CN101290646A - Apparatus and method for protecting system in virtualized environment - Google Patents

Publication number: CN101290646A
Authority: CN (China)
Prior art keywords: domains, control module, device driver, request, domain
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Application number: CNA2008100911004A
Other languages: Chinese (zh)
Other versions: CN101290646B (en)
Inventors: 李圣民, 郑福得, 徐尚范, 牟相德
Current assignee: Samsung Electronics Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Original assignee: Samsung Electronics Co Ltd
Priority date: 2007-04-16
Filing date: 2008-04-16
Publication date: 2008-10-22 (CN101290646A)
Grant date: 2013-05-01 (CN101290646B)
Current legal status: Expired - Fee Related

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

Provided is an apparatus and method for protecting a system in a virtualized environment. The apparatus includes a domain unit including a plurality of domains, each having one or more device drivers; a system resource unit forming hardware of the system; a direct memory access (DMA) driver; and a control unit including an access control module which controls the access of the domain unit to the system resource unit in the virtualized environment.

Description

Apparatus and method for protecting a system in a virtualized environment
This application claims priority from U.S. Provisional Application No. 60/911,930, filed on April 16, 2007 with the United States Patent and Trademark Office, and from Korean Patent Application No. 10-2007-0110296, filed on October 31, 2007 with the Korean Intellectual Property Office, the disclosures of which are incorporated herein by reference.
Technical field
Apparatus and methods consistent with the present invention relate to system protection, and more particularly to protecting a system in a virtualized environment, so that system resources are protected from malicious access and a reliable security service is guaranteed in the virtualized environment.
Background
Devices such as personal computers (PCs), personal digital assistants (PDAs), wireless terminals and digital televisions (DTVs) commonly use virtualization technology to strengthen security and to implement various applications and services. To provide a secure environment, virtualization technology needs functions such as secure boot, secure software and access control.
FIG. 1 is a block diagram of a related-art virtualization system. Referring to FIG. 1, the related-art virtualization system uses a virtual machine monitor (VMM) 10 to create a virtualized environment. It includes a domain unit 20 having a plurality of domains 21, 22, ..., and a system resource unit 30 having a read-only memory (ROM), a central processing unit (CPU), memory, a battery and input/output (I/O) devices.
Each of the domains 21, 22, ... of the domain unit 20 includes one or more device drivers 21a, 22a, .... In addition, at least one of the domains 21, 22, ... (for example, domain 21) includes a direct memory access (DMA) driver 21b. In the related-art system, DMA is handled by the domain unit 20, and there is no limit on the number of channels that can be formed between the domains 21, 22, .... Further, when one of the domains 21, 22, ... attempts to access the system resource unit 30, the domain unit 20 or the VMM 10 performs only simple access control.
However, because DMA is handled by the domain unit 20, and the VMM 10 performs no access control on the system resource unit 30 that would prevent possible malicious access by the domain unit 20, the related-art virtualization system has security problems.
More particularly, DMA is handled by domain 21, and its access to physical memory is uncontrolled. A DMA transfer is carried out by the device itself using physical addresses, so it bypasses the memory protection that the VMM applies to CPU accesses from a domain. Therefore, if an insecure domain exists, or a domain contains a defective device driver, that domain can access the physical memory of the VMM 10 or of another domain, steal confidential data or overwrite it with dummy data, and thereby cause a system failure.
If a particular domain uses an excessive amount of system memory, a system failure may occur, reducing system availability.
The number of event channels that can be formed between two domains is limited. Therefore, if a malicious domain uses up all available event channels, no event channel can be formed between the remaining domains, and a system failure may occur.
Summary of the invention
Aspects of the present invention provide an apparatus and method for protecting a system in a virtualized environment, in which system resources are protected from malicious access (for example by malware), system failures are resolved, and a reliable security service is guaranteed in the virtualized environment.
However, aspects of the present invention are not restricted to those set forth herein. The above and other aspects of the present invention will become more apparent to one of ordinary skill in the art by referencing the detailed description given below.
According to an aspect of the present invention, there is provided an apparatus for protecting a system in a virtualized environment. The apparatus includes: a domain unit including a plurality of domains, each having one or more device drivers; a system resource unit forming the hardware of the system; a direct memory access (DMA) driver; and a control unit including an access control module which controls access of the domain unit to the system resource unit in the virtualized environment.
According to another aspect of the present invention, there is provided a method for protecting a system in a virtualized environment. The method includes: requesting the access control module to allocate, to a device driver in one of a plurality of domains, the input/output (I/O) space and interrupt request (IRQ) number required to access the system resource unit; determining whether a predetermined access policy allows the domain executing the device driver to access the system resource unit; and, if the predetermined access policy allows the domain to access the system resource unit, allocating the requested I/O space and IRQ number to the device driver in the domain, and if it does not, not allocating them.
According to another aspect of the present invention, there is provided a method for protecting a system in a virtualized environment. The method includes: requesting, by a device driver in one of a plurality of domains, that the access control module allow it to access the memory of the system resource unit through the DMA driver; determining whether a predetermined access control policy allows the domain executing the device driver to access the memory; and, if the predetermined access control policy allows the domain to access the memory, allowing the device driver in the domain to access the memory, and if it does not, not allowing the device driver to access the memory.
According to another aspect of the present invention, there is provided a method for protecting a system in a virtualized environment. The method includes: requesting, by one of a plurality of domains, that the access control module allocate system resources; determining whether the amount of system resources requested by the domain exceeds an allowed limit set by a predetermined access control policy; and, if the requested amount is less than the allowed limit, allowing the requested system resources to be allocated to the domain, and if it exceeds the allowed limit, not allowing the requested system resources to be allocated to the domain.
Description of drawings
The above and other aspects of the present invention will become more apparent from the following description of exemplary embodiments with reference to the accompanying drawings, in which:
FIG. 1 is a block diagram of a related-art virtualization system;
FIG. 2 is a block diagram of an apparatus for protecting a system in a virtualized environment according to an exemplary embodiment of the present invention;
FIG. 3 is a flowchart of a process of allocating input/output (I/O) space to a device driver, which is part of a method for protecting a system in a virtualized environment according to an exemplary embodiment of the present invention;
FIG. 4 is a flowchart of a process of controlling access of a device driver to system memory through a direct memory access (DMA) driver, which is part of the system protection method according to an exemplary embodiment of the present invention; and
FIG. 5 is a flowchart of a process of controlling access of a domain to system resources, which is part of the system protection method according to an exemplary embodiment of the present invention.
Embodiment
The present invention will now be described more fully with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. The invention may, however, be embodied in different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the concept of the invention to those skilled in the art, and the invention is limited only by the claims. Like reference numerals refer to like elements throughout, and their description will be omitted.
Hereinafter, an apparatus and method for protecting a system in a virtualized environment according to the present invention will be described in more detail with reference to the accompanying drawings.
Detailed descriptions of the prior art or of structures will be omitted where they might unnecessarily obscure the present invention.
FIG. 2 is a block diagram of an apparatus for protecting a system in a virtualized environment according to an exemplary embodiment of the present invention.
Referring to FIG. 2, the apparatus includes a domain unit 100, a system resource unit 200 and a control unit 300.
The domain unit 100 includes a plurality of domains 110, 120, ..., each having one or more device drivers 111, 121, .... The domain unit 100 includes at least one secure domain (for example, domain 110) and a plurality of common domains (for example, domains 120, ...). Here, a secure domain is highly secure, whereas a common domain is insecure to some extent.
The term "domain" as used herein refers to an environment in which one or more associated device drivers can be executed on one or more corresponding operating systems (OSs).
The system resource unit 200 forms the hardware of the system. The system resource unit 200 includes a read-only memory (ROM) 210, a central processing unit (CPU) 220, a battery 230, a memory 240, event channels 250 and input/output (I/O) devices 260.
The ROM 210 is a storage space that cannot be altered by an unauthorized user or system.
The memory 240 is a storage space for storing data. The memory 240 may be a nonvolatile memory such as a flash memory.
The memory 240 includes physical memory and system memory used for direct memory access (DMA), which will be described later.
The memory 240 is divided into a plurality of memory areas so that data can be classified by type and security level and stored accordingly. In this way, important data can be encrypted and stored in one memory area.
The control unit 300 uses a virtual machine monitor (VMM) to control access of the domain unit 100 to the system resource unit 200 in the virtualized environment (for example, in a wireless Internet environment).
The control unit 300 includes a DMA driver 310 and an access control module 320. The access control module 320 controls access of the domain unit 100 to the system resource unit 200 in the virtualized environment.
The DMA driver 310 is a module that performs DMA operations. Placing the DMA driver in the control unit 300 rather than in a domain (compare FIG. 1, where domain 21 holds the DMA driver 21b) is what makes the access control enforceable: a domain can no longer program DMA transfers directly and must go through the DMA driver 310, whose accesses the access control module 320 mediates.
The access control module 320 controls the access of each of the device drivers 111, 121, ... in each of the domains 110, 120, ... to the system resource unit 200 through the DMA driver 310. In particular, the access control module 320 restricts a malicious device driver (for example, device driver 121) installed in one of the insecure common domains 120, ... (for example, domain 120) from accessing the I/O space and interrupt requests (IRQs) associated with the DMA driver 310. More specifically, when a device driver in one of the domains 110, 120, ... that is allowed to access the system resource unit 200 according to a predetermined access control policy attempts to access the system resource unit 200 through the DMA driver 310, the access control module 320 allows that device driver to access the I/O space associated with the DMA driver 310. However, if a device driver attempting to access the system resource unit 200 through the DMA driver 310 is not allowed to do so according to the predetermined access control policy, the access control module 320 restricts that device driver's access to the I/O space and IRQs associated with the DMA driver 310.
The access control module 320 sets, for each of the domains 110, 120, ..., a different option for accessing the system resource unit 200, and, based on the option set, controls for each device driver 111, 121, ... in each domain the allocation of the I/O space and IRQ number that the device driver requests. More particularly, if the predetermined access control policy allows one of the device drivers 111, 121, ... to access the system resource unit 200, the access control module 320 allocates the requested I/O space and IRQ number to the device driver in that domain. If the predetermined access control policy does not allow the device driver to access the system resource unit 200, the access control module 320 does not allocate the requested I/O space and IRQ number to the device driver.
The access control module 320 restricts each of the domains 110, 120, ... from using the system resource unit 200 excessively. More particularly, when a device driver 111, 121, ... in one of the domains 110, 120, ... uses the memory 240 of the system resource unit 200 beyond the limit allowed by the predetermined access control policy, the access control module 320 restricts that device driver's access to the memory 240. In addition, the access control module 320 prohibits each of the domains 110, 120, ... from forming, with another of the domains 110, 120, ..., more event channels than the number allowed by the predetermined access control policy.
Below, with reference to Fig. 3 to Fig. 5 the method for protection system in virtual environment according to exemplary embodiment of the present invention is described.
FIG. 3 is a flowchart of a process of allocating I/O space to a device driver, which is part of a method for protecting a system in a virtualized environment according to an exemplary embodiment of the present invention.
Referring to FIG. 3, the access control module 320 of the control unit 300 sets, for each of the domains 110, 120, ..., a different option for accessing the system resource unit 200, and, based on the option set, controls for each device driver 111, 121, ... in each domain the allocation of the I/O space and IRQ number that the device driver requests.
More particularly, a device driver 111, 121, ... in one of the domains 110, 120, ... requests the access control module 320 to allocate the I/O space required to access the system resource unit 200 (operation S101). Next, it is determined whether the access control policy determined by the access control module 320 of the control unit 300 allows the domain to access the system resource unit 200 (operation S102). If the access control policy allows the domain to access the system resource unit 200, the access control module 320 allocates the requested I/O space and IRQ number to the device driver in the domain (operation S103). If the access control policy does not allow the domain to access the system resource unit 200, the access control module 320 does not allocate the requested I/O space and IRQ number to the device driver in the domain.
FIG. 4 is a flowchart of a process of controlling access of a device driver to system memory through the DMA driver 310, which is part of the system protection method according to an exemplary embodiment of the present invention.
Referring to FIG. 4, the access control module 320 of the control unit 300 controls the access of each device driver 111, 121, ... in each of the domains 110, 120, ... to the system resource unit 200 through the DMA driver 310.
More particularly, a device driver 111, 121, ... in one of the domains 110, 120, ... requests the access control module 320 to allow it to access the memory 240 of the system resource unit 200 through the DMA driver 310 (operation S201). Next, it is determined whether the access control policy allows the domain executing the device driver to access the memory 240 (operation S202). If the access control policy allows the domain to access the memory 240, the access control module 320 allows the device driver to access the memory 240 (operation S203). If the access control policy does not allow the domain to access the memory 240, the access control module 320 restricts the device driver's access to the memory 240.
FIG. 5 is a flowchart of a process of controlling access of a domain to system resources, which is part of the system protection method according to an exemplary embodiment of the present invention.
Referring to FIG. 5, the access control module 320 restricts each of the domains 110, 120, ... from using the system resource unit 200 excessively.
More particularly, at least one of the domains 110, 120, ... requests the access control module 320 to allocate system resources (operation S301). Next, it is determined whether the amount of system resources requested by the domain exceeds the allowed limit set by the access control policy (operation S302). If the requested amount is less than the allowed limit, the access control module 320 allows the requested system resources to be allocated to the domain (operation S303). If the requested amount exceeds the allowed limit, the access control module 320 does not allow the system resources to be allocated to the domain. For example, when a device driver 111, 121, ... in one of the domains 110, 120, ... uses the memory 240 beyond the allowed limit, the access control module 320 restricts that domain's access to the memory 240. In addition, the access control module 320 prohibits each of the domains 110, 120, ... from forming, with another of the domains 110, 120, ..., more event channels than the allowed number.
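As an added example that is not part of the patent, the following Python model puts the three checks of FIGS. 3 to 5 (I/O space and IRQ allocation, DMA access to the memory 240, and the memory and event-channel quotas) into one access-control module and replays the three failure modes from the Background against it. All names (Policy, AccessControlModule, the domains dom0 and dom1, the address ranges, quotas and IRQ numbers) are assumptions chosen for the illustration, as is the choice to treat a request exactly equal to the remaining quota as allowed, which the patent leaves unspecified.

```python
# Added example, not code from the patent: a model of the control unit's
# access-control module (ACM) enforcing the checks of FIGS. 3-5.
# Policy, AccessControlModule, the domain names, address windows, quotas
# and IRQ numbers below are all assumptions made for the illustration.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Range = Tuple[int, int]  # half-open [start, end) in bytes or I/O-port numbers


@dataclass(frozen=True)
class Policy:
    """The 'predetermined access control policy' consulted by the ACM."""
    io_allowed: FrozenSet[str]                 # domains that may receive DMA-driver I/O space and IRQs
    dma_windows: Dict[str, Tuple[Range, ...]]  # physical windows each domain may DMA into
    mem_limit: Dict[str, int]                  # per-domain memory quota in bytes
    evtchn_limit: int                          # max event channels between any two domains


class AccessControlModule:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.io_alloc: Dict[str, List[Tuple[Range, int]]] = {}
        self.irqs_in_use: Dict[int, str] = {}
        self.mem_used: Dict[str, int] = {}
        self.evtchns: Dict[FrozenSet[str], int] = {}

    # FIG. 3: a driver in `dom` asks for an I/O space and an IRQ number.
    def request_io(self, dom: str, io_range: Range, irq: int) -> bool:
        start, end = io_range
        if end <= start or dom not in self.policy.io_allowed:
            return False
        owner = self.irqs_in_use.get(irq)
        if owner is not None and owner != dom:
            return False  # IRQ already bound to another domain
        for other, allocs in self.io_alloc.items():
            if other == dom:
                continue
            for (s, e), _ in allocs:
                if start < e and s < end:
                    return False  # overlapping I/O range owned by another domain
        self.irqs_in_use[irq] = dom
        self.io_alloc.setdefault(dom, []).append((io_range, irq))
        return True

    # FIG. 4: a driver in `dom` asks the DMA driver to transfer into physical memory.
    def request_dma(self, dom: str, addr: int, length: int) -> bool:
        if length <= 0 or addr < 0:
            return False
        end = addr + length
        # The whole transfer must lie inside one window granted to this domain;
        # VMM memory and other domains' memory are never in the window list.
        return any(s <= addr and end <= e for s, e in self.policy.dma_windows.get(dom, ()))

    # FIG. 5: quota on memory. A request exactly equal to the remaining quota is allowed (assumption).
    def request_memory(self, dom: str, nbytes: int) -> bool:
        if nbytes <= 0:
            return False
        used = self.mem_used.get(dom, 0)
        if used + nbytes > self.policy.mem_limit.get(dom, 0):
            return False
        self.mem_used[dom] = used + nbytes
        return True

    # FIG. 5: quota on event channels between a pair of domains.
    def request_event_channel(self, dom_a: str, dom_b: str) -> bool:
        if dom_a == dom_b:
            return False
        key = frozenset((dom_a, dom_b))
        n = self.evtchns.get(key, 0)
        if n >= self.policy.evtchn_limit:
            return False
        self.evtchns[key] = n + 1
        return True


def demo() -> dict:
    """Replays the three failure modes from the Background section against the ACM."""
    # Constructed layout: VMM owns 0x00000000-0x00100000, the secure domain dom0
    # the next 3 MiB, the common (untrusted, possibly buggy) domain dom1 the 4 MiB after.
    policy = Policy(
        io_allowed=frozenset({"dom0"}),
        dma_windows={"dom0": ((0x00100000, 0x00400000),),
                     "dom1": ((0x00400000, 0x00800000),)},
        mem_limit={"dom0": 64 * 1024, "dom1": 16 * 1024},
        evtchn_limit=4,
    )
    acm = AccessControlModule(policy)
    r = {}
    r["dom0_io"] = acm.request_io("dom0", (0x3F8, 0x400), 4)            # permitted by policy
    r["dom1_io"] = acm.request_io("dom1", (0x3F8, 0x400), 4)            # dom1 is not in io_allowed
    r["dom1_dma_own"] = acm.request_dma("dom1", 0x00500000, 4096)       # inside its own window
    r["dom1_dma_vmm"] = acm.request_dma("dom1", 0x00000000, 4096)       # VMM memory: refused
    r["dom1_dma_dom0"] = acm.request_dma("dom1", 0x00200000, 4096)      # dom0's memory: refused
    r["dom1_dma_straddle"] = acm.request_dma("dom1", 0x007FF000, 8192)  # crosses window end: refused
    r["dom1_mem_ok"] = acm.request_memory("dom1", 16 * 1024)            # exactly the quota
    r["dom1_mem_over"] = acm.request_memory("dom1", 1)                  # one byte over: refused
    r["evtchns"] = [acm.request_event_channel("dom1", "dom0") for _ in range(5)]  # 5th refused
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A DMA request is granted only if the entire transfer lies inside a window the policy grants to the requesting domain, so a transfer that starts inside the window but runs past its end is refused along with one aimed at the VMM or another domain; this is the check that the related-art system of FIG. 1 lacks. The I/O check additionally refuses to hand the same IRQ, or an overlapping I/O range, to two different domains, a detail the patent does not spell out but which a real control unit needs.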
As described above, with the apparatus and method for protecting a system in a virtualized environment, system resources are protected from malicious access by malware, and system failures can be resolved. Therefore, a reliable security service can be provided.
While the present invention has been shown and described with reference to exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the present invention as defined by the following claims. The exemplary embodiments should be considered in a descriptive sense only and not for purposes of limitation.

Claims (18)

1. An apparatus for protecting a system in a virtualized environment, the apparatus comprising:
a domain unit comprising a plurality of domains, the plurality of domains comprising device drivers;
a system resource unit; and
a control unit comprising a direct memory access (DMA) driver and an access control module, wherein the access control module controls access of the domain unit to the system resource unit through the DMA driver in the virtualized environment.
2. The apparatus of claim 1, wherein the plurality of domains comprises at least one secure domain.
3. The apparatus of claim 1, wherein the system resource unit comprises at least one of: system memory, physical memory used for the DMA driver, and an event channel between at least two of the plurality of domains.
4. The apparatus of claim 1, wherein the control unit performs its control function using a virtual machine monitor.
5. The apparatus of claim 1, wherein the access control module controls access of each device driver in each of the plurality of domains to the system resource unit through the DMA driver.
6. The apparatus of claim 5, wherein the access control module restricts access of a malicious device driver installed in any insecure domain among the plurality of domains to the input/output (I/O) space and interrupt requests (IRQs) associated with the DMA driver.
7. The apparatus of claim 1, wherein the access control module sets, for each of the plurality of domains, a different option for accessing the system resource unit.
8. The apparatus of claim 7, wherein, based on the option set, the allocation of the I/O space associated with the DMA driver and the IRQ number requested by a device driver in one of the plurality of domains is controlled for that device driver.
9. The apparatus of claim 8, wherein, if the device driver is allowed to access the system resource unit, the access control module allocates the requested I/O space and IRQ number to the device driver in the one of the plurality of domains, and if the device driver is not allowed to access the system resource unit, the access control module does not allocate the requested I/O space and IRQ number to the device driver in the one of the plurality of domains.
10. The apparatus of claim 1, wherein the access control module restricts excessive use of the system resource unit by the plurality of domains.
11. The apparatus of claim 10, wherein, if a device driver uses more memory than an allowed limit, the access control module restricts access of the device driver in one of the plurality of domains to the memory of the system resource unit.
12. The apparatus of claim 10, wherein the access control module prohibits each of the plurality of domains from forming, with another of the plurality of domains, more event channels than an allowed number.
13. A method for protecting a system in a virtualized environment, the method comprising:
requesting an access control module to allocate, to a device driver in one of a plurality of domains, the DMA-related input/output (I/O) space and interrupt request (IRQ) number required to access a system resource unit;
determining whether a predetermined access policy allows the domain executing the device driver to access the system resource unit; and
if the predetermined access policy allows the one of the plurality of domains to access the system resource unit, allocating the requested I/O space and IRQ number to the device driver in the one of the plurality of domains, and if the predetermined access policy does not allow the one of the plurality of domains to access the system resource unit, not allocating the requested I/O space and IRQ number to the device driver in the one of the plurality of domains.
14. A method for protecting a system in a virtualized environment, the method comprising:
requesting, by a device driver in one of a plurality of domains, that an access control module allow access to the memory of a system resource unit through a direct memory access (DMA) driver;
determining whether a predetermined access control policy allows the one of the plurality of domains executing the device driver to access the memory; and
if the predetermined access control policy allows the one of the plurality of domains to access the memory, allowing the device driver in the one of the plurality of domains to access the memory, and if the predetermined access control policy does not allow the one of the plurality of domains to access the memory, not allowing the device driver in the one of the plurality of domains to access the memory.
15. A method for protecting a system in a virtualized environment, the method comprising:
requesting, by one of a plurality of domains, that an access control module allocate system resources;
determining whether the amount of system resources requested by the domain exceeds an allowed limit set by a predetermined access control policy; and
if the amount of system resources requested by the one of the plurality of domains is less than the allowed limit, allowing the requested system resources to be allocated to the one of the plurality of domains, and if the amount of system resources requested by the one of the plurality of domains exceeds the allowed limit, not allowing the requested system resources to be allocated to the one of the plurality of domains.
16. The method of claim 15, wherein the amount of system resources requested by the one of the plurality of domains comprises memory usage.
17. The method of claim 15, wherein the amount of system resources requested by the one of the plurality of domains comprises a number of event channels formed between at least two of the plurality of domains.
18. The method of claim 13, wherein the access control policy is determined by an access control module included in a VMM.

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US91193007P 2007-04-16 2007-04-16
US60/911,930 2007-04-16
KR1020070110296A KR101405319B1 (en) 2007-04-16 2007-10-31 Apparatus and method for protecting system in virtualization
KR10-2007-0110296 2007-10-31

Publications (2)

Publication Number Publication Date
CN101290646A true CN101290646A (en) 2008-10-22
CN101290646B CN101290646B (en) 2013-05-01

Family

ID=40034900

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2008100911004A Expired - Fee Related CN101290646B (en) 2007-04-16 2008-04-16 Apparatus and method for protecting system in virtualized environment

Country Status (2)

Country Link
KR (1) KR101405319B1 (en)
CN (1) CN101290646B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103370715A (en) * 2010-10-31 2013-10-23 马克·罗尼尔·塔克 System and method for securing virtual computing environments
CN103370715B (en) * 2010-10-31 2017-04-12 时间防御系统有限责任公司 System and method for securing virtual computing environments
CN108353082A (en) * 2015-11-05 2018-07-31 英特尔公司 Technology for handling malicious activity of a virtual network driver
CN107017014A (en) * 2016-01-28 2017-08-04 硅实验室股份有限公司 Dynamic containerized system memory protection for low energy MCU
CN107017014B (en) * 2016-01-28 2022-05-31 硅实验室股份有限公司 Dynamic containerized system memory protection for low energy MCU

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101323858B1 (en) * 2011-06-22 2013-11-21 한국과학기술원 Apparatus and method for controlling memory access in virtualized system
KR101469894B1 (en) * 2011-08-12 2014-12-08 한국전자통신연구원 Method and apparatus for providing secure execution environment based on domain separation
KR101710684B1 (en) 2015-09-10 2017-03-02 (주) 세인트 시큐리티 System and method of recovering operating system anayzing malicious code not operating in virtual environment
KR20190021673A (en) * 2017-08-23 2019-03-06 주식회사 수산아이앤티 Apparatus and method for preventing ransomware

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2325061B (en) * 1997-04-30 2001-06-06 Advanced Risc Mach Ltd Memory access protection
JP2002041304A (en) 2000-07-28 2002-02-08 Hitachi Ltd Automatic imparting method of backup resource of logical section and logical section based computer system
US7036122B2 (en) * 2002-04-01 2006-04-25 Intel Corporation Device virtualization and assignment of interconnect devices
JP4302641B2 (en) * 2002-11-18 2009-07-29 エイアールエム リミテッド Controlling device access to memory
JP4119239B2 (en) 2002-12-20 2008-07-16 株式会社日立製作所 Computer resource allocation method, resource management server and computer system for executing the method
JP4519738B2 (en) * 2005-08-26 2010-08-04 株式会社東芝 Memory access control device


Also Published As

Publication number Publication date
KR20080093359A (en) 2008-10-21
KR101405319B1 (en) 2014-06-10
CN101290646B (en) 2013-05-01


Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant (granted publication date: 2013-05-01)
CF01 Termination of patent right due to non-payment of annual fee