Memory isolation through address translation data edit control

US 20030200402A1
Filed: 12/13/2002
Published: 10/23/2003
Est. Priority Date: 04/17/2002
Status: Active Grant

First Claim

Patent Images

1. A method of controlling memory usage in a system that comprises a plurality of memory locations, some of the memory locations being designated to be accessible only by a trusted source, each of the memory locations having a physical address, the system supporting the use of virtual addresses to address the memory locations, the memory location that corresponds at a given point in time to a given virtual address being at least partly determined by a selectable group of address translation data that is storable in the memory locations, the system further comprising a writeable storage location that contains, at any given point in time, a pointer to the particular group of address translation data that has been selected to partly determine which of the memory locations corresponds to a given virtual address, the method comprising:

receiving a request to write a new pointer into the storage location;

determining that loading the new pointer into the storage location will not cause any of the memory locations that are designated to be accessible only by the trusted source to correspond to any virtual address; and

allowing the request to proceed.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Isolated memory is implemented by controlling changes to address translation maps. Control over the maps can be exercised in such a way that no virtual address referring to an isolated page is exposed to any untrusted process. Requests to edit an entry in a map are evaluated to ensure that the edit will not cause the map to point to isolated memory. Requests to change which map is active are evaluated to ensure that the map to be activated does not point to isolated memory. Preferably, these evaluations are performed by a trusted component in a trusted environment, since isolation of the memory depends on the evaluation component not being compromised. In systems that require all memory access requests to identify their target by virtual address, preventing the address translation maps from pointing to a portion of memory effectively prevents access to that portion of memory, thereby creating an isolated memory.

95 Citations

View as Search Results

86 Claims

1. A method of controlling memory usage in a system that comprises a plurality of memory locations, some of the memory locations being designated to be accessible only by a trusted source, each of the memory locations having a physical address, the system supporting the use of virtual addresses to address the memory locations, the memory location that corresponds at a given point in time to a given virtual address being at least partly determined by a selectable group of address translation data that is storable in the memory locations, the system further comprising a writeable storage location that contains, at any given point in time, a pointer to the particular group of address translation data that has been selected to partly determine which of the memory locations corresponds to a given virtual address, the method comprising:
- receiving a request to write a new pointer into the storage location;
  
  determining that loading the new pointer into the storage location will not cause any of the memory locations that are designated to be accessible only by the trusted source to correspond to any virtual address; and
  
  allowing the request to proceed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the system comprises a processor that operates in at least two modes, the processor operating in a first of the modes when untrusted operations are performed and operating in a second of the two modes when trusted operations are performed, wherein the request is in the form of a first executable instruction to write a datum to the storage location and is received while the processor is operating in the first mode, and wherein the method further comprises:
    - in response to receiving the request, changing control of the processor to the second mode prior to executing the instruction, whereby said determining act is performed while the processor is operating in the second mode.
  - 3. The method of claim 2, wherein the allowing act comprises:
    - in the second mode, carrying out the request by either executing the first executable instruction or executing one or more second executable instructions whose result is to write the datum to the storage location.
  - 4. The method of claim 1, wherein the system comprises a processor that is compatible or upwardly compatible with the INTEL x86 processor architecture, and wherein the storage location comprises the processor'"'"'s CR3 register.
  - 5. The method of claim 1, further comprising:
    - maintaining a set of values that can be written to said storage location;
      
      and wherein said determining act comprises;
      
      determining that said new pointer is included in said set of values.
  - 6. The method of claim 5, wherein the selectable group of address translation data is selected from a plurality of groups of address translation data, each of the groups having a base address associated therewith, wherein the set of values that can be written to said storage location comprises the base addresses of all of the groups, and wherein the act of determining that said new pointer is included in said set of values comprises determining that the new pointer is the base address of one of the groups.
  - 7. The method of claim 1, wherein the selectable group of address translation data is selected from a plurality of groups of address translation data, each of the groups having an identifier associated therewith, and wherein the act of determining that the new pointer will not cause any of the memory locations that are designated to be accessible only by the trusted source to correspond to any virtual address comprises determining that a set of approved identifiers includes the identifiers associated with the group of address translation data pointed to by the new pointer.
  - 8. The method of claim 1, wherein each group of address translation data comprises:
    - a page directory comprising a plurality of directory entries, the page directory having a base address associated therewith, each directory entry being identifiable relative to the base address; and
      
