Method and apparatus for securing and validating paged memory system

US 20070005935A1
Filed: 06/30/2005
Published: 01/04/2007
Est. Priority Date: 06/30/2005
Status: Abandoned Application

First Claim

Patent Images

1. An apparatus comprising:

at least one host processor;

at least one virtual memory support circuit;

a service processor to monitor a state of the at least one virtual memory support circuit;

a first memory accessible to every host processor and to the service processor; and

a second memory accessible to the service processor only.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A service processor monitors the state of a physical memory and a virtual memory support circuit of a host processor. A second memory, accessible only to the service processor, stores information to permit the service processor to detect changes to pages of the physical memory. Other similar apparatus, and methods to use such apparatus, are described and claimed.

Citations

30 Claims

1. An apparatus comprising:
- at least one host processor;
  
  at least one virtual memory support circuit;
  
  a service processor to monitor a state of the at least one virtual memory support circuit;
  
  a first memory accessible to every host processor and to the service processor; and
  
  a second memory accessible to the service processor only.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The apparatus of claim 1, further comprising:
    - access control logic to control access from the at least one host processor to the first memory, wherein the access control logic is separate and distinct from the virtual memory support circuit, and wherein the access control logic is inaccessible and transparent to the at least one host processor.
  - 3. The apparatus of claim 1, further comprising:
    - a machine-readable medium containing instructions to cause the service processor to perform operations including;
      
      calculating a first hash of a first physical page of the first memory;
      
      storing the first hash in the second memory;
      
      detecting a change of the state of the at least one virtual memory support circuit;
      
      calculating a second hash of a second physical page of the first memory;
      
      comparing the second hash to the first hash; and
      
      if the first hash is not equal to the second hash, producing an alarm signal.
  - 4. The apparatus of claim 1, further comprising:
    - a mass storage device to store a hash value calculated by the service processor.
  - 5. The apparatus of claim 1, further comprising:
    - a signal generator to generate a signal to disable one of a network interface and a mass storage interface.

6. An apparatus comprising:
- a first processor;
  
  a second processor;
  
  a first means for mediating access from the first processor to a memory according to a configuration;
  
  authentication means for computing a hash of a portion of the memory;
  
  protected storage means for recording the hash so that it cannot be accessed by the first processor;
  
  confirmation means for comparing the hash of the portion of the memory to a previously-computed hash of the portion of the memory; and
  
  alarm means for signaling a failed confirmation.
- View Dependent Claims (7, 8, 9)
- - 7. The apparatus of claim 6, further comprising:
    - a second, independent means for controlling access from the first processor to a memory, the second means protected against reconfiguration by the first processor.
  - 8. The apparatus of claim 6 wherein the alarm means comprises:
    - an interrupt means for disabling the first processor.
  - 9. The apparatus of claim 6 wherein the alarm means comprises:
    - a network disconnector for disabling a network interface.

10. A method comprising:
- calculating a first hash value of a memory page;
  
  monitoring an association between a virtual memory address and the memory page;
  
  if the association between the virtual memory address and the memory page changes, calculating a second hash value of the memory page and issuing a tampering alert if the first hash value differs from the second hash value.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, further comprising:
    - arresting a processor if the association between the virtual memory address and the memory page changes; and
      
      releasing the processor if the first hash value equals the second hash value.
  - 12. The method of claim 10 wherein issuing a tampering alert comprises:
    - disabling at least one of a mass storage interface and a network interface.
  - 13. The method of claim 10 wherein issuing a tampering alert comprises:
    - contacting a security administrator through one of a modem connection and a network connection.
  - 14. The method of claim 10 wherein issuing a tampering alert comprises:
    - causing a processor to enter one of a halt, suspend, sleep, and shutdown state.
  - 15. The method of claim 10 wherein calculating a first hash value comprises:
    - computing one of a MD5 message digest, a SHA-1 hash, a SHA-256 hash, and a SHA-512 hash over a contents of a memory page.
  - 16. The method of claim 15 wherein calculating a first hash value further comprises:
    - using a random seed value to perturb a hash calculation.

17. A method comprising:
- registering a first physical page that is mapped at a virtual address of a host agent; and
  
  if a second physical page is mapped at the virtual address of the host agent, verifying the second physical page; and
  
  if a contents of the second physical page differs from a contents of the first physical page, signaling a possible tampering condition.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method of claim 17 wherein registering comprises:
    - calculating a hash of the contents of the first physical page; and
      
      storing the hash in a protected memory.
  - 19. The method of claim 17 wherein registering comprises:
    - validating a cryptographic signature of the host agent.
  - 20. The method of claim 17 wherein the first physical page is different from the second physical page.
  - 21. The method of claim 17 wherein registering comprises:
    - calculating a hash of the contents of the first physical page; and
      
      storing the hash on a mass media device.

22. A system comprising:
- a service processor;
  
  a plurality of host processors;
  
  a first memory that is accessible to the service processor and to the plurality of host processors;
  
  a second memory that is accessible to the service processor and inaccessible to the plurality of host processors; and
  
  an operating system;
  
  wherein the service processor is to calculate a first hash of a page of the first memory; and
  
  if a state of a virtual memory map is changed, the service processor calculates a second hash of the page of the first memory.
- View Dependent Claims (23, 24, 25, 26)
- - 23. The system of claim 22, further comprising:
    - a network interface;
      
      wherein if the first hash is not equal to the second hash, the service processor disables the network interface.
  - 24. The system of claim 22, further comprising:
    - a communication device;
      
      wherein if the first hash is not equal to the second hash, the service processor contacts a security administrator using the communication device.
  - 25. The system of claim 22, further comprising:
    - a mass storage device;
      
      wherein the operating system is to load data from the mass storage device into a swap-in page of the first memory; and
      
      the service processor is to calculate a hash of the swap-in page.
  - 26. The system of claim 22 wherein the operating system is one of Windows, Mac OS X, and Linux.

27. A machine-readable medium containing instructions that, when executed by a service processor, cause the service processor to perform operations comprising:
- reconstructing a state of a virtual memory support system;
  
  calculating a first hash of a contents of a first physical page that is mapped by the virtual memory support system;
  
  monitoring the virtual memory support system for changes to a mapping; and
  
  calculating a second hash of a contents of a second physical page that is mapped by the virtual memory support system.
- View Dependent Claims (28, 29, 30)
- - 28. The machine-readable medium of claim 27, containing additional instructions that, when executed by the service processor, cause the service processor to perform further operations comprising:
    - verifying a cryptographic signature of a portion of memory.
  - 29. The machine-readable medium of claim 27 wherein the first physical page is different than the second physical page;
    - and the first physical page and the second physical page are mapped at the same virtual address.
  - 30. The machine-readable medium of claim 27 wherein calculating a first hash of a contents of a first physical page comprises:
    - perturbing a hash calculation with a random seed value; and
      
      calculating one of a MD5 message digest, a SHA-1 hash, a SHA-256 hash, and a SHA-512 hash.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Khosravi, Hormuzd, Durham, David

Application Number

US11/173,301
Publication Number

US 20070005935A1
Time in Patent Office

Days
Field of Search
US Class Current

711/216
CPC Class Codes

G06F 12/08   in hierarchically structure...

G06F 12/1416   by checking the object acce...

G06F 12/145   the protection being virtua...

G06F 21/79   in semiconductor storage me...

Method and apparatus for securing and validating paged memory system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for securing and validating paged memory system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links