[go: up one dir, main page]

CN112384923B - Memory access method, microprocessor, client and computer storage medium - Google Patents

Memory access method, microprocessor, client and computer storage medium Download PDF

Info

Publication number
CN112384923B
CN112384923B CN201980039310.5A CN201980039310A CN112384923B CN 112384923 B CN112384923 B CN 112384923B CN 201980039310 A CN201980039310 A CN 201980039310A CN 112384923 B CN112384923 B CN 112384923B
Authority
CN
China
Prior art keywords
memory
access
address
request
attribute
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201980039310.5A
Other languages
Chinese (zh)
Other versions
CN112384923A (en
Inventor
陈星�
房玲江
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Zhuoyu Technology Co ltd
Original Assignee
Shenzhen Zhuoyu Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Zhuoyu Technology Co ltd filed Critical Shenzhen Zhuoyu Technology Co ltd
Publication of CN112384923A publication Critical patent/CN112384923A/en
Application granted granted Critical
Publication of CN112384923B publication Critical patent/CN112384923B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A memory access method, a microprocessor, a client and a computer storage medium. The method comprises the steps of obtaining a memory access request, wherein the memory access request comprises an address to be accessed and an access key (S101), determining a memory area corresponding to the address to be accessed and a standard key (S102), and when the access key is matched with the standard key, utilizing a memory protection unit to adjust the memory attribute of the memory area to an access permission state (S103). By acquiring the memory access request, when the access key passes verification, the memory attribute of the memory area is adjusted to an access permission state, so that a user can execute corresponding data processing operation on the memory area, the memory can be prevented from being accessed or modified accidentally, and the effective protection of the memory is realized.

