System, method, and computer program product for prohibiting unauthorized access to protected memory regions

US 7,266,658 B2
Filed: 09/12/2002
Issued: 09/04/2007
Est. Priority Date: 09/12/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for prohibiting unauthorized access to a protected region of memory, said method comprising the steps of:

specifying a protected region of a memory;

specifying a trusted region of said memory that is external to said protected region;

specifying a test portion of said protected region and a protected portion of said protected region;

storing a test routine in said test portion;

intercepting, by said test routine, a call that is attempting to access said protected portion;

determining an origination location of said call; and

in response to a determination that said origination location is within said trusted region, permitting said call to access said protected portion.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method, and computer program product are disclosed for prohibiting unauthorized access to a protected region of memory. A protected region of memory and a trusted region of memory are both specified. A call to access a location within the protected region of memory is received. An origination location of the call is then determined. In response to a determination that the origination location is within the trusted region, the call is permitted to access the protected region of memory. In response to a determination that the origination location is outside of the trusted region, the call is prohibited from accessing the protected region of memory.

Citations

36 Claims

1. A method for prohibiting unauthorized access to a protected region of memory, said method comprising the steps of:
- specifying a protected region of a memory;
  
  specifying a trusted region of said memory that is external to said protected region;
  
  specifying a test portion of said protected region and a protected portion of said protected region;
  
  storing a test routine in said test portion;
  
  intercepting, by said test routine, a call that is attempting to access said protected portion;
  
  determining an origination location of said call; and
  
  in response to a determination that said origination location is within said trusted region, permitting said call to access said protected portion.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method according to claim 1, further comprising the step of in response to said origination location being outside of said trusted region, prohibiting said call from accessing said protected portion.
  - 3. The method according to claim 1, further comprising the steps of:
    - creating a software routine;
      
      determining whether said software routine is authorized to access said protected portion; and
      
      in response to a determination that said software routine is authorized to access said protected portion, storing said software routine within said trusted region.
  - 4. The method according to claim 3, further comprising the step of in response to a determination that said software routine is not authorized to access said protected portion, storing said software routine outside of said trusted region.
  - 5. The method according to claim 1, further comprising the steps of:
    - creating a software routine;
      
      determining whether said software routine is to be protected from being accessed by rogue calls, said rogue calls being calls from a memory location that is outside of said trusted region;
      
      in response to a determination that said software routine is to be protected from being accessed by rogue calls, storing said software routine within said protected portion.
  - 6. The method according to claim 1, further comprising the steps of:
    - intercepting, by said test routine, all calls that attempt to access any location within said protected portion;
      
      determining, by said test routine, an origination location of each of said calls;
      
      in response to a determination by said test routine that an origination location of a first call, which attempts to access a first location within said protected portion, is within said trusted region, forwarding, by said test routine, said first call to said first location within said protected portion.
  - 7. The method according to claim 6, further comprising the step of in response to a determination by said test routine that an origination location of a first call, which attempts to access a first location within said protected portion, is outside of said trusted region, returning, by said test routine, said first call to said origination location without said first location within said protected portion being accessed.
  - 8. The method according to claim 1, further comprising the steps of:
    - creating hypervisor code for performing hypervisor functions; and
      
      storing said hypervisor code within said protected portion.
  - 9. The method according to claim 1, further comprising the step of determining an origination location of said call by determining a current value of a link register, said current value of said link register being a memory location from which said call originated.
  - 10. The method according to claim 1, further comprising the step of specifying a trusted region by specifying a starting memory location and an ending memory location, said trusted region including all memory locations from and including said starting memory location through and including said ending memory location.
  - 11. The method according to claim 1, further comprising the step of specifying a protected portion by specifying a starting memory location and an ending memory location, said protected portion including all memory locations from and including said starting memory location through and including said ending memory location.
  - 12. The method according to claim 1, further comprising the steps of:
    - specifying a trusted region by specifying a starting memory location and an ending memory location, said trusted region including all memory locations from and including said starting memory location through and including said ending memory location;
      
      determining an origination location of said call by determining a current value of a link register, said current value of said link register being a memory location from which said call originated;
      
      determining whether said memory location from which said call originated is between said starting memory location and said ending memory location;
      
      in response to a determination that said memory location from which said call originated is between said starting memory location and said ending memory locations determining that said memory location from which said call originated is within said trusted region of memory and permitting said call to access said protected portion; and
      
      in response to a determination that said memory location from which said call originated is not between said starting memory location and said ending memory location, determining that said memory location from which said call originated is outside of said trusted region and prohibiting said call from accessing said protected portion.