      one or more page tables, each of the page tables having a table address, each of the page tables comprising a plurality of page table entries, each of the page table entries being identifiable relative to the table address of the page table of which the page table entry is a member, each of the directory entries containing the table address of one of the page tables, each of the page table entries containing the physical address of one of the memory locations.
  - 9. The method of claim 8, further comprising:
    - determining that none of the directory entries or table entries in the group of address translation data pointed to by the new pointer points to a memory location that has been designated to be accessible only to a trusted source.
  - 10. The method of claim 8, further comprising:
    - determining that none of the directory entries in the group of address translation data pointed to by the new pointer contains a valid pointer to any memory location that is not a base address of either a page directory or a page table.
  - 11. The method of claim 8, wherein the plurality of memory locations are organized into pages, each page having an attribute associated therewith which indicates accessibility of the page, each page'"'"'s attribute being selected from a plurality of attributes, each of the page directories and page tables being stored in one of the pages, and wherein the method further comprises:
    - determining that at least the pages that store page tables or page directories and that are also pointed to by a valid entry in the group of address translation data pointed to by the new pointer are associated with a first one of the plurality of attributes.
  - 12. The method of claim 1, wherein the new pointer identifies a first of the groups of address translation data, and wherein the determining act comprises:
    - determining that the first group of address translation data contains a mapping to at least one of the memory locations that are designated to be accessible only by the trusted source; and
      
      changing at least one bit in the first group of address translation data so that the first group of address translation data does not contain a mapping to any of the memory locations that are designated to be accessible only by the trusted source.
  - 13. The method of claim 12, wherein the act of changing at least one bit comprises marking an entry in the first group of address translation data as not present.
  - 14. The method of claim 1, where there are virtual addresses corresponding to the group of address translation data pointed to by the new pointer, and wherein the method further comprises:
    - determining that the virtual addresses for the group of address translation data pointed to by the new pointer are within a predefined category of virtual addresses.
  - 15. The method of claim 14, wherein the predefined category comprises a numerical range of virtual addresses having upper and lower limits.

16. A method of controlling memory usage in a system that comprises a plurality of memory locations, each of the memory locations having a physical address, the system supporting the use of virtual addresses to address the memory locations, the memory location that corresponds at a given point in time to a given virtual address being at least partly determined by modifiable address translation data that are storable in the plurality of memory locations, some of the memory locations being designated to be accessible only by a trusted source, the method comprising:
- receiving from a first source a request to write a datum to a first of the memory locations, the first source being different from the trusted source;
  
  determining that carrying out the request will not cause the address translation data to be modified in a manner that causes any of the memory locations that are designated to be accessible only by the trusted source to correspond to any virtual address; and
  
