
CN114580005B - Data access method, computer device and readable storage medium - Google Patents


Info

Publication number
CN114580005B
Authority
CN
China
Prior art keywords
access
accessed
storage area
identifier
program
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210495712.XA
Other languages
Chinese (zh)
Other versions
CN114580005A (en
Inventor
刘吉平
张力
熊辉兵
王翔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Hangshun Chip Technology R&D Co Ltd
Original Assignee
Shenzhen Hangshun Chip Technology R&D Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Hangshun Chip Technology R&D Co Ltd
Priority to CN202210495712.XA
Publication of CN114580005A
Application granted
Publication of CN114580005B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a data access method, computer equipment and a readable storage medium, wherein the data access method comprises the steps of receiving a data access request, wherein the data access request carries a storage area to be accessed; acquiring authority information and area states corresponding to the storage area to be accessed; extracting an access identifier corresponding to the data access request; and accessing the storage area to be accessed based on the access identifier, the authority information and the area state. Therefore, the security of data access can be improved.

Description

Data access method, computer device and readable storage medium
Technical Field
The present application relates to the field of chip technologies, and in particular, to a data access method, a computer device, and a readable storage medium.
Background
A Memory Protection Unit (MPU) is a hardware module, usually integrated in a chip, that sets permissions on access to a memory space. These permission settings include access authority, access address resolution, access operation type, access authorization, and interception.
Currently, an MPU can decrypt data read from a memory or data written into the memory, but its access restriction policy for memory accesses is relatively simple. For example, the MPU performs access control only through a decryption function; once the encryption key is cracked, the data in the memory can be read and modified. The security of the current data access scheme is therefore low.
Disclosure of Invention
In view of the foregoing technical problems, the present application provides a data access method, a computer device, and a readable storage medium, which can improve security of data access.
In order to solve the above technical problem, the present application provides a data access method, including:
receiving a data access request, wherein the data access request carries a storage area to be accessed;
acquiring authority information and a region state corresponding to the storage region to be accessed;
extracting an access identifier corresponding to the data access request;
and accessing the storage area to be accessed based on the access identifier, the authority information and the area state.
Optionally, in some embodiments of the application, the accessing the storage area to be accessed based on the access identifier, the authority information, and the area state includes:
detecting whether the area state is a preset state or not;
and when the area state is detected to be a first preset state, accessing the storage area to be accessed according to the access identification and the authority information.
Optionally, in some embodiments of the application, when it is detected that the area status is the first preset status, accessing the storage area to be accessed according to the access identifier and the permission information includes:
when the area state is detected to be a first preset state, identifying an authorized access identifier in the authority information;
detecting whether the access identifier is matched with an authorized access identifier;
and when the access identification is matched with the authorized access identification, accessing the storage area to be accessed.
Optionally, in some embodiments of the present application, the accessing the to-be-accessed storage area when the access identifier matches with the authorized access identifier includes:
when the access identifier is matched with the authorized access identifier, acquiring the access authority corresponding to the matched authorized access identifier;
and reading or writing the information stored in the storage area to be accessed according to the access authority.
Optionally, in some embodiments of the present application, the method further includes:
and when the area state is detected to be a second preset state, prohibiting access to the storage area to be accessed, and outputting prompt information of access failure.
Optionally, in some embodiments of the present application, the accessing the to-be-accessed storage area when the access identifier matches with the authorized access identifier includes:
when the access identifier is matched with the authorized access identifier, acquiring a program identifier of an execution program;
detecting whether the authorization identifier is matched with a program identifier;
when the authorization identifier is matched with the program identifier, accessing the storage area to be accessed;
and when the authorization identifier is detected not to match the program identifier, prohibiting access to the storage area to be accessed, and outputting prompt information of access failure.
Optionally, in some embodiments of the application, before accessing the storage area to be accessed according to the access identifier and the authority information, the method includes:
detecting the security level corresponding to the storage area to be accessed;
when the security level is a preset level, encrypting the storage area to be accessed;
the accessing the storage area to be accessed based on the access identifier, the authority information and the area state comprises: and when the access identifier is matched with the authorized access identifier, extracting a decryption key from the data access request, decrypting the encrypted storage area by using the decryption key, and when the decryption is successful, accessing the storage area to be accessed.
Optionally, in some embodiments of the present application, the method further includes:
configuring an access identifier and access times corresponding to a storage area to be accessed;
establishing an incidence relation between the area identification and the access identification of the storage area to be accessed;
and outputting the authority information and the area state corresponding to the storage area to be accessed based on the incidence relation and the access times.
The present application further provides a computer device comprising a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the method as described above when executing the computer program.
The present application also provides a computer storage medium having a computer program stored thereon, which, when being executed by a processor, carries out the steps of the method as described above.
As described above, according to the data access method, the computer device, and the computer storage medium of the present application, a data access request carrying a storage area to be accessed is received, the permission information and area state corresponding to the storage area to be accessed are acquired, the access identifier corresponding to the data access request is extracted, and finally the storage area to be accessed is accessed based on the access identifier, the permission information, and the area state. In this data access scheme, the authority information is written for the storage area to be accessed in advance, and when an access is executed, the access identifier, the authority information, and the area state are used for authentication before the storage area to be accessed is accessed.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and, together with the description, serve to explain the principles of the application. In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings used in the description of the embodiments are briefly described below; a person skilled in the art can obtain other drawings from these drawings without inventive effort.
FIG. 1 is a schematic flow chart diagram of a data access method provided herein;
FIG. 2 is a schematic structural diagram of a data access device provided in the present application.
The implementation, functional features and advantages of the objectives of the present application will be further explained with reference to the accompanying drawings. With the above figures, there are shown specific embodiments of the present application, which will be described in more detail below. These drawings and written description are not intended to limit the scope of the inventive concepts in any manner, but rather to illustrate the inventive concepts to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of additional like elements in a process, method, article, or apparatus that comprises the element, and further, components, features, elements, and/or steps that may be similarly named in various embodiments of the application may or may not have the same meaning, unless otherwise specified by its interpretation in the embodiment or by context with further embodiments.
It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
In the following description, suffixes such as "module", "component", or "unit" used to denote elements are used only for the convenience of description of the present application, and have no specific meaning in themselves. Thus, "module", "component" or "unit" may be used mixedly.
The following embodiments related to the present application are specifically described, and it should be noted that the order of description of the embodiments in the present application is not limited to the order of priority of the embodiments.
A Memory Protection Unit (MPU) is a programmable area located inside a memory. It defines the attributes of the memory and the access rights of the memory, including access rights, resolution of access addresses and access operation types, access authorization and interception, and the like.
There are currently two kinds of memory protection: simply limiting reads and writes of a certain block area, and using software methods or more complex file systems to limit permissions.
The first, simple restriction method directly determines whether a certain block can be read or written. Such a restriction is too coarse. It is practical for a single simple applet, but a complex system with multiple programs and multiple users on one memory needs more restrictions to meet the application requirements.
The second method, using software, also has disadvantages. Software can be cracked; after cracking the software, an attacker obtains the highest authority and can then do anything, reading and modifying any data. Data protection collapses instantly.
Based on this, the present application provides a data access apparatus, which may perform the following steps: the method comprises the steps of receiving a data access request, obtaining authority information and a region state corresponding to a storage region to be accessed, extracting an access identifier corresponding to the data access request, and accessing the storage region to be accessed based on the access identifier, the authority information and the region state.
The following are detailed descriptions. It should be noted that the description sequence of the following embodiments is not intended to limit the priority sequence of the embodiments.
A method of data access, comprising: receiving a data access request, acquiring authority information and a region state corresponding to a storage region to be accessed, extracting an access identifier corresponding to the data access request, and accessing the storage region to be accessed based on the access identifier, the authority information and the region state.
Referring to fig. 1, fig. 1 is a schematic flowchart illustrating a data access method according to an embodiment of the present disclosure. The specific flow of the data access method may be as follows:
101. Receive a data access request.
The data access request may be triggered by a user through a device. The device is any device that can access a memory, such as a Central Processing Unit (CPU) or a Direct Memory Access (DMA) controller; it is selected according to the actual situation and is not described further here.
102. Acquire the authority information and the area state corresponding to the storage area to be accessed.
The storage authority management unit divides the storage space into a plurality of storage areas, each with its own access authority. The access authority comprises a read-write authority and an access authority; the access authority comprises local access and non-local access. Optionally, in some embodiments, data access which does not need to be a data access instruction source is called local access. The read-write authority comprises readable or unreadable, and writable or unwritable. That is, the authority information carries the read-write authority and the access authority of the area to be accessed.
The area state is either a display state or a hidden state. When the area state of the area to be accessed is the display state, access can subsequently be carried out based on the corresponding authority information and the access identifier; when the area state of the area to be accessed is the hidden state, the area to be accessed is not accessed.
103. Extract the access identifier corresponding to the data access request.
The access identifier may be represented by two bytes and identifies the access information corresponding to the data access request. The access information may be an identification code of a user, an identification code of a program, an identification code of a device, and the like; it is not limited here and may be selected according to the actual situation.
104. Access the storage area to be accessed based on the access identifier, the authority information and the area state.
Specifically, for example, the data access request is authenticated based on the access identifier, the permission information and the area state. When the authentication passes, the storage area to be accessed is accessed; when the authentication does not pass, access to the storage area to be accessed is refused.
It should be noted that, when the area state is the presentation state, the storage area to be accessed is visible and the data access request may be authenticated based on the access identifier, the permission information, and the area state; when the area state is the hidden state, access to the storage area to be accessed is prohibited. That is, optionally, in some embodiments, the step "accessing the to-be-accessed storage area based on the access identifier, the authority information, and the area state" may specifically include:
(11) Detecting whether the area state is a preset state or not;
(12) And when the area state is detected to be the first preset state, accessing the storage area to be accessed according to the access identifier and the authority information.
Optionally, in some embodiments, the first preset state is a presentation state, and the second preset state is a hidden state, so that when it is detected that the area state is the first preset state, the access identifier and the permission information are authenticated to access the storage area to be accessed.
It can be understood that, when it is detected that the area state is the second preset state, access to the to-be-accessed storage area is prohibited, that is, optionally, in some embodiments, the data access method of the present application may further include: and when the area state is detected to be the second preset state, prohibiting accessing the storage area to be accessed, and outputting prompt information of access failure.
The prompt message may be a text message, a voice message, or a text and voice combined prompt message, the text message may be "access failure", and the voice message may be a preset warning sound, which is not limited specifically.
In addition, to further improve the security of data access, the storage space to be accessed may be encrypted before access is performed, and when the access operation is performed, access to the storage area to be accessed is implemented by means of secondary authentication. That is, before "accessing the storage area to be accessed according to the access identifier and the permission information", the method may specifically include:
(21) Detecting a security level corresponding to a storage area to be accessed;
(22) And when the security level is a preset level, encrypting the storage area to be accessed.
Optionally, to avoid low data access efficiency caused by encrypting shared data, in the present application a storage area with a security level greater than a preset level is encrypted to ensure the security of the data in that storage area. For example, if the preset level is level 2, a storage area with a level greater than 2 is encrypted, and a storage area with a level less than or equal to 2 is not encrypted. The encryption method may be symmetric or asymmetric. In symmetric encryption the algorithm is public and data is encrypted with a key; data encrypted with one key must be decrypted with the same key. In asymmetric encryption the algorithm is public and there are a public key and a private key: data encrypted with the public key can only be decrypted with the private key, and data encrypted with the private key can only be decrypted with the public key. Because encryption and decryption use different keys, this is called asymmetric encryption. The application does not limit the encryption method, which can be selected according to actual conditions and is not described further here.
Optionally, in some embodiments, the step "accessing the storage area to be accessed based on the access identifier, the permission information, and the area state" may specifically include: and when the access identifier is matched with the authorized access identifier, extracting a decryption key from the data access request, decrypting the encrypted storage area by using the decryption key, and when the decryption is successful, accessing the storage area to be accessed.
It can be understood that, in this case, the storage area to be accessed is accessed by adopting a secondary authentication mode, and for some storage areas with higher security level, the security coefficient of the stored data is further improved, so that the security of data access can be improved.
Further, when the area status is a first preset status (i.e. a presentation status), and the access identifier matches the authorization identifier, then the to-be-accessed storage area is accessed, that is, optionally, in some embodiments, the step "accessing the to-be-accessed storage area based on the access identifier, the permission information, and the area status" may specifically include:
(31) When the area state is detected to be a first preset state, identifying an authorized access identifier in the authority information;
(32) Detecting whether the access identifier is matched with the authorized access identifier;
(33) And when the access identification is matched with the authorized access identification, accessing the storage area to be accessed.
The first preset state is a display state, the authorization access identifier in the authority information indicates an accessible access identifier, and when the access identifier is matched with the authorization access identifier, the to-be-accessed storage area is accessed. For example, the authorized access identifiers are an identifier A1, an identifier A2, and an identifier A3, and when the access identifier is the identifier A1, the storage area to be accessed may be accessed; and when the access identifier is the identifier A4, the access to the storage area to be accessed is forbidden.
Further, in some embodiments, the access permissions corresponding to each access identifier are different, and therefore, it is necessary to read or write the to-be-accessed storage area according to the access permission, that is, optionally, the step "when the access identifier matches the authorized access identifier, then accessing the to-be-accessed storage area" may specifically include:
(41) When the access identifier is matched with the authorized access identifier, acquiring the access authority corresponding to the matched authorized access identifier;
(42) And reading or writing the information stored in the storage area to be accessed according to the access authority.
For example, the access identifier is matched with the authorized access identifier a, and the function corresponding to the authorized access identifier a is reading, in this case, only data in the storage area to be accessed can be read, and the write operation is prohibited; for another example, the access identifier is matched with the authorized access identifier B, and the function corresponding to the authorized access identifier B is writing, in this case, data can only be written in the to-be-accessed storage area, and execution of a read operation is prohibited; for another example, the access identifier is matched with the authorized access identifier a and matched with the authorized access identifier B, at this time, data in the storage area to be accessed may be read, and data may also be written in the storage area to be accessed.
It should be noted that, in some cases, a malicious program may access the area to be accessed through another program, so the validity of the trigger path corresponding to the data access request needs to be determined. For example, the validity of the trigger path may be determined from the program identifier of the executing program. That is, optionally, in some embodiments, the step "accessing the to-be-accessed storage area when the access identifier matches the authorized access identifier" may specifically include:
(51) When the access identification is matched with the authorized access identification, acquiring a program identification of the execution program;
(52) Detecting whether the authorization identifier is matched with the program identifier;
(53) When the authorization identifier is matched with the program identifier, accessing a storage area to be accessed;
(54) And when the authorization identifier is detected to be not matched with the program identifier, prohibiting accessing the storage area to be accessed, and outputting prompt information of access failure.
In the present application, if a data access request is triggered by a program A (a malicious program) through a program B, program A is the executing program and program B is the triggering program, so the access identifier of the data access request corresponds to program B. Therefore, when the access identifier matches the authorized access identifier, the program identifier of the executing program, that is, the program identifier of program A, is obtained. The authorization identifier does not match this program identifier, so program A is prohibited from accessing the storage area to be accessed through program B, and prompt information of access failure is output.
Optionally, in some embodiments, the data access method provided by the present application may further include:
(61) Configuring an access identifier and access times corresponding to a storage area to be accessed;
(62) Establishing an incidence relation between an area identifier and an access identifier of a storage area to be accessed;
(63) And outputting the authority information and the area state corresponding to the storage area to be accessed based on the association relation and the access times.
It can be understood that, before the data access step is performed, the access identifier and the number of accesses corresponding to the storage area to be accessed may be configured. For example, if the storage area A to be accessed can only be accessed 1 time, then when storage area A has been accessed 0 times the corresponding area state is the presentation state, and when storage area A has been accessed 1 time the corresponding area state is the hidden state. In addition, when the number of accesses to storage area A is 0, an access identifier having the access right may be defined, thereby completing configuration of the authority information.
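An added example (not code from the patent) that models the decision sequence of steps (11)-(12), (31)-(33), (51)-(54), (41)-(42) and (61)-(63) as one check in C. The struct layout, the result codes, the rights given to identifiers A1 to A3 and the convention that a limit of 0 means unlimited are assumptions; the encryption step is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names and layout: the patent text defines no data structures. */
enum region_state  { REGION_SHOWN, REGION_HIDDEN };  /* first / second preset state */
enum access_op     { OP_READ = 1, OP_WRITE = 2 };
enum access_result { ACCESS_OK, ERR_HIDDEN, ERR_ID, ERR_PROGRAM, ERR_PERM };

struct grant {               /* one authorized access identifier and its rights */
    uint16_t id;             /* two-byte identifier, as the description suggests */
    uint8_t  rights;         /* bitmask of OP_READ / OP_WRITE */
};

struct region {
    enum region_state state;
    const struct grant *grants;
    size_t   n_grants;
    uint32_t max_accesses;   /* assumption: 0 means no limit */
    uint32_t accesses;       /* successful accesses so far */
};

struct request {
    uint16_t access_id;      /* identifier carried by the request */
    uint16_t program_id;     /* identifier of the program actually executing */
    enum access_op op;
};

/* Constructed sample policy using the identifiers A1..A3 from the text. */
static const struct grant SAMPLE_GRANTS[] = {
    { 0x00A1, OP_READ },
    { 0x00A2, OP_WRITE },
    { 0x00A3, OP_READ | OP_WRITE },
};

struct region make_region(uint32_t max_accesses)
{
    struct region r = { REGION_SHOWN, SAMPLE_GRANTS,
                        sizeof SAMPLE_GRANTS / sizeof SAMPLE_GRANTS[0],
                        max_accesses, 0 };
    return r;
}

enum access_result check_access(struct region *r, const struct request *q)
{
    const struct grant *g = NULL;

    /* (11)-(12): a hidden region is refused before any identifier is examined. */
    if (r->state != REGION_SHOWN)
        return ERR_HIDDEN;

    /* (31)-(33): the request's identifier must be one of the authorized ones. */
    for (size_t i = 0; i < r->n_grants; i++) {
        if (r->grants[i].id == q->access_id) {
            g = &r->grants[i];
            break;
        }
    }
    if (g == NULL)
        return ERR_ID;

    /* (51)-(54): the executing program must be the authorized identity itself,
     * so program A cannot borrow program B's identifier by calling through it. */
    if (q->program_id != g->id)
        return ERR_PROGRAM;

    /* (41)-(42): the matched identifier only grants its own read/write rights. */
    if ((g->rights & q->op) == 0)
        return ERR_PERM;

    /* (61)-(63): once the configured number of accesses is used, hide the region. */
    if (r->max_accesses != 0 && ++r->accesses >= r->max_accesses)
        r->state = REGION_HIDDEN;

    return ACCESS_OK;
}

int main(void)
{
    struct region once = make_region(1);          /* may be accessed one time */
    struct request ok      = { 0x00A3, 0x00A3, OP_READ };
    struct request proxied = { 0x00A3, 0x00A4, OP_READ };  /* A4 acting via A3 */

    printf("proxied: %d\n", check_access(&once, &proxied));
    printf("first:   %d\n", check_access(&once, &ok));
    printf("second:  %d\n", check_access(&once, &ok));
    return 0;
}
```

A refused request does not consume the access budget in this model, so a rejected probe cannot hide the region from its legitimate user.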
In order to further understand the data access method provided by the present application, the data access device of the present application is further described below as being integrated in an MPU, which has the following functions:
Function one
Limiting reads and writes by access controller: this function can restrict which access controller is prohibited from reading or writing which block of memory. Prohibiting writes means prohibiting changes to the contents of the memory; if the memory is a Flash memory (Flash), writing data includes both programming data and erasing data.
Function two
Limiting reads and writes by other users: each memory block may be assigned to one user, and a User ID distinguishes each user. When a program belonging to User 1 wants to access the data of User 2, it is restricted by the permission. This function can restrict other users from reading or writing a certain block of memory. Prohibiting writes means prohibiting changes to the contents of the memory; if the memory is Flash, writing data includes both programming data and erasing data.
Function three
Limiting execution by other users: each memory block may be assigned to one user, and a User ID distinguishes each user. When a program belonging to User 1 wants to call a function of User 2, it is restricted by the permission. When the program of User 2 is prohibited from being executed by other users, a call error occurs and the program jump fails if another user calls the program of User 2.
Function four
Memory block hiding: if a memory block is set to hidden, its address space is treated as a reserved area. Any access controller accessing this area receives access error information.
During data access, if a memory stores programs developed by two developers, they are placed in two different areas: one is a region with a User ID of 1 and a region with a User ID of 2. The developer of the program with the User ID of 1 considers that the program has certain confidentiality, and other programs are prohibited from reading the data of the program and are also prohibited from calling own functions. Then the memory block with User ID 1 may be set to disable reading and writing by another User program and disable execution by another User program. This ensures the privacy of the first program. User ID 2 program, whose developer developed many common functions and data for everyone to use. At this time, the shared program may be placed in a block of memory that is allowed to be executed by other users, but is set to be prohibited from being modified by other users. This makes it very convenient to implement complex applications.
In addition, if some applications with the startup program are used, the startup program is executed, and then the programs of other users are executed. But the initiator program expects the data to be accessible only during the first execution and thereafter inhibits access to such data. The data may be placed in a memory block that is set to be hidden after the first boot procedure has been performed, and the data is not accessible to subsequent procedures.
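The following C sketch is an added illustration, not code from the patent or from any vendor's MPU. It models functions two to four and the access-count rule above: per-User-ID read, write and execute limits, a hidden state that rejects every access, and a block that hides itself once its configured number of accesses is used up. All struct, enum and function names, the addresses, and the use of User ID 0 for the startup program are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model; all names below are assumptions, not a real MPU API. */
enum access_kind { ACC_READ, ACC_WRITE, ACC_EXEC };  /* for Flash, WRITE = program or erase */
enum access_result { ACC_OK, ACC_DENIED, ACC_HIDDEN, ACC_UNMAPPED };

struct region {
    uint32_t base, size;
    uint8_t  owner;           /* User ID the block is assigned to */
    bool     others_read;     /* may other User IDs read?    */
    bool     others_write;    /* may other User IDs write?   */
    bool     others_exec;     /* may other User IDs call in? */
    uint32_t max_accesses;    /* 0 = no limit; otherwise hide after this many grants */
    uint32_t used;            /* granted accesses so far */
    bool     hidden;          /* area state: false = shown, true = hidden */
};

/* Constructed sample layout: private code (User 1), shared library (User 2),
 * and startup data (User 0) that may be accessed once. */
static struct region demo_tab[] = {
    { 0x08000000u, 0x4000u, 1, false, false, false, 0, 0, false },
    { 0x08004000u, 0x4000u, 2, true,  false, true,  0, 0, false },
    { 0x08008000u, 0x0400u, 0, false, false, false, 1, 0, false },
};
#define DEMO_N (sizeof demo_tab / sizeof demo_tab[0])

static struct region *find_region(struct region *tab, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= tab[i].base && addr - tab[i].base < tab[i].size)
            return &tab[i];
    return NULL;
}

enum access_result mpu_check(struct region *tab, size_t n, uint8_t user,
                             uint32_t addr, enum access_kind kind)
{
    struct region *r = find_region(tab, n, addr);
    if (r == NULL)
        return ACC_UNMAPPED;
    if (r->hidden)                 /* hidden block behaves like reserved space, */
        return ACC_HIDDEN;         /* even for its owner */
    if (user != r->owner) {
        bool allowed = (kind == ACC_READ)  ? r->others_read
                     : (kind == ACC_WRITE) ? r->others_write
                                           : r->others_exec;
        if (!allowed)
            return ACC_DENIED;
    }
    /* Only granted accesses consume the budget (assumption: denied probes
     * must not let another user exhaust it). */
    if (r->max_accesses != 0 && ++r->used >= r->max_accesses)
        r->hidden = true;
    return ACC_OK;
}

int main(void)
{
    printf("user1 reads own code:    %d\n", mpu_check(demo_tab, DEMO_N, 1, 0x08000010u, ACC_READ));
    printf("user2 reads user1 code:  %d\n", mpu_check(demo_tab, DEMO_N, 2, 0x08000010u, ACC_READ));
    printf("user1 calls shared lib:  %d\n", mpu_check(demo_tab, DEMO_N, 1, 0x08004100u, ACC_EXEC));
    printf("startup reads data once: %d\n", mpu_check(demo_tab, DEMO_N, 0, 0x08008000u, ACC_READ));
    printf("startup reads it again:  %d\n", mpu_check(demo_tab, DEMO_N, 0, 0x08008000u, ACC_READ));
    return 0;
}
```

The printed numbers are the enum values in declaration order (0 = ACC_OK, 1 = ACC_DENIED, 2 = ACC_HIDDEN, 3 = ACC_UNMAPPED).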
According to the data access method, after a data access request is received, the authority information and the area state corresponding to the storage area to be accessed are obtained, then the access identifier corresponding to the data access request is extracted, and finally the storage area to be accessed is accessed based on the access identifier, the authority information and the area state.
To better implement the data access method of the present application, the present application further provides a data access device (access device for short) based on the foregoing method. The terms have the same meanings as in the data access method, and implementation details may be found in the description of the method embodiments.
Referring to fig. 2, fig. 2 is a schematic structural diagram of a data access device provided in the present application. The data access device may include a receiving module 201, an obtaining module 202, an extracting module 203, and an accessing module 204, specifically as follows:
A receiving module 201, configured to receive a data access request.
The data access request carries a storage area to be accessed, and the data access request may further include identification information of a data interface, an access identifier, a request time, and the like.
The obtaining module 202 is configured to obtain authority information and an area state corresponding to a storage area to be accessed.
The area state comprises a display state and a hidden state: when the area state of the area to be accessed is the display state, subsequent access can proceed based on the corresponding authority information and the access identifier; when the area state of the area to be accessed is the hidden state, the area to be accessed is not accessed.
The extracting module 203 is configured to extract an access identifier corresponding to the data access request.
The access module 204 is configured to access the storage area to be accessed based on the access identifier, the authority information, and the area state.
Specifically, for example, the data access request is authenticated based on the access identifier, the authority information and the area state; when the authentication passes, the storage area to be accessed is accessed, and when the authentication fails, access to the storage area to be accessed is refused.
Optionally, in some embodiments, the access module 204 may specifically include:
the detection unit is used for detecting whether the area state is a preset state or not;
and the access unit is used for accessing the storage area to be accessed according to the access identifier and the authority information when the area state is detected to be the first preset state.
Optionally, in some embodiments, the access unit may specifically include:
the identification subunit is used for identifying the authorized access identifier in the authority information when the area state is detected to be a first preset state;
the detection subunit is used for detecting whether the access identifier is matched with the authorized access identifier;
and the access subunit is used for accessing the storage area to be accessed when the access identifier is matched with the authorized access identifier.
Optionally, in some embodiments, the access subunit may be specifically configured to: when the access identifier is matched with the authorized access identifier, acquiring the access authority corresponding to the matched authorized access identifier; and reading or writing the information stored in the storage area to be accessed according to the access authority.
Optionally, in some embodiments, the access unit may specifically be configured to: when the access identifier matches the authorized access identifier, acquire the program identifier of the execution program; detect whether the authorized access identifier matches the program identifier; when the authorized access identifier matches the program identifier, access the storage area to be accessed; and when it is detected that the authorized access identifier does not match the program identifier, prohibit access to the storage area to be accessed and output prompt information of access failure.
From the above, the present application provides a data access apparatus in which, after the receiving module 201 receives a data access request, the obtaining module 202 obtains the authority information and the area state corresponding to the storage area to be accessed, the extracting module 203 then extracts the access identifier corresponding to the data access request, and finally the accessing module 204 accesses the storage area to be accessed based on the access identifier, the authority information and the area state.
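The decision order performed by the detection unit and the access unit can be written out as follows. This C sketch is an added illustration, not the patent's implementation: it checks the area state, then the access identifier of the trigger program, then the program identifier of the execution program, and only then the right attached to the matched access identifier. All names and the sample identifiers are assumptions, as is the reading that the program identifier "matches" when it appears on the area's authorized list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this models the decision order only. */
enum { RIGHT_READ = 1, RIGHT_WRITE = 2 };
enum verdict { V_GRANTED, V_AREA_HIDDEN, V_TRIGGER_UNAUTHORIZED,
               V_PROGRAM_UNAUTHORIZED, V_RIGHT_MISSING };

struct grant { uint16_t id; uint8_t rights; };  /* authorized identifier and its rights */

struct area_policy {
    bool                shown;     /* first preset state (shown) or second (hidden) */
    const struct grant *grants;    /* authority information for the area */
    size_t              n_grants;
};

struct request {
    uint16_t access_id;   /* identifies the trigger program that issued the request */
    uint16_t program_id;  /* identifies the execution program behind the trigger */
    uint8_t  wanted;      /* RIGHT_READ or RIGHT_WRITE */
};

static const struct grant *lookup(const struct area_policy *p, uint16_t id)
{
    for (size_t i = 0; i < p->n_grants; i++)
        if (p->grants[i].id == id)
            return &p->grants[i];
    return NULL;
}

enum verdict authorize(const struct area_policy *p, const struct request *rq)
{
    if (!p->shown)
        return V_AREA_HIDDEN;
    const struct grant *g = lookup(p, rq->access_id);
    if (g == NULL)
        return V_TRIGGER_UNAUTHORIZED;
    /* Assumption: the program identifier "matches" when the execution
     * program is itself on the area's authorized list. */
    if (lookup(p, rq->program_id) == NULL)
        return V_PROGRAM_UNAUTHORIZED;
    if ((g->rights & rq->wanted) != rq->wanted)
        return V_RIGHT_MISSING;   /* rights come from the matched access identifier */
    return V_GRANTED;
}

/* Constructed policy: trigger 0x10 may read, program 0x20 may read and write. */
static const struct grant demo_grants[] = {
    { 0x10, RIGHT_READ }, { 0x20, RIGHT_READ | RIGHT_WRITE },
};

enum verdict demo(bool shown, uint16_t access_id, uint16_t program_id, uint8_t wanted)
{
    struct area_policy p = { shown, demo_grants, 2 };
    struct request rq = { access_id, program_id, wanted };
    return authorize(&p, &rq);
}

int main(void)
{
    printf("listed trigger, listed program, read:  %d\n", demo(true, 0x10, 0x20, RIGHT_READ));
    printf("listed trigger, unlisted program:      %d\n", demo(true, 0x10, 0x99, RIGHT_READ));
    printf("unlisted trigger:                      %d\n", demo(true, 0x77, 0x20, RIGHT_READ));
    printf("hidden area:                           %d\n", demo(false, 0x10, 0x20, RIGHT_READ));
    return 0;
}
```

Returning a distinct verdict for each failed step makes it possible to log which check rejected a request; the page itself only specifies a single access-failure prompt.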
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions, or by instructions controlling associated hardware, which may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, embodiments of the present application provide a storage medium, in which a plurality of instructions are stored, where the instructions can be loaded by a processor to execute steps in any one of the data access methods provided in the embodiments of the present application.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
The storage medium may include: Read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the storage medium may execute the steps in any data detection method provided in the embodiments of the present application, beneficial effects that can be achieved by any data access method provided in the embodiments of the present application may be achieved, which are detailed in the foregoing embodiments and will not be described herein again.
Embodiments of the present application further provide a chip, which includes a memory and a processor, where the memory is used to store a computer program, and the processor is used to call and run the computer program from the memory, so that a device in which the chip is installed executes the method in the above various possible embodiments.
It is to be understood that the foregoing scenarios are only examples, and do not constitute a limitation on application scenarios of the technical solutions provided in the embodiments of the present application, and the technical solutions of the present application may also be applied to other scenarios. For example, as can be known by those skilled in the art, with the evolution of system architecture and the emergence of new service scenarios, the technical solution provided in the embodiments of the present application is also applicable to similar technical problems.
The steps in the method of the embodiment of the application can be sequentially adjusted, combined and deleted according to actual needs.
The units in the device in the embodiment of the application can be merged, divided and deleted according to actual needs.
In the present application, the same or similar term concepts, technical solutions and/or application scenario descriptions will be generally described only in detail at the first occurrence, and when the description is repeated later, the detailed description will not be repeated in general for brevity, and when understanding the technical solutions and the like of the present application, reference may be made to the related detailed description before the description for the same or similar term concepts, technical solutions and/or application scenario descriptions and the like which are not described in detail later.
In the present application, each embodiment is described with emphasis, and reference may be made to the description of other embodiments for parts that are not described or illustrated in any embodiment.
The technical features of the technical solution of the present application may be arbitrarily combined, and for brevity of description, all possible combinations of the technical features in the embodiments are not described, however, as long as there is no contradiction between the combinations of the technical features, the scope of the present application should be considered as being described in the present application.
The above embodiments may be implemented wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions according to the embodiments of the present application are all or partially generated when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, fiber optic, digital subscriber line) or wirelessly (e.g., infrared, wireless, microwave, etc.). A computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that includes one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, storage disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk (SSD)), among others.
The data access method, the data access device, and the storage medium provided by the embodiments of the present application are described in detail above, and a specific example is applied in the present application to explain the principles and embodiments of the present invention, and the description of the above embodiments is only used to help understand the method and the core idea of the present application; meanwhile, for those skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (5)

1. A data access method, applied to a storage protection unit, characterized by comprising the following steps:
receiving a data access request triggered by an execution program through a trigger program, wherein the data access request carries a storage area to be accessed;
acquiring authority information and area states corresponding to the storage area to be accessed;
extracting an access identifier corresponding to the data access request, wherein the access identifier corresponds to the trigger program;
detecting whether the area state is a preset state or not;
when the area state is detected to be a first preset state, identifying an authorized access identifier in the authority information;
detecting whether the access identifier is matched with an authorized access identifier;
when the access identification is matched with the authorized access identification, acquiring a program identification of the execution program;
detecting whether the authorized access identifier is matched with a program identifier;
when the authorized access identifier is detected to be matched with the program identifier corresponding to the execution program, accessing the storage area to be accessed;
when it is detected that the authorized access identifier does not match the program identifier corresponding to the execution program, prohibiting the execution program from accessing the storage area to be accessed through the trigger program, and outputting prompt information of access failure;
wherein, before accessing the storage area to be accessed when it is detected that the authorized access identifier matches with the program identifier corresponding to the execution program, the method further includes:
detecting the security level corresponding to the storage area to be accessed;
when the security level is a preset level, encrypting the storage area to be accessed;
the accessing the storage area to be accessed comprises: extracting a decryption key from the data access request, decrypting the encrypted storage area by using the decryption key, and accessing the storage area to be accessed when the decryption is successful.
2. The data access method of claim 1, further comprising:
when the area state is detected to be a second preset state, prohibiting access to the storage area to be accessed, and outputting prompt information of access failure.
3. A data access method according to claim 1 or 2, characterized in that the method further comprises:
configuring an access identifier and access times corresponding to a storage area to be accessed;
establishing an association relation between the area identifier and the access identifier of the storage area to be accessed;
and outputting the authority information and the area state corresponding to the storage area to be accessed based on the association relation and the access times.
4. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor when executing the computer program implements the steps of the data access method of any one of claims 1 to 3.
5. A readable storage medium, characterized in that a computer program is stored thereon, which computer program, when being executed by a processor, carries out the steps of the data access method according to any one of claims 1 to 3.
Application number: CN202210495712.XA; priority date: 2022-05-09; filing date: 2022-05-09; title: Data access method, computer device and readable storage medium; status: Active; publication: CN114580005B (en)

Publications (2)

Publication Number Publication Date
CN114580005A (en) 2022-06-03
CN114580005B (en) 2023-02-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant