-
Publication No.: US11443034B2
Publication date: 2022-09-13
Application No.: US17037093
Application date: 2020-09-29
Applicant: Huawei Technologies Co., Ltd.
Inventor: Wenhao Li , Yubin Xia , Haibo Chen
Abstract: A trust zone-based operating system including a secure world subsystem that runs a trusted execution environment TEE, a TEE monitoring area, and a security switching apparatus is provided. When receiving a sensitive operation request sent by a trusted application TA in the TEE, the TEE writes a sensitive instruction identifier and an operation parameter of the sensitive operation request into a general-purpose register, and sends a switching request to the security switching apparatus. The security switching apparatus receives the switching request, and switches a running environment of the secure world subsystem from the TEE to the TEE monitoring area. The TEE monitoring area stores a sensitive instruction in the operating system. After the running environment is switched, the corresponding first sensitive instruction is called based on the first sensitive instruction identifier, and a corresponding first sensitive operation is performed by using the first sensitive instruction and the first operation parameter.
-
Publication No.: US20170374040A1
Publication date: 2017-12-28
Application No.: US15701148
Application date: 2017-09-11
Applicant: HUAWEI TECHNOLOGIES CO.,LTD.
Inventor: Zhichao Hua , Yubin Xia , Haibo Chen
CPC classification number: H04L63/0435 , G06F21/335 , G06F21/42 , G06F2221/2113 , H04L9/0844 , H04L9/3265 , H04L63/0471 , H04L63/0485 , H04L63/0823 , H04L63/0884 , H04L63/168 , H04L2463/062
Abstract: A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.
-
Publication No.: US09832259B2
Publication date: 2017-11-28
Application No.: US14318900
Application date: 2014-06-30
Applicant: Huawei Technologies Co., Ltd.
Inventor: Cheng Tan , Xiaoxin Wu , Yubin Xia , Haibo Chen
CPC classification number: H04L67/1095 , G06F11/1464 , G06F11/1484 , G06F21/645
Abstract: A method, an apparatus, a terminal, and a server for synchronizing a terminal mirror are provided. The method includes: obtaining, by a terminal, multiple input events during running of application software; aggregating the multiple input events to obtain an aggregate event; and transmitting the aggregate event to the server, so that after parsing the aggregate event to obtain the multiple input events, the server processes the multiple input events by using a virtual machine that is of the terminal and set on the server, so as to obtain user data generated during the running of the application software. In the present invention, the terminal transmits the input events to the server in an event-driven manner, so that the server obtains the user data that is the same as that on the terminal that runs the application software, thereby ensuring that the server can back up complete user data.
-
Publication No.: US11301282B2
Publication date: 2022-04-12
Application No.: US16545941
Application date: 2019-08-20
Applicant: Huawei Technologies Co., Ltd.
Inventor: Yubin Xia , Jinfeng Yuan
Abstract: An information protection method includes receiving a request message sent by a virtual machine (VM), sending the request message to a VM instance corresponding to the VM or the shared service module, determining whether there is attack information included in the request message, and deleting the VM that sends the request message and the VM instance corresponding to the VM.
-
Publication No.: US20180096162A1
Publication date: 2018-04-05
Application No.: US15820769
Application date: 2017-11-22
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Yutao Liu , Yubin Xia , Haibo Chen
IPC: G06F21/62 , G06F21/52 , G06F21/56 , G06F12/1009
CPC classification number: G06F21/6218 , G06F12/08 , G06F12/1009 , G06F12/145 , G06F21/51 , G06F21/52 , G06F21/563 , G06F21/566 , G06F21/577 , G06F21/62 , G06F21/74 , G06F21/78 , G06F2212/1052 , G06F2212/151 , G06F2212/657 , G06F2221/034
Abstract: A data protection method includes detecting whether critical code of an application has been called, with the critical code being used to access critical data; switching from a preconfigured first extended page table (EPT) to a preconfigured second EPT according to preset trampoline code corresponding to the critical code when an operating system calls the critical code using the first EPT, wherein memory mapping relationships of the critical data and the critical code are not configured in the first EPT, the memory mapping relationships of the critical data and the critical code are configured in the second EPT, and the critical data and the critical code are separately stored in independent memory areas; and switching from the second EPT back to the first EPT according to the trampoline code after calling and executing the critical code using the second EPT.