  allowing the request to proceed.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 17. The method of claim 16, wherein there virtual addresses for the modifiable address translation data, and wherein the method further comprises:
    - determining that the virtual addresses for the modifiable address translation data fall within a predefined category of virtual addresses.
  - 18. The method of claim 17, further comprising:
    - determining that carrying out the request will not cause the virtual addresses of any of the modifiable address translation data to fall outside of a specified range.
  - 19. The method of claim 17, wherein the predefined category comprises a numerical range of virtual addresses having upper and lower limits.
  - 20. The method of claim 16, further comprising:
    - determining that the modifiable address translation data map one or more defined virtual addresses to one or more defined memory regions.
  - 21. The method of claim 16, wherein the memory locations are grouped into one or more pages, each of said pages comprising an equal number of memory locations, wherein the address translation data comprises one or more page tables, each page table comprising pointers to one or more of the pages, wherein a first set of one or more pages comprises the one or more memory locations that are designated as being accessible only by a trusted source, and wherein the determining act comprises:
    - determining that carrying out the request will not cause any of the page tables to contain a valid pointer to any page in the first set.
  - 22. The method of claim 21, wherein each page table is divided into a plurality of entries, each entry comprising:
    - (a) space to store a pointer to one of the pages, and (b) a flag indicating whether data stored in said space should be interpreted as a pointer to one of the pages, and wherein an entry in the page table is not determined to contain a valid pointer if the entry'"'"'s flag indicates that the data stored in the entry'"'"'s space should not be interpreted as a pointer to one of the pages.
  - 23. The method of claim 16, wherein the memory locations are grouped into one or more pages, each of the pages having an attribute associated therewith which indicates accessibility of the page, each page'"'"'s attribute being selected from a plurality of attributes, the address translation data being stored in one of more of the pages, and wherein the method further comprises:
    - determining that at least the pages to which the address translation data contains valid pointers and that also store portions of the address translation data are associated with a first one of the plurality of attributes.
  - 24. The method of claim 23, wherein the act of determining that at least the pages to which the address translation data contains valid pointers and that also store portions of the address translation data are associated with a first one of the plurality of attributes comprises:
    - determining that carrying out the request will cause the address translation data to contain a valid mapping to a page that stores a portion of the address translation data but that is not associated with the first one of the plurality of attributes; and
      
      changing the attribute associated with said page to said first one of said plurality of attributes.
  - 25. The method of claim 16, wherein the memory locations are grouped into pages, the address translation data being stored in one or more of the pages, the address translation data comprising:
    - one or more first pages that comprise entries containing pointers to the pages; and
      
      at least one second page comprising entries that contain pointers to the first pages;
      
      and wherein the method further comprises;
      
      determining that the second page does not contain any valid pointers to pages that do not store address translation data.
  - 26. The method of claim 16, wherein the system provides a write instruction that writes said datum to said first of the memory locations, the write instruction being configured to perform acts comprising:
    - detecting whether said first memory location stores address translation data;
      
      if said first memory location stores address translation data, then performing said determining act; and
      
      writing or not writing said specified data to said first memory location according to the result of said determining act.
  - 27. The method of claim 26, wherein the memory locations are grouped into pages, each page having an attribute associated therewith indicating the accessibility of the page, each page'"'"'s attribute being selected from a plurality of attributes, the address translation data being stored in one or more of the pages, each of the pages that stores address translation data having a first of the attributes associated therewith, and wherein the write instruction detects whether said first memory location stores address translation data based on whether the page that includes the memory location is associated with the first attribute.
  - 28. The method of claim 26, further comprising:
    - generating a fault to invoke an address translation control module.
  - 29. The method of claim 16, wherein the system provides a first write instruction and a second write instruction, said first write instruction being configured to perform acts comprising:
    - refusing to write said datum to said first memory location if said first memory location stores address translation data;
      
      and said second write instruction being configured to perform acts comprising;
      
      performing said determining act; and
      
      writing or not writing said specified data to said first memory location according to the result of said determining act.
  - 30. The method of claim 16, further comprising:
    - generating a fault to invoke an address translation control module.
  - 31. The method of claim 16, wherein the system comprises a processor that operates in at least two modes, the processor operating in a first of the modes when untrusted operations are performed and operating in a second of the two modes when trusted operations are performed, wherein the request is in the form of a first executable instruction to write said datum to the first of the memory locations and is received while the processor is operating in the first mode, and wherein the method further comprises:
    - changing control of the processor to the second mode prior to executing the instruction, whereby said determining act is performed while the processor is operating in the second mode;
      
      and wherein the allowing act comprises;
      
