Internal isolation method for SGX security applications

Document number: 1772241   Publication date: 2019-12-03

Reading note: This technique, "Internal isolation method for SGX security applications" (面向SGX安全应用的内部隔离方法), was designed by 古金宇, 夏虞斌, 陈海波 and 臧斌宇 on 2019-08-19. Main content: the invention provides an internal isolation method for SGX security applications, which uses an internal isolation system for SGX security applications. The system can implement a configured system library that includes one or more enclaves; each enclave includes one or more threads; each thread in the enclave has a PKRU register, and the PKRU register values of the threads in an enclave differ from one another, so that each thread in the enclave can have a private address-space region that only that thread can access; the operating system that runs the enclave is treated as untrusted. The invention exploits the almost zero performance cost of MPK to partition memory regions, which not only further reduces the trusted computing base of the program inside the enclave, but also meets the security needs of current cloud-computing service applications.

1. An internal isolation method for SGX security applications, characterized in that it uses an internal isolation system for SGX security applications; the internal isolation system for SGX security applications can implement a configured system library that includes one or more enclaves;

The enclave includes one or more threads; each thread in the enclave has a PKRU register, and the PKRU register values of the threads in the enclave differ from one another, so that each thread in the enclave can have a private address-space region that can only be accessed by that thread;

The operating system that runs the enclave is treated as an untrusted operating system;

The internal isolation method for SGX security applications includes a security isolation step;

Security isolation step: a cross-thread security isolation mechanism is implemented inside the enclave using MPK technology, that is, the memory of the enclave is divided into different page groups using MPK inside the enclave, and by setting the PKRU register, different threads in the enclave are given different access rights to the corresponding memory page groups, thereby achieving cross-thread security isolation.

2. The internal isolation method for SGX security applications according to claim 1, characterized in that the internal isolation method for SGX security applications further includes a page table entry verification step;

Page table entry verification step: wait for the untrusted operating system to set up the page table entries for the enclave program and to show the content of the corresponding page table entries to the enclave program; the enclave program then verifies that the corresponding page table entries are set correctly.

3. The internal isolation method for SGX security applications according to claim 2, characterized in that the page table entry verification step includes an accessed-bit verification step and/or a dirty-bit verification step;

Accessed-bit verification step: the accessed bit in a page table entry indicates whether the page represented by that page table entry has been accessed during execution of the process; its initial value is 0; if data in the page is accessed during execution, the accessed bit is automatically set to 1 by hardware, otherwise the accessed bit retains its initial value;

Dirty-bit verification step: the dirty bit in a page table entry indicates whether the page represented by that page table entry has been modified during execution of the process; its initial value is 0; if data in the page is modified during execution, the dirty bit is automatically set to 1 by hardware, otherwise the dirty bit retains its initial value.

4. The internal isolation method for SGX security applications according to claim 1, characterized in that the internal isolation method for SGX security applications further includes an SSA structure judgment step;

SSA structure judgment step: during the check, read the SSA structure to judge whether an interrupt occurred during the check, so as to learn whether the untrusted operating system intervened in this check;

The SSA structure judgment step is executed more than once.

5. The internal isolation method for SGX security applications according to claim 1, characterized in that the internal isolation method for SGX security applications further includes an RTM protection step;

RTM protection step: the application program in the enclave uses RTM to guarantee that the page table mappings are not modified during execution by potential attackers, including the untrusted operating system;

Here, RTM declares the beginning and end of a transaction with the Xbegin and Xend instructions. If content read or modified by the transaction between Xbegin and Xend is modified by another process, this behaviour is captured by hardware and the transaction is aborted; otherwise, execution continues.

6. The internal isolation method for SGX security applications according to claim 1, characterized in that the internal isolation method for SGX security applications further includes a binary check step;

Binary check step: before the program runs, binary inspection is used to guarantee that the enclave program runs along the configured path.

7. The internal isolation method for SGX security applications according to claim 6, characterized in that the binary check step includes a WRPKRU check sub-step;

WRPKRU check sub-step: before the program runs, binary inspection is used to guarantee that, apart from the code that initializes and sets the PKRU register value of a thread, no other part contains the WRPKRU instruction or its corresponding instruction encoding.

8. The internal isolation method for SGX security applications according to claim 6, characterized in that the binary check step includes a ROP check sub-step and/or an RTM bypass check sub-step;

ROP check sub-step: before the program runs, binary inspection is used to guarantee that no control-flow-changing instructions exist between Xend and Xbegin;

RTM bypass check sub-step: before the program runs, binary inspection is used to guarantee that the binary code between Xbegin and Xend cannot be pieced together into the Xbegin or Xend instructions.

9. An internal isolation method for SGX security applications, characterized in that it uses an internal isolation system for SGX security applications; the internal isolation system for SGX security applications can implement a configured system library that includes one or more enclaves;

The enclave includes one or more threads; each thread in the enclave has a PKRU register, and the PKRU register values of the threads in the enclave differ from one another, so that each thread in the enclave can have a private address-space region that can only be accessed by that thread;

The operating system that runs the enclave is treated as an untrusted operating system;

The internal isolation method for SGX security applications includes a security isolation step;

Security isolation step: a cross-thread security isolation mechanism is implemented inside the enclave using MPK technology, that is, the memory of the enclave is divided into different page groups using MPK inside the enclave, and by setting the PKRU register, different threads in the enclave are given different access rights to the corresponding memory page groups, thereby achieving cross-thread security isolation;

The internal isolation method for SGX security applications further includes a page table entry verification step;

Page table entry verification step: wait for the untrusted operating system to set up the page table entries for the enclave program and to show the content of the corresponding page table entries to the enclave program; the enclave program then verifies that the corresponding page table entries are set correctly;

The page table entry verification step includes an accessed-bit verification step and/or a dirty-bit verification step;

Accessed-bit verification step: the accessed bit in a page table entry indicates whether the page represented by that page table entry has been accessed during execution of the process; its initial value is 0; if data in the page is accessed during execution, the accessed bit is automatically set to 1 by hardware, otherwise the accessed bit retains its initial value;

Dirty-bit verification step: the dirty bit in a page table entry indicates whether the page represented by that page table entry has been modified during execution of the process; its initial value is 0; if data in the page is modified during execution, the dirty bit is automatically set to 1 by hardware, otherwise the dirty bit retains its initial value;

The internal isolation method for SGX security applications further includes an SSA structure judgment step;

SSA structure judgment step: during the check, read the SSA structure to judge whether an interrupt occurred during the check, so as to learn whether the untrusted operating system intervened in this check;

The SSA structure judgment step is executed more than once;

The internal isolation method for SGX security applications further includes an RTM protection step;

RTM protection step: the application program in the enclave uses RTM to guarantee that the page table mappings are not modified during execution by potential attackers, including the untrusted operating system;

Here, RTM declares the beginning and end of a transaction with the Xbegin and Xend instructions. If content read or modified by the transaction between Xbegin and Xend is modified by another process, this behaviour is captured by hardware and the transaction is aborted; otherwise, execution continues;

The internal isolation method for SGX security applications further includes a binary check step;

Binary check step: before the program runs, binary inspection is used to guarantee that the enclave program runs along the configured path;

The binary check step includes a WRPKRU check sub-step;

WRPKRU check sub-step: before the program runs, binary inspection is used to guarantee that, apart from the code that initializes and sets the PKRU register value of a thread, no other part contains the WRPKRU instruction or its corresponding instruction encoding;

The binary check step includes a ROP check sub-step and/or an RTM bypass check sub-step;

ROP check sub-step: before the program runs, binary inspection is used to guarantee that no control-flow-changing instructions exist between Xend and Xbegin;

RTM bypass check sub-step: before the program runs, binary inspection is used to guarantee that the binary code between Xbegin and Xend cannot be pieced together into the Xbegin or Xend instructions.

10. A computer-readable storage medium storing a computer program, characterized in that, when the computer program is executed by a processor, it implements the steps of the internal isolation method for SGX security applications according to any one of claims 1 to 9.

Technical field

The present invention relates to the field of computer security technology, and in particular to an internal isolation method for SGX security applications.

Background art

The trusted computing base (TCB) is the set of all components that guarantee the secure operation of a computer system, including firmware, hardware, software, and so on.

Patent document CN101635016B discloses a security assurance system that connects TCB components. The system includes: an application-layer TCB component, used to enforce the security policy set by each trusted software itself; an operating-system-layer TCB component, used to enforce the security policy set by the information system; and a pipeline established between the application-layer TCB component and the operating-system-layer TCB component for trusted message transmission between trusted components. The application also discloses a security assurance method for connecting TCB components, which includes: an application-layer TCB security assurance step, used to enforce the security policy set by each trusted software itself; an operating-system-layer TCB security assurance step, used to enforce the security policy set by the information system; and a pipeline message transmission step, which establishes a pipeline between the application-layer TCB component and the operating-system-layer TCB component and carries trusted messages between trusted components.

For TCB-based prior art such as the above, once a security risk or programming error exists in the trusted computing base, the security of the whole system is endangered. Conversely, a vulnerability in a part outside the TCB does not significantly affect the whole system or the programs it runs. In most current program execution, the trusted computing base includes the CPU hardware, the BIOS/firmware, the operating system and the code of the program itself. With the continued development of hardware and software, the code size of this trusted computing base has become very large; for example, the Linux kernel has reached the order of ten million lines of code. As the amount of trusted computing base code grows, the potential program vulnerabilities and errors grow correspondingly. Once such vulnerabilities are exploited by malicious attackers, attacks on computer users' programs become possible. We are now in the era of the mobile internet and of big data, and the processing and computation of all kinds of information rely on computers. If a vulnerability in a huge trusted computing base is exploited by a malicious attacker to steal a computer user's sensitive data, such as trade secrets or health data, it will cause immeasurable loss to that user.

In view of the above problems, academia and industry have proposed many software and hardware methods for reducing the trusted computing base. Intel SGX technology is one of them. With this technology, a user-mode application can create a private memory region, called an enclave. Data in the enclave is stored in memory in encrypted form and is decrypted by the processor only when it is accessed by the process inside the enclave; the other parts outside the enclave, including the operating system with its higher privileges, cannot obtain the plaintext data. With SGX, the trusted computing base of a running enclave program includes only the Intel processor and the enclave's own code, and excludes the parts outside the enclave such as the operating system, thereby greatly reducing the trusted computing base of the program at run time.

SGX can effectively reduce the size of an application's trusted computing base and thus greatly improve the application's security. How to develop programs using the enclave abstraction that SGX provides is key. On the one hand, when the program inside the enclave needs a program outside the enclave to complete a function, operations such as entering and exiting the enclave occur, which bring a certain performance cost. On the other hand, with the rapid development of hardware, the secure memory capacity of enclaves will also increase greatly in the future. For performance reasons, putting an entire application, or even a LibOS together with the application, into the enclave may become a trend in SGX development. However, this practice increases the size of the application's trusted computing base.

Meanwhile, big data and cloud computing are in a period of rapid growth, and a great deal of data computation has to be performed in the cloud. To reduce the trusted computing base and achieve security, the applications that provide services on most cloud servers need to execute in an enclave environment. If multiple users request the same service from the cloud at the same time, the application in one enclave in the cloud may be shared by multiple users simultaneously. Since users cannot trust one another, data must not be shared between users, and isolation inside the enclave is then required. In summary, whether the goal is to reduce the enclave's trusted computing base or to meet the development needs of current big data and cloud computing, isolation inside the enclave is necessary.

If internal isolation of the enclave is implemented with software methods, such as SFI (Software-Based Fault Isolation), a very significant performance loss results; if isolation is implemented with related hardware technology, for example Intel MPK support, good results can be obtained.

Intel MPK technology can divide the pages used by a process into different memory regions, and the value of the PKRU register in the CPU specifies the access rights of the currently running process to each memory region. A process can change the access rights of different memory regions by directly modifying the PKRU register, without the expensive page table modification operations. Using Intel MPK, we can divide the memory regions of the application process in the enclave into different page groups and, by specifying the PKRU value, give different threads different access rights to different page groups at run time, so that each thread in the enclave can own a private address-space region that other threads cannot access. Unlike the usual isolation methods based on page tables, the different threads use the same page table, so thread scheduling and switching does not bring performance losses such as TLB invalidation. Therefore, using Intel MPK, enclave internal isolation can be achieved with almost zero performance sacrifice.

However, the trusted computing base of MPK technology is not compatible with that of SGX technology. In MPK, the program needs the help of the operating system to modify page table entries and divide page groups correctly, so the operating system belongs to the trusted computing base; in SGX, the operating system is untrusted. Therefore, the key is how to guarantee, before the enclave program runs, that the untrusted operating system sets the page table entries correctly for the application in the enclave, and that the related page table entries are not modified during execution of the enclave program by potential attackers, including the untrusted operating system.

Intel RTM technology is a hardware transactional memory solution. Transactional memory provides program developers with a transactional programming abstraction. With RTM, a developer can mark a critical path with two instructions, Xbegin and Xend; when this path executes, the CPU treats it as a transaction that guarantees atomicity, consistency and isolation. If data read and used during execution of a transaction is modified by another transaction, this behaviour is captured by hardware and the transaction is aborted. The present invention uses RTM to guarantee that the related page table entries are not modified during execution of the enclave program.

Summary of the invention

In view of the defects in the prior art, the object of the present invention is to provide an internal isolation method for SGX security applications.

An internal isolation method for SGX security applications provided according to the present invention uses an internal isolation system for SGX security applications; the internal isolation system for SGX security applications can implement a configured system library that includes one or more enclaves;

The enclave includes one or more threads; each thread in the enclave has a PKRU register, and the PKRU register values of the threads in the enclave differ from one another, so that each thread in the enclave can have a private address-space region that can only be accessed by that thread;

The operating system that runs the enclave is treated as an untrusted operating system;

The internal isolation method for SGX security applications includes a security isolation step;

Security isolation step: a cross-thread security isolation mechanism is implemented inside the enclave using MPK technology, that is, the memory of the enclave is divided into different page groups using MPK inside the enclave, and by setting the PKRU register, different threads in the enclave are given different access rights to the corresponding memory page groups, thereby achieving cross-thread security isolation.

Preferably, the internal isolation method for SGX security applications further includes a page table entry verification step;

Page table entry verification step: wait for the untrusted operating system to set up the page table entries for the enclave program and to show the content of the corresponding page table entries to the enclave program; the enclave program then verifies that the corresponding page table entries are set correctly.

Preferably, the page table entry verification step includes an accessed-bit verification step and/or a dirty-bit verification step;

Accessed-bit verification step: the accessed bit in a page table entry indicates whether the page represented by that page table entry has been accessed during execution of the process; its initial value is 0; if data in the page is accessed during execution, the accessed bit is automatically set to 1 by hardware, otherwise the accessed bit retains its initial value;

Dirty-bit verification step: the dirty bit in a page table entry indicates whether the page represented by that page table entry has been modified during execution of the process; its initial value is 0; if data in the page is modified during execution, the dirty bit is automatically set to 1 by hardware, otherwise the dirty bit retains its initial value.
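To make the security isolation step and the page table entry verification step concrete, the following added example (written for this page, not code from the patent) decodes an x86-64 page table entry, builds the per-thread PKRU value that leaves a thread only key 0 and its own key, and checks the entry the untrusted OS shows against the mapping the enclave requested. The accessed/dirty functions reflect my reading of how those sub-steps are used (a known access must flip the bits, or the entry shown is not the live one), and the sample entry is constructed.

```c
#include <stdbool.h>
#include <stdint.h>

/* x86-64 4 KiB page-table-entry bits (Intel SDM vol. 3, sec. 4.5). */
#define PTE_P          (1ULL << 0)   /* present */
#define PTE_RW         (1ULL << 1)   /* writable */
#define PTE_US         (1ULL << 2)   /* user-mode accessible */
#define PTE_A          (1ULL << 5)   /* accessed: set by hardware on any access */
#define PTE_D          (1ULL << 6)   /* dirty: set by hardware on a write */
#define PTE_PKEY_SHIFT 59            /* protection key lives in bits 62:59 */
#define PTE_PKEY_MASK  0xFULL
#define PTE_FRAME_MASK 0x000FFFFFFFFFF000ULL

unsigned pte_pkey(uint64_t pte)  { return (unsigned)((pte >> PTE_PKEY_SHIFT) & PTE_PKEY_MASK); }
uint64_t pte_frame(uint64_t pte) { return pte & PTE_FRAME_MASK; }

/* PKRU holds two bits per key: AD (access disable) at bit 2k and WD (write
 * disable) at bit 2k+1.  A thread's PKRU value disables every key except
 * key 0 (memory shared by the whole enclave) and the thread's own key, which
 * is what gives each thread a private page group the other threads cannot touch. */
uint32_t pkru_for_thread(unsigned own_key)
{
    uint32_t pkru = 0;
    for (unsigned k = 1; k < 16; k++) {
        if (k != own_key)
            pkru |= 3u << (2 * k);   /* AD | WD: neither read nor write */
    }
    return pkru;
}

/* Would a thread running with `pkru` be allowed to read (or write) a page
 * whose entry carries protection key `key`? */
bool pkru_allows(uint32_t pkru, unsigned key, bool write)
{
    bool ad = (pkru >> (2 * key)) & 1u;
    bool wd = (pkru >> (2 * key + 1)) & 1u;
    if (ad)
        return false;
    return !(write && wd);
}

enum pte_check { PTE_OK = 0, PTE_NOT_PRESENT, PTE_WRONG_FRAME, PTE_WRONG_KEY,
                 PTE_WRONG_PERM, PTE_ALREADY_TOUCHED /* A or D already 1 */ };

/* Page table entry verification: compare the entry the untrusted OS shows
 * the enclave with the mapping the enclave asked for.  A and D must be 0. */
enum pte_check verify_pte(uint64_t shown, uint64_t want_frame, unsigned want_key, bool want_rw)
{
    if (!(shown & PTE_P))
        return PTE_NOT_PRESENT;
    if (pte_frame(shown) != want_frame)
        return PTE_WRONG_FRAME;
    if (pte_pkey(shown) != want_key)
        return PTE_WRONG_KEY;
    if (((shown & PTE_RW) != 0) != want_rw)
        return PTE_WRONG_PERM;
    if (shown & (PTE_A | PTE_D))
        return PTE_ALREADY_TOUCHED;
    return PTE_OK;
}

/* Models what the MMU does to the live entry when the enclave touches the
 * page: a read sets A, a write sets A and D. */
uint64_t pte_after_access(uint64_t pte, bool write)
{
    pte |= PTE_A;
    if (write)
        pte |= PTE_D;
    return pte;
}

/* Accessed/dirty verification (assumed use of the two sub-steps): after the
 * enclave performs a known access and re-reads the entry, A and D must show
 * exactly that access.  If they did not move, the entry shown is not the one
 * the hardware is actually walking. */
bool ad_bits_consistent(uint64_t before, uint64_t after, bool touched, bool wrote)
{
    bool a_set = (after & PTE_A) != 0, d_set = (after & PTE_D) != 0;
    if (before & (PTE_A | PTE_D))
        return false;               /* baseline must start at 0/0 */
    if (!touched)
        return !a_set && !d_set;    /* untouched page keeps its initial values */
    return a_set && (d_set == wrote);
}

/* Constructed sample entry: frame 0x1000, present, writable, user, key 3. */
uint64_t sample_pte(void)
{
    return 0x1000ULL | PTE_P | PTE_RW | PTE_US | (3ULL << PTE_PKEY_SHIFT);
}
```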

Preferably, the internal isolation method for SGX security applications further includes an SSA structure judgment step;

SSA structure judgment step: during the check, read the SSA structure to judge whether an interrupt occurred during the check, so as to learn whether the untrusted operating system intervened in this check;

The SSA structure judgment step is executed more than once.

Preferably, the internal isolation method for SGX security applications further includes an RTM protection step;

RTM protection step: the application program in the enclave uses RTM to guarantee that the page table mappings are not modified during execution by potential attackers, including the untrusted operating system;

Here, RTM declares the beginning and end of a transaction with the Xbegin and Xend instructions. If content read or modified by the transaction between Xbegin and Xend is modified by another process, this behaviour is captured by hardware and the transaction is aborted; otherwise, execution continues.

Preferably, the internal isolation method for SGX security applications further includes a binary check step;

Binary check step: before the program runs, binary inspection is used to guarantee that the enclave program runs along the configured path.

Preferably, the binary check step includes a WRPKRU check sub-step;

WRPKRU check sub-step: before the program runs, binary inspection is used to guarantee that, apart from the code that initializes and sets the PKRU register value of a thread, no other part contains the WRPKRU instruction or its corresponding instruction encoding.

Preferably, the binary check step includes a ROP check sub-step and/or an RTM bypass check sub-step;

ROP check sub-step: before the program runs, binary inspection is used to guarantee that no control-flow-changing instructions exist between Xend and Xbegin;

RTM bypass check sub-step: before the program runs, binary inspection is used to guarantee that the binary code between Xbegin and Xend cannot be pieced together into the Xbegin or Xend instructions.
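As an added example of the WRPKRU and RTM bypass sub-steps (written for this page, not code from the patent), the scanner below searches a code buffer for the WRPKRU, XBEGIN and XEND encodings at every byte offset, so that an encoding hidden inside an immediate or straddling two instructions is found as well. The two text sections are constructed samples; the ROP sub-step is not covered because it needs a disassembler.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Encodings of the instructions the binary check looks for (Intel SDM vol. 2). */
static const uint8_t WRPKRU[] = { 0x0F, 0x01, 0xEF };
static const uint8_t XBEGIN[] = { 0xC7, 0xF8 };          /* + rel32, 6 bytes total */
static const uint8_t XEND[]   = { 0x0F, 0x01, 0xD5 };

/* Record every byte offset at which `pat` occurs, at any alignment.
 * Returns the total count even when more than `max` hits are found. */
size_t find_all(const uint8_t *buf, size_t len, const uint8_t *pat, size_t patlen,
                size_t *hits, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + patlen <= len; i++) {
        if (memcmp(buf + i, pat, patlen) == 0) {
            if (n < max)
                hits[n] = i;
            n++;
        }
    }
    return n;
}

/* WRPKRU check sub-step: the only WRPKRU encodings allowed are those at the
 * offsets of the thread-initialization code that sets PKRU (`allowed`). */
bool wrpkru_check(const uint8_t *buf, size_t len, const size_t *allowed, size_t nallowed)
{
    size_t hits[64];
    size_t n = find_all(buf, len, WRPKRU, sizeof WRPKRU, hits, 64);
    if (n > 64)
        return false;                 /* far too many: reject outright */
    for (size_t i = 0; i < n; i++) {
        bool ok = false;
        for (size_t j = 0; j < nallowed; j++)
            if (hits[i] == allowed[j])
                ok = true;
        if (!ok)
            return false;
    }
    return true;
}

/* RTM bypass check sub-step: within a transaction that starts with the XBEGIN
 * at `xbegin_off` and ends with the XEND at `xend_off`, no other byte sequence
 * may decode as XBEGIN or XEND, at any alignment. */
bool rtm_bypass_check(const uint8_t *buf, size_t len, size_t xbegin_off, size_t xend_off)
{
    size_t hits[64];
    if (xend_off + sizeof XEND > len || xbegin_off + 6 > xend_off)
        return false;
    if (memcmp(buf + xbegin_off, XBEGIN, sizeof XBEGIN) != 0)
        return false;
    if (memcmp(buf + xend_off, XEND, sizeof XEND) != 0)
        return false;
    const uint8_t *body = buf + xbegin_off + 6;               /* first byte after XBEGIN */
    size_t blen = xend_off + sizeof XEND - (xbegin_off + 6);  /* through the real XEND */
    size_t n = find_all(body, blen, XEND, sizeof XEND, hits, 64);
    if (n != 1 || hits[0] != xend_off - (xbegin_off + 6))
        return false;                 /* a stray XEND encoding would end the transaction early */
    return find_all(body, blen, XBEGIN, sizeof XBEGIN, hits, 64) == 0;
}

/* Constructed sample text sections (not from the patent).  CLEAN_TEXT: PKRU
 * initialization, then a transaction whose body is a plain store. */
static const uint8_t CLEAN_TEXT[] = {
    0x31, 0xC9, 0x31, 0xD2,                 /* xor ecx,ecx ; xor edx,edx      */
    0x0F, 0x01, 0xEF,                       /* wrpkru             (offset 4)  */
    0xC7, 0xF8, 0x05, 0x00, 0x00, 0x00,     /* xbegin -> ret      (offset 7)  */
    0x89, 0x07,                             /* mov [rdi],eax                  */
    0x0F, 0x01, 0xD5,                       /* xend               (offset 15) */
    0xC3                                    /* ret                            */
};

/* BAD_TEXT: same shape, but the transaction body loads an immediate whose
 * bytes 0F 01 D5 (offset 14) decode as XEND if control lands one byte late. */
static const uint8_t BAD_TEXT[] = {
    0x31, 0xC9, 0x31, 0xD2,
    0x0F, 0x01, 0xEF,                       /* wrpkru             (offset 4)  */
    0xC7, 0xF8, 0x08, 0x00, 0x00, 0x00,     /* xbegin -> ret      (offset 7)  */
    0xB8, 0x0F, 0x01, 0xD5, 0x00,           /* mov eax,0x00D5010F (offset 13) */
    0x0F, 0x01, 0xD5,                       /* xend               (offset 18) */
    0xC3
};
```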

An internal isolation method for SGX security applications provided according to the present invention uses an internal isolation system for SGX security applications; the internal isolation system for SGX security applications can implement a configured system library that includes one or more enclaves;

The enclave includes one or more threads; each thread in the enclave has a PKRU register, and the PKRU register values of the threads in the enclave differ from one another, so that each thread in the enclave can have a private address-space region that can only be accessed by that thread;

The operating system that runs the enclave is treated as an untrusted operating system;

The internal isolation method for SGX security applications includes a security isolation step;

Security isolation step: a cross-thread security isolation mechanism is implemented inside the enclave using MPK technology, that is, the memory of the enclave is divided into different page groups using MPK inside the enclave, and by setting the PKRU register, different threads in the enclave are given different access rights to the corresponding memory page groups, thereby achieving cross-thread security isolation;

The internal isolation method for SGX security applications further includes a page table entry verification step;

Page table entry verification step: wait for the untrusted operating system to set up the page table entries for the enclave program and to show the content of the corresponding page table entries to the enclave program; the enclave program then verifies that the corresponding page table entries are set correctly;

The page table entry verification step includes an accessed-bit verification step and/or a dirty-bit verification step;

Accessed-bit verification step: the accessed bit in a page table entry indicates whether the page represented by that page table entry has been accessed during execution of the process; its initial value is 0; if data in the page is accessed during execution, the accessed bit is automatically set to 1 by hardware, otherwise the accessed bit retains its initial value;

Dirty-bit verification step: the dirty bit in a page table entry indicates whether the page represented by that page table entry has been modified during execution of the process; its initial value is 0; if data in the page is modified during execution, the dirty bit is automatically set to 1 by hardware, otherwise the dirty bit retains its initial value;

The internal isolation method for SGX security applications further includes an SSA structure judgment step;

SSA structure judgment step: during the check, read the SSA structure to judge whether an interrupt occurred during the check, so as to learn whether the untrusted operating system intervened in this check;

The SSA structure judgment step is executed more than once;

The internal isolation method for SGX security applications further includes an RTM protection step;

RTM protection step: the application program in the enclave uses RTM to guarantee that the page table mappings are not modified during execution by potential attackers, including the untrusted operating system;

Here, RTM declares the beginning and end of a transaction with the Xbegin and Xend instructions. If content read or modified by the transaction between Xbegin and Xend is modified by another process, this behaviour is captured by hardware and the transaction is aborted; otherwise, execution continues;

The internal isolation method for SGX security applications further includes a binary check step;

Binary check step: before the program runs, binary inspection is used to guarantee that the enclave program runs along the configured path;

The binary check step includes a WRPKRU check sub-step;

WRPKRU check sub-step: before the program runs, binary inspection is used to guarantee that, apart from the code that initializes and sets the PKRU register value of a thread, no other part contains the WRPKRU instruction or its corresponding instruction encoding;

The binary check step includes a ROP check sub-step and/or an RTM bypass check sub-step;

ROP check sub-step: before the program runs, binary inspection is used to guarantee that no control-flow-changing instructions exist between Xend and Xbegin;

RTM bypass check sub-step: before the program runs, binary inspection is used to guarantee that the binary code between Xbegin and Xend cannot be pieced together into the Xbegin or Xend instructions.

According to the present invention there is also provided a computer-readable storage medium storing a computer program; when the computer program is executed by a processor, it implements the steps of the above internal isolation method for SGX security applications.

Compared with the prior art, the present invention has the following beneficial effects:

1. The internal isolation method for SGX security applications provided by the invention has the advantages of good isolation effect, high reliability and wide applicability;

2. The internal isolation method for SGX security applications provided by the invention uses the technical support of MPK and RTM, in combination with SGX technology, to propose and realize an efficient partitioning method inside the enclave;

3. The internal isolation method for SGX security applications provided by the invention exploits the almost zero performance cost of MPK to partition memory regions for the applications inside the enclave, so that a thread owns memory regions that other threads cannot access; this not only further reduces the trusted computing base of the program inside the enclave, but also meets the security needs of current cloud-computing service applications.

Brief description of the drawings

Other features, objects and advantages of the invention will become more apparent upon reading the detailed description of non-limiting embodiments with reference to the following drawings:

Fig. 1 is a schematic diagram of illegally modifying the PKRU register with the WRPKRU instruction;

Fig. 2 is the architecture diagram of the system in the embodiment of the invention;

Fig. 3 is a schematic diagram of enclave internal isolation;

Fig. 4 is a flow diagram of the enclave program in the embodiment of the invention, from creation to running.

Detailed description of the embodiments

The invention is described in detail below with reference to specific embodiments. The following embodiments will help those skilled in the art to further understand the invention, but do not limit it in any way. It should be noted that a person of ordinary skill in the art may make several changes and improvements without departing from the inventive concept, and these all fall within the scope of protection of the invention.

The abbreviations and key terms used in the invention are defined as follows:

- TCB: Trusted Computing Base;

- SGX: Software Guard Extensions, Intel's enclave technology;

- MPK: Memory Protection Keys, Intel's page-group memory protection mechanism;

- RTM: Restricted Transactional Memory, hardware transactional memory;

- SSA: State Save Area, the area in which the execution state of an enclave is saved when it is interrupted.

According to the present invention there is provided an internal isolation method for SGX security applications, which uses an internal isolation system for SGX security applications; the internal isolation system for SGX security applications implements a system library comprising one or more enclaves;

The enclave comprises one or more threads; every thread in the enclave has a PKRU register, and the PKRU register values of the threads in the enclave differ from one another, so that every thread in the enclave can have a private address-space region that only this thread can access;

The operating system on which the enclave runs is regarded as an untrusted operating system;

The internal isolation method for SGX security applications comprises a security isolation step;

Security isolation step: an inter-thread security isolation mechanism is realised inside the enclave by means of MPK technology, that is, MPK is used inside the enclave to divide the memory of the enclave into different page groups, and by setting the PKRU register the threads in the enclave are given different access permissions to the corresponding memory page groups, thereby realising security isolation between threads;

The internal isolation method for SGX security applications further comprises a page table entry verification step;

Page table entry verification step: after the untrusted operating system has set up page table entries for the enclave program, it exposes the content of the corresponding page table entries to the enclave program, and the enclave program verifies that the corresponding page table entries are set correctly;

The page table entry verification step comprises an access verification step and/or a dirty verification step;

Access verification step: the access bit in a page table entry indicates whether the page represented by that entry has been accessed during execution of the process; its initial value is 0; if the data in the page is accessed during execution, the hardware automatically sets access to 1, otherwise access keeps its initial value;

Dirty verification step: the dirty bit in a page table entry indicates whether the page represented by that entry has been modified during execution of the process; its initial value is 0; if the data in the page is modified during execution, the hardware automatically sets dirty to 1, otherwise dirty keeps its initial value;

The internal isolation method for SGX security applications further comprises an SSA structure judgment step;

SSA structure judgment step: during the check, the SSA structure is read to judge whether an interrupt occurred during the check, and hence whether the untrusted operating system intervened in the check;

The SSA structure judgment step is executed more than once;

The internal isolation method for SGX security applications further comprises an RTM protection step;

RTM protection step: the application program in the enclave uses RTM to guarantee that, during its execution, the page table mappings are not modified by a potential attacker, including the untrusted operating system;

Here the RTM technology declares the beginning and end of a transaction with the Xbegin and Xend instructions. If, between Xbegin and Xend, content that the transaction has read or modified is modified by another logical processor, the hardware detects this and aborts the transaction; otherwise execution continues;

The internal isolation method for SGX security applications further comprises a binary check step;

Binary check step: before the program runs, binary inspection guarantees that the enclave program executes along the intended paths;

The binary check step comprises a WRPKRU check sub-step;

WRPKRU check sub-step: before the program runs, binary inspection guarantees that, apart from the code that initialises the PKRU register value of a thread, no other part of the program contains a WRPKRU instruction or its instruction encoding;

The binary check step comprises an ROP check sub-step and/or an RTM bypass check sub-step;

ROP check sub-step: before the program runs, binary inspection guarantees that no instruction between Xend and Xbegin changes the program control flow;

RTM bypass check sub-step: before the program runs, binary inspection guarantees that the binary code between Xbegin and Xend cannot be pieced together into the two instructions Xbegin and Xend.

According to the present invention there is also provided a computer-readable storage medium storing a computer program which, when executed by a processor, carries out the steps of the above internal isolation method for SGX security applications.

Further, the method proposed by the invention mainly solves the following problems:

1. How to check the page table entries set up by the untrusted operating system, and how to guarantee that such a check is not intercepted and bypassed by the untrusted operating system;

2. How to guarantee that, during execution of the enclave, the relevant page table entries are not modified by a potential attacker, including the untrusted operating system.

The technical points of the invention are implemented as follows:

The invention comprises the following technical points:

1. An inter-thread security isolation mechanism is realised inside the enclave with MPK technology: MPK is used inside the enclave to divide the memory of the enclave into different page groups, and by setting the PKRU register the threads in the enclave are given different access permissions to the corresponding memory page groups, achieving isolation;

2. After the untrusted operating system has set up page table entries for the enclave program, it must expose the content of those page table entries to the enclave program, and the enclave program verifies that they are set correctly. The specific technique is as follows: the enclave program performs random reads and writes of the corresponding memory and judges from the changes of the access/dirty bits in the page table entry whether the entry is genuine;

3. To prevent the untrusted operating system from intercepting the read and write accesses of the enclave during the check and setting the access/dirty bits of a fake page table entry itself, the SSA structure is read during the check to judge whether an interrupt occurred, and hence whether the untrusted operating system intervened in the check; to prevent other untrusted threads from cooperating with the untrusted operating system to modify the corresponding page table bits during the check, the check is carried out multiple times;

4. After the page table validity check, the application program in the enclave uses RTM to guarantee that the page table mappings are not modified during its execution by a potential attacker, including the untrusted operating system;

5. Binary inspection before the program runs guarantees that the enclave program does not modify the value of the PKRU register while running, is not subject to ROP attacks, and does not bypass the protection of RTM.

The following is a supplementary explanation of the above technical points:

Since the WRPKRU instruction that modifies the PKRU register can be executed freely in user mode without triggering any interrupt or exception, an untrusted thread has the opportunity, during execution, to modify the value of PKRU by executing this instruction in the enclave program, thereby changing its access permission to the corresponding memory pages and stealing sensitive data of a trusted thread. As shown in Fig. 1, because x86 instructions are of variable length, the encoding of WRPKRU (0x0f01ef) may appear at an illegal position inside the code segment; although the CPU will not decode the surrounding bytes as a WRPKRU instruction during normal execution, an attacker may exploit a vulnerability of the program to mount an ROP attack and jump to the start of 0x0f01ef in the code segment, where the CPU interprets the bytes as a WRPKRU instruction, thereby illegally modifying the PKRU register. Therefore it must be guaranteed before the enclave program runs that, apart from the code that initialises the PKRU register value of a thread, no other part of the program contains a WRPKRU instruction or its instruction encoding (0x0f01ef).

The initial values of the access/dirty bits in a page table entry are both 0. The access bit indicates whether the page represented by the entry has been accessed during execution of the process; if the data in the page is accessed during execution, the hardware automatically sets access to 1. The dirty bit indicates whether the page represented by the entry has been modified during execution of the process; if the data in the page is modified during execution, the hardware automatically sets dirty to 1.

Between the end of the page table validity check and the execution of the enclave program, the page table may be tampered with. Since the untrusted operating system and other untrusted processes cannot learn when the page table validity check inside the enclave ends, the probability that the untrusted operating system tampers with the page table in the window between the page table validity check and the RTM-protected execution of the enclave program is very small. At the same time, the enclave program can read the value of the SSA at the start of the RTM region to judge whether the untrusted operating system intervened. The SSA is designed by SGX to save the context of an enclave application when it is interrupted: when an interrupt occurs while the enclave application is running, the SGX-capable CPU saves the execution state at the moment of interruption, including the address of the interrupted instruction, in the SSA of that enclave.

The RTM technology declares the beginning and end of a transaction with the Xbegin and Xend instructions. If, between Xbegin and Xend, content that the transaction has read or modified is modified by another logical processor, the hardware detects this and aborts the transaction. If the RTM-protected execution of the enclave is not aborted, the corresponding page table entries were not tampered with during execution by a potential attacker, including the untrusted operating system, and the execution environment of the enclave is safe.

To reduce the probability of transaction aborts, the code protected by one Xbegin/Xend pair should not be too long, so the enclave code consists of multiple Xbegin/Xend pairs. An attacker may mount an ROP attack and use control-transfer instructions such as jmp to jump to a point after an Xend, escaping the sequence of Xbegin/Xend pairs; or, during execution, jump into the middle of the code between Xbegin and Xend where, because x86 instructions are of variable length, the CPU interprets the bytes as an instruction different from the one the developer wrote, for example an Xend instruction that ends the transaction and thereby bypasses the RTM protection of the page table entries. Likewise, the bytes encoding the Xbegin and Xend instructions in the following code may be interpreted as other instructions, so that all the Xbegin and Xend instructions placed by the developer lose their effect, the page table entries are no longer protected, and they can be tampered with without being detected.

Therefore the program code of the enclave must be scanned at the binary level before the enclave is created, guaranteeing on the one hand that the WRPKRU instruction and its encoding mentioned above appear only at legal positions, and on the other hand that no jmp instruction exists between Xend and Xbegin and that the binary code between Xbegin and Xend cannot be pieced together into the two instructions Xbegin and Xend.
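The two byte-level checks described above, as an added example that is not part of the patent or of its system library: a scan of a constructed x86-64 code buffer for the WRPKRU encoding (0F 01 EF) outside an allow-listed initialisation region, and for XBEGIN (C7 F8) or XEND (0F 01 D5) encodings hidden inside a transaction body. The buffer, the allow-list region and the transaction offsets are constructed for the example. The ROP check (no jmp between Xend and Xbegin) is deliberately not modelled here: matching E9/EB bytes would also flag immediates and displacements, so that check needs a real disassembler rather than a byte scan.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte encodings the scan looks for (x86-64):
 *   WRPKRU = 0F 01 EF      XBEGIN = C7 F8 rel32      XEND = 0F 01 D5
 * Instruction boundaries are ignored on purpose: x86 instructions have
 * variable length, so a jump into the middle of an instruction makes the CPU
 * decode whatever bytes sit there. A pattern is a finding wherever it occurs,
 * not only where the compiler emitted that instruction. */
static const uint8_t WRPKRU_ENC[] = {0x0f, 0x01, 0xef};
static const uint8_t XBEGIN_ENC[] = {0xc7, 0xf8};
static const uint8_t XEND_ENC[]   = {0x0f, 0x01, 0xd5};

struct region { size_t start, end; };   /* half-open byte range [start, end) */

static int in_regions(const struct region *rs, size_t n, size_t off)
{
    for (size_t i = 0; i < n; i++)
        if (off >= rs[i].start && off < rs[i].end)
            return 1;
    return 0;
}

/* Count occurrences of pat starting at any byte offset in code[lo, hi),
 * skipping offsets that fall inside the allow-list. */
static size_t count_pattern(const uint8_t *code, size_t lo, size_t hi,
                            const uint8_t *pat, size_t plen,
                            const struct region *allow, size_t nallow)
{
    size_t hits = 0;
    for (size_t off = lo; off + plen <= hi; off++) {
        size_t k = 0;
        while (k < plen && code[off + k] == pat[k])
            k++;
        if (k == plen && !in_regions(allow, nallow, off))
            hits++;
    }
    return hits;
}

/* WRPKRU check: every 0F 01 EF outside the allow-listed thread-initialisation
 * code (the only place that may set PKRU) is a violation. */
size_t check_wrpkru(const uint8_t *code, size_t len,
                    const struct region *allow, size_t nallow)
{
    return count_pattern(code, 0, len, WRPKRU_ENC, sizeof WRPKRU_ENC,
                         allow, nallow);
}

/* RTM bypass check: strictly inside a declared transaction, i.e. between the
 * end of the 6-byte XBEGIN (C7 F8 rel32) and the start of XEND, no byte
 * sequence may decode as XBEGIN or XEND, otherwise a mid-instruction jump
 * could end (or restart) the transaction and leave the page table unguarded. */
size_t check_rtm_body(const uint8_t *code, size_t len,
                      size_t xbegin_off, size_t xend_off)
{
    size_t lo = xbegin_off + 6, hi = xend_off;
    if (hi > len || lo > hi)
        return 1;                                   /* malformed pair */
    return count_pattern(code, lo, hi, XBEGIN_ENC, sizeof XBEGIN_ENC, NULL, 0)
         + count_pattern(code, lo, hi, XEND_ENC, sizeof XEND_ENC, NULL, 0);
}

/* Constructed sample (not taken from a real enclave), by byte offset:
 *   0: 31 C0                xor eax,eax
 *   2: 0F 01 EF             wrpkru               legitimate, init region [0,6)
 *   5: C3                   ret
 *   6: B8 0F 01 EF 00       mov eax,0x00ef010f   hides 0F 01 EF at offset 7
 *  11: C7 F8 00 00 00 00    xbegin +0            transaction start
 *  17: B8 0F 01 D5 00       mov eax,0x00d5010f   hides XEND at offset 18
 *  22: 0F 01 D5             xend
 *  25: C3                   ret                                            */
static const uint8_t sample[] = {
    0x31, 0xc0, 0x0f, 0x01, 0xef, 0xc3,
    0xb8, 0x0f, 0x01, 0xef, 0x00,
    0xc7, 0xf8, 0x00, 0x00, 0x00, 0x00,
    0xb8, 0x0f, 0x01, 0xd5, 0x00,
    0x0f, 0x01, 0xd5, 0xc3,
};
static const struct region init_code = { 0, 6 };

size_t sample_wrpkru_violations(int use_allowlist)
{
    return check_wrpkru(sample, sizeof sample,
                        use_allowlist ? &init_code : NULL,
                        use_allowlist ? 1 : 0);
}

size_t sample_rtm_violations(void)
{
    return check_rtm_body(sample, sizeof sample, 11, 22);
}

int main(void)
{
    printf("WRPKRU encodings outside init code: %zu\n", sample_wrpkru_violations(1));
    printf("hidden XBEGIN/XEND inside transaction: %zu\n", sample_rtm_violations());
    return 0;
}
```

With the allow-list the scan reports only the 0F 01 EF buried in the mov immediate at offset 7, and the transaction body is flagged for the XEND bytes at offset 18; the patent's binary rewriting step would then change those immediates (for example by splitting the constant) so that neither byte sequence survives.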

Fig. 2 is the architecture diagram of the system in the example of the invention. The architecture generally follows the current framework of application programs that use SGX technology. Each enclave program is linked against the system library implemented by the invention and runs on an untrusted operating system; the application inside the enclave is multithreaded. Because the PKRU register value of every thread in the enclave program is different, every thread in the enclave can have a private address-space region that only this thread can access and no other thread can, which realises isolation inside the enclave. As shown in Fig. 3, taking thread 1 and thread 2 as an example, although the two threads use the same page table, the PKRU register values in their thread contexts differ, so thread 1 cannot access the content of any page in page group 2 and thread 2 cannot access the content of any page in page group 1.
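A software model of the mechanism Fig. 3 relies on, added here as an example and not taken from the patent or its system library: it builds a thread's PKRU value from the keys that thread may use, decodes the protection-key field (bits 62:59) of a page-table entry, and checks that each page group is reachable only by its owning thread. The PTE values and the key assignments are constructed; the code does not execute WRPKRU or RDPKRU, it reproduces the CPU's permission decision in plain C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* PKRU layout (Intel SDM, "Protection Keys"): for key k, bit 2k is AD (access
 * disable) and bit 2k+1 is WD (write disable); 16 keys in 32 bits. A page's
 * key is carried in bits 62:59 of its page-table entry, key 0 being the
 * default. PKRU is per-thread state (saved and restored with XSAVE), so each
 * thread runs with its own value although all threads share one page table. */
#define NUM_KEYS   16
#define PKRU_AD(k) (1u << (2 * (k)))
#define PKRU_WD(k) (1u << (2 * (k) + 1))

/* PKRU value for a thread allowed to use exactly the keys in allow_mask
 * (bit k set = key k readable and writable). Key 0 stays open because the
 * enclave's shared code and data are left on the default key. */
uint32_t pkru_for_thread(uint16_t allow_mask)
{
    uint32_t pkru = 0;
    for (unsigned k = 1; k < NUM_KEYS; k++)
        if (!(allow_mask & (1u << k)))
            pkru |= PKRU_AD(k) | PKRU_WD(k);
    return pkru;
}

/* The decision the MMU makes for a user-mode data access to a page tagged
 * with `key` while the given PKRU is loaded. */
int pkru_permits(uint32_t pkru, unsigned key, int is_write)
{
    if (pkru & PKRU_AD(key))
        return 0;
    if (is_write && (pkru & PKRU_WD(key)))
        return 0;
    return 1;
}

/* Protection-key field of an x86-64 PTE (bits 62:59). */
unsigned pte_pkey(uint64_t pte)
{
    return (unsigned)((pte >> 59) & 0xf);
}

/* Constructed PTEs (present bit set) for one page of each group in the
 * Fig. 3 scenario: page group 1 is tagged key 1, page group 2 key 2. */
#define MK_PTE(frame, key) ((uint64_t)(frame) | 1ull | ((uint64_t)(key) << 59))
static const uint64_t page_group1 = MK_PTE(0x123456000ull, 1);
static const uint64_t page_group2 = MK_PTE(0x123457000ull, 2);

/* Can a thread whose allowed keys are thread_mask read the page `pte` maps? */
int thread_can_read(uint16_t thread_mask, uint64_t pte)
{
    return pkru_permits(pkru_for_thread(thread_mask), pte_pkey(pte), 0);
}

/* Isolation property of the scheme: every private page is readable by exactly
 * one thread. threads[] holds each thread's allowed-key mask, pages[] the PTEs
 * of the private pages. Returns 1 if the property holds for all pages. */
int isolation_holds(const uint16_t *threads, size_t nthreads,
                    const uint64_t *pages, size_t npages)
{
    for (size_t p = 0; p < npages; p++) {
        size_t readers = 0;
        for (size_t t = 0; t < nthreads; t++)
            if (thread_can_read(threads[t], pages[p]))
                readers++;
        if (readers != 1)
            return 0;
    }
    return 1;
}

/* Fig. 3 as configured by the system library: thread 1 -> key 1, thread 2 -> key 2. */
int demo_isolated(void)
{
    const uint16_t threads[2] = { 1u << 1, 1u << 2 };
    const uint64_t pages[2]   = { page_group1, page_group2 };
    return isolation_holds(threads, 2, pages, 2);
}

/* A misconfiguration: thread 2 is also granted key 1 and can read group 1. */
int demo_leaky(void)
{
    const uint16_t threads[2] = { 1u << 1, (1u << 1) | (1u << 2) };
    const uint64_t pages[2]   = { page_group1, page_group2 };
    return isolation_holds(threads, 2, pages, 2);
}

int main(void)
{
    printf("thread 1 PKRU = 0x%08x, thread 2 PKRU = 0x%08x\n",
           pkru_for_thread(1u << 1), pkru_for_thread(1u << 2));
    printf("thread 1 reads group 2: %d, thread 2 reads group 1: %d\n",
           thread_can_read(1u << 1, page_group2),
           thread_can_read(1u << 2, page_group1));
    printf("isolated: %d, leaky: %d\n", demo_isolated(), demo_leaky());
    return 0;
}
```

Two properties of the hardware shape the rest of the scheme and are visible in the model: PKRU only governs user-mode data accesses (instruction fetches and pages on key 0 are open to every thread, so shared enclave code stays on key 0), and the value is thread-local and writable by the unprivileged WRPKRU instruction, which is why the binary check has to keep that instruction out of the enclave except in the initialisation code.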

Fig. 4 is the flow chart of an enclave program from creation to running in the example of the invention; the specific steps are as follows:

1. The user issues a command to run the enclave program; the SGX driver creates the enclave and loads the corresponding code;

2. The system library checks the binary code of the enclave program and ensures two points: apart from the code that initialises the PKRU register value of a thread, no other part contains a WRPKRU instruction or its instruction encoding (0x0f01ef); and the code after an Xend and before the next Xbegin contains no jump instruction such as jmp that an attacker could use for an ROP attack, while the binary code between Xbegin and Xend cannot be pieced together into the Xbegin and Xend instructions;

3. The system library creates the threads, calls the MPK-related interface, requests the untrusted operating system to set the page table entries of the specified pages and to divide them into the corresponding page groups, and sets the value of PKRU for each thread so that every thread has a private memory region;

4. The system library requests the untrusted operating system to set up the related page table entries and to map the page-table page holding those entries at a specified address;

5. After the untrusted operating system has set up the page table entries of the enclave program, it maps their content at the specified address, and the enclave program checks them accordingly;

6. The enclave program performs random reads and writes at different memory addresses; after each read or write it checks whether the values of the access/dirty bits in the corresponding page table entry are correct, and reads the SSA to make sure that no interrupt and no intervention by the untrusted operating system occurred during the operation. The check is repeated several times to ensure that the memory mapping read from the page table entry is identical every time and that the access/dirty bits of the corresponding entry are set after the enclave's read or write; if the check fails even once, the page table entry is regarded as forged and the enclave exits;

7. After passing the page table entry validity check, the application program in the enclave starts executing, and uses the hardware support of RTM to guarantee that the corresponding page table entries are not changed during execution.

Further, a preferred embodiment of the invention provides an efficient internal isolation method for Intel SGX, comprising:

1. An inter-thread security isolation mechanism is proposed that uses MPK technology to realise efficient isolation inside SGX, so that a thread efficiently owns a private memory region that other threads cannot access;

2. To verify that the untrusted operating system has correctly set up the MPK-related page tables for the enclave program, the invention proposes a method in which the enclave program performs random reads and writes of the corresponding memory pages, checks whether the access/dirty bits in the page table entries are set afterwards, and reads the SSA structure to judge whether the untrusted operating system intervened during the verification;

3. It is proposed to use RTM technology to protect the related page table entries from modification while the enclave program runs;

4. To prevent the enclave program from calling WRPKRU at runtime to tamper with the value of the PKRU register, and to prevent the RTM protection from being bypassed, the invention scans the binary code of the enclave program before it runs and rewrites code that does not comply, so that no non-compliant encodings of the WRPKRU, Xbegin and Xend instructions appear in the enclave program;

5. The invention proposes a complete method for efficient internal isolation of SGX that is suitable for mainstream system architectures.

In the description of the present application, it should be understood that the terms "upper", "lower", "front", "rear", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer" and the like indicate orientations or positional relationships based on the drawings; they are used only to describe the application conveniently and to simplify the description, and do not indicate or imply that the device or element referred to must have a specific orientation or be constructed and operated in a specific orientation, and therefore should not be understood as limiting the application.

Those skilled in the art will appreciate that, in addition to implementing the system, device and modules provided by the invention purely as computer-readable program code, the method steps can be programmed in logic so that the system, device and modules provided by the invention implement the same programs in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Therefore the system, device and modules provided by the invention may be regarded as hardware components, and the modules contained in them for realising the various programs may also be regarded as structures within the hardware components; modules for realising the various functions may be regarded both as software programs implementing the method and as structures within hardware components.

Specific embodiments of the invention have been described above. It is to be understood that the invention is not limited to the particular embodiments described above, and that those skilled in the art can make various changes or modifications within the scope of the claims without affecting the substance of the invention. In the absence of conflict, the embodiments of the application and the features in the embodiments can be combined with one another arbitrarily.
