DE112020000223B4 - Storage sharing between a secure domain and a non-secure entity - Google Patents

Storage sharing between a secure domain and a non-secure entity

Info

Publication number
DE112020000223B4
Authority
DE
Germany
Prior art keywords
secure
page
entity
guest
access
Prior art date
Legal status
Active
Application number
DE112020000223.3T
Other languages
German (de)
English (en)
Other versions
DE112020000223T5 (de)
Inventor
Lisa Cranton Heller
Fadi Busada
Jonathan Bradbury
Current Assignee
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date
2019-03-08
Filing date
2020-03-02
Publication date
2024-03-07
Application filed by International Business Machines Corp
Publication of DE112020000223T5
Application granted
Publication of DE112020000223B4
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
      • G06 COMPUTING OR CALCULATING; COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/44 Arrangements for executing specific programs
                • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                  • G06F9/45533 Hypervisors; Virtual machine monitors
                    • G06F9/45558 Hypervisor-specific management and integration aspects
                      • G06F2009/45583 Memory management, e.g. access or allocation
                      • G06F2009/45587 Isolation or security of virtual machine instances
          • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
            • G06F12/02 Addressing or allocation; Relocation
              • G06F12/08 Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
                • G06F12/0802 Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
                  • G06F12/0877 Cache access modes
                    • G06F12/0882 Page mode
                • G06F12/10 Address translation
                  • G06F12/109 Address translation for multiple virtual address spaces, e.g. segmentation
            • G06F12/14 Protection against unauthorised use of memory or access to memory
              • G06F12/1408 Protection against unauthorised use of memory or access to memory by using cryptography
              • G06F12/1458 Protection against unauthorised use of memory or access to memory by checking the subject access rights
                • G06F12/1466 Key-lock mechanism
                  • G06F12/1475 Key-lock mechanism in a virtual system, e.g. with translation means
                • G06F12/1483 Protection against unauthorised use of memory or access to memory by checking the subject access rights using an access-table, e.g. matrix or list
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/60 Protecting data
              • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
            • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
              • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
                • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
              • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
                • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
          • G06F2212/00 Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
            • G06F2212/10 Providing a specific technical effect
              • G06F2212/1016 Performance improvement
              • G06F2212/1052 Security improvement
            • G06F2212/15 Use in a specific computing environment
              • G06F2212/151 Emulated environment, e.g. virtual machine
            • G06F2212/65 Details of virtual memory and virtual address translation
              • G06F2212/651 Multi-level translation tables
              • G06F2212/656 Address space sharing
              • G06F2212/657 Virtual address space management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Mathematical Physics (AREA)
  • Databases & Information Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US16/296,308 US11487906B2 (en) 2019-03-08 2019-03-08 Storage sharing between a secure domain and a non-secure entity
US16/296,308 2019-03-08
PCT/IB2020/051753 WO2020183283A1 (en) 2019-03-08 2020-03-02 Storage sharing between a secure domain and a non-secure entity

Publications (2)

Publication Number Language Publication Date
DE112020000223T5 (de) 2021-08-26
DE112020000223B4 (de) 2024-03-07

Family

ID=72334971

Family Applications (1)

Application Number Title Priority Date Filing Date
DE112020000223.3T Active DE112020000223B4 (de) 2019-03-08 2020-03-02 Storage sharing between a secure domain and a non-secure entity

Country Status (6)

Country Publication
US (1) US11487906B2
JP (1) JP7379512B2
CN (1) CN113544686B
DE (1) DE112020000223B4
GB (1) GB2596242B
WO (1) WO2020183283A1

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11640361B2 (en) 2019-03-08 2023-05-02 International Business Machines Corporation Sharing secure memory across multiple security domains
US11308215B2 (en) * 2019-03-08 2022-04-19 International Business Machines Corporation Secure interface control high-level instruction interception for interruption enablement
US11347529B2 (en) 2019-03-08 2022-05-31 International Business Machines Corporation Inject interrupts and exceptions into secure virtual machine
US11176054B2 (en) 2019-03-08 2021-11-16 International Business Machines Corporation Host virtual address space for secure interface control storage
US11068310B2 (en) * 2019-03-08 2021-07-20 International Business Machines Corporation Secure storage query and donation
US11552943B2 (en) * 2020-11-13 2023-01-10 Cyberark Software Ltd. Native remote access to target resources using secretless connections
US12511421B2 (en) 2020-12-29 2025-12-30 Mongodb, Inc. Systems and methods for end-to end-encryption with encrypted multi-maps
US12511422B2 (en) 2020-12-29 2025-12-30 Mongodb, Inc. Systems and methods for end-to end-encryption with encrypted multi-maps
US12511423B2 (en) 2020-12-29 2025-12-30 Mongodb, Inc. Systems and methods for end-to end-encryption with encrypted multi-maps
US12039073B2 (en) * 2020-12-29 2024-07-16 Mongodb, Inc. Systems and methods using emulation for end to end encryption
US12430449B2 (en) 2021-12-07 2025-09-30 Mongodb, Inc. Systems and methods for hiding response volume with encrypted multi-maps
DE102024200771A1 (de) 2024-01-29 2025-07-31 Robert Bosch Gesellschaft mit beschränkter Haftung Access to a security functionality in a computing unit by an application