      in the second mode, carrying out the request by writing said datum to the first of the memory locations.
  - 32. The method of claim 31, wherein the memory locations are grouped into pages, each of the pages being associated with an attribute that indicates accessibility, each page'"'"'s attribute being selected from a plurality of attributes, the address translation data being stored in one or more of the pages, each page that stores address translation data having a first of the plurality of attributes, the system being configured to transfer control of the processor to the second mode when an attempt is made in the first mode to write to a page associated with the first of the attributes.
  - 33. The method of claim 32, wherein the first of the attributes comprises a read-only attribute.
  - 34. The method of claim 16, wherein said determining act comprises:
    - determining that carrying out the request will cause a memory location that is designated to be accessible only by the trusted source to correspond to a virtual address; and
      
      modifying the request such that carrying out the request will not cause any memory location that is designated to be accessible only by the trusted source to correspond to any virtual address.

35. In a system that comprises:
- a random access memory comprising a plurality of memory locations, each of the memory locations having a physical address;
  
  a storage location that stores an identifier of one of a plurality of groups of address translation data;
  
  an address translation component that uses the group of address translation data whose identifier is stored in the storage location to translate a virtual address into the physical address of one of the memory locations; and
  
  a processor that processes an instruction to load a datum into the storage location;
  
  the improvement comprising;
  
  an evaluation component that makes a determination as to whether the datum may be loaded into the storage location and that causes the instruction either to be carried our or not carried out according to the determination, the determination being based on criteria comprising;
  
  whether the datum is an identifier of a group of address translation data that will cause the address translation component to translate any virtual address to the physical address of a predetermined set of the memory locations.
- View Dependent Claims (36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 36. The improvement of claim 35, wherein the criteria further comprise:
    - whether the group of address translation data can undergo a modification such that the group of address translation data will not cause the address translation component to translate any virtual address to the physical address of the predetermined set of the memory locations, and wherein the evaluation component performs said modification and determines that the instruction may be carried out if said modification can be made to said group of address translation data.
  - 37. The improvement of claim 35, wherein the criteria further comprise:
    - whether the group of address translation data maps one or more predetermined virtual addresses to one or more predetermined regions of said random access memory, wherein the evaluation component determines that the instruction may be carried out if the group of address translation data maps said one or more predetermined virtual addresses to said one or more regions of said random access memory.
  - 38. The improvement of claim 37, wherein the criteria further comprise:
    - whether the group of address translation data can be modified to map one or more predetermined virtual addresses to one or more predetermined regions of said random access memory, and wherein the evaluation component performs said modification and determines that the instruction may be carried out if the modification can be made to said group of address translation data.
  - 39. The improvement of claim 35, further comprising:
    - a component that maintains a list values that can be loaded into the storage location;
      
      and wherein the criteria further comprise;
      
      whether the datum is included in said list of values.
  - 40. The improvement of claim 39, wherein the datum is not included in said list of values, and wherein the evaluation component determines that the datum may be loaded into the storage location by determining that the group of address translation data identified by the datum does not contain any pointers to the predetermined set of the memory locations.
  - 41. The improvement of claim 35, wherein each of the groups of address translation data has a base address associated therewith, and wherein each of the identifiers is the base address of a corresponding group of address translation data.
  - 42. The improvement of claim 41, wherein each of the groups of address translation data comprises:
    - a plurality of page tables, each of the page tables comprising first pointers to one or more of the memory locations; and
      
      a page directory storing second pointers to one or more of the page tables, each of the second pointers being locatable relative to the group'"'"'s base address.
  - 43. The improvement of claim 35, further comprising:
    - logic that raises an exception upon receipt of the instruction to load a datum into the storage location; and
      
      an exception handler that is activated in response to the exception, wherein the exception handler either;
      
      (1) is the evaluation component, or (2) invokes the evaluation component.
  - 44. The improvement of claim 43, wherein the system operates in at least a first mode and a second mode, untrusted operations being performed in the first mode, trusted operations being performed in the second mode, wherein the instruction is received in the first mode, and wherein the improvement further comprises:
    - logic that changes the system from the first mode to the second mode upon raising of the exception, whereupon the evaluation component makes the determination while the system is operating in the second mode.
  - 45. The improvement of claim 35, wherein the evaluation comprises hardware incorporated in, or coupled to, the system.
  - 46. The improvement of claim 35, wherein the evaluation component comprises a set of computer-executable instructions that is executable on the processor.

