Enforcing isolation among plural operating systems

US 20040205203A1
Filed: 12/19/2003
Published: 10/14/2004
Est. Priority Date: 03/24/2003
Status: Active Grant

First Claim

Patent Images

1. A system that manages the use, by a plurality of software objects, of a hardware arrangement that includes a physical address space, the system comprising:

a security object that determines which portions of the physical address space may be accessed by said plurality of software objects based on a policy of isolation among said plurality of software objects; and

an access regulator that, for each request from one of the plurality of software objects to access a portion of the physical address space, either allows or disallows the request depending on whether the security object permits access to said portion of the physical address space.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Plural guest operating systems run on a computer, where a security kernel enforces a policy of isolation among the guest operating systems. An exclusion vector defines a set of pages that cannot be accessed by direct memory access (DMA) devices. The security kernel enforces an isolation policy by causing certain pages to be excluded from direct access. Thus, device drivers in guest operating systems are permitted to control DMA devices directly without virtualization of those devices, while each guest is prevented from using DMA devices to access pages that the guest is not permitted to access under the policy.

Citations

38 Claims

1. A system that manages the use, by a plurality of software objects, of a hardware arrangement that includes a physical address space, the system comprising:
- a security object that determines which portions of the physical address space may be accessed by said plurality of software objects based on a policy of isolation among said plurality of software objects; and
  
  an access regulator that, for each request from one of the plurality of software objects to access a portion of the physical address space, either allows or disallows the request depending on whether the security object permits access to said portion of the physical address space.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the physical address space comprises a memory.
  - 3. The system of claim 2, wherein the memory is apportioned into a plurality of pages, wherein a request from one of the plurality of software objects comprises a request to access a unit of the memory, wherein the security object determines which portions of the memory may be accessed at page-level granularity, wherein the access regulator evaluates said request based on which of the pages includes the requested unit of memory, wherein the security object maintains a vector comprising one bit for each of the plurality of pages, said security object setting a given page'"'"'s corresponding bit to a first value if said page may be accessed by said plurality of software objects, and said security object setting said given page'"'"'s corresponding bit to a second value different from said first value if said page may not be accessed by said plurality of software objects.
  - 4. The system of claim 1, wherein said access regulator comprises circuitry that accesses data provided by said security object, said data being indicative of which portions of the physical address space may be accessed by said plurality of software objects, and allows or disallows access requests based on the accessed information, said data comprising at least one of:
    - a vector that indicates, for each portion of the physical address space, whether that page may or may not be accessed;
      
      a plurality of vectors, each vector corresponding to a particular one of said plurality of software objects;
      
      a plurality of vectors, each vector corresponding to one of a plurality of devices from which a request may originate;
      
      or data or logic that implements a function that determines the allowability of an access request based on one or more parameters.
  - 5. The system of claim 1, wherein said plurality of software objects comprise at least one operating system, said operating system comprising or being associated with a driver for a direct memory access device, said driver directly controlling said device without said device being virtualized to said driver, wherein said policy comprises a requirement that there be a portion of the physical address space to which said operating system does not have access.
  - 6. The system of claim 5, wherein said security object does not include a driver for said device.
  - 7. The system of claim 1, wherein said plurality of software objects comprise a first operating system and a second operating system, and wherein said policy of isolation comprises a requirement that there be a portion of the memory that is both accessible to the second operating system and inaccessible to the first software operating system.
  - 8. The system of claim 1, wherein said security object comprises, or is included as part of, an operating system.

9. A method of supporting the concurrent operation of a first operating system and a second operating system on a hardware arrangement, the first operating system comprising software that accesses a physical address space of the hardware arrangement, the second operating system comprising software that accesses the physical address space of the hardware arrangement, the method comprising:
- allowing the first operating system direct access to the physical address space;
  
  allowing the second operating system direct access to the physical address space;
  
  maintaining a first set and a second set of units of the physical address space to which access is excluded, the first set and the second set corresponding to the first operating system and the second operating system, respectively; and
  
  blocking a request to access the physical address space when said request seeks to access a unit of the physical address space that is a member of either the first set or the second set according to whether said request originates from the first operating system or the second operating system.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein said first set includes at least one unit of the physical address space that is not included in said second set.
  - 11. The method of claim 9, wherein the memory is apportioned into a plurality of pages, wherein the first and second sets identify pages to which access is excluded, and wherein said blocking act comprises blocking said request based on whether said unit of memory is included in a page to which access is excluded.
  - 12. The method of claim 9, further comprising:
    - using either said first set or said second set to determine whether a request should be blocked, depending upon whether said first operating system or said second operating system, respectively, is currently actively running.
  - 13. The method of claim 9, wherein said blocking act determines whether to block a request as a function of one or more factors comprising at least one of the following:
    - whether the request originates with the first operating system or the second operating system;
      
      or which one of a plurality of devices the request originates from.
  - 14. The method of claim 9, wherein said blocking act determines whether to block a request as a function of one or more factors comprising:
    - a mode for which access is requested.
  - 15. The method of claim 9, wherein said first and second sets are stored in portions of the memory to which access is excluded under at least one of said first and second sets.
  - 16. The method of claim 9, wherein at least one of said first operating system and said second operating system comprises a driver for a direct memory access device, and wherein the method further comprises:
    - enforcing a policy of isolation between said first operating system and said second operating system by permitting said driver to directly control said device without virtualizing said device to said driver.

