Method and System for Providing Secure System Execution on Hardware Supporting Secure Application Execution

US 20150089502A1
Filed: 09/25/2014
Published: 03/26/2015
Est. Priority Date: 09/25/2013
Status: Active Grant

First Claim

Patent Images

1. A system for providing secure execution of an application comprising:

at least one processor and a memory;

at least one enclave, said enclave comprising a hardware-enforced protected region of an address space of the memory; and

an emulator comprising code that is executable on the at least one processor, is loaded into an emulator enclave, and emulates the functions of the application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application such as a virtual machine are executed securely using a software-based, full-system emulator within a hardware-protected enclave, such as an SGX enclave. The emulator may thereby be secure even against a malicious underlying host operating system. In some cases, paging is used to allow even a large application may run within a small enclave using paging. Where the application itself uses enclaves, these guest enclaves may themselves be emulated within an emulator enclave such that the guest enclave(s) are nested as sibling enclaves by the emulator.

Citations

20 Claims

1. A system for providing secure execution of an application comprising:
- at least one processor and a memory;
  
  at least one enclave, said enclave comprising a hardware-enforced protected region of an address space of the memory; and
  
  an emulator comprising code that is executable on the at least one processor, is loaded into an emulator enclave, and emulates the functions of the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 12, 13)
- - 2. The system of claim 1, in which the application is a virtual machine (VM) running on a host platform, which includes the processor and memory.
  - 3. The system of claim 2, in which the VM itself includes at least one guest enclave and enclave code managing the guest enclave, said emulator being further provided to emulate instructions creating and managing said guest enclave(s), whereby the at least one guest enclave is emulated within the emulator enclave such that the guest enclave(s) are nested as sibling enclaves by the emulator.
  - 4. The system of claim 2, in which the VM includes guest memory, said emulator being further provided for securely paging the guest memory to an untrusted region of the memory.
  - 5. The system of claim 3, further including a redirection module comprising code executable on the processor for redirecting execution between each guest enclave and the emulator enclave.
  - 6. The system of claim 5, in which the redirection module is loaded in an unsecured portion of memory under the control of a host operating system.
  - 7. The system of claim 1, in which the processor has an x86 processor architecture and is configured with Software Guard Extensions (SGX).
  - 12. The method of claim 3, further including redirecting execution between each guest enclave and the emulator enclave.
  - 13. The method of claim 12, in which the step of redirecting execution is directed from within an unsecured portion of memory under the control of a host operating system.

8. A method for providing secure execution of an application comprising emulating the functions of the application with emulator code running within an emulator enclave and executable on at least one processor, said emulator enclave comprising a hardware-enforced protected region of an address space of a memory.
- View Dependent Claims (9, 10, 11, 14)
- - 9. The method of claim 8, in which the application is a virtual machine (VM) running on a host platform, which includes the processor and memory.
  - 10. The method of claim 9, in which the VM itself includes at least one guest enclave and enclave code managing the guest enclave, further comprising emulating instructions creating and managing said guest enclave(s), whereby the at least one guest enclave is emulated within the emulator enclave such that the guest enclave(s) are nested as sibling enclaves by the emulator.
  - 11. The method of claim 9, in which the VM includes guest memory, further comprising securely paging the guest memory to an untrusted region of the memory.
  - 14. The method of claim 8, in which the processor has an x86 processor architecture and is configured with Software Guard Extensions (SGX).

15. A non-transitory computer-readable storage medium storing instructions, the instructions, when executed by a processor, causing the processor to securely execute an application by emulating the functions of the application with emulator code running within an emulator enclave, said emulator enclave comprising a hardware-enforced protected region of an address space of a memory.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The medium of claim 15, in which the application is a virtual machine (VM) running on a host platform, which includes the processor and memory.
  - 17. The medium of claim 16, in which the VM itself includes at least one guest enclave and enclave code managing the guest enclave, said medium further storing instructions, upon execution by the processor, causing the processor to emulate instructions creating and managing said guest enclave(s), whereby the at least one guest enclave is emulated within the emulator enclave such that the guest enclave(s) are nested as sibling enclaves by the emulator.
  - 18. The medium of claim 16, in which the VM includes guest memory, said medium further storing instructions, upon execution by the processor, causing the processor to securely page the guest memory to an untrusted region of the memory.
  - 19. The medium of claim 16, further storing instructions, upon execution by the processor, causing the processor to redirect execution using code stored unsecured portion of memory under the control of a host operating system.
  - 20. The medium of claim 15, in which the processor has an x86 processor architecture and is configured with Software Guard Extensions (SGX).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Original Assignee
PrivateCore Incorporated (Meta Platforms, Inc. (f/k/a Facebook, Inc.))
Inventors
HOROVITZ, Oded, WEIS, Stephen A., WALDSPURGER, Carl A., RIHAN, Sahil

Granted Patent

US 9,983,894 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 9/45545   Guest-host, i.e. hypervisor...

G06F 9/45558   Hypervisor-specific managem...

Method and System for Providing Secure System Execution on Hardware Supporting Secure Application Execution

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and System for Providing Secure System Execution on Hardware Supporting Secure Application Execution

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links