JP7546602B2 - オペレーティング・システム・カーネルの分離されたアドレス空間におけるシステム・コールの実行 - Google Patents

オペレーティング・システム・カーネルの分離されたアドレス空間におけるシステム・コールの実行 Download PDF

Info

Publication number
JP7546602B2
JP7546602B2 JP2021568575A JP2021568575A JP7546602B2 JP 7546602 B2 JP7546602 B2 JP 7546602B2 JP 2021568575 A JP2021568575 A JP 2021568575A JP 2021568575 A JP2021568575 A JP 2021568575A JP 7546602 B2 JP7546602 B2 JP 7546602B2
Authority
JP
Japan
Prior art keywords
system call
page table
kernel
access
user space
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
JP2021568575A
Other languages
English (en)
Japanese (ja)
Other versions
JP2022534685A (ja
JP2022534685A5 (https=
JPWO2020234155A5 (https=
Inventor
ラポポート、マイケル
ニーダー、ジョエル、ケリー
ボトムリー、ジェームス
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Publication of JP2022534685A publication Critical patent/JP2022534685A/ja
Publication of JP2022534685A5 publication Critical patent/JP2022534685A5/ja
Publication of JPWO2020234155A5 publication Critical patent/JPWO2020234155A5/ja
Application granted granted Critical
Publication of JP7546602B2 publication Critical patent/JP7546602B2/ja
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • G06F9/545Interprogram communication where tasks reside in different layers, e.g. user- and kernel-space
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02Addressing or allocation; Relocation
    • G06F12/08Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • G06F12/10Address translation
    • G06F12/1009Address translation using page tables, e.g. page table structures
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1416Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F12/145Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights the protection being virtual, e.g. for virtual blocks or segments before a translation mechanism
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1458Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • G06F12/1491Protection against unauthorised use of memory or access to memory by checking the subject access rights in a hierarchical protection system, e.g. privilege levels, memory rings
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/30Arrangements for executing machine instructions, e.g. instruction decode
    • G06F9/30003Arrangements for executing specific machine instructions
    • G06F9/3004Arrangements for executing specific machine instructions to perform operations on memory
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/4401Bootstrapping
    • G06F9/4406Loading of operating system
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/468Specific access rights for resources, e.g. using capability register
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10Providing a specific technical effect
    • G06F2212/1052Security improvement

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)
  • Hardware Redundancy (AREA)
  • Bus Control (AREA)
JP2021568575A 2019-05-19 2020-05-15 オペレーティング・システム・カーネルの分離されたアドレス空間におけるシステム・コールの実行 Active JP7546602B2 (ja)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US16/416,229 US11194639B2 (en) 2019-05-19 2019-05-19 Executing system calls in isolated address space in operating system kernel
US16/416,229 2019-05-19
PCT/EP2020/063618 WO2020234155A1 (en) 2019-05-19 2020-05-15 Executing system calls in isolated address space in operating system kernel

Publications (4)

Publication Number Publication Date
JP2022534685A JP2022534685A (ja) 2022-08-03
JP2022534685A5 JP2022534685A5 (https=) 2022-10-24
JPWO2020234155A5 JPWO2020234155A5 (https=) 2022-10-24
JP7546602B2 true JP7546602B2 (ja) 2024-09-06

Family

ID=70779711

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2021568575A Active JP7546602B2 (ja) 2019-05-19 2020-05-15 オペレーティング・システム・カーネルの分離されたアドレス空間におけるシステム・コールの実行

Country Status (12)

