Enforcing isolation among plural operating systems

US 7,975,117 B2
Filed: 12/19/2003
Issued: 07/05/2011
Est. Priority Date: 03/24/2003
Status: Active Grant

First Claim

Patent Images

1. A method of supporting substantially simultaneous operation of a first operating system and a second operating system on a hardware arrangement, the first operating system comprising software that accesses a physical address space of a memory of the hardware arrangement, the second operating system comprising software that accesses the physical address space of the hardware arrangement wherein said first operating system and said second operating system comprises a driver for a direct memory access device, the method comprising:

providing the first operating system direct access to the physical address space by using the driver when said first operating system executes on the hardware arrangement;

providing the second operating system direct access to the physical address space by using the driver when said second operating system executes on the hardware arrangement;

maintaining a first set of units of the physical address space to which the second operating system cannot access and a second set of units of the physical address space to which the first operating system cannot access;

preventing access the physical address space when a request seeks to access a unit of the physical address space that is a member of either the first set or the second set according to whether said request originates from the first operating system or the second operating system wherein said act of preventing is accomplished without the need for remapping overlapping physical address spaces; and

enforcing a policy of isolation between said first operating system and said second operating system by permitting said driver to directly control said device without virtualizing said device to said driver.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Plural guest operating systems run on a computer, where a security kernel enforces a policy of isolation among the guest operating systems. An exclusion vector defines a set of pages that cannot be accessed by direct memory access (DMA) devices. The security kernel enforces an isolation policy by causing certain pages to be excluded from direct access. Thus, device drivers in guest operating systems are permitted to control DMA devices directly without virtualization of those devices, while each guest is prevented from using DMA devices to access pages that the guest is not permitted to access under the policy.

Citations

16 Claims

1. A method of supporting substantially simultaneous operation of a first operating system and a second operating system on a hardware arrangement, the first operating system comprising software that accesses a physical address space of a memory of the hardware arrangement, the second operating system comprising software that accesses the physical address space of the hardware arrangement wherein said first operating system and said second operating system comprises a driver for a direct memory access device, the method comprising:
- providing the first operating system direct access to the physical address space by using the driver when said first operating system executes on the hardware arrangement;
  
  providing the second operating system direct access to the physical address space by using the driver when said second operating system executes on the hardware arrangement;
  
  maintaining a first set of units of the physical address space to which the second operating system cannot access and a second set of units of the physical address space to which the first operating system cannot access;
  
  preventing access the physical address space when a request seeks to access a unit of the physical address space that is a member of either the first set or the second set according to whether said request originates from the first operating system or the second operating system wherein said act of preventing is accomplished without the need for remapping overlapping physical address spaces; and
  
  enforcing a policy of isolation between said first operating system and said second operating system by permitting said driver to directly control said device without virtualizing said device to said driver.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said first set includes at least one unit of the physical address space that is not included in said second set.
  - 3. The method of claim 1, wherein the memory is apportioned into a plurality of pages, wherein the first and second sets identify pages to which access is excluded, and wherein said preventing access act comprises blocking said request based on whether said unit of physical address space is included in a page to which access is excluded.
  - 4. The method of claim 1, further comprising:
    - using either said first set or said second set to determine whether a request should be blocked, depending upon whether said first operating system or said second operating system, respectively, is currently actively running.
  - 5. The method of claim 1, wherein said blocking act determines whether to block a request as a function of one or more factors comprising at least one of the following:
    - whether the request originates with the first operating system or the second operating system;
      
      orwhich one of a plurality of devices the request originates from.
  - 6. The method of claim 1, wherein said blocking act determines whether to block a request as a function of one or more factors comprising:
    - a mode for which access is requested.
  - 7. The method of claim 1, wherein said first and second sets are stored in portions of the memory to which access is excluded under at least one of said first and second sets.

8. A computer-readable storage medium encoded with computer-executable instructions to perform acts comprising:
- hosting a first software object wherein said first software object comprises a first operating system that comprises, or is associated with, a driver for a direct memory access device, said driver directly controlling said device without said device being virtualized to said driver;
  
  hosting a second software object;
  
  allowing said first software object and said second software object to directly access a physical address space of a memory;
  
  isolating said first software object and said second software object from each other in accordance with a policy wherein said policy comprises a requirement that there be a portion of the memory to which said first operating system does not have access;
  
  wherein said policy is based on an exclusion vector stored in said physical address space, and wherein said exclusion vector indicates with page-level granularity whether access to a portion of the physical address space is excluded, said exclusion vector consisting of one bit for each page of the physical address space wherein the bit indicates whether access to the bit'"'"'s corresponding page is excluded.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The computer-readable storage medium of claim 8, wherein said second software object comprises a second operating system.
  - 10. The computer-readable storage medium of claim 8, wherein said policy comprises a requirement that there be a portion of the memory that is both inaccessible to the first software object and accessible to the second software object.
  - 11. The computer-readable storage medium of claim 8, wherein said policy governs the accessibility of the physical address space to said first software object and said second software object, wherein said computer-executable instructions execute on a computing device that allows or blocks requests to access the physical address space based on contents of an exclusion vector, and wherein said isolating act comprises:
    - setting the contents of said exclusion vector to block access to portions of said physical address space in accordance with enforcement of said policy.
  - 12. The computer-readable storage medium of claim 11, wherein the contents of said vector are set to allow direct memory access devices to access a buffer portion of said physical address space and is further set to block said direct memory access devices from accessing at least some other portion of said physical address space, and wherein isolating said first software object from said second software object from each other comprises:
    - allowing a direct memory access device controlled either by any of said first software object and said second software object to write to said buffer portion;
      
      receiving an indication that said first software object has written to said buffer portion; and
      
      copying the contents of said buffer portion to a portion of said physical address space that is accessible to said second software object but not to said first software object.
  - 13. The computer-readable storage medium of claim 12, wherein said second software object performs at least one validity test on the contents that is copied from said buffer portion.
  - 14. The computer-readable storage medium of claim 11, wherein said computing device allows or blocks requests to access the physical address space based on the content of the exclusion vector when said requests are made by a direct memory access device.
  - 15. The computer-readable storage medium of claim 11, wherein a request comprises a read request, and wherein the method further comprises:
    - after the request has been blocked, returning a predetermined value instead of the contents of the location to which access is requested.
  - 16. The computer-readable storage medium of claim 11, wherein said exclusion vector is stored in said physical address space, and wherein said policy comprises a requirement that said exclusion vector exclude access to portions of said physical address space in which said exclusion vector is stored.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Willman, Bryan Mark, Thornton, Andrew John, Chen, Yuqun, England, Paul, Peinado, Marcus
Primary Examiner(s)
Elmore; Reba I

Application Number

US10/741,629
Publication Number

US 20040205203A1
Time in Patent Office

2,755 Days
Field of Search

711/153, 711/163
US Class Current

711/163
CPC Class Codes

G06F 12/1425   the protection being physic...

G06F 12/1483   using an access-table, e.g....

G06F 21/78   to assure secure storage of...

Enforcing isolation among plural operating systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcing isolation among plural operating systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links