Hard Object: Hardware Protection for Software Objects

US 20080222397A1
Filed: 03/10/2008
Published: 09/11/2008
Est. Priority Date: 03/08/2007
Status: Active Grant

First Claim

Patent Images

1. A method of regulating the execution of a program by a microprocessor, said microprocessor having a plurality of data addresses, each data address having data, and said microprocessor having a plurality of instruction addresses, each instruction address having an instruction, at least one instruction being an accessing instruction for accessing data at a data address target, said microprocessorassociating an owner with a data address, where said owner is a subset of said instruction addresses,having a set-owner operation taking as arguments a data address set-owner argument and a new owner set-owner argument, said set-owner operation altering the owner associated with said data address set-owner argument to be said new owner set-owner argument,said method comprising:

when an accessing instruction at an accessing instruction address accesses data at a data address target, allowing the access if an access condition is met, otherwise issuing a fault, said access conditions comprising;

(a) said accessing instruction address is an element of the owner associated with said data address target,when said set-owner operation executes, allowing said set-owner operation if a set-owner condition is met, otherwise issuing a fault, said set-owner conditions comprising;

(a) at least one instruction of said set-owner operation is an element of the owner associated with said data address set-owner argument.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with one embodiment, additions to the standard computer microprocessor architecture hardware are disclosed comprising novel page table entry fields 015 062, special registers 021 022, instructions for modifying these fields 120 122 and registers 124 126, and hardware-implemented 038 runtime checks and operations involving these fields and registers. More specifically, in the above embodiment of a Hard Object system, there is additional meta-data 061 in each page table entry beyond what it commonly holds, and each time a data load or store is issued from the CPU, and the virtual address 032 translated to the physical address 034, the Hard Object system uses its additional PTE meta-data 061 to perform memory access checks additional to those done in current systems. Together with changes to software, these access checks can be arranged carefully to provide more fine-grain access control for data than do current systems.

103 Citations

View as Search Results

23 Claims

1. A method of regulating the execution of a program by a microprocessor, said microprocessor having a plurality of data addresses, each data address having data, and said microprocessor having a plurality of instruction addresses, each instruction address having an instruction, at least one instruction being an accessing instruction for accessing data at a data address target, said microprocessorassociating an owner with a data address, where said owner is a subset of said instruction addresses,having a set-owner operation taking as arguments a data address set-owner argument and a new owner set-owner argument, said set-owner operation altering the owner associated with said data address set-owner argument to be said new owner set-owner argument,said method comprising:
- when an accessing instruction at an accessing instruction address accesses data at a data address target, allowing the access if an access condition is met, otherwise issuing a fault, said access conditions comprising;
  
  (a) said accessing instruction address is an element of the owner associated with said data address target,when said set-owner operation executes, allowing said set-owner operation if a set-owner condition is met, otherwise issuing a fault, said set-owner conditions comprising;
  
  (a) at least one instruction of said set-owner operation is an element of the owner associated with said data address set-owner argument.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, said microprocessor furtherhaving a kernel-mode,wherein said access conditions further comprise(b) said microprocessor is in kernel mode.
  - 3. The method of claim 1, said microprocessor furtherhaving a kernel-mode,wherein said said set-owner conditions further comprise(b) said microprocessor is in kernel mode.
  - 4. The method of claim 1, said microprocessor furtherassociating an integrity-bit with said data address,having a set-integrity operation taking as arguments a data address set-integrity argument and a new integrity set-integrity argument, said set-integrity operation altering the integrity-bit associated with said data address set-integrity argument to be said new integrity set-integrity argument,said method further comprising:
    - when said set-owner operation executes, taking as an argument said data address set-owner argument, clearing to false said integrity-bit associated with said data address set-owner argument,when said set-integrity operation executes, allowing said set-integrity operation if a set-integrity condition is met, otherwise issuing a fault, said set-integrity conditions comprising;
      
      (a) at least one instruction of said set-integrity operation is an element of the owner of said data address set-integrity argument.
  - 5. The method of claim 4, said microprocessor furtherhaving a kernel-mode,wherein said said set-integrity conditions further comprise(b) said microprocessor is in kernel mode.
  - 6. The method of claim 1 said microprocessor furtherhaving a frame-pointer register and a bottom-of-stack register delimiting an accessible stack range,wherein said access conditions further comprise:
    - (b) said data address target is within said accessible stack range.
  - 7. The method of claim 1 said microprocessor furtherassociating a public-readable-bit with a data address,having a set-public-readable operation taking as arguments a data address set-public-readable argument and a new public-readable set-public-readable argument, said set-public-readable operation altering the public-readable-bit associated with said data address set-public-readable argument to be said new public-readable set-public-readable argument,wherein said access conditions further comprise:
    - (c) said public-readable-bit associated with said data address target is true and said data access is a read,said method further comprising;
      
      when said set-public-readable operation executes, allowing said set-public-readable operation if a set-public-readable condition is met, otherwise issuing a fault, said set-public-readable conditions comprising;
      
