CN109564605A - Method and apparatus for implementing a programmable security unit for a computer system - Google Patents
- Publication number: CN109564605A (application CN201680088681.9A)
- Authority: CN (China)
- Prior art keywords: memory, application program, security unit, code, data
- Legal status: Pending
Classifications
- G06F12/0833: Cache consistency protocols using a bus scheme, e.g. with bus monitoring or watching means, in combination with broadcast means (e.g. for invalidation or updating) (under G06F12/00, Accessing, addressing or allocating within memory systems or architectures)
- G06F21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting (under G06F21/00, Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F21/79: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories (under G06F21/00)
Abstract
A computer system includes a memory, a processor and a programmable security unit. The programmable security unit resides outside the memory and the processor, and monitors the code in the memory that is executed by the processor and the data in the memory that is accessed by that code.
Description
Technical field
Embodiments of the disclosure relate to providing security in computer systems. More specifically, embodiments of the disclosure relate to a method and apparatus for implementing a programmable security unit for a computer system.
Background
Security is a major consideration for modern computing systems. Monitoring for viruses and threats is currently a critical activity performed by computer anti-virus software. Anti-virus software was originally developed to detect and remove computer viruses. As computer viruses have evolved and continue to become more complex, and as the proliferation of new types of malware continues, anti-virus software has evolved to offer protection against other computer threats. In particular, modern anti-virus software can protect against malicious Browser Helper Objects (BHOs), browser hijackers, keyloggers, backdoors, rootkits, Trojan horses, worms, adware and spyware. Some anti-virus software can also provide protection against other computer threats, such as infected and malicious URLs, spam, fraud and phishing attacks.
Anti-virus software can perform many different types of checks. One type of check performed by anti-virus software may include performing comparisons to detect known viruses, worms and other types of malware. Another type of check performed by anti-virus software may include performing comparisons to identify signatures or markers that may be new types of threats, or to identify bad types of behaviour.
Many approaches have been developed to address the different types of checks performed by anti-virus software. For example, learning techniques such as machine learning can be used to observe, identify and predict malicious behaviour. Depending on the complexity of the tasks performed by the anti-virus software, the computation required by the anti-virus software may need a large amount of computing resources.
Description of the drawings
The features and advantages of embodiments of the disclosure are illustrated by way of example, and are not intended to be limited to the specific embodiments shown in the figures.
Fig. 1 is a block diagram of a computer system that implements a programmable security unit according to an exemplary embodiment of the disclosure.
Fig. 2 is a block diagram illustrating sub-components of a computer system that implements a programmable security unit according to an exemplary embodiment of the disclosure.
Fig. 3 illustrates a security kernel table according to an exemplary embodiment of the disclosure.
Fig. 4 is a flow chart illustrating a method for managing a system security unit according to an exemplary embodiment of the disclosure.
Fig. 5 is a flow chart illustrating a method for managing a security kernel management unit according to an exemplary embodiment of the disclosure.
Fig. 6 is a block diagram of a system security unit according to an exemplary embodiment of the disclosure.
Fig. 7 is a block diagram of a security kernel management unit according to an exemplary embodiment of the disclosure.
Fig. 8 illustrates an exemplary field programmable gate array (FPGA) that implements a programmable security unit according to an exemplary embodiment of the disclosure.
Detailed description
In the following description, for purposes of explanation, specific terminology is set forth to provide a thorough understanding of embodiments of the disclosure. It will be apparent to those skilled in the art that the specific details in the description may not be required to practice embodiments of the disclosure. In other instances, well known circuits, devices, processes and procedures are shown in block diagram form to avoid unnecessarily obscuring embodiments of the disclosure.
From a computational point of view, anti-virus software may be intrusive. Anti-virus software may require a large number of compute cycles. When it executes at run time on a processor shared with the user applications it monitors, anti-virus software may interfere with the user's experience. According to embodiments of the disclosure, a programmable security unit is disclosed that resides outside the memory and the processor of a computer system. The programmable security unit monitors the code in memory that is executed by the processor. The programmable security unit offers the potential advantage of supplying additional computing resources that allow threats in the code associated with the application programs executed by the processor to be monitored without interfering with the execution of the application programs. The programmable security unit also offers the potential advantage of monitoring multiple application programs in parallel, and can be configured to allow an application programmer or user to specify, for each application program: 1) the process to be used to monitor the code and data in memory corresponding to the application program, 2) the memory range in memory corresponding to the application program, 3) a limit on the memory bandwidth used to monitor the application program, and 4) the action to be taken in response to a threat detected in the code and data.
Fig. 1 is a block diagram of a computer system 100 according to an exemplary embodiment of the disclosure. Computer system 100 may be implemented by a desktop computer, laptop computer, smart phone, tablet computer, smart appliance or other computing device. Computer system 100 includes a processor 101 that processes data signals. Fig. 1 shows computer system 100 with a single processor. However, it should be understood that computer system 100 may operate with multiple processors. Processor 101 may be implemented by one or more single-core or multi-core processors.
Processor 101 is coupled to an input/output (I/O) subsystem 110. I/O subsystem 110 may include a memory controller hub, an I/O control hub, communication links and/or other components and subsystems to facilitate I/O operations. Depending on the embodiment of computing device 100, I/O subsystem 110 transmits data signals between components in computing device 100. In this embodiment, I/O subsystem 110 may include a single bus or a combination of multiple buses. Computing device 100 includes a memory 102. Memory 102 is coupled to I/O subsystem 110. Memory 102 may be a dynamic random access memory device, a static random access memory device and/or another memory device. Memory 102 may store instructions and code, represented by data signals, that may be executed by processor 101. A data storage device 103 is coupled to I/O subsystem 110. Data storage device 103 may be implemented with a device configured for short-term or long-term storage of data, such as a solid state drive, a memory card or another mass storage device.
Peripheral devices 104 are coupled to I/O subsystem 110. Peripheral devices 104 may include various I/O devices, such as devices that support communication and display. Peripheral devices 104 may include a display and touch screen, buttons, switches, a keyboard, a mouse, a speaker, a microphone and/or other peripheral devices. A network controller 105 is coupled to I/O subsystem 110. The network controller may link computer system 100 to a computer network (not shown) and support communication between machines. It will be appreciated that computing devices with different architectures or with different components may also be used to implement computer system 100.
According to embodiments of the disclosure, one or more application programs 120 may be assigned to memory 102 and executed by processor 101. The code and data in memory corresponding to the application programs may be monitored by a programmable security unit 130 to identify potential threats. Programmable security unit 130 resides outside processor 101 and memory 102, and may apply a specified process to monitor the code and data corresponding to the one or more application programs. According to embodiments of the disclosure, programmable security unit 130 uses non-coherent memory reads to scan lines in memory 102, so as to avoid snooping other processors or processor cores that access those lines.
Programmable security unit 130 provides computer system 100 with an engine that performs security monitoring during the run time of the application programs, without excessively burdening processor 101 while processor 101 runs the application programs. According to embodiments of the disclosure, programmable security unit 130 may be implemented by a field programmable gate array (FPGA) or another computing device.
Fig. 2 is a block diagram illustrating sub-components of a computer system 200 that implements a programmable security unit 220 according to an exemplary embodiment of the disclosure. The processor 210, programmable security unit 220 and memory 230 illustrated in Fig. 2 may be used to implement the processor 101, programmable security unit 130 and memory 102 illustrated in Fig. 1.
Processor 210 includes a system security unit 211. System security unit 211 registers the application programs to be monitored by programmable security unit 220. For each application program to be monitored, system security unit 211 identifies the memory range or region in memory 230 at which the code and data corresponding to the application program are to be monitored. System security unit 211 identifies the process to be used to monitor the application program. The process may include one or more algorithms that compare the code and data with other code and data known to be malicious, or that observe, identify and predict malicious behaviour from the code and data. The process may be referred to as a "bitstream". System security unit 211 also identifies the action to be taken in response to detecting a threat in the code and data. The action may include transferring an identified notification (such as an interrupt) to an identified component and/or program. System security unit 211 may also identify the class of service or quality of service (QoS) to be allocated for monitoring the application program. The quality of service serves to establish a limit on the memory bandwidth used when monitoring the code and data. According to embodiments of the disclosure, system security unit 211 may identify this information from information provided by the user, the operating system and/or the monitored application program itself. It will be appreciated that system security unit 211 may be a program stored in memory 200 and executed by processor 210.
Programmable security unit 220 includes a security kernel management unit 221. Security kernel management unit 221 receives from system security unit 211 the information about the application programs to be monitored: the memory ranges of the code and data corresponding to the application programs to be monitored, the processes to be used in monitoring, the actions to be taken and the quality of service to be allocated for monitoring. Security kernel management unit 221 writes this information to a security kernel table 222 in programmable security unit 220, and generates a kernel for each application program identified to be monitored. Each kernel generated by security kernel management unit 221 is executed by programmable security unit 220 and serves to monitor its application program within the parameters specified by the information in security kernel table 222. As shown in this example, security kernel management unit 221 generates kernel 1 225, kernel 2 226 and kernel 3 227 to monitor three application programs executing on processor 210.
Security kernel management unit 221 also regulates the quality of service of the data flow between the kernels and memory 230. According to embodiments of the disclosure, security kernel management unit 221 controls the amount of traffic permitted between the kernels and memory 230 so as to comply with the limits recorded in kernel table 222. Security kernel management unit 221 may also control the type of traffic permitted between the kernels and memory 230, so that a kernel can only access the memory range or region associated with it as recorded in kernel table 222. Memory accesses between programmable security unit 220 and memory 230 may be carried out via a memory interface 223. Memory interface 223 routes memory access requests through processor 210 using a coherent memory channel. According to embodiments of the disclosure, the coherent memory channel may use a tunnelled memory access process. It will be appreciated that security kernel management unit 221 may be implemented by software executing on a processor, by hardware components, or by a combination of hardware and software.
Memory 230 stores code and data associated with the application programs executed by processor 210. As shown in this example, memory 230 includes three memory regions 231-233 for storing the code and data associated with the three application programs executing on processor 210. According to embodiments of the disclosure, a coherent address space in memory 230 is maintained between processor 210 and programmable security unit 220.
Fig. 3 illustrates a representation of a security kernel table 300 according to an exemplary embodiment of the disclosure. Security kernel table 300 may be used to implement the security kernel table 222 illustrated in Fig. 2. For each application program registered to be monitored by the programmable security unit, security kernel table 300 lists, in column 315, an identifier identifying the kernel for that application program. Security kernel table 300 includes a column 313 that identifies the memory range at which the code and data associated with the application program reside and at which they are to be monitored. Security kernel table 300 includes a column 314 that identifies the action to be taken or the notification to be generated when a threat is detected. Security kernel table 300 includes a column 311 that identifies the agent that receives the action or notification identified in column 314. Security kernel table 300 includes a column 312 that identifies the class of service limiting the memory bandwidth to be allocated for monitoring the application program.
For each application program to be monitored, security kernel table 300 also identifies the process or "bitstream" to be used to perform the monitoring. It will be appreciated that the process may be uploaded to the programmable security unit from a different, external component. Alternatively, the process may already be available on the programmable security unit and may be selected from a plurality of processes listed in kernel table 300. As shown in Fig. 3, a plurality of machine-learning-optimized bitstreams may be available to be chosen as the process for monitoring the code and data corresponding to an application program. The list of available processes may include information such as a machine status register (MSR) 321 or another mechanism that may be used to set up the bitstream, a bitstream identifier 322, a class of service 323 and metadata 324 associated with the process. As shown in this example, kernel 0 is shown using bitstream 0, kernel 1 is shown using bitstream 1, and kernel 2 is shown using ML bitstream 0. It will be appreciated that security kernel table 300 may list other information and may be formatted or arranged in a manner different from that shown in Fig. 3.
Fig. 4 is a flow chart illustrating a method for managing a system security unit according to an exemplary embodiment of the disclosure. The method described may be performed by a system security unit implemented by a processor. At 401, registration information is identified for an application program to be monitored. According to embodiments of the disclosure, the registration information may include the memory range or region in memory at which the code and data corresponding to the application program are to be monitored. The registration information may include the process (bitstream) to be used to monitor the application program. The registration information may include the action to be taken in response to detecting a threat in the code and data, and the recipient of the action. The registration information may include the class of service or quality of service (QoS) to be allocated for monitoring the application program. The quality of service serves to establish a limit on the memory bandwidth used when monitoring the code and data. According to embodiments of the disclosure, the registration information may be identified from information provided by the user, the operating system and/or the monitored application program itself.
At 402, the registration information is transferred to the programmable security unit. According to embodiments of the disclosure, the programmable security unit resides outside the processor, on a component separate from the processor. A dedicated channel may be used to transfer the registration information to the programmable security unit. The programmable security unit may use the registration information to generate a kernel to monitor the application program.
At 403, it is determined whether the programmable security unit is requesting memory access. According to embodiments of the disclosure, a kernel executing in the programmable security unit may use the identified process, and that process requests access to a region in memory in order to monitor the code and data corresponding to the application program. The programmable security unit may request memory access using non-coherent read commands. Non-coherent memory reads allow memory access while avoiding snooping of the processor cores that are able to access that memory. If it is determined that the programmable security unit is requesting memory access, control proceeds to 404. If it is determined that the programmable security unit is not requesting memory access, control returns to 403.
At 404, the memory access is allowed. According to embodiments of the disclosure, the memory access is coordinated through the processor using a coherent memory channel. However, the memory access is performed without requiring memory coherence. This allows the programmable security unit to read data from memory without generating invalidations and without performing snoops. Consequently, the memory access does not affect memory performance for other application programs.
At 405, it is determined whether a threat has been detected. According to embodiments of the disclosure, the process used by a kernel running on the programmable security unit may detect a threat from analysis of the information obtained by the memory access. If a threat is detected, a notification is received from the programmable security unit. If a threat is detected, control proceeds to 406. If no threat is detected, control proceeds to 407.
At 406, the specified action received from the programmable security unit is performed. According to embodiments of the disclosure, the specified action may include a notification to a component or program.
At 407, it is determined whether a change has been made to a kernel. According to embodiments of the disclosure, a change to a kernel may result from updating the kernel, de-registering the kernel, or changing the registration information associated with the kernel. If it is determined that a change has been made to a kernel, control returns to 401 to identify the registration information for the kernel. If it is determined that no change has been made to a kernel, control returns to 403.
Fig. 5 is a flow chart illustrating a method for managing a security kernel management unit according to an exemplary embodiment of the disclosure. The method described may be performed by a programmable security unit residing outside the processor that executes the application programs being monitored. The security kernel management unit may be implemented by hardware components, software, or a combination of hardware and software. At 501, the security kernel table is updated. According to embodiments of the disclosure, the security kernel table may be updated whenever new registration information is received from the system security unit. The registration information may include the memory range or region in memory at which the code and data corresponding to the application program are to be monitored. The registration information may include the process (bitstream) to be used to monitor the application program. The registration information may include the action to be taken in response to detecting a threat in the code and data, and the recipient of the action. The registration information may include the class of service or quality of service (QoS) to be allocated for monitoring the application program. The quality of service serves to establish a limit on the memory bandwidth used when monitoring the code and data. According to embodiments of the disclosure, the registration information may be identified from information provided by the user, the operating system and/or the monitored application program itself.
At 502, a kernel is generated for each application program to be monitored. According to embodiments of the disclosure, a kernel is a program that runs on the programmable security unit. The kernel is generated using the registration information associated with the application program to be monitored.
At 503, it is determined whether memory access is being requested. According to embodiments of the disclosure, memory access may be requested by one or more of the kernels executing in the programmable security unit. If memory access is requested, control proceeds to 504. If memory access is not requested, control returns to 503.
At 504, it is determined whether the memory access is allowed. According to embodiments of the disclosure, the memory range associated with the memory access is compared with the memory range associated with the application program that the kernel is monitoring, in order to determine whether the memory access is allowed. The security kernel table may be accessed to look up the relevant information for the comparison. If the memory access is allowed, control proceeds to 505. If the memory access is not allowed, control returns to 503 to determine whether another memory access is requested.
At 505, it is determined whether sufficient bandwidth has been allocated for the memory access. According to embodiments of the disclosure, the bandwidth required by the memory access is compared with the limit on the memory bandwidth that is permitted to be allocated to the kernel. The security kernel table may be accessed to look up the relevant information for the comparison. If sufficient bandwidth has not been allocated, control proceeds to 506. If sufficient bandwidth has been allocated, control proceeds to 507.
At 506, the memory access is throttled. According to embodiments of the disclosure, the memory access may be throttled by dividing the memory range of the memory access request and requesting access to the divided memory ranges over a period of time. This allows the memory access to be performed within the memory bandwidth allocated for its use.
At 507, read requests are generated for the memory access. According to embodiments of the disclosure, the read requests are made using non-coherent read commands. Non-coherent read commands allow data to be obtained from memory without generating any invalidations and without performing snoops.
At 508, it is determined whether a threat has been detected. According to embodiments of the disclosure, a threat may be detected by one or more of the kernels executing in the programmable security unit. A kernel may detect a threat in response to analyzing the code and data received from the memory access. If it is determined that a threat has been detected, control proceeds to 509. If it is determined that no threat has been detected, control returns to 503.
At 509, an action is taken when a threat is detected. According to embodiments of the disclosure, the security kernel table may be consulted to identify the appropriate action to be taken in response to the detection. The action may include providing a notification to a specified program or component.
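A software model of the security kernel table of Fig. 3 and of the access-check, throttling and threat-detection steps 503 to 509 of Fig. 5, added here as an illustration; it is not code from the patent, and all class names, field names, the byte-pattern "bitstream" and the sample memory contents are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class KernelEntry:
    """One row of the security kernel table (Fig. 3). Field names are this example's own."""
    kernel_id: int          # column 315: identifier of the kernel monitoring one application
    mem_start: int          # column 313: monitored memory range [mem_start, mem_end)
    mem_end: int
    bitstream: bytes        # the process ("bitstream") the kernel runs; modelled here as a
                            # known-malicious byte pattern that the kernel compares against
    action: str             # column 314: action or notification when a threat is detected
    agent: str              # column 311: recipient of that action or notification
    bandwidth_limit: int    # column 312: class of service, modelled as bytes per time window


class SecurityKernelTable:
    """Table written by the security kernel management unit (step 501)."""

    def __init__(self) -> None:
        self._rows: Dict[int, KernelEntry] = {}

    def update(self, entry: KernelEntry) -> None:
        self._rows[entry.kernel_id] = entry

    def deregister(self, kernel_id: int) -> None:
        self._rows.pop(kernel_id, None)

    def lookup(self, kernel_id: int) -> Optional[KernelEntry]:
        return self._rows.get(kernel_id)


class SecurityKernelManager:
    """Arbitrates the memory reads that kernels on the programmable security unit issue."""

    def __init__(self, table: SecurityKernelTable) -> None:
        self.table = table

    def access_allowed(self, kernel_id: int, addr: int, length: int) -> bool:
        """Step 504: the request must lie entirely inside the kernel's registered range."""
        e = self.table.lookup(kernel_id)
        if e is None or length <= 0:
            return False
        return e.mem_start <= addr and addr + length <= e.mem_end

    def plan_reads(self, kernel_id: int, addr: int, length: int) -> List[Tuple[int, int, int]]:
        """Steps 505-507: produce (window, addr, length) non-coherent read chunks.

        A request that fits the bandwidth limit becomes a single read in window 0; a larger one
        is throttled (step 506) by splitting its range into pieces spread over later windows.
        A request outside the registered range, or with no bandwidth allocated, yields no reads."""
        if not self.access_allowed(kernel_id, addr, length):
            return []
        limit = self.table.lookup(kernel_id).bandwidth_limit
        if limit <= 0:
            return []
        chunks: List[Tuple[int, int, int]] = []
        offset = 0
        while offset < length:
            n = min(limit, length - offset)
            chunks.append((len(chunks), addr + offset, n))
            offset += n
        return chunks

    def run_kernel(self, kernel_id: int, memory: bytes, addr: int, length: int
                   ) -> Optional[Tuple[str, str]]:
        """Steps 507-509: perform the planned reads (modelled as slicing a memory snapshot),
        run the kernel's process over the gathered bytes and, on a hit, return the
        (action, agent) pair recorded in the table; None when no threat is detected."""
        e = self.table.lookup(kernel_id)
        if e is None:
            return None
        gathered = b"".join(memory[a:a + n] for _, a, n in self.plan_reads(kernel_id, addr, length))
        if e.bitstream and e.bitstream in gathered:   # the pattern may straddle two read chunks
            return (e.action, e.agent)
        return None


# Constructed sample: two applications' regions in a 16 KiB memory snapshot, and a made-up
# "known malicious" pattern placed so that it straddles two throttled read chunks.
SAMPLE_PATTERN = b"BADC0DE!"


def build_demo() -> Tuple[SecurityKernelManager, bytearray]:
    table = SecurityKernelTable()
    table.update(KernelEntry(1, 0x1000, 0x2000, SAMPLE_PATTERN, "interrupt", "os_agent", 1024))
    table.update(KernelEntry(2, 0x2000, 0x3000, SAMPLE_PATTERN, "notify", "app2", 4096))
    memory = bytearray(0x4000)
    memory[0x17FC:0x17FC + len(SAMPLE_PATTERN)] = SAMPLE_PATTERN   # inside application 1's region
    return SecurityKernelManager(table), memory


if __name__ == "__main__":
    mgr, mem = build_demo()
    print(mgr.plan_reads(1, 0x1000, 2500))          # three throttled chunks
    print(mgr.run_kernel(1, mem, 0x1000, 0x1000))   # ('interrupt', 'os_agent')
    print(mgr.run_kernel(2, mem, 0x2000, 0x1000))   # None
```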
Figs. 4 and 5 are flow charts illustrating embodiments of the disclosure. The procedures described in these figures may be performed by software executing on a processor, by hardware components, or by a combination of hardware and software. Some of the techniques illustrated may be performed sequentially, in parallel, or in an order different from that described, and the procedures described may be repeated. It should be appreciated that not all of the techniques described need to be performed, that additional techniques may be added, and that some of the techniques illustrated may be substituted with other techniques.
Fig. 6 is a block diagram of a system security unit 600 according to an exemplary embodiment of the disclosure. The system security unit 600 may be used to implement the system security unit 211 illustrated in Fig. 2. Fig. 6 illustrates modules implementing an embodiment of the system security unit 600. According to one embodiment, the modules represent software modules, and providing system security may be performed by a processor (such as the processor illustrated in Figure 1) executing a sequence of instructions represented by the modules shown in Fig. 6. Execution of the instruction sequence causes the processor to provide system security. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement embodiments of the disclosure. Thus, embodiments of the disclosure are not limited to any specific combination of hardware circuitry and software. The system security unit 600 includes a system security unit manager 610. The system security unit manager 610 is connected to the components of the system security unit 600 and transmits data between the components.
The system security unit 600 includes a registration information identifier unit 620. The registration information identifier unit 620 identifies registration information for the application program to be monitored. According to an embodiment of the present disclosure, the registration information may be identified from information provided by a user, the operating system, and/or the monitored application program itself. The registration information may include the memory range or region in memory at which the code and data corresponding to the application program are to be monitored. The registration information may include the process (bitstream) to be utilized for monitoring the application program. The registration information may include the action to be executed in response to detecting a threat in the code and data, and the recipient of the action. The registration information may include the class of service or quality of service (QoS) to be allocated for monitoring the application program. The quality of service serves to establish a limit on the memory bandwidth used when monitoring the code and data.
The system security unit 600 includes a registration information transmission unit 630. The registration information transmission unit 630 transmits the registration information to the programmable security unit, which resides outside the processor on a component separate from the processor. According to an embodiment of the present disclosure, a dedicated channel may be used to transmit the registration information to the programmable security unit.
The system security unit 600 includes a memory access unit 640. In response to determining that the programmable security unit is requesting a memory access, the memory access unit 640 coordinates the read of memory. According to an embodiment of the present disclosure, a request from the programmable security unit to access memory may be identified by receiving a non-coherent read command. A coherent memory channel may be used to perform the read of memory. The memory access may be performed without requiring memory coherence. This allows the programmable security unit to read data from memory without generating invalidations and without performing snoops. As a result, the memory access does not affect the availability of the memory to other application programs.
The system security unit 600 includes a notification unit 650. In response to determining that the programmable security unit has detected a threat from the memory access, the notification unit 650 forwards the notification from the programmable security unit to the specified component or program.
Fig. 7 is a block diagram of a security kernel management unit 700 according to an exemplary embodiment of the disclosure. The security kernel management unit 700 may be used to implement the security kernel management unit 221 illustrated in Fig. 2. Fig. 7 illustrates modules implementing an embodiment of the security kernel management unit 700. According to one embodiment, the modules represent software modules, and managing security kernels may be performed by a processor executing a sequence of instructions represented by the modules shown in Fig. 7. Execution of the instruction sequence causes the processor to manage security kernels. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement embodiments of the disclosure. Thus, embodiments of the disclosure are not limited to any specific combination of hardware circuitry and software. The security kernel management unit 700 includes a security kernel manager 710. The security kernel manager 710 is connected to the components of the security kernel management unit 700 and transmits data between the components.
The security kernel management unit 700 includes a security control unit 720. According to an embodiment of the present disclosure, whenever new registration information is received from the system security unit, the security control unit 720 updates a security kernel table. The registration information may include the memory range or region in memory at which the code and data corresponding to the application program are to be monitored. The registration information may include the process (bitstream) to be utilized for monitoring the application program. The registration information may include the action to be executed in response to detecting a threat in the code and data, and the recipient of the action. The registration information may include the class of service or quality of service (QoS) to be allocated for monitoring the application program. The security control unit 720 generates a kernel for each application program to be monitored according to the registration information associated with that application program. According to an embodiment of the present disclosure, a kernel is a program that runs in the programmable security unit.
The security kernel management unit 700 includes a quality of service (QoS) bandwidth control unit 730. According to an embodiment of the present disclosure, upon determining that a memory access is being requested, the QoS bandwidth control unit 730 determines whether the memory access is allowed for the requesting kernel by comparing the memory range associated with the memory access request with the memory range associated with the application program that the kernel is monitoring. The QoS bandwidth control unit 730 may also determine whether sufficient bandwidth has been allocated for the memory access by comparing the bandwidth required for the memory access with the memory bandwidth permitted for the kernel. The QoS bandwidth control unit 730 may throttle the memory access by dividing the memory range of the memory access request and requesting access to the divided memory ranges over a period of time. This allows the memory access to be performed within the memory bandwidth allocated for its use. According to an embodiment of the present disclosure, the QoS bandwidth control unit 730 generates the read requests for the memory access using non-coherent read commands. A non-coherent read command allows data to be obtained from memory without generating any invalidations and without performing snoops.
The security kernel management unit 700 includes an action generation unit 740. In response to a kernel detecting a threat from analyzing the content of the memory access, the action generation unit 740 may forward the action specified by the kernel or execute the action specified in the security kernel table. The action may include providing a notification to a specified program or component.
Fig. 8 illustrates an exemplary field programmable gate array (FPGA) for implementing a programmable security unit according to an exemplary embodiment of the disclosure. FPGA 900 may be used to implement the programmable security unit 220 illustrated in Fig. 2. FPGA 800 includes a plurality of logic array blocks (LABs). According to an embodiment of the present disclosure, FPGA 800 may be implemented on a single integrated circuit. Each LAB may be formed from a plurality of logic blocks, carry chains, LAB control signals, look-up table (LUT) chains, and register chain connection lines. A logic block is a small logic unit that provides an efficient implementation of user logic functions. A logic block includes one or more combinational cells, each of which has a single output and a register. According to one embodiment of the disclosure, a logic block may operate similarly to a logic element (LE), such as those found in the Stratix or Cyclone devices manufactured by Altera Corporation, now owned by Intel Corporation. LABs are grouped into rows and columns across the device 900. The columns of LABs are shown as 811-816. It is to be appreciated that a logic block may include additional or alternative components.
FPGA 800 includes memory blocks. The memory blocks may be, for example, dual-port random access memory (RAM) blocks that provide dedicated true dual-port, simple dual-port, or single-port memory at up to various frequencies and up to various bit widths. The memory blocks may be grouped into columns across the device among selected LABs, or may be located individually or in pairs within FPGA 800. The columns of memory blocks are shown as 821-824.
FPGA 800 includes digital signal processing (DSP) blocks. The DSP blocks may be used to implement multipliers of various configurations with add or subtract features. The DSP blocks include shift registers, multipliers, adders, and accumulators. The DSP blocks may be grouped into columns across FPGA 800, and are shown as 831.
FPGA 800 includes a plurality of input/output elements (IOEs) 840. Each IOE feeds an I/O pin (not shown) on FPGA 800. The IOEs 840 are located at the ends of the LAB rows and columns around the periphery of FPGA 800. Each IOE may include a bidirectional I/O buffer and a plurality of registers for registering input, output, and output-enable signals.
FPGA 800 may include routing resources, such as LAB local interconnect lines, row interconnect lines ("H-type lines"), and column interconnect lines ("V-type lines") (not shown), for routing signals between the components on FPGA 800.
According to an embodiment of the present disclosure, FPGA 800 may be programmed to implement the security kernel management unit, the security kernel table, and the memory interface. In particular, FPGA 800 may include an on-chip processor, or may implement a soft processor using its programmable resources, to execute one or more components of the security kernel management unit or the kernels generated by the security kernel management unit.
The following examples pertain to further embodiments. In one embodiment, a computer system includes a memory. The computer system includes a processor. The computer system includes a programmable security unit residing outside the memory and the processor, which monitors code in the memory that is executed by the processor and data in the memory that is accessed by the code.
In a further embodiment, the programmable security unit is configurable by a user to specify a process for monitoring the code and data.
In a further embodiment, the process includes a machine/deep learning process.
In a further embodiment, the programmable security unit is configurable by a user to specify a memory range in the memory for monitoring the code and data.
In a further embodiment, the programmable security unit is configurable by a user to limit the memory bandwidth used when monitoring the code and data.
In a further embodiment, the programmable security unit is configurable by a user to specify an action to execute in response to detecting a threat in the code and data.
In a further embodiment, the action includes transmitting a system interrupt to an operating system of the processor.
In a further embodiment, the action includes transmitting an interrupt to an application program associated with the code and data.
In a further embodiment, the programmable security unit accesses the memory via the processor using a tunneled memory access process.
In a further embodiment, the programmable security unit accesses the memory using non-coherent reads, without requiring invalidations or snoops.
In a further embodiment, the programmable security unit concurrently monitors code and data corresponding to a plurality of application programs.
In a further embodiment, the programmable security unit is configurable to specify, for each of the plurality of application programs, 1) a process for monitoring the code and data corresponding to the application program, 2) a memory range in the memory corresponding to the application program, 3) a limit on the memory bandwidth for monitoring the application program, and 4) an action to execute in response to detecting a threat in the code and data.
In a further embodiment, the programmable security unit is implemented by a field programmable gate array.
In another embodiment, a non-transitory computer-readable medium has a sequence of instructions, the sequence of instructions including instructions which, when executed, cause a processor to perform a method for managing a system security unit. The method includes identifying an application program to be monitored, identifying registration information associated with the application program, and registering the application program and the registration information with a programmable security unit residing outside the processor executing the application program.
In a further embodiment, identifying the registration information associated with the application program includes identifying a range in memory storing code and data corresponding to the application program.
In a further embodiment, identifying the registration information associated with the application program includes identifying a limit on the memory access bandwidth for monitoring the application program.
In a further embodiment, identifying the registration information associated with the application program includes identifying a process for monitoring the application program.
In a further embodiment, the application program to be monitored and the registration information are specified by one of a user, an operating system, and the application program.
In a further embodiment, the method further includes coordinating access by the programmable security unit to memory without requiring memory coherence.
In another embodiment, a programmable security unit includes a processor executing a kernel, the kernel monitoring code corresponding to an application program that is executed on an external processor and stored on an external memory, and monitoring data associated with the application program and stored on the external memory. The programmable security unit further includes a quality of service bandwidth control unit that controls the amount of bandwidth from the external memory used by the kernel.
In a further embodiment, the programmable security unit further includes a security control unit that generates the kernel.
In a further embodiment, the security control unit updates a security kernel table with memory range information for the code and data, an identity of a process for monitoring the code and data, and action information specifying an action to execute in response to the kernel detecting a threat in the code and data.
In a further embodiment, the programmable security unit is implemented by a field programmable logic device.
In another embodiment, a programmable security unit includes a processor component executing a kernel, the kernel monitoring code corresponding to an application program that is executed on an external processor and stored on an external memory, and monitoring data associated with the application program and stored on the external memory. The programmable security unit further includes a quality of service bandwidth control component that controls the amount of bandwidth from the external memory used by the kernel.
In a further embodiment, the programmable security unit further includes a security control component that generates the kernel.
In another embodiment, a method for managing a system security unit includes identifying an application program to be monitored, identifying registration information associated with the application program, and registering the application program and the registration information with a programmable security unit residing outside the processor executing the application program.
In a further embodiment, identifying the registration information associated with the application program includes identifying a range in memory storing code and data corresponding to the application program.
In a further embodiment, identifying the registration information associated with the application program includes identifying a limit on the memory access bandwidth for monitoring the application program.
In a further embodiment, identifying the registration information associated with the application program includes identifying a process for monitoring the application program.
In a further embodiment, the application program to be monitored and the registration information are specified by one of a user, an operating system, and the application program.
In a further embodiment, the method further includes coordinating access by the programmable security unit to memory without requiring memory coherence.
In a further embodiment, a non-transitory computer-readable medium has a sequence of instructions, the sequence including instructions which, when executed, cause a processor to perform the method of any of the preceding embodiments.
Embodiments of the disclosure may be provided as a computer program product or software, which may include a machine-accessible or machine-readable medium having instructions stored thereon. The instructions on the machine-accessible or machine-readable medium may be used to program a computer system or other electronic device. The machine-readable medium may include, but is not limited to, floppy disks, optical disks, CD-ROMs, and magneto-optical disks, or other types of media/machine-readable media suitable for storing or transmitting electronic instructions. The techniques described herein are not limited to any particular software configuration. They may find applicability in any computing or processing environment. The terms "machine-accessible medium" and "machine-readable medium" as used herein shall include any medium that is capable of storing or encoding a sequence of instructions for execution by a machine and that causes the machine to perform any one of the methods described herein. Furthermore, it is common in the art to speak of software, in one form or another (e.g., code, program, process, routine, application program, module, unit, logic, block, etc.), as taking an action or causing a result. Such expressions are merely a shorthand way of stating that the execution of the software by a processing system causes the processor to perform an action to produce a result.
In the foregoing specification, embodiments of the disclosure have been described with reference to specific exemplary embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the embodiments of the disclosure. Furthermore, it will be appreciated that the details in the examples presented may be used anywhere in one or more of the disclosed embodiments.
Claims (25)
1. A computer system comprising:
a memory;
a processor; and
a programmable security unit residing outside the memory and the processor, which monitors code in the memory executed by the processor and data in the memory accessed by the code.
2. The computer system according to claim 1, wherein the programmable security unit is configurable by a user to specify a process for monitoring the code and data.
3. The computer system according to claim 2, wherein the process includes a machine/deep learning process.
4. The computer system according to claim 1, wherein the programmable security unit is configurable by a user to specify a memory range in the memory for monitoring the code and data.
5. The computer system according to claim 1, wherein the programmable security unit is configurable by a user to limit the memory bandwidth used when monitoring the code and data.
6. The computer system according to claim 1, wherein the programmable security unit is configurable by a user to specify an action to execute in response to detecting a threat in the code and data.
7. The computer system according to claim 6, wherein the action includes transmitting a system interrupt to an operating system of the processor.
8. The computer system according to claim 6, wherein the action includes transmitting an interrupt to an application program associated with the code and data.
9. The computer system according to claim 1, wherein the programmable security unit accesses the memory via the processor using a tunneled memory access process.
10. The computer system according to claim 9, wherein the programmable security unit accesses the memory using non-coherent reads, without requiring invalidations or snoops.
11. The computer system according to claim 1, wherein the programmable security unit concurrently monitors code and data corresponding to a plurality of application programs.
12. The computer system according to claim 11, wherein the programmable security unit is configurable to specify, for each of the plurality of application programs, 1) a process for monitoring the code and data corresponding to the application program, 2) a memory range in the memory corresponding to the application program, 3) a limit on the memory bandwidth for monitoring the application program, and 4) an action to execute in response to detecting a threat in the code and data.
13. The computer system according to claim 1, wherein the programmable security unit is implemented by a field programmable gate array.
14. A non-transitory computer-readable medium having a sequence of instructions, the sequence of instructions including instructions which, when executed, cause a processor to perform a method for managing a system security unit, the method comprising:
identifying an application program to be monitored;
identifying registration information associated with the application program; and
registering the application program and the registration information with a programmable security unit residing outside the processor executing the application program.
15. The non-transitory computer-readable medium according to claim 14, wherein identifying the registration information associated with the application program includes identifying a range in memory storing code and data corresponding to the application program.
16. The non-transitory computer-readable medium according to claim 14, wherein identifying the registration information associated with the application program includes identifying a limit on the memory access bandwidth for monitoring the application program.
17. The non-transitory computer-readable medium according to claim 14, wherein identifying the registration information associated with the application program includes identifying a process for monitoring the application program.
18. The non-transitory computer-readable medium according to claim 14, wherein the application program to be monitored and the registration information are specified by one of a user, an operating system, and the application program.
19. The non-transitory computer-readable medium according to claim 14, further comprising coordinating access by the programmable security unit to memory without requiring memory coherence.
20. A programmable security unit comprising:
a processor executing a kernel, the kernel monitoring code corresponding to an application program executed on an external processor and stored on an external memory, and monitoring data associated with the application program and stored on the external memory; and
a quality of service bandwidth control unit that controls the amount of bandwidth from the external memory used by the kernel.
21. The programmable security unit according to claim 20, further comprising a security control unit that generates the kernel.
22. The programmable security unit according to claim 21, wherein the security control unit updates a security kernel table with memory range information for the code and data, an identity of a process for monitoring the code and data, and action information specifying an action to execute in response to the kernel detecting a threat in the code and data.
23. The programmable security unit according to claim 20, wherein the programmable security unit is implemented by a field programmable logic device.
24. A programmable security unit comprising:
a processor component executing a kernel, the kernel monitoring code corresponding to an application program executed on an external processor and stored on an external memory, and monitoring data associated with the application program and stored on the external memory; and
a quality of service bandwidth control component that controls the amount of bandwidth from the external memory used by the kernel.
25. The programmable security unit according to claim 20, further comprising a security control component that generates the kernel.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2016/053349 WO2018056997A1 (en) | 2016-09-23 | 2016-09-23 | Method and apparatus for implementing a programmable security unit for a computer system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109564605A true CN109564605A (en) | 2019-04-02 |
Family
ID=61689683
Country Status (4)
Country | Link |
---|---|
JP (1) | JP2019530066A (en) |
CN (1) | CN109564605A (en) |
DE (1) | DE112016007258T5 (en) |
WO (1) | WO2018056997A1 (en) |
Also Published As
Publication number | Publication date |
---|---|
WO2018056997A1 (en) | 2018-03-29 |
JP2019530066A (en) | 2019-10-17 |
DE112016007258T5 (en) | 2019-06-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20190402 |