Description

Memory access method, microprocessor, client and computer storage medium
Technical Field
The embodiment of the invention relates to the technical field of communication, in particular to a memory access method, a microprocessor, a client and a computer storage medium.
Background
In the field of microprocessors, memory protection is a necessary security measure. The memory access methods in the prior art have respective advantages and disadvantages, are easy to be limited by hardware structures such as a microprocessor, are complex to operate, are easy to reduce the system efficiency, can only realize the protection function, and cannot provide detection means for abnormal access.
Disclosure of Invention
The embodiment of the invention provides a memory access method, a microprocessor, a client and a computer storage medium, which can prevent memory from being accessed or modified accidentally, and can discover abnormal operation of a protected area in real time, so that the security of memory access is improved.
A first aspect of the present invention is to provide a method for accessing a memory, including:
Acquiring a memory access request, wherein the memory access request comprises an address to be accessed and an access key;
determining a memory area and a standard secret key corresponding to the address to be accessed;
and when the access key is matched with the standard key, the memory protection unit is utilized to adjust the memory attribute of the memory area to the access permission state.
A second aspect of the present invention is to provide a microprocessor, comprising:
a memory for storing a computer program;
A processor for executing the computer program stored in the memory to implement:
Acquiring a memory access request, wherein the memory access request comprises an address to be accessed and an access key;
determining a memory area and a standard secret key corresponding to the address to be accessed;
and when the access key is matched with the standard key, the memory protection unit is utilized to adjust the memory attribute of the memory area to the access permission state.
A third aspect of the present invention is to provide a memory access method, including:
sending a memory protection request to a microprocessor, wherein the memory protection request comprises address information to be protected;
And receiving key information and a memory access channel which are sent by the microprocessor according to the memory protection request, wherein the key information corresponds to the address information.
A fourth aspect of the present invention is to provide a client, including:
a memory for storing a computer program;
A processor for executing the computer program stored in the memory to implement:
sending a memory protection request to a microprocessor, wherein the memory protection request comprises address information to be protected;
And receiving key information and a memory access channel which are sent by the microprocessor according to the memory protection request, wherein the key information corresponds to the address information.
A fifth aspect of the present invention is to provide a computer-readable storage medium, where program instructions are stored in the computer-readable storage medium, the program instructions being used in the memory access method according to the first aspect.
A sixth aspect of the present invention is to provide a computer-readable storage medium, which is a computer-readable storage medium having stored therein program instructions for the memory access method according to the third aspect.
According to the memory access method, the microprocessor, the client and the computer storage medium, the memory area and the standard key corresponding to the address to be accessed are determined by acquiring the memory access request, when the access key is matched with the standard key, the memory attribute of the memory area is adjusted to the access permission state by the memory protection unit, and the memory access state is adjusted by the memory protection unit based on the key, so that the memory is prevented from being accessed or modified accidentally, the effective protection of the memory is realized, the safety and reliability of the memory access are ensured, and the practicability of the method is effectively improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 is a schematic diagram of a method for upper and lower bound protection provided in the prior art;
FIG. 2 is a schematic diagram of a process stack protection method provided in the prior art;
FIG. 3 is a flowchart illustrating a memory access method according to an embodiment of the present invention;
FIG. 4 is a second flowchart of a memory access method according to an embodiment of the present invention;
fig. 5 is a flowchart illustrating a memory access method according to an embodiment of the present invention;
fig. 6 is a flowchart illustrating a memory access method according to an embodiment of the present invention;
fig. 7 is a schematic flow chart of identifying an illegally accessed user for the memory area according to an embodiment of the present invention;
fig. 8 is a flowchart of a memory access method according to an embodiment of the present invention;
Fig. 9 is a flowchart of a memory access method according to an embodiment of the present invention;
FIG. 10 is a flowchart illustrating another memory access method according to an embodiment of the present invention;
FIG. 11 is a second flowchart illustrating another memory access method according to an embodiment of the present invention;
Fig. 12 is a flowchart of a memory access method according to an embodiment of the present invention;
FIG. 13 is a schematic diagram I of a memory access method according to an embodiment of the present invention;
fig. 14 is a second flowchart of a memory access method according to an embodiment of the present invention;
FIG. 15 is a second schematic diagram of a memory access method according to an embodiment of the present invention;
FIG. 16 is a schematic diagram illustrating a microprocessor according to an embodiment of the present invention;
fig. 17 is a schematic structural diagram of a client according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein in the description of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
In order to facilitate understanding of the specific implementation process of the technical solution in this embodiment, the following description is related to the working principle of the microprocessor:
In the technical field of microprocessors, memory protection is a persistent proposition. The memory protection method of any type has the advantages and disadvantages that the method is limited by the hardware structure of the microprocessor, the operation of the memory protection process is complex, the data processing efficiency is reduced, the protection effect can only be realized, and the detection of abnormal access can not be provided.
For a microprocessor, the microprocessor may include a high-end microprocessor and a low-end microprocessor, where the high-end microprocessor includes a memory management unit (Memory Management Unit, abbreviated as MMU) for implementing virtual memory management, so as to divide a memory address into a virtual address and a physical address. For the user, the user can view the virtual address, and the virtual address is separated from the actual physical address, so that the purpose of memory protection is achieved.
In the low-end microprocessor, no MMU is provided, but a memory protection unit (Memory Protection Unit, abbreviated as MPU) is provided, and specifically, the MPU is a hardware structure that provides memory region attribute setting by taking a region as a unit. Typically, the MPU may have 8 or more zones. Each region is correspondingly provided with a memory region and a memory attribute, wherein the memory attribute comprises read-write (whether the region can read and write), execution (whether the region can directly access and execute), cache, write cache and the like. Meanwhile, different areas allow overlapping when the memory areas are set, and the different areas can correspond to different priorities, and when the memory areas of the areas overlap, the areas with high priority will cover the attributes set by the areas with low priority. When the memory operation is different from the attribute of the region setting, the abnormal operation of the hardware is generated immediately and the microprocessor is informed. Therefore, the memory protection can be realized by using the setting of the read-write attribute, and the illegal operation of the memory can be discovered by using the abnormal operation.
For a low-end microprocessor, two memory protection modes can be adopted, one is a memory protection method realized by only using a software processing algorithm without using an MPU (micro processing unit), such as an upper and lower bound protection method, and the other is a protection method using an MPU (micro processing unit), such as a process stack protection method combined with an Operating System (OS).
The upper and lower bound protection method comprises the steps of presetting an upper and lower bound register, wherein the upper and lower bound register stores a starting address and a terminating address of a memory used by an executing program, and in the process of executing data, checking memory operation through a unified software processing algorithm to judge whether the accessed address is in the upper and lower bound range. If not, determining that the current access is illegal access, otherwise, determining that the current access is legal access. Referring to fig. 1, the memory access addresses of "1#" and "3#" exceed the upper and lower bound addresses defined by the memory region, so that it can be determined that the memory access operations of "1#" and "3#" are illegal operations, and the memory access address of "2#" meets the address requirement, so that successful access will be performed.
In addition, the process stack protection method is a stack memory protection method by combining an Operating System (OS) and hardware, and can realize the protection between the stack memory of the currently running process and the stack memories of other processes, effectively prevent the occurrence of stack overflow and realize the protection of the space in the stack. As shown in fig. 2, the specific implementation principle is as follows:
(1) A memory space is allocated in advance for the stack background space of the process stack, and stacks of all processes are allocated in the space.
(2) The stack space is set to be unreadable and writable, and not executable, by a low-priority area (background area) of the MPU.
(3) At the time of starting a process, a stack space of the process to be started is set to be readable and writable, and is not executable by a high-priority area (process area) of the MPU. At this time, because the high priority of the MPU covers the principle of low priority, only the started process stack space can be read and written, and other process stacks cannot be read and written, thereby realizing the protection of other process stacks and preventing stack overflow or abnormal pointer modification.
(4) When a process is switched, a process area is set to be a stack space to be switched, so that the next process to be started becomes readable and writable, and the process which is switched out becomes unreadable and writable.
However, the above memory protection method has the following drawbacks:
(1) Memory protection in most microprocessor applications is based on software-level protection, such as the above-described upper and lower bound protection. However, protection methods based on the software layer have the risk of abnormal operation, and may cause the protection function to fail.
(2) For the protection measure at the software level, the access efficiency is reduced due to the need to check the address of each operation.
(3) The implementation mechanism of the protection measures of the software layer is based on the examination of access addresses (such as upper and lower bound protection laws), so that the memory access needs to be accessed through a fixed software channel. Thus, when an abnormal access to the system does not pass through its fixed memory channel, its protection measures will fail. Such as widely available exception pointer memory accesses. When the abnormal pointer points to the protection area, the protection function is not performed because the abnormal pointer does not pass through the fixed memory channel.
(4) Most of protection methods using MPU only realize the protection of process stack, and it is difficult to realize the protection of any memory address.
(5) The memory protection method is basically based on the memory protection of the process, and no effective measure is provided for the protection of the process.
(6) The memory protection is a protection means for a single process or a single user, so that memory sharing among multiple users is difficult to realize, and the memory sharing is protected.
Some embodiments of the present invention are described in detail below with reference to the accompanying drawings. In the case where there is no conflict between the embodiments, the following embodiments and features in the embodiments may be combined with each other.
