Enabling byte-code based image isolation

US 20090300370A1
Filed: 05/30/2008
Published: 12/03/2009
Est. Priority Date: 05/30/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

initializing a bytecode driver and setting an extensible policy mechanism to protect at least one root data structure including a page table;

interpreting a bytecode of a pre-boot driver associated with a memory access in a byte code interpreter and mapping between a virtual address and a physical address of a memory page of the memory access, wherein the physical address is to be accessed using a page directory entry of a page directory and a page table entry of the page table; and

controlling access to the memory page based on a plurality of protection bits of the page table entry of the page table.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, the present invention includes a method for setting an extensible policy mechanism to protect a root data structure including a page table, interpreting a bytecode of a pre-boot driver in a byte code interpreter, and controlling access to a memory location based on the extensible policy mechanism. Other embodiments are described and claimed.

20 Citations

View as Search Results

15 Claims

1. A method comprising:
- initializing a bytecode driver and setting an extensible policy mechanism to protect at least one root data structure including a page table;
  
  interpreting a bytecode of a pre-boot driver associated with a memory access in a byte code interpreter and mapping between a virtual address and a physical address of a memory page of the memory access, wherein the physical address is to be accessed using a page directory entry of a page directory and a page table entry of the page table; and
  
  controlling access to the memory page based on a plurality of protection bits of the page table entry of the page table.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising setting the extensible policy mechanism to protect a data structure of the pre-boot driver responsive to a request of the pre-boot driver, wherein the pre-boot driver is cryptographically signed.
  - 3. The method of claim 2, further comprising allocating the memory page to an exclusion list by writing a predetermined code in the plurality of protection bits of the associated page table entry.
  - 4. The method of claim 3, further comprising preventing access to the memory page by code other than the pre-boot driver if the memory page is allocated in the exclusion list.
  - 5. The method of claim 4, further comprising preventing access to the memory page by the pre-boot driver if the pre-boot driver is not cryptographically signed.
  - 6. The method of claim 1, further comprising performing the mapping between the virtual address and the physical address with a non-1:
    - 1 mapping to provide a false address to malware.

7. An article comprising a machine-accessible storage medium including instructions that when executed cause a system to:
- initialize a bytecode driver and set an extensible policy mechanism to protect at least one root data structure including a page table;
  
  interpret a bytecode of a pre-boot driver associated with a memory access in a byte code interpreter and map between a virtual address and a physical address of a memory page of the memory access, wherein the physical address is to be accessed using a page directory entry of a page directory and a page table entry of the page table; and
  
  control access to the memory page based on a plurality of protection bits of the page table entry of the page table.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The article of claim 7, further comprising instructions that when executed enable the system to set the extensible policy mechanism to protect a data structure of the pre-boot driver responsive to a request of the pre-boot driver, wherein the pre-boot driver is cryptographically signed.
  - 9. The article of claim 8, further comprising instructions that when executed enable the system to allocate the memory page to an exclusion list by writing a predetermined code in the plurality of protection bits of the associated page table entry.
  - 10. The article of claim 9, further comprising instructions that when executed enable the system to prevent access to the memory page by code other than the pre-boot driver if the memory page is allocated in the exclusion list.
  - 11. The article of claim 7, further comprising instructions that when executed enable the system to perform the mapping between the virtual address and the physical address with a non-1:
    - 1 mapping to provide a false address to malware.

12. A system comprising:
- a processor; and
  
  a memory coupled to the processor to store instructions to cause the processor to initialize a bytecode driver and set an extensible policy mechanism to protect at least one root data structure including a page table, interpret a bytecode of a pre-boot driver associated with a memory access to a memory page via a byte code interpreter, and prior to allowing the memory access, determine whether the pre-boot driver is allowed to access to the memory page based on a plurality of protection bits of a page table entry of a page table associated with the memory page.
- View Dependent Claims (13, 14, 15)
- - 13. The system of claim 12, wherein the memory further includes instructions to set the extensible policy mechanism to protect a data structure of the pre-boot driver responsive to a request of the pre-boot driver, wherein the pre-boot driver is cryptographically signed.
  - 14. The system of claim 13, wherein the memory further includes instructions to allocate the memory page to an exclusion list by writing a predetermined code in the plurality of protection bits of the associated page table entry.
  - 15. The system of claim 12, wherein the memory further includes instructions to perform mapping between a virtual address and a physical address of the memory page with a non-1:
    - 1 mapping to provide a false address to malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Yao, Jiewen, Zimmer, Vincent J., Cui, Liang, Long, Qin

Granted Patent

US 8,327,415 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/193
CPC Class Codes

G06F 12/145 the protection being virtua...

Enabling byte-code based image isolation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Enabling byte-code based image isolation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links