processor detects the interrupt in the write-back stage and begins interrupt handling;

Step 202: determine whether the interrupt should be handled by the user process itself; if so, go to step 203, otherwise go to step 206;

Step 203: the user process handles the interrupt itself; the processor provides a group of user-private registers that hold the program counter of the interrupted instruction, the cause of the interrupt and the memory access address;

Step 204: the program jumps to the entry of the user interrupt handler and executes the user-defined interrupt handling function;

Step 205: end;

Step 206: execute the regular kernel interrupt handling flow, then go to step 205.

In this method, the physical space corresponding to the physical pages that the user process obtains from the kernel is managed as follows:

Physical space management step: obtain a preset data structure that records the free physical page numbers allocated by the kernel;

Data structure lookup step: when the user self-managed area is initialized or a page fault occurs, obtain several physical pages from the data structure according to the size of the requested physical space and map them in turn to virtual pages;

Data structure insertion step: when pages are reclaimed, return the physical pages to the data structure that records free physical page numbers;

Data structure deletion step: when the user process exits, return the physical pages in the data structure to the kernel.
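As an added illustration (not code from the patent), the following C model walks through the mechanism the claims above describe: root selection by the limit registers, the physical page number check on every store into the user-level page table, the self-mapping entry written at initialization, permission and page-fault checks during translation, and a user-mode fault handler that maps a page from the process's own free pool without entering the kernel. The page size, table size, PTE layout, register names and all addresses are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the PULPT mechanism described above. Assumed, not from the
 * patent: 4 KiB pages, a one-level user page table of 16 entries at the start of the
 * self-managed area, 64 physical pages, and this PTE layout (R/W/X bits 0-2, present
 * bit 3, PPN from bit 12). */
#define PAGE_SHIFT  12
#define PAGE_SIZE   (1ull << PAGE_SHIFT)
#define NUM_PPN     64
#define UPT_ENTRIES 16
enum { PTE_R = 1, PTE_W = 2, PTE_X = 4, PTE_P = 8 };
#define PTE_PPN(pte)        ((pte) >> PAGE_SHIFT)
#define MAKE_PTE(ppn, perm) (((uint64_t)(ppn) << PAGE_SHIFT) | (perm) | PTE_P)

enum fault { FAULT_NONE = 0, FAULT_PT_ACCESS, FAULT_PPN_RANGE, FAULT_PERM, FAULT_MISSING };
enum root  { ROOT_KERNEL, ROOT_USER };

struct cpu {
    uint64_t ulimit_lo, ulimit_hi;   /* virtual address limit registers: the user area */
    uint64_t upt_root;               /* root address register of the user-level page table */
    uint64_t allowed_ppn;            /* kernel-only physical page limit: bitmap of PPNs */
    bool     obj_may_write_upt;      /* may the running program object write the table? */
    struct { enum fault cause; uint64_t addr, pc; } ufr; /* user-private fault registers */
    uint64_t upt[UPT_ENTRIES];       /* memory backing the user-level page table */
    uint64_t free_ppn[NUM_PPN];      /* free physical pages the process got from the kernel */
    size_t   nfree;
};

/* Root selection done by the hardware: inside the limit registers -> user-level root. */
enum root select_root(const struct cpu *c, uint64_t va) {
    return (va >= c->ulimit_lo && va < c->ulimit_hi) ? ROOT_USER : ROOT_KERNEL;
}

static enum fault user_fault(struct cpu *c, enum fault f, uint64_t va, uint64_t pc) {
    c->ufr.cause = f; c->ufr.addr = va; c->ufr.pc = pc;   /* saved for the user handler */
    return f;
}

/* A store whose destination lies in the user-level page table region: the value being
 * stored is a PTE, so the writer is checked against the allowed program objects and the
 * PPN it encodes against the kernel-configured physical page range before it lands. */
enum fault store_pte(struct cpu *c, uint64_t dst_va, uint64_t pte, uint64_t pc) {
    if (dst_va < c->upt_root || dst_va >= c->upt_root + UPT_ENTRIES * sizeof(uint64_t))
        return FAULT_NONE;                            /* ordinary data store: not modelled */
    if (!c->obj_may_write_upt) return user_fault(c, FAULT_PT_ACCESS, dst_va, pc);
    uint64_t ppn = PTE_PPN(pte);
    if (ppn >= NUM_PPN || !((c->allowed_ppn >> ppn) & 1))
        return user_fault(c, FAULT_PPN_RANGE, dst_va, pc);
    c->upt[(dst_va - c->upt_root) / sizeof(uint64_t)] = pte;
    return FAULT_NONE;
}

/* Self-mapping initialisation: entry 0 maps the page that holds the table itself. */
enum fault init_user_pt(struct cpu *c, uint64_t table_ppn, uint64_t pc) {
    memset(c->upt, 0, sizeof c->upt);
    return store_pte(c, c->upt_root, MAKE_PTE(table_ppn, PTE_R | PTE_W), pc);
}

/* Translation: kernel-area addresses go to the kernel table (assumed identity-mapped);
 * user-area addresses walk the user table and apply its permission bits, raising a
 * user-handled fault on a missing page or a permission violation. */
enum fault translate(struct cpu *c, uint64_t va, uint64_t need, uint64_t pc, uint64_t *pa) {
    if (select_root(c, va) == ROOT_KERNEL) { *pa = va; return FAULT_NONE; }
    uint64_t pte = c->upt[(va - c->ulimit_lo) >> PAGE_SHIFT];
    if (!(pte & PTE_P))       return user_fault(c, FAULT_MISSING, va, pc);
    if ((pte & need) != need) return user_fault(c, FAULT_PERM, va, pc);
    *pa = (PTE_PPN(pte) << PAGE_SHIFT) | (va & (PAGE_SIZE - 1));
    return FAULT_NONE;
}
/* User-defined handler (steps 203-204): a missing page is repaired from the process's
 * own free-page pool without entering the kernel; any other cause is a real violation. */
bool user_fault_handler(struct cpu *c, uint64_t perm) {
    if (c->ufr.cause != FAULT_MISSING || c->nfree == 0) return false;
    uint64_t ppn  = c->free_ppn[--c->nfree];
    uint64_t slot = c->upt_root + ((c->ufr.addr - c->ulimit_lo) >> PAGE_SHIFT) * sizeof(uint64_t);
    bool saved = c->obj_may_write_upt;
    c->obj_may_write_upt = true;                      /* the handler itself is trusted code */
    enum fault f = store_pte(c, slot, MAKE_PTE(ppn, perm), c->ufr.pc);
    c->obj_may_write_upt = saved;
    if (f != FAULT_NONE) { c->free_ppn[c->nfree++] = ppn; return false; }
    return true;
}

/* Constructed machine: user area of 16 pages at 0x10000000, the table in PPN 5, and the
 * kernel allows the table to map PPNs 5..12, of which 6..12 are in the free pool. */
void setup(struct cpu *c) {
    memset(c, 0, sizeof *c);
    c->ulimit_lo = 0x10000000ull;
    c->ulimit_hi = c->ulimit_lo + UPT_ENTRIES * PAGE_SIZE;
    c->upt_root  = c->ulimit_lo;
    c->allowed_ppn = 0xFFull << 5;
    c->obj_may_write_upt = true;
    for (uint64_t p = 6; p <= 12; p++) c->free_ppn[c->nfree++] = p;
    (void)init_user_pt(c, 5, 0);
}
```

Blocking a PTE write by its physical page number is what keeps a compromised user process from mapping memory that belongs to another process, which is the inter-process guarantee the abstract refers to.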

The invention also discloses an in-process data isolation and protection system based on a user-level page table, which includes:

A preprocessing module that, before the user process accesses memory, divides the user-level page table area from the kernel page table area by setting the bounds of the user self-managed area and the root address of the user-level page table. The preprocessing module is also responsible for managing the user-level page table area, including initializing the user-level page table, establishing mappings between the virtual and physical addresses of the user self-managed area, managing the physical space corresponding to the physical pages, and setting access permissions in the user-level page table entries;

A processing module that, when the user process accesses memory, first determines whether the requested virtual address belongs to the user self-managed area. If so, the page table entry is looked up in the user-level page table area and the user process enters in-process security protection; otherwise the page table entry is looked up in the kernel page table area and the user process remains in the regular security protection state. It then determines whether the request accesses the user-level page table area; if so, it further checks whether the requesting object is entitled to access the user-level page table and whether the physical page number being written into the user-level page table entry belongs to the range of physical pages mappable by the user-level page table, executing the access request if both hold and otherwise raising an interrupt. If the request accesses the user self-managed data area, the user process performs the permission-bit violation check and the page-fault check on the user-level page table entry; if either occurs, an interrupt is raised, otherwise the access request is executed.

In this system, the preprocessing module initializes a self-mapped multi-level page table and creates at each level a corresponding page table entry that points to the starting address of that level's own page table, completing the initialization of the user-level page table;

The data structure with which the preprocessing module manages physical space includes:

A physical space management module that obtains a preset data structure recording the free physical page numbers allocated by the kernel;

A data structure lookup module that, when the user self-managed area is initialized or a page fault occurs, obtains several physical pages from the data structure according to the size of the requested physical space and maps them in turn to virtual pages;

A data structure insertion module that, when pages are reclaimed, returns the physical pages to the data structure recording free physical page numbers;

A data structure deletion module that, when the user process exits, returns the physical pages in the data structure to the kernel;

When an interrupt occurs at run time, the processing module executes the user-defined interrupt handling procedure, which specifically includes:

An interrupt detection module, by which the processor detects the interrupt in the write-back stage and begins interrupt handling;

A decision module that determines whether the interrupt should be handled by the user itself, calling the user interrupt module if so and the system interrupt module otherwise;

A user interrupt module by which the user process handles the interrupt itself: the processor provides a group of user-private registers that hold the program counter of the interrupted instruction, the cause of the interrupt and the memory access address; the program jumps to the entry of the user interrupt handler, executes the user-defined interrupt handling function, and then interrupt handling ends;

A system interrupt module that executes the regular kernel interrupt handling flow, after which interrupt handling ends.

The technical advances of the invention include:

1. Improved efficiency of the virtual memory system.

Modification and maintenance of the user-level page table take place mainly in user mode, without frequent entry into and exit from the kernel, which reduces the context-switch overhead.

2. Fine-grained in-process security protection.

The user-level page table can configure read, write, execute and other security attributes at page granularity, unconstrained by the number of regions in MPX or the number of bound registers in PULP. To a certain extent, the user-level page table lets the trusted code inside a process configure the range accessible to untrusted code more flexibly. Trusted and untrusted code are designated by the user process: for example, the user process may designate the code of the main function as trusted and the code of called third-party library functions as untrusted. The user process may also designate trusted and untrusted code according to other security requirements.

Brief description of the drawings

Figure 1 is a schematic diagram of in-process data protection based on a user-level page table according to the invention;

Figure 2 is a flow chart of user-defined interrupt handling according to the invention;

Figure 3 is a flow chart of the physical space management method of the invention;

Figure 4 is a flow chart of the method of the invention for restricting a user process's access to physical pages;

Figure 5 is a diagram of the prior-art three-level page table walk (PTW) process;

Figure 6 is a diagram of the PTW process during page table initialization according to the invention;

Figure 7 is a flow chart of nested page fault handling when a PTE entry is missing, according to the invention;

Figure 8 is a flow chart of nested page fault handling when a PMD entry is missing, according to the invention;

Figure 9 is a flow chart of nested page fault handling when a PGD entry is missing, according to the invention.

具体实施方式Detailed ways

为了解决上述技术问题,本发明目的在于提供一种进程内数据的细粒度保护方法,提出了将用户进程的页表放置在虚拟空间进行保护,用户进程中有一段虚拟空间由用户进程自身进行管理,限制不可信用户代码对虚拟空间敏感数据的访问。为让本发明的上述特征和效果能阐述的更明确易懂,下文特举实施例,并配合说明书附图作详细说明如下。In order to solve the above technical problems, the purpose of the present invention is to provide a fine-grained protection method for in-process data. It proposes to place the page table of the user process in the virtual space for protection, and a section of virtual space in the user process is managed by the user process itself , restricting access of untrusted user code to sensitive data in the virtual space. In order to make the above-mentioned features and effects of the present invention more clear and understandable, the following specific examples are given together with the accompanying drawings for detailed description as follows.

本发明的方法实施例:基于用户级页表的进程内数据保护Method embodiment of the present invention: in-process data protection based on user-level page table

将用户进程的一段虚拟空间设为用户自管理区域,将该区域划分为用户级页表区域和用户自管理数据区域,该用户自管理数据区域的敏感数据仅由该用户级页表区域的页表进行管理,基于用户级页表的进程内数据保护如图1所示。Set a section of virtual space of the user process as a user self-management area, and divide this area into a user-level page table area and a user-management data area. Tables are managed, and the in-process data protection based on user-level page tables is shown in Figure 1.

在预处理101阶段,处理器设置用户自管理区域的界限1013和用户级页表的根目录地址1014。在程序运行时,根据内存访问请求的虚拟地址和用户自管理区域的界限,判断1021查找页表项是在用户级页表区域进行,还是在内核区域进行。用户级页表的根目录地址不同于内核页表的根目录地址,因此可以实现对用户级页表和内核页表的划分1011。In the stage of preprocessing 101, the processor sets the limit 1013 of the user-managed area and the address 1014 of the root directory of the user-level page table. When the program is running, according to the virtual address of the memory access request and the boundary of the user's self-management area, it is judged 1021 whether the search for the page table entry is performed in the user-level page table area or in the kernel area. The root directory address of the user-level page table is different from the root directory address of the kernel page table, so the division 1011 of the user-level page table and the kernel page table can be realized.

在预处理阶段,还要进行用户级页表区域的管理1012,包括用户级页表初始化1015,用户自管理区域虚拟地址与物理地址建立映射关系1016,物理页面对应的物理空间管理1017,用户级页表项中访问权限设置1018;In the preprocessing stage, user-level page table area management 1012 is also performed, including user-level page table initialization 1015, user-managed area virtual address and physical address establishment mapping relationship 1016, physical space management 1017 corresponding to the physical page, user-level The access permission setting in the page table entry is 1018;

在程序运行时,若在内核区域查找页表项,则用户进程处于常规的安全保护状态1022;若在用户级页表区域查找页表项,则用户进程处于进程内的安全保护状态1023。When the program is running, if the page table entry is found in the kernel area, the user process is in the normal security protection state 1022; if the page table entry is found in the user-level page table area, the user process is in the security protection state 1023 in the process.

在进程内的安全保护状态下,判断请求是否访问用户级页表区域1024,若是,则既要判断程序对象是否可访问用户级页表1025,又要判断用户级页表项中写入的物理页号是否属于可映射的物理页面范围1026,若违反了两者其一的限制条件,则开启中断,进入用户自定义中断处理1029;否则,若请求访问用户自管理数据区域,则用户进程要执行用户级页表项权限位违法1027和缺页检查1028,若两者其一发生,则开启中断,进入用户自定义中断处理。In the security protection state in the process, it is judged whether the request accesses the user-level page table area 1024. Whether the page number belongs to the mappable physical page range 1026, if it violates one of the restriction conditions, then open the interrupt and enter the user-defined interrupt processing 1029; Execute user-level page table item permission bit violation 1027 and page fault check 1028, if one of the two occurs, then enable interrupt and enter user-defined interrupt processing.

Method embodiment of the present invention: the added register types and their functions.

Four types of registers are added; their names and functions are listed in Table 1. Among them, the physical page limit register group can be read and written only by the kernel, while the remaining register groups can be read and written only by user security code.

Table 1: Register types added by the present invention and their functions

Embodiment of the present invention: the added register read/write instructions and their functions.

Two types of instructions are added; their names and functions are listed in Table 2.

Table 2: Instructions added by the present invention and their functions

Method embodiment of the present invention: virtual-to-physical address translation in the user-level page table area.

The typical process of translating a virtual address into a physical address is as follows: the logical page number is used to index the page table, the physical page number of that page is read from the page table and loaded into the physical address register. The offset within the page needs no translation and is placed directly into the in-page offset field of the physical address register. The content of the physical address register, formed by concatenating the two, is the actual memory address to be accessed, which completes the translation from logical (virtual) address to physical address. In a traditional operating system the page table is maintained by the kernel: during instruction execution, page table lookup and address translation are handled automatically by the processor hardware, but page table entries are filled and modified by software. The present invention distinguishes a user-managed space from the kernel-managed space; in the user-managed space, virtual-to-physical translation is performed by the user-level page table, which raises the efficiency of fine-grained page table modification by the user, and the user process itself guarantees the security of the data in this space.

Method embodiment of the present invention: physical-to-virtual address translation in the user-level page table area.

In a conventional design the page table is stored in the kernel area, where virtual and physical addresses differ only by a fixed offset, so the virtual address can be computed from the physical address and the offset. No such correspondence exists in the user-managed area.

When the page table is stored in the user-managed area, a data structure is chosen to record the correspondence between the physical page numbers of page table pages and their virtual page numbers; this data structure includes but is not limited to a list or a hash table. To reduce implementation complexity, this data structure can be treated as ordinary user process data: the page tables covering it are still managed by the kernel, while the kernel's ability to modify it is restricted.

Method embodiment of the present invention: user-defined interrupt handling.

Since the user level manages the virtual-to-physical mapping and page table configuration of a region on its own, page faults and permission violation exceptions occurring in that region must be handled by the user process itself, so a user-defined interrupt design is required. Concretely, the interrupt handler entry is distinguished and a user-specific interrupt control register is added. Figure 2 shows the user-defined interrupt handling process, which comprises the following steps:

Step 201: when an instruction executed by the processor raises an interrupt, precise exception semantics require that all instructions before the interrupted instruction have completed correctly and that none after it has executed, so the interrupt is generally detected at the write-back stage, where interrupt handling begins. The interrupt here is an interrupt of the computer system as a whole; there are many kinds, not only page faults, for example arithmetic overflow interrupts, device interrupts from the keyboard and mouse, and software interrupts issued by application programs (page faults belong to this last kind). A typical processor executes an instruction in five stages, known as the five-stage pipeline: fetch, decode, execute, memory access and write-back. The write-back (WB) stage writes the result of the execute stage back to some form of storage;

Step 202: at the write-back stage, determine whether the interrupt requires user-defined handling; if so, go to step 203, otherwise go to step 206. The criterion is whether the virtual address va at which the interrupt occurred belongs to the user-managed area; if it does, user-defined interrupt handling is required;

Step 203: because the user handles part of the interrupts itself, the processor provides a group of user-specific registers to save the PC of the interrupted instruction, the cause of the interrupt and the memory access address. Here PC is the program counter, which stores and indicates the address of the next instruction to execute;

Step 204: the system's interrupt handling jumps to the entry of the user-defined interrupt handler and executes it;

Step 205: end;

Step 206: execute the conventional kernel interrupt handling flow. Taking the open-source processor core Rocket_chip as an example, this consists of writing the PC of the interrupted instruction, the cause of the interrupt (exception code) and the memory access address (for memory access instructions) into the corresponding sepc, scause and sbadaddr control and status registers (CSRs) for use by the kernel's interrupt handler, and then transferring control to the kernel's interrupt handler entry to execute the handler.

This guarantees that page faults and permission violation exceptions occurring in the user-managed area are handled by the user process itself, without a context switch between user mode and kernel mode. The context is the environment in which the process executes, that is, its variables and data, including all register values, the files the process has opened, its memory information and so on.

Method embodiment of the present invention: management of physical space.

In the traditional design a user process does not request physical pages; the kernel does this. Since here the user process manages the virtual-to-physical mapping of a region itself, it needs free physical pages, which it obtains by requesting them from the kernel; a data structure can be chosen to record the free physical page numbers allocated by the kernel. There is no fixed point in time for requesting free physical pages: it may happen before or after the virtual-to-physical mapping.

In the present invention the user process is entitled to configure user-level page table entries, which carries the risk of mapping arbitrary physical pages, including physical pages belonging to other user processes, into the user-managed area. The range of physical pages that the user-level page table may map therefore has to be restricted. Concretely, when a write instruction executes, its destination address is additionally checked; if it falls within the page table area of the user-managed area, the data written by the instruction is constrained so that the physical page number written into the user-managed area's page table lies within the range of physical pages the kernel allocated to the user process.

The user process manages the virtual-to-physical mapping and the page table configuration of a region on its own, and obtains the free physical pages it needs by requesting them from the kernel. The method by which the user-managed area manages physical space is shown in Figure 3 and consists of the following parts:

Physical space management step 301: choose a data structure to record the free physical page numbers allocated by the kernel. Such data structures include but are not limited to a PPN list; the PPN list is used as the example below;

Data structure lookup step 302: when the user-managed area is initialized or a page fault occurs, obtain from the data structure the number of physical pages corresponding to the requested physical space, then map them one by one to the corresponding virtual pages. For the PPN list this is a lookup operation;

Data structure insertion step 303: when pages are reclaimed, return the physical pages to the data structure that records free physical page numbers; for the PPN list this is a number of insert operations. Note that if no free physical page is available when a page fault occurs, the physical-to-virtual mapping cannot be established and the user process cannot continue, so a page reclamation operation is needed. The user process checks periodically and initiates page reclamation when the number of free physical pages falls below a threshold whose value the user process chooses according to its needs;

Data structure deletion step 304: when the user process exits, return the physical pages in the data structure to the kernel; for the PPN list this is a delete operation.

This effectively prevents a user process from exploiting its permission to configure page table entries of the user-managed area to map arbitrary physical pages and thereby access the physical pages of other processes.

Method embodiment of the present invention: restricting the user process from mapping arbitrary physical pages.

The user process is entitled to configure user-level page table entries, which carries the risk of mapping arbitrary physical pages. The user-level page table is restricted as follows: when a write instruction executes, its destination address is additionally checked, and if it falls within the page table area of the user-managed area, the data written by the instruction is constrained so that the physical page number written into the page table lies within the range of physical pages the kernel allocated to the user process. Because write instruction execution lies on the critical path of the processor pipeline, a hardware-efficient method of checking the physical page range is required.

There are many ways to define the physical page range. The most direct is for the hardware to provide several groups of physical address bound (pa_bound) registers that delimit the physical pages the user process may map. This is simple to implement, but it requires the physical space allocated by the kernel to be reasonably contiguous, and a large number of pa_bound registers slows the check.

Other feasible schemes include but are not limited to recording the range of physical pages accessible to the user process in a bitmap. The specific embodiments described here serve only to explain the present invention and are not intended to limit it.

With the Bitmap method, the whole physical space is divided into zones of a configurable size (ZONE_SIZE, an integer multiple of the physical page size), and each zone corresponds to one bit; a value of 1 indicates that the user process may map into that zone.

When ZONE_SIZE is large (on the order of MB), the Bitmap is small and can be held entirely in on-chip registers, so lookups are fast, but physical space is then allocated at a coarse granularity, which can waste space. When ZONE_SIZE is small (on the order of KB), the kernel allocates physical space to user memory at a fine granularity and uses it better, but the Bitmap is correspondingly large and the Bitmap held in the on-chip register inevitably has to be replaced from time to time.

The Bitmap scheduling flow is shown in Figure 4. Here PPN denotes a physical page number and x any value, so PPNx denotes an arbitrary physical page number. The physical page number is split into two parts, PPNx[Max-1:Index] and PPNx[Index-1:0]: the former is the index used to locate the Bitmap word in memory, the latter selects a bit within the Bitmap value stored at the memory address corresponding to that index. Figure 4 comprises the following:

The whole flow is divided into a preprocessing stage 401 and the program run time 402. The preprocessing stage consists of three steps in execution order: computing the parameters 4011, filling in the contents of the entire Bitmap in memory 4012, and filling two on-chip registers 4013, which hold PPNx[Max-1:Index] and PPNx[Index-1:0] respectively.

The run-time flow is as follows:

Step 4021: check whether PPNx[Max-1:Index] matches the index of the bitmap held in the on-chip register. If it matches, the bitmap is already in the on-chip register; go to step 4022, otherwise go to step 4025;

Step 4022: using the value of PPNx[Index-1:0], extract the bit at that position from the bitmap held in the on-chip register;

Step 4023: check whether that bit of the bitmap in the on-chip register is 1; if so, go to step 4024, otherwise go to step 4026. A value of 1 means the corresponding physical page may be accessed, 0 means access to it is forbidden;

Step 4024: the user process accesses the physical page; the check ends;

Step 4025: fetch the bitmap data from memory address Bitmap_base_addr+PPNx[Max-1:Index]*WIDTH/8 and write it into the on-chip register. Here Bitmap_base_addr is the base address of the address space holding the Bitmap, WIDTH is the bit width of one Bitmap word, and WIDTH/8 is the number of bytes needed to store one Bitmap word;

Step 4026: the user process is denied access to the physical page; the check ends.
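As an added example, not code from the patent, the following C simulation implements the Bitmap check of steps 4021 to 4026 together with the write gate on page-table stores described in the two sections above. The zone size, Bitmap width, entry layout (valid bit at bit 0, PPN from bit 10 upward) and the bounds of the page-table region are constructed assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed parameters for this simulation (not the patent's values). */
#define PAGE_SHIFT   12                          /* 4 KiB physical pages            */
#define ZONE_SHIFT   16                          /* ZONE_SIZE = 64 KiB = 16 pages   */
#define WIDTH        64                          /* bits in one Bitmap word         */
#define INDEX        6                           /* log2(WIDTH): bit-select width   */
#define NZONES       4096                        /* zones covered by the Bitmap     */
#define PT_REGION_LO 0x0000700000000000ULL       /* user-level page-table region,   */
#define PT_REGION_HI 0x0000700000200000ULL       /* constructed bounds              */

/* The Bitmap itself lives in memory at Bitmap_base_addr: one bit per zone. */
static uint64_t bitmap_mem[NZONES / WIDTH];

/* The two on-chip registers of step 4013: the index of the word currently
 * cached (PPNx[Max-1:Index]) and the cached Bitmap word. */
static uint64_t reg_index = (uint64_t)-1;        /* -1: nothing cached yet */
static uint64_t reg_bitmap;
static unsigned reg_reloads;                     /* number of step-4025 refills */

/* Preprocessing 401: the kernel marks `count` zones from `first` as mappable
 * by the user process. Returns how many zones were marked. */
unsigned bitmap_allow_zones(unsigned first, unsigned count) {
    unsigned done = 0;
    for (unsigned z = first; z < first + count && z < NZONES; z++, done++)
        bitmap_mem[z / WIDTH] |= 1ULL << (z % WIDTH);
    reg_index = (uint64_t)-1;                    /* cached word is now stale */
    return done;
}

/* Run time 402: may the user process map physical page ppn? */
bool ppn_allowed(uint64_t ppn) {
    uint64_t zone = ppn >> (ZONE_SHIFT - PAGE_SHIFT);   /* zone holding ppn   */
    uint64_t idx  = zone >> INDEX;                      /* PPNx[Max-1:Index]  */
    uint64_t off  = zone & ((1ULL << INDEX) - 1);       /* PPNx[Index-1:0]    */
    if (idx >= NZONES / WIDTH) return false;            /* beyond the Bitmap  */
    if (idx != reg_index) {                             /* 4021: no match     */
        /* 4025: fetch Bitmap_base_addr + idx*WIDTH/8 into the register */
        reg_bitmap = bitmap_mem[idx];
        reg_index  = idx;
        reg_reloads++;
    }
    return (reg_bitmap >> off) & 1ULL;                  /* 4022 / 4023 */
}

/* Write gate for stores whose destination lies in the user page-table area:
 * the PPN carried by the new entry must be allowed, otherwise the store is
 * refused and user-defined interrupt handling would be entered. */
bool upt_store_allowed(uint64_t dest_va, uint64_t entry) {
    if (dest_va < PT_REGION_LO || dest_va >= PT_REGION_HI) return true;
    if (!(entry & 1ULL)) return true;                   /* invalid entry maps nothing */
    return ppn_allowed(entry >> 10);
}

unsigned bitmap_reloads(void) { return reg_reloads; }
```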

Method embodiment of the present invention: page table initialization for the user-managed space.

For the user-managed area, if the corresponding pages have not yet been mapped to physical memory, there is no page table root address, so the subsequent steps cannot proceed. To solve this, before any address translation the user process first initializes a self-mapped multi-level page table; this is called the page table initialization process.

To reduce the memory occupied by page tables, most modern operating systems use a hierarchical page table. Taking a three-level page table as the example, its virtual-to-physical translation process is shown in Figure 5. On a TLB miss, the page table walker (PTW) starts from the page table root address (sptbr, system page table base address) and fetches the page table entries for the virtual address level by level; if the corresponding entry has no physical mapping, a page fault is triggered and the kernel establishes the mapping. This process is the page table walk. Here sptbr is a physical address, and the page tables are of three kinds: the page global directory (PGD), the page middle directory (PMD) and the page table entry (PTE) table.

The first step of address translation is to read the corresponding entry of the PGD using the ppn stored in sptbr, which is the physical page address of the PGD. In modern operating systems the multi-level page tables of user processes all reside in kernel space, where they are fully set up at system initialization, so the page table contents and permission bits can be modified conveniently.

For the user-managed area, however, the PGD page itself has not been mapped to physical memory, so it has no physical page number and the address translation process cannot proceed at all. To solve this, before the user process takes over the virtual-to-physical mapping of its self-managed area, it first initializes a self-mapped three-level page table, then creates entries on the PGD, PMD and PTE pages that point to those pages themselves. This is the page table initialization process, shown in Figure 6.

To distinguish them from the conventional case, the user-level page tables are called UPGD, UPMD and UPTE, where U stands for user. The page table initialization process uses the conventional PTW design to translate the virtual addresses (VA) of UPGD, UPMD and UPTE into physical addresses (PA), giving UPGD_PA, UPMD_PA and UPTE_PA, and adds steps 601, 602 and 603, which make UPGD_PA, UPMD_PA and UPTE_PA point to the first address of their respective pages, completing the initialization. To simplify the figure, UPGD, UPMD and UPTE are placed in three consecutive pages of user space (VPN3, VPN3+1, VPN3+2); an actual implementation has no such restriction. uptbr (user page table base address) is the counterpart of sptbr and refers to the base address of the user-level page table held in a user-space register.

Method embodiment of the present invention: nested page fault handling in the user-managed space.

In the present invention the user-level page table resides in user space. When a page fault occurs in the user process, the user-defined interrupt handler reads and writes the page table, but the user-level page table in user space may not yet have been created, which causes another interrupt: a nested page fault. Taking the three-level page table as the example, nested page faults fall into three cases: a missing PGD entry, a missing PMD entry, and a missing PTE entry.

When the user-managed area is small, each level of the page table needs only one page to manage the whole area, and only a PTE entry can be missing. In this case the user-managed area cannot exceed PAGE_SIZE*(PAGE_SIZE/PTE_SIZE): because each level occupies one page, and a page holds at most PAGE_SIZE/PTE_SIZE entries, the user-level page table manages at most (PAGE_SIZE/PTE_SIZE) pages of the user-managed area; multiplied by the page size this gives the size of the area. The nested page fault handling flow is shown in Figure 7.

Step 701: a PTE entry is missing;

Step 702: check whether a free physical page frame is available; if so, go to step 703, otherwise go to step 706;

Step 703: allocate a physical page frame;

Step 704: establish the mapping for the address at which the page fault occurred;

Step 705: end;

Step 706: output an error message.

When the user-managed area is of medium size, the PTE tables it needs occupy more than one page while the PGD and PMD each still fit in one page, so either a PTE entry or a PMD entry may be missing. When a page fault occurs, the PTW first determines at which level of the page table the fault occurred; a missing PTE entry is handled exactly as in the first case, and a missing PMD entry is handled by the flow in Figure 8. "Medium size" here means larger than PAGE_SIZE*(PAGE_SIZE/PTE_SIZE) and not more than PAGE_SIZE*(PAGE_SIZE/PTE_SIZE)*(PAGE_SIZE/PTE_SIZE). The latter bound is computed as follows: the PMD occupies one page, so the user-level page table manages at most (PAGE_SIZE/PTE_SIZE) PTE tables, and each PTE table covers PAGE_SIZE*(PAGE_SIZE/PTE_SIZE) of the user-managed area; the product is the size of the area.

Step 801: a PMD entry is missing;

Step 802: check whether a free physical page frame is available; if so, go to step 803, otherwise go to step 809;

Step 803: allocate a physical page frame from the free page frame list to hold the PTE table;

Step 804: check whether a free virtual page is available; if so, go to step 805, otherwise go to step 809;

Step 805: allocate a virtual page (vpn) from the free virtual page list;

Step 806: map the virtual page to the physical page frame;

Step 807: run the missing-PTE-entry flow of Figure 7;

Step 808: end;

Step 809: output an error message.

When the user-managed area is large, the PMD tables it needs occupy more than one page, so a PTE entry, a PMD entry or a PGD entry may be missing. When a page fault occurs, the PTW likewise determines at which level the fault occurred; missing PTE and PMD entries are handled as in the two cases above, and a missing PGD entry is handled by the flow in Figure 9. "Large" here means larger than PAGE_SIZE*(PAGE_SIZE/PTE_SIZE)*(PAGE_SIZE/PTE_SIZE).

Step 901: a PGD entry is missing;

Step 902: check whether a free physical page frame is available; if so, go to step 803, otherwise go to step 809;

Step 903: allocate a physical page frame from the free page frame list to hold the PMD table;

Step 904: check whether a free virtual page is available; if so, go to step 805, otherwise go to step 809;

Step 905: allocate a virtual page (vpn) from the free virtual page list;

Step 906: map the virtual page to the physical page frame;

Step 907: run the missing-PMD-entry flow of Figure 8;

Step 908: end;

Step 909: output an error message.
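An added C simulation, not code from the patent, of the self-mapped page table initialization of steps 601 to 603 and the nested fault flows of Figures 7 to 9, drawing frames from a PPN free list as in steps 301 to 303. Frame count, virtual page numbers and the entry layout are constructed assumptions, and table pages are accessed by physical frame number rather than through their virtual addresses.

```c
#include <stdint.h>
#include <string.h>

/* Constructed simulation constants (not the patent's values). */
#define PAGE_SIZE   4096
#define PTE_SIZE    8
#define NENT        (PAGE_SIZE / PTE_SIZE)  /* 512 entries per table page */
#define IDX_BITS    9                        /* log2(NENT) */
#define NFRAMES     64                       /* frames granted by the kernel */
#define PT_VPN_BASE 0x200                    /* VPN3: table pages live here */
#define V           1ULL                     /* valid bit; PPN held from bit 10 */
#define ENT(ppn)    (((uint64_t)(ppn) << 10) | V)
#define PPN(e)      ((int)((e) >> 10))

static uint64_t mem[NFRAMES][NENT];         /* simulated physical frames */
static int free_ppn[NFRAMES], nfree_ppn;    /* PPN list (step 301) */
static int free_vpn[NENT], nfree_vpn;       /* free virtual pages for table pages */
static int vpn_of_table[NFRAMES];           /* PPN -> VPN record for table pages */
static int upgd_ppn, upte_ppn;              /* uptbr target and the self-mapped UPTE */

static int alloc_ppn(void) { return nfree_ppn ? free_ppn[--nfree_ppn] : -1; }
static int alloc_vpn(void) { return nfree_vpn ? free_vpn[--nfree_vpn] : -1; }
static int pgd_idx(uint64_t vpn) { return (int)((vpn >> (2 * IDX_BITS)) & (NENT - 1)); }
static int pmd_idx(uint64_t vpn) { return (int)((vpn >> IDX_BITS) & (NENT - 1)); }
static int pte_idx(uint64_t vpn) { return (int)(vpn & (NENT - 1)); }

/* Hardware-style walk from uptbr. Returns the data PPN, or -1 with the
 * missing level in *miss (1 = PGD entry, 2 = PMD entry, 3 = PTE entry). */
int upt_walk(uint64_t vpn, int *miss) {
    uint64_t e = mem[upgd_ppn][pgd_idx(vpn)];
    if (!(e & V)) { *miss = 1; return -1; }
    e = mem[PPN(e)][pmd_idx(vpn)];
    if (!(e & V)) { *miss = 2; return -1; }
    e = mem[PPN(e)][pte_idx(vpn)];
    if (!(e & V)) { *miss = 3; return -1; }
    *miss = 0;
    return PPN(e);
}
int upt_miss_level(uint64_t vpn) { int m; upt_walk(vpn, &m); return m; }

/* Steps 601-603: build the self-mapped UPGD/UPMD/UPTE on VPN3, VPN3+1,
 * VPN3+2. All table-page VPNs share one PMD entry, so mapping a new table
 * page never needs a further table. Returns the number of free frames. */
int upt_init(void) {
    int upmd;
    memset(mem, 0, sizeof mem);
    nfree_ppn = nfree_vpn = 0;
    for (int i = NFRAMES - 1; i >= 0; i--) free_ppn[nfree_ppn++] = i;
    for (int i = NENT - 1; i >= 3; i--) free_vpn[nfree_vpn++] = PT_VPN_BASE + i;
    upgd_ppn = alloc_ppn(); upmd = alloc_ppn(); upte_ppn = alloc_ppn();
    mem[upgd_ppn][pgd_idx(PT_VPN_BASE)] = ENT(upmd);            /* 601 */
    mem[upmd][pmd_idx(PT_VPN_BASE)]     = ENT(upte_ppn);        /* 602 */
    mem[upte_ppn][pte_idx(PT_VPN_BASE)]     = ENT(upgd_ppn);    /* 603: VPN3   -> UPGD */
    mem[upte_ppn][pte_idx(PT_VPN_BASE + 1)] = ENT(upmd);        /*      VPN3+1 -> UPMD */
    mem[upte_ppn][pte_idx(PT_VPN_BASE + 2)] = ENT(upte_ppn);    /*      VPN3+2 -> UPTE */
    vpn_of_table[upgd_ppn] = PT_VPN_BASE;
    vpn_of_table[upmd]     = PT_VPN_BASE + 1;
    vpn_of_table[upte_ppn] = PT_VPN_BASE + 2;
    return nfree_ppn;
}

/* One new table page (steps 803-806 / 903-906): a frame from the PPN list,
 * a VPN from the free virtual-page list, and a PTE in the self-mapped UPTE
 * so the user handler can reach the new table through that VPN. */
static int new_table_page(void) {
    int ppn = alloc_ppn();
    if (ppn < 0) return -1;                                    /* 802 / 902 fails */
    int vpn = alloc_vpn();
    if (vpn < 0) { free_ppn[nfree_ppn++] = ppn; return -1; }   /* 804 / 904 fails */
    mem[upte_ppn][pte_idx(vpn)] = ENT(ppn);                    /* 806 / 906 */
    vpn_of_table[ppn] = vpn;
    return ppn;
}

/* User-defined page-fault handler (Figures 7-9). Each missing level is
 * filled in, then the handler continues with the next level's flow, which
 * is the nesting the text describes. Returns 0 on success, -1 on error. */
int upt_handle_fault(uint64_t vpn) {
    int miss, data;
    uint64_t e;
    if (upt_walk(vpn, &miss) >= 0) return 0;                   /* already mapped */
    if (miss == 1) {                                           /* 901: PGD entry missing */
        int pmd = new_table_page();
        if (pmd < 0) return -1;                                /* 909 */
        mem[upgd_ppn][pgd_idx(vpn)] = ENT(pmd);
        miss = 2;                                              /* 907: PMD flow */
    }
    if (miss == 2) {                                           /* 801: PMD entry missing */
        int pte = new_table_page();
        if (pte < 0) return -1;                                /* 809 */
        e = mem[upgd_ppn][pgd_idx(vpn)];
        mem[PPN(e)][pmd_idx(vpn)] = ENT(pte);                  /* 807: PTE flow */
    }
    data = alloc_ppn();                                        /* 701-703: data frame */
    if (data < 0) return -1;                                   /* 706 */
    e = mem[upgd_ppn][pgd_idx(vpn)];
    e = mem[PPN(e)][pmd_idx(vpn)];
    mem[PPN(e)][pte_idx(vpn)] = ENT(data);                     /* 704 */
    return 0;
}

/* Fault in n consecutive pages from vpn; returns how many succeeded. */
int upt_touch_range(uint64_t vpn, int n) {
    int ok = 0;
    while (ok < n && upt_handle_fault(vpn + ok) == 0) ok++;
    return ok;
}
int upt_free_frames(void) { return nfree_ppn; }
int upt_table_vpn(int ppn) { return vpn_of_table[ppn]; }
```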

以下为与上述方法实施例对应的系统实施例,本实施方式可与上述实施方式互相配合实施。上述施方式中提到的相关技术细节在本实施方式中依然有效,为了减少重复,这里不再赘述。相应地,本实施方式中提到的相关技术细节也可应用在上述实施方式中。The following are system embodiments corresponding to the foregoing method embodiments, and this implementation manner may be implemented in cooperation with the foregoing implementation manners. The relevant technical details mentioned in the foregoing implementation manners are still valid in this implementation manner, and will not be repeated here in order to reduce repetition. Correspondingly, the relevant technical details mentioned in this implementation manner may also be applied in the foregoing implementation manners.

本发明还公开了一种基于用户级页表的进程内数据隔离保护系统,其中包括:The invention also discloses an in-process data isolation and protection system based on user-level page tables, which includes:

预处理模块,在用户进程访问内存前,通过设置用户自管理区域的界限和设置用户级页表根目录地址,实现用户级页表区域和内核页表区域的划分;该预处理模块还用于用户级页表区域的管理,包括用户级页表初始化、用户自管理区域虚拟地址与物理地址建立映射关系、物理页面对应的物理空间管理和用户级页表项中访问权限设置;The preprocessing module, before the user process accesses the memory, realizes the division of the user-level page table area and the kernel page table area by setting the boundary of the user-managed area and setting the root directory address of the user-level page table; the preprocessing module is also used for Management of the user-level page table area, including initialization of the user-level page table, establishment of a mapping relationship between the virtual address and the physical address of the user-managed area, management of the physical space corresponding to the physical page, and setting of access rights in the user-level page table entry;

处理模块,在用户进程访问内存时,首先判断请求的虚拟地址是否属于用户自管理区域,若是,则从用户级页表区域查找页表项,用户进程开启进程内的安全保护,否则从内核页表区域查找页表项,用户进程处于常规的安全保护状态;然后判断请求是否访问用户级页表区域,若是,则进一步判断请求对象是否有权访问用户级页表,且用户级页表项中写入的物理页号是否属于该用户级页表映射的物理页面范围,若是则执行访问请求,否则开启中断;若请求访问用户自管理数据区域,则用户进程执行用户级页表项权限位违法和缺页检查,若两者其一发生,则开启中断,否则执行访问请求。The processing module, when the user process accesses the memory, first judges whether the requested virtual address belongs to the user self-management area, if so, then searches the page table entry from the user-level page table area, and the user process enables the security protection in the process, otherwise, from the kernel page The table area looks for page table entries, and the user process is in a normal security protection state; then it is judged whether the request accesses the user-level page table area, and if so, it is further judged whether the request object has the right to access the user-level page table, and the user-level page table entry Whether the written physical page number belongs to the physical page range mapped by the user-level page table, if so, execute the access request, otherwise enable the interrupt; if requesting access to the user-managed data area, the user process executes the permission bit of the user-level page table item illegally And page fault check, if one of the two occurs, the interrupt is enabled, otherwise the access request is executed.

In this user-level-page-table-based in-process data isolation protection system, the preprocessing module initializes a self-mapped multi-level page table and, at each level, creates a page table entry pointing to the first address of that level's own table, which completes the initialization of the user-level page table.

The preprocessing module manages the data structure for physical space, which comprises:

a physical space management module, which obtains a preset data structure used to record the free physical page numbers allocated by the kernel;

a data structure lookup module, which, when the user self-managed area is initialized or a page fault occurs, takes several physical pages from the data structure according to the size of the requested physical space and maps them in turn to virtual pages;

a data structure insertion module, which, when a page is reclaimed, puts the physical page back into the data structure that records free physical page numbers;

a data structure deletion module, which, when the user process exits, returns the physical pages in the data structure to the kernel.

When an interrupt occurs while the program is running, the processing module executes the user-defined interrupt handling procedure, which comprises:

an interrupt detection module, by which the processor detects the interrupt in the write-back stage and starts interrupt handling;

a judgement module, which determines whether the interrupt must be handled by the user itself and, if so, invokes the user interrupt module, otherwise invokes the system interrupt module;

a user interrupt module, which lets the user process handle the interrupt itself: the processor provides a set of user-specific registers that save the program counter of the interrupted instruction, the cause of the interrupt and the memory address being accessed; the program jumps to the entry of the user interrupt handler, executes the user-defined interrupt handler, and then ends interrupt handling;

a system interrupt module, which executes the conventional kernel interrupt handling flow and then ends interrupt handling.
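The processing module's access checks, the free-page data structure and the user-handled trap path described above, combined in one runnable C simulation. This is an added example written for this page, not the patent's own implementation or code from the inventors. It makes assumptions the patent does not state: a single-level page table (the patent uses a self-mapped multi-level table) occupying the first virtual page of a 64-page user self-managed region at 0x40000000 and mapping itself through entry 0; 64 simulated physical pages; an allowed[] bitmap as the kernel-built legality structure; a may_edit_pt flag standing in for the patent's "program object entitled to access the user-level page table"; and the names ulimit_lo/ulimit_hi, uptbr and uepc/ucause/utval chosen here for the limit registers, the user page table root and the user-specific trap registers. The scenario in run_demo is constructed: a store to an unmapped data page traps, the user handler maps a granted page and the store is retried; an execute of a page without the X bit is refused; a store into the page-table region that points at a PFN the kernel never granted is refused; and an object without page-table rights cannot retarget a live entry.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ull << PAGE_SHIFT)
#define NPHYS      64                     /* simulated physical pages (assumed) */
#define UREGION_LO 0x40000000ull          /* user self-managed region, 64 pages (assumed) */
#define UREGION_HI (UREGION_LO + 64 * PAGE_SIZE)
#define PTE_PFN(e)        ((uint32_t)((e) >> PAGE_SHIFT))
#define MK_PTE(pfn, perm) (((uint64_t)(pfn) << PAGE_SHIFT) | (perm))
enum { PTE_V = 1, PTE_R = 2, PTE_W = 4, PTE_X = 8, PTE_A = 16, PTE_D = 32 };   /* A/D mark access state */
enum access { ACC_READ, ACC_WRITE, ACC_EXEC };
enum status { OK, KERNEL_PATH, FAULT_PT_NO_RIGHT, FAULT_PT_PFN_RANGE, FAULT_NOT_PRESENT, FAULT_PERM };

static uint64_t phys[NPHYS][PAGE_SIZE / 8];   /* simulated physical memory, 64-bit words */
static uint8_t  allowed[NPHYS];               /* kernel-built structure: PFNs the user PT may map */
static uint32_t freepool[NPHYS];              /* user-side record of granted, still-free PFNs */
static int      nfree, user_faults_handled;
/* Limit registers, user page table root, and user-specific trap registers (assumed names). */
struct cpu { uint64_t ulimit_lo, ulimit_hi; uint32_t uptbr; uint64_t uepc, ucause, utval; };

/* Kernel side: grant n physical pages starting at first and record them as mappable. */
static void kernel_grant_pages(uint32_t first, uint32_t n) {
    while (n-- && first < NPHYS) { allowed[first] = 1; freepool[nfree++] = first++; }
}
/* Data structure deletion at process exit: still-free pages go back to the kernel. */
static int kernel_reclaim_all(void) { int n = nfree; while (nfree) allowed[freepool[--nfree]] = 0; return n; }

/* Hardware check on a store into the page-table region (the region's first virtual page,
 * which maps itself): the writer must be entitled and the PFN must be kernel-granted. */
static enum status write_user_pte(struct cpu *c, uint64_t dst_va, uint64_t val, bool may_edit_pt) {
    if (!may_edit_pt) return FAULT_PT_NO_RIGHT;
    if (PTE_PFN(val) >= NPHYS || !allowed[PTE_PFN(val)]) return FAULT_PT_PFN_RANGE;
    phys[c->uptbr][(dst_va - c->ulimit_lo) / 8] = val;
    return OK;
}

/* User-defined trap handler: maps a free page on a missing-page fault, refuses all else. */
static bool user_trap_handler(struct cpu *c) {
    if (c->ucause != FAULT_NOT_PRESENT || nfree == 0) return false;
    uint32_t pfn = freepool[--nfree];
    memset(phys[pfn], 0, PAGE_SIZE);
    uint64_t pte_va = c->ulimit_lo + ((c->utval - c->ulimit_lo) >> PAGE_SHIFT) * 8;
    if (write_user_pte(c, pte_va, MK_PTE(pfn, PTE_V | PTE_R | PTE_W), true) != OK) return false;
    user_faults_handled++;
    return true;
}

/* One access issued at pc to va, checked in the order the processing module describes. */
static enum status access_mem(struct cpu *c, uint64_t pc, uint64_t va, enum access type,
                              uint64_t wval, bool may_edit_pt, uint64_t *rval) {
    if (va < c->ulimit_lo || va >= c->ulimit_hi) return KERNEL_PATH;   /* ordinary kernel page table */
    uint64_t off = va - c->ulimit_lo;
    if (off < PAGE_SIZE) {                                             /* the user-level page table itself */
        if (type != ACC_WRITE) return may_edit_pt ? OK : FAULT_PT_NO_RIGHT;   /* reads gated too; data path omitted */
        return write_user_pte(c, va, wval, may_edit_pt);
    }
    uint64_t need = type == ACC_READ ? PTE_R : type == ACC_WRITE ? PTE_W : PTE_X;
    for (int attempt = 0; attempt < 2; attempt++) {                    /* one retry after a user-handled trap */
        uint64_t *pte = &phys[c->uptbr][off >> PAGE_SHIFT];
        enum status st = !(*pte & PTE_V) ? FAULT_NOT_PRESENT : !(*pte & need) ? FAULT_PERM : OK;
        if (st == OK) {
            uint64_t *p = &phys[PTE_PFN(*pte)][(off & (PAGE_SIZE - 1)) / 8];
            *pte |= PTE_A;
            if (type == ACC_WRITE) { *pte |= PTE_D; *p = wval; } else if (rval) *rval = *p;
            return OK;
        }
        c->uepc = pc; c->ucause = st; c->utval = va;                   /* saved for the user handler */
        if (!user_trap_handler(c)) return st;                          /* not user-handled: kernel path */
    }
    return FAULT_NOT_PRESENT;
}

/* Preprocessing: set the limit registers, take one granted page for the table, self-map it. */
static void process_init(struct cpu *c) {
    memset(phys, 0, sizeof phys); memset(allowed, 0, sizeof allowed); nfree = user_faults_handled = 0;
    c->ulimit_lo = UREGION_LO; c->ulimit_hi = UREGION_HI;
    kernel_grant_pages(8, 16);                                         /* kernel grants PFNs 8..23 */
    c->uptbr = freepool[--nfree];
    phys[c->uptbr][0] = MK_PTE(c->uptbr, PTE_V | PTE_R | PTE_W);       /* self-map entry */
}

struct demo { enum status a, b, e, c, d; uint64_t readback; int faults, returned; };
/* Scenario: fault-in of a data page, a denied execute, a forged mapping to an ungranted PFN,
 * and an unentitled object retargeting a live PTE. */
static struct demo run_demo(void) {
    struct cpu c = {0}; struct demo r = {0};
    process_init(&c);
    uint64_t data = UREGION_LO + 5 * PAGE_SIZE + 0x40;
    r.a = access_mem(&c, 0x1000, data, ACC_WRITE, 0xdeadbeef, false, NULL);   /* faults, mapped, retried */
    r.b = access_mem(&c, 0x1004, data, ACC_READ, 0, false, &r.readback);
    r.e = access_mem(&c, 0x1008, data, ACC_EXEC, 0, false, NULL);             /* no X bit: refused */
    r.c = access_mem(&c, 0x100c, UREGION_LO + 7 * 8, ACC_WRITE, MK_PTE(40, PTE_V | PTE_R), true, NULL);
    r.d = access_mem(&c, 0x1010, UREGION_LO + 5 * 8, ACC_WRITE, MK_PTE(9, PTE_V | PTE_R), false, NULL);
    r.faults = user_faults_handled;
    r.returned = kernel_reclaim_all();
    return r;
}

int main(void) { struct demo r = run_demo(); return r.faults == 1 && r.returned == 14 ? 0 : 1; }
```

The simulation returns a status instead of actually trapping: KERNEL_PATH, and any status the user handler declines, mark the points where a real system would enter the conventional kernel handler. The check order matters for the isolation guarantee: the PFN-range test runs on every store into the page-table region, so even an entitled writer can only ever map pages the kernel handed to this process, which is what keeps inter-process isolation intact while the process manages its own mappings.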

Claims (10)

1. A user-level-page-table-based in-process data isolation protection method, characterized in that it comprises: dividing off part of the virtual space of a user process to be managed by the user process itself, as a user self-managed area; dividing the user self-managed area into a user-level page table area and a user self-managed data area, the user-level page table area being used to store the user-level page table and the user self-managed data area being used to store protected sensitive data, the sensitive data being managed only by the user-level page table, where management comprises modifying the virtual-to-physical address mapping, setting read, write and execute permissions, and marking the read/write access state.

2. The user-level-page-table-based in-process data isolation protection method as claimed in claim 1, characterized in that the user-level page table and the kernel page table are separated as follows: when a memory access instruction of the user process triggers the hardware page table entry lookup, it is determined whether the virtual address requested by the instruction lies within the bounds of the user self-managed area; if so, the root directory address of the user-level page table is selected and the page table entry is looked up in the user-level page table area; otherwise the root directory address of the kernel page table is selected and the page table entry is looked up in the kernel area; the processor includes a virtual address limit register for storing the upper and lower bounds of the user self-managed area, and further includes an address register for storing the root directory address of the user-level page table.

3. The user-level-page-table-based in-process data isolation protection method as claimed in claim 1, characterized in that the contents of the user-level page table are managed by the user process itself; during execution the user process itself requests and allocates virtual pages of the user self-managed area and establishes the mapping between those virtual pages and physical pages, the physical pages being obtained by the user process from the kernel.

4. The user-level-page-table-based in-process data isolation protection method as claimed in claims 1 and 3, characterized in that the range of physical pages the user-level page table may map is restricted by the following steps: when the processor executes a write instruction whose destination address lies in the user-level page table area of the user self-managed area, the data written by the instruction is a page table entry of the user-level page table area; the physical page number of the physical page mapped by the destination address is obtained from that entry and checked for legality, where legal means lying in the kernel-configured range of physical pages the user-level page table may map; if it is illegal, an interrupt is raised and the write instruction is prevented from writing the entry into the user-level page table area, otherwise the write instruction is allowed to write the entry into the user-level page table area. The range of physical pages the user-level page table may map is set by the following steps: the kernel builds a data structure whose data elements are the mapped physical page addresses, or the physical page numbers of the mapped physical pages, or indicator bits corresponding to those physical page numbers; the legality check on the physical page number when writing the user-level page table is performed by looking up that data element.

5. The user-level-page-table-based in-process data isolation protection method as claimed in claim 1, characterized in that the program objects allowed to access the user-level page table are restricted, so as to protect the user-level page table.

6. The user-level-page-table-based in-process data isolation protection method as claimed in claim 1 or 3, characterized in that, before the virtual-to-physical page mapping of the user self-managed area is established, a self-mapped multi-level page table is initialized and, at each level, a page table entry pointing to the first address of that level's own table is created, completing the initialization of the user-level page table.

7. The user-level-page-table-based in-process data isolation protection method as claimed in claim 1 or 3, characterized in that, if an interrupt occurs while the user process executes a memory access instruction that triggers the virtual-to-physical page mapping of the user self-managed area, the following steps are performed:

Step 201, the processor detects the interrupt in the write-back stage and starts interrupt handling;

Step 202, it is determined whether the interrupt must be handled by the user process itself; if so, step 203 is executed, otherwise step 206;

Step 203, the user process handles the interrupt itself, the processor providing a set of user-specific registers that save the program counter of the interrupted instruction, the cause of the interrupt and the memory address being accessed;

Step 204, the program jumps to the entry of the user interrupt handler and executes the user-defined interrupt handler;

Step 205, end;

Step 206, the conventional kernel interrupt handling flow is executed, after which step 205 is executed.

8. The user-level-page-table-based in-process data isolation protection method as claimed in claim 1 or 3, characterized in that the physical space corresponding to the physical pages the user process obtains from the kernel is managed by:

a physical space management step, obtaining a preset data structure used to record the free physical page numbers allocated by the kernel;

a data structure lookup step, which, when the user self-managed area is initialized or a page fault occurs, takes several physical pages from the data structure according to the size of the requested physical space and maps them in turn to virtual pages;

a data structure insertion step, which, when a page is reclaimed, puts the physical page back into the data structure that records free physical page numbers;

a data structure deletion step, which, when the user process exits, returns the physical pages in the data structure to the kernel.

9. A user-level-page-table-based in-process data isolation protection system, characterized in that it comprises:

a preprocessing module, which, before the user process accesses memory, separates the user-level page table area from the kernel page table area by setting the bounds of the user self-managed area and the root directory address of the user-level page table; the preprocessing module also manages the user-level page table area, which includes initializing the user-level page table, establishing the mapping between virtual and physical addresses of the user self-managed area, managing the physical space corresponding to the physical pages, and setting the access permissions in the user-level page table entries;

a processing module, which, when the user process accesses memory, first determines whether the requested virtual address belongs to the user self-managed area; if so, the page table entry is looked up in the user-level page table area and the user process runs under in-process protection, otherwise the page table entry is looked up in the kernel page table area and the user process remains under conventional protection; it then determines whether the request targets the user-level page table area and, if so, further checks whether the requesting object is entitled to access the user-level page table and whether the physical page number being written into the user-level page table entry lies within the range of physical pages that this user-level page table may map, performing the access if both hold and otherwise raising an interrupt; if the request targets the user self-managed data area, the user process checks the user-level page table entry for a permission-bit violation and for a missing page, raising an interrupt if either occurs and otherwise performing the access.

10. The user-level-page-table-based in-process data isolation protection system as claimed in claim 9, characterized in that the preprocessing module initializes a self-mapped multi-level page table and, at each level, creates a page table entry pointing to the first address of that level's own table, completing the initialization of the user-level page table;

the preprocessing module manages the data structure for physical space, which comprises:

a physical space management module, which obtains a preset data structure used to record the free physical page numbers allocated by the kernel;

a data structure lookup module, which, when the user self-managed area is initialized or a page fault occurs, takes several physical pages from the data structure according to the size of the requested physical space and maps them in turn to virtual pages;

a data structure insertion module, which, when a page is reclaimed, puts the physical page back into the data structure that records free physical page numbers;

a data structure deletion module, which, when the user process exits, returns the physical pages in the data structure to the kernel;

when an interrupt occurs while the program is running, the processing module executes the user-defined interrupt handling procedure, which comprises:

an interrupt detection module, by which the processor detects the interrupt in the write-back stage and starts interrupt handling;

a judgement module, which determines whether the interrupt must be handled by the user itself and, if so, invokes the user interrupt module, otherwise invokes the system interrupt module;

a user interrupt module, which lets the user process handle the interrupt itself: the processor provides a set of user-specific registers that save the program counter of the interrupted instruction, the cause of the interrupt and the memory address being accessed; the program jumps to the entry of the user interrupt handler, executes the user-defined interrupt handler, and then ends interrupt handling;

a system interrupt module, which executes the conventional kernel interrupt handling flow and then ends interrupt handling.
Priority Applications (1)

Application Number | Priority Date | Filing Date | Title | Status | Granted As
--- | --- | --- | --- | --- | ---
CN201810589291.0A | 2018-06-08 | 2018-06-08 | In-process data isolation protection method and system based on user-level page table | Active | CN109002706B (en)

Publications (2)

Publication Number | Publication Date
--- | ---
CN109002706A | 2018-12-14
CN109002706B | 2021-04-06

Family ID: 64600619

Country Status (1)

Country | Link
--- | ---
CN | CN109002706B (en)

Cited By (31)

* Cited by examiner, † Cited by third party. All entries below are marked * (cited by examiner).

Publication number | Priority date | Publication date | Assignee | Title
--- | --- | --- | --- | ---
CN110069935A | 2019-03-20 | 2019-07-30 | 上海交通大学 | Inside protecting sensitive data method and system based on label memory
CN113626843A | 2019-04-09 | 2021-11-09 | 杨力祥 | A runtime access control apparatus and method
CN110147670A | 2019-05-21 | 2019-08-20 | 电子科技大学 | Persistence method for protecting EMS memory between a kind of process working in kernel state
CN110147670B | 2019-05-21 | 2020-10-27 | 电子科技大学 | Inter-process persistent memory protection method working in kernel mode
EP3757804A1 | 2019-06-28 | 2020-12-30 | INTEL Corporation | Page tables for granular allocation of memory pages
CN110532767A | 2019-08-19 | 2019-12-03 | 上海交通大学 | Internal insulation method towards SGX security application
CN111143900A | 2019-12-24 | 2020-05-12 | 海光信息技术有限公司 | Data processing, access control method, system, device, device, storage medium
CN111143900B | 2019-12-24 | 2023-09-26 | 海光信息技术(苏州)有限公司 | Data processing and access control method, system, device, equipment and storage medium
CN113032086A | 2019-12-25 | 2021-06-25 | 中兴通讯股份有限公司 | Virtual machine deployment and live migration method, VMM (virtual machine monitor) upgrading method and server
CN111367831A | 2020-03-26 | 2020-07-03 | 超验信息科技(长沙)有限公司 | Deep prefetching method and component for translation page table, microprocessor and computer equipment
CN111597124A | 2020-04-21 | 2020-08-28 | 重庆大学 | Persistent memory file system data organization method, system and storage medium
CN112182560A | 2020-09-17 | 2021-01-05 | 上海交通大学 | Efficient isolation method, system and medium for Intel SGX interior
CN112182560B | 2020-09-17 | 2022-04-26 | 上海交通大学 | Efficient isolation methods, systems and media for Intel SGX internals
CN112379927A | 2020-11-17 | 2021-02-19 | 深圳市和讯华谷信息技术有限公司 | Method and device for remotely executing code instructions, computer equipment and storage medium
CN112379927B | 2020-11-17 | 2024-01-23 | 深圳市和讯华谷信息技术有限公司 | Method, device, computer equipment and storage medium for remotely executing code instructions
CN112817780A | 2021-02-01 | 2021-05-18 | 上海交通大学 | Method and system for realizing safety and high-performance interprocess communication
CN112817780B | 2021-02-01 | 2022-03-11 | 上海交通大学 | A method and system for implementing secure and high-performance interprocess communication
CN114218125A | 2021-04-09 | 2022-03-22 | 无锡江南计算技术研究所 | Fork memory supporting method based on heterogeneous processor
CN114218125B | 2021-04-09 | 2025-05-20 | 无锡江南计算技术研究所 | Fork memory supporting method based on heterogeneous processor
CN115904502A | 2021-08-18 | 2023-04-04 | 华为技术有限公司 | Virtual machine management method, related system, and storage medium
WO2023098536A1 | 2021-11-30 | 2023-06-08 | 华为技术有限公司 | Method and apparatus for running process
WO2023098653A1 | 2021-11-30 | 2023-06-08 | 华为技术有限公司 | Kernel protecting method, apparatus and system
CN114579482A | 2022-01-17 | 2022-06-03 | 上海交通大学 | Hybrid physical memory protection method and system
CN114579482B | 2022-01-17 | 2024-12-24 | 上海交通大学 | Hybrid physical memory protection method and system
CN115061954A | 2022-08-18 | 2022-09-16 | 统信软件技术有限公司 | Missing page interrupt processing method, computing device and storage medium
CN115061954B | 2022-08-18 | 2022-11-29 | 统信软件技术有限公司 | Missing page interrupt processing method, computing device and storage medium
CN115421789A | 2022-08-30 | 2022-12-02 | 贵州电网有限责任公司贵阳供电局 | Fuxi processor-based address conversion method, device, equipment and medium
CN115934002A | 2023-03-08 | 2023-04-07 | 阿里巴巴(中国)有限公司 | Solid state disk access method, solid state disk, storage system and cloud server
CN115934002B | 2023-03-08 | 2023-08-04 | 阿里巴巴(中国)有限公司 | Solid state disk access method, solid state disk, storage system and cloud server
CN116185902A | 2023-04-13 | 2023-05-30 | 阿里云计算有限公司 | Table segmentation method, system, electronic equipment and readable medium
CN119003186A | 2024-10-23 | 2024-11-22 | 浙江大华技术股份有限公司 | Isolated kernel, process running method and device and computer storage medium

Patent Citations (4)

* Cited by examiner, † Cited by third party. All entries below are marked * (cited by examiner).

Publication number | Priority date | Publication date | Assignee | Title
--- | --- | --- | --- | ---
CN1737761A | 2004-08-18 | 2006-02-22 | 中兴通讯股份有限公司 | The method of protecting the private data area and stack area of the specified process
CN103699498A | 2013-11-25 | 2014-04-02 | 南京大学 | Application key data protection system and protection method
CN104092743A | 2014-06-27 | 2014-10-08 | 清华大学 | Method and system for protecting user data in cloud environment
CN105335306A | 2014-06-30 | 2016-02-17 | 华为技术有限公司 | Memory control method and memory control device

Also Published As

Publication number | Publication date
--- | ---
CN109002706B (en) | 2021-04-06

Similar Documents

Publication | Title
--- | ---
CN109002706B (en) | In-process data isolation protection method and system based on user-level page table
JP5581403B2 (en) | Store secure mode page table data in secure and non-secure areas of memory
US7620766B1 (en) | Transparent sharing of memory pages using content comparison
CN109359487B (en) | Extensible security shadow storage and tag management method based on hardware isolation
US7870336B2 (en) | Operating system protection against side-channel attacks on secrecy
US8296538B2 (en) | Storing secure mode page table data in secure and non-secure regions of memory
US7069389B2 (en) | Lazy flushing of translation lookaside buffers
US5845331A (en) | Memory system including guarded pointers
TWI796414B (en) | Apparatus, method, computer program, and storage medium for region fusing
US8677457B2 (en) | Security for codes running in non-trusted domains in a processor core
US11461248B2 (en) | Code realms
WO2020057394A1 (en) | Method and device for monitoring memory access behavior of sample process
JP2020527777A (en) | Invalidating the target realm in the realm hierarchy
JP2009516310A (en) | Page coloring that maps memory pages to programs
EP3867763B1 (en) | Trusted intermediary realm
EP3818447B1 (en) | Memory access control
TW202439129A (en) | Tag protecting instruction
CN118395421A (en) | Kernel data isolation method and system based on multi-kernel page table template
CN116635855A (en) | Apparatus and method for managing access of executable code to data memory based on execution context
US20250284530A1 (en) | Static Trusted Execution Environment for Inter-Architecture Processor Program Compatibility
CN119004489B (en) | Trusted Execution Environment System
US20230342289A1 (en) | Apparatus and method for managing capabilities
Zhou et al. | PointerLock: Protecting Function Pointers with Access Control on Page

Legal Events

Code | Title
--- | ---
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant
