System and Method for Securely Saving a Program Context to a Shared Memory

US 20080066074A1
Filed: 09/12/2006
Published: 03/13/2008
Est. Priority Date: 09/12/2006
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for securely saving a program'"'"'s context, the method comprising:

interrupting a secured program running on a special purpose processor core included in a heterogeneous processor that includes a plurality of heterogeneous processor cores including the special purpose processor core that is running in an isolation mode, wherein the isolated special purpose processor core includes a local memory that is inaccessible from other processor cores included in the heterogeneous processor while the special purpose processor core is running in the isolation mode, wherein each of the heterogeneous processor'"'"'s cores can access a shared memory;

in response to the interrupting, securely saving the secured program'"'"'s context to the shared memory, wherein the context comprises code lines and data values, the saving including;

generating a random persistent security data;

reading the code lines from the isolated special purpose processor core'"'"'s local memory;

reading the data values from the isolated special purpose processor core'"'"'s local memory;

encrypting the code lines and the data values using the generated persistent security data; and

storing the encrypted code lines and data values in the shared memory.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and program product for securely saving a program context to a shared memory is presented. A secured program running on an special purpose processor core running in isolation mode is interrupted. The isolated special purpose processor core is included in a heterogeneous processing environment, that includes purpose processors and general purpose processor cores that each access a shared memory. In isolation mode, the special purpose processor core'"'"'s local memory is inaccessible from the other heterogeneous processors. The secured program'"'"'s context is securely saved to the shared memory using a random persistent security data. The lines of code stored in the isolated special purpose processor core'"'"'s local memory are read along with data values, such as register settings, set by the secured program. The lines of code and data values are encrypted using the persistent security data, and the encrypted code lines and data values are stored in the shared memory.

Citations

23 Claims

1. A computer implemented method for securely saving a program'"'"'s context, the method comprising:
- interrupting a secured program running on a special purpose processor core included in a heterogeneous processor that includes a plurality of heterogeneous processor cores including the special purpose processor core that is running in an isolation mode, wherein the isolated special purpose processor core includes a local memory that is inaccessible from other processor cores included in the heterogeneous processor while the special purpose processor core is running in the isolation mode, wherein each of the heterogeneous processor'"'"'s cores can access a shared memory;
  
  in response to the interrupting, securely saving the secured program'"'"'s context to the shared memory, wherein the context comprises code lines and data values, the saving including;
  
  generating a random persistent security data;
  
  reading the code lines from the isolated special purpose processor core'"'"'s local memory;
  
  reading the data values from the isolated special purpose processor core'"'"'s local memory;
  
  encrypting the code lines and the data values using the generated persistent security data; and
  
  storing the encrypted code lines and data values in the shared memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - saving the generated persistent security data in a persistent storage register, wherein the persistent security data is a nonce, wherein one of the data values that is encrypted is the nonce, and wherein the encrypting is performed using a static encryption key.
  - 3. The method of claim 1 wherein the persistent security data is an encryption key used in performing the encrypting, the method further including saving the persistent security data in a persistent storage register.
  - 4. The method of claim 1 wherein at least one of the data values is a register value corresponding to a register included in the isolated special processing unit.
  - 5. The method of claim 1 wherein the isolated special processing unit includes an unprotected open memory space used for transferring data between the isolated special purpose processor core and the shared memory, the method further comprising:
    - reading the values stored in the unprotected open space memory; and
      
      writing the unprotected open space memory to the shared memory.
  - 6. The method of claim 1 further comprising:
    - retrieving a program counter corresponding to a location within the secured program where the secured program was interrupted;
      
      encrypting the program counter; and
      
      storing the encrypted program counter in the shared memory.
  - 7. The method of claim 1 further comprising:
    - after the storing;
      
      clearing the isolated special purpose processor core'"'"'s local memory, the clearing leaving the persistent storage register intact;
      
      returning the special purpose processor core to a non-isolation mode; and
      
      loading a second program in the special processing unit running in non-isolation mode, wherein the persistent storage register is only accessible when the special purpose processor core is running in isolation mode.
  - 8. The method of claim 1 further comprising:
    - inputting the encrypted code lines and data values to a signature generation function, the signature generation function resulting in an signature result; and
      
      storing the signature result in the shared memory.

9. An information handling system comprising:
- a heterogeneous processor having one or more special purpose processor cores and one or more general purpose processor cores, wherein one of the special purpose processor cores is running in an isolation mode;
  
  a shared memory accessible by the special purpose processor cores and the general purpose processor cores;
  
  a local memory corresponding to each of the plurality of heterogeneous processors, wherein the local memory corresponding to the isolated special purpose processor core is inaccessible by the other heterogeneous processors;
  
  a set of instructions stored in one of the local memories, wherein one or more of the heterogeneous processors executes the set of instructions in order to perform actions of;
  
  interrupting a secured program running on one of the special purpose processor cores that is running in an isolation mode wherein the isolated special purpose processor core includes a local memory that is inaccessible from the other heterogeneous processor cores;
  
  in response to the interrupting, securely saving the secured program'"'"'s context to the shared memory, wherein the context comprises code lines and data values, the saving including;
  
  generating a random persistent security data;
  
  reading the code lines from the isolated special purpose processor core'"'"'s local memory;
  
  reading the data values from the isolated special purpose processor core'"'"'s local memory;
  
  encrypting the code lines and the data values using the generated persistent security data; and
  
  storing the encrypted code lines and data values in the shared memory.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The information handling system of claim 9 further comprising:
    - one or more persistent storage registers, wherein each persistent storage register corresponds to one of the special purpose processor cores and wherein data stored in the persistent storage register is only accessible when the special purpose processor core is running in isolation mode, wherein the set of instructions further performs actions of;
      