      (a) at least one instruction of said set-public-readable operation is an element of the owner of said data address set-public-readable argument.
  - 8. The method of claim 1, said microprocessor furtherhaving an association of a data page with a data address,having an association of a page table entry with a data page,having an association of a page table entry owner with a page table entry,wherein said owner associated with said data address is specified as the page table entry owner provided to the page table entry associated with said data address.
  - 9. The method of claim 1, said microprocessor furtherhaving a module-ID table associating a data module-ID with a data address,having a module meta-data table associating a module subset of instruction addresses with an instruction module-ID,wherein said step of associating an owner with a data address comprises:
    - specifying said owner of said data address as the module subset of instruction addresses associated by said module meta-data table with said instruction module-ID,where said instruction module-ID is equal to said data module-ID associated by said module-ID table with said data address.
  - 10. The method of claim 1 said microprocessor furtherhaving a privilege-master region subset of instruction addresses,wherein said access conditions further comprise(b) said accessing instruction is an element of said privilege-master region.
  - 11. The method of claim 1 said microprocessor furtherhaving a privilege-master region subset of instruction addresses,wherein said set-owner conditions further comprise(b) at least one instruction of said set-owner operation is an element of said privilege-master region.
  - 12. The method of claim 10, said microprocessor furtherhaving input/output channels for input/output operations, said input/output operations controlled by drivers, said drivers comprising a plurality of driver instruction addresses,having a system swap store,having a system swap input/output channel connected to said system swap store, where said system swap input/output channel is the only input/output channel connected to said system swap store,said method further comprising:
    - allowing an input/output operation on said system swap input/output channel only when at least one driver instruction address of said driver controlling said input/output operation is an element of said privilege-master region.

13. A method of regulating the execution of a program by a microprocessor, said microprocessor having a plurality of data addresses, each data address having data, and said microprocessor having a plurality of instruction addresses, each instruction address having an instruction, at least one instruction being an accessing instruction for accessing data at a data address target, said microprocessorhaving a permissions map associating an instruction/data address pair with a permission value, the instruction/data address pair comprising a permissions map instruction address and a permissions map data addresssaid method comprising:
- when an accessing instruction at an accessing instruction address accesses data at a data address target, allowing the access if an access condition is met, otherwise issuing a fault, said access conditions comprising;
  
  (a) said access is in accordance with a permission value from said permissions map using the accessing instruction address as the permissions map instruction address and the data address target as the permissions map data address.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The method of claim 13, said microprocessor furtherhaving a kernel-mode,wherein said access conditions further comprise(b) said microprocessor is in kernel mode.
  - 15. The method of claim 13 said microprocessor furtherhaving a plurality of permissions tables, each permissions table associating a permissions table data address with a permissions table permission value,having a protection domain map associating a protection domain map instruction address with a protection domain map permissions table,said method further comprising:
    - computing said permissions map as follows;
      
      (a) finding the protection domain map permissions table associated by said protection domain map with said permissions map instruction address, then(b) finding the permission value associated by said protection domain map permissions table found in step (a) with said permissions map data address.
  - 16. The method of claim 15 said microprocessor furtherhaving a plurality of permissions sub-tables, each said permissions sub-table comprising(a) a permissions sub-table range subset of data addresses, and(b) a permissions sub-table map associating a data address that is an element of said permissions sub-table range subset of data addresses with a permissions sub-table permission value,associating said permissions sub-table with a plurality of said permissions tables,said method of computing said permissions map further comprising the steps, between step (a) and step (b), of:
    - (a2) if said permissions map data address is an element of the permissions sub-table range of a permissions sub-table associated with said permissions table, then(i) find the permissions sub-table permission value associated by said permissions sub-table with said permissions map data address,(ii) otherwise, perform step (b).
  - 17. The method of claim 13 said microprocessor furtherassociating an owner with a data address, where said owner is a subset of said instruction addresses,having a set-owner operation taking as arguments a data address set-owner argument and a new owner set-owner argument, said set-owner operation altering the owner associated with said data address set-owner argument to be said new owner set-owner argument,having a set-permission-value operation, taking as arguments(a) a domain set-permission-value argument subset of instruction addresses,(b) a data address set-permission-value argument, and(c) a new permission value set-permission-value argument,said set-permission-value operation associating said instruction/data address pairs with said new permission value set-permission-value argument, in said permissions map, said instruction/data address pairs comprising(x) a permissions map instruction address which is an element of said domain set-permission-value argument subset of instruction addresses and(y) said data address set-permission-value argumentsaid method further comprising:
    - when said set-owner operation executes, allowing said set-owner operation if a set-owner condition is met, otherwise issuing a fault, said set-owner conditions comprising;
      
