-
公开(公告)号:US11321452B2
公开(公告)日:2022-05-03
申请号:US16043124
申请日:2018-07-23
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Zhichao Hua , Yubin Xia , Haibo Chen
Abstract: The present disclosure provides an execution environment virtualization method. The method includes: creating an ordinary virtual machine and a trusted virtual machine for a user in the ordinary execution environment, where the ordinary virtual machine executes an ordinary application of the user, and the trusted virtual machine executes a security application of the user; allocating memories to the ordinary virtual machine and the trusted virtual machine; establishing a mapping relationship between an ordinary memory of the ordinary virtual machine and a physical memory, to obtain a first memory mapping table; and establishing a mapping relationship between a virtual physical memory of the trusted virtual machine and a physical memory, to obtain a second memory mapping table. Therefore, the ordinary application and the security application run in execution environments independent of each other, thereby ensuring data security of the user.
-
公开(公告)号:US10007785B2
公开(公告)日:2018-06-26
申请号:US15199200
申请日:2016-06-30
Applicant: Huawei Technologies Co., Ltd.
Inventor: Bin Tu , Haibo Chen , Yubin Xia
CPC classification number: G06F21/565 , G06F9/45558 , G06F21/53 , G06F2009/45587 , G06F2009/45591 , G06F2221/034
Abstract: The present disclosure relates to the field of information technologies and discloses a method and an apparatus for implementing virtual machine introspection. The method provided in the present disclosure may further include: determining to-be-checked data in a virtual machine; starting to read the to-be-checked data, saving a copy of the read to-be-checked data, and storing a storage address of the read to-be-checked data in a hardware transactional memory, so that the hardware transactional memory is capable of monitoring the read to-be-checked data according to the storage address; when the read to-be-checked data is modified, stop reading the to-be-checked data, and delete the copy; and when reading the to-be-checked data is completed and it is not detected that the read to-be-checked data is modified, performing security check on the copy. The method can be applied to virtual machine introspection.
-
公开(公告)号:US20160314297A1
公开(公告)日:2016-10-27
申请号:US15199200
申请日:2016-06-30
Applicant: Huawei Technologies Co., Ltd.
Inventor: Bin Tu , Haibo Chen , Yubin Xia
CPC classification number: G06F21/565 , G06F9/45558 , G06F21/53 , G06F2009/45587 , G06F2009/45591 , G06F2221/034
Abstract: The present disclosure relates to the field of information technologies and discloses a method and an apparatus for implementing virtual machine introspection. The method provided in the present disclosure may further include: determining to-be-checked data in a virtual machine; starting to read the to-be-checked data, saving a copy of the read to-be-checked data, and storing a storage address of the read to-be-checked data in a hardware transactional memory, so that the hardware transactional memory is capable of monitoring the read to-be-checked data according to the storage address; when the read to-be-checked data is modified, stop reading the to-be-checked data, and delete the copy; and when reading the to-be-checked data is completed and it is not detected that the read to-be-checked data is modified, performing security check on the copy. The method can be applied to virtual machine introspection.
Abstract translation: 本公开涉及信息技术领域,并且公开了一种用于实现虚拟机内省的方法和装置。 本公开中提供的方法还可以包括:确定虚拟机中的待检查数据; 开始读取待检查的数据,保存读取的被检查数据的副本,以及将读取的被检查数据的存储地址存储在硬件事务存储器中,使得硬件事务存储器 能够根据存储地址监视读取的被检查数据; 当读取的被检查数据被修改时,停止读取待检查的数据,并删除副本; 并且当读取待检查数据完成并且未检测到读取的被检查数据被修改时,对拷贝执行安全性检查。 该方法可以应用于虚拟机内省。
-
公开(公告)号:US11443034B2
公开(公告)日:2022-09-13
申请号:US17037093
申请日:2020-09-29
Applicant: Huawei Technologies Co., Ltd.
Inventor: Wenhao Li , Yubin Xia , Haibo Chen
Abstract: A trust zone-based operating system including a secure world subsystem that runs a trusted execution environment TEE, a TEE monitoring area, and a security switching apparatus is provided. When receiving a sensitive operation request sent by a trusted application TA in the TEE, the TEE writes a sensitive instruction identifier and an operation parameter of the sensitive operation request into a general-purpose register, and sends a switching request to the security switching apparatus. The security switching apparatus receives the switching request, and switches a running environment of the secure world subsystem from the TEE to the TEE monitoring area. The TEE monitoring area stores a sensitive instruction in the operating system. After the running environment is switched, the corresponding first sensitive instruction is called based on the first sensitive instruction identifier, and a corresponding first sensitive operation is performed by using the first sensitive instruction and the first operation parameter.
-
公开(公告)号:US10896253B2
公开(公告)日:2021-01-19
申请号:US15887468
申请日:2018-02-02
Applicant: Huawei Technologies Co., Ltd.
