公开(公告)号：US11765754B2

公开(公告)日：2023-09-19

申请号：US17018551

申请日：2020-09-11

Applicant: Huawei Technologies Co., Ltd.

Inventor： Fei Wang ,  Zhenning Wang ,  Haibo Chen ,  Jian Cheng ,  Hongjiang Zhao ,  Shanxi Chen

IPC: H04W72/00 ,  H04W72/52 ,  H04W72/0446 ,  H04W72/044 ,  H04W72/1263

CPC classification number: H04W72/52 ,  H04W72/0446 ,  H04W72/0466 ,  H04W72/1263

Abstract: A resource scheduling method implemented by a device, where the resource scheduling method includes determining a load characteristic of a frame drawing thread, where the frame drawing thread draws an image frame determining a target resource scheduling manner based on the load characteristic, and scheduling a resource for the frame drawing thread in the target resource scheduling manner.

公开(公告)号：US20180096162A1

公开(公告)日：2018-04-05

申请号：US15820769

申请日：2017-11-22

Applicant: HUAWEI TECHNOLOGIES CO., LTD.

Inventor： Yutao Liu ,  Yubin Xia ,  Haibo Chen

IPC: G06F21/62 ,  G06F21/52 ,  G06F21/56 ,  G06F12/1009

CPC classification number: G06F21/6218 ,  G06F12/08 ,  G06F12/1009 ,  G06F12/145 ,  G06F21/51 ,  G06F21/52 ,  G06F21/563 ,  G06F21/566 ,  G06F21/577 ,  G06F21/62 ,  G06F21/74 ,  G06F21/78 ,  G06F2212/1052 ,  G06F2212/151 ,  G06F2212/657 ,  G06F2221/034

Abstract: A data protection method includes detecting whether critical code of an application has been called, with the critical code being used to access critical data; switching from a preconfigured first extended page table (EPT) to a preconfigured second EPT according to preset trampoline code corresponding to the critical code when an operating system calls the critical code using the first EPT, wherein memory mapping relationships of the critical data and the critical code are not configured in the first EPT, the memory mapping relationships of the critical data and the critical code are configured in the second EPT, and the critical data and the critical code are separately stored in independent memory areas; and switching from the second EPT back to the first EPT according to the trampoline code after calling and executing the critical code using the second EPT.

公开(公告)号：US09762555B2

公开(公告)日：2017-09-12

申请号：US14808332

申请日：2015-07-24

Applicant: Huawei Technologies Co., Ltd.

Inventor： Zhichao Hua ,  Yubin Xia ,  Haibo Chen

IPC: H04L29/06 ,  G06F21/33 ,  G06F21/42 ,  H04L9/32 ,  H04L9/08

CPC classification number: H04L63/0435 ,  G06F21/335 ,  G06F21/42 ,  G06F2221/2113 ,  H04L9/0844 ,  H04L9/3265 ,  H04L63/0471 ,  H04L63/0485 ,  H04L63/0823 ,  H04L63/0884 ,  H04L63/168 ,  H04L2463/062

Abstract: A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.

公开(公告)号：US20160028701A1

公开(公告)日：2016-01-28

申请号：US14808332

申请日：2015-07-24

Applicant: Huawei Technologies Co., Ltd.

Inventor： Zhichao Hua ,  Yubin Xia ,  Haibo Chen

IPC: H04L29/06

CPC classification number: H04L63/0435 ,  G06F21/335 ,  G06F21/42 ,  G06F2221/2113 ,  H04L9/0844 ,  H04L9/3265 ,  H04L63/0471 ,  H04L63/0485 ,  H04L63/0823 ,  H04L63/0884 ,  H04L63/168 ,  H04L2463/062

Abstract: A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.

