Secure migratable architecture having security features

US 9,823,851 B2
Filed: 02/19/2016
Issued: 11/21/2017
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. A computing system comprising:

a programmable circuit configured to execute instructions according to a first computing architecture;

a memory communicatively connected to the programmable circuit, the memory storing software executable by the programmable circuit, the software including;

an operating system; and

a process including a firmware environment representing a virtual computing system having a second computing architecture different from the first computing architecture and one or more workloads to be executed within the process, the software executable to perform a method including;

upon initiating execution of the process, allocating a portion of the memory for use by the process during execution;

and executing the process hosted by the operating system, wherein the firmware environment manages the portion of the memory using a token associated with one or more area descriptors to describe the portion of the memory and a tag, each of the one or more area descriptors defining to the firmware environment a base address and an offset at which a buffer memory area is located, the base address translated to an address in the memory managed by the operating systemwherein the firmware receives a write request from the one or more workloads, translating the request to a specific memory buffer corresponding to the token, adding an offset to the base address at which the buffer memory area is located, the buffer memory area being within the portion of memory allocated for use by the process, validate that the tag value associated with the address is compatible, write the a value of the memory access request at the offset address,the write value and the offset address is passed to the first computing architecture, wherein the first computing architecture converts the virtual address to a physical address and writes the value in the memory.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for implementing a secure migratable architecture are disclosed. One method includes, upon initiating execution of a process, allocating a portion of a memory for use by the process during execution, the process including a firmware environment representing a virtual computing system having a second computing architecture different from a first computing architecture of a computing system on which the process is executed. The method also includes executing the process hosted by the operating system, wherein the firmware environment manages the portion of the memory using one or more area descriptors to describe the portion of the memory, each of the one or more area descriptors defining to the firmware environment a base address at which a memory area is located, the base address translated to an address in the memory managed by the operating system, the memory area being within the portion of memory allocated for use by the process.

9 Citations

View as Search Results

21 Claims

1. A computing system comprising:
- a programmable circuit configured to execute instructions according to a first computing architecture;
  
  a memory communicatively connected to the programmable circuit, the memory storing software executable by the programmable circuit, the software including;
  
  an operating system; and
  
  a process including a firmware environment representing a virtual computing system having a second computing architecture different from the first computing architecture and one or more workloads to be executed within the process, the software executable to perform a method including;
  
  upon initiating execution of the process, allocating a portion of the memory for use by the process during execution;
  
  and executing the process hosted by the operating system, wherein the firmware environment manages the portion of the memory using a token associated with one or more area descriptors to describe the portion of the memory and a tag, each of the one or more area descriptors defining to the firmware environment a base address and an offset at which a buffer memory area is located, the base address translated to an address in the memory managed by the operating systemwherein the firmware receives a write request from the one or more workloads, translating the request to a specific memory buffer corresponding to the token, adding an offset to the base address at which the buffer memory area is located, the buffer memory area being within the portion of memory allocated for use by the process, validate that the tag value associated with the address is compatible, write the a value of the memory access request at the offset address,the write value and the offset address is passed to the first computing architecture, wherein the first computing architecture converts the virtual address to a physical address and writes the value in the memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the one or more area discriptors are included in an area descriptor collection managed by the firmware environment.
  - 3. The system of claim 1, wherein the portion of the memory is, according to the second architecture implemented in the firmware environment, directly addressable.
  - 4. The system of claim 3, wherein the portion of the memory is, from the perspective of the first architecture implemented by the programmable circuit and operating system, addressable using one or more virtual addresses.
  - 5. The system of claim 1, wherein the area descriptor encapsulates a plurality of attributes of the memory area within the portion of memory.
  - 6. The system of claim 1, wherein the one or more area descriptors are unique within the firmware environment across the entire duration of execution of the process.
  - 7. The system of claim 1, wherein the one or more area descriptors reference a memory area having a common tag value associated with all the memeory locations within the memory area.
  - 8. The system of claim 1, wherein the one or more area descriptors includes a link to a tag area, the tag area including a tag byte associated with each data word in the memory area.
  - 9. The system of claim 8, wherein the memory area is organized in contiguous 64-bit data words, wherin the tag area is seperate from the memory area containing the data words.
  - 10. The system of claim 1, wherein the one or more area descriptors includes a descriptor associated with access rights to the memory area.
  - 11. The system of claim 1, wherein the one or more area descriptors includes a descriptor identifying a type of memory associated with the memory area.

