CN110502933A - A method and system for implementing a soft-hard co-timer capable of resisting cache attacks based on flush operations - Google Patents
- Publication number: CN110502933A
- Application number: CN201910604224.6A
- Authority: CN (China)
- Prior art keywords: resolution, hardware module, timer, initialization, attack
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/75—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation
- G06F21/755—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by inhibiting the analysis of circuitry or operation with measures against power attack
- G06F21/76—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in application-specific integrated circuits [ASIC] or field-programmable devices, e.g. field-programmable gate arrays [FPGA] or programmable logic devices [PLD]
Abstract
The invention relates to a method and system for implementing a software-hardware cooperative timer that resists cache attacks based on flush operations. The system comprises an initialization software module, a hardware module and a runtime software module. In the initialization phase, the initialization software module and the hardware module cooperate to test the highest time resolution that is still within the safe range, and adjust the safe low-resolution timer in the hardware module to that resolution. In the runtime phase, the timer briefly lowers its own resolution when a flush operation occurs and restores its high resolution when no flush operation is present. Through this coordination between flush operations and timer resolution, cache attacks based on flush operations can be effectively resisted. At the same time, the optimized design ensures high security while keeping the timer's own performance loss very low, making it an efficient and secure timer implementation.
Description
Technical field
The invention belongs to the technical field of software-hardware co-design for information security, and specifically to a method and system for implementing a software-hardware cooperative timer on an ARM-FPGA embedded SoC. While ensuring high security and low performance loss, the invention resists cache attacks based on flush operations and is an efficient and secure timer implementation.
Background
In recent years, with the market's growing demand for high-performance small electronic devices, SoC (System on Chip) products have become increasingly powerful, complex and customized. Among them, the ARM-FPGA embedded SoC, which combines an ARM processor with an FPGA (Field-Programmable Gate Array), offers system architects and ARM developers a flexible platform for meeting consumers' individual requirements. This type of SoC, represented by Xilinx's Zynq series, has been widely used in drones and in high-performance embedded and Internet-of-Things devices. However, like Intel's and AMD's chips, ARM-FPGA embedded SoCs face a wide range of security threats, and microarchitectural attacks, of which cache attacks are the representative example, are a type that cannot be ignored.
Over the past ten-odd years, more and more researchers have successfully mounted microarchitectural attacks using the cache as the point of entry. Cache attacks have become a major security threat to modern processors and operating systems. Most strikingly, at the beginning of 2018 the Meltdown attack (see M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, A. Fogh, J. Horn, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, M. Hamburg. Meltdown: Reading Kernel Memory from User Space. In 27th USENIX Security Symposium, 2018) and the Spectre attack (see P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, Y. Yarom. Spectre Attacks: Exploiting Speculative Execution. In 40th IEEE Symposium on Security and Privacy, 2019) were disclosed on the Internet. They combine cache attack techniques with out-of-order execution and branch prediction, greatly extending the data-stealing capability of cache attacks. In recent years, to reduce noise and increase the resolution of cache attacks, many researchers have begun to use flush operations (cache-line cleaning operations) in cache attacks, for example Flush+Reload, Flush+Flush and Spectre attacks based on flush operations (Spectre attacks that use the Flush+Reload principle). We call this type of cache attack a "flush-based cache attack".
Most types of modern processors have ready-made instructions or cache-related control registers that can flush a cache line, which is also the most efficient way to clean a cache line. Because the cache flush operation is very useful, even indispensable, in a system, simply disabling it is not feasible. For example, DMA data transfers usually require a flush operation to ensure coherence of cached data. Another example is that symmetric multiprocessor (SMP) architectures without a hardware cache-coherence mechanism are quite likely to exist; in that situation a fast cache-line flush operation is very useful. Therefore, how to keep a fast flush operation available while avoiding the security vulnerabilities it causes has become an urgent problem for both industry and academia.
Academia and industry have already proposed many methods for detecting and defending against flush-based cache attacks. These fall into two broad categories: static code analysis/repair methods and runtime defenses. Static code analysis/repair is very effective at detecting flush-based cache attacks. However, obfuscation and packing techniques allow malicious code to evade detection by static analysis, and static code repair techniques greatly increase the system's performance loss. The other major category is runtime defense strategies. Most of the proposed runtime defenses use hardware performance counters to continuously monitor for malicious programs in real time. However, this real-time monitoring strategy often suffers from a high false-negative rate. In addition, because such a defense needs to collect a period of recorded data, it often cannot detect malicious processes quickly enough to kill them in time. Furthermore, the Flush+Flush attack, because of its particular characteristics, cannot be detected by defenses that rely on performance counters.
There is yet another runtime defense strategy: permanently reducing the resolution of the time interface. Many browser vendors and the W3C have made improvements in this area. After Oren et al. successfully carried out cache attacks in the browser (see Y. Oren, V. P. Kemerlis, S. Sethumadhavan, A. D. Keromytis. The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015), browser vendors and the W3C changed the resolution of performance.now from the nanosecond level to 5 μs or more. However, because high-resolution time is very useful to native applications, most operating system vendors have not disabled high-resolution time interfaces in user space. On Intel x86 processors the rdtsc instruction directly yields a high-resolution timestamp in user space, and systems running on ARM-FPGA embedded SoCs usually provide high-resolution APIs such as the perf_event_open system call and the POSIX function clock_gettime(). Even if the high-resolution time interface is disabled in user space, an attacker with root privileges and the physical address of the timer can still access the high-resolution timer.
Summary of the invention
The purpose of the invention is to use software-hardware co-design to build a more secure high-resolution timer on an ARM-FPGA embedded SoC. The software-hardware cooperative timer adaptively adjusts its own resolution according to whether a flush operation occurs in the system. It not only resists flush-based cache attacks launched by an attacker who has access to the timer, but also guarantees the availability of high-resolution time when no flush operation occurs.
The software-hardware cooperative timer of the invention operates in two phases, an initialization phase and a runtime phase. By functional module, it can be divided into three modules: an initialization software module, a runtime software module and a hardware module. Figure 1 shows the overall working principle of the cooperative timer. The main components of the hardware module are two timers, a safe low-resolution timer and a high-resolution timer. Depending on the phase the cooperative timer is in, and on whether a flush operation has been invoked while the system is running, the hardware module adaptively makes one or the other timer accessible or inaccessible to the system. When a flush operation has occurred in a process, the safe low-resolution timer is accessible through the first address of the hardware module and the high-resolution timer is not; we call this the safe low-resolution state. Conversely, when no flush operation has occurred in the process, the high-resolution timer is accessible through the first address of the hardware module and the safe low-resolution timer is not; we call this the high-resolution state.
The parameters used by the hardware module of the cooperative timer are listed in Table 1:
Table 1: Parameters of the hardware module and their explanation
The hardware module and the software modules communicate and cooperate through signals; the signals and their explanation are listed in Table 2:
Table 2: Signals between the software modules and the hardware module, and their explanation
During the initialization phase the safe low-resolution timer of the hardware module is always accessible, i.e. the high-resolution timer is always inaccessible. Using the safe low-resolution time provided by the hardware module, the initialization software module runs the selected flush-based cache attack in a loop. Depending on the result of each iteration, it sends a signal to the hardware module to adjust the resolution safe_resolution of the safe low-resolution timer. When the attack fails, the initialization software module sends a raise-resolution signal to the hardware module, increasing the resolution of the safe low-resolution timer by 1 bit, i.e. safe_resolution-1. When the attack succeeds, it sends a lower-resolution signal, decreasing the resolution of the safe low-resolution timer by 1 bit, i.e. safe_resolution+1. At the same time, the initialization software module sends an initialization completion signal to the hardware module, completing the initialization phase. Once the hardware module has received the initialization completion signal, the cooperative timer enters the runtime phase.
In the runtime phase, the hardware module adaptively switches resolution according to whether a flush operation occurs in the system, in order to resist flush-based cache attacks. When a flush operation occurs, the cooperative timer switches to the safe low-resolution state, remains there for safe_time CPU clock cycles, and then returns to the high-resolution state. When no flush operation occurs, the cooperative timer stays in the high-resolution state.
Specifically, the method provided by the invention for implementing a software-hardware cooperative timer that resists flush-based cache attacks is divided into two working phases, an initialization phase and a runtime phase, in which:
(1) In the initialization phase, the initialization software module and the hardware module cooperate to test the highest time resolution within the safe range, and adjust the safe low-resolution timer in the hardware module to that resolution;
(2) In the runtime phase, the runtime software module and the hardware module adaptively switch the time resolution according to whether a system process has invoked a flush operation.
Further, the steps of the initialization phase (1) are as follows:
Step 1: Launch the selected flush-based cache attack in a loop, and adjust the safe resolution safe_resolution of the hardware module according to the result of each iteration.
Step 2: When the looped attack succeeds, the initialization software module sends an initialization completion signal to the hardware module, and the cooperative timer enters the runtime phase.
Further, in step 1, the selected flush-based cache attack operates as follows:
First: access data that is in the cache and data that is not in the cache many times, recording the time of each access, and then compute the average access time for each of the two kinds of data.
Second: compute the difference between the two average access times. When the difference is less than 1 bit, the attack is judged to have failed; when the difference is greater than or equal to 1, the attack is judged to have succeeded.
Further, in step 1, the safe resolution of the hardware module is adjusted according to the result of each iteration as follows:
When the attack fails: the initialization software module sends a raise-resolution signal to the hardware module, increasing the safe low resolution of the hardware module by 1 bit, and then restarts the attack.
When the attack succeeds: the initialization software module sends a lower-resolution signal to the hardware module, decreasing the safe resolution of the hardware module by 1 bit.
Further, in step 2, after the attack succeeds the initialization software module and the hardware module operate as follows:
First: the initialization software module sends a lower-resolution signal to the hardware module, decreasing the safe resolution of the hardware module by 1 bit.
Second: the initialization software module sends an initialization completion signal to the hardware module.
Third: the hardware module receives the initialization completion signal and authenticates it.
Fourth: once authentication passes, the hardware module accepts the initialization completion command and automatically switches to the high-resolution timer state.
Further, the steps of the runtime phase (2) are as follows:
Step 1: When a flush operation is invoked, the runtime software module sends a flush-invoked signal to the hardware module.
Step 2: On receiving the flush-invoked signal, the hardware module switches from the high-resolution timer state to the safe low-resolution timer state, i.e. the safe low-resolution timer becomes accessible at the first address.
Step 3: After remaining in the safe low-resolution timer state for a certain number of CPU clock cycles, the hardware module automatically returns to the high-resolution timer state.
Corresponding to the above method, the invention also provides a software-hardware cooperative timer system that resists flush-based cache attacks, comprising an initialization software module, a runtime software module and a hardware module; the hardware module contains a safe low-resolution timer and a high-resolution timer; in the initialization phase, the initialization software module and the hardware module cooperate to test the highest time resolution within the safe range and adjust the safe low-resolution timer in the hardware module to that resolution; in the runtime phase, the runtime software module and the hardware module adaptively switch the time resolution according to whether a system process has invoked a flush operation.
The invention also provides an ARM-FPGA embedded SoC that contains the above software-hardware cooperative timer system resisting flush-based cache attacks.
Compared with the prior art, the invention has the following beneficial effects:
First, in resisting flush-based cache attacks the invention is more secure than existing high-resolution timer designs. Because the resolution switching of the cooperative timer is implemented in hardware, an attacker cannot obtain high-resolution time even with root privileges and the actual physical address of the timer.
Second, because the cooperative timer lowers its resolution only briefly, when a flush operation occurs, the invention ensures that a cache attacker using flush operations cannot obtain the high-resolution time the attack requires, while keeping the system's high-resolution timer available for most of its running time (whenever no flush operation occurs).
Third, the invention optimizes the timer design so that, while greatly improving the security of the high-resolution timer, it adds only a tiny access delay, keeping the performance loss within an acceptable range.
Description of the drawings
Figure 1 is the overall working principle diagram of the software-hardware cooperative timer;
Figure 2 is the workflow of the initialization software module;
Figure 3 is the workflow of the runtime software module;
Figure 4 is the workflow of the hardware module;
Figure 5 compares Flush+Reload attack results: (a) is the result of a Flush+Reload attack using the global timer, (b) the result using PMCCNTR (the performance monitor cycle count register), and (c) the result using the software-hardware cooperative timer of the invention;
Figure 6 shows the relationship between the success rate of a flush-based Spectre attack and the safe resolution safe_resolution of the cooperative timer;
Figure 7 compares the time consumption of the modified flush operation with that of the original flush operation.
Detailed description of the embodiments:
The invention is further described below with reference to the accompanying drawings.
The invention comprises two software modules and one hardware module: the initialization software module, the runtime software module and the hardware module.
Figure 2 is the workflow of the initialization software module of the invention. Its operating steps are described in detail below:
Step 1: Access data that is in the cache and data that is not in the cache 100 times each, recording each access time with the safe low-resolution time provided by the cooperative timer, and then compute the average access time T1 of the in-cache data and the average access time T2 of the data not in the cache.
Step 2: When the difference between T1 and T2 is less than 1 bit, the attack is judged to have failed; the initialization software module sends a raise-resolution signal to the hardware module, increasing the hardware module's safe low resolution by 1 bit, and the procedure restarts from step 1. When the difference between T1 and T2 is greater than or equal to 1 bit, the attack is judged to have succeeded; the initialization software module sends a lower-resolution signal to the hardware module, decreasing the hardware module's safe resolution by 1 bit.
Step 3: After the attack has succeeded and the lower-resolution signal has been sent, the initialization software module sends an initialization completion signal to the hardware module, ending the initialization phase.
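As an added illustration (not code from the patent), the following C model runs the initialization loop of steps 1 to 3 against constructed latency samples: a cache hit costs 40 to 59 cycles and a miss 400 to 419 cycles, every access is assumed to start on an aligned counter value, and "a difference of 1 bit" is read as one unit of the timer's least significant visible bit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the initialization phase. The hardware module is a cycle
 * counter exposed with its low safe_resolution bits cleared; safe_resolution is
 * the index of the least significant visible bit (16 after power-on, as the page
 * states). The latency values are constructed sample data, not measurements. */

#define NUM_ACCESSES        100
#define POWER_ON_RESOLUTION 16

struct hw_model { int safe_resolution; int init_complete; };

/* "Raise resolution" signal: safe_resolution-1, never below the raw counter. */
static void hw_raise_resolution(struct hw_model *hw)
{
    if (hw->safe_resolution > 0)
        hw->safe_resolution--;
}

/* "Lower resolution" signal: safe_resolution+1. */
static void hw_lower_resolution(struct hw_model *hw) { hw->safe_resolution++; }

/* Safe low-resolution read: bits below safe_resolution are cleared. */
static uint64_t safe_read(uint64_t cycles, int safe_resolution)
{
    return (cycles >> safe_resolution) << safe_resolution;
}

/* Mean of NUM_ACCESSES timed accesses as seen through the safe timer. Each access
 * is assumed to begin on an aligned counter value, so the measured duration is
 * simply the latency truncated to the visible resolution. */
static double mean_measured(const uint64_t *latency, int safe_resolution)
{
    uint64_t sum = 0;
    for (size_t i = 0; i < NUM_ACCESSES; i++)
        sum += safe_read(latency[i], safe_resolution);
    return (double)sum / NUM_ACCESSES;
}

/* Step 2 of the page: the probe "succeeds" (hits and misses are distinguishable)
 * when the two averages differ by at least one unit of the visible LSB. */
static int attack_succeeds(const uint64_t *cached, const uint64_t *uncached,
                           int safe_resolution)
{
    double t1 = mean_measured(cached, safe_resolution);
    double t2 = mean_measured(uncached, safe_resolution);
    return (t2 - t1) >= (double)((uint64_t)1 << safe_resolution);
}

/* Initialization software module: raise the resolution one bit at a time while
 * the probe fails; on the first success back off one bit and signal completion.
 * Returns the final safe_resolution. */
static int calibrate(struct hw_model *hw, const uint64_t *cached,
                     const uint64_t *uncached)
{
    hw->safe_resolution = POWER_ON_RESOLUTION;
    hw->init_complete = 0;
    while (!attack_succeeds(cached, uncached, hw->safe_resolution)) {
        if (hw->safe_resolution == 0)
            break;                     /* nothing finer left to try */
        hw_raise_resolution(hw);
    }
    hw_lower_resolution(hw);           /* steps 2/3: one bit coarser than the success */
    hw->init_complete = 1;             /* initialization completion signal */
    return hw->safe_resolution;
}

/* Constructed sample latencies (cycles): hits 40..59, misses 400..419. */
static void fill_samples(uint64_t *cached, uint64_t *uncached)
{
    for (size_t i = 0; i < NUM_ACCESSES; i++) {
        cached[i]   = 40  + (i % 20);
        uncached[i] = 400 + (i % 20);
    }
}

/* Runs the calibration on the constructed samples. Hits and misses first fall
 * into different 256-cycle buckets at safe_resolution=8, so the result is 9. */
static int run_calibration_demo(void)
{
    uint64_t cached[NUM_ACCESSES], uncached[NUM_ACCESSES];
    struct hw_model hw;
    fill_samples(cached, uncached);
    return calibrate(&hw, cached, uncached);
}

int main(void)
{
    printf("final safe_resolution = %d\n", run_calibration_demo());
    return 0;
}
```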
Figure 3 is the detailed workflow of the hardware module of the invention. The operating steps of the hardware part are described in detail below:
Step 1: Until it receives the initialization completion signal, the hardware module remains in the safe low-resolution state, with the safe low-resolution timer accessible at the first address. After power-on, the safe resolution of the safe low-resolution timer is safe_resolution=16, i.e. the least significant bit is bit 16. At this point the resolution of the hardware module is in an absolutely safe range.
Step 2: The hardware module receives 32-bit signals from the two software modules; the first 8 bits of a signal carry its content and the remaining 24 bits are an authentication code.
Step 3: Authenticate the 24-bit authentication code. If authentication fails, do nothing, i.e. ignore the content carried in the first 8 bits of the signal. If authentication succeeds, read the content of the first 8 bits.
Step 4: Depending on the content of the first 8 bits, the hardware module performs different functions. When the content is lower-resolution, the hardware module decreases the resolution of the safe low-resolution timer by 1 bit; when the content is raise-resolution, it increases the resolution of the safe low-resolution timer by 1 bit; when the content is initialization-complete, it makes the high-resolution timer visible to the system, i.e. accessible at the first address; when the content is flush-invoked, it switches to the safe low-resolution timer state and, after safe_time CPU clock cycles, restores the high-resolution timer state.
Fig. 4 shows the workflow of the runtime software module of the present invention, whose main task is the flush operation, i.e. clearing the data of the corresponding L1 and L2 cache lines. The operation steps of the runtime software module are described in detail below:
Step 1: Disable IRQ and FIQ interrupts: set bits 7 and 8 of the CPSR (program status register) to 1 to mask IRQ and FIQ.
Step 2: Clean the corresponding L1 cache line: first set bits 2, 3 and 4 of CSSELR (cache size selection register) to 0 to select the L1 cache; then write the virtual address to DCCIMVAC (data cache clean and invalidate by MVA) to clean and invalidate the corresponding L1 cache line.
Step 3: Convert the virtual address to a physical address with virt_to_phys().
Step 4: Clean the corresponding L2 cache line: first write 3 to Register 15 (debug control register) of the PL310 controller; then write the physical address to Register 7 (clean cache line by PA) of the PL310 to clear the L2 cache line; finally write 0 to Register 15 of the PL310 controller to re-enable the cache's write-back mode and linefills (cache line fills).
Step 5: Re-enable IRQ and FIQ interrupts: clear bits 7 and 8 of the CPSR (program status register) to 0 so that IRQ and FIQ are unmasked again.
Step 6: Send a flush-called signal to the hardware module: at the end of every flush operation, a flush-called signal is sent to the hardware module to trigger its resolution switch.
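The initialization procedure (Steps 1-3 above), the hardware module's signal handling (Steps 2-4 of Fig. 3) and the flush-called signal of runtime Step 6, modelled as one added C example that is not the patent's own code. The 8-bit content codes, the authentication scheme (a fixed 24-bit code compared for equality), the constructed access latencies standing in for real measurements and the 1-based bit numbering are all assumptions, since the text fixes none of them.

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical 8-bit content codes (the patent does not give the encoding). */
enum { SIG_LOWER_RES = 1, SIG_RAISE_RES = 2, SIG_INIT_DONE = 3, SIG_FLUSH_CALLED = 4 };
#define AUTH_CODE 0x5A5A5Au  /* constructed 24-bit authentication code */
#define SAFE_TIME 64u        /* constructed safe_time in CPU clock cycles */

struct hw_timer {
    unsigned safe_resolution;   /* index (from 1) of the lowest visible bit */
    bool     init_done;         /* high-resolution timer mapped at first address */
    unsigned safe_cycles_left;  /* >0: forced into safe low-res state by a flush */
};
#define HW_POWER_ON {16, false, 0}   /* safe_resolution=16 at power-on */

/* A signal is 8 bits of content followed by a 24-bit authentication code. */
static uint32_t make_signal(uint8_t content, uint32_t auth) {
    return ((uint32_t)content << 24) | (auth & 0xFFFFFFu);
}

/* Hardware Steps 2-4: verify the authentication code, then act on the content. */
static void hw_receive(struct hw_timer *hw, uint32_t signal) {
    if ((signal & 0xFFFFFFu) != AUTH_CODE) return;   /* bad code: ignore content */
    switch (signal >> 24) {
    case SIG_LOWER_RES:    hw->safe_resolution++; break; /* one bit coarser */
    case SIG_RAISE_RES:    hw->safe_resolution--; break; /* one bit finer */
    case SIG_INIT_DONE:    hw->init_done = true;  break;
    case SIG_FLUSH_CALLED: hw->safe_cycles_left = SAFE_TIME; break;
    default: break;
    }
}

/* One CPU clock cycle elapses. */
static void hw_tick(struct hw_timer *hw) {
    if (hw->safe_cycles_left) hw->safe_cycles_left--;
}

/* Timer value visible at the first address for a raw cycle count. */
static uint32_t hw_read(const struct hw_timer *hw, uint32_t cycles) {
    if (hw->init_done && hw->safe_cycles_left == 0) return cycles;  /* high-res */
    return cycles >> (hw->safe_resolution - 1);                       /* safe low-res */
}

/* Constructed latencies: a cached access takes about 30 cycles, an uncached
 * one about 330, plus a small deterministic jitter instead of real noise. */
static uint32_t sample_cycles(bool cached, int i) {
    return (cached ? 30u : 330u) + (uint32_t)((i * 7) % 11);
}

/* Initialization software module, Steps 1-3: make the timer one bit finer at a
 * time until 100 cached vs 100 uncached accesses become distinguishable, then
 * back off one bit and declare initialization complete. */
static unsigned init_calibrate(struct hw_timer *hw) {
    for (;;) {
        uint32_t t1 = 0, t2 = 0;
        for (int i = 0; i < 100; i++) {
            t1 += hw_read(hw, sample_cycles(true, i));
            t2 += hw_read(hw, sample_cycles(false, i));
        }
        t1 /= 100; t2 /= 100;      /* average readings, in units of the LSB */
        if ((int)t2 - (int)t1 < 1) {
            hw_receive(hw, make_signal(SIG_RAISE_RES, AUTH_CODE));   /* attack failed */
        } else {
            hw_receive(hw, make_signal(SIG_LOWER_RES, AUTH_CODE));   /* attack succeeded */
            hw_receive(hw, make_signal(SIG_INIT_DONE, AUTH_CODE));
            return hw->safe_resolution;
        }
    }
}
```

With these constructed latencies the calibration settles at safe_resolution=10, and a flush-called signal sent afterwards (runtime Step 6) makes hw_read return the masked value for SAFE_TIME ticks before the high-resolution value is visible again.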
To demonstrate the effectiveness of the present invention against flush-based cache attacks, we first present the comparative results of Flush+Reload attacks using different timers, and then the relationship between the success rate of the flush-based Spectre attack and the safe resolution (safe_resolution) of the soft-hard co-timer.
On ARM processors, the global timer and PMCCNTR (performance monitors cycle count register) are two commonly used high-resolution timers, and high-resolution time APIs are often built on these two hardware timers. To compare the defensive effect of the soft-hard co-timer, we wrote kernel drivers implementing a high-resolution time API on the global timer, on PMCCNTR and on the soft-hard co-timer of the present invention, and ran the Flush+Reload attack with each. Fig. 5 shows the comparison of Flush+Reload attacks using the different timers. The chosen attack target is the T-table AES implementation in OpenSSL. In Fig. 5, (a) is the result of Flush+Reload using the global timer, (b) the result using PMCCNTR, and (c) the result using the soft-hard co-timer of the present invention. In all three plots the horizontal axis is the index of the cache line flushed and the vertical axis is the offset (/4) relative to the start of the Te0 table in the AES T-table implementation. For every cache-line index, 1000 encryptions were run at each offset. The shade of color represents the number of cache hits.
Since the first key byte k0 is set to 0x00, and the offsets on the vertical axis correspond to stepping the first plaintext byte from 0 to 255 in increments of 16, a successful Flush+Reload attack should show markedly more cache hits on the main diagonal than elsewhere; in other words, the main diagonal should appear as a light straight line. The three plots of Fig. 5 show that with PMCCNTR and the global timer the main diagonal is a very clear light line, so the attack succeeds, whereas with the soft-hard co-timer the color distribution along the main diagonal is close to random, so the attack fails. This comparison shows that, unlike the other two high-resolution timers, the soft-hard co-timer defends very effectively against Flush+Reload.
Fig. 6 plots the success rate of the flush-based Spectre attack against the safe resolution safe_resolution of the soft-hard co-timer. The horizontal axis is the value of safe_resolution and the vertical axis the success rate of the Spectre attack. We ported the original Spectre attack source code (see P. Kocher, J. Horn, A. Fogh, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, Y. Yarom. Spectre Attacks: Exploiting Speculative Execution. In 40th IEEE Symposium on Security and Privacy, 2019) to the ARM-FPGA embedded SoC platform and modified it slightly to attack one byte at a time; recovering the correct byte counts as a successful attack.
As Fig. 6 shows, the attack success rate decreases overall as safe_resolution increases. The leftmost value on the horizontal axis is 1, i.e. the least significant bit is bit 1; this is the high-resolution state of the soft-hard co-timer when no flush operation occurs in the system. When the value reaches 10, i.e. the least significant bit is bit 10, the success rate drops to close to 0. This is also the value at which the safe_resolution parameter ends up after initialization, marked with a red dashed line in Fig. 6. The rightmost value is 16, i.e. the least significant bit is bit 16, which is the state of safe_resolution before initialization. Fig. 6 shows clearly that the initialized soft-hard co-timer reduces the attack success rate to close to 0 and therefore effectively resists flush-based Spectre attacks.
To illustrate the performance of the present invention, we first give a comparison table of the access times of the three timers above, and then a comparison of the time consumed by the original and modified flush operations.
Table 3 below compares the average access latency of the different timers; all latencies are normalized to a 667 MHz CPU clock.
Table 3: Average access latency of different timers
Table 3 shows that the access latency of the soft-hard co-timer of the present invention is 9.5% higher than that of PMCCNTR but 5% lower than that of the global timer. That is, compared with the global timer and PMCCNTR, the access latency of the soft-hard co-timer does not increase noticeably.
Fig. 7 shows the distribution of the time consumed by the two flush operation APIs. Triangles represent the original flush API and black squares the flush API modified for the soft-hard co-timer of the present invention. Overall, the modified flush API takes 12% longer than the original. This is mainly because the flush API of the present invention performs one extra iowrite32() call to communicate with the hardware module.
Another embodiment of the present invention provides an ARM-FPGA embedded SoC containing the soft-hard co-timer system described above, which resists flush-based cache attacks. The soft-hard co-timer system comprises an initialization software module, a runtime software module and a hardware module; the hardware module contains a safe low-resolution timer and a high-resolution timer. In the initialization phase, the initialization software module and the hardware module cooperate to test for the highest time resolution that is still within the safe range and adjust the safe low-resolution timer of the hardware module to that resolution; in the runtime phase, the runtime software module and the hardware module adaptively switch the time resolution according to whether a system process has called the flush operation.
The above embodiments only illustrate the technical solution of the present invention and do not limit it. Those of ordinary skill in the art may modify or equivalently replace the technical solution of the present invention without departing from its spirit and scope; the scope of protection of the present invention is defined by the claims.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910604224.6A CN110502933B (en) | 2019-07-05 | 2019-07-05 | A soft-hard cooperative timer implementation method and system capable of resisting cache attack based on flush operation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110502933A true CN110502933A (en) | 2019-11-26 |
CN110502933B CN110502933B (en) | 2021-07-13 |