Method and system for process working set isolation
Abstract
Embodiments of the systems and methods disclosed herein may isolate the working set of a process such that the data of the working set is inaccessible to other processes, even after the original process terminates. More specifically, in certain embodiments, the working set of an executing process may be stored in cache, and any cache line that is written to while in secure mode may be associated with a secure descriptor for the currently executing process. The secure descriptor may uniquely identify those cache lines as belonging to the executing secure process, such that access to those cache lines can be restricted to only that process.
21 Claims
1. A system, comprising:
- a processor;
- a memory;
- a secret key stored in hardware;
- a cache having one or more lines comprising data of one or more processes executed on the processor in a secure mode; and
- a secure execution controller configured to control access to a first line of the cache using a first secure descriptor based on the secret key and associated with a first process, such that only the first process can access the first line of the cache, and to control access to a second line of the cache using a second secure descriptor based on the secret key and associated with a second process, such that only the second process can access the second line of the cache, wherein the first secure descriptor and the second secure descriptor are different secure descriptors.

Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method, comprising:
- executing one or more processes on a processor in a secure mode;
- storing data in one or more lines of a cache, wherein the data was stored in a first line of the cache by a first process executed on the processor in the secure mode and in a second line of the cache by a second process executed on the processor in the secure mode; and
- controlling access to the first line of the cache using a first secure descriptor associated with the first process, such that only the first process can access the first line of the cache, and controlling access to the second line of the cache using a second secure descriptor associated with the second process, such that only the second process can access the second line of the cache, wherein the first secure descriptor and the second secure descriptor are different secure descriptors and are based on a secret key stored in hardware on a system comprising the processor and the cache.

Dependent claims: 9, 10, 11, 12, 13, 14.
15. A non-transitory computer readable medium, comprising instructions for:
- executing one or more processes on a processor in a secure mode;
- storing data in one or more lines of a cache, wherein the data was stored in a first line of the cache by a first process executed on the processor in the secure mode and in a second line of the cache by a second process executed on the processor in the secure mode; and
- controlling access to the first line of the cache using a first secure descriptor associated with the first process, such that only the first process can access the first line of the cache, and controlling access to the second line of the cache using a second secure descriptor associated with the second process, such that only the second process can access the second line of the cache, wherein the first secure descriptor and the second secure descriptor are different secure descriptors and are based on a secret key stored in hardware on a system comprising the processor and the cache.

Dependent claims: 16, 17, 18, 19, 20, 21.
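The per-line isolation described in the abstract and the independent claims, as an added software model that is not the patent's own design: each cache line carries the secure descriptor of the process that wrote it in secure mode, and the controller refuses access from any other process, including after the owner has terminated. The 4-line cache, the process ids, the constructed key value and the toy keyed mix used to derive a descriptor are all assumptions (a real controller would use a proper keyed hash of the hardware key).

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#define CACHE_LINES 4
#define NO_DESCRIPTOR 0ULL  /* line was not written in secure mode */
static const uint64_t HW_SECRET_KEY = 0x9E3779B97F4A7C15ULL; /* constructed, stands in for the hardware key */
typedef struct { uint64_t descriptor; uint32_t data; } cache_line_t;
static cache_line_t cache[CACHE_LINES];

/* Secure descriptor for a process: a toy keyed mix of the secret key and the
 * process id (assumption; a real controller would use a proper keyed hash). */
uint64_t secure_descriptor(uint32_t pid) {
    uint64_t x = HW_SECRET_KEY ^ ((uint64_t)pid * 0xBF58476D1CE4E5B9ULL);
    x ^= x >> 31; x *= 0x94D049BB133111EBULL; x ^= x >> 29;
    return x ? x : 1;  /* never collide with NO_DESCRIPTOR */
}

/* An untagged line is open to everyone; a tagged line belongs to one process. */
static bool may_access(uint32_t pid, unsigned line) {
    return line < CACHE_LINES &&
           (cache[line].descriptor == NO_DESCRIPTOR ||
            cache[line].descriptor == secure_descriptor(pid));
}

/* Write by `pid`; in secure mode the line is tagged with pid's descriptor. */
bool cache_write(uint32_t pid, bool secure_mode, unsigned line, uint32_t value) {
    if (!may_access(pid, line)) return false;
    cache[line].descriptor = secure_mode ? secure_descriptor(pid) : NO_DESCRIPTOR;
    cache[line].data = value;
    return true;
}

/* Read by `pid`; a tagged line is only returned to its owning process. */
bool cache_read(uint32_t pid, unsigned line, uint32_t *out) {
    if (!may_access(pid, line)) return false;
    *out = cache[line].data;
    return true;
}
/* Scenario from the abstract: process 1 writes a line in secure mode and then
 * terminates; process 2 still cannot read or overwrite it. True if isolation holds. */
bool isolation_holds(void) {
    memset(cache, 0, sizeof cache);
    uint32_t v = 0;
    if (!cache_write(1, true, 0, 0xCAFE)) return false;
    if (!cache_read(1, 0, &v) || v != 0xCAFE) return false;  /* owner reads its own line */
    /* process 1 terminates here; the tag stays on the line */
    if (cache_read(2, 0, &v)) return false;                   /* other process is denied */
    if (cache_write(2, true, 0, 0xBEEF)) return false;        /* and cannot overwrite it */
    return secure_descriptor(1) != secure_descriptor(2);      /* descriptors are distinct */
}
```

Lines written outside secure mode stay untagged and remain shared, which is what lets non-secure code keep using the cache normally; eviction and explicit release of a tagged line are not modelled here.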