47. A method of managing memory in a system that comprises:
- a memory comprising a plurality of locations, each of the locations having a physical address associated therewith;
  
  one or more sources, each of the sources having a group of address translation data associated therewith;
  
  a virtual addressing facility that permits each of the sources to address a location in the memory using a virtual address, the particular location that corresponds to the virtual address being determined at least in part by the group of address translation data associated with the source, there being at least some locations in the memory that do not correspond to a virtual address for a given source; and
  
  a secure environment that is associatable with a set of locations in the memory to which none of the sources has access, the method comprising;
  
  identifying a portion of the memory;
  
  creating a state for the system in which none of the sources can address the portion of memory using a virtual address; and
  
  adding to an exclusion set data indicative of said portion of memory.
- View Dependent Claims (48, 49, 50, 51, 52, 53, 54, 55)
- - 48. The method of claim 47, wherein said act of creating a state comprises:
    - purging any mapping to said portion of memory from each one of the groups of address translation in which a mapping to said portion of memory occurs.
  - 49. The method of claim 47, further comprising:
    - receiving a request from one of the sources to create a state in which said one of the sources would be able to address said portion of memory or a sub-portion thereof;
      
      determining that the portion of memory is indicated in the exclusion set; and
      
      denying the request.
  - 50. The method of claim 47, wherein the memory is divided into a plurality of pages, wherein each source is assigned a set of virtually-addressable memory locations on a per-page basis, and wherein the method further comprises:
    - tracking the number of sources whose corresponding group of address translation data points to a given page; and
      
      purging mappings to the given page from the groups of address translation data until the number of mappings that have been purged is equal to the number of sources that had pointed to the given page prior to the purging act.
  - 51. The method of claim 47, wherein the memory is divided into a plurality of pages, wherein each source is assigned a set of virtually-addressable memory locations on a per-page basis, wherein at least some of the address translation data is stored in the pages, and wherein the method further comprises:
    - tracking which of the pages store address translation data.
  - 52. The method of claim 47, wherein the memory is divided into a plurality of pages, wherein each source is assigned a set of virtually-addressable memory locations on a per-page basis, wherein at least one of the groups of address translation data is stored in a first set of the pages, at least one of the first set of pages comprising a base address for said one of the groups, wherein the virtual facility determines to use said one of the groups to associate virtual addresses with memory locations based on which the base address for said one of the groups being loaded into a storage location, and wherein the method further comprises:
    - maintaining a record of which values are base addresses for groups of address translation data.
  - 53. The method of claim 47, wherein the system further comprises a processor that operates in a first mode and a second mode, the sources comprising untrusted processes that execute when the processor is operating in the first mode, said portion of memory being accessible only when the processor is operating in the second mode.
  - 54. The method of claim 47, wherein the system further comprises:
    - a cache of virtual addresses whose corresponding memory location have previously been looked up, and wherein the method further comprises;
      
      emptying or overwriting said cache.
  - 55. The method of claim 47, further comprising:
    - waiting for all writes to complete that were pending at the time of said identifying act.