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150089173A1 (en) 2013-09-24 2015-03-26 Siddhartha Chhabra Secure memory repartitioning
US20180189190A1 (en) 2016-07-29 2018-07-05 Advanced Micro Devices, Inc. Controlling Access to Pages in a Memory in a Computing Device

Family Cites Families (47)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4787031A (en) 1985-01-04 1988-11-22 Digital Equipment Corporation Computer with virtual machine mode and multiple protection rings
JP3657665B2 (ja) 1995-02-14 2005-06-08 Fujitsu Limited Multiple computer systems coupled to a shared memory, and method for controlling multiple computer systems coupled to a shared memory
US6314501B1 (en) 1998-07-23 2001-11-06 Unisys Corporation Computer system and method for operating multiple operating systems in different partitions of the computer system and for allowing the different partitions to communicate with one another through shared memory
JP4220476B2 (ja) 2002-11-18 2009-02-04 ARM Limited Virtual-to-physical memory address mapping in a system having secure and non-secure domains
WO2005036367A2 (en) 2003-10-08 2005-04-21 Unisys Corporation Virtual data center that allocates and manages system resources across multiple nodes
US20050102670A1 (en) 2003-10-21 2005-05-12 Bretl Robert F. Shared object memory with object management for multiple virtual machines
US10768958B2 (en) * 2004-11-17 2020-09-08 Vmware, Inc. Using virtual local area networks in a virtual computer system
US7814307B2 (en) 2006-03-16 2010-10-12 Microsoft Corporation Fast booting a computing device to a specialized experience
US7610481B2 (en) 2006-04-19 2009-10-27 Intel Corporation Method and apparatus to support independent systems in partitions of a processing system
JP4952308B2 (ja) 2007-03-09 2012-06-13 NEC Corporation Memory sharing system, method, and program
US8261265B2 (en) 2007-10-30 2012-09-04 Vmware, Inc. Transparent VMM-assisted user-mode execution control transfer
US8527715B2 (en) 2008-02-26 2013-09-03 International Business Machines Corporation Providing a shared memory translation facility
GB2460393B (en) * 2008-02-29 2012-03-28 Advanced Risc Mach Ltd A data processing apparatus and method for controlling access to secure memory by virtual machines executing on processing circuitry
US8041877B2 (en) * 2008-06-09 2011-10-18 International Business Machines Corporation Distributed computing utilizing virtual memory having a shared paging space
US8006043B2 (en) 2008-10-06 2011-08-23 Vmware, Inc. System and method for maintaining memory page sharing in a virtual environment
US20100161879A1 (en) 2008-12-18 2010-06-24 Lsi Corporation Efficient and Secure Main Memory Sharing Across Multiple Processors
US8738932B2 (en) 2009-01-16 2014-05-27 Teleputers, Llc System and method for processor-based security
US20110202740A1 (en) * 2010-02-17 2011-08-18 Arm Limited Storing secure page table data in secure and non-secure regions of memory
US9405700B2 (en) 2010-11-04 2016-08-02 Sonics, Inc. Methods and apparatus for virtualization in an integrated circuit
US8984478B2 (en) 2011-10-03 2015-03-17 Cisco Technology, Inc. Reorganization of virtualized computer programs
AU2013297064B2 (en) * 2012-08-03 2016-06-16 North Carolina State University Methods, systems, and computer readable medium for active monitoring, memory protection and integrity verification of target devices
US10198572B2 (en) * 2013-09-17 2019-02-05 Microsoft Technology Licensing, Llc Virtual machine manager facilitated selective code integrity enforcement
US9117081B2 (en) * 2013-12-20 2015-08-25 Bitdefender IPR Management Ltd. Strongly isolated malware scanning using secure virtual containers
US9483639B2 (en) 2014-03-13 2016-11-01 Unisys Corporation Service partition virtualization system and method having a secure application
US9652631B2 (en) * 2014-05-05 2017-05-16 Microsoft Technology Licensing, Llc Secure transport of encrypted virtual machines with continuous owner access
KR20150128328A (ko) 2014-05-09 2015-11-18 Electronics and Telecommunications Research Institute Method for providing an evidence collection tool, and apparatus and method for securing evidence data on a domain-separation-based mobile device
US9792222B2 (en) 2014-06-27 2017-10-17 Intel Corporation Validating virtual address translation by virtual machine monitor utilizing address validation structure to validate tentative guest physical address and aborting based on flag in extended page table requiring an expected guest physical address in the address validation structure
WO2016006806A1 (ko) 2014-07-08 2016-01-14 Kim Jin-sook Panties for pregnant women
US9454497B2 (en) 2014-08-15 2016-09-27 Intel Corporation Technologies for secure inter-virtual-machine shared memory communication
US10599458B2 (en) 2015-01-23 2020-03-24 Unisys Corporation Fabric computing system having an embedded software defined network
US10503405B2 (en) * 2015-02-10 2019-12-10 Red Hat Israel, Ltd. Zero copy memory reclaim using copy-on-write
US9870324B2 (en) 2015-04-09 2018-01-16 Vmware, Inc. Isolating guest code and data using multiple nested page tables
KR102327782B1 (ko) 2015-05-29 2021-11-18 Korea Advanced Institute of Science and Technology Electronic device and method for accessing kernel data
GB2539435B8 (en) 2015-06-16 2018-02-21 Advanced Risc Mach Ltd Data processing memory access control, in which an owning process for a region of memory is specified independently of privilege level
CN106341369A (zh) * 2015-07-06 2017-01-18 Shenzhen ZTE Microelectronics Technology Co., Ltd. Security control method and device
US20170063544A1 (en) 2015-08-26 2017-03-02 Rubicon Labs, Inc. System and method for sharing data securely
US9792143B1 (en) * 2015-10-23 2017-10-17 Amazon Technologies, Inc. Platform secure execution modes
US20170357592A1 (en) 2016-06-09 2017-12-14 Vmware, Inc. Enhanced-security page sharing in a virtualized computer system
US10176115B2 (en) * 2016-07-14 2019-01-08 International Business Machines Corporation Shared memory in a virtual environment
US10303899B2 (en) 2016-08-11 2019-05-28 Intel Corporation Secure public cloud with protected guest-verified host control
US10713177B2 (en) * 2016-09-09 2020-07-14 Intel Corporation Defining virtualized page attributes based on guest page attributes
KR102511451B1 (ko) * 2016-11-09 2023-03-17 Samsung Electronics Co., Ltd. Computing system for securely executing a security application in a rich execution environment
US10169088B2 (en) * 2016-11-29 2019-01-01 Red Hat Israel, Ltd. Lockless free memory ballooning for virtual machines
US10447717B2 (en) 2017-01-28 2019-10-15 Qualcomm Incorporated Network attack detection using multi-path verification
US10761996B2 (en) 2018-09-28 2020-09-01 Intel Corporation Apparatus and method for secure memory access using trust domains
CN120448113A (zh) 2018-11-08 2025-08-08 Intel Corporation Function-as-a-service (FaaS) system enhancements
US11461244B2 (en) 2018-12-20 2022-10-04 Intel Corporation Co-existence of trust domain architecture with multi-key total memory encryption technology in servers

