Method and system for designating and handling confidential memory allocations
Abstract
Methods and systems for designating and handling confidential memory allocations of virtual memory are provided in which the operating system provides a memory allocation flag that applications may use to indicate that any arbitrary area of physical memory marked with this flag may contain confidential data and should be handled accordingly. The operating system also ensures that memory allocated with this flag can be placed in physical memory. When freeing up memory, the operating system protects any data in the memory allocated with this flag. For example, the operating system may prevent the confidential memory from being swapped out to storage or from being accessible to other applications, such as debuggers. Alternatively, the operating system may encrypt any data in the confidential memory before it is swapped out to storage.
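An added example, not taken from the patent or from any operating system: a C sketch of the encrypt-before-swap alternative, in which a hypothetical `swap_out` checks a frame's confidential mark before copying it to the slower device. The struct names, the constructed key, and the use of XTEA in counter mode are assumptions; the patent names no cipher.

```c
#include <stdint.h>
#include <string.h>

#define DEMO_PAGE 64  /* constructed page size, kept small for the demo */

/* Hypothetical records: a frame in the fast device, a slot in the slower one. */
struct frame { uint8_t data[DEMO_PAGE]; int confidential; };
struct slot  { uint8_t data[DEMO_PAGE]; int encrypted; uint32_t nonce; };

/* Constructed key; a real OS would use a random key that never leaves RAM. */
static const uint32_t swap_key[4] = { 0x0badc0de, 0x5eed5eed, 0x12345678, 0x9abcdef0 };
static uint32_t next_nonce = 1;  /* fresh per write so keystream is never reused */

/* XTEA block cipher (64-bit block, 32 cycles): a stand-in, not named by the patent. */
static void xtea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += 0x9E3779B9u;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Counter mode: XOR with keystream; the same call encrypts and decrypts. */
static void ctr_xor(uint8_t *buf, uint32_t nonce) {
    for (uint32_t blk = 0; blk < DEMO_PAGE / 8; blk++) {
        uint32_t ctr[2] = { nonce, blk };
        uint8_t ks[8];
        xtea_encrypt(ctr, swap_key);
        memcpy(ks, ctr, sizeof ks);
        for (int j = 0; j < 8; j++) buf[blk * 8 + j] ^= ks[j];
    }
}

/* Copy request, fast -> slow device: check the mark, encrypt, then store. */
void swap_out(const struct frame *f, struct slot *s) {
    uint8_t bounce[DEMO_PAGE];           /* plaintext never reaches the slot */
    memcpy(bounce, f->data, DEMO_PAGE);
    s->encrypted = f->confidential;
    s->nonce = f->confidential ? next_nonce++ : 0;
    if (f->confidential) ctr_xor(bounce, s->nonce);
    memcpy(s->data, bounce, DEMO_PAGE);
}

/* Reverse path: decrypt on the way back in and restore the mark. */
void swap_in(const struct slot *s, struct frame *f) {
    memcpy(f->data, s->data, DEMO_PAGE);
    f->confidential = s->encrypted;
    if (s->encrypted) ctr_xor(f->data, s->nonce);
}
```

Unmarked frames take the same path and are stored verbatim, so the mark alone decides whether the slower device ever sees plaintext.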
8 Claims
1. A method of protecting confidential data from copying, comprising:
- storing confidential data in a confidential section of virtual memory, wherein storing the confidential data in the confidential section of virtual memory comprises:
  - mapping the confidential section of virtual memory to an address space in a first physical memory device;
  - storing the confidential data in the first physical memory device; and
  - marking the address space in the first physical memory device as having confidential data;
- receiving a request to copy data stored in the address space in the first physical memory device to a second physical memory device, wherein the second physical memory device has more capacity and slower memory access speed than the first physical memory device;
- determining that the address space in the first physical memory device has been marked as having confidential data;
- encrypting the confidential data in the address space in the first physical memory in response to determining that the address space in the first physical memory device has been marked as having confidential data; and
- storing the encrypted confidential data in the second physical memory.
5. A system for protecting confidential data from copying, comprising:
- a processing system comprising one or more processors; and
- a memory system comprising one or more computer-readable media, wherein the memory system includes at least a first physical memory device and a second physical memory device, the second physical memory device having more capacity and slower memory access speed than the first physical memory device, and wherein the computer-readable media store instructions that, when executed by the processing system, cause the processing system to perform operations comprising:
  - storing confidential data in a confidential section of virtual memory, wherein storing the confidential data in the confidential section of virtual memory comprises:
    - mapping the confidential section of virtual memory to an address space in the first physical memory device;
    - storing the confidential data in the first physical memory device; and
    - marking the address space in the first physical memory device as having confidential data;
  - receiving a request to copy data stored in the address space in the first physical memory device to the second physical memory device;
  - determining that the address space in the first physical memory device has been marked as having confidential data;
  - encrypting the confidential data in the address space in the first physical memory in response to determining that the address space in the first physical memory device has been marked as having confidential data; and
  - storing the encrypted confidential data in the second physical memory.
Specification