56. A computer-readable medium encoded with computer-executable instructions to implement a method of controlling memory usage in a system that comprises a plurality of memory locations, some of the memory locations being designated to be accessible only by a trusted source, each of the memory locations having a physical address, the system supporting the use of virtual addresses to address the memory locations, the memory location that corresponds at a given point in time to a given virtual address being at least partly determined by a selectable group of address translation data that is storable in the memory locations, the system further comprising a writeable storage location that contains, at any given point in time, a pointer to the particular group of address translation data that has been selected to partly determine which of the memory locations corresponds to a given virtual address, the method comprising:
- receiving a request to write a new pointer into the storage location;
  
  determining that loading the new pointer into the storage location will not cause any of the memory locations that are designated to be accessible only by the trusted source to correspond to any virtual address; and
  
  allowing the request to proceed.
- View Dependent Claims (57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 57. The computer-readable medium of claim 56, wherein the system comprises a processor that operates in at least two modes, the processor operating in a first of the modes when untrusted operations are performed and operating in a second of the two modes when trusted operations are performed, wherein the request is in the form of a first executable instruction to write a datum to the storage location and is received while the processor is operating in the first mode, and wherein the method further comprises:
    - in response to receiving the request, changing control of the processor to the second mode prior to executing the instruction, whereby said determining act is performed while the processor is operating in the second mode.
  - 58. The computer-readable medium of claim 56, wherein the allowing act comprises:
    - in the second mode, carrying out the request by either executing the first executable instruction or executing one or more second executable instructions whose result is to write the datum to the storage location.
  - 59. The computer-readable medium of claim 56, wherein the system comprises a processor that is compatible or upwardly compatible with the INTEL x86 processor architecture, and wherein the storage location comprises the processor'"'"'s CR3 register.
  - 60. The computer-readable medium of claim 56, wherein the method further comprises:
    - maintaining a set of values that can be written to said storage location;
      
      and wherein said determining act comprises;
      
      determining that said new pointer is included in said set of values.
  - 61. The computer-readable medium of claim 60, wherein the selectable group of address translation data is selected from a plurality of groups of address translation data, each of the groups having a base address associated therewith, wherein the set of values that can be written to said storage location comprises the base addresses of all of the groups, and wherein the act of determining that said new pointer is included in said set of values comprises determining that the new pointer is the base address of one of the groups.
  - 62. The computer-readable medium of claim 56, wherein each group of address translation data comprises:
    - a page directory comprising a plurality of directory entries, the page directory having a base address associated therewith, each directory entry being identifiable relative to the base address; and
      
      one or more page tables, each of the page tables having a table address, each of the page tables comprising a plurality of page table entries, each of the page table entries being identifiable relative to the table address of the page table of which the page table entry is a member, each of the directory entries containing the table address of one of the page tables, each of the page table entries containing the physical address of one of the memory locations.
  - 63. The computer-readable medium of claim 62, wherein the method further comprises:
    - determining that none of the directory entries or table entries in the group of address translation data pointed to by the new pointer points to a memory location that has been designated to be accessible only to a trusted source.
  - 64. The computer-readable medium of claim 62, wherein the method further comprises:
    - determining that none of the directory entries in the group of address translation data pointed to by the new pointer contains a valid pointer to any memory location that is not a base address of either a page directory or a page table.
  - 65. The computer-readable medium of claim 62, wherein the plurality of memory locations are organized into pages, each page having an attribute associated therewith which indicates accessibility of the page, each page'"'"'s attribute being selected from a plurality of attributes, each of the page directories and page tables being stored in one of the pages, and wherein the method further comprises:
    - determining that at least the pages that store page tables or page directories and that are also pointed to by a valid entry in the group of address translation data pointed to by the new pointer are associated with a first one of the plurality of attributes.

66. A computer-readable medium encoded with computer-executable instructions to perform a method of controlling memory usage in a system that comprises a plurality of memory locations, each of the memory locations having a physical address, the system supporting the use of virtual addresses to address the memory locations, the memory location that corresponds at a given point in time to a given virtual address being at least partly determined by modifiable address translation data that are storable in the plurality of memory locations, some of the memory locations being designated to be accessible only by a trusted source, the method comprising:
- receiving from a first source a request to write a datum to a first of the memory locations, the first source being different from the trusted source;
  
  determining that carrying out the request will not cause the address translation data to be modified in a manner that causes any of the memory locations that are designated to be accessible only by the trusted source to correspond to any virtual address; and
  
