Secure privilege level execution and access protection
First Claim
1. A system for enforcing code execution and data access policies comprising:
enforcement logic configured to:
determine an access designation and an execution designation of a plurality of chunks, each of the plurality of chunks comprising a plurality of bits of addressable memory space and policy settings that identify one or more execution capabilities and one or more access capabilities, wherein a policy setting for a first chunk from the plurality of chunks indicates that code in the first chunk is executable by a first source and not a second source, and wherein a policy setting for a second chunk indicates that code in the second chunk is executable by the second source and not the first source;
receive a request from the first source related to code execution at an address against the access designation of a chunk from the plurality of chunks corresponding to the address by accessing policy settings for the chunk; and
upon determining that the chunk is the first chunk, allow the request;
or upon determining that the chunk is the second chunk, deny the request.
Abstract
The subject disclosure is directed towards using one or more of hardware, a hypervisor, and privileged mode code to prevent system mode code from accessing user mode data and/or running user mode code at the system privilege level, or vice-versa. Also described is (in systems with a hypervisor) preventing non-hypervisor code from running in hypervisor mode or accessing hypervisor-only data, or vice-versa. A register maintained by hardware, hypervisor, or system mode code contains data access and execution policies for different chunks of addressable space with respect to which requesting entities (hypervisor mode code, system mode code, user mode code) have access to or can execute code in a given chunk. When a request to execute code or access data with respect to an address is received, the request is processed to determine to which chunk the address corresponds. The policy for that chunk is evaluated to determine whether to allow or deny the request.
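A small model of the enforcement logic the abstract describes, written here as an added example rather than code from the patent: a policy table stands in for the hardware register, chunks are 1 MiB (an assumed granularity), each chunk records which requesting entity (user, system, hypervisor) may read, write or execute it, and anything not explicitly granted, including unmapped chunks, is denied.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Requesting entities: the "sources" of the claims. */
typedef enum { SRC_USER = 0, SRC_SYSTEM = 1, SRC_HYPERVISOR = 2, SRC_COUNT } source_t;

/* Access and execution capability bits recorded per chunk, per source. */
#define CAP_READ  0x1u
#define CAP_WRITE 0x2u
#define CAP_EXEC  0x4u

#define CHUNK_SHIFT 20u   /* assumed chunk size: 1 MiB of addressable space */
#define NUM_CHUNKS  8u    /* assumed size of the modelled address space */

/* One policy entry per chunk: caps[source] packs that source's designations. */
typedef struct { uint8_t caps[SRC_COUNT]; } chunk_policy_t;

/* The policy "register" from the abstract, modelled as a table (constructed sample).
 * Chunks not listed are zero-initialised, i.e. nobody may touch them. */
static const chunk_policy_t policy_reg[NUM_CHUNKS] = {
    [0] = { .caps = { [SRC_USER] = CAP_READ | CAP_EXEC } },                  /* user code   */
    [1] = { .caps = { [SRC_USER] = CAP_READ | CAP_WRITE } },                 /* user data   */
    [2] = { .caps = { [SRC_SYSTEM] = CAP_READ | CAP_EXEC } },                /* system code */
    [3] = { .caps = { [SRC_SYSTEM] = CAP_READ | CAP_WRITE } },               /* system data */
    [4] = { .caps = { [SRC_HYPERVISOR] = CAP_READ | CAP_WRITE | CAP_EXEC } }, /* hypervisor-only */
};

/* Enforcement logic: map the address to its chunk, then check that every
 * requested capability is granted to the requesting source for that chunk. */
bool enforce(source_t src, uint64_t addr, uint8_t requested)
{
    uint64_t chunk = addr >> CHUNK_SHIFT;
    if (src >= SRC_COUNT || chunk >= NUM_CHUNKS || requested == 0)
        return false;   /* default deny: unknown source, unmapped chunk, empty request */
    return (policy_reg[chunk].caps[src] & requested) == requested;
}

int main(void)
{
    /* System mode code trying to execute user mode code is denied, as the abstract requires. */
    printf("system exec of user code: %s\n", enforce(SRC_SYSTEM, 0x00012345, CAP_EXEC) ? "allow" : "deny");
    printf("user exec of user code:   %s\n", enforce(SRC_USER,   0x00012345, CAP_EXEC) ? "allow" : "deny");
    return 0;
}
```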
20 Claims
1. Independent claim; its text is given under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method comprising:
determining an access designation and an execution designation of a plurality of chunks, each of the plurality of chunks comprising a plurality of bits of addressable memory space and policy settings that identify one or more execution capabilities and one or more access capabilities, wherein a policy setting for a first chunk from the plurality of chunks indicates that code in the first chunk is executable by a first source and not a second source, and wherein a policy setting for a second chunk indicates that code in the second chunk is executable by the second source and not the first source; receiving a request from the first source related to code execution at an address against the access designation of a chunk from the plurality of chunks corresponding to the address by accessing policy settings for the chunk; and upon determining that the chunk is the first chunk, allowing the request;
or upon determining that the chunk is the second chunk, denying the request.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A computer-readable storage memory having computer-executable instructions that are configured to, upon execution, perform operations comprising:
determining an access designation and an execution designation of a plurality of chunks, each of the plurality of chunks comprising a plurality of bits of addressable memory space and policy settings that identify one or more execution capabilities and one or more access capabilities, wherein a policy setting for a first chunk from the plurality of chunks indicates that code in the first chunk is executable by a first source and not a second source, and wherein a policy setting for a second chunk indicates that code in the second chunk is executable by the second source and not the first source; receiving a request from the first source related to code execution at an address against the access designation of a chunk from the plurality of chunks corresponding to the address by accessing policy settings for the chunk; and upon determining that the chunk is the first chunk, allowing the request;
or upon determining that the chunk is the second chunk, denying the request.
Dependent claims: 17, 18, 19, 20.
Specification