In order to solve the above problems, the embodiment provides a memory access method, which can prevent memory from being accidentally accessed or modified, and can also discover abnormal operations of a protected area in real time, thereby improving security of memory access. In a specific application, the execution body of the memory access method may be a microprocessor, and the microprocessor may be a low-end microprocessor, and the microprocessor may be implemented as software, or a combination of software and hardware. Specifically, the method may include:
S101, acquiring a memory access request, wherein the memory access request comprises an address to be accessed and an access key.
The memory access request may be sent by a first virtual user. The first virtual user may be any one of a process, a software module located on a central processing unit and running independently, an application program, a terminal device, etc., and the number of the first virtual users may be one or more, which can be understood that the first virtual user may have different manifestations in different application scenarios. Specifically, when the first virtual user sends a memory access request to the microprocessor, the microprocessor may obtain the memory access request, where the memory access request includes an address to be accessed and an access key, where the access key is used to implement a memory access operation with respect to the address to be accessed.
S102, determining a memory area and a standard key corresponding to the address to be accessed.
After the address to be accessed is obtained, the address to be accessed may be analyzed to determine a memory area and a standard key corresponding to the address to be accessed. Specifically, the specific implementation manner of determining the memory area corresponding to the address to be accessed and the standard key is not limited, and a person skilled in the art can set the method according to specific application scenarios and application requirements, for example, the method includes the steps of obtaining address identification information corresponding to the address to be accessed, determining the memory area corresponding to the address to be accessed and the standard key according to the address identification information, wherein the standard key is used for verifying validity of the memory access request, determining that the memory access request is a legal request when the standard key is matched with the access key included in the memory access request, and determining that the memory access request is an illegal request when the standard key is not matched with the access key included in the memory access request.
And S103, when the access key is matched with the standard key, the memory protection unit is utilized to adjust the memory attribute of the memory area to the access permission state.
The access permission state comprises a state of permitting the first virtual user to execute corresponding data processing operation on the memory area.
In another alternative embodiment, other virtual users associated with the first virtual user identity may be allowed to access the memory region and perform corresponding data processing operations.
When the access key is matched with the standard key, the memory access request is determined to be a legal request, and at this time, the memory attribute in the memory area can be adjusted to an access permission state by using the memory protection unit, wherein the memory attribute can include at least one of a read-write attribute, an address execution attribute and a cache attribute, so that the first virtual user can execute a data processing operation corresponding to the memory access request for the memory area, and the memory protection unit in the embodiment can be integrated in the microprocessor.
For example, before a memory access request is received, the memory attribute of the memory area is in an access prohibition state, when the memory access request is a read-write request sent for a first address, a first access key included in the read-write request may be obtained, a standard key corresponding to the first address is determined, and when the first access key matches with the standard key, the read-write attribute of the memory area is adjusted to an allowed state by using the memory protection unit, so that a first virtual user performs a data read-write operation corresponding to the read-write request for the memory area. Or when the memory access request is an address access execution request sent for the second address, the second access key included in the address access execution request can be obtained, the standard key corresponding to the second address is determined, and when the second access key is matched with the standard key, the address access execution attribute of the memory area is adjusted to an allowable state by using the memory protection unit, so that the first virtual user executes the address access execution operation corresponding to the address access execution request for the memory area.
According to the memory access method provided by the embodiment, the memory area and the standard secret key corresponding to the address to be accessed are determined by acquiring the memory access request, when the access secret key is matched with the standard secret key, the memory attribute of the memory area is adjusted to the access permission state by using the memory protection unit, and the memory access state is adjusted by using the memory protection unit based on the secret key, so that the memory is prevented from being accessed or modified accidentally, the effective protection of the memory is realized, the safety and the reliability of the memory access are ensured, and the practicability of the method is effectively improved.
Fig. 4 is a flow chart of another memory access method according to an embodiment of the present invention, and based on the above embodiment, with continued reference to fig. 4, before obtaining a memory access request, the method in this embodiment may further include:
S201, obtaining a memory protection request sent by a second virtual user, wherein the memory protection request comprises address information to be protected.
The second virtual user may be any one of a process, a software module located on the central processor and running independently, an application program, etc., and the number of the second virtual users may be one or more, which is understood that the second virtual user may have different manifestations in different application scenarios. In a specific application scenario, the second virtual user may be the same as or different from the first virtual user.
Before the memory access request is acquired, in order to realize effective protection of the memory, the second virtual user may send a memory protection request to the microprocessor, where the memory protection request may include address information to be protected, and specifically, the address information to be protected may include one of address information of a process stack and address information of a non-process stack, where a memory area corresponding to the address information of the non-process stack is used to store at least one of authentication information, device information, configuration information, operation information, and status information.
S202, distributing corresponding memory areas for the address information according to the memory protection request.
After the memory protection request is acquired, a corresponding memory area can be allocated for the address information to be protected based on the memory protection request, and the memory area at this time can correspond to a memory attribute, where the memory attribute can include at least one of a read-write attribute, an address fetch execution attribute, a cache attribute, and the like,
S203, the memory protection unit is utilized to adjust the memory attribute of the memory area to the access prohibition state.
After the corresponding memory area is allocated for the address information, the memory protection unit can be used for adjusting the memory attribute of the memory area to the access prohibition state, and it can be understood that after the memory attribute of the memory area is adjusted to the access prohibition state, any user cannot access the memory area, for example, the user cannot perform the read-write operation of the data, cannot perform the cache operation of the data, and cannot perform the address access execution operation, thereby effectively protecting the memory area.
And S204, generating key information corresponding to the address information, and sending the key information to the second virtual user.
After adjusting the memory attribute of the memory area to the access prohibition state, in order to enable the legitimate user to perform the access operation on the memory area, key information corresponding to the address information may be generated, and specifically, generating the key information corresponding to the address information may include:
s2041, a random key information corresponding to the address information is generated by a random number generator.
Specifically, a random number generator is preset, and the random number generator can be integrated in the microprocessor, and after the memory attribute of the memory area of the address information is adjusted to be in the access prohibition state, a random key information corresponding to the address information can be generated by using the random number generator. It is conceivable that since the random key information is generated by the random number generator, the key information corresponding to the address information is effectively ensured not to be fixed, and the strength of protecting the memory area is further ensured.
After the key information is acquired, the key information can be sent to the second virtual user, so that the second virtual user can realize legal access operation to the memory area based on the key information. In addition, after the second virtual user obtains the correspondence between the key information and the address information, the correspondence between the key information and the address information may be shared to other virtual users, for example, the second virtual user may share the correspondence between the key information and the address information to the first virtual user, so that the first virtual user may perform legal access operation on the memory area based on the shared key information. Specifically, the first virtual user may send a memory access request to the microprocessor, where the memory access request includes an access key, and at this time, the access key of the first virtual user may be determined according to key information shared by the second virtual user to the first virtual user, so that legal access operation of the first virtual user to the memory area is effectively implemented under authorization of the second virtual user based on the key information shared by the second virtual user. When other virtual users do not use the correct key information to send memory access requests to the microprocessor, the microprocessor can identify the virtual user as an illegal user, so that illegal access operation to a memory area can be found.
In this embodiment, by acquiring the memory protection request sent by the second virtual user, allocating a corresponding memory area for the address information according to the memory protection request, adjusting the memory attribute of the memory area to the access prohibition state by using the memory protection unit, generating the key information corresponding to the address information, and sending the key information to the second virtual user, effective protection of the memory area corresponding to the address information to be protected is effectively achieved, and the second virtual user can perform legal access operation on the memory area based on the key information, so that accidental access or modification of the memory is effectively prevented, meanwhile, abnormal access operation of the protected area can be found in real time, and illegal access operation of the virtual user can be obtained, thereby improving security of access to the memory.
On the basis of the above embodiment, with continued reference to fig. 3, the specific implementation manner of obtaining the memory access request in this embodiment is not limited, and those skilled in the art may set the method according to specific application requirements and design requirements, and preferably, the method for obtaining the memory access request in this embodiment includes:
S1011, obtaining a memory access request sent by a first virtual user through a memory access channel.
The memory access channel can be a preconfigured legal access channel corresponding to the address information, and when the first virtual user sends the memory access request, the first virtual user can send the memory access request through the memory access channel corresponding to the address information, so that the microprocessor can acquire the memory access request sent by the first virtual user through the memory access channel, and the validity of the memory access request is effectively ensured.
Fig. 5 is a flow chart of another memory access method according to an embodiment of the present invention, and based on the above embodiment, with continued reference to fig. 5, before obtaining a memory access request sent by a first virtual user through a memory access channel, the method in this embodiment may further include:
s301, corresponding memory access channels are allocated for the address information according to the memory protection request.
S302, the memory access channel is sent to a second virtual user.
After the memory protection request is obtained, a corresponding memory access channel can be allocated for the address information in the memory protection request, and it is conceivable that different address information can correspond to the same or different memory access channels, and then the memory access channel is sent to the second virtual user, so that the second virtual user can realize legal access to the memory area through the memory access channel.
In addition, after the second virtual user obtains the correspondence between the memory access channel and the address information, the correspondence between the memory access channel and the address information may be shared to other virtual users, for example, the second virtual user may share the correspondence between the memory access channel and the address information to the first virtual user, so that the first virtual user may perform legal access operation on the memory area based on the shared memory access channel. Specifically, the first virtual user can send a memory access request to the microprocessor through the memory access channel aiming at the address information, and at this time, the memory access channel of the first virtual user is the memory access channel shared by the second virtual user to the first virtual user, so that legal access operation of the first virtual user to the memory area can be realized based on the memory access channel shared by the second virtual user.
It can be understood that, when the second virtual user performs an access operation on the memory area, the memory area needs to be accessed by using the key information and the memory access channel corresponding to the address information, and only after the memory access channel and the key information pass verification, legal access operation on the memory area can be implemented. In contrast, in the case that the key information is not verified, the memory access channel is verified, or the memory access channel is not verified, the key information is verified, the second virtual user cannot realize legal access operation to the memory area.
In this embodiment, by allocating a corresponding memory access channel for address information according to a memory protection request, the memory access channel is sent to the second virtual user, so that the strength of protecting a memory area corresponding to the address information to be protected is effectively increased, the second virtual user can perform legal access operation on the memory area based on the memory access channel, the situation that the memory is accidentally accessed or modified is effectively prevented, and meanwhile, abnormal access operation of the protected area can be found in real time, that is, illegal access operation of the virtual user can be obtained, thereby improving the security of accessing the memory.
On the basis of any one of the above embodiments, after generating the key information corresponding to the address information, the method in this embodiment may further include:
and S205, storing the key information into a preset area.
The preset area may include an area located before the address information in the memory area, or the preset area may be adjacent to the memory area. For example, the preset area is an area A0-a10, where the area A0 is an area located before the address information, and after the key information is obtained, the key information may be stored in the area A0. Or the preset area is a, the area adjacent to the preset area a includes an area B and an area C, and after the key information is acquired, the key information may be stored in the area B or the area C.
Of course, a person skilled in the art may select other preset areas according to a specific application scenario, so long as the key information can be stored in the preset areas, so that the stored key information can be conveniently obtained through the preset areas.
Fig. 6 is a flow chart diagram of a memory access method according to an embodiment of the present invention, where, based on any one of the foregoing embodiments, referring to fig. 6, the method in this embodiment may further include:
s401, identifying illegal access users aiming at the memory area.
And S402, generating illegal access information corresponding to the illegal access user.
For the microprocessor, the virtual user accessing the memory area may be a legal access user or an illegal access user, where the legal access user may refer to a virtual user whose access key in the transmitted memory access request matches the standard key and whose access channel matches the preset memory access channel, and the illegal access user may refer to a virtual user whose access key in the transmitted memory access request does not match the standard key and/or whose access channel does not match the preset memory access channel. Specifically, a manner of implementing identification of an illegally accessed user for a memory region may include:
and S500, when the access key is not matched with the standard key, determining that the first virtual user is an illegal access user.
Specifically, after the memory access request sent by the first virtual user is obtained, an access key included in the memory access request can be obtained, then analysis and matching are performed between the access key and a standard key, and when the access key is not matched with the standard key, that is, it is indicated that the access key sent by the first virtual user is different from a preset standard key, it can be determined that the first virtual user at the moment is an illegal access user.
In addition, referring to fig. 7, the present embodiment further provides another manner of identifying an illegally accessed user for a memory area, which specifically includes:
s501, identifying an access channel of a first virtual user sending a memory access request by using a memory protection unit.
S502, when the access channel is not matched with a preset memory access channel, determining that the first virtual user is an illegal access user.
Specifically, after the memory access request sent by the first virtual user is obtained, the memory protection unit may identify an access channel of the first virtual user for sending the memory access request, then analyze and match the access channel with a preset memory access channel, and when the access channel is not matched with the memory access channel, that is, it is indicated that the access channel of the memory access request sent by the first virtual user is different from the preset memory access channel, it may be determined that the first virtual user at this time is an illegal access user.
Conversely, when the access channel is matched with the memory access channel, the access key included in the memory access request can be obtained, then the access key is analyzed and matched with the standard key, and when the access key is matched with the standard key, that is, the access key sent by the first virtual user is identical to the preset standard key, the first virtual user at the moment can be determined to be a legal access user.
After the illegal access user is identified, illegal access information corresponding to the illegal access user can be generated, the illegal access information can comprise user identification, access record, access time and the like of the illegal access user, and the user can be prompted through the generated illegal access information, so that the user can timely acquire abnormal access operation in the access microprocessor, accidental access or modification of the memory is effectively prevented, meanwhile, abnormal operation of a protected area can be found in real time, and the quality and effect of protecting the memory area are further improved.
Fig. 8 is a flowchart of a memory access method according to an embodiment of the present invention, where, based on any one of the embodiments described above, with continued reference to fig. 8, a memory protection request includes a first request and a second request, the first request includes a first access address, the second request includes a second access address, and an overlapping address exists between the first access address and the second access address, and in this case, memory regions corresponding to address information allocation according to the memory protection request and memory attributes corresponding to the memory regions may include:
S601, distributing a corresponding first memory area and a first memory attribute corresponding to the first memory area for a first access address according to a first request.
S602, distributing a corresponding second memory area and a second memory attribute corresponding to the second memory area for the second access address according to the second request.
S603, acquiring a first attribute priority of the first memory area and a second attribute priority of the second memory area.
S604, determining the overlapped memory attribute of the overlapped address according to the first attribute priority and the second attribute priority.
Specifically, when the memory protection request includes a first request and a second request, the first request and the second request may be sent by two different virtual users to the microprocessor, where after the microprocessor receives the first request and the second request, a corresponding first memory area may be allocated for the first access address according to the first request, where the first memory area may correspond to a first memory attribute, and a corresponding second memory area may be allocated for the second access address according to the second request, where the second memory area may correspond to a second memory attribute. Because the first access address to be protected and the second access address have overlapping addresses, the first memory area allocated for the first access address and the second memory area allocated for the second access address also have overlapping areas, and for the memory attribute of the overlapping areas, attribute priorities between the first memory area and the second memory attribute need to be identified, namely, the first attribute priority of the first memory area and the second attribute priority of the second memory area can be determined according to a preset rule, and then the overlapping memory attribute of the overlapping addresses is determined based on the first attribute priority and the second attribute priority. Specifically, determining the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority may include:
and S6041, determining the overlapped memory attribute of the overlapped address as the first memory attribute when the first attribute priority is higher than the second attribute priority. Or alternatively
And S6042, determining the overlapped memory attribute of the overlapped address as the second memory attribute when the first attribute priority is lower than the second attribute priority.
When the first attribute priority and the second attribute priority are acquired, a higher attribute priority may be determined, and then the overlapping memory attribute of the overlapping address is determined to be consistent with the higher attribute priority. Specifically, when the first attribute priority is higher than the second attribute priority, the overlapping memory attribute of the overlapping address is determined to be the first memory attribute, or when the first attribute priority is lower than the second attribute priority, the overlapping memory attribute of the overlapping address is determined to be the second memory attribute.
For example, the first access address included in the first request is 192.168.1.1-192.168.1.154, the second access address included in the second request is 192.168.1.100-192.168.1.254, and at this time, there is an overlapping address between the first access address and the second access address that is 192.168.1.100-192.168.1.154. Then the first memory area allocated to the first access address is an area A, the second memory area allocated to the second access address is an area B, wherein an overlapping area C exists between the area A and the area B, the overlapping area C is used for storing the overlapping addresses, and at the moment, all the areas formed by the area A and the area B can be divided into three parts, namely an area A1 used for storing a non-overlapping address part in the first access address, an overlapping area C used for storing the overlapping address and an area B1 used for storing a non-overlapping address part in the second access address, wherein the area A1 and the overlapping area C form the area A, and the area B1 and the overlapping area C form the area B.
For the above-mentioned area A1, the overlapping area C, and the area B1, the memory attribute of the area A1 corresponds to a first attribute priority, and the memory attribute of the area B1 corresponds to a second attribute priority, where the first attribute priority corresponds to the first request and the second attribute priority corresponds to the second request. And the memory attribute of the overlapped area C accords with attribute information with higher priority in the first attribute priority and the second attribute priority, so that a virtual user with high priority can access the overlapped area, and a virtual with low priority cannot access the overlapped area, different memory protection strategies are set for virtual users with different priority levels, and the flexibility and reliability of the use of the memory protection method are further improved.
