Memory isolation through address translation data edit control
Abstract
Isolated memory is implemented by controlling changes to address translation maps. Control over the maps can be exercised in such a way that no virtual address referring to an isolated page is exposed to any untrusted process. Requests to edit an entry in a map are evaluated to ensure that the edit will not cause the map to point to isolated memory. Requests to change which map is active are evaluated to ensure that the map to be activated does not point to isolated memory. Preferably, these evaluations are performed by a trusted component in a trusted environment, since isolation of the memory depends on the evaluation component not being compromised. In systems that require all memory access requests to identify their target by virtual address, preventing the address translation maps from pointing to a portion of memory effectively prevents access to that portion of memory, thereby creating an isolated memory.
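The two evaluations the abstract describes, plus the exclusion-set step of claim 47, as an added Python model that is not the patent's own code. Frame numbers, the four-entry table layout and all names are constructed; the point is that an untrusted source can only reach memory through the active table, so screening table edits and pointer loads is enough to keep the isolated frames unaddressable.

```python
# Added model (not the patent's own code) of the evaluation component the
# abstract describes; frame numbers, table layout and names are constructed.
ISOLATED = {7, 8}            # frames reserved for the trusted environment
TABLE_FRAMES = {0, 1}        # frames that currently hold translation data
# Constructed physical memory: frame -> 4 entries. In a table frame each
# entry is the frame a virtual page maps to, or None for "unmapped".
memory = {
    0: [2, 3, 0, None],      # table A: vpage0->2, vpage1->3, vpage2->itself
    1: [2, 7, None, None],   # table B: vpage1->7, an isolated frame
    2: [0, 0, 0, 0], 3: [0, 0, 0, 0],   # ordinary data frames
}
pointer = 0                  # register selecting the active table (frame 0)

def exposes_isolated(table_frame):
    """True if the table in table_frame maps any vpage to an isolated frame."""
    return any(e in ISOLATED for e in memory[table_frame] if e is not None)

def translate(vpage):
    """Resolve a virtual page through the active table; None = no mapping."""
    return memory[pointer][vpage]

def write_virtual(vpage, index, value, trusted=False):
    """Evaluate a write (claim 16). Untrusted sources address memory only
    virtually, so isolated frames are simply unreachable; a write landing in
    a table frame is screened so the new entry cannot point at isolated
    memory. Returns True if the write was performed."""
    frame = translate(vpage)
    if frame is None:                       # no mapping: the access faults
        return False
    if frame in TABLE_FRAMES and not trusted and value in ISOLATED:
        return False                        # edit would expose isolated memory
    memory[frame][index] = value
    return True

def load_pointer(table_frame):
    """Evaluate a pointer load (claim 1): accept only a table that exposes
    no isolated frame. Returns True if the register was updated."""
    global pointer
    if exposes_isolated(table_frame):
        return False
    pointer = table_frame
    return True

def isolate(frame):
    """Extend the exclusion set (claim 47): a frame becomes isolated only
    once no table can address it. Returns True on success."""
    if any(frame in memory[t] for t in TABLE_FRAMES):
        return False
    ISOLATED.add(frame)
    return True
```

Table A maps its own frame at vpage 2, which is how an untrusted OS edits its page tables in this model; every such edit passes through the screen in write_virtual.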
86 Claims
1. A method of controlling memory usage in a system that comprises a plurality of memory locations, some of the memory locations being designated to be accessible only by a trusted source, each of the memory locations having a physical address, the system supporting the use of virtual addresses to address the memory locations, the memory location that corresponds at a given point in time to a given virtual address being at least partly determined by a selectable group of address translation data that is storable in the memory locations, the system further comprising a writeable storage location that contains, at any given point in time, a pointer to the particular group of address translation data that has been selected to partly determine which of the memory locations corresponds to a given virtual address, the method comprising:
- receiving a request to write a new pointer into the storage location;
- determining that loading the new pointer into the storage location will not cause any of the memory locations that are designated to be accessible only by the trusted source to correspond to any virtual address; and
- allowing the request to proceed.

Dependent claims 2 to 15.

16. A method of controlling memory usage in a system that comprises a plurality of memory locations, each of the memory locations having a physical address, the system supporting the use of virtual addresses to address the memory locations, the memory location that corresponds at a given point in time to a given virtual address being at least partly determined by modifiable address translation data that are storable in the plurality of memory locations, some of the memory locations being designated to be accessible only by a trusted source, the method comprising:
- receiving from a first source a request to write a datum to a first of the memory locations, the first source being different from the trusted source;
- determining that carrying out the request will not cause the address translation data to be modified in a manner that causes any of the memory locations that are designated to be accessible only by the trusted source to correspond to any virtual address; and
- allowing the request to proceed.

Dependent claims 17 to 34.

35. In a system that comprises:
- a random access memory comprising a plurality of memory locations, each of the memory locations having a physical address;
- a storage location that stores an identifier of one of a plurality of groups of address translation data;
- an address translation component that uses the group of address translation data whose identifier is stored in the storage location to translate a virtual address into the physical address of one of the memory locations; and
- a processor that processes an instruction to load a datum into the storage location;

the improvement comprising:
- an evaluation component that makes a determination as to whether the datum may be loaded into the storage location and that causes the instruction either to be carried out or not carried out according to the determination, the determination being based on criteria comprising:
- whether the datum is an identifier of a group of address translation data that will cause the address translation component to translate any virtual address to the physical address of a predetermined set of the memory locations.

Dependent claims 36 to 46.

47. A method of managing memory in a system that comprises:
- a memory comprising a plurality of locations, each of the locations having a physical address associated therewith;
- one or more sources, each of the sources having a group of address translation data associated therewith;
- a virtual addressing facility that permits each of the sources to address a location in the memory using a virtual address, the particular location that corresponds to the virtual address being determined at least in part by the group of address translation data associated with the source, there being at least some locations in the memory that do not correspond to a virtual address for a given source; and
- a secure environment that is associatable with a set of locations in the memory to which none of the sources has access;

the method comprising:
- identifying a portion of the memory;
- creating a state for the system in which none of the sources can address the portion of memory using a virtual address; and
- adding to an exclusion set data indicative of said portion of memory.

Dependent claims 48 to 55.

56. A computer-readable medium encoded with computer-executable instructions to implement a method of controlling memory usage in a system that comprises a plurality of memory locations, some of the memory locations being designated to be accessible only by a trusted source, each of the memory locations having a physical address, the system supporting the use of virtual addresses to address the memory locations, the memory location that corresponds at a given point in time to a given virtual address being at least partly determined by a selectable group of address translation data that is storable in the memory locations, the system further comprising a writeable storage location that contains, at any given point in time, a pointer to the particular group of address translation data that has been selected to partly determine which of the memory locations corresponds to a given virtual address, the method comprising:
- receiving a request to write a new pointer into the storage location;
- determining that loading the new pointer into the storage location will not cause any of the memory locations that are designated to be accessible only by the trusted source to correspond to any virtual address; and
- allowing the request to proceed.

Dependent claims 57 to 65.

66. A computer-readable medium encoded with computer-executable instructions to perform a method of controlling memory usage in a system that comprises a plurality of memory locations, each of the memory locations having a physical address, the system supporting the use of virtual addresses to address the memory locations, the memory location that corresponds at a given point in time to a given virtual address being at least partly determined by modifiable address translation data that are storable in the plurality of memory locations, some of the memory locations being designated to be accessible only by a trusted source, the method comprising:
- receiving from a first source a request to write a datum to a first of the memory locations, the first source being different from the trusted source;
- determining that carrying out the request will not cause the address translation data to be modified in a manner that causes any of the memory locations that are designated to be accessible only by the trusted source to correspond to any virtual address; and
- allowing the request to proceed.

Dependent claims 67 to 77.

78. A computer-readable medium encoded with computer-executable instructions for performing a method of managing memory in a system that comprises:
- a memory comprising a plurality of locations, each of the locations having a physical address associated therewith;
- one or more sources, each of the sources having a group of address translation data associated therewith;
- a virtual addressing facility that permits each of the sources to address a location in the memory using a virtual address, the particular location that corresponds to the virtual address being determined at least in part by the group of address translation data associated with the source, there being at least some locations in the memory that do not correspond to a virtual address for a given source; and
- a secure environment that is associatable with a set of locations in the memory to which none of the sources has access;

the method comprising:
- identifying a portion of the memory;
- creating a state for the system in which none of the sources can address the portion of memory using a virtual address; and
- adding to an exclusion set data indicative of said portion of memory.

Dependent claims 79 to 86.