      (a) at least one instruction of said set-owner operation is an element of the owner associated with said data address set-owner argument.when said set-permission-value operation executes, allowing said set-permission-value operation if a set-permission-value condition is met, otherwise issuing a fault, said set-permission-value conditions comprising;
      
      (a) at least one instruction of said set-permission-value operation is an element of the owner associated with said data address set-permission-value argument.
  - 18. The method of claim 17, said microprocessor furtherhaving a kernel-mode,wherein said said set-owner conditions further comprise(b) said microprocessor is in kernel mode.
  - 19. The method of claim 17, said microprocessor furtherassociating an integrity-bit with said data address,having a set-integrity operation taking as arguments a data address set-integrity argument and a new integrity set-integrity argument, said set-integrity operation altering the integrity-bit associated with said data address set-integrity argument to be said new integrity set-integrity argument,said method further comprising:
    - when said set-owner operation executes, taking as an argument said data address set-owner argument, clearing to false said integrity-bit associated with said data address set-owner argument,when said set-integrity operation executes, allowing said set-integrity operation if a set-integrity condition is met, otherwise issuing a fault, said set-integrity conditions comprising;
      
      (a) at least one instruction of said set-integrity operation is an element of the owner of said data address set-integrity argument.
  - 20. The method of claim 19, said microprocessor furtherhaving a kernel-mode,wherein said said set-integrity conditions further comprise(b) said microprocessor is in kernel mode.
  - 21. The method of claim 13 said microprocessor furtherhaving a frame-pointer register and a bottom-of-stack register delimiting an accessible stack range,wherein said access conditions further comprise:
    - (b) said data address target is within said accessible stack range.

22. A computer comprising at least one microprocessor, said microprocessor having a plurality of data addresses, each data address having data, and said microprocessor having a plurality of instruction addresses, each instruction address having an instruction, at least one instruction being an accessing instruction for accessing data at a data address target, said microprocessorassociating an owner with a data address, where said owner is a subset of said instruction addresses,having a set-owner operation taking as arguments a data address set-owner argument and a new owner set-owner argument, said set-owner operation altering the owner associated with said data address set-owner argument to be said new owner set-owner argument,wherein the computer is programmed to regulate execution of a program by the microprocessor through a method comprising:
- when an accessing instruction at an accessing instruction address accesses data at a data address target, allowing the access if an access condition is met, otherwise issuing a fault, said access conditions comprising;
  
  (a) said accessing instruction address is an element of the owner associated with said data address target,when said set-owner operation executes, allowing said set-owner operation if a set-owner condition is met, otherwise issuing a fault, said set-owner conditions comprising;
  
  (a) at least one instruction of said set-owner operation is an element of the owner associated with said data address set-owner argument.
- View Dependent Claims (23)
- - 23. The computer of claim 22, in which said microprocessor furtherassociating an integrity-bit with said data address,having a set-integrity operation taking as arguments a data address set-integrity argument and a new integrity set-integrity argument, said set-integrity operation altering the integrity-bit associated with said data address set-integrity argument to be said new integrity set-integrity argument,said method further comprising:
    - when said set-owner operation executes, taking as an argument said data address set-owner argument, clearing to false said integrity-bit associated with said data address set-owner argument,when said set-integrity operation executes, allowing said set-integrity operation if a set-integrity condition is met, otherwise issuing a fault, said set-integrity conditions comprising;
      
      (a) at least one instruction of said set-integrity operation is an element of the owner of said data address set-integrity argument.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Daniel Shawcross Wilkerson, John Kubiatowicz
Original Assignee
Daniel Shawcross Wilkerson, John Kubiatowicz
Inventors
Kubiatowicz, John, Wilkerson, Daniel Shawcross

Granted Patent

US 8,364,910 B2
Time in Patent Office

Days
Field of Search
US Class Current

712/220
CPC Class Codes

G06F 12/145 the protection being virtua...

G06F 12/1483 using an access-table, e.g....

Hard Object: Hardware Protection for Software Objects

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

103 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Hard Object: Hardware Protection for Software Objects

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links