17. A computer-readable medium encoded with computer-executable instructions to perform acts comprising:
- hosting a first software object;
  
  hosting a second software object;
  
  allowing said first software object and said second software object to directly access a physical address space;
  
  isolating said first software object and said second software object from each other in accordance with a policy.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 18. The computer-readable medium of claim 17, wherein said first software object comprises a first operating system, and wherein said second software object comprises a second operating system.
  - 19. The computer-readable medium of claim 17, wherein said policy comprises a requirement that there be a portion of the memory that is both inaccessible to the first software object and accessible to the second software object.
  - 20. The computer-readable medium of claim 17, wherein said policy governs the accessibility of the physical address space to said first software object and said second software object, wherein said computer-executable instructions execute on a computing device that allows or blocks requests to access the physical address space based on the contents of an exclusion vector, and wherein said isolating act comprises:
    - setting the contents of said vector to block access to portions of said physical address space in accordance with enforcement of said policy.
  - 21. The computer-readable medium of claim 20, wherein the contest of said vector is set to allow direct memory access devices to access a buffer portion of said physical address space and is further set to block said direct memory access devices from accessing at least some other portion of said physical address space, and wherein isolating said first software object from said second software object from each other comprises:
    - allowing a direct memory access device controlled either by any of said first software object and said second software object to write to said buffer portion;
      
      receiving an indication that said first software object has written to said buffer portion; and
      
      copying the contents of said buffer portion to a portion of said physical address space that is accessible to said second software object but not to said first software object.
  - 22. The computer-readable medium of claim 21, wherein said second software object performs at least one validity test on the contents that is copied from said buffer portion.
  - 23. The computer-readable medium of claim 20, wherein said computing device allows or blocks requests to access the physical address space based on the content of the exclusion vector when said requests are made by a direct memory access device.
  - 24. The computer-readable medium of claim 20, wherein a request comprises a read request, and wherein the method further comprises:
    - after the request has been blocked, returning a predetermined value instead of the contents of the location to which access is requested.
  - 25. The computer-readable medium of claim 20, wherein said exclusion vector is stored in said physical address space, and wherein said policy comprises a requirement that said exclusion vector exclude access to portions of said physical address space in which said exclusion vector is stored.
  - 26. The computer-readable medium of claim 20, wherein said physical address space is apportioned into a plurality of pages, wherein said exclusion vector indicates with page-level granularity whether access to a portion of the physical address space is excluded, said exclusion vector consisting of one bit for each page of the physical address space wherein the bit indicates whether access to the bit'"'"'s corresponding page is excluded.
  - 27. The computer-readable medium of claim 17, wherein said first software object comprises a first operating system that comprises, or is associated with, a driver for a direct memory access device, said driver directly controlling said device without said device being virtualized to said driver, wherein said policy comprises a requirement that there be a portion of the memory to which said first operating system does not have access.

28. A security object that executes on a computing device to support the execution of plural software objects on said computing device, said computing device comprising or being associated with a direct memory access device, there being a policy that governs the accessibility of resources associated with said computing device, said security object comprising:
- logic that allows at least a first one of said plural software objects to control said direct memory access device without virtualization of said direct memory access device, and that employs a mechanism to prevent said direct memory access device from accessing the resources that are not accessible under the policy.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 29. The security object of claim 28, wherein said security object does not include a driver for said direct memory access device.
  - 30. The security object of claim 28, wherein said resources comprise a physical address space, and wherein said policy defines portions of the physical address space as being inaccessible to direct memory access devices.
  - 31. The security object of claim 28, wherein each of said plural software objects comprises an operating system.
  - 32. The security object of claim 28, wherein each of said plural software objects comprises an application program.
  - 33. The security object of claim 28, wherein said logic is incorporated in an operating system.
  - 34. The security object of claim 28, wherein said logic comprises a hardware device.
  - 35. The security object of claim 28, wherein said logic comprises software that is executable on said computing device.
  - 36. The security object of claim 28, wherein said policy defines accessibility of each of said resources as a function of the resource to which access is being requested.
  - 37. The security object of claim 36, wherein said policy defines accessibility of each of said resources further as a function of which entity is requesting to access the resource.
  - 38. The security object of claim 36, wherein said policy defines accessibility of each of said resources further as a function of which a mode in which access to a given resource is being requested.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Thornton, Andrew John, Chen, Yuqun, England, Paul, Peinado, Marcus, Willman, Bryan Mark

Granted Patent

US 7,975,117 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

G06F 12/1425   the protection being physic...

G06F 12/1483   using an access-table, e.g....

G06F 21/78   to assure secure storage of...

Enforcing isolation among plural operating systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing isolation among plural operating systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links