Journal article

A Security Construction Scheme for Trusted Execution Environment Based on Universal Hardware Platform
Abstract: Information systems of all kinds have become a cornerstone of modern society, yet they face security threats and challenges from many directions, so ensuring their safe and stable operation is especially important. A trusted execution environment (TEE) is a security mechanism that provides an isolated, protected space for critical data and code execution, thereby strengthening the security and reliability of the system. This paper designs a TEE security construction scheme based on a universal hardware platform in order to broaden the applicability and flexibility of TEEs. A security isolation scheme is designed on the basis of TrustZone and the ARM architecture: the TEE is isolated from ordinary applications and the OS, and only trusted code can execute inside it. A universal framework, Ratel-RIO, is designed for instruction-level control or mediation of binary programs inside the secure area; the framework is implemented on DynamoRIO and ported into the secure area. A TEE access control mechanism is then designed to complete the secure construction of the TEE. Test results show that, under the designed scheme, various viruses could not run in the TEE, so the experimental cloud computing platform is comprehensively protected. After adopting a policy that allows rootkits to load and execute, the scheme successfully achieved comprehensive defense against three kinds of rootkits.
Authors: 胡健 (HU Jian), 吕垚 (LV Yao), 向华伟 (XIANG Huawei), 杭菲璐 (HANG Feilu) (Information Center, China Southern Power Grid Yunnan Power Grid Co., Ltd., Kunming 650217, China)
Source: Automation & Instrumentation (《自动化与仪器仪表》), 2025, No. 7, pp. 48-51, 56 (5 pages)
Funding: Yunnan Provincial Major Science and Technology Project (202302AD080002).
Keywords: universal hardware platform; ARM architecture; ARM processor; trusted execution environment; virtual machine; security construction scheme