Tamper protection of software agents operating in a VT environment methods and apparatuses

US 20080082772A1
Filed: 09/29/2006
Published: 04/03/2008
Est. Priority Date: 09/29/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

storing a first security domain of a first memory page of a physical device and a second security domain of a second memory page of the physical device in registers of a translation lookaside buffer of a processor of the physical device;

analyzing the first and second security domains of the first and second memory pages when an instruction of the first memory page attempts to reference or access the second memory page; and

disallowing the instruction from the first memory page to reference or access the second memory page based at least in part on the analysis of the first and second security domains.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatuses, articles, and systems for comparing a first security domain of a first memory page of a physical device to a second security domain of a second memory page of the physical device, the security domains being stored in one or more registers of a processor of the physical device, are described herein. Based on the comparison, the processor disallows an instruction from the first memory page to access the second memory page if the first security domain is different from the second security domain. Resultantly, software agents, in particular, critical software agents, may be protected in a VT environment more efficiently and effectively.

Citations

29 Claims

1. A method comprising:
- storing a first security domain of a first memory page of a physical device and a second security domain of a second memory page of the physical device in registers of a translation lookaside buffer of a processor of the physical device;
  
  analyzing the first and second security domains of the first and second memory pages when an instruction of the first memory page attempts to reference or access the second memory page; and
  
  disallowing the instruction from the first memory page to reference or access the second memory page based at least in part on the analysis of the first and second security domains.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein said storing comprises retrieving the first and second security domains from the translation lookaside buffer and storing the retrieved first and second security domains in the registers of the translation lookaside buffer, when the reference or access is attempted.
  - 3. The method of claim 2, wherein the method further comprises retrieving the first and second security domains from a page table of a virtual machine manager of the physical device, and caching the retrieved first and second security domains in the translation lookaside buffer, and the page tables of the virtual machine manager are extended page tables comprising:
    - extended page table pointer structures, each indicating whether a security domain has been set for an associated memory page and features associated with the security domain, andextended page table entry structures storing security domains assigned to associated memory pages.
  - 4. The method of claim 3, wherein bits from a plurality of extended page table entry structures, at least some of the extended page table entry structures having different nesting levels from each other, may be used to store one security domain.
  - 5. The method of claim 1, wherein the disallowing comprises causing a page fault, and the instruction of the first memory page is disallowed to reference or access the second memory page, if the first security domain is different from the second security domain.
  - 6. The method of claim 1, wherein the method further comprises determining whether the second memory page is a hidden memory page, and the instruction of the first memory page is also disallowed to reference or access the second memory page if the second memory page is a hidden memory page.
  - 7. The method of claim 6, wherein the method further comprises determining whether the reference or access is a read or write reference or access, and, if the second memory page is not a hidden memory page, not disallowing the instruction to reference or access the second memory page if the first security domain is different from the second security domain and the reference or access is a read reference or access, and disallowing the instruction to reference or access the second memory page if the first security domain is lower than the second security domain and the reference or access is a write reference or access.
  - 8. The method of claim 1, further comprising not disallowing the instruction to reference or access the second memory page if the reference or access is one of a jump or a call to an allowed entrypoint of the second memory page, regardless of whether the first security domain is different from the second security domain.
  - 9. The method of claim 1, further comprising not disallowing the instruction to reference or access the second memory page if the second security domain is not higher privileged than at least a predetermined security domain.
  - 10. The method of claim 1, wherein the second memory page stores a critical operating system component, and the second security domain is a supervisory security domain.
  - 11. The method of claim 1, further comprising assigning, by a security domain assignment service of a virtual machine manager of the physical device, at least the first and second security domains.
  - 12. The method of claim 1, further comprising verifying integrity of an agent of a virtual machine of the physical device allocated with the first memory page by an integrity measurement module of a virtual machine manager of the physical device.

13. A processor comprising:
- a translation lookaside buffer including first and second registers to store first and second security domains of first and second memory pages of a physical device having the processor; and
  