Fig. 9 is a flowchart of a memory access method according to an embodiment of the present invention, where, based on any one of the embodiments described above, with continued reference to fig. 9, a memory protection request includes a first request and a second request, where the first request includes a first access address and an identity of a first virtual user, and the second request includes a second access address and an identity of a second virtual user, where, in the generating key information corresponding to address information in this embodiment may include:
s701, determining a first access priority corresponding to a first access address according to the identity of a first virtual user, and determining a second access priority corresponding to a second access address according to the identity of a second virtual user.
S702 generates first key information corresponding to the first access address, the first key information satisfying the first access priority.
S703 generating second key information corresponding to the second access address, the second key information satisfying the second access priority.
Specifically, when the memory protection request includes a first request and a second request, the first request and the second request may be sent to the microprocessor by the first virtual user and the second virtual user, respectively, at this time, after the microprocessor receives the first request and the second request, the identity of the first virtual user included in the first request may be identified, then the first access priority corresponding to the first access address may be determined according to the identity of the first virtual user, similarly, the identity of the second virtual user included in the second request may be identified, then the second access priority corresponding to the second access address may be determined according to the identity of the second virtual user, and when there is no overlapping address between the first access address and the second access address, the first key information corresponding to the first access address may be directly generated, the first key information may satisfy the first access priority, and the second key information corresponding to the second access address may be generated, and the second key information may satisfy the second access priority.
When there is an overlapping address between the first access address and the second access address, the first key information satisfying the first access priority and the second key information satisfying the second access priority correspond to the portion of the overlapping address, and at this time, the key information having the higher access priority covers the key information having the lower access priority. For example, the overlapping area corresponds to the first key information with higher access priority and the second key information with lower access priority, and then the key information corresponding to the overlapping area is the first key information, so that the virtual user with high priority can access the overlapping area, and the virtual user with low priority cannot access the overlapping area, different memory protection strategies are set for the virtual users with different priority levels, and the flexible reliability of the use of the memory protection method is further improved.
In order to solve the above problems, the embodiment provides a memory access method, which can prevent the memory from being accidentally accessed or modified, and can also discover the abnormal operation of the protected area in real time, thereby improving the security of memory access. In a specific application, the execution body of the memory access method may be a client, and it is understood that the client may be implemented as software, or a combination of software and hardware. Specifically, the method may include:
S801, a memory protection request is sent to a microprocessor, wherein the memory protection request comprises address information to be protected.
S802, receiving key information and a memory access channel sent by a microprocessor according to a memory protection request, wherein the key information corresponds to address information.
Specifically, when the client side has memory protection requirements for the address information to be protected, a memory protection request for the address information to be protected can be generated, then the memory protection request can be sent to the microprocessor, so that the microprocessor can allocate a corresponding memory area based on the address information to be protected and perform memory protection operation on the memory area, then key information and a memory access channel corresponding to the address information to be protected can be returned, so that the client side can receive the key information and the memory access channel corresponding to the memory protection request, and at the moment, the key information and the memory access channel correspond to the address information to be protected, and therefore legal data access operation of the client side through the memory access channel and the key information is achieved.
According to the memory access method, the memory protection request is sent to the microprocessor, and the key information and the memory access channel which are sent by the microprocessor according to the memory protection request are received, so that legal data access operation of the client based on the memory access channel and the key information is effectively realized, the situation that the memory is accidentally accessed or modified is further prevented, the security of memory access is improved, and the practicability of the memory access method is effectively ensured.
On the basis of the foregoing embodiment, with continued reference to fig. 10, in order to improve the flexible reliability of use of the method, the method in this embodiment may further include:
and S901, sharing the key information and the address information to other clients so that the other clients execute corresponding data access operation on the memory area corresponding to the address information.
Specifically, after the client acquires the corresponding relation between the key information and the address information, the key information and the address information can be shared to other clients, so that other clients can execute corresponding data access operation on a memory area corresponding to the address information under the authorization of the client, the effect that the client with legal authority can execute corresponding data access operation on the memory area and the client without legal authority cannot execute corresponding data access operation on the memory area is effectively realized, the condition that the memory is accidentally accessed or modified is further prevented, and the quality and effect of protecting the memory access are improved.
Fig. 11 is a second flowchart of another memory access method according to the embodiment of the present invention, where, based on the above embodiment, with continued reference to fig. 11, the method in this embodiment may further include:
S1001, a memory access request is sent to a microprocessor based on a memory access channel, wherein the memory access request comprises an address to be accessed and an access key, so that the microprocessor adjusts the memory attribute of a memory area corresponding to the address to be accessed to an allowed access state according to the access key.
S1002, a data processing operation corresponding to the memory access request is performed with respect to the memory area.
Specifically, after the microprocessor requests to execute the corresponding memory protection operation of the address information to be protected, the client may request to access the corresponding memory area through the microprocessor, specifically, the client may send a memory access request to the microprocessor based on a memory access channel, where the memory access request includes the address to be accessed and an access key, after the microprocessor receives the memory access request, the validity of the client may be identified based on the access key included in the memory access request, and after the client is determined to be a legal access user, the memory attribute of the memory area corresponding to the address to be accessed may be adjusted to an operation access state according to the access key, so that the client may execute the data processing operation corresponding to the memory access request with respect to the memory area.
In this embodiment, a memory access request is sent to a microprocessor based on a memory access channel, after the microprocessor adjusts a memory attribute of a memory area corresponding to an address to be accessed to an allowed access state according to an access key, a client performs a data processing operation corresponding to the memory access request with respect to the memory area, so that a client having legal authority can perform the data processing operation corresponding to the memory access request with respect to the memory area, which not only can prevent a memory from being accessed or modified accidentally, but also can realize effective protection of the memory, thereby ensuring safety and reliability of application to the memory, and effectively improving practicability of the method.
When the method is applied specifically, the embodiment of the application provides a memory access method, the memory is protected in a soft-hard combination mode, the method has the functions of high reliability, high performance, small granularity and sharability, meanwhile, information of illegal access to the memory can be reserved, the reason of illegal access is found, and illegal access operation in a protection area is prevented. In addition, the method can realize the legal access to the memory and the setting of the memory attribute and the write cache attribute, thereby being beneficial to solving the problem of memory data synchronization. Specifically, as shown in fig. 12, the method includes the steps of:
step1, obtaining a memory protection request sent by a user, wherein the memory protection request comprises address information to be protected.
Step2, distributing corresponding memory areas for the address information according to the memory protection request.
Step3, configuring address information of the memory area.
Step4, utilizing the memory protection unit to adjust the memory attribute of the memory area to the access forbidden state.
Step5, generating key information corresponding to the address information and sending the key information to the user.
Specifically, a user can apply for a memory area to the memory protection unit MPU by using an address to be protected, and after the memory area is successfully allocated, the memory attribute of the address can be adjusted to an access prohibition state, for example, read-write permission is closed (i.e. lock is closed), cache permission is closed, and the like, the memory area in the access prohibition state cannot be accessed, and if access occurs, abnormal access information can be immediately generated, so that the positioning of illegal access information is realized. Then, a random key is generated by using a random number generator, the random key is bound with an address, namely, key information corresponding to the address information is obtained, the key information can be stored in a position before the address of the memory area, and meanwhile, the obtained key information can be sent to a user, as shown in fig. 13, so that the user can unlock and access the memory area according to the held key information, and legal access operation to the memory area is realized.
Further, after the user obtains the key information, the key information can be shared, as shown in fig. 14, the user can give the key information to other users, so as to realize memory sharing in a protection state, and thus, the authorized other users can perform legal access operation on the memory area through the shared key information.
Specifically, referring to fig. 15, when a user accesses a memory area, the method includes the following steps:
step11, obtaining a transmitted memory access request, wherein the memory access request comprises an address to be accessed and an access key.
Step12, determining the memory area corresponding to the address to be accessed and the standard key, and verifying the access key by using the standard key.
Step13, when the standard key is not matched with the access key, the access key is not verified, feedback information can be sent to the user, and when the standard key is matched with the access key, the access key is verified.
Step14, after the access key passes the verification, the memory attribute of the memory area can be adjusted to the allowed access state. At this time, the user may perform an access operation on the memory area through the access key.
Step15, after the access operation is performed on the memory area, the memory attribute of the memory area can be adjusted to the access prohibition state again, so that the safe access operation on the memory area is realized.
According to the memory access method, after the memory protection request sent by the virtual user is received, the memory area is protected based on the memory protection request, so that the memory protection area is applied by taking the request of the virtual user as a unit, the small-granularity memory protection is realized, the memory division and protection inside a process can be realized, in addition, the microprocessor in the embodiment adopts the MPU hardware unit to conduct the memory protection, compared with the memory protection measure of a software layer, the memory protection method has higher read-write efficiency due to the fact that the checking of the secondary read-write address is reduced, and the memory protection is realized by setting the read-write attribute through the MPU, compared with the memory protection of the software layer, the memory protection is equivalent and reliable. In addition, the method can also find the memory abnormal operation caused by the abnormal access operation, has a stronger protection effect, and particularly, when the illegal access operation of the memory occurs, the MPU can immediately trigger the abnormal access operation and can inform the microprocessor, so that the microprocessor can perform abnormal processing, and the memory abnormal operation is positioned. On the other hand, the method in the embodiment can realize the sharing of the key information, thereby realizing the sharing of the data of the protected memory and further improving the flexible reliability of the method.
Fig. 16 is a schematic structural diagram of a microprocessor according to an embodiment of the present invention, and referring to fig. 16, the present embodiment provides a microprocessor for executing the memory access method shown in fig. 3. Specifically, the microprocessor may include:
a first memory 12 for storing a computer program;
A first processor 11 for running a computer program stored in a first memory 12 to implement:
acquiring a memory access request, wherein the memory access request comprises an address to be accessed and an access key;
Determining a memory area and a standard secret key corresponding to an address to be accessed;
When the access key is matched with the standard key, the memory protection unit is utilized to adjust the memory attribute of the memory area to the access permission state.
Further, the memory access request is sent by a first virtual user, and the access permission state includes a state of permitting the first virtual user to perform corresponding data processing operation on the memory area.
The microprocessor may also include a first communication interface 13 in the structure for the electronic device to communicate with other devices or communication networks.
Further, the memory attribute comprises at least one of a read-write attribute, an address execution attribute and a cache attribute.
Further, before the memory access request is obtained, the first processor 11 is further configured to obtain a memory protection request sent by the second virtual user, where the memory protection request includes address information to be protected, allocate a corresponding memory area for the address information according to the memory protection request, adjust a memory attribute of the memory area to a state of prohibiting access by using the memory protection unit, generate key information corresponding to the address information, and send the key information to the second virtual user.
Further, the access key of the first virtual user is determined according to the key information shared by the second virtual user to the first virtual user.
Further, the address information to be protected comprises one of address information of a process stack and address information of a non-process stack.
Further, when the first processor 11 generates the key information corresponding to the address information, the first processor 11 is configured to generate a random key information corresponding to the address information by using the random number generator.
Further, when the first processor 11 obtains the memory access request, the first processor 11 is configured to obtain the memory access request sent by the first virtual user through the memory access channel.
Further, before obtaining the memory access request sent by the first virtual user through the memory access channel, the first processor 11 is further configured to allocate a corresponding memory access channel for the address information according to the memory protection request, and send the memory access channel to the second virtual user.
Further, the memory access channel of the first virtual user is shared by the second virtual user to the memory access channel of the first virtual user.
Further, after generating the key information corresponding to the address information, the first processor 11 is further configured to store the key information into a preset area.
Further, the preset area includes an area located before the address information in the memory area.
Further, the predetermined area is adjacent to the memory area.
Further, the first processor 11 is further configured to identify an illegitimate access user for the memory area, and generate illegitimate access information corresponding to the illegitimate access user.
Further, when the first processor 11 identifies an illegally accessed user for the memory area, the first processor 11 is configured to determine that the first virtual user is an illegally accessed user when the access key does not match the standard key.
Further, when the first processor 11 identifies an illegitimate access user for the memory area, the first processor 11 is configured to identify an access channel of the first virtual user that sends a memory access request by using the memory protection unit, and determine that the first virtual user is the illegitimate access user when the access channel does not match a preset memory access channel.
Further, the memory protection request comprises a first request and a second request, the first request comprises a first access address, the second request comprises a second access address, an overlapped address exists between the first access address and the second access address, when the first processor 11 allocates a corresponding memory area and a memory attribute corresponding to the memory area for address information according to the memory protection request, the first processor 11 is further used for allocating a corresponding first memory area and a first memory attribute corresponding to the first memory area for the first access address according to the first request, allocating a corresponding second memory area and a second memory attribute corresponding to the second memory area for the second access address according to the second request, acquiring a first attribute priority of the first memory area and a second attribute priority of the second memory area, and determining the overlapped memory attribute of the overlapped address according to the first attribute priority and the second attribute priority.
Further, when the first processor 11 determines the overlapping memory attribute of the overlapping address according to the first attribute priority and the second attribute priority, the first processor 11 is further configured to determine the overlapping memory attribute of the overlapping address as the first memory attribute when the first attribute priority is higher than the second attribute priority, or determine the overlapping memory attribute of the overlapping address as the second memory attribute when the first attribute priority is lower than the second attribute priority.
Further, the memory protection request comprises a first request and a second request, the first request comprises a first access address and an identity of a first virtual user, the second request comprises a second access address and an identity of a second virtual user, when the first processor 11 generates key information corresponding to the address information, the first processor 11 is further used for determining a first access priority corresponding to the first access address according to the identity of the first virtual user and determining a second access priority corresponding to the second access address according to the identity of the second virtual user, generating first key information corresponding to the first access address, the first key information meets the first access priority, and generating second key information corresponding to the second access address, and the second key information meets the second access priority.
The microprocessor shown in fig. 16 may perform the method of the embodiment shown in fig. 3-9 and fig. 12-15, and reference is made to the relevant description of the embodiment shown in fig. 3-9 and fig. 12-15 for a part of this embodiment that is not described in detail. The implementation process and technical effects of this technical solution are described in the embodiments shown in fig. 3 to 9 and fig. 12 to 15, and are not described herein.
In addition, an embodiment of the present invention provides a computer storage medium for storing computer software instructions for an electronic device, where the computer storage medium includes a program for executing the memory access method in the method embodiments shown in fig. 3 to 9 and 12 to 15.
Fig. 17 is a schematic structural diagram of a client according to an embodiment of the present invention, and referring to fig. 17, this embodiment provides a client for executing the memory access method shown in fig. 10. Specifically, the client may include:
a second memory 22 for storing a computer program;
a second processor 21 for executing a computer program stored in a second memory 22 to implement:
Sending a memory protection request to a microprocessor, wherein the memory protection request comprises address information to be protected;
and receiving key information and a memory access channel sent by the microprocessor according to the memory protection request, wherein the key information corresponds to the address information.
The structure of the client may further include a second communication interface 23, which is used for the electronic device to communicate with other devices or a communication network.
Further, the second processor 21 is further configured to share the key information and the address information to other clients, so that the other clients perform corresponding data access operations on the memory area corresponding to the address information.
Further, the second processor 21 is further configured to send a memory access request to the microprocessor based on the memory access channel, where the memory access request includes an address to be accessed and an access key, so that the microprocessor adjusts a memory attribute of a memory area corresponding to the address to be accessed to an allowed access state according to the access key, and perform a data processing operation corresponding to the memory access request with respect to the memory area.
The client shown in fig. 17 may perform the method of the embodiment shown in fig. 10 to 15, and for a part of this embodiment that is not described in detail, reference is made to the description of the embodiment shown in fig. 10 to 15. The implementation process and the technical effect of this technical solution are described in the embodiments shown in fig. 10 to 15, and are not described herein.
In addition, an embodiment of the present invention provides a computer storage medium for storing computer software instructions for an electronic device, where the computer storage medium includes a program for executing the memory access method in the method embodiments shown in fig. 10 to 15.
The technical schemes and technical features in the above embodiments can be independent or combined under the condition of conflict with the present disclosure, and all the technical schemes and technical features in the above embodiments belong to equivalent embodiments within the scope of protection of the present disclosure as long as the technical scope of the present disclosure does not exceed the cognitive scope of the person skilled in the art.
In the several embodiments provided in the present invention, it should be understood that the disclosed related remote control device and method may be implemented in other manners. For example, the remote control embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, indirect coupling or communication connection of remote control devices or units, electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied essentially or partly in the form of a software product or all or part of the technical solution, which is stored in a storage medium, and includes several instructions for causing a computer processor (processor) to perform all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes a usb disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, an optical disk, or other various media capable of storing program codes.
The foregoing description is only illustrative of the present invention and is not intended to limit the scope of the invention, and all equivalent structures or equivalent processes or direct or indirect application in other related technical fields are included in the scope of the present invention.
It should be noted that the above embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those skilled in the art that the technical solution described in the above embodiments may be modified or some or all of the technical features may be equivalently replaced, and these modifications or substitutions do not make the essence of the corresponding technical solution deviate from the scope of the technical solution of the embodiments of the present invention.