13. A data processing system for prohibiting unauthorized access to a protected region of memory, comprising:
- a protected region of a memory that includes a protected portion and a test portion;
  
  a trusted region of the memory that is external to said protected region;
  
  a test routine stored in said test portion;
  
  said test routine intercepting a call that is attempting to access said protected portion;
  
  said system including a CPU executing code for determining an origination location of said call; and
  
  in response to a determination that said origination location is within said trusted region, said CPU executing code for permitting said call to access said protected portion.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The system according to claim 13, further comprising in response to said origination location being outside of said trusted region, said CPU executing code for prohibiting said call from accessing said protected portion.
  - 15. The system according to claim 13, further comprising:
    - a software routine;
      
      said CPU executing code for determining whether said software routine is authorized to access said protected portion; and
      
      in response to a determination that said software routine is authorized to access said protected portion, said software routine being stored within said trusted region.
  - 16. The system according to claim 15, further comprising in response to a determination that said software routine is not authorized to access said protected portion, said software routine being stored outside of said trusted region.
  - 17. The system according to claim 13, further comprising:
    - a software routine;
      
      said CPU executing code for determining whether said software routine is to be protected from being accessed by rogue calls, said rogue calls being calls from a memory location that is outside of said trusted region;
      
      in response to a determination that said software routine is to be protected from being accessed by rogue calls, said software routine being stored within said protected portion.
  - 18. The system according to claim 13, further comprising:
    - said test routine intercepting all calls that attempt to access any location within said protected portion;
      
      said test routine determining an origination location of each of said calls;
      
      in response to a determination by said test routine that an origination location of a first call, which attempts to access a first location within said protected portion, is within said trusted region, said test routine forwarding said first call to said first location within said protected portion.
  - 19. The system according to claim 18, further comprising in response to a determination by said test routine that an origination location of a first call, which attempts to access a first location within said protected portion, is outside of said trusted region, said test routine returning said first call to said origination location without said first location within said protected portion being accessed.
  - 20. The system according to claim 13, further comprising:
    - hypervisor code for performing hypervisor functions; and
      
      said hypervisor code being stored within said protected portion.
  - 21. The system according to claim 13, further comprising the step of determining an origination location of said call by determining a current value of a link register, said current value of said link register being a memory location from which said call originated.
  - 22. The system according to claim 13, further comprising a trusted region, said trusted region being specified by specifying a starting memory location and an ending memory location, said trusted region including all memory locations from and including said starting memory location through and including said ending memory location.
  - 23. The system according to claim 13, further comprising a protected portion, said protected portion being specified by specifying a starting memory location and an ending memory location, said protected portion including all memory locations from and including said starting memory location through and including said ending memory location.
  - 24. The system according to claim 13, further comprising:
    - a trusted region, said trusted region being specified by specifying a starting memory location and an ending memory location, said trusted region including all memory locations from and including said starting memory location through and including said ending memory location;
      
      said CPU executing code for determining an origination location of said call by determining a current value of a link register, said current value of said link register being a memory location from which said call originated;
      
      said CPU executing code for determining whether said memory location from which said call originated is between and including said starting memory location and said ending memory location;
      
      in response to a determination that said memory location from which said call originated is between said starting memory location and said ending memory location, said CPU executing code for determining that said memory location from which said call originated is within said trusted region and permitting said call to access said protected portion; and
      
      in response to a determination that said memory location from which said call originated is not between and including said starting memory location and said ending memory location, said CPU executing code for determining that said memory location from which said call originated is outside of said trusted region of memory and prohibiting said call from accessing said protected portion.

