A TrustZone-Based Scheme for Protecting Sensitive Applications in Open Environments
Published: 2018-06-24 09:14
Topic: TrustZone + trusted execution environment. Source: Journal of Computer Research and Development (计算机研究与发展), 2017, Issue 10
[Abstract]: Targeting new application scenarios such as BYOD (bring your own device) and mobile cloud computing, which demand both strong security and high openness, this paper proposes a scheme for protecting sensitive applications on mobile embedded platforms. To meet the strong-security requirement, the scheme builds a trusted execution environment on ARM TrustZone hardware isolation, so that sensitive applications remain protected even when the entire operating system kernel is compromised. To meet the openness requirement, the scheme provides two advantages that conventional TrustZone designs lack. First, the TrustZone protection domain is extended into the normal world: rather than hosting the sensitive applications themselves, the secure world runs only a lightweight monitor module that supervises the behaviour of the normal-world kernel. The trusted computing base therefore does not grow with the number of sensitive applications, which shrinks the attack surface and the scope for latent vulnerabilities. Second, the monitor ensures that the kernel delivers secure system services to these applications, providing the functional support that openness requires, such as standard system call interfaces and dynamic deployment and loading of sensitive applications. Finally, the scheme introduces a kernel active attestation mechanism, in which the kernel proactively supplies key information that helps the monitor verify the kernel's own behaviour, which noticeably improves runtime efficiency. A prototype was implemented on a real device; the experimental results demonstrate the security of the scheme and an acceptable runtime overhead.
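The abstract describes the monitor's job only at a high level. The following C model, added here as an illustration and not the paper's implementation, shows the shape of a check a secure-world monitor can perform under a kernel active attestation scheme: the normal-world kernel reports which of its code regions to measure (saving the monitor a full memory walk), and the monitor recomputes each digest against reference values enrolled at boot. It also shows the completeness check a practitioner must not forget: a kernel that is allowed to choose what gets measured could otherwise omit the segment it modified. All names (`monitor_enroll`, `monitor_verify`, `kernel_report`) and the constructed "kernel memory" are assumptions for the example; the FNV-1a hash stands in for a cryptographic digest so the code runs stand-alone, and in a real design the report would arrive via an SMC call and the monitor would first validate that every reported address lies inside normal-world kernel memory.

```c
/* Illustrative secure-world monitor model for kernel active attestation.
 * Added example with hypothetical names; not the paper's implementation. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_REGIONS 8

/* A measurable kernel code segment the monitor is allowed to read. */
struct region {
    uint32_t id;          /* stable segment identifier (e.g. .text, syscall table) */
    const uint8_t *base;  /* normal-world address */
    size_t len;
};

/* What the kernel hands to the monitor (the SMC payload in a real design). */
struct kernel_report {
    size_t count;
    struct region regions[MAX_REGIONS];
};

/* Reference measurements, held only in the secure world. */
struct measurement { uint32_t id; uint64_t digest; };
static struct measurement reference[MAX_REGIONS];
static size_t reference_count;

/* FNV-1a: non-cryptographic stand-in for SHA-256 so the example is self-contained.
 * A real monitor must use a collision-resistant hash. */
static uint64_t digest(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Boot-time enrollment: measure the segments while they are known-good. */
int monitor_enroll(const struct region *regs, size_t count) {
    if (count > MAX_REGIONS) return -1;
    for (size_t i = 0; i < count; i++) {
        reference[i].id = regs[i].id;
        reference[i].digest = digest(regs[i].base, regs[i].len);
    }
    reference_count = count;
    return 0;
}

enum verify_result { VERIFY_OK = 0, VERIFY_BAD_REPORT, VERIFY_TAMPERED, VERIFY_INCOMPLETE };

/* Runtime check. Two conditions: every reported region matches its reference
 * digest, AND every enrolled region appears in the report. Without the second
 * condition a compromised kernel could simply leave out the segment it patched. */
int monitor_verify(const struct kernel_report *rep) {
    if (rep->count > MAX_REGIONS) return VERIFY_BAD_REPORT;
    uint32_t seen = 0;  /* bitmask over reference[] indices */
    for (size_t i = 0; i < rep->count; i++) {
        size_t j;
        for (j = 0; j < reference_count; j++)
            if (reference[j].id == rep->regions[i].id) break;
        if (j == reference_count) return VERIFY_BAD_REPORT;  /* unknown segment id */
        if (digest(rep->regions[i].base, rep->regions[i].len) != reference[j].digest)
            return VERIFY_TAMPERED;
        seen |= 1u << j;
    }
    if (seen != ((1u << reference_count) - 1u)) return VERIFY_INCOMPLETE;
    return VERIFY_OK;
}

/* Constructed "kernel memory" for the scenarios below. */
static uint8_t fake_text[64];
static uint8_t fake_syscall_table[32];

/* Exercises honest, tampered and incomplete reports; returns 0 if all behave as expected. */
int run_scenarios(void) {
    memset(fake_text, 0xA5, sizeof fake_text);
    for (size_t i = 0; i < sizeof fake_syscall_table; i++) fake_syscall_table[i] = (uint8_t)i;

    struct region regs[2] = {
        { 1, fake_text, sizeof fake_text },
        { 2, fake_syscall_table, sizeof fake_syscall_table },
    };
    if (monitor_enroll(regs, 2) != 0) return 1;

    struct kernel_report rep;
    rep.count = 2; rep.regions[0] = regs[0]; rep.regions[1] = regs[1];
    if (monitor_verify(&rep) != VERIFY_OK) return 2;          /* honest kernel */

    fake_syscall_table[5] = 0xFF;                             /* attacker hooks an entry */
    if (monitor_verify(&rep) != VERIFY_TAMPERED) return 3;

    rep.count = 1;                                            /* kernel omits the hooked table */
    if (monitor_verify(&rep) != VERIFY_INCOMPLETE) return 4;

    fake_syscall_table[5] = 5; rep.count = 2;                 /* restore */
    if (monitor_verify(&rep) != VERIFY_OK) return 5;
    return 0;
}
```

The efficiency gain the abstract attributes to active attestation comes from the kernel narrowing what the monitor measures; the completeness check in `monitor_verify` is what keeps that narrowing from becoming an evasion channel.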
[Affiliations]: Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences; University of Chinese Academy of Sciences; State Key Laboratory of Computer Science (Institute of Software, Chinese Academy of Sciences)
[Funding]: National Natural Science Foundation of China (91118006, 61402455, 61602455)
[Classification]: TP309
Article ID: 2060992
Link: http://www.sikaile.net/kejilunwen/ruanjiangongchenglunwen/2060992.html