Enforcing isolation among plural operating systems
Abstract
Plural guest operating systems run on a computer, where a security kernel enforces a policy of isolation among the guest operating systems. An exclusion vector defines a set of pages that cannot be accessed by direct memory access (DMA) devices. The security kernel enforces an isolation policy by causing certain pages to be excluded from direct access. Thus, device drivers in guest operating systems are permitted to control DMA devices directly without virtualization of those devices, while each guest is prevented from using DMA devices to access pages that the guest is not permitted to access under the policy.
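The mechanism the abstract describes (and that claims 9 and 28 below restate as per-operating-system exclusion sets and non-virtualized control of a DMA device) can be illustrated with a small simulation. The following C program is an added example, not code from the patent or its assignee: a simulated security kernel records which guest owns each physical page, derives one exclusion vector per guest from that ownership policy (a set bit means the page is off-limits to DMA devices that guest controls), and an access regulator runs every DMA request through that vector, refusing the request if any page it touches is excluded. All names, sizes and the ownership policy used here (PAGE_SHIFT, NUM_PAGES, struct security_kernel, dma_request_allowed and so on) are assumptions made for the example.

```c
/* Added example (not the patent's own code): security kernel with one
 * exclusion vector per guest and an access regulator for DMA requests.
 * Sizes and names are assumptions chosen for the simulation. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT   12                            /* 4 KiB pages */
#define PAGE_SIZE    ((uint64_t)1 << PAGE_SHIFT)
#define NUM_PAGES    64                            /* simulated physical space: 64 pages */
#define PHYS_SIZE    ((uint64_t)NUM_PAGES * PAGE_SIZE)
#define MAX_GUESTS   4
#define OWNER_KERNEL (-1)                          /* page held by the security kernel */

/* One guest operating system (a "software object" in the claims).
 * Bit p of `excluded` set => DMA devices this guest controls may not touch page p. */
struct guest {
    uint64_t excluded;        /* NUM_PAGES <= 64, so a single word suffices here */
};

/* The security object: page ownership is the isolation policy; the per-guest
 * exclusion vectors are derived from it. */
struct security_kernel {
    int owner[NUM_PAGES];
    struct guest guests[MAX_GUESTS];
    int nguests;
};

static bool sk_init(struct security_kernel *sk, int nguests)
{
    if (nguests < 1 || nguests > MAX_GUESTS)
        return false;
    memset(sk, 0, sizeof *sk);
    sk->nguests = nguests;
    for (int p = 0; p < NUM_PAGES; p++)
        sk->owner[p] = OWNER_KERNEL;
    /* Until the policy grants a page, every page is excluded for every guest. */
    for (int g = 0; g < nguests; g++)
        sk->guests[g].excluded = UINT64_MAX;
    return true;
}

/* Policy decision: grant pages [first, first+count) to guest g. Pages are never
 * shared, so a page already owned by anyone other than the kernel is refused. */
static bool sk_assign_pages(struct security_kernel *sk, int g, unsigned first, unsigned count)
{
    if (g < 0 || g >= sk->nguests)
        return false;
    if (first >= NUM_PAGES || count == 0 || count > NUM_PAGES - first)
        return false;
    for (unsigned p = first; p < first + count; p++)
        if (sk->owner[p] != OWNER_KERNEL)
            return false;
    for (unsigned p = first; p < first + count; p++)
        sk->owner[p] = g;
    return true;
}

/* Derive each guest's exclusion vector: every page the guest does not own
 * (other guests' pages and the kernel's own pages) is excluded. */
static void sk_build_exclusion_vectors(struct security_kernel *sk)
{
    for (int g = 0; g < sk->nguests; g++) {
        uint64_t vec = 0;
        for (int p = 0; p < NUM_PAGES; p++)
            if (sk->owner[p] != g)
                vec |= (uint64_t)1 << p;
        sk->guests[g].excluded = vec;
    }
}

static uint64_t sk_exclusion_vector(const struct security_kernel *sk, int g)
{
    if (g < 0 || g >= sk->nguests)
        return UINT64_MAX;    /* unknown guest: everything excluded */
    return sk->guests[g].excluded;
}

/* Access regulator: allow a DMA request from guest g for [addr, addr+len)
 * only if every page the transfer touches lies outside g's exclusion set.
 * Empty, out-of-range or overflowing requests are refused before any bit is tested. */
static bool dma_request_allowed(const struct security_kernel *sk, int g, uint64_t addr, uint64_t len)
{
    if (g < 0 || g >= sk->nguests)
        return false;
    if (len == 0 || addr >= PHYS_SIZE || len > PHYS_SIZE - addr)
        return false;
    uint64_t first = addr >> PAGE_SHIFT;
    uint64_t last  = (addr + len - 1) >> PAGE_SHIFT;   /* inclusive; < NUM_PAGES by the check above */
    for (uint64_t p = first; p <= last; p++)
        if (sk->guests[g].excluded & ((uint64_t)1 << p))
            return false;
    return true;
}

int main(void)
{
    struct security_kernel sk;
    sk_init(&sk, 2);
    sk_assign_pages(&sk, 0, 0, 16);    /* guest 0 owns pages 0..15  */
    sk_assign_pages(&sk, 1, 16, 16);   /* guest 1 owns pages 16..31; 32..63 stay with the kernel */
    sk_build_exclusion_vectors(&sk);
    printf("guest 0, own page 1:          %s\n", dma_request_allowed(&sk, 0, 0x1000, 4096) ? "allow" : "deny");
    printf("guest 0, runs into guest 1:   %s\n", dma_request_allowed(&sk, 0, 0xF000, 8192) ? "allow" : "deny");
    printf("guest 1, kernel page 32:      %s\n", dma_request_allowed(&sk, 1, 32 * PAGE_SIZE, 16) ? "allow" : "deny");
    return 0;
}
```

The regulator checks every page a transfer spans, so a request that starts inside a guest's own pages but runs past the end into another guest's page is refused as a whole, and malformed ranges are rejected before the vector is consulted. The simulation models only the policy and the decision; on real hardware the decision would be applied by whatever DMA-protection mechanism the guest's requests pass through, not by software on the data path.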
38 Claims
1. A system that manages the use, by a plurality of software objects, of a hardware arrangement that includes a physical address space, the system comprising:
a security object that determines which portions of the physical address space may be accessed by said plurality of software objects based on a policy of isolation among said plurality of software objects; and
an access regulator that, for each request from one of the plurality of software objects to access a portion of the physical address space, either allows or disallows the request depending on whether the security object permits access to said portion of the physical address space.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8.)
9. A method of supporting the concurrent operation of a first operating system and a second operating system on a hardware arrangement, the first operating system comprising software that accesses a physical address space of the hardware arrangement, the second operating system comprising software that accesses the physical address space of the hardware arrangement, the method comprising:
allowing the first operating system direct access to the physical address space;
allowing the second operating system direct access to the physical address space;
maintaining a first set and a second set of units of the physical address space to which access is excluded, the first set and the second set corresponding to the first operating system and the second operating system, respectively; and
blocking a request to access the physical address space when said request seeks to access a unit of the physical address space that is a member of either the first set or the second set according to whether said request originates from the first operating system or the second operating system.
(Dependent claims: 10, 11, 12, 13, 14, 15, 16.)
17. A computer-readable medium encoded with computer-executable instructions to perform acts comprising:
hosting a first software object;
hosting a second software object;
allowing said first software object and said second software object to directly access a physical address space;
isolating said first software object and said second software object from each other in accordance with a policy.
(Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25, 26, 27.)
28. A security object that executes on a computing device to support the execution of plural software objects on said computing device, said computing device comprising or being associated with a direct memory access device, there being a policy that governs the accessibility of resources associated with said computing device, said security object comprising:
logic that allows at least a first one of said plural software objects to control said direct memory access device without virtualization of said direct memory access device, and that employs a mechanism to prevent said direct memory access device from accessing the resources that are not accessible under the policy.
(Dependent claims: 29, 30, 31, 32, 33, 34, 35, 36, 37, 38.)
Specification