  comparing logic coupled to the translation lookaside buffer and adapted tocompare the first security domain of the first memory page to the second security domain of the second memory page, the security domains having been retrieved from the translation lookaside buffer, andnot disallow an instruction from the first memory page to reference or access the second memory page if the first security domain is higher than or equal to the second security domain.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The processor of claim 13, wherein the security domains stored in the translation lookaside buffer were retrieved from pages tables of a virtual machine manager of the physical device, and the page tables of the virtual machine manager are extended page tables comprising:
    - extended page table pointer structures, each configured to indicate whether a security domain has been set for an associated memory page and features associated with the security domain, andextended page table entry structures configured to store security domains assigned to associated memory pages.
  - 15. The processor of claim 13, wherein the comparing logic is further adapted to cause a page fault, if the first security domain is different from the second security domain, to disallow the instruction to reference or access the second memory page.
  - 16. The processor of claim 13, wherein the comparing logic is further adapted to determine whether the second memory page is a hidden memory page, and the instruction of the first memory page is also disallowed to reference or access the second memory page if the second memory page is a hidden memory page.
  - 17. The processor of claim 16, wherein the comparing logic is further adapted to determine whether the reference or access is a read or write reference or access, and if the second memory page is not a hidden memory page, not disallow the instruction to reference or access the second memory page if the first security domain is different from the second security domain and the reference or access is a read reference or access, and disallow the instruction to reference or access the second memory page if the first security domain is different from the second security domain and the reference or access is a write reference or access.
  - 18. The processor of claim 13, wherein the comparing logic is further adapted to not disallow the instruction to reference or access the second memory page if the reference or access is one of a jump or a call to an allowed entrypoint of the second memory page, regardless of whether the first security domain is different from the second security domain.
  - 19. The processor of claim 13, wherein the second memory page stores a critical operating system component, and the second security domain of the second memory page is a supervisory security domain.
  - 20. The processor of claim 13, wherein a virtual machine manager of the physical device having the processor, operated by the processor, includes a security domain assignment service adapted to assign at least the first and second security domains.
  - 21. The processor of claim 13, wherein a virtual machine manager of the physical device having the processor, operated by the processor, includes an integrity management module adapted to verify integrity of the first memory page.

22. An article of manufacture comprising:
- a storage medium; and
  
  a plurality of programming instructions stored on the storage medium and adapted to instantiate a security domain assignment service of a virtual machine manager of a physical device toassign at least first and second security domains to first and second memory pages of the physical device, andstore the assigned at least first and second security domains in page tables of the virtual machine manager, facilitating comparing logic of a processor of the physical device in retrieving the at least first and second security domains, the comparing logic comparing the first security domain of the first memory page to the second security domain of the second memory page, wherein an instruction of the first memory page is attempting to reference or access the second memory page, and the comparing logic not disallowing the instruction from the first memory page to reference or access the second memory page if the first security level is to the same as the second security level.
- View Dependent Claims (23, 24)
- - 23. The article of claim 22, wherein the page tables of the virtual machine manager are extended page tables comprising:
    - extended page table pointer structures, each indicating whether a security domain has been set for an associated memory page and features associated with the security domain, andextended page table entry structures storing security domains assigned to associated memory pages.
  - 24. The article of claim 23, wherein the instructions are further adapted to instantiate the security domain assignment service to determine, for at least one of the at least first and second memory pages, one or more features associated with the determined security domain, and store the one or more features in an extended page table pointer structure.

25. A system comprising:
- mass storage having stored therein at least one critical operating system component program instantiable into a critical operating system component agent; and
  
  a processor coupled to the mass storage, the processor includinga translation lookaside buffer including first and second registers to store first and second security domains of first and second memory pages of the system, the second memory page having the critical operating system component agent; and
  
  comparing logic coupled to the translation lookaside buffer and adapted tocompare the first security domain of the first memory page to the second security domain of the second memory page, the security domains having been retrieved from the translation lookaside buffer, andnot disallow an instruction from the first memory page to access the second memory page if the first security domain is the same as the second security domain.
- View Dependent Claims (26, 27, 28, 29)
- - 26. The system of claim 25, wherein the security domains stored in the translation lookaside buffer were retrieved from pages tables of a virtual machine manager of the system, and the page tables of the virtual machine manager are extended page tables comprising:
    - extended page table pointer structures, each configured to indicate whether a security domain has been set for an associated memory page and features associated with the security domain, andextended page table entry structures configured to store security domains assigned to associated memory pages.
  - 27. The system of claim 25, wherein the comparing logic is further adapted to cause a page fault, if the first security domain is different from the second security domain, to disallow the instruction to reference or access the second memory page.
  - 28. The system of claim 25, wherein the comparing logic is further adapted to not disallow the instruction to reference or access the second memory page if the reference or access is one of a jump or a call to an allowed entrypoint of the second memory page, regardless of whether the first security domain is different from the second security domain.
  - 29. The system of claim 25, wherein the second security domain of the second memory page having the critical operating system component agent is a supervisory security domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Savagaonkar, Uday, Khosravi, Hormuzd, Sahita, Ravi, Durham, David

Granted Patent

US 7,882,318 B2
Time in Patent Office

Days
Field of Search
US Class Current

711/163
CPC Class Codes

G06F 12/145   the protection being virtua...

G06F 12/1491   in a hierarchical protectio...

G06F 21/54   by adding security routines...

G06F 21/6218   to a system of files or obj...

G06F 21/79   in semiconductor storage me...

G06F 2221/2141   Access rights, e.g. capabil...

Tamper protection of software agents operating in a VT environment methods and apparatuses

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Tamper protection of software agents operating in a VT environment methods and apparatuses

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links