DE112020000286B4 - Sicheres ein-/auslagern mit seitenänderungserkennung - Google Patents

Sicheres ein-/auslagern mit seitenänderungserkennung Download PDF

Info

Publication number
DE112020000286B4
DE112020000286B4 DE112020000286.1T DE112020000286T DE112020000286B4 DE 112020000286 B4 DE112020000286 B4 DE 112020000286B4 DE 112020000286 T DE112020000286 T DE 112020000286T DE 112020000286 B4 DE112020000286 B4 DE 112020000286B4
Authority
DE
Germany
Prior art keywords
secure
page
hash value
value
host
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
DE112020000286.1T
Other languages
German (de)
English (en)
Other versions
DE112020000286T5 (de
Inventor
Jonathan Bradbury
Christian Borntraeger
Heiko Carstens
Martin Schwidefsky
Reinhard Buendgen
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Publication of DE112020000286T5 publication Critical patent/DE112020000286T5/de
Application granted granted Critical
Publication of DE112020000286B4 publication Critical patent/DE112020000286B4/de
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1408Protection against unauthorised use of memory or access to memory by using cryptography
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1416Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F12/1425Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being physical, e.g. cell, word, block
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1416Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F12/145Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being virtual, e.g. for virtual blocks or segments before a translation mechanism
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3239Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10Providing a specific technical effect
    • G06F2212/1052Security improvement
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/15Use in a specific computing environment
    • G06F2212/151Emulated environment, e.g. virtual machine

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Power Engineering (AREA)
  • Storage Device Security (AREA)
DE112020000286.1T 2019-03-08 2020-03-06 Sicheres ein-/auslagern mit seitenänderungserkennung Active DE112020000286B4 (de)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US16/296,303 US11206128B2 (en) 2019-03-08 2019-03-08 Secure paging with page change detection
US16/296,303 2019-03-08
PCT/IB2020/051941 WO2020183308A1 (en) 2019-03-08 2020-03-06 Secure paging with page change detection

Publications (2)

Publication Number Publication Date
DE112020000286T5 DE112020000286T5 (de) 2021-09-09
DE112020000286B4 true DE112020000286B4 (de) 2024-07-25

Family

ID=72335881

Family Applications (1)

Application Number Title Priority Date Filing Date
DE112020000286.1T Active DE112020000286B4 (de) 2019-03-08 2020-03-06 Sicheres ein-/auslagern mit seitenänderungserkennung

Country Status (6)

Country Link
US (1) US11206128B2 (https=)
JP (1) JP7410161B2 (https=)
CN (1) CN113544652B (https=)
DE (1) DE112020000286B4 (https=)
GB (1) GB2594905B (https=)
WO (1) WO2020183308A1 (https=)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11308215B2 (en) * 2019-03-08 2022-04-19 International Business Machines Corporation Secure interface control high-level instruction interception for interruption enablement
US11347529B2 (en) 2019-03-08 2022-05-31 International Business Machines Corporation Inject interrupts and exceptions into secure virtual machine
US11347869B2 (en) 2019-03-08 2022-05-31 International Business Machines Corporation Secure interface control high-level page management
US11971993B2 (en) * 2021-06-01 2024-04-30 Microsoft Technology Licensing, Llc Firmware-based secure tenancy transfer
US20230188324A1 (en) * 2021-12-09 2023-06-15 Sap Se Initialization vector handling under group-level encryption
US12487759B1 (en) * 2022-03-31 2025-12-02 Amazon Technologies, Inc. Secure monitors for memory page protection
US12436790B2 (en) * 2022-04-22 2025-10-07 Red Hat, Inc. Scalable asynchronous communication for encrypted virtual machines
US12443429B2 (en) * 2022-08-30 2025-10-14 Red Hat, Inc. Memory deduplication for encrypted virtual machines

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160246736A1 (en) 2009-01-16 2016-08-25 Teleputers, Llc System and Method for Processor-Based Security

