SYSTEMS AND METHODS FOR SECURE ASSOCIATION OF HARDWARD DEVICES

US 20080244758A1
Filed: 03/30/2007
Published: 10/02/2008
Est. Priority Date: 03/30/2007
Status: Abandoned Application

First Claim

Patent Images

1. An apparatus to protect hardware devices from malicious software attacks, comprising:

a virtual machine manager interposed between one or more operating system virtual machines and one or more hardware devices;

a memory protection module executed within the virtual machine manager to monitor the memory state of the virtual machine manager; and

an integrity measurement manager to measure and manage the integrity of one or more device drivers executed within the one or more operating system virtual machines, the device drivers accessing enumerated memory space managed by the memory protection module.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus to protect one or more hardware devices from unauthorized software access is described herein and comprises, in one embodiment, a virtual machine manager, a memory protection module and an integrity measurement manager. In a further embodiment, a method of providing secure access to one or more hardware devices may include, modifying a page table, verifying the integrity of a device driver, and providing memory protection to the device driver if the device driver is verified.

81 Citations

View as Search Results

15 Claims

1. An apparatus to protect hardware devices from malicious software attacks, comprising:
- a virtual machine manager interposed between one or more operating system virtual machines and one or more hardware devices;
  
  a memory protection module executed within the virtual machine manager to monitor the memory state of the virtual machine manager; and
  
  an integrity measurement manager to measure and manage the integrity of one or more device drivers executed within the one or more operating system virtual machines, the device drivers accessing enumerated memory space managed by the memory protection module.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, wherein the memory protection module is configured to managed the enumerated memory space by providing memory protection to the virtual machine manager.
  - 3. The apparatus of claim 2, wherein the memory protection include at least one of the following:
    - protection from modification, protection from eavesdropping, and protection from control-flow attacks.
  - 4. The apparatus of claim 1, wherein the integrity measurement module manages the integrity through the execution of instructions intended to inspect an image of the device driver in memory and compare the image with a pre-defined manifest for the device driver.
  - 5. The apparatus of claim 1, wherein the one or more hardware devices are coupled to the virtual machine manager through a bus providing an enumerated memory space that can be mapped to the memory state of the virtual machine manager.
  - 6. The apparatus of claim 1, wherein the integrity measurement manager is executed within an isolated execution environment.
  - 7. The apparatus of claim 1, wherein the integrity measurement manager is executed within the virtualization machine manager.

8. A method, comprising:
- modifying a page table so that the physical address for a hardware device is inaccessible to an operating system virtual machine;
  
  verifying the integrity of a device driver attempting to access the physical address of the hardware device; and
  
  providing memory protection and device memory registers to the device driver if the integrity is verified.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, wherein the page table is modified in response to the interception by a virtual machine manager of a configuration cycle.
  - 10. The method of claim 9, wherein the configuration cycle is a bus configuration cycle, the bus having an enumerated memory space.
  - 11. The method of claim 8, wherein providing memory protection includes at least one of the following:
    - creating a set of protected page tables, wherein the device driver is mapped to an address in the protected page tables;
      
      orusing a set of extended page tables.
  - 12. The method of claim 8, further comprising:
    - detecting a reload of the device driver and repeating.

13. A machine-readable medium having machine-executable instructions contained therein, which when executed perform the following operationsmodifying a page table so that the physical address for a hardware device is inaccessible to an operating system virtual machine;
- verifying the integrity of a device driver attempting to access the physical address of the hardware device; and
  
  providing memory protection and device memory registers to the device driver if the integrity is verified.
- View Dependent Claims (14, 15)
- - 14. The machine-readable medium of claim 13, wherein the page table is modified in response to the interception by a virtual machine manager of a configuration cycle.
  - 15. The machine-readable medium of claim 14, wherein the configuration cycle is a bus configuration cycle, the bus having an enumerated memory space.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Khosravi, Hormuzd M., Durham, David M., Savagaonkar, Uday, Sahita, Ravi

Application Number

US11/694,548
Publication Number

US 20080244758A1
Time in Patent Office

Days
Field of Search
US Class Current

726/34
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06F 21/70   Protecting specific interna...

SYSTEMS AND METHODS FOR SECURE ASSOCIATION OF HARDWARD DEVICES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

81 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR SECURE ASSOCIATION OF HARDWARD DEVICES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links