Country Link
US (1) US11194639B2 (https=)
EP (1) EP3973393B1 (https=)
JP (1) JP7546602B2 (https=)
KR (1) KR102612503B1 (https=)
CN (1) CN113711182B (https=)
AU (1) AU2020277632B2 (https=)
BR (1) BR112021023258A2 (https=)
CA (1) CA3137259A1 (https=)
IL (1) IL288057B2 (https=)
MX (1) MX2021013230A (https=)
SG (1) SG11202110222XA (https=)
WO (1) WO2020234155A1 (https=)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11799741B2 (en) * 2019-10-29 2023-10-24 Fannie Mae Systems and methods for enterprise information technology (IT) monitoring
US11586727B2 (en) * 2021-03-29 2023-02-21 Red Hat, Inc. Systems and methods for preventing kernel stalling attacks
CN114048502B (zh) * 2021-10-15 2023-08-15 中国科学院信息工程研究所 一种轻量级可信通道及其通信控制方法
CN116204884A (zh) * 2021-11-30 2023-06-02 华为技术有限公司 内核保护方法、装置及系统
US12254079B2 (en) * 2022-05-10 2025-03-18 International Business Machines Corporation Providing system services
CN117573419B (zh) * 2024-01-16 2024-04-26 上海芯联芯智能科技有限公司 一种页面异常处理方法及装置
CN119004420B (zh) * 2024-10-23 2025-08-15 浙江大华技术股份有限公司 一种权限控制方法、权限控制装置以及计算机存储介质

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101315608A (zh) 2007-05-28 2008-12-03 三星电子株式会社 存储器保护方法和设备
US20130024646A1 (en) 2011-07-20 2013-01-24 Huawei Technologies Co., Ltd. Method and Simulator for Simulating Multiprocessor Architecture Remote Memory Access

Family Cites Families (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7496576B2 (en) 2006-03-30 2009-02-24 Microsoft Corporation Isolated access to named resources
US10019327B1 (en) 2008-12-15 2018-07-10 Open Invention Network Llc System and method for hybrid kernel- and user-space incremental and full checkpointing
US9354977B1 (en) 2008-12-15 2016-05-31 Open Invention Network Llc System and method for hybrid kernel- and user-space incremental and full checkpointing
US8627451B2 (en) 2009-08-21 2014-01-07 Red Hat, Inc. Systems and methods for providing an isolated execution environment for accessing untrusted content
US8533418B2 (en) * 2010-06-30 2013-09-10 International Business Machines Corporation Memory allocation with identification of requesting loadable kernel module
US8677354B2 (en) 2010-07-12 2014-03-18 International Business Machines Corporation Controlling kernel symbol visibility and accessibility across operating system linkage spaces
US9323921B2 (en) 2010-07-13 2016-04-26 Microsoft Technology Licensing, Llc Ultra-low cost sandboxing for application appliances
US8954697B2 (en) * 2010-08-05 2015-02-10 Red Hat, Inc. Access to shared memory segments by multiple application processes
US9152548B2 (en) * 2012-01-17 2015-10-06 Vmware, Inc. Controlling access to a privileged resource in user-mode system level mobile virtualization using a ptrace () system call
US9529614B2 (en) * 2012-03-05 2016-12-27 Board Of Regents The University Of Texas Systems Automatically bridging the semantic gap in machine introspection
CN102681940B (zh) * 2012-05-15 2015-06-10 北京航空航天大学 一种针对Linux操作系统内存管理子系统进行性能测试的方法
US10585801B2 (en) * 2012-11-26 2020-03-10 Advanced Micro Devices, Inc. Prefetch kernels on a graphics processing unit
US9910689B2 (en) * 2013-11-26 2018-03-06 Dynavisor, Inc. Dynamic single root I/O virtualization (SR-IOV) processes system calls request to devices attached to host
US9628279B2 (en) * 2014-09-30 2017-04-18 Microsoft Technology Licensing, Llc Protecting application secrets from operating system attacks
US10192067B2 (en) 2016-05-26 2019-01-29 Microsoft Technology Licensing, Llc Self-described security model for resource access
US11188365B2 (en) * 2016-11-29 2021-11-30 Red Hat, Inc. Memory overcommit by speculative fault
US10324838B2 (en) * 2017-10-12 2019-06-18 International Business Machines Corporation Virtually addressable hardware global kernel segment table
US10599835B2 (en) * 2018-02-06 2020-03-24 Vmware, Inc. 32-bit address space containment to secure processes from speculative rogue cache loads
US10698637B2 (en) * 2018-07-03 2020-06-30 Oracle International Corporation Stale block resynchronization in NVM based systems

