公开(公告)号：US20150026293A1

公开(公告)日：2015-01-22

申请号：US14318900

申请日：2014-06-30

Applicant: Huawei Technologies Co., Ltd.

Inventor： Cheng Tan ,  Xiaoxin Wu ,  Yubin Xia ,  Haibo Chen

IPC: H04L29/08

CPC classification number: H04L67/1095 ,  G06F11/1464 ,  G06F11/1484 ,  G06F21/645

Abstract: A method, an apparatus, a terminal, and a server for synchronizing a terminal mirror are provided. The method includes: obtaining, by a terminal, multiple input events during running of application software; aggregating the multiple input events to obtain an aggregate event; and transmitting the aggregate event to the server, so that after parsing the aggregate event to obtain the multiple input events, the server processes the multiple input events by using a virtual machine that is of the terminal and set on the server, so as to obtain user data generated during the running of the application software. In the present invention, the terminal transmits the input events to the server in an event-driven manner, so that the server obtains the user data that is the same as that on the terminal that runs the application software, thereby ensuring that the server can back up complete user data.

Abstract translation: 提供了一种用于同步终端镜的方法，装置，终端和服务器。 该方法包括：在运行应用软件期间，由终端获取多个输入事件; 聚合多个输入事件以获得聚合事件; 并且将聚合事件发送到服务器，使得在分析聚合事件以获得多个输入事件之后，服务器通过使用终端并设置在服务器上的虚拟机来处理多个输入事件，以便获得 在应用软件运行期间生成的用户数据。 在本发明中，终端以事件驱动的方式将输入事件发送到服务器，使得服务器获得与运行应用软件的终端上相同的用户数据，从而确保服务器可以 备份完整的用户数据。

公开(公告)号：US11321452B2

公开(公告)日：2022-05-03

申请号：US16043124

申请日：2018-07-23

Applicant: HUAWEI TECHNOLOGIES CO., LTD.

Inventor： Zhichao Hua ,  Yubin Xia ,  Haibo Chen

IPC: G06F21/53 ,  G06F9/455 ,  G06F9/50 ,  G06F12/109 ,  G06F12/14 ,  G06F9/48 ,  G06F21/62

Abstract: The present disclosure provides an execution environment virtualization method. The method includes: creating an ordinary virtual machine and a trusted virtual machine for a user in the ordinary execution environment, where the ordinary virtual machine executes an ordinary application of the user, and the trusted virtual machine executes a security application of the user; allocating memories to the ordinary virtual machine and the trusted virtual machine; establishing a mapping relationship between an ordinary memory of the ordinary virtual machine and a physical memory, to obtain a first memory mapping table; and establishing a mapping relationship between a virtual physical memory of the trusted virtual machine and a physical memory, to obtain a second memory mapping table. Therefore, the ordinary application and the security application run in execution environments independent of each other, thereby ensuring data security of the user.

公开(公告)号：US20210011856A1

公开(公告)日：2021-01-14

申请号：US17038613

申请日：2020-09-30

Applicant: Huawei Technologies Co., Ltd.

Inventor： Yubin Xia ,  Zhichao Hua ,  Zhengde Zhai

IPC: G06F12/1009 ,  G06F12/0808 ,  G06F12/0873 ,  G06F12/0811 ,  G06F9/455

Abstract: A method and an apparatus for enhancing isolation of user space from kernel space, to divide an extended page table into a kernel-mode extended page table and a user-mode extended page table, such that user-mode code cannot access some or all content in the kernel space, and/or kernel-mode code cannot access some content in the user space, thereby enhancing isolation of the user space from the kernel space and preventing content leakage of the kernel space.

公开(公告)号：US10007785B2

公开(公告)日：2018-06-26

申请号：US15199200

申请日：2016-06-30

Applicant: Huawei Technologies Co., Ltd.

Inventor： Bin Tu ,  Haibo Chen ,  Yubin Xia

IPC: G06F11/00 ,  G06F21/56 ,  G06F9/455 ,  G06F21/53

CPC classification number: G06F21/565 ,  G06F9/45558 ,  G06F21/53 ,  G06F2009/45587 ,  G06F2009/45591 ,  G06F2221/034

Abstract: The present disclosure relates to the field of information technologies and discloses a method and an apparatus for implementing virtual machine introspection. The method provided in the present disclosure may further include: determining to-be-checked data in a virtual machine; starting to read the to-be-checked data, saving a copy of the read to-be-checked data, and storing a storage address of the read to-be-checked data in a hardware transactional memory, so that the hardware transactional memory is capable of monitoring the read to-be-checked data according to the storage address; when the read to-be-checked data is modified, stop reading the to-be-checked data, and delete the copy; and when reading the to-be-checked data is completed and it is not detected that the read to-be-checked data is modified, performing security check on the copy. The method can be applied to virtual machine introspection.

公开(公告)号：US20160314297A1

公开(公告)日：2016-10-27

申请号：US15199200

申请日：2016-06-30

Applicant: Huawei Technologies Co., Ltd.

Inventor： Bin Tu ,  Haibo Chen ,  Yubin Xia

IPC: G06F21/56 ,  G06F21/53 ,  G06F9/455

CPC classification number: G06F21/565 ,  G06F9/45558 ,  G06F21/53 ,  G06F2009/45587 ,  G06F2009/45591 ,  G06F2221/034

Abstract: The present disclosure relates to the field of information technologies and discloses a method and an apparatus for implementing virtual machine introspection. The method provided in the present disclosure may further include: determining to-be-checked data in a virtual machine; starting to read the to-be-checked data, saving a copy of the read to-be-checked data, and storing a storage address of the read to-be-checked data in a hardware transactional memory, so that the hardware transactional memory is capable of monitoring the read to-be-checked data according to the storage address; when the read to-be-checked data is modified, stop reading the to-be-checked data, and delete the copy; and when reading the to-be-checked data is completed and it is not detected that the read to-be-checked data is modified, performing security check on the copy. The method can be applied to virtual machine introspection.

