Adaptive integrity verification of software and authorization of memory access

US 10,379,888 B2
Filed: 07/12/2017
Issued: 08/13/2019
Est. Priority Date: 03/30/2007
Status: Active Grant

First Claim

Patent Images

1. A method for integrity verification of memory access operations between virtualized execution environments in a computing system, the method comprising:

identifying a memory access operation, wherein the memory access operation involves memory access attempted by a source software component to memory associated with a destination software component, and wherein the source software component operates in one of an execution environment or a secure execution environment and the destination software component operates in the other of the execution environment or the secure execution environment;

intercepting the memory access operation, in response to the identified memory access operation attempting access to a memory location of the secure execution environment or attempting access from the secure execution environment to a memory location of the execution environment;

performing integrity verification of the source software component and authorization of the memory access operation; and

allowing the memory access operation to be performed in response to successful verification of the source software component and successful authorization of the memory access operation.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are described herein that discuss how a computing platform executing a virtualized environment, in one example, can be integrity verified adaptively and on demand. This may occur at initial runtime, as well as during continued operations, and allows the platform user to install software from various vendors without sacrificing the integrity measurement and therefore the trustworthiness of the platform.

Citations

24 Claims

1. A method for integrity verification of memory access operations between virtualized execution environments in a computing system, the method comprising:
- identifying a memory access operation, wherein the memory access operation involves memory access attempted by a source software component to memory associated with a destination software component, and wherein the source software component operates in one of an execution environment or a secure execution environment and the destination software component operates in the other of the execution environment or the secure execution environment;
  
  intercepting the memory access operation, in response to the identified memory access operation attempting access to a memory location of the secure execution environment or attempting access from the secure execution environment to a memory location of the execution environment;
  
  performing integrity verification of the source software component and authorization of the memory access operation; and
  
  allowing the memory access operation to be performed in response to successful verification of the source software component and successful authorization of the memory access operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the method is performed by an integrity verification agent of the computing system, and wherein the integrity verification agent operates in the secure execution environment.
  - 3. The method of claim 2, wherein the integrity verification agent is configured to prevent execution of a third software component in the execution environment in response to unsuccessful verification of the third software component or unsuccessful verification of a memory access operation initiated by the third software component.
  - 4. The method of claim 1, further comprising:
    - blocking execution of memory access operations associated with the source software component in the computing system until the successful verification of the source software component and successful authorization of the memory access operation.
  - 5. The method of claim 1, wherein the integrity verification of the source software component is performed by comparing information that indicates a security policy for the source software component.
  - 6. The method of claim 5, wherein the information is provided from a list of allowed software components.
  - 7. The method of claim 1, wherein the authorization of the memory access operation is based on information that identifies a memory page.
  - 8. The method of claim 1, wherein the memory access operation attempts access with a memory location corresponding to a kernel.

9. A computing system, comprising:
- at least one processor;
  
  a first virtual processor implemented with instructions executing via the at least one processor;
  
  a second virtual processor implemented with instructions executing via the at least one processor; and
  
  an integrity verification agent implemented with instructions executing via the at least one processor, the integrity verification agent adapted to perform verification of memory access operations between the first virtual processor and the second virtual processor, the integrity verification agent to perform operations comprising;
  
  identifying a memory access operation, wherein the memory access operation involves memory access attempted by a source software component to memory associated with a destination software component, and wherein the source software component operates in one of an execution environment or a secure execution environment and the destination software component operates in the other of the execution environment or the secure execution environment;
  
  intercepting the memory access operation, in response to the identified memory access operation attempting access to a memory location of the secure execution environment or attempting access from the secure execution environment to a memory location of the execution environment;
  
  performing integrity verification of the source software component and authorization of the memory access operation; and
  
  allowing the memory access operation to be performed in response to successful verification of the source software component and successful authorization of the memory access operation.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computing system of claim 9, wherein the integrity verification agent operates in the secure execution environment.
  - 11. The computing system of claim 9, wherein the integrity verification agent is configured to prevent execution of a third software component in the execution environment in response to unsuccessful verification of the third software component or unsuccessful verification of a memory access operation initiated by the third software component.
  - 12. The computing system of claim 9, the integrity verification agent to perform further operations comprising:
    - blocking execution of memory access operations associated with the source software component in the computing system until the successful verification of the source software component and successful authorization of the memory access operation.
  - 13. The computing system of claim 9, wherein the integrity verification of the source software component is performed by comparing information that indicates a security policy for the source software component.
  - 14. The computing system of claim 13, wherein the information is provided from a list of allowed software components.
  - 15. The computing system of claim 9, wherein the authorization of the memory access operation is based on information that identifies a memory page.
  - 16. The computing system of claim 9, wherein the memory access operation attempts access with a memory location corresponding to a kernel.

17. At least one non-transitory machine readable storage medium, comprising a plurality of instructions adapted for integrity verification of memory access operations between virtualized execution environments, wherein the instructions, responsive to being executed with processor circuitry of a computing machine, cause the processor circuitry to perform integrity verification operations comprising:
- identifying a memory access operation, wherein the memory access operation involves memory access attempted by a source software component to memory associated with a destination software component, and wherein the source software component operates in one of an execution environment or a secure execution environment and the destination software component operates in the other of the execution environment or the secure execution environment;
  
  intercepting the memory access operation, in response to the identified memory access operation attempting access to a memory location of the secure execution environment or attempting access from the secure execution environment to a memory location of the execution environment;
  
  performing integrity verification of the source software component and authorization of the memory access operation; and
  
  allowing the memory access operation to be performed in response to successful verification of the source software component and successful authorization of the memory access operation.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The machine readable storage medium of claim 17, wherein the integrity verification operations are performed by an integrity verification agent of the computing machine, and wherein the integrity verification agent operates in the secure execution environment.
  - 19. The machine readable storage medium of claim 18, wherein the integrity verification agent is configured to prevent execution of a third software component in the execution environment in response to unsuccessful verification of the third software component or unsuccessful verification of a memory access operation initiated by the third software component.
  - 20. The machine readable storage medium of claim 17, the instructions to further cause the computing machine to perform operations comprising:
    - blocking execution of memory access operations associated with the source software component in the computing machine until the successful verification of the source software component and successful authorization of the memory access operation.
  - 21. The machine readable storage medium of claim 17, wherein the integrity verification of the source software component is performed by comparing information that indicates a security policy for the source software component.
  - 22. The machine readable storage medium of claim 21, wherein the information is provided from a list of allowed software components.
  - 23. The machine readable storage medium of claim 17, wherein the authorization of the memory access operation is based on information that identifies a memory page.
  - 24. The machine readable storage medium of claim 17, wherein the memory access operation attempts access with a memory location corresponding to a kernel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Sahita, Ravi L., Savagaonkar, Uday
Primary Examiner(s)
Wu, Benjamin C

Application Number

US15/647,646
Publication Number

US 20180067758A1
Time in Patent Office

762 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/57   Certifying or maintaining t...

G06F 9/45533   Hypervisors; Virtual machin...

Adaptive integrity verification of software and authorization of memory access

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Adaptive integrity verification of software and authorization of memory access

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links