Family Cites Families (53)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5343527A (en) 1993-10-27 1994-08-30 International Business Machines Corporation Hybrid encryption method and system for protecting reusable software components
US5757919A (en) * 1996-12-12 1998-05-26 Intel Corporation Cryptographically protected paging subsystem
US6021201A (en) 1997-01-07 2000-02-01 Intel Corporation Method and apparatus for integrated ciphering and hashing
US6983365B1 (en) 2000-05-05 2006-01-03 Microsoft Corporation Encryption systems and methods for identifying and coalescing identical objects encrypted with different keys
US6996748B2 (en) 2002-06-29 2006-02-07 Intel Corporation Handling faults associated with operation of guest software in the virtual-machine architecture
WO2005036367A2 (en) 2003-10-08 2005-04-21 Unisys Corporation Virtual data center that allocates and manages system resources across multiple nodes
EP1870814B1 (en) 2006-06-19 2014-08-13 Texas Instruments France Method and apparatus for secure demand paging for processor devices
US7653819B2 (en) 2004-10-01 2010-01-26 Lenovo Singapore Pte Ltd. Scalable paging of platform configuration registers
US20070106986A1 (en) * 2005-10-25 2007-05-10 Worley William S Jr Secure virtual-machine monitor
US7886363B2 (en) 2006-05-24 2011-02-08 Noam Camiel System and method for virtual memory and securing memory in programming languages
EP1870813B1 (en) 2006-06-19 2013-01-30 Texas Instruments France Page processing circuits, devices, methods and systems for secure demand paging and other operations
US20080077767A1 (en) 2006-09-27 2008-03-27 Khosravi Hormuzd M Method and apparatus for secure page swapping in virtual memory systems
US8261265B2 (en) 2007-10-30 2012-09-04 Vmware, Inc. Transparent VMM-assisted user-mode execution control transfer
GB2460393B (en) 2008-02-29 2012-03-28 Advanced Risc Mach Ltd A data processing apparatus and method for controlling access to secure memory by virtual machines executing on processing circuitry
US8833437B2 (en) 2009-05-06 2014-09-16 Holtec International, Inc. Heat exchanger apparatus for converting a shell-side liquid into a vapor
US8904190B2 (en) 2010-10-20 2014-12-02 Advanced Micro Devices, Inc. Method and apparatus including architecture for protecting sensitive code and data
US20120185699A1 (en) * 2011-01-14 2012-07-19 International Business Machines Corporation Space-efficient encryption with multi-block binding
WO2012164721A1 (ja) * 2011-06-02 2012-12-06 三菱電機株式会社 鍵情報生成装置及び鍵情報生成方法
JP5316592B2 (ja) 2011-06-09 2013-10-16 富士通セミコンダクター株式会社 セキュアプロセッサ用プログラム
KR101323858B1 (ko) 2011-06-22 2013-11-21 한국과학기술원 가상화 시스템에서 메모리 접근을 제어하는 장치 및 방법
US8681813B2 (en) * 2011-11-29 2014-03-25 Wyse Technology L.L.C. Bandwidth optimization for remote desktop protocol
EP4036721B1 (en) 2012-06-26 2025-03-26 Lynx Software Technologies Inc. Systems and methods involving features of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, rootkit detection prevention and further features
US8910238B2 (en) 2012-11-13 2014-12-09 Bitdefender IPR Management Ltd. Hypervisor-based enterprise endpoint protection
WO2014081611A2 (en) 2012-11-20 2014-05-30 Unisys Corporation Error recovery in securely partitioned virtualization system with dedicated resources
US8931108B2 (en) 2013-02-18 2015-01-06 Qualcomm Incorporated Hardware enforced content protection for graphics processing units
US9792448B2 (en) 2014-02-28 2017-10-17 Advanced Micro Devices, Inc. Cryptographic protection of information in a processing system
US9483639B2 (en) 2014-03-13 2016-11-01 Unisys Corporation Service partition virtualization system and method having a secure application
US9390267B2 (en) 2014-05-15 2016-07-12 Lynx Software Technologies, Inc. Systems and methods involving features of hardware virtualization, hypervisor, pages of interest, and/or other features
US9251090B1 (en) 2014-06-03 2016-02-02 Amazon Technologies, Inc. Hypervisor assisted virtual memory obfuscation
US9454497B2 (en) 2014-08-15 2016-09-27 Intel Corporation Technologies for secure inter-virtual-machine shared memory communication
US9672354B2 (en) 2014-08-18 2017-06-06 Bitdefender IPR Management Ltd. Systems and methods for exposing a result of a current processor instruction upon exiting a virtual machine
US9305661B2 (en) 2014-09-03 2016-04-05 Microsemi Storage Solutions (U.S.), Inc. Nonvolatile memory system that uses programming time to reduce bit errors
CN105512559B (zh) 2014-10-17 2019-09-17 阿里巴巴集团控股有限公司 一种用于提供访问页面的方法与设备
WO2016097954A1 (en) 2014-12-15 2016-06-23 International Business Machines Corporation System and method for supporting secure objects using memory access control monitor
US10599458B2 (en) 2015-01-23 2020-03-24 Unisys Corporation Fabric computing system having an embedded software defined network
US10157146B2 (en) 2015-02-12 2018-12-18 Red Hat Israel, Ltd. Local access DMA with shared memory pool
US9842065B2 (en) 2015-06-15 2017-12-12 Intel Corporation Virtualization-based platform protection technology
US9720721B2 (en) 2015-07-01 2017-08-01 International Business Machines Corporation Protected guests in a hypervisor controlled system
US9942035B2 (en) 2015-08-18 2018-04-10 Intel Corporation Platform migration of secure enclaves
US10742603B2 (en) 2015-08-26 2020-08-11 B. G. Negev Technologies And Applications Ltd., At Ben-Gurion University System and method for monitoring and protecting an untrusted operating system by means of a trusted operating system
US9841987B2 (en) 2015-12-17 2017-12-12 International Business Machines Corporation Transparent secure interception handling
US10116630B2 (en) 2016-04-04 2018-10-30 Bitdefender IPR Management Ltd. Systems and methods for decrypting network traffic in a virtualized environment
US10210323B2 (en) * 2016-05-06 2019-02-19 The Boeing Company Information assurance system for secure program execution
WO2017211651A1 (en) 2016-06-08 2017-12-14 Thomson Licensing Devices and methods for core dump deduplication
US10237245B2 (en) 2016-07-15 2019-03-19 International Business Machines Corporation Restricting guest instances in a shared environment
US10303899B2 (en) * 2016-08-11 2019-05-28 Intel Corporation Secure public cloud with protected guest-verified host control
US10176122B2 (en) 2016-10-19 2019-01-08 Advanced Micro Devices, Inc. Direct memory access authorization in a processing system
US10169577B1 (en) 2017-03-28 2019-01-01 Symantec Corporation Systems and methods for detecting modification attacks on shared physical memory
KR102257320B1 (ko) 2017-03-29 2021-05-27 어드밴스드 마이크로 디바이시즈, 인코포레이티드 하이퍼바이저 및 가상 머신 간 메모리 페이지 이행의 모니터링
US20180341529A1 (en) 2017-05-26 2018-11-29 Microsoft Technology Licensing, Llc Hypervisor-based secure container
US10693844B2 (en) 2017-08-24 2020-06-23 Red Hat, Inc. Efficient migration for encrypted virtual machines by active page copying
US11347869B2 (en) 2019-03-08 2022-05-31 International Business Machines Corporation Secure interface control high-level page management
US11403409B2 (en) 2019-03-08 2022-08-02 International Business Machines Corporation Program interruptions for page importing/exporting

