Abstract: A trust zone-based operating system including a secure world subsystem that runs a trusted execution environment TEE, a TEE monitoring area, and a security switching apparatus is provided. When receiving a sensitive operation request sent by a trusted application TA in the TEE, the TEE writes a sensitive instruction identifier and an operation parameter of the sensitive operation request into a general-purpose register, and sends a switching request to the security switching apparatus. The security switching apparatus receives the switching request, and switches a running environment of the secure world subsystem from the TEE to the TEE monitoring area. The TEE monitoring area stores a sensitive instruction in the operating system.

Abstract: A method and an apparatus for enhancing isolation of user space from kernel space, to divide an extended page table into a kernel-mode extended page table and a user-mode extended page table, such that user-mode code cannot access some or all content in the kernel space, and/or kernel-mode code cannot access some content in the user space, thereby enhancing isolation of the user space from the kernel space and preventing content leakage of the kernel space.

Abstract: The disclosure relates to the communications technologies field, and in particular, to a data migration method and apparatus, to implement data migration in an enclave page cache (EPC), to improve consistency between data of an application program before migration and that after migration. The method includes: obtaining, by a source host, a migration instruction, where the migration instruction is used to instruct to migrate a target application created with an enclave to a destination host; invoking, by the source host, a migration control thread preset in the enclave of the target application, to write running status data of the target application in an EPC into target memory of the source host, where the target memory is an area other than the EPC in memory of the source host; and sending, by the source host, the running status data of the target application in the target memory to the destination host.

Abstract: The present disclosure provides an execution environment virtualization method. The method includes: creating an ordinary virtual machine and a trusted virtual machine for a user in the ordinary execution environment, where the ordinary virtual machine executes an ordinary application of the user, and the trusted virtual machine executes a security application of the user; allocating memories to the ordinary virtual machine and the trusted virtual machine; establishing a mapping relationship between an ordinary memory of the ordinary virtual machine and a physical memory, to obtain a first memory mapping table; and establishing a mapping relationship between a virtual physical memory of the trusted virtual machine and a physical memory, to obtain a second memory mapping table. Therefore, the ordinary application and the security application run in execution environments independent of each other, thereby ensuring data security of the user.

Abstract: An information protection method includes receiving a request message sent by a virtual machine (VM), sending the request message to a VM instance corresponding to the VM or the shared service module, determining whether there is attack information included in the request message, and deleting the VM that sends the request message and the VM instance corresponding to the VM.

Abstract: A method for inter-process communication, a related apparatus for implementing the method, a computer device, and the like are provided. The method may be applied to an intelligent terminal, a self-driving device, and the like. The method mainly includes: A communication engine running at a hardware layer or a high-level software layer provides a context switching instruction, and when a caller running in a user mode calls a callee, context switching is directly implemented by calling the context switching instruction without trapping into a kernel mode. Therefore, kernel intervention in context switching is avoided to some extent, and an execution time of inter-process communication IPC is shortened.

Abstract: A trust zone-based operating system including a secure world subsystem that runs a trusted execution environment TEE, a TEE monitoring area, and a security switching apparatus is provided. When receiving a sensitive operation request sent by a trusted application TA in the TEE, the TEE writes a sensitive instruction identifier and an operation parameter of the sensitive operation request into a general-purpose register, and sends a switching request to the security switching apparatus. The security switching apparatus receives the switching request, and switches a running environment of the secure world subsystem from the TEE to the TEE monitoring area. The TEE monitoring area stores a sensitive instruction in the operating system.

Abstract: A method and an apparatus for enhancing isolation of user space from kernel space, to divide an extended page table into a kernel-mode extended page table and a user-mode extended page table, such that user-mode code cannot access some or all content in the kernel space, and/or kernel-mode code cannot access some content in the user space, thereby enhancing isolation of the user space from the kernel space and preventing content leakage of the kernel space.

Abstract: Embodiments of the present disclosure disclose a secure communication method for a mobile terminal and a mobile terminal. The secure communication method may include: when a wireless communication connection is established between the mobile terminal and another mobile terminal, and the wireless communication connection meets a preset security processing trigger condition, prohibiting, by means of setting, a program in a common virtual kernel from accessing a shared memory between a secure virtual kernel and the common virtual kernel and accessing a peripheral that needs to be called for the wireless communication connection; performing, by using the secure virtual kernel, preset policy-based processing on communication content corresponding to the wireless communication connection; and outputting, by using the secure virtual kernel, communication content obtained by performing the preset policy-based processing.

Abstract: A data protection method includes detecting whether critical code of an application has been called, with the critical code being used to access critical data; switching from a preconfigured first extended page table (EPT) to a preconfigured second EPT according to preset trampoline code corresponding to the critical code when an operating system calls the critical code using the first EPT, wherein memory mapping relationships of the critical data and the critical code are not configured in the first EPT, the memory mapping relationships of the critical data and the critical code are configured in the second EPT, and the critical data and the critical code are separately stored in independent memory areas; and switching from the second EPT back to the first EPT according to the trampoline code after calling and executing the critical code using the second EPT.