Claims (36)

1. A method for memory access, comprising:
Acquiring a memory access request, wherein the memory access request comprises an address to be accessed and an access key;
determining a memory area and a standard secret key corresponding to the address to be accessed;
When the access key is matched with the standard key, the memory protection unit is utilized to adjust the memory attribute of the memory area to an access permission state;
the memory access request is sent by a first virtual user, and the permission access state comprises:
and allowing the first virtual user to execute corresponding data processing operation on the memory area, and allowing other virtual users associated with the first virtual user to access the memory area and execute corresponding data processing operation, wherein the access key of the first virtual user is determined according to key information shared to the first virtual user by a second virtual user, and the second virtual user is a virtual user requesting protection on the memory area.
2. The method of claim 1, wherein prior to obtaining the memory access request, the method further comprises:
Acquiring a memory protection request sent by a second virtual user, wherein the memory protection request comprises address information to be protected;
distributing corresponding memory areas for the address information according to the memory protection request;
adjusting the memory attribute of the memory area to be in an access forbidden state by using the memory protection unit;
generating key information corresponding to the address information, and sending the key information to the second virtual user.
3. The method of claim 2, wherein the address information to be protected comprises one of address information of a process stack, address information of a non-process stack.
4. The method of claim 2, wherein the generating key information corresponding to the address information comprises:
a random key information corresponding to the address information is generated by a random number generator.
5. The method of claim 2, wherein the obtaining the memory access request comprises:
and acquiring a memory access request sent by the first virtual user through a memory access channel.
6. The method of claim 5, wherein prior to obtaining the memory access request sent by the first virtual user via the memory access channel, the method further comprises:
Distributing corresponding memory access channels for the address information according to the memory protection request;
and sending the memory access channel to the second virtual user.
7. The method of claim 6, wherein the memory access channel of the first virtual user is shared for the second virtual user to the memory access channel of the first virtual user.
8. The method according to any one of claims 2-7, wherein after generating key information corresponding to the address information, the method further comprises:
And storing the key information into a preset area.
9. The method of claim 8, wherein the predetermined area includes an area located before the address information in the memory area.
10. The method of claim 8, wherein the predetermined area is adjacent to the memory area.
11. The method according to any one of claims 1-7, further comprising:
identifying an illegally accessed user for the memory area;
And generating illegal access information corresponding to the illegal access user.
12. The method of claim 11, wherein the identifying illegally accessed users for the memory region comprises:
and when the access key is not matched with the standard key, determining that the first virtual user is an illegal access user.
13. The method of claim 11, wherein the identifying illegally accessed users for the memory region comprises:
Identifying an access channel of the first virtual user for sending a memory access request by using the memory protection unit;
and when the access channel is not matched with a preset memory access channel, determining that the first virtual user is an illegal access user.
14. The method of any of claims 2-7, wherein the memory protection request comprises a first request and a second request, the first request comprising a first access address and the second request comprising a second access address, there being an overlapping address between the first access address and the second access address, wherein allocating a corresponding memory region and a memory attribute corresponding to the memory region for the address information according to the memory protection request comprises:
Distributing a corresponding first memory area and a first memory attribute corresponding to the first memory area for the first access address according to the first request;
Distributing a corresponding second memory area and a second memory attribute corresponding to the second memory area for the second access address according to the second request;
Acquiring a first attribute priority of the first memory area and a second attribute priority of the second memory area;
and determining the overlapped memory attribute of the overlapped address according to the first attribute priority and the second attribute priority.
15. The method of claim 14, wherein determining the overlapping memory attribute of the overlapping address based on the first attribute priority and the second attribute priority comprises:
Determining the overlapping memory attribute of the overlapping address as a first memory attribute when the first attribute priority is higher than the second attribute priority, or
And when the first attribute priority is lower than the second attribute priority, determining the overlapped memory attribute of the overlapped address as the second memory attribute.
16. The method of any of claims 2-7, wherein the memory protection request includes a first request and a second request, the first request includes a first access address and an identity of the first virtual user, and the second request includes a second access address and an identity of the second virtual user, and generating the key information corresponding to the address information includes:
Determining a first access priority corresponding to the first access address according to the identity of the first virtual user, and determining a second access priority corresponding to the second access address according to the identity of the second virtual user;
Generating first key information corresponding to the first access address, wherein the first key information meets the first access priority;
generating second key information corresponding to the second access address, the second key information satisfying the second access priority.
17. A memory access method, comprising:
sending a memory protection request to a microprocessor, wherein the memory protection request comprises address information to be protected;
Receiving key information and a memory access channel sent by the microprocessor according to the memory protection request, wherein the key information corresponds to the address information;
Transmitting a memory access request to a microprocessor based on the memory access channel, wherein the memory access request comprises an address to be accessed and an access key, so that the microprocessor adjusts the memory attribute of a memory area corresponding to the address to be accessed to an allowed access state according to the access key;
executing data processing operation corresponding to the memory access request aiming at the memory area;
the access permission state also comprises a state of permitting other associated clients to access the memory area and executing corresponding data processing operation;
The method further comprises the steps of:
and sharing the key information and the address information to other clients so that the other clients execute corresponding data access operation for the memory area corresponding to the address information.
18. A microprocessor, comprising:
a memory for storing a computer program;
A processor for executing the computer program stored in the memory to implement:
Acquiring a memory access request, wherein the memory access request comprises an address to be accessed and an access key;
determining a memory area and a standard secret key corresponding to the address to be accessed;
When the access key is matched with the standard key, the memory protection unit is utilized to adjust the memory attribute of the memory area to an access permission state;
the memory access request is sent by a first virtual user, and the permission access state comprises:
and allowing the first virtual user to execute corresponding data processing operation on the memory area, and allowing other virtual users associated with the first virtual user to access the memory area and execute corresponding data processing operation, wherein the access key of the first virtual user is determined according to key information shared to the first virtual user by a second virtual user, and the second virtual user is a virtual user requesting protection on the memory area.
19. The microprocessor of claim 18, wherein prior to obtaining the memory access request, the processor is further configured to:
Acquiring a memory protection request sent by a second virtual user, wherein the memory protection request comprises address information to be protected;
distributing corresponding memory areas for the address information according to the memory protection request;
adjusting the memory attribute of the memory area to be in an access forbidden state by using the memory protection unit;
generating key information corresponding to the address information, and sending the key information to the second virtual user.
20. The microprocessor of claim 19, wherein the address information to be protected comprises one of address information of a process stack, address information of a non-process stack.
21. The microprocessor of claim 19, wherein when the processor generates key information corresponding to the address information, the processor is configured to:
a random key information corresponding to the address information is generated by a random number generator.
22. The microprocessor of claim 19, wherein when the processor obtains a memory access request, the processor is configured to:
and acquiring a memory access request sent by the first virtual user through a memory access channel.
23. The microprocessor of claim 22, wherein prior to obtaining a memory access request sent by the first virtual user via the memory access channel, the processor is further configured to:
Distributing corresponding memory access channels for the address information according to the memory protection request;
and sending the memory access channel to the second virtual user.
24. The microprocessor of claim 23, wherein the memory access channel of the first virtual user is shared for the second virtual user to the memory access channel of the first virtual user.
25. The microprocessor according to any one of claims 19-24, wherein after generating key information corresponding to the address information, the processor is further configured to:
And storing the key information into a preset area.
26. The microprocessor according to claim 25, wherein the predetermined area comprises an area located before the address information in the memory area.
27. The microprocessor of claim 25, wherein the predetermined area is adjacent to the memory area.
28. The microprocessor according to any one of claims 18-24, wherein the processor is further configured to:
identifying an illegally accessed user for the memory area;
And generating illegal access information corresponding to the illegal access user.
29. The microprocessor of claim 28, wherein when the processor identifies an illegitimate access user to the memory region, the processor is configured to:
and when the access key is not matched with the standard key, determining that the first virtual user is an illegal access user.
30. The microprocessor of claim 28, wherein when the processor identifies an illegitimate access user to the memory region, the processor is configured to:
Identifying an access channel of the first virtual user for sending a memory access request by using the memory protection unit;
and when the access channel is not matched with a preset memory access channel, determining that the first virtual user is an illegal access user.
31. The microprocessor of any one of claims 19-24, wherein the memory protection request comprises a first request and a second request, the first request comprising a first access address and the second request comprising a second access address, there being an overlapping address between the first access address and the second access address, wherein when the processor allocates a corresponding memory region and a memory attribute corresponding to the memory region for the address information according to the memory protection request, the processor is further configured to:
Distributing a corresponding first memory area and a first memory attribute corresponding to the first memory area for the first access address according to the first request;
Distributing a corresponding second memory area and a second memory attribute corresponding to the second memory area for the second access address according to the second request;
Acquiring a first attribute priority of the first memory area and a second attribute priority of the second memory area;
and determining the overlapped memory attribute of the overlapped address according to the first attribute priority and the second attribute priority.
32. The microprocessor of claim 31, wherein when the processor determines the overlapping memory attributes of the overlapping addresses based on the first attribute priority and the second attribute priority, the processor is further configured to:
Determining the overlapping memory attribute of the overlapping address as a first memory attribute when the first attribute priority is higher than the second attribute priority, or
And when the first attribute priority is lower than the second attribute priority, determining the overlapped memory attribute of the overlapped address as the second memory attribute.
33. The microprocessor of any one of claims 19-24, wherein the memory protection request comprises a first request and a second request, the first request comprising a first access address and an identity of the first virtual user, the second request comprising a second access address and an identity of the second virtual user, and wherein when the processor generates the key information corresponding to the address information, the processor is further configured to:
Determining a first access priority corresponding to the first access address according to the identity of the first virtual user, and determining a second access priority corresponding to the second access address according to the identity of the second virtual user;
generating second key information corresponding to the second access address, the second key information satisfying the second access priority.
34. A client-side, which is provided with a client-side, characterized by comprising the following steps:
a memory for storing a computer program;
A processor for executing the computer program stored in the memory to implement:
sending a memory protection request to a microprocessor, wherein the memory protection request comprises address information to be protected;
Receiving key information and a memory access channel sent by the microprocessor according to the memory protection request, wherein the key information corresponds to the address information;
the processor is further configured to:
Transmitting a memory access request to a microprocessor based on the memory access channel, wherein the memory access request comprises an address to be accessed and an access key, so that the microprocessor adjusts the memory attribute of a memory area corresponding to the address to be accessed to an allowed access state according to the access key;
executing data processing operation corresponding to the memory access request aiming at the memory area;
the access permission state also comprises a state of permitting other associated clients to access the memory area and executing corresponding data processing operation;
the processor is further configured to:
and sharing the key information and the address information to other clients so that the other clients execute corresponding data access operation for the memory area corresponding to the address information.
35. A computer readable storage medium, characterized in that the storage medium is a computer readable storage medium, in which program instructions are stored, the program instructions being for implementing the memory access method according to any one of claims 1-16.
36. A computer readable storage medium, wherein the storage medium is a computer readable storage medium having stored therein program instructions for implementing the memory access method of claim 17.
CN201980039310.5A 2019-11-27 2019-11-27 Memory access method, microprocessor, client and computer storage medium Active CN112384923B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/121216 WO2021102729A1 (en) 2019-11-27 2019-11-27 Memory access method, microprocessor, client and computer storage medium

Publications (2)

Publication Number Publication Date
CN112384923A CN112384923A (en) 2021-02-19
CN112384923B true CN112384923B (en) 2025-03-07

Family

ID=74586596

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201980039310.5A Active CN112384923B (en) 2019-11-27 2019-11-27 Memory access method, microprocessor, client and computer storage medium

Country Status (2)

Country Link
CN (1) CN112384923B (en)
WO (1) WO2021102729A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115437774A (en) * 2021-06-02 2022-12-06 深圳市万普拉斯科技有限公司 Method, device and electronic device for allocating virtual memory address space
CN114626034A (en) * 2022-03-16 2022-06-14 中电(海南)联合创新研究院有限公司 Memory access method, device, equipment and storage medium
CN115292697B (en) * 2022-10-10 2022-12-16 北京安帝科技有限公司 Memory protection method and device based on intrusion behavior analysis
CN115587348B (en) * 2022-11-24 2023-04-07 中国人民解放军国防科技大学 Configurable security control method, device and medium for PCIE device memory access

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1545023A (en) * 2003-11-21 2004-11-10 苏州国芯科技有限公司 Flushbonding CPU for information safety

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5901311A (en) * 1996-12-18 1999-05-04 Intel Corporation Access key protection for computer system data
US6578122B2 (en) * 2001-03-01 2003-06-10 International Business Machines Corporation Using an access key to protect and point to regions in windows for infiniband
US6775750B2 (en) * 2001-06-29 2004-08-10 Texas Instruments Incorporated System protection map
GB2448149B (en) * 2007-04-03 2011-05-18 Advanced Risc Mach Ltd Protected function calling
WO2016072999A1 (en) * 2014-11-07 2016-05-12 Hewlett Packard Enterprise Development Lp Data conversion using an address space identifier
CN107533514A (en) * 2015-09-30 2018-01-02 慧与发展有限责任合伙企业 The initialization based on password of memory content
CN109766165B (en) * 2018-11-22 2022-07-08 海光信息技术股份有限公司 Memory access control method and device, memory controller and computer system

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1545023A (en) * 2003-11-21 2004-11-10 苏州国芯科技有限公司 Flushbonding CPU for information safety

Also Published As

Publication number Publication date
CN112384923A (en) 2021-02-19
WO2021102729A1 (en) 2021-06-03

Similar Documents

Publication Publication Date Title
CN112384923B (en) Memory access method, microprocessor, client and computer storage medium
US8365294B2 (en) Hardware platform authentication and multi-platform validation
US8452934B2 (en) Controlled data access to non-volatile memory
CN105447406B (en) A kind of method and apparatus for accessing memory space
US10036979B2 (en) Communicating a classification of a consumable product
TWI536264B (en) Method and system for swapping contexts used to create a secure operating environment
CA2400940C (en) Controlling access to a resource by a program using a digital signature
RU2444783C2 (en) Virtual security module architecture
US20050177724A1 (en) Authentication system and method
US20120303827A1 (en) Location Based Access Control
CN113179285B (en) High-performance password service method, device and system for video Internet of things
EP2482220A1 (en) Multi-enclave token
CN110298188A (en) Control method and system for dynamic access authority
US20100185874A1 (en) Method of Mass Storage Memory Management for Large Capacity Universal Integrated Circuit Cards
US9049189B2 (en) Multi-control password changing
KR20090094239A (en) Application dependent storage control
CN105631293A (en) Data access method, data access system and terminal
CN108881218A (en) A kind of data safety Enhancement Method and system based on cloud storage management platform
US20070028117A1 (en) Method and apparatus for facilitating multi-level computer system authentication
US20180293408A1 (en) Peripheral device security
KR20190106589A (en) Apparatus for providing a service to an electronic device and method thereof
US20170155661A1 (en) Systems and Methods for Controlling Access to a Computer Device using Traps
CN102438014B (en) Backend Constrained Delegation Model
CN107612873B (en) Access and certificate issuing method and device
EP4155957A1 (en) Method for managing access by a thread to a slave device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20240522

Address after: Building 3, Xunmei Science and Technology Plaza, No. 8 Keyuan Road, Science and Technology Park Community, Yuehai Street, Nanshan District, Shenzhen City, Guangdong Province, 518057, 1634

Applicant after: Shenzhen Zhuoyu Technology Co.,Ltd.

Country or region after: China

Address before: 518057 Shenzhen Nanshan District, Shenzhen, Guangdong Province, 6/F, Shenzhen Industry, Education and Research Building, Hong Kong University of Science and Technology, No. 9 Yuexingdao District, Nanshan District, Shenzhen City, Guangdong Province

Applicant before: SZ DJI TECHNOLOGY Co.,Ltd.

Country or region before: China

TA01 Transfer of patent application right
GR01 Patent grant
GR01 Patent grant