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160246736A1 (en) 2009-01-16 2016-08-25 Teleputers, Llc System and Method for Processor-Based Security

Also Published As

Publication number Publication date
CN113544652B (zh) 2025-06-20
DE112020000286T5 (de) 2021-09-09
WO2020183308A1 (en) 2020-09-17
US20200287709A1 (en) 2020-09-10
GB2594905A (en) 2021-11-10
JP2022522664A (ja) 2022-04-20
JP7410161B2 (ja) 2024-01-09
GB2594905B (en) 2022-04-20
CN113544652A (zh) 2021-10-22
US11206128B2 (en) 2021-12-21
GB202113007D0 (en) 2021-10-27

Similar Documents

Publication Publication Date Title
DE112020000286B4 (de) Sicheres ein-/auslagern mit seitenänderungserkennung
DE112020000223B4 (de) Gemeinsame speichernutzung zwischen einer sicheren domäne und einer nicht sicheren entität
DE102011103218B4 (de) Systeme, Verfahren und Vorrichtung zum Virtualisieren von TPM- Zugriffen
DE112020000303T5 (de) Testen von speicherschutz-hardware in einer umgebung einer sicheren virtuellen maschine
DE112020000285T5 (de) Programmunterbrechungen für Seiten-Import/-Export
DE112015001977B4 (de) Synchronisieren von Aktualisierungen von Statusanzeigern in einer Datenverarbeitungsumgebung
DE102018123710A1 (de) Kryptografische Speicherinhaberschaftstabelle für eine sichere öffentliche Cloud
DE112020000289T5 (de) Abfrage und überlassung von sicherem speicher
KR102738488B1 (ko) 여러 보안 도메인들에 걸친 보안 메모리의 공유
CN113597609B (zh) 用于安全接口控件存储的主机虚拟地址空间
DE112020000280B4 (de) Transparente interpretation von gastbefehlen in einer sicheren virtuellen maschinenumgebung
DE112008002888T5 (de) Hardwarevorrichtungsschnittstelle, die Transaktionsauthentifizierung unterstützt
KR102789374B1 (ko) 보안 인터페이스 컨트롤 보안 스토리지 하드웨어 태깅
DE112020005517T5 (de) Prozessgestütztes virtualisierungssystem zum ausführen eines sicheren anwendungsprozesses
DE102018115251A1 (de) Technologien zum Schutz eines virtuellen Maschinenspeichers
KR102774738B1 (ko) 보안 인터페이스 컨트롤 고-레벨 페이지 관리
CN113544646B (zh) 安全存储隔离
JP7525234B2 (ja) セキュア・インターフェース・コントロールの通信インターフェース
DE102022109195B4 (de) Konfiguration von instanzen mit instanz-metadaten, die in virtuellen sicherheitsprozessoren gespeichert sind
DE112020000930T5 (de) Daten verschieben und speicherschlüssel auf grundlage vonschlüsselfunktionskontrolle festlegen
DE112021006005T5 (de) Filtern von zusatzprozessor-befehlstypen
HK40057240A (en) Secure interface control high-level instruction interception for interruption enablement
HK40057638A (en) Secure interface control secure storage hardware tagging
HK40057847A (en) Secure storage isolation
HK40057638B (zh) 安全接口控件安全存储硬件标记

Legal Events

Date Code Title Description
R012 Request for examination validly filed
R016 Response to examination communication
R018 Grant decision by examination section/examining division
R020 Patent grant now final