25. A computer program product. which is stored in a computer readable medium, in a data processing system for prohibiting unauthorized access to a protected region of memory, comprising:
- instruction means for specifying a protected region of a memory;
  
  instruction means for specifying a trusted region of said memory that is external to said protected region;
  
  instruction means for specifying a test portion of said protected region and a protected portion of said protected region;
  
  instruction means for storing a test routine in said test portion;
  
  instruction means for intercepting, by said test routine, a call that is attempting to access said protected portion;
  
  instruction means for determining an origination location of said call; and
  
  in response to a determination that said origination location is within said trusted region, instruction means for permitting said call to access said protected portion.
- View Dependent Claims (26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 26. The product according to claim 25, further comprising in response to said origination location being outside of said trusted region, instruction means for prohibiting said call form accessing said protected portion.
  - 27. The product according to claim 25, further comprising:
    - instruction means for creating a software routine;
      
      instruction means for determining whether said software routine is authorized to access said protected portion; and
      
      in response to a determination that said software routine is authorized to access said protected portion, instruction means for storing said software routine within said trusted region.
  - 28. The product according to claim 27, further comprising in response to a determination that said software routine is not authorized to access said protected portion, instruction means for storing said software routine outside of said trusted region.
  - 29. The product according to claim 25, further comprising:
    - instruction means for creating a software routine;
      
      instruction means for determining whether said software routine is to be protected from being accessed by rogue calls, said rogue calls being calls from a memory location that is outside of said trusted region;
      
      in response to a determination that said software routine is to be protected from being accessed by rogue calls, instruction means for storing said software routine within said protected portion.
  - 30. The product according to claim 25, further comprising:
    - instruction means for intercepting, by said test routine, all calls that attempt to access any location within said protected portion;
      
      instruction means for determining, by said test routine, an origination location of each of said calls;
      
      in response to a determination by said test routine that an origination location of a first call, which attempts to access a first location within said protected portion, is within said trusted region, instruction means for forwarding, by said test routine, said first call to said first location within said protected portion.
  - 31. The product according to claim 30, further comprising in response to a determination by said test routine that an origination location of a first call, which aftempts to access a first location within said protected portion, is outside of said trusted region, instruction means for returning, by said test routine, said first call to said origination location without said first location within said protected portion being accessed.
  - 32. The product according to claim 25, further comprising:
    - instruction means for creating hypervisor code for performing hypervisor functions; and
      
      instruction means for storing said hypervisor code within said protected portion.
  - 33. The product according to claim 25, further comprising instruction means for determining an origination location of said call by determining a current value of a link register, said current value of said link register being a memory location from which said call originated.
  - 34. The product according to claim 25, further comprising instruction means for specifying a trusted region by specifying a starting memory location and an ending memory location, said trusted region including all memory locations from and including said starting memory location through and including said ending memory location.
  - 35. The product according to claim 25, further comprising instruction means for specifying a protected portion by specifying a starting memory location and an ending memory location, said protected portion including all memory locations from and including said starting memory location through and including said ending memory location.
  - 36. The product according to claim 25, further comprising:
    - instruction means for specifying a trusted region by specifying a starting memory location and an ending memory location, said trusted region including all memory locations from and including said starting memory location through and including said ending memory location;
      
      instruction means for determining an origination location of said call by determining a current value of a link register, said current value of said link register being a memory location from which said call originated;
      
      instruction means for determining whether said memory location from which said call originated is between and including said starting memory location and said ending memory location;
      
      in response to a determination that said memory location from which said call originated is between said starting memory location and said ending memory location, instruction means for determining that said memory location from which said call originated is within said trusted region and permitting said call to access said protected portion; and
      
      in response to a determination that said memory location from which said call originated is not between and including said starting memory location and said ending memory location, instruction means for determining that said memory location from which said call originated is outside of said trusted region and prohibiting said call from accessing said protected portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Harrington, Bradley Ryan, Locke, Kevin Brian
Primary Examiner(s)
Elmore; Stephen C.
Assistant Examiner(s)
KIM, DANIEL Y

Application Number

US10/242,746
Publication Number

US 20040064718A1
Time in Patent Office

1,818 Days
Field of Search

711/163, 711/173, 711/147, 711/152, 711/154, 711/170, 713/164, 713/165, 713/166, 713/189, 713/193, 709/200
US Class Current

711/163
CPC Class Codes

G06F 12/1458 by checking the subject acc...

System, method, and computer program product for prohibiting unauthorized access to protected memory regions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

System, method, and computer program product for prohibiting unauthorized access to protected memory regions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links