METHOD AND AN APPARATUS TO IMPLEMENT SECURE SYSTEM CALL WRAPPERS

US 20100218201A1
Filed: 02/26/2009
Published: 08/26/2010
Est. Priority Date: 02/26/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

validating, by a computer system, parameters of a system call directed to a kernel using a system call wrapper, the parameters supplied by a user process in user-space in a memory of the computer system; and

protecting, by the computer system, the parameters from being accessed by processes in the user-space after the parameters have been validated by the system call wrapper.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments of a method and an apparatus to a method and an apparatus to implement secure system call wrapper have been presented. In one embodiment, a system call wrapper is used to validate parameters of a system call directed to a kernel from a user-space process. The user-space process supplies the parameters of the system call. The parameters are protected from being accessed by processes in the user-space after the parameters have been validated.

Citations

21 Claims

1. A computer-implemented method comprising:
- validating, by a computer system, parameters of a system call directed to a kernel using a system call wrapper, the parameters supplied by a user process in user-space in a memory of the computer system; and
  
  protecting, by the computer system, the parameters from being accessed by processes in the user-space after the parameters have been validated by the system call wrapper.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein protecting the parameters from being accessed by processes in the user-space after the parameters have been validated by the system call wrapper comprises:
    - translating, by the computer system, the system call to be coming from a helper process of the system call wrapper; and
      
      storing the parameters of the system call within address space of the helper process in the memory.
  - 3. The method of claim 1, wherein protecting the parameters from being accessed by processes in the user-space after the parameters have been validated by the system call wrapper comprises:
    - creating, by the computer system, a helper process, separate from the system call wrapper, having address space in the memory to store the parameters; and
      
      making, by the computer system, the address space of the helper process unreadable and unwritable by the user process, except for area of the address space that is explicitly shared between the helper process and at least one of the processes in the user-space.
  - 4. The method of claim 1, further comprising:
    - forwarding, by the computer system, the system call to the kernel from a helper process separate from the user process, wherein address space of the helper process in the memory stores the parameters of the system call.
  - 5. The method of claim 1, wherein protecting the parameters from being accessed by processes in the user-space after the parameters have been validated by the system call wrapper comprises:
    - creating, by the computer system, a separate helper process for each of the processes in the user-space;
      
      assigning, by the computer system, a first identifier to a respective process in the user-space and a second identifier to a respective helper process, wherein the first identifier and the second identifier are related to each other; and
      
      allowing, by the computer system, only the system call wrapper to directly manipulate the helper process.
  - 6. The method of claim 1, wherein the system call wrapper is a kernel module within the kernel in the computer system.
  - 7. The method of claim 1, wherein the parameters comprise at least one of the following:
    - a file name, a memory address location, a device identifier, a network address, a shared memory structure, a mutual exclusion structure, a process, and a thread.

8. An apparatus comprising:
- a memory hosting a kernel, a system call wrapper, and a protection mechanism; and
  
  ;
  
  a processor, coupled to the memory, to causethe system call wrapper to validate parameters of a system call directed to the kernel, the parameters supplied by a user process in the user-space, and to causethe protection mechanism to protect the parameters from being accessed by processes in the user-space after the system call wrapper has validated the parameters.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8, wherein the protection mechanism comprises:
    - a call translator to translate the system call to be coming from a helper process of the system call wrapper and to store the parameters of the system call within address space of the helper process.
  - 10. The apparatus of claim 8, wherein the protection mechanism comprises:
    - a process creator to create a helper process, separate from the system call wrapper having address space to store the parameters, and to make the address space of the helper process unreadable and unwritable by the user process, except for area of the address space that is explicitly shared between the helper process and at least one of the processes in the user-space.
  - 11. The apparatus of claim 8, wherein the processor further causes the system call wrapper to forward the system call to the kernel from a helper process separate from the user process, wherein address space of the helper process in the memory stores the parameters of the system call.
  - 12. The apparatus of claim 8, wherein the protection mechanism comprises:
    - a process creator to create a separate helper process for each of the processes in the user-space, to assign a first identifier to a respective process in the user-space and a second identifier to a respective helper process, and to allow only the system call wrapper to directly manipulate the helper process, wherein the first identifier and the second identifier are related to each other.
  - 13. The apparatus of claim 8, wherein the system call wrapper is a kernel module within the kernel.
  - 14. The apparatus of claim 8, wherein the parameters comprise at least one of the following:
    - a file name, a memory address location, a device identifier, a network address, a shared memory structure, a mutual exclusion structure, a process, and a thread.

15. A computer-readable storage medium embodying instructions that, when executed by a processor in a computer system, will cause the processor to perform a method comprising:
- validating, by the computer system, parameters of a system call directed to a kernel using a system call wrapper, the parameters supplied by a user process in user-space in a memory of the computer system; and
  
  protecting, by the computer system, the parameters from being accessed by processes in the user-space after the parameters have been validated by the system call wrapper.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer-readable storage medium of claim 15, wherein protecting the parameters from being accessed by processes in the user-space after the parameters have been validated by the system call wrapper comprises:
    - translating, by the computer system, the system call to be coming from a helper process of the system call wrapper; and
      
      storing, by the computer system, the parameters of the system call within address space of the helper process in the memory.
  - 17. The computer-readable storage medium of claim 15, wherein protecting the parameters from being accessed by processes in the user-space after the parameters have been validated by the system call wrapper comprises:
    - creating, by the computer system, a helper process, separate from the system call wrapper having address space to store the parameters; and
      
      making, by the computer system, the address space of the helper process unreadable and unwritable by the user process, except for area of the address space that is explicitly shared between the helper process and at least one of the processes in the user-space.
  - 18. The computer-readable storage medium of claim 15, wherein the method further comprises:
    - forwarding, by the computer system, the system call to the kernel from a helper process separate from the user process, wherein address space of the helper process in the memory stores the parameters of the system call.
  - 19. The computer-readable storage medium of claim 15, wherein protecting the parameters from being accessed by processes in the user-space after the parameters have been validated by the system call wrapper comprises:
    - creating, by the computer system, a separate helper process for each of the processes in the user-space;
      
      assigning, by the computer system, a first identifier to a respective process in the user-space and a second identifier to a respective helper process, wherein the first identifier and the second identifier are related to each other; and
      
      allowing, by the computer system, only the system call wrapper to directly manipulate the helper process.
  - 20. The computer-readable storage medium of claim 15, wherein the system call wrapper is a kernel module within the kernel in the computer system.
  - 21. The computer-readable storage medium of claim 15, wherein the parameters comprise at least one of the following:
    - a file name, a memory address location, a device identifier, a network address, a shared memory structure, a mutual exclusion structure, a process, and a thread.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Schneider, James P.

Granted Patent

US 8,561,090 B2
Time in Patent Office

Days
Field of Search
US Class Current

719/330
CPC Class Codes

G06F 21/57 Certifying or maintaining t...

G06F 9/545 where tasks reside in diffe...

METHOD AND AN APPARATUS TO IMPLEMENT SECURE SYSTEM CALL WRAPPERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND AN APPARATUS TO IMPLEMENT SECURE SYSTEM CALL WRAPPERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links