CN113544652B - 具有页改变检测的安全分页 - Google Patents

具有页改变检测的安全分页 Download PDF

Info

Publication number
CN113544652B
CN113544652B CN202080018913.XA CN202080018913A CN113544652B CN 113544652 B CN113544652 B CN 113544652B CN 202080018913 A CN202080018913 A CN 202080018913A CN 113544652 B CN113544652 B CN 113544652B
Authority
CN
China
Prior art keywords
page
secure
host
security
hash value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202080018913.XA
Other languages
English (en)
Chinese (zh)
Other versions
CN113544652A (zh
Inventor
J·布拉德伯里
C·博恩特雷格
H·卡斯滕斯
M·施维德夫斯基
R·宾德根
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Publication of CN113544652A publication Critical patent/CN113544652A/zh
Application granted granted Critical
Publication of CN113544652B publication Critical patent/CN113544652B/zh
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1408Protection against unauthorised use of memory or access to memory by using cryptography
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1416Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F12/1425Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1416Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F12/145Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being virtual, e.g. for virtual blocks or segments before a translation mechanism
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10Providing a specific technical effect
    • G06F2212/1052Security improvement
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/15Use in a specific computing environment
    • G06F2212/151Emulated environment, e.g. virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)
CN202080018913.XA 2019-03-08 2020-03-06 具有页改变检测的安全分页 Active CN113544652B (zh)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US16/296,303 US11206128B2 (en) 2019-03-08 2019-03-08 Secure paging with page change detection
US16/296,303 2019-03-08
PCT/IB2020/051941 WO2020183308A1 (en) 2019-03-08 2020-03-06 Secure paging with page change detection

Publications (2)

Publication Number Publication Date
CN113544652A CN113544652A (zh) 2021-10-22
CN113544652B true CN113544652B (zh) 2025-06-20

Family

ID=72335881

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080018913.XA Active CN113544652B (zh) 2019-03-08 2020-03-06 具有页改变检测的安全分页

Country Status (6)

Country Link
US (1) US11206128B2 (https=)
JP (1) JP7410161B2 (https=)
CN (1) CN113544652B (https=)
DE (1) DE112020000286B4 (https=)
GB (1) GB2594905B (https=)
WO (1) WO2020183308A1 (https=)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11308215B2 (en) * 2019-03-08 2022-04-19 International Business Machines Corporation Secure interface control high-level instruction interception for interruption enablement
US11347529B2 (en) 2019-03-08 2022-05-31 International Business Machines Corporation Inject interrupts and exceptions into secure virtual machine
US11347869B2 (en) 2019-03-08 2022-05-31 International Business Machines Corporation Secure interface control high-level page management
US11971993B2 (en) * 2021-06-01 2024-04-30 Microsoft Technology Licensing, Llc Firmware-based secure tenancy transfer
US20230188324A1 (en) * 2021-12-09 2023-06-15 Sap Se Initialization vector handling under group-level encryption
US12487759B1 (en) * 2022-03-31 2025-12-02 Amazon Technologies, Inc. Secure monitors for memory page protection
US12436790B2 (en) * 2022-04-22 2025-10-07 Red Hat, Inc. Scalable asynchronous communication for encrypted virtual machines
US12443429B2 (en) * 2022-08-30 2025-10-14 Red Hat, Inc. Memory deduplication for encrypted virtual machines

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107346401A (zh) * 2016-05-06 2017-11-14 波音公司 用于安全地执行程序的信息保障系统