Inventor: Yutao Liu , Haibo Chen , Peitao Shi , Xinran Wang
Abstract: A computer processing node is described that is configured to perform a control flow integrity (CFI) method on a protected process operating on the processing node. The CFI method includes intercepting a system call originating from execution of the protected process executing in the runtime environment. A fast path operating within a kernel of the computer system accesses, from a kernel memory, a processor trace packet corresponding to the system call. The fast path attempts to establish a match between the processor trace packet and a program control flow (edge) entry within a credit-labeled control flow graph (CFG) definition having an associated credit value. The credit value represents a degree to which the program control flow is credible. Thereafter, the method further includes invoking, after the matching, a slow path for further processing of the processor trace packet if the associated credit value does not meet a specified threshold, and otherwise provide an indication to permit execution of the system call.
-
Patent Agency Ranking
公开(公告)号:US20170374040A1
公开(公告)日:2017-12-28
申请号:US15701148
申请日:2017-09-11
Applicant: HUAWEI TECHNOLOGIES CO.,LTD.
Inventor: Zhichao Hua , Yubin Xia , Haibo Chen
CPC classification number: H04L63/0435 , G06F21/335 , G06F21/42 , G06F2221/2113 , H04L9/0844 , H04L9/3265 , H04L63/0471 , H04L63/0485 , H04L63/0823 , H04L63/0884 , H04L63/168 , H04L2463/062
Abstract: A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.
-
公开(公告)号:US09832259B2
公开(公告)日:2017-11-28
申请号:US14318900
申请日:2014-06-30
Applicant: Huawei Technologies Co., Ltd.
Inventor: Cheng Tan , Xiaoxin Wu , Yubin Xia , Haibo Chen
CPC classification number: H04L67/1095 , G06F11/1464 , G06F11/1484 , G06F21/645
Abstract: A method, an apparatus, a terminal, and a server for synchronizing a terminal mirror are provided. The method includes: obtaining, by a terminal, multiple input events during running of application software; aggregating the multiple input events to obtain an aggregate event; and transmitting the aggregate event to the server, so that after parsing the aggregate event to obtain the multiple input events, the server processes the multiple input events by using a virtual machine that is of the terminal and set on the server, so as to obtain user data generated during the running of the application software. In the present invention, the terminal transmits the input events to the server in an event-driven manner, so that the server obtains the user data that is the same as that on the terminal that runs the application software, thereby ensuring that the server can back up complete user data.
-
公开(公告)号:US20250147900A1
公开(公告)日:2025-05-08
申请号:US19013391
申请日:2025-01-08
Applicant: Huawei Technologies Co., Ltd.
Inventor: Wentai Li , Jinyu Gu , Haibo Chen , Kang Sun
Abstract: A method for extending a memory isolation domain includes allocating memories of multiple isolation domains, where the multiple isolation domains are in a correspondence with N protection keys and M extended page tables. When a first application is allowed to access a memory of a first isolation domain, the method further includes determining, based on the correspondence, a first protection key and a first extended page table that correspond to the first isolation domain, where the multiple isolation domains include the first isolation domain, the N protection keys include the first protection key, and the M extended page tables include the first extended page table. The method further includes enabling access permission for the first isolation domain based on the first protection key and the first extended page table, for the first application to access the memory of the first isolation domain.
-
公开(公告)号:US11347542B2
公开(公告)日:2022-05-31
申请号:US16549861
申请日:2019-08-23
Applicant: Huawei Technologies Co., Ltd.
Inventor: Yubin Xia , Yu Shen , Haibo Chen , Zhengde Zhai
Abstract: The disclosure relates to the communications technologies field, and in particular, to a data migration method and apparatus, to implement data migration in an enclave page cache (EPC), to improve consistency between data of an application program before migration and that after migration. The method includes: obtaining, by a source host, a migration instruction, where the migration instruction is used to instruct to migrate a target application created with an enclave to a destination host; invoking, by the source host, a migration control thread preset in the enclave of the target application, to write running status data of the target application in an EPC into target memory of the source host, where the target memory is an area other than the EPC in memory of the source host; and sending, by the source host, the running status data of the target application in the target memory to the destination host.
-
公开(公告)号:US20200250302A1
公开(公告)日:2020-08-06
申请号:US16838935
申请日:2020-04-02
Applicant: HUAWEI TECHNOLOGIES CO.,LTD.
Inventor: Haibo Chen , Nan Wang , Shanxi Chen , Miao Xie
Abstract: This application provides a security control method and a computer system. A first domain and a second domain are deployed in the computer system, the second domain is more secure than the first domain, a program is deployed in the first domain, and a control flow management module and an audit module are deployed in the second domain. The second domain is more secure than the first domain. When the program in the first domain is executed, the control flow management module obtains control flow information by using a tracer. The audit module audits the to-be-audited information according to an audit rule, and when the to-be-audited information matches the audit rule, determines that the audit succeeds and then allows the first domain to perform a subsequent operation, for example, to access a secure program in the second domain.
-
-
-
-
-
-
-
-
-
Search Results
24
records
(took 0.016 seconds)
