Enforcing isolation among plural operating systems
First Claim
1. A method of supporting substantially simultaneous operation of a first operating system and a second operating system on a hardware arrangement, the first operating system comprising software that accesses a physical address space of a memory of the hardware arrangement, the second operating system comprising software that accesses the physical address space of the hardware arrangement, wherein said first operating system and said second operating system comprise a driver for a direct memory access device, the method comprising:
- providing the first operating system direct access to the physical address space by using the driver when said first operating system executes on the hardware arrangement;
- providing the second operating system direct access to the physical address space by using the driver when said second operating system executes on the hardware arrangement;
- maintaining a first set of units of the physical address space which the second operating system cannot access and a second set of units of the physical address space which the first operating system cannot access;
- preventing access to the physical address space when a request seeks to access a unit of the physical address space that is a member of either the first set or the second set, according to whether said request originates from the first operating system or the second operating system, wherein said act of preventing is accomplished without the need for remapping overlapping physical address spaces; and
- enforcing a policy of isolation between said first operating system and said second operating system by permitting said driver to directly control said device without virtualizing said device to said driver.
Abstract
Plural guest operating systems run on a computer, where a security kernel enforces a policy of isolation among the guest operating systems. An exclusion vector defines a set of pages that cannot be accessed by direct memory access (DMA) devices. The security kernel enforces an isolation policy by causing certain pages to be excluded from direct access. Thus, device drivers in guest operating systems are permitted to control DMA devices directly without virtualization of those devices, while each guest is prevented from using DMA devices to access pages that the guest is not permitted to access under the policy.
16 Claims
8. A computer-readable storage medium encoded with computer-executable instructions to perform acts comprising:
- hosting a first software object, wherein said first software object comprises a first operating system that comprises, or is associated with, a driver for a direct memory access device, said driver directly controlling said device without said device being virtualized to said driver;
- hosting a second software object;
- allowing said first software object and said second software object to directly access a physical address space of a memory;
- isolating said first software object and said second software object from each other in accordance with a policy, wherein said policy comprises a requirement that there be a portion of the memory to which said first operating system does not have access;
- wherein said policy is based on an exclusion vector stored in said physical address space, and wherein said exclusion vector indicates with page-level granularity whether access to a portion of the physical address space is excluded, said exclusion vector consisting of one bit for each page of the physical address space, wherein the bit indicates whether access to the bit's corresponding page is excluded.
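The following is an added illustration, not code from the patent or its assignee, of the mechanism described in the abstract and in claims 1 and 8: a one-bit-per-page exclusion vector consulted by the security kernel on each DMA request, denying any request that touches an excluded page rather than remapping it. It assumes a toy 64-page physical address space, one exclusion vector per guest (the two disjoint "sets of units" of claim 1), and a constructed policy that also reserves one page for the security kernel itself, which neither guest may reach.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SHIFT 12
#define NUM_PAGES  64               /* constructed: 64 pages = 256 KiB of physical memory */

/* Exclusion vector: one bit per physical page; a set bit means DMA may not touch that page. */
typedef struct { uint8_t bits[NUM_PAGES / 8]; } exclusion_vector_t;

enum guest { GUEST_A = 0, GUEST_B = 1, NUM_GUESTS };

/* One exclusion vector per guest (hypothetical layout; the security kernel owns these). */
static exclusion_vector_t policy[NUM_GUESTS];

static void exclude_page(enum guest g, uint64_t page) {
    policy[g].bits[page / 8] |= (uint8_t)(1u << (page % 8));
}

static bool page_excluded(enum guest g, uint64_t page) {
    return (policy[g].bits[page / 8] >> (page % 8)) & 1u;
}

/* Security-kernel check for a DMA request issued on behalf of guest g against the physical
   range [paddr, paddr + len). The request is either passed through unchanged (no remapping)
   or refused outright if any page it spans is excluded or lies outside the address space. */
bool dma_request_allowed(enum guest g, uint64_t paddr, size_t len) {
    if (len == 0) return true;                       /* nothing to transfer */
    uint64_t first = paddr >> PAGE_SHIFT;
    uint64_t last  = (paddr + len - 1) >> PAGE_SHIFT; /* a transfer may straddle pages */
    if (last >= NUM_PAGES) return false;             /* beyond physical memory */
    for (uint64_t p = first; p <= last; p++)
        if (page_excluded(g, p)) return false;       /* member of an excluded set */
    return true;
}

/* Constructed isolation policy: pages 0-31 belong to guest A, pages 32-62 to guest B, and
   page 63 is reserved for the security kernel (e.g. the exclusion vectors themselves).
   Each guest's vector marks every page it does not own, so the two sets are disjoint. */
void setup_isolation_policy(void) {
    memset(policy, 0, sizeof policy);
    for (uint64_t p = 0; p < NUM_PAGES; p++) {
        if (p >= 32) exclude_page(GUEST_A, p);       /* A may not reach B's or the kernel's pages */
        if (p < 32 || p == 63) exclude_page(GUEST_B, p); /* B may not reach A's or the kernel's pages */
    }
}
```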