Method and system for providing secure system execution on hardware supporting secure application execution
Abstract
An application such as a virtual machine is executed securely using a software-based, full-system emulator within a hardware-protected enclave, such as an SGX enclave. The emulator may thereby be secure even against a malicious underlying host operating system. In some cases, paging is used to allow even a large application to run within a small enclave. Where the application itself uses enclaves, these guest enclaves may themselves be emulated within an emulator enclave such that the guest enclave(s) are nested as sibling enclaves by the emulator.
16 Claims
1. A system for providing secure execution of an application comprising:
- at least one processor and a memory; and
- the memory storing computer code that, when executed:
  - creates by a host operating system (“OS”) an emulator enclave for emulation of a virtual machine (“VM”), wherein the emulator enclave provides a hardware-enforced protected region of an address space of the memory, wherein the emulator enclave is protected from the host OS, and wherein the VM includes guest memory with the emulator enclave being further provided for securely paging the guest memory to an untrusted region of the memory;
  - under control of the emulator enclave, emulates execution of instructions of a guest OS of the VM; and
  - emulates execution of instructions of a guest application for creating a guest enclave for execution of protected code of the guest application wherein the protected code executing in the secure enclave is protected from the guest OS.

Dependent claims: 2, 3, 4

5. A method for providing secure execution of an application comprising:
- creating by a host operating system (“OS”), an emulator enclave for emulation of a virtual machine (“VM”), wherein the emulator enclave provides a hardware-enforced protected region of an address space of a memory, wherein the emulator enclave is protected from the host OS, and wherein the VM includes guest memory with the emulator enclave being further provided for securely paging the guest memory to an untrusted region of the memory; and
- under control of the emulator enclave, emulating execution of instructions of a guest OS of the VM; and
- emulating execution of instructions of a guest application for creating a guest enclave for execution of protected code of the guest application wherein the protected code executing in the secure enclave is protected from the guest OS.

Dependent claims: 6, 7, 8, 9, 14, 15, 16

10. A non-transitory computer-readable storage medium storing instructions, the instructions, when executed by a processor, causing the processor to:
- create by a host operating system (“OS”) an emulator enclave for emulation of a virtual machine (“VM”), wherein the emulator enclave provides a hardware-enforced protected region of an address space of a memory, wherein the emulator enclave is protected from the host OS, and wherein the VM includes guest memory with the emulator enclave being further provided for securely paging the guest memory to an untrusted region of the memory; and
- under control of the emulator enclave, emulate execution of instructions of a guest OS of the VM; and
- emulate execution of instructions of a guest application for creating a guest enclave for execution of protected code of the guest application wherein the protected code executing in the secure enclave is protected from the guest OS.

Dependent claims: 11, 12, 13

Specification