Abstract translation: 一种数据处理方法和装置，其中所述方法包括获取在不可信执行域中运行的目标应用发送的第一网络数据分组，其中所述第一网络数据分组包括第一标识符; 在可信执行域中获取对应于所述第一标识符的第一数据; 在可信执行域中根据第一数据和第一网络数据分组生成第二网络数据分组; 通过使用第一会话密钥来获取加密的第二网络数据分组，在所述可信执行域中对所述第二网络数据分组进行加密; 并将加密的第二网络数据分组发送到目标服务器。 本发明实施例中的数据处理方法和装置可以有效地防止攻击者窃取数据。

公开(公告)号：US20180054732A1

公开(公告)日：2018-02-22

申请号：US15795491

申请日：2017-10-27

Applicant: Huawei Technologies Co., Ltd.

Inventor： Wenhao Li ,  Yubin Xia ,  Haibo Chen

IPC: H04W12/02 ,  G06F21/53

CPC classification number: H04W12/02 ,  G06F21/53 ,  G06F2221/2149 ,  H04L63/0428 ,  H04M1/68 ,  H04W12/0013 ,  H04W12/0806

Abstract: Embodiments of the present disclosure disclose a secure communication method for a mobile terminal and a mobile terminal. The secure communication method may include: when a wireless communication connection is established between the mobile terminal and another mobile terminal, and the wireless communication connection meets a preset security processing trigger condition, prohibiting, by means of setting, a program in a common virtual kernel from accessing a shared memory between a secure virtual kernel and the common virtual kernel and accessing a peripheral that needs to be called for the wireless communication connection; performing, by using the secure virtual kernel, preset policy-based processing on communication content corresponding to the wireless communication connection; and outputting, by using the secure virtual kernel, communication content obtained by performing the preset policy-based processing.

公开(公告)号：US09785770B2

公开(公告)日：2017-10-10

申请号：US14572515

申请日：2014-12-16

Applicant: HUAWEI TECHNOLOGIES CO., LTD.

Inventor： Bin Tu ,  Haibo Chen ,  Yubin Xia

IPC: G06F21/55 ,  G06F21/56 ,  G06F9/455 ,  G06F21/53 ,  G06F21/54

CPC classification number: G06F21/554 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/54 ,  G06F21/568 ,  G06F2009/45587 ,  G06F2221/03

Abstract: The present invention discloses a method, an apparatus, and a system for triggering virtual machine introspection, so as to provide a timely and effective security check triggering mechanism. In the present invention, data that needs to be protected is determined; the data that needs to be protected is monitored; and when it is determined that the data that needs to be protected is modified, virtual machine introspection is triggered. The present invention avoids a performance loss and a security problem that are brought about by regularly starting a virtual machine introspection system to perform a security check, and therefore, the present invention is more applicable.

公开(公告)号：US20150309832A1

公开(公告)日：2015-10-29

申请号：US14795225

申请日：2015-07-09

Applicant: Huawei Technologies Co., Ltd.

Inventor： Bin Tu ,  Haibo Chen ,  Yubin Xia

IPC: G06F9/455

CPC classification number: G06F9/45558 ,  G06F21/53 ,  G06F2009/45575 ,  G06F2009/45587

Abstract: An isolation method for a management virtual machine and an apparatus, which resolves problems that performance of communication between service components is deteriorated, more resources are required for running a virtual machine, and security of the service components is relatively low. The method includes: acquiring a guest identifier; searching, according to the guest identifier, the management virtual machine for a kernel virtual machine; when the kernel virtual machine is not found in the management virtual machine, creating the kernel virtual machine in the management virtual machine; dividing a service provided for a guest virtual machine by the kernel virtual machine into multiple service components; and running the multiple service components in execution environments corresponding to permission of the service components, where the kernel virtual machine includes the multiple execution environments, and the multiple execution environment have different permission.

Abstract translation: 一种用于管理虚拟机和装置的隔离方法，其解决了服务组件之间的通信性能恶化的问题，运行虚拟机需要更多的资源，并且服务组件的安全性相对较低。 该方法包括：获取客户识别符; 根据客户标识符搜索内核虚拟机的管理虚拟机; 当在管理虚拟机中找不到内核虚拟机时，在管理虚拟机中创建内核虚拟机; 将由虚拟机提供的来宾虚拟机的服务划分为多个服务组件; 并且在执行环境中运行与服务组件的许可相对应的多个服务组件，其中内核虚拟机包括多个执行环境，并且多个执行环境具有不同的权限。

公开(公告)号：US20150026293A1

公开(公告)日：2015-01-22

申请号：US14318900

申请日：2014-06-30

Applicant: Huawei Technologies Co., Ltd.

