Method and system for providing secure system execution on hardware supporting secure application execution

US 9,983,894 B2
Filed: 09/25/2014
Issued: 05/29/2018
Est. Priority Date: 09/25/2013
Status: Active Grant

First Claim

Patent Images

1. A system for providing secure execution of an application comprising:

at least one processor and a memory; and

the memory storing computer code that, when executed;

creates by a host operating system (“

OS”

) an emulator enclave for emulation of a virtual machine (“

VM”

), wherein the emulator enclave provides a hardware-enforced protected region of an address space of the memory, wherein the emulator enclave is protected from the host OS, and wherein the VM includes quest memory with the emulator enclave being further provided for securely paging the guest memory to an untrusted region of the memory;

under control of the emulator enclave,emulates execution of instructions of a guest OS of the VM; and

emulates execution of instructions of a guest application for creating a guest enclave for execution of protected code of the guest application wherein the protected code executing in the secure enclave is protected from the guest OS.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application such as a virtual machine are executed securely using a software-based, full-system emulator within a hardware-protected enclave, such as an SGX enclave. The emulator may thereby be secure even against a malicious underlying host operating system. In some cases, paging is used to allow even a large application may run within a small enclave using paging. Where the application itself uses enclaves, these guest enclaves may themselves be emulated within an emulator enclave such that the guest enclave(s) are nested as sibling enclaves by the emulator.

108 Citations

16 Claims

1. A system for providing secure execution of an application comprising:
- at least one processor and a memory; and
  
  the memory storing computer code that, when executed;
  
  creates by a host operating system (“
  
  OS”
  
  ) an emulator enclave for emulation of a virtual machine (“
  
  VM”
  
  ), wherein the emulator enclave provides a hardware-enforced protected region of an address space of the memory, wherein the emulator enclave is protected from the host OS, and wherein the VM includes quest memory with the emulator enclave being further provided for securely paging the guest memory to an untrusted region of the memory;
  
  under control of the emulator enclave,emulates execution of instructions of a guest OS of the VM; and
  
  emulates execution of instructions of a guest application for creating a guest enclave for execution of protected code of the guest application wherein the protected code executing in the secure enclave is protected from the guest OS.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, further including a redirection module comprising code executable on the processor for redirecting execution between each guest enclave and the emulator enclave.
  - 3. The system of claim 2, in which the redirection module is loaded in an unsecured portion of memory under the control of the host OS.
  - 4. The system of claim 1, in which the processor has an x86 processor architecture and is configured with Software Guard Extensions (SGX).

5. A method for providing secure execution of an application comprising:
- creating by a host operating system (“
  
  OS”
  
  ), an emulator enclave for emulation of a virtual machine (“
  
  VM”
  
  ), wherein the emulator enclave provides a hardware-enforced protected region of an address space of a memory, wherein the emulator enclave is protected from the host OS, and wherein the VM includes guest memory with the emulator enclave being further provided for securely paging the guest memory to an untrusted region of the memory; and
  
  under control of the emulator enclave,emulating execution of instructions of a guest OS of the VM; and
  
  emulating execution of instructions of a guest application for creating a guest enclave for execution of protected code of the guest application wherein the protected code executing in the secure enclave is protected from the guest OS.
- View Dependent Claims (6, 7, 8, 9, 14, 15, 16)
- - 6. The method of claim 5, further comprising emulating instructions creating and managing said guest enclave, such that the guest enclave is nested as a sibling enclave by the emulator enclave.
  - 7. The method of claim 6, further including redirecting execution between each guest enclave and the emulator enclave.
  - 8. The method of claim 7, in which the step of redirecting execution is directed from within an unsecured portion of memory under the control of the host OS.
  - 9. The method of claim 5, in which the processor has an x86 processor architecture and is configured with Software Guard Extensions (SGX).
  - 14. The method of claim 5 wherein the emulator enclave is a full-system emulator.
  - 15. The method of claim 14 wherein the host OS creates multiple emulator enclaves, each emulator enclave for an independent emulator, each independent emulator for executing a VM.
  - 16. The method of claim 5 wherein the emulator enclave emulates a central processing unit.

10. A non-transitory computer-readable storage medium storing instructions, the instructions, when executed by a processor, causing the processor to:
- create by a host operating system (“
  
  OS”
  
  ) an emulator enclave for emulation of a virtual machine (“
  
  VM”
  
  ), wherein the emulator enclave provides a hardware-enforced protected region of an address space of a memory, wherein the emulator enclave is protected from the host OS, and wherein the VM includes quest memory with the emulator enclave being further provided for securely paging the guest memory to an untrusted region of the memory; and
  
  under control of the emulator enclave,emulate execution of instructions of a guest OS of the VM; and
  
  emulate execution of instructions of a guest application for creating a guest enclave for execution of protected code of the guest application wherein the protected code executing in the secure enclave is protected from the guest OS.
- View Dependent Claims (11, 12, 13)
- - 11. The medium of claim 10, in which the emulator enclave runs on a host platform, which includes the processor and memory.
  - 12. The medium of claim 11, further storing instructions, upon execution by the processor, causing the processor to redirect execution using code stored unsecured portion of memory under the control of the host OS.
  - 13. The medium of claim 10, in which the processor has an x86 processor architecture and is configured with Software Guard Extensions (SGX).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Original Assignee
Meta Platforms, Inc. (f/k/a Facebook, Inc.)
Inventors
Horovitz, Oded, Weis, Stephen A., Rihan, Sahil, Waldspurger, Carl A.
Primary Examiner(s)
Puente, Emerson
Assistant Examiner(s)
DO, STEVEN M

Application Number

US14/497,111
Publication Number

US 20150089502A1
Time in Patent Office

1,342 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 9/45545   Guest-host, i.e. hypervisor...

G06F 9/45558   Hypervisor-specific managem...

Method and system for providing secure system execution on hardware supporting secure application execution

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

108 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing secure system execution on hardware supporting secure application execution

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links