Method and an apparatus to implement secure system call wrappers
First Claim
1. A computer-implemented method comprising:
validating, by a system call wrapper in a computer system, a plurality of parameters of a system call directed to a kernel, the plurality of parameters supplied by a user process in a user-space in a user-space memory located outside of a kernel space of the computer system, wherein the user process defines an address space in the user-space memory for a helper process; and
upon validating the plurality of parameters, protecting, by the computer system, the plurality of parameters from being accessed by another process in the user-space, wherein protecting the plurality of parameters from being accessed by another process in the user-space comprises:
creating a separate helper process for the another process in the user-space, assigning a first identifier to the another process in the user-space and a second identifier to the separate helper process, wherein the second identifier is associated with the first identifier, and allowing only the system call wrapper to directly manipulate the separate helper process.
Abstract
Some embodiments of a method and an apparatus to implement a secure system call wrapper have been presented. In one embodiment, a system call wrapper is used to validate parameters of a system call directed to a kernel from a user-space process. The user-space process supplies the parameters of the system call. The parameters are protected from being accessed by processes in the user-space after the parameters have been validated.
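The protection step the abstract describes (validate the parameters, then keep other user-space processes from reaching them until the kernel has used them) addresses the check-to-use window that system call wrappers are exposed to when they validate memory the caller still owns. The C program below is an added example, not code from the patent or its assignee. It models that window in user space and, instead of the patent's helper-process mechanism, applies the simplest protection a wrapper can use: a private snapshot of the parameters taken before validation, so the kernel only ever sees what was checked. All names (syscall_params, wrapper_unsafe, wrapper_safe, fake_kernel_open, swap_params) and the allow/deny policy are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 64

/* Constructed parameter block for a hypothetical "open" system call. */
struct syscall_params {
    char path[PATH_MAX_LEN];
    int flags;
};

enum { FLAG_READ = 1, FLAG_WRITE = 2 };

/* Wrapper policy (constructed for the example): only paths under /allowed/
 * may be opened, and only for reading. */
static bool policy_allows(const struct syscall_params *p) {
    return strncmp(p->path, "/allowed/", 9) == 0 && p->flags == FLAG_READ;
}

/* Stand-in for the kernel: records the parameters it actually acted on. */
static struct syscall_params kernel_saw;
static int fake_kernel_open(const struct syscall_params *p) {
    memcpy(&kernel_saw, p, sizeof kernel_saw);
    return 0;
}

/* Hook standing in for "another process in the user-space" writing to the
 * caller's parameter memory between the wrapper's check and the kernel's use. */
typedef void (*tamper_fn)(struct syscall_params *user_mem);

/* Race-prone wrapper: validates the caller's memory in place, then lets the
 * kernel read that same memory again. Anything written in between is honoured
 * without ever having been checked. */
static int wrapper_unsafe(struct syscall_params *user_mem, tamper_fn tamper) {
    if (!policy_allows(user_mem)) return -1;   /* reject, e.g. EACCES */
    if (tamper) tamper(user_mem);              /* the check-to-use window */
    return fake_kernel_open(user_mem);
}

/* Hardened wrapper: snapshot the parameters into wrapper-private storage first,
 * validate the snapshot, and hand only the snapshot to the kernel. Writes to the
 * caller's memory after the check no longer influence what the kernel sees. */
static int wrapper_safe(struct syscall_params *user_mem, tamper_fn tamper) {
    struct syscall_params snap;
    memcpy(&snap, user_mem, sizeof snap);
    snap.path[PATH_MAX_LEN - 1] = '\0';        /* never trust a missing terminator */
    if (!policy_allows(&snap)) return -1;
    if (tamper) tamper(user_mem);              /* same window, now harmless */
    return fake_kernel_open(&snap);
}

/* Constructed concurrent writer: replaces the validated parameters with ones
 * the policy would have rejected. */
static void swap_params(struct syscall_params *user_mem) {
    strncpy(user_mem->path, "/forbidden/secret", PATH_MAX_LEN);
    user_mem->flags = FLAG_WRITE;
}

/* Runs one wrapper against the tampering writer and reports whether the
 * parameters the kernel acted on are ones the policy actually allows. */
static bool kernel_used_validated_params(int (*wrapper)(struct syscall_params *, tamper_fn)) {
    struct syscall_params user_mem = { "/allowed/report.txt", FLAG_READ };
    memset(&kernel_saw, 0, sizeof kernel_saw);
    if (wrapper(&user_mem, swap_params) != 0) return false;
    return policy_allows(&kernel_saw);
}

/* Both wrappers must still reject parameters that fail validation outright. */
static bool rejects_bad_params(int (*wrapper)(struct syscall_params *, tamper_fn)) {
    struct syscall_params user_mem = { "/forbidden/secret", FLAG_READ };
    return wrapper(&user_mem, NULL) == -1;
}

int main(void) {
    printf("unsafe wrapper: kernel used validated params? %s\n",
           kernel_used_validated_params(wrapper_unsafe) ? "yes" : "no");
    printf("safe wrapper:   kernel used validated params? %s\n",
           kernel_used_validated_params(wrapper_safe) ? "yes" : "no");
    return 0;
}
```

The snapshot is the minimal form of the isolation the claims describe: once the wrapper works from memory that no other user-space process can write, the order "validate, then use" is actually enforced rather than merely intended. A real wrapper running in the kernel would take the snapshot with a copy-from-user primitive and size-check it before touching any field.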
15 Citations
21 Claims
1. (Independent claim 1 is reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. An apparatus comprising:
a memory hosting a kernel, a system call wrapper, and a protection mechanism, the memory comprising a kernel space and a user-space memory, wherein the user-space memory is located outside of the kernel space memory; and
a processor, coupled to the memory, to cause the system call wrapper to validate a plurality of parameters of a system call directed to the kernel, the plurality of parameters supplied by a user process in a user-space, wherein the user process defines an address space in the user-space memory for a helper process, and to cause the protection mechanism to protect the plurality of parameters from being accessed by another process in the user-space after the system call wrapper has validated the plurality of parameters, wherein the user process defines an address space in the user-space memory for a helper process, wherein the protection mechanism comprises a process creator to create a separate helper process for the another process in the user-space, to assign a first identifier to the another process in the user-space and a second identifier to the separate helper process, and to allow only the system call wrapper to directly manipulate the separate helper process, wherein the second identifier is associated with the first identifier.
Dependent claims: 9, 10, 11, 12, 13, 14.

15. A non-transitory machine-readable storage medium embodying instructions that, when executed by a processor in a computer system, will cause the processor to perform a method comprising:
validating, by a system call wrapper in the computer system, a plurality of parameters of a system call directed to a kernel, the plurality of parameters supplied by a user process in a user-space in a user-space memory located outside of a kernel space of the computer system, wherein the user process defines an address space for a helper process in the user-space memory; and
upon validating the plurality of parameters, protecting, by the computer system, the plurality of parameters from being accessed by another process in the user-space, wherein protecting the plurality of parameters from being accessed by another process in the user-space comprises:
creating a separate helper process for the another process in the user-space, assigning a first identifier to the another process in the user-space and a second identifier to the separate helper process, wherein the second identifier is associated with the first identifier, and allowing only the system call wrapper to directly manipulate the separate helper process.
Dependent claims: 16, 17, 18, 19, 20, 21.
Specification