Inventor： Cheng Tan ,  Xiaoxin Wu ,  Yubin Xia ,  Haibo Chen

IPC: H04L29/08

CPC classification number: H04L67/1095 ,  G06F11/1464 ,  G06F11/1484 ,  G06F21/645

Abstract: A method, an apparatus, a terminal, and a server for synchronizing a terminal mirror are provided. The method includes: obtaining, by a terminal, multiple input events during running of application software; aggregating the multiple input events to obtain an aggregate event; and transmitting the aggregate event to the server, so that after parsing the aggregate event to obtain the multiple input events, the server processes the multiple input events by using a virtual machine that is of the terminal and set on the server, so as to obtain user data generated during the running of the application software. In the present invention, the terminal transmits the input events to the server in an event-driven manner, so that the server obtains the user data that is the same as that on the terminal that runs the application software, thereby ensuring that the server can back up complete user data.

Abstract translation: 提供了一种用于同步终端镜的方法，装置，终端和服务器。 该方法包括：在运行应用软件期间，由终端获取多个输入事件; 聚合多个输入事件以获得聚合事件; 并且将聚合事件发送到服务器，使得在分析聚合事件以获得多个输入事件之后，服务器通过使用终端并设置在服务器上的虚拟机来处理多个输入事件，以便获得 在应用软件运行期间生成的用户数据。 在本发明中，终端以事件驱动的方式将输入事件发送到服务器，使得服务器获得与运行应用软件的终端上相同的用户数据，从而确保服务器可以 备份完整的用户数据。

公开(公告)号：US20230413304A1

公开(公告)日：2023-12-21

申请号：US18449790

申请日：2023-08-15

Applicant: Huawei Technologies Co., Ltd.

Inventor： Fei Wang ,  Zhenning Wang ,  Haibo Chen ,  Jian Cheng ,  Hongjiang Zhao ,  Shanxi Chen

IPC: H04W72/52 ,  H04W72/0446 ,  H04W72/044 ,  H04W72/1263

CPC classification number: H04W72/52 ,  H04W72/0446 ,  H04W72/0466 ,  H04W72/1263

Abstract: A resource scheduling method implemented by a device, where the resource scheduling method includes determining a load characteristic of a frame drawing thread, where the frame drawing thread draws an image frame determining a target resource scheduling manner based on the load characteristic, and scheduling a resource for the frame drawing thread in the target resource scheduling manner.

公开(公告)号：US11687645B2

公开(公告)日：2023-06-27

申请号：US16838935

申请日：2020-04-02

Applicant: HUAWEI TECHNOLOGIES CO., LTD.

Inventor： Haibo Chen ,  Nan Wang ,  Shanxi Chen ,  Miao Xie

IPC: G06F21/54 ,  G06N20/00 ,  G06F21/74 ,  G06F16/245 ,  G06F7/58 ,  G06F21/57 ,  G06Q50/26

CPC classification number: G06F21/54 ,  G06F21/74 ,  G06N20/00 ,  G06F7/582 ,  G06F7/588 ,  G06F16/245 ,  G06F21/577 ,  G06F2221/033 ,  G06F2221/2101 ,  G06Q50/265

Abstract: A security control method and a computer system are provided. A first domain and a second domain are deployed in the computer system, the second domain is more secure than the first domain, a program is deployed in the first domain, and a control flow management module and an audit module are deployed in the second domain. The second domain is more secure than the first domain. When the program in the first domain is executed, the control flow management module obtains control flow information by using a tracer. The audit module audits the to-be-audited information according to an audit rule, and when the to-be-audited information matches the audit rule, determines that the audit succeeds and then allows the first domain to perform a subsequent operation, for example, to access a secure program in the second domain.