Tamper protection of software agents operating in a VT environment methods and apparatuses
First Claim
1. A method comprising:
- storing a first security domain of a first memory page of a physical device and a second security domain of a second memory page of the physical device in registers of a translation lookaside buffer of a processor of the physical device;
analyzing the first and second security domains of the first and second memory pages when an instruction of the first memory page attempts to reference or access the second memory page; and
disallowing the instruction from the first memory page to reference or access the second memory page based at least in part on the analysis of the first and second security domains.
1 Assignment
0 Petitions
Accused Products
Abstract
Methods, apparatuses, articles, and systems for comparing a first security domain of a first memory page of a physical device to a second security domain of a second memory page of the physical device, the security domains being stored in one or more registers of a processor of the physical device, are described herein. Based on the comparison, the processor disallows an instruction from the first memory page to access the second memory page if the first security domain is different from the second security domain. Resultantly, software agents, in particular, critical software agents, may be protected in a VT environment more efficiently and effectively.
-
Citations
29 Claims
-
1. A method comprising:
-
storing a first security domain of a first memory page of a physical device and a second security domain of a second memory page of the physical device in registers of a translation lookaside buffer of a processor of the physical device; analyzing the first and second security domains of the first and second memory pages when an instruction of the first memory page attempts to reference or access the second memory page; and disallowing the instruction from the first memory page to reference or access the second memory page based at least in part on the analysis of the first and second security domains. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A processor comprising:
-
a translation lookaside buffer including first and second registers to store first and second security domains of first and second memory pages of a physical device having the processor; and comparing logic coupled to the translation lookaside buffer and adapted to compare the first security domain of the first memory page to the second security domain of the second memory page, the security domains having been retrieved from the translation lookaside buffer, and not disallow an instruction from the first memory page to reference or access the second memory page if the first security domain is higher than or equal to the second security domain. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
-
-
22. An article of manufacture comprising:
-
a storage medium; and a plurality of programming instructions stored on the storage medium and adapted to instantiate a security domain assignment service of a virtual machine manager of a physical device to assign at least first and second security domains to first and second memory pages of the physical device, and store the assigned at least first and second security domains in page tables of the virtual machine manager, facilitating comparing logic of a processor of the physical device in retrieving the at least first and second security domains, the comparing logic comparing the first security domain of the first memory page to the second security domain of the second memory page, wherein an instruction of the first memory page is attempting to reference or access the second memory page, and the comparing logic not disallowing the instruction from the first memory page to reference or access the second memory page if the first security level is to the same as the second security level. - View Dependent Claims (23, 24)
-
-
25. A system comprising:
-
mass storage having stored therein at least one critical operating system component program instantiable into a critical operating system component agent; and a processor coupled to the mass storage, the processor including a translation lookaside buffer including first and second registers to store first and second security domains of first and second memory pages of the system, the second memory page having the critical operating system component agent; and comparing logic coupled to the translation lookaside buffer and adapted to compare the first security domain of the first memory page to the second security domain of the second memory page, the security domains having been retrieved from the translation lookaside buffer, and not disallow an instruction from the first memory page to access the second memory page if the first security domain is the same as the second security domain. - View Dependent Claims (26, 27, 28, 29)
-
Specification