Tamper protection of software agents operating in a vitual technology environment methods and apparatuses

US 7,882,318 B2
Filed: 09/29/2006
Issued: 02/01/2011
Est. Priority Date: 09/29/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

assigning by a virtual machine manager disposed in a memory of a computing device and operated by a processor of the computing device, a first security domain to a first memory page of the memory of the computing device, and a second security domain to a second memory page of the memory of the computing device, wherein the virtual machine manager manages a plurality of virtual machines disposed in the memory and operated by the processor, wherein the virtual machines include a plurality of programs, and the processor is enhanced with a previous security domain register and a current security domain register;

storing by the virtual machine manager information indicative of the first security domain in a first extended page table entry structure that references the first memory page, and information indicative of the second security domain in a second extended page table entry structure that references the second memory page, the first and second extended page table entry structures being part of a page table structure managed by and disposed within the virtual machine manager;

copying by the processor, the information indicative of the first security domain and the information indicative of the second security domain to the previous security domain register and the current security domain register, respectively, if an instruction residing in the first memory page attempts to reference or access the second memory page, wherein the instruction belongs to one of the plurality of programs of the plurality of virtual machines;

comparing by the processor, using the previous security domain register and the current security domain register, the first and second security domains of the first and second memory pages; and

determining by the processor, whether to allow or to disallow the instruction from the first memory page to reference or access the second memory page based at least in part on said comparing.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatuses, articles, and systems for comparing a first security domain of a first memory page of a physical device to a second security domain of a second memory page of the physical device, the security domains being stored in one or more registers of a processor of the physical device, are described herein. Based on the comparison, the processor disallows an instruction from the first memory page to access the second memory page if the first security domain is different from the second security domain. Resultantly, software agents, in particular, critical software agents, may be protected in a virtual technology (VT) environment more efficiently and effectively.

118 Citations

View as Search Results

28 Claims

1. A method comprising:
- assigning by a virtual machine manager disposed in a memory of a computing device and operated by a processor of the computing device, a first security domain to a first memory page of the memory of the computing device, and a second security domain to a second memory page of the memory of the computing device, wherein the virtual machine manager manages a plurality of virtual machines disposed in the memory and operated by the processor, wherein the virtual machines include a plurality of programs, and the processor is enhanced with a previous security domain register and a current security domain register;
  
  storing by the virtual machine manager information indicative of the first security domain in a first extended page table entry structure that references the first memory page, and information indicative of the second security domain in a second extended page table entry structure that references the second memory page, the first and second extended page table entry structures being part of a page table structure managed by and disposed within the virtual machine manager;
  
  copying by the processor, the information indicative of the first security domain and the information indicative of the second security domain to the previous security domain register and the current security domain register, respectively, if an instruction residing in the first memory page attempts to reference or access the second memory page, wherein the instruction belongs to one of the plurality of programs of the plurality of virtual machines;
  
  comparing by the processor, using the previous security domain register and the current security domain register, the first and second security domains of the first and second memory pages; and
  
