Method and system for designating and handling confidential memory allocations

US 20070208954A1
Filed: 02/28/2006
Published: 09/06/2007
Est. Priority Date: 02/28/2006
Status: Active Grant

First Claim

Patent Images

1. A method of protecting confidential data, said method comprising:

receiving a request to allocate space in a virtual memory for confidential data;

marking a portion of the virtual memory as confidential;

determining if a portion of a physical memory has been assigned for the confidential portion of the virtual memory; and

marking the portion of the physical memory that has been assigned for the confidential portion of the virtual memory as having confidential data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide methods and systems for designating and handling confidential memory allocations of virtual memory. In particular, the operating system provides a memory allocation flag that applications may use to indicate any arbitrary area of physical memory marked with this flag may contain confidential data and should be handled accordingly. The operating system also ensures that memory allocated with this flag can be placed in physical memory. When freeing up memory, the operating system protects any data in the memory allocated with this flag. For example, the operating system may prevent the confidential memory from being swapped out to storage or from being accessible to other applications, such as a debuggers. Alternatively, the operating system may encrypt any data in the confidential memory before it is swapped out to storage.

Citations

24 Claims

1. A method of protecting confidential data, said method comprising:
- receiving a request to allocate space in a virtual memory for confidential data;
  
  marking a portion of the virtual memory as confidential;
  
  determining if a portion of a physical memory has been assigned for the confidential portion of the virtual memory; and
  
  marking the portion of the physical memory that has been assigned for the confidential portion of the virtual memory as having confidential data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein receiving the request to allocate confidential space in the virtual memory comprises receiving data that is marked with a flag indicating that it contains confidential data.
  - 3. The method of claim 1, further comprising:
    - determining if the physical memory has space available for the confidential portion of virtual memory; and
      
      allocating the confidential portion to the physical memory only when space is available in the physical memory.
  - 4. The method of claim 1, further comprising preventing the confidential portion stored in the physical memory from being written to a storage device.
  - 5. The method of claim 1, further comprising preventing the confidential portion stored in the physical memory from being written to a socket.
  - 6. The method of claim 1, further comprising:
    - detecting when contents of the physical memory are being written to a storage device during a core dump; and
      
      preventing the confidential portion stored in the physical memory from being included in the core dump.
  - 7. The method of claim 1, further comprising:
    - detecting when contents of the virtual memory are being written to a storage device during a core dump; and
      
      preventing the confidential portion of the virtual memory from being included in the core dump.
  - 8. The method of claim 1, further comprising:
    - determining when at some of the confidential portion stored in the physical memory has been selected for eviction to a storage device; and
      
      encrypting data in the confidential portion prior to eviction to the storage device.
  - 9. An apparatus comprising means that are configured to perform the method of claim 1.
  - 10. A computer readable medium comprising executable instructions for performing the method of claim 1.

11. A method of protecting data allocated to a confidential area of virtual memory that is stored in physical memory, said method comprising:
- detecting when contents of the physical memory are being written to another location;
  
  identifying contents of the physical memory that correspond to data allocated to the confidential area of the virtual memory; and
  
  protecting the identified contents of the physical memory.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 12. The method of claim 11, wherein detecting when contents of the physical memory are being written to another location comprises detecting when contents of the physical memory are being written to socket.
  - 13. The method of claim 11, wherein detecting when contents of the physical memory are being written to another location comprises detecting when contents of the physical memory are being written to a storage device for a core dump.
  - 14. The method of claim 13, further comprising preventing the contents of the physical memory that correspond to data allocated to the confidential area of the virtual memory from being written to the storage device during the core dump.
  - 15. The method of claim 11, wherein detecting when contents of the physical memory are being written to another location comprises detecting when contents of the physical memory are being written to a storage device for transition into a power-saving mode.
  - 16. The method of claim 15, further comprising preventing the contents of the physical memory that correspond to data allocated to the confidential area of the virtual memory from being written to the storage device during the transition into the power-saving mode.
  - 17. The method of claim 11, wherein protecting the identified contents of the physical memory comprises preventing the identified contents from being written to a storage device.
  - 18. The method of claim 11, wherein protecting the identified contents of the physical memory comprises encrypting the identified contents before they are written to a storage device.
  - 19. The method of claim 11, wherein protecting the identified contents of the physical memory comprises preventing the identified contents from being accessible to a debugger.
  - 20. The method of claim 11, further comprising providing a warning message when the identified contents have been written another location.
  - 21. The method of claim 11, wherein protecting the identified contents of the physical memory comprises terminating a process using the identified contents when the process is being suspended.
  - 22. The method of claim 21, further comprising resuming the process and notifying the process that its identified contents that correspond to data allocated to the confidential area of the virtual memory was discarded during the suspension of the process.
  - 23. An apparatus comprising means that are configured to perform the method of claim 11.
  - 24. A computer readable medium comprising computer readable instructions for performing the method of claim 11.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Van Riel, Henri, Cox, Alan

Granted Patent

US 8,190,914 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 12/023   Free address space management

G06F 12/08   in hierarchically structure...

G06F 12/126   with special data handling,...

G06F 12/145   the protection being virtua...

G06F 21/78   to assure secure storage of...

Method and system for designating and handling confidential memory allocations

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for designating and handling confidential memory allocations

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links