SECURE PRIVILEGE LEVEL EXECUTION AND ACCESS PROTECTION

US 20170193226A1
Filed: 12/05/2016
Published: 07/06/2017
Est. Priority Date: 06/14/2013
Status: Active Grant

First Claim

Patent Images

1-20. -20. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The subject disclosure is directed towards using one or more of hardware, a hypervisor, and privileged mode code to prevent system mode code from accessing user mode data and/or running user mode code at the system privilege level, or vice-versa. Also described is (in systems with a hypervisor) preventing non-hypervisor code from running in hypervisor mode or accessing hypervisor-only data, or vice-versa. A register maintained by hardware, hypervisor, or system mode code contains data access and execution polices for different chunks of addressable space with respect to which requesting entities (hypervisor mode code, system mode code, user mode code) have access to or can execute code in a given chunk. When a request to execute code or access data with respect to an address is received, the request is processed to determine to which chunk the address corresponds. The policy for that chunk is evaluated to determine whether to allow or deny the request.

14 Citations

View as Search Results

40 Claims

1-20. -20. (canceled)

21. A system for enforcing code execution and data access policies comprising:
- enforcement logic configured to;
  
  determine an access designation and an execution designation of a chunk, the chunk comprising a plurality of bits of addressable memory space;
  
  evaluate a request from a source related to code execution at an address against the access designation of the chunk corresponding to the address by accessing policy settings for the chunk, the policy settings identifying one or more execution capabilities and one or more access capabilities of the chunk; and
  
  allow or deny the request based upon the evaluation.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The system of claim 21, wherein the enforcement logic is incorporated in hardware or incorporated into one or more of the following:
    - a hypervisor and system mode code, and wherein the source of the request comprises user mode code, system mode code, or hypervisor mode code.
  - 23. The system of claim 21, wherein the enforcement logic is further configured to:
    - evaluate a request from a source related to data access at an address against data access information maintained for chunks of address spaces; and
      
      determine whether the address corresponds to a chunk in which the source is allowed to access data.
  - 24. The system of claim 21, wherein a subset of bits of the address identifies a chunk of a plurality of equal size chunks to which the address corresponds.
  - 25. The system of claim 21, wherein at least two of the chunks of address spaces are different sizes from one another.
  - 26. The system of claim 21, wherein access designations are maintained in a register set in memory or in a processor location.
  - 27. The system of claim 21, wherein the access designation for the chunk includes information that indicates whether chunk code is executable at user privilege level only, at system privilege level only or in hypervisor mode only.
  - 28. The system of claim 21, wherein the access designation for the chunk includes information that indicates whether chunk data is accessible at user privilege level only, at system privilege level only or in hypervisor mode only.

29. A method comprising:
- determining an access designation and an execution designation of a chunk, the chunk comprising a plurality of bits of addressable memory space;
  
  evaluating a request from a source related to code execution at an address against the access designation of the chunk corresponding to the address by accessing policy settings for the chunk, the policy settings identifying one or more execution capabilities and one or more access capabilities of the chunk; and
  
  allowing or deny the request based upon the evaluation.
- View Dependent Claims (30, 31, 32, 33, 34, 35)
- - 30. The method of claim 29, wherein the enforcement logic is incorporated in hardware or incorporated into one or more of the following:
    - a hypervisor and system mode code, and wherein the source of the request comprises user mode code, system mode code, or hypervisor mode code.
  - 31. The method of claim 29, further comprising:
    - evaluating a request from a source related to data access at an address against data access information maintained for chunks of address spaces; and
      
      determining whether the address corresponds to a chunk in which the source is allowed to access data.
  - 32. The method of claim 29, wherein a subset of bits of the address identifies a chunk of a plurality of equal size chunks to which the address corresponds.
  - 33. The method of claim 29, wherein at least two of the chunks of address spaces are different sizes from one another.
  - 34. The method of claim 29, wherein access designations are maintained in a register set in memory or in a processor location.
  - 35. The method of claim 29, wherein the access designation for the chunk includes information that indicates whether chunk code is executable or accessible at user privilege level only, at system privilege level only or in hypervisor mode only.

36. A computer-readable storage memory having computer-executable instructions that are configured, upon execution, perform operations comprising:
- determining an access designation and an execution designation of a chunk, the chunk comprising a plurality of bits of addressable memory space;
  
  evaluating a request from a source related to code execution at an address against the access designation of the chunk corresponding to the address by accessing policy settings for the chunk, the policy settings identifying one or more execution capabilities and one or more access capabilities of the chunk; and
  
  allowing or deny the request based upon the evaluation.
- View Dependent Claims (37, 38, 39, 40)
- - 37. The computer-readable storage memory of claim 36, wherein the enforcement logic is incorporated in hardware or incorporated into one or more of the following:
    - a hypervisor and system mode code, and wherein the source of the request comprises user mode code, system mode code, or hypervisor mode code.
  - 38. The one or more computer-readable storage memory of claim 36, wherein the computer-executable instructions are further configured to perform the following operations:
    - evaluating a request from a source related to data access at an address against data access information maintained for chunks of address spaces; and
      
      determining whether the address corresponds to a chunk in which the source is allowed to access data.
  - 39. The computer-readable storage memory of claim 36, wherein a subset of bits of the address identifies a chunk of a plurality of equal size chunks to which the address corresponds.
  - 40. The computer-readable storage memory of claim 36, wherein at least two of the chunks of address spaces are different sizes from one another, and wherein access designations are maintained in a register set in memory or in a processor location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Lange, Jonathan E., Chen, Ling Tony, Mejdrich, Eric O., Sell, John V.

Granted Patent

US 10,198,578 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/1004   to protect a block of data ...

G06F 11/1008   in individual solid state d...

G06F 12/0246   in block erasable memory, e...

G06F 12/1441   for a range

G06F 12/1483   using an access-table, e.g....

G06F 12/1491   in a hierarchical protectio...

G06F 21/554   involving event detection a...

G06F 2212/1032   Reliability improvement, da...

G06F 2212/1052   Security improvement

G06F 2212/151   Emulated environment, e.g. ...

G06F 2221/031   Protect user input by softw...

H04L 63/10   for controlling access to d...

SECURE PRIVILEGE LEVEL EXECUTION AND ACCESS PROTECTION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE PRIVILEGE LEVEL EXECUTION AND ACCESS PROTECTION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links