  determining by the processor, whether to allow or to disallow the instruction from the first memory page to reference or access the second memory page based at least in part on said comparing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the copying by the processor further comprising copying by the processor, the information indicative of the first and second security domains from a translation lookaside buffer and storing the information indicative of the first and second security domains into the previous security domain register and the current security domain register respectively, when the reference or access is attempted.
  - 3. The method of claim 2, further comprising retrieving the information indicative of the first and second security domains from the page table structure managed by the virtual machine manager of the computing device, and caching the retrieved information indicative of the first and second security domains in the translation lookaside buffer, wherein the page table structure includes extended page tables comprising:
    - a plurality of extended page table pointer structures, each indicating whether a security domain has been set for an associated memory page and features associated with the security domain, anda plurality of extended page table entry structures storing security domains assigned to associated memory pages.
  - 4. The method of claim 3, wherein at least some of the extended page table entry structures having different nesting levels from each other, further comprising storing information indicative of a plurality of security domains in a plurality of bits of the plurality of extended page table entry structures.
  - 5. The method of claim 1, wherein disallowing comprises causing a page fault by the processor, and the instruction of the first memory page is disallowed to reference or access the second memory page, if the first security domain is different from the second security domain.
  - 6. The method of claim 1, further comprising determining whether the second memory page is a hidden memory page, and disallowing the instruction of the first memory page to reference or access the second memory page in response to the second memory page being a hidden memory page.
  - 7. The method of claim 6, further comprising determining whether the reference or access is a read or write reference or access, and, if the second memory page is not a hidden memory page, not disallowing the instruction to reference or access the second memory page if the first security domain is different from the second security domain and the reference or access is a read reference or access, and disallowing the instruction to reference or access the second memory page if the first security domain is lower than the second security domain and the reference or access is a write reference or access.
  - 8. The method of claim 1, further comprising not disallowing the instruction to reference or access the second memory page if the reference or access is one of a jump or a call to an allowed entrypoint of the second memory page, regardless of whether the first security domain is different from the second security domain.
  - 9. The method of claim 1, further comprising not disallowing the instruction to reference or access the second memory page if the second security domain is not higher privileged than at least a predetermined security domain.
  - 10. The method of claim 1, wherein the second memory page stores at least a portion of a critical operating system component, and the second security domain is a supervisory security domain.
  - 11. The method of claim 1, wherein the assigning by the virtual machine manager is performed by a security domain assignment service of the virtual machine manager of the computing device.
  - 12. The method of claim 11, wherein the security domain assignment service is further configured to assign a supervisory security domain for base components of a virtual machine, including scheduler, loader, and memory manager of the virtual machine.
  - 13. The method of claim 1, further comprising verifying integrity of an agent of the first virtual machine of the computing device allocated with the first memory page by an integrity measurement module of a virtual machine manager of the computing device.
  - 14. The method of claim 1, wherein the information indicative of the first and second security domains are respectively stored in at least 10 bits of the first and second extended page table entry structures.
  - 15. The method of claim 1, further comprising partitioning by the virtual machine manager, a plurality of security domains into one or more logical groups associated with various levels of extended page table entry structures.
  - 16. The method of claim 1, wherein not disallowing the instruction to reference or access the second memory page at least partially in response to a determination that the reference or access is one of a jump or a call to an allowed entrypoint of the second memory page, regardless of whether the first security domain is different from the second security domain further comprises not disallowing the instruction to reference or access the second memory page in response to a determination that the reference or access is one of a jump or a call to an allowed entrypoint of the second memory page, and the second memory page is marked as executable.

17. A processor comprising:
- a translation lookaside buffer;
  
  a previous security domain register and a current security domain register coupled with the translation lookaside buffer, and configured to;
  
  copy information indicative of first and second security domains of first and second memory pages into the previous and current security domain registers, respectively, from the translation lookaside buffer, if an instruction residing in the first memory page attempts to reference or access the second memory page,wherein the first and second memory pages are memory pages of a memory coupled with the processor,wherein the information indicative of the first and second security domains are assigned to the first and second memory pages, respectively, by a virtual machine manager disposed in the memory and operated by the processor,wherein the information indicative of the first and second security domains are stored by the virtual machine manager in a first and a second extended page table entry structures that reference the first and second memory pages respectively,wherein the first and second extended page table entry structures are part of the virtual memory manager disposed in the memory and operated by the processor,wherein the memory further includes a number of virtual machines managed by the virtual machine manager, and wherein the number of virtual machines have a plurality of programs, respectively, all operated by the processor, andwherein the instruction belongs to one of the plurality of programs; and
  