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101315608A (zh) 2007-05-28 2008-12-03 三星电子株式会社 存储器保护方法和设备
US20130024646A1 (en) 2011-07-20 2013-01-24 Huawei Technologies Co., Ltd. Method and Simulator for Simulating Multiprocessor Architecture Remote Memory Access

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Daniel Gruss et al.,KASLR is Dead: Long Live KASLR,LNCS, ESSoS 2017: Engineering Secure Software and Systems,2017年06月24日,Vol. 10379,pp. 161-176
小田 逸郎,Linuxカーネル2.6解読室 第10回 プロセス空間の管理,UNIX USER,日本,ソフトバンクパブリッシング株式会社,2005年03月01日,第14巻,第3号,pp.117-132
末安 泰三,マンスリーレポート [Android Watch] SElinuxによる保護の有効化などAndroid 4.4 のセキュリティ強化点,日経コミュニケーション,日本,日経BP社,2013年12月01日,第599号,pp. 48-49

Also Published As

Publication number Publication date
AU2020277632A1 (en) 2021-10-14
SG11202110222XA (en) 2021-10-28
JP2022534685A (ja) 2022-08-03
KR20210141682A (ko) 2021-11-23
EP3973393A1 (en) 2022-03-30
US20200364101A1 (en) 2020-11-19
CN113711182B (zh) 2025-02-11
WO2020234155A1 (en) 2020-11-26
IL288057B1 (en) 2024-02-01
IL288057B2 (en) 2024-06-01
CA3137259A1 (en) 2020-11-26
IL288057A (en) 2022-01-01
EP3973393B1 (en) 2024-08-07
AU2020277632B2 (en) 2023-07-06
CN113711182A (zh) 2021-11-26
US11194639B2 (en) 2021-12-07
KR102612503B1 (ko) 2023-12-08
MX2021013230A (es) 2022-01-06
BR112021023258A2 (pt) 2022-01-04

Similar Documents

Publication Publication Date Title
JP7546602B2 (ja) オペレーティング・システム・カーネルの分離されたアドレス空間におけるシステム・コールの実行
US10073986B2 (en) Regulating access to and protecting portions of applications of virtual machines
US9037873B2 (en) Method and system for preventing tampering with software agent in a virtual machine
KR101955189B1 (ko) 스왑 아웃된 메모리 페이지의 가상 머신 가상화된 메모리로의 맵핑을 위한 가상 머신에서의 페이지 오류 삽입
US7284276B2 (en) Return-to-LIBC attack detection using branch trace records system and method
US11449615B2 (en) System and method of forming a log when executing a file with vulnerabilities in a virtual machine
JP7784897B2 (ja) モノリシック・カーネルのための制限された実行環境
US11341241B2 (en) Enhancing memory safe programming using a page frame tag mechanism
US10885206B2 (en) Protecting enterprise data at each system layer
US10114948B2 (en) Hypervisor-based buffer overflow detection and prevention
US20150379265A1 (en) Systems And Methods For Preventing Code Injection In Virtualized Environments
US7484239B1 (en) Detecting heap and stack execution in the operating system using regions
WO2013074071A1 (en) Regulating access to and protecting portions of applications of virtual machines

Legal Events

Date Code Title Description
RD04 Notification of resignation of power of attorney

Free format text: JAPANESE INTERMEDIATE CODE: A7424

Effective date: 20220512

A521 Request for written amendment filed

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20221012

A621 Written request for application examination

Free format text: JAPANESE INTERMEDIATE CODE: A621

Effective date: 20221021

A131 Notification of reasons for refusal

Free format text: JAPANESE INTERMEDIATE CODE: A131

Effective date: 20231219

A601 Written request for extension of time

Free format text: JAPANESE INTERMEDIATE CODE: A601

Effective date: 20240319

A521 Request for written amendment filed

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20240514

TRDD Decision of grant or rejection written
A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20240806

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20240827

R150 Certificate of patent or registration of utility model

Ref document number: 7546602

Country of ref document: JP

Free format text: JAPANESE INTERMEDIATE CODE: R150