12. A computer-implemented method comprising:
- upon initiating execution of a process, allocating a portion of a memory for use by the process during execution, the process including a firmware environment representing a virtual computing system having a second computing architecture different from a first computing architecture of a computing system on which the process is executed;
  
  and executing the process hosted by the operating system, wherein the firmware environment manages the portion of the memory using a token associated with one or more area descriptors to describe the portion of the memory and a tag, each of the one or more area descriptors defining to the firmware environment a base address and an offset at which a buffer memory area is located, the base address translated to an address in the memory managed by the operating system, wherein the firmware receives a write request from the one or more workloads, translating the request to a specific memory buffer corresponding to the token, adding an offset to the base address at which the buffer memory area is located, the buffer memory area being within the portion of memory allocated for use by the process, validate that the tag value associated with the address is compatible, write the a value of the memory access request at the offset address,the write value and the offset address is passed to the first computing architecture, wherein the first computing architecture converts the virtual address to a physical address and writes the value in the memory.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer-implemented method of claim 12, further comprising communicating with a remote computing system via security software, the remote computing system and the computing system being members of a common community of interest.
  - 14. The computer-implemented method of claim 12, wherein the process further includes one or more workloads to be executed within the process.
  - 15. The computer-implemented method of claim 12, wherein executing the process hosted by the operating system comprises calling a native function from the firmware environment, the native function executable according to the first computing architecture.
  - 16. The computer-implemented method of claim 12, wherein executing the process comprises:
    - receiving a memory request from the workload at the firmware, the memory request including a reference to a memory arae and an offset;
      
      translating the memory request to a memory access request according to the native instruction set architecture and managed by the operating system.
  - 17. The computer-implemented method of claim 12, wherein executing the process comprises:
    - allocating a new memory area to the process;
      
      creating a new area descriptor token associated with the new memory area in an area descriptor collection, the area descriptor token referencing an area descriptor associated with the new memory area.

18. A computing system comprising:
- a programmable circuit configured to execute instructions according to a first computing architecture;
  
  a memory communicatively connected to the programmable circuit, the memory storing software executable by the programmable circuit, the software including;
  
  an operating system; and
  
  a process including a firmware environment representing a virtual computing system having a second computing architecture different from the first computing architecture and one or more workloads to be executed within the process according to the second computing architecture, the software executable to perform a method including;
  
  upon initiating execution of the process, allocating a portion of the memory for use by the process during execution;
  
  creating an area descriptor associated with a memory area included within the portion of the memory, the area descriptor including a base address and a length of the memory area;
  
  storing the area descriptor in an area descriptor collection;
  
  and executing the process hosted by the operating system, wherein the firmware environment manages the portion of the memory using a token associated with one or more area descriptors to describe the portion of the memory and a tag, each of the one or more area descriptors defining to the firmware environment a base address and an offset at which a buffer memory area is located, the base address translated to an address in the memory managed by the operating systemwherein the firmware receives a write request from the one or more workloads, translating the request to a specific memory buffer corresponding to the token, adding an offset to the base address at which the buffer memory area is located, the buffer memory area being within the portion of memory allocated for use by the process, validate that the tag value associated with the address is compatible, write the a value of the memory access request at the offset addressthe write value and the offset address is passed to the first computing architecture, wherein the first computing architecture converts the virtual address to a physical address and writes the value in the memory.
- View Dependent Claims (19, 20, 21)
- - 19. The computing system of claim 18, wherein the memory area is associated with a tag included in the area descriptor and the memory request is associated with a plurality of data words in the memory area.
  - 20. The computing system of claim 19, wherein performing the memory request includes assessing the tag prior to accessing the plurality of data words.
  - 21. The computing system of claim 18, further comprising:
    - receiving, at the firmware, a request to deallocate the memory area; and
      
      prior to deallocation of the memory area, erasing data from the memory area.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unisys Corporation
Original Assignee
Unisys Corporation
Inventors
Beale, Andrew Ward, Strong, David
Primary Examiner(s)
Faal, Baboucarr

Application Number

US15/048,203
Publication Number

US 20170024130A1
Time in Patent Office

641 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 12/0223   User address space allocati...

G06F 12/08   in hierarchically structure...

G06F 12/1458   by checking the subject acc...

G06F 12/1483   using an access-table, e.g....

G06F 2009/4557   Distribution of virtual mac...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2212/1004   Compatibility, e.g. with le...

G06F 2212/1016   Performance improvement

G06F 2212/1032   Reliability improvement, da...

G06F 2212/1052   Security improvement

G06F 2212/151   Emulated environment, e.g. ...

G06F 3/061   Improving I/O performance

G06F 3/0617   in relation to availability

G06F 3/062   Securing storage systems

G06F 3/0631   by allocating resources to ...

G06F 3/0637   Permissions

G06F 3/0644   Management of space entitie...

G06F 3/0647   Migration mechanisms

G06F 3/0656   Data buffering arrangements

G06F 3/0659   Command handling arrangemen...

G06F 3/0664 : at device level, e.g. emula...

G06F 3/067 : Distributed or networked st...

G06F 3/0673 : Single storage device

G06F 8/65 : Updates security arrangemen...

G06F 9/4401 : Bootstrapping security arra...

G06F 9/455 : Emulation; Interpretation; ...

G06F 9/45558 : Hypervisor-specific managem...

G06F 9/5016 : the resource being the memory

H04L 41/0843 : based on generic templates

H04L 41/28 : Restricting access to netwo...

H04L 63/20 : for managing network securi...

View All

Secure migratable architecture having security features

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

9 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secure migratable architecture having security features

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links