      saving the generated persistent security data in the persistent storage register, wherein the persistent security data is a nonce, wherein one of the data values that is encrypted is the nonce, and wherein the encrypting is performed using a static encryption key.
  - 11. The information handling system of claim 9 further comprising:
    - one or more persistent storage registers, wherein each persistent storage register corresponds to one of the special purpose processor cores and wherein data stored in the persistent storage register is only accessible when the special purpose processor core is running in isolation mode, wherein the set of instructions further performs actions of;
      
      randomly generating an encryption key, wherein the persistent security data is the randomly generated encryption key;
      
      using the randomly generated encryption key to perform the encrypting; and
      
      saving the persistent security data in the persistent storage register.
  - 12. The information handling system of claim 9 wherein at least one of the data values is a register value corresponding to a register included in the isolated special processing unit.
  - 13. The information handling system of claim 9 further comprising:
    - an unprotected open memory space included in the isolated special processor core, the unprotected open memory space used for transferring data between the isolated special purpose processor core and the shared memory, wherein the set of instructions further performs actions of;
      
      reading the values stored in the unprotected open memory space; and
      
      writing the unprotected open memory space to the shared memory.
  - 14. The information handling system of claim 9 further comprising:
    - a program counter corresponding to a location within the secured program where the secured program was interrupted, wherein the set of instructions further performs actions of;
      
      retrieving the program counter;
      
      encrypting the program counter; and
      
      storing the encrypted program counter in the shared memory.
  - 15. The information handling system of claim 9 further comprising the set of instructions further performing actions of:
    - after the storing;
      
      clearing the isolated special purpose processor core'"'"'s local memory, the clearing leaving the persistent storage register intact;
      
      returning the isolated special purpose processor core to a non-isolation mode; and
      
      loading a second program in the special processing unit running in non-isolation mode, wherein the persistent storage register is only accessible when the special purpose processor core is running in isolation mode.
  - 16. The information handling system of claim 9 further comprising the set of instructions further performing actions of:
    - inputting the encrypted code lines and data values to a signature generation function, the signature generation function resulting in an signature result; and
      
      storing the signature result in the shared memory.

17. A computer program product stored in a computer readable medium, comprising functional descriptive material that, when executed by a information handling system, causes the information handling system to perform actions that include:
- securely saving a program'"'"'s context to a shared memory in a heterogeneous processor having one or more special purpose processor cores and one or more general purpose processor cores, wherein each of the heterogeneous processor cores can access the shared memory, the secure saving including functional descriptive material that, when executed by the information handling system, causes the information handling system to perform additional actions that include;
  
  interrupting a secured program running on one of the special purpose processor cores that is running in an isolation mode wherein the isolated special purpose processor core includes a local memory that is inaccessible from the other heterogeneous processor cores;
  
  in response to the interrupting, securely saving the secured program'"'"'s context to the shared memory, wherein the context comprises code lines and data values, the saving including;
  
  generating a random persistent security data;
  
  reading the code lines from the isolated special purpose processor core'"'"'s local memory;
  
  reading the data values from the isolated special purpose processor core'"'"'s local memory;
  
  encrypting the code lines and the data values using the generated persistent security data; and
  
  storing the encrypted code lines and data values in the shared memory.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The computer program product of claim 17 further comprising functional descriptive material that, when executed by the information handling system, causes the information handling system to perform additional actions that include:
    - saving the generated persistent security data in a persistent storage register, wherein the persistent security data is a nonce, wherein one of the data values that is encrypted is the nonce, and wherein the encrypting is performed using a static encryption key.
  - 19. The computer program product of claim 17 wherein the persistent security data is an encryption key used in performing the encrypting, the computer program product further including functional descriptive material that, when executed by the information handling system, causes the information handling system to save the persistent security data in a persistent storage register.
  - 20. The computer program product of claim 17 wherein the isolated special processing unit includes an unprotected open memory space used for transferring data between the isolated special purpose processor core and the shared memory, the computer program product further comprising functional descriptive material that, when executed by the information handling system, causes the information handling system to perform additional actions that include:
    - reading the values stored in the unprotected open space memory; and
      
      writing the unprotected open space memory to the shared memory.
  - 21. The computer program product of claim 17 further comprising functional descriptive material that, when executed by the information handling system, causes the information handling system to perform additional actions that include:
    - retrieving a program counter corresponding to a location within the secured program where the secured program was interrupted;
      
      encrypting the program counter; and
      
      storing the encrypted program counter in the shared memory.
  - 22. The computer program product of claim 17 further comprising functional descriptive material that, when executed by the information handling system, causes the information handling system to perform additional actions that include:
    - after the storing;
      
      clearing the isolated special purpose processor core'"'"'s local memory, the clearing leaving the persistent storage register intact;
      
      returning the special purpose processor core to a non-isolation mode; and
      
      loading a second program in the special processing unit running in non-isolation mode, wherein the persistent storage register is only accessible when the special purpose processor core is running in isolation mode.
  - 23. The computer program product of claim 17 further comprising functional descriptive material that, when executed by the information handling system, causes the information handling system to perform additional actions that include:
    - inputting the encrypted code lines and data values to a signature generation function, the signature generation function resulting in an signature result; and
      
      storing the signature result in the shared memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Shimizu, Kanna, Nutter, Mark Richard

Granted Patent

US 8,095,802 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/107
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/71   to assure secure computing ...

G06F 2221/2105   Dual mode as a secondary as...

System and Method for Securely Saving a Program Context to a Shared Memory

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Securely Saving a Program Context to a Shared Memory

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links