Family Cites Families (53)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5343527A (en) 1993-10-27 1994-08-30 International Business Machines Corporation Hybrid encryption method and system for protecting reusable software components
US5757919A (en) * 1996-12-12 1998-05-26 Intel Corporation Cryptographically protected paging subsystem
US6021201A (en) 1997-01-07 2000-02-01 Intel Corporation Method and apparatus for integrated ciphering and hashing
US6983365B1 (en) 2000-05-05 2006-01-03 Microsoft Corporation Encryption systems and methods for identifying and coalescing identical objects encrypted with different keys
US6996748B2 (en) 2002-06-29 2006-02-07 Intel Corporation Handling faults associated with operation of guest software in the virtual-machine architecture
WO2005036367A2 (en) 2003-10-08 2005-04-21 Unisys Corporation Virtual data center that allocates and manages system resources across multiple nodes
EP1870814B1 (en) 2006-06-19 2014-08-13 Texas Instruments France Method and apparatus for secure demand paging for processor devices
US7653819B2 (en) 2004-10-01 2010-01-26 Lenovo Singapore Pte Ltd. Scalable paging of platform configuration registers
US20070106986A1 (en) * 2005-10-25 2007-05-10 Worley William S Jr Secure virtual-machine monitor
US7886363B2 (en) 2006-05-24 2011-02-08 Noam Camiel System and method for virtual memory and securing memory in programming languages
EP1870813B1 (en) 2006-06-19 2013-01-30 Texas Instruments France Page processing circuits, devices, methods and systems for secure demand paging and other operations
US20080077767A1 (en) 2006-09-27 2008-03-27 Khosravi Hormuzd M Method and apparatus for secure page swapping in virtual memory systems
US8261265B2 (en) 2007-10-30 2012-09-04 Vmware, Inc. Transparent VMM-assisted user-mode execution control transfer
GB2460393B (en) 2008-02-29 2012-03-28 Advanced Risc Mach Ltd A data processing apparatus and method for controlling access to secure memory by virtual machines executing on processing circuitry
US8738932B2 (en) 2009-01-16 2014-05-27 Teleputers, Llc System and method for processor-based security
US8833437B2 (en) 2009-05-06 2014-09-16 Holtec International, Inc. Heat exchanger apparatus for converting a shell-side liquid into a vapor
US8904190B2 (en) 2010-10-20 2014-12-02 Advanced Micro Devices, Inc. Method and apparatus including architecture for protecting sensitive code and data
US20120185699A1 (en) * 2011-01-14 2012-07-19 International Business Machines Corporation Space-efficient encryption with multi-block binding
WO2012164721A1 (ja) * 2011-06-02 2012-12-06 三菱電機株式会社 鍵情報生成装置及び鍵情報生成方法
JP5316592B2 (ja) 2011-06-09 2013-10-16 富士通セミコンダクター株式会社 セキュアプロセッサ用プログラム
KR101323858B1 (ko) 2011-06-22 2013-11-21 한국과학기술원 가상화 시스템에서 메모리 접근을 제어하는 장치 및 방법
US8681813B2 (en) * 2011-11-29 2014-03-25 Wyse Technology L.L.C. Bandwidth optimization for remote desktop protocol
EP4036721B1 (en) 2012-06-26 2025-03-26 Lynx Software Technologies Inc. Systems and methods involving features of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, rootkit detection prevention and further features
US8910238B2 (en) 2012-11-13 2014-12-09 Bitdefender IPR Management Ltd. Hypervisor-based enterprise endpoint protection
WO2014081611A2 (en) 2012-11-20 2014-05-30 Unisys Corporation Error recovery in securely partitioned virtualization system with dedicated resources
US8931108B2 (en) 2013-02-18 2015-01-06 Qualcomm Incorporated Hardware enforced content protection for graphics processing units
US9792448B2 (en) 2014-02-28 2017-10-17 Advanced Micro Devices, Inc. Cryptographic protection of information in a processing system
US9483639B2 (en) 2014-03-13 2016-11-01 Unisys Corporation Service partition virtualization system and method having a secure application
US9390267B2 (en) 2014-05-15 2016-07-12 Lynx Software Technologies, Inc. Systems and methods involving features of hardware virtualization, hypervisor, pages of interest, and/or other features
US9251090B1 (en) 2014-06-03 2016-02-02 Amazon Technologies, Inc. Hypervisor assisted virtual memory obfuscation
US9454497B2 (en) 2014-08-15 2016-09-27 Intel Corporation Technologies for secure inter-virtual-machine shared memory communication
US9672354B2 (en) 2014-08-18 2017-06-06 Bitdefender IPR Management Ltd. Systems and methods for exposing a result of a current processor instruction upon exiting a virtual machine
US9305661B2 (en) 2014-09-03 2016-04-05 Microsemi Storage Solutions (U.S.), Inc. Nonvolatile memory system that uses programming time to reduce bit errors
CN105512559B (zh) 2014-10-17 2019-09-17 阿里巴巴集团控股有限公司 一种用于提供访问页面的方法与设备
WO2016097954A1 (en) 2014-12-15 2016-06-23 International Business Machines Corporation System and method for supporting secure objects using memory access control monitor
US10599458B2 (en) 2015-01-23 2020-03-24 Unisys Corporation Fabric computing system having an embedded software defined network
US10157146B2 (en) 2015-02-12 2018-12-18 Red Hat Israel, Ltd. Local access DMA with shared memory pool
US9842065B2 (en) 2015-06-15 2017-12-12 Intel Corporation Virtualization-based platform protection technology
US9720721B2 (en) 2015-07-01 2017-08-01 International Business Machines Corporation Protected guests in a hypervisor controlled system
US9942035B2 (en) 2015-08-18 2018-04-10 Intel Corporation Platform migration of secure enclaves
US10742603B2 (en) 2015-08-26 2020-08-11 B. G. Negev Technologies And Applications Ltd., At Ben-Gurion University System and method for monitoring and protecting an untrusted operating system by means of a trusted operating system
US9841987B2 (en) 2015-12-17 2017-12-12 International Business Machines Corporation Transparent secure interception handling
US10116630B2 (en) 2016-04-04 2018-10-30 Bitdefender IPR Management Ltd. Systems and methods for decrypting network traffic in a virtualized environment
WO2017211651A1 (en) 2016-06-08 2017-12-14 Thomson Licensing Devices and methods for core dump deduplication
US10237245B2 (en) 2016-07-15 2019-03-19 International Business Machines Corporation Restricting guest instances in a shared environment
US10303899B2 (en) * 2016-08-11 2019-05-28 Intel Corporation Secure public cloud with protected guest-verified host control
US10176122B2 (en) 2016-10-19 2019-01-08 Advanced Micro Devices, Inc. Direct memory access authorization in a processing system
US10169577B1 (en) 2017-03-28 2019-01-01 Symantec Corporation Systems and methods for detecting modification attacks on shared physical memory
KR102257320B1 (ko) 2017-03-29 2021-05-27 어드밴스드 마이크로 디바이시즈, 인코포레이티드 하이퍼바이저 및 가상 머신 간 메모리 페이지 이행의 모니터링
US20180341529A1 (en) 2017-05-26 2018-11-29 Microsoft Technology Licensing, Llc Hypervisor-based secure container
US10693844B2 (en) 2017-08-24 2020-06-23 Red Hat, Inc. Efficient migration for encrypted virtual machines by active page copying
US11347869B2 (en) 2019-03-08 2022-05-31 International Business Machines Corporation Secure interface control high-level page management
US11403409B2 (en) 2019-03-08 2022-08-02 International Business Machines Corporation Program interruptions for page importing/exporting

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107346401A (zh) * 2016-05-06 2017-11-14 波音公司 用于安全地执行程序的信息保障系统

Also Published As

Publication number Publication date
DE112020000286T5 (de) 2021-09-09
DE112020000286B4 (de) 2024-07-25
WO2020183308A1 (en) 2020-09-17
US20200287709A1 (en) 2020-09-10
GB2594905A (en) 2021-11-10
JP2022522664A (ja) 2022-04-20
JP7410161B2 (ja) 2024-01-09
GB2594905B (en) 2022-04-20
CN113544652A (zh) 2021-10-22
US11206128B2 (en) 2021-12-21
GB202113007D0 (en) 2021-10-27

Similar Documents

Publication Publication Date Title
CN113544686B (zh) 安全域和不安全实体之间的存储共享
CN113544652B (zh) 具有页改变检测的安全分页
CN113544644B (zh) 跨多个安全域共享安全存储器
CN113597609B (zh) 用于安全接口控件存储的主机虚拟地址空间
CN113544680B (zh) 用于页导入/导出的程序中断
CN113544645B (zh) 在安全虚拟机环境中测试存储保护硬件
US11182192B2 (en) Controlling access to secure storage of a virtual machine
CN113544655A (zh) 安全接口控件安全存储硬件标记
CN113544654B (zh) 安全接口控件高级页管理
WO2020183311A1 (en) Secure storage query and donation
AU2020237597B2 (en) Secure interface control high-level instruction interception for interruption enablement
HK40057847B (zh) 安全存储隔离

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant