公开(公告)号：US20170374040A1

公开(公告)日：2017-12-28

申请号：US15701148

申请日：2017-09-11

Applicant: HUAWEI TECHNOLOGIES CO.,LTD.

Inventor： Zhichao Hua ,  Yubin Xia ,  Haibo Chen

IPC: H04L29/06 ,  G06F21/42 ,  G06F21/33 ,  H04L9/32 ,  H04L9/08

CPC classification number: H04L63/0435 ,  G06F21/335 ,  G06F21/42 ,  G06F2221/2113 ,  H04L9/0844 ,  H04L9/3265 ,  H04L63/0471 ,  H04L63/0485 ,  H04L63/0823 ,  H04L63/0884 ,  H04L63/168 ,  H04L2463/062

Abstract: A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.

公开(公告)号：US09762555B2

公开(公告)日：2017-09-12

申请号：US14808332

申请日：2015-07-24

Applicant: Huawei Technologies Co., Ltd.

Inventor： Zhichao Hua ,  Yubin Xia ,  Haibo Chen

IPC: H04L29/06 ,  G06F21/33 ,  G06F21/42 ,  H04L9/32 ,  H04L9/08

CPC classification number: H04L63/0435 ,  G06F21/335 ,  G06F21/42 ,  G06F2221/2113 ,  H04L9/0844 ,  H04L9/3265 ,  H04L63/0471 ,  H04L63/0485 ,  H04L63/0823 ,  H04L63/0884 ,  H04L63/168 ,  H04L2463/062

Abstract: A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.

公开(公告)号：US20160028701A1

公开(公告)日：2016-01-28

申请号：US14808332

申请日：2015-07-24

Applicant: Huawei Technologies Co., Ltd.

Inventor： Zhichao Hua ,  Yubin Xia ,  Haibo Chen

IPC: H04L29/06

CPC classification number: H04L63/0435 ,  G06F21/335 ,  G06F21/42 ,  G06F2221/2113 ,  H04L9/0844 ,  H04L9/3265 ,  H04L63/0471 ,  H04L63/0485 ,  H04L63/0823 ,  H04L63/0884 ,  H04L63/168 ,  H04L2463/062

Abstract: A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.

Abstract translation: 一种数据处理方法和装置，其中所述方法包括获取在不可信执行域中运行的目标应用发送的第一网络数据分组，其中所述第一网络数据分组包括第一标识符; 在可信执行域中获取对应于所述第一标识符的第一数据; 在可信执行域中根据第一数据和第一网络数据分组生成第二网络数据分组; 通过使用第一会话密钥来获取加密的第二网络数据分组，在所述可信执行域中对所述第二网络数据分组进行加密; 并将加密的第二网络数据分组发送到目标服务器。 本发明实施例中的数据处理方法和装置可以有效地防止攻击者窃取数据。

公开(公告)号：US11436155B2

公开(公告)日：2022-09-06

申请号：US17038613

申请日：2020-09-30

Applicant: Huawei Technologies Co., Ltd.

Inventor： Yubin Xia ,  Zhichao Hua ,  Zhengde Zhai

IPC: G06F12/00 ,  G06F12/1009 ,  G06F9/455 ,  G06F12/0808 ,  G06F12/0811 ,  G06F12/0873

Abstract: A method and an apparatus for enhancing isolation of user space from kernel space, to divide an extended page table into a kernel-mode extended page table and a user-mode extended page table, such that user-mode code cannot access some or all content in the kernel space, and/or kernel-mode code cannot access some content in the user space, thereby enhancing isolation of the user space from the kernel space and preventing content leakage of the kernel space.

公开(公告)号：US10243933B2

公开(公告)日：2019-03-26

申请号：US15701148

申请日：2017-09-11

Applicant: HUAWEI TECHNOLOGIES CO., LTD.

Inventor： Zhichao Hua ,  Yubin Xia ,  Haibo Chen

IPC: H04L29/06 ,  G06F21/33 ,  G06F21/42 ,  H04L9/32 ,  H04L9/08

Abstract: A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.

公开(公告)号：US11321452B2

公开(公告)日：2022-05-03

申请号：US16043124

申请日：2018-07-23

Applicant: HUAWEI TECHNOLOGIES CO., LTD.

Inventor： Zhichao Hua ,  Yubin Xia ,  Haibo Chen

IPC: G06F21/53 ,  G06F9/455 ,  G06F9/50 ,  G06F12/109 ,  G06F12/14 ,  G06F9/48 ,  G06F21/62

Abstract: The present disclosure provides an execution environment virtualization method. The method includes: creating an ordinary virtual machine and a trusted virtual machine for a user in the ordinary execution environment, where the ordinary virtual machine executes an ordinary application of the user, and the trusted virtual machine executes a security application of the user; allocating memories to the ordinary virtual machine and the trusted virtual machine; establishing a mapping relationship between an ordinary memory of the ordinary virtual machine and a physical memory, to obtain a first memory mapping table; and establishing a mapping relationship between a virtual physical memory of the trusted virtual machine and a physical memory, to obtain a second memory mapping table. Therefore, the ordinary application and the security application run in execution environments independent of each other, thereby ensuring data security of the user.

公开(公告)号：US20210011856A1

公开(公告)日：2021-01-14

申请号：US17038613

申请日：2020-09-30

Applicant: Huawei Technologies Co., Ltd.

Inventor： Yubin Xia ,  Zhichao Hua ,  Zhengde Zhai

IPC: G06F12/1009 ,  G06F12/0808 ,  G06F12/0873 ,  G06F12/0811 ,  G06F9/455

Abstract: A method and an apparatus for enhancing isolation of user space from kernel space, to divide an extended page table into a kernel-mode extended page table and a user-mode extended page table, such that user-mode code cannot access some or all content in the kernel space, and/or kernel-mode code cannot access some content in the user space, thereby enhancing isolation of the user space from the kernel space and preventing content leakage of the kernel space.