Also Published As

Publication number Publication date
US11487906B2 (en) 2022-11-01
JP7379512B2 (ja) 2023-11-14
GB202112700D0 (en) 2021-10-20
CN113544686A (zh) 2021-10-22
GB2596242A (en) 2021-12-22
CN113544686B (zh) 2025-07-25
GB2596242B (en) 2022-12-07
JP2022522731A (ja) 2022-04-20
DE112020000223T5 (de) 2021-08-26
WO2020183283A1 (en) 2020-09-17
US20200285777A1 (en) 2020-09-10

Similar Documents

Publication Publication Date Title
DE112020000223B4 (de) Storage sharing between a secure domain and a non-secure entity
DE112020000286B4 (de) Secure paging-in/paging-out with page change detection
DE102011103218B4 (de) Systems, methods and apparatus for virtualizing TPM accesses
DE112020000303T5 (de) Testing memory protection hardware in a secure virtual machine environment
DE112020000285T5 (de) Program interruptions for page import/export
DE102018123710A1 (de) Cryptographic memory ownership table for a secure public cloud
DE112020000289T5 (de) Secure storage query and donation
DE112020000280B4 (de) Transparent interpretation of guest instructions in a secure virtual machine environment
TWI751492B (zh) Computer-implemented method, computer system and computer program product for sharing secure memory across multiple security domains
DE102016222861B4 (de) Transparent, secure execution of retrieval operations
CN113597609B (zh) Host virtual address space for secure interface control storage
DE112008002888T5 (de) Hardware device interface supporting transaction authentication
DE112020004699T5 (de) Protecting workloads in Kubernetes
KR102789374B1 (ko) Secure interface control secure storage hardware tagging
US11182192B2 (en) Controlling access to secure storage of a virtual machine
DE112020005517T5 (de) Process-based virtualization system for executing a secure application process
DE112020005526T5 (de) Reserving one or more security modules for a secure guest
DE102018115251A1 (de) Technologies for protecting virtual machine memory
KR102774738B1 (ko) Secure interface control high-level page management
EP3935495B1 (en) Secure storage isolation
DE102022109195B4 (de) Configuration of instances with instance metadata stored in virtual security processors
DE112021006005T5 (de) Filtering of auxiliary processor instruction types
HK40057638A (en) Secure interface control secure storage hardware tagging
HK40057240A (en) Secure interface control high-level instruction interception for interruption enablement

Legal Events

Date Code Title Description
R012 Request for examination validly filed
R016 Response to examination communication
R018 Grant decision by examination section/examining division
R020 Patent grant now final