  allowing the request to proceed.
- View Dependent Claims (67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77)
- - 67. The computer-readable medium of claim 66, wherein the memory locations are grouped into one or more pages, each of said pages comprising an equal number of memory locations, wherein the address translation data comprises one or more page tables, each page table comprising pointers to one or more of the pages, wherein a first set of one or more pages comprises the one or more memory locations that are designated as being accessible only by a trusted source, and wherein the determining act comprises:
    - determining that carrying out the request will not cause any of the page tables to contain a valid pointer to any page in the first set.
  - 68. The computer-readable medium of claim 67, wherein each page table is divided into a plurality of entries, each entry comprising:
    - (a) space to store a pointer to one of the pages, and (b) a flag indicating whether data stored in said space should be interpreted as a pointer to one of the pages, and wherein an entry in the page table is not determined to contain a valid pointer if the entry'"'"'s flag indicates that the data stored in the entry'"'"'s space should not be interpreted as a pointer to one of the pages.
  - 69. The computer-readable medium of claim 66, wherein the memory locations are grouped into one or more pages, each of the pages having an attribute associated therewith which indicates accessibility of the page, each page'"'"'s attribute being selected from a plurality of attributes, the address translation data being stored in one of more of the pages, and wherein the method further comprises:
    - determining that at least the pages to which the address translation data contains valid pointers and that also store portions of the address translation data are associated with a first one of the plurality of attributes.
  - 70. The computer-readable medium of claim 66, wherein the memory locations are grouped into pages, the address translation data being stored in one or more of the pages, the address translation data comprising:
    - one or more first pages that comprise entries containing pointers to the pages; and
      
      at least one second page comprising entries that contain pointers to the first pages;
      
      and wherein the method further comprises;
      
      determining that the second page does not contain any valid pointers to pages that do not store address translation data.
  - 71. The computer-readable medium of claim 66, wherein the system provides a write instruction that writes said datum to said first of the memory locations, the write instruction being configured to perform acts comprising:
    - detecting whether said first memory location stores address translation data;
      
      if said first memory location stores address translation data, then performing said determining act; and
      
      writing or not writing said specified data to said first memory location according to the result of said determining act.
  - 72. The computer-readable medium of claim 71, wherein the memory locations are grouped into pages, each page having an attribute associated therewith indicating the accessibility of the page, each page'"'"'s attribute being selected from a plurality of attributes, the address translation data being stored in one or more of the pages, each of the pages that stores address translation data having a first of the attributes associated therewith, and wherein the write instruction detects whether said first memory location stores address translation data based on whether the page that includes the memory location is associated with the first attribute.
  - 73. The computer-readable medium of claim 66, wherein the system provides a first write instruction and a second write instruction, said first write instruction being configured to perform acts comprising:
    - refusing to write said datum to said first memory location if said first memory location stores address translation data;
      
      and said second write instruction being configured to perform acts comprising;
      
      performing said determining act; and
      
      writing or not writing said specified data to said first memory location according to the result of said determining act.
  - 74. The computer-readable medium of claim 66, wherein the system comprises a processor that operates in at least two modes, the processor operating in a first of the modes when untrusted operations are performed and operating in a second of the two modes when trusted operations are performed, wherein the request is in the form of a first executable instruction to write said datum to the first of the memory locations and is received while the processor is operating in the first mode, and wherein the method further comprises:
    - changing control of the processor to the second mode prior to executing the instruction, whereby said determining act is performed while the processor is operating in the second mode;
      
      and wherein the allowing act comprises;
      
      in the second mode, carrying out the request by writing said datum to the first of the memory locations.
  - 75. The computer-readable medium of claim 74, wherein the memory locations are grouped into pages, each of the pages being associated with an attributes that indicates accessibility, each page'"'"'s attribute being selected from a plurality of attributes, the address translation data being stored in one or more of the pages, each page that stores address translation data having a first of the plurality of attributes, the system being configured to transfer control of the processor to the second mode when an attempt is made in the first mode to write to a page associated with the first of the attributes.
  - 76. The computer-readable medium of claim 75, wherein the first of the attributes comprises a read-only attribute.
  - 77. The computer-readable medium of claim 66, wherein said determining act is performed after said allowing act.

78. A computer-readable medium encoded with computer-executable instructions for performing a method of managing memory in a system that comprises:
- a memory comprising a plurality of locations, each of the locations having a physical address associated therewith;
  
  one or more sources, each of the sources having a group of address translation data associated therewith;
  
  a virtual addressing facility that permits each of the sources to address a location in the memory using a virtual address, the particular location that corresponds to the virtual address being determined at least in part by the group of address translation data associated with the source, there being at least some locations in the memory that do not correspond to a virtual address for a given source; and
  
  a secure environment that is associatable with a set of locations in the memory to which none of the sources has access, the method comprising;
  
  identifying a portion of the memory;
  
  creating a state for the system in which none of the sources can address the portion of memory using a virtual address; and
  
  adding to an exclusion set data indicative of said portion of memory.
- View Dependent Claims (79, 80, 81, 82, 83, 84, 85, 86)
- - 79. The computer-readable medium of claim 78, wherein said act of creating a state comprises:
    - purging any mapping to said portion of memory from each one of the groups of address translation in which a mapping to said portion of memory occurs.
  - 80. The computer-readable medium of claim 78, wherein the method further comprises:
    - receiving a request from one of the sources to create a state in which said one of the sources would be able to address said portion of memory or a sub-portion thereof;
      
      determining that the portion of memory is indicated in the exclusion set; and
      
      denying the request.
  - 81. The computer-readable medium of claim 78, wherein the memory is divided into a plurality of pages, wherein each source is assigned a set of virtually-addressable memory locations on a per-page basis, and wherein the method further comprises:
    - tracking the number of sources whose corresponding group of address translation data points to a given page; and
      
      purging mappings to the given page from the groups of address translation data until the number of mappings that have been purged is equal to the number of sources that had pointed to the given page prior to the purging act.
  - 82. The computer-readable medium of claim 78, wherein the memory is divided into a plurality of pages, wherein each source is assigned a set of virtually-addressable memory locations on a per-page basis, wherein at least some of the address translation data is stored in the pages, and wherein the method further comprises:
    - tracking which of the pages store address translation data.
  - 83. The computer-readable medium of claim 78, wherein the memory is divided into a plurality of contiguous pages, wherein each source is assigned a set of virtually-addressable memory locations on a per-page basis, wherein at least one of the groups of address translation data is stored in a first set of the pages, at least one of the first set of pages comprising a base address for said one of the groups, wherein the virtual facility determines to use said one of the groups to associate virtual addresses with memory locations based on which the base address for said one of the groups being loaded into a storage location, and wherein the method further comprises:
    - maintaining a record of which values are base addresses for groups of address translation data.
  - 84. The computer-readable medium of claim 78, wherein the system further comprises a processor that operates in a first mode and a second mode, the sources comprising untrusted processes that execute when the processor is operating in the first mode, said portion of memory being accessible only when the processor is operating in the second mode.
  - 85. The computer-readable medium of claim 78, wherein the system further comprises:
    - a cache of virtual addresses whose corresponding memory location have previously been looked up, and wherein the method further comprises;
      
      emptying or overwriting said cache.
  - 86. The computer-readable medium of claim 78, wherein the method further comprises:
    - waiting for all write to complete that were pending at the time of said identifying act.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
England, Paul, Willman, Bryan Mark, Peinado, Marcus

Granted Patent

US 7,058,768 B2
Time in Patent Office

Days
Field of Search
US Class Current

711/154
CPC Class Codes

G06F 12/145 the protection being virtua...

Memory isolation through address translation data edit control

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

95 Citations

86 Claims

Specification

Solutions

Use Cases

Quick Links

Memory isolation through address translation data edit control

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

95 Citations

86 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links