Abstract: The present invention relates to the field of communications technologies, and in particular, to a data migration method and apparatus, to implement data migration in an EPC, to improve consistency between data of an application program before migration and that after migration. The method includes: obtaining, by a source host, a migration instruction, where the migration instruction is used to instruct to migrate a target application created with an enclave to a destination host; invoking, by the source host, a migration control thread preset in the enclave of the target application, to write running status data of the target application in an EPC into target memory of the source host, where the target memory is an area other than the EPC in memory of the source host; and sending, by the source host, the running status data of the target application in the target memory to the destination host.

Abstract: An information protection method includes receiving a request message sent by a virtual machine (VM), sending the request message to a VM instance corresponding to the VM or the shared service module, determining whether there is attack information included in the request message, and deleting the VM that sends the request message and the VM instance corresponding to the VM.

Abstract: A secure interaction method includes receiving, by a processor, a secure processing request sent by an application program, where the application program operates in a normal mode, and the processor operates in the normal mode when receiving the secure processing request, switching, by the processor, from the normal mode to a secure mode according to the secure processing request, reading, by the processor operating in the secure mode, data information into a memory operating in the secure mode, where the data information is data that the processor operating in the secure mode generates after parsing the secure processing request, and controlling, by the processor operating in the secure mode, an accessed device to operate according to the data information stored in the memory operating in the secure mode.

Abstract: A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.

Abstract: The present disclosure provides an execution environment virtualization method. The method includes: creating an ordinary virtual machine and a trusted virtual machine for a user in the ordinary execution environment, where the ordinary virtual machine executes an ordinary application of the user, and the trusted virtual machine executes a security application of the user; allocating memories to the ordinary virtual machine and the trusted virtual machine; establishing a mapping relationship between an ordinary memory of the ordinary virtual machine and a physical memory, to obtain a first memory mapping table; and establishing a mapping relationship between a virtual physical memory of the trusted virtual machine and a physical memory, to obtain a second memory mapping table. Therefore, the ordinary application and the security application run in execution environments independent of each other, thereby ensuring data security of the user.

Abstract: The present disclosure relates to the field of information technologies and discloses a method and an apparatus for implementing virtual machine introspection. The method provided in the present disclosure may further include: determining to-be-checked data in a virtual machine; starting to read the to-be-checked data, saving a copy of the read to-be-checked data, and storing a storage address of the read to-be-checked data in a hardware transactional memory, so that the hardware transactional memory is capable of monitoring the read to-be-checked data according to the storage address; when the read to-be-checked data is modified, stop reading the to-be-checked data, and delete the copy; and when reading the to-be-checked data is completed and it is not detected that the read to-be-checked data is modified, performing security check on the copy. The method can be applied to virtual machine introspection.

Abstract: An isolation method for a management virtual machine and an apparatus, which resolves problems that performance of communication between service components is deteriorated, more resources are required for running a virtual machine, and security of the service components is relatively low. The method includes: acquiring a guest identifier; searching, according to the guest identifier, the management virtual machine for a kernel virtual machine; when the kernel virtual machine is not found in the management virtual machine, creating the kernel virtual machine in the management virtual machine; dividing a service provided for a guest virtual machine by the kernel virtual machine into multiple service components; and running the multiple service components in execution environments corresponding to permission of the service components, where the kernel virtual machine includes the multiple execution environments, and the multiple execution environment have different permission.

Abstract: A data protection method includes detecting whether critical code of an application has been called, with the critical code being used to access critical data; switching from a preconfigured first extended page table (EPT) to a preconfigured second EPT according to preset trampoline code corresponding to the critical code when an operating system calls the critical code using the first EPT, wherein memory mapping relationships of the critical data and the critical code are not configured in the first EPT, the memory mapping relationships of the critical data and the critical code are configured in the second EPT, and the critical data and the critical code are separately stored in independent memory areas; and switching from the second EPT back to the first EPT according to the trampoline code after calling and executing the critical code using the second EPT.

Abstract: Embodiments of the present disclosure disclose a secure communication method for a mobile terminal and a mobile terminal. The secure communication method may include: when a wireless communication connection is established between the mobile terminal and another mobile terminal, and the wireless communication connection meets a preset security processing trigger condition, prohibiting, by means of setting, a program in a common virtual kernel from accessing a shared memory between a secure virtual kernel and the common virtual kernel and accessing a peripheral that needs to be called for the wireless communication connection; performing, by using the secure virtual kernel, preset policy-based processing on communication content corresponding to the wireless communication connection; and outputting, by using the secure virtual kernel, communication content obtained by performing the preset policy-based processing.

Abstract: A data processing method and apparatus, where the method includes acquiring a first network data packet that is sent by a target application that runs in an untrusted execution domain, where the first network data packet includes a first identifier; acquiring, in a trusted execution domain, first data corresponding to the first identifier; generating, in the trusted execution domain, a second network data packet according to the first data and the first network data packet; performing, in the trusted execution domain, encryption on the second network data packet by using a first session key to acquire an encrypted second network data packet; and sending the encrypted second network data packet to the target server. The data processing method and apparatus in the embodiments of the present invention can effectively prevent an attacker from stealing data.