-
Publication No.: US09762555B2
Publication date: 2017-09-12
Application No.: US14808332
Application date: 2015-07-24
Applicant: Huawei Technologies Co., Ltd.
Inventor: Zhichao Hua , Yubin Xia , Haibo Chen
CPC classification number: H04L63/0435 , G06F21/335 , G06F21/42 , G06F2221/2113 , H04L9/0844 , H04L9/3265 , H04L63/0471 , H04L63/0485 , H04L63/0823 , H04L63/0884 , H04L63/168 , H04L2463/062
Abstract: A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.
-
Publication No.: US20160028701A1
Publication date: 2016-01-28
Application No.: US14808332
Application date: 2015-07-24
Applicant: Huawei Technologies Co., Ltd.
Inventor: Zhichao Hua , Yubin Xia , Haibo Chen
IPC: H04L29/06
CPC classification number: H04L63/0435 , G06F21/335 , G06F21/42 , G06F2221/2113 , H04L9/0844 , H04L9/3265 , H04L63/0471 , H04L63/0485 , H04L63/0823 , H04L63/0884 , H04L63/168 , H04L2463/062
Abstract: A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.
-
Publication No.: US20180054732A1
Publication date: 2018-02-22
Application No.: US15795491
Application date: 2017-10-27
Applicant: Huawei Technologies Co., Ltd.
Inventor: Wenhao Li , Yubin Xia , Haibo Chen
CPC classification number: H04W12/02 , G06F21/53 , G06F2221/2149 , H04L63/0428 , H04M1/68 , H04W12/0013 , H04W12/0806
Abstract: Embodiments of the present disclosure disclose a secure communication method for a mobile terminal and a mobile terminal. The secure communication method may include: when a wireless communication connection is established between the mobile terminal and another mobile terminal, and the wireless communication connection meets a preset security processing trigger condition, prohibiting, by means of setting, a program in a common virtual kernel from accessing a shared memory between a secure virtual kernel and the common virtual kernel and accessing a peripheral that needs to be called for the wireless communication connection; performing, by using the secure virtual kernel, preset policy-based processing on communication content corresponding to the wireless communication connection; and outputting, by using the secure virtual kernel, communication content obtained by performing the preset policy-based processing.
-
Publication No.: US09785770B2
Publication date: 2017-10-10
Application No.: US14572515
Application date: 2014-12-16
Applicant: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Bin Tu , Haibo Chen , Yubin Xia
CPC classification number: G06F21/554 , G06F9/45558 , G06F21/53 , G06F21/54 , G06F21/568 , G06F2009/45587 , G06F2221/03
Abstract: The present invention discloses a method, an apparatus, and a system for triggering virtual machine introspection, so as to provide a timely and effective security check triggering mechanism. In the present invention, data that needs to be protected is determined; the data that needs to be protected is monitored; and when it is determined that the data that needs to be protected is modified, virtual machine introspection is triggered. The present invention avoids a performance loss and a security problem that are brought about by regularly starting a virtual machine introspection system to perform a security check, and therefore, the present invention is more applicable.
-
Publication No.: US20150309832A1
Publication date: 2015-10-29
Application No.: US14795225
Application date: 2015-07-09
Applicant: Huawei Technologies Co., Ltd.
Inventor: Bin Tu , Haibo Chen , Yubin Xia
IPC: G06F9/455
CPC classification number: G06F9/45558 , G06F21/53 , G06F2009/45575 , G06F2009/45587
Abstract: An isolation method for a management virtual machine and an apparatus, which resolves problems that performance of communication between service components is deteriorated, more resources are required for running a virtual machine, and security of the service components is relatively low. The method includes: acquiring a guest identifier; searching, according to the guest identifier, the management virtual machine for a kernel virtual machine; when the kernel virtual machine is not found in the management virtual machine, creating the kernel virtual machine in the management virtual machine; dividing a service provided for a guest virtual machine by the kernel virtual machine into multiple service components; and running the multiple service components in execution environments corresponding to permission of the service components, where the kernel virtual machine includes the multiple execution environments, and the multiple execution environment have different permission.