  a comparing logic configured tocompare the first security domain of the first memory page to the second security domain of the second memory page, andnot disallow an instruction from the first memory page to reference or access the second memory page in response to the first security domain having a privilege level higher than or equal to the second security domain.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The processor of claim 17, wherein the first or second security domains copied from the translation lookaside buffer were retrieved and stored in the translation lookaside buffer from page tables of a virtual machine manager, and the page tables of the virtual machine manager are extended page tables managed by the virtual machine manager, comprising:
    - a plurality of extended page table pointer structures, each configured to indicate whether a security domain has been set for an associated memory page and features associated with the security domain, anda plurality of extended page table entry structures configured to store security domains assigned to associated memory pages.
  - 19. The processor of claim 17, wherein the comparing logic is further adapted to cause a page fault, if the first security domain is different from the second security domain, to disallow the instruction to reference or access the second memory page.
  - 20. The processor of claim 17, wherein the comparing logic is further adapted to determine whether the second memory page is a hidden memory page, and the instruction of the first memory page is also disallowed to reference or access the second memory page if the second memory page is a hidden memory page.
  - 21. The processor of claim 20, wherein the comparing logic is further adapted to determine whether the reference or access is a read or write reference or access, and if the second memory page is not a hidden memory page, not disallow the instruction to reference or access the second memory page if the first security domain is different from the second security domain and the reference or access is a read reference or access, and disallow the instruction to reference or access the second memory page if the first security domain is different from the second security domain and the reference or access is a write reference or access.
  - 22. The processor of claim 17, wherein the comparing logic is further adapted to not disallow the instruction to reference or access the second memory page if the reference or access is one of a jump or a call to an allowed entrypoint of the second memory page, regardless of whether the first security domain is different from the second security domain.
  - 23. The processor of claim 17, wherein the second memory page stores at least a portion of a critical operating system component, and the second security domain of the second memory page is a supervisory security domain.

24. A system comprising:
- mass storage having stored therein a virtual machine manager, and at least one critical operating system component program instantiable into a critical operating system component agent of a virtual machine; and
  
  a processor coupled to the mass storage, the processor includinga translation lookaside buffer;
  
  a previous security domain register and a current security domain register coupled to the translation lookaside buffer and configured to;
  
  copy information indicative of first and second security domains of first and second memory pages of the system into the previous and current security domain registers, respectively, from the translation lookaside buffer, if an instruction residing in the first memory page attempts to reference or access the second memory page,wherein the first and second memory pages are memory pages of a memory coupled with the processor,wherein the information indicative of the first and second security domains are assigned to the first and second memory pages, respectively, by the virtual machine manager disposed in the memory and operated by the processor,wherein the information indicative of the first and second security domains are stored by the virtual machine manager in a first and a second extended page table entry structures that reference the first and second memory pages respectively,wherein the first and second extended page table entry structures are part of a virtual memory manager disposed in the memory and operated by the processor,wherein the memory further includes a number of virtual machines having a plurality of programs, all operated by the processor,wherein the instruction belongs to one of the plurality of programs, and the second memory page having at least a portion of the critical operating system component agent of the virtual machine; and
  
  a comparing logic coupled to the registers and adapted tocompare the first security domain of the first memory page to the second security domain of the second memory page, andnot disallow an instruction from the first memory page to access the second memory page in response to the first security domain having a privilege level higher or equal to the second security domain.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The system of claim 24, wherein the first and second security domains stored in the previous and current security domain registers were copied from the translation lookaside buffer, and were cached in the translation lookaside buffer from page tables of a virtual machine manager of the system, and the page tables of the virtual machine manager are extended page tables comprising:
    - a plurality of extended page table pointer structures, each configured to indicate whether a security domain has been set for an associated memory page and features associated with the security domain, anda plurality of extended page table entry structures configured to store security domains assigned to associated memory pages.
  - 26. The system of claim 24, wherein the comparing logic is further adapted to cause a page fault, if the first security domain is different from the second security domain, to disallow the instruction to reference or access the second memory page.
  - 27. The system of claim 24, wherein the comparing logic is further adapted to not disallow the instruction to reference or access the second memory page if the reference or access is one of a jump or a call to an allowed entrypoint of the second memory page, regardless of whether the first security domain is different from the second security domain.
  - 28. The system of claim 24, wherein the critical operating system component agent is assigned a supervisory security domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Khosravi, Hormuzd, Savagaonkar, Uday, Sahita, Ravi, Durham, David
Primary Examiner(s)
Doan; Duc T

Application Number

US11/529,828
Publication Number

US 20080082772A1
Time in Patent Office

1,586 Days
Field of Search

None
US Class Current

711/163
CPC Class Codes

G06F 12/145   the protection being virtua...

G06F 12/1491   in a hierarchical protectio...

G06F 21/54   by adding security routines...

G06F 21/6218   to a system of files or obj...

G06F 21/79   in semiconductor storage me...

G06F 2221/2141   Access rights, e.g. capabil...

Tamper protection of software agents operating in a vitual technology environment methods and apparatuses

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

118 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Tamper protection of software agents operating in a vitual technology environment methods and apparatuses

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links