Abstract translation: 本公开涉及信息技术领域，并且公开了一种用于实现虚拟机内省的方法和装置。 本公开中提供的方法还可以包括：确定虚拟机中的待检查数据; 开始读取待检查的数据，保存读取的被检查数据的副本，以及将读取的被检查数据的存储地址存储在硬件事务存储器中，使得硬件事务存储器 能够根据存储地址监视读取的被检查数据; 当读取的被检查数据被修改时，停止读取待检查的数据，并删除副本; 并且当读取待检查数据完成并且未检测到读取的被检查数据被修改时，对拷贝执行安全性检查。 该方法可以应用于虚拟机内省。

公开(公告)号：US11436155B2

公开(公告)日：2022-09-06

申请号：US17038613

申请日：2020-09-30

Applicant: Huawei Technologies Co., Ltd.

Inventor： Yubin Xia ,  Zhichao Hua ,  Zhengde Zhai

IPC: G06F12/00 ,  G06F12/1009 ,  G06F9/455 ,  G06F12/0808 ,  G06F12/0811 ,  G06F12/0873

Abstract: A method and an apparatus for enhancing isolation of user space from kernel space, to divide an extended page table into a kernel-mode extended page table and a user-mode extended page table, such that user-mode code cannot access some or all content in the kernel space, and/or kernel-mode code cannot access some content in the user space, thereby enhancing isolation of the user space from the kernel space and preventing content leakage of the kernel space.

公开(公告)号：US11347542B2

公开(公告)日：2022-05-31

申请号：US16549861

申请日：2019-08-23

Applicant: Huawei Technologies Co., Ltd.

Inventor： Yubin Xia ,  Yu Shen ,  Haibo Chen ,  Zhengde Zhai

IPC: G06F9/48 ,  G06F21/60 ,  G06F21/64 ,  G06F9/455 ,  H04L9/32

Abstract: The disclosure relates to the communications technologies field, and in particular, to a data migration method and apparatus, to implement data migration in an enclave page cache (EPC), to improve consistency between data of an application program before migration and that after migration. The method includes: obtaining, by a source host, a migration instruction, where the migration instruction is used to instruct to migrate a target application created with an enclave to a destination host; invoking, by the source host, a migration control thread preset in the enclave of the target application, to write running status data of the target application in an EPC into target memory of the source host, where the target memory is an area other than the EPC in memory of the source host; and sending, by the source host, the running status data of the target application in the target memory to the destination host.

公开(公告)号：US10243933B2

公开(公告)日：2019-03-26

申请号：US15701148

申请日：2017-09-11

Applicant: HUAWEI TECHNOLOGIES CO., LTD.

Inventor： Zhichao Hua ,  Yubin Xia ,  Haibo Chen

IPC: H04L29/06 ,  G06F21/33 ,  G06F21/42 ,  H04L9/32 ,  H04L9/08

Abstract: A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.

公开(公告)号：US09971623B2

公开(公告)日：2018-05-15

申请号：US14795225

申请日：2015-07-09

Applicant: Huawei Technologies Co., Ltd.

Inventor： Bin Tu ,  Haibo Chen ,  Yubin Xia

IPC: G06F9/455 ,  G06F21/53

CPC classification number: G06F9/45558 ,  G06F21/53 ,  G06F2009/45575 ,  G06F2009/45587

Abstract: An isolation method for a management virtual machine and an apparatus, which resolves problems that performance of communication between service components is deteriorated, more resources are required for running a virtual machine, and security of the service components is relatively low. The method includes: acquiring a guest identifier; searching, according to the guest identifier, the management virtual machine for a kernel virtual machine; when the kernel virtual machine is not found in the management virtual machine, creating the kernel virtual machine in the management virtual machine; dividing a service provided for a guest virtual machine by the kernel virtual machine into multiple service components; and running the multiple service components in execution environments corresponding to permission of the service components, where the kernel virtual machine includes the multiple execution environments, and the multiple execution environment have different permission.

公开(公告)号：US20170164201A1

公开(公告)日：2017-06-08

申请号：US15435507

申请日：2017-02-17

Applicant: Huawei Technologies Co., Ltd.

Inventor： Wenhao Li ,  Yubin Xia ,  Haibo Chen

IPC: H04W12/08 ,  G06F21/62 ,  G06F12/14 ,  G06F21/57 ,  G06F13/28 ,  G06F13/40

CPC classification number: H04W12/08 ,  G06F12/14 ,  G06F13/28 ,  G06F13/4022 ,  G06F21/57 ,  G06F21/606 ,  G06F21/62 ,  G06F21/74 ,  G06F21/84 ,  G06F2212/1052

Abstract: A secure interaction method includes receiving, by a processor, a secure processing request sent by an application program, where the application program operates in a normal mode, and the processor operates in the normal mode when receiving the secure processing request, switching, by the processor, from the normal mode to a secure mode according to the secure processing request, reading, by the processor operating in the secure mode, data information into a memory operating in the secure mode, where the data information is data that the processor operating in the secure mode generates after parsing the secure processing request, and controlling, by the processor operating in the secure mode, an accessed device to operate according to the data information stored in the memory operating in the secure mode.